I thought I was done with device security for the time being – but then, of course, I got a question from a client.
“What about USB drives?”
Rather than write a completely new article let me reprint an article I wrote for CyberAwake looking at USB storage security – including some ideas for the type of policy you need to keep these popular devices from becoming a cyber security hazard.
A USB Cyber-attack
For this USB cyber-attack to succeed your users will need to do multiple things wrong…
There is a very thorough explanation of a cyber-attack, written by Bill Toulas over on BleepingComputer, that starts with an infected USB drive and then escalates to websites and malicious downloads (Toulas, 2024). The attack is targeted mainly at Italian victims but it is worth discussing here as for it to succeed the users have to be very co-operative!
One – Getting the USB cyber-attack to the potential victim
The article states that it is unknown how the infected USB drives arrive at their victims, obviously this is the key stage in any USB cyber-attack, but I can quickly think of one way that would probably succeed with any business that does not have clear policies and procedures for good cyber security. The promotional gift.
I have a box in my desk drawer of various USD sticks, printed with vendor logos, taglines and contact details that I have been given at trade shows and conferences over the years. All of which were handed to me by bona fide representatives of those companies. However before I used them I scanned them for threats. If the USB drive had arrived in the post or I had picked it up off the street, or found it left in a coffee shop I would have simply binned it. That is what our policy states.
But if you do not have such a policy or your member of staff chooses to ignore it because they were excited by the unexpected gift… then you have a problem.
Two – Clicking links…
Once that USB drive is in the computer, your user then has to ignore your policy of not clicking on unidentified links, because that is the next step in this hack. In this particular case the link launches malicious code and downloads a payload to the now infected computer… The victim is then taken to a legitimate website like Vimeo, GitHub or Ars Technica – none of which will look suspicious to the victim.
Three – The malicious payloads
The attack chain continues by exploiting the functionality of these legitimate websites and concealing the malicious payload inside plain text strings inside legitimate content, that are harmless to casual visitors but for a visitor infected with the right payload they enable the USB cyber-attack to continue.
Four – Now the real payload is delivered
This code then delivers the QUIETBOARD malware and connects the victim’s computer (and potentially their network and cloud systems) to the threat actors’ command and control servers, from there they are in control. QUIETBOARD has an impressive list of malicious features that can then be deployed – have a look at Bill’s article for the list.
Needless to say, now the problems really start for your organisation, starting with credential and data theft and escalating from there.
Why do the hackers do this?
Simply money. Whatever information they can steal, they will find ways of monetising it.
What do you need to do?
Cyber-security policies and procedures that are easily understood and then implemented and staff training to support them.
If you cannot deliver that – we can.
Clive Catton MSc (Cyber Security) – by-line and other articles
References
Toulas, B. (2024, January 31). Hackers push USB malware payloads via news, media hosting sites. BleepingComputer. https://www.bleepingcomputer.com/news/security/hackers-push-usb-malware-payloads-via-news-media-hosting-sites/
Further Reading
If you must use portable USB drives, then you must read this… – CyberAwake
Device Security
Device Security (Pt. 1) – CyberAwake
Device Security (Pt. 2) | Smart Thinking Solutions
Device Security Just One More Thing… (Pt. 3) | Smart Thinking Solutions
Photo by Karolina Grabowska