September 4th, 2018

The FIN7 Attacks: What They Tell Us About the Latest Hacking Techniques

At the start of the month, the Justice Department brought charges against three key members of FIN7, one of the most sophisticated cyber-criminal rings ever seen. The arrests came as a result of cooperation between government agencies such as the FBI, the credit card companies Visa and Mastercard, and threat analysts from FireEye. While the charges probably won’t put a stop to such a well-resourced group, the investigation has given us insight into some of the latest techniques being used by hackers.

Who Are FIN7?

According to Wired, FIN7 are responsible for attacks on more than 3,600 business locations, stealing over 15 million credit card numbers, and that’s just from their US activities. Some of the affected businesses include Arby’s, Chipotle and Chili’s, although FireEye reports that they have targeted a range of sectors in both the US and Europe, from government and finance to gaming and travel. The hacking group’s attacks are so lucrative that the CTO of Gemini Advisory, Dmitry Chorine, estimated them to be making $50 million each month, with a total of over $1 billion in the years that they have been active.

The three suspects are all Ukrainian nationals, and the hacking group is tied to a front company named Combi Security, whose website claimed to have offices in Haifa, Odessa and Moscow. The Justice Department’s press release states that Combi Security masqueraded as a security provider offering penetration testing and other services. It acted as a front in order to seek out skilled hackers who would participate in its attacks. It is not yet clear whether these employees were aware that they were penetrating the target systems without the companies’ permission.

What’s So Alarming About These Attacks?

FIN7 certainly isn’t the first hacking group that authorities have cracked down on, but the surrounding investigation has revealed a number of details that show just how sophisticated a well-organized hacking group can be.

Brian Barrett of Wired has described the group’s skills as “…of a caliber usually reserved for nation-state groups.” In an analysis of one of the group’s past attacks, a Morphisec report stated that “FIN7 constantly upgrades their attacks and evasion techniques, thus becoming even more dangerous and unpredictable. The analysis of this attack shows how easy it is for them to bypass static, dynamic and behavior-based solutions. These attacks pose a severe risk to enterprises.”

As one of the most sophisticated cyber-criminal groups we have seen, their techniques also give insight into what we can expect to see more of in the future:

FIN7’s Obfuscation Techniques

FireEye has identified some of FIN7’s obfuscation methods, which operate at both the cmd.exe and JavaScript levels. They involve hiding LNK (Windows shortcut) files inside RTF and DOCX documents that are attached to phishing emails. When these techniques were first discovered, no antivirus engines were detecting the shortcut files.
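Because the shortcut files went undetected, a defender’s first check is simply whether an inbound document carries an embedded LNK at all. The scanner below is an added example, not FireEye’s or LuxSci’s code: it looks for the Shell Link header inside a DOCX (a zip container) or inside the hex-encoded `\objdata` groups of an RTF, and builds its own constructed sample documents so it runs offline.

```python
import io
import re
import zipfile

# Shell Link (.LNK) header: HeaderSize 0x4C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} as it appears on disk.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")

def _rtf_object_blobs(rtf):
    """Yield the decoded bytes of every \\objdata group: RTF stores embedded
    objects as hex text, so the bytes must be decoded before matching."""
    for match in re.finditer(r"\\objdata\s*([0-9A-Fa-f\s]+)", rtf.decode("latin-1")):
        hexdata = re.sub(r"\s+", "", match.group(1))
        yield bytes.fromhex(hexdata[: len(hexdata) & ~1])  # ignore a trailing odd nibble

def find_embedded_lnk(data):
    """Return where an LNK header was found: zip member names for a DOCX,
    'rtf:objdata#N' for an RTF. An empty list means none was seen."""
    if data.startswith(b"PK"):  # DOCX is a zip container
        with zipfile.ZipFile(io.BytesIO(data)) as docx:
            # Embedded OLE packages normally live under word/embeddings/, but the
            # whole archive is scanned. Caveat: a compound-file sector boundary can
            # split the header, so a real CFB parser is more thorough than this search.
            return [n for n in docx.namelist() if LNK_MAGIC in docx.read(n)]
    if data.lstrip().startswith(b"{\\rtf"):
        return [f"rtf:objdata#{i}" for i, blob in enumerate(_rtf_object_blobs(data))
                if LNK_MAGIC in blob]
    return []  # not a format this scanner understands

def build_samples():
    """Constructed inputs: a clean DOCX, a DOCX with a fake LNK in an embedded
    object, and an RTF carrying the same object hex-encoded."""
    fake_lnk = LNK_MAGIC + b"\x00" * 40  # header only, no real link target

    def docx_with(members):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr("word/document.xml", "<w:document/>")
            for name, body in members.items():
                z.writestr(name, body)
        return buf.getvalue()

    bad_docx = docx_with({"word/embeddings/oleObject1.bin": b"\x00" * 16 + fake_lnk})
    bad_rtf = b"{\\rtf1{\\object\\objemb{\\*\\objdata " + fake_lnk.hex().encode() + b"}}}"
    return docx_with({}), bad_docx, bad_rtf
```

A hit is a reason to quarantine the attachment for analysis rather than a verdict on its own, since legitimate documents can also embed shortcuts.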

The Carbanak Malware

According to the FBI, FIN7 have been using and adapting the Carbanak malware, which was previously used in a spate of attacks against the banking industry. It lets threat actors spy on their victims, with capabilities that include taking screenshots of desktop activity and recording video, and in this way steal network information and credentials from their targets. FIN7 would use Carbanak to gain access to their targets’ systems, then search for valuable information, such as credit card data, which they would extract and sell.

New Targets

One of the more interesting revelations is that FIN7 have been specifically targeting personnel involved in Securities and Exchange Commission (SEC) filings at a range of organizations. Information from FireEye suggests several possible motivations for targeting these individuals, although none has been confirmed. One theory is that FIN7 are trying to compromise those involved in SEC filings because of the information they have access to, with the long-term hope of using it to commit securities fraud.

Complex Social Engineering Methods

FIN7’s social engineering techniques focus on creating scenarios that seem more authentic than most other phishing attacks. According to Christopher Glyer from FireEye, they will often begin the attack by contacting a company through their website’s contact form, in order not to raise suspicions. After a brief exchange about a complaint or some other seemingly legitimate business, they will then tell the target to refer to the attached document for further details.

In order to increase the odds of the target opening the malware-riddled attachment, someone from FIN7 will often call and discuss the contents of the email with the victim before or after it is sent. This makes the victim much less likely to expect any foul play and can lead them into opening attachments that they wouldn’t have otherwise.

How Can You Keep Safe From These Cutting-Edge Attacks?

The threat landscape is constantly evolving and you need to make sure that your defenses are keeping up with these changes. FIN7 use an ever-adapting range of techniques in their attacks, but their point of entry is generally through phishing. This makes phishing defenses a crucial element of cybersecurity plans.

Effective email filtering is one key component for defense against phishing attacks. LuxSci’s HIPAA-compliant email filtering is one of the trusted services that can help your organization cross-reference emails against blacklists and search for other indicators of spam. While email filters aren’t foolproof, they do help users avoid the vast majority of phishing scams that try to find their way into their inboxes.

Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) are important tools that help to ensure that incoming emails are legitimate. SPF lists which servers are allowed to send mail for a specific domain, which helps a receiver determine whether a sender’s email address is an authorized representative of that domain. DKIM uses a public/private key signing process to verify that an email’s contents haven’t been tampered with after leaving the initial mail server. DMARC ties the two together: it lets a domain owner publish a policy for what receivers should do with mail that fails SPF or DKIM checks, and report back on spoofing attempts.
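Publishing the records is not enough; weak settings (an SPF record ending in `?all`, no DKIM key, a DMARC policy of `p=none`) leave a domain spoofable. The auditor below is an added example, not LuxSci’s code, and works on constructed TXT records for the hypothetical domain example.com: it flags the weak settings and passes the hardened set.

```python
# Constructed records for the hypothetical domain example.com. In practice they come
# from DNS TXT lookups of example.com, <selector>._domainkey.example.com, _dmarc.example.com.
WEAK = {"spf": "v=spf1 include:_spf.example.net ?all",
        "dkim": None,  # nothing published under _domainkey
        "dmarc": "v=DMARC1; p=none"}
HARDENED = {"spf": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
            "dkim": "v=DKIM1; k=rsa; p=MIIBIjANBgkq...",  # public key elided
            "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"}

def _tags(record):
    """Parse the 'k=v; k=v' syntax shared by DKIM and DMARC records."""
    pairs = (item.split("=", 1) for item in record.split(";") if "=" in item)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_spf(record):
    if not record or not record.lower().startswith("v=spf1"):
        return ["SPF: no record, receivers cannot tell which servers may send for the domain"]
    tail = record.split()[-1].lower()  # the trailing 'all' term governs unlisted senders
    if tail in ("all", "+all", "?all"):
        return ["SPF: '%s' lets any server send as this domain" % tail]
    if tail == "~all":
        return ["SPF: softfail only; needs a DMARC reject policy to have teeth"]
    if tail != "-all":
        return ["SPF: no 'all' term, unlisted senders are neither passed nor failed"]
    return []

def audit_dkim(record):
    if not record:
        return ["DKIM: no key published, message signatures cannot be verified"]
    if not _tags(record).get("p"):
        return ["DKIM: empty p= tag means the key is revoked"]
    return []

def audit_dmarc(record):
    if not record or not record.upper().startswith("V=DMARC1"):
        return ["DMARC: no policy, SPF/DKIM failures are never acted on"]
    tags, findings = _tags(record), []
    if tags.get("p", "none").lower() == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif tags["p"].lower() == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once reports look clean")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, aggregate reports are lost")
    return findings

def audit_domain(records):
    """records maps 'spf', 'dkim' and 'dmarc' to the TXT record text, or None."""
    return (audit_spf(records.get("spf")) + audit_dkim(records.get("dkim"))
            + audit_dmarc(records.get("dmarc")))
```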

If businesses want to reduce the chances of being infiltrated by sophisticated attackers like FIN7, they need to make sure that their employee email accounts are equipped with each of these tools to help prevent threat actors from gaining a foothold through phishing.

Organizations also need to make sure that they have clearly enforced policies when it comes to responding to unsolicited emails. These should involve some kind of verification through another channel, such as over the phone or through collaboration apps such as Slack.

Ensuring that employees are following your company’s cybersecurity policies is just as important as having the policy in the first place. This is why training and awareness are such crucial aspects, especially when it comes to phishing. Regular testing and education are important parts of implementing and retaining a company culture that takes its security seriously. When it comes to defending your business against complex attacks like we are seeing from FIN7, a little paranoia is always a good thing.
