Cylance vs. Malicious USB Devices

Background and Timeline

USB-based malware has been around for a relatively long time. Since this type of attack requires physical access to an endpoint – a workstation, server, or laptop – these compromises can only be launched by actors with malicious intent – or by accident. As was highlighted in multiple studies a couple of years ago, 70 percent of employees who found a ‘dropped’ USB key in their parking lot or elsewhere in their office building inserted it into their own PC within a few hours to view the contents. Most did so with the reported motive of looking for identifying information that would let them return the device to its rightful owner. If the drive or its case carried a decal with the official logo of the company they worked for, 90 percent plugged it in.

Rogue USB devices have been at the heart of many high-profile attacks. The most infamous was Stuxnet, delivered on an infected memory stick, which caused actual physical damage to Iranian power plants. But USB attacks have also included lesser-known campaigns, such as Ploutus, Alice, and Skimer, targeted at automated teller machines (ATMs). The tally also includes BlackPOS (used in the Target Stores breach) and vSkimmer, both of which are focused on point of sale (POS) units.

Our Research team has created this video showing two types of USB attack, in real time:

VIDEO: CylancePROTECT vs. USB Device Attacks (Bash Bunny and Rubber Ducky)

How Is It Delivered? What Does It Do?

This malware is either loaded onto commodity drives or, in some cases, placed on specialized USB keys with an embedded microSD card. Because such devices spoof their vendor IDs (VIDs) and product IDs (PIDs), the host computer cannot tell what the drive actually is or what it intends to do.
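As an added defender-side example (not code from the post or from Cylance), the following Python script shows one way to see through a spoofed VID/PID: it parses Linux kernel log lines for USB attach events and compares the functions a device actually exposes (mass storage, HID keyboard) against a hypothetical enrolment allowlist, so a stick that borrows a trusted drive's IDs but also registers a keyboard, the Rubber Ducky and Bash Bunny pattern, stands out. The log lines, IDs and allowlist are constructed for the example.

```python
import re

# Constructed sample kernel log (not from the original post). Ports 1 and 2 report
# identical idVendor/idProduct values, but the stick on port 2 also registers a HID
# keyboard. Port 3 carries IDs the site never enrolled.
SAMPLE_LOG = """\
usb 1-1: New USB device found, idVendor=1234, idProduct=0001, bcdDevice= 1.00
usb-storage 1-1:1.0: USB Mass Storage device detected
usb 1-2: New USB device found, idVendor=1234, idProduct=0001, bcdDevice= 1.00
usb-storage 1-2:1.0: USB Mass Storage device detected
hid-generic 0003:1234:0001.0002: input,hidraw0: USB HID v1.11 Keyboard [Ordinary Flash Drive] on usb-0000:00:14.0-2/input1
usb 1-3: New USB device found, idVendor=abcd, idProduct=ef01, bcdDevice= 2.00
hid-generic 0003:ABCD:EF01.0003: input,hidraw1: USB HID v1.11 Keyboard [Unknown] on usb-0000:00:14.0-3/input0
"""

# Hypothetical enrolment record, VID:PID -> approved functions. Recording the
# function and not only the IDs is what makes a spoofed VID/PID visible.
ALLOWLIST = {"1234:0001": {"storage"}}

NEW_DEV = re.compile(r"usb \d+-([\d.]+): New USB device found, idVendor=(\w+), idProduct=(\w+)")
STORAGE = re.compile(r"usb-storage \d+-([\d.]+):")
HID = re.compile(r"hid-generic 0003:\w+:\w+\.\w+: .* USB HID v[\d.]+ (\w+) \[[^\]]*\] on usb-\S+?-([\d.]+)/")


def parse_devices(log):
    """Map each port path to the VID:PID it announced and the functions it exposed."""
    devices = {}
    for line in log.splitlines():
        if m := NEW_DEV.search(line):
            port, vid, pid = m.groups()
            devices[port] = {"vidpid": f"{vid}:{pid}".lower(), "roles": set()}
        elif (m := STORAGE.search(line)) and m.group(1) in devices:
            devices[m.group(1)]["roles"].add("storage")
        elif (m := HID.search(line)) and m.group(2) in devices:
            devices[m.group(2)]["roles"].add(m.group(1).lower())
    return devices


def audit(log, allowlist):
    """Return {port: [reasons]}; an empty list means the device matched its enrolment."""
    findings = {}
    for port, dev in parse_devices(log).items():
        vidpid, roles, reasons = dev["vidpid"], dev["roles"], []
        if vidpid not in allowlist:
            reasons.append(f"{vidpid} is not enrolled")
        elif (extra := roles - allowlist[vidpid]):
            reasons.append(f"{vidpid} enrolled for {sorted(allowlist[vidpid])} but also exposed {sorted(extra)}")
        if {"storage", "keyboard"} <= roles:  # a drive that also types: the Rubber Ducky / Bash Bunny pattern
            reasons.append("drive that also registers as a keyboard")
        findings[port] = reasons
    return findings
```

On a live host the same functions can be fed the output of `dmesg`, or a udev rule can write the equivalent fields to a log that a SIEM collects; the allowlist would come from the site's hardware inventory.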

Once the keys are inserted in a host (Read more...)

This is a Security Bloggers Network syndicated blog post authored by The Cylance Team. Read the original post at: Cylance Blog