Top Cybersecurity Stories / News
The cybersecurity highlights of the month.
#1 NIST SP 1334 — The Government Just Validated Our Entire Pitch
In September 2025, the U.S. National Institute of Standards and Technology (NIST), through its National Cybersecurity Center of Excellence (NCCoE), published NIST SP 1334 — a two-page guide specifically dedicated to reducing the cybersecurity risks of portable storage media in OT environments. Short, dense, and surgically precise. Here’s what it covers:
- Procedural Controls – Every USB device from an external source must be treated as untrusted by default. Organizations must define strict authorization policies: who can use which device, on which system, and for what purpose. Devices must support FIPS hardware encryption. Full traceability logs (user identity, serial number, timestamp) are mandatory. And yes — staff training on procedures is non-negotiable.
- Physical Controls – Approved media must be inventoried, labeled, and stored in secure locations with access controls. Each label must specify who can use the device, on which network, and for what function. This sounds basic — yet it’s exactly what’s missing in the vast majority of industrial environments.
- Technical Controls – This is where it gets serious. NIST explicitly recommends: disabling unnecessary USB ports (logically via BIOS/OS/Group Policy, or physically via port locks), allowlisting file execution, mandatory scanning before AND after use, disabling Autorun, FIPS encryption of stored data, reformatting before reuse on different equipment, and real-time alerts on every insertion or data transfer.
- Transportation & Sanitization – The risk doesn’t stop at the facility door. All media transport between organizations must include hash or checksum integrity verification. And before disposal: complete sanitization with monitoring, approval, and full documentation of actions.
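The procedural and transportation controls above both come down to two mechanics: a hash manifest that travels with (or, better, separately from) the media, and a traceability record for each use of the device. The following script is an added example written for this newsletter, not NIST's or TYREX's code; SHA-256, the manifest file name, the JSON-lines log layout and the sample files are assumptions chosen for illustration. It builds a manifest on the sending side, re-checks the media on the receiving side, reports modified, missing and unexpected files, and appends a log entry with user identity, device serial and timestamp.

```python
"""Hash-manifest integrity check and traceability log for removable media.

Added example, not from NIST SP 1334 or any TYREX product; file layout,
function names and the JSON-lines log format are assumptions for illustration.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256.json"  # assumed name; excluded from the hashed set


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so a large firmware image never has to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 digest.
    The sending organization runs this before the media leaves the site."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_manifest(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the media contents with the manifest received from the sender.
    Returns files whose digest changed, files that are missing, and files present
    on the media that the manifest never listed (an added executable, for instance)."""
    actual = build_manifest(root)
    return {
        "modified": sorted(f for f in manifest if f in actual and actual[f] != manifest[f]),
        "missing": sorted(f for f in manifest if f not in actual),
        "unexpected": sorted(f for f in actual if f not in manifest),
    }


def log_media_event(log_path: Path, user: str, serial: str, action: str, result: dict) -> dict:
    """Append one traceability record (who, which device, when, outcome) as a JSON line."""
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "device_serial": serial,
        "action": action,
        "result": result,
    }
    with log_path.open("a", encoding="utf-8") as f:
        f.write(json.dumps(record) + "\n")
    return record


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a vendor drive is manifested, then altered before arrival."""
    with tempfile.TemporaryDirectory() as tmp:
        media = Path(tmp)
        (media / "fw").mkdir()
        (media / "fw" / "fms_update.bin").write_bytes(b"\x00" * 4096)  # constructed payload
        (media / "README.txt").write_text("vendor release notes\n")
        manifest = build_manifest(media)  # sender side
        # Changes simulated in transit: one file altered, one added, one removed.
        (media / "fw" / "fms_update.bin").write_bytes(b"\x00" * 4095 + b"\x01")
        (media / "fw" / "extra_tool.exe").write_bytes(b"MZ")
        (media / "README.txt").unlink()
        result = verify_manifest(media, manifest)  # receiver side
        log_media_event(media / "transfer.log", "tech-0042", "SN-EXAMPLE-0001", "inbound-verify", result)
        return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

One design point worth noting: a manifest stored on the same drive can be rewritten along with the files it describes, so the sender should deliver it over a separate channel (or sign it), and the receiving site should treat a non-empty "unexpected" list as a failed check, not a warning.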
Read NIST SP 1334 Directly Here
Our 2 Cents
Frankly, we’re not going to pretend we’re not pleased. When the leading U.S. cybersecurity authority publishes an official guide that reads like our sales deck… we say thank you 😄. Everything NIST recommends — scanning media before AND after use, treating every external device as untrusted by default, combining physical and technical controls, logging every insertion — is exactly what TYREX kiosks do every single day in industrial environments.
This document sends a clear signal to CISOs and production managers: this is no longer an optional best practice. It’s becoming a regulatory expectation. Those who don’t yet have a USB decontamination protocol in place had better not wait for the next compliance deadline to act.
#2 Transparent Tribe Uses AI to Mass-Produce Malware — The Factory Is Open
Pakistan-aligned threat actor Transparent Tribe (APT36) just crossed a line that most experts were calling ‘the near future’ only two years ago. According to new research from Bitdefender (published March 2026), the group is now using AI-powered coding tools to mass-produce malware implants targeting Indian military personnel, defense contractors, and government officials.

The strategy isn’t to create one ultra-sophisticated piece of malware. It’s to flood targets with a high volume of disposable, polymorphic binaries — developed in obscure programming languages like Nim, Zig, and Crystal, and piggybacking on trusted services like Slack, Discord, and Google Sheets to fly under antivirus radars. The arsenal includes CreepDropper, LuminousStealer, CrystalShell, SupaServ — all likely AI-generated or AI-assisted.
What’s also evolved: the phishing lures. Once riddled with grammatical errors, they’re now alarmingly well-written, personalized, and contextually precise. The barrier to entry for high-level cyberattacks has effectively collapsed.
Read the full Hacker News article here
Our 2 Cents
What’s fascinating — and genuinely alarming — about this story is the paradigm shift. We’re no longer talking about a group that creates one sophisticated malware. We’re talking about an AI-powered malware factory producing variants so fast and in such volume that traditional defenses can barely keep up. The experts who called this ‘the near future’ two years ago? It’s here.
The USB link? Direct. When polymorphic, constantly changing implants are generated on the fly, signature-based antivirus becomes insufficient. This is precisely why a behavioral and heuristic approach — like the one embedded in TYREX’s detection engine — becomes critical. Detecting what you don’t yet know: that’s the fight of today.
Christophe’s Cybersecurity Geeking Corner
What is Device Certification?
Imagine your office building. Everyone who enters has to show their badge at the door. No badge? No entry. Simple, effective, non-negotiable. Device Certification is exactly that — but for your USB devices.
In the broader cybersecurity world, the concept of certifying a device before granting it access is well established. Network Access Control (NAC) solutions like Cisco ISE or Forescout check that a device meets your security policy before letting it onto the network. PKI (Public Key Infrastructure) uses digital certificates to authenticate equipment in enterprise environments. TPM chips verify system integrity at boot. The common thread? Nothing gets in without proof that it’s trustworthy.
The problem? None of these were designed with USB and removable media in mind. They guard the network edge — not the USB port on your plant floor or maintenance bay.
That’s where Tyrex comes in. After a USB device passes our multi-engine decontamination scan, the station can issue a tamper-proof digital certificate directly to the device — its badge, if you will. Pair that with the TYREX Workstation Protect Agent deployed on your endpoints, and the rule becomes absolute: no certificate, no connection. A drive that hasn’t been through the kiosk simply doesn’t exist as far as your systems are concerned.
Zero Trust, applied to the physical world.
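To make the "badge" idea concrete, here is an added example of an issue-and-verify flow between a scanning station and an endpoint agent. It is not TYREX's code or certificate format: it uses an HMAC-SHA256 tag under a secret shared by the kiosk and the agent (Python standard library only) where a production system would use PKI signatures, and the field names, the eight-hour validity window and the sample device identities are assumptions. The agent applies exactly the rule stated above: no certificate, no connection, and a certificate that was issued for a different device, has been edited, or has expired is treated as no certificate at all.

```python
"""Device "badge" issue-and-verify flow illustrating the certification idea above.

Added example, not TYREX code or its certificate format. HMAC-SHA256 under a shared
secret stands in for the PKI signature a real deployment would use; field names,
validity window and device identities are assumptions.
"""
import base64
import hashlib
import hmac
import json

SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"  # assumption: provisioned out of band
VALIDITY_SECONDS = 8 * 3600  # assumption: a badge is good for one shift


def _canonical(obj: dict) -> bytes:
    """Stable serialization so the tag covers exactly the bytes the verifier re-derives."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _tag(payload: dict, secret: bytes) -> str:
    return hmac.new(secret, _canonical(payload), hashlib.sha256).hexdigest()


def issue_certificate(device: dict, scan_verdict: str, issued_at: int,
                      secret: bytes = SHARED_SECRET) -> str:
    """Kiosk side: only a clean scan yields a badge, and the badge is bound to the
    identity (serial, vendor id, product id) the device presented during that scan."""
    if scan_verdict != "clean":
        raise ValueError("no certificate is issued for a device that did not pass the scan")
    payload = {
        "serial": device["serial"],
        "vid": device["vid"],
        "pid": device["pid"],
        "scan": scan_verdict,
        "issued_at": issued_at,
        "expires_at": issued_at + VALIDITY_SECONDS,
    }
    token = {"payload": payload, "tag": _tag(payload, secret)}
    return base64.urlsafe_b64encode(_canonical(token)).decode()


def verify_certificate(cert: str, device: dict, now: int,
                       secret: bytes = SHARED_SECRET) -> tuple[bool, str]:
    """Endpoint-agent side: re-derive the tag, then check device binding and validity."""
    try:
        token = json.loads(base64.urlsafe_b64decode(cert.encode()))
        payload, tag = token["payload"], token["tag"]
    except (ValueError, KeyError, TypeError):
        return False, "malformed certificate"
    if not hmac.compare_digest(_tag(payload, secret), str(tag)):
        return False, "tag mismatch (tampered or issued by an unknown kiosk)"
    for field in ("serial", "vid", "pid"):
        if payload.get(field) != device.get(field):
            return False, f"certificate bound to a different device ({field})"
    if not payload.get("issued_at", 0) <= now < payload.get("expires_at", 0):
        return False, "certificate expired or not yet valid"
    if payload.get("scan") != "clean":
        return False, "scan verdict not clean"
    return True, "ok"


def agent_decision(device: dict, cert, now: int) -> str:
    """The rule from the text: no certificate, no connection."""
    if cert is None:
        return "BLOCK: no certificate"
    ok, reason = verify_certificate(cert, device, now)
    return "ALLOW" if ok else f"BLOCK: {reason}"


def demo() -> dict[str, str]:
    """Constructed scenario covering the cases an agent has to get right."""
    now = 1_700_000_000
    scanned = {"serial": "SN-EXAMPLE-0001", "vid": "0781", "pid": "5591"}  # constructed identity
    other = {"serial": "SN-EXAMPLE-0002", "vid": "0781", "pid": "5591"}
    cert = issue_certificate(scanned, "clean", now)
    # Edited copy: the payload's serial is changed but the tag is left as issued.
    token = json.loads(base64.urlsafe_b64decode(cert.encode()))
    token["payload"]["serial"] = other["serial"]
    forged = base64.urlsafe_b64encode(_canonical(token)).decode()
    return {
        "scanned_device_now": agent_decision(scanned, cert, now + 60),
        "unscanned_device": agent_decision(other, None, now + 60),
        "certificate_moved_to_other_device": agent_decision(other, cert, now + 60),
        "edited_serial": agent_decision(other, forged, now + 60),
        "next_day": agent_decision(scanned, cert, now + VALIDITY_SECONDS + 1),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:36} {decision}")
```

The binding to serial, vendor id and product id is only as strong as the identity the device reports over USB, which is why the text pairs certification with firmware-level checks rather than relying on the badge alone; the validity window also forces a drive back through the kiosk rather than letting a one-time scan vouch for it indefinitely.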
Gérard’s Top Cybersecurity Resources
To become a cybersecurity “informed” thought leader.
NIST SP 1334 — The Must-Read of the Month
We already covered it in the news section, but this one deserves its own spotlight in Resources too. If you work in OT, manufacturing, aerospace, energy, or defense contracting, this two-pager from NIST’s NCCoE is mandatory reading for your security team. Print it. Laminate it. Send it to your CISO.
TYREX USB Security for Aerospace
If this edition’s case study resonated with you — especially if you work in aviation, defense contracting, or MRO — our aerospace-specific USB security page walks through the exact threat landscape and how TYREX addresses CMMC 2.0 and FAA compliance requirements.

Explore TYREX Aerospace Solutions
Cybersecurity Experts We Follow
One person in cybersecurity we follow from the U.S. and France.
Gérôme Billois 🇫🇷
Partner at Wavestone and one of France’s most respected cybersecurity voices. Gérôme bridges the gap between technical depth and strategic clarity — whether he’s commenting on regulatory developments or dissecting the latest APT campaign. A must-follow for the European perspective on OT security.
USBs Gone Wild
Operation Silent Avionics
The Context: When a Maintenance Bay Becomes Ground Zero
AeroLink Systems (fictional name 😉) is a mid-sized US defense contractor specializing in avionics software updates and electronic flight bag management for a fleet of commercial and military aircraft. Like most aerospace organizations, they operate in a hybrid environment: some systems are cloud-connected, others are strictly air-gapped. USB drives are not optional — they’re the backbone of how firmware updates reach aircraft systems that will never touch the internet. In other words: the perfect target.
The Setup: An Ordinary Tuesday Morning
A maintenance technician at one of AeroLink’s MRO facilities receives what appears to be a routine USB drive from a third-party avionics vendor. The drive supposedly contains a certified firmware update for a flight management system — standard procedure, nothing unusual. The vendor is known, the request is expected, the timing aligns with a scheduled maintenance window. Nobody flags it.
The technician plugs the drive directly into the avionics workstation. Scanning? Not part of the workflow. The team is under pressure to turn the aircraft around in under four hours.
The Attack: Quiet, Patient, Devastating
What was on that drive wasn’t just a firmware update. Buried in the file structure was a variant of a worm with characteristics eerily similar to the AI-generated implants now being churned out by state-sponsored groups — low-signature, polymorphic, designed specifically to evade traditional antivirus detection. Once executed, the malware did three things simultaneously:
- Installed a backdoor into the avionics workstation, creating a persistent communication channel via a legitimate cloud service — invisible to standard network monitoring.
- Quietly copied classified CAD/CAM design files and flight management configuration data to a hidden partition, staging them for exfiltration.
- Propagated to every USB device subsequently connected to that workstation — turning each of those drives into a potential carrier for the next facility.
For three weeks, nothing looked wrong. The aircraft flew. The systems reported nominal. The logs showed nothing.
The Discovery: Too Late, Too Costly
The breach was only uncovered during a routine CMMC 2.0 compliance audit, when an assessor flagged anomalous outbound traffic patterns that the internal team had missed. By then, the malware had spread to two additional maintenance bays and an engineering workstation handling classified defense contracts. The investigation took six weeks. The cost? Millions in remediation, a suspended contract, and a very uncomfortable conversation with the DoD.
How the TYREX TOTEM Changes This Story Entirely
- Mandatory scan before entry. Every vendor USB, regardless of source or reputation, passes through the TOTEM before it goes anywhere near a workstation. No exceptions, no shortcuts, no “we know this vendor” bypass.
- Multi-engine detection catches what signatures miss. The TOTEM deploys up to five antivirus engines and two antimalware engines simultaneously, including behavioral and heuristic analysis. The polymorphic worm — invisible to signature-based tools — would have triggered behavioral anomaly detection before a single file executed.
- BadUSB detection at firmware level. If the drive had also been weaponized at the firmware level to impersonate a keyboard or input device, the TOTEM’s firmware analysis would have flagged it immediately.
- Digital certification + Workstation Protect Agent. Only TOTEM-certified devices can connect to protected workstations. An uncertified drive — however legitimate it looks — simply doesn’t get in. Zero Trust, enforced at the hardware level.
- Full audit trail, SIEM integration. Every scan, every detection, every device interaction is logged in real time and pushed to the TYREX Management Server. When the CMMC 2.0 auditor shows up, the evidence trail is already there, clean and complete.
The Lesson
In aerospace, the consequences of a USB breach aren’t just financial. They’re operational, contractual, and in the worst cases, safety-critical. The USB drive that updated a flight management system yesterday could be carrying the next supply chain attack today — especially as AI now allows threat actors to produce custom, targeted malware at industrial scale. The question isn’t whether your vendor is trustworthy. It’s whether their USB drive is.
Up for a Cybersecurity Chat with Gérard & Christophe?
Whether you’re a CISO trying to close compliance gaps, a plant manager worried about your OT environment, or just someone who found a suspicious USB in the parking lot (seriously, don’t plug it in) — we’re here to help.
Here are three ways we can help you:
- You have a business challenge related to cyber — Schedule a 30-minute cybersecurity check-up call with Gérard
- Check our product catalog to keep you safe → us.tyrex-cyber.com
Powered by Tyrex USA
Our mission is to protect organizations worldwide from the rapidly evolving cyber threats from USB drives and other removable media.