Connecting a malicious thumb drive: An undetectable cyberattack
When we think of preventing cyberattacks, many of us think of phishing, malware or ransomware attacks. But you just might be overlooking the power of an external drive.
How a fake USB drive can take over your computer
Did you know cybercriminals can pull off a nearly undetectable cyberattack using only a malicious thumb drive? Infosec Principal Security Researcher Keatron Evans explains in this episode of Cyber Work Applied.
Cyber Work listeners get free cybersecurity training resources. Click below to get your free courses and other materials.
Malicious USB: Example and demo
Below is the edited transcript of Keatron’s Malicious USB walkthrough, along with a portion of the code he uses.
Dangers of connecting unknown USB drives
(0:00-0:35) Hello, I'm Keatron Evans, and I'm going to show you one of the most overlooked ways people get hacked or compromised, plugging in USB thumb drives, external drives and other such media. The method I'm going to demonstrate is nearly undetectable.
We constantly drive home the message of being careful of what you download from the internet and how dangerous downloads can be, but one of the more devastating and harder-to-detect scenarios is plugging in a malicious or weaponized USB drive. We're going to take one, which I've hardware hacked and make it appear as if it's a human interface device, or in this case, a keyboard to the operating system.
See Infosec IQ in action
Making a fake USB drive with malware
(0:36-0:57) The actual malicious payload is loaded into the firmware on this keyboard controller that's inside here, as opposed to just being a file on an actual USB drive. So essentially, this thing is not a USB drive at all; it just appears to be one.
The fact that it's not actually external storage means Windows security will treat it differently because after all, what harm could come from plugging in a USB keyboard?
How the malicious USB drive works
(0:58- 1:31) What you see here on my screen is I've got a listener in Metasploit waiting for someone somewhere to plug a drive just like this one in. When they plug it in, the hardware code that I firmware hacked in the disk drive is going to tell their machine to connect back to my machine.
It's going to do that in the form of sending actual keystrokes to their keyboard and having them type the code up for me on the machine as if I were sitting at the machine typing the code, almost like having an alien plug into your brain and type something.
Demo of malicious USB leading to attacker control
(1:32-2:20) Let's go ahead and look at what's happening on my screen as we wait for the victim to plug in the drive. Right now, we see nothing on my screen; it's just waiting. And now the victim is plugging in the drive.
C:\Users\Administrator>
And as you can see, as a result of them plugging it in, I now have a command shell on that victim's machine, which we, at that point, can completely take control of. I can do IP config.
C:\Users\Administrator>ipconfig
I can get a list of files on that machine.
C:\Users\Administrator>dir
And I can even write a file to this machine's desktop and have it control that machine if I wanted to do that.
C:\Users\Administrator>echo
So from here on, that machine belongs to me, and all the victim had to do was simply plug in this drive and not do anything else, and the rest was done automatically.
Phishing simulations & training
More cybersecurity training resources
Want more free resources? Check out the weekly Cyber Work Podcast for in-depth conversations with cybersecurity practitioners and industry thought leaders.
Cyber Work listeners also get other free cybersecurity training resources. Check out the latest free courses and resources to keep learning!
In this Series
- Connecting a malicious thumb drive: An undetectable cyberattack
- Tax scam season: How to protect your data from common scams in 2024
- Security awareness for kids: Tips for safe internet use
- Celebrate Data Privacy Week: Free privacy and security awareness resources
- Consumer data, who owns it and who protects it?
- Human error is responsible for 74% of data breaches
- What is a social engineering attack?
- Biggest cybersecurity mistakes by large organizations
- 4 common social media scams (and how to avoid them)
- From theory to practice: Designing a successful security awareness training program
- Understanding cyberattacks: Types, risks and prevention strategies
- Securing digital frontiers: The importance of information and IT security awareness training
- Optimizing your corporate security awareness training: Strategies and techniques
- What is security awareness: Definition, history and types
- Top 10 security awareness training topics for your employees in 2023 and beyond
- AI best practices: How to securely use tools like ChatGPT
- 5 ways to prevent APT ransomware attacks
- 4 mistakes every higher ed IT leader should avoid when building a cybersecurity awareness program
- ISO 27001 security awareness training: How to achieve compliance
- Run your security awareness program like a marketer with these campaign kits
- Deepfake phishing: Can you trust that call from the CEO?
- Fake shopping stores: A real and dangerous threat
- 10 best security awareness training vendors in 2022
- How to hack two-factor authentication: Which type is most secure?
- Malicious push notifications: Is that a real or fake Windows Defender update?
- Free Cybersecurity and Infrastructure Security Agency (CISA) ransomware resources to help reduce your risk
- How IIE moved mountains to build a culture of cybersecurity
- At Johnson County Government, success starts with engaging employees
- How to transform compliance training into a catalyst for behavior change
- Specialty Steel Works turns cyber skills into life skills
- The other sextortion: Data breach extortion and how to spot it
- Texas HB 3834: Security awareness training requirements for state employees
- SOCs spend nearly a quarter of their time on email security
- Security awareness manager: Is it the career for you?
- Risks of preinstalled smartphone malware in a BYOD environment
- The ROI of security awareness training
- 5 reasons to implement a self-doxxing program at your organization
- What is a security champion? Definition, necessity and employee empowerment [Updated 2021]
- Excel 4.0 malicious macro exploits: What you need to know
- Worst passwords of the decade: A historical analysis
- ID for Facebook, Twitter and other sites? Not so fast, says security expert
- 3 surprising ways your password could be hacked
- Fake online shopping websites: 6 ways to identify a fraudulent shopping website
- All about carding (for noobs only) [updated 2021]
- Password security: Complexity vs. length [updated 2021]
- What senior citizens need to know about security awareness
- 55 federal and state regulations that require employee security awareness and training
- Brand impersonation attacks targeting SMB organizations
- How to avoid getting locked out of your own account with multi-factor authentication
- Breached passwords: The most frequently used and compromised passwords of the year
- Top 5 ways ransomware is delivered and deployed
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
Security awareness
Tax scam season: How to protect your data from common scams in 2024
Security awareness
Security awareness
Celebrate Data Privacy Week: Free privacy and security awareness resources
Security awareness