Replication Through Removable Media (T1091)
Replication Through Removable Media [T1091]
Last updated
Replication Through Removable Media [T1091]
Last updated
Name: Replication Through Removable Media
ID: T1091
Tactics: ,
Replication Through Removable Media (T1091) is a technique identified within the MITRE ATT&CK framework, categorized under lateral movement. Attackers leverage removable media devices, such as USB drives, external hard disks, or optical media, to transfer malicious payloads onto targeted systems. This method allows attackers to bypass network-based security controls, propagate malware across disconnected or air-gapped systems, and achieve persistence or lateral movement within organizations.
Attackers commonly exploit removable media by embedding malicious payloads onto portable devices, enabling malware to execute automatically or upon user interaction. Technical execution methods include:
Autorun Exploitation:
Attackers utilize the Windows Autorun feature (e.g., autorun.inf) to automatically execute malware when removable media is inserted into a system.
Though modern Windows versions have limited Autorun capabilities, legacy systems remain vulnerable.
Shortcut (LNK) Files:
Malicious shortcut files (.lnk) placed on removable media can execute payloads when users click on them.
Attackers disguise shortcuts as legitimate documents or folders to trick users into execution.
Hidden or Obfuscated Files:
Attackers hide malware within legitimate files or use hidden attributes to avoid casual detection.
Malware may leverage file name spoofing or Unicode characters to conceal true file types.
Firmware-Level Attacks:
Advanced adversaries embed malware within device firmware, making detection and removal difficult.
Firmware-level infections persist even after formatting or wiping the removable media.
Physical Access and Social Engineering:
Attackers intentionally leave infected removable media in public or targeted locations, exploiting human curiosity or negligence to induce victims to plug them into corporate systems.
Social engineering tactics include labeling media with enticing or trustworthy labels to increase likelihood of use.
Replication Through Removable Media is typically employed in scenarios such as:
Initial Access:
Attackers gain initial footholds into isolated or air-gapped networks that are otherwise inaccessible via internet or network-based attacks.
Lateral Movement:
Malware propagation between isolated segments or systems within a network where traditional network-based lateral movement is restricted or monitored.
Persistence and Reinfection:
Attackers use removable media to maintain persistence, reinfect systems previously cleaned, or re-establish footholds after detection and remediation.
Targeting Critical Infrastructure and Industrial Control Systems (ICS):
Attackers target sensitive environments, such as ICS or SCADA networks, that commonly employ air-gap security measures, relying heavily on removable media for data transfer.
Supply Chain Attacks:
Malicious actors compromise removable media during manufacturing or distribution stages, infecting end-users upon first use.
Detection methods and indicators of compromise (IoCs) for attacks leveraging removable media include:
Endpoint Security Tools:
Antivirus and Endpoint Detection and Response (EDR) solutions that scan removable media upon insertion.
Detection of suspicious files, known malware signatures, or unusual file types on removable devices.
Monitoring Autorun and Shortcut File Activity:
Monitoring the creation and execution of suspicious .lnk files, autorun.inf, or scripts triggered from removable media.
Device Control and Access Logs:
Implementation of Device Control solutions to log removable media insertions and usage.
Analysis of logs to identify unauthorized or unusual media insertions, especially on critical or sensitive systems.
Behavioral Analytics:
Analyzing anomalous behaviors such as unexpected processes, unusual file accesses, or suspicious script execution triggered immediately after removable media insertion.
Firmware Integrity Checks:
Periodic integrity checks or firmware scans of removable media devices to detect firmware-level compromise.
Specific Indicators of Compromise (IoCs):
Presence of autorun.inf files referencing unknown or suspicious executables.
Suspicious shortcut files (.lnk) pointing to hidden executables.
Hidden files or folders with executable extensions.
Unexpected or unauthorized processes spawned immediately after removable media insertion.
Known malware hashes or signatures identified on removable media.
Early detection and mitigation of replication through removable media is critical due to potential impacts, including:
Bypassing Network Security Controls:
Malware introduced through removable media circumvents perimeter defenses, firewalls, and intrusion detection systems, allowing attackers direct access to endpoints.
Propagation Across Air-Gapped Networks:
Attackers can breach highly secure or isolated environments (e.g., critical infrastructure, military, government networks) that rely on removable media for data transfers.
Persistent Malware Infections:
Malware infections introduced through removable media can persist undetected, repeatedly reinfecting systems even after remediation.
Data Exfiltration and Espionage:
Attackers use removable media to exfiltrate sensitive or classified data from isolated or secured environments without network connectivity.
Operational Disruption and Damage:
Malware introduced via removable media can disrupt critical operations, damage systems, or cause physical harm, especially in industrial or critical infrastructure environments.
Supply Chain Risks:
Compromised removable media introduced through supply chain attacks can infect large numbers of users or organizations simultaneously, multiplying the impact.
Several real-world examples illustrate the use of replication through removable media:
Stuxnet (2010):
Scenario: Advanced malware targeting Iranian nuclear facilities, propagating via infected USB drives into air-gapped industrial control systems.
Tools Used: Utilized zero-day vulnerabilities, Autorun exploitation, and malicious .lnk files.
Impact: Significant physical damage to centrifuges, disruption of nuclear enrichment operations, and heightened global awareness of ICS vulnerabilities.
Conficker Worm (2008-2009):
Scenario: Worm propagated rapidly through removable media and exploited Autorun features to infect millions of Windows systems globally.
Tools Used: Autorun.inf files, malicious executables hidden on USB drives.
Impact: Massive global infection, disruption of services, and costly remediation efforts worldwide.
Agent.BTZ Malware (2008):
Scenario: Malware infected U.S. military networks via removable media, leading to significant security breaches and operational disruptions.
Tools Used: Malicious executables and Autorun exploitation.
Impact: Prompted the U.S. Department of Defense to significantly alter cybersecurity policies, including banning USB drives.
DarkHotel Attacks (2014 onwards):
Scenario: Targeted espionage attacks against hotel guests, including corporate executives, using compromised removable media devices.
Tools Used: Malicious executables, hidden payloads, and social engineering tactics.
Impact: Theft of sensitive corporate and personal data, espionage, and reputational damage to targeted organizations.
BadUSB Attacks (Disclosed in 2014):
Scenario: Exploited firmware-level vulnerabilities in USB devices, turning benign devices into malicious attack vectors.
Tools Used: Firmware-level malware embedded in USB controller chips.
Impact: Persistent infections difficult to detect and remove, widespread risk to all USB device users, and increased awareness of hardware-level vulnerabilities.