Physical objects as security threats are in the news at the moment. The oft-touched upon tale of rogue USB sticks is a common one. Being wary of random devices found on the floor, or handed out at events is a smart move. You simply don’t know what’s lurking, and it’s hard to find out safely without the right tools available. Even then, something can slip by and cause no end of trouble on your desktop or network.
Back in 2015, we covered the Dead Drops art project. This involved people hiding their USB stick in public places, and others finding them to join an “anonymous file-sharing network” and see what lurks. Security wise, this is an absolutely terrible idea for most folks.
On the other hand: people absolutely do plug in USB sticks found in the street, and they also happily use freebies at events. Most won’t concern themselves with security worries, but they should. However, it’s one thing to voluntarily grab USB sticks yourself. It’s quite another to be potentially disarmed by someone sending you said device instead.
The FBI has warned that a malware group is sending out infected USB sticks to specific targets. The group is behind major attacks such as the notorious colonial pipeline ransomware incident. Make no mistake, these are heavy hitters (and have been here before, and that time they included gifts such as cuddly toys).
The bogus sticks have been winging their way to potential victims through the post for a number of months. There’s elements of social engineering involved, too. It isn’t just a random stick in an unlabelled baggy, there’s a variety of packaging depending on who the sticks have been sent to. It’s perhaps not quite as visually impressive as rogue teddy bears, but it still gets the job done.
Social engineering their way to USB victory
The attackers use a couple of different postal services to send the USBs into the wide blue yonder: United Parcel Service, and United States Postal Service. The sticks have been sent to “US businesses in the transportation, insurance, and defence industries”. The packages are designed to resemble Amazon gifts, and Covid alerts from the US Department of Health, which are likely to carry a strong pull factor for the unwary.
If the USB stick is inserted into a PC, it launches a BadUSB attack and the malware auto-registers as a keyboard. From there, it uses keystrokes to place malware on the system and, potentially, deposit and fire up additional rogue files. Bleeping Computer notes that the end goal is to deploy ransomware on the compromised network.
Tips for keeping USB access points safe
- It’s not realistic to suggest disabling all USB ports on workplace machines, considering how many USB devices we use on a daily basis. However, you can ensure that only ones in use are functional. You can also buy physical locks which block use of ports with no software required to do it. Similarly, you can buy devices which lock wires into ports and reveal evidence of tampering if one is somehow pulled out.
- Dedicated workstations running virtual machines, or a non Windows OS, can be set up for any “stray” USB sticks.
- Disabling autorun is also helpful should such a thing already be enabled.
- Restricting access to any and all USB sticks to a handful of trained staff may be thought of as time-intensive, but realistically you likely don’t run into dozens of mysterious USB sticks on a daily basis.
We don’t know how many organisations have been affected, nor do we know how successful this campaign has been. Organisations should be cautious if they’re in one of the sectors targeted by this attack. In fact, we should all be cautious where rogue USB sticks are concerned. Get ahead of the curve and ponder this issue now, instead of waiting to find out if your area of business is on the next FBI release a few months down the line.