Hackers drop physical USB drives in watering holes


In his Semi-Annual Cybersecurity Report 2023, Check Point Software has highlighted numerous exploits so far this year, including new uses of artificial intelligence and an old-school attack vector: USB drives. Cybercriminals and state actors view these devices as the best way to infect air-gapped, segmented and protected networks, according to Check Point.
The report’s authors noted that the Raspberry Robin worm was one of the most common malware variants distributed via USB drives via “autorun.inf” files or clickable LNK files. Check Point also reported that state-aligned threat actors are even launching 10-year-old infections, such as ANDROMEDA, via USB drives.
Chinese spy actor Camaro Dragon, for example, used USB drives as a vector to infect organizations around the world, according to the report’s authors. Additionally, security researchers pointed out that the Russia-aligned Gamaredon group used Shuckworm, supplied on a USB stick, to target the Ukrainian military and associated individuals.
I spoke with Pete Nicoletti, global head of information security for the Americas at Check Point Software, about some of the report’s other key findings. Nicoletti, who has more than 30 years of experience in the field, said AI is a game-changer and that of Check Point Software’s more than 70 engines, AI and machine learning drive 40 of them. The following transcript of my interview with Nicoletti has been edited for length and clarity.
Have you found an orphaned USB drive? Better to leave it alone
Karl Greenberg: I was surprised by the details in the report regarding physical USB drives as a viable attack vector. Really? Today?

Pete Nicoletti: As a former penetration tester, I thought the days of USB drives… USB devices used for hacking were going to disappear, but we’ve seen a big increase in the number of companies that are tempted into inserting a USB key. When I was trying to break into businesses, we used a watering hole attack: you go to the bar where the employees go, you go to the office building or the restroom where the employees go, and you drop some USB sticks (these used to be CDs, with labels saying “3rd quarter layoffs,” and people would take them). We see the same thing with USB sticks, and it’s dramatic.
Karl Greenberg: Do hackers physically leave USB drives within reach?
Pete Nicoletti: Yes, and this tactic infects organizations. Before COVID, we had better policies against using USB drives in company-owned laptops because those laptops would be inspected. Post-COVID, it’s a BYO device, and there are fewer corporate protections, which is part of why we’re seeing an uptick. We are also seeing a surge in hacktivism, with politically motivated groups launching attacks and misuse of artificial intelligence, for example to write emails. We just saw the release of an AI-based keystroke monitoring tool that has about 85-95% accuracy in understanding keystrokes by sound alone.
Bad bots: AI for spam, spearphishing and malware
Karl Greenberg: How important are AI tools today for cybersecurity practitioners, and what do you think are the main ways hackers are using them?
Pete Nicoletti: If you don’t have AI to fight AI, you’ll be a statistic because AI lowers the bar for attackers. Just for spam, for example, there are now many more people (non-English speakers) who can create emails using very good English.
Basically, hackers use AI in at least two ways: They use AI to write code snippets rather than full-fledged ransomware programs for, say, a zero-day for a common vulnerability and exposure; they use it, for example, to write a keystroke collector. And they use AI to automate spam creation using hacked data to generate content. These could, for example, relate to hacked private information about a patient that may have been part of a significant breach; hackers use this data to create personalized emails: “You were just in for such and such a procedure, and you owe another $200 on the bill.”
SEE: Check Point announcement AI feature set 2023 (TechRepublic)
AI for defense: spam searches, insurance notices, intrusion tests
Karl Greenberg: How can you prevent or defend against these forms of AI-based spearphishing campaigns?
Pete Nicoletti: All of our major carrier customers use Avanan, an AI-based (email security) tool that we acquired two years ago. Thanks to it, we are able to discover new types of spam that are difficult to detect, and at 89%, spam remains the preferred vector for successful attacks.
SEE: Check Point’s Avanan shows how business email compromise attacks emulate legitimate web services to lure clicks (TechRepublic)
Karl Greenberg: Besides its use to reduce analyst workload, in what other areas do you see AI being used more today?
Pete Nicoletti: We see people using ChatGPT and other large language models to review their cyber insurance programs. We see people using it to write penetration tests to give them more relevance and a deeper understanding of certain issues. If you don’t use artificial intelligence, you won’t be competitive.
The education sector is the number one target
Karl Greenberg: What are the other main findings from the first half?
Pete Nicoletti: We find that the education sector is the number one vertical of attack; we have seen a huge increase in this area.
Karl Greenberg: Why?
Pete Nicoletti: Several reasons, including schools’ transition to outsourced IT and increased use of online educational tools. Additionally, educational institutions do not have the budgets that the commercial sector has. We have seen at least one university go bankrupt for the first time (Lincoln College in May 2022) due to ransomware demands. Globally, education and research remain the main targets of attacks (Figure A).
Figure A

Microsoft: A big house with many doors and “windows”
Karl Greenberg: I’ve noticed that the number of vulnerabilities in commonly used enterprise software is very high; Microsoft is number one. Why does Microsoft have so many CVEs?
Pete Nicoletti: Someone said they rob banks because that’s where the money is. If you’re a hacker, you want to target Microsoft because it’s omnipresent. It’s everywhere: an app development company and an operating system. It is used by everyone. So if you want to find a zero-day, whether you’re a state-sponsored hacking group or just a 16-year-old in the basement wearing a hoodie, you’ll target Microsoft.
The other thing that a lot of people don’t talk about is when you turn the knob as a company to release products. Companies can take all the time in the world to develop something and test it, but companies want to publish products now, not tomorrow. And when they turn the knob to compete and gain market share, that’s the type of unspoken development risk that gets you in trouble.
Karl Greenberg: This is why AI tools in DevOps are essential.
Pete Nicoletti: Companies with rapid development shops choose these tools to increase the security of their development pipeline, containers, and Kubernetes, and it is much cheaper to repair them in the development pipeline rather than in the test or production environment. Companies are therefore starting to realize this.
Sound and image: the next threats from AI
Karl Greenberg: What about other uses of AI for threats beyond text and code generation?
Pete Nicoletti: We’ve always faced business email compromises; well now it will be voice compromise and video compromise. It absolutely happens. We’re going to start seeing a lot more photos converted to video chat. We have already seen voice compromises, and all banks that use voice confirmation and voice identification can now be fooled. So what if you have any credit cards or banks that use it? Say goodbye. I would not allow this at all anymore.