Snail-Mail Phishing with a CD as Bait

Stu Sjouwerman | Jul 30, 2018


Several state government offices in the US have received malware-infected CDs by mail. It's a clumsy attempt, according to an alert the Multi-State Information Sharing and Analysis Center (MS-ISAC) shared with state and local governments. The CD shows up in the mail with a Chinese postmark, accompanied by what MS-ISAC calls a "confusingly worded typed letter with occasional Chinese characters." The CD itself holds Mandarin-language Word files. Some of the documents are seeded with malicious Visual Basic scripts.

The approach may be clumsy, but the selection of targets shows considerable intelligence. It's unknown whether anyone has fallen for the approach, but the agencies that received it form an interesting and instructive list: State Archives, State Historical Societies, and a State Department of Cultural Affairs. What the targets have in common is a likely predisposition to open documents relatively indiscriminately. Experienced information security personnel will recognize a similar vulnerability in human resources and recruiting departments. They too are disposed to open attachments if they appear to be resumes, for example. An archive, a cultural affairs department, or a historical society will all be inclined to accept and take a look at things arriving over the transom.

With the emphasis the security industry gives to concerns about online attack, it's worth remembering that the attacker's goal is to get something from, or do something to, the victim. The attacker isn't interested in technical virtuosity for its own sake. An effective, new school approach to security awareness training should be constructed with a view to defeating scams and blunting the effect of social engineering. And sometimes that social engineering is pretty old school.

KrebsOnSecurity has the story: https://krebsonsecurity.com/2018/07/state-govts-warned-of-malware-laden-cd-sent-via-snail-mail-from-china/
