Security
Headlines
HeadlinesLatestCVEs

Headline

To Damage OT Systems, Hackers Tap USBs, Old Bugs & Malware

USBs have something the newest, hottest attack techniques lack: the ability to bridge air gaps.

DARKReading
#vulnerability#ios#apple#auth#zero_day

Source: Mohammad Aaref Barahouei via Alamy Stock Photo

Industrial cyberattackers are increasingly using removable media to penetrate operational technology (OT) networks, then leveraging the same old malware and vulnerabilities to make their mark.

For whatever reason, USB devices are a la mode again with some of the world’s premier threat actors. Nowhere is this more evident than in the OT space where, according to Honeywell’s “2024 USB Threat Report,” attackers are “clearly” turning to USBs to get a foothold in industrial networks.

With that foothold, Honeywell reports, attackers are forgoing sophisticated exploitation techniques, zero-day vulnerabilities, or novel malware. Instead, they’re leveraging old tools and bugs, plus the built-in capabilities of OT control systems to achieve their end goals.

Why USBs?

USBs have something that none of the newest, hottest attack techniques do: the ability to bridge air gaps.

True air gaps are physical separations between OT and IT networks designed to let no malicious attacks pass through. Some also use the term to describe other kinds of setups that distinguish IT and OT systems using access controls, segmentation, and the like. Air gaps are most often used in high-risk industries — think nuclear, military, financial services, etc. — where other means of demarcating IT and OT networks won’t cut it.

“A lot of operational facilities are entirely air gapped,” explains Matt Wiseman, director of OT product marketing at OPSWAT. “Those more modern approaches like email-based attack — something over the network — aren’t really as effective when [the OT systems] are disconnected from the broader Internet. You need to be more creative, think outside the box. USBs and removable media are very interesting because they’re the only threat you can pick up in your pocket and carry beyond that air gap.”

Interestingly, the trend seems to have been born during COVID. In 2019, only 9% of USB-carried cyber threats to industry were actually designed for USBs. By 2022 — and consistently ever since — that number exceeded 50%.

Having crossed that air gap with a USB, attackers are opting for living-off-the-land tactics to perform data collection and exfiltration (observed in 36% of Honeywell’s detected USB attacks), defense evasion (29%), and escalation privileges (18%), ultimately achieving persistence in the operational network.

Clearly novel and powerful malware and vulnerabilities are not the focus, as brand name tools of yesteryear such as BlackEnergy and Industroyer (aka CrashOverride) are still making rounds. The most common vulnerabilities exploited in such attacks — such as CVE-2010-2883 and CVE-2017-11882 — are equally dated. All of the most common CVEs listed in Honeywell’s report have been known since at least 2018.

In most cases, the goal of these attacks is disruption or destruction. Around 80% of USB-based threats every year now are capable of causing disruptions to OT systems, including loss of visibility or control, or worse (ransomware, wipers, etc.).

Defending Against USB Threats

The good news for defenders is that with such antiquated threat vectors, fancy and expensive solutions aren’t necessarily the solution. “You can always go with the fundamentals,” Wiseman says, meaning strict USB policies and procedures.

At many organizations, he says, “You go back a number of years, there was an honor system. ‘Hey, did you scan that?’ Now you have technology that can check to make sure. If you plug something in, it’s not going to work unless it has been scanned and checked by some type of formal security solution.”

This technology often takes the form of a kiosk or “sanitation station” for scanning removable media, placed strategically at the exterior of a sensitive site in order to make sure no malicious ones make their way through. Sometimes those stations are paired with file transfer systems to ensure that no outside device ever actually has to cross the threshold of an industrial control floor.

“We’re seeing more mature conversations now. What’s our mobile program? What’s the process for employees? What’s the process for guests? How do we manage these devices? How do we view the activity that’s occurring? And how do we ensure that we’re ahead of it going forward?” he says. “There’s definitely a massive realization of the threat that these devices can pose.”

About the Author(s)

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes “Malicious Life” – an award-winning Top 20 tech podcast on Apple and Spotify – and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts “The Industrial Security Podcast,” the most popular show in its field.

Related news

SmokeLoader Malware Exploits MS Office Flaws to Steal Browser Credentials

SmokeLoader malware has resurfaced with enhanced capabilities and functionalities, targeting your personal data.

Sidewinder Casts Wide Geographic Net in Latest Attack Spree

The long-active, India-sponsored cyber-threat group targeted multiple entities across Asia, Africa, the Middle East, and even Europe in a recent attack wave that demonstrated the use of a previously unknown post-exploit tool called StealerBot.

macOS Version of HZ RAT Backdoor Targets Chinese Messaging App Users

Users of Chinese instant messaging apps like DingTalk and WeChat are the target of an Apple macOS version of a backdoor named HZ RAT. The artifacts "almost exactly replicate the functionality of the Windows version of the backdoor and differ only in the payload, which is received in the form of shell scripts from the attackers' server," Kaspersky researcher Sergey Puzan said. HZ RAT was first

New SideWinder Cyber Attacks Target Maritime Facilities in Multiple Countries

The nation-state threat actor known as SideWinder has been attributed to a new cyber espionage campaign targeting ports and maritime facilities in the Indian Ocean and Mediterranean Sea. The BlackBerry Research and Intelligence Team, which discovered the activity, said targets of the spear-phishing campaign include countries like Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, and the

Kimsuky Using TRANSLATEXT Chrome Extension to Steal Sensitive Data

The North Korea-linked threat actor known as Kimsuky has been linked to the use of a new malicious Google Chrome extension that's designed to steal sensitive information as part of an ongoing intelligence collection effort. Zscaler ThreatLabz, which observed the activity in early March 2024, has codenamed the extension TRANSLATEXT, highlighting its ability to gather email addresses, usernames,

Cloud Atlas' Spear-Phishing Attacks Target Russian Agro and Research Companies

The threat actor referred to as Cloud Atlas has been linked to a set of spear-phishing attacks on Russian enterprises. Targets included a Russian agro-industrial enterprise and a state-owned research company, according to a report from F.A.C.C.T., a standalone cybersecurity company formed after Group-IB's formal exit from Russia earlier this year. Cloud Atlas, active since at

New Agent Tesla Malware Variant Using ZPAQ Compression in Email Attacks

A new variant of the Agent Tesla malware has been observed delivered via a lure file with the ZPAQ compression format to harvest data from several email clients and nearly 40 web browsers. "ZPAQ is a file compression format that offers a better compression ratio and journaling function compared to widely used formats like ZIP and RAR," G Data malware analyst Anna Lvova said in a Monday analysis.

Operation Rusty Flag: Azerbaijan Targeted in New Rust-Based Malware Campaign

Targets located in Azerbaijan have been singled out as part of a new campaign that's designed to deploy Rust-based malware on compromised systems. Cybersecurity firm Deep Instinct is tracking the operation under the name Operation Rusty Flag. It has not been associated with any known threat actor or group. "The operation has at least two different initial access vectors," security researchers

Alert: Phishing Campaigns Deliver New SideTwist Backdoor and Agent Tesla Variant

The Iranian threat actor tracked as APT34 has been linked to a new phishing attack that leads to the deployment of a variant of a backdoor called SideTwist. “APT34 has a high level of attack technology, can design different intrusion methods for different types of targets, and has supply chain attack capability,” NSFOCUS Security Labs said in a report published last week. APT34, also known by

Chinese Hackers Keep Targeting Group-IB Cybersecurity Firm

By Deeba Ahmed An APT group known as Tonto Team has tried targeting the Singapore-based Group-IB cybersecurity firm for the second time. This is a post from HackRead.com Read the original post: Chinese Hackers Keep Targeting Group-IB Cybersecurity Firm

Adobe, Apple, Cisco, Microsoft Flaws Make Up Half of KEV Catalog

CISA’s Known Exploited Vulnerabilities Catalog has become a valuable repository of vulnerabilities to be patched. A pair of reports analyze the vulnerabilities under attack to understand the kind of threats organizations should be prioritizing.

Most Q2 Attacks Targeted Old Microsoft Vulnerabilities

The most heavily targeted flaw last quarter was a remote code execution vulnerability in Microsoft Office that was disclosed and patched four years ago.

Emotet Banking Trojan Resurfaces, Skating Past Email Security

The malware is using spreadsheets, documents, and other types of Microsoft Office attachments in a new and improved version that is often able to bypass email gateway-security scanners.

SideWinder Hackers Launched Over a 1,000 Cyber Attacks Over the Past 2 Years

An "aggressive" advanced persistent threat (APT) group known as SideWinder has been linked to over 1,000 new attacks since April 2020. "Some of the main characteristics of this threat actor that make it stand out among the others, are the sheer number, high frequency and persistence of their attacks and the large collection of encrypted and obfuscated malicious components used in their

New Attack Shows Weaponized PDF Files Remain a Threat

Notable new infection chain uses PDF to embed malicious files, load remote exploits, shellcode encryption, and more, new research shows.

DARKReading: Latest News

US Ban on TP-Link Routers More About Politics Than Exploitation Risk