Goffee hackers target USB flash drive data. Hackers are nothing if not creative. When it comes to uncovering previously unknown vulnerabilities in Google products and services or earning big money from Microsoft bug bounty programs, that’s a good thing.
Perhaps less so if zero-day vulnerabilities are being sought for sale to the Russian government, or those skills are being used for purely malicious purposes. We have all got used to reading about how best to mitigate the risk of hackers attacking your smartphone, or Windows computer, and hardware threats continue to evolve as recent reports of attackers using your GPU to steal your passwords prove. But now it would appear that your humble USB flash drive is in the hacking crosshairs.
Here’s what you need to know about the flash drive data-stealing Goffee threat. You probably haven’t heard of this particular threat actor before; I can’t say that I had, to be honest, and I spent my entire life immersed in threat intelligence. Maybe it’s time to wake up and smell the Goffee.
This advanced persistent threat hacking group has been active since at least 2022, but it wasn’t until the second half of 2024 that threat intelligence experts, primarily in Russia, started to take it very seriously indeed. The reason is that Goffee was targeting strategic sectors in Russia, including government agencies, critical infrastructure such as energy providers, as well as media and telecoms. A new report from Kaspersky threat intelligence analysts has revealed how the Goffee hackers are targeting the data held on removable USB flash drives.
Although these attacks are still, apparently, limited to Russian victims, the technology used could easily be aimed at anyone, anywhere. As such, it’s imperative to take note and take mitigating action. Writing at Kaspersky’s threat research portal, Securelist, Kaspersky security researcher Oleg Kupreev confirmed that there are two components within the Goffee attack arsenal that are used specifically to target removable media.
These are FlashFileGrabberOffline and FlashFileGrabber. OK, so maybe I should take it back about hackers being creative, at least when it comes to naming attack tools. The offline variant “searches removable media for files with specific extensions, and when found, copies them to the local disk,” Kupreev said.
It does this by using a number of newly created subdirectories in the TEMP folder, as well as a free.db file that is used to store metadata for those copied files. FlashFileGrabber, meanwhile, does much the same but adds functionality so as to be able to communicate with a server to which the stolen files are despatched.
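The TEMP-folder artifact described above gives defenders something concrete to sweep for. The following is an added example, not code from Kaspersky or the original article: it walks a TEMP directory for a file named free.db and records what sits beside it. The function names and the sample folder layout are assumptions, since the article does not name the subdirectories.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

MARKER = "free.db"  # metadata file name quoted in the article; nothing else is assumed


def find_free_db(temp_root):
    """Return one finding per free.db located at or below temp_root."""
    findings = []
    # onerror swallows permission errors so one locked folder does not stop the sweep
    for dirpath, _dirs, files in os.walk(temp_root, onerror=lambda e: None):
        marker = next((f for f in files if f.lower() == MARKER), None)
        if marker is None:
            continue
        path = os.path.join(dirpath, marker)
        try:
            st = os.stat(path)
        except OSError:
            continue  # file vanished or is unreadable; skip rather than crash
        # Extensions of the files stored beside the marker hint at what was copied.
        siblings = Counter(
            os.path.splitext(f)[1].lower() for f in files if f != marker
        )
        findings.append({
            "path": path,
            "size": st.st_size,
            "modified_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "sibling_extensions": dict(siblings),
        })
    return findings


def build_constructed_sample(root):
    """Create a constructed directory layout for a dry run (not real malware output)."""
    staged = os.path.join(root, "sample_subdir")  # hypothetical folder name
    os.makedirs(staged)
    for name in ("free.db", "report.docx", "plan.pdf"):
        with open(os.path.join(staged, name), "wb") as fh:
            fh.write(b"constructed")
    os.makedirs(os.path.join(root, "unrelated"))
    return staged


if __name__ == "__main__":
    for hit in find_free_db(tempfile.gettempdir()):
        print(hit)
```

A file name on its own is a weak indicator, so treat any hit as a lead for triage: compare the modification time with USB insertion events and check whether the neighbouring files are documents the user did not put there.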
To mitigate the flash drive data threat, you have to move up the attack chain and look to where it all begins, and that’s with a phishing campaign. All the usual advice, therefore, when it comes to preventing phishing attacks needs to be taken into consideration. You might want to ensure that all removable flash drive data is securely encrypted.
Warning — These Data Hackers Target Your USB Flash Drive

Now hackers are coming for the data on your USB flash drives — what you need to know.