FBI warns of hackers mailing malicious USB sticks to businesses

Getty Illustrations or photos

The Federal Bureau of Investigation (FBI) has alerted US businesses to a increase in cyber attacks remaining committed by means of the US postal provider, with hackers mailing malicious USB sticks to victims and deceiving them into putting in malware on machines.

If the USB adhere enclosed in the bundle despatched to victims was plugged into a personal computer, it would direct to a BadUSB attack whereby the USB product would sign-up by itself as a keyboard and execute a amount of pre-configured keystrokes on the victim’s machine, according to the FBI. 

✔ Approved From Our Partners

Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.

Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).

➤ Activate Your Coupon Code

These keystroke scripts would direct to PowerShell commands getting executed and to the obtain and set up of a wide range of malware strains that acted as backdoors to the victims’ networks to launch potential cyber attacks. Methods the attackers installed included vulnerability-scanning and pentest tools this sort of as Metasploit and Cobalt Strike, as perfectly as BlackMatter and REvil ransomware, amid other individuals.

Effective scenarios have been observed by the FBI in which attackers have been capable to obtain administrator entry to equipment and then move laterally throughout the victim’s network. 

The FBI reported the FIN7 hacking team is guiding the waves of attacks on US industries due to the fact August 2021 – the same team behind the DarkSide and BlackMatter ransomware strategies. 

Most just lately, FIN7 has been concentrating on the US defence industry due to the fact November 2021 but organizations in the transportation and insurance policy sectors ended up receiving destructive offers as considerably again as August 2021.

The FBI also said the attackers were being employing the United States Postal Support (USPS) and United Parcel Service (UPS) to supply the LilyGO-branded USB sticks pre-loaded with malware, and seemingly came from reputable organisations these as Amazon and the US Division of Well being and Human Companies (HHS).

“Due to the fact August 2021, the FBI has received reviews of many deals that contains these USB equipment, despatched to US organizations in the transportation, insurance, and defence industries,” said the FBI in an notify, as claimed by The History. “The deals ended up despatched working with the United States Postal Support and United Parcel Assistance.

“There are two variants of deals – those imitating HHS are normally accompanied by letters referencing COVID-19 rules enclosed with a USB and those people imitating Amazon arrived in a attractive reward box that contains a fraudulent thank you letter, counterfeit reward card, and a USB.”

An historical attack strategy

The strategy of simply just plugging in a malicious USB adhere into a victim’s machine dates again numerous several years and has dubbed a variety of distinct names in the infosec local community throughout that time. The process may well be or else regarded as Rubber Ducky attacks, PoisonTap, USBdriveby, USBharpoon, and BadUSB.

For many years, the method has also been employed by pentesters with a fantastic diploma of good results, leveraging human curiosity to see what is on a USB travel they uncover by opportunity. People today will generally plug a shed, unidentified USB stick into their very own machine right before trying to return it to its rightful operator – a routine cyber criminals have realized to use to their advantage.

“The use of tangible applications for an infection – such as USB sticks, have been and carry on to be ever efficient, primarily in today’s present-day weather,” said Alan Calder, CEO at GRC Global Team to IT Pro. “Working from property is now extra popular than a few several years ago, and the likelihood of somebody acquiring a malicious USB adhere and plugging it into a Laptop in an unsupervised setting is a great deal increased.

“Cyber criminals are knowingly working with this hybrid doing work shift to their advantage, which indicates the will need for typical cyber security risk assessments to outline and mitigate these threats has in no way been increased.”

The BadUSB project was first unveiled at Black Hat in 2014 by security scientists at SR Labs, Karsten Nohl and Jakob Lell. The pair confirmed how the attack approach could be utilised to put in malware, as well as steal knowledge and spoof network playing cards. 

It has since motivated a selection of related jobs with a person hacker making use of the ideas to a Mac-hacking iPhone lightning cable and dropping them close to Def Con in 2019. The malicious iPhone cables allowed attackers to remotely execute commands on a victim’s device and were sold for as very little as $200 less than the radar at the function.

It also isn’t really the 1st time FIN7 has produced use of the postal technique to supply attacks. In a to some degree identical trend, FIN7 in its place impersonated Finest Invest in to mail packages with USB sticks to hospitality and retail enterprises in March 2020.