Why USB cyberattacks are still a persistent threat
Although the cyber threat landscape rarely stands still, some age-old attack vectors will continue to be revisited by cyber criminals. For example, the cyber security risks of removable media -- which have persisted for years -- are presenting fresh challenges for security teams.
This is because, thanks to its convenience and low cost, removable media remains a cornerstone of the operations of critical national infrastructure (CNI) sectors. Devices such as USB drives are used by CNI operators and their third-party service partners to handle sensitive data, perform physical data transfers, and carry out vital operational tasks such as firmware updates in air-gapped networks.
As USB drives continue to play an important role in keeping critical sectors running, they naturally become an attractive attack vector for threat actors looking to breach isolated and air-gapped systems.
USB-based attack tactics are evolving
Recently, removable media attacks have shown a marked increase in sophistication, with malware bypassing network security layers by exploiting the inherent trust organizations place in USB connections.
For example, last year’s Sogu malware campaign targeted offices of EU and US organizations in countries such as Egypt and Zimbabwe, where day-to-day operations relied on USB drives. The attack underscored how easily attackers can exploit USB drives to breach isolated systems.
Additionally, techniques such as “Rubber Ducky” attacks -- which involve modifying USB devices to act as keyboards and covertly executing commands -- are becoming more prevalent. Another concerning tactic is manipulating the firmware of human interface devices (HIDs) like keyboards or mice to inject malicious code directly.
Many air-gapped environments contain aged equipment and lack robust defenses against IT malware, making them particularly vulnerable to breaches initiated through removable media. Once attackers infiltrate these systems, they frequently leverage "living-off-the-land" techniques -- exploiting legitimate tools and native services within the compromised infrastructure. This approach enables them to exfiltrate data and disrupt services, while avoiding detection inside OT infrastructure.
The challenges of securing removable media
USB drives pose a particular security risk due to several inherent vulnerabilities and challenges. Governance around the use of removable media is essential. However, organizations may not clearly define what qualifies as “removable media” beyond USB drives, leading to inconsistent policies and gaps in enforcement. Security teams need full visibility and control of all removable media devices, so that their content and how it is used are understood and tracked in line with the organization’s policy.
In air-gapped or isolated systems, such as those in OT environments, USB drive-based attacks pose a heightened risk because the lack of network connectivity often impairs security monitoring. This can delay threat detection and allow potential vulnerabilities to remain unnoticed for extended periods. Threat groups are well aware of this issue, and USB attacks targeting industrial control systems are particularly prevalent.
Defending against USB-borne attacks requires a multi-layered security strategy to manage the risk.
Implementing controlled access and policies
Protecting removable devices against malicious threats requires organizations to establish strict policies and access controls for employees and third parties visiting or working on their sites.
There should be clear rules around scanning and sanitizing all removable media brought on-premises. Once content is “cleaned”, it can be placed in a managed software image vault, and subsequently issued to a verified encrypted USB drive.
Policies can be enforced to control the types of data and software images permitted, significantly reducing the risk of malware entering secure networks. A controlled access approach also allows organizations to verify and authorize the use of the removable devices inside the organization.
USB drives loaded with malicious content are often introduced to the environment through human error, so employee education is also critical. All personnel should be educated on the potential dangers of unsecured or unverified removable media and how to deal with them appropriately. Similarly, third-party suppliers, such as visiting support and maintenance engineers, must understand and agree to comply with security policies on bringing hardware, software and data in and out of their client’s locations.
Companies with particularly stringent security needs should implement regular audits assessing how well USB policies are followed and identifying any gaps in practice. Audits also allow organizations to adapt policies as needed, addressing new vulnerabilities as they emerge.
Protection through real-time analysis
Operational processes and user training need to be backed up with the right technology. One essential approach is real-time monitoring, where each USB device connected to a system is automatically scanned for malware and suspicious activity. By implementing continuous monitoring, organizations can detect threats immediately, stopping attacks before they infiltrate the network.
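The monitoring described above, and the keyboard-emulating devices mentioned earlier, can both be caught at the moment a device enumerates. As an added illustration that is not part of the original article or OPSWAT's products, the script below parses constructed Linux kernel log lines in dmesg style, correlates each attach event with its storage or HID interface, and raises an alert for any mass-storage device not on the allowlist of issued encrypted drives and for any newly enumerated HID keyboard. The vendor and product IDs are constructed for the example and do not identify real devices.

```python
import re

# Constructed sample of kernel log lines (dmesg style); VID/PID values are made up.
SAMPLE_LOG = """\
[ 1234.567890] usb 1-1: new high-speed USB device number 5 using xhci_hcd
[ 1234.700000] usb 1-1: New USB device found, idVendor=1a2b, idProduct=0001, bcdDevice= 1.00
[ 1234.800000] usb-storage 1-1:1.0: USB Mass Storage device detected
[ 1240.100000] usb 1-2: New USB device found, idVendor=3c4d, idProduct=0002, bcdDevice= 1.00
[ 1240.300000] hid-generic 0003:3C4D:0002.0001: input,hidraw0: USB HID v1.11 Keyboard [Generic] on usb-0000:00:14.0-2/input0
[ 1250.100000] usb 1-3: New USB device found, idVendor=5e6f, idProduct=0003, bcdDevice= 2.00
[ 1250.200000] usb-storage 1-3:1.0: USB Mass Storage device detected
"""

# Allowlist of issued, encrypted drives as (idVendor, idProduct); constructed values.
APPROVED_STORAGE = {("1a2b", "0001")}

NEW_DEVICE = re.compile(r"usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
STORAGE = re.compile(r"usb-storage (\S+):\d+\.\d+: USB Mass Storage device detected")
# hid-generic names the device as <bus>:<VID>:<PID>.<n>; bus 0003 is USB, IDs are upper-case hex.
HID = re.compile(r"hid-generic 0003:([0-9A-F]{4}):([0-9A-F]{4})\.\d+: .*USB HID v[\d.]+ (\w+)")


def analyze(log: str, approved=APPROVED_STORAGE):
    """Return alerts as (reason, port, (vid, pid)) tuples in log order."""
    devices = {}  # port -> (vid, pid), filled from the enumeration line
    alerts = []
    for line in log.splitlines():
        m = NEW_DEVICE.search(line)
        if m:
            port, vid, pid = m.groups()
            devices[port] = (vid, pid)
            continue
        m = STORAGE.search(line)
        if m:
            port = m.group(1)
            ident = devices.get(port)
            if ident is not None and ident not in approved:
                alerts.append(("unapproved_storage", port, ident))
            continue
        m = HID.search(line)
        if m:
            ident = (m.group(1).lower(), m.group(2).lower())
            # Map the HID interface back to the port that enumerated the same VID:PID.
            port = next((p for p, v in devices.items() if v == ident), None)
            # Any keyboard appearing on a controlled host is worth an alert, approved vendor or not.
            if m.group(3).lower() == "keyboard":
                alerts.append(("new_hid_keyboard", port, ident))
    return alerts


if __name__ == "__main__":
    for reason, port, ident in analyze(SAMPLE_LOG):
        print(f"ALERT {reason}: port={port} vid:pid={ident[0]}:{ident[1]}")
```

In production the same rules would run against a live `journalctl -kf` or udev feed rather than a fixed string; the allowlist would come from the drive-issuance records described in the previous section.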
Data sanitization is also a highly effective protection. Content Disarm and Reconstruction (CDR) techniques strip potentially harmful active content from files transferred via USB. This process ensures that only safe, clean data and files enter the network, even if a USB device contains hidden malware.
In high-security settings, cybersecurity kiosks can provide fast and easy access to device sanitization, allowing employees to scan and sanitize all files from USBs before they are introduced into sensitive environments.
No organization can afford to overlook removable media threats
USB drives remain a significant cybersecurity risk in sectors where they facilitate essential, secure data transfers. The large volume of attacks and increasingly sophisticated tactics make it clear that threat actors are putting considerable resources into exploiting these trusted devices.
Any company relying on removable media in its operations must maintain a proactive stance against the threat. A comprehensive approach combining real-time monitoring, access controls, data sanitization, and regular training can significantly reduce the risks associated with USB drives and other removable media.
James Neilson is SVP International at OPSWAT.