Malicious USB keys have always been a problem. There is almost no professional penetration testing team that does not drop a handful of USB keys outside of any targeted organization and see success from employees plugging them in and opening booby-trapped documents or running malicious executables.
My favorite trick, when I was a full-time penetration tester, was to label the dropped USB keys with the company’s name and include a malicious file labeled “Pending layoffs”. Employees could not wait to plug those in and open the file.
KnowBe4 even has functionality for creating and tracking simulated USB key drops built into our software. The feature can tell you who plugged them in and launched the simulated malware, who typed in their passwords, and so on. It is a great feature for administrators who want to test and educate their employees on potential social engineering attacks. We even had sysadmins hit by their own simulated USB creations because they forgot about them, had them lying around, and plugged them in many months later. That’s embarrassing.
USB key attacks are real. They do happen. Some ransomware gangs in particular are known for focusing on using USB attacks. In 2020, Sophos reported that seven percent of ransomware attacks (172 incidents) started via USB. It was the only ransomware report touting USB keys as a key root cause of compromise, and that stat likely reflects the experience of Sophos’ customers, who were more commonly hit by ransomware from the group that is more likely to use USB keys. Still, USB keys are used by more than one ransomware group and by real-world hackers in general. Here are some related news stories:
- Try2Cry Ransomware Spreads via USB Drives
- Ransomware warning: Cyber criminals are mailing out USB drives that install malware
- FBI warns cybercriminals have tried to hack US firms by mailing malicious USB drives
Sophisticated USB Attacks
Many readers may visualize attackers dropping plain, unmarked USB keys into parking lots and hoping for the best. But USB attackers can be quite sophisticated and go above and beyond in the branding and marketing of their malicious USB keys. Some are creating official-looking “FedEx” packaging, which includes professional-looking, high-quality folders, letters, and USB keys. Some of these USB scams are so, so good, I wonder if I could spot the phish. Here are two examples:
Fake Microsoft Office Scam
In this example, the potential victim was mailed what looked like a (free) version of Microsoft Office Professional Plus.
Is this original, legitimate, Microsoft packaging the hacker simply re-used or is it newly created, fake branding? I do not know. It is that good.
Fake Ledger Crypto Device
Ledger is one of the world’s leading physical device cryptocurrency wallet vendors. They make high-quality crypto wallets that significantly decrease the risk of online and offline cryptocurrency attacks. In July 2020, a servicing vendor was compromised, leading to the theft of Ledger’s customer list. Ledger, rightfully, notified customers and it was a moderately big story at the time. Ledger warned customers to be alert about potential future attacks related to the theft of their information.
Well, Ledger’s caution to their customers was warranted. In June 2021, an attacker made up very sophisticated, Ledger-branded packaging enclosed by shrink wrap. See images below from a news article:
Here is the external packaging box:
It contained a compromised Ledger device, letter, and instructions, telling customers that the previously announced (real) compromise required that Ledger send all impacted customers a new, “improved” Ledger device which they need to “upgrade” to. Here is the letter.
It is on a fake Ledger-branded letterhead supposedly signed by the Ledger CEO, with a fake signature. The instructions looked like this:
The instructions told the potential victim how to “install” the new Ledger device. If the potential victim followed the instructions, all their cryptocurrency protected by the Ledger device would be stolen.
The original person, the original potential victim, reporting the scam did not fall for it. But how many other Ledger customers who got sent the fake packaging, letter, instructions, and new compromised device did?
Again, if I was a Ledger customer, would I have noticed the scam? I am not sure. I hope I would…but I am not 100% sure. What about our average end-users? Since over 30% of our uneducated co-workers will click on what we think is an obvious, fairly unsophisticated, phishing scam, I have to believe that a higher percentage would fall for these types of very sophisticated, professional-looking USB scams, if appropriately motivated by the subject matter and purported vendor. So, what can you do?
USB Scam Defenses
All cyber defenses have three main components: policies, technical defenses, and education.
Make sure your organization’s policies instruct employees to be aware of such attacks, and that they are never to pick up an unknown or unapproved mobile storage device (of any kind) and plug it into organization resources. Unknown USB devices should be reported and given to IT security. That is Step 1.
Secondly, install technical defenses which prevent unapproved mobile media from being successfully plugged into or accessed on company resources. Make sure autorun is disabled. Make sure antivirus programs always scan any mobile media device that is successfully accessed. This includes even camera media cards.
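One way to verify those technical defenses on a Windows endpoint is a read-only audit like the following. This is an added example, not code from KnowBe4 or from this article; it assumes Windows with Microsoft Defender as the antivirus, and it checks the standard Windows policy registry values for AutoRun and removable storage rather than any setting named on this page.

```powershell
# Added example: read-only audit of removable-media controls on a Windows host.
# Assumptions: Windows policy registry locations; Microsoft Defender as the AV.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null   # key or value missing: the policy is not configured
}

# The two storage controls are alternatives; enforcing either one blocks USB storage.
$checks = @(
    @{ Control = 'AutoRun disabled on all drive types'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun'; Expected = 255 },
    @{ Control = 'Policy: deny all removable storage classes'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
       Name = 'Deny_All'; Expected = 1 },
    @{ Control = 'USB mass-storage driver disabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
       Name = 'Start'; Expected = 4 }
)

$results = foreach ($c in $checks) {
    $actual = Get-RegValue -Path $c.Path -Name $c.Name
    $shown  = if ($null -eq $actual) { 'not set' } else { $actual }
    [pscustomobject]@{
        Control  = $c.Control
        Expected = $c.Expected
        Actual   = $shown
        Pass     = ($null -ne $actual -and [int]$actual -eq $c.Expected)
    }
}

# Defender skips removable drives during full scans unless this preference is False.
if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
    $scanOff = (Get-MpPreference).DisableRemovableDriveScanning
    $results = @($results) + [pscustomobject]@{
        Control  = 'Defender scans removable drives'
        Expected = $false
        Actual   = $scanOff
        Pass     = ($scanOff -eq $false)
    }
}

$results | Format-Table -AutoSize
```

A row showing "not set" means the policy was never configured, which on a default install leaves removable media usable.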
Lastly, and most importantly, make sure your employees are educated (use this article) about the increasing sophistication of USB attacks that include very professional-looking packaging and branding. We are not in the “anonymous” USB key dropped in a parking lot stage of attacks anymore.
Education is key because no matter how great your policies or technical controls are, there is always a chance something bad will get by. And none of your great policies and technical controls on organization-managed devices will stop the employee (or child, parent, etc.) from falling for the same scheme on a non-managed asset. There is no perfect defense that can prevent cybersecurity badness from getting to all users and people.
If you are concerned about USB attacks, make sure to do simulated USB key attacks. Certainly, you can try the old, anonymous USB-style of testing, but if you really want to be sure which employees would or would not be caught up by a more sophisticated USB scheme, send a simulated USB branded package to the employee’s work location or home using the regular “snail mail” delivery service. Just a few key employees compromised by your simulation can be used to help educate the rest of the company. As with any phishing simulation test, make sure to get senior management approval first. No one ever got promoted by proving to the CEO they could also be phished (without prior notice).
Simply educating your employees about USB key attacks is one of the best things you can do to prevent these types of attacks.