Page 9 - EngineerIT February 2022 UPDATED
ICT - SECURITY
FBI warns US companies to avoid malicious USB devices

by Brandon Rochat, Cybereason sales director for Africa

Cybercriminals constantly evolve the tactics, techniques, and procedures they use to execute attacks, looking for innovative ways to bypass or circumvent security controls. Sometimes the best strategy is the simplest one, though, and it may succeed in catching targets off guard. A new warning from the FBI cautions US companies to be on alert for an old tactic that is apparently being used again – tricking users into connecting a malicious USB device.

Malicious USB campaign

According to the FBI, threat actors targeted companies in the defence, transportation, and insurance industries in the second half of 2021 by sending USB thumb drives to intended targets. The attackers – identified as the FIN7 cybercrime group by the FBI – used the US Postal Service and UPS to send letters and packages that claimed to be from the Department of Health and Human Services (HHS) or, in some cases, Amazon. The deliveries included a USB thumb drive prepared as a BadUSB device (explained below).

Information shared by the FBI indicates that the packages were designed to look like legitimate thank-you notes or gifts. If the threat actors are smart, they presumably also did at least a little homework to improve the odds of success by tailoring the message to the organisation or individual it was sent to. FIN7 threat actors have also been known to follow up, calling or emailing recipients to reinforce the con and pressure them into actually connecting the malicious device to their PC.

BadUSB

BadUSB is not a conventional piece of malware stored on the drive but a class of attack in which the device's firmware makes it register with the host as a Human Interface Device (HID) keyboard rather than as storage. This little trick lets the malicious device operate even if the system has a policy in place that disables removable storage devices: such policies govern the mass-storage class, while any attached keyboard is accepted as user input. Using its "keyboard" designation, the device injects keystrokes to install further exploits and malicious payloads on the compromised system. A report from BleepingComputer explains, "FIN7's end goal in such attacks is to access the victims' networks and deploy ransomware (including BlackMatter and REvil) within a compromised network using various tools, including Metasploit, Cobalt Strike, Carbanak malware, the Griffon backdoor, and PowerShell scripts."

Gaining a foothold

This attack vector may be an attempt to exploit the work-from-home trend. When USB flash drives are delivered directly to someone's home, there are fewer guard rails and a greater likelihood that the user will plug the device into a work computer, or into a home network to which their work computer is also connected. It is also possible that there are organisations or departments that routinely employ USB thumb drives, where people are more likely to use a USB storage device without finding it suspicious. That would make this tactic more effective.

The bottom line is that if the attackers are able to gain a foothold – even if it's not an admin account – they can escalate privileges or conduct reconnaissance from the inside, which may aid in gaining access to other systems.

Smoke and mirrors

This all sounds highly suspicious, though, and makes me wonder if this is a misdirection or distraction from a different or broader attack. This is an old tactic. Even average users should know better than to use an unknown USB drive that gets delivered to them. It does depend to some extent on how convincing the attack is, though. IT and cybersecurity professionals are well trained not to plug in devices such as found or free flash drives from unknown sources, but the average person may not be as cautious. This is even more true if the person is convinced the package is from a credible source, or if an offer such as a free gift card triggers an emotional response that short-circuits rational thought.

Still, there are a variety of more effective attack vectors that don't rely on a potentially traceable and high-touch campaign like this. It is hard to imagine a reasonable scenario under which most people would use a USB stick they received in the mail. If the attackers sent a device like a USB mouse or some other type of gadget, that would probably have much higher success just by virtue of being novel.

Look for the big picture

FIN7 is a sophisticated threat actor – which is why this all feels like a big misdirection. You should obviously never insert an unknown USB device into your PC – whether it's one you receive randomly in the mail, or a USB device that you simply don't know when or where it was used last. Beyond that, though, you need to pay attention to the big picture when it comes to cyberattacks. Whether attackers succeed in gaining a foothold using a malicious USB drive, or use the delivery of a malicious USB drive as a distraction from a different attack vector, you need to be able to view the entire malicious operation – or MalOp™ – across your environment and recognise Indicators of Behaviour (IOBs) that enable you to quickly identify and stop malicious activity.
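As an added illustration of what a behavioural indicator for the BadUSB technique described earlier can look like in code (this is example code written for this page, not part of the original article and not Cybereason's product logic): the attack has two observable properties, a device that enumerates as a HID keyboard and is not one the organisation issued, and that device then "typing" a payload far faster than any human can. The detector below scores a stream of keystroke events on both properties. The event records, the vendor/product allowlist, the timing threshold and the device naming scheme are all constructed assumptions for the example.

```python
"""Heuristic detector for BadUSB-style keystroke injection.

Added example, not from the article. Two checks drawn from the attack as
described: (1) is the HID keyboard one we recognise, and (2) does it type
at a rate no human could. All sample data and identifiers are constructed.
"""
from dataclasses import dataclass
from statistics import median

# Keyboards the organisation has issued (assumed allowlist of USB vendor/product IDs).
KNOWN_KEYBOARDS = {("046d", "c31c"), ("413c", "2113")}

# A fast touch-typist averages on the order of 100 ms between keystrokes;
# injection payloads typically arrive with a few milliseconds between keys.
HUMAN_MIN_INTERVAL_MS = 20.0
WINDOW = 8  # consecutive keystrokes judged together, to smooth over single bursts


@dataclass(frozen=True)
class KeyEvent:
    device: str        # "vid:pid" of the HID keyboard that produced the key (assumed format)
    timestamp_ms: float
    key: str


def is_known_keyboard(vid: str, pid: str) -> bool:
    """Property 1: the device is an issued keyboard, not a stranger calling itself one."""
    return (vid.lower(), pid.lower()) in KNOWN_KEYBOARDS


def injection_windows(events, window=WINDOW, threshold_ms=HUMAN_MIN_INTERVAL_MS):
    """Property 2: return (start_index, median_gap_ms) for every run of `window`
    consecutive keystrokes from one device whose median inter-key gap is below
    the human floor. Median rather than mean so one long pause cannot hide a burst."""
    hits = []
    events = sorted(events, key=lambda e: e.timestamp_ms)
    for i in range(len(events) - window + 1):
        run = events[i:i + window]
        if len({e.device for e in run}) != 1:
            continue  # only judge keystrokes that all came from the same device
        gaps = [b.timestamp_ms - a.timestamp_ms for a, b in zip(run, run[1:])]
        med = median(gaps)
        if med < threshold_ms:
            hits.append((i, med))
    return hits


def assess(events):
    """Classify every device seen in the stream.

    Returns {device: verdict}, verdict in {"allowed", "unknown-keyboard", "injection"}.
    An unrecognised keyboard that has not typed anything suspicious yet is still
    reported, because a BadUSB device only needs one burst to do its work.
    """
    by_device = {}
    for e in events:
        by_device.setdefault(e.device, []).append(e)
    verdicts = {}
    for dev, evs in by_device.items():
        vid, pid = dev.split(":")
        if injection_windows(evs):
            verdicts[dev] = "injection"
        elif not is_known_keyboard(vid, pid):
            verdicts[dev] = "unknown-keyboard"
        else:
            verdicts[dev] = "allowed"
    return verdicts


# Constructed sample data: a person typing on an issued keyboard at 140 ms per key,
# then an unrecognised device typing a launcher sequence at 3 ms per key.
HUMAN = [KeyEvent("046d:c31c", 1000 + i * 140, k) for i, k in enumerate("hello world")]
PAYLOAD_KEYS = ["GUI", "r", "p", "o", "w", "e", "r", "s", "h", "e", "l", "l", "ENTER"]
PAYLOAD = [KeyEvent("1a2b:3c4d", 5000 + i * 3, k) for i, k in enumerate(PAYLOAD_KEYS)]

if __name__ == "__main__":
    for dev, verdict in assess(HUMAN + PAYLOAD).items():
        print(f"{dev}: {verdict}")
```

The timing check is the same idea used by open-source host agents such as Google's ukip for Linux, and it carries the same caveats: macro keyboards, barcode scanners and accessibility tools legitimately type at machine speed, so in production the allowlist and threshold need tuning per fleet, and the verdict should feed an alert or a temporary device block rather than an unconditional kill.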