The FBI is reporting that cybercriminals have been soliciting USB drives containing malware via the United States Post Office (USPS) and the United Parcel Service (UPS).
“Since August 2021, the FBI has received reports of several packages containing these USB devices, sent to US businesses in the transportation, insurance, and defense industries,” the Bureau said in a security alert sent recently to US organizations.
“There are two variations of packages—those imitating HHS [US Department of Health and Human Services ] are often accompanied by letters referencing COVID-19 guidelines enclosed with a USB; and those imitating Amazon arrived in a decorative gift box containing a fraudulent thank you letter, counterfeit gift card, and a USB.”
In both cases, the packages contained LilyGO-branded USB devices.
These malicious USB drives can be used in the following ways:
These "BadUSB" attacks are a prime example of Baiting, a Social Engineering attack tactic. Baiting is:
"One of the simplest social engineering techniques since all that it involves is an external storage device. An attacker will leave a malware-infected external storage device in a place where other people can easily find it.
It could be in the washroom of an organization, in the elevator, at the reception desk, on the pavement, or even in the parking lot. Greedy or curious users in an organization will then retrieve the object and hurriedly plug it into their machines. Attackers are normally crafty and will leave files in the flash drive that a victim will be tempted to open."
The FBI believes the group behind these BadUSB attacks is FIN7. FIN7 is the same group behind ransomware attacks like DarkSide and BlackMatter. If "DarkSide" rings a bell, it's because it's the ransomware variant used for the Colonial Pipeline attack on May 6th of last year.
It's mind-boggling, at least to us here at Security7, that people would even be slightly inclined to plug an unknown USB drive into their computer. Whether it's been found in the mail, in the parking lot, or on the floor of an office. It's bad hygiene and explaining why should be an integral part of any organization's cybersecurity awareness training program.
That said, what might be common sense to us isn't necessarily common sense to others and attackers know that. Since the start of the pandemic, Social Engineering Attacks have risen almost 85% (according to the FBI via Security Intelligence) and have accounted for about $1.8 billion in financial losses.
There are a few different methods that can be used to stop this from happening at your place of business:
Other than what's mentioned above, it's up to you regarding what happens if you encounter a strange USB device. If it were up to us though, we'd tell you not to plug it in...
Like our blog? Subscribe using the CTA in the upper right-hand corner of this page. Feel like sharing your thoughts with us? Use the comment section below.
Carl Keyser : Jun 13, 2022 12:03:06 PM
It's no secret that passwords are a pain in the butt. They can be difficult to remember, they're a huge target for cybercriminals, etc.
Carl Keyser : Jun 6, 2022 2:18:48 PM
A newly discovered exploit is using a flaw in Microsoft's Support Diagnostic Tool (MSDT) to remotely take over end-points via compromised Word...
Carl Keyser : May 26, 2022 8:00:00 AM
It used to take a good deal of coding knowledge to build a website or an application. That's not the case anymore. You can build a website in...