A recent spate of USB-based cyberattacks has hit organizations in the US. Malicious USB devices are posted to selected victims. As soon as they are plugged in, the damage is done.

The Threats Posed by USB Drives

USB drives are convenient, trivially affordable, and ubiquitous. That convenience comes at the expense of security. USB drives are portable, concealable, and can be used to exfiltrate sensitive information from corporate computers and networks. For that reason, many organizations ban USB drives from the workplace and use software tools to disable USB access. Such measures are not the norm. Typically, they are deployed only in larger organizations. Elsewhere, USB drives are free to be used.

The theft of data is only one of the threats. USB drives can be misplaced and lost, exposing private and sensitive information. USB drives are typically used to transport files and move them between computers. If a drive is plugged into a computer that is infected with malware, the USB drive is infected. It then becomes a transport mechanism for the malware. USB drives are likely to be plugged into poorly-protected domestic computers as well as corporate ones, raising the risks of infection.

As well as accidental infection with malware, USB drives can be primed with malicious software and left as bait. The easiest way to do that is to camouflage a malicious program so that it looks like a PDF or document file, and hope the victim tries to open it. Others are much more subtle.

In January 2022, the FBI issued a statement regarding a new wave of USB drive-based cyberattacks, dubbed BadUSB. USB drives were posted to employees at transportation, defense, and financial organizations.

The USB drives were accompanied by convincing letters. Some purported to be from the US Department of Health and Human Services and spoke about COVID-19 guidelines. Others imitated Amazon gift boxes and even included a forged gift card. The USB drives were modified so that they attacked the target's computers as soon as they were plugged in.

The Bait and Wait

Leaving USB drives in employee car parks and other accessible areas of a business is a simple way to get malicious USB drives into the hands of employees. Simple social engineering tricks increase the likelihood that someone will take one back into their place of work and plug it into their computer.

USB drives are planted before lunch so that employees find them at lunchtime, when they are about to return to their desks for the afternoon. If the drives are dropped after lunch, an employee is likely to find one at the end of the working day and take it home.

Attaching a bunch of keys to the USB drive changes the discovery from "I've found a USB drive" to "I've found someone's keys." That triggers a different set of reactions. Everyone can relate to the hassle of losing a bunch of keys. In an attempt to do the right thing and identify the owner, the person who finds them is very likely to check the USB drive for clues.

If they see a document with an irresistible title, such as "Redundancy Plans" or "Management Buy-Out", they'll probably try to open it. If the document is really a malicious program or is carrying a malicious payload, the computer---and therefore the network---is infected.

Staff cybersecurity awareness training must explain the dangers of plugging in unidentified USB drives. When I've been engaged to provide staff awareness training I follow up some weeks later with benign simulated attacks. This measures staff susceptibility. It allows training modules to be repeated if one particular attack finds a disproportionate number of victims, and it allows poorly performing individuals to be identified and retrained.

The USB drops are almost always successful. Even when staff members correctly identify phishing emails and other attack types, someone falls for the lure of the USB drive. There's something about the nature of the USB drive---perhaps because it is completely inert unless it is plugged in---that makes some people unable to resist plugging them in. At least, until they've been caught out for the first time.

The "once bitten, twice shy" approach is OK in the context of a benign testing campaign, but with a real threat? You're already infected.

Stepping on a Landmine

More sophisticated attacks use USBs that can infect the computer without the user trying to run a program or open a file. Malicious USBs have been created---and found in the field---that exploited a vulnerability in the way Windows parsed the metadata in Windows shortcut files, causing a bogus Control Panel application to be executed. That bogus Control Panel application was the malware.

All that was required was for the user to insert the USB drive and view the list of files on the device. Shortcuts on the USB drive caused a malicious Control Panel application to be launched. The malicious application was also on the USB drive.

The BadUSB devices are modified so that even less interaction is needed: all the victim has to do is insert the USB drive.

When they are plugged in, USB devices conduct a conversation with the operating system. The device identifies itself by telling the operating system the make, model, and type of device it is. Depending on what type of device it is, the operating system might interrogate the USB device for more information about itself and its capabilities. The BadUSB devices are modified---the manufacturer's firmware is overwritten with a custom firmware by the threat actors---so they identify themselves as a USB keyboard.

As soon as the device is registered with Windows as a keyboard, it sends a stream of characters to the operating system. Windows accepts these as typed input and acts upon them. The commands open a PowerShell window and download malware. The user need do no more than insert the USB drive.
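The keyboard-masquerade sequence described above leaves a recognisable trace: a keyboard-class device is enumerated and, seconds later, a shell such as PowerShell is started from the desktop. The following Python is an added detection illustration, not tooling from the article or from any vendor; the pipe-separated record layout and the sample log lines are constructed stand-ins for what an endpoint agent might export from the Windows Kernel-PnP and process-creation logs, so real exports will need their own parser.

```python
"""Correlate a keyboard-class USB arrival with a shell start soon after."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    kind: str         # "device_arrival" or "process_start"
    detail: str       # device class for arrivals, image path for process starts
    parent: str = ""  # parent image name for process starts

# Shells a keystroke-injecting device would have to type a command into.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

def parse_line(line: str) -> Event:
    # Constructed record layout (assumption): "<ISO timestamp>|<kind>|<detail>|<parent>".
    ts, kind, detail, parent = line.rstrip("\n").split("|")
    return Event(datetime.fromisoformat(ts), kind, detail, parent)

def load_events(text: str) -> list[Event]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def find_keystroke_injection(events: list[Event], window_s: int = 10):
    """Return (arrival, process) pairs where a keyboard was enumerated and a
    shell was started from explorer.exe (the parent of the Run dialog) within
    window_s seconds. A human plugging in a keyboard and opening PowerShell
    within a few seconds is rare; a BadUSB device does exactly that."""
    hits = []
    for a in events:
        if a.kind != "device_arrival" or a.detail.lower() != "keyboard":
            continue
        for p in events:
            if p.kind != "process_start" or p.parent.lower() != "explorer.exe":
                continue
            image = p.detail.rsplit("\\", 1)[-1].lower()
            if image in SHELLS and a.ts <= p.ts <= a.ts + timedelta(seconds=window_s):
                hits.append((a, p))
    return hits

# Constructed sample: a real keyboard at 08:00, a BadUSB-style sequence at
# 09:14, a USB disk at 10:02 and a user opening PowerShell by hand at 10:40.
SAMPLE_LOG = """\
2022-01-12T08:00:11|device_arrival|Keyboard|
2022-01-12T09:14:02|device_arrival|Keyboard|
2022-01-12T09:14:05|process_start|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|explorer.exe
2022-01-12T10:02:17|device_arrival|DiskDrive|
2022-01-12T10:40:00|process_start|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|explorer.exe
"""

if __name__ == "__main__":
    for arrival, proc in find_keystroke_injection(load_events(SAMPLE_LOG)):
        print(f"{arrival.ts}: keyboard enumerated, {proc.detail} started {proc.ts - arrival.ts} later")
```

Only the 09:14 pair is flagged; the earlier keyboard and the hand-opened PowerShell at 10:40 fall outside the window and are ignored.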

Malicious USBs known as USB Killers are already well known, but these are crude devices that damage the computer they're plugged into. The small amount of electrical power that is sent to USB devices is accumulated and magnified inside the USB killer and released as rapid bursts of up to 200V back into the computer through the USB port. The physical damage this causes renders the computer inoperative. USB killers don't achieve anything beyond vandalism, as bad as that is. They don't spread malware or infect the computer or network in any way.

By masquerading as a keyboard, the BadUSB devices can download and install any kind of malware, with credential grabbers and ransomware being the most common. The BadUSB attacks are a form of social engineering. Social engineering tries to manipulate the victim into taking some action that benefits the threat actors. The convincing cover letter and other trappings combine to add authenticity to the identity of the sender.

Steps You Can Take

As with all social engineering attacks, the best defense is education, but there are other steps you can take too.

  • Staff awareness training---backed up with susceptibility testing---will help prevent this type of attack from being effective. This should be repeated at least annually.
  • If USB drives don't need to form a part of workflows, consider disabling USB access. Use cloud file storage or other means to transfer files that are too large to email and need to be accessed in different locations.
  • Disable autorun for USB devices.
  • Ensure end-point protection software scans USB drives upon insertion.
  • An air-gapped "decontamination" computer can be used to scan and inspect any USB sticks if they must be brought into your premises.