Ongoing Cyber-Espionage Campaigns Highlight the Risks of USB-Based Attacks
The Growing Threat
Two recent cyber-espionage campaigns, targeting organizations across multiple sectors and regions, have highlighted the need for tighter security controls around USB drives and other external devices. The campaigns, attributed to threat actors tracked as TEMP.Hex and UNC4698, have been observed using malware loaded onto USB flash drives to steal sensitive information and establish a remote foothold on victim systems.
The Tactics
TEMP.Hex, a China-linked threat actor, is using USB drives to spread malware named “Sogu” across infected systems, a delivery method that also lets the attacker reach air-gapped systems. The affected sectors include engineering, construction, government, transportation, health, and business services. Meanwhile, UNC4698’s campaign, primarily targeting oil and gas organizations in Asia, uses infected USB drives to drop a backdoor called “SnowyDrive” on victim systems, which allows the attacker to remotely interact with and control the compromised devices.
The Risks and Recent Incidents
While incidents involving infected USB drives are relatively rare compared to other cyberattack vectors, there has been a threefold increase in such attacks in the first half of 2023, according to Mandiant researchers. In December, UNC4191, another China-linked threat actor, was found deploying multiple malware families through USB drives, targeting organizations in Southeast Asia, the US, Europe, and the Asia-Pacific region. Other instances include a China-nexus threat actor gaining access to a hospital network via an infected USB drive, and financially motivated groups distributing ransomware-loaded USBs disguised as official government communications.
Preventive Measures and Recommendations
Mandiant researchers emphasize the importance of implementing restrictions on access to external devices, especially USB drives. If such restrictions are not feasible, organizations should at least scan these devices for malicious files or code before connecting them to their internal networks. This precautionary measure can help prevent the spread of malware and safeguard sensitive information.
Understanding USB-Based Attacks
The Sogu and SnowyDrive campaigns rely on users inadvertently inserting rogue USB drives into their systems and following prompts to execute malicious payloads. Key hotspots for infection include hotels and local print shops, where targets on business trips may be less vigilant about security.
Sogu Malware:
When a user inserts a weaponized USB flash drive, three files are loaded: a legitimate executable, a malicious DLL loader, and an encrypted payload. The legitimate executable sideloads a malicious DLL named “Korplug”, which then decrypts the payload and loads the Sogu backdoor into memory. The malware performs actions such as gathering system metadata, searching for specific file extensions, staging the retrieved information, exfiltrating data, and maintaining persistence on infected systems. Sogu uses several communication protocols to interact with its command-and-control server and supports a wide range of commands for file manipulation, remote desktop access, and keylogging.
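The scan-before-connect recommendation above and the three-file Sogu loading chain (legitimate executable, DLL loader, encrypted payload) suggest a simple triage check for a removable volume before it is attached to an internal network. The following is an added example, not Mandiant's tooling or code from the original article: it walks a mounted volume and flags any directory that holds an executable, a DLL and a high-entropy file with no recognised extension. The entropy threshold, extension lists and the sample file names (viewer.exe, helper.dll, thumbs.dat) are assumptions chosen for illustration, and the sample volume is constructed in a temporary directory.

```python
import math
import os
import tempfile
from pathlib import Path

EXEC_EXT = {".exe"}
DLL_EXT = {".dll"}
# Extensions we do not treat as candidate payloads (assumed list, extend as needed)
SKIP_EXT = EXEC_EXT | DLL_EXT | {".txt", ".pdf", ".docx", ".xlsx", ".jpg", ".png"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed blobs approach 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def find_sideload_triads(root: str, entropy_threshold: float = 7.0) -> list:
    """Flag every directory on the volume holding an EXE, a DLL and a
    high-entropy file with an unrecognised extension (the Sogu-style triad).
    The EXE may be a genuine signed binary, so the triad, not the EXE, is the signal."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        exes, dlls, blobs = [], [], []
        for name in filenames:
            path = Path(dirpath) / name
            ext = path.suffix.lower()
            if ext in EXEC_EXT:
                exes.append(name)
            elif ext in DLL_EXT:
                dlls.append(name)
            elif ext not in SKIP_EXT:
                with open(path, "rb") as f:
                    head = f.read(65536)          # first 64 KiB is enough to judge entropy
                if len(head) >= 1024 and shannon_entropy(head) >= entropy_threshold:
                    blobs.append(name)
        if exes and dlls and blobs:
            findings.append({"dir": dirpath, "exe": exes, "dll": dlls, "payload": blobs})
    return findings

def build_sample_volume() -> str:
    """Constructed sample: a fake USB root with a benign folder and one triad folder."""
    root = tempfile.mkdtemp(prefix="usb_")
    (Path(root) / "docs").mkdir()
    (Path(root) / "docs" / "report.txt").write_text("quarterly figures\n" * 200)
    triad = Path(root) / "photos"
    triad.mkdir()
    (triad / "viewer.exe").write_bytes(b"MZ" + b"\x00" * 2000)   # stand-in for a legitimate EXE
    (triad / "helper.dll").write_bytes(b"MZ" + b"\x00" * 2000)   # stand-in for the DLL loader
    (triad / "thumbs.dat").write_bytes(os.urandom(8192))         # stand-in for the encrypted payload
    return root
```

Run `find_sideload_triads("/media/usb")` (or the drive letter on Windows) against a volume mounted read-only; a hit is a reason to quarantine the drive, not proof of infection.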
SnowyDrive Malware:
Upon inserting the infected USB drive, the user is prompted to click on a malicious executable disguised as a legitimate file. This executable serves as a dropper, writing multiple encrypted malicious files to disk, each containing executables and DLLs. One of these files is SnowyDrive, a shellcode-based backdoor with numerous commands enabling various actions, such as file manipulation, remote shell creation, and search operations. The malware communicates with its hard-coded command-and-control server.
Conclusion
As USB-based attacks continue to gain traction among threat actors, organizations should prioritize implementing safeguards against such attacks. Restricting access to external devices and conducting thorough scans before connecting them to internal networks are essential measures. Users should remain vigilant and avoid inserting unknown or suspicious USB drives into their systems. Heightened awareness and proactive security practices are crucial in mitigating the risks posed by USB-based cyber-espionage campaigns.