Global threat scenario is evolving too fast, with attackers finding different ways to pilferage and exfilterate data out of your network, security teams have to be proactively alert and defend their information. While traditional security has been largely addressing an organization's perimeter, critical applications and servers which host critical information, hackers/cyber criminals have found the importance of targeting end points in a company largely because they are in the "trusted" zone. Perpetrators very well know that it is far easy to map an organizations network/its information and gain access to sensitive data if they masquerade themselves as trusted users.
Peripherals which you would trust to connect to your PC's/Laptops have been recent targets of encoded firmware malware's which exploit the basic design of how they are programmed to interact via your seemingly innocent USB ports.
Security researchers recently demonstrated that it possible to reprogram the firmware on USB peripherals, be it USB drives, USB Mice, or any device that has programmable chip. The reprogram process by attackers can leave good amount of malicious code on to the chip of USB device allowing the same to effectively hide from antivirus and malware scans and obey the instructions that exploit your data.
Imagine a scenario of social engineering where one of your employees is given a firmware infected USB drive which in turn plugged into that user's official laptop and what can follow as a result is only limited to one's imagination, now let's quickly examine and see what is possible when something like this happens at your organization.
USB malware's that can act as keyboards:
Recently demonstrated malware a.k.a BadUSB was successfully able to emulate a keyboard on users' desktop and issue commands that were preprogrammed into the code. The level of access peripherals have being part of the operating system, malware can do variety of things by issuing commands to exfilterate data to loading a Trojan which will act as a backdoor to establishing a connection to a remote server, possibilities are only limited to the abilities of the attacker. Another interesting facet is attackers have found a way infect other peripherals which are connected onto the same system expanding their attack surface.
USB drives as network cards:
USB malware's can create a spoofed network card which in turn will redirect most of your traffic via custom DNS server which would then point to attackers doing man in the middle attacks.
The ease of having operating systems on a USB:
A modified thumb drive or an operating system image (usually in .iso format) can be already injected with boot sector viruses which can control how the user uses the OS, and allowing an attacker to remotely take over the machine and compromise sensitive and confidential information. This will be like booting from an Virus OS.
All the above things do sound scary and we need to be be, as Karsten Nohl puts it in a recent blackhat conference there is no way this can be patched, because attackers are exploiting the very way the USB was designed.
Imagine the power this gives the attackers, they can reprogram almost every USB device which has a onboard firmware that can be reprogrammed, including, mouse, external touchpad, phones etc.
USB drives are everywhere, and this itself makes it so scary because from a CEO, to an engineer in a company at least once in a day connect an USB related device to their computers, and as the availability of this kind of exploit grows, need for a proactive security program in an organization only increases. Cottonmouth, revealed in the leaks of Edward Snowden. The device, which hid in a USB peripheral plug, was advertised in a collection of NSA internal documents as surreptitiously installing malware on a target's machine to enable backdoor. Though the exact mechanism is not described, it is highly likely that attackers did use USB peripherals which is conceptually close to what is being discussed here.
What is the Solution?
There are workarounds for this problem, while there is no patch/tool/fix which is yet available to detect these kind of malwares, until USB peripheral companies come up with code signing on their firmware and antivirus companies are able to scan a firmware code, it is best to follow the below steps to stay secure.
- Enable USB drives in organization system only where necessary and create awareness among users not to trust unknown devices
- Conduct a full-fledged audit of your systems to see if you are already compromised with this kind or other security threats
- Continuously monitor your systems including endpoints for any suspicious activities and stop perpetrators before the information leaves your company