How much do you know about the top covert hacking tools in 2024?
As cybersecurity defenders, we must be aware of the damage that covert hacking tools can cause to design comprehensive security controls. In this article, we will review a set of covert hacking tools that should concern IT security teams. Collectively, these physical devices hint at the level of threat that hacking tools present to an organization.
Let's explore what this means for the modern threat landscape:
Threat actors have access to a wide range of small digital devices that are purpose-built to circumvent security controls covertly. The same tools are used for legitimate security testing, but one thing is certain: in the wrong hands, they pose significant security risks. The attacks they typically perform include keystroke injection, passive monitoring, and man-in-the-middle (MitM) interception. Many covert hacking devices require physical access to an organization's premises or devices.
Still, some, such as rogue WiFi access points, can be used to attack users without ever entering the premises. The risk is not limited to an organization's demarcation point, data centers, networking appliances, or backbone infrastructure: a covert offensive tool can seriously threaten an organization through nothing more than a USB port on a non-critical workstation.
Here are what experts deem to be the top covert hacking tools in 2024 and beyond:
There are hundreds of different types of cables out there. Rogue cables are covertly designed to perform a few main tasks: collecting or modifying the data being transmitted are the main two, but a cable can also act as a separate device, presenting itself to the host as a keyboard or a network adapter. Here are some cables you certainly don't want plugged into any of your devices.
O.MG Cable / USBNinja: These cables mimic a standard USB cable but hide a tiny microcontroller and radio (WiFi in the O.MG Cable, Bluetooth in the USBNinja) inside the connector housing, allowing an attacker to trigger pre-loaded keystroke-injection payloads and run commands remotely. Astonishingly, they don't appear any larger than a regular USB cable and come in virtually every USB connector format. Some of the most covert versions emulate Apple charging cables with a Lightning connector at one end, just waiting to be plugged into a computer or mobile device. Because the host sees a keyboard rather than a storage device, endpoint controls that only block USB mass storage do nothing against them.
USB Keyboard emulator: This device resembles a regular USB flash drive but is actually an automated keystroke injection tool (the USB Rubber Ducky is the best-known example). It enumerates as a keyboard and types a scripted payload at roughly 100 characters per second, so a multi-kilobyte PowerShell or shell script is typed into a console in well under a minute. Because the payload is typed rather than downloaded, it never crosses the network, and network filters never see it.
O.MG Plug: The O.MG Plug is a USB device smaller than a typical thumb drive that can be covertly plugged into a USB port and controlled remotely over its built-in WiFi. Like the cable, it injects keystrokes, so for as long as it remains plugged in the operator has on-demand command execution on the victim machine at the privilege level of the logged-in user.
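The common weakness of the O.MG Cable, the keyboard emulator and the O.MG Plug is that they all have to type, and they type at a rate and regularity no human sustains. The following is an added example (not code from the original article or from any vendor) of the timing-based detection a host keystroke monitor can apply: split the keystroke stream into bursts and flag any long burst whose inter-key gaps are both very short and nearly constant. The thresholds, the sample keystroke stream and the function names are all constructed for illustration.

```python
"""Flag keystroke bursts that are too fast and too regular to be human-typed."""
from statistics import median, pstdev

# Assumed thresholds for illustration (tune them against your own users' typing):
PAUSE_MS = 500          # a gap this long ends one burst and starts the next
MIN_BURST = 20          # ignore short bursts; injected payloads run to hundreds of keys
MAX_MEDIAN_GAP_MS = 25  # humans rarely sustain a median gap under ~40 ms
MAX_JITTER_MS = 5       # injected streams are metronomic; human gaps vary by tens of ms


def split_bursts(timestamps_ms):
    """Group keystroke timestamps (ms) into bursts separated by pauses."""
    bursts, current = [], []
    for t in sorted(timestamps_ms):
        if current and t - current[-1] > PAUSE_MS:
            bursts.append(current)
            current = []
        current.append(t)
    if current:
        bursts.append(current)
    return bursts


def burst_stats(burst):
    """Key count, median inter-key gap and gap jitter (population stdev) for one burst."""
    gaps = [b - a for a, b in zip(burst, burst[1:])]
    return {"keys": len(burst), "median_gap_ms": median(gaps), "jitter_ms": pstdev(gaps)}


def looks_injected(stats):
    return (stats["keys"] >= MIN_BURST
            and stats["median_gap_ms"] <= MAX_MEDIAN_GAP_MS
            and stats["jitter_ms"] <= MAX_JITTER_MS)


def find_injected_bursts(timestamps_ms):
    """Return the stats of every burst in the stream that looks machine-injected."""
    return [s for s in (burst_stats(b) for b in split_bursts(timestamps_ms) if len(b) >= 2)
            if looks_injected(s)]


def sample_stream():
    """Constructed sample: 30 human keystrokes with irregular 80-179 ms gaps,
    a 3 s pause, then 40 keystrokes arriving every 10 ms from an implant."""
    ts, t = [], 0
    for i in range(30):
        t += 80 + (i * 37) % 100
        ts.append(t)
    t += 3000
    for _ in range(40):
        t += 10
        ts.append(t)
    return ts


if __name__ == "__main__":
    for s in find_injected_bursts(sample_stream()):
        print(f"suspicious burst: {s['keys']} keys, median gap {s['median_gap_ms']} ms, "
              f"jitter {s['jitter_ms']:.1f} ms")
```

Feed it the timestamps of keyboard events from whatever input layer you can observe (evdev on Linux, for instance) and alert on the result. Pair it with a USB device allowlist: the timing check only fires after the payload has already started typing, so on its own it is a detective control, not a preventive one.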
LAN Turtle: This device is a USB Ethernet adapter that sits between a workstation and the network, which puts it in a position to completely MitM the victim's connection. It can perform onboard network reconnaissance, password cracking, and man-in-the-middle (MitM) attacks, making it a versatile tool for network penetration. The device establishes a reverse shell to the attacker's own command and control (C2) server, giving remote access to its embedded Linux system and, through it, to the victim's network.
USB Keylogger: These relatively simple tools are plugged in between a keyboard and the computer's USB port to record keystrokes. They are particularly threatening because they are passive hardware: no software runs on the host, so antivirus has nothing to detect, and the captured keystrokes give up usernames, passwords, and other sensitive information.
HDMI Tap: A device inserted between a computer and its display to capture the video signal, including the ability to record the screen and live-stream it to the attacker over WiFi. It works with anything that outputs HDMI, from workstations to smart projectors, allowing for a wide range of surveillance and data interception applications.
KeySweeper: Looks like a USB wall charger but is designed to covertly log keystrokes from wireless Microsoft keyboards by exploiting the weak encryption of their 2.4 GHz radio link, and to send the captured data to the attacker over a wireless connection.
Rogue WiFi Access Points: These perform MitM attacks on wireless networks, primarily by spoofing a legitimate access point (an "evil twin" broadcasting the same SSID, often with a stronger signal) or by offering free WiFi to unsuspecting victims. Once a client connects, the attacker can intercept and redirect its traffic via DNS spoofing, packet sniffing, and ARP poisoning. These devices are a major motivating factor for enabling WPA2-Enterprise (802.1X/EAP) on all devices. WPA2-Enterprise authenticates each user or device individually against a RADIUS server, and with EAP-TLS uses certificates on both sides, which is far stronger than the single shared password of WPA2-Personal. The caveat is that its protection against evil twins depends on the client validating the RADIUS server's certificate: a client profile that accepts any server certificate will hand its credentials, or an MSCHAPv2 challenge-response that can be cracked offline, to a rogue AP running its own RADIUS server.
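The following is an added example (not from the original article) of the rogue-AP check a practitioner would run over scan data: compare every visible SSID/BSSID pair against the access points your own wireless controller reports, and flag unknown BSSIDs broadcasting a corporate SSID, a weaker security mode on that SSID, and lookalike names. The baseline, the scan results and the function names are constructed for illustration; a real scan would come from `nmcli dev wifi list`, `iw dev <interface> scan`, or the controller's API.

```python
"""Flag evil-twin and lookalike access points in a WiFi scan."""
import re

# Constructed baseline: the BSSIDs and security mode your own controller reports per SSID.
KNOWN_APS = {
    "CorpWiFi": {
        "security": "WPA2-Enterprise",
        "bssids": {"02:11:22:00:00:01", "02:11:22:00:00:02"},
    },
}


def normalize_ssid(ssid):
    """Lower-case and strip punctuation so 'Corp WiFi_Guest' still matches 'CorpWiFi'."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def classify_scan(scan, known=KNOWN_APS):
    """Return (ssid, bssid, reason) findings for every suspicious AP in the scan."""
    findings = []
    known_norm = {normalize_ssid(s): s for s in known}
    for ap in scan:
        ssid, bssid, sec = ap["ssid"], ap["bssid"].lower(), ap["security"]
        if ssid in known:
            base = known[ssid]
            if bssid not in base["bssids"]:
                findings.append((ssid, bssid, "unknown BSSID broadcasting corporate SSID (evil twin?)"))
            if sec != base["security"]:
                findings.append((ssid, bssid, f"security downgrade: {sec} instead of {base['security']}"))
        else:
            n = normalize_ssid(ssid)
            for kn, real in known_norm.items():
                if kn and kn in n:
                    findings.append((ssid, bssid, f"lookalike of {real}"))
    return findings


# Constructed scan: one genuine AP, one evil twin, one open twin, one lookalike, one neighbour.
SAMPLE_SCAN = [
    {"ssid": "CorpWiFi", "bssid": "02:11:22:00:00:01", "channel": 6, "security": "WPA2-Enterprise"},
    {"ssid": "CorpWiFi", "bssid": "02:DE:AD:BE:EF:01", "channel": 6, "security": "WPA2-Enterprise"},
    {"ssid": "CorpWiFi", "bssid": "02:de:ad:be:ef:02", "channel": 11, "security": "Open"},
    {"ssid": "CorpWiFi Free", "bssid": "02:de:ad:be:ef:03", "channel": 1, "security": "Open"},
    {"ssid": "HomeNet", "bssid": "02:33:44:55:66:77", "channel": 1, "security": "WPA2-Personal"},
]

if __name__ == "__main__":
    for ssid, bssid, reason in classify_scan(SAMPLE_SCAN):
        print(f"{ssid:<14} {bssid}  {reason}")
```

Treat this as a tripwire, not a guarantee: an attacker can clone the legitimate BSSID as well as the SSID, in which case only the channel or signal strength differs. The control that actually stops the evil twin is the client refusing to authenticate unless the RADIUS server presents the expected certificate.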
Flipper Zero: The Flipper Zero is a compact device capable of interacting with various wireless protocols and frequency ranges. Its sub-1 GHz radio covers the 315 MHz, 433 MHz, 868 MHz and 915 MHz bands used by remote controls, key fobs, and home automation systems, and separate 125 kHz RFID and 13.56 MHz NFC front-ends let it read, emulate, and replay low-frequency access cards and NFC tags. Fixed-code fobs and cards that rely only on a static identifier are trivially replayed; rolling-code remotes and cryptographically authenticated credentials resist a simple replay. It can also interact with Bluetooth Low Energy devices.
IMSI-Catcher: The term "IMSI" stands for International Mobile Subscriber Identity, the unique number associated with every mobile phone SIM card. Also known as "stingrays," these devices mimic cell towers to intercept mobile phone traffic and can be used to track the movement of mobile phone users. If a user's cellular device connects to an IMSI-catcher rather than a legitimate cellular tower, the attacker can eavesdrop on calls and text messages (particularly over 2G, where the network is not authenticated to the phone) and MitM any internet connection routed through it. Properly validated TLS keeps application traffic encrypted even then; only if the attacker also holds a certificate the device trusts for the target site, for example from a compromised CA, can they read and modify that traffic in cleartext.
Wireless Frequency Jammers: A wireless jammer is a device designed to disrupt or block radio communication within its effective range by flooding the band with noise. Operating one is illegal in most jurisdictions. Jammers can prevent wireless surveillance cameras from transmitting to a central security system or render entire WiFi networks unusable.
Shark Jack: A small Ethernet-enabled device running embedded Linux that can be used for wired network recon and active attacks. It can run covertly in a passive mode for network mapping or actively launch network attacks through any Ethernet port that accepts an unauthenticated device. The device starts its recon or attack as soon as it is hot-plugged into the port.
Plunder Bug LAN Tap: This is a small Ethernet tapping device that sits inline, captures PCAP files of the traffic passing through it, and also supports active packet injection. It can be physically connected in a network and collected later, or actively controlled over a USB connection to a mobile device or laptop.
Packet Squirrel Active LAN Tap: Essentially a more advanced version of the aforementioned LAN tap, with a full embedded Linux OS that can establish reverse shell connections to an attacker's C2 server. These devices offer the same attack capabilities as having the attacker's own machine plugged directly into the victim's network.
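As an added example (not from the original article or from Hak5) of the wired-side tripwire that catches a Shark Jack, LAN Turtle or Packet Squirrel the moment it gets a link: compare the switch's MAC address table against a baseline and flag any port that suddenly shows an unknown MAC, a MAC where there was none, or more than one MAC where a single host is expected. The snapshots below are constructed in Cisco `show mac address-table` format with locally administered (02xx) addresses; the parsing, baseline and function names are assumptions for illustration. A tap that only listens, such as a Plunder Bug in passive mode, has no MAC on the wire and will not show up here; 802.1X, port security and physical inspection are what address it.

```python
"""Diff a switch MAC address table against a baseline to spot hot-plugged devices."""
import re

# Matches rows of Cisco-style 'show mac address-table' output: VLAN, MAC, type, port.
MAC_ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$", re.I
)


def parse_mac_table(text):
    """Return {port: {mac, ...}} from the raw command output, ignoring header lines."""
    table = {}
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            _vlan, mac, port = m.groups()
            table.setdefault(port, set()).add(mac.lower())
    return table


def diff_mac_tables(baseline, current):
    """Return (port, mac, reason) findings for MACs the baseline did not expect."""
    findings = []
    for port, macs in sorted(current.items()):
        known = baseline.get(port, set())
        for mac in sorted(macs - known):
            reason = "new MAC on port" if known else "MAC on previously unused port"
            findings.append((port, mac, reason))
        if len(macs) > 1 and len(known) <= 1:
            findings.append((port, ",".join(sorted(macs)), "multiple MACs on single-host port"))
    return findings


# Constructed snapshots. Gi1/0/1 gains a second MAC (an inline implant bridging the
# original host), Gi1/0/7 was empty and now has a device, Gi1/0/2 is unchanged.
BASELINE_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0200.0000.0001    DYNAMIC     Gi1/0/1
  10    0200.0000.0002    DYNAMIC     Gi1/0/2
"""

LATEST_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0200.0000.0001    DYNAMIC     Gi1/0/1
  10    02ff.0000.00aa    DYNAMIC     Gi1/0/1
  10    0200.0000.0002    DYNAMIC     Gi1/0/2
  10    02ff.0000.00bb    DYNAMIC     Gi1/0/7
"""

if __name__ == "__main__":
    baseline = parse_mac_table(BASELINE_TABLE)
    for port, mac, reason in diff_mac_tables(baseline, parse_mac_table(LATEST_TABLE)):
        print(f"{port:<10} {mac:<32} {reason}")
```

Run it from a job that polls the switches on a short interval, and feed findings into the same queue as your NAC alerts; a port that goes from one MAC to two within minutes is worth a physical walk to the desk.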
Bus Pirate: A universal bus interface that lets an attacker talk directly to the chips inside a device over I2C, SPI, UART, JTAG and other low-level protocols. Popular among hackers, hobbyists, and professionals for its ease of use and wide range of functions, it makes it trivial to connect to the debug UART header found on many network appliances, which frequently exposes an unauthenticated root shell or a bootloader from which the firmware can be dumped.
Fake USB Data Blockers: At first glance these appear to be a standard data blocker, the kind of dongle people use to charge safely from public USB ports. Attackers can leave them lying around in public places for USB drop attacks, much like USB drives with Trojanized files. Inside, however, is an O.MG implant capable of injecting payloads into any device they are plugged into, and it can be controlled remotely, allowing the operator to execute commands from a distance. The victim plugs it in precisely because they believe it protects them.
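Every device in this list that plugs into USB, from the O.MG Cable to the fake data blocker, works because the host accepts whatever the device claims to be. Here is an added example (not from the original article; the policy, the device records and the function names are constructed for illustration) of the default-deny evaluation that a tool like USBGuard on Linux performs for real: a device is allowed only if its vendor/product/serial triple is on the allowlist, and anything else that exposes a keyboard (HID) or network (CDC) interface is blocked, with the composite keyboard-plus-storage or keyboard-plus-network profile called out explicitly because that is the classic BadUSB signature.

```python
"""Default-deny USB policy: allowlist by identity, block unlisted HID and network interfaces."""

# USB interface class codes (from the USB-IF class code table).
CDC_CONTROL, HID, MASS_STORAGE, CDC_DATA = 0x02, 0x03, 0x08, 0x0A

# Constructed allowlist of (vendor_id, product_id, serial) for approved devices.
ALLOWLIST = {
    ("1234", "0001", "KB-0001"),    # the approved corporate keyboard
    ("1234", "0002", "DOCK-0042"),  # an approved docking station (HID + network)
}


def evaluate_device(dev, allowlist=ALLOWLIST):
    """Return ('allow' | 'block', reason) for one enumerated device.

    dev carries 'vid', 'pid', an optional 'serial' (hex strings as lsusb prints them)
    and 'interface_classes', the class codes across all of its interfaces.
    """
    identity = (dev["vid"].lower(), dev["pid"].lower(), dev.get("serial", ""))
    classes = set(dev["interface_classes"])
    if identity in allowlist:
        return "allow", "on allowlist"
    if HID in classes and classes & {MASS_STORAGE, CDC_CONTROL, CDC_DATA}:
        return "block", "keyboard combined with storage/network interface (BadUSB profile)"
    if HID in classes:
        return "block", "unlisted keyboard/HID device"
    if classes & {CDC_CONTROL, CDC_DATA}:
        return "block", "unlisted network adapter over USB"
    return "block", "not on allowlist"


def evaluate_all(devices, allowlist=ALLOWLIST):
    """Evaluate a whole enumeration; returns (name, verdict, reason) per device."""
    return [(dev["name"], *evaluate_device(dev, allowlist)) for dev in devices]


# Constructed enumeration, in the shape a tool such as lsusb -v would report.
SAMPLE_DEVICES = [
    {"name": "corporate keyboard", "vid": "1234", "pid": "0001", "serial": "KB-0001",
     "interface_classes": [HID]},
    {"name": "same VID/PID as the keyboard, no serial (spoofed identity)", "vid": "1234",
     "pid": "0001", "interface_classes": [HID]},
    {"name": "'flash drive' that is really a keystroke injector", "vid": "abcd", "pid": "0010",
     "interface_classes": [HID]},
    {"name": "cable implant: keyboard + storage", "vid": "abcd", "pid": "0011",
     "interface_classes": [HID, MASS_STORAGE]},
    {"name": "unlisted USB Ethernet adapter", "vid": "abcd", "pid": "0020",
     "interface_classes": [CDC_CONTROL, CDC_DATA]},
    {"name": "approved docking station", "vid": "1234", "pid": "0002", "serial": "DOCK-0042",
     "interface_classes": [HID, CDC_CONTROL, CDC_DATA]},
]

if __name__ == "__main__":
    for name, verdict, reason in evaluate_all(SAMPLE_DEVICES):
        print(f"{verdict:<5} {name:<60} {reason}")
```

The serial in the identity is not decoration: an implant can be configured to present the VID and PID of a genuine keyboard, so VID/PID alone is not an identity. USBGuard expresses the same policy in its own rule language, with `allow id <vid>:<pid> serial "<serial>"` entries followed by a catch-all `block` for devices that present a HID or CDC interface, and it can additionally pin a device by a hash of its descriptors. Whatever the tool, the policy has to be default-deny; an allowlist that only blocks known-bad identifiers blocks nothing on this list.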
Mere access to an active USB or Ethernet port can allow an attacker to perform a wide range of attacks against a device and, from there, compromise the network. Other rogue devices monitor or intercept wireless communication protocols from a distance. IT security practitioners must know what they are up against and take measures to defend their devices and networks against such attacks: a default-deny USB policy, 802.1X on wired and wireless ports, and physical inspection of cables, chargers, and adapters go a long way.
Looking to learn more about how to bolster your security posture ahead of the next attempted cyber breach? Contact us or download our Buyer's Guide today.