The FBI has released a warning to US businesses about a cybercriminal group from Eastern Europe that is trying to hack into the networks of US companies by mailing them USB drives loaded with malicious code.
This cybercriminal group, known as FIN7, is based in Eastern Europe, and US officials believe it is responsible for billions of dollars in business and consumer losses in the US and abroad. The Justice Department has blamed FIN7 for stealing millions of credit card numbers in 47 states, and the FBI has been on the group's tail for years.
This highly organized and sophisticated group attempts to infiltrate corporate networks by employing a seemingly old-fashioned, yet remarkably effective, tactic: mailing physical USB drives containing malicious code directly to businesses.
One of the most dangerous threats is a "BadUSB" attack. Plugging in a random USB drive, whether found on the ground or received as a freebie at a conference, poses significant cybersecurity risks. This seemingly innocuous act can lead to severe consequences for your computer and personal or corporate data.
These aren't just regular storage devices; their firmware has been reprogrammed to act as other devices, most commonly a keyboard. When plugged in, the BadUSB instantly mimics typing commands, often at superhuman speed, which can then download malware, install ransomware, steal data, or even grant remote control to attackers. It bypasses typical antivirus scans because it's not a "file" being scanned; it's a device behaving maliciously.
These attacks have been going on for decades, primarily targeting companies in the defense, transportation, finance and insurance sectors. The mailed USB drives are often disguised as legitimate deliveries, arriving via services like the U.S. Postal Service and UPS. Some packages pretend to be from the Department of Health and Human Services (HHS), while others mimic Amazon deliveries, complete with fake "thank you" letters and counterfeit gift cards.
When an unsuspecting employee plugs one of these malicious USB drives into a computer, the device immediately registers itself as a Human Interface Device (HID) keyboard, rather than a storage device. This clever trick allows it to bypass many traditional security measures that block removable storage. Once recognized as a keyboard, the USB drive automatically injects a series of preconfigured keystrokes. These commands then download and install additional malware onto the compromised system, granting the cybercriminals remote access.
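The two host-side signals described above (a "storage" stick that enumerates as a HID keyboard, and keystrokes arriving faster than any person types) can both be checked in software. The following Python script is an added example and is not part of the original post or any FIN7 report. Its input is constructed: udevadm-style property records (the `ID_USB_INTERFACES` key, which on Linux really does encode class/subclass/protocol for each interface) and a list of keystroke timestamps. The vendor/product IDs, the 15 ms interval threshold and the 10-key burst length are assumptions chosen for illustration.

```python
"""Triage newly attached USB devices and keystroke timing for BadUSB behaviour.

Added example, not the article's own code. The udev records and the
keystroke timestamps below are constructed sample data; the thresholds
are illustrative assumptions, not measured values.
"""
import re

# Constructed `udevadm info -q property`-style records for three devices.
# ID_USB_INTERFACES lists one 6-hex-digit triplet per interface:
#   class(2) subclass(2) protocol(2)  e.g. 080650 = mass storage, 030101 = boot keyboard
SAMPLE_UDEV = """
E: ID_VENDOR_ID=0781
E: ID_MODEL_ID=5567
E: ID_USB_INTERFACES=:080650:

E: ID_VENDOR_ID=1234
E: ID_MODEL_ID=abcd
E: ID_USB_INTERFACES=:080650:030101:

E: ID_VENDOR_ID=0000
E: ID_MODEL_ID=0001
E: ID_USB_INTERFACES=:030101:
"""

# Constructed keystroke timestamps (seconds): 20 human keystrokes at ~8 keys/s,
# then 40 injected keystrokes at 200 keys/s, which is the "superhuman speed" tell.
HUMAN_KEYS = [round(k * 0.12, 3) for k in range(20)]
INJECTED_KEYS = [5.0 + k * 0.005 for k in range(40)]
SAMPLE_KEYSTROKES = HUMAN_KEYS + INJECTED_KEYS


def parse_udev_records(text):
    """Split blank-line-separated udev property dumps into dicts of KEY -> VALUE."""
    devices = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        props = {}
        for line in chunk.splitlines():
            m = re.match(r"E:\s*([A-Z0-9_]+)=(.*)$", line.strip())
            if m:
                props[m.group(1)] = m.group(2)
        if props:
            devices.append(props)
    return devices


def interface_triplets(props):
    """Return [(class, subclass, protocol), ...] parsed from ID_USB_INTERFACES."""
    raw = props.get("ID_USB_INTERFACES", "")
    return [(t[0:2], t[2:4], t[4:6]) for t in raw.split(":") if len(t) == 6]


def assess_device(props):
    """Classify one device: 'high' (storage + keyboard), 'review' (keyboard), or 'ok'.

    Caveat: only the USB boot-protocol keyboard triplet (03/01/01) is matched here.
    A HID device using a vendor report descriptor (03/00/00) can still type, so a
    production policy should also look at the HID report descriptor or simply
    require approval for every new HID device.
    """
    triplets = interface_triplets(props)
    has_keyboard = any(c == "03" and p == "01" for c, _, p in triplets)
    has_storage = any(c == "08" for c, _, _ in triplets)
    ident = f"{props.get('ID_VENDOR_ID', '?')}:{props.get('ID_MODEL_ID', '?')}"
    if has_keyboard and has_storage:
        return ("high", f"{ident} exposes both mass storage and a keyboard (BadUSB pattern)")
    if has_keyboard:
        return ("review", f"{ident} is a new keyboard; confirm a person plugged it in")
    return ("ok", f"{ident} has no keyboard interface")


def injection_bursts(timestamps, max_interval=0.015, min_keys=10):
    """Find runs of at least `min_keys` keystrokes whose gaps are all <= max_interval.

    Returns a list of (start_index, length). Human typing rarely sustains gaps
    under ~50 ms, so a long run below 15 ms (assumed threshold) is a strong
    indicator of scripted keystroke injection.
    """
    bursts = []
    run_start = 0
    for i in range(1, len(timestamps) + 1):
        if i == len(timestamps) or timestamps[i] - timestamps[i - 1] > max_interval:
            length = i - run_start
            if length >= min_keys:
                bursts.append((run_start, length))
            run_start = i
    return bursts


def triage(udev_text, keystrokes):
    """Combine both checks into a list of (severity, message) findings."""
    findings = [assess_device(d) for d in parse_udev_records(udev_text)]
    for start, length in injection_bursts(keystrokes):
        findings.append(("high", f"{length} keystrokes injected in a burst starting at event {start}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_UDEV, SAMPLE_KEYSTROKES):
        print(f"[{severity:6}] {message}")
```

On a real host the udev records would come from a device-add event hook and the timestamps from the input subsystem; the point of the two checks is that neither depends on scanning a file, which is exactly why file-based antivirus misses this class of device.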
FIN7's ultimate goal is to gain a foothold within the victim's network, escalate privileges, and then, using the backdoor access it has gained, deploy ransomware to achieve its objectives. The success of this method hinges on human curiosity and the deceptive nature of the packages, making it particularly dangerous in environments where employees are not rigorously trained on physical media security.
The FBI emphasizes that even a non-administrative account compromise can lead to significant breaches, as the attackers can then conduct reconnaissance and move laterally within the network to gain access to more critical systems. This resurgence of physical media attacks highlights the evolving tactics of cybercriminals and the need for businesses to educate their employees on the dangers of plugging in any unsolicited external devices.
Steps To Protect Yourself and Your Company Data
Thankfully, there are a number of steps you can take to protect yourself and your company's data. Here are some tips:
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.