
Whether you're here as part of Deer Brook's penetration testing or you navigated here yourself, it's important to take note of the very real security threat that unknown USB sticks pose.
If you find a USB stick (or a flash drive) in public, it might seem like an innocent device simply left behind by a passerby. But no matter what, do not take the device. And especially do not plug it into your work or personal computer.
Scammers, hackers, and threat actors have been known to take USB sticks, jam-packed with malware or ransomware, and leave them in public places. They're banking on people finding these devices, curiosity in tow, and plugging them into personal or work computers to see what's on them.
There are dozens of ways cyberattackers can turn USB sticks into malicious devices.
Different Types of USB Drop Attacks
Not all USB drop attacks function the same, but they're all equally dangerous.
There are four prominent types of USB drop attacks: ones that focus on social engineering, those that leverage malicious code in their contents, ones that spoof devices such as keyboards, and attacks that fry the victim's computer.
A USB drop attack, like any other piece of malware, isn't confined to just one category or type of attack. Elements from one or all of these categories can be present on an infected USB device.
Social Engineering
A malicious USB device employing social engineering tactics will have files and folder names designed to pique a victim's interest.
To get someone to click on these malicious files, they'll be named anything ranging from "PRIVATE," to "CONFIDENTIAL," to "SECRET."
Once a victim clicks on these files, cyberattackers can either leverage more social engineering tactics through internet phishing, or they can launch malicious code from the files themselves. As long as the files have been clicked, anything's on the table.
Malicious Code
Many USB drop attacks take advantage of malicious code to infect victims' computers. Upon clicking a file, malware can get automatically installed on the victim's computer.
From there, the malware can do any number of things, as it really just depends on what the cyberattacker wants to achieve: personal information and confidential data can be stolen and sent to the attacker, ransomware could encrypt files on the victim's system and demand a payment in exchange for the return of files, and more.
Human Interface Device (HID) Spoofing
USB drop attacks that use HID spoofing will fool a victim's computer into thinking the device is a keyboard, allowing the device to bypass any potential antivirus scanning.
The USB stick then proceeds to inject preconfigured keystrokes and shortcut commands that, more often than not, give the cyberattacker access to the victim's computer via remote access functionality.
This is another gateway for hackers to install malware on a victim's computer, just like attacks that use malicious code.
USB Killer
While USB killer attack techniques aren't nearly as popular as the other three types mentioned, they're still equally dangerous and worth pointing out.
USB killer attacks are designed to fry and destroy a victim's computer by way of a voltage surge. Cyberattackers can either purchase USBs already configured for this purpose, or can modify specific types of regular USB devices.
Once plugged in, a USB killer device is designed to release a high-voltage surge back into the victim's computer and effectively destroy it.
How to Avoid USB Drop Attacks
The easiest way to avoid a USB drop attack is to not plug in any unfamiliar USB sticks that you come across. But if there's a situation where you really need to, then you should set aside a device not connected to the internet or any networks, and plug the USB stick into that device. But that's the only thing you should ever use that device for, going forward.
Don't Plug in Rogue USB Sticks
In USB drop attacks, a lot of the legwork of getting computers and systems infected is done by the victim's curiosity. Social engineering and other tricks are used at every possible moment in the hope that someone, in one moment of weakness, succumbs.
Keep your guard up, and make it a rule to never plug in any unknown USB devices. That goes for devices you find in public, or those that you receive unprompted in the mail.
Disable AutoPlay and Autorun
AutoPlay functionality allows USB sticks and drives to launch without asking for permission or alerting you. Disabling AutoPlay will help prevent malicious code from automatically running when you plug in an infected device.
On Windows, you can disable AutoPlay (or autorun) by either navigating through the Control Panel or using your search bar directly. From there, you can switch off any option along the lines of "Use AutoPlay for all media and devices."
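For administrators who want to check the same setting from a script, the following added example (not from Deer Brook) audits the two registry values that commonly back AutoPlay and AutoRun on Windows, and sets them when run with -Enforce. The script name Check-AutoPlay.ps1 and the -Enforce switch are assumptions made for this illustration; writing the machine-wide value requires an elevated session.

```powershell
# Check-AutoPlay.ps1 (hypothetical name): audit AutoPlay/AutoRun, optionally harden.
# Added example; the -Enforce switch is defined here, it is not a Windows feature.
param([switch]$Enforce)

$settings = @(
    # Per-user value behind "Use AutoPlay for all media and devices" (1 = off)
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'
       Name = 'DisableAutoplay'
       Want = 1 },
    # Machine-wide policy value: 0xFF turns AutoRun off for every drive type
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun'
       Want = 0xFF }
)

foreach ($s in $settings) {
    # A missing key or value comes back as $null, which counts as not compliant
    $item    = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
    $current = if ($item) { $item.($s.Name) } else { $null }
    $ok      = ($current -eq $s.Want)

    if ($Enforce -and -not $ok) {
        # Create the key if it does not exist, then write the DWORD
        if (-not (Test-Path -Path $s.Path)) {
            New-Item -Path $s.Path -Force | Out-Null
        }
        New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Want `
            -PropertyType DWord -Force | Out-Null
        $current = $s.Want
        $ok      = $true
    }

    # One result row per setting, suitable for piping to Format-Table or Export-Csv
    [pscustomobject]@{
        Setting   = "$($s.Path)\$($s.Name)"
        Current   = $current
        Wanted    = $s.Want
        Compliant = $ok
    }
}
```

Disabling AutoPlay does not stop a device that presents itself as a keyboard, so this check complements the rule of not plugging in unknown devices rather than replacing it.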
Use an Air Gapped Device
As mentioned before, if you really need to plug in an unknown USB device, set aside a computer that's dedicated to exactly that purpose.
That means it contains none of your personal information or confidential data, and isn't connected to any networks or the internet.
Using an air gapped device doesn't mean that device is secure. It just means malware and infectious software that gets installed onto it won't spread.
Keep Your Computer Updated
Keeping your computer up-to-date on the most recent system and software updates is always the way to go.
Many cyberattacks take advantage of system or software versions with particular vulnerabilities. Couple that with the fact many people put off updating their computers, and you have a recipe for easily-preventable cyber intrusions.
Final Thoughts
The easiest way to prevent a USB drop attack is to steer clear of any USB sticks you don't own yourself. Don't be fooled by a rogue USB device found in public, and especially don't trust any files or folders stored on it.
Have any questions? You can always email Deer Brook here or call us at 207-387-0396.