Hackers Target U.S. Defense Firms With Malicious USB Packages

FBI: Hackers Target U.S. Defense Firms With Malicious USB Packages

Picture: Brina blum

The Federal Bureau of Investigation (FBI) warned US companies in a recently updated flash alert that the financially motivated FIN7 cybercriminal group is targeting the US defense industry with packages containing malicious USB devices.

Attackers send packages containing “BadUSB” or “Bad Beetle USB” devices with the LilyGO logo, commonly available for sale on the Internet.

Packages have been mailed via the United States Postal Service (USPS) and United Parcel Service (UPS) to companies in the transportation and insurance industries since August 2021 and to defense companies from November 2021.

FIN7 operators pose as Amazon and the US Department of Health and Human Services (HHS) to trick targets to open packages and connect USB drives to their systems.

Since August, reports received by the FBI indicate that these malicious packages also contain letters about COVID-19 guidelines or forged gift cards and forged thank you notes, according to the spoofed entity.

After targets plug the USB drive into their computers, it automatically registers as a Human Interface Device (HID) keyboard (allowing it to work even with removable storage devices disabled). It then starts injecting keystrokes to install malware payloads on compromised systems.

FIN7’s end goal in these attacks is to gain access to victims’ networks and deploy ransomware within a compromised network using various tools including Metasploit, Cobalt Strike, Carbanak malware, the backdoor. Griffon and PowerShell scripts.

Malware pushed using teddy bears

The attacks follow another series of incidents the FBI warned about two years ago when the operators of FIN7 posed as Best Buy and sent similar packages with malicious USB drives through USPS to hotels, restaurants and retail businesses.

Reports of such attackers began to surface in February 2020. Some of the targets also reported that the hackers had emailed or called to force them to connect the drives to their systems.

As of at least May 2020, malicious packages sent by FIN7 also included things like teddy bears designed to trick targets into letting their guard down.

Attacks like those attempted by FIN7 are known as HID or USB drive-by attacks, and they can only be successful if victims are willing or tricked to plug unknown USB devices into their workstations.

Organizations can defend against such attacks by allowing their employees to only connect USB devices based on their hardware ID or if they are controlled by their security team.


Please enter your comment!
Please enter your name here

Trending this Week