Hackers Using Secure USB Drives to Attack Government Entities

An ongoing attack on government agencies in the APAC region has been claimed to have compromised a secure USB device with hardware encryption.

The nation’s government agencies utilize these safe USB devices to transfer and save data between computer systems.

The attacks had a very small number of victims and were highly targeted. The attacks are believed to have been conducted by a highly experienced and resourceful threat actor interested in conducting espionage operations in secure and private government networks.

Cyber Espionage via Secure USBs

According to the Kaspersky APT trends report for Q3 2023, this long-running campaign comprises several malicious modules that may execute commands, gather data from infected workstations, and transfer it to further machines using the same or different secure USB drives. 

On the infected computers, the attacks can also carry out additional harmful files.

The attack uses sophisticated tools and methods, such as virtualization-based software obfuscation for malware components, self-replication through connected secure USB drives to spread to other air-gapped systems, and code injection into a legitimate access management program on the USB drive that serves as a loader for the malware on a new machine.

BlindEagle, a financially motivated threat group, has targeted both people and governmental organizations in South America. Although espionage is the threat actor’s main objective, it has demonstrated interest in obtaining financial data.

BlindEagle is characterized by its capacity to cycle through different open-source remote access Trojans (RATs), including AsyncRAT, Lime-RAT, and BitRAT, and utilize them as the ultimate payload to accomplish its goals.

The gang sends spear-phishing emails with Microsoft Office documents attached to its victims. This starts a multi-level infection strategy that results in installing a new Trojan that is primarily made to steal data from the victim’s computer and take over by executing arbitrary commands.

APT campaigns are still widely spread geographically. Attackers have targeted Europe, South America, the Middle East, and other regions of Asia this quarter.

Government, military, defense, gaming, software, entertainment, utilities, banking, and manufacturing are just a few of the industries being attacked.

Cyber espionage continues to be a top priority of APT campaigns, and geopolitics continues to be a major factor in APT development.

“It is therefore very important to build a deep understanding of the TTPs of this threat actor and to watch out for future attacks,” reads the report.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting victims…

12 hours ago

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ advanced…

12 hours ago

XSS Vulnerability in Bing.com Let Attackers Send Crafted Malicious Requests

A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to execute…

15 hours ago

Meta Removed 2 Million Account Linked to Malicious Activities

 Meta has announced the removal of over 2 million accounts connected to malicious activities, including…

18 hours ago

Veritas Enterprise Vault Vulnerabilities Lets Attackers Execute Arbitrary Code Remotely

Critical security vulnerability has been identified in Veritas Enterprise Vault, a widely-used archiving and content…

19 hours ago

7-Zip RCE Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been disclosed in the popular file archiving tool 7-Zip, allowing…

19 hours ago