When I am doing informal risk analysis for things like designing a Security Awareness Program for clients, it is not uncommon for the client to suggest removing USB/removable storage usage training from the program. The typical reasoning for this is that the organization feels that their anti-malware is sufficient mitigation against this threat or in some cases they have a policy or technical control that limits USB drive usage in the workplace. I agree these are good controls to have; however, I am going to argue that they have a limit and Security Awareness Programs can help fill the gap.
A new exploit that has just been found in the wild is a great example of that limit because it is very ingenious and SERIOUS. The con works like this:
- A person who works for a high-profile employee (or another party of interest) is sent a high-value gift card.
- The gift card, typically from Best Buy or another national brand, is real. The recipient is instructed that a list of the items that the gift card can be used with is on the included USB drive (thumb drive).
- The user inserts the USB drive and looks at the list. There is NO MALWARE on the drive partition. If the machine has a USB drive blocking policy, the volume will not mount, but the exploit will still work. The user does not have to open or read the document.
- The USB drive is NOT a drive. It is actually a microcontroller designed to emulate a USB KEYBOARD. In an instant, it uses this new keyboard to run scripts and commands. What scripts and commands it issues can be programmed by the attacker.
- The abilities of such a system are almost limitless. The current examples found in the wild have been shown to open a covert channel back to a C&C server and send information about the compromised system, as well as installing remote-control tooling on the victim's device.
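Because the device is a keyboard, not storage, the one thing that gives it away on the endpoint is behaviour: a microcontroller types a whole command line in a fraction of a second. The following is an added example (not code from this post or from the Trustwave write-up) showing how a defender can flag that over a constructed stream of keystroke events; the event format, device names and the 12-keys-per-second threshold are assumptions for illustration.

```python
"""Flag USB keyboards whose keystroke rate is not humanly possible.

Added example, not from the original post. A keystroke-injection
device types an entire command in well under a second, so a per-device
keystroke-rate check over a short sliding window separates it from a
person at the keyboard. Event format and thresholds are assumptions.
"""
from collections import defaultdict, deque

# Constructed sample: (timestamp_seconds, device_id). A person types three
# keys on "kbd0" with ~150 ms gaps; a second "keyboard" (kbd1) appears and
# lands 40 keystrokes in 0.2 s.
SAMPLE_EVENTS = [(0.00, "kbd0"), (0.15, "kbd0"), (0.31, "kbd0")] + [
    (5.0 + i * 0.005, "kbd1") for i in range(40)
]


def keystroke_bursts(events, window_s=1.0, max_keys=12):
    """Return {device_id: peak keys per window} for devices over max_keys.

    Sustained human typing rarely exceeds ~10 keys per second, so a device
    that lands more than max_keys keystrokes inside any window_s-second
    window is reported. Events may arrive unsorted.
    """
    per_device = defaultdict(deque)   # sliding window of timestamps per device
    peak = defaultdict(int)           # highest window occupancy seen per device
    for ts, dev in sorted(events):
        q = per_device[dev]
        q.append(ts)
        while q and ts - q[0] > window_s:   # drop keystrokes older than the window
            q.popleft()
        peak[dev] = max(peak[dev], len(q))
    return {dev: n for dev, n in peak.items() if n > max_keys}


def new_devices(events, known):
    """Keyboards that sent keystrokes but are not on the allow-list of known ones."""
    return sorted({dev for _, dev in events} - set(known))


if __name__ == "__main__":
    print(keystroke_bursts(SAMPLE_EVENTS))        # {'kbd1': 40}
    print(new_devices(SAMPLE_EVENTS, ["kbd0"]))   # ['kbd1']
```

Pairing the rate check with an allow-list of known keyboard identifiers catches the device the moment it enumerates, before it has finished typing.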
The envelope and enclosed letter are of excellent quality and there are no poor translations or spelling issues to cause suspicion. Hacks and exploits like these cannot be stopped by anti-malware, firewalls or policy. Our principal remediation is Security Awareness Programs including training, events and other related mitigations.
With today’s huge influx of remote users in the workforce and a reduced ability to physically monitor employees’ systems and out-of-band traffic, these exploits are expected to become much worse. The best defense is to work with a trusted advisor to design these risks into your Security Awareness Program using adult learning methods and modern methods for metrics and feedback.
If you’d like to learn more about other methods to protect your company, watch our on-demand webinar, Answers to the Top Five Security Questions CISOs Ask Us.
Source and more technical information: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/would-you-exchange-your-security-for-a-gift-card/