Technology players know all too well the implications of having malware moving around on USB drives. A single autorun Trojan or ransomware strain can inflict massive disruption and loss of revenue, as cybercrooks increasingly take aim at big business. That’s why companies like IBM prefer to play it safe and ban the use of removable storage in their infrastructures altogether.
But not everyone is on the same page regarding the dangers of moving data via USB drives. Researchers recently uncovered that industries like Oil & Gas, Energy, Chemical Manufacturing, Pulp & Paper, and other manufacturing facilities are severely prone to letting attackers in through this dusty old avenue. And while USB drives are useful vectors of initial infection, attacks leveraging USB drives revealed a tendency for hackers to establish remote access, and to download additional payloads as needed.
Accidental or targeted?
Using a tool dedicated to analyzing USB devices deployed in industrial facilities, Honeywell researchers obtained a relevant snapshot of industrial USB activity. The data sample represented files carried into production control facilities during day-to-day operations via USB removable storage devices, and was collected from across the US, South America, Europe and the Middle East.
A notable first finding in the research was that USB remains a top threat vector, even though many organizations restrict their use today. In 44% of the locations studied, at least one malicious or suspicious file was blocked, suggesting that the risk of infecting industrial facilities via USB is still consistent and statistically relevant.
The malware they found was notably small in volume, but potent. Some 26% of the malware “had the potential to cause a major disruption to an industrial control environment, including loss of view or loss of control, and 16% were targeted specifically against Industrial Control System (ICS) or Internet of Things (IoT) systems.”
15% of all threats detected and blocked were high-profile and well-known, including Stuxnet (2%), Mirai (6%), TRITON (2%), and WannaCry (1%).
“As ICS security experts are well aware, it only takes one instance of malware bypassing security defenses to rapidly execute a successful, widespread attack,” the researchers noted. “Second, the findings also confirm that such threats do exist in the wild, as the high-potency malware was detected among day-to-day routine traffic, not pure research labs or test environments.”
RATs and Droppers take the limelight
The most pervasive malware category was Trojans, representing 55% of all malware detected, followed by Bots (11%), Hacktools (6%), Potentially Unwanted Applications / PUAs (5%), Viruses (3%) and others.
Remote Access Toolkits (RATs) were the most notable functionality used (32%), as well as Droppers (12%) designed to download and install additional malware. Researchers noted that proper process control network architecture would prevent unauthorized connectivity, rendering these two attack vectors useless. Yet they still exist.
“This implies attackers have a reliance upon and expectation of poor network design in the majority of the threats analyzed,” researchers assumed.
Conficker still alive and kicking (10 years later)
Another notable finding was that both old malware and new threat types were detected in the sample size data. The Conficker worm, first discovered more than a decade ago, was detected and blocked. Conficker uses USB autorun Trojans as one method of infection and propagation, and is designed to limit recoverability by compromising backups and deleting restore points.
“Its presence indicates the need to continue checking for known malware of any age, rather than assuming the organization has learned from past incidents,” researchers warned.
The presence of Conficker provides further evidence that old threats persist in day-to-day control system USB usage, outside of intentional malware testing facilities.
Newer threats, such as TRITON (a malware super-family targeting industrial control systems) were also identified and blocked. Researchers estimate that approximately 10% of malware variants were less than a week old.
Calling for more cyber-security education, researchers concluded that USB security hygiene is typically poor amongst the industries polled.
“This can and should be addressed through employee and partner awareness programs, operational personnel cyber security training, and sound security policy development,” they said.