The FBI is reporting that cybercriminals have been soliciting USB drives containing malware via the United States Post Office (USPS) and the United Parcel Service (UPS).
“Since August 2021, the FBI has received reports of several packages containing these USB devices, sent to US businesses in the transportation, insurance, and defense industries,” the Bureau said in a security alert sent recently to US organizations.
“There are two variations of packages—those imitating HHS [US Department of Health and Human Services ] are often accompanied by letters referencing COVID-19 guidelines enclosed with a USB; and those imitating Amazon arrived in a decorative gift box containing a fraudulent thank you letter, counterfeit gift card, and a USB.”
In both cases, the packages contained LilyGO-branded USB devices.
These malicious USB drives can be used in the following ways:
- To exfiltrate files or install malware – The USB drive will emulate a keyboard and issue commands on behalf of the end-user.
- Spoof a network card – In this case, the USB drive will change the computer’s DNS settings and redirect traffic.
- Boot or install viruses and/or malware – The device can detect when the computer is starting up and running/install a variety of nasty software.
These “BadUSB” attacks are a prime example of Baiting, a Social Engineering attack tactic. Baiting is:
“One of the simplest social engineering techniques since all that it involves is an external storage device. An attacker will leave a malware-infected external storage device in a place where other people can easily find it.
It could be in the washroom of an organization, in the elevator, at the reception desk, on the pavement, or even in the parking lot. Greedy or curious users in an organization will then retrieve the object and hurriedly plug it into their machines. Attackers are normally crafty and will leave files in the flash drive that a victim will be tempted to open.”
The FBI believes the group behind these BadUSB attacks is FIN7. FIN7 is the same group behind ransomware attacks like DarkSide and BlackMatter. If “DarkSide” rings a bell, it’s because it’s the ransomware variant used for the Colonial Pipeline attack on May 6th of last year.
It’s mind-boggling, at least to us here at Security7, that people would even be slightly inclined to plug an unknown USB drive into their computer. Whether it’s been found in the mail, in the parking lot, or on the floor of an office. It’s bad hygiene and explaining why should be an integral part of any organization’s cybersecurity awareness training program.
That said, what might be common sense to us isn’t necessarily common sense to others and attackers know that. Since the start of the pandemic, Social Engineering Attacks have risen almost 85% (according to the FBI via Security Intelligence) and have accounted for about $1.8 billion in financial losses.
There are a few different methods that can be used to stop this from happening at your place of business:
- Implement a cybersecurity awareness training program – People are usually unwilling to adhere to rules that haven’t been explained to them. If you can educate someone on the hazards related to a particular behavior, it’s more likely your end-users will respond positively to any changes made. If you can show them why plugging in a stray USB drive might be detrimental to the business’ health, they’ll be more likely to turn anything they find into a network administrator than they will be to just plug it in.
- Disable USB ports – Why use a scalpel when you’ve got a machete, right? The nuclear option is just to disable all the USB ports on your endpoints. That way, regardless of what’s plugged it won’t be able to work. It might seem simplistic or strong-handed but it works.
Other than what’s mentioned above, it’s up to you regarding what happens if you encounter a strange USB device. If it were up to us though, we’d tell you not to plug it in…
Like our blog? Subscribe using the CTA in the upper right-hand corner of this page. Feel like sharing your thoughts with us? Use the comment section below.
