Social engineering, employee training, and protection, in light of the FBI advisory against BadUSB devices
FIN7, a financially motivated cyber threat group associated with Eastern Europe, has been targeting various US industries with BadUSB devices, according to a new FBI flash alert sent to relevant businesses last week. The devices were mailed via the US Postal Service and UPS, as supposedly originating from Amazon or the US Department of Health and Human Services.
According to Bleeping Computer, which first broke this story, the packages were sent to businesses in the transportation and insurance industries as of August 2021, and to defense firms as of November 2021.
Cybersecurity company Recorded Future explains, that according to the FBI, if recipients plug the USB containing the malware into their computers, then the device would register itself as a keyboard, sending a series of preconfigured automated keystrokes to the computer, which would then run PowerShell commands to download and install various malwares that acted as backdoors.
Depending on recipient’s identity, the malicious packages also contained letters regarding supposed Covid-19 guidelines, fake thank you notes, or counterfeit gift cards.
“Cyber criminals are always on the lookout for new attack vehicles, while cybersecurity products are getting better with a tighter grip on enterprises IT assets, there is one attack vehicle that never fails: humans,” says cybersecurity expert Jessica Amado.
Amado is Head of Cyber Research at Sepio System, an Israeli cybersecurity company which specializes in Rogue Device Mitigation (RDM) and in Zero Trust Hardware Access solutions. She spoke with Cybertech Insider via email earlier this week.
“Social engineering techniques can exploit human greed in the form of free giveaways. Greediness often trumps our cautionary instincts, and when we are presented with a free ‘iPhone charger’ as part of a giveaway, it can be all too tempting to turn down.”
“Responsibility lies on employees. Their role in preventing such attacks highlights the importance of recognizing those engineering techniques,” says Amado, adding that employee awareness is becoming increasingly crucial, as hardware-based attacks are occurring more frequently.
Quoting analytics from the latest Honeywell Forge Industrial Cybersecurity USB Threat Report, Amado says that “In 2020, 37% of threats were designed for USB exploitation, nearly double than in 2019. Furthermore, as USB usage rose by 30% in 2020, and again by 37% in 2021, attackers are more likely to be successful.”
While training is very important, Amaro says it is not the silver bullet. “Even with training, employee negligence is the cause of 62% of cyber incidents, especially since hardware-based social engineering techniques can be extremely deceptive and hard to recognize” she says, recommending an extra layer of protection such as Zero Trust Hardware Access.