How to detect and respond to cyberattacks via USB

According to the SonicWall Cyber Threat Report, in 2020 there were almost five billion cyber intrusion attempts, five thousand five hundred million malware attacks and three hundred million ransomware attacks. That is around eight hundred and twenty thousand ransomware attacks a day. The bad news is that this year these numbers will be higher.

Cybercrime is an industry in its own right and a very lucrative business: cybercriminals monetize access to the corporate networks of companies and public entities by taking advantage of organizational weaknesses and technical vulnerabilities. The form of monetization that has grown the most in the last year is ransomware, compared with other forms such as credit card fraud. Organized crime has always existed, but technologies such as blockchain and cryptocurrencies are the main driver of the current growth, with a reach never seen before. As in any industry, they reinvest the income they obtain, but in this sector the reinvestment goes into cyber infrastructure for future attacks, continually improving their attack strategy. We must not make things easy for cybercriminals: we have to move at the speed of technology, innovate with quick responses and continually update our cyber defense strategies.


The most used attack vectors are compromised email, BEC (Business Email Compromise), and the exploitation of technical vulnerabilities. In the end, the cybercriminal can compromise personal information in a CDB (Computer Data Breach), steal confidential data from organizations and threaten to disclose it publicly, or hijack corporate information and managed IT services with ransomware, as in the case of Kaseya. The forgotten attack vectors are those that arrive via USB. This usually happens because we are confident that our antivirus will detect any kind of malware every time we insert a pendrive into our PC or connect our phone; that is possible, but it is not completely safe. In cybersecurity it is not enough to trust; we must be sure.

The reality is that cyberattacks via USB are attacks directed at selected, well-prepared organizations, and they are not carried out with malware that any up-to-date antivirus can identify by signature. Custom programs are usually developed that modify the pendrive's controller so that, when it is connected to a PC's USB port, the PC believes it is a keyboard, and the attacker can get into the corporate network without the user noticing. The person who connects the pendrive will see that it contains no files, because after entering the network it has self-destroyed. This attack technique is called BadUSB and was announced in 2014 at Black Hat USA by Security Research Labs ("BadUSB – On accessories that turn evil").

What can the cybercriminal do after entering a corporate network with this type of attack? Everything imaginable and much more, for example:
• Collect information from the operating system
• Steal information from browsers, including cookies
• Capture the desktop screen
• Steal passwords for Wi-Fi connections
• Upload information to an FTP server
• Add users with administrator privileges and delete users
• Silently block programs in the operating system
• Infect the system by downloading a binary from the Internet, etc.

What cyber defense strategy against cyberattacks via USB should companies and public entities apply?

The cybercriminal's strategy for accessing the network relies, on the one hand, on the absence of procedures for the acceptable use of USB devices in organizations and, on the other, on our excess of confidence, which assumes, with a high degree of error, that our current cyber defenses will detect any type of intrusion via USB.

Both in private companies with IT (Information Technology) and OT (Operational Technology) networks, where suppliers access production machines to update their software via USB, and in public entities, where citizens can submit information to the Administration on electronic media such as a pendrive, it is necessary to define a procedure for detecting and responding to USB-borne threats using hardware frontier equipment before any information from the USB device is introduced into the corporate network.

There are products on the international market, such as Safe Door from authUSB, that act as frontier equipment to help detect malware, BadUSB and even USBKiller, a device that sends voltage surges to the equipment it is connected to in order to destroy it electrically. Against these types of threats, companies and public entities have to continuously improve their cyber defense strategy: internal training on these cyber threats, action procedures for the internal use of USB devices, and hardware devices that act as frontier equipment for detecting and responding to cyberattacks via USB.
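The keyboard impersonation described earlier and the detect-and-respond procedure this section calls for can also be supported on the endpoint side with log-based detection. The following Python script is an added example, not code from the original post or from any product mentioned here: it reads constructed Linux kernel (dmesg-style) USB enumeration lines and flags a device that enumerates as both mass storage and a HID keyboard, or a keyboard whose vendor:product ID is not on a hypothetical organizational allowlist.

```python
import re
from collections import defaultdict

# Constructed dmesg-style USB enumeration lines (not a real capture).
# Vendor/product IDs are made up for the example.
SAMPLE_LOG = """\
[ 10.001] usb 1-1: New USB device found, idVendor=1234, idProduct=0001, bcdDevice= 1.00
[ 10.002] usb-storage 1-1:1.0: USB Mass Storage device detected
[ 20.001] usb 1-2: New USB device found, idVendor=abcd, idProduct=0002, bcdDevice= 1.00
[ 20.002] usb-storage 1-2:1.0: USB Mass Storage device detected
[ 20.300] hid-generic 0003:ABCD:0002.0003: input,hidraw0: USB HID v1.11 Keyboard [USB Disk] on usb-0000:00:14.0-2/input1
[ 30.001] usb 1-3: New USB device found, idVendor=9999, idProduct=0003, bcdDevice= 1.00
[ 30.200] hid-generic 0003:9999:0003.0004: input,hidraw1: USB HID v1.11 Keyboard [Corp Keyboard] on usb-0000:00:14.0-3/input0
[ 40.001] usb 1-4: New USB device found, idVendor=5555, idProduct=0004, bcdDevice= 1.00
[ 40.200] hid-generic 0003:5555:0004.0005: input,hidraw2: USB HID v1.11 Keyboard [Unknown] on usb-0000:00:14.0-4/input0
"""

# Hypothetical allowlist of (idVendor, idProduct) pairs for approved keyboards.
APPROVED_KEYBOARDS = {("9999", "0003")}

NEW_DEV = re.compile(r"usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
STORAGE = re.compile(r"usb-storage (\S+?):\d+\.\d+: USB Mass Storage device detected")
KEYBOARD = re.compile(r"hid-generic 0003:([0-9A-F]{4}):([0-9A-F]{4})\.\w+: .*USB HID v[\d.]+ Keyboard")

def analyze(log_text):
    """Return a list of (rule, (vid, pid)) alerts found in the log text."""
    port_ids = {}                # bus port ("1-1") -> (vid, pid)
    classes = defaultdict(set)   # (vid, pid) -> {"storage", "keyboard"}
    for line in log_text.splitlines():
        if m := NEW_DEV.search(line):
            port_ids[m.group(1)] = (m.group(2).lower(), m.group(3).lower())
        elif (m := STORAGE.search(line)) and m.group(1) in port_ids:
            classes[port_ids[m.group(1)]].add("storage")
        elif m := KEYBOARD.search(line):
            classes[(m.group(1).lower(), m.group(2).lower())].add("keyboard")
    alerts = []
    for dev, kinds in classes.items():
        if {"storage", "keyboard"} <= kinds:
            # Classic BadUSB pattern: a "pendrive" that also types as a keyboard.
            alerts.append(("storage+keyboard", dev))
        elif "keyboard" in kinds and dev not in APPROVED_KEYBOARDS:
            # A keyboard the organization never approved; worth an analyst's look.
            alerts.append(("unapproved keyboard", dev))
    return alerts

if __name__ == "__main__":
    for rule, (vid, pid) in analyze(SAMPLE_LOG):
        print(f"ALERT {rule}: idVendor={vid} idProduct={pid}")
```

In production the same logic would be fed from the system journal or a USB device-control agent rather than a static string, and alerts would be routed to the SOC for triage alongside the frontier equipment's own findings.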


About Javier Mazcuñán

director appsec
