September 6, 2022
Good morning, everyone!
This week’s critical vulnerabilities:
Patch all the things!
James Webb Telescope images used to deliver malware
A new phishing campaign is using malware-infected images from the James Webb Telescope that can sneak past most antivirus protections. Two lessons in this story:
- Always consult original sources of information. Don't rely on a link in an email or on a website; go to the original source for legitimate information and safe downloads. In this case, visit nasa.gov.
- Think before you click! Nearly all malware is actually installed by users, because they just don't pay attention.
The most freaky time of the year
This is one of my favorite times of the year, because it's when all the freaky hacks revealed at DefCon (an annual hacking conference) get written up! This year did not disappoint, so let me introduce you to two of my favorites:
O.MG Cable
On the outside, this incredible cable looks like any ordinary USB charging cable. But oh, the surprises inside!
“It’s a cable that looks identical to the other cables you already have,” explains MG, the cable’s creator. “But inside each cable, I put an implant that’s got a web server, USB communications, and Wi-Fi access. So it plugs in, powers up, and you can connect to it.”
So, what can this magic cable do?
- perform keystroke injection attacks, tricking a target machine into thinking it’s a keyboard and then typing in text commands
- using the command line, it could launch software applications, download malware, or steal passwords and send them over the internet
- if used to connect a keyboard to a host computer, the cable can record every keystroke that passes through it and save up to 650,000 key entries in its onboard storage for retrieval later
- onboard wifi enables the device to send and receive data outside protected networks, even creating the possibility of stealing data from targets that are “air gapped,” i.e., completely disconnected from external networks.
Anyone can buy one of these for $179 with the choice of Lightning, USB-A, or USB-C connectors, making it possible to target nearly any type of device. Okay, so most people are probably not at risk from this kind of targeted attack ... but what happens when the Chinese start putting these same capabilities in cheap charger cables sold all over the world?
Protect yourself! Always bring your own charging cable; don't use anyone else's cable (even if you know that person -- you don't know that the cable is legit). Buy known brands, as their QA is likely going to prevent sneaky technology from being inserted at the point of manufacture.
USB Rubber Ducky
The old Rubber Ducky was scary, but the new and improved version is far more powerful. How does it work?
To the human eye, the USB Rubber Ducky looks like an unremarkable USB flash drive. Plug it into a computer, though, and the machine sees it as a USB keyboard — which means it accepts keystroke commands from the device just as if a person was typing them in.
“Everything it types is trusted to the same degree as the user is trusted,” Kitchen told me, “so it takes advantage of the trust model built in, where computers have been taught to trust a human. And a computer knows that a human typically communicates with it through clicking and typing.”
But wait, there's more!
It ships with a major upgrade to the DuckyScript programming language, which is used to create the commands that the Rubber Ducky will enter into a target machine.
Older versions could just do basic keystroke sequences, but the new version allows for sophisticated programming, including testing the environment and acting accordingly.
That means, for example, the new Ducky can run a test to see if it’s plugged into a Windows or Mac machine and conditionally execute code appropriate to each one or disable itself if it has been connected to the wrong target. It also can generate pseudorandom numbers and use them to add variable delay between keystrokes for a more human effect.
As if that weren't enough!
Perhaps most impressively, it can steal data from a target machine by encoding it in binary format and transmitting it through the signals meant to tell a keyboard when the CapsLock or NumLock LEDs should light up. With this method, an attacker could plug it in for a few seconds, tell someone, “Sorry, I guess that USB drive is broken,” and take it back with all their passwords saved.
Protect yourself! At $59.99 each, these are cheaper than the O.MG Cable, but if you practice good USB hygiene all the time, you should be fine.
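The trick both gadgets rely on is that the computer accepts a new "keyboard" without question. One thing an IT team can do about that is watch for HID keyboards showing up that were never issued. This is an added example written for this newsletter, not code from Hak5 or from the articles quoted above: it scans Linux kernel log lines (the sample lines are constructed, and the cafe:beef vendor:product pair is a placeholder) and flags any input device that is not on a keyboard allow-list, calling out the case where a device named like a flash drive registers as a keyboard.

```python
import re
from dataclasses import dataclass

# Constructed sample kernel log lines (not from the original post). The
# "cafe:beef" device is a placeholder for an unknown gadget that calls itself
# a flash drive but enumerates as a HID input (keyboard) device.
SAMPLE_LOG = """\
usb 1-1.3: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice= 1.00
usb 1-1.3: Product: USB Keyboard
input: USB Keyboard as /devices/pci0000:00/usb1/1-1/1-1.3/1-1.3:1.0/0003:046D:C31C.0001/input/input5
usb 1-1.4: New USB device found, idVendor=cafe, idProduct=beef, bcdDevice= 1.00
usb 1-1.4: Product: Flash Drive
input: Flash Drive as /devices/pci0000:00/usb1/1-1/1-1.4/1-1.4:1.0/0003:CAFE:BEEF.0002/input/input6
"""

# Keyboards this host is expected to have (vendor:product, lower-case hex); assumed allow-list.
ALLOWED_KEYBOARDS = {"046d:c31c"}

NEW_DEV = re.compile(r"^usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
PRODUCT = re.compile(r"^usb (\S+): Product: (.+)$")
# "0003" in the HID path is the USB bus id; the two hex fields after it are vendor and product.
HID_INPUT = re.compile(r"^input: (.+) as \S*/0003:([0-9A-F]{4}):([0-9A-F]{4})\.\d+/input/input\d+")

@dataclass
class Alert:
    vid_pid: str
    product: str
    reason: str

def find_rogue_hid(log_text: str, allowed=ALLOWED_KEYBOARDS) -> list[Alert]:
    """Return one Alert per HID input device whose vendor:product is not allow-listed."""
    id_by_port: dict[str, str] = {}      # usb port -> "vvvv:pppp"
    product_by_id: dict[str, str] = {}   # "vvvv:pppp" -> product string
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        if m := NEW_DEV.match(line):
            id_by_port[m.group(1)] = f"{m.group(2)}:{m.group(3)}"
        elif m := PRODUCT.match(line):
            if m.group(1) in id_by_port:
                product_by_id[id_by_port[m.group(1)]] = m.group(2)
        elif m := HID_INPUT.match(line):
            vid_pid = f"{m.group(2)}:{m.group(3)}".lower()
            if vid_pid in allowed:
                continue
            product = product_by_id.get(vid_pid, m.group(1))
            reason = "HID input device not on keyboard allow-list"
            if "drive" in product.lower():
                reason += " (product name suggests storage, but it registered as a keyboard)"
            alerts.append(Alert(vid_pid, product, reason))
    return alerts

if __name__ == "__main__":
    for a in find_rogue_hid(SAMPLE_LOG):
        print(f"ALERT {a.vid_pid} ({a.product}): {a.reason}")
```

On a real host the input would be `dmesg` or journald output rather than the constructed sample, and the allow-list would come from asset inventory.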
Who's going to have trouble sleeping tonight? 😂
Talk to you again soon!
Security Awareness Training Available Here, There, Everywhere!
Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.
Contact me to schedule your employee training sessions. They're fun! ☺