BAD USB: Attack on a SHUT DOWN Computer | Real Experiment
Summary
TL;DR: This video script narrates the threat posed by 'BadUSB' devices disguised as everyday flash drives. The FBI has reported such devices being mailed to companies by the FIN7 group. The video shows that when the device is plugged in it enumerates as a keyboard, opens the Run dialog and types a command that downloads and runs code from an attacker's server; it then discusses the remote-access stage, the social engineering used to get the victim to plug the stick in, and a 'delayed RCE' variant that works against a locked or powered-off machine. The script concludes with advice on prevention: whitelisting USB devices by vendor and product ID and exercising caution with unfamiliar devices.
Takeaways
- 🚨 The FBI has been receiving reports of malicious packages sent to companies in various sectors, including transportation, insurance, and defense, in two variants: one posing as a letter from the US Department of Health and Human Services, the other as an Amazon gift package.
- 💡 The packages contain flash drives that are part of a campaign by the group FIN7, which the FBI also links to the DarkSide and BlackMatter ransomware.
- 🔍 The video demonstrates how such a flash drive can be used to infiltrate a system, showing the changes it makes when connected to a computer.
- 🛡️ The video introduces Sumsub, a platform for online address verification, and discusses the importance of verifying addresses to prevent such attacks.
- 🔑 The flash drive in question is a 'BadUSB' device: it enumerates as a USB keyboard and types commands that fetch and run code from an attacker-controlled server.
- 🔬 Upon connection, the device opens the Run dialog and types a command that pulls code from an attacker's server; because the input arrives through a trusted keyboard interface, this is a hardware (HID) attack rather than a file-based infection.
- 🔒 The video emphasizes the need for caution, suggesting that only pre-approved devices should be connected to computers to prevent unauthorized access.
- 🕵️♂️ Social engineering plays a key role in these attacks, with the flash drive often used as a decoy to trick victims into plugging it into their computers.
- 💻 The video explains that a device left in a locked or powered-off computer can replay its keystrokes at intervals ('delayed RCE'); while the machine is locked the keystrokes land harmlessly in the password field, and the first replay after unlock executes the payload.
- 🔄 The cost of creating such devices is low, making them easily accessible and widespread, which poses a significant threat to cybersecurity.
- 🛡️ The video concludes with advice on using whitelisting software and exercising common sense to protect against these types of attacks.
Q & A
What has the FBI been receiving reports about since August 2021?
-The FBI has been receiving reports about several packages sent to US companies in transportation, insurance, and defense, which contained fake flash drives; the packages mimicked either a letter from the US Department of Health and Human Services (HHS) or an Amazon gift.
Which hack group was discovered to be behind the sent flash drives?
-The hack group FIN7, which the FBI also links to the DarkSide and BlackMatter ransomware, was discovered to be behind the flash drives.
What is the purpose of the fake flash drives as described in the video?
-The fake flash drives are designed to execute malicious code on the connected computer, potentially giving the attackers remote access and control over the system.
What is the 'bad USB' mentioned in the script, and what can it do?
-The 'bad USB' is a device that looks like an ordinary flash drive but contains a microcontroller programmed to act as a USB keyboard; it can type arbitrary commands into the connected computer, which is why the video describes it as capable of irreparable damage to data.
What is the significance of the Arduino Pro Micro board found inside the bad USB?
-The Arduino Pro Micro's ATmega32U4 microcontroller has native USB, so the board can present itself to the host as a keyboard (USB HID) and type pre-programmed keystrokes, such as a hotkey that opens a command prompt followed by the command text.
How does the bad USB device bypass suspicion when plugged into a computer?
-The bad USB device bypasses suspicion by mimicking a regular USB plug and using social engineering to make the package seem authentic, such as including convincing letters and fake gift cards.
What is the role of the keylogger in the experiment?
-The keylogger was the experimenters' instrumentation, not part of the attack: it ran on the isolated test computer and recorded every keystroke the device injected, so the log shows exactly which keys (hotkeys, command text, Enter) the stick typed.
What is the Sumsub platform, and how does it relate to the video script?
-Sumsub is an online address verification platform that verifies the authenticity of addresses for businesses in various industries. It is the sponsor of the video and is presented as a way to reduce such attacks.
What is the 'delayed RCE' mentioned in the script, and how does it work?
-Delayed RCE (Remote Code Execution) is the video's term for a device programmed to replay its keystroke payload every N minutes, hours or days instead of once on insertion. While the PC is locked the keystrokes land in the password field and vanish; as soon as a replay coincides with an unlocked session the command executes. This lets a device planted in a powered-off or locked machine succeed later, unnoticed.
What are some of the methods to prevent bad USB attacks as suggested in the video?
-Some methods to prevent bad USB attacks include using specialized software that allows only pre-approved devices, implementing a whitelist of USB devices based on their vendor and product IDs, and not inserting unfamiliar devices into computers. Note that vendor and product IDs are reported by the device itself and a programmable board can copy those of an approved product, so a whitelist raises the bar rather than eliminating the risk; a device that claims an approved ID but enumerates as a keyboard instead of storage should still be refused.
What is the final recommendation for users to protect themselves from bad USB attacks?
-The final recommendation is to use common sense and caution, only plug in devices from trusted sources, and use safe, clean computers without important data or internet access for testing suspicious devices.
Outlines
🔒 The Threat of Malicious USBs: A Deep Dive
This paragraph discusses the FBI's reports on malicious packages sent to companies in critical sectors, imitating both government health guidelines and Amazon gift packages, which were found to contain harmful flash drives. The script reveals the inner workings of these 'bad USBs', which are capable of causing significant damage to data. The video is created by the Sumsub verification platform and introduces the voice assistant, Elliot, who guides viewers through the online security landscape. The paragraph also details the technical aspects of the malicious USB, including its Arduino Pro Micro board and the social engineering tactics used to deceive victims into using the infected devices.
🛡️ Combating Cyber Threats with Address Verification
The second paragraph introduces Lucas from Sumsub, who explains how online address verification can prevent cyber attacks. Sumsub offers three main methods of verification: document upload, geolocation, and access to government databases. Companies can choose which method suits their business best to implement and reduce the number of attacks. The paragraph also touches on the technical aspects of the attack, such as the use of ready-made products like those from Hak5, the low cost and availability of such devices, and the potential for a 'delayed RCE' attack on locked computers, where the malicious device waits for an opportune moment to execute its code.
🛡️ Advanced Protection Measures Against Bad USB Attacks
The final paragraph focuses on strategies to protect against bad USB attacks, emphasizing the use of specialized software solutions that whitelist pre-approved devices based on their vendor and product IDs. This method safeguards against a variety of attacks and undesirable consequences. The paragraph also stresses the importance of common sense and caution, advising against the insertion of unfamiliar devices into computers, and suggests using safe, clean computers with no sensitive data for testing purposes. Sumsub is presented as a resource for safely navigating the online world.
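The whitelisting described above, as an added example that is not part of the video or of Sumsub's products: a Python model of a device-control check that looks each attached device up by vendor/product ID and, because those IDs are self-reported, also verifies that the device presents only the interface classes expected of that product. The device records, the IDs and the udev rule text are constructed or assumed for illustration.

```python
"""Allow-listing USB devices by vendor/product ID, with an interface-class check.

Added example, not code from the video or from Sumsub. It models what a
device-control product does when a USB device enumerates: look the device's
vendor:product IDs up in a whitelist and, separately, inspect the interface
classes it presents, so that a "flash drive" that actually enumerates as a
keyboard (USB HID) is refused even if its IDs were copied from a legitimate
product. The device records are constructed sample data shaped like the
values Linux exposes under /sys/bus/usb/devices/*; the IDs are assumed.
"""
from dataclasses import dataclass, field

# USB-IF interface class codes: a boot-protocol keyboard is class 3,
# subclass 1, protocol 1; a flash drive is class 8 (mass storage).
HID_CLASS = 0x03
HID_BOOT_SUBCLASS = 0x01
HID_KEYBOARD_PROTOCOL = 0x01
MASS_STORAGE_CLASS = 0x08
CDC_COMM_CLASS = 0x02
CDC_DATA_CLASS = 0x0A


@dataclass(frozen=True)
class Interface:
    cls: int
    subclass: int = 0
    protocol: int = 0


@dataclass
class UsbDevice:
    vid: int
    pid: int
    product: str
    interfaces: list = field(default_factory=list)

    @property
    def ident(self) -> str:
        return f"{self.vid:04x}:{self.pid:04x}"


def is_keyboard(dev: UsbDevice) -> bool:
    """True if the device presents a boot-protocol keyboard interface."""
    return any(i.cls == HID_CLASS and i.subclass == HID_BOOT_SUBCLASS
               and i.protocol == HID_KEYBOARD_PROTOCOL for i in dev.interfaces)


def is_mass_storage(dev: UsbDevice) -> bool:
    return any(i.cls == MASS_STORAGE_CLASS for i in dev.interfaces)


def evaluate(dev: UsbDevice, allowlist: dict) -> tuple:
    """Decide ("allow"|"block", reason) for one device.

    `allowlist` maps "vid:pid" to the set of interface classes that product is
    known to present. The IDs are self-reported, so a programmable board can
    copy a whitelisted flash drive's IDs; requiring the classes to match too
    catches a "storage" device that suddenly presents a keyboard.
    """
    expected = allowlist.get(dev.ident)
    if expected is None:
        return "block", f"{dev.ident} ({dev.product}) is not on the whitelist"
    unexpected = {i.cls for i in dev.interfaces} - expected
    if unexpected:
        classes = ", ".join(f"0x{c:02x}" for c in sorted(unexpected))
        return "block", f"{dev.ident} presents unexpected interface class(es) {classes}"
    return "allow", f"{dev.ident} ({dev.product}) matches the whitelist"


def udev_allow_rule(ident: str) -> str:
    """udev rule re-authorizing one whitelisted device. Assumes the host's USB
    controllers were set to reject everything by default (authorized_default=0)."""
    vid, pid = ident.split(":")
    return (f'ACTION=="add", SUBSYSTEM=="usb", ATTR{{idVendor}}=="{vid}", '
            f'ATTR{{idProduct}}=="{pid}", ATTR{{authorized}}="1"')


def triage(devices: list, allowlist: dict) -> dict:
    """Map each device's product name to its allow/block decision."""
    return {d.product: evaluate(d, allowlist)[0] for d in devices}


# Constructed whitelist: product IDs and the classes those products present.
ALLOWLIST = {
    "046d:c31c": {HID_CLASS},           # office keyboard (sample ID)
    "0781:5567": {MASS_STORAGE_CLASS},  # approved flash drive (sample ID)
}

KEYBOARD_IF = Interface(HID_CLASS, HID_BOOT_SUBCLASS, HID_KEYBOARD_PROTOCOL)

# Constructed devices. The "gift" stick presents what an Arduino Keyboard
# sketch enumerates as: a CDC serial pair plus a HID keyboard, no storage.
SAMPLE_DEVICES = [
    UsbDevice(0x046d, 0xc31c, "office keyboard", [KEYBOARD_IF]),
    UsbDevice(0x0781, 0x5567, "approved flash drive", [Interface(MASS_STORAGE_CLASS, 6, 80)]),
    UsbDevice(0x1b4f, 0x9206, "gift stick (Pro Micro inside)",
              [Interface(CDC_COMM_CLASS, 2, 1), Interface(CDC_DATA_CLASS), KEYBOARD_IF]),
    UsbDevice(0x0781, 0x5567, "cloned flash drive IDs", [KEYBOARD_IF]),
]

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        decision, why = evaluate(dev, ALLOWLIST)
        kind = "keyboard" if is_keyboard(dev) else "storage" if is_mass_storage(dev) else "other"
        print(f"{decision:5} {dev.ident} {kind:8} {why}")
    for ident in ALLOWLIST:
        print(udev_allow_rule(ident))
```

Running it shows the gift stick refused for not being listed, while the device that copied the approved flash drive's IDs is refused because it enumerates as a keyboard. The udev rules only make sense on a Linux host whose controllers have authorized_default set to 0; on Windows the equivalent is a device-control policy, which the example does not emit.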
Keywords
💡FBI
💡HHS
💡Flash Drive
💡Hack Group FIN7
💡DarkSide and BlackMatter Ransomware
💡Bad USB
💡Arduino Pro Micro
💡Keylogger
💡RAT (Remote Administration Tool)
💡Social Engineering
💡Sumsub
💡Delayed RCE (Remote Code Execution)
💡Whitelist
Highlights
Since August 2021, the FBI has received reports of several malicious packages sent to US companies in transportation, insurance, and defense sectors.
Packages came in two variants: one mimicking a message from HHS with COVID-19 protection guidelines and a flash drive, the other imitating an Amazon gift package with a fake gift card and a LilyGO USB flash drive.
The FBI attributed the flash drives to the hacking group FIN7, which it also links to the DarkSide and BlackMatter ransomware.
The video demonstrates the disassembly of a malicious flash drive and its impact on a connected computer system.
Inside the flash drive is an Arduino Pro Micro board; its own micro-USB connector is unused, and a full-size USB-A plug, which the board is not designed to carry, was wired to it instead.
The board was soldered in with a pair of rigid wires and the USB plug was glued to the case, so that the stick looks ordinary and pulling it out stresses the case rather than the board.
The 'bad USB' is a keyboard controller replaying pre-programmed keystrokes, which is enough to cause irreparable damage to data.
Immediately on connection the device opens the Run dialog and types a command that runs code from an attacker's server; the stick holds no files at all, because it is a keyboard input device, not storage.
The flash drive can be disguised in various forms, including a webcam or a USB cable, depending on the context.
Social engineering skills are often used to convince victims that the flash drive is authentic and not suspicious.
The video introduces Lucas from Sumsub, discussing prevention methods for such attacks, including online address verification.
Sumsub is a leader in online address verification, offering solutions for banking, finance, gambling, and other businesses.
The attack can be fast and unnoticed; for the hardware part attackers sometimes use ready-made products like Hak5's, but a Rubber Ducky logo may alert an informed target, so cheap homemade boards are used as consumables.
For the software part, the board's ATmega32U4 carries the Arduino bootloader and can be reflashed repeatedly, so the attacker only has to load a sketch with the keystrokes for each job.
Attackers may use a remote administration tool (RAT) to install a backdoor on the victim's computer.
A more terrifying type of attack involves inserting a flash drive into a turned-off computer to send keystrokes at a later time when the computer is unlocked.
Protection against such attacks includes using specialized software solutions that allow only pre-approved devices to connect.
The most important rule for protection is common sense and caution, not inserting unfamiliar devices into computers.
Sumsub is ready to help satisfy curiosity safely and win battles in the online jungle.
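The keystroke log the video analyses and the timer-driven replay of the 'delayed' attack both come down to timing, which is something a defender can measure. As an added example (not from the video), the following Python reads a keylogger-style log, isolates bursts typed faster than a human can, and reports whether they recur on a fixed period. The log format, the sample events and the thresholds are constructed for the example.

```python
"""Detect keystroke injection in a keylogger-style log from its timing.

Added example, not code from the video. A BadUSB types its payload as a burst
of keystrokes far faster than a person can, and the "delayed RCE" variant
repeats that burst on a fixed timer until it lands in an unlocked session.
Both leave a timing signature that a keylogger or an input-monitoring agent
can pick out. The log format (ISO timestamp, space, key name), the events
and the thresholds below are constructed for this example.
"""
from datetime import datetime, timedelta
from statistics import median

HUMAN_MIN_GAP_S = 0.030   # assumed: sustained <30 ms between keys is not a person
MIN_BURST_KEYS = 8        # ignore short combos such as Ctrl+C
BURST_SPLIT_S = 1.0       # a pause longer than this ends a burst
PERIOD_TOLERANCE = 0.02   # bursts recur "on a timer" if gaps agree within 2 %


def parse(lines):
    """Return [(datetime, key), ...] from log lines, skipping blanks and comments."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, key = line.split(" ", 1)
        events.append((datetime.fromisoformat(ts), key))
    return events


def split_bursts(events):
    """Group consecutive keystrokes separated by less than BURST_SPLIT_S."""
    bursts, current = [], []
    for ts, key in events:
        if current and (ts - current[-1][0]).total_seconds() > BURST_SPLIT_S:
            bursts.append(current)
            current = []
        current.append((ts, key))
    if current:
        bursts.append(current)
    return bursts


def is_injected(burst):
    """A long burst whose typical inter-key gap is below human speed."""
    if len(burst) < MIN_BURST_KEYS:
        return False
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(burst, burst[1:])]
    return median(gaps) < HUMAN_MIN_GAP_S


def burst_text(burst):
    """Render a burst as typed text, with named keys in angle brackets."""
    return "".join(k if len(k) == 1 else f"<{k}>" for _, k in burst)


def repeat_period(bursts):
    """Seconds between bursts if they recur at a steady interval, else None."""
    starts = [b[0][0] for b in bursts]
    if len(starts) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    typical = median(gaps)
    if all(abs(g - typical) <= PERIOD_TOLERANCE * typical for g in gaps):
        return typical
    return None


def analyse(lines):
    """Summarise injected bursts and whether they repeat on a timer."""
    injected = [b for b in split_bursts(parse(lines)) if is_injected(b)]
    return {
        "injected": [(b[0][0].isoformat(), burst_text(b)) for b in injected],
        "repeat_period_s": repeat_period(injected),
    }


def _typed(start, keys, gap_s):
    """Constructed log lines for `keys` typed from `start` with a fixed gap."""
    return [f"{(start + timedelta(seconds=i * gap_s)).isoformat()} {k}"
            for i, k in enumerate(keys)]


# Constructed log: a person typing at ~150 ms per key, then a payload
# (Win+R, a harmless command, Enter) replayed hourly at 5 ms per key, the
# pattern a delayed-RCE device produces while it waits for an unlocked screen.
PAYLOAD = ["LGUI+r"] + list("mspaint") + ["ENTER"]
SAMPLE_LOG = (
    ["# constructed keylogger output"]
    + _typed(datetime(2022, 3, 1, 9, 0, 0), list("hello") + ["SPACE"] + list("world"), 0.15)
    + _typed(datetime(2022, 3, 1, 9, 14, 2), PAYLOAD, 0.005)
    + _typed(datetime(2022, 3, 1, 10, 14, 2), PAYLOAD, 0.005)
    + _typed(datetime(2022, 3, 1, 11, 14, 2), PAYLOAD, 0.005)
)

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

The human sentence is ignored because its median gap is far above the threshold, while the three payload bursts are flagged and their hourly recurrence is reported, which is the signature of a device replaying into the lock screen. In a real deployment the thresholds should be calibrated against the agent's own timestamp resolution.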
Transcripts
Since August 2021 the FBI has received reports of several packages that were sent to US companies in transportation, insurance and defense. The packages came in two variants. One mimicked a message from HHS (US Department of Health and Human Services), with a letter inside with references to COVID-19 protection guidelines and a flash drive with additional materials. The other imitated a package from Amazon: gift-wrapped inside was a fake thank-you letter, a fake gift card and a LilyGO USB flash drive.
The FBI discovered that the flash drives were sent out by the hack group FIN7, known for their DarkSide and BlackMatter encryption tools. In this video we have taken apart such a flash drive, connected it to a working computer, recorded all the changes it made to the system, and we will show you in detail how an attack can be organized against your company or against your family, and most importantly you'll see how to protect yourself from this threat. This video was created by the Sumsub verification platform, but more about Sumsub in a bit. Oh yeah, you've probably wondered who this mysterious voice is. I think it's time to get acquainted: my name is Elliot and I am your voice assistant who helps you survive in the online jungle. Well, let's get back to our story. It looks like an ordinary flash drive; in fact it is the bad USB, which is capable of causing irreparable damage to your data. Let's open it up.
As we can see, inside there is an Arduino Pro Micro board. Let's take a closer look. This board clearly has, but does not use, a micro-USB interface, and as we can see, in order not to arouse suspicion of the victim, the connector was soldered to a classic USB plug. The board itself is obviously not designed for soldering full USB; in this case they did the tricky thing: the plug was glued to the case and the board was soldered with a pair of rigid wires. This was done to force the ejection of the stick onto the case and not onto the board.

So what does this very bad flash drive do? Let's check it out. We have a computer that is not connected to a network and does not contain any important data. The flash drive does not know that we now have a keylogger running on this computer which records all keystrokes. We will check the log of this program later, but for now let's take a look at the computer screen. Immediately after connecting, the Execute window opens. Let's stop the recording and look at what was written in the startup window. This command runs malicious code from the attacker's server, for example from a rented DigitalOcean virtual type. There is no data on the fake flash drive, of course; moreover, the behavior is clear: it is not a flash drive but, in this case, it's the keyboard. More precisely, the device is programmed as a keyboard; this can be checked in Task Manager.

Now let's have a look at the log. What do we see? A miniature device with a keyboard controller, immediately after connection, performs random keystrokes. The ability to pre-program these keystrokes is usually used to enter any OS command by using the corresponding hotkeys, for example Windows+R or Alt+F2. The most popular form factor of such a device is a flash drive, but given the small size of the device it can be built anywhere, whether it's a webcam or even a USB cable (O.MG Cable). The suitable device form is set by the context, as the choice must be optimal in one situation or another. In addition, this attack requires social engineering skills. In most cases the flash drive is essentially a decoy: it is thrown in different ways, in a letter, in a parcel, in a mailbox; it's accompanied by letters which convince the victim that it's authentic and does not arouse suspicion. The main thing for the victim is to plug the flash drive into the computer. Obviously, once a flash drive attack occurs, well, it can be pretty tricky to undo it. It is of course a hardware attack at the end of the day.

Hi, my name is Lucas from Sumsub, and I'm going to tell you a little bit about how we can prevent some of these attacks from occurring in the first place. You know what could lower the amount of attacks that occur like this? Well, by simply verifying the address in the beginning. Sumsub is a leader in online address verification, whether it be in banking, finance, gambling or many other business types. We're able to verify the address of someone through three main ways: the first one being document upload, basically taking in that utility bill that we're all so familiar with; something that we like to call geolocation, which is essentially finding out where you are based on a number of factors, without the document upload; and the third option would then be access to government databases where available. Companies can then implement these methods simultaneously or pick and choose which parts are going to suit your business best. If you want to learn more about Sumsub's address verification solutions as well as our other products, please feel free to click the link below.
The attack is extremely fast, as keystrokes are made quite quickly; it's quite possible that the user will not even notice anything. As a hardware part, attackers sometimes use ready-made solutions like Hak5; however, a person who has heard at least something about Rubber Ducky may suspect danger from the logo. Scattering around dozens of such flash drives must be cheap and widespread; in fact, such flash drives must become a consumable item. It's true, homemade solutions dictate their own limitations. This table shows approximate prices for devices that can be disguised as a flash drive and their compatibility with operating systems. As you can see, all this is extremely cheap and available in almost any country in the world. The bigger problem is getting the casing: usually criminals buy the cheapest flash drive of the right size and remove the contents, leaving only the casing, or they print the casing on a 3D printer.

As for the software part, the Arduino built-in loader supports multiple reflashing. It's an ATmega32U4; you can write to it the command repeatedly for each specific situation. In essence, you only need to fill it up with user application code. It's not possible to extract such code from the flash drive which came into our hands, but we have written a sketch that could perform all the functions recorded in the log.

Now let's see what an attacker is likely to do to gain remote access. The shortest way is to run a RAT (remote administration tool), that is, to install a back door on the computer, for example (Windows, Linux). Each of the above commands is built in and as short as possible; in one action it downloads and runs code over HTTP or, better, HTTPS. Before the attack, the attacker most likely won't know what the restrictions are on the local network, so there is no absolute guarantee of success; the signal may simply not get through. But the execution of the commands even in this case will give the attacker enough information. First, since the server address is given by name, a DNS query will be executed. The DNS system is distributed, and the query from the victim's computer will usually be sent anyway. If the hacker is using his own DNS zone delegated to a subordinate server, he will see the query in the logs. This will be a signal that the flash drive was connected and the RCE has occurred; however, this does not guarantee that network access is possible. Second, if access to the internet is not restricted in any way, the attacker's server will receive an HTTP request, which can also be seen in the logs. This will be a signal that a network connection is possible and that the hacker can remotely control the victim's computer; however, this does not guarantee that the security mechanisms of the operating system allow the execution of the remote control program. Nevertheless, even if the attack fails, the attacker will have information about the rules of access to the internet from the user's computer and their awareness of such incidents. Such information can be used in repeat attacks.

And there is an even more terrifying type of attack that is often overlooked: an attack on a locked-down computer. Imagine that someone came to your house for a visit, or broke into your apartment when you weren't there, or pretended to be a client in your office, and, being unnoticed, he inserted a flash drive into the USB input of the turned-off computer. When the office system unit is pushed into a dusty dark corner, it's easy enough to insert something inconspicuously there, and people won't notice anything for several years. Do you often look at the back of your computer at home? But your mouse or keyboard can be replaced with an identical one that has a built-in bad USB. But why do this if the computer does not work? It's simple: the criminal programs the flash drive to send keystrokes not immediately but every N hours or minutes, to catch the moment when the machine will be turned on and unlocked. This is called delayed RCE. As long as the PC is locked, all clicks will go to the password input field and disappear, i.e. the attack will go virtually unnoticed. In fact, such a device makes useless all attempts to ensure security by locking the computer, which everyone is so used to. After all, once left unattended, a laptop can have such a device inserted into it, and no matter whether the computer has been locked or not, the bad USB flash drive will try to perform clicks (we mean arbitrary code) at intervals of a few minutes, hours or days, and sooner or later the moment will definitely come when the PC will be unlocked. Then the malicious code will be executed and the hacker will get remote access.

And now let's talk about how to protect yourself. Probably the best protection here is to use specialized software solutions allowing the connection of only pre-approved devices from the list, a whitelist. Each USB device has its own unique vendor ID and product ID, which are listed on the whitelist; all other USB devices, including bad USB sticks, will not be recognized by the OS. This method perfectly protects not only from the attack described above but also from a number of other attacks, and can generally keep working computers from a host of undesirable consequences. And the most important rule is common sense and caution: just as children must not talk to strangers, adults must not put any unfamiliar devices into their computers, or you can do it only on a safe, clean computer with no important data and no internet access. If you're really curious, well, Sumsub is always ready to help you satisfy your curiosity safely and win all these battles in the online jungle.
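The DNS-then-HTTP reasoning in the transcript above, turned around for the defender, as an added example that is not part of the video: a keyboard enumerating on a host, followed within seconds by a lookup of an unfamiliar name and then a fetch from it, grades how far a typed download-and-run command got. The log lines, field names, baseline domains and time window are constructed for this example.

```python
"""Grade a BadUSB incident from the traffic its typed command produces.

Added example, not code from the video. The narration notes that even if the
payload download is blocked, the typed command still resolves the server's
name, so a DNS query proves the stick was plugged in and the command ran;
only if egress is open does an HTTP request follow. Read from the defender's
side, the same two signals after a keyboard arrival say how far the attack
got. The log lines, field layout and window are constructed for this example.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=15)     # assumed: the typed command fires within 15 s
BASELINE = {"corp.example", "update.microsoft.com"}  # constructed "known good" names

STAGES = {0: "keyboard inserted, no follow-up traffic",
          1: "command executed (DNS seen), payload not fetched",
          2: "payload fetched, remote control likely"}


def parse(line):
    """'<iso-ts> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for f in fields:
        k, _, v = f.partition("=")
        rec[k] = v
    return rec


def load(lines):
    return [parse(line) for line in lines if line.strip() and not line.startswith("#")]


def grade(usb_lines, dns_lines, http_lines):
    """Return {host: (stage, detail)} for every host where a keyboard appeared."""
    dns, http = load(dns_lines), load(http_lines)
    result = {}
    for ins in load(usb_lines):
        if ins.get("class") != "hid-keyboard":
            continue   # storage devices are a different story; skip them here
        host, t0 = ins["host"], ins["ts"]
        in_window = lambda r: r["host"] == host and t0 <= r["ts"] <= t0 + WINDOW
        stage, detail = 0, f"keyboard {ins['usb']} on {host}"
        # First unfamiliar name resolved after insertion: the command ran.
        for q in (r for r in dns if in_window(r) and r["qname"] not in BASELINE):
            stage = 1
            detail = f"lookup of {q['qname']} {int((q['ts'] - t0).total_seconds())}s after insertion"
            # A successful fetch from that name: egress was open and the payload arrived.
            for h in (r for r in http if in_window(r) and r["dst"] == q["qname"]):
                if h["status"].startswith("2"):
                    stage, detail = 2, f"fetched from {q['qname']} (HTTP {h['status']})"
                else:
                    detail += f"; fetch blocked (HTTP {h['status']})"
            break
        result[host] = (stage, detail)
    return result


# Constructed logs: device arrivals from endpoint agents, resolver queries,
# and proxy records. WS-17 has open egress, WS-22 is blocked at the proxy,
# WS-05 got a real keyboard, WS-09 got a plain flash drive.
USB_LOG = [
    "# constructed device-arrival events",
    "2022-03-01T09:14:01 host=WS-17 usb=1b4f:9206 class=hid-keyboard",
    "2022-03-01T10:02:10 host=WS-22 usb=1b4f:9206 class=hid-keyboard",
    "2022-03-01T11:30:00 host=WS-05 usb=046d:c31c class=hid-keyboard",
    "2022-03-01T11:45:00 host=WS-09 usb=0781:5567 class=mass-storage",
]
DNS_LOG = [
    "2022-03-01T09:14:03 host=WS-17 qname=cdn-update.example",
    "2022-03-01T10:02:12 host=WS-22 qname=cdn-update.example",
    "2022-03-01T11:30:04 host=WS-05 qname=update.microsoft.com",
]
HTTP_LOG = [
    "2022-03-01T09:14:04 host=WS-17 dst=cdn-update.example status=200",
    "2022-03-01T10:02:13 host=WS-22 dst=cdn-update.example status=403",
]

if __name__ == "__main__":
    for host, (stage, detail) in grade(USB_LOG, DNS_LOG, HTTP_LOG).items():
        print(f"{host}: stage {stage}, {STAGES[stage]}: {detail}")
```

The stage 1 result for WS-22 is the case the transcript stresses: the proxy stopped the download, but the DNS query alone tells both sides that the stick was plugged in and the command executed, so the host still needs a look at what was typed and the device should be pulled and examined. Stage 2 calls for treating the host as compromised.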