BadUSB

"It's the struggle between simplicity and security. The power of USB is that you plug it in and it just works. This simplicity is exactly what's enabling these attacks."

- Karsten Nohl, 2014 [1]

At 2, the USB controller to which the custom firmware can be flashed is visible.

BadUSB is a computer security attack using USB devices that are programmed with malicious software. [2] For example, USB flash drives can contain a programmable Intel 8051 microcontroller, which can be reprogrammed, turning a USB flash drive into a malicious device. [3] The attack works by programming the fake USB flash drive to emulate a keyboard; once plugged into a computer, it is automatically recognized and allowed to interact with the computer, and can then send a series of keystrokes that open a command window and issue commands to download malware.

The BadUSB attack was first revealed during a Black Hat talk in 2014 by Karsten Nohl, Sascha Krißler and Jakob Lell. Two months after the talk, other researchers published code that can be used to exploit the vulnerability. [4] In 2017, version 1.0 of the USG dongle, which acts as a hardware firewall designed to prevent BadUSB-style attacks, was released. [5]

Criminal usage

In March 2020, the FBI issued a warning that members of the FIN7 cybercrime group had been targeting companies in the retail, restaurant, and hotel industries with BadUSB attacks designed to deliver REvil or BlackMatter ransomware. [6] Packages were sent to employees in IT, executive management, and human resources departments. [6] One intended target was sent a package in the mail which contained a fake gift card from Best Buy as well as a USB flash drive, with a letter stating that the recipient should plug the drive into their computer to access a list of items that could be purchased with the gift card. [6] [7] When tested, the USB drive emulated a keyboard and then initiated a series of keystrokes which opened a PowerShell window and issued commands to download malware to the test computer, which then contacted servers in Russia. [6] [7]

In January 2022, the FBI issued another warning that members of FIN7 were targeting transportation and insurance companies (since August 2021) and defense companies (since November 2021) with BadUSB attacks designed to deliver REvil or BlackMatter ransomware. [8] [9] These targets were sent USB drives in packages claiming to be from Amazon or the United States Department of Health and Human Services, with letters talking about free gift cards or COVID-19 protocols that were purportedly further explained by information on the USB drive. [8] [9] As above, when plugged in, the USB drives emulate a keyboard and then initiate a series of keystrokes which open a PowerShell window and issue commands to download malware. [8] [9]
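The common thread in the mechanism described in the introduction and in both FIN7 campaigns is that a device shaped like a flash drive enumerates as a keyboard, and the host trusts it because USB has no notion of authorization. The defensive counterpart is to judge a device by the interfaces it presents rather than by its appearance. The following is an added example, not code from this article, from the USG project, or from any FIN7 tooling: a small host-side policy check of the kind a daemon such as USBGuard enforces. Interface descriptors are given in the `cc:ss:pp` class/subclass/protocol notation USBGuard uses; the vendor/product IDs, serial numbers, allowlist and sample devices are constructed for the example.

```python
"""Host-side policy check for BadUSB-style keyboard-emulating devices.

Added example; not code from the Wikipedia article, the USG project or
any attacker tooling. All device records, IDs and the allowlist are
constructed sample data."""
import re
from dataclasses import dataclass

# USB-IF class/subclass/protocol codes relevant to the check
HID_CLASS = 0x03
HID_BOOT_SUBCLASS = 0x01
HID_KEYBOARD_PROTOCOL = 0x01
MASS_STORAGE_CLASS = 0x08


@dataclass(frozen=True)
class Interface:
    cls: int
    subclass: int
    protocol: int

    def is_keyboard(self) -> bool:
        # A boot-protocol keyboard is what a keystroke injector enumerates as.
        return (self.cls, self.subclass, self.protocol) == (
            HID_CLASS, HID_BOOT_SUBCLASS, HID_KEYBOARD_PROTOCOL)

    def is_storage(self) -> bool:
        return self.cls == MASS_STORAGE_CLASS


@dataclass(frozen=True)
class Device:
    vid: int
    pid: int
    serial: str
    interfaces: tuple


def parse_interfaces(spec: str) -> tuple:
    """Parse 'cc:ss:pp' hex triples (USBGuard's with-interface notation)."""
    triples = re.findall(
        r"\b([0-9a-fA-F]{2}):([0-9a-fA-F]{2}):([0-9a-fA-F]{2})\b", spec)
    if not triples:
        raise ValueError(f"no cc:ss:pp interface triples in {spec!r}")
    return tuple(Interface(*(int(x, 16) for x in t)) for t in triples)


def evaluate(device: Device, allowlist: set, keyboard_present: bool):
    """Decide whether a newly attached device may be used.

    Returns (decision, reason) where decision is 'allow' or 'block'.
    """
    if (device.vid, device.pid, device.serial) in allowlist:
        return "allow", "explicitly allowlisted by vid:pid and serial"
    keyboard = any(i.is_keyboard() for i in device.interfaces)
    storage = any(i.is_storage() for i in device.interfaces)
    if keyboard and storage:
        # The BadUSB pattern: a 'flash drive' that also types.
        return "block", "storage device also enumerates as a keyboard"
    if keyboard and keyboard_present:
        # A second keyboard appearing mid-session needs a human to approve it.
        return "block", "additional keyboard requires manual authorization"
    if keyboard:
        return "allow", "first keyboard on the host"
    return "allow", "no keyboard interface presented"


# Constructed allowlist: the one corporate keyboard this host should accept.
ALLOWLIST = {(0x046D, 0xC31C, "KB-SERIAL-0001")}

# Constructed sample devices as they might be reported at plug-in time.
SAMPLE_DEVICES = {
    "office keyboard": Device(0x046D, 0xC31C, "KB-SERIAL-0001",
                              parse_interfaces("03:01:01 03:00:00")),
    "ordinary flash drive": Device(0x0781, 0x5567, "FD-SERIAL-0042",
                                   parse_interfaces("08:06:50")),
    "mailed gift-card drive": Device(0x0781, 0x5567, "",
                                     parse_interfaces("{ 08:06:50 03:01:01 }")),
    "bare keystroke injector": Device(0x2341, 0x8036, "",
                                      parse_interfaces("03:01:01")),
}


def audit(devices=SAMPLE_DEVICES, allowlist=ALLOWLIST, keyboard_present=True):
    """Evaluate every sample device; returns {name: (decision, reason)}."""
    return {name: evaluate(d, allowlist, keyboard_present)
            for name, d in devices.items()}


if __name__ == "__main__":
    for name, (decision, reason) in audit().items():
        print(f"{decision:5}  {name}: {reason}")
```

The two block rules correspond to the two cases on this page: the mailed drives, which present storage and a keyboard together, and a bare injector with no storage at all, which is only caught because a keyboard is already attached and the new one is not on the allowlist. The allowlist keyed on serial number is what lets a known keyboard through; a device that reports an empty serial, as many cheap controllers do, can never match it.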


References

  1. Goodin, Dan (July 31, 2014). "This thumbdrive hacks computers. 'BadUSB' exploit makes devices turn 'evil'". Ars Technica. Archived from the original on 2017-09-09. Retrieved 2021-09-07.
  2. Greenberg, Andy (July 31, 2014). "Why the Security of USB Is Fundamentally Broken". Wired. ISSN 1059-1028. Retrieved 2021-09-07.
  3. Nohl, Karsten; Krißler, Sascha; Lell, Jakob. "BadUSB - On accessories that turn evil" (PDF). Archived (PDF) from the original on 2016-10-19.
  4. Greenberg, Andy (October 2, 2014). "The Unpatchable Malware That Infects USBs Is Now on the Loose". Wired. ISSN 1059-1028. Retrieved 2021-09-07.
  5. Doctorow, Cory (March 2, 2017). "USG: an open source anti-BadUSB hardware firewall for your USB port". Boing Boing. Archived from the original on 2017-03-03. Retrieved 2021-09-07.
  6. Ilascu, Ionut (2020-03-27). "FBI: Hackers Sending Malicious USB Drives & Teddy Bears via USPS". Bleeping Computer. "This is not a one-off incident, though. The FBI warns that FIN7 has mailed these packages via USPS to numerous businesses (retail, restaurant, hotel industry) where they target employees in human resources, IT, or executive management departments. These packages sometimes include "gifts" like teddy bears or gift cards. These USB drives are configured to emulate keystrokes that launch a PowerShell command to retrieve malware from server controlled by the attacker. Then, the USB device contacts domains or IP addresses in Russia."
  7. Cimpanu, Catalin (March 26, 2020). "Rare BadUSB attack detected in the wild against US hospitality provider". ZDNet. Archived from the original on 2020-03-26. Retrieved 2021-09-07.
  8. Gatlan, Sergiu (2022-01-07). "FBI: Hackers use BadUSB to target defense firms with ransomware". Bleeping Computer. "FIN7 operators impersonated Amazon and the US Department of Health & Human Services (HHS) to trick the targets into opening the packages and connecting the USB drives to their systems. Since August, reports received by the FBI say that these malicious packages also contain letters about COVID-19 guidelines or counterfeit gift cards and forged thank you notes, depending on the impersonated entity."
  9. Tung, Liam (2022-01-10). "Ransomware warning: Cyber criminals are mailing out USB drives that install malware". ZDNET.
