
Security Management

10/1/2018
08:05 AM
Jeffrey Burt

USB Devices Still a Threat to Businesses, Kaspersky Finds

The use of removable storage media to deliver malware is declining, but threat actors are putting coin miners into USB devices and targeting emerging areas, a new study by Kaspersky finds.

In recent years, cloud services such as Dropbox have taken on a larger share of file storage and transfer tasks, but USB devices are still being used around the world and continue to be targeted by bad actors who see them as an avenue into a victim's systems, according to researchers with Kaspersky Lab.

Kaspersky researchers note in a blog post that, based on 2017 data, roughly one in four users worldwide is affected in any 12-month period by what they call a "local" cyber threat, one detected directly on the user's computer, with the majority of such attacks occurring in emerging markets in Asia, South America and Africa. These attacks include those delivered by USB devices and other removable media.

Local threats are those that are detected directly on a user's computer, according to researchers.

In addition, many of the infections from USB devices were aimed at spreading malware for mining cryptocurrencies such as Bitcoin and Monero, with infections going back as far as 2015. The most popular bitcoin miner, Trojan.Win64.Miner.all, targeted one in ten of all users who were hit by removable media infections in 2018, and the rate is growing. This year, the miner was found in 9.22% of infections; it was 6.7% last year and 4.2% in 2016, according to Kaspersky. (See Cryptomining Malware Continues to Surge as Cybercriminals Cash In.)

The researchers also noted the Windows LNK family of Trojans, as well as the Stuxnet exploit from 2010, CVE-2010-2568, which is still in the top ten exploits spread through USB devices. In addition, Dark Tequila, banking malware first reported in August, also has been spread primarily through USB devices. The malware targets corporate victims and consumers in Mexico and has been around since at least 2013.

For enterprises, the risks associated with USB drives are declining but still there.

Cloud services and a greater awareness of the security risks associated with the devices -- any good security solution will scan removable media for malware before allowing data to be transferred -- are helping to reduce the threat, Kaspersky researchers told Security Now. However, large numbers of USB devices are still handed out every year as giveaways at places like trade shows and end up in use in both businesses and homes. Organizations without the right security in place, or with workers who have not yet been educated about the risk USB drives pose, remain vulnerable to attacks through the devices, they said.

Some companies already have taken steps to address the issue. IBM earlier this year banned all USB drives and other portable storage devices -- including SD cards and flash drives -- for its employees in an attempt to improve security. Company officials instead want employees to use IBM's cloud-based file and data-sharing service. (See IBM's USB Ban Earns Some Praise, Some Skepticism.)
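The scanning and banning measures described above map onto a built-in Windows control, the "Removable Storage Access" policy. The following script is an added example, not code from the article or from Kaspersky; it audits that policy on a host, lists the USB disks it would affect, and can optionally enforce either a full ban (the IBM approach) or an execute-only restriction. It assumes an elevated PowerShell session on Windows 10 / Server 2016 or later and that the registry locations below are the documented Group Policy keys for "All Removable Storage classes: Deny all access" and "Removable Disks: Deny execute access".

```powershell
# Added example: audit/enforce the Windows "Removable Storage Access" policy.
# Assumes an elevated session; the registry paths are the documented GPO locations.
param(
    [ValidateSet('Audit', 'DenyExecute', 'DenyAll')]
    [string]$Mode = 'Audit'
)

$PolicyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$RemovableGuid = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'   # device setup class: Removable Disks

function Get-RemovableStoragePolicy {
    # Returns the effective settings; a missing value reads as "not configured" (False).
    $denyAll = (Get-ItemProperty -Path $PolicyRoot -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
    $class   = Join-Path $PolicyRoot $RemovableGuid
    $props   = Get-ItemProperty -Path $class -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DenyAll     = [bool]$denyAll
        DenyRead    = [bool]$props.Deny_Read
        DenyWrite   = [bool]$props.Deny_Write
        DenyExecute = [bool]$props.Deny_Execute
    }
}

function Get-AttachedUsbDisks {
    # Disks currently on the USB bus, so the auditor can see what the policy would affect.
    Get-Disk | Where-Object BusType -eq 'USB' |
        Select-Object Number, FriendlyName, @{ n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB, 1) } }
}

switch ($Mode) {
    'DenyAll' {
        # Full ban of every removable storage class, equivalent to the IBM policy.
        New-Item -Path $PolicyRoot -Force | Out-Null
        New-ItemProperty -Path $PolicyRoot -Name Deny_All -Value 1 -PropertyType DWord -Force | Out-Null
    }
    'DenyExecute' {
        # Middle ground: files can still be copied off the stick and scanned by the
        # endpoint AV, but nothing stored on it can be launched directly from the device.
        $class = Join-Path $PolicyRoot $RemovableGuid
        New-Item -Path $class -Force | Out-Null
        New-ItemProperty -Path $class -Name Deny_Execute -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

Get-RemovableStoragePolicy | Format-List
Get-AttachedUsbDisks | Format-Table -AutoSize
```

Run with `-Mode Audit` (the default) to report without changing anything; an enforcing mode writes the policy values, which Windows applies at the next policy refresh and may require a sign-out or reboot to take effect for already-attached devices.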

The number of threats detected on USB devices has declined over the past four years, with the ratio between a user affected by such a threat and the total number of such threats detected dropping from 1:42 to an estimated 1:22 this year. By comparison, the risk by web-borne attacks is significantly higher. Last year, Kaspersky Lab detected 113.8 million likely removable media threats and almost 1.2 billion attacks launched from online resources, researchers said.

"In light of this, it can be easy to overlook the enduring risks presented by removable media, even though around four million users worldwide will be infected in this way in 2018," the researchers wrote in the blog post.

Cybercriminals like to use USB devices to attack networks that are not connected to the Internet, including those that run critical national infrastructure, as in the Stuxnet campaign of 2009 and 2010 that targeted Iran's nuclear facilities. Groups such as HackingTeam and Equation Group have used USB devices to deliver malware.

Using USB devices to spread cryptomining malware is uncommon, but it's successful enough so that attackers will continue to use them, researchers told Security Now.

Cybercriminals using removable devices to spread their malware are particularly targeting users in emerging regions. According to Kaspersky analysts, about two thirds of users in some of these countries were victims of a local threat incident -- including drive-root malware infections from removable media -- while fewer than one in four people in developed economies have been victimized.

The countries hardest hit by the LNK exploit being delivered through such devices this year included Vietnam, Algeria and India. The US, Japan and some European countries experienced some attacks.

Threat actors continue to use removable devices to spread malware, and even though such use is dropping, the rate of decline is slowing. Combined with the fact that USB devices continue to be widely shipped and used, the risk that comes with them will persist into the future, the researchers said.

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
