SoS Musings - The Danger of USB Attacks

By grigby1 

Malicious actors have been relentless in their efforts to attack individuals and organizations via USB drives. For example, in 2022, the Federal Bureau of Investigation (FBI) warned of a cybercrime group mailing out USB drives with the goal of spreading ransomware. The USB drives, sent through the US Postal Service and United Parcel Service, facilitated 'BadUSB' attacks. One USB drive came with a message appearing to be a COVID-19 warning from the US Department of Health and Human Services (DHHS). Other malicious USB drives were sent with a gift card claiming to be from Amazon. BadUSB exploits the versatility of the USB standard: the device's own firmware, not its packaging, tells the host what it is, so the controller in an ordinary-looking drive can be reprogrammed to perform malicious activities such as enumerating as a keyboard and injecting keystrokes on a computer, installing malware before the operating system boots, spoofing a network card, redirecting traffic, and more. USB attacks continue to grow in frequency and sophistication.

Researchers at Mandiant observed a threefold growth in USB malware attacks in the first half of 2023. Mandiant described two espionage campaigns, the first of which involves malware called SOGU. The company identifies SOGU as one of the most prevalent malware families that enter a computer via a USB drive. It has been used to target both government agencies and private businesses. The second example of USB malware provided by Mandiant is SNOWYDRIVE, which installs a backdoor on the target and gives the operators remote control of the system. Additionally, it attempts to move laterally within a corporate network to get as much access as possible to sensitive data.

Check Point Research discovered a new variant of self-propagating malware actively spread via USB drives by Camaro Dragon, a China-backed Advanced Persistent Threat (APT) operation. Researchers found multiple new variants of the malware while investigating a cybersecurity incident at a European healthcare facility. According to the researchers, the healthcare facility was infected when a staff member attending a conference in Asia shared their USB drive with a colleague whose computer was infected. The malware was then transferred to the drive. When the employee returned to their home hospital in Europe, they introduced the infected USB drive to the hospital's computer systems, causing the infection to spread. Camaro Dragon, an espionage-focused group, has historically targeted Southeast Asian countries. It has been linked to previous campaigns in which infected USB drives were used to spread malware.

Hackers have also been using USB drives carrying a strain of malware typically used by the Chinese government to target people in Mongolia, Papua New Guinea, Ghana, Zimbabwe, and Nigeria. Sophos researchers previously discovered the use of USB drives containing the PlugX malware to target government organizations in Southeast Asia. The malware carried by the USB drives was developed in 2008 by Chinese government hackers known as Mustang Panda. The PlugX attack, described as "retro" because of its use of USB drives, was then discovered in Africa. Gabor Szappanos, threat research director at Sophos, noted that removable media is not normally considered 'mobile' when compared to Internet-based attacks, but the technique has proven effective in this part of the world. Once delivered, the malware communicates with an IP address previously associated with Mustang Panda actors. The PlugX malware copies the contents of a victim's recycle bin and their device's hard drive, collecting various files.

USB-based cyberattacks can have a lingering effect. In 2008, Turla, a Russian cyber espionage group, gained notoriety as the hackers behind agent[.]btz, a piece of malware that spread throughout the US Department of Defense's (DOD) systems via infected USB devices used by Pentagon employees. Fifteen years later, in 2023, the same group appeared to be attempting a new variation of this approach: hijacking the USB infections of other hackers in order to piggyback on those infections and choose its spying targets. Mandiant disclosed an incident in which Turla hackers accessed victim networks by registering the expired domains of almost decade-old cybercriminal malware that spread through infected USB drives. Turla took control of the malware's Command-and-Control (C2) servers and sifted through its victims to identify those worth targeting for espionage. This strategy allows Turla to remain undiscovered by hiding within the footprints of other hackers while scouring a broad assortment of networks.

The public must be made increasingly aware of USB-based attacks. In 2023, US government agencies issued a warning about malware planted in public charging stations for phones and other electronic devices. The FBI Denver office urged the public to avoid using free charging stations in airports, hotels, and shopping malls, as malicious actors have discovered methods to use public USB ports to infect devices with malware and monitoring software. Instead, people are encouraged to bring their own charger and USB cord and to use an electrical outlet. The sentiment was reiterated in a notice from the Federal Communications Commission (FCC) regarding the phenomenon known as "juice jacking," which added that, in some cases, criminals may have intentionally left cables connected to charging stations. In addition, there have been reports of infected cables being distributed as promotional gifts. Experts have emphasized that charging stations pose a threat to both individuals and businesses.

A team of researchers from the Ben-Gurion University of the Negev in Israel identified 29 ways in which attackers could use USB devices to compromise users' computers, with the aim of informing users of the many different ways USB devices can be abused to infect systems and steal data from protected and air-gapped networks. The researchers classified the 29 exploitation techniques into four categories based on how the attack is performed: reprogrammable microcontroller USB attacks, maliciously reprogrammed USB peripheral firmware attacks, attacks based on unprogrammed USB devices, and USB-based electrical attacks. The first category involves reprogramming the USB device's internal microcontroller so that the device appears to be one kind of USB device, such as a charger, but performs the operations of another, like a keyboard. The second category is the reprogramming of the USB device's firmware to execute malicious actions, such as malware downloading, data exfiltration, and more. The third category exploits flaws in how operating systems interact with USB protocols and standards rather than reprogramming the USB device's firmware. The final category is electrical: a USB device that delivers an electrical surge can permanently destroy the host it is plugged into.
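The first two categories above, and the BadUSB description earlier in this article, share one host-visible symptom: the device's descriptors, which are entirely under the attacker's control, claim an identity or a set of interfaces that the organization never approved. The following Python script is an added example written for this article, not code from the article, from the Ben-Gurion researchers, or from any vendor. It evaluates a small allowlist policy of the kind USB device-control tools apply at enumeration time. The device records, the vendor/product IDs in the allowlist, and the sample enumerations are all constructed and hypothetical; no hardware is touched.

```python
"""Toy host-side USB admission policy, evaluated over constructed enumerations.

Added example for this article, not code from it or from any vendor.
Each record mimics what a host learns at enumeration: idVendor:idProduct
plus the bInterfaceClass of every interface descriptor. No real hardware
or libusb call is made.
"""
from dataclasses import dataclass

# USB-IF interface class codes (real values from the USB class code list)
AUDIO = 0x01
CDC_COMM = 0x02   # communications class; USB network adapters (CDC-ECM, RNDIS) live here
HID = 0x03        # keyboards, mice
MASS_STORAGE = 0x08


@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    interface_classes: tuple  # bInterfaceClass of each interface descriptor
    label: str = ""


# Hypothetical allowlist: VID:PID -> interface classes the organization approved.
ALLOWLIST = {
    (0x046D, 0xC52B): frozenset({HID}),           # assumed: approved keyboard receiver
    (0x0951, 0x1666): frozenset({MASS_STORAGE}),  # assumed: approved USB stick
}


def classify(dev: UsbDevice) -> list:
    """Return the reasons a device should be blocked; an empty list means allow."""
    reasons = []
    classes = frozenset(dev.interface_classes)
    approved = ALLOWLIST.get((dev.vid, dev.pid))

    if approved is None:
        reasons.append("unknown VID:PID")
    elif not classes <= approved:
        extra = sorted(classes - approved)
        reasons.append("extra interface classes not on allowlist: %s" % [hex(c) for c in extra])

    # Structural checks for the reprogrammed-controller patterns: a device that
    # enumerates as storage but also exposes a keyboard (keystroke injection) or
    # a network interface (traffic redirection). VID:PID are attacker-chosen, so
    # these run even for allowlisted IDs.
    if HID in classes and MASS_STORAGE in classes:
        reasons.append("storage device also presents a HID interface (keystroke injection pattern)")
    if CDC_COMM in classes and (MASS_STORAGE in classes or HID in classes):
        reasons.append("presents a network interface alongside storage/HID (rogue NIC pattern)")
    return reasons


def decide(dev: UsbDevice) -> str:
    """Policy decision for one enumeration."""
    return "allow" if not classify(dev) else "block"


# Constructed sample enumerations (labels and IDs are illustrative only)
SAMPLES = [
    UsbDevice(0x046D, 0xC52B, (HID, HID), "approved keyboard receiver"),
    UsbDevice(0x0951, 0x1666, (MASS_STORAGE,), "approved stick"),
    UsbDevice(0x0951, 0x1666, (MASS_STORAGE, HID), "stick with reprogrammed firmware"),
    UsbDevice(0x1D6B, 0x0104, (CDC_COMM, MASS_STORAGE), "gadget presenting NIC + storage"),
    UsbDevice(0x1234, 0x5678, (HID,), "unknown keyboard"),
]


def audit(devices=SAMPLES) -> dict:
    """Map each device label to its policy decision."""
    return {d.label: decide(d) for d in devices}


if __name__ == "__main__":
    for d in SAMPLES:
        print(f"{d.vid:04x}:{d.pid:04x} {d.label!r:40} -> {decide(d)} {classify(d)}")
```

The allowlist alone is not enough, which is why the interface-class checks run regardless of the ID: a reprogrammed controller can copy the VID:PID of an approved keyboard. The structural checks catch the composite cases (storage plus keyboard, storage plus network adapter) that this article describes, but a device that clones an approved keyboard's ID and presents only a HID interface is indistinguishable at enumeration time; against that, the remaining controls are physical port policy and monitoring for bursts of injected keystrokes after attach.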

USB attacks have unique advantages that keep them both trending and impactful. Cybercriminals are drawn to USB attacks because they allow them to evade deployed security mechanisms, establish covert persistence, gain initial access to corporate networks, and infect air-gapped systems. The SoS community is encouraged to continue exploring and addressing such attacks.

To see previous articles, please visit the Science of Security Musings Archive.

Submitted by Gregory Rigby on