[BreachExchange] FBI warns of hackers mailing malicious USB sticks to businesses

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Mon Jan 10 11:30:54 EST 2022


https://www.itpro.co.uk/security/cyber-attacks/361932/fbi-warning-badusb-attacks-us-businesses

The Federal Bureau of Investigation (FBI) has alerted US businesses to a
rise in cyber attacks being committed via the US postal service, with
hackers mailing malicious USB sticks to victims and deceiving them into
installing malware on machines.

If the USB stick enclosed in the package sent to victims was plugged into a
computer, it would lead to a BadUSB attack whereby the USB device would
register itself as a keyboard and execute a number of pre-configured
keystrokes on the victim's machine, according to the FBI.

These keystroke scripts would lead to PowerShell commands being executed
and to the download and installation of a variety of malware strains that
acted as backdoors to the victims' networks to launch future cyber attacks.
Resources the attackers installed included vulnerability-scanning and
pentest tools such as Metasploit and Cobalt Strike, as well as BlackMatter
and REvil ransomware, among others.
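The chain the FBI describes has a detectable shape on the endpoint: a new keyboard-class USB device is enumerated, and seconds later a PowerShell process starts with the kind of arguments a keystroke script would type. The following detection sketch is an added example, not code from the article, the FBI alert or any vendor. It correlates those two event kinds over constructed sample log lines in a simplified `key=value` format assumed for this example; mapping it onto a real source (Windows PnP and process-creation audit events, or an EDR feed) is left to the reader.

```python
"""Detection sketch for BadUSB-style keystroke injection: flag a PowerShell
process that starts within a short window after a keyboard-class USB device
is enumerated on the same host. Runs over constructed sample log lines."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed sample telemetry (not real logs). Format, assumed for this example:
#   <ISO timestamp> <host> <event_kind> key=value ...
# Feeding this from real device-arrival and process-creation audit events is an
# assumption of the example and is not shown here.
SAMPLE_LOG = [
    r'2022-01-10T09:01:02Z WS-042 device_added class=HIDClass name="USB Input Device"',
    r'2022-01-10T09:01:05Z WS-042 process_start image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell.exe -w hidden -nop -enc <BASE64-PLACEHOLDER>"',
    r'2022-01-10T09:30:00Z WS-042 process_start image=C:\Windows\explorer.exe cmd="explorer.exe"',
    # Legitimate keyboard plugged in; PowerShell launched 25 minutes later: no alert.
    r'2022-01-10T10:15:40Z WS-017 device_added class=HIDClass name="Logitech USB Keyboard"',
    r'2022-01-10T10:40:12Z WS-017 process_start image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell.exe Get-Date"',
    # Plain storage device, not a keyboard: outside this rule's scope.
    r'2022-01-10T11:02:55Z WS-099 device_added class=DiskDrive name="USB Mass Storage"',
    r'2022-01-10T11:03:01Z WS-099 process_start image=C:\Windows\System32\notepad.exe cmd="notepad.exe"',
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>\S+) ?(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str
    fields: dict


@dataclass
class Alert:
    host: str
    device_name: str
    device_ts: datetime
    process_ts: datetime
    command: str
    indicators: list
    severity: str


def parse_line(line: str) -> Event:
    """Parse one constructed log line into an Event; quoted values keep spaces."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable line: {line!r}")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m["rest"])}
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, m["host"], m["kind"], fields)


def parse_log(lines):
    return [parse_line(line) for line in lines]


# Windows device setup classes under which an injected keyboard enumerates.
KEYBOARD_CLASSES = {"HIDClass", "Keyboard"}
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")
# Argument fragments typical of a typed-in download-and-run one-liner.
SUSPICIOUS_ARGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden",
                   "-nop", "downloadstring", "invoke-webrequest", "invoke-expression")


def find_hid_to_powershell(events, window=timedelta(seconds=30)):
    """Return one Alert per (keyboard arrival, PowerShell start) pair on the
    same host where the process started within `window` of the arrival."""
    alerts = []
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    for host, evs in by_host.items():
        for i, dev in enumerate(evs):
            if dev.kind != "device_added" or dev.fields.get("class") not in KEYBOARD_CLASSES:
                continue
            for proc in evs[i + 1:]:
                if proc.ts - dev.ts > window:
                    break  # events are time-sorted; nothing later can match
                image = proc.fields.get("image", "").lower()
                if proc.kind != "process_start" or not image.endswith(POWERSHELL_IMAGES):
                    continue
                cmd = proc.fields.get("cmd", "")
                hits = [a for a in SUSPICIOUS_ARGS if a in cmd.lower()]
                # Any PowerShell start right after a new keyboard deserves a look;
                # hidden-window, encoded or download arguments raise it to high.
                severity = "high" if hits else "medium"
                alerts.append(Alert(host, dev.fields.get("name", "?"), dev.ts,
                                    proc.ts, cmd, hits, severity))
    return alerts


if __name__ == "__main__":
    for a in find_hid_to_powershell(parse_log(SAMPLE_LOG)):
        delay = (a.process_ts - a.device_ts).total_seconds()
        print(f"[{a.severity.upper()}] {a.host}: PowerShell {delay:.0f}s after "
              f"'{a.device_name}' arrived; indicators={a.indicators}; cmd={a.command!r}")
```

On the sample data only WS-042 fires: the keyboard on WS-017 is followed by PowerShell far outside the 30-second window, and the storage device on WS-099 is not a keyboard at all. The window is the knob to tune; a typed-in script runs within seconds of enumeration, so a tight window keeps ordinary keyboard swaps from paging anyone.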

Successful cases have been observed by the FBI in which attackers were able
to gain administrator access to machines and then move laterally across the
victim's network.

The FBI said the FIN7 hacking group is behind the waves of attacks on US
industries since August 2021 - the same group behind the DarkSide and
BlackMatter ransomware campaigns.

Most recently, FIN7 has been targeting the US defence industry since
November 2021 but companies in the transportation and insurance sectors
were receiving malicious packages as far back as August 2021.

The FBI also said the attackers were using the United States Postal Service
(USPS) and United Parcel Service (UPS) to deliver the LilyGO-branded USB
sticks pre-loaded with malware, in packages that appeared to come from
reputable organisations such as Amazon and the US Department of Health and
Human Services (HHS).

"Since August 2021, the FBI has received reports of several packages
containing these USB devices, sent to US businesses in the transportation,
insurance, and defence industries," said the FBI in an alert, as reported
by The Record. "The packages were sent using the United States Postal
Service and United Parcel Service.

"There are two variations of packages - those imitating HHS are often
accompanied by letters referencing COVID-19 guidelines enclosed with a USB;
and those imitating Amazon arrived in a decorative gift box containing a
fraudulent thank you letter, counterfeit gift card, and a USB."

An ancient attack method
The method of simply plugging a malicious USB stick into a victim's
machine dates back many years and has been given various names in the
infosec community during that time, among them Rubber Ducky attacks,
PoisonTap, USBdriveby, USBharpoon, and BadUSB.

For years, the method has also been used by pentesters with a good degree
of success, leveraging human curiosity to see what's on a USB drive they
discover by chance. People will often plug a lost, unknown USB stick into
their own machine before attempting to return it to its rightful owner - a
habit cyber criminals have learned to use to their advantage.

"The use of tangible tools for infection - such as USB sticks, have been
and continue to be ever effective, especially in today's current climate,"
said Alan Calder, CEO at GRC International Group to IT Pro. "Working from
home is now more widespread than a few years ago, and the likelihood of
someone receiving a malicious USB stick and plugging it into a PC in an
unsupervised setting is much greater.

"Cyber criminals are knowingly using this hybrid working shift to their
advantage, which means the need for regular cyber security risk assessments
to outline and mitigate these threats has never been greater."

The BadUSB project was first unveiled at Black Hat in 2014 by security
researchers at SR Labs, Karsten Nohl and Jakob Lell. The pair showed how
the attack method could be used to install malware, as well as steal data
and spoof network cards.

It has since inspired a number of related projects, including one hacker
who applied the principles to Mac-hacking iPhone lightning cables and
distributed them around Def Con in 2019. The malicious iPhone cables allowed
attackers to remotely execute commands on a victim's device and were sold
for as little as $200 under the radar at the event.

It also isn't the first time FIN7 has made use of the postal system to
deliver attacks. In a similar campaign in March 2020, FIN7 impersonated
Best Buy to mail packages containing USB sticks to hospitality and retail
businesses.