« Back to Blog

Threat Spotlight: USB Devices Gone Rogue

By Cylance Threat Guidance Team

Introduction

Hak5 recently released a new tool dubbed Bash Bunny. The tool is a reprogrammed USB device that provides all sorts of fun pen-testing scenarios. While device security is a hot-button issue today, there are many ways to thwart these attacks and not all of them require cutting edge security technology. In many cases, the simplest solution is maintaining physical control of your devices and not plugging in untrusted USBs. With the advent of cloud file sharing sites, this advice is easier than ever to follow.

In this blog, we will unravel the mechanics behind USB flash drives and show you how they operate. We will touch on how USB flash drive controller firmware is vulnerable to reprogramming and the risk it carries. Next, we will talk about HAK5’s Rubber Ducky and Bash Bunny USB flash drive attack tools. Then, we will provide suggestions to help mitigate against physical security threats.

Before we get started, I would like to divide our information into the following sections:

•  The Mechanics of USB Flash Drives

•  USB Controller Firmware Reprogramming

•  Bash Bunny and Rubber Ducky

•  Protecting the Physical Perimeter

The Mechanics of USB Flash Drives

A USB flash drive contains a Processor, Bootloader, RAM, Firmware, a USB Controller, LEDs, and a Mass Storage Device inside.

 

Figure 1: Under The Hood of USB Flash Drives

The USB Bootloader is used to load and store firmware in RAM (random-access memory) on execution. The USB Controller is used to manage read and write data queries made to the Mass Storage unit. The Mass Storage unit stores data on a non-volatile media, such as a ROM (read-only memory) chip.

USB flash drives operate over a protocol called USB (universal serial bus). Interrupt requests are sent to and from a USB device and a host controller over a USB connection.

USB devices contain a Mass Storage Class (MSC), which is used to allow access to internal data storage. However, the Mass Storage Class lacks performance requirements. So, another class, called USB Attached SCSI (small computer system interface) was introduced to resolve the performance issues with MSC, by enabling command queuing and out-of-order completions for USB mass-storage devices.

Some of these commands include:

Figure 2: SCSI Commands (Ref. http://usb.org/)

USB Controller Firmware Reprogramming

Now that we have a rough idea of how USB flash drives work, let’s take a look at how USB devices can be reprogrammed for malicious purposes.

USB Device Descriptors contain information about the USB’s Product ID and Vendor ID. The Product ID and Vendor ID are represented by a sixteen-hexadecimal digit. This information is used to define USB device types, such as keyboards or Ethernet over USB adapters, which can be programmatically set by firmware.

Now, this brings up a security concern. Firmware can be reprogrammed to contain information about a different device class, such as a keyboard, which gives USB flash drives the ability to inject keystrokes. On many USB flash drives, firmware reprogramming is made possible due to the lack of write-protection. Malware can also be embedded in the firmware image.

Once the USB device is connected to a computer and the device driver is installed, the operating system will then inherently trust the spoofed device and can then start a malicious chain reaction. More examples of this will be shown in the Bash Bunny and Rubber Ducky section of this blog, and are shown demonstrated in our research team’s video, which can be found here.

Bash Bunny and Rubber Ducky

Bash Bunny and USB Rubber Ducky are two malicious USB devices. Developed by the members of the HAK5 community, these devices emulate other devices, such as keyboards, by spoofing Product IDs and Vendor IDs. This enables several attack scenarios, from simple keystroke injection to complete remote command shell access to the attached endpoint. From there, the tools can be used to execute payloads of any variety. These attacks rely on social engineering tactics to trick the user into inserting a rogue USB flash drive. Alternatively, the attacker must gain physical access to the device and covertly implant the USB device on an inconspicuous port.

The primary difference between Rubber Ducky and Bash Bunny is the number of devices that are emulated. While Rubber Ducky simply imitates a keyboard device, Bash Bunny can emulate many other devices, including Ethernet over a USB adapter, a serial port, and a storage device. The payloads are written in Ducky Script, which is a custom programming language. Bash Bunny can also be reprogrammed with a text editor, without having to load it as a firmware image. The following images are used to demonstrate a few attacks associated with these devices.

Let’s start by injecting the following “ducky payload” into memory, using Rubber Ducky:

Figure 3: Rubber Ducky Payload

As you can see below, we achieved a reverse meterpreter shell:


Figure 4: Gain Reverse Windows Meterpreter Shell


Figure 5: Elevated To Windows SYSTEM Account

Next, we will use Bash Bunny to execute a PowerShell script and Invoke-Mimikatz to dump windows credentials, as you can see below:


Figure 6: Bash Bunny Payload


Figure 7: Mimikatz PowerShell Payload Executed


Figure 8:, Credentials Dumped

Protecting the Physical Perimeter

Many companies suffer breaches because an attacker gains physical access to unattended systems. Some of these systems may even include kiosks and ATMs. USB flash drives make it easy to deliver malicious payloads to these systems, since they are difficult to inventory because of their ubiquity and, therefore, malicious USB flash drives blend in with legitimate ones.

With that in mind, I would like to offer a few pro tips:

•  Use USB flash drives with hardware write-protection switches

•  Limit the amount of corporate data that you store on your USB drives

•  Attach USB drives to key chains/ lanyards to avoid losing the media

•  Disable inactive USB ports

•  Set a Windows Group Policy to filter USB devices

Conclusion

Here, we’d like to reiterate that security controls should be implemented when designing hardware components. Physical security and logical security should be integrated into one holistic security program, from the start. For anyone who is interested in learning more about attacks involving USB flash drives, I recommend reading David Kierznowski’s paper entitled BadUSB 2.0.

If you use our endpoint protection product, CylancePROTECT®, you were already protected from the attacks highlighted in this post. If you don't have CylancePROTECT, contact us to learn how our AI based solution can predict and prevent unknown and emerging threats.

Tags: