New AV evasion techniques- 2

lakshay arora
4 min readJul 12, 2020

This is the second part of a blog series on new cyber trends that evade AV. This part covers threats that involve hardware interaction with the system (direct or indirect) and will mainly cover 2 techniques:

  1. SIM Port Attack
  2. Rubber Ducky Attack

SIM Port Attacks:

SIM port attacks are mostly not public campaigns; they concentrate on a few individuals (for example people holding a lot of bitcoin in their accounts). In most cases the phone number attached to an account is what is used to recover it when a person forgets the password (Gmail, Facebook, etc.): the recovery link or code is sent to that mobile number. Though this looks relatively safe, an attacker can exploit such SMS-based 2FA and recovery through a SIM port attack. The attacker only needs to impersonate the victim and ask the telecom provider to port or swap the number (a process that is legitimately used to move a number to a new carrier or to a new handset) to a SIM in a phone that the attacker controls.

Steps of a SIM port attack:

1) Gain as much information as possible about the person to be impersonated (through the victim's social media accounts or through personal relations).

2) Impersonate the victim in front of the telecom provider and convince them to port the number to a device the attacker controls.

3) Pick a time when the victim is least alert (such as late at night): the moment the number is ported, the victim's old SIM loses cellular service, so calls and SMS (including verification codes) now arrive at the attacker's phone instead.

4) If step 3 does not provoke a strong response from the victim (such as calling the telecom company, which is unlikely at that hour), the attacker starts the password recovery procedure on the victim's various accounts.

5) Some accounts impose a waiting period before password recovery completes (a Coinbase bitcoin wallet, for example, requires a minimum 24-hour wait). The attacker may therefore be forced to hand control of the number back to the victim after making the initial recovery requests, first deleting evidence that the procedure was started (such as the verification confirmation email).

6) Once the waiting period ends, the attacker ports the number again, completes the recovery and transfers everything of value (such as cryptocurrency) to accounts under their own control.

How to protect against these types of attacks:

a) Keep cryptocurrency in a hardware wallet or other offline storage when not transacting.

b) Avoid sharing personally identifiable information (birthdate, location, pictures with geo-location data, etc.) on social media accounts.

c) Move away from SMS-based 2FA: time has proven that SMS-based 2FA is not enough to protect accounts. Use a hardware security key such as a YubiKey (it supports one-time passwords and public-key authentication) that you physically control; it has to be present at login, so it cannot be redirected the way a phone number can.

d) Use a password manager for your passwords.

Rubber Ducky Attack:

The Rubber Ducky is indeed an HID (techopedia.com/definition/19781/human-interface-device-hid) device, and some recent models also serve as a USB storage device. Although some endpoint protection systems block most malicious USB insertions, a Rubber Ducky attack can bypass them, because the payload arrives as keystrokes that the host trusts as user input rather than as a file it can scan. While it looks like an innocuous USB thumb drive, when plugged into a computer it registers itself as a USB keyboard and fires off a keystroke payload at lightning speed.

The attacker does not even need to insert the Rubber Ducky directly: they can leave it somewhere you will find it, and when you plug it in to examine it, it sends commands to your computer as if the attacker were sitting at your keyboard.

A USB Rubber Ducky can install several modules (information stealers for cookies and stored passwords, keyloggers, backdoor installers and more) in seconds, leaving real-time AV little time to scan anything. Recently these devices have also been used in targeted, spear-phishing-style attacks: after enumerating the target's endpoint security products, the USB stick is loaded with a payload that switches off or evades those specific products before causing the real damage.

The attack works even if you have turned off AutoPlay, because nothing is executed from the drive; the payload is typed.

It consists mainly of 3 parts:

1) The mini "keyboard" adapter: a small board with a microcontroller and a slot for the microSD card (the card ships mounted inside the adapter). This is the brains of the whole setup; it sends in the keystrokes as if they came from a Human Interface Device (HID), i.e. a keyboard.

2) The microSD card: a standard piece of hardware. The keyboard adapter reads it to find the payload to send as keystrokes.

3) The microSD-to-USB adapter: used to mount the microSD card on your own machine as a normal USB storage device so that you can copy your payload onto it.

Making a Rubber Ducky is neither costly nor does it require great skill to build one at home. Some tutorials on building one:

TUTORIAL:

How to protect against these types of attacks:

1. Consider Vendor ID / Product ID allowlisting software that blocks any untrusted USB device from connecting to the machine (note that VID and PID are reported by the device itself and a Ducky can be configured to present those of a trusted keyboard, so this is a speed bump rather than a hard barrier). Also consider a GPO (Group Policy Object) that requires a password for every UAC prompt, which effectively limits any keyboard emulator to non-admin access.

2. Install a tool that records keystroke timing (hooking the Windows keyboard input APIs, much as a keylogger does) and warns the user, or blocks the device, when the input rate exceeds what a human can sustain.
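As an added example (not code from the original post), the heuristic behind point 2 applied to the Rubber Ducky's machine-speed typing described above: a stream of timestamped key presses, of the kind a host-side keyboard hook would deliver, is scanned for runs whose median inter-key gap is far below human speed, and each run is trimmed to the keys that actually arrived at machine speed so the injected text can be reported. The event stream, the typing-speed parameters, the 25 ms threshold and the harmless command line used as the injected payload are all constructed for the demonstration; the hook itself (on Windows, a low-level keyboard hook such as SetWindowsHookEx with WH_KEYBOARD_LL) is assumed and not implemented here.

```python
"""Keystroke-timing heuristic for spotting HID keystroke injection (added example).

The stream of timestamped key events below is CONSTRUCTED to stand in for what a
host-side keyboard hook would deliver; the hook itself is assumed, not implemented.
"""
from dataclasses import dataclass
from statistics import median
import random


@dataclass(frozen=True)
class KeyEvent:
    t_ms: float  # host timestamp of the key press, in milliseconds
    key: str     # character the press produced


def human_typing(text, start_ms=0.0, mean_gap_ms=180.0, seed=1):
    """Constructed sample of a person typing: jittered gaps, never under 40 ms."""
    rng = random.Random(seed)
    events, t = [], start_ms
    for ch in text:
        t += max(40.0, rng.gauss(mean_gap_ms, 60.0))
        events.append(KeyEvent(t, ch))
    return events


def ducky_typing(text, start_ms=0.0, gap_ms=3.0):
    """Constructed sample of a scripted HID device: fixed ~3 ms cadence (assumed)."""
    return [KeyEvent(start_ms + i * gap_ms, ch) for i, ch in enumerate(text, 1)]


def find_injection_bursts(events, window=12, max_gap_ms=25.0):
    """Flag runs of keys typed faster than a human can sustain.

    Slide a window of `window` keys over the stream; a window whose median
    inter-key gap is below `max_gap_ms` (threshold assumed) is suspicious.
    Overlapping suspicious windows are merged, then each run is trimmed to
    the keys that really arrived at machine speed. Returns (start, end, text)
    tuples with inclusive indices into `events`.
    """
    n = len(events)
    if n < window:
        return []
    gaps = [b.t_ms - a.t_ms for a, b in zip(events, events[1:])]
    spans = []
    for i in range(n - window + 1):             # window i covers keys i..i+window-1
        if median(gaps[i:i + window - 1]) >= max_gap_ms:
            continue
        end = i + window - 1
        if spans and i <= spans[-1][1]:         # overlaps the previous run: extend it
            spans[-1] = (spans[-1][0], end)
        else:
            spans.append((i, end))
    bursts = []
    for s, e in spans:
        while s < e and gaps[s] >= max_gap_ms:      # drop human-speed keys at the front
            s += 1
        while e > s and gaps[e - 1] >= max_gap_ms:  # and at the back
            e -= 1
        bursts.append((s, e, "".join(k.key for k in events[s:e + 1])))
    return bursts


# Constructed scenario: a user types, a Ducky is plugged in and types a harmless
# illustrative command line, then the user resumes typing.
PAYLOAD = "cmd /c echo duck > %TEMP%\\duck.txt"  # stand-in payload, not a real attack


def demo_stream():
    before = human_typing("dear team, please see the attached ")
    inject = ducky_typing(PAYLOAD, start_ms=before[-1].t_ms + 500.0)
    after = human_typing("report. thanks", start_ms=inject[-1].t_ms + 700.0, seed=2)
    return before + inject + after


if __name__ == "__main__":
    for s, e, text in find_injection_bursts(demo_stream()):
        print(f"ALERT: {e - s + 1} keys in a burst at index {s}: {text!r}")
```

The window size and threshold trade false positives against detection delay: a 12-key window means the first alert fires only after a dozen injected keys, which is still well before a Ducky payload of a few hundred characters finishes, and the 25 ms median is far below what a fast typist sustains over a whole window. Pasting text is the obvious benign case that also arrives at machine speed, so a real tool would whitelist clipboard input or the trusted keyboard's VID/PID rather than alert on every burst.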


lakshay arora

Hi! I am a B.Tech student who enjoys reverse engineering and digital forensics. I relish reading anything and everything about cybersecurity.