While the media is resplendent with articles covering security breaches due to hacks, malware and ransomware, rarely does it cover the end-to-end cycle of a cybercrime, which is becoming more than just a quick drive-swipe of credit card information or personal identifying information (PII).
FireEye Threat Intelligence and iSIGHT Partners recently combined their research to shed light on the activities of one particular threat group known as FIN6, starting with the initial intrusion into a Point-of-Sale (PoS) system through to the sale of the stolen payment card data in an underground marketplace. FIN6 is a cybercriminal group intent on stealing payment card data for monetization. In 2015, FireEye Threat Intelligence supported several Mandiant Consulting investigations in the hospitality and retail sectors where FIN6 actors had aggressively targeted and compromised PoS systems.
FireEye’s recently released report describes FIN6’s tactics, techniques, and procedures, its activities, and offers a look into the criminal ecosystem that supports the payoff for their operations. Most coverage is limited to what malware is used to pull data from the PoS system, said Nart Villeneuve, principal threat intelligence analyst at FireEye, but there’s a bigger ecosystem that includes a relationship between the attack vector and the PoS malware. In more than 70 per cent of cases, the initial activity point can be traced to a stolen, legitimate credential. “Those credentials have to come from somewhere.”
Usually the malware that is leveraged to gain access to a PoS system has been around already and spread indiscriminately, often as an email with an attached Microsoft Word document with a nasty macro that executes the malicious code with information stealing capabilities, said Villeneuve. “There is an indiscriminate phase where attackers spread malware.” It gets a little murky, he said, but at a certain point the access to targets is transferred to a group such as FIN6. It’s unknown whether the group is initially responsible for the malware itself.
In Mandiant’s investigations, FIN6 already possessed valid credentials to each victim network and used those credentials to initiate further intrusion activity. In one case, said Villeneuve, GRABNEW malware was found on a victim computer that FIN6 later used in its operations. Speculation is the computer was originally compromised with GRABNEW by a separate threat actor, who used GRABNEW to capture valid user credentials. FIN6 may have obtained those credentials, either through purchase or trade, and used them for its operations.
Villeneuve said once FIN6 is able to get access by leveraging malware, even if they weren’t responsible for its spread, they are the group that comes in after the fact looking to escalate privileges and move laterally. This allows them to put malware on the PoS system and grab credit card data that ultimately ends up in what is called a “dump shop” where criminals can buy the cards.
Again, it’s not always clear who runs what, said Villeneuve. A group like FIN6 may not run the dump shop and may in fact work with several of them to monetize the card theft over time. Some cybercriminals who buy those cards might be selective, wanting cards from a particular region or financial institution.
Ajay Sood, FireEye Inc.’s general manager for Canada, said it’s also important to remember the persistent mindset of cybercriminals who use whatever malware is available as a tool to gain unlawful access. “Having intelligence about the hackers is just as important,” he said. “The technology is almost interchangeable.”
The malware that is used to start the process is almost irrelevant, said Sood. It’s the intent behind the tool that matters, not the tool itself, and it’s important to look at those who spread them as organizations, not just a hacker looking to cause enterprises inconvenience.
Malware is constantly being seeded out for groups like FIN6 to leverage, said Villeneuve, and it’s important to understand the relationship it has with organized cybercrime because those defending the networks often dismiss it because it’s so commonplace. Cybercriminals are patient, and are willing to wait to obtain enough card numbers and package up the data into chunks that go up for sale in the underground shops.
Sood said while malware is often responsible for unlawful access to enterprise networks and PoS systems, organizations still need to be mindful of controls around data moving out of their walls. “Data is being spit out the front as opposed to being yanked by a fishing rod.”