Security vendor FireEye has published a report entitled “Follow the Money” (registration required) in which it looks at how the FIN6 cyber crime group operates. FIN6 is reported to have been responsible for the theft of up to 20 million credit and payment cards which were being sold at an average price of $21 each. This would have netted the group around $400 million from a single attack.
The whole focus of FIN6 is stealing payment card data, and this report sets out to look at what they did, how they did it, and the tools, techniques and ecosystem that helped them succeed. There is, however, a wider security angle here. The way that FIN6 behaved once inside networks is useful information, as it shows how easy it was for them to move around. It also highlights how they used tools and exploits from other groups to help them.
Understanding the attack means better defences
For security teams this information is valuable. It means that they can begin to craft defences to monitor for similar activity in their own networks. For example, once FIN6 had infected the first machine they mapped internal networks, identified future target machines, stole credentials and then cracked passwords.
To move data in and out of the networks they used encrypted traffic, creating their own secure tunnels. These tunnels were later used to route traffic that allowed them to compromise other machines and control them remotely. The stolen data was stored in files hidden in directories, such as c:\windows, that many organisations do not scan regularly. Once they had located the target data and wanted to exfiltrate it they simply compressed it and sent it to a public file sharing service.
All of this provides opportunities for security teams to identify and intercept attacks. All network traffic should be monitored at the edge of the network. An unexpected SSH tunnel should raise a flag and be marked for investigation. It may belong to a valid application or, as in this case, be used by cyber criminals to penetrate systems and take control.
Public file sharing services also need to be monitored carefully. IT departments need to go down the route of becoming cloud brokers. Companies such as Skyhigh Networks publish a list of enterprise-grade cloud services where security and processes are strong. IT should be looking to move users away from services that can be classed as untrusted to those that are more secure. While this won’t stop data being exfiltrated, it will raise the bar for cyber criminals, who will need to work out which services IT allows and which it doesn’t.
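The two checks above, unexpected SSH sessions leaving the network and uploads to file-sharing services IT has not sanctioned, can be run over ordinary firewall and proxy logs. The script below is an added example, not code from the article or from FireEye's report: every log line, address and domain name in it is a constructed placeholder (RFC 5737 ranges and .test/.example names), the key=value log format is an assumed one rather than a specific vendor's, and the allowlists and upload threshold stand in for whatever the cloud-broker policy actually says.

```python
"""Egress-monitoring example: flag unexpected SSH sessions and uploads to
unsanctioned file-sharing services in constructed firewall/proxy log lines.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Assumed allowlist of hosts the organisation legitimately reaches over SSH
# (for example a hosting provider's bastion). Anything else on tcp/22 is a finding.
APPROVED_SSH_DESTINATIONS = {"203.0.113.5"}

# Assumed "cloud broker" allowlist: the file-sharing services IT has sanctioned.
APPROVED_SHARING_SERVICES = {"files.corp-approved.example"}

# Constructed list of public file-sharing domains (placeholders, not real services).
PUBLIC_SHARING_SERVICES = {"public-drop.test", "anon-upload.test"}

# Upload size above which a PUT/POST to any unsanctioned host is worth a look.
UPLOAD_THRESHOLD_BYTES = 5 * 1024 * 1024


@dataclass
class Finding:
    timestamp: str
    src: str
    reason: str
    detail: str


def parse_kv_line(line: str) -> dict:
    """Parse 'timestamp key=value key=value ...' into a dict; timestamp goes under 'ts'."""
    parts = line.split()
    record = {"ts": parts[0]}
    for token in parts[1:]:
        key, _, value = token.partition("=")
        record[key] = value
    return record


def inspect_record(rec: dict) -> List[Finding]:
    """Apply the SSH-allowlist and file-sharing rules to one parsed record."""
    findings: List[Finding] = []
    kind = rec.get("type")
    if kind == "flow" and rec.get("proto") == "tcp" and rec.get("dport") == "22":
        # Outbound SSH to a host nobody approved: possible attacker-built tunnel.
        if rec["dst"] not in APPROVED_SSH_DESTINATIONS:
            findings.append(Finding(
                rec["ts"], rec["src"], "unexpected-ssh",
                f"tcp/22 to {rec['dst']} not on SSH allowlist "
                f"({rec.get('bytes_out', '?')} bytes out)"))
    elif kind == "proxy":
        host = rec.get("host", "")
        bytes_out = int(rec.get("bytes_out", "0"))
        # Uploads to known public sharing sites, or large uploads anywhere that
        # is not a sanctioned service, are the exfiltration pattern to watch.
        if rec.get("method") in {"PUT", "POST"} and host not in APPROVED_SHARING_SERVICES:
            if host in PUBLIC_SHARING_SERVICES or bytes_out >= UPLOAD_THRESHOLD_BYTES:
                findings.append(Finding(
                    rec["ts"], rec["src"], "unsanctioned-upload",
                    f"{rec['method']} {bytes_out} bytes to {host}"))
    return findings


def scan_egress_logs(lines: Iterable[str]) -> List[Finding]:
    """Run every non-empty line through the parser and the rules."""
    findings: List[Finding] = []
    for line in lines:
        line = line.strip()
        if line:
            findings.extend(inspect_record(parse_kv_line(line)))
    return findings


# Constructed sample: one approved SSH session, one unexpected tunnel carrying a
# lot of data, an upload to the sanctioned service, and one to a public drop site.
SAMPLE_LOG = """\
2016-04-20T10:15:02Z type=flow src=10.0.5.23 dst=203.0.113.5 dport=22 proto=tcp bytes_out=40211
2016-04-20T10:17:44Z type=flow src=10.0.5.23 dst=198.51.100.77 dport=22 proto=tcp bytes_out=88342110
2016-04-20T10:18:01Z type=flow src=10.0.5.23 dst=198.51.100.20 dport=443 proto=tcp bytes_out=12000
2016-04-20T11:02:10Z type=proxy src=10.0.5.23 host=files.corp-approved.example method=PUT bytes_out=9437184
2016-04-20T11:05:33Z type=proxy src=10.0.5.23 host=anon-upload.test method=POST bytes_out=734003200
2016-04-20T11:06:00Z type=proxy src=10.0.5.40 host=www.example.com method=GET bytes_out=512
"""

if __name__ == "__main__":
    for f in scan_egress_logs(SAMPLE_LOG.splitlines()):
        print(f"{f.timestamp} {f.src} {f.reason}: {f.detail}")
```

On the sample the script reports exactly two findings, the tcp/22 session to 198.51.100.77 and the POST to anon-upload.test; the SSH session to the approved bastion and the upload to the sanctioned service pass, which is the point of maintaining the allowlists rather than alerting on every tunnel.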
Better use of end-user security tools, and an improved response to their alerts, is needed. The ease with which the hackers were able to store data in file formats and directories that were rarely scanned is a problem. This is not a new issue; it goes back to older machines on which anti-virus scanning consumed so many resources that it impacted users. The result is that many directories are scanned irregularly and, worse, declared “safe”. This makes them great places to hide malware.
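A cheap compensating check for the rarely scanned directories described above is a periodic sweep that looks only for the staging pattern the report describes: recently written archive files sitting somewhere like c:\windows, where no user or application has a reason to put them. The script below is an added example, not code from the article or from FireEye's report; the watched directory list (beyond c:\windows, which the article names), the archive extensions, the age and size thresholds, and the sample file records are all assumed or constructed values.

```python
"""Staging-directory sweep example: find recent, non-trivial archive files in
directories that routine scanning tends to skip.
"""
import os
import time
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed policy values: which containers count as "archives", how recent a
# file must be to matter, and how small a file can be before it is noise.
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z", ".cab", ".gz"}
MAX_AGE_SECONDS = 7 * 24 * 3600
MIN_SIZE_BYTES = 1 * 1024 * 1024

# Directories where fresh archives have no business appearing. c:\windows is
# the one the report calls out; the other two are assumptions.
WATCHED_DIRECTORIES = ("c:\\windows", "c:\\programdata", "c:\\perflogs")


@dataclass
class FileRecord:
    path: str
    size: int
    mtime: float  # seconds since the epoch, as os.stat reports it


def is_watched_location(path: str) -> bool:
    """True if the path sits under one of the watched directories (case-insensitive)."""
    normalised = path.lower().replace("/", "\\")
    return any(normalised.startswith(d + "\\") for d in WATCHED_DIRECTORIES)


def classify_file(record: FileRecord, now: float) -> Optional[str]:
    """Return a finding string if the record matches the staging pattern, else None."""
    ext = os.path.splitext(record.path)[1].lower()
    if ext not in ARCHIVE_EXTENSIONS:
        return None
    if not is_watched_location(record.path):
        return None
    if record.size < MIN_SIZE_BYTES:
        return None
    if now - record.mtime > MAX_AGE_SECONDS:
        return None  # old archives (installer caches etc.) are not the pattern
    return (f"recent {ext} archive ({record.size} bytes) in a scan-excluded "
            f"location: {record.path}")


def find_staged_archives(records: Iterable[FileRecord], now: float) -> List[str]:
    """Apply classify_file to every record and keep the hits."""
    return [hit for hit in (classify_file(r, now) for r in records) if hit]


def scan_tree(root: str, now: Optional[float] = None) -> List[str]:
    """Walk a real directory tree and apply the same rule to every file in it."""
    now = time.time() if now is None else now
    records: List[FileRecord] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:
                continue  # unreadable entries are skipped rather than aborting the sweep
            records.append(FileRecord(full, st.st_size, st.st_mtime))
    return find_staged_archives(records, now)


# Constructed sample records, evaluated against a fixed "now" so the output is stable.
NOW = 1461110400.0  # 2016-04-20T00:00:00Z
MIB = 1024 * 1024
SAMPLE_RECORDS = [
    FileRecord(r"C:\Windows\Temp\q1.zip", 50 * MIB, NOW - 3600),              # the pattern
    FileRecord(r"C:\Windows\System32\drivers\etc\hosts", 824, NOW - 3600),      # not an archive
    FileRecord(r"C:\Windows\Logs\old.cab", 20 * MIB, NOW - 30 * 24 * 3600),    # too old
    FileRecord(r"C:\Users\jsmith\Downloads\photos.zip", 50 * MIB, NOW - 100),  # normal location
    FileRecord(r"C:\ProgramData\app\dump.7z", 500 * 1024, NOW - 100),          # too small
]

if __name__ == "__main__":
    for finding in find_staged_archives(SAMPLE_RECORDS, NOW):
        print(finding)
```

Only the 50 MiB zip under C:\Windows\Temp is reported; the point of the size and age filters is to keep the sweep quiet on the installer caches and driver packages that legitimately live there, so that a hit is worth a human looking at the file's contents and creation history.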
What tools did FIN6 use?
Apart from their own software, it appears that FIN6 was a model of the modern cyber security attacker. FireEye admits that it is still unclear how FIN6 gained access to so many systems, but it does appear that they used credentials stolen by malware created by other hackers, such as GRABNEW. It may be that they licensed GRABNEW as part of an earlier intelligence attack or, more likely, simply purchased a list of user credentials.
Once they had valid credentials FIN6 were observed using the Metasploit Framework to further compromise the target machines. Once this was done they used the HARDTACK and SHIPBREAD downloaders to create backdoor access to target machines and connect those machines to their own Command and Communication (CNC) servers.
In addition to using malware, FIN6 also used Windows utilities to do much of their work. This makes it more complicated for security teams to spot activity, but not impossible. For example, their use of Windows Credential Editor to give themselves elevated privileges relied on known exploits that could have been patched.
One of the key targets of the attack was SQL databases holding the target data. FIN6 dumped the SQL schemas for these databases and installed their own Query Express databases. They also used tools that gave them details of Active Directory, tools that IT security teams should be monitoring for, as there is no reason for end-users to be running them. There are other examples in the report that security teams should be taking note of and addressing.
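The observation that end-users have no reason to run directory-enumeration tools, together with the earlier mention of Windows Credential Editor, translates directly into a process-creation detection. The script below is an added example, not code from the article or from FireEye's report. It assumes a simplified process-creation event (a real deployment would read Windows security or Sysmon events), an assumed list of admin accounts that are allowed to run directory tooling, an assumed list of built-in utilities that reveal domain structure (net.exe, dsquery.exe and nltest.exe, which do exist in Windows), and the assumed binary name wce.exe for Windows Credential Editor; all hostnames, users and command lines are constructed.

```python
"""Process-creation triage example: flag Active Directory enumeration by
ordinary user accounts and any execution of a known credential-dumping tool.
"""
import ntpath
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed set of accounts that legitimately run directory tooling.
ADMIN_ACCOUNTS = {"CORP\\svc-adops", "CORP\\itadmin"}

# Built-in Windows utilities that expose domain structure, with the arguments
# that turn a local query into a domain-wide one (assumed detection list).
AD_ENUMERATION_TOOLS = {
    "net.exe": ("/domain",),     # e.g. net user /domain, net group ... /domain
    "net1.exe": ("/domain",),    # net.exe hands most work to net1.exe
    "dsquery.exe": (),           # any invocation is a directory query
    "nltest.exe": ("/dclist", "/domain_trusts"),
}

# Windows Credential Editor is named in the report; the binary name is assumed.
CREDENTIAL_TOOLS = {"wce.exe"}


@dataclass
class ProcessEvent:
    ts: str
    host: str
    user: str
    image: str     # full path of the executable
    cmdline: str


@dataclass
class Alert:
    ts: str
    host: str
    user: str
    reason: str
    cmdline: str


def classify(event: ProcessEvent) -> Optional[Alert]:
    """Return an Alert for one event, or None if it is unremarkable."""
    name = ntpath.basename(event.image).lower()   # works for backslash paths on any OS
    cmd = event.cmdline.lower()
    if name in CREDENTIAL_TOOLS:
        # No account has a legitimate reason to run a credential dumper.
        return Alert(event.ts, event.host, event.user, "credential-tool", event.cmdline)
    if name in AD_ENUMERATION_TOOLS and event.user not in ADMIN_ACCOUNTS:
        required_args = AD_ENUMERATION_TOOLS[name]
        if not required_args or any(arg in cmd for arg in required_args):
            return Alert(event.ts, event.host, event.user,
                         "ad-enumeration-by-end-user", event.cmdline)
    return None


def triage(events: Iterable[ProcessEvent]) -> List[Alert]:
    """Run classify over a stream of events and keep the alerts."""
    return [a for a in (classify(e) for e in events) if a is not None]


# Constructed sample: a workstation user enumerating domain admins, the same
# user mapping a drive (benign), a credential tool, an admin's routine dsquery,
# and another end-user listing domain controllers.
SAMPLE_EVENTS = [
    ProcessEvent("2016-04-20T09:01:10Z", "WS-FIN-017", "CORP\\jsmith",
                 r"C:\Windows\System32\net.exe", 'net group "Domain Admins" /domain'),
    ProcessEvent("2016-04-20T09:02:05Z", "WS-FIN-017", "CORP\\jsmith",
                 r"C:\Windows\System32\net.exe", "net use Z: \\\\fileserver\\share"),
    ProcessEvent("2016-04-20T09:04:40Z", "WS-FIN-017", "CORP\\jsmith",
                 r"C:\Windows\Temp\wce.exe", "wce.exe"),
    ProcessEvent("2016-04-20T09:10:00Z", "SRV-DC-01", "CORP\\svc-adops",
                 r"C:\Windows\System32\dsquery.exe", "dsquery user -inactive 4"),
    ProcessEvent("2016-04-20T09:12:30Z", "WS-HR-003", "CORP\\adoe",
                 r"C:\Windows\System32\nltest.exe", "nltest /dclist:corp"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"{alert.ts} {alert.host} {alert.user} {alert.reason}: {alert.cmdline}")
```

Three of the five sample events produce alerts; the drive mapping and the administrator's dsquery do not. The account allowlist is what keeps the rule from paging on the help desk, so it needs to be maintained as carefully as the rule itself, and an alert from a finance workstation should be treated as a lateral-movement lead rather than a policy violation.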
What is evident from this report is that FIN6 were willing to take advantage of other attacks and exploits to make their job easier. They utilised known gaps in security and were willing to drop public utilities on computers to gather intelligence from inside the network. They also exploited a lot of poor or at the very least questionable security practices such as not scanning all directories, ignoring certain file extensions and a failure to patch regularly.
The report provides much more information than we have covered here, including data on how FIN6 later monetised the cards and data that they had stolen. The most important thing, however, is that IT security teams and CISOs need to sit down and see what they can learn here. While the report lacks a section on next steps, just checking for some of the activities identified will help improve the security posture of many companies.