Kaspersky Lab researchers developed a proof of concept attack that encourages IT pros to think twice about how insider threats can compromise networks.
While other attacks that exploit physical access to devices exist, researchers noted this attack is special because anyone with physical access to any USB port on the victim's network can carry it out, and it can retrieve user authentication data even when the targeted system is locked, according to a June 6 blog post.
It is also possible to obtain administrator credentials or cookies from a PC, and the attack can be implemented using a device that costs no more than $20 and requires no special skills; all that is needed is physical access to corporate computers.
Researchers conducted two experiments: one to intercept user credentials within the corporate network, and another to retrieve cookies in a bid to restore the user session on a popular website.
The attacks are carried out by briefly connecting a Raspberry Pi Zero via a USB port to a computer within the corporate perimeter. The device was configured to enumerate itself as an Ethernet adapter on the system it was plugged into.
The attacks were tested in three scenarios: against a corporate computer logged into a domain, against a corporate computer on a public network, and against a home computer.
An intruder could also steal cookies from a PC when a Raspberry Pi Zero is connected to it via USB; however, so far that attack only works when the system is unlocked, which reduces its chances of success, the post said.
Researchers recommend users never leave their systems unlocked, check whether extra USB devices are connected to their computers, change passwords regularly, and remain cautious when asked to use unfamiliar flash drives.
Administrators are encouraged to monitor for suspicious USB drives and other devices connected via USB ports as well.
“If the network topology allows it, we suggest using solely Kerberos protocol for authenticating domain users,” the report said. “If, however, there is a demand for supporting legacy systems with LLMNR and NTLM authentication, we recommend breaking down the network into segments, so that even if one segment is compromised, attackers cannot access the whole network.”
Admins should also restrict privileged domain users, especially domain administrators, from logging in to the legacy systems, change domain user passwords regularly, and ensure all computers within the corporate network are protected with security solutions.
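As an added example (not code from the Kaspersky report), the following PowerShell audit checks a Windows host for the conditions this attack depends on: whether LLMNR is disabled by policy, whether legacy LM/NTLM responses are still permitted, and whether any network adapter is attached over USB, as the Pi Zero would be. It assumes an elevated session; the registry values and cmdlets used are standard Windows ones.

```powershell
# Added audit script (not from the Kaspersky report). Run elevated.

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value or key absent
}

# 1. LLMNR: the GPO "Turn off multicast name resolution" writes EnableMulticast=0.
#    Without it the host answers multicast name queries from any adapter, including a rogue USB NIC.
$llmnr = Get-RegistryValueOrNull 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
if ($llmnr -eq 0) { Write-Output 'LLMNR: disabled by policy (OK)' }
else { Write-Warning 'LLMNR: not disabled by policy; host will answer multicast name queries' }

# 2. NTLM: LmCompatibilityLevel 5 = send NTLMv2 responses only, refuse LM and NTLMv1.
#    An absent value means the OS default applies, which is weaker than 5.
$lmLevel = Get-RegistryValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel'
if ($lmLevel -eq 5) { Write-Output 'NTLM: LmCompatibilityLevel=5 (OK)' }
else { Write-Warning "NTLM: LmCompatibilityLevel is '$lmLevel'; legacy LM/NTLMv1 responses may be sent" }

# 3. USB-attached network adapters: a Pi Zero in Ethernet-gadget mode enumerates
#    as a USB\VID_xxxx&PID_xxxx device. Anything not issued by IT deserves a second look.
$usbNics = Get-NetAdapter -IncludeHidden | Where-Object { $_.PnPDeviceID -like 'USB\*' }
if ($usbNics) {
    Write-Warning 'USB-attached network adapters present:'
    $usbNics | Select-Object Name, InterfaceDescription, Status, PnPDeviceID | Format-Table -AutoSize
} else {
    Write-Output 'USB NICs: none present (OK)'
}
```

Running this from a scheduled task and forwarding the warnings to central logging gives administrators the USB-device monitoring the researchers recommend without relying on users noticing the adapter.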