FIN7 Mails Malicious USB Sticks to Drop Ransomware

The FBI warned that attackers are impersonating Health & Human Services and/or Amazon to mail BadUSB-poisoned USB devices to targets in transportation, insurance & defense.

Ransomware gangs are mailing malicious USB drives, posing as the U.S. Department of Health and Human Services (HHS) and/or Amazon to target the transportation, insurance and defense industries for ransomware infection, the FBI warned on Friday.

In a security alert sent to organizations, the FBI said that FIN7 – aka Carbanak or Navigator Group, the infamous, financially motivated cybercrime gang behind the Carbanak backdoor malware – is the guilty party.

FIN7 has been around since at least 2015. Initially, the gang made its reputation by maintaining persistent access at target companies with its custom backdoor malware, and for targeting point-of-sale (PoS) systems with skimmer software. It often targets casual-dining restaurants, casinos and hotels. But in 2020, FIN7 also got into the ransomware/data exfiltration game, with its activities involving REvil or Ryuk as the payload.

Infosec Insiders Newsletter

The FBI said that over the past several months, FIN7 has mailed the malicious USB devices to U.S. companies, in hopes that somebody would plug in the drives, infect systems with malware and thus set them up for future ransomware attacks.

“Since August 2021, the FBI has received reports of several packages containing these USB devices, sent to U.S. businesses in the transportation, insurance, and defense industries,” the Bureau said in the security alert.

Snail-Mailed BadUSB Infection

“The packages were sent using the United States Postal Service and United Parcel Service,” the FBI added.

The attackers gussied up the packages, disguising them as either pandemic-related or as goodies from Amazon, the bureau said: “There are two variations of packages – those imitating HHS are often accompanied by letters referencing COVID-19 guidelines enclosed with a USB; and those imitating Amazon arrived in a decorative gift box containing a fraudulent thank you letter, counterfeit gift card and a USB.”

Either way, the packages contained LilyGO-branded USB devices.

If targets fell for all the tinsel and flimflam and plug in the USB thumb drives, the FBI said that the devices executed a BadUSB attack. BadUSB attacks exploit an inherent vulnerability in USB firmware that enables bad actors to reprogram a USB device so it can act as a human interface device – i.e., as a malicious USB keyboard preloaded with automatically executed keystrokes. After reprogramming, the USB can be used to discreetly execute commands or run malicious programs on a victim’s computer.

Neither BadUSB attacks nor FIN7’s use of them are new. In 2020, the Trustwave SpiderLabs cybersecurity research team initially discovered these USB thumb drive attacks being sent to some of its customers, with the malicious devices similarly contained within packages impersonating Amazon and HHS. This latest attack is a carbon copy of the 2020 attack, when the FBI similarly issued a public alert that named FIN7 as the culprit.

How to Beat Back BadUSB Sticks

You’d think that the sure way to ward off attacks ushered in by evil malware-wielding USB sticks sprinkled through hallways, parking lots or via snail-mail would be drop-dead simple: i.e., don’t plug them in. Human nature being what it is, though, study after study has shown that curiosity or altruism (“I’ll find out whose this is so I can return it!”) kills the cat and triggers system takeover.

Still, you have to at least try to talk people out of their USB curiosity and/or good manners. Karl Sigler, Trustwave SpiderLabs senior security research manager, told Threatpost on Monday that ongoing security-awareness training “should include this type of attack and warn against connecting any strange device to your computer.”

Endpoint protection software can also help prevent these attacks, and it cuts the curious cat clean out of the picture, he said.

“These attacks are triggered by a USB stick emulating a USB keyboard, so an end-point protection software that can monitor access to command shells should take care of most issues,” Sigler said via email.

For critical systems that don’t require USB accessories, physical and software-based USB port blockers may also help prevent this attack, Sigler added.

For its part, the ACA Group has coined the acronym “CAPs” to refer to the standard hygiene that all organizations should actively monitor to prevent a ransomware attack. CAPs refers to Configuration, Access and Patching, with employee awareness and education again being considered critical as well. CAPs refers to:

Configuration management – Reduce the number of entry points an attacker could use to gain access to your system. Many attacks are successful because there are misconfigurations on security devices, cloud configurations and so forth.

Access – Reduce the number of internal access points for an attacker who has entered your system.

Patching – Reduce the chances of an attack happening via an unknown or entry point, a foundation in fixing and security vulnerabilities and other bugs.

Image courtesy of crazydavepromo.co.uk. Licensing details.

Password Reset: On-Demand Event: Fortify 2022 with a password-security strategy built for today’s threats. This Threatpost Security Roundtable, built for infosec professionals, centers on enterprise credential management, the new password basics and mitigating post-credential breaches. Join Darren James, with Specops Software and Roger Grimes, defense evangelist at KnowBe4 and Threatpost host Becky Bracken. Register & stream this FREE session today – sponsored by Specops Software.

Suggested articles