Nation-state cyber threat groups are once again turning to USB drives to compromise highly protected government organizations and critical infrastructure facilities.
Having fallen out of fashion for some time, and certainly not helped by COVID lockdowns, USB drives are once again proving to be an effective way for high-level threat actors to physically bypass the security of particularly sensitive organizations.
In a keynote presentation this week at CPX 2024 in Las Vegas, Maya Horowitz, vice president of research at Check Point, noted that USB drives were the primary infection vector for at least three different large threat groups in 2023: Camaro Dragon (aka Mustang Panda, Bronze President, Earth Preta, Luminous Moth, Red Delta, Majestic Bull); Russia's Gamaredon (aka Primitive Bear, UNC530, ACTINIUM, Shuckworm, UAC-0010, Aqua Blizzard); and the threat actors behind Raspberry Robin.
“For several years we didn’t hear about USB – it was just cyberattacks on the Internet,” Horowitz tells Dark Reading. “But usually there are fads with threat actors: one attack is successful, then others will copy it. I think this is what we’re starting to see with USB drives, this attack vector re-emerging.”
The growing threat of USB
How many times have you opened the door, seen an Amazon package on the welcome mat, and forgotten what you actually ordered two days ago?
“Recently, we worked with an electric company where one of the employees received an Amazon box, with Amazon tape,” Daniel Wiley, Check Point’s threat management manager, recalled during a Wednesday press conference. “Inside was a completely brand new, sealed SanDisk USB. He thought his wife had ordered it. So he opened it, plugged it in. Everything else was a chain reaction. He managed to penetrate their VPN. Let’s just say the power company wasn’t in a good position.”
That it was an employee of an electric company was no coincidence: critical sectors often separate IT and OT networks with air gaps or one-way gateways, which Internet-based attacks cannot cross. USB drives provide a bridge across this gap, as Stuxnet famously demonstrated more than a decade ago.
USB attacks can be useful even without this air-gap constraint. Consider an employee of a UK hospital who, not long ago, attended a conference in Asia. During the conference, she shared her presentation with other attendees via a USB drive. Unfortunately, one of her colleagues was infected with the Camaro Dragon malware, which the hospital employee then picked up and brought back with her to the UK, infecting the hospital's entire corporate network.
As Horowitz recalled in her speech, the malware opened a backdoor on newly infected computers but also behaved like a worm, copying itself to every new device it came into contact with via USB. This allowed it to spread beyond Western Europe to countries such as India, Myanmar, Russia and South Korea.
Raspberry Robin spreads in much the same way, enabling ransomware authors around the world. And Gamaredon's USB drives carried its LitterDrifter worm to countries as diverse as Chile, Germany, Poland, South Korea, Ukraine, the United States, and Vietnam.
What to do with those pesky USBs
There are simple steps organizations can take to protect themselves from most USB-related threats, such as always separating personal and work devices and treating the latter with greater care.
“Some organizations only scan files downloaded from the Internet,” Horowitz said. “This is wrong, because both threat actors and employees who want to cause harm can bring their own USB drive to bypass the security saved for files downloaded from the Internet.”
Critical infrastructure industries need to go a step further: sanitization stations, strict policies on removable devices, and even tape over a USB port can solve the problem in an instant.
For organizations that don't want to, or can't afford to, give up removable media, "Bring Your Own Device (BYOD) is fine, you can do it, but it means you need multiple layers of security," Horowitz tells Dark Reading.
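As an added illustration of what a "strict policy on removable devices" can look like in practice (example code written for this article, not Check Point's or the article's own), the following Python script scans Linux kernel log lines for USB mass-storage attachments and flags any drive whose vendor ID, product ID and serial number are not on the organization's allowlist. The log lines and the allowlist are constructed samples; a keyboard or mouse plugging in is ignored because it is not a storage device.

```python
import re

# Constructed sample of Linux kernel (dmesg) lines: an issued SanDisk drive,
# a mouse, and an unknown Kingston drive, each identified by its USB port.
SAMPLE_LOG = """\
usb 1-1: New USB device found, idVendor=0781, idProduct=5581, bcdDevice= 1.00
usb 1-1: SerialNumber: 4C530001234567890000
usb-storage 1-1:1.0: USB Mass Storage device detected
usb 2-3: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.10
usb 2-3: SerialNumber: ABC123
usb 3-2: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
usb 3-2: SerialNumber: E0D55EA5C3F9
usb-storage 3-2:1.0: USB Mass Storage device detected
"""

# Constructed allowlist of organization-issued drives: (idVendor, idProduct, serial).
ISSUED_DRIVES = {("0781", "5581", "4C530001234567890000")}

DEVICE_RE = re.compile(r"^usb (?P<port>[\d.-]+): New USB device found, "
                       r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
SERIAL_RE = re.compile(r"^usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)")
STORAGE_RE = re.compile(r"^usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")


def find_unapproved_storage(log_text, allowlist):
    """Return one alert dict per mass-storage attach that is not on the allowlist."""
    devices = {}  # port -> identity collected from the "New USB device found" lines
    alerts = []
    for line in log_text.splitlines():
        m = DEVICE_RE.match(line)
        if m:
            devices[m["port"]] = {"port": m["port"], "vid": m["vid"], "pid": m["pid"], "serial": None}
            continue
        m = SERIAL_RE.match(line)
        if m and m["port"] in devices:
            devices[m["port"]]["serial"] = m["serial"]
            continue
        m = STORAGE_RE.match(line)
        if m:
            dev = devices.get(m["port"])
            if dev is None:  # storage driver bound to a port we never saw enumerate
                alerts.append({"port": m["port"], "reason": "mass storage on unknown device"})
            elif (dev["vid"], dev["pid"], dev["serial"]) not in allowlist:
                alerts.append({**dev, "reason": "mass storage device not on allowlist"})
    return alerts


if __name__ == "__main__":
    for alert in find_unapproved_storage(SAMPLE_LOG, ISSUED_DRIVES):
        print(f"ALERT port={alert['port']}: {alert['reason']} {alert}")
```

In a real deployment the same check would run on the live kernel log or a SIEM feed, and an alert would trigger the sanitization-station workflow rather than just a printed line.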
And most importantly: “Check your orders on Amazon before you open them,” Wiley joked.