Mar-a-Lago Malware Event: A Study in What NOT to do With Unknown USB Keys

It’s troubling when the world of politics and IT security share headlines.

But on March 30, a Chinese national named Yujing Zhang walked into President Trump’s private resort, Mar-a-Lago, with a suspicious USB key and other electronic gear.

To everyone’s surprise (because you should never do this), a Secret Service member plugged the USB drive device into his work computer and noticed visible changes on the screen to confirm the strong possibility of malware. She was arrested by Security Service. Upon a search of the trespasser’s hotel room, nine more USB keys were found along with other gear.

Hacking 101: The “Lost” USB key

Dropping USB keys in sensitive locations is a valid attack method, and the accused trespasser may just have been trying to do this. This story falls in line with similar attacks on engineers and executives traveling in China.

It has been considered a best practice when in China on business to bring a “burner” laptop that is returned to IT to be reformatted. In many noted cases, unattended laptops in conference or hotel rooms have been infected via USB keys awaiting return to the home network.

When I worked for a well-known company in Mountain View, California, it was common to hear of people throwing USB keys at our lobby doors from the street; some of these I personally found. Every time I go to a retail checkout stand and see an exposed point-of-sale (POS) monitor, I look for exposed USB ports and think of that experience.

In the absence of a publicly released statement from the accused about her intentions with the keys at Mar-a-Lago, IT researchers expect she would try to insert them in a network-connected PC or drop in an employee-only part of the compound to minimize exposure.

According to a study with Google and the universities of Illinois and Michigan, 45% of people who found nearly 300 USB keys plugged them in to their personal devices to either “find the owner” or were just curious.

In another study, 60% of dropped keys found their way into U.S. Government computers. Additionally, eight out of 15 Western Australian government agencies “fell victim” to a similar test. Reasons aside, people insert and inspect these devices at the risk to personal devices or corporate networks.

How do you stop USB attacks?

The first step is education. Do something physical to make an impact. Put a garbage can in the lobby with a sign that says, “Place Found USBs Here.” But, please, take a picture and tag me (@BRChelmo) if you do.

The second step is the use of device control capabilities within an endpoint security solution that stops unknown USB keys from connecting to the endpoint.

With SonicWall Capture Client, for example, administrators can create customized policies for known and unknown USB devices. For instance, they could allow all mice and keyboards, but block unknown USB keys while allowing approved or registered ones.

If you do not have this option, you need to ensure your endpoint solution can stop malware based on behavior, not signatures. The malware found on USB sticks will often not be categorized by your vendor or VirusTotal.

This is why behavior-based anti-malware defense is important. According to the 2019 SonicWall Threat Report, 45 million new forms of malware were identified and blocked. A good part of this number was found via customer submissions to our sandboxing service called Capture ATP, which blocks suspicious code and files until a verdict is found.

In the case of Capture Client, the AI engine is always scouting for malicious behavior. As for the Secret Service member who activated the drive, Capture Client would have either stopped it before or during its execution. If the code on the key would have created system changes, the remediation capabilities would allow the agency to roll back that PC to its last-known good state. The administrator would have been notified of the event via an alert to quickly take action. This level of control is an absolutely critically layer of a sound security posture.

If you’d like to learn more about stopping advanced attacks that hit the endpoint, please watch this recent webcast, “Can You Stop These Two Endpoint Threat Vectors?”