CAPEC-457 Metadata
Likelihood of Attack
Low
Typical Severity
High
Overview
Summary
An adversary loads malicious code onto a USB memory stick in order to infect any system into which the device is plugged. USB drives present a significant security risk for businesses and government agencies. Given the ability to integrate wireless functionality into a USB stick, it is possible to design malware that not only steals confidential data but also sniffs the network or monitors keystrokes, and then exfiltrates the stolen data off-site via a wireless connection. Viruses can also be transmitted via the USB interface without the specific use of a memory stick. Attacks from USB devices are often of such sophistication that experts conclude they are not the work of single individuals but suggest state sponsorship. These attacks can be performed by an adversary with direct access to a target system or can be executed via means such as USB Drop Attacks.
Prerequisites
Some level of physical access to the device being attacked. Information about the target organization on how best to execute a USB Drop Attack.
Execution Flow
Step | Phase | Description | Techniques |
---|---|---|---|
1 | Explore | [Determine Target System] In certain cases, the adversary will explore an organization's network to determine a specific target machine to exploit, based on the information it contains or the privileges its main user may possess. | |
2 | Experiment | [Develop or Obtain malware and install on a USB device] The adversary develops or obtains the malicious software necessary to exploit the target system, which they then install on an external USB device such as a USB flash drive. | |
3 | Exploit | [Connect or deceive a user into connecting the infected USB device] Once the malware has been placed on an external USB device, the adversary connects the device to the target system or deceives a user into connecting the device to the target system, such as in a USB Drop Attack. | |
Potential Solutions / Mitigations
Ensure that physical access to systems is properly regulated to prevent an adversary from physically connecting a malicious USB device themselves. Use anti-virus and anti-malware tools, which can prevent malware from executing if it finds its way onto a target system, and make sure these tools are regularly updated with current virus and malware signatures. Do not connect untrusted USB devices to systems on an organizational network. Additionally, use an isolated testing machine to validate untrusted devices and confirm that no malware is present.
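The mitigations above assume an organization can tell approved removable media from unknown devices. The following is an added example, not part of the CAPEC entry, showing how a host-side detector might do that: it parses Linux kernel log lines of the kind the usb core and usb-storage driver emit on device insertion, reconstructs each attached device, and flags any mass-storage device whose vendor/product/serial triple is not on an allowlist. The log lines, the allowlist entry and the device names are constructed sample data; the message formats follow the kernel's, but the `parse_usb_events` and `find_unapproved_storage` helpers are assumptions of this example, not tooling from CAPEC or MITRE.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample log, modelled on the lines the Linux usb core and
# usb-storage driver print when devices are attached. Three devices appear:
# an approved flash drive (1-1), a keyboard (1-2) and an unknown drive (1-3).
SAMPLE_LOG = """\
[  120.101] usb 1-1: new high-speed USB device number 4 using xhci_hcd
[  120.250] usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
[  120.251] usb 1-1: Product: Ultra Fit
[  120.252] usb 1-1: SerialNumber: 4C530001
[  120.300] usb-storage 1-1:1.0: USB Mass Storage device detected
[  300.400] usb 1-2: new full-speed USB device number 5 using xhci_hcd
[  300.500] usb 1-2: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
[  300.501] usb 1-2: Product: USB Keyboard
[  900.700] usb 1-3: new high-speed USB device number 6 using xhci_hcd
[  900.800] usb 1-3: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
[  900.801] usb 1-3: Product: Disk
[  900.802] usb 1-3: SerialNumber: 000000000001
[  900.900] usb-storage 1-3:1.0: USB Mass Storage device detected
"""

# Constructed allowlist of organization-issued drives (vendor id, product id,
# serial). In practice this would be loaded from inventory, not hard-coded.
ALLOWLIST = {("0781", "5583", "4C530001")}

NEW_DEVICE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
PRODUCT = re.compile(r"usb (?P<port>[\d.-]+): Product: (?P<name>.+)$")
SERIAL = re.compile(r"usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)")
STORAGE = re.compile(
    r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected"
)


@dataclass
class UsbDevice:
    port: str            # bus-port path, e.g. "1-3"
    vid: str             # idVendor as printed by the kernel
    pid: str             # idProduct as printed by the kernel
    product: str = ""
    serial: str = ""
    mass_storage: bool = False


def parse_usb_events(log: str) -> dict[str, UsbDevice]:
    """Reconstruct attached devices, keyed by port, from kernel log lines."""
    devices: dict[str, UsbDevice] = {}
    for line in log.splitlines():
        if m := NEW_DEVICE.search(line):
            devices[m["port"]] = UsbDevice(m["port"], m["vid"], m["pid"])
        elif (m := PRODUCT.search(line)) and m["port"] in devices:
            devices[m["port"]].product = m["name"].strip()
        elif (m := SERIAL.search(line)) and m["port"] in devices:
            devices[m["port"]].serial = m["serial"]
        elif (m := STORAGE.search(line)) and m["port"] in devices:
            # The usb-storage line is what distinguishes removable media
            # from keyboards, hubs and other device classes.
            devices[m["port"]].mass_storage = True
    return devices


def find_unapproved_storage(log: str, allowlist: set[tuple[str, str, str]]) -> list[UsbDevice]:
    """Return mass-storage devices whose (vid, pid, serial) is not allowlisted."""
    return [
        dev
        for dev in parse_usb_events(log).values()
        if dev.mass_storage and (dev.vid, dev.pid, dev.serial) not in allowlist
    ]


def format_alert(dev: UsbDevice) -> str:
    return (f"unapproved mass-storage device on port {dev.port}: "
            f"{dev.vid}:{dev.pid} serial={dev.serial or '?'} product={dev.product!r}")


if __name__ == "__main__":
    for dev in find_unapproved_storage(SAMPLE_LOG, ALLOWLIST):
        print(format_alert(dev))
```

Keying the allowlist on the serial number as well as the vendor and product ids makes a casual spoof of a known drive's ids insufficient, but all three values are reported by the device itself and can be forged, so this is a detection control that complements, rather than replaces, the physical-access and isolated-testing mitigations above.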
Related Weaknesses (CWE)
CWE ID | Description |
---|---|
CWE-1299 | Missing Protection Mechanism for Alternate Hardware Interface |
Related CAPECs
CAPEC ID | Description |
---|---|
CAPEC-456 | An adversary inserts malicious logic into memory enabling them to achieve a negative impact. This logic is often hidden from the user of the system and works behind the scenes to achieve negative impacts. This pattern of attack focuses on systems already fielded and used in operation as opposed to systems that are still under development and part of the supply chain. |
CAPEC-529 | Adversary uses malware or a similarly controlled application installed inside an organizational perimeter to gather information about the composition, configuration, and security mechanisms of a targeted application, system or network. |
Taxonomy Mappings
Taxonomy: ATTACK