It doesn’t really matter whether Yujing Zhang is a spy for the Chinese government, an enthusiastic sleuth or simply a misguided young woman who heard voices ordering her to fly from Shanghai to Florida and to attempt to talk to President Donald Trump on March 30.
Whatever her motivation, she was clearly unprepared to carry out whatever mission–real or imagined–that she was on, and as a result, she was arrested by the U.S. Secret Service. According to the charging documents, she was carrying four cell phones, a laptop computer with an external drive and a USB thumb drive that contained malware.
That thumb drive may have been her real mission. The reason is that getting an infected thumb drive into a computer on the Mar-a-Lago resort’s network could have released that malware, and depending on specifically what kind of malware it is, could have seriously compromised the resort’s network. Whether the network is connected in some way to the White House communications network that handles the president’s official business seems unlikely, but again, that may not matter. Any network at the resort is certain to contain information about the president’s plans, including when he plans to have activities off the property and how long those activities might last.
Right now we don’t know what sort of malware was actually on that thumb drive, and we may never know for sure unless the Secret Service releases the information or it comes out during legal proceedings. We also may never know for sure whether Zhang was working for the Chinese government, although that seems likely, despite her lack of professionalism. The Chinese intelligence services have long sent out ill-prepared agents, apparently in the belief that with enough of them, eventually they’ll find something.
USB Drives Can Wreak Real Havoc if Not Policed
Right now what matters most to you is that thumb drive. A visitor to your facility with a thumb drive in his/her pocket could wreak havoc with your network, and you might not know about it until it’s too late to do much about it. All that’s necessary is to plug that drive into a random USB port, and your network could be compromised.
What happens next depends on what’s on the thumb drive. You could find yourself with malware, with ransomware or perhaps a back door that will be installed so it can be used later. The question you have to ask yourself and your IT staff is: How do you prevent that thumb drive from compromising your organization? The answers aren’t easy, partly because those thumb drives can be tiny and easy to conceal, and partly because most organizations don’t have any real defenses once they’re physically inside your building.
Once there, a bad guy can leave an attack behind that doesn’t appear until later. A spokesperson for Malwarebytes Lab said that malware can be written so that it has what’s called “delayed detonation,” in which the malware waits, sometimes for weeks or months, before it becomes active. During that time it’s able to be quietly spread through the network, and embedded in your backups, making it hard to remove.
Another type of delayed detonation is malware that gets embedded into a benign network and then simply waits for someone to move data–likely with a thumb drive–to an air-gapped network before it activates.
The first line of defense is physical security. Prohibit thumb drives from your property, at least from areas where security is necessary, and then screen anyone who enters and leaves. You can also prevent access to the USB ports, either through security settings on your computer’s operating system, or by physically blocking access to external USB ports. One agency I know uses glue to block any available ports to prevent plugging in a thumb drive. You can also permanently fasten the USB connectors where your keyboard and mouse attach.
Enterprises Need More than Basic Security
But you need to do more, such as asking your security staff to keep an eye out for USB thumb drives that might be found lying around in parking lots, restrooms or other public areas. You might even want to provide a bounty for your employees who find random thumb drives. Such apparently lost thumb drives have been a favorite vector for delivering malware or other nasty surprises to organizations over the last few years.
You also must be aware that your perimeter defenses may not be enough. Because of this, you need to be aware of anomalies on your network. “Know what your normal is,” the Malwarebytes spokesperson said. That means being familiar with what’s in your system logs so you can spot when something isn’t normal. When it comes to logs, you need to know normal activity is so you can spot abnormal activity.
The spokesperson also said that you should build a 100 percent asset inventory so that you know when something appears on your network that shouldn’t be there, you’ll know about it. In addition, the spokesperson suggests getting rid of services you don’t need so that they can’t be compromised, have an up-to-date risk assessment policy, and have detailed, up-to-date logs so that you can tell when something happened and exactly what it was that happened.
The Malwarebytes spokesperson also said that in the case of Mar-a-Lago, that hotels are nearly impossible to secure, and suggested not having sensitive meetings or even conversations at a hotel. I can confirm that point, since more than once I’ve found devices inside hotel rooms, and hotel networks are nearly always insecure.
The events on March 30 should be a wake-up call for your organization. Find a way to get rid of USB thumb drives, and make sure that even if they’re brought into your company contrary to your policies, that they can’t be used.