Hackers exploiting Windows vulnerability that infects via USB

Flaw hits all versions of Windows; infects when USB peripheral is mounted

BadUSB malware could be used to infect ICS systems
BadUSB malware could be used to infect ICS systems

A flaw in all supported versions of Window that allows malware to execute when a USB peripheral is plugged in is being exploited by hackers, according to a Microsoft security disclosure.

According to a security bulletin published by Microsoft, the vulnerability could allow elevation of privilege if an attacker inserts a malicious USB device into a target system.

“An attacker could then write a malicious binary to disk and execute it,” it said. The firm added that that it had received information about this vulnerability through coordinated vulnerability disclosure.

“When this security bulletin was issued, Microsoft has reason to believe that this vulnerability has been used in targeted attacks against customers,” it warned. It gave the flaw a severity rating of “important”.

The problem affects Windows Vista from service pack 2 onwards (both 32-bit and 4-bit). It also affects Windows Server 2008 and 2012, Windows 7, Windows 8 and 8.1, Windows RT and RT 8.1 as well as newly released Windows 10. Again both 32-bit and 64-bit versions of the operating system appear to be affected by the security problem.

Users are warned to update the systems via Windows Update. The patch comes as part of a slew of Patch Tuesday updates for various versions of Windows as well as Office, Internet Explorer and Microsoft's new secure browser Edge.

As well as fixing the flaw through an update, Microsoft has made available software that enables patched computers to log attempts by hackers to exploit the vulnerability.

“The event log will be triggered every time a malicious USB that relies on this vulnerability, is mounted on the system. If such an event is recorded, it means that attempt to exploit the vulnerability is blocked. So once the update is installed, companies auditing event logs will be able to use this as detection mechanism,” said Axel Souchet, Vishal Chauhan from MSRC Vulnerabilities and Mitigations Team in a blog post.

Microsoft also warned users that any installation of language packs would require the USB patch to be installed again.

Mark James, security specialist at ESET told SCMagazineUK.com that while the vulnerability opens “up the possibility of actually infecting a specific flash drive and sending that device to a company in the hope that an individual will just plug it in to see what's on it.”

“Any business could have data that's worth something.,” he said. “Of course the big organisations will be a desirable target but hopefully they have policies in place to limit the use of USB sticks, but that could just be wishful thinking. Medium sized businesses may be a little more relaxed when it comes to restricting access to these type of devices so therefore could end up being the final victim.”

He added that the flaw could enable the attacker to use a standard network account to gain access to areas that they should not have access to. “This could lead to data loss or the installation of further software to enable other malicious activities to take place.”

He added that simplest way is to have policies in place to restrict the use of USB devices.

“With such policies in place, restrictions would limit data to be written or read from a USB or any external media and would therefore stop the infection from happening,” said James.

According to Joe Bursell of Pen Test Partners, while it technically affects millions of machines, it is doubtful that millions would be targeted.

“It sounds like this has been used in a more targeted attack (Microsoft is not currently saying who but it will no doubt come out eventually). Unlike the Stuxnet .LNK vulnerability (which was remotely exploitable) this issue is only exploitable via a physical USB device. Which limits how “spreadable” it is and how useful it is,” he told SCMagazineUK.com.

“As exploits like this sell for a high price on the vulnerability market, it is likely that it has been used for a very specific purpose by someone with money to spend to achieve their goal. It is probably a nation-state sponsored attack,” he added.

Bursell said that if a hacker got someone plug in an infected USB stick to their Windows PC, then they can boobytrap it with whatever malware/code they want. “That could be a simple keylogger, or something more sophisticated that tries to make an outbound connection to the bad guy's remote server and listen for instructions.”

James Maude, senior security engineer at Avecto, said the vulnerability could be used for the start of a prolonged campaign that uses the USB as an initial entry point to begin harvesting credentials and spreading throughout the network.

“It is virtually impossible to identify a malicious USB device so organisations must impose strict controls around the use of unknown and possibly even known USB devices. Some organisations have resorted to disabling USB at the BIOS level and others have physically disabled or blocked USB and DMA ports on laptops due to these growing concerns, “he told SCMagazineUK.com.