FIN7 Targets US Enterprises Via BadUSBFBI Sends Private Flash Alert to Firms in Targeted Sectors
Financially motivated cybercrime gang FIN7 is impersonating the U.S. Department of Health and Human Services, as well as Amazon, to trick enterprises in the country into using a malicious flash drive, according to the FBI.
The threat actor mailed decorative gift boxes containing the USB sticks, a thank-you letter and a counterfeit gift card via the U.S. Postal Service and United Parcel Service to undisclosed companies in the transportation, defense and insurance sectors, according to the cited notification.
The flash drive, which typically has the logo LilyGO on it, instructs the victim's computer to download and execute malware on the device, managed service provider Natural Networks Inc. tweeted. "The USB flash drive is accompanied by a letter claiming to be from the US Department of Health and Human Services and are providing information on COVID-19 guidelines," the tweet says.
How It Works
While often used by penetration testers, BadUSB attacks in the wild are relatively rare (see: Suspect Arrested at Mar-a-Lago With Suspicious USB Drive).
"Penetration testers that perform physical 'pentests' are well versed in dropping 'malicious' USB sticks in a target's parking lot or waiting room," say security researchers Alejandro Baca and Rodel Mendrez in a March 2020 Trustwave blog post.
BadUSB devices are USB storage devices whose firmware has been rewritten to facilitate malicious activities, potentially giving attackers the ability to bypass endpoint antivirus tools and gain remote access to any system into which the USB storage device gets plugged (see: A New Way to Mitigate USB Risks).
"More complex are so-called 'Rubber Ducky' attacks, where what looks like a USB stick is actually, in effect, a malicious USB keyboard preloaded with keystrokes," the researcher say in the blog post. "Those types of attacks are typically so explicitly targeted that it's rare to find them coming from actual attackers in the wild. Rare, but still out there."
In some attacks, simply plugging the device into a system could infect unsuspecting users’ computer without them realizing it, according to the blog post.
Once the targets plug the USB drive into their computers, the USB registers as a Human Interface Device keyboard, the FBI notification says. Then the USB starts injecting keystrokes to install malware payloads on the compromised systems, the agency says.
Chris Morales, chief information security officer at digital IT and security operations company Netenrich, tells Information Security Media Group, "It would just take the right user with the right level of permissions for this to succeed."
Most organizations take the security risks of USB removable media seriously, and many prohibit its use through technical controls, says Jake Williams, a former member of the National Security Agency's elite hacking team.
"In this case however, the USB registers as an input device, bypassing any removable media restrictions. The worst part is that, in my experience, many in security leadership mistakenly believe they have mitigated the threat by 'blocking USBs.' What they fail to realize is that traditional removable media controls do not prevent the use of these alternative input devices and leave them vulnerable and without appropriate detection strategies," Williams tells ISMG.
Netenrich's Morales adds that to disrupt the attack life cycle, one could whitelist approved hardware types, monitor for malicious use of PowerShell, and detect malicious software loaders. "But these process cost money, and require systems and people. Not inserting a random USB drive into a computer would be the simplest option," he says.
The tactic of mailing USB sticks is not new to FIN7. In March 2020, an operator behind the gang mailed a victim a USB storage device with a teddy bear and supposed $50 gift card to Best Buy (see: FBI: Cybercrime Gang Mailing 'BadUSB' Devices to Targets).
FIN7's end goal in such attacks is to access the victims' networks and deploy ransomware -including BlackMatter and REvil - within a compromised network using various tools, including Metasploit, Cobalt Strike, Carbanak malware, the Griffon backdoor and PowerShell scripts, according to a Bleeping Computer report.
Previously, the FIN7 gang was tied to what the U.S. Justice Department described as a "highly sophisticated malware campaign" that has pummeled more than 100 U.S. businesses - especially in the restaurant, gaming and hospitality sectors. Arby’s, Chili’s, Chipotle Mexican Grill and Jason’s Deli are among the data breach victims that have confirmed attacks tied to FIN7 (see: Chipotle: Hackers Dined Out on Most Restaurants).
The notorious gang has already been tied to more than $1 billion in fraud, typically by infecting point-of-sale devices with malware and using it to steal payment card details (see: The Art of the Steal: FIN7's Highly Effective Phishing).