Industrial cyberattackers are increasingly using removable media to penetrate operational technology (OT) networks, then leveraging the same old malware and vulnerabilities to make their mark.
For whatever reason, USB devices are in vogue again with some of the world's premier threat actors. Nowhere is this more evident than in the OT space where, according to Honeywell's "2024 USB Threat Report," attackers are "clearly" turning to USBs to get a foothold in industrial networks.
With that foothold, Honeywell reports, attackers are forgoing sophisticated exploitation techniques, zero-day vulnerabilities, or novel malware. Instead, they are leveraging old tools and bugs, plus the built-in capabilities of OT control systems, to achieve their end goals.
Why USBs?
USBs have something that none of the newest, hottest attack techniques do: the ability to bridge air gaps.
True air gaps are physical separations between OT and IT networks designed to let no malicious attacks pass through. Some also use the term to describe other kinds of setups that separate IT and OT systems using access controls, segmentation, and the like. Air gaps are most often used in high-risk industries — think nuclear, military, financial services, etc. — where other means of demarcating IT and OT networks won't cut it.
"A lot of operational facilities are completely air gapped," explains Matt Wiseman, director of OT product marketing at OPSWAT. "These more modern approaches like email-based attack — something over the network — aren't really as effective when [the OT systems] are disconnected from the broader Internet. You need to be more creative, think outside the box. USBs and removable media are very interesting because they're the only threat you can pick up in your pocket and carry past that air gap."
Interestingly, the trend seems to have been born during COVID. In 2019, only 9% of USB-carried cyber threats to industry were actually designed for USBs. By 2022 — and consistently ever since — that number exceeded 50%.
Having crossed that air gap with a USB, attackers are opting for living-off-the-land tactics to perform data collection and exfiltration (observed in 36% of Honeywell's detected USB attacks), defense evasion (29%), and privilege escalation (18%), ultimately achieving persistence in the operational network.
Clearly, novel and powerful malware and vulnerabilities are not the focus, as brand-name tools of yesteryear such as BlackEnergy and Industroyer (aka CrashOverride) are still making the rounds. The most common vulnerabilities exploited in such attacks — such as CVE-2010-2883 and CVE-2017-11882 — are similarly dated. All of the most common CVEs listed in Honeywell's report have been known since at least 2018.
In most cases, the goal of these attacks is disruption or destruction. Around 80% of USB-based threats each year are now capable of causing disruption to OT systems, including loss of visibility or control, or worse (ransomware, wipers, etc.).
Defending Against USB Threats
The good news for defenders is that with such antiquated threat vectors, fancy and expensive solutions aren't necessarily the answer. "You can always go with the fundamentals," Wiseman says, meaning strict USB policies and procedures.
At many organizations, he says, "You go back a number of years, there was an honor system. 'Hey, did you scan that?' Now you have technology that can check to make sure. If you plug something in, it's not going to work unless it has been scanned and checked by some kind of formal security solution."
This technology often takes the form of a kiosk or "sanitation station" for scanning removable media, positioned strategically at the perimeter of a sensitive site in order to ensure no malicious devices make their way through. Often these stations are paired with file transfer systems to ensure that no outside device ever actually has to cross the threshold of an industrial control floor.
"We're seeing more mature conversations now. What's our mobile program? What's the process for employees? What's the process for guests? How do we manage these devices? How do we view the activity that's occurring? And how do we make sure that we're ahead of it going forward?" he says. "There's definitely a big realization of the threat that these devices can pose."
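As an added illustration (not code from the article, Honeywell, or OPSWAT), here is a minimal Python model of the kiosk-then-gate workflow just described: the sanitation station records the device serial, the scan verdict, and a hash manifest of everything on the media, and the host inside the boundary refuses to use the device unless a clean, unexpired approval exists for that serial and the contents still match what was scanned. The serial numbers, file names, timestamps, and the eight-hour approval lifetime are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Optional, Tuple

APPROVAL_MAX_AGE = 8 * 3600  # seconds; assumed site policy: re-scan once per shift

def file_manifest(root: Path) -> dict:
    """Map every file on the media (relative path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def kiosk_approve(root: Path, serial: str, scan_clean: bool, now: float) -> dict:
    """What the sanitation station records: which device, when, the verdict, and exact contents."""
    return {"serial": serial, "clean": scan_clean, "scanned_at": now,
            "manifest": file_manifest(root)}

def boundary_check(root: Path, serial: str, approval: Optional[dict],
                   now: float) -> Tuple[bool, str]:
    """Gate on the plant-floor host: allow the device only if the kiosk record still holds."""
    if approval is None or approval["serial"] != serial:
        return False, "no kiosk approval for this device"
    if not approval["clean"]:
        return False, "kiosk scan flagged the device"
    if now - approval["scanned_at"] > APPROVAL_MAX_AGE:
        return False, "approval expired; re-scan required"
    old, current = approval["manifest"], file_manifest(root)
    # Any file added, removed or modified after the scan invalidates the approval.
    changed = sorted(p for p in set(old) | set(current) if old.get(p) != current.get(p))
    if changed:
        return False, "contents changed since scan: " + ", ".join(changed)
    return True, "approved"

def demo_scenario() -> list:
    """Constructed walk-through on a temporary directory standing in for the USB stick."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        media, serial, t0 = Path(tmp), "SN-CONSTRUCTED-001", 1_700_000_000.0
        (media / "firmware_update.bin").write_bytes(b"constructed sample payload")
        approval = kiosk_approve(media, serial, scan_clean=True, now=t0)
        results.append(boundary_check(media, serial, approval, t0 + 60))      # clean, approved
        results.append(boundary_check(media, "SN-OTHER", approval, t0 + 60))  # never scanned
        (media / "added_after_scan.txt").write_text("constructed")
        results.append(boundary_check(media, serial, approval, t0 + 60))      # tampered after scan
        results.append(boundary_check(media, serial, approval, t0 + APPROVAL_MAX_AGE + 1))  # stale
    return results

if __name__ == "__main__":
    print(demo_scenario())
```

A real deployment would store the approval record somewhere the plant-floor host trusts (signed, or on the kiosk's own backend) rather than on the media itself, since a record carried on the stick can be rewritten along with the files.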