Hacked by USB: Why the Humble Can Be a Harbinger of Danger

Written by: Martin Dale Bolima, Tech Journalist, AOPG.

It is hard to believe this still needs to be said: “Stop plugging that unknown USB—or flash drive if you prefer it—into your computer, much less your workstation.”

For the longest time, malicious actors have used the humble USB to carry out cyber attacks, and they apparently are still doing it today. In fact, back in January, the FBI issued a warning to U.S. companies about a cybercriminal group from Eastern Europe using infected USB drives for nefarious purposes. The group’s MO, evidently, is to send these USB drives to companies—those in the transportation, defence and insurance sectors in this case—with the hopes of just one employee plugging itto their computer.

And this is not an isolated case. A recent study, the “2022 State of the Phish,” report by enterprise security firm Proofpoint shows an uptick in USB-aided attacks, with 54% of global organisations reporting such attacks in 2021—significantly higher than the 15% reported in 2020.

What Are USB-Aided Attacks?

A USB-aided attack—or simply, “USB attack”—is as the name suggests: A cyber attack carried out using a USB drive, otherwise known also as a “flash drive” or “thumb drive.” Said USB drive is generally laced with malicious code, like a virus or malware, and when plugged into the computer, will implant the nefarious code—making the computer the point of attack. USB attacks generally fall into one of these four categories:

1. Keystroke stealer. A USB’s internal microcontrollers can be reprogrammed to act like a remote keyboard that allows the threat actor to “steal” the victim’s keystrokes and potentially figure out their login credentials and passwords. The notorious Rubber Ducky USB loosely falls under this category.
2. Executables. A USB’s internal firmware can be reprogrammed to make it execute certain functions, like installing malware and ransomware, compromising data, or taking control of the computer’s camera without the victim knowing.
3. Flaw exploiters. A USB can also be reconfigured to exploit flaws in the way the USB and the computer interact with each other. A common instance, in this case, is the USB reprogramming legitimate firmware into something malicious.
4. Killers. A USB can actually be used to deliver an electrical charge to the computer to outright damage or destroy it. An example is the aptly named USB killer, which stores power from the computer’s USB port (think of charging a smartphone on the computer) until such time it reaches the desired level—at which point it discharges this power and fries the connected device.

The Old-Turned-New MO: Using the USB to Steal Money

The uptick in USB attacks might persist well into 2022 and beyond with the discovery of another USB-aided cyber attack MO: UK-based scammers send random people a USB drive containing a counterfeit Microsoft Office suite (worth USD $439) but in packaging that makes everything look legitimate. Upon plugging in, the unsuspecting victim will not see an Office launch installation wizard but a warning of a possible virus. It also contains a prompt called a spurious support line that will try to persuade the former to provide the latter with remote access to the PC to “fix” the problem—for a fee.

“As soon as they had plugged the USB into the computer, a warning screen appeared saying there was a virus,” said Martin Pitman), a cybersecurity consultant at Atheniem, a consultancy and training organisation based in the UK. “To get help and fix the issue, they needed to call a toll-free number to get the computer up and running again. As soon as they called the number on the screen, the helpdesk installed some sort of [remote access program] and took control of the victim’s computer.”

Microsoft is at least on top of the situation, noting how this scam is a rarity but still launching its own internal investigation on the matter. It has also put up a dedicated support page to help people avoid scams and frauds.

A Dangerous Ducky Is Daring to Do More

If the USB-as-a-hacking-tool situation is not problematic enough, along comes the USB Rubber Ducky. It is the latest iteration of the original Rubber Ducky of a decade ago, which back then became a hacker’s dream—small and so innocent-looking but dangerous just the same.

Among other things, hackers could use the Rubber Ducky to create a fake Windows pop-up that steals the user’s login credentials and prompts Chrome to send over to the hacker’s server the user’s saved passwords. And all it took, for the most part, was some clever social engineering to get unsuspecting people to plug the USB into their computer.

Now, a decade later, that same Rubber Ducky just got put on steroids, with its DuckyScript programming language upgraded to create and execute a range of new commands—including a few specific to Mac and Windows devices. Whereas the Rubbery Ducky of old focused on writing keystroke sequences only, this modern, new normal iteration can do so much more, like writing functions, using logic control flows and storing various variables.

In layman’s terms, this is one dangerous duck. The caveat, of course, is that it can do damage only when it is plugged in. If not, it is as harmless as a sleeping duck.

Stop Plugging!

If it is any consolation, USBs are no longer as commonplace as they were a decade or so ago, when they reigned as the most convenient means of file storage. But they are still around, and they can be a menace just the same. And this is why organisations must be vigilant and smart when using USBs. The best rule of thumb to follow in this case is to never plug in an unknown USB.

On the off chance the organisation is still reliant on USBs, everyone should:

• Have a separate USB for work and for personal use.
• Disable autorun to keep malicious code in the USB from executing automatically upon plugging.
• Keep their systems updated, especially for Windows users.
• Leverage virtualisation software, like VirtualBox by Oracle, which can be used to open a USB in a virtual environment so it cannot affect the computer itself.
• Be extremely careful and cautious with USBs.

The reality nowadays is that it can be very easy to let one’s guard down, especially with something so small and so innocent-looking. USBs are exactly that for the most part—that is unless cybercriminals are using them for some evil workings.