
FIN7 Sends BadUSB Devices to U.S. Businesses as Part of Targeted Ransomware Campaign

First reported by The Record, the FBI has issued a new security Flash Alert warning organizations that the cybercrime gang FIN7 is again sending malicious USB drives to U.S. business targets in the transportation, insurance and defense industries through the U.S. Postal Service and United Parcel Service.

FIN7, which is also known as Carbanak Group and Navigator Group, began this latest wave of attacks in August 2021. The malicious drives can be recognized by the LilyGo label on the case.

The USB drives are accompanied by a socially engineered letter impersonating Amazon and the U.S. Department of Health & Human Services (HHS) to trick the targets into opening the packages and connecting the USB drives to their systems. The tactic of using a socially engineered note is similar to what the gang uses in its traditional email phishing attacks.

This is the second time in two years that the FBI has issued an alert regarding BadUSB. The FBI sent the first alert in March 2020, after Trustwave SpiderLabs intercepted one of the malicious BadUSB devices sent to one of its customers, a U.S. hospitality provider.

Attack Effectiveness and How Organizations Can Defend Against Them

While these types of attacks are often discussed among security professionals, they are not that common in real-life attacks. However, the very fact that they are rare could make them more effective, because organizations simply aren't prepared for them.

The good news is that most cyber gangs stay away from BadUSB and similar attack vectors. Since this method requires purchasing drives and paying for shipping, it is expensive to operate at scale, so it is likely to be used only in very targeted situations. It's possible that this attack vector was chosen specifically after some initial reconnaissance.

While any such attack is potentially dangerous, there are specific steps organizations can take to defend against it, along with general protective measures they should already have in place.

These attacks are triggered by a USB stick emulating a USB keyboard, so they are typically blocked by endpoint protection software that can monitor access to command shells and sometimes even typing speed, since the emulated keyboard injects keystrokes at an inhuman rate.

For critical systems that don't require any USB accessories, physical and software-based USB port blockers may help prevent this attack. Of course, ongoing security awareness training should include this type of attack and warn against connecting any strange device to your computer.
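A typing-speed check of the kind described above, as an added example that is not code from the original post or from Trustwave: it scores per-device inter-keystroke gaps from a constructed HID event log and flags devices whose bursts are too fast or too regular to be human. The thresholds, device names and sample log are assumptions.

```python
"""Timing-based detection of keystroke injection (added example, not from
the original post).  A BadUSB device enumerating as a keyboard types far
faster and more regularly than a person.  Events are (timestamp_ms,
device_id, key); thresholds and the sample log are constructed assumptions,
real telemetry would come from an endpoint agent's HID hooks."""
from collections import defaultdict
from statistics import mean, pstdev

MAX_HUMAN_KEYS_PER_SEC = 15.0   # assumption: fast typists peak near 10-12 keys/s
MIN_HUMAN_JITTER_RATIO = 0.10   # assumption: stdev/mean of gaps below this is machine-like
BURST_LEN = 16                  # inter-key gaps examined per sliding window


def inter_key_gaps(timestamps):
    """Milliseconds between consecutive keystrokes of one device."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def burst_is_inhuman(gaps):
    """True when a window of gaps is too fast or too regular for a person."""
    avg = mean(gaps)
    if avg <= 0:
        return True
    rate = 1000.0 / avg                 # keys per second
    jitter = pstdev(gaps) / avg         # relative spread of the gaps
    return rate > MAX_HUMAN_KEYS_PER_SEC or jitter < MIN_HUMAN_JITTER_RATIO


def flag_devices(events):
    """Map each suspect device_id to the timestamp where its burst began."""
    by_device = defaultdict(list)
    for ts, dev, _key in sorted(events):
        by_device[dev].append(ts)
    flagged = {}
    for dev, ts_list in by_device.items():
        gaps = inter_key_gaps(ts_list)
        for i in range(len(gaps) - BURST_LEN + 1):
            if burst_is_inhuman(gaps[i:i + BURST_LEN]):
                flagged[dev] = ts_list[i]
                break
    return flagged


def sample_events():
    """Constructed log: a human on kbd-A, then an injecting HID on kbd-B."""
    human_gaps = [180, 240, 130, 310, 200, 160, 270, 220] * 3  # jittery, ~4.7 keys/s
    human, t = [], 0
    for g in human_gaps:
        t += g
        human.append((t, "kbd-A", "x"))
    injected = [(5000 + 4 * i, "kbd-B", "x") for i in range(40)]  # 250 keys/s, no jitter
    return human + injected


if __name__ == "__main__":
    print(flag_devices(sample_events()))  # {'kbd-B': 5000}
```

Key auto-repeat and programmable macro pads also produce very regular gaps, so this score is one signal to combine with new-HID-enumeration events and command-shell launch telemetry rather than a verdict on its own.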

FIN7: A History of BadUSB and Social Engineering Attacks

In March 2020, Trustwave SpiderLabs posted a detailed description of how FIN7 allegedly attacks its victims using physical media. Much like the current string of attacks, these past attacks saw the gang allegedly sending an envelope with a letter from a well-known source, like a retailer, containing a letter, a gift card, and a malicious USB key.

In the original attacks, the letter accompanying the drive claimed that the USB drive contained a list of products that could be purchased with the included gift card. However, in the example tested by Trustwave SpiderLabs, the USB device was built on an Arduino microcontroller (ATMEGA32U4) and was programmed to emulate a USB keyboard. Since PCs trust USB keyboard devices by default, the keyboard emulator can automatically inject malicious commands as soon as it is plugged in.

Figure: The FIN7 BadUSB Attack Flow.

Traditionally, FIN7 has sent carefully crafted email messages that appear legitimate to a business's employees, accompanying the emails with telephone calls intended to lend them legitimacy. Once an attached file was opened and activated, FIN7 would use an adapted version of the notorious Carbanak malware, along with an arsenal of other tools, ultimately to access and steal payment card data belonging to the business's customers. According to a U.S. Department of Justice statement, FIN7 has allegedly sold many of the stolen payment card numbers through online underground marketplaces.

The gang has been operating since about 2015 and has targeted U.S. companies in the restaurant, gaming, and hospitality industries, causing an estimated $3 billion in total damage, according to the Department of Justice.

The federal government credits FIN7 with successfully breaching the computer networks of businesses in all 50 states and the District of Columbia, stealing more than 20 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations. Additional intrusions occurred abroad, including in the United Kingdom, Australia, and France.

The Department of Justice has arrested and prosecuted several FIN7 gang members. This includes the April 2021 sentencing of Fedir Hladyr, 35, a Ukrainian national who served as a high-level manager and systems administrator for FIN7, to 10 years in prison.
