
Archive for March 2016

March Madness Malware: All Top 10 US Sports Sites Serve Up Risk

With March Madness in full swing and the Sweet Sixteen kicking off, there’s some bad news for basketball fans: most of the Top 10 US sport sites have been found to have vulnerabilities, and are serving active code from risky background sites.

Menlo Security examined them to see whether they were running vulnerable versions of web-server software, leaving sports fans susceptible to phishing attacks and malware. All 10 sites were running vulnerable versions at the time of testing, and Microsoft-IIS/8.5 was the vulnerable server version reported most often.

Also, 60% (6 websites) of the top sites were found to be serving active code from background sites flagged for phishing and other frauds.

What's not obvious to an end user is that a visit to a website almost always also results in the browser loading active content from many other sources, mostly to serve content from CDNs and to support tracking by ad networks. The problem is that the website owner has little to no control over the security posture of these background sites.

Menlo found that by visiting the sports sites, the browser loaded active code from 152 unique background domains. These sites include Yahoo! Sports, ESPN, BleacherReport, CBS Sports, Sports Illustrated, NBC Sports, SB Nation, Fox Sports, Rant Sports and DeadSpin.

“These sites are the most visited around this time with sports fans checking out their bracket to see if their favorite team is advancing to the next stage,” said Kowsik Guruswamy, CTO of Menlo Security, in a blog. “The real question is, can these sites be a prime target for malware and ransomware?”

Guruswamy looked at where the code came from, how much of it there was and which systems delivered it. “Knowing these data points should give us insights into which sites are using a lot of scripting, and those that don't,” he said. “More scripts from more sources equate to a higher risk.”

Unfortunately, the top website (Yahoo! Sports, estimated to have 125 million unique visitors per month, according to Alexa rankings) executed 513 scripts from 55 different background domains.

On average, when visiting a top 10 sports site in the US, a browser will execute 245 scripts; every one of the top 10 sports sites executed more than 50 scripts.
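A defender-side way to measure what Menlo counted, as an added example that is not Menlo's tooling: parse a page's HTML, count script elements, attribute external scripts to first- or third-party registrable domains, and compare the third-party domains against a blocklist. The sample page, the domain names and the flagged-domain list are all constructed for the example.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed HTML standing in for a fetched sports-site front page.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="//cdn.example-sports.com/bundle.js"></script>
<script src="https://ads.adnet-example.net/tag.js"></script>
<script src="https://static.adnet-example.net/pixel.js"></script>
<script src="https://tracker.metrics-example.org/t.js"></script>
<script>window.dataLayer = [];</script>
<iframe src="https://ads.adnet-example.net/frame.html"></iframe>
</head><body><p>Bracket</p></body></html>
"""

# Constructed stand-in for a reputation feed of domains flagged for phishing/fraud.
FLAGGED_DOMAINS = {"metrics-example.org"}


class ScriptCollector(HTMLParser):
    """Collects every <script> start tag: inline ones are counted, external
    ones are resolved to absolute URLs relative to the page URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.inline = 0
        self.external = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src is None:
            self.inline += 1
        else:
            # urljoin handles "/path", "//host/path" and absolute URLs alike.
            self.external.append(urljoin(self.page_url, src))


def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Adequate for .com/.net/.org; a real
    audit should use the Public Suffix List so that e.g. .co.uk is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def audit_scripts(html, page_url, flagged=FLAGGED_DOMAINS):
    """Return script counts for a page plus the third-party domains serving
    scripts and which of those appear on the flagged list."""
    collector = ScriptCollector(page_url)
    collector.feed(html)
    site = registrable_domain(urlsplit(page_url).hostname or "")

    first_party = 0
    third_party = Counter()
    for url in collector.external:
        dom = registrable_domain(urlsplit(url).hostname or "")
        if dom == site:
            first_party += 1          # own host or a subdomain such as cdn.
        else:
            third_party[dom] += 1     # a "background" domain in Menlo's terms

    return {
        "total_scripts": collector.inline + len(collector.external),
        "inline": collector.inline,
        "first_party": first_party,
        "third_party": sum(third_party.values()),
        "third_party_domains": dict(third_party),
        "flagged": sorted(d for d in third_party if d in flagged),
    }


if __name__ == "__main__":
    report = audit_scripts(SAMPLE_HTML, "https://www.example-sports.com/")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running the audit against a live page only requires fetching its HTML and passing the real URL; the domain grouping is what lets you track the "unique background domains" figure over time.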

“There are many legitimate reasons why developers use scripts to enhance the user experience of a website today, but similarly attackers can use scripting capabilities for iframe redirects and malvertising links to compromise browsers,” Guruswamy said. “The main takeaways show that going to any popular website is now associated with some risk, as we see play out in numerous media stories every week.”

He added, “If you knew an employee going to a top 10 sports website in the US exposes their browser to more than 513 scripts, would it make you think twice?”

The problem is not just confined to sports sites of course—though the basketball tournament offers a great opportunity for watering hole attacks at the moment. Last year, Menlo issued a report that found that more than one in three of the top web domains are risky; and one in five of the most trusted sites are vulnerable. And that’s even more reason for surfers to be cautious.

“We've seen a number of breaches in the recent past where a background site was breached and a visit to one of the ranked sites resulted in a malware drop,” Guruswamy said.

Photo © GongTo/Shutterstock.com

Source: Information Security Magazine

EC-Council Website Distributes Angler Exploit Kit

The website of the security certification provider EC-Council has been serving a malicious drive-by redirect to the Angler exploit kit since Monday.

According to research by Fox-IT, the redirect occurs only when the visitor’s user-agent identifies the browser as Microsoft Internet Explorer, when the visitor arrives from a search engine link, and when the visitor’s IP address is neither blacklisted nor in a blocked geolocation.

This particular Angler campaign drops ‘TeslaCrypt’ ransomware on the exploited victim’s machine. The redirect is performed by PHP code on the EC-Council web server, which injects it into the web page.

“A vulnerability in the EC-Council website is most likely exploited as it runs the very popular WordPress CMS which has been a target through vulnerable plug-ins for years,” the research said.

Efforts to contact the EC-Council were without success, as the press contact page leads to a 404. Fox IT said it had reached out and notified the EC-Council, but no corrective action had been taken.

Speaking to Infosecurity, Maarten van Dantzig, senior researcher at Fox-IT, said that the issue was found on Monday after several customers were found to be infected. “We wanted to see how they were being infected and we found it was by the EC-Council website, so we tried to contact them but after they responded on Monday they stopped responding and there was nothing we could do about it,” he said.

He explained that EC-Council did respond initially, asking which website was infected and for a screenshot. The next day Fox-IT asked whether they had been able to fix it but received no response, so it decided to go public because it knew the site posed a high risk to its customers.

Speaking to Infosecurity, Luis Corrons, PandaLabs technical director, wondered why users of Internet Explorer in particular were affected. Clarifying, van Dantzig said that the Angler exploit kit targets versions of Internet Explorer prior to IE11: IE 7 to 10 all allow browser plug-ins to run, whereas Chrome and Firefox block outdated plug-ins.

Corrons said: “Most exploit kits have an operating panel to determine who they want to infect, and the old banking Trojans were configured not to infect people in their own country.

“For the blacklisted IP addresses, I’m 99% sure it is a blacklist of anti-malware and anti-virus companies so the bad guys have a blacklist of what the good guys work with, and makes it harder for us to find them.”

Source: Information Security Magazine

Water Treatment Plant Hit by Cyber-attack

It appears not even H2O is safe from cyber-criminals following a recent attack on a water treatment plant.

According to a news report from International Business Times, hackers were able to change the levels of chemicals used to treat tap water during an attack on the plant’s outdated IT network. The plant is referred to by the pseudonym "Kemuri Water Company" (KWC) because of the sensitive nature of the breach. The attackers exploited its web-accessible payments system and used it to reach the company's web server.

Verizon Security Solutions unearthed the attack after KWC asked the company to look into unauthorized access to its operational technology systems and unexplained patterns of valve and duct movements that appeared to be manipulating hundreds of programmable logic controllers. The firm’s investigators noticed that the attackers’ IP addresses matched those of hackers previously linked to other hacktivist campaigns, and the criminals are believed to have had motives concerning Syria.

Verizon, which included the incident in this month’s breach report, said that although the criminals gained access to the personal and financial records of over 2.5 million customers, they have not sought to use the details; it suggested they may not even have been aware that they were affecting water chemical levels at all.

Luckily, KWC was able to reverse the changes before customers were affected and apparently nobody fell ill, but clearly the attack had the potential for far more serious ramifications.

This is not the only attack on critical infrastructure that we have seen recently, with various Ukrainian power companies and Israel's Electricity Authority falling victim to breaches in the last few months.

“Attacks on critical manufacturing and infrastructures are becoming more common,” Yoni Shohet, Co-Founder & CEO of SCADAfence told Infosecurity, citing increasing connectivity between the IT and operational technology environments as a key factor in the exposure of insecure networks to new risks.

“For companies these attacks can mean significant loss of revenue, reputation damage and loss of competitive edge. For customers, in a worst-case scenario, these breaches could potentially be deadly. Imagine if products that we consume every day such as drugs, food and water are tampered with and manipulated by malicious hackers; the results could be devastating,” he added.

Shohet went on to say that with proper risk management and monitoring tools, attacks such as the breach at KWC could be avoided, or at least detected more quickly.

“The fact that the chemical process was changed and only then was the company able to detect the breach clearly shows that the company did not properly monitor the connections between the IT and OT environments, and that it did not monitor the usage of the devices controlling its mission-critical systems.”

Source: Information Security Magazine

Met Police Chief: ‘Don’t Reward Fraud Victims for Bad Behavior’

Metropolitan police commissioner Bernard Hogan-Howe has claimed that victims of online fraud shouldn’t be compensated by banks if they’ve not taken adequate steps to protect themselves on the internet.

Britain’s most senior police officer told The Times that the public were being “rewarded for bad behavior” instead of being incentivized to improve password management and keep their anti-virus software up-to-date.

“If you are continually rewarded for bad behavior you will probably continue to do it but if the obverse is true you might consider changing behavior,” he told the paper.

“The system is not incentivizing you to protect yourself. If someone said to you, ‘If you’ve not updated your software I will give you half back,’ you would do it.”

Ever since banks began offering their users free anti-virus software several years ago there have been warnings that this would lead to a more uncompromising stance on refunding anyone hacked or defrauded online who is subsequently found to have failed to download or update said software.

That doesn’t seem to have happened yet, however, and although most banks now issue two-factor authentication devices for online banking, their users are still at risk when paying via their cards on other sites or visiting pages potentially loaded with malware.

Fraud could also arise through no fault of their own, if an online provider is breached and their details fall into the wrong hands.

The Year-End 2015 Fraud Update from Financial Fraud Action UK last week revealed that the value of e-commerce fraud jumped 19% from 2014 to 2015 to reach £261.5 million – although card spending increased by an even higher 21%.

In fact, some might argue that the police response to the fraud epidemic has been less than thorough.

Last year it was revealed that the police are following up fewer than one in 100 frauds, according to The Times.

Richard Law, Chief Executive at identity data firm GBG, argued that fraud prevention is everyone’s responsibility, especially as now it’s not a case of ‘if’ our data will be compromised but ‘when’.

“With so much of our personal data now out in the public domain, it is worrying to assume that people should have sole responsibility for the protection of it, especially when many consumers are found to massively undervalue their identities online,” he argued.

“Personal information is priceless and we all need to be involved in keeping it safe and secure.”

Robin Tombs, CEO at authentication firm Yoti, added that keeping AV software up-to-date is only one piece of the puzzle.

“Millions of usernames and passwords are being hacked every year. Biometrics are set to play a big part in the future of authentication, which will use one or more unique personal identifiers such as face, voice, retina or fingerprint to prove identities online,” he argued.

“Banks like HSBC and MasterCard have recently made announcements around their planned use of biometrics to help make customers' lives easier and more secure.” 

Source: Information Security Magazine

Google Steps Up Certificate Transparency

Google has taken steps to improve transparency around potentially untrustworthy certificates, by announcing an extension to its Certificate Transparency initiative.

The web giant revealed that it would be creating a new log specifically for CAs that were once trusted and have since been withdrawn from the root programs, and for new CAs “that are on the path to inclusion in browser trusted roots.”

It said that this additional data should help protect users from mis-issued certificates and provide any interested stakeholders with a public record of which certs have been issued for which domains.

Google is inviting third parties to suggest additional roots for inclusion in the new log, dubbed “Submariner,” by emailing google-ct-logs@googlegroups.com.

“This log will not be trusted by Chrome, and will provide a public record of certificates that are not accepted by the existing Google-operated logs,” Google software engineer Martin Smith said in a blog post.

“The new log is accessible at ct.googleapis.com/submariner and is listed on our Known Logs page. It has the same API as the existing logs.”

First up for inclusion in Submariner will be the certificates “chaining up to the set of root certificates that Symantec recently announced it had discontinued,” as well as some roots pending inclusion in Mozilla.

The move was welcomed by industry experts.

Kevin Bocek, VP of security strategy and threat intelligence at Venafi, argued that it’s a significant step by Google, given that cyber-criminals are increasingly abusing the blind trust put in certificates by organizations, “so they can appear trusted and monitor and impersonate their targets to execute attacks and steal data.”

“As we move to an increasingly connected IoT world, with new agile development methods, the number of certificates being issued is exploding,” he added. “This is making the challenge of knowing what can and can’t be trusted even more obscure and hackers are waiting to profit from the chaos. Certificate reputation is therefore increasingly important, for businesses and consumers alike.”

Brian Spector, CEO at MIRACL, argued that while the move was welcome, it’s an attempt to fix a problem that can’t be fixed.

“The problem is architectural – it’s based on outdated public key infrastructure that creates a single point of compromise on the internet,” he said. “The best thing to do is start over with a new system which distributes trust across multiple points. If we do nothing, fake certificates will destroy the trust architecture on the internet, and once trust is gone, you can't get it back.”

Source: Information Security Magazine

‘Lock Screen’ Ransomware Makes a Comeback

Ransomware authors appear to be reviving some old tactics in a bid to persuade their victims to part with their money, after a new strain of malware was found which locks the user’s screen but does not encrypt files.

Cyphort Labs malware researcher, Paul Kimayong, explained in a blog post that the new family of what it generically dubs “Ransom Locker” malware was discovered after his team followed an infection on a porn site.

This in turn redirected visitors to a RIG exploit kit landing page that served up the ransomware in the form of a malicious Flash file and a binary.

The final payload locks the victim’s computer and covers the screen with a message purportedly from Homeland Security, with the usual warning that the user has viewed illegal content and must pay a fine or face criminal liability.

It also includes instructions on how to pay in Bitcoin or Vanilla – a prepaid card from Visa or MasterCard.

The researchers weren’t able to boot it in safe mode for further investigation so they analyzed the memory image offline instead.

Using VirusTotal they found four similar samples in the wild, dating back to the start of February 2016 and with very low detection rates.

Interestingly, Kimayong and his team discovered the malware authors have used VirusTotal themselves to test if their ransomware is detected by heuristics.

“The sample we got is version 0.02a-155. This clearly means it is in the early stage of development,” he wrote.

The malware authors have also made use of the Tor anonymizing network in order to stay hidden from the white hats.

“It’s been a while since we have seen a new family of Ransom Locker in-the-wild, probably due to the success of file-encrypting ransomware such as Cryptolocker, Cryptowall, Locky, etc. Also, Ransom Lockers can be easily cleaned by using ‘rescue discs’ so it was not effective for monetization,” concluded Kimayong.

“However, this new discovery is an advancement of ransom locker malware as it is using Tor to communicate to its CnC servers. By using Tor, the attacker adds a layer of anonymity while doing its malicious activity. Also, while the attacker has your machine kidnapped, they create a Tor hidden service that allows the attacker to utilize your system for bitcoin payments or other malicious activity.”

The popularity of cryptographic ransomware variants like CryptoLocker has meant earlier “police ransomware” like this has been virtually wiped out.

Trend Micro stats from earlier this year found that crypto-ransomware variants accounted for 100% of UK enterprise infections in February and 99% in January, for example.

Source: Information Security Magazine

Malicious Domains Hit Near-Record Highs

Malicious website creation has hit near-record highs, up a momentous 49% in the past two years. An analysis shows that organizations are under near-constant attack, and from some surprise quarters. That includes the RIG exploit kit, heretofore considered to be old and somewhat obsolete.

Because DNS is required for almost all Internet connections, cyber-criminals are constantly creating new domains and subdomains to unleash a variety of threats including exploit kits, phishing, and distributed denial of service (DDoS) attacks.

The Infoblox DNS Threat Index shows that after dipping in Q3 2015, the index increased to reach near the record high established in the second quarter of last year. This represented an increase of 5% from the previous quarter, meaning the number of malicious domains is steadily increasing. This breaks with previous cycles where record high threat levels (indicating the “planting” of malicious new infrastructure) were followed by several quarters of relative quiet as cyber-criminals used that infrastructure to harvest data and harm victims.

“Our findings may indicate we’re entering a new phase of sustained and simultaneous plant/harvest activity,” said Rod Rasmussen, vice president of cybersecurity at Infoblox. “As we see this escalation of efforts by cyber-criminals, it is essential we go after the infrastructure that cyber-criminals are using to host these domains. So, for the first time, we are using the index to highlight the countries with the most hosting locations for bad domains.”

The Infoblox DNS Threat Index tracks the creation of malicious DNS infrastructure, through both registration of new domains and hijacking of previously legitimate domains or hosts. The baseline for the index is 100, which is the average for creation of DNS-based threat infrastructure during the eight quarters of 2013 and 2014. For Q4, the index increased to 128—near the record high of 133 established in the second quarter of 2015.

Because the threat index for all of 2015 has been well above its historical average, organizations of all sizes and types continue to face unrelenting attacks on all of these fronts.

Infoblox found that the clear country of choice for hosting and launching attacks using malicious DNS infrastructure in Q4 2015 was the United States, which accounted for 72% of newly observed malicious domains. Germany (20%) was the only other country to account for more than 2% of the observed malicious sites.

“It is important to note that the geographical information is not an indication of ‘where the bad guys are,’ since exploit kits and other malware can be developed in one country, sold in another and used in a third to launch attacks through systems hosted in a fourth,” Infoblox noted. “But it does suggest which countries tend to have either lax regulations or policing, or both.”

Taken together, a full 92% of newly observed malicious domains in Q4 were hosted in either the United States or Germany. While much cybercrime originates from hotspots in Eastern Europe, Southeast Asia, and Africa, this analysis shows the underlying infrastructure used to launch the attacks themselves sits elsewhere—in the backyard of the world’s top economies.

“It would be a silver lining if US hosting providers were quick to take down malicious content at dangerous domains once they’re identified, but they are not,” said Lars Harvey, vice president of security strategy at Infoblox. “The fact of the matter is that many hosting providers can be slow to respond, allowing exploits to propagate for considerably longer than they should. This should be a key area of focus for improvement.”

Infoblox uncovered that while Angler continues to lead DNS exploit kit activity, RIG—an older kit that has been far back in the pack in usage during previous quarters—has surged into second place.

Exploit kits are a particularly alarming category of malware because they represent the automation of cybercrime. A small number of highly skilled hackers can create the kits, which are packages for delivering a malware payload, and then sell or rent these toolkits to ordinary criminals with little technical experience. This can vastly increase the ranks of malicious attackers capable of going after individuals, businesses, schools, and government agencies.

Infoblox analysis of RIG activity in 2015 shows that it began using domain shadowing techniques similar to those pioneered by Angler to defeat reputation-based blocking strategies. This indicates that as exploit kits are updated in coming years, there may be a reappearance of past threats in a new guise or location.

Photo © Marcos Mesa Sam Wordley

Source: Information Security Magazine

Former US Diplomat Goes to Jail for 'Sextortion'

A former US State Department employee has been sentenced to 57 months in prison for “sextortion.”

Michael C. Ford, 36, of Atlanta, was convicted of perpetrating a widespread, international email phishing, computer hacking and cyberstalking scheme against hundreds of victims in the United States and abroad.

According to the plea document, Ford admitted that between January 2013 and May 2015, while employed by the U.S. Embassy in London, he used various aliases to target young females, some of whom were students at US colleges and universities, with a particular focus on members of sororities and aspiring models.

Posing as a member of the fictitious “account deletion team” for a well-known email service provider, Ford sent thousands of phishing emails to thousands of potential victims, warning them that their accounts would be deleted if they did not provide their passwords. Ford admitted he then used the passwords to hack into at least 450 email and social media accounts belonging to at least 200 victims, where he searched for sexually explicit photographs and for victims’ personal identifying information (PII), including their home and work addresses, school and employment information, and names and contact information of family members, among other things. 

Using both the photos and PII, Ford admitted that he then emailed at least 75 victims, threatening to release those photos unless they took and sent him sexually explicit videos of “sexy girls” undressing in changing rooms at pools, gyms and clothing stores.

When the victims refused to comply, threatened to go to the police or begged Ford to leave them alone, Ford escalated his threats. For example, Ford admitted that he wrote in one email “don’t worry, it’s not like I know where you live,” followed by another email with her home address. He also threatened to post her photographs to an “escort/hooker website” along with her phone number and home address. On several occasions, Ford followed through with his threats, sending his victims’ sexually explicit photographs to family members and friends, according to the plea.

Additionally, at sentencing, the government presented evidence that Ford engaged in a related scheme targeting aspiring models beginning in 2009. Posing as a model scout, Ford convinced young women to send their personal information, including dates of birth and measurements, as well as topless photos for consideration for fictitious modeling opportunities. During this ruse, Ford obtained topless and partially nude photos from hundreds of women, including several minors. He also attempted to entice a minor to take voyeuristic videos of her peers in her school locker room. Some of his early model-scout victims became the first victims of his charged cyberstalking scheme.

In December, Ford pleaded guilty to nine counts of cyberstalking, seven counts of computer hacking to extort and one count of wire fraud in connection with his ongoing criminal scheme. The names of the victims are being withheld from the public to protect their privacy.

“Michael Ford hacked hundreds of email accounts, particularly targeting young women so he could extort them into sending him sexually explicit images,” said Assistant Attorney General Leslie Caldwell. “He preyed on vulnerable victims, leaving them with indelible emotional scars. His sentence is a necessary step in holding him to account for his crimes and helping his victims move forward with their lives.”

Photo © fizkes

Source: Information Security Magazine

Biometrics Market Set to Skyrocket to $30Bn

There’s a perfect storm brewing for the global biometrics market, according to ABI Research. Bolstered by smartphone penetration, geopolitical events and the commercial interest of payment giants, the firm expects revenues to reach more than $30 billion by 2021.

That represents an impressive 118% increase from 2015.

Consumer electronics, particularly smartphones, continue to boost the biometrics market, with embedded fingerprint sensors like Apple’s Touch ID anticipated to reach two billion shipments by 2021 at a 40% CAGR. As a result, consumer confidence in the technology should start to crest.

"Consumers are increasingly putting their trust behind biometric-based authentication and searching for security, convenience and personalization in multiple layers," says Dimitrios Pavlakis, research analyst at ABI Research.

Meanwhile, rising tensions and pressing identification issues in both the Middle East and Europe will also cause a major increase in biometric technologies, ABI predicted. This will, in turn, motivate the respective governments to push for new legislation and regulations for data management and exchange initiatives that include biometrics.

The credit card industry, meanwhile, is leading the way with multimodal technologies and a distinct emphasis on facial recognition. MasterCard, for instance, is set to extend its ‘pay-by-selfie’ facial recognition technology to 14 countries including the UK this summer as part of its ongoing attempt to crack down on identity fraud.

There are other noteworthy initiatives on the way as well. Industry leaders Gemalto, STMicroelectronics, FPC, and Precise Biometrics recently formed a partnership for the development of end-to-end biometric architecture. And Morpho (Safran) has partnered with Airtel to increase user mobility under the UIDAI project in India.

Going forward, interest from law enforcement, retailers, banks and enterprises will drive part of the market, as will IP cameras that start to support new surveillance techniques.

"Surveillance is also gearing up, and by 2021, we anticipate more than one in three surveillance cameras shipped to be IP-connected cameras,” Pavlakis said. “This will undoubtedly open up new pathways for facial biometrics and surveillance analytics."

Facial recognition and fingerprint sensors are just the beginning though. "Companies will move more aggressively toward the adoption of these new biometric form factors and technologies," concludes Pavlakis. "Technologies include USB-connected devices; embedded sensors in consumer electronics and payment cards; four-finger, iris, and facial recognition in smartphones; and vein recognition in ATMs."

While North America and the Asia-Pacific region continue to hold the majority of the biometrics market share, ABI Research market data suggests that Latin America and the Middle East can also expect a boom in new biometric implementations. This will primarily occur in banking and personal finance, followed by the governmental and security sectors, ABI said.

Photo © tloma

Source: Information Security Magazine

Security Experts Discover Airgap-Jumping USB Trojan

Security experts are warning organizations running systems isolated from the internet to be on their guard after discovering a stealthy data-stealer run from a thumb drive which leaves no trace on a compromised computer.

Eset explained in a blog post that the “USB Thief” trojan takes advantage of the increasingly common practice of storing portable versions of popular apps like Firefox on USB drives.

The malware typically hides inside a plugin or a dynamic-link library (DLL), so that when such an application is executed, the malware also runs in the background.

It also contains a sophisticated mechanism to protect itself from copying or reverse engineering by encrypting certain files with AES-128 and with file names generated from cryptographic elements.

The AES encryption key is tied to the particular USB device the malware was loaded onto, so it can’t be run from any other device, making it doubly difficult to detect or analyze.

There are three loaders, with some anti-AV checks run with the third. The final payload kick-starts the data stealing functionality, although Eset claimed that the malware could be redesigned with another payload.

Eset malware analyst, Tomáš Gardon, explained that the malware was most likely created for targeted attacks against air-gapped systems, and although the sample found is a data stealer, there could be one in the wild which has a more destructive payload designed to hit industrial control systems.

USB ports should be disabled where possible, and if that’s not possible, strict policies should be applied to their use, alongside cybersecurity training to warn staff not to insert any USB they find lying about, he advised.

Peter Stancik, ESET security evangelist, explained that USB Thief is probably “not on a par” with the most sophisticated nation state-level malware out there, “but both the mode of operation and implementation show clever tricks.”

It may have been used by a malicious insider, he told Infosecurity by email.

“However, it might also be spread through an insider whose device has been infected with USB Thief by someone else and who is ‘stealing’ the data unknowingly,” he added.

“Another option could be a dedicated dropper that could be delivered via the internet and then used to drop the USB Thief onto a USB storage when inserted. Then wait for the infected USB storage to be plugged in the targeted air-gapped system.”

Source: Information Security Magazine