CyberWire Daily - Sophisticated FIN7 criminal group hits payment card data. [Research Saturday]
Episode Date: September 29, 2018Researchers at security firm FireEye have been tracking malicious actors they call FIN7, a group which targets payment card data in the hospitality industry and elsewhere. They make use of targeted ph...ishing campaigns, telephone vishing and even a convincing front company to do their deeds. Nick Carr and Barry Vengerick are coauthors of the research, along with their colleagues Kimberly Goody and Steve Miller. The research is titled On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. It can be found here: https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html  Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K. data products platform comes in. With Domo, you can channel AI and data into innovative uses that
deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to
your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and
analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024.
These traditional security tools expand your attack surface
with public-facing IPs that are exploited by bad actors
more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers
by hiding your attack surface,
making apps and IPs invisible,
eliminating lateral movement,
connecting users only to specific apps,
not the entire network,
continuously verifying every request
based on identity and context,
simplifying security management
with AI-powered automation,
and detecting threats using AI
to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
They first came on our radar when we didn't really know who they were or didn't associate
them with the financial group at that time. That's Nick Carr. He's a senior manager of the
advanced practices team at FireEye. The research we're discussing today is titled On the Hunt for
FIN7, Pursuing an Enigmatic and Evasive Global Criminal Operation.
It's research Nick did along with Kimberly Goody, Steve Miller, and Barry Vengerick,
who we'll be hearing from momentarily.
We recorded this interview back in August, just days after the United States District Attorney's Office
for the Western District of Washington had unsealed indictments
and announced the arrests of three individuals
within the leadership ranks of FIN7. We considered them an uncategorized threat
cluster that we were responding to. And our experiences with them started with responding
to and unveiling a bunch of new tools that the group was successfully using to surveil and
attempt to extract payment card data from one of our clients.
Now, this is a group that a lot of vendors refer to as the Carbonac group, just for
clarification there. But you all have made the point that perhaps not all Carbonac use
equates exactly one-to-one with the group you're tracking as FIN7.
About this same time last year, we released a blog post
where we tried to talk a little bit about Carbon Act versus FIN7. That's Barry Vengerich. He's a
technical director on the advanced practices team at FireEye. So we usually try to avoid naming a
threat group after a tool just because we don't like to make a one-to-one association with malware
or a specific tool set with a threat group, primarily
because of cases like this where we can see multiple threat actors or overlapping groups
using the same backdoor.
So what it looks like is Carbonac may have been shared or used by individual operators
transitioning between different groups or criminal gangs for different operations.
So calling all activity that was associated with Carbon Act and the Carbon Act group is
really kind of reductionist and makes it a lot harder to differentiate between different
threat groups.
So what we've actually seen is the understanding from other vendors as well has kind of peeled
back a little bit as time has gone on to show that some of the earlier Carbonac activity that folks like
Kaspersky and ESET reported on is definitely a different cluster than what we've seen being used
by FIN7. And if you look at that blog post that we did last year, we actually broke down some of the
major clusters of activity we saw using Carbonac. Yeah. So overall, FIN7 is a FireEye name that fits our naming convention,
if that helps for background for you. It's similar to the APT, you know, APT1, obviously
some of the APT numbered groups. It represents our promotion of a cluster or multiple clusters
of activity into a high fidelity named either APT group, or in this case, financial
group.
So FIN7 is our terminology for this cluster, and we've been pretty consistent for who these
attackers are throughout.
And we've also tried to be clear in our several blogs as we share new techniques that FIN7
is using, that that is indeed completely
separate. We've maintained that these are separate from what others call a carbonate group, and it's
really hard to get into how other people categorize groups, especially when they start using your
terminology when others use the term Fin7 to describe activity they've observed.
Sure. Well, let's walk through some of what they're up to,
what they go after, and who they're targeting.
Can you take us through that?
I think Fin7 is interesting in that we saw them
kind of hit two major industries and clusters,
and they're not exclusively targeting these industries,
but they're where we saw the vast majority of activity.
So initially, we saw them heavily targeting
the hospitality industry, so hotels and casino gaming. And then we saw them make a transition
into the restaurant industry. So the tactics they were using varied slightly between the
industries they were targeting, particularly in how they were approaching the spearfishing.
But those are kind of the two major industry sectors that we've seen them targeting heavily.
Now, they are fairly sophisticated here, and it seems as though they also have a good amount of resources at their disposal.
I mean, they're using things like spear phishing, actually doing the homework on the people that they're going after, which is resource intensive.
Yeah, we would definitely agree with that assessment.
When you get into the world of saying someone is sophisticated,
we can't measure someone's success and say that that was sophisticated in itself,
because that might have to do more with the maturity of their victims and defenses in place.
But we've tracked them long enough, and we tried to highlight in the blog
some of the things that we felt make Fin7 sophisticated.
All the first things they developed that were completely their own.
Some of their really unique mechanisms they used to compromise clients.
And we walked through some of those innovative things that they deployed.
But like you said, the spear phishing, the quality of that.
deployed but like you said the spear phishing the quality of that i suppose we got insight into
multiple teams working at the same time so not only do they have high quality phishing emails and social engineering schemes based on our the amount of response we did into this group we would
actually be responding to a fin 7 compromise at one client and then see them attempting to get
into several more fire eye
clients with these other techniques. So it really gave us unique visibility into the scope and scale
of this activity. Yeah. And speaking to the sophistication, you know, as loosely as we're
using the term, I think one thing that's easy to talk about, cause it's really easy for people to
conceptualize is how they were doing the initial spear phishing. So they were
almost exclusively targeting customer service personnel. So whether that would be booking
agents at hotels that are responsible for booking large groups or individual restaurant managers who
are kind of the first line for fielding complaints or customer service lines that field complaints
at a restaurant, They were really aware
of who they were targeting and how they were building the spear phishing towards those targets
in order to elicit folks to open the spear phishing attachments that they were sending
all the way down to including detailed instructions on how to bypass some built-in
office security mechanisms like enabling macros and enabling active content in the spear phishing
documents. So they were really aware of the folks that they were choosing to target at the victim
organizations were people that were in customer service roles and would in the normal course of
their jobs be dealing with a lot of people they've never talked to before and a lot of unsolicited
email attachments that they would have to open. So they kind of bypassed a lot of
that best practices, user training stuff that is always being talked about to mitigate spear phishing.
Now, one of the things you highlighted in your research was how they were creating novel
obfuscation methods and that they were varying them at a fairly rapid clip. Can you describe
what they were up to there? Yes. So there was a period where, again, we saw these, what I would categorize as multiple teams,
and the team that was developing their phishing documents, they were developing and testing those
documents on, at one point, a daily basis around, I think, July of 2017, went through. It reached the height of its rapid development.
And they came up with a technique of obfuscating their commands on the command interpreter.
It was so unique, we gave it its own term.
But it was obviously successful because then on a daily basis, we'd saw them tweak and change.
And so it was a grind to stay up with every variation there. And then we'd see those tested in a number of ways and then delivered to our clients, to the FireEye clients, attempt to get into their stores the same day via phishing emails.
Now, another thing that you highlighted, you have a section here describing all the phone calls that they would make to these organizations.
They used the technique of complaining about a lot of things. One of the things that caught my eye is they would lodge
food poisoning complaints, which I love internally. You all called that fin digestion. Love it.
Yes. Describe to me, what was the approach here by these complaining phone calls?
So I think the main takeaway from how they were doing this spear phishing is just like I talked
about a little earlier. They wanted to create a sense of urgency around the communications.
So we would see frequently where they wouldn't even introduce the spear phishing document until
they had had a two or three email exchange with one of the users in the victim organization,
just to build that kind of sense of trust that this is a legitimate
communication I'm having, and then pass along the spear phishing attachment. We saw them use
web complaint forms, so kind of an avenue outside of traditional email. And then we saw scenarios
where they would call the victim after they had sent the spear phishing to elicit them to open
the attachment over the phone call. So really persistent,
more advanced social engineering tactics around actually getting the initial victims to open those
attachments. Yeah. And if you start to break down people calling to simply ask, did you receive my
complaint or did you receive my email? It's a really unique way that Fin7 is able to identify
if a security solution
blocked the phishing email and it didn't make it to them. And if they did receive it, they can walk
them through it or continue to social engineer in ways that you'd expect a very good red team to use.
Yeah, it's interesting to actually make the phone call to make sure that you got the malicious email.
That's not something you hear every day.
One of the things you included in your research was you had a sample letter that they had written that they were claiming to be from the FDA, the Food and Drug Administration.
And it's interesting sort of to contrast some of the obvious shortcomings in this, but yet I guess still successful.
I mean, it says the first word is hello, but hello is misspelled, which is not off to a good start. And there are, you know,
I guess what we sort of joke about all the grammar errors within this, but I guess it's
good enough to work. So this was a unique one because that is so front and center. We almost
didn't include it, but the FDA example, two parts here. You can see the amount of effort
that went into not only the templated email that appears to come from FDA and delivered ostensibly
from the FDA, which was spooked here, but even using the specific center within the FDA.
All of these Photoshop templates that are customized and professional looking,
and then beneath it within the blog, we also show you that that same templating was matched within the encrypted
document where they further social engineer the users to engage with and in this case,
enable macros. But yeah, this was a rare one because it was a one off that went a little
bit more broadly, that we didn't see this language before. So perhaps as this was written as a one-off campaign,
the language didn't go through as much review perhaps
and has a misspelling.
To be honest with you,
the spelling was not typically an issue
if it was emailing or contacting
that they left a backpack here
or calling ahead for special allergies
or making a catering order.
And then to be honest with you,
when customer service
is engaging with the general public, I'm sure that spelling mistakes are pretty common. So,
you know, this one I think stands out a little bit because it appears to come from the FDA on
very official letterhead. So spelling mistakes wouldn't be there. But in other cases, we didn't
see them so much and they probably wouldn't be too big of a deal.
Yeah, I mean, a good example is one that we were just looking at this week where they complained that their daughter had been injured at a location of the restaurant.
And they were trying to send documentation of medical ER visits to treat the injury.
So obviously, once again, building that sense of urgency and really getting into a scenario where whoever receives that email is going to open it as quickly as they can.
Yeah, it's urgency, almost some litigious nature to them as well.
If you look at the kinds of things they submit in, this is something that would be a very bad thing if I don't engage and have a record of responding.
And my suspicion is they move to that because it's much more successful.
We initially used to see them just do things like a catering order or a,
I left my backpack in the store,
but it's almost all transitioned to stuff of a more litigious emergency
nature.
Like the food made me sick or my child got hurt in your store.
Now,
one of the things you all were able to do was to track individual personas over the
course of keeping an eye on this.
Do you have any sense for the scope of this?
How many people are involved or are members of this organization?
At least three.
No.
Outside of the arrests, we tried to, we track certain tool marks that are associated with
each phase and we later determine how relevant something is or how linked it might be
to a particular group so in some cases you might have a tool developer who leaves something they
might not have known they left within a phishing document that you might have someone setting up
infrastructure who makes a mistake in a lot of these cases it's a combination of small mistakes
or small things where attackers might not know what can be identified within there and then
in this case we released some of those personas that we found to be interesting and relevant in
some cases it turns out that personas that we track
are tied to a tool creator that doesn't work in the particular group or someone from the criminal
underground who's serving and sharing and passing around a document. In these cases, the metadata,
a lot of what we're sharing is from an artifact that's pretty new and we suspect the attackers were maybe not aware of it.
I think what the artifacts are actually stuff that we pulled out of the phishing documents
and we went into a little bit in the blog. So as far as scale, we can infer a lot from the
indictments and how they describe the organizations working. So where the three indicted individuals
were kind of more at the top and type of a project
management or overview role, it definitely infers that there's, you know, quite a few folks working
on different aspects of their campaigns against the victims. So folks sending out the spear phishing,
folks doing the actual intrusions, folks harvesting the card data. So some of the
details in the indictment kind of point to a very widespread, large
organization conducting these campaigns and operating against multiple victims at the same
time. Yeah. Since the indictments came down, how have their activities shifted? Have they gone
quiet for a while or are they still at it? So about February of last year and then picking up
towards the end of summer of last year, we were tracking some parallel activity that Proofpoint initially blogged about as a battle war. So it
was a very similar initial stage backdoor, very similar fishing to what we had seen from Fin7.
And that activity has kind of increased as what we had traditionally tracked as Fin7 decreased.
And so we're seeing a lot of parallels from that activity to the Fin7 decreased. And so we're seeing a lot of parallels
from that activity to the Fin7 activity. And it's actually reached a point where we have enough
evidence to say that this is either a direct offshoot or closely related to the previous
Fin7 activity. So that new strain of activity has actually been very consistent through with
the indictment happening and until last week we
have some spear phishing they sent out last week so i think what you're seeing here is with an
organization this large and diverse that taking two or three or four guys out of the equation
is definitely not going to have a significant impact on their day-to-day operations in the
way that some folks think it might just
due to the fact that this is a large criminal organization. So, and there obviously have been
very successful so far. So I don't, we don't see any kind of material impact on the day-to-day
based on the indictment. And I think that's something that FBI and DOJ kind of intimated
when they made the announcement that like, Hey, this isn't going to go away, but we're making progress by doing these indictments. Now, tell me about this company called Combi
Security. You all kept an eye on this group, evidently a front company for Fin7? That's right.
And that was confirmed by the DOJ announcement about Combi Security. This is to me one of the most fascinating pieces of the
Fin7 story was the front company that had a full-on online persona as the world leaders
in protecting large information systems from modern cyber threats. They had headquarters,
they had three different headquarters locations and job advertisements.
It was actually once people knew to look for them, they were out there.
In order to have a digital front company, I suppose you really need to embrace it always.
So they had LinkedIn profiles for several members that had various roles within the team.
One of the things we nuanced this with is it's certainly possible that there were unwitting individuals that were recruited to work for Combi security, you know, Fin7, who may have thought
they were operating a traditional red team or security test. And that access was then used
for criminal purposes. There's no indication that there's a legit side of Combi security and groups are out there freelancing as Fin7. It seems that the whole thing was a front for these criminal activities.
Yes, I can let Barry chime in, but 100% Combi security is believed to be a full front organization.
front organization yeah there's no indication that there was any kind of legitimate security testing being done by combi and it's actually it's kind of an ingenious way to do it you give
yourself some plausible deniability the idea that there may have been folks who were hired by combi
and as unwitting participants is uh interesting and personally i think that after the first couple
of uh pen tests they probably would have figured out what's going on.
But it's really hard to say from our perspective how much individual operators who may have been employed by Combi really knew what they were in for.
Yeah, and as some were developers, according to information available on LinkedIn and things like that, developed capabilities for them.
It's certainly possible that this helped
explain some of the really innovative things they were doing. This is obviously a well-resourced
group after a few of their operations, Combi Security, then has some more money to spend on
Fin7 development. Now, of course, that's speculation. I don't have insight into that.
But for us, it was an interesting way to look back at the activity under this front.
And by the way, not only do we expect this activity to continue to the Fin7 members that have not been arrested here, I would expect, and we have reason to believe, their same behavior with setting up successful front companies would continue on. So we think this, based on this success, this conservative estimate of a billion
dollars in card data taken, this is obviously a successful model for a financial criminal
organization that's operating like this. So we'd expect them to continue to operate and do a lot
of the same things that we saw Combi Security and Fin7 do. Now, what are your recommendations
in terms of people protecting themselves against this if i'm in the hospitality industry how do i protect my organization and my
staff there's a lot of recommendations we give so specific to fin7 we provide not only a lot of
technical details but some other ways to quote unquote hunt through your environment looking
for the kinds of things they do so we tried to provide some insight into behaviors.
From those, there are a lot of things that can be gained
about how it makes sense to secure your environment.
But really, in organizations that can do so,
there's some core recommendations.
We tend to pick up and prevent Fin7 intrusions
with our email security.
So an advanced email security solution you don't want
your users to be the first people to open a document or enable macros it makes sense there's
entire products and industries companies like ours that have developed technology that works
in that regard so there's some technical, there's some policy solutions and recommendations restricting what you enable to run in your environment. Some of these
phishing documents would drop scripts where highly locked down systems and systems with
more up-to-date policies restricting user behavior were able to prevent Fin7 from being successful.
But I think the key here is this is not a user awareness story.
This is not going to be solved by user education.
Barry started this by explaining the kinds of people they targeted,
the people that have to open the email,
the kind of people that have to click the attachment.
There's also mechanisms, and this is obviously stuff that was bypassed in
a few cases where you can have complaint forms to avoid customer service personnel dealing with, or web forms in general, to avoid personnel dealing with
attachments. However, you know, a lot of these forms allowed for an attachment to be provided
as well, or after an email response from the form, an attachment was introduced. So obviously,
Fin7 is aware of kind of these mitigation techniques that
a lot of the victim organizations are putting in place. So it's really kind of a thorny issue
on the initial spear phishing end. But some of the suggestions that Nick mentioned, like,
you know, having really limited isolated systems and user accounts that are responsible for dealing
with those attachments are honestly some of the best ways to go. I think what we also saw is that some of the organizations that were targeted are not well
resourced to deal with this kind of threat in terms of how many controls you really need to
be in place to isolate yourself from this. You know, if you're a small restaurant chain with
a couple dozen locations, this type of stuff is way down
the list of your costs and concerns, especially in the IT front.
So it's really, the real challenge I think is for those small to medium restaurants that
may be processing a huge amount of cards, but just really don't have a robust enough
IT infrastructure to really even think about this in their normal threat model.
So it's really challenging for those smaller organizations.
Oh, I would be remiss if I didn't mention
the most successful defense against FIN7 in our experience.
Now, defense against them achieving their full mission,
which was card data theft first and foremost,
that's their bread and butter, was protecting your point of sale, your POS environment with end-to-end encryption or point-to-point encryption.
So we had several scenarios where Fin7 was able to get past some of those controls, or in a lot of cases, those other controls weren't in place. And once they would attempt to get down and surveil the card environment
and attempt to get that card data and run all their tools custom built
to extract that data, they weren't able to do so.
They had to counter encryption.
And they would try to actually...
We talked a little bit about the things they would do then,
what they would research,
and then how they try to monetize the intrusion overall.
But that is the core Fin7 mission is payment card theft and encrypting
that the end-to-end pos systems was the most successful defense yeah and that's something
that partly explains why most of the fin7 activity that we responded to was in the U.S. The U.S. is kind of the last bastion for
swipe card transactions, which are unencrypted and have card data hitting memory of affected
point-of-sale systems. So I think as we see that transition to chip and PIN and chip and signature
in the U.S., the EMV transactions, we're going to see these type of point of sale compromises go down.
However, there are several very large industries in the US, one being gas stations that are kind
of sunsetted. I guess sunset is not the right word. They have exemptions for swipe transactions
given the capital costs and replacing all the terminals of the gas pumps. I think, Nick,
they're into like 2019 at this point or 2020.
I believe that's right.
They keep pushing it back.
So there's definitely still vulnerable industries
where there's a lot of swipe transaction
and unencrypted card data floating around to be targeted.
Yeah, and sorry, just a narrative side note.
When they did encounter the encryption,
we actually talked up front.
We were unveiled for the first time within our report.
Some of the other things that we saw Fin7 doing to monetize those compromises.
So targeting material non-public information that Fin7 may have used to gain a competitive stock trading advantage.
used to gain a competitive stock trading advantage.
So when they'd run into that encryption and really couldn't figure out how to subvert it,
identifying individuals within the corporate finance team and things like that once they were already in the network.
Yeah, that's interesting. So while we're here, we might as well loot the whole place.
If we can't get what we're after, the main thing we were after,
we shouldn't go home empty-handed.
If we can't get what we're, the main thing we were after, we shouldn't go home empty-handed.
Exactly.
For me, it's simply that Steve, Kim, Barry, and myself had the opportunity to write a blog and spend two days putting this together.
But we wouldn't be able to do this.
This is not a Nick and Barry story or a Kim and Steve story without all of the work that went into this, not only from the many Mandiant engagements and all the people leading those investigations,
all that hard work, but from the industry too. I mean, this was a big security industry story
and something where it was certainly not just FireEye, a lot of people contributing to
stopping this activity, contextualizing, understanding it,
and doing our best to collectively share that with each other as well.
I'd just like to reiterate what Nick mentioned, that we have a great advantage here at FireEye,
that we have kind of unparalleled insight into what some of these attackers are doing within
victim networks through our mandate and instant response. So it really helps us build kind of a
big picture
throughout an attack lifecycle of what attackers are doing.
You know, just want to thank all our mandate incident responders
as well as all the other folks across the company
that really have helped our understanding of Fin7
and, you know, allowed us to contribute to things like the blog.
And that's it.
I'm curious, just from a personal point of view,
when the USDA
comes in and makes these arrests
and that's in large part to
the work that you all have done, when you see
the work you're doing pay off
and that bad guys are being brought
to justice, so there must be a certain amount of
satisfaction and gratification
that comes from that. For me
at least, a lot of what I do
and a lot of what Barry does is
responding to cyber espionage, responding to nation state on nation state activity or nation
state actually on commercial industry or individuals, frankly. And there seem to be
more indictments and more or more rhetoric and calling people out. The interesting part about
a story like this is, you know,
these are extradited and arrested individuals who are at least those caught here
paying the price for the activity.
You don't always get that in a lot of the others.
There might be other geopolitical reasons
to call out a group,
but it won't realistically end in closure,
I think, for people.
So overall, I think it was exciting,
interesting and close to home, certainly, for around three years of this work that we've put in and keeping up,
and getting to know the full identity behind the people we've gotten to know on network.
We kind of know them on keyboard. We know what they do. And it's just fascinating to
get that law enforcement visibility into everything about them.
Our thanks to Nick Carr and Barry Vengerick from FireEye for joining us.
Their research is titled On the Hunt for FIN7, Pursuing an Enigmatic and Evasive Global Criminal Operation.
That's research they did along with Kimberly Goody and Steve Miller.
You can find it on the FireEye website. We'll also have a link in the show notes.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, and I'm Dave Bittner.
Thanks for listening.