
Apricorn comments on USB hacking

 

Following the news of the FBI’s warnings about hackers infiltrating US businesses by mailing employees malicious USBs (https://edition.cnn.com/2022/01/07/politics/fbi-usb-hackers-warning/index.html), we ask Jon Fielding, managing director EMEA at Apricorn (www.apricorn.com), for his views.

“UK businesses should take note of this rising trend.  We expect to see cyber-attackers follow suit to target organizations in the UK, posting USBs to employees in an attempt to trick them into installing malware on their corporate machines.  The fact that many workers continue to access networks and systems using a mix of personal and company devices, with varying levels of security, probably increases the odds of hitting the jackpot.”

“Criminals will try every avenue to get inside access to an organization – either physically or virtually. We’ve seen the advent of phishing and malware from infected websites, for example. This is just a new avenue that builds off the old BadUSB exploit. If the USB stick can be sent to the right people (spearphishing), with a convincing story that means it gets used, it can give criminals a point of unfettered access to the network. Hackers can modify the device's firmware to allow it to impersonate a keyboard, for instance, and send keystrokes (commands) to the host machine to download malware, install back doors, or potentially install ransomware – which is the direction this attack vector is likely to end up taking if it’s successful on a large scale.”

“However, there’s a straightforward way of combating the risk without resorting to a blanket ban on the use of USBs, which play an increasingly vital role in the ability to move and store data securely offline in a hybrid work environment.”

“Organizations can mitigate the risk by mandating the use of a corporate-standard USB device with high-level encryption, and firmware implemented in a way that makes it impossible to modify for this exploit. The policy can then be enforced by locking down USB ports on employees’ machines so they can only accept an approved USB. This should be backed up with workforce-wide education around the new threat, and the risks associated with using unsanctioned USBs, as well as the role employees must play in countering it.”