Using friendly-looking USB sticks as a vector for malware distribution is a trick as old as the internet itself and, apparently, it’s still quite popular with the criminals.
On Thursday, the FBI warned that a hacker group has been using the U.S. mail to send malware-laden USB drives to companies in the defence, transportation and insurance industries, in the hope that employees will be gullible enough to plug them into their computers, The Record reports. Once a drive is plugged into a desktop or laptop, the criminals have tried to use it to deploy ransomware or other malicious software onto the target systems.
The hacker group behind this bad behaviour — a group called FIN7 — has gone to great lengths to make their parcels appear innocuous, according to the FBI. In some cases, packages were dressed up as if they were sent by the US Department of Health and Human Services, with notes explaining that the drives contained important information about covid-19 guidelines. In other cases, they were delivered as if they had been sent via Amazon, along with a “decorative gift box containing a fraudulent thank you letter, counterfeit gift card, and a USB,” according to the FBI warning.
This little scheme appears to have been going on for at least several months. The FBI says it originally began receiving reports about such activity as far back as last August.
The culprit, FIN7, is a notably sophisticated cybercriminal group that, over the course of its career, is reported to have stolen more than $US1 billion through various financial hacking schemes. In the past, it has also been connected to prominent ransomware families — such as DarkSide and BlackMatter — and, last September, security researchers reported that FIN7 had gone to the trouble of creating a fake cybersecurity company in order to recruit IT talent for its criminal operations.
While it might seem ridiculous that anyone would plug a random USB stick into their computer, studies have shown that, actually, that’s exactly what a whole lot of people do when confronted with the opportunity. Thus the popularity of the “drop” trick, in which a malicious drive is left in a company’s parking lot in the hopes that the weakest link at the firm will pick it up and, out of curiosity, plug it into their laptop. Actually, if you believe one high-ranking defence official, a disastrous, worm-fuelled attack on the Pentagon in 2008 was launched just this way.
Hackers have also attempted to use USB drives as a vector for ransomware attacks before. Last September, it was reported that gangs had been approaching employees of particular companies and attempting to bribe them into unleashing ransomware on their company’s servers via USB sticks supplied by the hackers.
All of this is a roundabout way of saying a few basic things: Don’t accept gifts from strangers, avoid bribes, and, if you don’t know where that USB stick came from, better leave it alone.