Malicious USB Drives Target Global Organizations


The use of infected USB drives as an initial access vector for cyber attacks surged in the first half of 2023.

Mandiant has uncovered two notable campaigns, SOGU and SNOWYDRIVE, which target various public and private sector organizations worldwide. These malicious USB drives pose a significant threat to industries globally.

Key Takeaways:

  • Infected USB drives have become a popular initial access vector for cyber attacks, with a three-fold increase observed in the first half of 2023.
  • The SOGU campaign, attributed to the China-based cluster TEMP.Hex, is the most prevalent USB-based cyber espionage campaign and targets organizations across many sectors and regions.
  • The SNOWYDRIVE malware, employed by the UNC4698 cluster, focuses on oil and gas organizations in Asia and allows attackers to execute arbitrary payloads on compromised systems.

SOGU: A Pervasive USB-Based Cyber Espionage Campaign

According to the latest report from Mandiant, cyber attacks leveraging infected USB drives as an initial access vector have risen significantly in the first half of 2023.

Among these attacks, the SOGU campaign stands out as the most prevalent USB-based cyber espionage campaign globally.

Attributed to the China-based cluster TEMP.Hex, also known as Camaro Dragon, Earth Preta, and Mustang Panda, SOGU targets organizations across various industries such as construction, engineering, government, healthcare, transportation, and retail in Europe, Asia, and the U.S.

The Attack Chain: Plugging in the Malicious USB Drive

Mandiant’s analysis reveals a common pattern shared by the SOGU campaign and another cyber espionage campaign conducted by Mustang Panda, as uncovered by Check Point.

The attack begins with the insertion of a malicious USB flash drive into a target’s computer, triggering the execution of PlugX (also known as Korplug).

This leads to the decryption and launch of a C-based backdoor called SOGU, which facilitates the exfiltration of sensitive files, keystrokes, and screenshots.

SNOWYDRIVE: Targeting the Oil and Gas Industry in Asia

In addition to the SOGU campaign, Mandiant also detected the USB-based attack campaign known as SNOWYDRIVE. This campaign, orchestrated by the UNC4698 cluster, primarily focuses on organizations in the oil and gas industry in Asia.

SNOWYDRIVE delivers malware that allows threat actors to execute arbitrary payloads on compromised systems. Once loaded, SNOWYDRIVE establishes a backdoor on the host, granting attackers remote control and enabling the malware to propagate to other USB flash drives connected to the infected host.

Mitigation Measures: Implementing Restrictions and Vigilant Scanning

To safeguard against these USB-based attacks, organizations are advised to prioritize the implementation of access restrictions to external devices like USB drives.

Where a complete restriction is not feasible, any external device should be thoroughly scanned for malicious files or code before it is connected to a host on an internal network.

This proactive approach can help prevent the introduction of malware and protect against potential data breaches.
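As an added illustration of the two controls above (this is example code written for this page, not tooling from Mandiant or from the report), the script below implements a device allowlist check and a pre-mount content scan over a constructed sample drive. The vendor/product/serial values, the allowlist, and the scan heuristics (executables hiding behind document extensions, executables in hidden directories, shortcut files at the drive root) are assumptions chosen for the example, not details taken from the SOGU or SNOWYDRIVE reporting; dot-prefixed directories stand in for the Windows "hidden" attribute so the code runs on any platform.

```python
"""USB allowlisting and pre-mount content scan (illustrative example)."""
import hashlib
import os
import tempfile
from dataclasses import dataclass

# --- Control 1: device access restriction ---------------------------------
# Assumption: the organisation keeps an allowlist of approved drives keyed by
# (vendor_id, product_id, serial). The identifiers below are made-up samples.
APPROVED_DRIVES = {("0951", "1666", "ORG-ISSUED-0001")}


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: str
    product_id: str
    serial: str


def device_decision(dev: UsbDevice, approved=APPROVED_DRIVES) -> str:
    """Return 'allow' only for drives on the allowlist; everything else is blocked."""
    key = (dev.vendor_id.lower(), dev.product_id.lower(), dev.serial)
    return "allow" if key in approved else "block"


# --- Control 2: scan contents before the drive is used --------------------
# File types are detected by magic bytes, so a renamed executable is still caught.
SIGNATURES = (
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"\x4c\x00\x00\x00\x01\x14\x02\x00", "lnk-shortcut"),  # LNK header size + CLSID prefix
)
EXECUTABLE_KINDS = {"pe-executable", "elf-executable"}
DOCUMENT_EXTS = {".jpg", ".png", ".pdf", ".docx", ".txt"}


@dataclass(frozen=True)
class Finding:
    path: str      # relative to the drive root, '/'-separated
    reason: str
    sha256: str


def classify(path: str):
    """Identify a file by its leading bytes, ignoring the extension entirely."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return None


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_drive(root: str) -> list:
    """Walk a mounted drive and report files matching the example heuristics."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            kind = classify(full)
            if kind is None:
                continue
            ext = os.path.splitext(name)[1].lower()
            # Assumption: dot-prefixed directories stand in for the Windows
            # "hidden" attribute, which os.walk cannot read portably.
            in_hidden_dir = any(p.startswith(".") for p in rel.split("/")[:-1])
            reasons = []
            if kind in EXECUTABLE_KINDS and ext in DOCUMENT_EXTS:
                reasons.append("executable disguised with document extension")
            if kind in EXECUTABLE_KINDS and in_hidden_dir:
                reasons.append("executable in hidden directory")
            if kind == "lnk-shortcut" and "/" not in rel:
                reasons.append("shortcut at drive root (lure)")
            for reason in reasons:
                findings.append(Finding(rel, reason, sha256_file(full)))
    return findings


def build_sample_drive() -> str:
    """Constructed sample drive: one clean file and three suspicious ones."""
    root = tempfile.mkdtemp(prefix="usb_sample_")
    os.makedirs(os.path.join(root, ".cache"))
    files = {
        "README.txt": b"quarterly figures, see attached\n",
        "photo.jpg": b"MZ" + b"\x90" * 62,                      # PE bytes, not a picture
        "Documents.lnk": b"\x4c\x00\x00\x00\x01\x14\x02\x00" + b"\x00" * 8,
        os.path.join(".cache", "update.exe"): b"MZ" + b"\x00" * 62,
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    print(device_decision(UsbDevice("0951", "1666", "ORG-ISSUED-0001")))
    print(device_decision(UsbDevice("0951", "1666", "not-on-list")))
    for f in scan_drive(build_sample_drive()):
        print(f"{f.path}: {f.reason} (sha256 {f.sha256[:12]}...)")
```

In practice the allowlist decision would be enforced by the endpoint's device-control policy rather than a script, and the scan would be fed to an antivirus or sandbox engine; the point here is that the scan keys on file content rather than on names, because a drive that has already been weaponised will not label its payload as an executable.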

Conclusion

The surge in cyber attacks exploiting infected USB drives highlights the need for heightened security measures. The SOGU and SNOWYDRIVE campaigns, both targeting organizations worldwide, demonstrate the severity of the threat.

By implementing access restrictions and conducting comprehensive scanning, organizations can fortify their defenses against these USB-based attacks and mitigate potential risks to their networks and sensitive data.
