The convergence of IT and OT has unlocked unprecedented efficiency and productivity gains across various industries. However, this also makes OT networks increasingly vulnerable to cybersecurity threats. One significant attack vector that is often overlooked is the USB drive.
Traditionally, OT systems are air-gapped and have strict physical and logical access controls in place. Still, the need for file transfers into and among control systems remains “low-hanging fruit” for attackers, who have turned to removable media like USBs as entry points. The convenience of USB devices poses a significant risk. Whether for data transfer, software updates, or system configuration, the use of USB drives has opened a potential gateway for malicious actors to infiltrate critical infrastructure, as they can be easily infected with malware designed to steal data, disrupt operations, or even deploy ransomware.
OT Environments: The Threat Landscape
OT environments are often targeted due to their critical functions, and many incidents targeting this sector involve USB technology. The consequences of a successful USB-borne attack on OT infrastructure can be severe, ranging from production downtime and financial losses to potential safety hazards and environmental damage.
The types of USB attacks can be sorted into four categories:
Reprogrammable Micro-Controller USB Attacks
These attacks include reprogramming the USB drive’s internal microcontroller and making it look like a particular USB device, even though it carries out the operations of another.
- Rubber Ducky: A keystroke injection attack that resembles an HID (Human Interface Device). Once connected to a computer, it poses as a keyboard and injects a preloaded keystroke sequence to extract sensitive information.
- USBdriveby: A pre-programmed microcontroller emulating a USB drive used to install backdoors and override DNS settings quickly and discreetly for accessing data.
- PHUKD/URFUKED Attack Platforms: Like Rubber Ducky but allow the attacker to choose a dedicated time to run the exploit and inject malicious keystrokes.
Maliciously Reprogrammed USB Peripheral Firmware Attacks
These attacks include reprogramming the USB device's firmware to execute malicious actions.
- Smartphone-Based HID Attacks: The hacker creates custom Android gadget drivers to overwrite how Android interacts with USB devices. The malicious driver interacted with the Android USB gadget API to emulate a keyboard or mouse.
- Hidden Partition Patch: A reprogrammable USB flash drive that acts as a regular flash drive. This device creates a hidden partition that cannot be formatted, allowing for covert data exfiltration.
- Password Protection Bypass Patch: Small adjustments to the USB drive’s firmware enable attackers to bypass password-protected USB flash drives and collect sensitive data from them.
Attacks Based on Unprogrammed USB Devices
These attacks include leveraging flaws in how operating systems normally interact with USB protocols/standards.
- USB Backdoor into Air-Gapped Hosts: An attack used by Fanny Malware which uses hidden storage with USB to store preset commands that map computers in air-gapped networks and store the data on the hidden storage for future reference.
- Data Hiding in USB Mass Storage Devices: A form of USB Phishing which involves hiding malware or stolen data within a USB drive. The attacker creates a stealth partition that can’t be formatted, enabling hidden data exfiltration.
- Buffer Overflow Attacks: These forms of attacks rely on exploiting OS buffer overflows when a USB device is plugged into a computer. The USB exploits vulnerabilities in the operating system while processing the devices and functions during enumeration.
Electrical Attacks
USB Killer is a malicious device designed to physically damage devices by delivering a high-voltage surge through their USB ports which causes a short circuit, which in turn overkills the entire thing.
Real World Consequences of a USB Attack
The consequences of a successful USB attack on OT systems can be devastating.
A prime example of a USB-based attack is the infamous Stuxnet worm. Stuxnet used a combination of social engineering and a specially crafted USB to infiltrate Iranian nuclear facilities, causing extensive damage. The attack was launched when an infected USB drive was plugged into the plant's control system. This was the first known malware attack that resulted in the physical destruction of equipment and was performed by a USB drive, serving as a warning that OT systems may be targeted at any time.
In another concerning instance, the Copperfield campaign targeted critical infrastructure facilities in the Middle East. This attack utilized USB drives infected with a variant of the H-Worm RAT, giving the attackers access to steal data, disrupt operations, or deploy further malware. This incident highlights the need for rigorous security measures in OT environments, as even familiar devices like USB drives can be a dangerous entry point for sophisticated attacks.
Combating the Threat: Adopt a Multi-Layered Security Approach
Given the critical nature of OT environments, organizations must adopt a multi-layered security approach to mitigate the risk of USB attacks. Here are some key measures organizations can take:
- Use Data Encryption: Encrypt sensitive data on USB drives to protect against unauthorized access and theft.
- Educate Staff: Teach users about the risks of inserting unknown USB devices into their computers and encourage them to report suspicious findings.
- Disable AutoRun Feature: Disable the AutoRun feature on computers to prevent the automatic execution of programs when USB devices are connected.
- Regularly Update Systems: Keep operating systems and security software up to date to patch known vulnerabilities that could be exploited by USB attacks.
- Use Security Solutions: Implement endpoint security solutions that can detect malicious activities in the network.