The FBI is warning of attacks from the FIN7 APT in which victims are sent USB drives via USPS and prompted to examine their contents. This attack is a variation of the “lost USB” or “BadUSB” tactic, in which a malicious USB drive is dropped on site in the hope that a curious employee will find it and inspect the contents. This version, however, is much more targeted. In one instance, the attackers sent a package containing a USB drive, a letter, and a gift card for a major electronics retailer to a hospitality company. The letter thanked the recipient for being a regular customer and prompted them to use the gift card for any items specified on the USB drive. The FBI warns that many of these packages have been sent to businesses, targeting employees in human resources, IT, or management.
While rare, USB-style attacks can happen. The best way to prevent this attack is to avoid using any unknown USB devices. In an organization, informing employees about BadUSB attacks and providing a means to report suspicious devices is an important prevention step. Additionally, limiting physical access to machines will help prevent a bad actor on site from exploiting devices via USB. Some antivirus programs now provide keyboard authorization, which means that when the antivirus detects that a keyboard has been plugged in, the user must verify that it is indeed a keyboard and not a USB flash drive. BadUSB attacks can take many forms, but educating users in combination with proper security controls is the best way to prevent the exploitation of this attack.
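The keyboard-authorization idea described above can be sketched for Linux kernel logs. This is an added example, not code from the FBI alert or from any antivirus product; the allowlist, device IDs, device names, log lines and verdict labels are all constructed for illustration.

```python
import re

# Constructed allowlist of approved keyboards as (vendor_id, product_id).
APPROVED = {("1111", "2222")}

NEW_DEV = re.compile(r"usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
STORAGE = re.compile(r"usb-storage (\S+?):[\d.]+: USB Mass Storage device detected")
HID = re.compile(r"hid-generic [0-9A-F]{4}:([0-9A-F]{4}):([0-9A-F]{4})\.[0-9A-F]{4}: "
                 r".*USB HID v[\d.]+ (\w+) \[([^\]]*)\]", re.I)

# Constructed kernel log lines in the format Linux prints on USB enumeration.
SAMPLE_LOG = [
    "usb 1-2: New USB device found, idVendor=1111, idProduct=2222, bcdDevice= 1.00",
    "hid-generic 0003:1111:2222.0001: input,hidraw0: USB HID v1.10 Keyboard [Desk Keyboard] on usb-0000:00:14.0-2/input0",
    "usb 1-4: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 1.00",
    "hid-generic 0003:1234:ABCD.0002: input,hidraw1: USB HID v1.11 Keyboard [Gift Drive] on usb-0000:00:14.0-4/input1",
    "usb-storage 1-4:1.0: USB Mass Storage device detected",
    "usb 1-5: New USB device found, idVendor=5555, idProduct=6666, bcdDevice= 1.00",
    "hid-generic 0003:5555:6666.0003: input,hidraw2: USB HID v1.11 Keyboard [Spare Keyboard] on usb-0000:00:14.0-5/input0",
    "hid-generic 0003:7777:8888.0004: input,hidraw3: USB HID v1.11 Mouse [Desk Mouse] on usb-0000:00:14.0-3/input0",
]

def review_keyboards(lines):
    """Return (vid:pid, name, verdict) for each HID keyboard seen in the log."""
    port_ids, storage_ids, keyboards = {}, set(), []
    for line in lines:
        if m := NEW_DEV.search(line):
            port_ids[m.group(1)] = (m.group(2), m.group(3))
        elif m := STORAGE.search(line):
            # A mass-storage interface on this port: remember the device's IDs.
            if m.group(1) in port_ids:
                storage_ids.add(port_ids[m.group(1)])
        elif (m := HID.search(line)) and m.group(3) == "Keyboard":
            keyboards.append(((m.group(1).lower(), m.group(2).lower()), m.group(4)))
    results = []
    # Decide after the full pass, since interfaces can register in any order.
    for dev, name in keyboards:
        if dev in storage_ids:
            verdict = "block"    # a "flash drive" that also registers a keyboard
        elif dev in APPROVED:
            verdict = "allow"
        else:
            verdict = "confirm"  # ask the user whether this really is a keyboard
        results.append((":".join(dev), name, verdict))
    return results

if __name__ == "__main__":
    for row in review_keyboards(SAMPLE_LOG):
        print(row)
```

Matching storage and keyboard interfaces by vendor and product ID is a simplification; two physical devices with identical IDs would be treated as one.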