Beware of Sophisticated Malicious USB Keys

Malicious USB keys have always been a problem. There is almost no professional penetration testing team that does not drop a handful of USB keys outside a targeted organization and then watch employees plug them in and open boobytrapped documents or run malicious executables.

My favorite trick, when I was a full-time penetration tester, was to label the dropped USB keys with the company’s name and include a malicious file labeled “Pending layoffs”. Employees could not wait to plug those in and open the file.

KnowBe4 even has functionality for creating and tracking simulated USB key drops built into our software. The feature can tell you who plugged them in and launched the simulated malware, who typed in their passwords, and so on. It is a great feature for administrators who want to test and educate their employees on potential social engineering attacks. We have even had sysadmins hit by their own simulated USB creations because they forgot about them, had them lying around, and plugged them in many months later. That is embarrassing.

USB key attacks are real. They do happen, and some ransomware gangs in particular are known for focusing on USB attacks. In 2020, Sophos reported that seven percent of the ransomware attacks it investigated (172 incidents) started via USB. It was the only ransomware report citing USB keys as a significant root cause of compromise, and that figure likely reflects Sophos' own customer base: its customers were more commonly hit by a ransomware group that favors USB keys. But USB drops are used by more than one ransomware group, and by real-world attackers in general.

Sophisticated USB Attacks

Many readers may picture attackers dropping plain, unmarked USB keys in parking lots and hoping for the best. But USB attackers can be quite sophisticated and go above and beyond in the branding and marketing of their malicious USB keys. Some create official-looking "FedEx" packaging, complete with professional-looking, high-quality folders, letters, and USB keys. Some of these USB scams are so good that I wonder if I could spot the phish. Here are two examples:

Fake Microsoft Office Scam

In this example, the potential victim was mailed what looked like a (free) copy of Microsoft Office Professional Plus.

USB Scam Example

Is this original, legitimate Microsoft packaging that the hacker simply reused, or is it newly created, fake branding? I do not know. It is that good.

Fake Ledger Crypto Device

Ledger is one of the world's leading vendors of hardware cryptocurrency wallets. They make high-quality devices that significantly decrease the risk of online and offline cryptocurrency theft. In July 2020, a third-party service vendor was compromised, leading to the theft of Ledger's customer list. Ledger rightfully notified customers, and it was a moderately big story at the time. Ledger warned customers to be alert for future attacks that made use of the stolen information.

Well, Ledger's caution to its customers was warranted. In June 2021, an attacker produced very sophisticated, Ledger-branded packaging sealed in shrink wrap. See the images below, taken from a news article:

Here is the external packaging box:

Ledger Example

It contained a compromised Ledger device, a letter, and instructions telling customers that the previously announced (real) compromise required Ledger to send all impacted customers a new, "improved" Ledger device, which they needed to "upgrade" to. Here is the letter.

Ledger Example

It is on fake Ledger-branded letterhead, supposedly signed by the Ledger CEO with a forged signature. The instructions looked like this:

Ledger USB Scam Instructions

The instructions told the potential victim how to "install" the new Ledger device. If the potential victim had followed them, all the cryptocurrency protected by the Ledger device would have been stolen.

The person who reported the scam, the original intended victim, did not fall for it. But how many other Ledger customers who were sent the fake packaging, letter, instructions, and compromised device did?

Again, if I were a Ledger customer, would I have noticed the scam? I am not sure. I hope I would...but I am not 100% sure. What about our average end-users? Since over 30% of our uneducated co-workers will click on what we think is an obvious, fairly unsophisticated phishing scam, I have to believe that a higher percentage would fall for these very sophisticated, professional-looking USB scams, if appropriately motivated by the subject matter and purported vendor. So, what can you do?

USB Scam Defenses

All cyber defenses have three main components: policies, technical defenses, and education.

Make sure your organization's policies instruct employees to be aware of such attacks, and that they are never to pick up an unknown or unapproved removable storage device (of any kind) and plug it into organization resources. Unknown USB devices should be reported and handed to IT security. That is Step 1.

Second, install technical defenses that prevent unapproved removable media from being plugged into or accessed on company resources. Make sure AutoRun and AutoPlay are disabled. Make sure antivirus programs scan every removable media device that is successfully accessed. This includes even camera media cards.
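As an added example (not from the original article and not part of KnowBe4's software), the following PowerShell script applies the technical controls just described on a single Windows endpoint and then audits them: it turns off AutoRun/AutoPlay for every drive type, denies all access to removable storage through the RemovableStorageDevices policy key, and configures Microsoft Defender to scan removable drives and to block untrusted or unsigned executables launched from USB. The registry paths, value names and Defender cmdlets are the documented Windows ones; the function names and the status object are this example's own. It assumes an elevated session on a machine you can write HKLM policy keys on; in a managed estate the same settings are normally pushed by Group Policy or Intune rather than by a script.

```powershell
# Added example: harden a Windows endpoint against unknown USB media and audit the result.
# Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

$ExplorerPolicy   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ExplorerPolicy2  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer'
$RemovablePolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Defender Attack Surface Reduction rule "Block untrusted and unsigned processes that run from USB".
$AsrUsbRule       = 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'

function Set-PolicyDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Disable-AutoRun {
    # 0xFF = "Turn off AutoPlay" for every drive type (unknown, removable, fixed, network, CD-ROM, RAM disk).
    Set-PolicyDword -Path $ExplorerPolicy  -Name 'NoDriveTypeAutoRun'     -Value 0xFF
    # Also suppress AutoPlay for non-volume devices such as cameras, phones and media players.
    Set-PolicyDword -Path $ExplorerPolicy2 -Name 'NoAutoplayfornonVolume' -Value 1
}

function Block-RemovableStorage {
    # "All Removable Storage classes: Deny all access" - read, write and execute are refused.
    Set-PolicyDword -Path $RemovablePolicy -Name 'Deny_All' -Value 1
}

function Set-DefenderUsbControls {
    # Include removable drives in scans, and block unsigned/untrusted binaries launched from USB.
    Set-MpPreference -DisableRemovableDriveScanning $false
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrUsbRule `
                     -AttackSurfaceReductionRules_Actions Enabled
}

function Get-UsbHardeningStatus {
    # One object with a field per control, so the result can be reviewed or piped to Export-Csv.
    $mp       = Get-MpPreference
    $asrIndex = [array]::IndexOf(@($mp.AttackSurfaceReductionRules_Ids), $AsrUsbRule)
    [pscustomobject]@{
        NoDriveTypeAutoRun     = (Get-ItemProperty $ExplorerPolicy  -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        NoAutoplayForNonVolume = (Get-ItemProperty $ExplorerPolicy2 -ErrorAction SilentlyContinue).NoAutoplayfornonVolume
        RemovableDenyAll       = (Get-ItemProperty $RemovablePolicy -ErrorAction SilentlyContinue).Deny_All
        ScanRemovableDrives    = -not $mp.DisableRemovableDriveScanning
        # ASR action value 1 means "Block".
        UsbAsrRuleBlocking     = ($asrIndex -ge 0) -and ($mp.AttackSurfaceReductionRules_Actions[$asrIndex] -eq 1)
    }
}

Disable-AutoRun
Block-RemovableStorage
Set-DefenderUsbControls
Get-UsbHardeningStatus | Format-List
```

Two caveats a practitioner should keep in mind. `Deny_All` is deliberately blunt: it blocks approved USB drives too, so an organization that needs to allow specific sanctioned devices will want a device-control product that can allowlist by vendor or serial number rather than this policy key alone. And none of these settings stop a keystroke-injection device (a "USB key" that enumerates as a keyboard rather than as storage), which is why the policy and education steps still matter even on a fully locked-down endpoint.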

Lastly, and most importantly, make sure your employees are educated (use this article) about the increasing sophistication of USB attacks that include very professional-looking packaging and branding. We are not in the “anonymous” USB key dropped in a parking lot stage of attacks anymore.

Education is key because, no matter how good your policies or technical controls are, there is always a chance something bad will get through. And none of the great policies and technical controls on organization-managed devices will stop an employee (or their child, parent, etc.) from falling for the same scheme on an unmanaged asset. There is no perfect defense that can keep cybersecurity badness away from all users and people.

If you are concerned about USB attacks, run simulated USB key attacks. You can certainly try the old, anonymous USB-drop style of testing, but if you really want to know which employees would or would not be caught by a more sophisticated USB scheme, send a simulated, branded USB package to the employee's work location or home using the regular "snail mail" delivery service. Just a few key employees compromised by your simulation can be used to help educate the rest of the company. As with any phishing simulation test, get senior management approval first. No one ever got promoted by proving to the CEO that they, too, could be phished (without prior notice).

Simply educating your employees about USB key attacks is one of the best things you can do to prevent these types of attacks.

Free USB Security Test

On average, 45% of your users will plug in unknown USB drives. Find out now how your users react to unknown USBs with KnowBe4's new Free USB Security Test. Download our special "beaconized" file onto any USB drive. Then label the drive with something enticing and drop it in a high-traffic area on site. If an employee picks it up, plugs it into their workstation and opens the file, it will "call home" and report the "fail" to your KnowBe4 console. And for Office documents, if the user also enables macros (!), additional data is tracked and geomapped.

How your free 7-day USB Security Test works:

  • Fill out the form, and immediately...
  • Download "beaconized" Word, Excel or PDF files
  • Copy to any USB Drive, label and drop it
  • Reports on opens and if macros were enabled
  • Takes just a few minutes to set up
