TY - JOUR
T1 - Defense and Analysis of Hijacking User Login Credentials via Remote Code Execution and Raspberry PI
AU - Nishitkumar, Patel
AU - Wimmer, Hayden
AU - Powell, Loreen Marie
PY - 2020/1/1
Y1 - 2020/1/1
N2 - Cyber-security is a rapidly growing concern for all organizations. Ransomware and botnets are becoming pervasive across the internet. Management needs to understand how systems are compromised by attackers who implant payloads such as ransomware and botnets. One such concern is physical access to machines by bad actors in the organization, or to mobile workstations used at offsite locations. By gaining physical access, a bad actor can implant malware in the form of ransomware or a botnet, which becomes an initial point of entry for assuming control over an organization's network. In this example, we illustrate the dangers of physical access and use a USB device to implant a payload via remote code execution. The remote code installs an application developed to mimic a Windows 10 login screen and populates the login screen with the username of the currently logged-in user. Once the user logs in to this fake screen, the application logs the user's credentials, namely the username and plaintext password, via an HTTP POST to a remote command and control server. Following our demonstration, we discuss implications and countermeasures to aid management in improving the security of the organization.
KW - Cyber-security
KW - Raspberry Pi
KW - Payloads
UR - https://digitalcommons.georgiasouthern.edu/information-tech-facpubs/149
UR - http://proc.conisar.org/2020/pdf/5302.pdf
UR - https://digitalcommons.georgiasouthern.edu/information-tech-facpubs/110
M3 - Article
VL - 13
JO - 2020 Proceedings of the Conference on Information Systems Applied Research
JF - 2020 Proceedings of the Conference on Information Systems Applied Research
ER -