BadUSB explained: How rogue USBs threaten your organization

In January 2022, the FBI issued a public warning over a USB attack campaign in which numerous USB drives, laced with malicious software, were sent to employees at organizations in the transportation, defense, and insurance sectors between August and November 2021. The USBs came with fake letters impersonating the Department of Health and Human Services and Amazon, sent via the U.S. Postal Service and UPS. The campaign has been dubbed “BadUSB,” and the FIN7 hacker organization has been named as the culprit. Here is what you need to know about BadUSB and mitigating the risks of this USB attack.

BadUSB definition

“The BadUSB attack provides the victim with what looks like a physical USB stick and a lure to plug it into the victim’s system, such as promising a gift card as a thank you or invoices that need to be processed,” explains Karl Sigler, senior security research manager at Trustwave SpiderLabs. His malware research team initially discovered the campaign in 2020 while examining a malicious thumb drive as part of a forensic investigation for a U.S. hospitality provider.

“The USB drive is actually configured as a USB keyboard, and the computer will identify it and configure it as such,” he tells CSO. “Once inserted, the USB keyboard will automatically start typing and will typically invoke a command shell and inject commands to download malware.”

Security threats posed by BadUSB

BadUSB, when successful, acts as an initial downloader for anything from credential grabbers to backdoors and ransomware, Sigler says. These types of attacks are often discussed among security professionals, but are not common. Given the rarity of the attack, it is likely effective in a lot of situations, he adds.

“This attack vector may be an attempt to exploit the work-from-home trend,” wrote Cybereason chief visionary officer and co-founder, Yossi Naar. “There are fewer guard rails and an increase in the likelihood a user will plug into a work computer or to their home network, to which their work computer is also connected.”

Naar also noted that some organizations or departments routinely employ USB thumb drives and people are therefore more likely to use a USB storage device without suspicion. “That would make this tactic more effective,” he continued, warning that once attackers have gained a foothold, they can escalate privileges or conduct reconnaissance from the inside.

Perhaps the riskiest element of BadUSB is the possibility that the campaign is merely a distraction for a different or broader attack, Naar said. “There are a variety of more effective attack vectors that don’t rely on a potentially traceable and high-touch campaign like this,” he wrote, adding that FIN7 is a sophisticated threat actor, “which is why this all feels like a big misdirection.”

Preventing BadUSB risks

Business can take several steps to prevent falling victim to the BadUSB attack. The first is to include this campaign and others like it in security awareness training and make sure that all employees understand they should turn over any unidentified hardware to their internal security team before attempting to insert or connect it to their system, Sigler tells CSO.

“Systems would also benefit from up-to-date endpoint protection that can monitor for command shell abuse and any subsequent malware that might be downloaded,” while physical and software-based USB port blockers for critical systems that don’t require any USB accessories are worthwhile, too, Sigler says.

If BadUSB is indeed an attack misdirection attempt as Naar stated, organizations need to examine the entire malicious operation across their environment and not simply focus on the USB drive foothold to recognize indicators of behaviors and identify and stop additional malicious activity, he wrote.