To Damage OT Systems, Hackers Tap USBs, Old Bugs & Malware

Published: 23/11/2024   Category: security




USBs have something the newest, hottest attack techniques lack: the ability to bridge air gaps.



Industrial cyberattackers are increasingly using removable media to penetrate operational technology (OT) networks, then leveraging the same old malware and vulnerabilities to make their mark.
For whatever reason, USB devices are à la mode again with some of the world's premier threat actors. Nowhere is this more evident than in the OT space where, according to Honeywell's 2024 USB Threat Report, attackers are clearly turning to USBs to get a foothold in industrial networks.
With that foothold, Honeywell reports, attackers are forgoing sophisticated exploitation techniques, zero-day vulnerabilities, or novel malware. Instead, they're leveraging old tools and bugs, plus the built-in capabilities of OT control systems, to achieve their end goals.
USBs have something that none of the newest, hottest attack techniques do: the ability to bridge air gaps.
True air gaps are physical separations between OT and IT networks designed to let no malicious traffic pass through. Some also use the term to describe other kinds of setups that separate IT and OT systems using access controls, segmentation, and the like. Air gaps are most often used in high-risk industries — think nuclear, military, financial services, etc. — where other means of demarcating IT and OT networks won't cut it.
"A lot of operational facilities are entirely air gapped," explains Matt Wiseman, director of OT product marketing at OPSWAT. "Those more modern approaches like email-based attack — something over the network — aren't really as effective when [the OT systems] are disconnected from the broader Internet. You need to be more creative, think outside the box. USBs and removable media are very interesting because they're the only threat you can pick up in your pocket and carry beyond that air gap."
Interestingly, the trend seems to have been born during COVID. In 2019, only 9% of USB-carried cyber threats to industry were actually designed for USBs. By 2022 — and consistently ever since — that number exceeded 50%.
Having crossed that air gap with a USB, attackers are opting for living-off-the-land tactics to perform data collection and exfiltration (observed in 36% of Honeywell's detected USB attacks), defense evasion (29%), and privilege escalation (18%), ultimately achieving persistence in the operational network.
Clearly, novel and powerful malware and vulnerabilities are not the focus, as brand-name tools of yesteryear such as BlackEnergy and Industroyer (aka CrashOverride) are still making the rounds. The most common vulnerabilities exploited in such attacks are equally dated: CVE-2010-2883 (a font-parsing bug in Adobe Reader) and CVE-2017-11882 (the Microsoft Office Equation Editor memory-corruption flaw) are both triggered by opening a malicious document, exactly the kind of file that rides into a plant on a thumb drive. All of the most common CVEs listed in Honeywell's report have been known since at least 2018.
In most cases, the goal of these attacks is disruption or destruction. Around 80% of USB-based threats every year now are capable of causing disruptions to OT systems, including loss of visibility or control, or worse (ransomware, wipers, etc.).
The good news for defenders is that against such antiquated threat vectors, fancy and expensive products aren't necessarily the answer. "You can always go with the fundamentals," Wiseman says, meaning strict USB policies and procedures.
At many organizations, he says, "You go back a number of years, there was an honor system. 'Hey, did you scan that?' Now you have technology that can check to make sure. If you plug something in, it's not going to work unless it has been scanned and checked by some type of formal security solution."
This technology often takes the form of a kiosk or sanitization station for scanning removable media, placed at the perimeter of a sensitive site so that no malicious files make their way through. Sometimes those stations are paired with file transfer systems so that no outside device ever has to cross the threshold of an industrial control floor: the kiosk scans the media, and only the approved contents are moved inward.
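The following is an added, illustrative sketch of that kiosk-plus-transfer workflow; it is example code written for this page, not Honeywell's or OPSWAT's product logic. It models two halves: the station scans a mounted drive and rejects autorun files, executables/scripts and known-bad hashes; if the scan passes, it issues an HMAC-signed manifest of every file's SHA-256, and the OT-side host refuses the media unless that manifest verifies and the drive still matches it byte-for-byte (so a file dropped on the drive after the scan is caught). The block lists, the sample drives and the signing key are all constructed for the example; a real station would use vendor feeds, multiple engines and a properly provisioned key.

```python
"""Illustrative USB sanitization-station check (added example, not vendor code)."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed policy for the example. Real kiosks use vendor feeds and several engines.
BLOCKED_NAMES = {"autorun.inf", "desktop.ini"}
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".lnk", ".ps1", ".vbs", ".js", ".bat", ".cmd", ".hta"}
KNOWN_BAD_SHA256 = {
    # Hash of a constructed stand-in for a known-bad sample, not a real IOC.
    hashlib.sha256(b"EICAR-like sample for this example").hexdigest(),
}
# Assumption: the key is provisioned out of band to both the kiosk and the OT-side host.
KIOSK_KEY = b"example-kiosk-hmac-key-rotate-me"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_media(mount: Path) -> dict:
    """Kiosk side: walk the drive, hash every file, and collect policy findings."""
    findings, manifest = [], {}
    for p in sorted(mount.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(mount).as_posix()
        digest = sha256_file(p)
        manifest[rel] = digest
        if p.name.lower() in BLOCKED_NAMES:
            findings.append(f"{rel}: autorun/metadata file not allowed on OT media")
        if p.suffix.lower() in BLOCKED_EXTENSIONS:
            findings.append(f"{rel}: executable or script type blocked by policy")
        if digest in KNOWN_BAD_SHA256:
            findings.append(f"{rel}: matches known-bad hash")
    return {"allowed": not findings, "findings": findings, "manifest": manifest}


def issue_ticket(manifest: dict, key: bytes = KIOSK_KEY) -> bytes:
    """Kiosk side: sign the manifest so the OT host can trust it came from the station."""
    payload = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return json.dumps({"manifest": manifest, "tag": tag}).encode()


def verify_ticket(ticket: bytes, mount: Path, key: bytes = KIOSK_KEY) -> bool:
    """OT side: accept the drive only if the tag verifies and the contents still match."""
    try:
        doc = json.loads(ticket)
        manifest, tag = doc["manifest"], doc["tag"]
        payload = json.dumps(manifest, sort_keys=True).encode()
    except (ValueError, KeyError, TypeError):
        return False
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False
    # Re-hash the drive: any file added, removed or changed since the scan fails the check.
    return scan_media(mount)["manifest"] == manifest


def _make_drive(files: dict) -> Path:
    """Build a constructed 'removable drive' in a temp directory."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


def demo() -> dict:
    """Run both drives through the station; sample contents are constructed."""
    clean = _make_drive({"plc/pump_station.l5x": b"<RSLogix5000Content/>",
                         "notes/readme.txt": b"firmware 2.3 release notes"})
    dirty = _make_drive({"autorun.inf": b"[autorun]\nopen=update.exe\n",
                         "update.exe": b"MZ...",
                         "docs/spec.pdf": b"EICAR-like sample for this example"})
    clean_scan, dirty_scan = scan_media(clean), scan_media(dirty)
    ticket = issue_ticket(clean_scan["manifest"])
    ok_before = verify_ticket(ticket, clean)
    # Simulate a file dropped on the drive between the kiosk and the control floor.
    (clean / "plc" / "helper.dll").write_bytes(b"MZ...")
    ok_after = verify_ticket(ticket, clean)
    return {"clean_allowed": clean_scan["allowed"], "dirty_allowed": dirty_scan["allowed"],
            "dirty_findings": len(dirty_scan["findings"]),
            "ticket_ok": ok_before, "ticket_ok_after_tamper": ok_after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the second half is the one Wiseman raises: the scan alone is an honor system unless the OT-side host can prove the media it sees is the media that was scanned, which is why the manifest is signed and re-checked at the point of use rather than trusted from a sticker on the drive.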
"We're seeing more mature conversations now. What's our mobile program? What's the process for employees? What's the process for guests? How do we manage these devices? How do we view the activity that's occurring? And how do we ensure that we're ahead of it going forward?" he says. "There's definitely a massive realization of the threat that these devices can pose."
