Security researchers have come across an attack where a USB dongle designed to surreptitiously behave like a keyboard was mailed to a company under the guise of a Best Buy gift card.
This technique has been used by security professionals during physical penetration testing engagements in the past, but it has very rarely been observed in the wild. This time, a known, sophisticated cyber criminal group is likely behind it.
The attack was analysed and disclosed by security researchers from Trustwave SpiderLabs - a Singtel company and the global security arm of Singtel, Optus and NCS - who learned about it from the business associate of one of their team members.
Ziv Mador, vice president of security research at Trustwave SpiderLabs, tells CSO that a US company in the hospitality sector received the USB sometime in mid-February.
The package contained an official-looking letter with Best Buy's logo and other branding elements informing the recipient that they've received a $50 gift card for being a regular customer.
"You can spend it on any product from the list of items presented on a USB stick," the letter read. Fortunately, the USB dongle was never inserted into any computers and was passed along for analysis, because the person who received it had security training.
Researchers traced the USB dongle model to a Taiwanese website where it's being sold for the equivalent of $7 under the name BadUSB Leonardo USB ATMEGA32U4.
In 2014, at the Black Hat USA security conference, a team of researchers from Berlin-based Security Research Labs (SRLabs) demonstrated that the firmware of many USB dongles can be reprogrammed so that, when inserted in a computer, it reports that it's actually a keyboard and starts sending commands that could be used to deploy malware.
The researchers dubbed this attack BadUSB; it is different from simply putting malware on a USB stick and relying on the user to open it.
The Leonardo USB device that Trustwave received and analysed has an Arduino ATMEGA32U4 microcontroller inside that was programmed to act as a virtual keyboard and execute an obfuscated PowerShell script via the command line.
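The defensive counterpart to a keyboard-emulating dongle is to notice that the "keyboard" does not type like a person: a scripted HID payload arrives as a long run of keys a few milliseconds apart with almost no timing variation. The following is an added example written for this article, not code from Trustwave, the device vendor or the page. It assumes an endpoint agent can obtain a stream of keystroke timestamps and characters from an OS keyboard hook (the hook itself is not shown), and the thresholds, the `Keystroke`/`InjectionBurst` types and the sample stream are all constructed for illustration.

```python
"""
Keystroke-injection heuristic (added example, not the page's or any vendor's
code). A dongle that enumerates as a keyboard types its payload with machine
timing: very short, nearly constant gaps between keys, sustained far longer
than a person can. These functions take (timestamp_ms, char) keystroke events,
as an endpoint agent could collect from an OS keyboard hook (assumed, not
shown), and report bursts whose timing exceeds human limits.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Optional

# Thresholds are assumptions for illustration. Fast typists sustain roughly
# 100-120 ms per character; scripted HID payloads are typically a few ms
# apart and almost perfectly regular.
MAX_MACHINE_GAP_MS = 35.0    # a gap at or below this is "too fast for a human"
MAX_MACHINE_JITTER_MS = 5.0  # std-dev of gaps within one burst
MIN_BURST_KEYS = 20          # shorter fast runs (typos, chords) are ignored


@dataclass(frozen=True)
class Keystroke:
    t_ms: float
    char: str


@dataclass(frozen=True)
class InjectionBurst:
    start_ms: float
    end_ms: float
    keys: int
    mean_gap_ms: float
    jitter_ms: float
    text: str  # what the "keyboard" typed, for the analyst


def _score_run(run: List[Keystroke]) -> Optional[InjectionBurst]:
    """Decide whether one run of rapid keys looks machine-typed."""
    if len(run) < MIN_BURST_KEYS:
        return None
    # Holding a key down yields a long, regular run of a single character
    # (OS auto-repeat); that is not injection, so skip it.
    if len({k.char for k in run}) == 1:
        return None
    gaps = [b.t_ms - a.t_ms for a, b in zip(run, run[1:])]
    jitter = pstdev(gaps)
    if jitter > MAX_MACHINE_JITTER_MS:
        return None
    return InjectionBurst(start_ms=run[0].t_ms, end_ms=run[-1].t_ms,
                          keys=len(run), mean_gap_ms=mean(gaps),
                          jitter_ms=jitter, text="".join(k.char for k in run))


def find_injection_bursts(events: List[Keystroke]) -> List[InjectionBurst]:
    """Split the stream into runs separated by gaps <= MAX_MACHINE_GAP_MS and
    keep those long and regular enough to be machine-typed."""
    bursts: List[InjectionBurst] = []
    run: List[Keystroke] = []
    for ev in sorted(events, key=lambda k: k.t_ms):
        if run and ev.t_ms - run[-1].t_ms > MAX_MACHINE_GAP_MS:
            burst = _score_run(run)
            if burst:
                bursts.append(burst)
            run = []
        run.append(ev)
    burst = _score_run(run)  # the stream may end inside a burst
    if burst:
        bursts.append(burst)
    return bursts


# --- constructed sample stream: human typing, then a rogue "keyboard" -----
HUMAN_TEXT = "Dear team, the quarterly numbers are attached."
INJECTED_TEXT = "echo CONSTRUCTED-TEST-PAYLOAD-PLACEHOLDER typed by rogue device"
HUMAN_GAPS_MS = [140.0, 95.0, 210.0, 120.0, 180.0, 88.0, 260.0, 150.0]


def build_sample() -> List[Keystroke]:
    """A person types a sentence, the dongle fires a line at ~8 ms per key,
    then the person types again. All timings and text are constructed."""
    events: List[Keystroke] = []
    t = 0.0
    for i, ch in enumerate(HUMAN_TEXT):
        t += HUMAN_GAPS_MS[i % len(HUMAN_GAPS_MS)]  # irregular human rhythm
        events.append(Keystroke(t, ch))
    t += 1500.0  # pause: the dongle has just been plugged in
    for i, ch in enumerate(INJECTED_TEXT):
        t += 8.0 if i % 2 == 0 else 9.0  # machine timing, sub-ms jitter
        events.append(Keystroke(t, ch))
    t += 2000.0
    for i, ch in enumerate("Regards"):
        t += HUMAN_GAPS_MS[i % len(HUMAN_GAPS_MS)]
        events.append(Keystroke(t, ch))
    return events


if __name__ == "__main__":
    for b in find_injection_bursts(build_sample()):
        print(f"{b.keys} keys in {b.end_ms - b.start_ms:.0f} ms "
              f"(mean gap {b.mean_gap_ms:.1f} ms, jitter {b.jitter_ms:.2f} ms): "
              f"{b.text!r}")
```

In a real deployment the burst text is what an analyst would triage, and the natural response on a flagged burst is to block or disable the offending HID device rather than to inspect the typed content after the fact; the auto-repeat exclusion and the minimum burst length are there to keep ordinary typing from tripping the check.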
"The fact that they are also cheap and readily available to anyone meant that it was just a matter of time to see this technique used by criminals in the wild," the Trustwave researchers said in their report.
"Since USB devices are ubiquitous, used and seen everywhere, some consider them innocuous and safe. Others can be very curious about the contents of an unknown USB device. If this story teaches us anything, it's that one should never trust such a device."
Potential FIN7 connection
Mador tells CSO that his team didn't know who the attackers were, but after seeing the information in Trustwave's report, security researchers Costin Raiu from Kaspersky Lab and Michael Yip commented on Twitter that the malware and infrastructure used match those used by the FIN7 gang.
FIN7, also known as Carbanak, is a financially motivated cyber criminal group that has been targeting US-based companies from the retail, restaurant and hospitality sectors since around 2015.
The group is known for using sophisticated techniques to move laterally inside networks and compromised systems with the goal of stealing payment card information. Researchers from security firm Morphisec estimated in the past that FIN7 members earn around $50 million a month from their activities.
The target in the BadUSB attack was a company from the US hospitality sector, which is in line with FIN7's previous targeting, but while the malware (GRIFFON) and infrastructure match FIN7, Raiu tells CSO that it's the first time he has seen the group use this kind of physical, USB-dongle-based attack vector.
More BadUSB attacks on the way?
Attacks involving USB dongles reprogrammed to act as keyboards have not been used widely until now because they're not very scalable. One such dongle that's popular with penetration testers is the USB Rubber Ducky.
It's made by a company called Hak5 and costs $50, which is not a lot of money for a professional to spend, but adds up quickly if you're an attacker and want to infect many victims, especially since the success rate won't be 100 percent.
However, at $7 apiece (and probably less if bought in large quantities), malicious dongles like the BadUSB Leonardo device make real-world BadUSB attacks much more viable. Attackers don't even have to put in much effort, such as creating custom firmware to convert off-the-shelf, non-malicious USB sticks into malicious ones. They just need to load their custom payload onto a ready-made device and mail it.
Even so, attacks of this type are expected to target a relatively small number of carefully selected companies that attackers have already done some research on. According to Trustwave's Mador, the choice of impersonating Best Buy might not have been an accident. Attackers can use online information to find a company's contractors and suppliers.
Also, in this case, the rogue letter was sent to the business's address, but with senior and other key employees now working from home due to the Covid-19 pandemic the risk is even higher.
At work such letters would probably be received by administrative staff, who might then take the device to the IT or security team if they've been trained properly, so several people might look at the device before it's being used, Mador says.
However, at home there is no security staff and even if the intended recipient received security awareness training at work, the device might be found and used by one of their family members before they have a chance to stop it.
If hackers compromise a device on the victim's home network, they'll eventually succeed in hacking into their work computer as well, which will probably give them access to the company's network or systems via a VPN connection. That's why security professionals are concerned about the forced work-from-home situation that's currently in effect.
"People know by now that they shouldn't click on links or open attachments from unknown or untrusted sources," Mador says. "But when it comes to USB dongles, many still don't use the right judgement."