Why do attackers use BadUSB to target defense organizations with ransomware?

In a recently updated flash alert, the FBI (Federal Bureau of Investigation) warned US firms that the financially motivated FIN7 cybercrime gang has targeted the US defense industry with mailed packages containing malicious USB devices in order to deploy ransomware. The threat actor mailed packages containing 'BadUSB' (also called 'Bad Beetle USB') devices bearing the LilyGo logo, hardware that is commonly available for sale on the Internet.

They used the United States Postal Service (USPS) and United Parcel Service (UPS) to mail the malicious packages to businesses in the transportation and insurance industries since August 2021, and to defense firms starting in November 2021.

How does BlackMatter or REvil ransomware spread on the compromised networks?

FIN7 operators impersonated Amazon and the US Department of Health & Human Services (HHS) to trick targets into opening the packages and connecting the USB drives to their systems. Reports collected by the FBI since August state that these malicious packages also included letters about COVID-19 guidelines, fictitious gift cards, or forged thank-you notes, depending on the impersonated entity.

After a target plugs the USB device into a computer, it registers itself as a Human Interface Device (HID) keyboard rather than as storage, which allows it to operate even when removable storage devices have been disabled by policy.

It then starts injecting keystrokes to install the malware payloads on the compromised systems. In some attacks, FIN7's end goal is to gain access to the victim's network and deploy ransomware (including BlackMatter and REvil) across the compromised network using various tools, including Metasploit, Cobalt Strike, Carbanak malware, the Griffon backdoor, and PowerShell scripts.


How is Malware pushed using teddy bears?

These attacks follow another series of incidents the FBI warned about two years ago when FIN7 operators impersonated Best Buy and mailed similar packages with malicious flash drives via USPS to hotels, restaurants, and retail businesses.

Reports of such attacks started surfacing back in February 2020. Some of the targets also reported that the hackers emailed or called them to pressure them into connecting the drives to their systems. Beginning in at least May 2020, malicious packages sent by FIN7 also included items such as teddy bears, designed to trick the targets into lowering their guard.

Attacks like those attempted by FIN7 are known as HID or USB drive-by attacks, and they can only succeed if the victims are willing to plug unknown USB devices into their workstations, or are tricked into doing so.

Organizations can defend against such attacks by allowing employees to connect only USB devices that are allowlisted by hardware ID, or that have been vetted by the security team, rather than relying on disabling removable storage alone, which a device posing as a keyboard bypasses.
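The two points above, that a BadUSB device enumerates as a HID keyboard (so a "removable storage disabled" policy does not stop it) and that the workable defense is a default-deny policy with devices allowlisted by hardware ID, can be shown in a small policy engine. The following is an added example written for this article; it is not code from the FBI alert, from FIN7's tooling, or from any vendor product. The device records, vendor/product IDs, serial numbers and the allowlist are constructed placeholders, and the generated udev rules assume a Linux host that has already set `authorized_default=0` on its USB hubs so that unlisted devices stay deauthorized (the policy logic itself is OS-independent). The composite keyboard-plus-storage check goes slightly beyond the article: a "flash drive" that also presents a keyboard interface is the characteristic BadUSB signature and is worth flagging even when the device is not otherwise known.

```python
"""Default-deny USB policy: allowlist by hardware ID, with a BadUSB heuristic.

Added example, not from the article or any vendor tool. All device records,
VID:PID pairs, serials and the allowlist below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# USB interface class/subclass/protocol codes as defined by the USB-IF.
HID_CLASS = 0x03
HID_KEYBOARD_PROTOCOL = 0x01      # boot-protocol keyboard
MASS_STORAGE_CLASS = 0x08


@dataclass(frozen=True)
class Interface:
    cls: int
    subclass: int
    protocol: int


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int
    product_id: int
    serial: str
    interfaces: Tuple[Interface, ...]

    @property
    def hardware_id(self) -> str:
        """VID:PID in the lowercase hex form used by lsusb and udev."""
        return f"{self.vendor_id:04x}:{self.product_id:04x}"


def is_keyboard(iface: Interface) -> bool:
    """True for a HID interface that speaks the boot keyboard protocol."""
    return iface.cls == HID_CLASS and iface.protocol == HID_KEYBOARD_PROTOCOL


def evaluate(dev: UsbDevice, allowlist: Dict[str, str]) -> Tuple[str, str]:
    """Decide ("allow" | "block", reason) for a newly enumerated device.

    allowlist maps "vid:pid" -> expected serial. "*" accepts any serial, which
    is weaker: a BadUSB device can present whatever VID:PID it likes, so pinning
    the serial as well narrows what a spoofed ID can get past the policy.
    """
    expected_serial = allowlist.get(dev.hardware_id)
    if expected_serial is not None and expected_serial in ("*", dev.serial):
        return "allow", f"{dev.hardware_id} serial {dev.serial} is allowlisted"

    has_keyboard = any(is_keyboard(i) for i in dev.interfaces)
    has_storage = any(i.cls == MASS_STORAGE_CLASS for i in dev.interfaces)
    if has_keyboard and has_storage:
        # A "drive" that also enumerates as a keyboard is the classic BadUSB pattern.
        return "block", "composite keyboard+storage device (BadUSB pattern)"
    if has_keyboard:
        # Disabling removable storage does nothing here; the device is a keyboard.
        return "block", "unlisted HID keyboard; requires security-team vetting"
    return "block", "device not on allowlist"


def udev_rules(allowlist: Dict[str, str]) -> List[str]:
    """Render udev rules that re-authorize only allowlisted devices.

    Assumes authorized_default=0 is already set on the host's USB hubs (Linux
    sysfs), so everything not matched by a rule stays deauthorized.
    """
    rules = []
    for hw_id, serial in sorted(allowlist.items()):
        vid, pid = hw_id.split(":")
        match = f'SUBSYSTEM=="usb", ATTR{{idVendor}}=="{vid}", ATTR{{idProduct}}=="{pid}"'
        if serial != "*":
            match += f', ATTR{{serial}}=="{serial}"'
        rules.append(f'{match}, ATTR{{authorized}}="1"')
    return rules


# Constructed sample inventory; IDs and serials are placeholders, not real devices.
ALLOWLIST = {"046d:c31c": "K-CONSTRUCTED-001", "0781:5567": "*"}

KNOWN_KEYBOARD = UsbDevice(0x046d, 0xc31c, "K-CONSTRUCTED-001",
                           (Interface(HID_CLASS, 0x01, HID_KEYBOARD_PROTOCOL),))
SPOOFED_KEYBOARD = UsbDevice(0x046d, 0xc31c, "DIFFERENT-SERIAL",
                             (Interface(HID_CLASS, 0x01, HID_KEYBOARD_PROTOCOL),))
BADUSB_STICK = UsbDevice(0xdead, 0xbeef, "STICK-CONSTRUCTED",
                         (Interface(MASS_STORAGE_CLASS, 0x06, 0x50),
                          Interface(HID_CLASS, 0x01, HID_KEYBOARD_PROTOCOL)))
PLAIN_STICK = UsbDevice(0x0781, 0x5567, "ANY",
                        (Interface(MASS_STORAGE_CLASS, 0x06, 0x50),))

if __name__ == "__main__":
    for dev in (KNOWN_KEYBOARD, SPOOFED_KEYBOARD, BADUSB_STICK, PLAIN_STICK):
        print(dev.hardware_id, *evaluate(dev, ALLOWLIST))
    print("\n".join(udev_rules(ALLOWLIST)))
```

Running the script shows the known keyboard allowed, the same VID:PID with a different serial blocked as an unlisted keyboard, the keyboard-plus-storage stick blocked with the BadUSB reason, and the wildcard-listed storage stick allowed. The serial pinning is the design choice worth noting: allowlisting by VID:PID alone is the minimum the article describes, but because those values are attacker-controlled on a programmable device, a vetted serial (or, with a tool that supports it, a descriptor hash) is what makes "allowed hardware ID" mean a specific physical device.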
