Nation-state cyber threat groups are once again turning to USBs to compromise highly guarded government organizations and critical infrastructure facilities.
Having fallen out of fashion for some time, and certainly not helped by COVID lockdowns, USBs are once again proving an effective way for high-level threat actors to physically bypass security at particularly sensitive organizations.
In a keynote presentation this week at CPX 2024 in Las Vegas, Maya Horowitz, vice president of research at Check Point, noted that USBs represented the primary infection vector for at least three different major threat groups in 2023: China’s Camaro Dragon (aka Mustang Panda, Bronze President, Earth Preta, Luminous Moth, Red Delta, Stately Taurus); Russia’s Gamaredon (aka Primitive Bear, UNC530, ACTINIUM, Shuckworm, UAC-0010, Aqua Blizzard), and the threat actors behind Raspberry Robin.
“For quite a few years, we didn’t really hear about USBs — it was all cyberattacks over the Internet,” Horowitz tells Dark Reading. “But usually there are fashions with threat actors — one attack is successful, so others will copy it. I think that this is what we’re starting to see with USB drives, resurfacing this attack vector.”
Resurgent Threat of USBs
How often have you opened your door, seen an Amazon package on your welcome mat, and forgotten what you’d actually ordered two days ago?
“Recently, we worked with a power company where one of the employees received an Amazon box, with Amazon tape,” Daniel Wiley, Check Point head of threat management, recalled at a Wednesday presser. “Inside there was a sealed SanDisk USB — completely brand new. He thought his wife ordered it. So he opened it up, plugged it in. Everything else was a chain reaction. It was able to break in across their VPN. Let’s just say the power company was not in a good place.”
That it was a power company employee was no coincidence — critical industry often separates IT and OT networks with air gaps or unidirectional gateways, through which Internet-based attacks cannot travel. USBs provide a bridge over that gap, as Stuxnet famously demonstrated more than a decade ago.
USB attacks can be useful without that air-gap constraint as well. Consider an employee of a UK hospital, who not long ago attended a conference in Asia. During the conference, he shared his presentation with fellow attendees via a USB drive. Unfortunately, one of his colleagues was infected with Camaro Dragon malware, which the hospital employee then caught and brought back with him to the UK, infecting the hospital’s entire corporate network.
As Horowitz recalled in her keynote, the malware opened up a backdoor into newly infected machines but also acted like a worm, transmitting to any new devices coming into contact via USB. This enabled it to spread beyond Western Europe into countries such as India, Myanmar, Russia, and South Korea.
Raspberry Robin has been spreading in much the same way, enabling ransomware actors worldwide. And Gamaredon’s USBs have taken its LitterDrifter worm to countries as diverse as Chile, Germany, Poland, South Korea, Ukraine, the US, and Vietnam.
What to Do About Those Pesky USBs
There are simple steps organizations can take to protect against most USB-bound threats, like always separating personal and work devices, and treating the latter with increased care.
“Some organizations only scan files that are downloaded from the Internet,” Horowitz said. “That’s wrong, because either threat actors or employees that want to cause damage can bring their own USB drive to bypass that security saved for files that are downloaded from the Internet.”
Critical infrastructure industries need to go a step further: sanitation stations, strict removable device policies, and tape over a USB port can do the trick in a pinch.
For organizations that don’t want to — or can’t afford to — give up on removable media, “Bring Your Own Device (BYOD) is OK, you can do it, but it means that you need more security layers,” Horowitz tells Dark Reading.
And most important of all: “Check your orders on Amazon before you open them,” Wiley quipped.