Rare BadUSB Attack Detected in the Wild Against US Hospitality Provider (zdnet.com)
A US hospitality provider has recently been the target of an incredibly rare BadUSB attack, ZDNet has learned from cyber-security firm Trustwave. From a report: The attack happened after the company received an envelope containing a fake BestBuy gift card, along with a USB thumb drive. The receiving company was told to plug the USB thumb drive into a computer to access a list of items the gift card could be used for. But in reality, the USB thumb drive was what security experts call a "BadUSB" -- a USB thumb drive that actually functions as a keyboard when connected to a computer, where it emulates keypresses to launch various automated attacks.
In the old days (Score:3, Informative)
We'd call the front desk and trick the receptionist into typing commands in for us.
While social engineering has come a long way technologically, there is a certain respect I have for people who don't need to use props for their con-art.
Re: (Score:2)
There is something to getting more done with less effort, props or not.
Re: (Score:2)
And the old trick the receptionist with fake bills in the mail as well.
Re: (Score:2)
We'd call up a manager and claim to be IT and that the password database had crashed. Because we know this guy needs his access now (he doesn't), we're going to call him up directly to reset his password first. Pro-active IT handling the big problem, right? What would he like his new password to be? Most often, same as the current one.
OK sir, give me about 15 minutes and you should be able to log right back in. Have a great day.
Re: (Score:2, Insightful)
Seriously, you and those replying to you all seem to be proud of yourselves. Fucking assholes.
And yet, I'm the one who'll get modded down to hell for this post, by other fucking assholes like you.
Re: (Score:2)
> We'd call the front desk and trick the receptionist into typing commands in for us.
Receptionist: "Just a moment sir while I load a fresh ribbon in the typewriter."
Re: (Score:1)
I'm the guy that has to chip the white-out off the screen.
Motive? (Score:2)
Boy, somebody sure had it in for that hospitality provider (whatever that is), didn't they?
Re:Motive? (Score:5, Interesting)
This certainly isn't the first, it's just the first that for some reason someone reported on. I get virus-laden USB crap in the mail all the time.
Typically from some company trying to sell me something and ordering a crap-ton of USB sticks from China which are nearly guaranteed to have a virus or something else on them that's auto-loading.
I haven't personally had a BadUSB yet, but I know others have, once in a while a security company will do that as a stunt and it just opens up Notepad and types a message - doesn't work on a Linux VM though.
Re: (Score:2)
> This certainly isn't the first, it's just the first that for some reason someone reported on. I get virus-laden USB crap in the mail all the time.
Some virus laden USB stick is not the same as using BadUSB, an exploit that typically requires intimate knowledge of the target system in order to execute the attack.
> doesn't work on a Linux VM though.
No. Neither does the USB stick because you haven't passed it through to the VM, which is precisely the first thing someone would do. After this, it'll work just fine in your Linux instance too.
Re: (Score:2)
What's funny is that there'll come the time these attacks target macOS. There may be a good chance such an attack would bring up a terminal, run curl and execute the payload.
And I bet it would be trivial to have that run in your Linux VM too :)
How? (Score:1)
WTF, is autorun still a thing in Windows?
Re: (Score:2)
Check out sentence 3 of TFS quote after the ASCII em-dash.
Re:How? (Score:5, Informative)
This doesn't rely on autorun, the USB "drive" isn't a flash drive at all (as presented to the OS) it is a normal USB keyboard. And after Windows says "Great, a keyboard, let's use you" it starts sending in a prerecorded sequence of keypresses. This would actually be effective against any OS that blindly accepts inputs from a newly inserted USB keyboard, so... Linux/MacOS/PS3 System Software/etc
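The prerecorded keypress sequence described in the comment above leaves a timing signature: a scripted keyboard starts typing almost immediately after it enumerates, and types faster and more evenly than a person. The following is an added example, not part of the thread or of the Trustwave report; the event format, device names and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from itertools import accumulate
from statistics import median

# Thresholds are illustrative assumptions, not values from the article or thread.
FAST_GAP_MS = 30        # median gap between keys below this is faster than a typist
STEADY_JITTER_MS = 3    # gap spread (max - min) this small means machine-paced input
EARLY_START_MS = 2000   # first key arrives this soon after the device enumerates
MIN_KEYS = 8            # do not judge a keyboard on fewer keystrokes

def reasons_for(attach_ms, key_ms):
    """List the ways one keyboard's keystroke timing looks scripted."""
    keys = sorted(key_ms)
    if len(keys) < MIN_KEYS:
        return []
    gaps = [b - a for a, b in zip(keys, keys[1:])]
    found = []
    if median(gaps) < FAST_GAP_MS:
        found.append("fast")
    if max(gaps) - min(gaps) <= STEADY_JITTER_MS:
        found.append("steady")
    if keys[0] - attach_ms < EARLY_START_MS:
        found.append("early")
    return found

def triage(events):
    """events: (ms, device, kind), kind is 'attach' or 'key'. Flag on >= 2 reasons."""
    attach, keys = {}, defaultdict(list)
    for ms, dev, kind in events:
        if kind == "attach":
            attach[dev] = ms
            keys[dev] = []              # a re-plugged device is judged afresh
        elif dev in attach:
            keys[dev].append(ms)
    scored = {dev: reasons_for(t0, keys[dev]) for dev, t0 in attach.items()}
    # One reason alone (a person typing right after plugging in) is not enough.
    return {dev: why for dev, why in scored.items() if len(why) >= 2}

# Constructed sample events; device names and timings are made up.
HUMAN_GAPS = [140, 95, 210, 180, 120, 260, 90, 150, 175]

def _typed(dev, start, gaps):
    return [(t, dev, "key") for t in accumulate([start] + gaps)]

SAMPLE = (
    [(0, "desk-kbd", "attach")] + _typed("desk-kbd", 60000, HUMAN_GAPS)
    + [(100000, "replacement-kbd", "attach")]
    + _typed("replacement-kbd", 101500, HUMAN_GAPS)
    + [(200000, "mailed-stick", "attach")] + _typed("mailed-stick", 200800, [5] * 40)
)
```

Requiring two signals keeps a legitimately replaced keyboard, whose owner starts typing right away, from being flagged on the early-start signal alone.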
rubber ducky is for sale from hak5 (Score:1)
Re: (Score:2)
"BadUSB" is a generic exploit name given to a USB device that enumerates two devices, the actual device to appear legitimate, and a second nefarious device. I think we discussed it quite a few years ago. The exploit has been out a long time but in general it's quite rare as to make use of it without a secondary exploit you need to know enough about a target computer to be useful. e.g. You can set up a wifi card but you need to be within range. You can simulate mouse and keyboard clicks but need to know whic
Re: (Score:2)
If the user expects BestBuy giftcards, then we can expect the user to click whatever pops up, so, there is payload two.
I agree not new/rare, and probably not news (even for nerds), but a welcome distraction to bloody covid-19.
Re: (Score:3)
Some shelter-at-home reading material:
https://www.lmgsecurity.com/bad-usb-very-bad-usb/ [lmgsecurity.com]
https://hackaday.com/tag/badusb/ [hackaday.com]
Re: (Score:1)
Thanks much, super-helpful.
Re: (Score:2)
Nope. This device is a low-end Arduino-type. It emulates a keyboard and starts firing off commands after you plug it in.
Re: (Score:2)
BadUSB has nothing to do with Windows or autorun. But jumping to conclusions and knowing little about security definitely is still a thing on Slashdot in case you're wondering.
Re: (Score:2)
The best way to secure windows is to use polycarbonate instead of glass.
Re: (Score:2)
This wasn't an autorun disk, it was a thumbdrive-shaped script-running keyboard emulator.
Re: (Score:2)
It's not a thumbdrive. It's a thing that looks like a thumb drive but is really a USB HID device. Hak5 makes one called a Rubber Ducky, when they have them in stock, you can buy one here for $50: https://shop.hak5.org/products/usb-rubber-ducky-deluxe [hak5.org]
Windows (Score:2)
I thought Windows was locked down these days?
Arguably you could also attack a misconfigured Linux / Unix machine where someone put sudo / doas with no password globally.
But you have to enable that on a sane distribution
Re: (Score:2)
Re: Windows (Score:2)
Re: (Score:1)
> but then how will we get our Best Buy prizes?
1. Go to Best Buy
2. Grab whatever you want
3. Show the guy at the door your prize claim form / USB stick
4. Profit
Re: (Score:2)
How the fuck do you lock-down against a keyboard?
Real operating systems don't grant regular users with the permissions needed to do damage to the OS or file resources owned by other users. The BadUSB script would have to know a user's password assuming that they have a properly configured suid, or the root password. Having a password prompt appear with no preceding action on the user's part should prompt sudden panic, terror and the urge to back out of whatever might have triggered that. Like pulling an unknown USB stick out and hitting it with a large ha
User-privileged malware (Score:2)
> Real operating systems don't grant regular users with the permissions needed to do damage to the OS or file resources owned by other users.
Malware does not need administrative privileges to exfiltrate or encrypt files in a user account.
> Having a password prompt appear with no preceding action on the user's part should prompt sudden panic
The preceding action was to plug in the peripheral, which in the user's mind triggered a password prompt to install what is passed off as a driver for this peripheral.
Re: (Score:2)
Locked down? How the fuck do you lock-down against a keyboard? You think any company is going to make it hard for a person to replace a broken (drink spilled on it, for example) keyboard?
Do it like Microsoft with Xbox 360 and Xbox One controllers. Ignore all keyboards that fail to perform a challenge-response authentication.
It's from the HAK 5 website (Score:1)
Who's that Pokemon? (Score:2)
The best part is the Gengar that shows up repeatedly in the "Source: Trustwave" chart. I wonder if they licensed him from Nintendo? Which Pokemon would be used to represent white hats?
In related news ... (Score:2)
... MacBook Air users were lining up to obtain what might finally be a working keyboard for their laptops.
That BadUSB script ... (Score:2)
On a side note: Why isn't the 'US hospitality provider' identified? It wouldn't by any chance be a Trump hotel, would it?
Re: (Score:2)
> It wouldn't by any chance be a Trump hotel, would it?
Because these stories rarely ever identify the victim unless it moves their stock price. Don't let common sense get in the way of your conspiracy though, or get in the way of the delusion that any company is smarter than Trump's