Thursday September 19, 2024

Advisory ID: ngCERT-2022-0063

Summary: Security experts have uncovered a new year scheme employed by a cybercrime group to deliver ransomware to targeted organizations. The group has been mailing out USB thumb drives to many organizations in the hope that recipients will plug them into their PCs and install ransomware on their networks. While businesses are being targeted, criminals could soon begin sending infected USB drives to individuals.

Description: The USB drives carry so-called 'BadUSB' attacks. BadUSB exploits the versatility of the USB standard: an attacker can reprogram a USB drive to emulate a keyboard and issue keystrokes and commands on a computer, install malware before the operating system boots, or spoof a network card and redirect traffic. Numerous attack tools are installed in the process, allowing exploitation of PCs, lateral movement across a network, and installation of additional malware. The tools were used to deploy multiple ransomware strains, including BlackMatter and REvil. This attack has been seen in the US, where the USB drives were sent in the mail through the Postal Service and Parcel Service. One type contained a message impersonating the US Department of Health and Human Services and claimed to be a COVID-19 warning. Other malicious USBs were sent in the post with a gift card claiming to be from Amazon.

Consequences: Successful exploitation will allow the attackers to deploy multiple ransomware strains, steal sensitive information, create new commands on the computer, install different types of malicious software, or redirect traffic.

Impact/Probability: Critical/High

Solution: 1. Don’t insert USB drives from unknown sources, even if they’re addressed to you or your organization.

2. If the USB drive comes from a company or a person you're familiar with and trust, try contacting them to make sure they actually sent you the USB drive.

3. Report any incident of system compromise to ngCERT on for technical assistance.
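For responders who need to triage a received drive, the keyboard and network-card emulation described above is visible in the interface classes a device declares when it enumerates. The following check is an added example, not part of the original advisory; the two descriptor blobs are constructed samples and the function names are hypothetical.

```python
# USB-IF class codes for the interface types the advisory mentions.
HID, MASS_STORAGE, CDC_CONTROL, CDC_DATA = 0x03, 0x08, 0x02, 0x0A
DT_INTERFACE = 0x04  # bDescriptorType of an interface descriptor

# Constructed samples: raw configuration descriptors, not captured from real devices.
PLAIN_DRIVE = bytes.fromhex(
    "09 02 20 00 01 01 00 80 32"   # configuration header, wTotalLength = 32
    "09 04 00 00 02 08 06 50 00"   # interface: mass storage, SCSI, bulk-only
    "07 05 81 02 00 02 00"         # bulk IN endpoint
    "07 05 02 02 00 02 00")        # bulk OUT endpoint
KEYBOARD_STICK = bytes.fromhex(
    "09 02 22 00 01 01 00 a0 32"   # configuration header, wTotalLength = 34
    "09 04 00 00 01 03 01 01 00"   # interface: HID, boot subclass, keyboard
    "09 21 11 01 00 01 22 3f 00"   # HID class descriptor
    "07 05 81 03 08 00 0a")        # interrupt IN endpoint


def interfaces(config: bytes):
    """Walk the descriptor chain; return (class, subclass, protocol) per interface."""
    found, pos = [], 0
    while pos < len(config):
        length = config[pos]  # bLength of the descriptor starting here
        if length < 2 or pos + length > len(config):
            raise ValueError(f"malformed descriptor at offset {pos}")
        if config[pos + 1] == DT_INTERFACE and length >= 9:
            found.append(tuple(config[pos + 5:pos + 8]))
        pos += length
    return found


def assess(config: bytes):
    """Findings for a device that is supposed to be a plain flash drive."""
    ifaces = interfaces(config)
    findings = []
    for cls, sub, proto in ifaces:
        if cls == HID:
            kind = "boot keyboard" if (sub, proto) == (1, 1) else "HID"
            findings.append(f"{kind} interface: device can inject input")
        elif cls in (CDC_CONTROL, CDC_DATA):
            findings.append(f"communications interface (class 0x{cls:02x}): may act as a network card")
    if not any(cls == MASS_STORAGE for cls, _, _ in ifaces):
        findings.append("no mass-storage interface: not a storage device")
    return findings


if __name__ == "__main__":
    for name, blob in (("PLAIN_DRIVE", PLAIN_DRIVE), ("KEYBOARD_STICK", KEYBOARD_STICK)):
        print(name, assess(blob) or "storage only")
```

On Linux the same bytes can be read from `/sys/bus/usb/devices/<device>/descriptors` on an isolated analysis host. The check only covers what a device declares at enumeration, so an empty result does not clear a drive.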

References

https://www.zdnet.com/article/fbi-cybercriminals-are-mailing-out-usb-drives-that-will-install-ransomware/
https://www.bleepingcomputer.com/news/security/fbi-hackers-use-badusb-to-target-defense-firms-with-ransomware/
https://www.idropnews.com/news/fast-tech/be-careful-if-you-get-a-strange-usb-drive-in-the-mail-it-might-be-a-virus/176987/