USB peripherals have become a commodity for employees. Anchored in our daily lives, these in-house tools have become favored infection vectors for cybercriminals.
To detect a USB compromise attempt, companies can rely on equipment known as cleaning stations. Using malware detection engines, these stations can analyze and detect the presence of a threat.
A true decontamination airlock, white stations are particularly useful in environments that are heavily targeted by cyber-attacks, such as those in the 35 sectors listed under the European NIS2 directive.
It is in this context that GLIMPS has signed a technological and strategic partnership with TYREX, integrating the detection and analysis capabilities of its GLIMPS MALWARE solution into white stations. Here’s how it works.
While the USB flash drive may seem like a technological relic relegated to the sidelines of CD media, it still enjoys great popularity. For example, in Germany alone, no fewer than 10.8 million USB storage media would have been sold in 2022, according to the latest report from the Statista Institute. A figure that demonstrates the strong adoption of this medium in a country with a population of just 83 million.
What’s more, since COVID and the massive Ransomware attacks, critical and industrial networks have been immediately disconnected to protect themselves from the Internet, mechanically bringing the USB medium back to the fore to transfer data from one network to another.
To take advantage of this widespread adoption, cybercriminals have developed a number of different modus operandi:
The USB Drop modus operandi is relatively simple. A malware-infected USB stick is left on the floor or on a desk, waiting for a victim to plug it into a workstation.
While it’s common sense not to plug an unknown USB device into a company’s information system, according to a University of Illinois study published in 2016, 20% of USB sticks found are plugged in within the hour, and a further 25% within 6 hours. Difficult to identify, the threat is very real.
HID Spoofing is a modus operandi in which the USB key is used as a keyboard without the victim’s knowledge. When the key is activated, a series of commands is run on the machine to take control or exfiltrate data.
Distributing infected USB sticks at trade fairs
Trade shows are a prime target for cybercriminals, particularly for industrial espionage purposes. The malicious USB sticks are then distributed to trade show visitors.
While this may seem a surprising modus operandi, this is precisely what happened to IBM and the ADA (American Dental Association), who unknowingly distributed tens of thousands of infected USB sticks. For both companies, the Chinese manufacturer had itself been the victim of a cyber-attack on its production line, enabling malware to be installed on all the USB media produced.
To curb these threats, cleaning stations can be placed as totems at company entrances, or as deskside consoles, enabling users to scan a specific file or an entire USB stick for immediate removal of suspicion.
According to Rodolphe Bitaud, Business Developer at GLIMPS: “The integration of GLIMPS Malware technology brings an additional detection and analysis capability to the TYREX white station, and at the same time completes its multi-layer protection“.
Agnostic to file format (PDF, Doc, Excel, PowerPoint), whether compiled or not, static analysis by code conceptualization enables the detection of all forms of threats such as ransomware, trojans, rootkits, whether the incriminated file is executed or not.
Based on a macro analysis of the payload, code conceptualization analysis creates a description and the concept-code of a threat, highlighting commonalities between the analyzed file and a known threat, all without the need for decompilation. With its capacity for continuous improvement, based on thousands of daily scans and a database of millions of previously analyzed malware files, GLIMPS Malware technology delivers a verdict (malicious/non-malicious) in a matter of seconds, together with information on the malware’s typology and family.
If static analysis is activated by default, “it is also possible to configure a dynamic analysis detection engine including an optimized sandbox that extracts memory dumps which are then re-injected into the static analysis“, reminds the expert.
According to Rodolphe Bitaud, “the GLIMPS Malware solution can be deployed and configured in just a few minutes, and operates in disconnected mode, making it ideal for a wide range of applications“.
This is why TYREX white stations using GLIMPS Malware technology have been installed in the transport sector (air, sea), a sector frequently constrained by air gap environments. In the maritime transport sector, where the navigation itinerary is shared by USB key, it is essential to ensure the integrity of the USB medium before integrating it into the ship’s information system. This is why a cleaning station is installed on the ship to analyze all USB media before use.
This solution has been enthusiastically welcomed by companies in sectors regulated by the NIS-2 European directive, such as public administrations, banks, and companies in the energy, health and defense sectors. According to Rodolphe Bitaud, “as NIS-2 is based on an all-risk management approach, all companies that have to receive the public on their premises will have to use this type of device“.
Praised for its hardware design quality and analysis relevance, the solution is currently receiving strong commercial demand from markets in North America, Germany and the Middle East, resulting in the opening of a New York office for TYREX and a Toronto office for GLIMPS.
For Laurent Ably, CTO of TYREX, the market’s interest in this partnership can be explained by the need to strengthen the detection capacity of white stations facing ever more sophisticated threats: “In a regulatory or operational context, for online or fully air-gapped environments, white stations today need to be armed to detect more advanced threats, including yet unknown threats. The technological partnership with GLIMPS enhances the capabilities of our TYREX stations tenfold“.
Even if the medium may seem outdated, threats via USB sticks are still a topical issue, all the more so when the use of this tool comes back in force when security is implemented at network level.
To raise awareness of cybersecurity and avoid any compromise, companies need to implement analysis and detection mechanisms to ensure the integration of their information systems.
If you’d like to find out more and see a demo, don’t hesitate to contact our experts