Security

Hackers Target US Defense Firms With Malicious USB Packages (bleepingcomputer.com)

The Federal Bureau of Investigation (FBI) warned US companies in a recently updated flash alert that the financially motivated FIN7 cybercriminal group is targeting the US defense industry with packages containing malicious USB devices. BleepingComputer reports: The attackers are mailing packages containing 'BadUSB' or 'Bad Beetle USB' devices with the LilyGO logo, commonly available for sale on the Internet. The packages have been mailed via the United States Postal Service (USPS) and United Parcel Service (UPS) to businesses in the transportation and insurance industries since August 2021 and to defense firms starting in November 2021. FIN7 operators impersonate Amazon and the US Department of Health & Human Services (HHS) to trick the targets into opening the packages and connecting the USB drives to their systems. Since August, reports received by the FBI say that these malicious packages also contain letters about COVID-19 guidelines or counterfeit gift cards and forged thank-you notes, depending on the impersonated entity.

After the targets plug the USB drive into their computers, it automatically registers as a Human Interface Device (HID) Keyboard (allowing it to operate even with removable storage devices toggled off). It then starts injecting keystrokes to install malware payloads on the compromised systems. FIN7's end goal in these attacks is to access the victims' networks and deploy ransomware within a compromised network using various tools, including Metasploit, Cobalt Strike, Carbanak malware, the Griffon backdoor, and PowerShell scripts. [...] Companies can defend against such attacks by allowing their employees to connect only USB devices based on their hardware ID or if they're vetted by their security team.
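The two behaviours in the summary above, a drive that enumerates as a HID keyboard and types a payload, and the suggested defense of admitting only vetted devices by hardware ID, can be sketched as an endpoint policy. What follows is an added example written for this page; it is not code from the BleepingComputer article, the FBI alert, or any device-control product. The vendor/product IDs, serials, allowlist entries and keystroke timestamps are constructed sample data, and the "first keyboard is accepted, later keyboards need a human to confirm" rule and the keystroke-cadence check are illustrative heuristics, not a specification. It goes slightly beyond the text by also flagging the composite storage-plus-keyboard shape and by showing how injected keystrokes differ from human typing in timing.

```python
"""Added example: a toy USB device-control policy plus a keystroke-cadence
check modelled on the BadUSB behaviour described in the article summary.
All device records, allowlist entries and timestamps below are constructed."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# USB interface class codes from the USB class spec:
# 0x03 = Human Interface Device, 0x08 = Mass Storage.
USB_CLASS_HID = 0x03
USB_CLASS_MASS_STORAGE = 0x08
HID_PROTOCOL_KEYBOARD = 0x01  # HID boot-interface protocol: keyboard


@dataclass
class UsbDevice:
    vendor_id: int
    product_id: int
    serial: str
    # (interface class, subclass, protocol) triples as read from the
    # device's interface descriptors during enumeration.
    interfaces: List[Tuple[int, int, int]] = field(default_factory=list)

    def presents_keyboard(self) -> bool:
        return any(cls == USB_CLASS_HID and proto == HID_PROTOCOL_KEYBOARD
                   for cls, _sub, proto in self.interfaces)

    def presents_storage(self) -> bool:
        return any(cls == USB_CLASS_MASS_STORAGE for cls, _sub, _proto in self.interfaces)


# Constructed allowlist of company-issued devices, keyed on VID, PID and serial.
# (Hypothetical IDs; a real list would be exported from the asset inventory.)
ALLOWLIST: Set[Tuple[int, int, str]] = {
    (0x046D, 0xC31C, "KB-0001"),  # issued keyboard
    (0x0781, 0x5583, "SD-0042"),  # issued flash drive
}


def decide(dev: UsbDevice, keyboards_present: int,
           allowlist: Set[Tuple[int, int, str]] = ALLOWLIST) -> str:
    """Return 'allow', 'block' or 'ask' for a newly enumerated device.

    keyboards_present is the number of keyboards already attached; 0 at boot
    with nothing plugged in, so the first keyboard is accepted unprompted."""
    if (dev.vendor_id, dev.product_id, dev.serial) in allowlist:
        return "allow"
    # A 'flash drive' that also offers a keyboard interface is the classic
    # BadUSB shape: block it outright rather than asking.
    if dev.presents_keyboard() and dev.presents_storage():
        return "block"
    # Unknown keyboard: accept only if it is the machine's first one,
    # otherwise a human on the existing keyboard must confirm it.
    if dev.presents_keyboard():
        return "allow" if keyboards_present == 0 else "ask"
    # Unknown non-keyboard devices (plain storage, serial adapters, ...)
    # are blocked by default under an allowlist policy.
    return "block"


def injection_suspected(timestamps_ms: List[int], min_interval_ms: int = 20,
                        run_length: int = 12) -> bool:
    """True if run_length consecutive keystrokes all arrive less than
    min_interval_ms apart. Scripted HID payloads type far faster and more
    evenly than people; thresholds are illustrative and need tuning."""
    fast_intervals = 0
    for earlier, later in zip(timestamps_ms, timestamps_ms[1:]):
        if later - earlier < min_interval_ms:
            fast_intervals += 1
            if fast_intervals >= run_length - 1:
                return True
        else:
            fast_intervals = 0
    return False


# Constructed keystroke streams (milliseconds since the first key-down).
def sample_human_keystrokes() -> List[int]:
    return [i * 150 for i in range(30)]        # ~400 chars/min, plausible typing


def sample_injected_keystrokes() -> List[int]:
    return [i * 5 for i in range(40)]          # 200 keys/s, no human types this


if __name__ == "__main__":
    badusb = UsbDevice(0x1234, 0x5678, "X", [(0x03, 0x01, 0x01), (0x08, 0x06, 0x50)])
    print("mailed drive:", decide(badusb, keyboards_present=1))
    print("injected stream flagged:", injection_suspected(sample_injected_keystrokes()))
    print("human stream flagged:", injection_suspected(sample_human_keystrokes()))
```

Two caveats that apply to the article's advice as well: a BadUSB device can present any vendor ID, product ID and serial it likes, so a VID/PID allowlist only raises the cost for an attacker who has not bothered to find out what the target buys; and the cadence check only helps if it is wired into the input stack and can suspend a device before the payload completes. Both are worth layering on top of the "vetted devices only" rule, not substitutes for it.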

  • There's absolutely NO DEFENSE against a physical USB drive. We should just give up now.

    • by c-A-d ( 77980 )

      Maybe the solution is to be able to enable/disable HID on a per-port basis. Or perhaps, require USB HID devices to be registered with the OS before they can be used as such.

    • I disagree. My company laptop is so locked down that only registered and approved USB devices will be recognized by the operating system and access granted. These approved USB devices are issued by the company. I WILL keep a lookout for these since I work in the targeted industry. Sending e-mail or large zip files to an external address is scrutinized as well.

      Hacking us directly will be difficult.
      • This is good policy. You would have to have access to your USB, clone it, then imitate the Hardware ID to start the process. Also the GoodUSB Linux module can be used to whitelist drivers.
        This attack seems a little expensive and likely had a high-value target like some dumb general. It's called "physical security", dummies. Lucky for the victims the makers didn't add the capacitors for USB Killer, which collects 240 V and then fries the PC's motherboard. But it wasn't outrageously expensive if it was built.
    • by gweihir ( 88907 )

      Of course there is. Current systems just lack them. For example, having to confirm that a new USB device is allowed to send keystrokes is one. Eventually, we will need some way for HIDs to authenticate themselves, but that will take more effort.

      • by Bert64 ( 520050 )

        The problem there is how do you confirm if a new device is able to send input events if you don't already have a working input device with which to issue the confirmation?
        This would only work if you're adding an additional input device to a system which already has one.

        • by gweihir ( 88907 )

          Simple: The first HID gets added without confirmation. Sure, a user can still plug in a BadUSB when not having a keyboard or mouse attached, but you can only do so much to fix user stupidity.

    • Is there any way to force a popup to enable setup of hardware? Also I think we should have data only usb-like devices with their own plug. Don't allow devices, no autorun, no executing programs from it.
  • by hdyoung ( 5182939 ) on Friday January 07, 2022 @07:20PM (#62153943)
    are targeting the frikkin US defense industry? I get that other state espionage agencies are hacking the US defense sector. That's fair game - standard espionage. But ransomware gangs? Holy sheeit, the size of the cojones on those guys. They must need a wheelbarrow just to walk around.
    • Especially considering the US has killed the minor children of suspected terrorists on foreign soil because it thought they might be involved in planning an operation somehow. And that they did this with a drone fired hellfire missile.

      It always struck me as a bit naive for hackers to think the ability to "hack the government" represented some kind of invincibility. It never occurs to them that from the government's point of view, security is a problem solved not by implementing secure practices, but by

      • Yeah. Seems like the entire world is losing its mind. I'm generally an optimist, but so many small and medium-sized countries are gearing up for war... I think 2020-2040 are gonna be way more eventful than 2000-2020. I just hope the big nuclear powers hold on to a shred of sanity. If they don't, we'll set our species back 50-100 years.
  • It is an attack that is difficult to prevent if the company's employees do not have minimal knowledge of computer security; they will easily fall for an attack whose vector is social engineering.
  • What??? (Score:4, Funny)

    by cascadingstylesheet ( 140919 ) on Friday January 07, 2022 @07:41PM (#62154027) Journal
    What is the world coming to, when you can't just auto-execute random software that is mailed to you by strangers?? Sheesh!!
  • by gweihir ( 88907 ) on Friday January 07, 2022 @07:54PM (#62154069)

    Maybe the problem here is not those that mail these things. Seems the IT industry urgently needs a bit more evolutionary pressure to finally get crap like this sorted. Yes, here that means having the user confirm a new keyboard, mouse or other HID. As the typical situation is that this will be an additional keyboard, it should not be much of a problem. (The first HID should just be accepted automatically.) Just turning the functionality that is used for the attack off will not work, as there is no way to identify a legitimate keyboard.

    Eventually, I guess, we will need to have HIDs authenticate themselves.

    • I remember having to keep a PS/2 keyboard around to access the BIOS and change the USB keyboard enabled setting to "true" when building desktop systems at one company I worked for back in the day...

      It was a pain in the ass.

      • You can still get PS/2 adaptors for your USB keyboard.
        • Sure, but having to use a PS/2 keyboard because the system did not accept USB HID until it was manually enabled in the BIOS sucked - which is why systems now accept USB HID by default.

    • Sort of why I keep a USB keyboard around, just so the Mac Minis can be configured to use their Bluetooth keyboard. I also keep a PS/2 keyboard around just in case some machine decides it doesn't want to deal with USB at all before it boots, although as time has gone on, this has become far less of an issue.

    • by test321 ( 8891681 ) on Friday January 07, 2022 @09:42PM (#62154297)

      When BadUSB was first exposed, I added a one-liner udev rule (for Linux) that prevented new keyboards from being added after boot.

      But that's not perfect (if you unplug a legitimate keyboard you can't plug it back until reboot).

      • by gweihir ( 88907 )

        Well, this needs a way to ask the user. It can be "ask only if there is no other HID active".

    • It's an interesting question - how do you "confirm" the new keyboard without using the keyboard? Computers could have a hardware button for that purpose, but that would need to be standard on ALL new computers for it to be useful.

      This particular attack is fixed by only allowing a single keyboard, but it would be easy to just send someone a hacked keyboard claiming to be from the ergonomics group or something.
      • by gweihir ( 88907 )

        The simple approach is that if you go from zero to one HIDs, that one gets added without question. All others then require user confirmation.

        • Which is the first HID to be accepted when rebooting?
          While rebooting is more obvious to the user, it often is ignored or simply accepted as "normal"

          • by gweihir ( 88907 )

            On boot, you simply accept all. Anybody booting with an unknown USB device is screwed already. _That_ attack may only need a conventional memory stick, depending on BIOS settings.

        • You could have a prompt appear on the screen, with a 10 minute timeout to auto install.
    • by AmiMoJo ( 196126 )

      Even that might not be enough. To recognize that it's a keyboard that was just plugged in, the USB stack has to assign an address to the device and read the various descriptors off it. There is potential for exploits.

      Realistically I think all we can do is try to make sure that USB stack is free of bugs and sandboxed (at least the part handling descriptors).

      • by gweihir ( 88907 )

        Even that might not be enough. To recognize that it's a keyboard that was just plugged in, the USB stack has to assign an address to the device and read the various descriptors off it. There is potential for exploits.

        Realistically I think all we can do is try to make sure that USB stack is free of bugs and sandboxed (at least the part handling descriptors).

        That is a different question and one of secure coding. The BadUSB attack works with a completely secure USB stack. You are mixing different problems here, which is not conducive to solving them. Also, sandboxing the USB stack is really the wrong approach. Core drivers need to be secure by themselves and there are enough secure coding techniques to assure that. It just needs people that know what they are doing.

  • CAPTCHA (Score:4, Interesting)

    by PPH ( 736903 ) on Friday January 07, 2022 @09:18PM (#62154255)

    Plug in random USB device that begins emulating a keyboard.

    Popup: "Hello new keyboard. Before we start, would you mind typing in the following string?"

    • Great idea, but one would also need a bypass for devices like a gaming mouse (they declare themselves as keyboards and inject keyboard macro commands).

      • by PPH ( 736903 )

        bypass for devices like a gaming mouse

        Pop up an on-screen keyboard. Mouse-click the CAPTCHA string.

        Of course, all this does is verify that what you have is an actual human interface device. The most devious attack some cybercriminal could devise would be a compromised keyboard or mouse.

  • for operating system vendors to block this sort of automatic install?

  • Just how is checking the hardware id going to achieve anything? It's not like a malicious device designed to simulate a keyboard isn't going to masquerade itself as a known reputable brand of keyboard.
    It's not going to be hard for an attacker to work out what brand or even model of keyboards an organisation uses, and then tailor their devices to simulate them.

  • I always wondered why these weren't a vector for trojan horse attacks.

    In a lot of smaller organizations, branch offices, etc, they are like wire hangers. For every 1 you manage to get rid of, 2 more take their place. A malicious/trojan horse device like this could be shipped anonymously and probably get a reasonable level of use.

    It would require some investment to pull off the device itself, but probably not much if you started with a modified MikroTik platform.

    The whole thing would get you wired access i
