4. The Need for Cybersecurity: Cyber Attacks 81

objectives. The attacker could also try to exploit a vulnerability to escalate his privileges (more on this below).

In some evil maid attacks, the attacker may have only a short window of time with the target device. This would be the case if a person is using a computer in a public place and briefly walks away to take a phone call, get a drink, etc. A rubber ducky attack is an attack that uses a special-purpose USB stick to open a command prompt and quickly execute a series of commands by “typing” at computer speeds. The attacker plugs the device into a USB port of the unattended computer, waits a few seconds, and then unplugs it and walks away. In that time, the rubber ducky could create a connection back to the attacker’s device, giving him access over the network. This attack only works if the user is still logged in when the rubber ducky is plugged in. This is why it is important for users to activate the lock screen whenever they step away from their computers.

If an attacker gains physical access to a locked device, he could try a password guessing attack. If he is unable to log in, the attacker can restart the device and boot to an alternative OS stored on a USB stick. This may allow the attacker to see the contents of the hard drive, copy files, and potentially even discover the login credentials to the installed OS. Using full disk encryption would thwart this attack (see Section 9.2.2.1).

An evil maid attacker could easily perform a denial attack on the device by damaging it in some way physically or by formatting or encrypting the hard drive. An attacker could also use his unattended access to install an inconspicuous hardware-based keystroke logger on the device, as explained above. For all these reasons, maintaining the physical security of computing devices is a vital component of cybersecurity.

4.1.3 Post Exploitation

“By reprogramming the hard drive firmware (i.e. rewriting the hard drive’s operating system), the group achieves…an extreme level of persistence that helps to survive disk formatting and OS reinstallation…[and] the ability to create an invisible, persistent area hidden inside the hard drive.” - from “Equation Group: The Crown Creator of Cyber-Espionage” by Kaspersky Labs

After attackers gain initial access to the target, the post exploitation phase begins. In this phase, the attacker often gains command and control (C2) access to the victim machine. C2 gives the attacker the ability to remotely issue commands. It usually begins with the victim machine “calling home” and creating a connection back out to the attacker’s machine; this is called a reverse shell. At this point, the attacker may be able to quickly accomplish his actions on objectives (see next section) and move on. But in many attacks, the entry point acts as merely an initial foothold. From there, hackers may attempt to do three things: maintain access, escalate their privileges, and pivot to other computers.
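The rubber ducky described above under evil maid attacks gives itself away by “typing” far faster than any person can. The following is an added example, not from the book, of a detector for that behaviour in Python: it groups keystroke events into bursts and flags any burst whose median inter-key gap is below human speed. The keystroke event source (a HID monitoring agent) and the thresholds are assumptions, and the sample events are constructed.

```python
# Flag keystroke bursts typed faster than a human can, the signature of a
# USB keystroke-injection device such as a rubber ducky. Sample data below is
# constructed; a real deployment would feed events from a HID monitoring agent
# (hypothetical source, not part of the book's text).
from statistics import median

BURST_GAP = 1.0          # seconds of silence that ends a burst of typing
MIN_KEYS = 8             # ignore very short bursts (e.g. a stray key press)
MAX_HUMAN_MEDIAN = 0.03  # humans rarely sustain under 30 ms between keystrokes


def _burst(start, text, interval):
    """Build (timestamp, key) events for one run of typing at a fixed rate."""
    return [(start + interval * i, ch) for i, ch in enumerate(text)]


# Constructed sample: a person types a sentence, walks away, and later a
# plugged-in device opens a prompt and injects a command at 4 ms per key.
SAMPLE_EVENTS = (
    _burst(0.0, "meeting notes for monday", 0.17)
    + _burst(30.0, "cmd\n", 0.004)
    + _burst(30.5, "echo constructed-test-payload\n", 0.004)
)


def split_bursts(events, gap=BURST_GAP):
    """Group (timestamp, key) events into bursts separated by silence > gap."""
    bursts, current = [], []
    for ts, key in sorted(events):
        if current and ts - current[-1][0] > gap:
            bursts.append(current)
            current = []
        current.append((ts, key))
    if current:
        bursts.append(current)
    return bursts


def find_injected_bursts(events, min_keys=MIN_KEYS, max_median=MAX_HUMAN_MEDIAN):
    """Return bursts whose median inter-key interval is faster than human typing."""
    findings = []
    for burst in split_bursts(events):
        if len(burst) < min_keys:
            continue
        intervals = [b[0] - a[0] for a, b in zip(burst, burst[1:])]
        med = median(intervals)
        if med <= max_median:
            findings.append({"start": burst[0][0], "keys": len(burst),
                             "median_interval_ms": round(med * 1000, 2),
                             "text": "".join(k for _, k in burst)})
    return findings
```

The median (rather than the mean) is used so that a deliberate pause the device inserts between commands does not mask the injection.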