Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Mobile devices may also be used to infect PCs with malware if connected via USB.(Citation: Exploiting Smartphone USB ) This infection may be achieved using devices (Android, iOS, etc.) and, in some instances, USB charging cables.(Citation: Windows Malware Infecting Android)(Citation: iPhone Charging Cable Hack) For example, when a smartphone is connected to a system, it may appear to be mounted similar to a USB-connected disk drive. If malware that is compatible with the connected system is on the mobile device, the malware could infect the machine (especially if Autorun features are enabled).
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| UEM-09 | Anti-Malware Detection and Prevention | mitigates | T1091 | Replication Through Removable Media |
Comments
This control describes the implementation of endpoint security, including anti-malware software, to mitigate the risk of exploitation by threat actors. The implementation guidance provides several examples of that the technical measures under Anti-Malware should aid with preventing which include:
Scan installed software and system data content to identify and remove unauthorized code/software.
Prohibit the use of installation of unauthorized software.
Restricting on obtaining malicious data and software from external networks.
Endpoint removable media management.
References
|
| DSP-02 | Secure Disposal | mitigates | T1091 | Replication Through Removable Media |
Comments
Adversaries may may attempt to connect and distribute malware via removable storage. In initial access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself. This control ensures that storage media is securely and irreversibly sanitized using industry‑accepted methods to prevent data recovery, thereby mitigating attacker techniques such as data remanence exploitation, forensic recovery, and unauthorized access to residual sensitive information from discarded or repurposed devices.
References
|