UPDATED 19:56 EDT / JANUARY 10 2022

SECURITY

FBI warns hackers are sending malicious USB thumb drives via mail

The U.S. Federal Bureau of Investigation is warning that hackers are sending malicious USB thumb drives via mail to companies, hoping that recipients will use them and infect their networks.

The malware-by-mail campaign is being linked to the FIN7 cybercrime gang. “Since August 2021, the FBI has received reports of several packages containing these USB devices that have been sent to US companies in the transportation, insurance and defense industries,” the bureau said in a security warning sent to registered members on Thursday. “The packages were sent using the United States Postal Service and United Parcel Service.”

The campaign involves more than random USB drives being sent out. In one version of the campaign, the USB thumb drives imitate those from the Department of Health and Human Services and are often accompanied by letters referencing COVID-19 guidelines. The other version imitates Amazon.com Inc., complete with a decorative gift box containing a thank-you note, counterfeit gift card and the malicious USB.

Both variants of the attack contained LilyGO-branded USBs, which, when plugged into a device, execute a BadUSB attack and infect the victim’s computer with malware that gives the hackers access. A BadUSB attack involves exploiting a vulnerability in USB firmware that allows it to act as a human interface device and inject malicious software.
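Because a BadUSB device announces itself to the host as a human interface device, defenders can watch for keyboards that nobody issued. The following is an added example, not code from the FBI alert or from this article: it scans Linux kernel log lines for USB HID keyboard registrations and reports any whose vendor and product IDs are not on an allowlist. The log excerpt, the IDs and the allowlist are constructed for illustration.

```python
import re

# Constructed Linux kernel-log excerpt (vendor/product IDs and names are made up).
SAMPLE_LOG = """\
[ 1001.250] usb 1-2: New USB device found, idVendor=1111, idProduct=2222, bcdDevice= 1.00
[ 1001.250] usb 1-2: Product: Example Flash Drive
[ 1001.260] hid-generic 0003:1111:2222.0005: input,hidraw2: USB HID v1.11 Keyboard [Example Flash Drive] on usb-0000:00:14.0-2/input0
[ 2000.000] usb 1-3: New USB device found, idVendor=aaaa, idProduct=bbbb, bcdDevice= 2.00
[ 2000.010] hid-generic 0003:AAAA:BBBB.0006: input,hidraw3: USB HID v1.10 Keyboard [Office Keyboard] on usb-0000:00:14.0-3/input0
[ 3000.000] usb 1-4: New USB device found, idVendor=3333, idProduct=4444, bcdDevice= 1.00
[ 3000.010] usb-storage 1-4:1.0: USB Mass Storage device detected
"""

# Hypothetical allowlist of (vendor ID, product ID) pairs for company-issued keyboards.
APPROVED_KEYBOARDS = {("aaaa", "bbbb")}

# The HID core logs each bound interface as "<driver> <bus>:<vid>:<pid>.<n>: ...".
# Bus 0003 is USB, and the message names the interface type (Keyboard, Mouse, ...).
HID_KEYBOARD = re.compile(
    r"\[\s*(?P<ts>\d+\.\d+)\]\s+[\w-]+ 0003:"
    r"(?P<vid>[0-9A-Fa-f]{4}):(?P<pid>[0-9A-Fa-f]{4})\.[0-9A-Fa-f]{4}: "
    r"input.*? Keyboard \[(?P<product>.*?)\] on (?P<port>\S+)"
)


def unexpected_keyboards(log_text, approved=APPROVED_KEYBOARDS):
    """Return one finding per USB keyboard registration that is not allowlisted."""
    findings = []
    for line in log_text.splitlines():
        m = HID_KEYBOARD.search(line)
        if m is None:
            continue  # not a USB HID keyboard registration
        vid, pid = m["vid"].lower(), m["pid"].lower()  # the HID line uses upper-case hex
        if (vid, pid) in approved:
            continue
        findings.append({"time": float(m["ts"]), "vid": vid, "pid": pid,
                         "product": m["product"], "port": m["port"]})
    return findings


if __name__ == "__main__":
    for f in unexpected_keyboards(SAMPLE_LOG):
        print(f"ALERT t={f['time']}: unapproved keyboard {f['vid']}:{f['pid']} "
              f"'{f['product']}' on {f['port']}")
```

A device that labels itself a flash drive yet registers a keyboard interface, as in the first constructed entry, is the pattern worth alerting on; the plain mass-storage device in the last entry is not flagged.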

Once access is obtained through the BadUSB attack, the FIN7 hackers then use various malicious tools, including Metasploit, Cobalt Strike, PowerShell scripts, Carbanak, Griffon, Diceloader and Titian, to deploy ransomware.

“This seems like a step back in terms of attack sophistication,” Purandar Das, co-founder and chief executive officer of security solutions company Sotero Inc., told SiliconANGLE today. “In a time when attacks are being executed leveraging third-party and open-source software components this seems like a step back into a bygone era where the attack depended on a human failure or event to start.”

Das believes that this may have been an attempt to capitalize on lowered guards when everyone is talking about the more sophisticated attacks. “Regardless, this demonstrated that the attackers will leave no avenue unexploited,” Das added. “It also demonstrates the potential for payoffs that the attackers are willing to invest in USB drives and physical mailing costs.”

Rick Vanover, senior director of product strategy at data protection firm Veeam Software Inc., noted that portable storage media from floppy disks to compact discs to DVDs have long been a threat vector in regard to cybersecurity.

“Many IT organizations got into the practice of disabling autorun of these media on endpoint devices, but chances are current administrative conditions, the bring your own device behavior and the sheer number of devices in use, make this an untenable practice for 100% compliance,” Vanover explained. “The human firewall is a good part of the solution here. Corporate citizens need a common-sense approach to accessing removable media.”
