Hacking

It’s Called BadUSB for a Reason

Cybercrime gang FIN7’s badUSB attacks serve as a reminder of two key vulnerabilities present among all organizations.

The criminal group had been mailing malware-ridden USBs to various entities in the transport, insurance, and defense industries under the guise that they originated from a trusted source, such as Amazon and the US Department of Health and Human Services. Those from the former were supposedly gift vouchers, while the latter claimed to include new COVID guidelines. FIN7’s badUSB attacks serve as a reminder of two key vulnerabilities present among all organizations. Let’s explore them below:

Friend or foe

The badUSB attack first exploited enterprises’ greatest weakness: insiders. The malicious USBs appeared to have come from a legitimate source, thus gaining the recipient’s trust. And the accompanying letters played on human emotions, such as fear and greed, taking over any cautionary instincts. The seemingly benign device further alleviates any potential suspicion, especially since USB usage increased by 30% in 2021, making it a commonly used device. It is unlikely one would question its integrity.

Social engineering is a prerequisite to almost all cyberattacks. Hardware-based attacks require physical access to the target entity, and employee carelessness and negligence make social engineering the perfect tool to gain said access. As FIN7 demonstrated, it was because of social engineering that the attacks were successful. With 98% of cyberattacks relying on the psychological manipulation of humans, employees are the barrier between a perpetrator and its target, demonstrating the ongoing need for employee cybersecurity training. And while enterprises are aware of such need – most undertaking actionable steps to meet it – human error will always remain a weakness, and training is not a silver bullet.

To mitigate staff carelessness, enterprises implement a robust cybersecurity strategy, typically comprised of various policies, regulatory compliance, and security software. Surely, then, enterprises have a security tool that identifies the USB as a rogue device once it connects to an endpoint? Wrong. And this brings us to the second vulnerability exploited in the badUSB attack: asset visibility.

What you see is not what you get

BadUSBs and other spoofing devices perfectly impersonate legitimate HIDs through Layer 1 manipulation. Existing security solutions fail to cover the Layer 1 domain, resulting in gaps in asset visibility that prevent the detection of spoofing devices. Instead, security tools recognize it as an authorized device and grant it access to the network – the attack tool raises no security alarms. In other words, once an insider has been successfully exploited through social engineering techniques and subsequently connects the badUSB to an endpoint, there is nothing in place to mitigate the attack.

In some instances, however, the enterprise does not know it has fallen victim to an attack. Of course, when a rogue device executes a malware, ransomware, or DDoS attack, the organization knows it has suffered a breach (although often unaware it originated from a rogue device due to the visibility issue). Yet should a rogue device get used for reconnaissance, espionage, or data theft, it is almost impossible to know that an attack has occurred, further adding to the danger of hardware attack tools.

The ease with which one can purchase a rogue device, thanks to their accessibility and low cost, exacerbates the risk (many costing less than $100 on sites such as AliExpress). Such tools, once only used by well-resourced agencies, such as the NSA, as revealed by Edward Snowden, are now readily available to anyone. This increases the number and type of attackers; reckless, malicious actors, such as terrorist organizations, can get their hand on such devices, increasing the severity of the threat as they act without anything to lose.

You can’t protect what you can’t see

The badUSB is just one of many rogue devices used to carry out malicious activities. These hardware-based attacks highlight that anything connected to the network poses a threat. While organizations can invest in cybersecurity training to increase employees’ awareness about what devices they are using, insiders will always remain a weakness. Zero Trust approaches better alleviate the threat by authenticating and authorizing devices based on the principle of “never trust, always verify”. However, as we have seen, the covert nature of rogue devices means they easily bypass the security tools that implement Zero Trust protocols. That is not to say Zero Trust is an ineffective defense mechanism, but that it requires greater asset visibility to ensure the correct access decisions get made; that rogue devices never get authorized. Layer 1 visibility provides the missing gap necessary for effective Zero Trust policy enforcement and, in turn, comprehensive protection against hardware-based attacks, such as the ones conducted by FIN7.

About the author: Jessica Amado, Head of Cyber Research at Sepio

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: 
https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform  

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, badUSB)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

2 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

8 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

20 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

24 hours ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

1 day ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

This website uses cookies.