
In hybrid workplaces, infected USBs move from home to office

Malware is finding its way to corporate networks as hybrid employees move around.

Francis Scialabba


This holiday season: Don’t be fooled by a decorative gift box, especially if it contains an Amazon voucher, a thank-you note, and a USB drive.

In early 2022, the FBI warned that a basket from “FIN7” cybercriminals containing “BadUSB” ransomware hidden in the storage key was being delivered to US businesses. And that terrible present—as the name suggests, a bad USB—seems to be on the rise.

While threat actors still send malicious storage drives, hoping that curious employees can’t resist seeing what’s on there, hybrid work has led to infected devices moving from home to office.

“Maybe they share USB keys between their personal laptop, their family PC, their work machine, and printer…So, the infection is actually happening outside of the organization, but directly affecting the organization’s endpoint when they use that USB again. In pretty much all the cases that we found, that was the initial infection vector,” said George Glass, head of threat intelligence at the global risk advisory Kroll.

In one example, according to Glass, an end-user downloaded a cracked, illegitimate version of Photoshop, which led to malicious files on the USB drive, and ultimately the corporate network, when the employee brought the device into the office.

Malware moves quickly on a USB port, bypassing email firewalls and filters. “As soon as it’s plugged in, there’s very little user interaction that has to happen…And in some cases, an autorun triggers,” Glass told IT Brew.

Kroll’s Q3 research, which had not tracked USB malware in previous quarters, found enough of an uptick in cases to warrant tracking, said Glass in a follow-up email.

It’s happened USBefore. Malicious USB attacks date as far back as the mid-2000s. Some examples:

  • 2006: A proof-of-concept known as “USB Hacksaw” sent data from external drives to an attacker’s mail account.
  • 2008: A flash drive compromised an American military laptop.
  • 2010: A “rubber ducky” device came with keystrokes pre-installed.
  • 2022: Red Canary reported a “Raspberry Robin” worm. Kroll observed USB devices containing legitimate-looking .LNK files which, when clicked, installed the malware.

Kroll’s report also noted instances of cybercriminals sending USB drives to offices, “with the intention of operators gaining access to their devices after the USB drives were plugged in.”

With BadUSB attacks, the USB drive masquerades as a keyboard—firing keystrokes that quickly inject payloads.

“The analogy is, how about inviting a known hacker to sit at your employee’s unlocked workstation/notebook and just start attacking the network? That is indeed what is happening,” said Rich Kanadjian, global business manager for encrypted storage at drive-maker Kingston Technology in an email, noting that customers are reporting cases of BadUSB.

Don’t glue the ports just yet. Endpoint-detection tools can scan connected devices and allow only certain ones to run. Active Directory group policies can disable Autorun, and USB ports can even be set solely for charging.
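To check whether an Autorun policy like the one mentioned above has actually reached an endpoint, the following PowerShell audit reads the registry values that the "Turn off Autoplay" and "Set the default behavior for AutoRun" Group Policy settings write. It is an added example, not from Kroll or the people quoted in this article; the function name and report fields are illustrative, and it assumes the values are stored as REG_DWORD.

```powershell
# Added example: audit the Autoplay/AutoRun policy values on a Windows endpoint.
# Get-AutorunPolicy and the report field names are illustrative, not a vendor tool.
$policyKey    = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$removableBit = 0x04   # removable-drive bit in the NoDriveTypeAutoRun mask
$allDrives    = 0xFF   # mask written by "Turn off Autoplay" set to "All drives"

function Get-AutorunPolicy {
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive)

    $path  = "${Hive}:\$policyKey"
    $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue

    # A missing key or value means the policy is not configured in this scope.
    # Assumption: both values are REG_DWORD, as Group Policy writes them.
    $mask = $null
    $noAutorun = $null
    if ($props -and $null -ne $props.NoDriveTypeAutoRun) { $mask = [int]$props.NoDriveTypeAutoRun }
    if ($props -and $null -ne $props.NoAutorun) { $noAutorun = [int]$props.NoAutorun }

    $maskText = 'not set'
    if ($null -ne $mask) { $maskText = '0x{0:X2}' -f $mask }

    [pscustomobject]@{
        Scope              = $Hive
        NoDriveTypeAutoRun = $maskText
        RemovableBlocked   = ($null -ne $mask) -and (($mask -band $removableBit) -ne 0)
        AllDrivesBlocked   = ($null -ne $mask) -and (($mask -band $allDrives) -eq $allDrives)
        AutorunCmdsBlocked = ($noAutorun -eq 1)   # 1 = do not execute autorun commands
    }
}

$report = 'HKLM', 'HKCU' | ForEach-Object { Get-AutorunPolicy -Hive $_ }
$report | Format-Table -AutoSize

# Flag the endpoint if neither scope blocks Autoplay on removable drives.
if (-not ($report | Where-Object { $_.RemovableBlocked })) {
    Write-Warning 'Autoplay is not disabled for removable drives on this machine.'
}
```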

User training—bring the mysterious USB gift box to IT to take a look!—is an essential defense against USB malware, said Jason LaPorte at Power Consulting. Also: maybe go with another storage option.

“It’s 2023 in like, six weeks. Dropbox, OneDrive, SharePoint—that’s where all your company files should be going,” LaPorte told IT Brew.—BH
