BadUSB explained: How rogue USBs threaten your organization

The FBI has warned of an attack campaign that sends USB drives containing malicious software to employees. Here is what you need to know about BadUSB and mitigating its risks.

In January 2022, the FBI issued a public warning over a USB attack campaign in which numerous USB drives, laced with malicious software, were sent to employees at organizations in the transportation, defense, and insurance sectors between August and November 2021. The USBs came with fake letters impersonating the Department of Health and Human Services and Amazon, sent via the U.S. Postal Service and UPS. The campaign has been dubbed BadUSB. Here is what you need to know about BadUSB and mitigating the risks of this USB attack.

BadUSB definition

“The BadUSB attack provides the victim with what looks like a physical USB stick and a lure to plug it into the victim’s system, such as promising a gift card as a thank you or invoices that need to be processed. Malware research teams initially discovered the campaign in 2020 while examining a malicious thumb drive as part of a forensic investigation for a U.S. hospitality provider.

“The USB drive is configured as a USB keyboard, and the computer will identify it and configure it as such. Once inserted, the USB keyboard will automatically start typing and will typically invoke a command shell and inject commands to download malware.”

Security threats posed by BadUSB

BadUSB, when successful, acts as an initial downloader for anything from credential grabbers to backdoors and ransomware. These attacks are often discussed among security professionals but remain uncommon in practice; because the attack is rare, it is likely to be effective in many situations.

This attack vector may be an attempt to exploit the work-from-home trend: there are fewer guard rails at home, and a user is more likely to plug the device into a work computer or into a home network to which their work computer is also connected.

Some organizations or departments routinely use USB thumb drives, so their staff are more likely to use a USB storage device without suspicion, which makes this tactic more effective. Once attackers have gained a foothold, they can escalate privileges or conduct reconnaissance from the inside, a phase known as post-exploitation.

Perhaps the riskiest element of BadUSB is the possibility that the campaign is merely a distraction for a different or broader attack. “There are a variety of more effective attack vectors that don’t rely on a potentially traceable and high-touch campaign like this.”

Preventing BadUSB risks

Businesses can take several steps to prevent falling victim to the BadUSB attack. The first is to include this campaign and others like it in security awareness training and make sure that all employees understand they should turn over any unidentified hardware to their internal security team before attempting to insert or connect it to their system.

Systems also benefit from up-to-date endpoint protection that can monitor for command shell abuse and for any malware subsequently downloaded. Physical and software-based USB port blockers are also worthwhile on critical systems that do not require USB accessories.
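The mechanism described in the BadUSB definition (a drive that enumerates as a keyboard and immediately types a shell command) and the monitoring advice above suggest a simple correlation rule: alert when a shell process starts on a host within seconds of a new USB HID keyboard being enumerated there. The following Python script is an added example, not code from the original article; the log format, field names and sample lines are constructed assumptions for illustration, and a real deployment would read the equivalent device-enumeration and process-start events from its endpoint telemetry.

```python
"""Correlate USB HID keyboard enumeration with shell launches on the same host.

Log format is a constructed assumption for this example (not any vendor's):
  <ISO-8601 ts> <host> usb_attach vid=.. pid=.. class=.. proto=..
  <ISO-8601 ts> <host> proc_start name=.. parent=..
Lines are assumed to arrive in chronological order.
"""
import re
from datetime import datetime, timedelta

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "bash", "sh"}
# Keystroke injection follows enumeration within seconds; a short window
# keeps ordinary keyboard plug-ins from matching unrelated shell launches.
WINDOW = timedelta(seconds=10)

LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>usb_attach|proc_start) (?P<rest>.*)$")

def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    ev.update(kv.split("=", 1) for kv in ev.pop("rest").split())
    return ev

def detect(lines, window=WINDOW):
    """Return (host, shell, seconds_after_keyboard) for every shell that starts
    within `window` of a HID keyboard appearing on the same host."""
    last_kbd = {}   # host -> timestamp of the most recent HID keyboard enumeration
    alerts = []
    for ev in filter(None, map(parse, lines)):
        if ev["kind"] == "usb_attach" and ev.get("class") == "HID" and ev.get("proto") == "keyboard":
            last_kbd[ev["host"]] = ev["ts"]
        elif ev["kind"] == "proc_start" and ev.get("name") in SHELLS:
            t = last_kbd.get(ev["host"])
            if t is not None and timedelta(0) <= ev["ts"] - t <= window:
                alerts.append((ev["host"], ev["name"], int((ev["ts"] - t).total_seconds())))
    return alerts

SAMPLE = [  # constructed sample log lines; VID/PID values are placeholders
    "2022-01-10T09:14:02Z ws-17 usb_attach vid=0xabcd pid=0x0001 class=HID proto=keyboard",
    "2022-01-10T09:14:05Z ws-17 proc_start name=powershell.exe parent=explorer.exe",
    "2022-01-10T09:30:00Z ws-22 usb_attach vid=0xabcd pid=0x0002 class=MassStorage proto=scsi",
    "2022-01-10T09:30:03Z ws-22 proc_start name=cmd.exe parent=explorer.exe",
    "2022-01-10T10:02:11Z ws-17 proc_start name=cmd.exe parent=explorer.exe",
]

if __name__ == "__main__":
    for host, shell, secs in detect(SAMPLE):
        print(f"ALERT {host}: {shell} started {secs}s after a new USB keyboard was enumerated")
```

Only the first host produces an alert: the mass-storage attach on ws-22 is not a keyboard, and the later cmd.exe on ws-17 falls well outside the window.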

If BadUSB is indeed a misdirection attempt, organizations need to examine the entire malicious operation across their environment, rather than focusing only on the USB drive foothold, so they can recognize indicators of attacker behavior and identify and stop additional malicious activity.

Other delivery methods include scattering BadUSB sticks in the parking lot used by the target organization's executives, leaving them in lifts, handing them out at conferences, and selling them cheaply near the targeted organization's premises.
