Ars Technica recently published an article shedding light on how Windows computers can be exploited when a booby-trapped USB fob is inserted into the machine and executes malicious code.
Microsoft has acknowledged this and released a security bulletin regarding the issue, stating, “To exploit the vulnerability, an attacker would have insert a malicious USB device into a target system.”
So what's the problem, right? Yes, there is a vulnerability that needs to be patched, but someone would have to gain physical access to the computer system and insert the USB fob to get the malicious code to execute. That's not going to happen, right?
Wrong. But it’s not happening how you think...
What's wrong with this proposed scenario is that attackers don't actually have to insert USB fobs into computers themselves, like in a James Bond or Mission Impossible movie. They get the corporate users to do it for them via social engineering.
Think I'm kidding? Here at Digital Defense, Inc. (DDI), we conduct USB drops as part of our onsite social engineering engagements, and more often than you might think, people who find the fob are curious and will quickly insert it into their computer to see what it contains. Even worse, we've seen people insert the USB fob at work and subsequently take it from the office to try it at home as well. Given this scenario, the employee “infects” not only their work computer, but also a home computer that may also connect to the corporate network.
So what can you do to protect your company? At DDI we suggest a multi-pronged approach to protecting companies from these types of attacks.
Tips to Protect Against USB Attacks
Lock Down USB Ports
Lock down the USB ports on all of the corporate computers via software or hardware locks. This isn’t foolproof and doesn’t solve the problem by itself. There will invariably need to be computers that have USB ports open to move files back and forth because they are air gapped, on separate networks, etc.
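One way to check whether a given Windows machine is actually locked down by software, or is one of the open exceptions, is a read-only audit like the following. This is an added example, not DDI's own tooling; it assumes the lockdown was done through the USBSTOR driver start value or the removable storage "deny all" policy, and it covers USB mass storage only, not other USB device classes.

```powershell
# Added example: read-only audit of USB mass-storage lockdown on the local host.
# Assumes lockdown via the USBSTOR driver start type or the removable-storage
# deny-all policy; other lockdown products are not detected.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of raising an error.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$svcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$enumKey   = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

# Start = 4 means the mass-storage driver is disabled; 3 is the on-demand default.
$start   = Get-RegValue -Path $svcKey -Name 'Start'
# Deny_All = 1 means policy denies access to all removable storage classes.
$denyAll = Get-RegValue -Path $policyKey -Name 'Deny_All'

# History of USB storage devices this machine has seen:
# one subkey per device model, one child key per device instance.
$seen = @()
if (Test-Path $enumKey) {
    $seen = @(Get-ChildItem -Path $enumKey -ErrorAction SilentlyContinue |
        ForEach-Object {
            $model = $_.PSChildName
            Get-ChildItem -Path $_.PSPath -ErrorAction SilentlyContinue |
                ForEach-Object {
                    [pscustomobject]@{ Model = $model; Instance = $_.PSChildName }
                }
        })
}

# Summary row: suitable for collecting from many hosts to find the open exceptions.
[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    UsbStorStart      = $start
    PolicyDenyAll     = $denyAll
    StorageLockedDown = ($start -eq 4) -or ($denyAll -eq 1)
    DevicesSeen       = $seen.Count
}

# Detail: which storage devices have been plugged in before.
$seen | Format-Table -AutoSize
```

A machine that reports `StorageLockedDown` as false belongs on the list of known exceptions, and a nonzero `DevicesSeen` on a machine that is supposed to be locked down is worth a follow-up.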
Update Your Anti-virus/Anti-malware Software
Most companies have anti-virus/anti-malware software already available on their systems; however, this does little if the exploit being used is a “zero day” or if the AV software has no signature for it. Even so, that doesn’t mean that it doesn’t need to be there! All computer systems need to have up-to-date AV/AM software to ensure that the known issues are caught before they can do any real damage.
Employee Education is Key
Lastly, and this is where many companies fail: train staff on common cyber criminal tactics. Employees should be educated and taught not to insert the USB fob in the first place (even those that come from well-respected companies at conferences). I have seen many corporate security training programs, and unfortunately, the majority of them say nothing about not inserting a USB fob into the corporate workstation or laptop. As such, training programs need to be updated to ensure employees understand the danger of inserting an unknown USB fob, so that they have insight into the real danger and can participate in protecting the company.
In closing, these types of social engineering attacks are more common than most people think; however, by putting controls and training in place, your organization can protect itself and ensure that it does not fall prey and become the next news headline.