Protecting Against Malicious USB Devices
By Amy Simmons, Vigilant Analyst
A Vigilant Know More Series
Every now and then an anecdote bubbles around the water cooler, a kind of InfoSec campfire story.
The settings change, but the general gist is: A man finds a thumb drive on his desk. There’s no manufacturer, no brand name, no tape-and-marker identification; there’s only the number 23 in a friendly green LED. The man plugs the USB into his workstation, thinking it must be from a coworker. No folder pops up on his desktop, no prompt to run the software within. In fact, nothing happens at all. The man clicks around and moves his mouse, but sees no pointer. His computer makes a noise he will never properly describe to IT, and the machine shuts off. The man looks at the thumb drive he plugged in to find the friendly green LED now reads “24”.
This is only an anecdote, though such flash drives exist as a proof-of-concept. After all, no threat actor worth their salt is going to brick a machine they’re trying to access. But much like how every urban legend has a granule of truth, so too does the USB of legend. While not as dramatic as a flash drive that records its “kills”, malware authors do make use of an often overlooked vulnerability: removable drives.
What Is A Drop Attack?
Drop attacks, or USB-borne malware, are an uncommon but growing threat to enterprise environments. This time last year, removable media accounted for 9% of all reported security incidents. This increased to 20% for incidents where the initial infection was a physical endpoint as opposed to a cloud-based service. Industrial facilities were hit especially hard in 2022, when malware designed to propagate over USB accounted for 52% of all reported malware infections, a significant jump from the 37% seen in 2021.
The effects can be devastating. The ‘world’s first digital weapon’ Stuxnet used USB devices to compromise the infected systems’ logic controllers, spy on the machines, and destroy centrifuges used in SCADA systems. All of that occurred without a single connection to the Internet.
The methods vary, but the end goal is to take advantage of human curiosity or inherent trust. All attacks begin with a user plugging in the USB. From there, depending on the sophistication of the attack, the user may be convinced to click on a seemingly benign file, such as an executable disguised as a PDF or text file. While one can hope that no user would click on a file named “Payroll Information All Employees.pdf” or “Holiday Party Pictures.zip” or “Please Return My USB.txt”, curiosity can get the better of someone. Another, equally effective method relies on the auto-run function: simply put, the moment the computer acknowledges the USB, the executable within fires. As a further example, a successful BadUSB attack occurred in 2020; a malicious external drive acted as a keyboard that, when connected to the target computer, emulated keypresses to download a malicious payload via PowerShell.
At this point, the attack is well underway, and swift containment is the only course of action to prevent further damage.
Remediation, Lessons Learned, Next Steps
Beyond the obvious, there are ways of detecting the how and why. So long as there are logs, there can be detections and alerts. It’s no different for local attacks. For example, in certain drop attacks the malicious code on the removable drive is simply a command to reach out and download a payload from a website. This traffic is logged, even if the connection attempt failed. That record identifies the infected host. From there, remediation can be as simple as removing the file or as painful as a total system reimage.
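To show how the call-out described above can be turned into an alert, here is an added Python example (not Vigilant’s code and not from the original article) that correlates a removable-media insertion with any HTTP request the same host makes shortly afterwards, failed attempts included. The log format, host names, device names and URLs are all constructed for illustration; the parser would need adapting to your own endpoint-agent and proxy sources.

```python
import re
from datetime import datetime

# Constructed sample lines (not real telemetry): an endpoint-agent feed for
# device events and a proxy feed for HTTP requests, merged into one stream.
SAMPLE_LOGS = """\
2023-03-14T09:02:11 host=WS-117 event=usb_connect device=Generic_Flash_Disk
2023-03-14T09:02:48 host=WS-117 event=http url=http://203.0.113.9/p.ps1 status=failed agent=powershell
2023-03-14T09:03:30 host=WS-042 event=http url=https://updates.example.com/x.msi status=200 agent=msiexec
2023-03-14T10:15:00 host=WS-042 event=usb_connect device=Kingston_DataTraveler
2023-03-14T11:40:00 host=WS-042 event=http url=https://intranet.example.com/report.pdf status=200 agent=msedge
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Turn 'TS key=value ...' into a dict; None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(p.split("=", 1) for p in m.group("kv").split() if "=" in p)
    rec["ts"] = datetime.fromisoformat(m.group("ts"))
    return rec


def correlate(lines, window_seconds=300):
    """Alert on any HTTP request a host makes within window_seconds of a USB insertion.
    Failed requests count too: the call-out is logged even when the download never completed."""
    records = sorted(filter(None, map(parse_line, lines)), key=lambda r: r["ts"])
    last_insert = {}  # host -> (insertion time, device name)
    alerts = []
    for rec in records:
        host = rec.get("host")
        if rec.get("event") == "usb_connect":
            last_insert[host] = (rec["ts"], rec.get("device", "?"))
        elif rec.get("event") == "http" and host in last_insert:
            inserted_at, device = last_insert[host]
            elapsed = int((rec["ts"] - inserted_at).total_seconds())
            if elapsed <= window_seconds:
                alerts.append({"host": host, "device": device, "url": rec.get("url"),
                               "status": rec.get("status"), "agent": rec.get("agent"),
                               "seconds_after_insert": elapsed})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS.splitlines()):
        print(alert)  # one alert for WS-117 in the sample: a failed PowerShell fetch 37 s after insertion
```

A host whose only download comes long after the insertion (WS-042 in the sample) is not flagged with the default five-minute window; widening the window trades fewer misses for more noise.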
As with the most dangerous threats, proper training and knowledge are key to preventing malware attacks from removable drives. If a user finds a USB stick or other removable media, they should either leave it alone or take it to IT and explain when, where and how they found it. Discourage the use of removable media in any instance, but especially for departments that deal in sensitive information. If a removable drive must be used, ensure the data on it is encrypted and protected. On domain-controlled hosts, Group Policy Objects are your friend; disabling USB devices is an option in Group Policy Management, and a highly recommended one. If Vigilant MEDR is employed in your environment, a similar rule can be set there, and trusted devices can be whitelisted.
And if a mysterious thumb drive appears on your desk with a “24” in green LED, you may want to smash it with a hammer.