The FBI has warned of an attack campaign that sends USB drives containing malicious software to employees. Here is what you need to know about BadUSB and mitigating its risks.

In January 2022, the FBI issued a public warning over a USB attack campaign in which numerous USB drives, laced with malicious software, were sent to employees at organizations in the transportation, defense, and insurance sectors between August and November 2021. The USBs came with fake letters impersonating the Department of Health and Human Services and Amazon, sent via the U.S. Postal Service and UPS. The campaign has been dubbed "BadUSB," and the FIN7 hacker organization has been named as the culprit. Here is what you need to know about BadUSB and mitigating the risks of this USB attack.

BadUSB definition

"The BadUSB attack provides the victim with what looks like a physical USB stick and a lure to plug it into the victim's system, such as promising a gift card as a thank you or invoices that need to be processed," explains Karl Sigler, senior security research manager at Trustwave SpiderLabs. His malware research team initially discovered the campaign in 2020 while examining a malicious thumb drive as part of a forensic investigation for a U.S. hospitality provider.

"The USB drive is actually configured as a USB keyboard, and the computer will identify it and configure it as such," he tells CSO. "Once inserted, the USB keyboard will automatically start typing and will typically invoke a command shell and inject commands to download malware."

Security threats posed by BadUSB

BadUSB, when successful, acts as an initial downloader for anything from credential grabbers to backdoors and ransomware, Sigler says. These types of attacks are often discussed among security professionals, but are not common. Given the rarity of the attack, it is likely effective in a lot of situations, he adds.
"This attack vector may be an attempt to exploit the work-from-home trend," wrote Cybereason chief visionary officer and co-founder Yossi Naar. "There are fewer guard rails and an increase in the likelihood a user will plug into a work computer or to their home network, to which their work computer is also connected."

Naar also noted that some organizations or departments routinely employ USB thumb drives and people are therefore more likely to use a USB storage device without suspicion. "That would make this tactic more effective," he continued, warning that once attackers have gained a foothold, they can escalate privileges or conduct reconnaissance from the inside.

Perhaps the riskiest element of BadUSB is the possibility that the campaign is merely a distraction for a different or broader attack, Naar said. "There are a variety of more effective attack vectors that don't rely on a potentially traceable and high-touch campaign like this," he wrote, adding that FIN7 is a sophisticated threat actor, "which is why this all feels like a big misdirection."

Preventing BadUSB risks

Businesses can take several steps to avoid falling victim to the BadUSB attack.
The first is to include this campaign and others like it in security awareness training and make sure that all employees understand they should turn over any unidentified hardware to their internal security team before attempting to insert or connect it to their system, Sigler tells CSO.

"Systems would also benefit from up-to-date endpoint protection that can monitor for command shell abuse and any subsequent malware that might be downloaded," while physical and software-based USB port blockers for critical systems that don't require any USB accessories are worthwhile, too, Sigler says.

If BadUSB is indeed an attack misdirection attempt as Naar stated, organizations need to examine the entire malicious operation across their environment and not simply focus on the USB drive foothold to recognize indicators of behaviors and identify and stop additional malicious activity, he wrote.
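The behavior Sigler describes (a device that enumerates as a keyboard and immediately "types" its way into a command shell) leaves a tight timing signature that endpoint monitoring can key on. The following is an added example, not code from the article or from Trustwave, that correlates constructed endpoint log lines in an assumed simplified "timestamp event key=value" format; the device IDs, the log format, and the allowlist are all invented for illustration.

```python
"""Flag a newly enumerated, unrecognised USB keyboard that is followed within
seconds by a command shell launch: the footprint of a BadUSB keystroke injector."""
from datetime import datetime, timedelta
import re

# Assumed (hypothetical) endpoint log layout: "<ISO timestamp> <event> k=v k="v v" ...".
LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
WINDOW = timedelta(seconds=10)      # an injector starts typing almost immediately
KNOWN_KEYBOARDS = {"abcd:0002"}     # constructed allowlist of corporate-issued vid:pid

# Constructed sample log (not from any real host). Only the first keyboard should fire:
# the 11:00 keyboard is allowlisted, and the flash drive is not a HID device.
SAMPLE_LOG = """\
2021-10-04T09:12:01 usb_connect class=HID product="USB Keyboard" vid=1234 pid=0001
2021-10-04T09:12:03 process_start image=cmd.exe parent=explorer.exe
2021-10-04T10:30:00 usb_connect class=MSC product="Flash Drive" vid=1234 pid=0003
2021-10-04T10:45:10 process_start image=cmd.exe parent=explorer.exe
2021-10-04T11:00:00 usb_connect class=HID product="Corp Keyboard" vid=abcd pid=0002
2021-10-04T11:00:02 process_start image=powershell.exe parent=explorer.exe
"""

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, event, rest = m.groups()
    try:
        stamp = datetime.fromisoformat(ts)
    except ValueError:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return {"ts": stamp, "event": event, **fields}

def find_badusb_candidates(log_text):
    """Return (keyboard_event, shell_event) pairs: an unknown USB keyboard whose
    enumeration was followed by a shell start within WINDOW."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    hits = []
    for i, ev in enumerate(events):
        if ev["event"] != "usb_connect" or ev.get("class") != "HID":
            continue
        if f'{ev.get("vid")}:{ev.get("pid")}' in KNOWN_KEYBOARDS:
            continue                     # keyboard we issued; typing from it is expected
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > WINDOW:
                break                    # outside the injection window, stop looking
            if later["event"] == "process_start" and later.get("image", "").lower() in SHELLS:
                hits.append((ev, later))
                break
    return hits
```

Real deployments would read the equivalent device-arrival and process-creation events from the endpoint agent and tune the allowlist and window to the fleet; the correlation logic stays the same.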