"It's the struggle between simplicity and security. The power of USB is that you plug it in and it just works. This simplicity is exactly what's enabling these attacks."
Contents
BadUSB is a computer security attack using USB devices that are programmed with malicious software. [2] For example, USB flash drives can contain a programmable Intel 8051 microcontroller, which can be reprogrammed, turning a USB flash drive into a malicious device. [3] This attack works by programming the fake USB flash drive to emulate a keyboard. Once it is plugged into a computer, it is automatically recognized and allowed to interact with the computer. It can then initiate a series of keystrokes which open a command window and issue commands to download malware.
The BadUSB attack was first revealed during a Black Hat talk in 2014 by Karsten Nohl, Sascha Krißler and Jakob Lell. Two months after the talk, other researchers published code that can be used to exploit the vulnerability. [4] In 2017, version 1.0 of the USG dongle, which acts like a hardware firewall, was released, which is designed to prevent BadUSB style attacks. [5]
In March 2020, the FBI issued a warning that members of the FIN7 cybercrime group had been targeting companies in the retail, restaurant, and hotel industries with BadUSB attacks designed to deliver REvil or BlackMatter ransomware. [6] Packages have been sent to employees in IT, executive management, and human resources departments. [6] One intended target was sent a package in the mail which contained a fake gift card from Best Buy as well as a USB flash drive with a letter stating that the recipient should plug the drive into their computer to access a list of items that could be purchased with the gift card. [6] [7] When tested, the USB drive emulated a keyboard, and then initiated a series of keystrokes which opened a PowerShell window and issued commands to download malware to the test computer, and then contacted servers in Russia. [6] [7]
In January 2022, the FBI issued another warning that members of FIN7 were targeting transportation and insurance companies (since August 2021), and defense companies (since November 2021), with BadUSB attacks designed to deliver REvil or BlackMatter ransomware. [8] [9] These targets were sent USB drives in packages claiming to be from Amazon or the United States Department of Health and Human Services, with letters talking about free gift cards or COVID-19 protocols that were purportedly further explained by information on the USB drive. [8] [9] As above, when plugged in, the USB drives emulate a keyboard, and then initiate a series of keystrokes which open a PowerShell window and issue commands to download malware. [8] [9]
In computing, firmware is software that provides low-level control of computing device hardware. For a relatively simple device, firmware may perform all control, monitoring and data manipulation functionality. For a more complex device, firmware may provide relatively low-level control as well as hardware abstraction services to higher-level software such as an operating system.
Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that a person using the keyboard is unaware that their actions are being monitored. Data can then be retrieved by the person operating the logging program. A keystroke recorder or keylogger can be either software or hardware.
This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.
Ransomware is a type of malware that permanently blocks access to the victim's personal data unless a "ransom" is paid. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem, and difficult-to-trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.
Crimeware is a class of malware designed specifically to automate cybercrime.
Secure USB flash drives protect the data stored on them from access by unauthorized users. USB flash drive products have been on the market since 2000, and their use is increasing exponentially. As businesses have increased demand for these drives, manufacturers are producing faster devices with greater data storage capacities.
A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector. A supply chain attack can happen in software or hardware. Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components. Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018.
Cyber spying, cyber espionage, or cyber-collection is the act or practice of obtaining secrets and information without the permission and knowledge of the holder of the information using methods on the Internet, networks or individual computers through the use of proxy servers, cracking techniques and malicious software including Trojan horses and spyware. Cyber espionage can be used to target various actors- individuals, competitors, rivals, groups, governments, and others- in order to obtain personal, economic, political or military advantages. It may wholly be perpetrated online from computer desks of professionals on bases in far away countries or may involve infiltration at home by computer trained conventional spies and moles or in other cases may be the criminal handiwork of amateur malicious hackers and software programmers.
Malvertising is the use of online advertising to spread malware. It typically involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages. Because advertising content can be inserted into high-profile and reputable websites, malvertising provides malefactors an opportunity to push their attacks to web users who might not otherwise see the ads, due to firewalls, more safety precautions, or the like. Malvertising is "attractive to attackers because they 'can be easily spread across a large number of legitimate websites without directly compromising those websites'."
In 2008, the United States Department of Defense was infected with malware. Described at the time as the "worst breach of U.S. military computers in history", the defense against the attack was named "Operation Buckshot Yankee". It led to the creation of the United States Cyber Command.
The Android Debug Bridge is a programming tool used for the debugging of Android-based devices. The daemon on the Android device connects with the server on the host PC over USB or TCP, which connects to the client that is used by the end-user over TCP. Made available as open-source software under the Apache License by Google since 2007, its features include a shell and the possibility to make backups. The adb software is available for Windows, Linux and macOS. It has been misused by botnets and other malware, for which mitigations were developed such as RSA authentication and device whitelisting.
Agent.BTZ, also named Autorun, is a computer worm that infects USB flash drives with spyware. A variant of the SillyFDC worm, it was used in a massive 2008 cyberattack on the US military, infecting 300,000 computers.
Blackshades is a malicious trojan horse used by hackers to control infected computers remotely. The malware targets computers using operating systems based on Microsoft Windows. According to US officials, over 500,000 computer systems have been infected worldwide with the software.
Juice jacking is a theoretical type of compromise of devices like smartphones and tablets which use the same cable for charging and data transfer, typically a USB cable. The goal of the attack is to either install malware on the device, or to surreptitiously copy potentially sensitive data. As of April 2023 there have been no credible reported cases of juice jacking outside of research efforts.
USBKill is anti-forensic software distributed via GitHub, written in Python for the BSD, Linux, and OS X operating systems. It is designed to serve as a kill switch if the computer on which it is installed should fall under the control of individuals or entities against the desires of the owner. It is free software, available under the GNU General Public License.
A medical device hijack is a type of cyber attack. The weakness they target are the medical devices of a hospital. This was covered extensively in the press in 2015 and in 2016.
Karsten Nohl is a German cryptography expert and hacker. His areas of research include Global System for Mobile Communications (GSM) security, radio-frequency identification (RFID) security, and privacy protection.
REvil was a Russia-based or Russian-speaking private ransomware-as-a-service (RaaS) operation. After an attack, REvil would threaten to publish the information on their page Happy Blog unless the ransom was received. In a high profile case, REvil attacked a supplier of the tech giant Apple and stole confidential schematics of their upcoming products. In January 2022, the Russian Federal Security Service said they had dismantled REvil and charged several of its members.
Ryuk is a type of ransomware known for targeting large, public-entity Microsoft Windows cybersystems. It typically encrypts data on an infected system, rendering the data inaccessible until a ransom is paid in untraceable bitcoin. Ryuk is believed to be used by two or more criminal groups, most likely Russian or Ukrainian, who target organizations rather than individual consumers.
FIN7, also called Carbon Spider, ELBRUS, or Sangria Tempest, is a Russian criminal advanced persistent threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. A portion of FIN7 is run out of the front company Combi Security. It has been called one of the most successful criminal hacking groups in the world. FIN7 is also associated with GOLD NIAGARA, ITG14, ALPHV and BlackCat.
This is not a one-off incident, though. The FBI warns that FIN7 has mailed these packages via USPS to numerous businesses (retail, restaurant, hotel industry) where they target employees in human resources, IT, or executive management departments. These packages sometimes include "gifts" like teddy bears or gift cards. These USB drives are configured to emulate keystrokes that launch a PowerShell command to retrieve malware from server controlled by the attacker. Then, the USB device contacts domains or IP addresses in Russia.
FIN7 operators impersonated Amazon and the US Department of Health & Human Services (HHS) to trick the targets into opening the packages and connecting the USB drives to their systems. Since August, reports received by the FBI say that these malicious packages also contain letters about COVID-19 guidelines or counterfeit gift cards and forged thank you notes, depending on the impersonated entity.