Subscribe
About

Crypto-mining USB infections on the rise

Kirsten Doyle
By Kirsten Doyle, ITWeb contributor.
Johannesburg, 26 Sep 2018
USBs remain a popular tool for cyber crooks.
USBs remain a popular tool for cyber crooks.

Cyber criminals are using USB devices to spread crypto-mining malware. Although the range and number of attacks is relatively low, the number of victims is growing annually.

This was revealed by a Kaspersky Lab review of USB and removable media threats in 2018.

According to the report, USB devices and other removable media have been used to spread crypto-currency mining software since at least 2015, with certain victims being found to have carried an infection for years.

"One in 10 of all users hit by removable media infections in 2018 was targeted with this crypto-miner (around 9.22%, up from 6.7% in 2017 and 4.2% in 2016)," says Kaspersky.

In addition, the rate of detection for the most popular bitcoin miner, Trojan.Win64.Miner.all, is growing by around one-sixth year-on-year.

Irresistible odds

Two years ago, researchers from the University of Illinois held an experiment, leaving 297 unlabelled USB flash drives lying around the campus. A whopping 98% of the drives were picked up by staff and students, and at least half were plugged into a machine to look at the content.

"For a hacker trying to infect a computer network, those are pretty irresistible odds," says Kaspersky Lab.

Although people are increasingly using cloud services such as Dropbox for file storage and transfer, millions of USB devices are still produced and distributed annually, for personal use, as well as for marketing campaigns and giveaways.

According to Denis Parinov, anti-malware researcher at Kaspersky Lab, while USB devices may be less effective at spreading infection than they were in the past, due to growing awareness of their security weakness and declining use as a business tool, research shows they remain a significant risk that should not be underestimated.

"The medium clearly works for attackers, because they continue to exploit it, and some infections go undetected for years. Fortunately, there are some very easy steps users and businesses can take to stay secure," he adds.

Kaspersky Lab advises users to be careful about the devices they connect to their computer, and to question where they came from. "Invest in encrypted USB devices from trusted brands, and ensure that all data stored on the USB is also encrypted. Also, have a security solution in place that checks all removable media for malware before they are connected to the network."

The company advises businesses to manage the use of USB devices, by defining which ones can be used, by whom and for what. "Educate employees on safe USB practices, particularly if they are moving the device between a home computer and a work device. Lastly, don't leave USBs lying around or on display."

A tool for advanced threat actors

USB devices are also particularly useful to attackers who are trying to infiltrate computer networks that are not connected to the Internet, including those powering critical national infrastructure, the company says.

The most infamous example of this was the Stuxnet campaign, which saw the first piece of weaponised malware disrupt Iranian nuclear facilities in 2009 and 2010.

"USB devices were used to inject malware into the facilities' air-gapped networks. Among other things, the devices included an exploit to a Windows LNK vulnerability (CVE-2010-2568) that enabled remote code execution."

Threat actors such as Equation Group, Flame, Regin and HackingTeam, have all employed removable media to carry out attacks.

Moreover, Kaspersky says the structure of most USB devices enables them to be converted to provide hidden storage compartments, that could be used for the removal of stolen data.

"The ProjectSauron 2016 toolkit was found to include a special module designed to move data from air-gapped networks to Internet-connected systems. This involved USB drives that had been formatted to change the size of the partition on the USB disk, reserving some hidden space (several hundred megabytes) at the end of the disk for malicious purposes."

Share