Cybercriminals have been sending USB flash drives laced with ransomware to US businesses. Find out how this attack works and what to do about it.
If you receive a USB flash drive in the mail that you were not expecting, resist the urge to plug it into your computer. Cybercriminals have been sending USB drives laced with ransomware to US businesses, according to a security alert issued by the US Federal Bureau of Investigation (FBI) on January 6, 2022. The attackers have been using the United States Postal Service (USPS) and United Parcel Service (UPS) to deliver the malicious drive.
FIN7 Behind the BadUSB Attacks
A cybergang named FIN7 carried out the attacks. It modified off-the-shelf USB drives so that they became what is known as BadUSBs. “BadUSBs are virtual keyboards that can be programmed in advance to type out characters on a computer without physically doing so,” according to security experts.
BadUSBs automatically start running when they are plugged into a computer. They are able to execute preloaded commands extremely fast, including any that require pressing two or more keys simultaneously. This means they can access the Elevated Command Prompt on Windows devices to execute commands with administrative privileges. The BadUSBs just need to type “Win+R” to open the Run dialog box, enter “cmd”, and then type Ctrl+Shift+Enter.
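The sequence just described (a new keyboard appears, and an elevated cmd.exe or powershell.exe starts seconds later) is something endpoint telemetry can catch. The following is an added detection example written for this article, not code from the FBI alert or from FIN7's tooling; it correlates constructed, simplified events, and assumes the endpoint reports new HID devices and the integrity level of new processes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime            # when the endpoint reported the event
    host: str               # hostname the event came from
    kind: str               # "hid_added" (new keyboard-class device) or "proc_create"
    detail: str             # device description, or image path of the new process
    elevated: bool = False  # proc_create only: started with a high-integrity (admin) token

SHELLS = {"cmd.exe", "powershell.exe"}

def detect_badusb_keystroke_injection(events, window=timedelta(seconds=30)):
    """Return (host, device, image, delay) for each elevated shell started on a host
    within `window` of a new keyboard appearing there. A person plugging in a real
    keyboard rarely opens an admin prompt within seconds; a BadUSB typing
    Win+R, "cmd", Ctrl+Shift+Enter does exactly that."""
    alerts = []
    ordered = sorted(events, key=lambda e: e.ts)
    for i, dev in enumerate(ordered):
        if dev.kind != "hid_added":
            continue
        for proc in ordered[i + 1:]:
            if proc.ts - dev.ts > window:
                break  # time-ordered, so everything after this is outside the window
            if (proc.host == dev.host and proc.kind == "proc_create" and proc.elevated
                    and proc.detail.rsplit("\\", 1)[-1].lower() in SHELLS):
                alerts.append((dev.host, dev.detail, proc.detail, proc.ts - dev.ts))
    return alerts

# Constructed sample telemetry (hostnames, times and paths are made up), loosely
# modelled on Windows Security event 6416 (new external device) and Sysmon event 1.
T0 = datetime(2022, 1, 6, 9, 15, 0)
KBD = "USB Input Device (HID Keyboard)"
SAMPLE = [
    Event(T0, "ws-finance-07", "hid_added", KBD),
    Event(T0 + timedelta(seconds=4), "ws-finance-07", "proc_create",
          r"C:\Windows\System32\cmd.exe", elevated=True),
    Event(T0 + timedelta(seconds=6), "ws-finance-07", "proc_create",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", elevated=True),
    # Benign: a user plugs in a keyboard and opens Excel without elevation.
    Event(T0 + timedelta(minutes=5), "ws-hr-02", "hid_added", KBD),
    Event(T0 + timedelta(minutes=5, seconds=8), "ws-hr-02", "proc_create",
          r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    # Benign: an admin opens an elevated prompt long after the keyboard appeared.
    Event(T0 + timedelta(minutes=20), "ws-hr-02", "proc_create",
          r"C:\Windows\System32\cmd.exe", elevated=True),
]
```

Running `detect_badusb_keystroke_injection(SAMPLE)` returns two alerts, both for ws-finance-07, and nothing for the two benign sequences; the 30-second window is a tuning knob, not a fixed fact about the attack.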
FIN7 programmed its malicious USBs to execute PowerShell commands that:
To entice employees to plug the malicious USB drives into their computers, the cybergang turned to phishing tactics. In some of the attacks, it impersonated Amazon and sent a decorative gift box. The box contained a letter thanking the recipient for being a loyal customer, a counterfeit gift card, and a BadUSB that supposedly listed the goods for which the gift card could be used.
In other attacks, FIN7 impersonated the US Department of Health & Human Services (HHS) and sent companies a letter and a BadUSB that supposedly listed new COVID-19 regulations. The letter was made to look like an official document from HHS. The recipients were instructed to read the new regulations on the malicious USB drive and then go to a specified website, where they would need to confirm that they had read and applied them.
The recent campaign isn’t the first time FIN7 has carried out BadUSB attacks. In 2020, it pretended to be the Best Buy electronics chain in a campaign that closely resembled the Amazon one just described. And it won’t be the last time the cybergang sends malicious USB devices to companies. As a result, businesses need to be prepared for this type of attack.
Possible actions to help detect and prevent BadUSB attacks include:
Each of these solutions has its pros and cons. We can help you determine which one is best for your company.