- \n
- USB-driven threats are rising fast, with malicious USB activity jumping from 37% to 57% in one year.<\/li>\n\n\n\n
- Infected USB devices can silently deliver malware, steal sensitive data, or even physically damage systems without anyone noticing.<\/li>\n\n\n\n
- USB attacks take many forms, including data-stealing malware, ransomware, cryptojacking, HID spoofing, and even hardware-destroying USB killers.<\/li>\n\n\n\n
- Effective USB attack prevention requires a layered defense approach that includes developing strict USB device policies, implementing employee awareness programs, encrypting data, and continuously monitoring connected devices.<\/li>\n\n\n\n
- Consider using tools that can monitor, control, and log USB device activity at the endpoint level.<\/li>\n<\/ul>\n\n\n\n
What dangers do USB devices pose?<\/h2>\n\n\n\n
The number of USB attacks is increasing year by year. \u0410ccording to the Honeywell Industrial Cybersecurity USB Threat Report 2022<\/a> [PDF], the number of threats capable of spreading over USB devices rose from 37% in 2020 to 57% in 2021. But before we figure out how to prevent USB attacks, it\u2019s worth looking at why they\u2019re so dangerous.<\/p>\n\n\n\n
Hackers can use USB devices to gain access to a computer. In such a way, they can harm, steal, or change sensitive information, physically destroy the computer, use computer resources to spy on users, etc. In most cases, the victims remain unaware for a long time that they have been targeted.<\/p>\n\n\n\n
![\"Harm](\"https:\/\/www.syteca.com\/wp-content\/uploads\/2023\/05\/figure-1-How-Can-Ekran-System-Protect-You-against-Infected-USB-Devices.png\")
<\/figure>\n\n\n\nHow do USB devices get infected?<\/h2>\n\n\n\n
Users can infect USB devices with malware either intentionally or unintentionally.<\/p>\n\n\n\n
Unintentional infection<\/strong> occurs when someone inserts an unprotected USB device into a compromised system.<\/p>\n\n\n\n
In an intentional infection<\/strong>, someone knowingly infects a device in order to connect it to a system and harm sensitive data. A device infected during production may also make it onto store shelves due to a lack of quality control.<\/p>\n\n\n\n
Researchers from the Ben-Gurion University of the Negev in Israel point out<\/a> four ways perpetrators may attack your organization with the help of USB devices:<\/p>\n\n\n\n
- \n
- Reprogramming a device\u2019s internal microcontroller. In this case, the device doesn\u2019t act like it\u2019s supposed to (e.g. a charger injects keystrokes upon connection).<\/li>\n\n\n\n
- Reprogramming firmware to perform actions (starting data exfiltration<\/a>, launching a cryptocurrency miner, infecting a computer with a Trojan, etc.).<\/li>\n\n\n\n
- Exploiting flaws in USB protocols or standards (.exe files automatically running, upgrading a driver using infected files).<\/li>\n\n\n\n
- Executing an electrical power surge attack to destroy the computer.<\/li>\n<\/ul>\n\n\n\n
Cybersecurity in Hospitality Industry: Pandemic Lessons and 8 Best Practices to Improve Data Protection<\/a><\/p>\n\n\n\n
USB attack types: how USB hackers can attack your system<\/h2>\n\n\n\n
Cybercriminals can infect not only USB flash drives but any device that connects via a USB port, such as a keyboard, microphone, or mouse. To understand how to mitigate threats from USB attacks, you first need to know what methods and devices hackers use to steal sensitive information or harm hardware.<\/p>\n\n\n\n
![\"Common](\"https:\/\/www.syteca.com\/wp-content\/uploads\/2023\/05\/figure-2-How-Can-Ekran-System-Protect-You-against-Infected-USB-Devices.png\")
<\/figure>\n\n\n\nInfected storage drives<\/h3>\n\n\n\n
Storage devices are convenient for employees who need to work from home, share data with partners at conferences, or use several computers. But with a simple USB stick, it is very easy to infect endpoints. For example, an employee may compromise their computer by using unknown USB devices or personal USB devices that were infected elsewhere.<\/p>\n\n\n\n
Between December 2021 and September 2022, the Turla espionage group (supposedly sponsored by the Russian government) carried out a cyber attack on a Ukrainian organization using an infected USB device. The incident started when someone inserted an infected USB stick into the victim\u2019s endpoint and clicked a disguised malicious link leading to the deployment of Andromeda<\/a>. This malware helped perpetrators download other malware to the victim\u2019s computer and eventually exfiltrate sensitive data. <\/p>\n\n\n\n
Employee Keystroke Monitoring with Syteca<\/a><\/p>\n\n\n\n
Data-stealing malware<\/h3>\n\n\n\n
Data-stealing malware is hard to detect. Once it gets inside a system, it masks itself as a harmless process. Depending on a hacker\u2019s goal, the malware scans the network and steals browser forms, emails, or specific types of files.These types of USB malware attacks have evolved alongside USB specifications. In 2019, researchers found a vulnerability in the Thunderbolt interface of USB-C ports<\/a>. The Thunderbolt connection allows low-level direct memory access, which makes it possible for installed malware to monitor keystrokes, network traffic, and even framebuffer data.<\/p>\n\n\n\n
Ransomware<\/h3>\n\n\n\n
Ransomware<\/a> is a type of malware designed to encrypt files on a computer and make them impossible to open and use. In case of a successful ransomware attack, malicious actors threaten to publish sensitive information online or permanently block access to it unless the victim pays a ransom. <\/p>\n\n\n\n
In October 2022, Microsoft discovered that a relatively new worm called Raspberry Robin<\/a> was being spread via USB devices and used for human-operated ransomware activity in combination with other malware. The case that Microsoft was observing started with a Raspberry Robin infection followed by Cobalt Strike activity<\/a>. This activity included a TrueBot infection \u2014 a downloader malware that eventually led to the deployment of Clop ransomware<\/a>.<\/p>\n\n\n\n
7 Examples of Real-Life Data Breaches Caused by Insider Threats<\/a><\/p>\n\n\n\n
Self-replicating malware<\/h3>\n\n\n\n
Self-replicating malware USB attacks allow cybercriminals not only to infect the system that a malicious USB device initially connects to but also to infect other USB devices that are subsequently connected to the same system. <\/p>\n\n\n\n
In November 2022, Mandiant Managed Defense<\/a> identified cyber espionage activity leveraging USB devices as a major attack stream. The initial malware side-loaded three other types of malware, disguising it as legitimate activity. And by self-replicating each time a new USB device connected to the system, this malware was able to propagate to new systems and potentially gather information from air-gapped systems.<\/p>\n\n\n\n
Cryptocurrency miners<\/h3>\n\n\n\n
Cryptojacking<\/a> is the act of hijacking someone’s computing device and utilizing the device’s processing power to mine cryptocurrencies. Cryptojacking isn\u2019t a new type of malicious activity, but it has gained popularity over the last few years. Although miners don\u2019t harm your system and steal your data, they exploit computer resources, slowing down performance.<\/p>\n\n\n\n
Trojan.BitCoinMiner<\/a> is one of the popular malicious crypto miners and can be spread via files, messages, emails, and USB devices.<\/p>\n\n\n\n
Crypto mining malware called LemonDuck<\/a> affects Windows and Linux systems and spreads via phishing emails, exploits, USB devices, and brute force attacks. Once LemonDuck gets into a system, it attacks all other malware already present and gains access to all vulnerabilities. After that, it steals credentials, removes security controls, and starts a crypto mining campaign.<\/p>\n\n\n\n
Infected charging cables<\/h3>\n\n\n\n
Employees often need to charge their mobile phones and connect them to their corporate computers via a USB charging cable to do so. However, this comes with a risk that your corporate system will be damaged with a hacking device like USBsamurai<\/a> \u2014 a remote-controlled USB injecting cable that costs less than $15. It uses its own wireless protocol and allows a hacker to record keystrokes through a covert wireless channel. In such a way, air-gapped networks, where systems are totally isolated from third-party devices, can be subject to attacks.<\/p>\n\n\n\n
Another example of an infected device is a cable with an integrated Wi-Fi PCB<\/a> created by security researcher Mike Grover in 2019. This cable is recognized by Windows and Linux systems as a human interface device. A hacker can use Wi-Fi PCB to connect to the computer remotely and manipulate the cursor, stealing information.<\/p>\n\n\n\n
10 Must-Have Information Security Policies for Every Organization<\/a><\/p>\n\n\n\n
USB killer<\/h3>\n\n\n\n
A USB device can do more than just infect your system with malware. Such devices can also exploit a well-known USB power surge vulnerability. In the USB specification, power and data lines are poorly protected from voltage peaks. This is probably the only type of USB attack you can\u2019t protect from.<\/p>\n\n\n\n
For example, the USB Kill<\/a> device charges a computer\u2019s capacitors to 110 volts and leads to system death. In 2019, a student from the College of St. Rose in New York used USB Kill<\/a> to destroy 59 college computers.<\/p>\n\n\n\n
Human interface device (HID) spoofing<\/h3>\n\n\n\n
Human interface device (HID) spoofing<\/a> is a cyber attack that helps malicious users easily take control over a victim\u2019s computer by disguising a USB device as a legitimate keyboard. Such attacks can be difficult to detect and prevent, as human interface devices are often considered trusted peripherals by most operating systems. Once your employee connects a malicious HID, it executes a set of keystrokes predefined by the attacker. In most cases, it involves downloading various malware, such as credential grabbers, backdoor malware, or ransomware.<\/p>\n\n\n\n
One of the devices used in HID attacks is a Rubber Ducky<\/a>. In the past, a Rubber Ducky was capable of generating fake Windows pop-ups for credential harvesting and sending a user\u2019s saved passwords from the Chrome browser to the attacker. Recently, Rubber Duckies have become even more advanced, being able to steal data faster by encoding it in binary format.<\/p>\n\n\n\n
Other USB devices<\/h3>\n\n\n\n
Cyber attackers can use any USB device, not only storage drives and charging cables.<\/p>\n\n\n\n
\n ![\"USB](\"https:\/\/www.syteca.com\/wp-content\/uploads\/2023\/05\/figure-3-How-Can-Ekran-System-Protect-You-against-Infected-USB-Devices-1.png\")
<\/figure>\n<\/figure>\n\n\n\nThere are numerous cases when hackers have taken control of routers and cameras and used them to collect data or conduct denial of service attacks. This can happen because any such device has a microcontroller that\u2019s responsible for communication. However, this microcontroller isn\u2019t protected against code changes, so hackers can make it work in a completely different way than it was initially designed to.<\/p>\n\n\n\n
For example, in 2021, security researchers discovered a printer-based attack vector<\/a> that had lurked in HP printer drivers for 16 years and caused damage to hundreds of millions of machines. Due to this bug, hackers could gain access to a system and view, change, delete, or encrypt important data.<\/p>\n\n\n\n
If an employee inserts an infected USB device into a USB port, it will take seconds to infect the computer. But detecting such an attack and estimating the damage from it is much more time-consuming. Let\u2019s take a look at how to prevent sensitive data leaks caused by USB devices.<\/p>\n\n\n\n
12 Cybersecurity Best Practices to Prevent Cyber Attacks in 2023<\/a><\/p>\n\n\n\n
How to protect your organization from USB attacks<\/h2>\n\n\n\n
In 2022, the FBI\u2019s cyber division updated one of their FLASH Numbers<\/a> regarding a case of a cyber criminal group that targeted the US defense industry with a USB-based attack. This signals that the threat of USB attacks is still real for organizations.<\/p>\n\n\n\n
Hackers continue their attempts to obtain sensitive corporate information with the help of USB devices and invent sophisticated new ways to do so. This means you should keep learning about possible threats and consider installing additional security measures to protect sensitive data from possible USB attacks.<\/p>\n\n\n\n
Let’s overview some of the essential measures you can take to protect your corporate computers and networks from infected USB devices.<\/p>\n\n\n\n
![\"How](\"https:\/\/www.syteca.com\/wp-content\/uploads\/2023\/05\/figure-4-How-Can-Ekran-System-Protect-You-against-Infected-USB-Devices.png\")
<\/figure>\n\n\n\nImplement a USB device policy<\/h3>\n\n\n\n
Creating and implementing an unambiguous policy regarding the use of USB devices in the workplace is crucial. Make sure your organization has a policy that clearly defines the correct steps for connecting USB devices to corporate computers and provides guidelines for the use of personal USB devices.<\/p>\n\n\n\n
Educate employees<\/h3>\n\n\n\n
The human factor plays a significant role in the spread of USB cyberattacks. An employee may be irresponsible or uninformed and use an infected USB device. That\u2019s why it\u2019s a good idea to train your employees. Provide employees with instructions on:<\/p>\n\n\n\n
- \n
- How to store sensitive information<\/li>\n\n\n\n
- How to protect a USB device from viruses<\/li>\n\n\n\n
- Which devices can and cannot be plugged into corporate computers<\/li>\n\n\n\n
- How to recognize a USB threat<\/li>\n\n\n\n
- How to protect from threats against USB-enabled devices<\/li>\n\n\n\n
- What to do in case of a cyber attack<\/li>\n<\/ul>\n\n\n\n
The main goal of such training is to motivate employees to be more responsible in cybersecurity matters and to do their best to prevent cyberattacks.<\/p>\n\n\n\n
Insider Threat Awareness: What Is It, Why Does It Matter, and How Can You Improve It?<\/a><\/p>\n\n\n\n
Encrypt sensitive data<\/h3>\n\n\n\n
Consider protecting your data<\/a> by encrypting it. In order to access encrypted data, a user has to enter a password or key file. Thus, even if attackers manage to steal your organization\u2019s encrypted information with a USB device, they won\u2019t be able to read and use it.<\/p>\n\n\n\n
Install cybersecurity tools<\/h3>\n\n\n\n
Make sure that the antivirus software you\u2019re currently using has the scanning functionality to check every connected USB device. As well, consider using a USB management tool<\/a> that can block or inform you about unapproved devices. Be sure to regularly check these systems and regularly update them.<\/p>\n\n\n\n
Make exceptions for trustworthy USB devices<\/h3>\n\n\n\n
You may think that blocking all USB devices and ports might seem like the perfect solution to protect your organization from malware. But in fact, this will be challenging to execute and disruptive for employees. Therefore, you can create a list of exceptions with allowed removable devices based on their type or manufacturer. Thus, everything except specified devices will automatically be blocked.<\/p>\n\n\n\n
Conduct regular cybersecurity audits<\/h3>\n\n\n\n
Over time, cybercriminals\u2019 methods evolve and change, just as your company\u2019s infrastructure does. New employees come in, new devices are used, new methods of protection against cyber attacks emerge. Make sure you conduct regular system audits, update the list of exceptions with allowed USB devices, and update protection tools regularly to prevent USB-based attacks and ensure your organization\u2019s data security. Moreover, regular checks can help you identify weak points that need additional protection.<\/p>\n\n\n\n
How to Pass an IT Compliance Audit<\/a><\/p>\n\n\n\n
How can Syteca help you prevent USB-based attacks?<\/h2>\n\n\n\n
Syteca<\/a> is insider risk management software that can be used for efficient USB management.<\/p>\n\n\n\n
Using its configuration rules, you can specify the types of USB devices to monitor and block. These rules can easily be customized for every individual client and client group.<\/p>\n\n\n\n
By default, Syteca provides you with the following features:<\/p>\n\n\n\n
\n ![\"Finctionalities](\"https:\/\/www.syteca.com\/wp-content\/uploads\/2023\/05\/figure-5-How-Can-Ekran-System-Protect-You-against-Infected-USB-Devices.png\")
<\/figure>\n<\/figure>\n\n\n\n- \n
- Monitoring of connected USB devices.<\/strong> Syteca collects logs of a specified class of connected USB devices along with all other user activity metadata<\/a>.<\/li>\n\n\n\n
- Alerts about connected USB devices. <\/strong>Syteca notifies security officers with real-time alerts<\/a> when a potentially dangerous device is plugged into a USB port.<\/li>\n\n\n\n
- Blocking of connected USB devices.<\/strong> The software automatically blocks any new device and optionally notifies the user with a pop-up message.<\/li>\n\n\n\n
- Access control for USB devices.<\/strong> Users must ask permission to use a USB device when it is connected. The administrator can manually allow or deny access.<\/li>\n\n\n\n
- Exception rules for allowed USB devices.<\/strong> You can add exceptions for USB devices that are allowed to connect, creating rules by vendor, hardware, and other parameters.<\/li>\n<\/ul>\n\n\n\n
Finally, upon your request, Syteca can generate a report<\/a> that includes data about all events associated with USB devices.<\/p>\n\n\n\n
USB Device Management<\/a><\/p>\n\n\n\n
Conclusion<\/strong><\/h2>\n\n\n\n
As the use of USB devices in the workplace becomes more prevalent, so does the risk of security breaches. Malicious USB devices can easily steal sensitive data or infect entire networks, causing significant damage to a company\u2019s IT security.<\/p>\n\n\n\n
Syteca provides a comprehensive USB-based attack protection tool<\/a> that can be tailored to meet the unique needs of any business. With its default and customizable rules, it provides effective protection against USB threats to every computer on a corporate network.<\/p>\n\n\n\n
Besides USB device management, Syteca offers other robust functionalities to enhance the protection of your organization\u2019s sensitive data and overall cybersecurity, such as privileged access management<\/a>, user activity monitoring<\/a>, real-time incident response<\/a>, and auditing and reporting<\/a>.<\/p>\n\n\n\n
- Alerts about connected USB devices. <\/strong>Syteca notifies security officers with real-time alerts<\/a> when a potentially dangerous device is plugged into a USB port.<\/li>\n\n\n\n
- Monitoring of connected USB devices.<\/strong> Syteca collects logs of a specified class of connected USB devices along with all other user activity metadata<\/a>.<\/li>\n\n\n\n