Image: Brina Blum
The Federal Bureau of Investigation (FBI) warned U.S. companies in a recently updated flash alert that the financially motivated cybercriminal group FIN7 was targeting the U.S. defense industry with packages containing malicious USB devices to deploy ransomware.
The attackers sent packages containing “BadUSB” or “Bad Beetle USB” devices with the LilyGO logo, commonly available for sale on the Internet.
They have used the United States Postal Service (USPS) and United Parcel Service (UPS) to email malicious packages to companies in the transportation and insurance industries since August 2021 and to defense companies from November 2021.
BlackMatter or REvil ransomware deployed on breached networks
FIN7 operators have impersonated Amazon and the US Department of Health and Human Services (HHS) to trick targets to open packages and connect USB drives to their systems.
Since August, reports received by the FBI indicate that these malicious packages also contain letters about COVID-19 guidelines or forged gift cards and forged thank you notes, according to the spoofed entity.
After targets plug the USB drive into their computers, it automatically registers as a Human Interface Device (HID) keyboard (allowing it to work even with removable storage devices disabled).
It then starts injecting keystrokes to install malware payloads on compromised systems.
FIN7’s end goal in such attacks is to access victims’ networks and deploy ransomware (including BlackMatter and REvil) within a compromised network using various tools including Metasploit, Cobalt Strike , Carbanak malware, Griffon backdoor, and PowerShell scripts.
Malware pushed using teddy bears
The attacks follow another series of incidents the FBI warned about two years ago when the operators of FIN7 posed as Best Buy and sent similar packages with malicious USB drives through USPS to hotels, restaurants and retail businesses.
Reports of such attackers began to surface in February 2020. Some of the targets also reported that the hackers had emailed or called to force them to connect the drives to their systems.
As of at least May 2020, malicious packages sent by FIN7 also included things like teddy bears designed to trick targets into letting their guard down.
Attacks like those attempted by FIN7 are known as HID or USB drive-by attacks, and they can only be successful if victims are willing or tricked to plug unknown USB devices into their workstations.
Organizations can defend against such attacks by allowing their employees to only connect USB devices based on their hardware ID or if they are controlled by their security team.