FBI warns of hackers mailing malicious USB sticks to businesses

The Federal Bureau of Investigation (FBI) has alerted US businesses to a rise in cyber attacks being committed via the US postal service, with hackers mailing malicious USB sticks to victims and deceiving them into installing malware on machines.

If the USB stick enclosed in the package sent to victims was plugged into a computer, it would lead to a BadUSB attack whereby the USB device would register itself as a keyboard and execute a number of pre-configured keystrokes on the victim's machine, according to the FBI.

These keystroke scripts would lead to PowerShell commands being executed and to the download and installation of a variety of malware strains that acted as backdoors to the victims' networks to launch future cyber attacks. Resources the attackers installed included vulnerability-scanning and pentest tools such as Metasploit and Cobalt Strike, as well as BlackMatter and REvil ransomware, among others.

Successful cases have been observed by the FBI in which attackers were able to gain administrator access to machines and then move laterally across the victim's network.

The FBI said the FIN7 hacking group is behind the waves of attacks on US industries since August 2021 - the same group behind the DarkSide and BlackMatter ransomware campaigns.

Most recently, FIN7 has been targeting the US defence industry since November 2021 but companies in the transportation and insurance sectors were receiving malicious packages as far back as August 2021.

The FBI also said the attackers were using the United States Postal Service (USPS) and United Parcel Service (UPS) to deliver the LilyGO-branded USB sticks pre-loaded with malware, and seemingly came from reputable organisations such as Amazon and the US Department of Health and Human Services (HHS).

"Since August 2021, the FBI has received reports of several packages containing these USB devices, sent to US businesses in the transportation, insurance, and defence industries," said the FBI in an alert, as reported by The Record. "The packages were sent using the United States Postal Service and United Parcel Service.

“There are two variations of packages - those imitating HHS are often accompanied by letters referencing COVID-19 guidelines enclosed with a USB; and those imitating Amazon arrived in a decorative gift box containing a fraudulent thank you letter, counterfeit gift card, and a USB."

An ancient attack method

The method of simply plugging in a malicious USB stick into a victim's machine dates back many years and has dubbed various different names in the infosec community during that time. The method may be otherwise known as Rubber Ducky attacks, PoisonTap, USBdriveby, USBharpoon, and BadUSB.

For years, the method has also been used by pentesters with a good degree of success, leveraging human curiosity to see what's on a USB drive they discover by chance. People will often plug a lost, unknown USB stick into their own machine before attempting to return it to its rightful owner - a habit cyber criminals have learned to use to their advantage.

"The use of tangible tools for infection - such as USB sticks, have been and continue to be ever effective, especially in today’s current climate," said Alan Calder, CEO at GRC International Group to IT Pro. "Working from home is now more widespread than a few years ago, and the likelihood of someone receiving a malicious USB stick and plugging it into a PC in an unsupervised setting is much greater.

"Cyber criminals are knowingly using this hybrid working shift to their advantage, which means the need for regular cyber security risk assessments to outline and mitigate these threats has never been greater."

The BadUSB project was first unveiled at Black Hat in 2014 by security researchers at SR Labs, Karsten Nohl and Jakob Lell. The pair showed how the attack method could be used to install malware, as well as steal data and spoof network cards.

It has since inspired a number of related projects with one hacker applying the principles to a Mac-hacking iPhone lightning cable and dropping them around Def Con in 2019. The malicious iPhone cables allowed attackers to remotely execute commands on a victim's device and were sold for as little as $200 under the radar at the event.

It also isn't the first time FIN7 has made use of the postal system to deliver attacks. In a somewhat similar fashion, FIN7 instead impersonated Best Buy to mail packages with USB sticks to hospitality and retail businesses in March 2020.