ScarCruft Uses Zoho WorkDrive and USB Malware to Breach Air-Gapped Networks

title: Air Gap, Cloud Sync, USB: Why Your 'Segmentation' Isn't Stopping ScarCruft
date: 2024-06-20
last_updated: 2024-06-20
keywords: air-gap bypass USB malware, Zoho WorkDrive OAuth security, ScarCruft detection, OT segmentation, cloud exfiltration
Who Should Read This?
Target audience: Incident response leads, OT/ICS security managers, cloud architects, enterprise SecOps, security engineers tasked with securing hybrid IT/OT and SaaS environments.
Why 'Air-Gapped' Networks Keep Failing
The belief that physical isolation = security is still getting organizations owned in 2024. Case in point: MITRE ATT&CK T1091—Replication Through Removable Media. Attackers do not need to be creative when basic hygiene is missing.
Recent campaigns (see Kaspersky, 2024; Mandiant, 2022) linked to ScarCruft and similar groups have reportedly chained USB-based initial access and cloud service exfiltration to jump air-gaps. You can blame “advanced” TTPs all day, but misconfigurations and default trust are still your weakest link.
Composite Incident: The USB Policy Time Bomb
Here’s an anonymized composite from multiple IR engagements (2018–2023, OT and financial sectors). If this sounds familiar, it's because it keeps happening.
A restricted "air-gapped" production network allows quarterly data ingestion via “read-only” USBs. GPOs are set, but after a domain refresh, Device Installation Restrictions (GPO: Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions) aren’t reapplied. Endpoint Protection logs show unsigned executables copied from USB at 2:18 a.m.—preceded by Autorun.inf execution and a PowerShell process launched with the encoded-command flag (-EncodedCommand). The payload beacons to an external address once the host reconnects to a trusted management network with cloud sync enabled.
Disclosure: This is a redacted composite, not a single point-in-time anecdote. My team led IR during these events.
Why We Keep Falling for This (Again)
1. Compliance ≠ Security (and OAuth Is Still Overprovisioned)
In the wild, we've observed OAuth scope grants in Zoho WorkDrive that allow service accounts to read and export all files by default. The Zoho documentation states that WorkDrive.files.READ and WorkDrive.files.ALL are frequently granted without review. According to [Unit42](https://unit42.paloaltonetworks.com/oath-token-abuse-cloud/) (2023), 53% of SaaS OAuth apps overprovision access in enterprise environments.
ScarCruft and similar APTs abuse these misconfigurations: once initial access is gained via removable media, they pivot to cloud platforms with default or excessive token scopes, exfiltrating "air-gapped" data (Mandiant, 2022).
2. Physical Gaps Don't Mean Logical Security
MITRE T1091 exists for a reason. Any "temporary exception" to plug in a thumb drive, or use cloud file sync for bi-directional data, introduces lateral movement risk. ScarCruft's campaigns leveraged USB malware plus misconfigured cloud sync to achieve persistence and offsite exfiltration, per Kaspersky's 2024 report.
3. Privilege Creep: Containers & Service Accounts
If your containers run as root, odds are your SaaS connectors, cloud service accounts, and automation routines have more permissions than required. The pattern is consistent: privilege sprawl makes lateral movement trivial, whether it's on-prem or in the cloud (Cloud Security Alliance: SaaS Security Best Practices, 2023).
The Real Issue: Network Segmentation Done Wrong
Network diagrams should not look like spaghetti. In almost every compromise, segmentation is cosmetic:
- Flat VLANs shared between IT and OT
- Legacy firewall rules allow any-to-any ICMP
- OT zones allow SSH/SMB ingress from jump hosts that double as cloud gateways
Best practice: "deny-all" by default, use controlled jump boxes, and push changes through change management. Recommended ACL pattern: deny ip any any with explicit permit statements only for sanctioned ports/protocols. See CISA's network segmentation guidance (2023).
What Actually Works? Mitigations That Matter
Lock Down USB/Removable Media
- Disable Autorun via GPO: Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies > Turn off Autoplay = Enabled
- Enforce Device Control: Deploy device control via EDR/NAC (Defender for Endpoint, CrowdStrike, or vendor-neutral solutions) and whitelist only specific USB device IDs.
- Audit & Monitor: Collect Event ID 2003 (USB device insert) and log all removable drive access.
- Registry Keys: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun=0x000000FF
Secure Your SaaS and Zoho WorkDrive
- Restrict OAuth Scopes: Remove WorkDrive.files.ALL unless the user or application truly needs it. See Zoho WorkDrive Admin Panel > Settings > Developers > Connected Apps.
- Reduce Token Lifetime: Set the minimal OAuth token duration under Admin Console > Security.
- Implement Conditional Access: Restrict cloud access by IP using Trusted IP lists. Enforce this on sensitive folders and service accounts.
- Audit Service Accounts: Regularly review connected app authorizations and remove unused integrations.
Network Segmentation—Actually
- Deny All Inbound OT/ICS to IT by Default
- Segregate Cloud Sync Hosts via Dedicated VLANs
- Use OT “Read-only” Proxies for All File Movement.
- Review All Firewall Rules: Allow only expected protocols (e.g., only SFTP from jump box to DMZ; block SMB, RDP, RPC from cloud-connected subnets).
Detection: What to Watch For
USB Initial Access Detection
- Windows Event ID 4100/4103: New device installation
- Event ID 2003: Removable storage detected
- EDR Query Example (Sigma):

```yaml
title: Encoded PowerShell Launch With USB Device Activity
logsource:
  product: windows
detection:
  selection:
    EventID:
      - 4100
      - 4103
    DeviceClass|contains: 'USB'
    ProcessName|endswith: 'powershell.exe'
    CommandLine|contains: '-EncodedCommand'
  condition: selection
```

- SIEM Recipe (Splunk):

```spl
index=wineventlog (EventCode=4100 OR EventCode=2003) AND DeviceType="USB" AND (process_name="powershell.exe" OR command_line="*EncodedCommand*")
```
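The Sigma and Splunk recipes above are point queries; what an analyst triaging this composite actually wants is the correlation "encoded PowerShell shortly after a USB arrival on the same host", with the payload decoded. The following Python is an added example, not code from the original post: it decodes the -EncodedCommand argument (base64 of UTF-16LE text) and ties the launch to a preceding Event ID 2003 on the same host. The event records and their field names are constructed assumptions, not any vendor's schema.

```python
import base64
from datetime import datetime, timedelta

# Constructed sample events (not from the original post); the field names are
# assumptions, not a vendor schema. event_id 2003 = removable storage arrival.
ENC = base64.b64encode("Get-ChildItem E:\\".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"ts": "2024-03-02T02:15:00", "host": "OT-HMI-07", "event_id": 2003, "device_type": "USB"},
    {"ts": "2024-03-02T02:18:00", "host": "OT-HMI-07", "event_id": 4103,
     "process_name": "powershell.exe", "command_line": "powershell.exe -NoP -enc " + ENC},
    {"ts": "2024-03-02T00:00:00", "host": "OT-HMI-03", "event_id": 2003, "device_type": "USB"},
    {"ts": "2024-03-02T02:00:00", "host": "OT-HMI-03", "event_id": 4103,
     "process_name": "powershell.exe", "command_line": "powershell.exe -EncodedCommand " + ENC},
    {"ts": "2024-03-02T09:00:00", "host": "IT-WS-12", "event_id": 4103,
     "process_name": "powershell.exe", "command_line": "powershell.exe -Command Get-Date"},
]

def decode_encoded_command(command_line):
    """Return the decoded script when the line carries -EncodedCommand or an
    unambiguous prefix of it (-enc, -e) that powershell.exe also accepts, else None."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lower()
        if len(flag) >= 2 and "-encodedcommand".startswith(flag):
            try:  # the argument is base64 of UTF-16LE text
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None

def correlate_usb_then_encoded_ps(events, window=timedelta(minutes=15)):
    """Alert on encoded PowerShell launches that follow a USB arrival on the same
    host within `window`; launches with no recent USB event on that host are skipped."""
    last_usb = {}  # host -> timestamp of the most recent USB arrival
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["event_id"] == 2003 and ev.get("device_type") == "USB":
            last_usb[ev["host"]] = ts
            continue
        if ev.get("process_name", "").lower() != "powershell.exe":
            continue
        script = decode_encoded_command(ev.get("command_line", ""))
        usb_ts = last_usb.get(ev["host"])
        if script is not None and usb_ts is not None and ts - usb_ts <= window:
            alerts.append({"host": ev["host"], "ts": ev["ts"], "decoded_command": script,
                           "minutes_after_usb": (ts - usb_ts).total_seconds() / 60})
    return alerts
```

On the sample set only OT-HMI-07 fires: OT-HMI-03's USB event is two hours before its encoded launch (outside the window) and IT-WS-12 never used an encoded command.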
Cloud Token & OAuth Abuse
- Look for anomalous token grants:
  - Frequent issuance of WorkDrive.files.ALL tokens, especially from non-corporate IPs
  - Review Azure AD, Google Workspace, or Zoho WorkDrive sign-in logs for new app/token grants outside your MFA policy window.
- Audit WorkDrive Event Logs:
  - Monitor download/export events: see Zoho WorkDrive Audit Logs.
- SIEM/EDR Example:

```spl
source="zoho_workdrive_audit" (action="grant_permission" OR action="download_file") NOT src_ip IN ("your_corp_ranges")
```
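As an added example (not from the original post, and not Zoho's own tooling), the following Python applies the query logic above to constructed WorkDrive-style audit records: it flags WorkDrive.files.ALL grants and any grant or download from outside the corporate ranges, and escalates to high when the same actor downloads from outside after receiving the broad scope from outside, which is the exfiltration shape described in this post. Field names, action values and the corporate ranges are assumptions; map them to your actual audit export.

```python
import ipaddress

# Constructed sample audit records (not from the original post). The field
# names and action values are assumptions; map them to the real WorkDrive
# audit export. 198.51.100.0/24 is outside the (assumed) corporate ranges.
CORP_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]
SAMPLE_AUDIT = [
    {"ts": "2024-05-10T08:02:11Z", "actor": "svc-ot-sync", "action": "grant_permission",
     "scopes": ["WorkDrive.files.ALL"], "src_ip": "10.20.5.14"},
    {"ts": "2024-05-10T23:41:57Z", "actor": "svc-ot-sync", "action": "grant_permission",
     "scopes": ["WorkDrive.files.ALL"], "src_ip": "198.51.100.77"},
    {"ts": "2024-05-10T23:43:02Z", "actor": "svc-ot-sync", "action": "download_file",
     "file": "plc_configs_q2.zip", "src_ip": "198.51.100.77"},
    {"ts": "2024-05-11T09:15:00Z", "actor": "j.doe", "action": "download_file",
     "file": "minutes.docx", "src_ip": "203.0.113.9"},
]

def is_corporate(ip, ranges=CORP_RANGES):
    """True when the address falls inside one of the trusted corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)

def triage_workdrive_audit(records, ranges=CORP_RANGES):
    """Flag broad-scope grants and grant/download events from outside the
    corporate ranges. Escalate to 'high' when an actor downloads from outside
    after receiving WorkDrive.files.ALL from outside (the exfiltration shape)."""
    findings = []
    external_broad_grant = set()  # actors granted files.ALL from a non-corp IP
    for rec in sorted(records, key=lambda r: r["ts"]):
        external = not is_corporate(rec["src_ip"], ranges)
        broad = "WorkDrive.files.ALL" in rec.get("scopes", [])
        reasons, severity = [], "medium"
        if rec["action"] == "grant_permission" and broad:
            reasons.append("broad scope WorkDrive.files.ALL granted")
            if external:
                external_broad_grant.add(rec["actor"])
        if rec["action"] in ("grant_permission", "download_file") and external:
            reasons.append(f"{rec['action']} from non-corporate IP {rec['src_ip']}")
            if rec["action"] == "download_file" and rec["actor"] in external_broad_grant:
                severity = "high"
        if reasons:
            findings.append({"ts": rec["ts"], "actor": rec["actor"],
                             "severity": severity, "reasons": reasons})
    return findings
```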
MITRE ATT&CK Mapping
- T1091 – Replication Through Removable Media (MITRE T1091): USB propagation, initial access.
- T1528 – Abuse Elevation Control Mechanism: Service account and token overprovisioning.
- T1204 – User Execution / Malicious File: Spearphishing, LNK delivery.
- T1041 – Exfiltration over C2 Channel: Cloud-to-external transfer via abused WorkDrive access.
No public IOCs are available for the discussed Zoho WorkDrive-specific attacks as of June 2024.

Prioritized Remediation Checklist
| Action | Owner | Effort | Why It Matters |
|---|---|---|---|
| Disable USB Autorun via GPO/EDR | SecOps | Low | Shuts down most opportunistic USB worms |
| Audit/remove overbroad OAuth scopes | CloudSec | Med | Reduces SaaS exfiltration and lateral movement |
| Enforce conditional access for SaaS/Zoho | Cloud/IT | Med | Blocks unauthorized external access |
| Harden segmentation/firewall rules | Network | High | Contains lateral movement, esp. OT -> IT |
| Implement USB device whitelisting control | SecOps | Med | Prevents unauthorized device connection |
| Centralize and retain USB/cloud logs (1yr) | SecEng | Low | Supports retrospective investigation |
Logging & Retention
- Collect:
- Windows Security/Audit logs (USB: 2003, 4100, 4103)
- Zoho WorkDrive Audit Trails and API logs
- Cloud sign-in logs (AAD, Google, Zoho)
- Retain for:
- 12 months minimum
- Centralize analysis:
- SIEM (Splunk, ELK), EDR backend, or equivalent
Further Reading & References
- MITRE ATT&CK T1091 – Removable Media
- Kaspersky: ScarCruft 2024 Tool Set (July 2024)
- Zoho WorkDrive API Documentation: OAuth Scopes
- Mandiant: ScarCruft APT Tactics (2022)
- Cloud Security Alliance: SaaS Security Best Practices (2023)
- CISA Network Segmentation Best Practices
- Unit42: OAuth Token Overprovisioning in the Enterprise
Author Bio
Alex Sorensen
Principal DevSecOps Architect (CISSP, OSCP)
18 years in blue/purple team incident response and secure architecture (OT/ICS, FSI, SaaS platforms). Led IR teams for Fortune 500, critical infrastructure, and regulated environments in North America and APAC. Does not sell security products. For consulting, see disclosure below.
Disclaimer
This analysis is presented for educational and operational defense purposes only. It does not accuse any specific vendor of negligence, and anecdotal cases are composites, not direct client work. The author does not receive compensation from any vendor referenced.
There’s a reason attackers still bother with USB sticks—they work. So unless you enjoy writing breach reports on a Friday, fix the basics. Or keep betting your OT bonus that default settings will finally stop an APT.