warning of attacks from the FIN7 APT in which victims are sent USB drives via
USPS and prompted to examine their contents. This attack is a variation of the
“lost USB” or “BadUSB” tactic in which a malicious USB is dropped on site with
the intention of a curious employee finding it and inspecting the contents.
This version, however, is much more targeted. In one instance, the attackers
sent a package containing a USB drive, a letter, and a gift card for a major
electronics retailer to a hospitality company. The letter thanked the
recipient for being a regular customer and prompted them to use the gift card
for any items specified on the USB drive. The FBI warns that many of these
packages have been sent to businesses, targeting employees in human
resources, IT, or management.
Trustwave analyzed the USB device and found that once plugged in, the USB
emulates a keyboard and downloads a JavaScript backdoor, which the attackers
can use to access the machine. The backdoor, known as GRIFFON, is a tool
commonly associated with the FIN7 group. Researchers found that the backdoor
will contact IP addresses of Russian origin, another indicator of the FIN7
group. In their analysis, researchers were able to match identifiers on the
printed circuit board to a malicious USB for sale on an international marketplace. The
researchers state that the “USB device used an Arduino microcontroller and was
programmed to emulate a USB keyboard. Since PCs trust keyboard USB devices by
default, once it is plugged in, the keyboard emulator can automatically inject
malicious commands.” This device could be purchased for as little as 5
dollars, much cheaper than premium BadUSB devices, which can retail for up to
100 dollars.
While rare, USB-style attacks can happen. The best way to prevent this attack is to avoid using any unknown USB devices. In an organization, informing employees about BadUSB attacks and providing a means to report suspicious devices is an important prevention step. Additionally, limiting physical access to machines will help prevent a bad actor on-site from exploiting devices via USB. Some anti-virus programs now provide keyboard authorization, which means that when the antivirus detects that a keyboard has been plugged in, the user must verify that it is indeed a keyboard and not a USB flash drive. BadUSB attacks can take many forms, but educating users in combination with proper security controls is the best way to prevent the exploitation of this attack.
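The keyboard emulator described above only works because it types a whole command at machine speed, which is also what makes it detectable: no person sustains a few milliseconds per keystroke. The following is an added example, not code from the article, Trustwave, or any antivirus product; the event format, the thresholds, and the sample keystrokes are all assumptions constructed for illustration.

```python
"""Heuristic keystroke-injection detector for BadUSB-style keyboard emulators.

Assumed input: an iterable of (timestamp_ms, key) events from a keyboard.
A run of MIN_BURST or more keys, each arriving within MAX_GAP_MS of the
previous one, is reported as a probable injection burst.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumed thresholds chosen for illustration, not values from the article.
MAX_GAP_MS = 20   # a human rarely types two keys this close together
MIN_BURST = 12    # short fast runs (rolled key pairs) are ignored


@dataclass
class Burst:
    start_ms: int
    end_ms: int
    keys: int
    text: str

    @property
    def rate_keys_per_sec(self) -> float:
        span = max(self.end_ms - self.start_ms, 1)
        return self.keys * 1000.0 / span


def _to_burst(run: List[Tuple[int, str]]) -> Burst:
    return Burst(run[0][0], run[-1][0], len(run), "".join(k for _, k in run))


def find_injection_bursts(events: Iterable[Tuple[int, str]],
                          max_gap_ms: int = MAX_GAP_MS,
                          min_burst: int = MIN_BURST) -> List[Burst]:
    """Return every run of keystrokes typed faster than a person plausibly could."""
    bursts: List[Burst] = []
    run: List[Tuple[int, str]] = []
    for ts, key in events:
        if run and ts - run[-1][0] <= max_gap_ms:
            run.append((ts, key))       # still inside a fast run
        else:
            if len(run) >= min_burst:   # previous run was long enough to report
                bursts.append(_to_burst(run))
            run = [(ts, key)]           # start a new run at this key
    if len(run) >= min_burst:
        bursts.append(_to_burst(run))
    return bursts


# Constructed sample: a person typing slowly (180 ms per key), then an emulator
# typing a harmless placeholder string at 5 ms per key.
HUMAN = [(i * 180, c) for i, c in enumerate("hello ")]
INJECTED_TEXT = "placeholder command text"
INJECTED = [(2000 + i * 5, c) for i, c in enumerate(INJECTED_TEXT)]
SAMPLE_EVENTS = HUMAN + INJECTED

if __name__ == "__main__":
    for b in find_injection_bursts(SAMPLE_EVENTS):
        print(f"{b.keys} keys at {b.rate_keys_per_sec:.0f} keys/s: {b.text!r}")
```

In a real deployment the event feed would come from the OS input layer and the thresholds would be tuned against the organization's own typing data; keyboard authorization, as described above, blocks the device before any of these keys are delivered.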