USB drive malware attacks spiking again in first half of 2023

According to the Bleeping Computer*, what’s old is new again, with researchers seeing a threefold increase in malware distributed through USB drives in the first half of 2023.

A new report by Mandiant outlines how two USB-delivered malware campaigns have been observed this year; one named ‘Sogu,’ attributed to a hacker group ‘TEMP.HEX,’ and another named ‘Snowydrive,’ attributed to UNC4698, which targets oil and gas firms in Asia.

Mandiant reports that Sogu is currently the most aggressive USB-assisted cyber-espionage campaign, targeting many industries worldwide and attempting to steal data from infected computers.

The victims of Sogu malware are located in the United States, France, the UK, Italy, Poland, Austria, Australia, Switzerland, China, Japan, Ukraine, Singapore, Indonesia, and the Philippines. Most victims belong to the pharmaceutical, IT, energy, communications, health, and logistics sectors, but there are victims across the board.

Commentary by Thomas Uhlemann, Security Specialist at ESET

The reported spike in successful USB-based attacks is a good example of “curiosity killed the cat”. The attack vector relies on USB media being picked up or inserted into unattended devices, which itself can be prevented by most basic measures. But it also requires the later victims to run files off the device and grant them access to their computers. Sadly, it’s not an unlikely scenario at all! In 2016, researchers at the University of Illinois, Michigan and Google distributed 297 USB sticks on their campuses. According to their findings, “98% of the USB sticks left on campus were taken by passersby, and at least 45% of them were plugged into a computer to check the contents.”

To mitigate bad effects due only to curiosity, basic protection should be applied:

  • educate users and family about the dangers of curiosity – especially with unknown media
  • in corporate networks a strict “zero trust” policy should be applied, so that if malware gets executed it can only run with the least available privileges
  • security software can help mitigate the risks even further, if:
    – it can detect and block any suspicious code accessed from USB and other media
    – it can be set up to block unused USB ports and interrupts
    – it can detect abnormal behavior of a machine or a user in a network

More information can be found at https://blog.eset.ie/2023/07/13/the-danger-within-5-steps-you-can-take-to-combat-insider-threats/
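As an added illustration of the “detect suspicious code accessed from USB” point in the commentary above (example code written for this page, not code from ESET, Mandiant or the original post): a small Python correlation rule that flags a process launched from a drive letter shortly after that letter was mounted from a USB bus on the same host. The event records and field names are constructed assumptions standing in for telemetry already normalised from an endpoint’s event log.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): volume-mount events and
# process-creation events, already normalised into dicts.
SAMPLE_EVENTS = [
    {"ts": "2023-07-13T09:00:00", "type": "volume_mounted", "host": "ws01",
     "drive": "E:", "bus": "USB"},
    {"ts": "2023-07-13T09:00:30", "type": "process_created", "host": "ws01",
     "image": r"E:\Documents.exe", "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2023-07-13T09:01:10", "type": "process_created", "host": "ws01",
     "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2023-07-13T09:05:00", "type": "volume_mounted", "host": "ws02",
     "drive": "D:", "bus": "SATA"},
    {"ts": "2023-07-13T09:05:20", "type": "process_created", "host": "ws02",
     "image": r"D:\tools\7z.exe", "parent": r"C:\Windows\explorer.exe"},
]

# How long after a USB mount a launch from that drive is still considered suspicious.
WINDOW = timedelta(minutes=10)


def find_removable_executions(events, window=WINDOW):
    """Return one alert per process whose image path sits on a drive letter that
    was mounted from a USB bus on the same host within `window` before launch.
    Mounts from other buses (SATA, NVMe, ...) are ignored, so the 7z launch from
    the internal D: volume in the sample data does not fire."""
    removable = {}  # (host, drive letter) -> time the USB volume was mounted
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "volume_mounted":
            if ev["bus"].upper() == "USB":
                removable[(ev["host"], ev["drive"].upper())] = ts
        elif ev["type"] == "process_created":
            drive = ev["image"][:2].upper()  # "E:" from r"E:\Documents.exe"
            mounted_at = removable.get((ev["host"], drive))
            if mounted_at is not None and ts - mounted_at <= window:
                alerts.append({
                    "host": ev["host"],
                    "image": ev["image"],
                    "parent": ev["parent"],
                    "drive": drive,
                    "seconds_after_mount": int((ts - mounted_at).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_removable_executions(SAMPLE_EVENTS):
        print(alert)
```

A production rule would also cover the common LNK-lure pattern (explorer.exe as parent with a shortcut on the removable drive as the launch source), which the simplified sample schema above does not carry.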

*ESET does not bear any responsibility for the accuracy of this information.
