The FBI recently warned of USB-based attacks by the FIN7 group. The campaign, believed to have started last August, targets American companies, including those in critical infrastructure sectors such as transportation, insurance, and defense. The attackers mail their victims packages containing USB devices loaded with attack tooling. These "BadUSBs" pose a significant threat. Here's what you need to know, and do, about them.
The Attack Technique and Tools
It is believed there are two variations of the packages, each of which is designed to trick users into using the USB devices. The first references COVID-19 guidelines, while the second claims to be a gift in decorative packaging with a fake gift card and thank-you letter.
The devices used are commercially available keystroke-injection tools of the kind sold for penetration testing. A BadUSB looks like an ordinary USB flash drive, but it presents itself to the operating system as a different, more implicitly trusted class of device: a keyboard. Once plugged in, it types a scripted sequence of keystrokes that opens a command prompt or PowerShell window and runs commands that download and execute malware. That initial infection gives the attackers a foothold from which to carry out the rest of the intrusion; in the FIN7 attacks, the end goal was ransomware. Because the device never exposes any files, scanning it for malicious content finds nothing; the threat is the device itself.
Sadly, this was not a one-off event or attack technique. Researchers have catalogued roughly 30 distinct classes of USB attack, and new variants appear regularly. Long gone are the days when all we had to worry about was which malicious files were stored on a USB drive. Today we must consider not only the files on the device but also the device itself, and that should be the standard philosophy for any hardware we bring into a secure and trusted environment. Other considerations for keeping organizations safe from device-based threats include:
- Source hardware only from trusted vendors to keep supply-chain risk down. If a deal seems too good to be true, it probably is, and you may be getting more than you bargained for.
- Approach gifts with caution. As with the FIN7 attack, malicious devices are often disguised as gifts to trick victims.
- Remove unnecessary hardware from your critical environment. There's no reason to keep a drawer full of old USB drives, CDs, DVDs, mice, keyboards, and so on. Malicious devices could be easily mixed in with such collections, or older devices could be altered to act maliciously.
- Create a list of all tested and approved devices. Inventory everything from removable media to keyboards, headsets, and monitors. Anything used in your facility should be documented so that when something new appears there is a visible cue that it does not belong and should be reported to management or the security team.
- Training can be your first line of defense. An organization is only as strong as its weakest link, and human beings are curious by nature. Ensure that all employees and site visitors are trained on current security practices, including not plugging in unsolicited or unknown devices. Regular training does not need to be complex or cumbersome; the key is that everyone has access to the latest guidance and knows which practices to follow.
- Removable media security controls limit which devices an endpoint will accept (for example, device control that allows only approved hardware IDs) and provide a safe, monitored path, such as a scanning gateway, for media that genuinely needs to be used.
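The technique described above (a flash drive that enumerates as a keyboard) and the approved-device inventory recommended in the list both suggest a concrete check: compare the keyboard-class devices actually attached to a Windows host against the vendor/product IDs of keyboards the organization has approved. The script below is an added example written for this article, not tooling from the FBI alert or from FIN7. It uses the built-in `Get-PnpDevice` and `Get-WinEvent` cmdlets; the VID/PID values in the allowlist are placeholders that must be replaced with your own inventory, and the Kernel-PnP event query is an assumption about where Windows records device arrivals on the build you run it on.

```powershell
# Added example: audit attached keyboard-class devices against an allowlist.
# Not code from the original article. Placeholder VID/PID values below are
# assumptions; replace them with your organization's tested and approved keyboards.

$ApprovedKeyboards = @(
    'VID_046D&PID_C31C',   # placeholder: approved wired keyboard model A
    'VID_413C&PID_2113'    # placeholder: approved wired keyboard model B
)

function Get-KeyboardVidPid {
    param([string]$InstanceId)
    # USB keyboards enumerate with instance IDs such as
    #   USB\VID_046D&PID_C31C\6&1A2B3C4D&0&2   or   HID\VID_046D&PID_C31C&MI_00\7&...
    # Extract the VID_xxxx&PID_xxxx portion; non-USB keyboards (ACPI, PS/2) have none.
    if ($InstanceId -match '(VID_[0-9A-Fa-f]{4}&PID_[0-9A-Fa-f]{4})') {
        return $Matches[1].ToUpper()
    }
    return $null
}

function Test-KeyboardInventory {
    param([string[]]$Approved)
    # -PresentOnly limits the result to devices connected right now, not stale
    # registry entries for hardware that was plugged in months ago.
    $present = Get-PnpDevice -Class Keyboard -PresentOnly -ErrorAction SilentlyContinue
    foreach ($dev in $present) {
        $vidpid = Get-KeyboardVidPid -InstanceId $dev.InstanceId
        $status = if (-not $vidpid)                 { 'NotUSB'   }
                  elseif ($Approved -contains $vidpid) { 'Approved' }
                  else                                { 'UNKNOWN'  }
        [pscustomobject]@{
            Name       = $dev.FriendlyName
            InstanceId = $dev.InstanceId
            VidPid     = $vidpid
            Status     = $status
        }
    }
}

function Get-RecentKeyboardArrivals {
    param([int]$Hours = 24)
    # Assumption: the Kernel-PnP configuration log records event 400 ("Device ... was
    # configured") when a new device is installed; filter it for keyboard/HID IDs so
    # you can see when an unknown keyboard first appeared on the host.
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Kernel-PnP/Configuration'
        Id        = 400
        StartTime = $since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'VID_[0-9A-Fa-f]{4}&PID_[0-9A-Fa-f]{4}' -and
                       $_.Message -match '(?i)HID|keyboard' } |
        Select-Object TimeCreated, Message
}

$report = Test-KeyboardInventory -Approved $ApprovedKeyboards
$report | Format-Table -AutoSize

$unknown = @($report | Where-Object Status -eq 'UNKNOWN')
if ($unknown.Count -gt 0) {
    Write-Warning "$($unknown.Count) keyboard-class device(s) are not on the approved list."
    Write-Warning "A BadUSB that enumerates as a keyboard would appear here. Recent arrivals:"
    Get-RecentKeyboardArrivals -Hours 24 | Format-List
    exit 1
}
Write-Output 'All attached keyboard-class devices are approved.'
```

Run it in an elevated PowerShell session so the event log query succeeds. The check is deliberately narrow: it only covers devices that expose a keyboard interface, which is the BadUSB case this article discusses, and it reports rather than blocks. To enforce the allowlist rather than audit it, the same hardware IDs belong in the Device Installation Restrictions group policy (deny installation of devices not described by other policy settings, with the approved IDs allowed explicitly), which stops Windows from installing an unknown keyboard in the first place.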
These best practices can form the foundation of a removable media security policy, but any such policy must be reviewed and tested on an ongoing basis. For example, would your removable media policy have prevented the recent FIN7 attack, given that the device arrived as a gift and behaved as a keyboard rather than as storage? If not, how should it be updated? Organizations should be asking themselves these and similar questions regularly to ensure they are doing everything practical to keep their facilities safe from bad actors.