We have all been told not to take candy from strangers. The FBI is warning not to take USBs from them either. The FBI recently warned that a new campaign targeting businesses comes from the infamous FIN7, or Carbanak, group. Also known as the Navigator Group, the cybercriminals have been tied to more than $1 billion in fraud. The group has a history of infecting point-of-sale devices with malware and using them to steal payment card information.
Researchers at Trustwave SpiderLabs disclosed an attack in which a hospitality company received a USB stick contained in a letter along with a Best Buy gift card. The letter contained a message explaining that the targets were receiving this $50 gift card for being a regular customer, and they could "…spend it on any product from the list of items presented on a USB…" Fortunately, the recipient never inserted the USB into their device. The next question becomes, "What is inside the teddy bear?"
The FBI stated in an alert that the USB device is a publicly available tool known as "BadUSB" or "Bad Beetle USB." Such attacks, also known as "Bash Bunny" attacks, are relatively rare.
The FBI stated FIN7 has been mailing the malicious USB devices to potential victims, sometimes while simultaneously running a phishing attack. "When plugged into a target system, the USB registers as a Keyboard HID Keyboard Device with a Vendor ID (VID) of 0x2341 and a Product ID (PID) of 0x8037," the alert says. "The USB injects a series of keystroke commands, including the (Windows + R) shortcut to launch the Windows Run Dialog to run a PowerShell command to download and execute a malware payload from an attacker-controlled server. The USB device then calls out to domains or IP addresses that are currently located in Russia."
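The alert gives defenders a concrete device fingerprint: a keyboard-class HID enumerating with VID 0x2341 and PID 0x8037. The following is an added example, not code from the alert or from Red Sky Alliance, that sweeps Windows device-install records for that VID/PID and for keyboard-class devices from vendors outside a hypothetical corporate allowlist. The allowlist, the log lines and the `scan_log` function are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Indicator quoted from the FBI alert: the FIN7 device enumerates as a HID keyboard with
# VID 0x2341 / PID 0x8037. VID 0x2341 is registered to Arduino, so legitimate hobby boards
# share it; treat a hit as a triage lead to pull the host's PowerShell logs, not as proof.
WATCHLIST = {(0x2341, 0x8037)}

# Hypothetical allowlist of keyboard vendor IDs issued to this fleet (constructed for the example).
KEYBOARD_VID_ALLOWLIST = {0x046D, 0x045E}  # Logitech, Microsoft

# Windows keyboard setup class GUID; device-install records carry it for keyboard-class devices.
KEYBOARD_CLASS_GUID = "4d36e96b-e325-11ce-bfc1-08002be10318"

# Device instance paths look like USB\VID_2341&PID_8037\<serial> or HID\VID_2341&PID_8037&MI_02\...
DEVICE_RE = re.compile(r"\b(?P<bus>USB|HID)\\VID_(?P<vid>[0-9A-Fa-f]{4})&PID_(?P<pid>[0-9A-Fa-f]{4})")

@dataclass
class Finding:
    line_no: int
    vid: int
    pid: int
    reason: str

def scan_log(lines: Iterable[str]) -> List[Finding]:
    """Flag device-install records matching the FIN7 VID/PID or unexpected keyboard vendors."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        m = DEVICE_RE.search(line)
        if not m:
            continue
        vid, pid = int(m["vid"], 16), int(m["pid"], 16)
        is_keyboard = KEYBOARD_CLASS_GUID in line.lower() or "keyboard" in line.lower()
        if (vid, pid) in WATCHLIST:
            findings.append(Finding(n, vid, pid, "VID/PID matches FIN7 BadUSB indicator from FBI alert"))
        elif is_keyboard and vid not in KEYBOARD_VID_ALLOWLIST:
            findings.append(Finding(n, vid, pid, "keyboard-class device from vendor not on allowlist"))
    return findings

# Constructed sample records in the style of setupapi.dev.log; not real captured data.
SAMPLE_LOG = [
    ">>>  [Device Install (Hardware initiated) - USB\\VID_046D&PID_C31C\\6&1a2b3c4d&0&3]",
    ">>>  [Device Install (Hardware initiated) - HID\\VID_046D&PID_C31C&MI_00\\7&2b3c&0&0000] Class GUID: {4d36e96b-e325-11ce-bfc1-08002be10318}",
    ">>>  [Device Install (Hardware initiated) - HID\\VID_2341&PID_8037&MI_02\\7&3e4f5a6b&0&0000] Class GUID: {4d36e96b-e325-11ce-bfc1-08002be10318}",
    ">>>  [Device Install (Hardware initiated) - HID\\VID_1B1C&PID_1B3D&MI_00\\8&4c5d&0&0000] Class GUID: {4d36e96b-e325-11ce-bfc1-08002be10318}",
    ">>>  [Device Install (Hardware initiated) - USB\\VID_0781&PID_5583\\0401a1b2c3d4] Class GUID: {36fc9e60-c465-11cf-8056-444553540000}",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: VID 0x{f.vid:04X} PID 0x{f.pid:04X} - {f.reason}")
```

A hit on the watchlist should be correlated with PowerShell script-block logging and Run-dialog activity on the same host in the seconds after the device enumerated, since that is the sequence the alert describes.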
The FBI says the domains or IP addresses that the device pings then push back to the device a copy of the Griffon malware, which FIN7 has previously attached to phishing emails. Griffon gives the attackers a back door for remotely accessing the entire infected system. Potentially, the infected system can also give attackers leverage over the rest of a corporate network.
Running these types of attacks is relatively inexpensive. While attackers can spend $100 or more on a USB device with a full-featured microcontroller, the FBI says the microcontroller used in one of the FIN7 attacks it studied is an ATMEGA24U, each of which retails for $5 to $14 depending on the supplier (check the dark web for current prices).
The United States DOJ has previously linked Carbanak to a campaign targeting over 100 US businesses, specifically in the restaurant, gaming, and hospitality industries. Arby's, Chili's, Chipotle Mexican Grill and Jason's Deli are among the data breach victims that have confirmed attacks tied to this group. FIN7 has perpetrated more than $1 billion in fraud, in part, by stealing details for more than 15 million payment card records from more than 6,500 point-of-sale terminals across more than 3,600 business locations, according to the Department of Justice.
In 2018, the Justice Department unsealed indictments against three alleged members of the FIN7 hacking gang: Dmytro Fedorov, Fedir Hladyr, and Andrii Kolpakov. All are Ukrainian nationals. Hladyr, whom prosecutors accused of serving as "a high-level systems administrator" for the gang, was arrested in Dresden, Germany, in January 2018, and extradited to the US. Last September, he pleaded guilty to conspiracy to commit wire fraud, which carries a maximum 20-year prison sentence, and conspiracy to commit computer hacking, which carries up to a five-year penalty, and agreed to pay $2.5 million in restitution. Fedorov was arrested in Bielsko-Biala, Poland, while Kolpakov was arrested in Lepe, Spain. Both were later extradited to the US and pleaded not guilty. A trial against the two men began in August 2019. They each face 26 felony counts, ranging from identity theft to conspiracy to commit computer hacking.
To avoid falling victim to these scams, avoid any "Free Offers" and ensure that your work-from-home employees are notified of these new tricks before they become the latest victims. Fortunately, in this case proper security training prevented the employee from inserting the USB and causing significant damage to the company's network. Red Sky Alliance has previously reported on FIN7's connection to the Joker's Stash website used to sell and leak card information obtained during cyber-attacks (IR-18-131-002_JokerStash_201805) and will continue to monitor the group's activities.
Red Sky Alliance is located in New Boston, NH, USA, and is a Cyber Threat Analysis and Intelligence Service organization. The Red Sky Alliance team of cyber threat analysts has been following groups like Carbanak, their principals, and others that prey upon unsuspecting victims. For questions, comments or assistance, please contact the office directly at 888-RED-XRAY or (888) 733-9729, or email firstname.lastname@example.org