Let’s continue to discuss malware during Cybersecurity Awareness Month, and we’ll refer to the video series we looked at previously at https://staysafeonline.org/resource/security-awareness-episodes/, specifically Episode 5: Removable Media, if you’ve not watched it already.
Research, and describe, a news article describing a publicly-disclosed breach that can be tied to the use of removable media as the entry.
Also, for “bonus points”, what other security errors do you see in this episode? (https://staysafeonline.org/blog/security-best-practices-for-removable-media-and-devices/)
Title: FBI: Hackers Sending Malicious USB Drives & Teddy Bears via USPS
URL: https://www.bleepingcomputer.com/news/security/fbi-hackers-sending-malicious-usb-drives-and-teddy-bears-via-usps/
A hacker group called FIN7 has been sending malicious USB drives to various businesses such as restaurants, hotels, and retail stores via the United States Postal Service. These USB devices were sometimes accompanied by a gift such as a $50 gift card to Best Buy, with a letter mentioning that the qualifying items that could be purchased with the gift card were on the USB drive. Once the USB was plugged into the computer, it would be recognized as a keyboard and then execute a PowerShell command which would reach out to domains/IP addresses located in Russia to download a second PowerShell script that would install malware. This was a sophisticated attack that used multiple tools to complete its task, such as Metasploit, Cobalt Strike, PowerShell, a cheap USB device, and more, to ultimately create a backdoor in the systems.
In the episode “Removable Media”, the employee should not have plugged the USB device he found outside into his work computer, especially if the computer is connected to the network. Also, after the malware installed and began infecting other machines in the office, the employee should have given the USB to the IT department and not have just left it on his co-worker’s desk to pass the blame and possibly be unknowingly plugged in again.
Hi,
Nice summary – after working with Metasploit this week as our only tool for engagement I thought about how I would use it in a real scenario. I think your article demonstrates that you really need a variety of tools to perform a complicated attack like this, and it really takes some clever engineering to create a malicious orchestration.
Pretty clever for FIN7 to bait victims by saying that the list of rewards is on the USB drive. I think most people would fall for this because who doesn’t like “free” things. Another common theme I have been seeing is that Russia is often the source of many cyber attacks. Similarly, in the article I wrote about this week about the DoD, they believe Russia was behind their attack as well.
Hi Anthony,
This attack seems to have some aspects of social engineering in the beginning. The gift and letter try to change the behavior of the victim by making them want free items and getting them to plug in the USB drive.
Absolutely, and already having the physical “gift” in-hand likely made this mail feel more like a legitimate promotion. Many people have been trained to look out for phishing emails that offer things that sound too good to be true but I haven’t heard of many trainings teaching people to look out for unusual physical mail.
This definitely comes up as a simple attack with a very sophisticated back-end. An unsuspecting employee will be more than happy to find out what is on the USB with such an enticing offer included. The fact that we generally do not expect such bait tactics from hackers leads to them having more success in an attack of this kind.
Hi Nicholas,
I glanced through the other posts before I wrote about mine, which was the Best Buy $50 gift card scam – apologies for writing about the same topic, but I found it fascinating. I, personally, would either immediately throw the item out or I would call or go to Best Buy and inquire to ensure its authenticity. If something appears too good to be true, it probably isn’t, especially in today’s world!
Out of curiosity, I conducted additional research on the FIN7 cybercrime gang and learned that four “alleged” members of the group have been arrested in the last few years:
In May 2020, Ukrainian national Denys Iarmak was extradited from Thailand and arrested in Seattle. He was charged with multiple criminal counts, including wire fraud; conspiracy to commit computer hacking; conspiracy to commit wire and bank fraud; three counts of aggravated identity theft; three counts of accessing a protected computer in furtherance of fraud; three counts of intentional damage to a protected computer; and access device fraud and forfeiture allegations.
In 2018, three high-ranking Ukrainian national “alleged” members of the group – Dmytro Federov, Fedir Hladyr and Andrii Kolpakov – were arrested and charged with 26 felony counts alleging conspiracy, wire fraud, computer hacking, access device fraud, and aggravated identity theft. While Hladyr entered into a plea deal on September 11, 2019 and is scheduled to be sentenced on December 11, 2020, trials for the remaining three defendants are ongoing.
https://www.bankinfosecurity.com/another-alleged-fin7-cybercrime-gang-member-arrested-a-14345
Malicious USB Drives Infect 35,000 Computers With Crypto-Mining Botnet
URL: https://thehackernews.com/2020/04/usb-drive-botnet-malware.html
The botnet, named “VictoryGate,” has been widely used in Latin America since 2019. Attackers use it to infect victims’ devices to mine Monero cryptocurrency. The VictoryGate can spread via USB. Once the victim connects the USB containing this malware to his device, this malicious device will install the malicious payload into the system. Also, this module is connected with the C2 server. It receives another load, to inject arbitrary code into legitimate Windows processes. Compared with other attacks, the VictoryGate has another characteristic. It pays great attention to concealing itself, which makes it more difficult for people to discover it. Moreover, the attacker can change the payloads at any time through the C2 server to achieve different kinds of attacks, which is extremely destructive.
For Episode 5: Removable Media, the employee’s computer is set to automatically run the connected USB device and did not scan it for viruses. Prohibiting the automatic operation of connected USB devices and performing virus scanning on any connected USB device can effectively stop the infection.
Hi Zhuofu,
Thank you for sharing this article; it was interesting. This seems like a very sophisticated malware, to constantly scan the infected machine looking for newly connected USB drives and then replace the files on the drive with the malware.
https://www.welivesecurity.com/2020/04/23/eset-discovery-monero-mining-botnet-disrupted/
Hi Nicholas,
Yeah, this self-proliferation behavior is indeed a headache. If the victim does not notice it, it will spread at an alarming rate. People really need to do a virus scan of the USB drive before they launch it!
This attack is so sophisticated that this possibility probably never crossed the minds of the victims. I could definitely see myself trusting my own USB drive after only plugging it into a friend’s or colleague’s computer! I wonder if they considered that in a social engineering sense when building this attack.
Hi,
As I read this I thought wow, that is actually pretty cool, too bad it’s malicious! After completing this week’s assignment with Metasploit I had a lot of trial and error trying to get my simple payload to work. This attack is really complex and honestly quite impressive – I can’t help but wonder how an attack like this gets constructed or designed.
Seriously, I had a ton of issues at first too. I could not imagine how sophisticated it is to design malware to take control of a network or even hide itself from AV and other intrusion detection systems.
As cryptocurrency slowly becomes more popular, it seems that more and more attackers revolve around compromising a host to mine some currency to make a quick buck. Security controls need to be ensured when it comes to USB attacks. They can easily be prevented if employees stop plugging unknown hardware into their company’s network!
Hi Zhuofu,
I was curious about how this botnet was discovered so I did some digging and located an article from ESET. There wasn’t much additional information, which I guess makes sense since the researchers don’t want to give away their “tricks of the trade.”
One of the investigators did warn about the impact of the botnet on victims’ machines, stating “There is very high resource usage by the botnet, resulting in a constant 90% to 99% CPU load. This slows down the device and can cause overheating and possible damage.”
ESET also offered a free online scanner designed to detect this malware at the following site: https://www.eset.com/int/home/online-scanner/ . Still deciding whether I will give it a go!
Vishwanath Akuthota, a former student at the College of St. Rose located in New York, was responsible for a USB cyber/physical attack that resulted in $51,109 in computer damages and over $7,000 in remediation efforts. In this attack “the USB stick contained a capacitor that stored electricity then rapidly discharged it into a USB port, damaging or destroying the host computer” (Dark Reading, 2019). In class we talked about how malware can target various levels of the operating system and even corrupt hardware. Most often malware is attempting to obtain classified, sensitive or PII data. In this case, the goal was outright destruction. With hacker-for-hire groups, this type of attack method paired with social engineering could be devastating for a business competitor if an attacker could trick an employee into using a malicious USB drive such as this.
https://www.darkreading.com/attacks-breaches/former-student-admits-to-usb-killer-attack/d/d-id/1334469
The security errors in this week’s video directly play into the article I shared and the potential damage a careless employee could cause. In this case the user connects the USB device using the company network, which creates a worm-like effect on all computers in the domain, and instead of taking ownership he leaves the device on another coworker’s desk to potentially replicate the attack again if the other coworker is equally as careless.
Hi Kelly,
Thanks for sharing.
This kind of attack does not ask for a reward; it seems that Vishwanath preferred to “show off” his skills. Compared with a ransomware attack, this kind of attack is more devastating, because the original intention of the design is to damage the device.
Hi Zhuofu,
I would agree with your comment about Vishwanath wanting to “show off” his skills. It was self-incrimination since he video recorded himself and most likely wanted to show the video to a group of people. I wonder what his intent was, as he only destroyed one computer.
In addition to showing off his skills I wonder if this destruction of the college’s computers was a result of Vishwanath being angry with the college. Another article mentioned the former student graduated from the college back in 2017 and also videotaped himself destroying the computers with the USB drive.
https://www.zdnet.com/article/former-student-destroys-59-university-computers-using-usb-killer-device/
Hi Kelly,
“Revenge is a dish best served cold.”
My first thought when reading this interesting article was that Vishwanath Akuthota acted out of revenge, rather than pride. A related article reported that Akuthota, who graduated from The College of Saint Rose in Albany, NY with an MBA in 2017, originally pled not guilty to intentionally damaging 59 Windows workstations and seven Apple iMacs at his alma mater. The attack was carried out on February 14, 2019, which is an interesting choice of dates – Valentine’s Day – that could provide insight into his vengeful motivation.
The article went on to state: “The defendant, using his personal iPhone, recorded himself inserting the ‘USB Killer’ device into computers and other hardware owned by the college, and making statements including, ‘I’m going to kill this guy,’ then inserting the ‘USB Killer’ device into a USB port, and – after destroying the host device – stating ‘it’s dead’, and, in another instance, ‘it’s gone. Boom.’”
Akuthota changed his plea to guilty when faced with evidence from the Albany police department, including campus security cameras that captured him in the act. Akuthota was sentenced to 12 months in prison on August 13, 2019, to be followed by 1 year of supervised release, and he was ordered to pay restitution in the amount of $58,471.
https://nakedsecurity.sophos.com/2019/04/24/killer-usb-key-fries-66-machines/
https://www.justice.gov/usao-ndny/pr/former-student-sentenced-destroying-computers-college-st-rose#:~:text=ALBANY%2C%20NEW%20YORK%20%2D%20Vishwanath%20Akuthota,in%20the%20amount%20of%20%2458%2C471.
https://portswigger.net/daily-swig/usb-phishing-attack-baits-victims-with-50-gift-card
Cybercrooks recently mimicked the notorious Rubber Ducky keystroke injection attack with a new twist. Victims received letters – “supposedly” from Best Buy – that included a $50 gift card and a thumb drive that “supposedly” contained offers for redeemable products. Once plugged in, the device emulates a USB keyboard that establishes a connection to the command and control system controlled by the cybercriminals. First, intelligence is gathered (including usernames, user system privileges, and OS serial numbers), after which the cybercriminals drop the best type of malware based on the information gathered. This occurs without the victim’s knowledge since PCs trust USB keyboard devices by default.
A Senior Security Research Manager at Trustwave stated that the attack was targeted against a US-Based hospitality company – probably by the FIN7 threat group (whose main objective is to obtain financial gain directly from their campaigns). Other researchers stated that it was a matter of time before such techniques were used since the thumb drives are “cheap and readily available to anyone” but that attacks of this nature are typically targeted.
The moral of the story is “Never plug in a random device into your computer.”
People love free stuff. I remember when the band Nine Inch Nails released an album by dropping a legitimate USB device in a Lisbon bathroom. It’s a bit of Russian roulette to pick up and plug in an unknown USB device. You could find something interesting – or it could destroy your machine. This type of attack does a great job of exploiting human weakness for temptation. https://www.spin.com/2013/06/publicity-stunts-kanye-west-jay-z-michael-jackson-daft-punk/130626-nin/
I find USB drive related hacks so interesting because they are sophisticated hacks that aren’t necessarily difficult to take advantage of if you have the knowledge to develop one. I think across the board end users are so unaware of the risk around plugging in these drives that you could get almost anyone to plug an infected device into their machine. I can only speak for myself, but up until probably five or so years ago I could have easily fallen victim to an attack such as this. The only reason I wouldn’t now is because of my experience in IT risk.
Not a recent article, but in 2008, the United States Department of Defense faced the “worst breach of U.S. military computers in history”. The cyberattack is known as “Operation Buckshot Yankee”. An infected USB drive was left in the parking lot at a military base in the Middle East. The flash drive was used, infecting the DoD’s network with a worm called “Agent.btz”. Soon the virus spread throughout the classified and unclassified systems and networks. The attacker had access to all the data on any of the servers at this point. Overall, it took the DoD 14 months to completely remove the virus from its systems. Immediately after, the DoD banned the use of USB drives.
URL: https://www.wearethemighty.com/history/worst-cyber-attack-usb?rebelltitem=2#rebelltitem2
The security errors I see are that the employee picked up a randomly found USB and connected it to the organization’s computer network. I think he could have tried to unplug it when he saw something was being downloaded, even though it was probably too late. Lastly, he didn’t report the security incident and left the drive on someone’s desk to find once they got back.
Other than the potential catastrophic exposure the DoD had, this was definitely one costly IT security lesson to the department. At times all it takes is a curious employee inadvertently infecting the entire system.
The entire event is a national security concern. If classified information was exposed, it would put the entire country at risk. This is a case where even the most secure systems are susceptible to cyber attacks and reminds us that humans will always be the weakest link in the security chain.
Exactly, I just read this article where the US National Guard was called into Louisiana to thwart a cyber attack. I don’t think the average person understands that we are already in an active cyber war every day.
https://www.dailymail.co.uk/news/article-8872839/National-Guard-called-thwart-cyberattack-Louisiana-weeks-election.html
This was definitely a costly lesson for the Department of Defense. Possibly disabling the USB ports on government machines and using better defense in depth strategies like segmenting the classified and unclassified networks would help stop any future attacks.
Additionally, it sounds like they would have benefitted from some basic cyber security training for those with access to computers. If they weren’t cautious with stray flash drives, they may be unintentionally taking risks elsewhere.
Apple hit with a Second Wave of Notarized Malware
Apple confirmed the discovery of six new apps that passed the app notarization process, posing as Flash Installers. When downloaded, the apps would then install the OSX/MacOffers adware, known for modifying the search engine in the victim’s browser. All six apps got de-notarized and the developer license revoked. Users were advised not to download/install Flash installers especially due to the impending end-of-life of the flash player.
The first wave of malware notarization involved the OSX/Bundlore and OSX/Shlayer families of malware. Unsurprisingly, it still involved the download of Flash Player as a gateway to infect a victim’s computer. There was a total of about 40 malware apps that got notarized in the first wave.
https://www.zdnet.com/article/apple-notarizes-six-malicious-apps-posing-as-flash-installers/?&web_view=true
Hi Humbert,
Thank you for posting this article. I thought it would be interesting to learn more about the first wave. In the August 31, 2020 article titled Apple Approved Malware Hits macOS “For The First Time” author Kate O’Flaherty reported that a security researcher discovered that Apple’s notarization process, which was intended to mitigate the growing amount of malware targeting Apple’s operating system, could be bypassed by new and improved adware. The article went on to explain that although adware does not seem “as scary as other malware” it can still be very dangerous. Another security researcher stated “They (adware) can intercept and decrypt all network traffic, create hidden users with static passwords, make insecure changes to system settings, and generally dig their roots deep into the system so that it is incredibly challenging to eradicate completely.”
It was determined that malicious payloads submitted to Apple were not detected during the notarization process. The payloads appeared to be the insidious, evolving OSX.Shlayer malware, whose goal is to download and persistently install macOS adware. After being informed of this discovery, Apple quickly revoked the certificates and rescinded their notarization status so malicious payloads would no longer run on macOS.
Apple then sent the following email to the first researcher: “Malicious software constantly changes, and Apple’s notarization system helps us keep malware off the Mac and allows us to respond quickly when it’s discovered. Upon learning of this adware, we revoked the identified variant, disabled the developer account, and revoked the associated certificates. We thank the researchers for their assistance in keeping our users safe.”
An Immersive Labs application security lead, who also contributed to this article, stated “…it’s also true to say you are your own best defense. Always check what you download, ensure you trust it, and try to only install apps that you need.”
https://www.forbes.com/sites/kateoflahertyuk/2020/08/31/apple-approved-malware-hits-macos-for-the-first-time/#3ef588194a2c
End-users are so vulnerable in situations like these. It’s great to have processes like app notarization in place to catch most malicious apps but users often assume that these processes guarantee security and completely let their guard down.
In addition to the fact that Dave plugged a thumb drive of unknown origin into his laptop, other security errors that I noted during the video were:
– It did not appear that Dave had to enter a username and/or password when he plugged his laptop into the docking station; therefore, he didn’t authenticate himself before accessing the network.
– Dave also failed to safely eject the thumb drive from his laptop.
– Other users’ screens were plainly visible – screen guards would potentially protect them from shoulder surfing.
Yujing Zhang of China was arrested by the U.S. Secret Service in February 2019 when she attempted to sneak into one of Donald Trump’s private resorts. She had a handful of devices including a flash drive. One of the Secret Service agents plugged the flash drive into his work computer, which was not isolated from the rest of the network. The agent’s computer began automatically installing files. The agent panicked and pulled the flash drive out.
I was incredibly surprised to read that a secret service agent would make a mistake like this. Other agents pointed to the fact that tensions may have been high in the interrogation and the agent who made the mistake may have been stressed. Articles like these continue to highlight the importance of remaining calm and thinking before acting.
https://techcrunch.com/2019/04/08/secret-service-mar-a-lago/
In the video “Security Best Practices for Removable Media and Devices”, the main character picks up a USB drive outside of his office building and plugs it into his computer. He should have picked up the flash drive and immediately taken it to IT security. When he failed to do this and plugged the flash drive into his computer, he should have turned the drive in immediately after and reported the situation to the IT security team instead of framing a colleague and walking away. Additionally, it does not appear that he has a password set up for his work laptop, and almost all of his colleagues are away from their desks with their computers unlocked/logged in. If a malicious actor were to gain access to this office or if a rogue employee wanted to, they could infect or steal information from multiple computers.
We helped facilitate a penetration test at our organization last year and one of the test steps involved scattering roughly 6 “infected” USB drives throughout just our IT department. As a result, it was noted that a senior member of our database team plugged 3 of the USB drives into their computers. It truly blew my mind because it wasn’t someone from accounting or actuarial – it was one of our IT people who, in my opinion, really should have known better.
https://www.zdnet.com/article/transparent-tribe-hacking-group-spreads-malware-by-infecting-usb-devices/
This article isn’t necessarily related to a specific breach, but it does describe USBWorm, which is a USB attack tool used by the Transparent Tribe attack group against government and military personnel. The attack tool is made up of two main components: a file stealer for removable drives and a worm feature for jumping to new, vulnerable machines. The article writes, “If a USB drive is connected to an infected PC, a copy of the Trojan is quietly installed on the removable drive. The malware will list all directories on a drive and then a copy of the Trojan is buried in the root drive directory. The directory attribute is then changed to ‘hidden’ and a fake Windows directory icon is used to lure victims into clicking on and executing the payload when they attempt to access directories.”
“New USBCulprit Espionage Tool Steals Data From Air-Gapped Computers”
https://thehackernews.com/2020/06/air-gap-malware-usbculprit.html
According to research published by Kaspersky on June 3rd, new malware from the long-established Chinese APT Cycldek was caught.
Researchers mentioned that, based on their findings, the new malware from Cycldek was dubbed USBCulprit. This malware is so named because it depends on USB media to steal data. This can be mapped to the malware’s ability to target air-gapped systems as well.
They analyzed a NewCore RAT found in these attacks and detected two variants of the malware, which they named BlueCore and RedCore, that formed two clusters of activity.
Despite the differences in the functionalities and the C&C servers, both possessed some similarities, such as using USBCulprit – a previously unreported espionage tool. USBCulprit can scan paths in target devices, steal files with specified extensions, and move them to USB drives when connected.
——————————————————————————————————-
The main security issues that I encountered in the video are as below:
1- Connecting removable hardware from an unknown source to a network with sensitive information.
2- Inadequate security training and awareness for employees.
3- Not having mandatory hardware scanning, such as antivirus software, installed on the machines in the network.
https://latesthackingnews.com/2020/07/07/try2cry-ransomware-targets-windows-systems-as-it-spreads-via-usb-flash-drives/
Sharing the analysis in a post, the researcher Karsten Hahn revealed that the malware is a variant of Stupid ransomware.
It reaches target devices via infected USB flash drives or via Windows shortcut (.lnk) files.
It scans for removable drives and places a copy of itself as ‘Update.exe’ in the root folder of the device. It then hides all original files replacing them with non-original Windows Shortcut files bearing the same icons.
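A defender-side check for the lure that both USBWorm (described earlier in the thread) and Try2Cry leave on a removable drive, as an added example that is not code from this thread or from the researchers it cites: it walks a mounted drive, flags executables sitting in the drive root (like Try2Cry’s Update.exe) and shortcut files that shadow a same-named sibling file or folder, and builds a constructed sample layout so it runs offline. The payload extension list and the dot-prefix fallback for “hidden” on non-Windows systems are assumptions.

```python
"""Scan a mounted removable drive for the file-replacement lure left by USB worms
such as USBWorm and Try2Cry: a payload executable dropped in the drive root, and
.lnk shortcuts whose names mirror a sibling file or directory the worm has hidden.
Added example, not code from the thread or the cited researchers; the sample
drive layout below is constructed for the demo."""
import os
import stat
import tempfile
from pathlib import Path

# Extensions a dropped payload usually carries (assumption); Try2Cry's "Update.exe" is one.
PAYLOAD_SUFFIXES = {".exe", ".scr", ".com", ".bat", ".vbs", ".js"}


def is_hidden(path: Path) -> bool:
    """Windows hidden attribute where the platform exposes it; on other systems a
    dot-prefix stands in for it (assumption, used only to enrich the finding)."""
    st = path.stat()
    if hasattr(st, "st_file_attributes"):
        return bool(st.st_file_attributes & stat.FILE_ATTRIBUTE_HIDDEN)
    return path.name.startswith(".")


def scan_drive(root) -> list:
    """Return (finding, path relative to the drive, sibling_is_hidden) tuples."""
    root = Path(root)
    findings = []
    # 1. Payload executables sitting directly in the drive root.
    for entry in root.iterdir():
        if entry.is_file() and entry.suffix.lower() in PAYLOAD_SUFFIXES:
            findings.append(("root-executable", entry.name, False))
    # 2. Shortcut files that shadow a same-named sibling: "Documents.lnk" next to a
    #    "Documents" folder, or "report.docx.lnk" next to "report.docx".
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        siblings = set(dirnames) | set(filenames)
        for name in filenames:
            if not name.lower().endswith(".lnk"):
                continue
            stem = name[:-4]
            if stem in siblings:
                rel = (here / name).relative_to(root).as_posix()
                findings.append(("lnk-shadows-sibling", rel, is_hidden(here / stem)))
    return findings


def build_sample_drive() -> Path:
    """Construct a throwaway directory laid out like an infected USB stick."""
    root = Path(tempfile.mkdtemp(prefix="usb_demo_"))
    (root / "readme.txt").write_text("benign file\n")
    (root / "Update.exe").write_bytes(b"MZ" + b"\0" * 14)  # stand-in bytes, not a real PE
    docs = root / "Documents"
    docs.mkdir()
    (docs / "budget.xlsx").write_bytes(b"")
    (root / "Documents.lnk").write_bytes(b"L\0\0\0")  # shortcut posing as the folder
    photos = root / "Photos"
    photos.mkdir()
    (photos / "holiday.jpg").write_bytes(b"")
    (photos / "holiday.jpg.lnk").write_bytes(b"L\0\0\0")  # shortcut posing as the photo
    return root


if __name__ == "__main__":
    for finding in scan_drive(build_sample_drive()):
        print(finding)
```

Point `scan_drive` at the mount point of a real stick (for example `E:\` or `/media/usb`) to check it before opening anything on it; shortcuts shadowing a hidden sibling are the strongest signal.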