To Damage OT Systems, Hackers Tap USBs, Old Bugs & Malware

  /     /     /  
Publicated : 23/11/2024   Category : security

To Damage OT Systems, Hackers Tap USBs, Old Bugs & Malware


USBs have something the newest, hottest attack techniques lack: the ability to bridge air gaps.


Industrial cyberattackers are increasingly using removable media to penetrate operational technology (OT) networks, then leveraging the same old malware and vulnerabilities to make their mark.
For whatever reason,
USB devices are a la mode again
with some of the worlds premier threat actors. Nowhere is this more evident than in the OT space where, according to Honeywells
2024 USB Threat Report
, attackers are clearly turning to USBs to get a foothold in industrial networks.
With that foothold, Honeywell reports, attackers are forgoing sophisticated exploitation techniques, zero-day vulnerabilities, or novel malware. Instead, theyre leveraging old tools and bugs, plus the built-in capabilities of OT control systems to achieve their end goals.
USBs have something that none of the newest, hottest attack techniques do: the ability to bridge air gaps.
True air gaps are physical separations between OT and IT networks designed to let no malicious attacks pass through. Some also use the term to describe other kinds of setups that distinguish IT and OT systems using access controls, segmentation, and the like. Air gaps are most often used in high-risk industries — think nuclear, military, financial services, etc. — where other means of demarcating IT and OT networks wont cut it.
A lot of operational facilities are entirely air gapped, explains Matt Wiseman, director of OT product marketing at OPSWAT. Those more modern approaches like email-based attack — something over the network — arent really as effective when [the OT systems] are disconnected from the broader Internet. You need to be more creative, think outside the box. USBs and removable media are very interesting because theyre the only threat you can pick up in your pocket and carry beyond that air gap.
Interestingly, the trend seems to have been born during COVID. In 2019, only 9% of USB-carried cyber threats to industry were actually designed for USBs. By 2022 — and consistently ever since — that number exceeded 50%.
Having crossed that air gap with a USB, attackers are opting for living-off-the-land tactics to perform data collection and exfiltration (observed in 36% of Honeywells detected USB attacks), defense evasion (29%), and escalation privileges (18%), ultimately achieving persistence in the operational network.
Clearly novel and powerful malware and vulnerabilities are not the focus, as brand name tools of yesteryear such as
BlackEnergy
and
Industroyer (aka CrashOverride)
are still making rounds. The most common vulnerabilities exploited in such attacks — such as
CVE-2010-2883
and
CVE-2017-11882
— are equally dated. All of the most common CVEs listed in Honeywells report have been known since at least 2018.
In most cases, the goal of these attacks is disruption or destruction. Around 80% of USB-based threats every year now are capable of causing disruptions to OT systems, including loss of visibility or control, or worse (ransomware, wipers, etc.).
The good news for defenders is that with such antiquated threat vectors, fancy and expensive solutions arent necessarily the solution. You can always go with the fundamentals, Wiseman says, meaning strict USB policies and procedures.
At many organizations, he says, You go back a number of years, there was an honor system. Hey, did you scan that? Now you have technology that can check to make sure. If you plug something in, its not going to work unless it has been scanned and checked by some type of formal security solution.
This technology often takes the form of a kiosk or sanitation station for scanning removable media, placed strategically at the exterior of a sensitive site in order to make sure no malicious ones make their way through. Sometimes those stations are paired with file transfer systems to ensure that no outside device ever actually has to cross the threshold of an industrial control floor.
Were seeing more mature conversations now. Whats our mobile program? Whats the process for employees? Whats the process for guests? How do we manage these devices? How do we view the activity thats occurring? And how do we ensure that were ahead of it going forward? he says. Theres definitely a massive realization of the threat that these devices can pose.

Last News

▸ ArcSight prepares for future at user conference post HP acquisition. ◂
Discovered: 07/01/2025
Category: security
▸ Samsung Epic 4G: First To Use Media Hub ◂
Discovered: 07/01/2025
Category: security
▸ Many third-party software fails security tests ◂
Discovered: 07/01/2025
Category: security


Cyber Security Categories
Google Dorks Database
 		Exploits Vulnerability
 		Exploit Shellcodes

CVE List
 		Tools/Apps
 		News/Aarticles

Phishing Database
 		Deepfake Detection
 		Trends/Statistics & Live Infos



Tags:
To Damage OT Systems, Hackers Tap USBs, Old Bugs & Malware