Hackers attack US defense companies with malicious USB packages


The Federal Bureau of Investigation (FBI) has warned US companies in a recently updated flash alert that the financially motivated cybercrime group FIN7 is targeting the US defense industry with mailed packages containing malicious USB devices.

The attackers send packages containing “BadUSB” or “Bad Beetle USB” devices bearing the LilyGO logo, boards that can be bought openly on the Internet.

The parcels have been sent to companies in the transport and insurance industry via the United States Postal Service (USPS) and United Parcel Service (UPS) since August 2021, and to defense companies from November 2021.

FIN7 operators impersonate Amazon and the US Department of Health and Human Services (HHS) to trick recipients into opening the packages and plugging the USB drives into their systems.

Reports received by the FBI since August say these packages may also contain letters about COVID-19 guidelines or fake gift cards with thank-you notes, matched to whichever organization is being impersonated.

Once a target plugs the drive into a computer, it enumerates not as storage but as a Human Interface Device (HID) keyboard, which the operating system trusts like any other keyboard; this is why it still works on machines where removable storage is blocked. The device then injects keystrokes that install malware payloads on the compromised system.
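The mechanism just described has a tell: a real person cannot type dozens of characters with single-digit-millisecond gaps between them. The following detector is an added example, not code from the FBI alert, FIN7 or any vendor. It assumes a feed of per-device keystroke timestamps (something a keyboard filter driver, an EDR sensor or Linux evdev could supply); the event layout, the device labels such as "usb-lilygo-0", the thresholds and the sample data are all constructed.

```python
"""Keystroke-injection detector (added example): flags a device that "types"
a long run of keys faster than a human could. Event layout, thresholds and
sample data are constructed assumptions, not published values."""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class KeyEvent:
    t_ms: int       # timestamp, milliseconds
    device: str     # hypothetical per-device identifier
    key: str        # key or chord, e.g. "a" or "<GUI+r>"


@dataclass(frozen=True)
class Burst:
    device: str
    start_ms: int
    end_ms: int
    text: str             # what the device "typed" during the burst
    median_gap_ms: float


# Heuristic thresholds (assumptions, not published values).
FAST_MS = 15      # a sustained inter-key gap below this is not human typing
MIN_BURST = 12    # how many consecutive fast keys before we alert


def find_injection_bursts(events):
    """Return one Burst per run of MIN_BURST or more keystrokes from a single
    device whose consecutive gaps are all below FAST_MS."""
    by_device = {}
    for ev in sorted(events, key=lambda e: e.t_ms):
        by_device.setdefault(ev.device, []).append(ev)

    bursts = []
    for device, evs in by_device.items():
        run = [evs[0]]
        for prev, cur in zip(evs, evs[1:]):
            if cur.t_ms - prev.t_ms < FAST_MS:
                run.append(cur)
                continue
            _flush(device, run, bursts)   # gap too long: the run ends here
            run = [cur]
        _flush(device, run, bursts)
    return bursts


def _flush(device, run, bursts):
    """Record the run as a Burst if it is long enough to be suspicious."""
    if len(run) < MIN_BURST:
        return
    gaps = [b.t_ms - a.t_ms for a, b in zip(run, run[1:])]
    bursts.append(Burst(device, run[0].t_ms, run[-1].t_ms,
                        "".join(e.key for e in run), median(gaps)))


def _typed(device, start_ms, keys, gap_ms):
    """Constructed helper: emit `keys` from `device` at a fixed interval."""
    return [KeyEvent(start_ms + i * gap_ms, device, k) for i, k in enumerate(keys)]


# Constructed sample: a person typing, a short key auto-repeat (fast, but too
# short to count), then a planted device opening Run and typing a command.
SAMPLE_EVENTS = (
    _typed("builtin-kbd", 0, list("hello world"), 140)
    + _typed("builtin-kbd", 2000, list("lll"), 10)
    + _typed("usb-lilygo-0", 5000, ["<GUI+r>"] + list("powershell -w hidden"), 6)
)

if __name__ == "__main__":
    for b in find_injection_bursts(SAMPLE_EVENTS):
        print(f"{b.device}: burst of {b.end_ms - b.start_ms} ms, "
              f"median gap {b.median_gap_ms} ms, typed {b.text!r}")
```

The timing heuristic alone is evadable: an attacker who slows the injection to human speed slips under FAST_MS, so in practice this check is paired with the device's vendor and product IDs and with an alert on any new keyboard appearing while no one has touched the machine.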

FIN7’s end goal in these attacks is to gain access to the victim’s network and deploy ransomware on it, using tools including Metasploit, Cobalt Strike, the Carbanak malware, the Griffon backdoor and PowerShell scripts.

Spreading malware using teddy bears

These attacks follow another series of incidents the FBI warned about two years ago when FIN7 operators posed as Best Buy and sent similar packages of malicious flash drives to hotels, restaurants and retailers via USPS.

Reports of such attacks surfaced as early as February 2020. Some targets also reported that the attackers emailed or called them, urging them to connect the drives to their systems.

As of May 2020, the malicious packages sent by FIN7 also contained items such as teddy bears, intended to lower the targets’ guard.

Attacks like those attempted by FIN7 are known as HID or USB drive-by attacks; they succeed only if the victim is willing, or is tricked, into connecting an unknown USB device to a workstation.

Organizations can defend against these attacks by allowing employees to plug in only USB devices whose hardware IDs are on an allowlist, or devices that the security team has examined first. Because a BadUSB presents itself as a keyboard, controls that only block removable storage do not stop it; the restriction has to cover HID-class devices as well.
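One way to express that admission rule, as an added example rather than the FBI’s, a vendor’s or any product’s code: the check below takes a device’s hardware ID in the Windows layout `USB\VID_xxxx&PID_xxxx` together with its compatible IDs (`USB\Class_cc&SubClass_ss&Prot_pp`), admits allowlisted hardware, refuses any unlisted device that exposes an HID interface, and holds everything else for review. The allowlist contents and the sample devices are constructed.

```python
"""USB device admission check (added example). Assumes Windows-style hardware
IDs (USB\\VID_xxxx&PID_xxxx...) and compatible IDs (USB\\Class_cc&SubClass_ss&Prot_pp);
the allowlist and the sample devices are constructed."""
import re

HWID_RE = re.compile(r"^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})", re.IGNORECASE)
CLASS_RE = re.compile(r"^USB\\Class_([0-9A-F]{2})", re.IGNORECASE)

HID_CLASS = 0x03  # USB interface class for Human Interface Devices (keyboards, mice)

# Constructed allowlist: (vendor ID, product ID) pairs of company-issued devices.
ALLOWED_HWIDS = {
    (0x1234, 0x0001),   # hypothetical: standard-issue keyboard
    (0x1234, 0x0002),   # hypothetical: encrypted flash drive
}


def parse_hwid(hwid):
    """Return (vid, pid) from a hardware ID, or None if it is not a USB VID/PID string."""
    m = HWID_RE.match(hwid)
    return (int(m.group(1), 16), int(m.group(2), 16)) if m else None


def exposes_hid(compatible_ids):
    """True if any interface is HID class. The boot-protocol field is optional,
    so every HID interface is treated as able to send keystrokes, not only
    those tagged Prot_01 (boot keyboard)."""
    return any(m is not None and int(m.group(1), 16) == HID_CLASS
               for m in (CLASS_RE.match(c) for c in compatible_ids))


def evaluate(hwid, compatible_ids):
    """Decide whether to admit a newly attached device.
    Returns (decision, reason) with decision in {"allow", "deny", "review"}."""
    ids = parse_hwid(hwid)
    if ids is None:
        return "deny", "hardware ID is not a USB VID/PID string"
    if ids in ALLOWED_HWIDS:
        return "allow", f"VID_{ids[0]:04X}&PID_{ids[1]:04X} is on the allowlist"
    if exposes_hid(compatible_ids):
        return "deny", "unlisted device presents an HID interface (possible keystroke injector)"
    return "review", "unlisted device; hold until the security team has examined it"


# Constructed arrivals in the layout of a Windows device report.
SAMPLE_DEVICES = [
    (r"USB\VID_1234&PID_0001&REV_0100", [r"USB\Class_03&SubClass_01&Prot_01"]),  # issued keyboard
    (r"USB\VID_ABCD&PID_FFFF&REV_0001", [r"USB\Class_03&SubClass_01&Prot_01"]),  # unknown "keyboard"
    (r"USB\VID_ABCD&PID_0100&REV_0001", [r"USB\Class_08&SubClass_06&Prot_50"]),  # unknown mass storage
]

if __name__ == "__main__":
    for hwid, cids in SAMPLE_DEVICES:
        decision, reason = evaluate(hwid, cids)
        print(f"{decision:7} {hwid}: {reason}")
```

On Windows these are the same ID strings that the Device Installation Restrictions group policies take (“Allow installation of devices that match any of these device IDs” combined with “Prevent installation of devices not described by other policy settings”); USBGuard provides the equivalent on Linux. The caveat is that a BadUSB board chooses its own descriptors and can present the VID and PID of an approved keyboard, so an allowlist raises the cost of the attack but does not prove a device is genuine; it works best alongside behavioral checks on what a newly attached keyboard actually types.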

