Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CAPEC-457:USB Memory Attacks
Attack Pattern ID:457
Version:v3.9
Attack Pattern Name:USB Memory Attacks
Abstraction:Detailed
Status:Draft
Likelihood of Attack:Low
Typical Severity:High
DetailsContent HistoryRelated WeaknessesReports
▼Description
An adversary loads malicious code onto a USB memory stick in order to infect any system which the device is plugged in to. USB drives present a significant security risk for business and government agencies. Given the ability to integrate wireless functionality into a USB stick, it is possible to design malware that not only steals confidential data, but sniffs the network, or monitor keystrokes, and then exfiltrates the stolen data off-site via a Wireless connection. Also, viruses can be transmitted via the USB interface without the specific use of a memory stick. The attacks from USB devices are often of such sophistication that experts conclude they are not the work of single individuals, but suggest state sponsorship. These attacks can be performed by an adversary with direct access to a target system or can be executed via means such as USB Drop Attacks.
▼Extended Description
▼Alternate Terms
▼Relationships
NatureTypeIDName
ChildOfS456Infected Memory
CanPrecedeS529Malware-Directed Internal Reconnaissance
Nature: ChildOf
Type: Standard
ID: 456
Name: Infected Memory
Nature: CanPrecede
Type: Standard
ID: 529
Name: Malware-Directed Internal Reconnaissance
▼Execution Flow
Explore
1.

Determine Target System

In certain cases, the adversary will explore an organization's network to determine a specific target machine to exploit based on the information it contains or privileges the main user may possess.

Technique
If needed, the adversary explores an organization's network to determine if any specific systems of interest exist.
Experiment
1.

Develop or Obtain malware and install on a USB device

The adversary develops or obtains the malicious software necessary to exploit the target system, which they then install on an external USB device such as a USB flash drive.

Technique
The adversary can develop or obtain malware for to perform a variety of tasks such as sniffing network traffic or monitoring keystrokes.
Exploit
1.

Connect or deceive a user into connecting the infected USB device

Once the malware has been placed on an external USB device, the adversary connects the device to the target system or deceives a user into connecting the device to the target system such as in a USB Drop Attack.

Technique
The adversary connects the USB device to a specified target system or performs a USB Drop Attack, hoping a user will find and connect the USB device on their own. Once the device is connected, the malware executes giving the adversary access to network traffic, credentials, etc.
▼Prerequisites
Some level of physical access to the device being attacked.
Information pertaining to the target organization on how to best execute a USB Drop Attack.
▼Skills Required
▼Resources Required
▼Indicators
▼Consequences
ScopeLikelihoodImpactNote
▼Mitigations
Ensure that proper, physical system access is regulated to prevent an adversary from physically connecting a malicious USB device themself.
Use anti-virus and anti-malware tools which can prevent malware from executing if it finds its way onto a target system. Additionally, make sure these tools are regularly updated to contain up-to-date virus and malware signatures.
Do not connect untrusted USB devices to systems connected on an organizational network. Additionally, use an isolated testing machine to validate untrusted devices and confirm malware does not exist.
▼Example Instances
▼Related Weaknesses
IDName
CWE-1299Missing Protection Mechanism for Alternate Hardware Interface
ID: CWE-1299
Name: Missing Protection Mechanism for Alternate Hardware Interface
▼Taxonomy Mappings
Taxonomy NameEntry IDEntry Name
ATTACK1091Replication Through Removable Media
ATTACK1092Communication Through Removable Media
Taxonomy Name: ATTACK
Entry ID: 1091
Entry Name: Replication Through Removable Media
Taxonomy Name: ATTACK
Entry ID: 1092
Entry Name: Communication Through Removable Media
▼Notes
▼References
Reference ID: REF-379
Title: Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (2nd Draft)
Author: Jon Boyens, Angela Smith, Nadya Bartol, Kris Winkler, Alex Holbrook, Matthew Fallon
Publication:
Publisher:National Institute of Standards and Technology (NIST)
Edition:
URL:https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1-draft2.pdf
URL Date:2022-02-16
Day:28
Month:10
Year:2021
Details not found