FBI: Hackers target US defense firms with malicious USB packages

Image: Brina Blum

The Federal Bureau of Investigation (FBI) warned US companies in a recently updated flash alert that the financially motivated FIN7 cybercriminal group targeted the US defense industry with packages containing malicious USB devices to deploy ransomware.

The attackers mailed packages containing 'BadUSB' or 'Bad Beetle USB' devices with the LilyGO logo, commonly available for sale on the Internet.

They used the United States Postal Service (USPS) and United Parcel Service (UPS) to mail the malicious packages to businesses in the transportation and insurance industries since August 2021 and defense firms starting with November 2021.

BlackMatter or REvil ransomware deployed on breached networks

FIN7 operators impersonated Amazon and the US Department of Health & Human Services  (HHS) to trick the targets into opening the packages and connecting the USB drives to their systems.

Since August, reports received by the FBI say that these malicious packages also contain letters about COVID-19 guidelines or counterfeit gift cards and forged thank you notes, depending on the impersonated entity.

After the targets plug the USB drive into their computers, it automatically registers as a Human Interface Device (HID) Keyboard (allowing it to operate even with removable storage devices toggled off). 

It then starts injecting keystrokes to install malware payloads on the compromised systems.

FIN7's end goal in such attacks is to access the victims' networks and deploy ransomware (including BlackMatter and REvil) within a compromised network using various tools, such as Metasploit, Cobalt Strike, Carbanak malware, the Griffon backdoor, and PowerShell scripts.

Attack flow
Attack flow (Trustwave)

Malware pushed using teddy bears

These attacks follow another series of incidents the FBI warned about two years ago when FIN7 operators impersonated Best Buy and mailed similar packages with malicious flash drives via USPS to hotels, restaurants, and retail businesses.

Reports of such attackers started surfacing back in February 2020. Some of the targets also reported that the hackers emailed or called to pressure them into connecting the drives to their systems.

Beginning with at least May 2020, malicious packages sent by FIN7 also included items such as teddy bears designed to trick targets into lowering their guard.

Attacks like those attempted by FIN7 are known as HID or USB drive-by attacks, and they can only be successful if the victims are willing to or tricked into plugging unknown USB devices into their workstations.

Companies can defend against such attacks by allowing their employees to connect only USB devices based on their hardware ID or if they're vetted by their security team.

Related Articles:

Google Chrome to let Isolated Web App access sensitive USB devices

FBI warns of fake law firms targeting crypto scam victims

Alleged Scattered Spider sim-swapper arrested in Spain

FBI recovers 7,000 LockBit keys, urges ransomware victims to reach out

FBI warns of fake remote work ads used for cryptocurrency fraud