USB drive attacks pose a significant cybersecurity risk: they abuse the everyday use of USB devices to deliver malware and bypass traditional network security controls. These attacks lead to data breaches, financial losses, operational disruption and long-term damage to an organization's reputation. One example is the Stuxnet worm, revealed in 2010, malicious software designed to target industrial control systems, in particular Iranian nuclear enrichment facilities. It exploited multiple zero-day vulnerabilities and spread primarily through USB drives, making it one of the first examples of a cyberattack with real physical effects. Stuxnet highlighted the risks of removable media and raised global awareness of cybersecurity threats to critical infrastructure.
Types of USB drive attacks
Attackers use different methods to deliver malicious payloads via USB, targeting both individuals and organizations.
- Drop attacks: infected USB drives are deliberately left in public places, such as parking lots, to lure victims into plugging them in and infecting their computers.
- Mail-based attacks: USB drives are sent to targets by post, disguised as promotional items or legitimate devices, to trick them into connecting the drives to their systems.
- Social engineering: attackers use psychological tactics to convince victims to connect infected USB drives to their computers.
- Unattended insertion: attackers plug infected USB drives into unattended computers, deploying malware without any interaction with the victim.
How USB drive attacks work
USB drive attacks usually follow a multi-stage process to penetrate systems and cause harm.
- Reconnaissance: attackers research their target to identify potential weaknesses. They may gather information about the organization, its employees and its operating environment to judge how likely a USB drive is to be picked up and used.
- Weaponization: the threat actors build a USB drive loaded with malware. This can be done by infecting the drive directly or by crafting a seemingly benign file, such as a document, video or image, that contains hidden malicious code.
- Delivery: attackers get the infected USB drive to the target by dropping it in a public area, handing it out as a promotional item or using social engineering.
- Exploitation: when the target plugs in the USB drive, the malware runs automatically or through user interaction, exploiting vulnerabilities in the system.
- Installation: the malware is installed on the target system and establishes persistence. This stage lets the attacker keep control of the infected device even if it is rebooted or shut down.
- Command and Control (C2): the malware communicates with the attacker's server. This lets the attacker issue commands, exfiltrate data or deploy additional payloads.
- Actions on objectives: attackers achieve their goals, such as stealing sensitive data, deploying ransomware or maintaining persistent access for future operations.
Figure 1: Steps showing how USB attacks work.
Improving your cybersecurity posture with Wazuh
Wazuh is an open source security platform that helps organizations identify and respond to security threats through continuous monitoring, from informational events to critical incidents. By monitoring USB activity with Wazuh, organizations can proactively prevent breaches and protect sensitive data.
Monitoring USB drive activity on Windows using Wazuh
Wazuh tracks USB drive activity on Windows endpoints using the Audit PNP Activity feature. This logging feature records Plug and Play (PnP) events that help determine when USB drives are connected. It is available in Windows 10 Pro, Windows 11 Pro, Windows Server 2016 and later versions.
Organizations can configure Wazuh to identify specific system events and monitor USB events, in particular Windows event ID 6416, which indicates that an external device has been connected. Security administrators can detect USB device connections by creating custom rules that flag potential security incidents.
The next step is to create a constant database (CDB) list of the unique device IDs (DeviceID) of authorized USB devices. This list lets Wazuh distinguish authorized from unauthorized devices, generating alerts for both categories. For example, when an authorized USB drive is connected, it triggers a lower-level alert, while an unauthorized connection generates a high-severity alert indicating a potential security breach.
Figure 2: USB drive plug-in events on a Windows endpoint.
Figure 3: Authorized USB drive event.
Figure 4: Unauthorized USB drive alert.
Threat detection use case: detecting Raspberry Robin activity
Wazuh provides a solution for mitigating USB-borne threats such as Raspberry Robin, a Windows worm.
Raspberry Robin targets industries such as oil, gas, transportation and technology, causing operational disruption. It spreads using disguised .lnk files, gains persistence by modifying the user's registry and mimics legitimate folders. The worm abuses legitimate Windows processes such as msiexec.exe, rundll32.exe, odbcconf.exe and fodhelper.exe to execute, store and download additional malicious components. Its reliance on TOR-based command and control (C2) servers adds stealth and complicates detection.
Wazuh detects Raspberry Robin by monitoring registry modifications, unusual command patterns and suspicious use of system binaries. Its file integrity monitoring and real-time threat detection rules identify the malicious activity, enabling a rapid response that limits potential disruption.
Wazuh detects and mitigates Raspberry Robin by monitoring and responding to suspicious activity such as:
- Abnormal cmd.exe activity: terminating suspicious processes or isolating the affected endpoints.
- msiexec.exe downloading packages from unknown domains: blocking the download and notifying administrators.
- UAC bypass via fodhelper.exe: stopping the process and notifying administrators.
- Blocking unusual outbound connections by rundll32.exe and dllhost.exe.
Below is an example configuration of the rules that detect possible Raspberry Robin activity.
```xml
<!-- Reconstructed from the extracted rule contents: the parent rule (if_sid),
     match patterns, descriptions and MITRE ATT&CK IDs are from the page. The
     rule IDs and alert levels were not preserved, so RULE_ID_n are placeholders
     (custom rules use IDs from 100000 upward) and level="12" is assumed. The
     Sysmon field names are inferred from what each pattern matches. -->
<group name="windows,sysmon,raspberry_robin,">
  <rule id="RULE_ID_1" level="12">
    <if_sid>92004</if_sid>
    <field name="win.eventdata.parentImage" type="pcre2">(?i)cmd\.exe$</field>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)cmd\.exe.+((\/r)|(\/v\.+\/c)|(\/c)).*cmd</field>
    <description>Possible Raspberry Robin execution on $(win.system.computer)</description>
    <mitre>
      <id>T1059.003</id>
    </mitre>
  </rule>

  <rule id="RULE_ID_2" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)msiexec\.exe$</field>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)msiexec.*(\/q|\-q|\/i|\-i).*(\/q|\-q|\/i|\-i).*http(s){0,1}\:\/\/.+(.msi){0,1}</field>
    <description>msiexec.exe downloading and executing packages on $(win.system.computer)</description>
    <mitre>
      <id>T1218.007</id>
    </mitre>
  </rule>

  <rule id="RULE_ID_3" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.parentImage" type="pcre2">(?i)(cmd|powershell|rundll32)\.exe</field>
    <field name="win.eventdata.image" type="pcre2">(?i)fodhelper\.exe</field>
    <description>Use of fodhelper.exe to bypass UAC on $(win.system.computer)</description>
    <mitre>
      <id>T1548.002</id>
    </mitre>
  </rule>

  <rule id="RULE_ID_4" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.commandLine" type="pcre2">(regsvr32\.exe|rundll32\.exe|dllhost\.exe).*\";document.write\(\);GetObject\(\"script:.*\).Exec\(\)</field>
    <description>Possible Raspberry Robin execution on $(win.system.computer)</description>
    <mitre>
      <id>T1218.011</id>
    </mitre>
  </rule>
</group>
```
Figure 5: IOCs and Raspberry Robin behavior detected on the Windows endpoint.
Figure 6: Alert showing a Raspberry Robin dropper detected on the Windows endpoint.
For more details on detecting the Raspberry Robin worm with Wazuh, see the dedicated blog post.
Monitoring USB drives on Linux using Wazuh
USB drives can also pose a security risk to Linux endpoints as potential vectors for malware and unauthorized data access. udev is the Linux device manager that automatically detects and manages external devices such as USB drives when they are connected. It creates the necessary device files in the /dev directory so that the system can interact with them. Administrators can write custom udev rules that generate detailed events, giving insight into USB activity. Wazuh has built-in rules for USB monitoring, but udev events provide richer detail that improves threat detection.
We configure udev rules on our Linux endpoints to trigger a logging script every time a USB device is connected. The Wazuh agent must be configured to read the JSON file generated by the logging script, which lets it process and analyze the USB activity.
As with USB drive monitoring on Windows, a constant database (CDB) list of authorized USB serial numbers is needed. Wazuh compares incoming connections against this list and raises alerts for unauthorized devices.
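The logging script that the udev rule triggers, as an added example written for this post rather than the script from the Wazuh blog it refers to. The udev rule text, the script path /usr/local/bin/usb-log.sh and the log location /var/log/usb-events.json are assumptions; the JSON layout is one the Wazuh agent can ingest with a json-format localfile, and the serial field is what a CDB list of authorized serial numbers would be matched against.

```shell
#!/bin/sh
# usb-log.sh: invoked by a udev RUN+= rule and appends one JSON line per USB
# block-device event, which the Wazuh agent reads as a json-format localfile.
# Assumed udev rule, e.g. /etc/udev/rules.d/90-usb-log.rules:
#   ACTION=="add|remove", SUBSYSTEM=="block", ENV{ID_BUS}=="usb", RUN+="/usr/local/bin/usb-log.sh"
# Assumed agent localfile: <location>/var/log/usb-events.json</location>

USB_LOG="${USB_LOG:-/var/log/usb-events.json}"

# Escape backslashes and double quotes so device strings cannot break the JSON
# line (a line the agent cannot parse would silently hide the event).
json_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Build the JSON record. Values are passed as arguments so the function can be
# exercised outside udev; missing values are recorded as "unknown".
usb_event_json() {
    action="${1:-unknown}"; devname="${2:-unknown}"
    vendor="${3:-unknown}"; model="${4:-unknown}"; serial="${5:-unknown}"
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    host=$(hostname 2>/dev/null || echo unknown)
    printf '{"timestamp":"%s","hostname":"%s","usb":{"action":"%s","device":"%s","vendor":"%s","model":"%s","serial":"%s"}}\n' \
        "$ts" "$(json_escape "$host")" "$(json_escape "$action")" \
        "$(json_escape "$devname")" "$(json_escape "$vendor")" \
        "$(json_escape "$model")" "$(json_escape "$serial")"
}

# Append one record using the variables udev exports to RUN+= programs
# (ACTION, DEVNAME, ID_VENDOR, ID_MODEL, ID_SERIAL_SHORT). Returns non-zero if
# the log file is not writable, so udev records the failure.
log_udev_event() {
    usb_event_json "$ACTION" "$DEVNAME" "$ID_VENDOR" "$ID_MODEL" "$ID_SERIAL_SHORT" >> "$USB_LOG"
}

# Only log when started by udev (ACTION is set); this lets the file be sourced
# elsewhere without writing to the log.
if [ -n "$ACTION" ]; then
    log_udev_event
fi
```

The script only escapes quotes and backslashes; if device strings may carry control characters, sanitize those as well before trusting the log as JSON.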
Figure 7: USB drive alerts from monitoring a Linux endpoint.
Figure 8: Unauthorized USB drive alert on a Linux endpoint.
The blog post on monitoring USB drives in Linux using Wazuh provides additional information about USB drives connected to Linux endpoints.
Monitoring USB drives on macOS using Wazuh
You can use a custom script to log critical USB device events on macOS endpoints and then configure Wazuh to monitor those events. Administrators can extract information such as connection and disconnection events, vendor IDs, product IDs and serial numbers of the connected USB drives. The script interacts with the macOS I/O Kit framework to collect USB device information, which is then formatted as JSON and written to a log file. The log data produced by this custom script is forwarded by the Wazuh agent to the Wazuh server for analysis.
The blog post on monitoring USB drives in macOS using Wazuh shows the steps to monitor USB drives on macOS endpoints.
Figure 9: USB alerts from monitoring a macOS endpoint.
Figure 10: Unauthorized USB drive alert on macOS.
Conclusion
USB drive attacks pose a security risk across all major operating systems, giving malicious actors a path to deliver malware and gain unauthorized access.
Wazuh offers several detection mechanisms that increase the chances of detecting USB attacks and mitigating their potential impact. Organizations can strengthen their cybersecurity by integrating these detection methods and enforcing a strict USB access policy.