'The Weirdest Trend in Cybersecurity': Nation-States Returning to USBs

During a keynote presentation this week at CPX 2024 in Las Vegas, Maya Horowitz, vice president of research at Check Point, highlighted the resurgence of USB drives used by nation-state actors to compromise highly secured government organizations and critical infrastructure facilities. According to Horowitz, three major threat groups employed USB drives as their primary initial infection vector in 2023: the Chinese nation-state group Mustang Panda, the Russian APT group Gamaredon, and the actors behind the Raspberry Robin worm. While USB drives had gone quiet as an entry point into victim environments for a few years, Horowitz notes that actors are once again turning to these removable drives, given their success rate and their ability to reach critical air-gapped systems that internet-based attacks cannot.

Security Officer Comments:
A common tactic actors use to distribute infected USB drives is shipping them through delivery services such as Amazon: packages sent to potential victims contain drives pre-loaded with malicious payloads. Raspberry Robin in particular is a popular payload for these drives because, once it infects a host, it spreads worm-like to other systems and networks. The malware can also terminate specific processes, including those belonging to antivirus products, and detect virtual environments in order to evade defenses, which makes it a popular choice for threat actors.

Suggested Corrections:
Organizations should have strict policies in place for the use of removable devices. Routine employee training can raise awareness of, and help defend against, the threat posed by USB drives. A common measure organizations use to deter USB-borne infections is modifying registry settings or Group Policy so that drives cannot autorun or execute code upon insertion. Some organizations have also physically sealed USB ports with tape, which helps prevent employees from plugging their drives into mission-critical or sensitive systems.
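The registry and Group Policy hardening described above, as an added PowerShell example (not code from the original bulletin or from Check Point): it applies the machine-level values behind the "Turn off AutoPlay", "Set the default behavior for AutoRun" and "Removable Disks: Deny execute access" policies and then audits each value so drift can be reported. The device-class GUID used for the execute-deny entry is assumed to be the "Removable Disks" class referenced by the Removable Storage Access policies.

```powershell
# Added example: harden Windows AutoRun/AutoPlay for removable drives and audit the result.
# Run elevated; in a domain, deploy the same values through a GPO so they are enforced centrally.

$explorerPolicy  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$removablePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device-class GUID for "Removable Disks" used by the Removable Storage Access policies (assumed).
$removableDisksClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

# Desired state: registry key -> @{ value name = expected DWORD }
$desired = @{
    # 0xFF disables AutoRun on every drive type; NoAutorun = 1 stops AutoRun commands from executing.
    $explorerPolicy = @{ NoDriveTypeAutoRun = 0xFF; NoAutorun = 1 }
    # Deny execute access to files on removable disks, so inserted drives cannot launch code.
    "$removablePolicy\$removableDisksClass" = @{ Deny_Execute = 1 }
}

function Set-UsbAutorunHardening {
    foreach ($key in $desired.Keys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $desired[$key].Keys) {
            New-ItemProperty -Path $key -Name $name -PropertyType DWord `
                -Value $desired[$key][$name] -Force | Out-Null
        }
    }
}

function Test-UsbAutorunHardening {
    # Emits one row per setting; Compliant = $false flags a value that is missing or was changed.
    foreach ($key in $desired.Keys) {
        foreach ($name in $desired[$key].Keys) {
            $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            [pscustomobject]@{
                Key       = $key
                Name      = $name
                Expected  = $desired[$key][$name]
                Actual    = $actual
                Compliant = ($actual -eq $desired[$key][$name])
            }
        }
    }
}

Set-UsbAutorunHardening
Test-UsbAutorunHardening | Format-Table -AutoSize
```

Scheduling only `Test-UsbAutorunHardening` on endpoints gives a simple compliance check that catches hosts where the policy has been reverted or never applied.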