
BadUSB: A Growing Cybersecurity Threat

Earlier this year, the FBI issued a warning about a cybercrime campaign that had been running since the previous August. The attackers mailed USB drives to American companies in several industries, disguised as shipments from the US Department of Health and Human Services or as gifts from Amazon. When plugged into a computer, the drives carry out what is known as a “BadUSB” attack: the device registers itself as a USB keyboard and types commands that install malware or create backdoors for the attackers to use later.

While a BadUSB attack requires someone to physically insert the drive into a computer, once a curious employee has done so, the injected commands run with that employee’s access to your organization’s most sensitive data. For IT security professionals, BadUSB is the equivalent of letting an attacker sit at an employee’s desk and use the unlocked workstation to attack the network from the inside.

Where do “BadUSB Drives” come from?

A BadUSB drive is usually a standard, inexpensive USB drive whose controller firmware has been reprogrammed (or a purpose-built device housed in a flash-drive shell) so that it enumerates as a different device class, typically a keyboard, and covertly types commands into the target computer to install malware, including ransomware, in the background. BadUSB ploys rely on social engineering, exploiting ordinary curiosity to gain access without the target ever noticing. The drives are planted in specific places (or handed to specific people) near the target IT system. All it takes is for one employee to find a “lost” drive by the company entrance or near their home and plug it in to see “if it works.” At that point it is usually too late to stop the compromise. The drives often advertise enticing features, such as capacities of a terabyte or more, to make them even more attractive to an unsuspecting target. Because a single affected drive inserted into a connected computer is enough, BadUSB campaigns may plant or mail large numbers of drives to improve their odds of success.

How does BadUSB work — and why is it so dangerous?

The impact of BadUSB is equivalent to letting an unknown attacker sit at an employee’s unlocked computer and attack the network directly from the inside. In that sense a BadUSB attack is simpler than phishing: once the drive is plugged into an unlocked work system, the attacker does not need to know a password, because the injected keystrokes run with whatever access the logged-in user already has. The script executes, attacks the network and installs malware wherever it can, and that malware can replicate across the network if endpoint protection does not catch it. The method of access is simple, but the potential damage is severe: a BadUSB drive can do anything a skilled attacker could do from the employee’s chair. Depending on the payload programmed into the drive, that can mean files copied, destroyed, or held for ransom, a backdoor covertly planted for later access, keyloggers installed, administrative access acquired, or other connected systems infiltrated.

Much of the defense therefore comes down to the security agents running on the employee’s system: if they are up to date and able to block input from unrecognized devices, the crisis can be averted. The difficulty is that, to the operating system, keystrokes typed by a malicious USB device look exactly like keystrokes from the employee’s own keyboard, so an agent has to rely on secondary signals (a newly enumerated keyboard, implausibly fast typing, a keyboard appearing alongside a storage device) rather than on the input itself, which makes fully automated prevention hard. With zero-day exploits growing, mitigation is never a certainty.
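One of the secondary signals mentioned above is typing speed: injected payloads are typed far faster than any person can manage. The following is an added example, not code from the original article or from any vendor’s agent. It assumes keystroke events are already available as (timestamp, key) tuples from a HID hook or endpoint agent, and the thresholds and the sample streams are constructed for illustration.

```python
"""Keystroke-timing heuristic for spotting BadUSB-style keystroke injection.

Added example; it is not code from the original article. It assumes keystroke
events are already available as (timestamp_seconds, key) tuples from a HID
event hook or endpoint agent; the streams at the bottom are constructed.
"""
from statistics import median

# Assumed thresholds for this example (tune against your own telemetry):
# a human typist rarely sustains gaps below ~40 ms, while injected payloads
# are commonly typed at 1-10 ms per key.
MIN_HUMAN_INTERVAL_S = 0.040
WINDOW = 8              # consecutive gaps examined at a time
MAX_FAST_RATIO = 0.75   # share of sub-human gaps in a window that raises an alert


def intervals(events):
    """Inter-keystroke gaps (seconds) for a list of (timestamp, key) tuples."""
    ts = [t for t, _ in events]
    return [later - earlier for earlier, later in zip(ts, ts[1:])]


def detect_injection(events, window=WINDOW, min_interval=MIN_HUMAN_INTERVAL_S,
                     max_fast_ratio=MAX_FAST_RATIO):
    """Slide a window over the gaps; alert on the first superhumanly fast burst.

    Returns {"alert": bool, "start": index of the first flagged gap or None,
    "median_gap": median gap of that window or None} so a caller can log evidence.
    A stream shorter than the window never alerts (too little to judge).
    """
    gaps = intervals(events)
    for i in range(max(len(gaps) - window + 1, 0)):
        chunk = gaps[i:i + window]
        fast = sum(1 for g in chunk if g < min_interval)
        if fast / window >= max_fast_ratio:
            return {"alert": True, "start": i, "median_gap": median(chunk)}
    return {"alert": False, "start": None, "median_gap": None}


def constructed_stream(text, start_ts, gap_s):
    """Build a synthetic keystroke stream with a fixed gap between keys."""
    return [(start_ts + i * gap_s, ch) for i, ch in enumerate(text)]


# Constructed inputs: a person typing at ~7 keys/s, then a payload injected
# at 200 keys/s (the kind of speed a BadUSB device uses to finish unnoticed).
HUMAN = constructed_stream("powershell", 0.0, 0.150)
INJECTED = constructed_stream("powershell -w hidden", 10.0, 0.005)


if __name__ == "__main__":
    for name, stream in (("human", HUMAN), ("injected", INJECTED),
                         ("human then injected", HUMAN + INJECTED)):
        print(name, detect_injection(stream))
```

Treat this as one signal, not a verdict: clipboard pastes and macro tools also produce dense bursts, and an attacker who knows the threshold can slow the payload down. In practice the timing check is combined with device-enumeration checks (a new keyboard appearing mid-session, or a keyboard interface on a device that presents itself as storage).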

What can IT security do to stay protected?

Years ago, many companies took an overprotective approach and locked down all USB ports, but that created its own headaches: IT staff had to make regular exceptions for executives, legal, human resources, finance, and other personnel who needed to carry important files to and from the system, often for urgent business purposes. Since then, USB drives have generally been allowed, with endpoint security agents and Windows Group Policy Objects (GPOs) applying controls over what may connect.

An approved list of company-issued USB drives can stop unrecognized drives from connecting to devices on the enterprise network. Still, because the controller firmware of a standard USB flash drive can be reprogrammed, one briefly misplaced employee drive could come back altered and still be accepted by the IT system as a trusted device. Hardware-encrypted drives have a crypto processor built into the device itself, so the correct password is needed before any data can be written to the drive. That requirement protects the stored contents from tampering by anyone who does not know the password: an attacker who picks up an employee’s drive cannot plant files on it, and cannot mimic that employee’s drive without the password. One caveat a practitioner should keep in mind: password protection of the storage area does not by itself stop a controller from being reflashed, so when selecting drives, look for ones whose firmware is locked or cryptographically signed, since that is the property that actually prevents a BadUSB-style conversion.

As always, a strong, regularly updated endpoint management platform is part of the best defense against cyberattacks. The software companies use (offerings from Microsoft, McAfee, Symantec, Sophos, and others) can read the Vendor ID (VID) and Product ID (PID) that every device presents when it connects to a USB port and act on them, for example by blocking the port entirely and refusing the connection. Hardware-encrypted drives support this model with built-in protection against BadUSB, including custom PIDs that let IT allow exactly the approved drives and block everything else. Keep in mind that a VID/PID is a self-reported identifier that a malicious device can copy, so allowlisting should be combined with a check on the device class actually presented: a “storage” drive that enumerates a keyboard is a red flag.
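The following added example (not the article’s own code or any vendor product) shows that combined check over Linux kernel USB enumeration messages: devices are keyed by the VID/PID they report, and a device is blocked both when its ID is unknown and when an approved ID presents an interface class it should not have. The allowlist entries, the VID/PID values and the dmesg-style log lines are all constructed for this example.

```python
"""USB device-control check: allowlist by VID/PID plus interface-class check.

Added example, not the article's own or any vendor's code. Input is a list of
Linux kernel USB enumeration messages (dmesg style); the sample lines and the
VID/PID values in ALLOWLIST are constructed for this example.
"""
import re

# Assumed policy: company-issued devices keyed by "vid:pid", each with the
# single interface class it is expected to present.
ALLOWLIST = {
    "abcd:1234": "storage",   # constructed ID for an approved encrypted drive
    "0c0f:0005": "keyboard",  # constructed ID for the standard-issue keyboard
}

NEW_DEVICE = re.compile(r"usb (?P<path>[\d.-]+): New USB device found, "
                        r"idVendor=(?P<vid>[0-9a-fA-F]{4}), idProduct=(?P<pid>[0-9a-fA-F]{4})")
STORAGE = re.compile(r"usb-storage (?P<path>[\d.-]+):\d+\.\d+: USB Mass Storage")
# hid-generic lines carry the VID/PID (upper-case hex) but not the bus path.
KEYBOARD = re.compile(r"hid-generic 0003:(?P<vid>[0-9a-fA-F]{4}):(?P<pid>[0-9a-fA-F]{4})\.\d+: "
                      r".*USB HID v[\d.]+ Keyboard")


def parse_usb_log(lines):
    """Group messages per device; returns {bus_path: {"id": "vid:pid", "ifaces": set}}."""
    devices = {}
    by_id = {}  # vid:pid -> most recently enumerated path, to join hid-generic lines
    for line in lines:
        m = NEW_DEVICE.search(line)
        if m:
            dev_id = f"{m['vid']}:{m['pid']}".lower()
            devices[m["path"]] = {"id": dev_id, "ifaces": set()}
            by_id[dev_id] = m["path"]
            continue
        m = STORAGE.search(line)
        if m and m["path"] in devices:
            devices[m["path"]]["ifaces"].add("storage")
            continue
        m = KEYBOARD.search(line)
        if m:
            dev_id = f"{m['vid']}:{m['pid']}".lower()
            if dev_id in by_id:
                devices[by_id[dev_id]]["ifaces"].add("keyboard")
    return devices


def evaluate(devices, allowlist=ALLOWLIST):
    """Apply the policy; returns {bus_path: (decision, reason)}."""
    verdicts = {}
    for path, dev in devices.items():
        expected = allowlist.get(dev["id"])
        ifaces = dev["ifaces"]
        if expected is None:
            seen = ", ".join(sorted(ifaces)) or "no interfaces"
            verdicts[path] = ("block", f"{dev['id']} not on allowlist ({seen})")
            continue
        extra = sorted(ifaces - {expected})
        if extra:
            # An approved ID presenting an unexpected class: spoofed VID/PID or
            # a reprogrammed drive that now exposes a keyboard.
            verdicts[path] = ("block", f"{dev['id']} approved as {expected} but also presents {extra}")
        else:
            verdicts[path] = ("allow", f"{dev['id']} approved as {expected}")
    return verdicts


SAMPLE_LOG = [  # constructed dmesg-style lines, not a real capture
    "usb 1-1: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.10",
    "usb 1-1: Product: Approved Encrypted Drive",
    "usb-storage 1-1:1.0: USB Mass Storage device detected",
    "usb 1-2: New USB device found, idVendor=1a2b, idProduct=3c4d, bcdDevice= 1.00",
    "usb 1-2: Product: Free Gift Drive",
    "usb-storage 1-2:1.0: USB Mass Storage device detected",
    "hid-generic 0003:1A2B:3C4D.0005: input,hidraw0: USB HID v1.11 Keyboard [Free Gift Drive] on usb-0000:00:14.0-2/input1",
    "usb 1-3: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.10",
    "hid-generic 0003:ABCD:1234.0006: input,hidraw1: USB HID v1.11 Keyboard [Approved Encrypted Drive] on usb-0000:00:14.0-3/input0",
    "usb 1-4: New USB device found, idVendor=0c0f, idProduct=0005, bcdDevice= 2.00",
    "hid-generic 0003:0C0F:0005.0007: input,hidraw2: USB HID v1.10 Keyboard [Standard Keyboard] on usb-0000:00:14.0-4/input0",
]


def check_log(lines=SAMPLE_LOG):
    """Parse and evaluate a log in one call."""
    return evaluate(parse_usb_log(lines))


if __name__ == "__main__":
    for path, (decision, reason) in check_log().items():
        print(f"{path}: {decision:5s} {reason}")
```

In the constructed log, device 1-2 is blocked because its ID is unknown, and device 1-3 is blocked even though it reports the approved drive’s VID/PID, because it enumerates a keyboard instead of storage. The join between the device line and the hid-generic line is by VID/PID, so two identical approved drives plugged in at once would be attributed to the most recent one; an agent with access to the sysfs device tree would key on the bus path instead.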

Facing the ongoing threat of BadUSB

BadUSB attacks have proliferated in the last year for a simple reason: they work. As long as curiosity is part of human nature, BadUSB and similar threats will continue to endanger unprepared organizations. Staying vigilant and regularly reviewing and updating security controls makes a successful attack less likely, and combining those efforts with a standard policy of hardware-encrypted USB and external SSD devices offers the best protection against BadUSB. By implementing these changes and staying up to date on warnings about how BadUSB attacks continue to evolve, organizations and businesses stand the strongest chance of staying protected.