USB sticks with ransomware - FIN7 hacker group uses hardware!
Offensive Security


Without countermeasures, USB sticks carrying ransomware are dangerous. Attacks of this kind have now been observed in the USA.

Vincent Heinen, Head of Offensive Services
Updated: September 30, 2024 · 2 min read
OSCP+ OSCP OSWP OSWA

TL;DR

The FIN7 hacker group mailed physical USB sticks disguised as gift boxes or Covid-19 guidelines to US defence industry targets, sometimes accompanied by follow-up phone calls pressuring recipients to plug them in. Once connected, the BadUSB sticks register as a keyboard, so restrictions that only block USB mass storage do not stop them, and they execute malicious commands through injected keystrokes. Protection requires whitelisting hardware by ID rather than simply blocking storage devices.


Finding a USB stick with ransomware in the physical mailbox is an unusual, if not unrealistic, scenario. Many companies have prepared for this eventuality with various measures. A current case shows that this threat scenario cannot yet be filed away.

The defense industry in the United States is huge. Several of its companies received packages disguised as gift boxes or Covid-19 guidelines, each containing a USB stick loaded with malware. The technique itself is not particularly innovative.

USB sticks with ransomware register with the system as a keyboard

Technically, the attack rests on a BadUSB stick; what makes it stand out is the sophisticated social engineering campaign built around it. The packages were sent in the name of the U.S. Department of Health and Human Services (HHS) rather than anonymously, and the USB stick was not the only content: the malicious hardware was accompanied by letters and other information. Recipients were not left alone with the packages either. Numerous calls were made to pressure them into inserting the USB stick. The attack itself is by no means new.

Once a recipient decides to connect one of the USB sticks, it registers with the system as a USB keyboard (a HID device) and injects keystrokes. This opens the door to inputs that numerous measures are otherwise meant to prevent. Even blocking or prohibiting USB mass storage devices does not help at this point, because a keyboard is not subject to those restrictions.

Instead, the set of allowed devices should be determined and their hardware IDs permitted on a whitelisting basis. An attack then remains technically possible only if the attacker knows which hardware is in use. For a sufficiently large company, building an in-house team for this is also worth careful consideration.
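As an added example (not code from the original article or from its author), the following Python models the two points made above: a BadUSB stick enumerates a HID keyboard interface, so a policy that only blocks mass storage never sees it, while an allowlist pinned to vendor ID, product ID and serial does. The device records, IDs and serials are constructed for this illustration, and the rule syntax emitted by `usbguard_rules` is assumed from the usbguard-rules manual rather than taken from the page.

```python
"""Allowlist policy for USB devices, as a BadUSB stick looks to the host: a device
that enumerates a HID keyboard interface (class 0x03, protocol 0x01) the operator
never expected. Device records mirror the attributes Linux exposes under
/sys/bus/usb/devices (idVendor, idProduct, serial, bInterfaceClass/SubClass/Protocol).
All device data below is constructed for illustration; the IDs are not real products."""

from dataclasses import dataclass
from typing import Iterable, List, Tuple

HID_CLASS = 0x03           # USB Human Interface Device class
MASS_STORAGE_CLASS = 0x08  # USB Mass Storage class
KEYBOARD_PROTOCOL = 0x01   # HID boot-interface protocol for keyboards


@dataclass(frozen=True)
class Interface:
    cls: int
    subclass: int
    protocol: int


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: str              # four hex digits, as in sysfs idVendor
    product_id: str             # four hex digits, as in sysfs idProduct
    serial: str                 # iSerialNumber string, may be empty
    interfaces: Tuple[Interface, ...]


@dataclass(frozen=True)
class AllowEntry:
    vendor_id: str
    product_id: str
    serial: str                 # pinned per device: VID:PID alone is trivial to clone


def _key(vendor_id: str, product_id: str, serial: str) -> Tuple[str, str, str]:
    return vendor_id.lower(), product_id.lower(), serial


def evaluate(device: UsbDevice, allowlist: Iterable[AllowEntry]) -> Tuple[str, str]:
    """Decide ("allow" | "block", reason) for a newly enumerated device.

    Order matters: the storage+HID composite check runs before the allowlist,
    because that combination is the classic BadUSB profile and has no place on a
    managed endpoint even under a known ID. Everything not explicitly listed is
    blocked; an unlisted keyboard gets its own reason so it stands out in logs.
    """
    ifaces = device.interfaces
    has_storage = any(i.cls == MASS_STORAGE_CLASS for i in ifaces)
    has_hid = any(i.cls == HID_CLASS for i in ifaces)
    if has_storage and has_hid:
        return "block", "composite mass-storage + HID device (BadUSB profile)"
    wanted = _key(device.vendor_id, device.product_id, device.serial)
    for entry in allowlist:
        if _key(entry.vendor_id, entry.product_id, entry.serial) == wanted:
            return "allow", "vendor/product ID and serial match allowlist"
    if any(i.cls == HID_CLASS and i.protocol == KEYBOARD_PROTOCOL for i in ifaces):
        return "block", "unlisted device presents a HID keyboard interface"
    return "block", "device not on allowlist"


def usbguard_rules(allowlist: Iterable[AllowEntry]) -> List[str]:
    """Render the allowlist in USBGuard's rule language (syntax assumed from the
    usbguard-rules manual): one pinned allow rule per device, a reject for the
    storage+HID combination, then a default block for everything else."""
    rules = [
        f'allow id {e.vendor_id.lower()}:{e.product_id.lower()} serial "{e.serial}"'
        for e in allowlist
    ]
    rules.append("reject with-interface all-of { 08:*:* 03:00:00 }")
    rules.append("block")
    return rules


# Constructed sample data: one approved keyboard, then three devices a BadUSB
# campaign might present. IDs and serials are made up for this example.
ALLOWLIST = (AllowEntry("1234", "5678", "KB-0001"),)

SAMPLE_DEVICES = {
    "approved_keyboard": UsbDevice(
        "1234", "5678", "KB-0001",
        (Interface(HID_CLASS, 0x01, KEYBOARD_PROTOCOL),)),
    # Stick that enumerates purely as a keyboard; it has no storage interface,
    # so a mass-storage block would never see it.
    "keystroke_injector": UsbDevice(
        "abcd", "0001", "",
        (Interface(HID_CLASS, 0x01, KEYBOARD_PROTOCOL),)),
    # Stick that is both a flash drive and a keyboard.
    "storage_plus_hid": UsbDevice(
        "abcd", "0002", "SN-777",
        (Interface(MASS_STORAGE_CLASS, 0x06, 0x50),
         Interface(HID_CLASS, 0x00, 0x00))),
    # Attacker cloned the approved VID:PID but not the serial.
    "cloned_ids_wrong_serial": UsbDevice(
        "1234", "5678", "KB-9999",
        (Interface(HID_CLASS, 0x01, KEYBOARD_PROTOCOL),)),
}


if __name__ == "__main__":
    for name, dev in SAMPLE_DEVICES.items():
        decision, reason = evaluate(dev, ALLOWLIST)
        print(f"{name:26} {decision:5} {reason}")
    print("\n".join(usbguard_rules(ALLOWLIST)))
```

Pinning the serial is what separates a hardware allowlist from a mere vendor/product filter: the residual risk named in the text remains, since an attacker who learns which exact hardware is in use can program a stick to report the same descriptors, which is why the composite storage+HID reject is kept as a second, ID-independent rule.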

Attack with USB sticks is not new - but the context has been adapted

For anyone who follows attacks in the scene, the use of USB sticks with ransomware does not look new. The FIN7 group is highly creative and best known for using phishing attacks to distribute and activate malware.

A wave of attacks of a similar kind has already been attributed to the group. At the time, however, the packages were sent in the name of Best Buy, a US electronics retailer, and the target group was different: mainly hotels and restaurants.


About the author

Vincent Heinen

Head of Offensive Services

M.Sc. in IT Security with over 5 years of experience in offensive security analysis. Leads the execution of penetration tests, specialising in web applications, network infrastructure, reverse engineering and hardware security. Responsible for several responsible disclosures.
