While it’s difficult to imagine our modern business lives without mass storage devices, printers, scanners, and cameras, each USB connection can be a serious risk for an organization’s security. USB devices can be infected with malware that attacks your corporate system once a device is connected. Such attacks can result in the theft or compromise of sensitive data, damage to your infrastructure, or even damaged machines.
Have you already included USB devices in your corporate security policy? How do you protect your corporate computers from infected USB devices? Let’s look closer at the most common types of USB drive dangers and ways to secure your organization from them.
What dangers do USB devices pose?
The number of USB attacks is increasing year by year. According to the Honeywell Industrial Cybersecurity USB Threat Report 2021, the percentage of malware transmitted via USB devices increased from 19% in 2019 to 37% in 2020. But before we start considering methods to protect against USB attacks, it’s worth looking at why they’re so dangerous.
Hackers can use USB devices to gain access to a computer. In such a way, hackers can harm, steal, or change sensitive information, destroy a computer, use computer resources to spy on computer users, etc. In most cases, the victims remain unaware for a long time that they have been targeted.
How do USB devices get infected?
Researchers from the Ben-Gurion University of the Negev in Israel have published a paper on USB attack types. They point out four categories of exploits with USB devices:
- Reprogramming a device’s internal microcontroller. In this case, the device doesn’t act like it’s supposed to (e.g. a charger injects keystrokes upon connection).
- Reprogramming firmware to perform actions (starting data exfiltration, launching a cryptocurrency miner, infecting a computer with a Trojan, etc.).
- Exploiting flaws in USB protocols or standards (.exe files automatically running, upgrading a driver using infected files).
- Executing electrical power surge attacks to destroy a computer.
How do USB devices get infected with malware? It can happen intentionally or unintentionally.
Unintentional infection occurs when someone inserts an unprotected USB device into an insecure system.
In an intentional infection, someone knowingly infects a device in order to connect it to a system and harm sensitive data. A device may also be infected during production due to a lack of quality control.
How USB hackers can attack your system
A computer can be infected not only with a USB flash drive but with any device that connects via a USB port, such as a keyboard, microphone, or mouse. Below is an overview of the main methods and devices hackers use to steal sensitive information or harm hardware.
Infected storage drives
Storage devices are convenient for employees who need to work from home, share data with partners at conferences, or use several computers. But with a simple USB stick, it is very easy to infect their endpoints. For example, an employee may compromise their computer by using unknown USB devices, personal USB devices that were infected elsewhere, etc.
Companies from the retail, restaurant, and hotel industries were victims of a USB attack in 2020 in which hackers of the FIN7 cybercriminal group sent parcels to various companies posing as Best Buy. These parcels contained a Best Buy gift card and an infected USB drive. The accompanying note asked the recipient to see a list of products that could be bought with the gift card using the USB storage drive. In such a way, hackers delivered Griffon malware to steal sensitive information from companies.
Data-stealing malware is hard to detect. Once it gets inside a system, it masks itself as a harmless process. Depending on a hacker’s goal, the malware scans the network and steals browser forms, emails, or specific types of files.
These types of USB malware attacks evolve alongside USB ports. In 2019, researchers found a vulnerability in the Thunderbolt interface of USB-C ports. The Thunderbolt connection allows low-level direct memory access, which makes it possible for installed malware to monitor keystrokes, network traffic, and even framebuffer data.
Cryptojacking isn’t a new type of malicious activity, but it has gained popularity over the last few years. Although miners don’t harm your system or steal your data, they exploit computer resources, slowing down performance.
Trojan.BitCoinMiner is one of the popular malicious crypto miners and can be spread via files, messages, emails, and USB devices.
A new crypto mining malware, LemonDuck, affects Windows and Linux systems and spreads via phishing emails, exploits, USB devices, and brute force attacks. Once LemonDuck gets into a system, it attacks all other malware already present and gains access to all vulnerabilities. After that, LemonDuck steals credentials, removes security controls, and starts a crypto mining campaign.
Infected charging cables
Employees often need to charge their mobile phones and connect them to their corporate computers via a USB charging cable to do so. However, this comes with a risk that your corporate system will be damaged with a hacking device like USBsamurai — a remote-controlled USB injecting cable that costs less than $15. It uses its own wireless protocol and allows a hacker to record keystrokes through a covert wireless channel. In such a way, air-gapped networks, where systems are totally isolated from third-party devices, can be subject to attacks.
Another example of an infected device is a cable with an integrated Wi-Fi PCB created by security researcher Mike Grover in 2019. This cable is recognized by Windows and Linux systems as a human interface device. Using the Wi-Fi PCB, a hacker can connect to a computer remotely and manipulate the cursor, stealing information.
A USB device can do more than just infect your system with malware. Such devices can also exploit a well-known USB power surge vulnerability. Power and data lines are poorly protected from voltage peaks. This is probably the only type of USB attack you can’t protect against.
For example, the USB Kill device charges a computer’s capacitors to 110 volts and leads to system death. In 2019, a student from the College of St. Rose in New York used USB Kill to destroy 59 college computers.
Other USB devices
Cyber attackers can use any USB device, not only storage drives and charging cables. There are numerous cases when hackers have taken control of routers and cameras and used them to collect data or conduct denial of service attacks. This can happen because any such device has a microcontroller that’s responsible for communication. However, this microcontroller isn’t protected against code changes, so hackers can make it work in a completely different way than it was initially designed to.
For example, in 2021, security researchers discovered a printer-based attack vector that had lurked in HP printer drivers for 16 years and caused damage to hundreds of millions of machines. Due to this bug, hackers could gain access to a system and view, change, delete, or encrypt important data.
If an employee inserts an infected USB device into a USB port, it will take seconds to infect the computer. But detecting such an attack and estimating the damage from it is much more time-consuming. Let’s take a look at several methods you can use to protect your sensitive data from USB-related cyber attacks.
How to protect your organization from USB attacks?
As you can see from the examples above, hackers are coming up with more and more sophisticated ways to obtain sensitive corporate information. The theft or destruction of important data can be very harmful to your organization. Therefore, it’s worth installing additional security measures to protect sensitive data from possible USB attacks. Below, we give you an overview of some of the measures you can take to protect computers from infected USB devices.
The human factor plays a significant role in the spread of USB cyberattacks. An employee may be irresponsible or uninformed and use an infected USB device. That’s why it’s a good idea to train your employees. Provide employees with instructions on:
- How to store sensitive information
- How to protect a USB device from viruses
- Which devices can and cannot be plugged into corporate computers
- How to recognize a USB threat
- How to protect from threats against USB-enabled devices
- What to do in case of a cyber attack
The main goal of such training is to motivate employees to be more responsible in cybersecurity matters and to do their best to prevent cyberattacks.
Encrypt sensitive data
Another way to protect your data is to encrypt it. In order to access encrypted data, a user has to enter a password or key file. Even if attackers manage to steal your information with a USB device, they won’t be able to use it if it’s encrypted.
Install cybersecurity tools
You can install antivirus software, scanners to check every connected USB device, and other USB management tools that will block or inform you about unapproved devices. It is very important to regularly check these systems and update them.
Whitelist USB devices
Blocking all USB devices and ports might seem like a perfect solution to protect your organization from malware. But in fact, this will be challenging to execute and disruptive for employees. Therefore, you can create a whitelist for allowed removable devices so that everything except specified devices will automatically be blocked.
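The following added example (not Ekran System code and not from the original article) shows how an allowlist check can be run over Linux kernel log lines, flagging unlisted devices, unknown serial numbers, and a storage device that also presents a keyboard interface, as the reprogrammed devices and cables described earlier do. The vendor and product IDs, serial numbers, log lines, and the names `ALLOWLIST` and `audit` are constructed for illustration.

```python
import re

# Allowlist keyed by (vendor ID, product ID). All values are constructed.
ALLOWLIST = {
    ("0781", "5567"): {"serials": {"4C530001230712"}, "hid": False},  # issued flash drive
    ("046d", "c31c"): {"serials": None, "hid": True},                 # office keyboard
}

NEW_DEV = re.compile(
    r"usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
SERIAL = re.compile(r"usb (\S+): SerialNumber: (\S+)")
HID = re.compile(r"hid-generic \w{4}:([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})\.\w+: .*USB HID")

# Constructed kernel log lines in the format Linux prints on USB enumeration.
SAMPLE_LOG = [
    "usb 1-2: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00",
    "usb 1-2: SerialNumber: 4C530001230712",
    "usb 1-3: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 1.00",
    "usb 1-4: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00",
    "usb 1-4: SerialNumber: 0000000000FFFF",
    "hid-generic 0003:0781:5567.0004: input,hidraw1: USB HID v1.11 Keyboard "
    "[Generic] on usb-0000:00:14.0-4/input1",
]

def audit(lines, allowlist=ALLOWLIST):
    """Return (reason, 'vid:pid') findings for devices that violate the allowlist."""
    findings, ports = [], {}
    for line in lines:
        if m := NEW_DEV.search(line):
            port, vid, pid = m.groups()
            ports[port] = (vid, pid)          # remember which device sits on the port
            if (vid, pid) not in allowlist:
                findings.append(("not on allowlist", f"{vid}:{pid}"))
        elif m := SERIAL.search(line):
            key = ports.get(m.group(1))
            rule = allowlist.get(key)
            if rule and rule["serials"] is not None and m.group(2) not in rule["serials"]:
                findings.append(("unknown serial", f"{key[0]}:{key[1]}"))
        elif m := HID.search(line):
            key = (m.group(1).lower(), m.group(2).lower())
            rule = allowlist.get(key)
            if rule and not rule["hid"]:      # a storage device acting as a keyboard
                findings.append(("unexpected HID interface", f"{key[0]}:{key[1]}"))
    return findings

if __name__ == "__main__":
    for reason, device in audit(SAMPLE_LOG):
        print(f"{device}: {reason}")
```

Vendor and product IDs are reported by the device itself and can be copied by a reprogrammed device, so a check like this complements blocking and monitoring rather than replacing them.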
Conduct regular cybersecurity audits
New cyber threats emerge fast and often. Besides, your company’s infrastructure changes over time. New employees come in, new devices are used, new methods of protection against cyber attacks emerge. Conducting regular system audits, updating USB device whitelists and blacklists, and updating protection tools will help you prevent USB-based attacks and ensure your data security. Moreover, regular checks help you identify weak points that need additional protection.
How can Ekran System help?
Ekran System is insider risk management software that can be used for efficient USB management.
Using its configuration rules, you can specify the types of USB devices to monitor and block. These rules can easily be customized for every individual client and client group.
By default, Ekran System provides you with the following features:
- Monitoring of connected USB devices. Ekran System collects logs of a specified class of connected USB devices along with all other user activity metadata.
- Alerts about connected USB devices. Ekran System notifies security officers with real-time alerts when a potentially dangerous device is plugged into a USB port.
- Blocking of connected USB devices. The software automatically blocks any prohibited device and optionally notifies the user with a pop-up message.
- Access control for USB devices. Users must ask permission to use a USB device when it is connected. The administrator can manually allow or deny access.
- USB device whitelist and blacklist. You can create a list of USB devices that are allowed and not allowed to connect, creating rules by vendor, hardware, and other parameters.
Finally, upon your request, Ekran System can generate a report that includes data about all events associated with USB devices.
USB devices pose a serious threat to your company’s IT security unless they’re managed properly. A malicious USB device can steal your data or infect your network.
Ekran System offers an effective USB malware protection tool that can easily be customized to meet your requirements. Using its default and custom rules, you can protect every computer in your corporate network against threats posed by USB devices.