Flash Drive Hazards: Navigating USB Security Risks and Protecting Your Data
Numerous organizations connect USB storage devices to vital networks and information systems to transfer and store vast amounts of crucial data. Additionally, workers use portable USB devices to carry confidential work-related information while operating from remote locations. Regrettably, USB devices carry a multitude of security risks, and you should be aware of them to head off the danger they pose to your organization.
According to a recent study, attackers have mastered the art of launching malware campaigns using infected USB devices. These attacks increased threefold in the first half of 2023. For example, Sogu presently stands out as the most aggressive cyber-espionage campaign using USB devices, with a global reach targeting various industries and attempting to steal data from compromised computer systems.
Chinese-backed hackers seem to have recognized that many international entities maintain a connection to the technological past, where USB drives circulate like business cards and internet cafés remain prevalent. In the last year, these espionage-driven hackers have taken advantage of this temporal disparity, reintroducing old-fashioned USB malware into the networks of numerous targets.
Sogu malware has affected individuals and entities in Australia, Switzerland, China, Japan, Ukraine, Singapore, Indonesia, the Philippines, the United States, France, the United Kingdom, Italy, Poland, and Austria. While the majority of those impacted operate within the energy, health, logistics, pharmaceutical, communications, and information technology domains, victims span a diverse range of sectors.
The resurgence of USB-based cyber attacks
The need for security teams to limit the accessibility of USB drives and external devices on organizational systems has increased due to rising cases of cyber-espionage campaigns targeting organizations spanning diverse industries.
In one such campaign, TEMP.Hex, a China-affiliated threat actor, employs USB flash drives as a means to deploy the Sogu malware to gain unauthorized access and exfiltrate sensitive data from host systems. The malware replicates itself onto any removable drive connected to the compromised host, presenting the attacker with a mechanism to disseminate the payload to other systems, potentially even those isolated from external networks. TEMP.Hex uses Sogu to gather information of economic and national security significance to China, posing a threat to organizations across various sectors, notably in health, transportation, business services, government, construction, and engineering.
In addition, a different threat actor identified as UNC4698 uses infected USB drives as a delivery method for malware onto targeted systems. The malware associated with this campaign, named "SnowyDrive," establishes a backdoor on the infected systems, enabling the cyber attacker to engage with the device remotely and issue commands. The primary targets of UNC4698's activities in this campaign are organizations within the oil and gas sector in Asia.
Also, UNC4191, another China-affiliated threat actor, orchestrates a cyberattack campaign by deploying four distinct malware families through infected USB drives. The victims of this campaign encompass both private and public sector entities in Southeast Asia and, to a lesser extent, organizations in the Asia-Pacific region, Europe, and the United States.
In June 2023, a threat actor affiliated with China referred to as "Camaro Dragon" (also known as Mustang Panda), successfully breached a hospital network by introducing malware through a compromised USB drive. The deployed self-propagating malware aimed at stealing data within the network.
Last but not least, the financially driven FIN7 group (also called Carbanak) drew the attention of the FBI after it employed a deceptive tactic: mailing ransomware-laden USB drives, cleverly disguised to appear as if they originated from the U.S. Department of Health and Human Services, to targets within the U.S. transportation, defense, and other sectors.
USB drives are a hidden threat to organizational cybersecurity
While most organizations pay attention to external threats, such as phishing, BEC, and hacking, a seemingly harmless device often escapes scrutiny—the USB drive.
This compact and portable gadget carries significant risks to the integrity, confidentiality, and availability of sensitive business data. USB drives are ubiquitous and have become integral to both our personal and professional lives. As per findings from a study conducted by Kingston Technology, a large percentage of employees regularly use USB drives for work-related activities. Despite this convenience, such widespread usage poses a potential vulnerability, offering malicious actors an avenue to compromise a company's security defenses.
As previously described, USB drives can serve as carriers for malware, leading to swift distribution across an organization's network. A study done by the University of Illinois revealed that half of individuals are likely to plug in USB drives they find on the ground. When connected to an organization's computer, a compromised USB drive has the potential to introduce malicious software such as Trojans, viruses, ransomware, or other threats, thereby jeopardizing sensitive data and disrupting operational integrity.
Additionally, USB drives can be exploited as tools for social engineering attacks. In such scenarios, an attacker employs the USB drop attack method, where they intentionally leave a USB device in a public location with enticing labels, such as "Employee Salary Details" or "Confidential Project Data." The innate curiosity of individuals often prompts them to insert the drive into their computers, unwittingly exposing the organization's systems to malware infections or granting unauthorized access to sensitive data.
Furthermore, employees, whether accidentally or with malicious intent, can leverage USB drives to compromise organizational security. For example, an employee may transfer confidential data onto a USB drive for remote work, accidentally exposing it to potential threats. Also, disgruntled employees may utilize USB drives to exfiltrate sensitive information to sabotage essential operations or for personal gain.
Here are some real-world examples of how USB devices have been used to perpetrate large-scale cyberattacks:
- Stuxnet: One of the most infamous cyber-attacks in history involved the Stuxnet worm. It was designed to target industrial control systems. The worm initially propagated through infected USB drives, underscoring the severe repercussions associated with such attack vectors.
- Healthcare Data Breaches: In 2017, a US-based healthcare provider fell victim to a significant data breach due to a stolen, unencrypted USB drive. The drive contained patient records, so the incident compromised the security and privacy of numerous patients.
Potential security risks from using USB drives
In an era dominated by digital connectivity, the convenience of USB storage devices cannot be overstated. These compact tools have become indispensable in transferring, storing, and accessing data on the go. However, as we embrace the ease these devices offer, it is crucial to pause and consider the potential risks associated with their use.
1. Transmitting Malware and Viruses
One of the foremost concerns is the accidental transmission of viruses or malware between machines. Many people often use USB storage devices interchangeably between different computers, and this can result in the accidental transmission of malicious software from one system to another. This risk is particularly heightened in environments where multiple devices are connected, such as in workplaces, schools, or public spaces. Cyber threats are evolving constantly, and a seemingly harmless USB device may serve as a carrier for harmful code that can compromise the security of the connected systems.
2. Theft or Loss of Unencrypted Devices
The loss or theft of unencrypted USB devices often leads to unauthorized access to sensitive data. These small, portable gadgets are prone to being misplaced or forgotten, putting the stored information at risk of falling into the wrong hands. Whether it's personal documents, confidential work files, or proprietary data, the consequences of such a loss can be severe. Individuals and organizations alike need to be vigilant about the physical security of these devices to mitigate the risks associated with accidental data exposure.
3. Targeted Cyberattacks
Targeted hacking often occurs through 'found' USB devices. Cybercriminals may strategically place seemingly abandoned USB drives in public spaces, relying on the curiosity of unsuspecting individuals to plug them into their devices. Once connected, these rogue devices can unleash malicious software or initiate unauthorized access, allowing hackers to exploit vulnerabilities in the host system.
4. Non-Compliance Risks
Numerous compliance regulations, including HIPAA, PCI DSS, and GDPR, delineate specific instructions on how companies should secure various types of client data. These directives encompass crucial aspects like data encryption, access controls for different data categories, and governance. Failure to adhere to such regulatory mandates exposes organizations to severe penalties and increases the risk of data breaches and loss.
For instance, the absence of encryption on devices allows unauthorized access, and the misplacement of such devices may lead to sensitive data falling into unauthorized hands. Moreover, employees might use USB drives to transfer personally identifiable information to their devices, lacking the necessary data protection measures mandated by diverse regulations.
5. Lack of Enforced Acceptable Use Policies
A prevalent issue among companies is the failure to enforce acceptable use policies outlining the best security practices when connecting flash drives to internal systems and networks. This oversight can lead to potential problems, as employees might misuse privileges, exposing the organization to data loss, malware attacks, and breaches. At a minimum, organizations should implement robust access control mechanisms across all systems to limit access to valuable data. Furthermore, USB data storage devices should undergo periodic internal audits and reviews, with employees required to justify any usage considered inappropriate or excessive. Implementing acceptable use policies is crucial to safeguard corporate data from loss and unauthorized access, as well as to shield the organization from the perils of malware attacks.
Best security practices when using USB devices
Implement Acceptable Use Policies: Establish and enforce clear policies regarding the use of USB devices within the organization. Specify permissible use cases, define security measures, and educate employees on responsible handling of USB drives. Also, regularly update and communicate these policies to maintain a culture of security awareness.
Disable Auto-Run Features: Configure systems to turn off auto-run features for USB devices. This prevents the automatic execution of potentially malicious code upon connecting a USB drive, reducing the risk of malware infections.
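The following is an added example, not code from the original post, showing how the auto-run control above can be applied and verified on a Windows host. It assumes an elevated PowerShell session and writes the same Explorer policy values that the "Turn off AutoPlay" and "Set the default behavior for AutoRun" Group Policy settings write.

```powershell
# Added example (not part of the original post): disable AutoRun/AutoPlay for
# every drive type via the machine-wide Explorer policy key, then verify it.
# Assumes a Windows host and an elevated prompt.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Set-AutoRunDisabled {
    # Create the policy key if it does not exist yet.
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    # 0xFF disables AutoRun on all drive types: removable, fixed, network,
    # CD-ROM and RAM disk. A per-user HKCU value cannot override this HKLM policy.
    Set-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    # NoAutorun = 1 tells Explorer not to execute any autorun.inf commands at all.
    Set-ItemProperty -Path $policyKey -Name 'NoAutorun' -Value 1 -Type DWord
}

function Test-AutoRunDisabled {
    # Audit check: true only when both hardened values are present.
    $props = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    return ($props.NoDriveTypeAutoRun -eq 0xFF) -and ($props.NoAutorun -eq 1)
}

Set-AutoRunDisabled
if (Test-AutoRunDisabled) {
    'AutoRun disabled for all drive types'
} else {
    'AutoRun policy not applied - check permissions and rerun elevated'
}
```

Existing Explorer sessions pick the change up after sign-out or a restart; in a domain, push the same values through Group Policy rather than per host so they cannot drift.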
Use Endpoint Protection Software: Deploy reliable endpoint protection software that includes features like real-time scanning for USB devices. This measure ensures that any connected device undergoes a thorough security scan to detect and mitigate potential threats before accessing the system.
Encrypt USB Drives: Encourage the use of encrypted USB drives to safeguard data in case of device loss or theft. Encryption adds a layer of protection, ensuring that even if the USB drive is compromised, the data remains inaccessible without the appropriate decryption key.
Regularly Update Security Software: Keep security software, including antivirus and anti-malware tools, up to date to defend against the latest threats. Regular updates ensure that the software recognizes and mitigates evolving risks associated with USB devices.
Outsourcing to a Reputable Security Provider: Choose a security provider with a proven track record in cybersecurity. Assess their expertise, experience, and the range of services they offer to ensure they align with the specific security needs of your organization. Also, select a provider that offers a comprehensive suite of security services, including threat detection, incident response, vulnerability assessments, and ongoing monitoring. This ensures a holistic approach to safeguarding your organization's assets.
Training and Awareness for All Employees: Conduct regular cybersecurity training sessions for all employees to raise awareness about potential threats, security best practices, and the importance of adhering to security policies. Emphasize the dangers of phishing attacks and educate employees on how to recognize and report suspicious emails. More importantly, educate employees on secure practices when using USB devices, including verifying the source, scanning for malware, and reporting any lost or stolen devices promptly.
Monitoring All Endpoints: Implement EDR (Endpoint Detection and Response) systems to monitor and analyze endpoint activities continuously. These systems can detect and respond to suspicious behavior, providing real-time threat intelligence. Furthermore, monitor network traffic for unusual patterns or activities that may indicate a security incident. Also, use UBA (User Behavior Analytics) tools to track and analyze user behavior across endpoints. This helps identify deviations from normal patterns, potentially indicating insider threats or compromised accounts.
Leverage Media Control and Encryption: Implement device control policies that restrict the types of USB devices allowed within the organization. This reduces the risk of introducing malicious or unauthorized hardware. Moreover, implement centralized device management solutions to control and monitor USB devices across the network to allow admins to enforce security policies consistently. It is also important to apply full disk encryption to all endpoints to protect data at rest. This safeguards the information in case a device is lost or stolen, ensuring that unauthorized access to sensitive data is mitigated.
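As an added example (not code from the original post), the device-control and encryption practice above can be enforced on Windows through the same policy registry values that the "Removable Storage Access" and BitLocker To Go Group Policy settings use. It assumes an elevated session; the class GUID below is the disk device-interface class that the "Removable Disks" policies target.

```powershell
# Added example (not part of the original post): enforce removable-media device
# control and require BitLocker To Go before a removable disk can be written.
# Assumes a Windows host and an elevated prompt.

$removableDisks  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
$bitLockerPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Set-RemovableMediaPolicy {
    param(
        [switch]$DenyAllRemovableStorage,   # block read, write and execute entirely
        [switch]$RequireBitLockerForWrite   # allow writes only to BitLocker-protected drives
    )
    foreach ($k in @($removableDisks, $bitLockerPolicy)) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    if ($DenyAllRemovableStorage) {
        # "Removable Disks: Deny read/write/execute access" policies
        foreach ($v in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
            Set-ItemProperty -Path $removableDisks -Name $v -Value 1 -Type DWord
        }
    } else {
        # Least-privilege default: reading stays possible, running code from the drive does not
        Set-ItemProperty -Path $removableDisks -Name 'Deny_Execute' -Value 1 -Type DWord
    }
    if ($RequireBitLockerForWrite) {
        # "Deny write access to removable drives not protected by BitLocker"
        Set-ItemProperty -Path $bitLockerPolicy -Name 'RDVDenyWriteAccess' -Value 1 -Type DWord
    }
}

function Get-RemovableMediaPolicy {
    # Audit helper: report the effective policy values so the control can be verified.
    $disk = Get-ItemProperty -Path $removableDisks  -ErrorAction SilentlyContinue
    $fve  = Get-ItemProperty -Path $bitLockerPolicy -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DenyRead             = [bool]$disk.Deny_Read
        DenyWrite            = [bool]$disk.Deny_Write
        DenyExecute          = [bool]$disk.Deny_Execute
        RequireBitLockerToGo = [bool]$fve.RDVDenyWriteAccess
    }
}

# Typical rollout: keep read access, block execution, and force encryption for writes.
Set-RemovableMediaPolicy -RequireBitLockerForWrite
Get-RemovableMediaPolicy
```

The Removable Storage Access values apply to drives connected after the policy is set, so reinsert a test drive (or reboot) when validating; use -DenyAllRemovableStorage on hosts that have no business need for removable media.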
The way forward - getting expert assistance
Are you looking to level up or get started? Pulsar Security can help. You can contact us today to learn more about our security solutions to enhance the protection of your organization.
Corey Belanger
Corey is a Security Consultant and leads QA of product development, using his expertise in these dual roles to more effectively test and secure applications, whether while building enterprise applications or while performing penetration tests and vulnerability assessments for customers. An Army veteran with a tour of duty in Afghanistan, Corey has built a post-military career in security while earning Network+, Security+, GIAC Certified Incident Handler, GIAC Python Coder, GIAC Web App Penetration Testing, and GIAC Penetration Tester certifications. Corey is also a BsidesNH organizer and founding member of TechRamp, avenues which he uses to help others build their skills for careers in security and technology. Fun Fact: When not manning a terminal or watching the Bruins, Corey can often be found snowboarding or riding his motorcycle.