The dangers of USB flash drives have long been documented, and recent history is littered with stories of how the ubiquitous USB flash drive has wreaked havoc in organizations around the world. The most famous of these attacks was when a USB flash drive was used to infect Iran’s Natanz nuclear plant with the Stuxnet virus, setting back the country’s nuclear capabilities by at least 10 years.
That hasn’t been the only high-profile USB flash drive attack, though. Consider these three:
- In 2019, a former student at The College of Saint Rose in Albany, New York, pled guilty to destroying more than 50 computers with a plug-in USB device called the USB Killer.
- Security company Kaspersky says crooks secretly planted USB devices on computers at big European banks in 2017 and 2018, causing millions of dollars in damages.
- In 2008, an infected flash drive was plugged into a US military laptop in the Middle East and established “a digital beachhead” for a foreign intelligence agency. The malicious code on the drive spread undetected on both classified and unclassified systems, enabling data to be transferred to servers under foreign control.
The Latest USB Flash Drive Attack
Most recently, in the four-month span of August to November, the FBI reported that a proliferation of companies had received fake packages from the U.S. Department of Health and Human Services (HHS) and Amazon that included malicious USB flash drives. The packages, which targeted transportation, defense, and insurance companies, have been traced to the Eastern European cybercriminal group, FIN7.
The enclosed USB flash drives were loaded with malicious software that could have given the cybercriminals network access for the purpose of deploying ransomware.
“There are two variations of packages,” the FBI said. “Those imitating HHS are often accompanied by letters referencing COVID-19 guidelines enclosed with a USB; and those imitating Amazon arrived in a decorative gift box containing a fraudulent thank you letter, counterfeit gift card, and a USB.” In both cases, the packages contained LilyGO-branded USB devices.
It was not disclosed whether any of the firms were compromised in the incidents.
The FBI has pursued FIN7 for years, blaming this cybercrime operation for billions of dollars in losses to consumers and businesses in the U.S. and abroad. According to the U.S. Department of Justice, FIN7 has stolen millions of credit card numbers from restaurant and hospitality chains in 47 states.
How to Protect Your Company
Thumb-sized USB flash drives are so prevalent today that most of us don’t give them a second thought – which is part of the problem. We borrow them from colleagues, receive them from vendors, and likely have a collection of them in our desk drawers. These devices are small, cheap, and can store as much as 128 gigabytes of data.
They are the perfect weapon for cyberattacks and the weapon of choice of many cyberattackers, including FIN7. So, to defend yourself against USB drop attacks, heed the following:
- Physically block computer ports with USB port locks, which cost as little as four bucks each, to avoid attack.
- Institute policies about what can and cannot be plugged into company computers and educate staff accordingly.
- Restrict the type of USB device authorized on a computer using Windows or a USB kill code to defend against unauthorized access.
- Keep your security policies and patches up to date.
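The device-restriction and policy items above can be checked with a default-deny allowlist audit. This is an added example, not from the original article, and it is platform-neutral rather than Windows-specific. The CSV inventory format, the allowlist, and every vendor/product ID in it are constructed assumptions; only the USB class codes are real.

```python
import csv
import io

# USB-IF base class codes (from the USB specification).
CLASS_NAMES = {0x03: "HID", 0x08: "mass storage", 0x09: "hub"}

# Hypothetical allowlist with constructed IDs:
# (vendor ID, product ID) -> interface classes that model is expected to expose.
ALLOWLIST = {
    ("0a11", "0001"): {0x03},  # approved keyboard model
    ("0b22", "0002"): {0x08},  # approved flash drive model
}

# Constructed inventory export: host, vendor ID, product ID, interface classes.
SAMPLE_INVENTORY = """host,vid,pid,classes
ws-014,0A11,0001,03
ws-014,0b22,0002,08
ws-022,0b22,0002,08;03
ws-031,0c33,0003,03
ws-040,0b22,zzzz,08
"""

def audit(inventory_csv, allowlist=ALLOWLIST):
    """Return (host, device, reason) for every device the policy would not authorize."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        device = f"{row['vid']}:{row['pid']}".lower()
        try:
            key = (f"{int(row['vid'], 16):04x}", f"{int(row['pid'], 16):04x}")
            classes = {int(c, 16) for c in row["classes"].split(";")}
        except (ValueError, TypeError, AttributeError):
            # Malformed rows are reported, not skipped, so gaps stay visible.
            findings.append((row["host"], device, "unparseable record"))
            continue
        if key not in allowlist:
            findings.append((row["host"], device, "not on allowlist"))
            continue
        # An approved model that exposes an extra interface class is also flagged.
        extra = sorted(classes - allowlist[key])
        if extra:
            names = ", ".join(CLASS_NAMES.get(c, f"0x{c:02x}") for c in extra)
            findings.append((row["host"], device, f"unexpected interface class: {names}"))
    return findings

if __name__ == "__main__":
    for host, device, reason in audit(SAMPLE_INVENTORY):
        print(f"{host}  {device}  {reason}")
```

Checking the interface classes as well as the IDs catches a device that matches an approved model's IDs but also presents itself as a different type of device.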