The Resurgence of Removable Hardware Threats | ActZero

Written by Ryan Masrani | Mar 19, 2021 4:00:00 AM

The use of external devices is more common than ever. Even before the pandemic, external devices like USB keys and external hard drives allowed employees to easily take their projects with them when they were on the go.

But because they are so widely used, removable drives are an attractive carrier for malware. USB-borne malware is designed to infect a machine the moment the device is connected, or as soon as a user opens a file stored on it. With the sudden shift to work from home (WFH) during the pandemic, followed by periods of people back in offices and then lockdown and working from home again, drives have been moving between home and corporate machines constantly, and the threat of malware on external devices has never been more acute.

The goal of these removable hardware threats can vary. They include:

  • Gaining remote control over the victim’s device
  • Spying on people through their webcam, microphone, or keyboard
  • Stealing passwords and personal information, and
  • Encrypting data to demand a ransom

So why are USBs vulnerable to malware, and how can you safeguard yourself from these types of attacks? Here is our breakdown of what you need to know and strategies to keep your systems safe.

Why External Devices?

A big part of why USB malware is such a popular attack vector is its simplicity.

External devices are passed around from user to user and connected to multiple computers across different parts of a network, or across networks that are not connected at all. Most malware relies on a working network connection to spread, and network-based controls (firewalls, proxies, mail filtering) are built to catch it there. A drive carried from machine to machine bypasses those controls entirely, and can even cross an air gap.

Moreover, USB attacks may be more likely to succeed given there is little awareness of USB-based malware. Threat actors can use this ignorance to their advantage. While people might be vigilant about not opening an attachment on a strange email for fear of a virus, few will think twice about plugging a USB drive into their computer.

A 2016 experiment at the University of Illinois Urbana-Champaign found students and staff picked up 98% of USB sticks planted around the university by the experimenters. Half of those people later plugged the drive into a computer and accessed files.

One recent example of a botnet spread through USBs is “VictoryGate,” which has been actively mining Monero cryptocurrency since 2019. Especially prevalent in Latin America, VictoryGate propagates between Windows machines via USB drives, installing malicious code that turns unsuspecting users’ computers into crypto mining machines, a practice also known as cryptojacking. Known victims include both public and private sector organizations, including financial institutions.

Methods of External Device Attacks

How can the malware get on USB devices in the first place?

As with the experiment mentioned above, hackers can target people simply by planting external devices in public, anticipating that they will be picked up and plugged into a computer. Again, because USB malware is not widely known, someone who finds a USB drive in a parking lot or coffee shop may simply think they’ve scored a free thumb drive. 

Malware can also be written onto a USB device while the drive is connected to an already-compromised computer. Infected email attachments, torrents, or files from unknown websites or links can all give an attacker a foothold on your computer, and malware that has that foothold can copy itself onto every removable drive that is plugged in afterwards, turning an innocent drive into a carrier.

In the workplace context, once an infected external device is connected to an employee’s computer, the malware copies itself onto the user’s workstation and then spreads laterally across the network, potentially putting every computer on that network at risk.

Prevention

There are many proactive measures you can take to prevent a USB-based attack. Examples include:

  • Scanning your external devices alongside your machine. Scan a removable drive when it is inserted, and include removable drives in your weekly full scan. This will help identify and remove known threats on both your endpoint and the USB itself. It is subject to the drawbacks of any signature-based detection (it will miss novel or obfuscated malware), but given that removable hardware threats are usually opportunistic rather than targeted, it goes a long way.

  • Never inserting external devices that you find. Remember that attackers will leave these devices in public on purpose, with the hopes of someone finding and using them. The upside (a “free” few-dollar thumb drive) is far outweighed by the downside (a compromised endpoint!).

  • Encrypting your external devices. Encryption protects sensitive data should the drive be lost or fall into the wrong hands. Note the limit of this control: encrypting the data on a drive does not by itself stop a compromised host from writing malware to it, since the host that unlocks the drive can also write to it. If you need the drive itself to resist tampering, use a drive with a physical write-protect switch or a hardware-encrypted drive that stays locked until a PIN is entered, and keep it locked on any machine you do not trust.

  • Ensuring your external device vendor is secure. Firmware and hardware vulnerabilities in USB drives are a recurring problem, and they vary by vendor and model. Check that your external device vendor publishes security advisories and fixes for reported vulnerabilities, and that your device’s firmware and any companion software are up to date. One example is a published vulnerability report on a SanDisk USB drive.
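The measures above can be enforced and checked on a Windows workstation with a short script. The following is an added example written for this page, not ActZero’s code or part of any product; it assumes Windows 10/11 with Microsoft Defender, an elevated PowerShell session, and the standard “Removable Storage Access” policy registry keys. It disables autorun, denies execution (and, optionally, writes) on removable disks so a planted drive cannot launch anything or be written to by a compromised host, makes Defender scan removable drives, runs an on-demand scan of every USB volume currently attached, and prints the inventory of removable drives that have ever been attached to the machine.

```powershell
#Requires -RunAsAdministrator
# Added example for this post (not ActZero's code). Audits and hardens one
# Windows workstation against removable-media malware. Assumptions: Windows
# 10/11, Microsoft Defender enabled, run from an elevated PowerShell session.
$ErrorActionPreference = 'Stop'

# 1. Disable autorun/autoplay for every drive type (0xFF sets all drive-type
#    bits) so that simply inserting a drive cannot launch anything.
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $explorerPolicy -Force | Out-Null
Set-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
Set-ItemProperty -Path $explorerPolicy -Name 'NoAutorun'          -Value 1    -Type DWord

# 2. "Removable Storage Access" policy for the Removable Disks device class.
#    Deny_Execute stops .exe/.dll files on a USB stick from running while still
#    allowing documents to be read. Deny_Write also stops a compromised host
#    from planting malware on drives that pass through it; remove that line if
#    users genuinely need to write to removable media.
$removableDisksClass = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
$policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$removableDisksClass"
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name 'Deny_Execute' -Value 1 -Type DWord
Set-ItemProperty -Path $policyKey -Name 'Deny_Write'   -Value 1 -Type DWord

# 3. Make Defender include removable drives in full scans, then scan every
#    volume that sits on the USB bus right now.
Set-MpPreference -DisableRemovableDriveScanning $false

$usbVolumes = Get-Disk |
    Where-Object { $_.BusType -eq 'USB' } |
    Get-Partition |
    Get-Volume |
    Where-Object { $_.DriveLetter }

foreach ($vol in $usbVolumes) {
    $root = "$($vol.DriveLetter):\"
    Write-Host "Scanning removable volume $root ($($vol.FileSystemLabel))"
    Start-MpScan -ScanType CustomScan -ScanPath $root
}

# 4. Inventory: USBSTOR keys persist after a drive is unplugged, so they show
#    every removable disk this machine has ever seen. Unknown serials here are
#    worth a conversation with the user.
$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
if (Test-Path $usbstor) {
    Get-ChildItem $usbstor |
        Get-ChildItem |
        ForEach-Object {
            [pscustomobject]@{
                Device       = $_.PSParentPath.Split('\')[-1]   # e.g. Disk&Ven_...&Prod_...
                Serial       = $_.PSChildName
                FriendlyName = (Get-ItemProperty $_.PSPath).FriendlyName
            }
        } | Format-Table -AutoSize
}
```

Run the script once to harden a machine and again whenever you want a scan and an updated inventory; steps 1 and 2 are idempotent. In a domain, set the same autorun and Removable Storage Access settings through Group Policy instead of per-machine registry writes, so they cannot be silently undone.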

How ActZero Can Help

An attacker’s first goal is to find a readily exploitable path onto a machine. Since external devices have become such a large part of our working lives during this pandemic, attackers will try to exploit them as much as possible. By following the preventive measures outlined here, you will be well-positioned to protect yourself and your organization from serious harm.

To learn how ActZero’s managed detection and response (MDR) service can help mitigate your risk of USB-based attack as well as other cyber threats, request a demo today.