After making its debut in 2014, the BadUSB attack has made a comeback, with the FBI issuing a public warning in January 2022 after a large number of USB drives containing malicious software were distributed in America posing as the Department of Health and Amazon (CSO, 2022). With the rise of ransomware and remote hacking operations, it seems almost old-fashioned to bring the humble USB stick into a cyberattack, and that may be exactly why it is an effective tactic: no one expects it.
What is a BadUSB attack?
It starts with a USB drive that is configured for malicious intent by the cybercriminal. Looking harmless, the USB stick is delivered to the victim with a lure to entice the victim to plug it into their system. This can be done with the promise of a gift card as a thank you that can be accessed on the USB or with an urgent task such as invoices on the USB that need to be processed. Once the BadUSB is inserted into the computer it will take over to initiate the cyberattack.
Senior Security Research Manager for Trustwave Spider Labs, Karl Sigler, explains, “The USB drive is actually configured as a USB keyboard and the computer will identify it as such. Once inserted, the USB ‘keyboard’ will automatically start typing and will typically invoke a command shell and inject commands to download malware.”
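A device that registers as a keyboard and starts typing by itself leaves a timing signature that a defender can check for: long bursts of keystrokes at machine speed, beginning shortly after plug-in. The Python below is an added example, not from the original article; the thresholds, device names and event format are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Assumed thresholds (tune per environment; not from the article).
MAX_INTERVAL_MS = 15.0   # gaps shorter than this are faster than sustained human typing
MIN_BURST = 10           # consecutive fast keystrokes needed to flag a device
ATTACH_WINDOW_MS = 5000  # typing this soon after plug-in adds suspicion

def longest_fast_run(timestamps, max_interval_ms=MAX_INTERVAL_MS):
    """Length (in keystrokes) of the longest run whose gaps are all below the limit."""
    best = run = 1 if timestamps else 0
    for prev, cur in zip(timestamps, timestamps[1:]):
        run = run + 1 if (cur - prev) < max_interval_ms else 1
        best = max(best, run)
    return best

def flag_injection(attach_events, key_events):
    """Return {device_id: reason} for keyboards whose typing looks scripted.

    attach_events: {device_id: attach_time_ms}
    key_events:    iterable of (time_ms, device_id)
    """
    per_device = defaultdict(list)
    for t, dev in key_events:
        per_device[dev].append(t)
    findings = {}
    for dev, times in per_device.items():
        times.sort()
        burst = longest_fast_run(times)
        if burst < MIN_BURST:
            continue  # no sustained machine-speed typing from this device
        attached = attach_events.get(dev)
        soon = attached is not None and times[0] - attached <= ATTACH_WINDOW_MS
        findings[dev] = f"{burst} keystrokes at machine speed" + (
            ", starting right after plug-in" if soon else "")
    return findings

# Constructed sample data: a built-in keyboard typed by a person, and a
# newly attached "keyboard" that emits 40 keystrokes 2 ms apart.
ATTACH = {"kbd-builtin": 0, "usb-new": 60_000}
HUMAN = [(1000 + i * 140 + (i % 3) * 35, "kbd-builtin") for i in range(30)]
SCRIPTED = [(60_800 + i * 2, "usb-new") for i in range(40)]

if __name__ == "__main__":
    for dev, reason in flag_injection(ATTACH, HUMAN + SCRIPTED).items():
        print(dev, "->", reason)
```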
What are the security threats?
The concern goes beyond downloading a virus, as the BadUSB poses a range of cybersecurity threats including data theft, ransomware, or even destroying the computer via charge overload.
How to prevent it:
User awareness is your first defense. Practice good habits, such as thinking twice before you insert a USB into your device (can I trust this USB?) and not inserting a USB whose origins you don’t know (don’t pick up a USB off the ground).
As a backup defense, we strongly recommend deploying a quality cybersecurity system to protect your digital environment. Sophos provides sophisticated protection against malware, ransomware, and other attacks. (We offer a free 30-day full product trial with no obligations.)
The BadUSB attack serves as proof we can still fall for old tricks. Stay vigilant out there and make sure to always think twice before trusting a humble USB stick. If it’s unusually urgent or seems too good to be true… well, you know what they say.