In January 2022, the FBI issued a public warning over a USB attack campaign in which numerous USB drives, laced with malicious software, were sent to employees at organizations in the transportation, defense, and insurance sectors between August and November 2021. The USBs came with fake letters impersonating the Department of Health and Human Services and Amazon, sent via the U.S. Postal Service and UPS. The campaign has been dubbed “BadUSB,” and the FIN7 hacker organization has been named as the culprit. Here is what you need to know about BadUSB and mitigating the risks of this USB attack.

BadUSB definition

“The BadUSB attack provides the victim with what looks like a physical USB stick and a lure to plug it into the victim’s system, such as promising a gift card as a thank you or invoices that need to be processed,” explains Karl Sigler, senior security research manager at Trustwave SpiderLabs. His malware research team initially discovered the campaign in 2020 while examining a malicious thumb drive as part of a forensic investigation for a U.S. hospitality provider.

“The USB drive is actually configured as a USB keyboard, and the computer will identify it and configure it as such,” he tells CSO. “Once inserted, the USB keyboard will automatically start typing and will typically invoke a command shell and inject commands to download malware.”

Security threats posed by BadUSB

BadUSB, when successful, acts as an initial downloader for anything from credential grabbers to backdoors and ransomware, Sigler says. These types of attacks are often discussed among security professionals, but are not common. Given the rarity of the attack, it is likely effective in a lot of situations, he adds.

“This attack vector may be an attempt to exploit the work-from-home trend,” wrote Cybereason chief visionary officer and co-founder Yossi Naar. “There are fewer guard rails and an increase in the likelihood a user will plug into a work computer or to their home network, to which their work computer is also connected.”

Naar also noted that some organizations or departments routinely employ USB thumb drives and people are therefore more likely to use a USB storage device without suspicion. “That would make this tactic more effective,” he continued, warning that once attackers have gained a foothold, they can escalate privileges or conduct reconnaissance from the inside.

Perhaps the riskiest element of BadUSB is the possibility that the campaign is merely a distraction for a different or broader attack, Naar said. “There are a variety of more effective attack vectors that don’t rely on a potentially traceable and high-touch campaign like this,” he wrote, adding that FIN7 is a sophisticated threat actor, “which is why this all feels like a big misdirection.”

Preventing BadUSB risks

Businesses can take several steps to prevent falling victim to the BadUSB attack. The first is to include this campaign and others like it in security awareness training and make sure that all employees understand they should turn over any unidentified hardware to their internal security team before attempting to insert or connect it to their system, Sigler tells CSO.

“Systems would also benefit from up-to-date endpoint protection that can monitor for command shell abuse and any subsequent malware that might be downloaded,” while physical and software-based USB port blockers for critical systems that don’t require any USB accessories are worthwhile, too, Sigler says.

If BadUSB is indeed an attack misdirection attempt as Naar stated, organizations need to examine the entire malicious operation across their environment and not simply focus on the USB drive foothold to recognize indicators of behaviors and identify and stop additional malicious activity, he wrote.
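As an added illustration of the behaviour Sigler describes (a drive that enrolls as a keyboard and then opens a command shell) and of the endpoint monitoring he recommends, the following Python script correlates a keyboard-class USB attach event with an interactive shell started shortly afterwards. This is example code written for this page, not from the article, Trustwave, Cybereason or any vendor product. The JSON-lines log format, the field names, the device-class strings, the 90-second window, the parent-process heuristic and the vendor/product identifiers are all constructed assumptions.

```python
import json
from datetime import datetime, timedelta

# Assumptions for this example: device-class strings as a hypothetical
# endpoint agent might log them, the shells worth watching, and the parent
# process an interactively typed Win+R launch would normally have.
KEYBOARD_CLASSES = {"HIDClass", "Keyboard"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
INTERACTIVE_PARENTS = {"explorer.exe"}
WINDOW = timedelta(seconds=90)   # keyboard attach -> shell start; chosen for this example

# Constructed sample log (JSON lines). Device ids, timestamps and command
# lines are made up; the second record stands in for the typed download stage.
SAMPLE_LOG = """
{"ts": "2021-10-04T09:12:03", "kind": "usb_connect", "class": "HIDClass", "device": "VID_1234&PID_5678"}
{"ts": "2021-10-04T09:12:09", "kind": "process_create", "image": "powershell.exe", "parent": "explorer.exe", "cmd": "powershell -c <downloader placeholder>"}
{"ts": "2021-10-04T11:00:00", "kind": "usb_connect", "class": "USBSTOR", "device": "DISK&VEN_EXAMPLE"}
{"ts": "2021-10-04T11:00:20", "kind": "process_create", "image": "cmd.exe", "parent": "explorer.exe", "cmd": "cmd /k"}
{"ts": "2021-10-04T14:00:00", "kind": "usb_connect", "class": "Keyboard", "device": "VID_0000&PID_0001"}
{"ts": "2021-10-04T14:04:00", "kind": "process_create", "image": "cmd.exe", "parent": "explorer.exe", "cmd": "cmd"}
"""


def parse_events(lines):
    """Parse JSON-lines records into (datetime, record) tuples sorted by time."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        events.append((datetime.fromisoformat(rec["ts"]), rec))
    events.sort(key=lambda e: e[0])
    return events


def detect_badusb(lines, window=WINDOW):
    """Flag an interactive shell started within `window` of a keyboard-class USB attach.

    Only the device class and timing are used: a BadUSB device can present any
    vendor/product id, so an id allowlist alone would not catch it.
    """
    recent_keyboards = []   # (attach time, device id) still inside the window
    alerts = []
    for ts, rec in parse_events(lines):
        # Drop keyboard attaches that have aged out of the window.
        recent_keyboards = [(kts, dev) for kts, dev in recent_keyboards if ts - kts <= window]
        if rec["kind"] == "usb_connect" and rec.get("class") in KEYBOARD_CLASSES:
            recent_keyboards.append((ts, rec.get("device", "unknown")))
        elif rec["kind"] == "process_create":
            image = rec.get("image", "").lower()
            parent = rec.get("parent", "").lower()
            if image in SHELLS and parent in INTERACTIVE_PARENTS:
                for kts, dev in recent_keyboards:
                    alerts.append({
                        "ts": ts.isoformat(),
                        "device": dev,
                        "image": image,
                        "seconds_after_attach": (ts - kts).total_seconds(),
                        "cmd": rec.get("cmd", ""),
                    })
    return alerts


if __name__ == "__main__":
    # Only the 09:12 pair trips the rule: the 11:00 device is mass storage, not a
    # keyboard, and the 14:00 keyboard is followed by a shell outside the window.
    for alert in detect_badusb(SAMPLE_LOG.splitlines()):
        print(json.dumps(alert))
```

Run against the constructed log, the script raises one alert for the keyboard-class device followed six seconds later by a PowerShell launch. The rule is deliberately narrow: it pairs with, rather than replaces, the port blocking Sigler suggests for systems that need no USB accessories, and a real deployment would feed it the endpoint agent's own device-arrival and process-creation telemetry rather than this sample format.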