Your adversary may not always be on the other side of a screen.
A cyberattack isn’t always the result of a distant and unknown “bad guy”—some stages of an attack can take place in person. Combining digital attack vectors like accounts, operating systems, and more with physical techniques and onsite hacking is becoming increasingly popular in advanced attacks. For both small organizations and large corporations, a breach in physical security can easily lead to a breach in cybersecurity if left unchecked.
In this specific example, we’re looking at a small, unassuming device called a Rubber Ducky.
Wait, a Rubber Ducky?
No, not the kind you’re thinking of.
Have you ever been given the following advice?
If you find a USB drive (thumb drive, flash drive), don’t plug it in.
This advice stems from a cyber-physical attack tactic which started gaining popularity in 2010 with the invention of the USB “Rubber Ducky.” The Rubber Ducky was created by an information security company called Hak5. Hak5 has been around since 2005, chatting technology and information security on their podcast, demonstrating tips and tricks on their Youtube channel, and developing hacking gear for what they call their community “where all hackers belong.”
Before you rush to condemn Hak5 for supporting hackers and creating dangerous devices, it’s important to remember that not all hackers are bad guys. The term “hacker” is often associated with “cybercriminal,” but that negative connotation has only arisen in more recent years as the attackers behind large, newsworthy breaches have been deemed “hackers” or “hacker groups.” The original “hackers” of the world were simply technology nerds, engineers, programmers—people who were passionate about tinkering, testing, breaking, and fixing old, new, and emerging technologies to see just what they were capable of. Hackers are the reason we have the internet today.
Today’s hackers, penetration testers, and the like are constantly on the frontlines of discovering new security vulnerabilities and ways to hack computer systems. In doing this, as you may remember from the story behind the Mimikatz tool, today’s hackers and security enthusiasts not only identify vital information for developers to improve security, but they also put their own safety on the line by trying to improve the security of our global cyber community. Hak5 specifically announces that they are committed to “elevating the information security by educating, equipping, and encouraging” the hacker community.
But like every well-intentioned new resource, Hak5’s creations have opened the doors for the people in the world who choose to hack with malicious intent. The Rubber Ducky hacking tool, along with similar tools that have emerged after it, gave criminals an easy way to take the ease and portability of a “flash drive” and use it to hack. The Rubber Ducky uses keystroke injection technology to run malicious code quickly and easily on a device—serving as an unsuspecting way to steal passwords, drop malware, install “backdoors” into systems, exfiltrate data, and more. Attackers can leverage USB attacks by leaving USB drives behind and waiting for users to pick them up, sending them to their targets, or by entering a physical establishment, using social engineering tactics to gain access, and then plug the drives into systems themselves.
Rubber Ducky Tool in Action
In the short video below, watch as Security Engineer Derrick demonstrates the use of a Rubber Ducky to execute commands on a user’s device.
While this example was lighthearted, it demonstrates how quick and easy it is for malicious hackers to use the same tool to carry out damaging actions.
Cybersecurity Game Plan
If an attacker has used a Rubber Ducky tool in your network, strong detection and response capabilities are the first solutions to turn to. Endpoint Detection & Response (EDR) software and expert security monitoring can combine to identify the use of the tool and track what actions were taken by the attacker, helping you identify the breach and begin remediating as quickly as possible.
Of course, if a malicious USB drive has been used to execute code, spread malware, or steal information on a device or multiple devices within your network, that means there has also been a physical security breach that needs to be addressed. An attacker was able to either get themselves or their tool inside your organization without being stopped, and then proceed to use that tool on your organization’s machines. Cybersecurity and physical security are both equally important as in the end, your organization’s assets are on the line in any type of security breach.
On the frontlines of this type of attack, physical security and general security awareness within your organization are both vital. Even if your organization doesn’t use badges, access codes, or other systems for secure access, each employee can be instrumental in your line of defense if they know security best practices. Never allow unknown personnel to access secure areas or devices within your organization without verifying their identity and intent.
You can also protect your systems from these attacks in the event that the “people” layer of your prevention fails. Strong endpoint security solutions that can detect and block malicious USB devices and the code they attempt to run is key to preventing the success of this attack.