As the country entered into the second weekend of 2022, the FBI issued an alert to industry on January 6 to be wary of unexpected gifts. The alert, which according to the Record, was only available to those who are members of the FBI-hosted Infragard, details how the FIN7 cybercrime group (Darkside and BlackMatter) is loading up USB sticks, and sending them to targeted entities as either an innocuous thank you or important COVID-19 information.
FIN7 has seemingly taken a page from the criminal antics of 20 years ago when criminals and those engaged in industrial espionage would drop USB sticks in company parking lots in the hope a curious employee would pick it up and stick it in a networked computer. In this iteration, FIN7 used both the United States Postal System and United Parcel Service (UPS) as their delivery mechanisms.
The Record, who obtained a copy of the alert, shared portions of the text of the FBI alert:
“Since August 2021, the FBI has received reports of several packages containing these USB devices, sent to U.S. businesses in the transportation, insurance, and defense industries,” the Bureau said in a security alert sent yesterday to U.S. organizations.
“The packages were sent using the United States Postal Service and United Parcel Service,” the agency added.
“There are two variations of packages—those imitating HHS are often accompanied by letters referencing COVID-19 guidelines enclosed with a USB; and those imitating Amazon arrived in a decorative gift box containing a fraudulent thank you letter, counterfeit gift card, and a USB.”
The Record continued how, the discovered devices are “LilyGo-branded USB devices” and once inserted into a computer executes the BADUSB attack.
Companies that are involved in National Industrial Security Programs (NISP) conduct both cyber and counterintelligence defensive briefs on a regular basis. FSOs should generate an alert to all employees about the above methodology and specifically warn them of this specific threat.
For the IT/Infosec team, the characteristics of the attack should be fully briefed to all responsible personnel. This iteration shows the USB registers itself on the device as a keyboard and then sends a series of automated keystrokes which engage PowerShell commands which ultimate allows for compromise of the device and in some cases have permitted the miscreants to obtain administrative access.
Why the FBI chose to issue the warning via Infragard and not more broadly by issuing the warning in conjunction with CISA is unknown. Therefore, it behooves companies to join the Infragard and receive these exclusive alerts directly.