Skip to content ↓ | Skip to navigation ↓

A notorious cybercrime gang, involved in a series of high profile ransomware attacks, has in recent months been sending out poisoned USB devices to US organisations.

As The Record reports, the FBI has warned that FIN7 – the well-organised cybercrime group believed to behind the Darkside and BlackMatter ransomware operations – has been mailing out malicious USB sticks in the hope that workers will plug them into their computers.

According to the FBI, anyone who plugs in the USB drives into their devices runs the risk of becoming victim of a “BadUSB” attack.

A BadUSB device uses the USB stick’s microcontroller to impersonate a keyboard, and sends malicious commands to any computer to which it is attached. It’s effectively the equivalent of allowing a malicious hacker to walk into your building, sit at an unlocked computer, and start typing.

On this occasion, the automated keystrokes run PowerShell commands that download and install malware onto the computers, and allow malicious hackers to gain unauthorised remote access. Attackers could then use a variety of tools to deploy ransomware inside an organisation.

A security alert issued by the FBI warns that the dangerous USB sticks, which are branded LilyGO, have been mailed out via the United States Postal Service and UPS to businesses working in the transportation, insurance, and defence industries.

The packages are said to often be accompanied by letter which refer to COVID-19 guidelines, or pretend to be a gift sent via Amazon, arriving in “a decorative gift box containing a fraudulent thank you letter, counterfeit gift card, and a USB.”

The FBI warns that it has received reports of the packages being received by targeted organisations since August 2021, and as recently as November a US company working in the defence sector received a malicious USB stick accompanied by a fake Amazon thank you letter.

BadUSB attacks – although a standard part of any penetration-tester’s arsenal – have tended historically to be more of a theoretical threat than a danger that most businesses were likely to encounter.

However, with organised cybercriminal gangs now using the technique in their attempts to break into companies, plant ransomware, and steal data it’s clearly more important than ever before to educate users about the risks of plugging in unknown devices.

One way in which organisations might reduce the threat would be for network administrators to consider disabling PowerShell on users’ workstations if there is no legitimate use for the automation framework.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.