It’s Called BadUSB for a Reason

security affairs logo

Cybercrime gang FIN7’s badUSB attacks serve as a reminder of two key vulnerabilities present among all organizations.

The criminal group had been mailing malware-ridden USBs to various entities in the transport, insurance, and defense industries under the guise that they originated from a trusted source, such as Amazon and the US Department of Health and Human Services. Those from the former were supposedly gift vouchers, while the latter claimed to include new COVID guidelines. FIN7’s badUSB attacks serve as a reminder of two key vulnerabilities present among all organizations. Let’s explore them below:

Friend or foe

The badUSB attack first exploited enterprises’ greatest weakness: insiders. The malicious USBs appeared to have come from a legitimate source, thus gaining the recipient’s trust. And the accompanying letters played on human emotions, such as fear and greed, taking over any cautionary instincts. The seemingly benign device further alleviates any potential suspicion, especially since USB usage increased by 30% in 2021, making it a commonly used device. It is unlikely one would question its integrity.

Social engineering is a prerequisite to almost all cyberattacks. Hardware-based attacks require physical access to the target entity, and employee carelessness and negligence make social engineering the perfect tool to gain said access. As FIN7 demonstrated, it was because of social engineering that the attacks were successful. With 98% of cyberattacks relying on the psychological manipulation of humans, employees are the barrier between a perpetrator and its target, demonstrating the ongoing need for employee cybersecurity training. And while enterprises are aware of such need – most undertaking actionable steps to meet it – human error will always remain a weakness, and training is not a silver bullet.

To mitigate staff carelessness, enterprises implement a robust cybersecurity strategy, typically comprised of various policies, regulatory compliance, and security software. Surely, then, enterprises have a security tool that identifies the USB as a rogue device once it connects to an endpoint? Wrong. And this brings us to the second vulnerability exploited in the badUSB attack: asset visibility.

What you see is not what you get

BadUSBs and other spoofing devices perfectly impersonate legitimate HIDs through Layer 1 manipulation. Existing security solutions fail to cover the Layer 1 domain, resulting in gaps in asset visibility that prevent the detection of spoofing devices. Instead, security tools recognize it as an authorized device and grant it access to the network – the attack tool raises no security alarms. In other words, once an insider has been successfully exploited through social engineering techniques and subsequently connects the badUSB to an endpoint, there is nothing in place to mitigate the attack.

In some instances, however, the enterprise does not know it has fallen victim to an attack. Of course, when a rogue device executes a malware, ransomware, or DDoS attack, the organization knows it has suffered a breach (although often unaware it originated from a rogue device due to the visibility issue). Yet should a rogue device get used for reconnaissance, espionage, or data theft, it is almost impossible to know that an attack has occurred, further adding to the danger of hardware attack tools.

The ease with which one can purchase a rogue device, thanks to their accessibility and low cost, exacerbates the risk (many costing less than $100 on sites such as AliExpress). Such tools, once only used by well-resourced agencies, such as the NSA, as revealed by Edward Snowden, are now readily available to anyone. This increases the number and type of attackers; reckless, malicious actors, such as terrorist organizations, can get their hand on such devices, increasing the severity of the threat as they act without anything to lose.

You can’t protect what you can’t see

The badUSB is just one of many rogue devices used to carry out malicious activities. These hardware-based attacks highlight that anything connected to the network poses a threat. While organizations can invest in cybersecurity training to increase employees’ awareness about what devices they are using, insiders will always remain a weakness. Zero Trust approaches better alleviate the threat by authenticating and authorizing devices based on the principle of “never trust, always verify”. However, as we have seen, the covert nature of rogue devices means they easily bypass the security tools that implement Zero Trust protocols. That is not to say Zero Trust is an ineffective defense mechanism, but that it requires greater asset visibility to ensure the correct access decisions get made; that rogue devices never get authorized. Layer 1 visibility provides the missing gap necessary for effective Zero Trust policy enforcement and, in turn, comprehensive protection against hardware-based attacks, such as the ones conducted by FIN7.

April 29th, 2022