USB drive attacks constitute a significant cybersecurity risk, taking advantage of the everyday use of USB devices to deliver malware and circumvent traditional network security measures. These attacks lead to data breaches, financial losses, and operational disruptions, with lasting impacts on an organization’s reputation. An example is the Stuxnet worm discovered in 2010, a malware designed to target industrial control systems, specifically Iran’s nuclear enrichment facilities. It exploited multiple zero-day vulnerabilities and spread primarily through USB drives, making it one of the first examples of a cyberattack with real-world physical effects. Stuxnet exposed the risks of removable media and raised global awareness of cybersecurity threats to critical infrastructure.
Attackers use various methods to deliver malicious payloads via USB drives, targeting individuals and organizations.
USB drive attacks typically follow a multi-step process to infiltrate systems and cause damage.
Wazuh is an open source security platform that helps organizations detect and respond to security threats by monitoring system activities, from informational events to critical incidents. Organizations can proactively prevent breaches and safeguard sensitive data by monitoring USB activity with Wazuh.
Wazuh monitors USB drive activities on Windows endpoints using the Audit PNP Activity feature. This feature logs Plug and Play (PnP) events, which helps identify when USB drives are connected. It is available on Windows 10 Pro, Windows 11 Pro, Windows Server 2016, and later versions.
Organizations can configure Wazuh to detect specific system events and monitor USB-related events, particularly focusing on Windows event ID 6416, which indicates when an external device is connected. Security administrators can detect USB device connections by creating Wazuh custom rules to identify potential security incidents.
The next step includes creating a Constant Database (CDB) of permitted devices’ unique device identifiers (DeviceID). This list allows Wazuh to differentiate between authorized and unauthorized devices, generating alerts for both categories. For instance, when an authorized USB drive is plugged in, it triggers a lower-level alert, while unauthorized connections can generate high-severity alerts that indicate a potential security breach.
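The allow-list logic described above, written out as an added Python example (not Wazuh's rule engine or the page's own configuration): it parses a CDB-style `key:value` list of permitted DeviceIDs, filters decoded Windows events down to event ID 6416 disk-drive connections, and assigns a low level to authorized drives and a high level to everything else. The nested field names (`win.system.eventID`, `win.eventdata.deviceId`, `win.eventdata.className`), the alert levels, and every DeviceID are assumptions or constructed sample values.

```python
# Constructed CDB-style allow-list of permitted DeviceIDs ("key:value" per
# line); both the DeviceIDs and the labels are made-up sample values.
AUTHORIZED_CDB = """\
USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\\4C530001230101&0:finance-backup
USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\\0019E0ABCDEF&0:it-imaging
"""

# Constructed event channel records in the nested layout assumed for Wazuh's
# decoded Windows events: an authorized drive, an unauthorized drive, a hub
# (also event 6416, but not a disk drive), and an unrelated logon event.
SAMPLE_EVENTS = [
    {"win": {"system": {"eventID": "6416"},
             "eventdata": {"className": "DiskDrive", "deviceDescription": "SanDisk Cruzer Blade USB Device",
                           "deviceId": "USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\\4C530001230101&0"}}},
    {"win": {"system": {"eventID": "6416"},
             "eventdata": {"className": "DiskDrive", "deviceDescription": "Generic Flash Disk USB Device",
                           "deviceId": "USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\\AA1B2C3D&0"}}},
    {"win": {"system": {"eventID": "6416"},
             "eventdata": {"className": "USB", "deviceDescription": "Generic USB Hub",
                           "deviceId": "USB\\VID_0424&PID_2514\\5&1A2B3C4D&0&1"}}},
    {"win": {"system": {"eventID": "4624"}, "eventdata": {"logonType": "2"}}},
]

LEVEL_AUTHORIZED = 5     # example value: low-priority, informational alert
LEVEL_UNAUTHORIZED = 12  # example value: high-severity alert

def parse_cdb(text):
    """Parse 'key:value' lines into {DeviceID: label}; blanks and '#' comments are skipped."""
    allowed = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, label = line.partition(":")  # DeviceIDs never contain ':'
            allowed[key] = label
    return allowed

def classify_event(event, allowed):
    """Map one decoded event to (level, message), or None if it is not a 6416 disk-drive connection."""
    win = event.get("win", {})
    if str(win.get("system", {}).get("eventID")) != "6416":
        return None
    data = win.get("eventdata", {})
    if data.get("className") != "DiskDrive":  # hubs, HID devices, etc. are not drives
        return None
    device_id = data.get("deviceId", "")
    if device_id in allowed:
        return (LEVEL_AUTHORIZED, f"Authorized USB drive '{allowed[device_id]}' connected: {device_id}")
    return (LEVEL_UNAUTHORIZED, f"Unauthorized USB drive connected: {data.get('deviceDescription', 'unknown')} [{device_id}]")

def run_detection(events, cdb_text=AUTHORIZED_CDB):
    """Return the (level, message) alerts raised for a batch of decoded events."""
    allowed = parse_cdb(cdb_text)
    return [alert for alert in (classify_event(e, allowed) for e in events) if alert]

if __name__ == "__main__":
    for level, msg in run_detection(SAMPLE_EVENTS):
        print(f"level {level:>2}: {msg}")
```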
Wazuh provides a solution to mitigate USB-related threats, such as Raspberry Robin, a Windows-based worm.
Raspberry Robin targets industries like oil, gas, transportation, and tech, causing operational disruptions. It spreads via disguised .lnk files, gains persistence by updating the UserAssist registry key, and mimics legitimate folders. The worm uses legitimate Windows processes such as msiexec.exe, rundll32.exe, odbcconf.exe, and fodhelper.exe to execute, persist, and download additional malicious components. Its reliance on TOR-based command and control (C2) servers for outbound communication adds stealth and complicates detection.
Wazuh detects Raspberry Robin by monitoring registry modifications, unusual command execution patterns, and suspicious use of system binaries. Its real-time file integrity monitoring and threat detection rules identify malicious activity, enabling swift response to mitigate potential disruptions.
Wazuh detects and mitigates Raspberry Robin by monitoring and responding to suspicious activity like:
Below is a sample custom rule configuration that detects possible Raspberry Robin activities.
For more details on detecting the Raspberry Robin worm using Wazuh, please visit this blog.
USB drives can also introduce security risks to Linux endpoints as potential vectors for malware and unauthorized data access. udev is a system utility on Linux that automatically detects and manages external devices, such as USB drives, when plugged in. It creates the necessary device files in the /dev directory so that the system can interact with them. Administrators can create custom udev rules that generate detailed events, providing insights into USB activity. Wazuh has built-in rules for USB monitoring, but udev-generated events provide richer details, improving threat detection.
We configure udev rules on our Linux endpoints to trigger a logging script whenever a USB device is connected. The Wazuh agent must be set up to read the generated JSON log file produced from the logging script, allowing it to process and analyze USB activity.
Like the Windows USB drive monitoring, you need a constant database (CDB) list of authorized USB device serial numbers. Wazuh will compare incoming connections against this list, triggering alerts for unauthorized devices.
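The logging script that the udev rule triggers, and the serial-number field that the CDB list is matched against, as an added Python example (not the page's or Wazuh's own script). It reads the device properties udev exports to `RUN` programs through the environment, writes one JSON object per line in the form the Wazuh agent reads with `log_format json`, and tags devices that report no serial number so the allow-list lookup cannot silently accept them. The udev rule text, the log path, and the sample environment are assumptions or constructed values.

```python
import json
import os
import time

# Assumed udev rule (not from the page) that runs this script for each newly
# added USB device, e.g. in /etc/udev/rules.d/90-usb-log.rules:
#   ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", RUN+="/usr/local/bin/usb_log.py"
# udev hands the device properties to RUN programs as environment variables.

LOG_PATH = "/var/log/usb-events.json"  # example path for the Wazuh agent's JSON log

# Constructed environment as udev would populate it for a flash drive.
SAMPLE_ENV = {
    "ACTION": "add",
    "DEVPATH": "/devices/pci0000:00/0000:00:14.0/usb1/1-3",
    "ID_VENDOR_ID": "0781", "ID_MODEL_ID": "5567",
    "ID_VENDOR": "SanDisk", "ID_MODEL": "Cruzer_Blade",
    "ID_SERIAL_SHORT": "4C530001230101",
}

def build_record(env, now=None):
    """Build one JSON-serialisable record from udev's environment variables."""
    serial = env.get("ID_SERIAL_SHORT", "").strip()
    return {
        "timestamp": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now)),
        "action": env.get("ACTION", "unknown"),
        "devpath": env.get("DEVPATH", ""),
        "vendor_id": env.get("ID_VENDOR_ID", ""),
        "product_id": env.get("ID_MODEL_ID", ""),
        "vendor": env.get("ID_VENDOR", ""),
        "model": env.get("ID_MODEL", ""),
        # A device without a serial can never be on the allow-list; the
        # explicit marker makes the CDB lookup flag it as unauthorized.
        "serial": serial or "NO_SERIAL",
    }

def to_json_line(record):
    """Serialise a record as a single line (one JSON object per line for log_format json)."""
    return json.dumps(record, separators=(",", ":"))

def append_record(record, path=LOG_PATH):
    """Append the record to the log file the Wazuh agent monitors."""
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(to_json_line(record) + "\n")

if __name__ == "__main__":
    if "ACTION" in os.environ:          # invoked by udev: log the real device
        append_record(build_record(os.environ))
    else:                               # run by hand: show the constructed sample
        print(to_json_line(build_record(SAMPLE_ENV)))
```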
The blog post on Monitoring USB drives in Linux using Wazuh provides more information on monitoring USB drives plugged into Linux endpoints.
You can use a custom script to log critical events related to USB devices on macOS endpoints and then configure Wazuh to monitor these events. Administrators can extract information such as connection and disconnection events, vendor IDs, product IDs, and serial numbers of USB drives plugged in. This script interacts with macOS’s I/O Kit framework to gather USB device information, which is then formatted as JSON and saved to a log file. The log data generated from this custom script is sent to the Wazuh server for analysis using the Wazuh agent.
The blog post on Monitoring USB drives in macOS using Wazuh shows the steps to monitor USB drives on macOS endpoints.
USB drive attacks pose a security risk across major operating systems, giving malicious actors a route for malware propagation and unauthorized access.
Wazuh offers various detection mechanisms that increase the chances of detecting USB drive attacks and mitigating their potential impact. Organizations can enhance cybersecurity by integrating these detection methods and enforcing strict USB access policies.