Thursday, April 9, 2020

Gift USBs: Are They a Problem?

The FBI is warning of attacks by the FIN7 APT group in which victims are sent USB drives via USPS and prompted to examine their contents. This attack is a variation of the “lost USB” or “BadUSB” tactic, in which a malicious USB device is dropped on site in the hope that a curious employee will find it and inspect its contents. This version, however, is much more targeted. In one instance, the attackers sent a hospitality company a package containing a USB drive, a letter, and a gift card for a major electronics retailer. The letter thanked the recipient for being a regular customer and prompted them to use the gift card on any of the items listed on the USB drive. The FBI warns that many of these packages have been sent to businesses, targeting employees in human resources, IT, or management.

Researchers at Trustwave analyzed the USB device and found that, once plugged in, it emulates a keyboard and downloads a JavaScript backdoor, which the attackers can use to access the machine. The backdoor, known as GRIFFON, is a tool commonly associated with the FIN7 group. The researchers also found that the backdoor contacts IP addresses of Russian origin, another indicator of FIN7. In their analysis, they were able to match identifiers on the printed circuit board to a malicious USB device for sale on an international marketplace. The researchers state that the “USB device used an Arduino microcontroller and was programmed to emulate a USB keyboard. Since PCs trust keyboard USB devices by default, once it is plugged in, the keyboard emulator can automatically inject malicious commands.” This device could be purchased for as little as 5 dollars, much cheaper than premium BadUSB devices, which can retail for up to 100 dollars.

While rare, USB-style attacks do happen. The best way to prevent this attack is to avoid using any unknown USB device. Within an organization, informing employees about BadUSB attacks and providing a means to report suspicious devices is an important preventive step. Additionally, limiting physical access to machines will help stop an on-site bad actor from exploiting them via USB. Some anti-virus programs now provide keyboard authorization: when the antivirus detects that a keyboard has been plugged in, the user must confirm that it is indeed a keyboard and not a USB flash drive. BadUSB attacks can take many forms, but educating users, combined with proper security controls, is the best way to prevent this attack from succeeding.
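As an added example (not code from the post, the FBI or Trustwave), the following Python script shows how the keyboard-authorization idea above can be approximated on a Linux host: it reads kernel log lines for newly attached USB devices and holds any device that registers an input (keyboard) interface but is not on an approved keyboard list, which is exactly what a keyboard-emulating Arduino would trigger. The log lines, the allowlist and all VID:PID values are constructed sample data (2341 is Arduino's USB vendor ID; the rest are illustrative).

```python
import re

# Constructed kernel-log sample (not from the post). Vendor 2341 is Arduino's real
# USB vendor ID; the other IDs and device names are illustrative values.
SAMPLE_LOG = """\
usb 1-1: New USB device found, idVendor=046d, idProduct=c31c
input: Logitech USB Keyboard as /devices/pci0000:00/usb1/1-1/1-1:1.0/input/input5
usb 1-2: New USB device found, idVendor=0781, idProduct=5567
usb-storage 1-2:1.0: USB Mass Storage device detected
usb 1-3: New USB device found, idVendor=2341, idProduct=8036
input: Arduino LLC Arduino Leonardo as /devices/pci0000:00/usb1/1-3/1-3:1.0/input/input6
"""

# Assumed allowlist of keyboard VID:PID pairs the organisation has approved.
APPROVED_KEYBOARDS = {("046d", "c31c")}

NEW_DEV = re.compile(r"^usb (?P<bus>\d+-[\d.]+): New USB device found, "
                     r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
# The sysfs path contains "<bus>:<config>.<interface>", e.g. "1-3:1.0".
INPUT_DEV = re.compile(r"^input: (?P<name>.+) as /devices/\S*?/(?P<bus>\d+-[\d.]+):\d+\.\d+/")


def parse_events(log: str):
    """Return [(bus, {"vid", "pid", "input"})] for each newly attached USB device."""
    devices, order = {}, []
    for line in log.splitlines():
        m = NEW_DEV.match(line)
        if m:
            devices[m["bus"]] = {"vid": m["vid"], "pid": m["pid"], "input": None}
            order.append(m["bus"])
            continue
        m = INPUT_DEV.match(line)
        if m and m["bus"] in devices:          # device exposed a HID/input interface
            devices[m["bus"]]["input"] = m["name"]
    return [(bus, devices[bus]) for bus in order]


def review_devices(log: str, approved=APPROVED_KEYBOARDS):
    """Mimic keyboard authorization: a device that presents an input interface
    but is not an approved keyboard is held for manual confirmation."""
    verdicts = {}
    for bus, d in parse_events(log):
        if d["input"] is None:
            verdicts[bus] = "no HID interface"
        elif (d["vid"], d["pid"]) in approved:
            verdicts[bus] = "approved keyboard"
        else:
            verdicts[bus] = f"HOLD: unapproved HID device '{d['input']}' ({d['vid']}:{d['pid']})"
    return verdicts


if __name__ == "__main__":
    for bus, verdict in review_devices(SAMPLE_LOG).items():
        print(bus, verdict)
```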