Date: 2023-10-26

Two months ago we reported on the enormous computer security problem that Japan had suffered. The country's National Incident Preparedness Center and Cybersecurity Strategy (NISC) had not managed to contain a leak of internal data in time, a scenario that has had several implications.

But time has taught us that not even governments are safe from increasingly persistent cyber attacks. According to Bleeping Computer, Kaspersky's Global Research and Analysis Team has identified an ongoing threat that compromises the protection offered by advanced-security USB drives with software encryption.

When a device with advanced security cannot fulfill its function

There is a wide variety of USB drives with advanced security on the market. These storage devices are widely used by companies and governments, mainly when they offer software-based encryption features. But, like anything in the digital world, they are not 100% foolproof.

Kaspersky notes that a specific type of software-encrypted USB drive, whose make and model have not been disclosed, has been targeted for years by sophisticated, possibly state-sponsored, cybercriminal groups. The result? The theft of information that was supposedly password-protected.

The victims, according to the specialists, have been government entities in the Asia-Pacific region. Given the sophistication of the attack, everything seems to indicate that these were highly targeted espionage efforts. They also point out that the same method may have been used to steal financial data.

How has it been possible to compromise a USB drive with hardware encryption? Let's look at some interesting aspects of the method used by the malicious actors. The storage devices in question have one part that is encrypted and another part that is not, and the unencrypted part holds the software responsible for decrypting the content.

The attack begins by infecting the victim's computer with a payload called AcroShell which, through a command-and-control server, downloads additional malicious components that identify the type of USB stick used by the target. Later, a piece of malware called XMKR comes into action.

XMKR compromises the security of the USB drives based on the previously stolen information, directly altering the files on the unencrypted partition, that is, the files responsible for opening the door to the encrypted content. In every case the attack is carried out on Windows, with the help of other complex modules.
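A defender-side check that follows from the mechanism described above, added here as an example (it is not Kaspersky's code and is not part of the original article): it records a baseline of every file on the drive's unencrypted partition while the drive is still trusted, and later reports any file that was added, removed or altered before the unlock software is run. The directory and file names in the demo are constructed for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest

def compare_manifests(baseline, current):
    """Classify differences between a trusted baseline and a fresh scan."""
    return {
        "added": sorted(set(current) - set(baseline)),      # dropped components
        "removed": sorted(set(baseline) - set(current)),    # deleted files
        "modified": sorted(p for p in baseline if p in current
                           and baseline[p] != current[p]),  # altered unlock software
    }

def launcher_partition_is_clean(root, baseline):
    """True only if the unencrypted partition matches the trusted baseline exactly."""
    return not any(compare_manifests(baseline, build_manifest(root)).values())

def demo():
    """Constructed sample: a fake launcher partition, then a tampered copy of it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed file names; they stand in for the drive's real unlock files.
        (root / "Unlock.exe").write_bytes(b"known-good unlock tool")
        (root / "readme.txt").write_bytes(b"Run Unlock.exe to open the vault.\n")
        baseline = build_manifest(root)       # recorded while the drive was trusted
        clean_before = launcher_partition_is_clean(root, baseline)
        # Simulate tampering: the unlock tool is replaced and an extra file appears.
        (root / "Unlock.exe").write_bytes(b"modified unlock tool")
        (root / "extra.dll").write_bytes(b"unexpected component")
        return clean_before, compare_manifests(baseline, build_manifest(root))
```

In practice the baseline would be stored off the drive (for example on the host that provisions it), since a manifest kept on the same unencrypted partition can be rewritten along with the files it protects.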

Kaspersky points out that the malicious actors also resort to virtualization techniques to hide and protect the malicious code in their programs, making it almost undetectable by security systems, and to self-replicating methods to propagate across the victim's computer network.

Images: Brina Blum | Sebastian Chia