
USB drive attacks deliver malware by exploiting the everyday use of USB devices, bypassing traditional network security measures, and they constitute a significant cybersecurity risk. Such attacks lead to data breaches, financial losses and operational disruptions, with lasting damage to an organization's reputation. For example, the Stuxnet worm, discovered in 2010, was malware designed to target industrial control systems, in particular nuclear enrichment facilities in Iran. It exploited multiple zero-day vulnerabilities and spread primarily through USB drives, making it one of the first cyberattacks with real physical effects. Stuxnet exposed the risks of removable media and raised global awareness of cybersecurity threats to critical infrastructure.
How USB drive attacks propagate
Attackers use a variety of methods to provide malicious payloads through USB drives, targeting individuals and organizations.
Drop attack: Infected USB drives are deliberately left in public areas such as parking lots, relying on a curious finder to plug them in and infect their own computer.
Mail-based attack: USB drives are posted to the target disguised as promotional items or legitimate devices, tricking the recipient into connecting them to a system.
Social engineering: Attackers use psychological manipulation to persuade the victim to connect an infected USB drive to a computer.
Unsolicited plug: Attackers plug an infected USB drive into an unattended system themselves, spreading the malware without any victim interaction.
How a USB drive attack works
USB drive attacks usually follow a multi-step process to penetrate the system and cause damage.
Reconnaissance: Attackers research the target to identify potential weaknesses. For a USB attack this means gathering information about the organization, its employees and its operating environment to judge how likely someone is to use a found or gifted USB drive.
Weaponization: Threat actors prepare the USB drive by embedding malware, either by placing malicious code directly on the drive or by hiding it inside seemingly benign files such as documents, videos or images.
Delivery: Attackers get the infected USB drives to their targets by dropping them in public areas, handing them out as promotional items or delivering them through social engineering.
Exploitation: When the target connects the USB drive, the malware runs, either automatically or through user interaction, and exploits vulnerabilities on the system.
Installation: The malware installs itself on the target system to gain persistence, so the attacker keeps control of the infected device even after it is restarted or disconnected.
Command and Control (C2): The malware communicates with the attacker's server, which lets the attacker issue commands, exfiltrate data and deploy additional payloads.
Actions on Objectives: Attackers achieve their goals, such as stealing sensitive data, deploying ransomware or establishing persistent access for future exploitation.
Figure 1: Steps showing how a USB drive attack works.
Strengthening the cybersecurity posture against USB drive attacks using Wazuh
Wazuh is an open source security platform that helps organizations detect and respond to security threats by monitoring system activity, from informational events to critical incidents. By monitoring USB activity with Wazuh, organizations can prevent breaches before they happen and protect sensitive data.
Monitoring USB drive activity on Windows using Wazuh
Wazuh uses the Windows Audit PnP Activity feature to monitor USB drive activity on Windows endpoints. This feature logs Plug and Play (PnP) events, which show when a USB drive is connected. It is available on Windows 10 Pro, Windows 11 Pro, Windows Server 2016 and later versions.
Organizations can configure Wazuh to collect specific Windows events and monitor the USB-related ones. The one that matters here is Windows Event ID 6416, which is logged when an external device is recognized by the system. Security administrators can create Wazuh custom rules for this event to detect USB device connections and flag potential security incidents.
The next step is creating a constant database (CDB) list of the unique device identifiers (DeviceIDs) of authorized devices. This list lets Wazuh distinguish approved devices from rogue ones and generate alerts for both categories. For example, plugging in an approved USB drive triggers a low-severity alert, while an unauthorized connection generates a high-severity alert that indicates a potential security breach.
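The following script is an added example and is not code from the original page or from Wazuh. It covers the two steps just described for Windows: it writes the approved DeviceIDs as a CDB list in the "key:value" line format that Wazuh compiles, and it reproduces the rule decision (approved DeviceId gives a low-severity alert, an unknown DeviceId a high-severity one) so that an allowlist can be dry-run against exported events before it is deployed. The DeviceId values, hostnames, alert levels and the list path are constructed; the field names follow Event ID 6416 as the Wazuh Windows decoder presents it (win.system.eventID, win.eventdata.deviceId, win.eventdata.deviceDescription).

```python
#!/usr/bin/env python3
"""Dry-run a USB allowlist against Windows Event ID 6416 records (added example)."""
import json
from typing import Optional

# Constructed DeviceId values in the USBSTOR layout that Event ID 6416 reports.
KINGSTON_ID = r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\0123456789ABCDEF&0"
SANDISK_ID = r"USBSTOR\Disk&Ven_SanDisk&Prod_Ultra&Rev_1.00\AA00000000000001&0"
GENERIC_ID = r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\DEADBEEF00000001&0"

# Constructed inventory of approved devices: DeviceId -> label.
APPROVED_DEVICES = {KINGSTON_ID: "finance-backup", SANDISK_ID: "it-imaging"}

LEVEL_APPROVED = 3        # informational: a known drive was plugged in (assumed level)
LEVEL_UNAUTHORIZED = 12   # high: the drive is not on the allowlist (assumed level)


def write_cdb_list(approved: dict, path) -> int:
    """Write the allowlist as 'key:value' lines, the text form of a CDB list.

    The key is the DeviceId and the value its label. A ':' inside a key would be
    read as the separator, so such keys are rejected rather than silently split.
    """
    lines = []
    for device_id, label in approved.items():
        if ":" in device_id:
            raise ValueError(f"CDB keys cannot contain ':' : {device_id!r}")
        lines.append(f"{device_id}:{label}")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    return len(lines)


def read_cdb_list(path) -> dict:
    """Read a 'key:value' list back, splitting on the first ':' only."""
    entries = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.rstrip("\n")
            if line:
                key, _, value = line.partition(":")
                entries[key] = value
    return entries


def classify_event(event: dict, approved: dict) -> Optional[dict]:
    """Apply the allowlist decision to one decoded Windows event.

    Returns an alert dict for Event ID 6416 and None for any other event.
    """
    win = event.get("win", {})
    system = win.get("system", {})
    if str(system.get("eventID")) != "6416":
        return None
    data = win.get("eventdata", {})
    device_id = data.get("deviceId", "")
    alert = {"host": system.get("computer"), "device": data.get("deviceDescription"), "device_id": device_id}
    if device_id in approved:
        alert.update(level=LEVEL_APPROVED, rule="usb_drive_approved", label=approved[device_id])
    else:
        alert.update(level=LEVEL_UNAUTHORIZED, rule="usb_drive_unauthorized")
    return alert


def dry_run(events, approved: dict) -> list:
    """Classify a batch of decoded events; events other than 6416 are skipped."""
    return [a for a in (classify_event(e, approved) for e in events) if a is not None]


# Constructed sample events in the layout of the Wazuh windows_eventchannel decoder.
SAMPLE_EVENTS = [
    {"win": {"system": {"eventID": "6416", "computer": "WS-FIN-01.corp.example"},
             "eventdata": {"deviceId": KINGSTON_ID, "className": "DiskDrive",
                           "deviceDescription": "Kingston DataTraveler 3.0 USB Device"}}},
    {"win": {"system": {"eventID": "6416", "computer": "WS-HR-07.corp.example"},
             "eventdata": {"deviceId": GENERIC_ID, "className": "DiskDrive",
                           "deviceDescription": "Generic Flash Disk USB Device"}}},
    {"win": {"system": {"eventID": "4624", "computer": "WS-HR-07.corp.example"},
             "eventdata": {"targetUserName": "jdoe"}}},
]

if __name__ == "__main__":
    import tempfile
    # On a manager the list would live under /var/ossec/etc/lists/ (assumed path).
    list_path = tempfile.gettempdir() + "/usb-allowlist"
    print(f"wrote {write_cdb_list(APPROVED_DEVICES, list_path)} entries to {list_path}")
    for alert in dry_run(SAMPLE_EVENTS, APPROVED_DEVICES):
        print(json.dumps(alert))
```

The list file that write_cdb_list produces is what a Wazuh rule looks up with a list element on the win.eventdata.deviceId field; the dry run only tells you which of your exported 6416 events would end up in the approved and unauthorized buckets once that rule is in place.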
Figure 2: USB drive plug-in event on a monitored Windows endpoint.
Figure 3: Approved USB drive event.
Figure 4: Unauthorized USB drive event.
Threat detection use case: detecting Raspberry Robin USB drive activity
Wazuh can help mitigate USB-borne threats such as Raspberry Robin, a Windows-based worm.
Raspberry Robin targets industries such as oil and gas, transportation and technology, causing operational disruptions. It spreads through disguised .lnk files and gains persistence by modifying the UserAssist registry key while mimicking legitimate folders. The worm runs, persists and downloads additional malicious components using legitimate Windows processes such as msiexec.exe, rundll32.exe, odbcconf.exe and fodhelper.exe. Its reliance on Tor-based command and control (C2) servers for outbound communication adds stealth and complicates detection.
Wazuh detects Raspberry Robin by monitoring registry changes, unusual command execution patterns and suspicious use of system binaries. Its real-time file integrity monitoring and threat detection rules allow quick responses that identify the malicious activity and limit potential disruption.
Wazuh detects and mitigates Raspberry Robin by monitoring and responding to suspicious activity such as:
Abnormal cmd.exe activity: terminating the suspicious processes or isolating the affected endpoint.
msiexec.exe downloading from an obscure domain: blocking the connection and alerting administrators.
UAC bypass via fodhelper.exe: terminating the process and notifying administrators.
Abnormal outbound connections by rundll32.exe and dllhost.exe: blocking the connections.
Below is a sample custom rule configuration that detects possible Raspberry Robin activity:

```xml
<group name="windows,sysmon,raspberry_robin,">
  <!-- Rule IDs 100100-100103 and the alert levels are placeholders: use any free
       IDs in the custom range (100000 and above). Parent rules 92004 and 61603
       are the Sysmon process-creation rules this configuration builds on; rule
       100101 is assumed to hang off 61603 like the rules after it. -->

  <!-- cmd.exe started with /r, /v ... /c or /c switches -->
  <rule id="100100" level="10">
    <if_sid>92004</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)cmd\.exe$</field>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)cmd\.exe.+((\/r)|(\/v.+\/c)|(\/c))</field>
    <description>Possible Raspberry Robin activity: suspicious cmd.exe invocation on $(win.system.computer)</description>
  </rule>

  <!-- msiexec.exe quietly installing a package fetched over HTTP(S) -->
  <rule id="100101" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)msiexec.*(\/q|\ -q|\/i|\ -i).*(\/q|\ -q|\/i|\ -i).*http[s]{0,1}\:\/\/.+[.msi]{0,1}</field>
    <description>Possible Raspberry Robin activity: msiexec.exe installing a remote package on $(win.system.computer)</description>
    <mitre>
      <id>T1218.007</id>
    </mitre>
  </rule>

  <!-- fodhelper.exe launched by cmd, powershell or rundll32 (UAC bypass) -->
  <rule id="100102" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.parentImage" type="pcre2">(?i)(cmd|powershell|rundll32)\.exe$</field>
    <field name="win.eventdata.image" type="pcre2">(?i)fodhelper\.exe$</field>
    <description>Possible Raspberry Robin activity: UAC bypass via fodhelper.exe on $(win.system.computer)</description>
    <mitre>
      <id>T1548.002</id>
    </mitre>
  </rule>

  <!-- system binaries the worm abuses for execution and outbound traffic -->
  <rule id="100103" level="10">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)(regsvr32\.exe|rundll32\.exe|dllhost\.exe)$</field>
    <description>Possible Raspberry Robin activity: $(win.eventdata.image) started on $(win.system.computer)</description>
  </rule>
</group>
```
Figure 5: Raspberry Robin IOC and behavior discovered on a monitored Windows endpoint.
Figure 6: An alert indicating the Raspberry Robin IOC detected on a monitored Windows endpoint.
For more information on detecting the Raspberry Robin worm with Wazuh, see this blog post.
Monitor USB drives on Linux using Wazuh
USB drives can also introduce security risks on Linux endpoints, as vectors for malware and unauthorized data access. udev is the Linux subsystem that detects and manages external devices such as USB drives: when a device is plugged in, udev creates the required device files under /dev so the system can interact with it. Administrators can write custom udev rules that generate detailed events and give insight into USB activity. Wazuh has built-in rules for USB monitoring, but the events generated through udev carry richer details and improve threat detection.
udev rules on the Linux endpoint are configured to trigger a logging script whenever a USB device is connected. The Wazuh agent is then configured to read the JSON log file that the script writes, so the USB activity can be processed and analyzed on the Wazuh server.
Just as for Windows USB drive monitoring, a constant database (CDB) list of approved USB device serial numbers is needed. Wazuh compares each incoming connection against this list and triggers alerts for rogue devices.
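The logging script below is an added example and is not the script from the original page or from Wazuh. udev runs the program named in a RUN+= rule with the device's properties in its environment, so the script only has to turn those variables into one JSON line per event; the Wazuh agent reads the file with a localfile entry of log format json, and a rule on the serial field does the CDB lookup. The rule file name, script path and log path are assumptions; the environment variable names (ACTION, DEVNAME, ID_VENDOR_ID, ID_MODEL_ID, ID_SERIAL_SHORT, ...) are the ones udev exports for USB devices.

```python
#!/usr/bin/env python3
"""udev-triggered USB event logger for the Wazuh agent (added example).

Assumed udev rule, placed in /etc/udev/rules.d/90-usb-log.rules (placeholder name):
  ACTION=="add|remove", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", RUN+="/usr/local/bin/usb_udev_logger.py"

Assumed Wazuh agent configuration (ossec.conf), so the agent ships the file:
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/usb-events.json</location>
  </localfile>
"""
import json
import os
import socket
from datetime import datetime, timezone

LOG_PATH = "/var/log/usb-events.json"   # assumed; must match the agent's <localfile>

# udev environment variable -> key used in the JSON event
FIELD_MAP = {
    "ACTION": "action",
    "DEVNAME": "devnode",
    "ID_BUS": "bus",
    "ID_VENDOR_ID": "vendor_id",
    "ID_MODEL_ID": "product_id",
    "ID_VENDOR": "vendor",
    "ID_MODEL": "model",
    "ID_SERIAL_SHORT": "serial",
}


def build_event(env, host=None, now=None) -> dict:
    """Turn udev's environment into a flat event dict.

    Missing properties become None, except the serial, which falls back to
    "unknown" so that a CDB lookup on the serial field always has a key to test.
    """
    now = now or datetime.now(timezone.utc)
    event = {
        "timestamp": now.isoformat(timespec="seconds"),
        "host": host or socket.gethostname(),
        "source": "udev",
    }
    for var, key in FIELD_MAP.items():
        event[key] = env.get(var)
    if not event["serial"]:
        event["serial"] = "unknown"
    return event


def append_event(event: dict, path=LOG_PATH) -> str:
    """Append the event as a single JSON line (what the json log format expects) and return it."""
    line = json.dumps(event, separators=(",", ":"))
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    return line


# Constructed environment as udev would provide it for an "add" event.
SAMPLE_ENV = {
    "ACTION": "add",
    "DEVNAME": "/dev/bus/usb/001/007",
    "ID_BUS": "usb",
    "ID_VENDOR_ID": "0951",
    "ID_MODEL_ID": "1666",
    "ID_VENDOR": "Kingston",
    "ID_MODEL": "DataTraveler_3.0",
    "ID_SERIAL_SHORT": "0123456789ABCDEF",
}

if __name__ == "__main__":
    # Under udev the real environment is used; run by hand, the sample is logged instead.
    env = os.environ if "ACTION" in os.environ else SAMPLE_ENV
    print(append_event(build_event(env)))
```

Because the serial is never empty in the output, the manager-side rule can use a single CDB list of approved serials with a not-match lookup for the rogue-device alert and a match lookup for the informational one, exactly as in the Windows case.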
Figure 7: USB drive alerts on a monitored Linux endpoint.
Figure 8: Unauthorized USB drive event on a monitored Linux endpoint.
The blog post on monitoring USB drives on Linux using Wazuh gives detailed instructions for monitoring USB drives connected to Linux endpoints.
Monitoring USB drives on macOS using Wazuh
Wazuh can be configured with custom scripts to record and monitor important USB device events on macOS endpoints. Administrators can extract information such as connect and disconnect events, the vendor ID, the product ID and the serial number of the USB drive. The script interacts with the macOS I/O Kit framework to collect USB device information, formats it as JSON and saves it to a log file. The Wazuh agent forwards this log data to the Wazuh server for analysis.
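The collector below is an added example, not the script from the original page or from Wazuh. Rather than calling the I/O Kit framework directly, it reads the same USB registry through the system_profiler SPUSBDataType -json command and diffs successive snapshots, so each change yields one JSON line with the vendor ID, product ID and serial that the text mentions. The log path and polling interval are assumptions; the keys it parses (_items, _name, vendor_id, product_id, serial_num, location_id, manufacturer) are those system_profiler emits for SPUSBDataType, and the two snapshots at the bottom are constructed.

```python
#!/usr/bin/env python3
"""Log USB connect/disconnect events on macOS as JSON for the Wazuh agent (added example)."""
import json
import socket
import subprocess
import time
from datetime import datetime, timezone

LOG_PATH = "/var/log/usb-events.json"   # assumed; read by a <localfile> of log_format json
POLL_SECONDS = 2                        # assumed polling interval


def parse_profiler(text: str) -> dict:
    """Parse system_profiler JSON into {device key: device dict}.

    Hubs nest their children under _items, so the tree is walked recursively.
    Devices without a serial are keyed by vendor/product/location instead.
    """
    tree = json.loads(text)
    devices = {}

    def walk(items):
        for item in items:
            if "vendor_id" in item or "product_id" in item:
                serial = item.get("serial_num")
                key = serial or f"{item.get('vendor_id')}/{item.get('product_id')}@{item.get('location_id')}"
                devices[key] = {
                    "name": item.get("_name"),
                    "manufacturer": item.get("manufacturer"),
                    "vendor_id": item.get("vendor_id"),
                    "product_id": item.get("product_id"),
                    "serial": serial or "unknown",
                }
            walk(item.get("_items", []))

    walk(tree.get("SPUSBDataType", []))
    return devices


def diff_snapshots(before: dict, after: dict, host=None, now=None) -> list:
    """Return one event per device that appeared (connected) or vanished (disconnected)."""
    now = now or datetime.now(timezone.utc)
    base = {"timestamp": now.isoformat(timespec="seconds"),
            "host": host or socket.gethostname(), "source": "macos-usb"}
    events = []
    for key in after.keys() - before.keys():
        events.append({**base, "action": "connected", **after[key]})
    for key in before.keys() - after.keys():
        events.append({**base, "action": "disconnected", **before[key]})
    return events


def current_devices() -> dict:
    """Take a live snapshot (macOS only)."""
    out = subprocess.run(["system_profiler", "SPUSBDataType", "-json"],
                         capture_output=True, text=True, check=True).stdout
    return parse_profiler(out)


# Constructed snapshots in the shape system_profiler prints: a bus whose hub
# holds one drive in the first snapshot and no drive in the second.
SAMPLE_BEFORE = json.dumps({"SPUSBDataType": [{"_name": "USB31Bus", "_items": [
    {"_name": "USB3.0 Hub", "vendor_id": "0x2109", "product_id": "0x0817",
     "location_id": "0x14100000 / 1",
     "_items": [{"_name": "DataTraveler 3.0", "manufacturer": "Kingston",
                 "vendor_id": "0x0951  (Kingston Technology)", "product_id": "0x1666",
                 "serial_num": "0123456789ABCDEF", "location_id": "0x14110000 / 3"}]}]}]})
SAMPLE_AFTER = json.dumps({"SPUSBDataType": [{"_name": "USB31Bus", "_items": [
    {"_name": "USB3.0 Hub", "vendor_id": "0x2109", "product_id": "0x0817",
     "location_id": "0x14100000 / 1", "_items": []}]}]})

if __name__ == "__main__":
    previous = current_devices()
    while True:
        time.sleep(POLL_SECONDS)
        latest = current_devices()
        with open(LOG_PATH, "a", encoding="utf-8") as fh:
            for ev in diff_snapshots(previous, latest):
                fh.write(json.dumps(ev) + "\n")
        previous = latest
```

Polling trades a little latency for simplicity; a collector built on I/O Kit notifications, as the page describes, would produce the same event records without the interval, and the manager-side rules and CDB list do not need to know which of the two wrote the log.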
The blog post on monitoring USB drives on macOS using Wazuh provides instructions for monitoring USB drives on macOS endpoints.
Figure 9: USB drive alerts on a monitored macOS endpoint.
Figure 10: Unauthorized USB drive alert on a monitored macOS endpoint.
Conclusion
USB drive attacks pose security risks across all major operating systems, enabling malware propagation and unauthorized access.
Wazuh offers a variety of detection mechanisms that identify USB drive attacks and help reduce their potential impact. Organizations can strengthen their cybersecurity by deploying these detection methods and enforcing strict USB access policies.