Background and Timeline
USB-based malware has been around for a relatively long time. Since this type of attack requires physical access to an endpoint – a workstation, server, or a laptop – these compromises can only be launched by actors with malicious intent – or by accident. As was highlighted in multiple studies a couple of years ago, 70 percent of employees who found a ‘dropped’ USB key in their parking lot or elsewhere in their office building inserted it into their own PC within a few hours to view the contents. Most did so with the reported motive of looking for identifying information, to enable them to return the device to its rightful owner. If the drive or case had a decal of the official logo of the company they worked for, 90 percent plugged it in.
Rogue USB devices have been at the heart of many high-profile attacks. The most infamous was Stuxnet, delivered on an infected memory stick, which caused actual physical damage to Iranian power plants. But USB attacks have also included lesser-known attacks, such as Ploutus, Alice, and Skimer, targeted at automated tellers (ATMs). The tally also includes BlackPOS (used in the Target Stores breach) and vSkimmer, both of which are focused on point of sale (POS) units.
Our Research team has created this video showing two types of USB attack, in real time:
VIDEO: CylancePROTECT vs. USB Device Attacks (Bash Bunny and Rubber Ducky)
How Is It Delivered? What Does It Do?
This malware is either loaded onto commodity drives, or, in some cases, placed on specialized USB keys with an embedded microSD card. Due to the spoofing of VIDs and PIDs, computers cannot discern what the actual intent of the drive is.
Once the keys are inserted in a host computer or device, a further complication arises: there is no actual ‘malware’ as such contained on the stick, merely instructions (scripts) to create malware. And this is where things get worse, since antivirus (AV) and endpoint detection and response (EDR) tools are completely blind to the havoc about to come.
The Payload
We often hear about the prominence and growth of “file-less” malware. Well, USB malware is almost like “malware-less malware.” Scripts on the memory key create the malware in real time, save it on the host as a script or executable, and then unleash their fury.
The two malicious USB devices we demonstrate in our video above are Bash Bunny and USB Rubber Ducky. These avoid standard endpoint USB protection by emulating harmless devices, such as keyboards and mice. While not shown in the video, a Mac (protected by standard AV) still allowed the device to be configured by Apple’s Keyboard and Mouse Wizard.
The primary difference between the two types of USB attack is the number of devices that can be emulated. While Rubber Ducky simply imitates a keyboard device, Bash Bunny can emulate a wide range of things, including Ethernet over USB, a serial port, and a mass storage device. The unusual payloads are written in Ducky Script, which is a custom programming language that goes undetected.
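An added example, not from the original post or from Cylance: because a device chooses the VID and PID it reports, an allowlist keyed on those IDs alone accepts a keyboard emulator that clones an approved pair. The Python below also checks which interface classes a device exposes and which port it appears on; the device IDs, port names, and reason strings are constructed for illustration.

```python
from dataclasses import dataclass

# bInterfaceClass codes from the USB-IF class list.
HID, MASS_STORAGE, CDC_COMM, CDC_DATA = 0x03, 0x08, 0x02, 0x0A
NON_INPUT = {MASS_STORAGE, CDC_COMM, CDC_DATA}

@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    port: str        # physical port path reported by the host, e.g. "1-4"
    classes: tuple   # bInterfaceClass of every interface the device exposes

def vid_pid_only(dev, allowed_ids):
    """Weak check: trusts identifiers that the device itself reports."""
    return (dev.vid, dev.pid) in allowed_ids

def review_reasons(dev, allowed_ids, hid_ports):
    """Return the reasons a newly attached device should be held for review."""
    reasons = []
    if (dev.vid, dev.pid) not in allowed_ids:
        reasons.append("unknown-vid-pid")
    if HID in dev.classes:
        # Any HID interface can deliver input, so where it is plugged in and
        # what else it exposes matter more than the IDs it claims.
        if dev.port not in hid_ports:
            reasons.append("hid-on-unexpected-port")
        if NON_INPUT & set(dev.classes):
            reasons.append("hid-with-storage-or-network")
    return reasons

# Constructed sample data: IDs, ports and devices are made up for illustration.
ALLOWED_IDS = {(0x1111, 0x0001), (0x1111, 0x0008)}
HID_PORTS = {"1-1"}  # ports where this host's own keyboard and mouse live
SAMPLES = {
    "desk keyboard": UsbDevice(0x1111, 0x0001, "1-1", (HID,)),
    "approved flash drive": UsbDevice(0x1111, 0x0008, "1-3", (MASS_STORAGE,)),
    "keyboard, cloned IDs": UsbDevice(0x1111, 0x0001, "1-4", (HID,)),
    "multi-function stick": UsbDevice(
        0x2222, 0x0002, "1-4", (HID, MASS_STORAGE, CDC_COMM, CDC_DATA)),
}

if __name__ == "__main__":
    for name, dev in SAMPLES.items():
        print(f"{name:22} vid/pid ok={vid_pid_only(dev, ALLOWED_IDS)!s:5} "
              f"review={review_reasons(dev, ALLOWED_IDS, HID_PORTS)}")
```

The cloned-ID keyboard passes the VID/PID check but is still held because it shows up as an input device on a port that never carried one. Legitimate composite devices exist, so the reasons are review flags, not verdicts.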
As you’ll see in the video, Bash Bunny was reprogrammed using a simple text editor, without having to load it as a firmware image. In these videos, we’ve made it easy to see what happened. In real life, users won’t have a clue that their machines were compromised.
This week's Threat Spotlight by the Cylance Threat Guidance team features a deeper dive into these two USB devices. Check out the full blog post here.
What Does Cylance Do To Protect Against It?
With our machine-learning-based, predictive, prevention technology, CylancePROTECT® stops these types of attacks at their core.
In the case of Rubber Ducky, Cylance immediately detects the script, blocking it from ever executing. Anything downstream from the script attack – notably svchost.exe, explorer.exe, and wmiprvse.exe – becomes benign, since all of the malicious code is neutralized.
With our Bash Bunny example, CylancePROTECT prevents the dumping of credentials by blocking a PowerShell memory attack (LsassRead). All of this happens instantly and silently without impacting the user experience or bogging down the system.
Also note – if Device Protection had been turned on, Cylance would have been able to block the device by its vendor ID and product ID.
Ultimately, Cylance prevents these attacks without any risk of compromised credentials or remote control of machines. If you’d like to learn more about blocking these types of attacks, contact us to let us know more about your security needs.