Trustwave Blog

FIN7 Sends BadUSB Devices to U.S. Businesses as Part of Targeted Ransomware Campaign

Written by Karl Sigler | Jan 11, 2022

First reported by The Record, the FBI has issued a new security Flash Alert warning organizations that the cybercrime gang FIN7 is again sending malicious USB drives to U.S. business targets in the transportation, insurance and defense industries through the U.S. Postal Service and United Parcel Service.

This latest wave of attacks began in August 2021 with FIN7, which is also known as Carbanak Group and Navigator Group. The drives can be recognized by the LilyGo label on the case.

The USB drives are accompanied by a socially engineered letter impersonating Amazon and the U.S. Department of Health & Human Services (HHS) to trick the targets into opening the packages and connecting the USB drives to their systems. The tactic of using a socially engineered note is similar to what the gang uses in its traditional email phishing attacks.

This is the second time in two years that the FBI has issued an alert regarding BadUSB. The FBI sent the first alert in March 2020, after Trustwave SpiderLabs intercepted one of the malicious BadUSB devices sent to one of its customers, a U.S. hospitality provider.

Attack Effectiveness and How Organizations Can Defend Against Them

While these types of attacks are often discussed among security professionals, they are not that common in real-life attacks. However, the very fact that these types of attacks are rare could make them more effective because organizations simply aren’t prepared.

The good news is most cyber gangs stay away from BadUSB and similar attack vectors. Since this methodology requires purchasing drives and paying for shipping, it is expensive to operate on a large scale, so it would likely be used in very targeted situations. It's possible that this attack vector was decided on specifically after some initial reconnaissance.

While any such attack is potentially dangerous, there are steps organizations can take to defend against this type of attack, in addition to the protective measures they should already have in place.

These attacks are triggered by a USB stick emulating a USB keyboard. They are typically blocked by endpoint protection software that monitors access to command shells and, in some cases, the speed of typing, since the emulated keyboard injects keystrokes at an inhuman speed.
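To make the typing-speed heuristic concrete, here is an added example (not Trustwave's code or any product's detection logic). It assumes a hypothetical endpoint sensor that logs keystrokes as `epoch_ms,key` lines; the log lines, the 40 ms threshold and the minimum run length are constructed assumptions a deployment would tune. It finds runs of consecutive keys typed faster than a human can sustain and flags runs whose reconstructed text names a command shell, which is the combination the paragraph above describes.

```python
"""Heuristic detector for keystroke injection from a keyboard-emulating USB device.

Added example, not code from the original post. Input format (assumed): one
keystroke event per line as "epoch_ms,key", where key is a single character
or a named key such as ENTER or GUI_R (Windows key + R).
"""
from statistics import median

# Assumed thresholds: sustained inter-key gaps under 40 ms are beyond human
# typing; keystroke injectors usually emit a key every few milliseconds.
MAX_HUMAN_INTERVAL_MS = 40
MIN_RUN = 5  # consecutive fast keys needed before a run is reported

# Names of command shells whose appearance in an injected run is worth alerting on.
SHELL_NAMES = ("cmd", "powershell", "bash", "sh ")

# Constructed sample: five human-paced keys, then five keys injected 4-6 ms apart.
SAMPLE_LOG = """\
# epoch_ms,key   (constructed test data)
1000,h
1180,e
1310,l
1450,l
1600,o
5000,GUI_R
5006,c
5011,m
5016,d
5020,ENTER
""".splitlines()

HUMAN_ONLY_LOG = SAMPLE_LOG[:6]  # header plus the five human-paced keys


def parse_events(lines):
    """Parse 'epoch_ms,key' lines into (timestamp_ms, key) tuples, skipping comments."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, key = line.split(",", 1)
        events.append((int(ts), key))
    return events


def find_injection_runs(events, max_interval_ms=MAX_HUMAN_INTERVAL_MS, min_run=MIN_RUN):
    """Return (start_index, end_index) for each run of at least min_run
    consecutive events whose inter-key gaps are all <= max_interval_ms."""
    runs = []
    start = 0
    for i in range(1, len(events) + 1):
        fast = i < len(events) and events[i][0] - events[i - 1][0] <= max_interval_ms
        if not fast:
            if i - start >= min_run:
                runs.append((start, i - 1))
            start = i
    return runs


def typed_text(events, start, end):
    """Reconstruct the text of events[start..end]; named keys are shown as <NAME>."""
    parts = []
    for _, key in events[start:end + 1]:
        parts.append(key if len(key) == 1 else f"<{key}>")
    return "".join(parts)


def mentions_shell(text):
    """True if the reconstructed text names a command shell."""
    lowered = text.lower()
    return any(name in lowered for name in SHELL_NAMES)


def analyze(lines):
    """Report every inhumanly fast run with its timing and whether it invokes a shell."""
    events = parse_events(lines)
    report = []
    for start, end in find_injection_runs(events):
        gaps = [events[i][0] - events[i - 1][0] for i in range(start + 1, end + 1)]
        text = typed_text(events, start, end)
        report.append({
            "start": start,
            "end": end,
            "median_gap_ms": median(gaps),
            "text": text,
            "shell": mentions_shell(text),
        })
    return report


if __name__ == "__main__":
    for hit in analyze(SAMPLE_LOG):
        print(f"injection run events {hit['start']}-{hit['end']}: "
              f"median gap {hit['median_gap_ms']} ms, text {hit['text']!r}, "
              f"shell={hit['shell']}")
```

A real sensor would feed live HID events rather than a log, and the run-length rule is what keeps an occasional fast pair of human keystrokes from triggering an alert; the shell check is the second signal the post mentions, so a fast run that also types a shell name is the case to escalate.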

For critical systems that don't require any USB accessories, physical and software-based USB port blockers may help prevent this attack. Of course, ongoing security awareness training should include this type of attack and warn against connecting any strange device to your computer.

FIN7: A History of BadUSB and Social Engineering Attacks

In March 2020, Trustwave SpiderLabs posted a detailed description of how FIN7 allegedly attacks its victims using physical media. Much like the current string of attacks, these past attacks saw the gang allegedly sending an envelope, seemingly from a well-known source such as a retailer, containing a letter, a gift card, and a malicious USB key.

In the original attacks, the letter accompanying the drive would note that the USB drive contains a list of products that can be purchased with the included gift card. However, in the example tested by Trustwave SpiderLabs, the USB device used an Arduino microcontroller (ATMEGA32U4) and was programmed to emulate a USB keyboard. Since PCs trust USB keyboard devices by default, once it is plugged in, the keyboard emulator can automatically inject malicious commands.

The FIN7 BadUSB Attack Flow.

Traditionally, FIN7 sends carefully crafted email messages that appear legitimate to a business’s employees and follows them up with telephone calls intended to legitimize the email. Once an attached file was opened and activated, FIN7 would use an adapted version of the notorious Carbanak malware, in addition to an arsenal of other tools, ultimately to access and steal payment card data belonging to the business’s customers. FIN7 has allegedly sold many of the stolen payment card numbers through online underground marketplaces, according to a U.S. Department of Justice statement.

The gang has been operating since about 2015 and has targeted U.S. companies in the restaurant, gaming, and hospitality industries causing an overall estimated amount of damage of $3 billion, according to the Department of Justice.

The federal government credits FIN7 with successfully breaching the computer networks of businesses in all 50 states and the District of Columbia, stealing more than 20 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations. Additional intrusions occurred abroad, including in the United Kingdom, Australia, and France.

The Department of Justice has arrested and prosecuted several FIN7 gang members. This includes the April 2021 sentencing of Fedir Hladyr, 35, a Ukrainian national who served as a high-level manager and systems administrator for FIN7, to 10 years in prison.
