“Look What I Found! Uh Oh… A USB.”
What is a USB drop attack?
A USB drop attack is one of the major techniques red teamers use to measure how well an organization follows security best practices. A USB drop attack happens when an attacker places a USB device, possibly containing malicious code, in a strategic location with the intent that someone will pick it up and plug it into a machine. This form of attack relies on social engineering. In cyber security, social engineering is the use of manipulative methods to persuade people to divulge information or take a certain action. In this scenario, the intruder (or intruders) is attempting to persuade victims (targets) to insert a USB device into their computer. Depending on the type of USB drop attack, the attacker can further trick victims into opening files loaded onto the USB device.
This type of attack has been used for years by everyone from lowly “script kiddies” to nation-state hacking groups. Depending on how it is deployed, it can be targeted at a single individual or organization, or distributed at random. A famous example of this attack is the Stuxnet worm, designed to destroy centrifuges at an Iranian nuclear plant. It is thought the worm was developed and distributed jointly by certain allied nations.
Air-gapped computers? With the right social engineering techniques, they can still be compromised with USB drop attacks.
Why is this attack successful?
This attack is so successful because it takes advantage of humans’ inherent curiosity and/or willingness to help others. When there is a device lying around that may hold “juicy” details, people can’t help but grab it to see what’s inside. A successful intruder takes advantage of a victim’s natural curiosity to convince them to pick up a USB device. Once a device is picked up, its contents are almost always going to be checked by the person who found it. Attackers place tempting files or file names on the device to capitalize on the human traits that drew the victim to the device in the first place.
Types of USB drop attacks
1. USB Human Interface Device (HID) Spoofing
Spoofing a USB Human Interface Device (HID) fools a computer into believing a keyboard is being operated by a human. This kind of USB drop attack is very flexible since it works on a variety of operating systems. HID spoofing devices can also be built from Arduino boards the size of a standard flash drive. These devices use their own scripting language, DuckyScript, to mimic everything a keyboard can do. If the injected keystrokes are not well hidden, the victim will notice and unplug the device before it finishes. A wary victim can also stop the attack if they notice keystrokes appearing on their own, or grow suspicious when no storage appears after plugging the device in.
Two of the most popular devices are the USB Rubber Ducky from Hak5 and the Malduino by Maltronics.
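A defender-side check for this category, added here as an example (it is not part of the original article and not code from Hak5 or Maltronics): a Python script that reads Linux kernel USB enumeration messages (as printed by dmesg) and flags any newly attached device that registers as a keyboard but is not on a list of issued keyboards, or that presents both a keyboard and a mass-storage interface, which is how many HID spoofing devices look to the host. The log lines, vendor/product IDs and allowlist are constructed placeholders for the example.

```python
import re
import sys

# Constructed sample lines modelled on the Linux kernel's USB messages; the
# vendor/product IDs and product names are placeholders, not captured data.
SAMPLE_LOG = """\
usb 1-1: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
hid-generic 0003:046D:C31C.0001: input,hidraw0: USB HID v1.10 Keyboard [Issued Keyboard] on usb-0000:00:14.0-1/input0
usb 1-3: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
usb-storage 1-3:1.0: USB Mass Storage device detected
usb 1-4: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
hid-generic 0003:ABCD:1234.0002: input,hidraw1: USB HID v1.11 Keyboard [HID Keyboard] on usb-0000:00:14.0-4/input0
usb-storage 1-4:1.0: USB Mass Storage device detected
"""

# Placeholder allowlist of (idVendor, idProduct) pairs for keyboards the organization issues.
ALLOWED_KEYBOARDS = {("046d", "c31c")}

NEW_DEVICE = re.compile(
    r"usb (?P<port>\d+-[\d.]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
HID_KEYBOARD = re.compile(
    r"hid-generic 0003:(?P<vid>[0-9A-Fa-f]{4}):(?P<pid>[0-9A-Fa-f]{4})\.\d+: .*USB HID v[\d.]+ Keyboard")
MASS_STORAGE = re.compile(
    r"usb-storage (?P<port>\d+-[\d.]+):\d+\.\d+: USB Mass Storage device detected")


def parse_devices(log_text):
    """Group kernel log lines into one record per attached USB port."""
    devices = {}   # port -> record
    by_id = {}     # (vid, pid) -> record, for lines that carry IDs instead of a port
    for line in log_text.splitlines():
        m = NEW_DEVICE.search(line)
        if m:
            record = {"vid": m["vid"], "pid": m["pid"], "keyboard": False, "storage": False}
            devices[m["port"]] = record
            by_id[(m["vid"], m["pid"])] = record
            continue
        m = HID_KEYBOARD.search(line)
        if m:
            record = by_id.get((m["vid"].lower(), m["pid"].lower()))
            if record:
                record["keyboard"] = True
            continue
        m = MASS_STORAGE.search(line)
        if m and m["port"] in devices:
            devices[m["port"]]["storage"] = True
    return devices


def triage(log_text):
    """Return (port, (vid, pid), reason) tuples for devices worth a closer look."""
    findings = []
    for port, record in parse_devices(log_text).items():
        ident = (record["vid"], record["pid"])
        if record["keyboard"] and ident not in ALLOWED_KEYBOARDS:
            findings.append((port, ident, "keyboard not on the issued-device allowlist"))
        if record["keyboard"] and record["storage"]:
            findings.append((port, ident, "keyboard and mass storage on one device"))
    return findings


if __name__ == "__main__":
    # Feed real output in with:  dmesg | python3 usb_triage.py   (otherwise the sample is used)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for port, ident, reason in triage(text):
        print(f"usb {port} {ident[0]}:{ident[1]}: {reason}")
```

Run against the sample, the issued keyboard on port 1-1 and the plain storage stick on 1-3 pass, while the device on 1-4 is reported twice: it is an unknown keyboard, and it also exposes mass storage. The same two conditions are what a USB device-control policy (a keyboard allowlist keyed on vendor/product ID, and no combined keyboard-plus-storage devices) would enforce at attach time rather than after the fact.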
2. Malicious File/Code
Malicious files are loaded onto ordinary flash drives, and the malware is activated when the user opens them. The files are typically given tempting names to entice victims to click on them. Less skilled attackers may be unable to disguise the files and must rely on victims clicking on them. If the executed code bypasses the machine’s malware protection, victims may be unaware of the attack. These attackers are constrained only by their creativity and the machine’s countermeasures, such as antivirus software. The benefit of this type of attack over HID spoofing is that, if executed correctly, the code runs completely out of view.
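To triage a found drive on an isolated analysis machine, as an added example (not code from the article): a Python script that walks a mounted removable drive and flags the naming tricks this category relies on: a document extension followed by an executable one, shortcut files, autorun.inf, padding or a right-to-left override that pushes the real extension out of view, and lure words in the name. The extension sets, lure-word list and sample file names are constructed for the example, and the script only reads names; it never opens or runs the files.

```python
import os
import tempfile
from pathlib import Path

# Extensions Windows will execute (or, for .lnk, follow) on double-click.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
                  ".js", ".jse", ".wsf", ".wsh", ".ps1", ".hta", ".msi", ".lnk"}
# Extensions a lure file pretends to be.
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                ".jpg", ".jpeg", ".png", ".txt", ".zip"}
# Words often used to bait a finder into opening a file (constructed list).
LURE_WORDS = ("salary", "salaries", "payroll", "confidential", "password",
              "bonus", "layoff", "private", "resume")


def classify_name(name):
    """Return the reasons a file name on found media deserves suspicion ([] if none)."""
    reasons = []
    lower = name.lower()
    suffixes = Path(lower).suffixes
    if lower == "autorun.inf":
        reasons.append("autorun.inf present")
    if suffixes and suffixes[-1] in EXECUTABLE_EXT:
        reasons.append(f"executable extension {suffixes[-1]}")
        # strip() so "report.docx      .scr" still reveals the hidden document extension
        if len(suffixes) >= 2 and suffixes[-2].strip() in DOCUMENT_EXT:
            reasons.append("document extension hidden before executable extension")
    if "   " in name or "\u202e" in name:
        reasons.append("padding or right-to-left override used to hide the real extension")
    if any(word in lower for word in LURE_WORDS):
        reasons.append("lure word in file name")
    return reasons


def scan_tree(root):
    """Walk a mounted drive (or any directory) and map relative paths to their reasons."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            reasons = classify_name(filename)
            if reasons:
                rel = os.path.relpath(os.path.join(dirpath, filename), root)
                findings[rel] = reasons
    return findings


if __name__ == "__main__":
    # Build a throwaway directory that mimics a planted drive (constructed contents only).
    with tempfile.TemporaryDirectory() as tmp:
        for name in ["Salaries_2023.pdf.exe", "Photos.lnk", "autorun.inf", "holiday.jpg",
                     "Confidential Layoff List.docx                 .scr"]:
            Path(tmp, name).write_bytes(b"placeholder")
        for rel, reasons in scan_tree(tmp).items():
            print(f"{rel}: {'; '.join(reasons)}")
```

Name-based triage is only the first pass: a lure can just as well be a real document carrying a macro or an embedded object, so anything that passes this check still belongs in a sandbox or a scanner before anyone on a production machine opens it.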
3. Social Engineering Links
This attack uses malicious phishing links. It is internet-dependent and requires that the victim’s device be connected to the internet. Using keystroke commands, it can be combined with HID spoofing devices to redirect a victim to a phishing website. It is more likely to be found on an ordinary flash drive and relies heavily on social engineering to deceive unsuspecting users into following links and then performing the desired action.
4. USB Kill
This is the most destructive of all USB drop attacks. When plugged in, the USB Kill creates a power surge that destroys the machine. The vast majority of devices are not protected against this type of attack. Some of these devices are hard to spot because an “anonymous” edition is sold with no markings to indicate it is a USB Kill. The device repeats the surge until the machine is destroyed or it is unplugged.
5. Zero Day
When this category of attack is discussed, it almost always references the Stuxnet attack. It takes advantage of an undiscovered vulnerability in the machine’s software. Some cyber security experts do not treat it as its own category; the logic for categorizing it cuts both ways, making it the most ill-defined category.
6. Reconnaissance and Deployment
A successful attacker puts a lot of thought and planning not only into the code and/or malicious links on the device, but also into the device’s deployment. The attacker will try a variety of methods to convince a person to pick up the device and insert it into their system. It makes no difference how much work went into the code on the device if the target does not accept it. Even once a victim picks up the device, the intruder must still convince them to connect it to the target machine. Experienced attackers do a number of things to maximize the likelihood that their attacks will be effective. Planning the deployment can be difficult: it varies with the method of attack, the aim or objectives, and other factors. Depending on the operation, multiple tactics may or may not be used, may be elaborated on, or may be applied in different orders. Reconnaissance, or recon for short, is the time an intruder spends researching deployment tactics. In cyber security, recon refers to gathering intelligence on a target or targets. In a USB drop attack, an attacker will recon victims and target machines in person and/or via a device.
Be responsible and use your knowledge for good, together let’s make this world more secure.
Written by Ashan Vijay — 3rd Year, 1st Semester, Cyber Security Student, SLIIT