The FBI has warned that threat actors from the FIN7 cybercrime group have resorted to an old trick: mailing USB sticks loaded with BadUSB malware to companies. The attackers disguise the packages so that they appear to recipients to come from the Department of Health and Human Services (HHS) or Amazon.
“Since August 2021, the FBI has received reports of several packages containing these USB devices, sent to US businesses in the transportation, insurance, and defense industries,” said the FBI in an alert, first reported by The Record. “The packages were sent using the United States Postal Service and United Parcel Service,” according to the alert.
The parcels in these cases contained LilyGO-branded USB devices.
USB Exploits: An Old Classic
Cybercriminals continue to use USB sticks because the technique still succeeds in getting unsuspecting victims to plug them into their laptops; users are curious and want to see what secrets the sticks contain.
Kurt Markley, managing director, USA, for Apricorn, pointed out that mailing malware-loaded USB sticks was quite common years ago but has become less so today, which makes the timing right to try the tactic again.
“Why not dust off a classic and see if it still works? No one is expecting an attacker to try this method now,” he said. “All an attacker needs is one employee to take the bait, and this Trojan horse would completely bypass all of the security measures put in place to defend on the cyber level.”
Markley said beyond whitelisting and endpoint control of all USB port activity, the most important defense mechanism any company can implement against this tactic is continuous education for all staff, top to bottom.
“Company security should be driven home at every level, regularly,” he said. “It’s not just a matter of stating the rules of what to do or what not to do; more importantly, it needs to explain the how and why behind these rules. Security policy has to be thoroughly understood to be universally adopted.”
Frequent and regular communication is also key, along with education about policy, possibly reinforced with a test that is administered regularly.
“Additionally, stay in front of all employees and management with update news, new developments in attack strategy, new developments in internal security measures,” Markley said.
He pointed out that while this specific attack was packaged to look like it came from trusted sources (HHS or Amazon), another tactic could disguise the package so that it appears to come from an individual’s company headquarters, possibly from the HR department, and address the malicious USB to the employee.
In this case, it is necessary to educate the employee on the need to report any such package and not to use it unless a second factor is issued, like an email from the HR director alerting the employee about it.
“As always, employees must understand that if they aren’t sure, they need to call the IT dept to confirm,” Markley said.
The Path of Least Resistance
Chris Morales, CISO at Netenrich, a digital IT and security operations company, pointed out the attack vector used for initial compromise has more to do with opportunity and path of least resistance.
“Sending a USB drive in the mail is equivalent to sending a malicious email a user clicks on,” he said. “Two different forms of social engineering in hopes something works; nothing more complicated than that.”
Because a physical device executes with the permissions of the local user, it would just take attackers targeting the right user with the right level of permissions for this kind of attack to succeed.
“Surely there are enough memes on the internet to get the point across to the general population,” Morales said. “This is not an advanced attack, and it is disappointing it still succeeds. We know it succeeds because it is still used.”
He explained that there are many opportunities here to disrupt the attack life cycle: creating a whitelist of approved hardware types, monitoring for malicious use of PowerShell, and detecting malicious software loaders and remote execution by a system to other network systems.
“However, all that costs money and requires systems and people,” Morales said. “Not inserting a random USB drive into a computer would be the simplest option.”
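The hardware whitelist Morales mentions can be sketched as a check on what a device reports when it enumerates, rather than on what its casing or packaging claims. This is an added example, not code from the FBI alert or from anyone quoted here; the device records, vendor/product IDs and allowlist entries are constructed for illustration.

```python
from dataclasses import dataclass

# USB-IF class codes reported in each interface descriptor
HID, MASS_STORAGE = 0x03, 0x08
KEYBOARD = 0x01  # bInterfaceProtocol value for a HID keyboard

@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    product: str
    interfaces: tuple  # of (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol)

# Hypothetical policy: (vid, pid) -> interface classes approved for that model.
# All IDs below are constructed, not real vendor assignments.
ALLOWLIST = {
    (0x1111, 0x0001): {MASS_STORAGE},  # company-issued storage drive
    (0x2222, 0x0002): {HID},           # standard-issue keyboard
}

def evaluate(dev):
    """Return (verdict, reasons) for a device that has just enumerated."""
    reasons = []
    approved = ALLOWLIST.get((dev.vid, dev.pid))
    classes = {cls for cls, _sub, _proto in dev.interfaces}
    if approved is None:
        reasons.append("vid:pid not on allowlist")
        approved = set()
    elif not classes <= approved:
        extra = ", ".join(f"0x{c:02x}" for c in sorted(classes - approved))
        reasons.append(f"unapproved interface class: {extra}")
    # A "stick" that enumerates as a keyboard can type commands as the
    # logged-in user, so call it out even when the IDs look familiar.
    if HID not in approved and any(
        cls == HID and proto == KEYBOARD for cls, _sub, proto in dev.interfaces
    ):
        reasons.append("presents a keyboard interface")
    return ("block" if reasons else "allow"), reasons

# Constructed sample devices
ISSUED_DRIVE = UsbDevice(0x1111, 0x0001, "Issued Drive", ((0x08, 0x06, 0x50),))
ISSUED_KEYBOARD = UsbDevice(0x2222, 0x0002, "Office Keyboard", ((0x03, 0x01, 0x01),))
MAILED_STICK = UsbDevice(0x9999, 0x0003, "USB Flash Disk", ((0x03, 0x01, 0x01),))
# Same IDs as the issued drive, but with an extra keyboard interface
CLONED_IDS = UsbDevice(0x1111, 0x0001, "Issued Drive",
                       ((0x08, 0x06, 0x50), (0x03, 0x01, 0x01)))

if __name__ == "__main__":
    for d in (ISSUED_DRIVE, ISSUED_KEYBOARD, MAILED_STICK, CLONED_IDS):
        print(f"{d.vid:04x}:{d.pid:04x} {d.product!r}: {evaluate(d)}")
```

The last sample shows why matching on vendor and product ID alone is not enough: the IDs match an approved drive, but the extra keyboard interface still gets the device blocked.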
Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, a provider of cloud identity security solutions, pointed out that organizations can reduce the risks from hardware-based attacks by applying the principle of least privilege to ensure that no matter what gets executed on devices, the blast radius is contained.
“In addition to the principle of least privilege, it is always important to continue cybersecurity awareness training sessions with employees,” Carson said. “You can also prevent applications from being executed via USB devices by using application control technologies that control what and how applications get executed, along with limiting privileges.”
From Carson’s perspective, employee training is critical to reducing the risks from hardware-based attacks. Training and education can go a long way toward ensuring employees understand that unless they know where the device has come from they should never plug it in.
“If they do, use a data blocker device to stop the USB from running any malicious code,” he said. “These attacks continue to be successful; shifting work conditions have not impacted the techniques used by cybercriminals. They will always continue to use hacking techniques that are successful.”