CyberWire Daily - FIN7 repositioning focus into ransomware. [Research Saturday]
Episode Date: December 11, 2021
Guest Ilya Volovik, Team Lead of Cyber Intelligence at Gemini Advisory, discusses his team's work on "FIN7 Recruits Talent For Push Into Ransomware." The cybercriminal group FIN7 gained notoriety in the mid-2010s for large-scale malware campaigns targeting point-of-sale (POS) systems. In 2018, Gemini Advisory reported FIN7's compromise of Saks Fifth Avenue and Lord & Taylor stores and the subsequent sale of over 5 million payment cards on the dark web. According to the US Department of Justice, the broader FIN7 carding campaigns have resulted in the theft of over 20 million payment card records and cost victims over $1 billion, making FIN7 one of the most infamous and prolific cybercriminal groups of the last decade. Now with ransomware proving to be cybercriminals' preferred high-profit, jackpot venture, FIN7 has redeployed their expertise and capacity towards ransomware, with reports indicating that the group was involved in attempted ransomware attacks on US companies as early as 2020. Furthermore, despite focus from law enforcement and the arrest of four FIN7 members from 2018 to 2020, FIN7's continued activity shows that the group remains a powerful, active threat. The research can be found here: FIN7 Recruits Talent For Push Into Ransomware
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner and this is our weekly conversation with researchers and analysts
tracking down threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
Fin7 is a notoriously famous cybercriminal group,
and I think it's one of the most researched groups that is currently out there.
That's Ilya Volovik.
He's the research team lead at Gemini Advisory, a Recorded Future company.
The research we're discussing today is titled
"Fin7 Recruits Talent for Push into Ransomware."
They have really made themselves famous by conducting a lot of malware campaigns that were targeting point of sale systems. And they gained their notoriety in mid 2010s, I would say.
Specifically, the large hack that they had was in 2018 when they compromised Saks Fifth Avenue and Lord & Taylor stores where they have stolen payment cards.
And they subsequently posted about 5 million of those payment cards on the dark web, which we reported on way back in 2018.
And with the payment card industry, you know, it kind of has its ups and downs, and it's obviously still happening. But cyber criminals are always looking for new ways and new spheres to expand into. Right. So, OK, yeah, we used to steal payment cards, but what else is out there? Where else can we make money?
And ransomware, over the past few years, has also been getting a lot of high-level visibility. There are a lot of articles being written about it. It's been on the news a lot. And ransomware teams are making quite a bit of money, right? So Fin7, being that they are, you know, a very powerful team, they have incredible infrastructure.
They said, well, listen, how about we expand into this, right?
So why don't we take a piece of that pie?
So it appears that they have been getting involved with this ransomware business.
Because again, you can make a lot of money in
that from the cyber criminals perspective. Right, right. It's, you know, we're a criminal
organization with a lot of moral flexibility. Let's expand into a new area, right?
Absolutely. Absolutely.
Well, let's continue along just some of the background here. Because again, in 2018,
I believe it was the US Department of Justice that released information that Fin7 was posing as another company.
What can you tell us about that?
Correct.
So in 2018, the Justice Department revealed that Fin7 was posing as Combi Security, which was a fake cybersecurity company.
And it was involved in hiring unaware IT specialists, essentially, kind of like what
we're going to talk about today. So this is like a precursor to what they did today. This was a few
years ago. They already tried that out. So this was something they attempted to do. And interestingly, in 2018 as well,
the Justice Department, you know, recently released information that they
made an arrest in 2018 of a system admin that worked for Fin7 or was involved with Fin7.
They say he was one of the higher ranking individuals within Fin7, who initially
was hired by Combi Security as an IT specialist. So this Combi Security posed as a cyber criminal
company. They hired this system admin to work for them. They pretended to be a legitimate company.
He started working for them. Then he started to say, hmm, you guys are doing something wrong.
Let me get a piece of that pie. So instead of raising a red flag and saying, hey, this is wrong, I should
report you guys or I should let somebody know that something is happening, he said, huh, I can make a
lot of money here. So he stayed on with them, and he was arrested and he was recently sentenced.
I think in April or March of this year, he was sentenced to 10 years.
Wow.
Well, let's move on to the recent report here.
What is the latest from Fin7?
So the latest.
So it appeared that that tactic that they used in 2018 with Combi Security worked well for them.
You know, they obviously found some individuals that worked for them.
So they decided to repeat the same tactic.
They essentially created this company called Bastion Secure.
For short, BS, as we internally call it.
A BS company.
They created this company and on the surface,
it looks very legitimate.
They had presence on these various job posting sites in former Soviet Union.
They had their own website.
And they were looking to recruit some IT specialists into their company, unwitting, saying,
hey, you know, we're in the cybersphere, you know, come work for us.
And essentially, they reach out to like a lot of people, I'm sure, saying, hey, you know,
come on board. And what we noticed is that they really operate like a small startup company. Well,
maybe not even a small startup company, but a regular startup company. They have very professional demeanor. Their website looks very professional.
Their communications are very professional.
When they were recruiting our source,
essentially our source had no suspicion
that anything was really wrong.
Because you would think, right, cyber criminals,
they're going to be very criminal
and maybe speak in a certain way
and do things a certain way, right?
Right. A very Hollywood stereotype of what these folks might be like.
Right. Exactly. Exactly. But no, these guys have been around for a while. So very professional
communication. Now, granted, looking back at it, we can say, well, you know, they reached out to
you, you know, via email and then said, hey, let's talk on Telegram. So there wasn't really a phone call. So their initial communications
happened over Telegram with the HR department.
And, you know, looking back at it now, we can say, well, that was a little suspicious,
but you have to remember that Telegram is really being widely used in Eastern Europe
as a form of communication.
It's really nothing out of the ordinary to use Telegram to communicate with your employer.
So it really didn't raise any red flags at that point.
And they reach out to you and they say, hey, we are Bastion Security.
We are this company. So you go on Google, as anybody would,
and you Google search for that company. And Google would return a lot of companies named Bastion Security
because the name is fairly generic,
and it overlaps with similar named entities
and similar named companies.
When you put Bastion Security, you'll have news articles that come out
saying Bastion Secure or Bastion Security or bastion or variations of those words.
So there's, you know, a good amount of information on Google for that, particularly on their website.
They listed an address in England.
And when you go to that, you know, and you look up that address, it will show you that there was a company named Bastion Security.
Right.
That used to be there.
But again, like if you're just doing a surface search without digging into it,
you're going to see, yeah, you know, at that address, there's Bastion Security.
You're not like really paying attention that the Fin7 company is Bastion Secure
or Bastion Security, fairly similar, right?
In terms of attracting the folks to come work for them
and making it appear as though these are legitimate
jobs, what sort of jobs are they hanging out there? Do they say they're looking for pen testers or
red teamers? What are they trying to attract? So they're trying to attract quite a few
individuals. So they're looking for programmers that are proficient in PHP, C++, Python. They're looking for system admins.
They're looking for reverse engineers. So we believe
this is kind of like something they want to build
a staff that is capable of conducting tasks necessary to
do a range of cyber criminal activity. But again, on the surface, if you're
a cybersecurity company looking for these specialties, there's nothing really out of the ordinary. But looking back at
it and you kind of know what they do and you can say, well, why would they look for a system admin?
A system admin is somebody that can really map out a network of a company. They can figure out,
well, how is this network built?
Where would a system admin, like a legitimate system admin of that company, where would he hide his backups? How would he use his network? Where would he place all the various things that
are interesting to these ransomware teams? So system admin is like an interesting one.
Same thing with reverse engineer. Maybe they're trying to look at antivirus software, right, and seeing if that antivirus
software is capable of detecting their malware. So we know Fin7 is using this malware called
Carbanak, right? So, for example, they may need to test their malware against the new antivirus
system, so they maybe need a reverse engineer
to kind of see, well, you know, how do we make our malware non-detectable by the antivirus?
Now, you mentioned that they're operating out of former Soviet countries. Are these offers,
is it a Russian language situation where they're going after native Russian speakers?
How are they going about that?
Correct.
As many of us know, a lot of cyber criminal activity is happening on the dark web, Russian language dark web, let's put it that way.
And so naturally, of course, they are going for those Russian speakers.
People in any of these post-Soviet countries speak, you know, have that common language.
And, you know, it's not only because they speak Russian, but because the salary that, you know, you get in those countries for performing some of these duties is fairly low.
So say, for example, like, you know, your programmers, your system admins, your engineers, they could be making, you know, $1,000 a month, $1,500 a month, which is really low for them, you know, from our standard.
But in those countries, that's a good salary, you know, that's a perfectly normal salary.
So your contact here, the person who drew your attention to this, how far down the path did they get before they started to realize that something might be up?
And what was it that tipped them off?
So they got fairly well into the process, right?
So they went through the initial HR interviews,
again, which were very professional.
There was really no red flags outside of maybe like,
hey, listen, I really haven't spoken to anybody on the phone
or I haven't been to their office. But otherwise, everything seemed to be fine.
Then they signed some work agreements. Then they signed some other documents.
They were sent some packets about working for the company. Hey, this is what you should do,
shouldn't do. This is how you set up your PC to stay anonymous and things like that. So everything seemed very kind of like
as you would know, you know, as you would come in working for a larger company.
Then there was a test session where
they tested our source. Essentially, again, they were on this messaging
platform and they tested, you know, after the HR
there was a person that tested their knowledge in the IT sphere.
So they asked them a bunch of different questions, seeing how they respond to these questions.
These questions ranged, right? So like, what ports do you use? Or how does this system work?
What's HTTPS and things like that, right? So from very basic to more advanced items.
Once they were done with that, the next stage was like, hey,
we're going to give you some of these tools that we use, which, by the way, were
disguised as, you know, some of the
tools that pen testers, like even in legitimate companies, when they
do pen testing of companies, they use some tools that can be both used
for legitimate pen testing and they can be also used for
illegitimate reasons by cyber criminals. So he was sent a bunch of different
tools. Again, if you look at these tools and you say, well, we're a cybersecurity
company, some of these tools can be used legitimately. However,
some of the other tools, they were really disguised tools. Tools
that say, for example, hey, this is Check Point Software, for example, which is a legitimate company that does create legitimate tools.
However, it was just in the name that this was Check Point Software.
The actual software that they were using, now, software, if you will, was disguised like a control panel.
So again, you know, tools with disguise.
So at the first look, you're like,
yeah, you know, these are tools.
This is kind of interesting.
There were some other things that were sent to them,
like manuals and things like that.
So at first glance, it's not really a red flag.
Maybe like a yellow flag.
Oh, this is interesting.
I've never worked with any of these tools.
You know, what are some of these tools? So you maybe Google them and you research, well, what is this
tool, what is that tool, and you kind of get like dual information: well, yeah, this could be used for
pen testing; oh, yeah, cyber criminals do use this. So you're like, not a red flag, but maybe like a
yellow flag. So once the process of that training and testing has been complete, that was kind of the latter stage, like, okay, you are good to go.
You trained up.
In a short time, we're going to start on an actual real-world assignment.
And that's when the kind of red flag was raised and said, well, okay, well, we're going to do this assignment, but do you have any legal paperwork for this?
Do you have – there should be some kind of legal paperwork and why we're doing this and how we're doing this.
So questions started to get asked.
And once you start asking those key questions,
the company is like, well, you're asking too many questions.
So that was kind of like the end of it.
Now, was that the end of it?
I mean, did your source then walk away?
Correct, yes.
So that was the end of it because, again, from the initial stages, it wasn't very suspicious.
But once you start asking questions and you're not getting the answers that you were hoping to receive,
and then you start looking back and saying, well, you know, these tools, they could be used for bad stuff.
On top of that, I'm not really getting any legal paperwork confirmations for what we're about to do.
You know, I've never really met them.
I've only communicated with them on the messengers.
Okay, these are now red flags.
So this is now everything is getting red flagged.
So this person then gets in touch with you and shares some of these tools that were provided by Fin7 going by the name Bastion.
How did you all connect the dots then as you started to look at these tools?
Correct.
So these tools were, you know, once you kind of like start looking deeper into it, you start realizing that, hey, these are post-exploitation tools that are being used by Fin7.
Because again, as we kind of talked about in the beginning,
Fin7 is probably one of the most researched cyber criminal gangs in the world.
So there's a lot of information out there.
What kind of tools are they using?
What kind of tactics are they using?
So, you know, when we looked at these tools and we started to do analysis,
and, you know, we did it in conjunction with Recorded
Future, you know, which is a great resource to us to use, obviously, there were definitely
clear signs, hey, these are the tools that were previously used by Fin7.
These are the tools that were created by Fin7.
So some of the tools that were used by Fin7, let's put it this way, they could be out there,
right?
Like, say, for example, if it's a version one
of certain malware, it's been around for five years,
anybody really could have this tool, right?
Because maybe somebody bought it and they're using it,
they're widely available to anybody.
But some of the tools, they're really like
latest model stuff, right?
So this is like latest iteration,
latest versions of these tools.
So when you're looking at this and you're like,
well, this is like a latest upgrade of the tool that was used in the past, well, who could be
using that? So there were some clear signs that, hey, these are really Fin7, the actual company.
And again, and you kind of parallel that with a fake company, Bastion Secure, very well made.
And you draw a very, very close parallel to what they did in 2018 with Combi Security.
Is Bastion still out there trying to attract would-be employees?
So, you know, it's interesting you mentioned that.
So when we initially started looking at the website, and this was some time ago, quite a bit of time ago, a few months, their website was built as a copy of a CNS website, which, again, is a legitimate cybersecurity company.
The front page looked complete. You start looking at some of the menus, the menus looked complete.
But when you start looking at the sub menus, those sub menus weren't filled in yet,
or they were filled in, but still had the CNS logo or CNS Twitter handle or just sentences mentioning CNS. So it wasn't a complete site. Some pages would outright give you a 404 error,
meaning the page is not available.
And funnily enough, the error would be in Russian.
So that's like, oh, you see,
these guys are presenting to you this huge international company that has a head office in London or in England.
Why do you have Russian error pages?
A little bit of a red flag there.
Right, for sure.
And the same thing with the source code.
When you look at the source code, it had some references to the CNS site.
Now, over time, up until we published our report, they would patch it up.
So they would actually develop those submenus.
So when we looked at it again, we were like, oh, this submenu was not working before and now it is working.
This submenu did have CNS information, but it no longer has it.
So they edited it.
For example, on their website for vacancies for the jobs, it was really empty.
There was nothing there.
And then we started seeing, okay, now they have postings for jobs on that submenu.
So what that tells us is that this was a big project for them because, again, we can see that they put a lot of time and effort making the page look and appear legitimate.
There was some text that was taken from CNS, but the text was edited to make it so it's not as obvious that it was from CNS.
Some text, again, we caught it before it was edited,
but then we saw, hey, this was already edited.
So they were actively working on this Bastion Secure.
They were actively working on building that image of Bastion Secure
right up until the point where we released our public blog,
where we exposed them.
So we believe that, yes, they were actively searching for individuals to work for them. It seems like it's a tactic they were really planning to use, hiring these unwitting IT specialists to work for them without really revealing who they are.
should be on the lookout for if they spin up yet another company with a new name that attempts to do similar things.
It seems to be perhaps a pattern for them.
Oh, absolutely.
When you're dealing with research and you're dealing with the dark web
and you're dealing with analytics, you can always say,
yes, of course, you have a job market in former Soviet Union, just like any job market, right?
There's a lot of people that are looking for jobs.
There's a lot of IT specialists out there in those countries and, you know, they're looking for a job.
So it's not really out of the ordinary for cyber criminals to go out to that marketplace and try and find somebody that can maybe write a code for them.
Like they'll find a programmer that will write a code for them.
They won't really tell them what the code is for.
Maybe they won't share the whole picture of what that program is for.
So it's not uncommon for them to do that.
But to do it at the scale that Fin7 is doing it,
building a website, coming up with a name.
They came up with a name with multiple different companies,
creating addresses, creating job posting ads.
And they're not doing it once, they're doing it, you know, this is the second instance
where they've done it.
It does seem like they believe that this is a good venue.
Who knows?
Maybe their plan was to create this Bastion Secure site, this company, and then they would
come to like legitimate companies and offer their services and say, hey, listen, we'll do some pen testing for you
and things like that. So they could be approaching not just
hiring individuals, but also building themselves this fake
enterprise, essentially. Where they maybe would say, hey,
you guys got ransomware? We're going to come and help you negotiate.
We are this company called Bastion Secure,
which is, again, something we saw in the past
in one of our articles that we wrote
about some ransomware tactics,
ransomware teams' tactics and how they operate.
They'll have these middlemen that will,
once the ransomware attack happens in the company,
they'll have a middleman that will come out
to that victim company and say, oh, listen, I can negotiate with you.
But that person could actually be working for the ransomware team.
So if we're looking, taking a step back, what could have been out of this Bastion Secure?
That could have been one of those things.
They create this fictitious company that would, you know, on the one hand, they would conduct the ransomware attack.
On the other hand, they would come in and say, hey, we're Bastion Secure, we're going to help you
patch all the holes, we'll help you to negotiate, but you got to pay us or whatever. And so they
could have been double dipping there. The extent of what they could be doing with this is really
quite large. So we're kind of happy that we caught them in this process of still building this
website.
Because again, as I mentioned, a few months ago, it wasn't a complete site.
They were definitely working on it.
They were definitely actively working on that site and on that image.
So it could have been really bad news for some.
Our thanks to Ilya Volovik from Gemini Advisory for joining us.
The research is titled,
Fin7 Recruits Talent for Push into Ransomware.
We'll have a link in the show notes.
The CyberWire Research Saturday is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Brandon Karp, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, and John Petrick.
Thanks for listening. We'll see you back here next week.