With sophisticated attempts on Fortune 500 organizations, sensitive governmental sites, healthcare systems, and other critical infrastructure, it’s time to take a closer look at this trending hazard to better understand the implications it will hold for the cybersecurity landscape in 2024.

As the old-fashioned but effective USB attack method makes its comeback, the rise in cyber incidents caused by malware delivered on removable media has raised concerns among cyber professionals, especially those in the ICS and OT community.

Recent reports from Check Point, Symantec, Mandiant, and even an official warning from the FBI underline the growing threat of removable media malware-based attacks across organizations of all sizes and sectors, with a particular focus on governmental entities and ICS environments equipped with air-gapped networks.

So, what poses an immediate threat to our organization? Which malware families should we be most aware of, and who profits from this shift in attack vector?

The Files Don’t Lie

In a warning issued as early as 2022, the FBI warned of USB keys circulating within American companies in the defense sector. This marked the initial sign of concerning events related to USB-based threats. In January 2023, Palo Alto Networks’ Unit 42 team uncovered a PlugX variant that could hide on USB drives and infect the Windows hosts they are connected to. Cybersecurity company Check Point noted in August 2023 that USB drive infections had resurfaced. Further confirming the escalating threat, a Honeywell Forge report revealed that threats designed for USB exploitation rose to a staggering 52%.


According to Mandiant reports, SOGU is perhaps the most aggressive removable media malware.

Orchestrated by the Chinese espionage group “TEMP.HEX” (AKA Mustang Panda), SOGU primarily targets industries such as pharmaceuticals, IT, energy, communications, health, and logistics. It employs a sophisticated payload known as “Korplug” to infiltrate compromised computers and exfiltrate data from them. The payload loads the SOGU C shellcode into memory via DLL search order hijacking, which requires tricking the victim into executing a legitimate file.

SOGU supports a range of capabilities, including command execution, file manipulation, remote desktop control, screenshot capture, reverse shell, and keylogging. Files found by SOGU are copied to two directories and encoded using base64. Then, they are exfiltrated to the C2 server over TCP or UDP, using HTTP or HTTPS requests. Moreover, any external drives connected to the infected system will automatically receive a copy of the compromised file, enabling lateral movement via the victim’s network.
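As an added illustration (not code from Mandiant or from this article), the Python sketch below triages a mounted removable drive for the file layout that DLL search order hijacking relies on: an executable with a DLL in the same directory, which is the first place the default Windows search order looks for most DLLs. The function names, file names and drive layout are constructed for this example.

```python
import os
import struct
import tempfile

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag set on DLL images

def pe_kind(path):
    """Return 'dll', 'exe' or None, judged by PE headers, not the file extension."""
    try:
        with open(path, "rb") as f:
            head = f.read(4096)
    except OSError:
        return None
    if len(head) < 0x40 or head[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)  # offset of "PE\0\0"
    if e_lfanew + 24 > len(head) or head[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (flags,) = struct.unpack_from("<H", head, e_lfanew + 22)  # Characteristics
    return "dll" if flags & IMAGE_FILE_DLL else "exe"

def sideload_candidates(mount_point):
    """Map each directory holding both an EXE and a DLL to (exes, dlls)."""
    hits = {}
    for root, _dirs, files in os.walk(mount_point):
        found = {"exe": [], "dll": []}
        for name in sorted(files):
            kind = pe_kind(os.path.join(root, name))
            if kind:
                found[kind].append(name)
        if found["exe"] and found["dll"]:
            hits[os.path.relpath(root, mount_point)] = (found["exe"], found["dll"])
    return hits

def fake_pe(is_dll):
    """Constructed minimal header: MZ stub, e_lfanew=0x40, PE signature, COFF header."""
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, 0x2002 if is_dll else 0x0002)
    return b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + coff

def demo():
    """Scan a constructed drive layout (file names are made up for this example)."""
    with tempfile.TemporaryDirectory() as drive:
        os.makedirs(os.path.join(drive, "docs", "viewer"))
        layout = {"docs/viewer/viewer.exe": fake_pe(False), "docs/viewer/helper.dll": fake_pe(True),
                  "setup.exe": fake_pe(False), "notes.txt": b"plain text"}
        for rel, data in layout.items():
            with open(os.path.join(drive, *rel.split("/")), "wb") as f:
                f.write(data)
        return sideload_candidates(drive)
```

A hit is a lead for closer inspection rather than a verdict, since portable applications legitimately ship an executable beside its DLLs; on a scanning station, `sideload_candidates` would be pointed at the drive's mount point and the flagged pairs checked for signatures and provenance.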


Chinese cyber espionage group Camaro Dragon deployed self-propagating malware via compromised USB drives, causing an inadvertent breach at a European hospital in early 2023. An employee’s USB drive, infected at a conference, introduced the malware upon return, highlighting the increasing threat of USB-based attacks. Mandiant reports a threefold surge in such attacks in early 2023. Check Point further reveals that Camaro Dragon employed USB tactics to infect organizations, emphasizing the risk posed by seemingly harmless drives.


Hackers employ USB devices for initial infection and then use signed binaries to introduce malware. This leads to reverse shell access (UNC4191) and self-replication on new removable drives, even infecting air-gapped systems. Mandiant identifies three malware families: MISTCLOAK, DARKDEW, and BLUEHAZE. These malicious programs, coded in C/C++, create reverse shells, allowing control through a command and control server, as per Cymulate’s report.

Scanning is Caring

The rise of USB-based malware in 2023, exemplified by threats like Raspberry Robin, SOGU, USB-borne, and Snowydrive, underscores the critical necessity of fortifying USB security controls. Companies must ensure any removable media connected to their network is safe and clean.

To do so, organizations should either prohibit the use of USBs by blocking any ports or provide scanning stations to ensure the portable media contains files that are safe to use. The most efficient method is using scanning kiosks with CDR technology embedded to ensure true file sanitization. These kiosks are commonly used in air-gapped networks and other highly sensitive environments.
