The threats of USB-based attacks for critical infrastructure


At a time when the risks of AI-powered and advanced email-borne cybersecurity threats dominate the news agenda, it might be easy to overlook the dangers of some of the age-old attack vectors that continue to be exploited by cybercriminals.

For industries that rely on removable media – such as USB drives – there is a continued need for vigilance as these devices have the potential to trigger damaging and highly costly cyberattacks.

The resurgence of USB-based attacks

USB devices are commonly used in a number of core Critical National Infrastructure (CNI) sectors such as manufacturing, utilities and healthcare. These sectors rely on USB drives to transfer data in environments with limited or no internet access, such as air-gapped systems that isolate critical assets and data from external networks for security purposes.

In operational technology (OT) environments USB drives are often the only practical way to transfer data between systems that are deliberately kept offline, making them a common tool for software updates or data migration.

This widespread use makes USB drives a prime target for cyberattacks. One prominent example is the Sogu malware, deployed by the hacker group UNC53, which used infected USB drives to infiltrate multiple organizations last year. This campaign targeted industries in countries like Egypt and Zimbabwe, where USB drives are integral in day-to-day business operations.

Recent USB-based attack techniques have grown in sophistication, often bypassing advanced security layers by exploiting the inherent trust between the USB device and the host.

Longstanding techniques like “Rubber Ducky” keystroke attacks, which silently copy user activity and send information back to the attacker’s host system, are being deployed in new ways. For example, some human interface devices (HIDs) like mice and keyboards can have their firmware modified to inject keystrokes that install covert malware.

This is a favorite technique of penetration testers and social engineers alike, who use it to entice unwary employees or visiting partners to pick up and insert a compromised USB device.

James Neilson, SVP International at OPSWAT.

Why securing removable media presents a unique challenge

Managing removable media presents several challenges, particularly in OT-heavy environments.

USB-based attacks bypass traditional network security, allowing attackers to exfiltrate sensitive data or gain long-term access to systems. These attacks are especially dangerous in isolated systems, where the lack of network connectivity can delay detection and prolong attackers' dwell time.

This makes them a perfect vector for malware infections, data breaches, and unauthorized access. Infected USB drives can easily introduce malicious software into systems that aren’t regularly monitored, leading to potential data loss or operational disruptions. Without strict device and data controls, USB drives can introduce malware or allow unauthorized access to sensitive systems.

One of the key challenges organizations face in addressing these security risks is that they often lack visibility into which people connect which devices to their systems, or how data is transferred, making policy enforcement more difficult.

It is not only the security risk of malware that presents a problem; the theft or loss of unencrypted data on removable media also poses a significant risk, particularly in highly secure environments.

How to keep malicious data from USB drives out of the system

Mitigating these risks requires a multi-layered approach to security that combines both technical and policy-based solutions. Real-time monitoring of devices is essential; any USB connected to a system should be scanned for malware and suspicious activity, enabling threats to be detected before they compromise the network.

Data sanitization plays a key role in this process. By cleaning files transferred via USB, organizations can remove any hidden malware or malicious content, ensuring that only safe data enters their network.

For organizations in the CNI sector, a more robust solution might include air-gapped systems combined with a cybersecurity kiosk that scans and sanitizes all incoming and outgoing media. All files are cleaned of malicious content using Content Disarm and Reconstruction (CDR) techniques and placed in secure, isolated data vaults; only sanitized and validated data from these vaults is allowed into the operational technology networks. These systems ensure that any device entering a secure environment is first cleared of potential threats, adding an extra layer of protection.

Controller access and policies are key

In addition to these technical controls, policy measures governing the use of removable media are a vital component of a strong defense.

Organizations should implement strict controls over which USB devices can access critical systems and regulate the types of files that can be transferred onto any removable media. By limiting access to authorized personnel and approved data, companies can minimize the risk of devices compromising their network. Policies and procedures should mandate that any USB drive be scanned and its contents sanitized before its data is allowed into the organization. This can be achieved at scale using a dedicated scanning kiosk application.
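The controls described above (an approved-device list, rejection of storage devices that also present a keyboard interface, and a kiosk scan verdict before data is admitted) can be expressed as a small admission policy. The following is an added example written for this article, not OPSWAT's product or any real device-control agent; the vendor/product IDs, serial numbers and kiosk verdicts are constructed, while the USB interface class codes (HID 0x03, mass storage 0x08) are the standard ones.

```python
"""Removable-media admission policy (illustrative, constructed data)."""
from dataclasses import dataclass, field

USB_CLASS_HID = 0x03           # standard USB interface class: keyboards, mice
USB_CLASS_MASS_STORAGE = 0x08  # standard USB interface class: storage drives


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int
    product_id: int
    serial: str
    interface_classes: tuple   # class code of every interface the device exposes


@dataclass
class Policy:
    approved: set                                        # {(vendor, product, serial)}
    kiosk_verdicts: dict = field(default_factory=dict)  # serial -> "clean" | "infected"


def evaluate(device: UsbDevice, policy: Policy) -> tuple:
    """Return (decision, reason); decision is 'allow' or 'block'."""
    if (device.vendor_id, device.product_id, device.serial) not in policy.approved:
        return "block", "device not on the approved list"
    classes = set(device.interface_classes)
    # A drive that also enumerates as a keyboard can type commands on its own;
    # block it even if the serial is approved (firmware may have been modified).
    if USB_CLASS_HID in classes and USB_CLASS_MASS_STORAGE in classes:
        return "block", "storage device also presents a HID (keyboard) interface"
    if USB_CLASS_MASS_STORAGE in classes:
        verdict = policy.kiosk_verdicts.get(device.serial)
        if verdict != "clean":   # no verdict at all is treated as not scanned
            return "block", f"no clean kiosk verdict for this drive (have: {verdict})"
    return "allow", "approved device; scan requirement satisfied"


def run_demo() -> dict:
    """Evaluate constructed devices; returns serial -> decision."""
    policy = Policy(
        approved={(0x1234, 0x0001, "SN-APPROVED-001"),   # constructed IDs
                  (0x1234, 0x0002, "SN-APPROVED-002"),
                  (0x1234, 0x0003, "SN-KEYBOARD-001"),
                  (0x1234, 0x0004, "SN-DUALROLE-001")},
        kiosk_verdicts={"SN-APPROVED-001": "clean", "SN-APPROVED-002": "infected"},
    )
    devices = [
        UsbDevice(0x1234, 0x0001, "SN-APPROVED-001", (USB_CLASS_MASS_STORAGE,)),
        UsbDevice(0x1234, 0x0002, "SN-APPROVED-002", (USB_CLASS_MASS_STORAGE,)),
        UsbDevice(0x9999, 0x0001, "SN-UNKNOWN-001", (USB_CLASS_MASS_STORAGE,)),
        UsbDevice(0x1234, 0x0003, "SN-KEYBOARD-001", (USB_CLASS_HID,)),
        UsbDevice(0x1234, 0x0004, "SN-DUALROLE-001", (USB_CLASS_MASS_STORAGE, USB_CLASS_HID)),
    ]
    return {d.serial: evaluate(d, policy)[0] for d in devices}
```

Only the approved, kiosk-cleared drive and the plain approved keyboard are allowed; the infected, unknown and dual-role devices are all blocked.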

Employee and supply chain partner education is also crucial. The root cause of USB-based attacks can often be traced back to human error - such as using unsecured or unauthorized devices - and comprehensive training can help mitigate these risks. Users should be taught about encryption, the dangers of using unknown USB devices, and best practices for safely ejecting devices to prevent data corruption or malware. In high-risk sectors, regular audits of how USB drives are being used and how security protocols are being followed can further strengthen an organization's defenses.

Keeping USB drives on the cybersecurity agenda

USB devices remain a significant security threat, especially in sectors where they are essential for data transfer. Even organizations that don’t routinely use removable media in their workflows should be aware of the threat they pose.

A comprehensive approach that combines real-time monitoring, device control, and data sanitization, along with strict access policies and user education, will cover all the bases and minimize the chances of falling victim to USB-borne threats.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
