Honeywell’s 2024 USB Threat Report reveals significant rise in malware frequency, highlighting growing concerns

A new report from Honeywell’s GARD (Global Analysis, Research, and Defense) team disclosed that overall malware frequency continues to rise: the amount of malware detected and blocked, relative to the total number of files scanned, increased by approximately 33 percent over the previous year, which itself had been a 700 percent year-over-year increase. The 2024 USB Threat Report also noted that any number of factors, including malware prevalence, detection efficacy, shifts in malware types and behaviors, and end-user practices, can influence the amount of malware detected.

“We believe this makes it impossible to correlate the number of files blocked to any specific behavior,” according to the 2024 USB Threat Report from Honeywell GARD. “However, the 2023 increase was significant enough that the GARD team felt it was noteworthy as a general indication that malware exposure via USB has increased to some degree and that this exposure has remained elevated. The GARD team will begin to track additional data points around malware prevalence in hopes of obtaining more insight in the future.”

The report provides a detailed analysis of USB (universal serial bus)-borne malware affecting industrial control systems and critical infrastructures. Drawing data from numerous global OT facilities, the report highlights emerging trends in threats utilizing USB devices to bypass network defenses, evade detection, gather information, establish persistence, and disrupt or damage industrial operations.

The 2024 USB Threat Report highlighted that adversaries possess a deep understanding of industrial environments and their operations. Additionally, it points out their advanced malware capabilities, including the use of ‘living off the land’ (LotL) strategies observed in recent global cybersecurity incidents. While the threat activity surged rapidly in the initial years in terms of both quantity and capability, it has since stabilized in recent years.

The report identified that while these metrics do not reveal new insights, it is evident that the majority of blocked malware still has the potential to significantly impact process control. This includes risks such as loss of visibility, loss of control, system outages, and the concerning prevalence of remote capabilities. The focus on industrial targets suggests that the analyzed malware is deliberately exploiting removable media to breach secure network perimeters, commonly known as the ‘air gap.’

Data analysis confirmed that it is well established that USB drives serve as a common entry point into operational technology (OT). Extensive knowledge has been gained about the characteristics of cyber-physical attacks through the examination of past and current cyber-physical attack campaigns.

The Honeywell 2024 USB Threat Report determined that cyber-physical attacks require extensive knowledge of the target systems, especially concerning the protocols used within control environments and the points managed by those systems. Also, cyber-physical attacks have become less dependent on exploitation techniques, instead leveraging the inherent capabilities of the control environment. This has culminated in recent examples of LotL attacks against energy infrastructure in Ukraine, which solely use the inherent capabilities of the system against it. 

The research indicated that adversaries have a strong understanding of industrial environments and how they operate. For the fifth year in a row, the threats seen attempting to enter industrial/OT (operational technology) environments have continued to increase in sophistication, frequency, and potential risk to operations. USB-borne malware is clearly being leveraged as part of larger cyberattack campaigns against industrial targets. 

In 2023, the GARD team began tracking additional metrics to help shed more light on this trend, and this year it was able to further support that theory. “By looking closer at malware capabilities, examining the specific tactics and techniques as defined by the MITRE ATT&CK framework, and correlating that against known qualities of industrial targets, we can paint a clearer picture of our view of the real threat that USB media poses against industrial control environments,” it added.

Honeywell data reported that approximately 20 percent of all malware analyzed was classified as content-based. Over 13 percent of all malware blocked specifically leveraged the inherent capabilities of common documents such as Word documents, spreadsheets, scripts, etc. An additional 2 percent of malware specifically targeted known vulnerabilities in common document formats, and an additional 5 percent specifically targeted the applications used to modify and create these file types. 

Some of the latest observations disclosed in the Honeywell GARD USB Threat Report 2024 identified that a significant portion of blocked malware was content-based, using existing documents and scripting functions maliciously rather than attempting to exploit novel vulnerabilities. 

Among the specific exploits that were found, the majority focused on document and package vulnerabilities, such as those in word processing documents. Also, a significant portion of the ATT&CK techniques observed align with real-world cyber-physical attack campaigns and with a shift toward LotL strategies, relying heavily on OLE and command-line execution techniques.

In addition to expected target platforms, the Honeywell 2024 USB Threat Report identified that there was an increase in Linux and other target platforms, many of which are often used specifically by purpose-built devices in many industrial facilities, particularly in the areas of asset tracking, quality control, production management and other areas of the industrial supply chain. Together, this indicates that adversaries are well-educated in industrial process control, supply chains, and the day-to-day operations of industrial facilities.
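The report’s numbers above split blocked malware into content-based documents (macros and embedded OLE objects), loose scripts, and native executables for Windows and, increasingly, Linux targets. The following is an added example, not Honeywell’s code or anything from the report, of how a USB media checkpoint can sort files into those same categories before they reach a process control network. It relies only on the Python standard library; the file type signatures are well-known format magic bytes, and the sample files are constructed in memory so the script runs offline.

```python
"""Triage files from removable media into the content-based categories
the Honeywell USB Threat Report describes (added example; sample data
below is constructed, not real telemetry)."""
import io
import os
import zipfile

# Well-known format signatures (magic bytes).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy Office / compound file
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (docx/xlsx) is a zip container
ELF_MAGIC = b"\x7fELF"                             # Linux / purpose-built device binaries
MZ_MAGIC = b"MZ"                                   # Windows PE executables
SCRIPT_EXTS = {".vbs", ".js", ".jse", ".wsf", ".ps1", ".bat", ".cmd", ".hta", ".sh"}

# Checkpoint policy (assumed, not from the report): block anything that can
# execute or carries executable content; route legacy/odd containers to review.
BLOCK = {"executable-elf", "executable-pe", "script",
         "document-macro", "document-embedded-object"}
REVIEW = {"document-ole", "archive-zip", "archive-corrupt"}


def classify(name: str, data: bytes) -> str:
    """Return a content category for one file based on its bytes and extension."""
    ext = os.path.splitext(name)[1].lower()
    if data.startswith(ELF_MAGIC):
        return "executable-elf"
    if data.startswith(MZ_MAGIC):
        return "executable-pe"
    if data.startswith(OLE_MAGIC):
        # Binary .doc/.xls: macros live inside OLE streams, needs deeper inspection.
        return "document-ole"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                parts = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return "archive-corrupt"
        if any(p.endswith("vbaproject.bin") for p in parts):
            return "document-macro"            # macro-enabled OOXML
        if any("/embeddings/" in p for p in parts):
            return "document-embedded-object"  # OLE object packaged in OOXML
        if "[content_types].xml" in parts:
            return "document-ooxml"            # plain Office document
        return "archive-zip"
    if ext in SCRIPT_EXTS:
        return "script"
    return "other"


def decide(category: str) -> str:
    """Map a category to the checkpoint action."""
    if category in BLOCK:
        return "block"
    if category in REVIEW:
        return "review"
    return "allow"


def triage(files: dict) -> dict:
    """Classify every file and return {name: (category, action)}."""
    result = {}
    for name, data in files.items():
        category = classify(name, data)
        result[name] = (category, decide(category))
    return result


def _ooxml(extra_parts):
    """Build a minimal OOXML container in memory (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        for part in extra_parts:
            zf.writestr(part, b"\x00")
    return buf.getvalue()


# Constructed sample "USB contents": one file per category of interest.
SAMPLES = {
    "report.docx": _ooxml([]),
    "invoice.docm": _ooxml(["word/vbaProject.bin"]),
    "plan.docx": _ooxml(["word/embeddings/oleObject1.bin"]),
    "legacy.doc": OLE_MAGIC + b"\x00" * 64,
    "update.vbs": b'WScript.Echo "hello"',
    "agent": ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 16,
    "tool.exe": MZ_MAGIC + b"\x90" * 64,
    "readme.txt": b"plain text",
}

if __name__ == "__main__":
    for name, (category, action) in triage(SAMPLES).items():
        print(f"{name:14} {category:26} {action}")
```

The signature checks are deliberately ordered so that a container is identified by its bytes before its extension is consulted; a macro-enabled workbook renamed to `.txt` still lands in the block set. Legacy OLE documents go to review rather than allow, since deciding whether they carry VBA requires parsing the compound file streams, which this example does not attempt.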

Honeywell analysis also indicates that the occurrence of disruptive malware has remained steady at 82 percent. This means that of the malware detected, the majority of it could cause loss of view or loss of control to industrial control operators. This category of malware includes cyber-physical malware intended to manipulate or disrupt control, ransomware targeting industrial operators, and wiper malware associated with industrial attack campaigns. In the context of the observed techniques, and the correlation between these techniques and those used in recently observed ‘living off the land’ cyber attack strategies, this potential should be concerning to operators, especially operators of critical infrastructures. 

The malware analyzed is consistently capable of enabling adversaries to ‘dig in,’ remain hidden, and manipulate the inherent capabilities of target systems at any time. The findings also support the continuing trend of capable and modular malware frameworks that are typically used in multi-stage attacks. This includes malware associated with cyber-physical attack campaigns, including variants of the BlackEnergy, Industroyer, and Industroyer 2 malware used in attacks against Ukraine’s electricity distribution systems as far back as 2015.

The Honeywell 2024 USB Threat Report also pointed to evidence that continues to indicate that USB removable media is intentionally used as an initial attack vector in industrial control/OT environments. As such, it is recommended that organizations establish a clear USB security policy, and technical controls and enforcement should be established to improve security for the use of USB media and peripherals. 

Additionally, evidence continues to indicate that new threat variants are being introduced more quickly, specifically via USB, and that they are targeting industrials. To this end, existing controls should be reexamined, and OT cybersecurity policies and procedures should be reevaluated in an attempt to close the mean time to remediation (MTTR). External controls to provide real-time detection and protection of key systems should be considered as well as integrated monitoring and incident response procedures. 

The Honeywell 2024 USB Threat Report identified that threats crossing the air gap via USB are used to establish a toehold in industrial systems, opening backdoors and remote access to install additional payloads and remote command-and-control. Outbound network connectivity from process control networks must be tightly controlled and enforced by network switches, routers, and firewalls.

The report underlines that security upkeep remains important. Due to the large percentage of threats encountered in OT environments that were able to evade detection by traditional anti-malware software, anti-malware controls must be current to be effective. Anti-virus software deployed in process control facilities needs to be updated daily. Even then, a layered approach to threat detection that includes OT-specific threat intelligence is strongly recommended for maximum efficacy.

Due to the extent of threats capable of establishing persistence and covert remote access to otherwise air-gapped systems, patching and hardening of end nodes – especially those that are exposed to early-stage attacks – is necessary to improve an organization’s ability to prevent eventual breach of process control systems. 

The report identifies that due to the capabilities of cyber-physical attack frameworks – especially newer frameworks such as Industroyer, Industroyer 2, and Incontroller – it is increasingly important to protect infrastructure details about industrial control systems (ICS). Increased attention to the protection of system- and device-level configurations and settings is recommended.

In its conclusion, the Honeywell 2024 USB Threat Report detailed that active USB cybersecurity controls are increasingly important and that more inclusive document management and control are critical. “For the sixth year in a row, the known threats attempting to enter industrial/OT environments have continued to increase in sophistication, frequency, and potential risk to operations. USB-borne malware is clearly being leveraged as part of larger cyber attack campaigns against industrial targets. This indication is supported by the analysis of ATT&CK techniques, together with the presence of malware associated with major cyber-physical attack campaigns,” the report added.

“It remains clear that modern malware variants have adapted to take advantage of the USB standards and are capable of leveraging USB removable media to circumvent network defenses and bypass the air gaps that many industrial facilities depend on for protection,” according to the report. “Once successfully penetrated, techniques focus on information gathering, evading detection, and enabling direct manipulation of target systems over the use of novel exploitations – all consistent with LotL tactics. Exploits that were seen focus heavily on document-based infections and misuse of internal scripting mechanisms.” 

The Honeywell 2024 USB Threat Report added that continued diligence is necessary to defend against the growing USB threat, and strong USB security controls are highly recommended. In addition, an assessment of internal operations, with a focus on document handling and file sharing, is also recommended.
