USB-Borne Malware Risks See a Twofold Increase Over 12 Months

Research from technology firm Honeywell revealed that the severity of USB threats to operational technology (OT) systems doubled over a 12-month period, with the number of threats capable of disrupting OT systems rising from 26% to 59%.

The research, “Honeywell Industrial USB Threat Report,” stated that the total number of threats posed by USB removable media to industrial process control networks remains high, with 45% of locations detecting at least one inbound threat. The number of threats specifically targeting OT systems increased from 16% to 28%.

The research also highlighted that 1 in 5 of all threats was designed to leverage USB removable media as an attack vector, and more than 50% of threats were intended to act as open backdoors, establish persistent remote access, or download additional malicious payloads.

Eric Knapp, Director of Cybersecurity Research and Engineering Fellow at Honeywell, said, “USB-borne malware continues to be a major risk for industrial operators. What is surprising is that we are seeing a much higher density of significant threats that are more targeted and more dangerous. This isn’t a case of accidental exposure to viruses through USB – it’s a trend of using removable media as part of more deliberate and coordinated attacks.”

Cyberattacks via USB Drives

The risk of USB-related cyberattacks on organizations has increased exponentially. Recently, a cybercriminal gang, “FIN7 APT,” launched social engineering attacks using USB drives. According to the security firm Trustwave SpiderLabs, attackers posing as Best Buy officials mailed letters via the postal service to the targeted victims, each containing a gift card and a USB drive. The letter carried a socially engineered message intended to lure the recipients into plugging the USB drive into their computer. The USB drive was programmed to emulate a USB keyboard. Once victims insert the drive, a payload is injected and a malware payload is downloaded. An additional JavaScript file is also downloaded to register the infected device with the command-and-control (C2) server, which later sends encoded data containing the info-stealing software.
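
A defensive check for the keyboard-emulation technique described above, added here as an example that is not from the original article, Honeywell or Trustwave: it inspects the interface descriptors of newly attached USB devices and flags any that expose a HID interface without being on an approved inventory. The class, subclass and protocol codes are the standard USB-IF values; the device records, IDs, product names and the `assess`/`audit` functions are constructed for illustration.

```python
# Added example: all device records below are constructed sample data.
from dataclasses import dataclass

USB_CLASS_HID = 0x03           # USB-IF class code: Human Interface Device
USB_CLASS_MASS_STORAGE = 0x08  # USB-IF class code: Mass Storage
HID_SUBCLASS_BOOT = 0x01       # HID boot interface subclass
HID_PROTOCOL_KEYBOARD = 0x01   # only meaningful with the boot subclass

@dataclass(frozen=True)
class Interface:
    cls: int
    subclass: int
    protocol: int

@dataclass(frozen=True)
class Device:
    vid: int
    pid: int
    product: str
    interfaces: tuple

def assess(dev, approved_keyboards):
    """Return 'pass', 'allow', 'review' or 'block' for one attached device."""
    hid = [i for i in dev.interfaces if i.cls == USB_CLASS_HID]
    if not hid:
        return "pass"     # no input interface; storage scanning is a separate control
    if (dev.vid, dev.pid) in approved_keyboards:
        return "allow"    # inventoried input device
    storage = any(i.cls == USB_CLASS_MASS_STORAGE for i in dev.interfaces)
    boot_kbd = any(i.subclass == HID_SUBCLASS_BOOT and
                   i.protocol == HID_PROTOCOL_KEYBOARD for i in hid)
    # A "drive" that can also type, or an unknown boot keyboard, is blocked.
    if storage or boot_kbd:
        return "block"
    return "review"       # other unknown HID: needs its report descriptor checked

# Constructed inventory and attach events (vendor/product IDs are made up).
APPROVED = {(0x1111, 0x0001)}
SAMPLES = [
    Device(0x1111, 0x0001, "Office keyboard", (Interface(3, 1, 1),)),
    Device(0x2222, 0x0002, "Flash drive", (Interface(8, 6, 0x50),)),
    Device(0x3333, 0x0003, "Gift USB drive", (Interface(3, 1, 1),)),
    Device(0x4444, 0x0004, "Storage + HID", (Interface(8, 6, 0x50), Interface(3, 0, 0))),
    Device(0x5555, 0x0005, "Unknown HID", (Interface(3, 0, 0),)),
]

def audit(devices=SAMPLES, approved=APPROVED):
    return {d.product: assess(d, approved) for d in devices}

if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{verdict:6}  {name}")
```

Vendor and product IDs can be set by the device itself, so the allowlist narrows exposure rather than proving a device is genuine.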