While it is unclear how the cybercriminal group Fin6, known for stealing and monetizing payment card data, compromises victims, a new report from FireEye Threat Intelligence said that one case investigated by Mandiant indicated that a victim computer “was originally compromised with GRABNEW malware by a separate threat actor.”
That actor used the malware to capture legitimate user credentials that were likely obtained by Fin6 to use in its operations. “It's interesting how they established a foothold,” FireEye Principal Threat Intelligence Analyst Nart Villeneuve told SCMagazine.com. “In 70 percent of the cases we respond to, the activity can be traced back to stolen, legitimate credentials.” The use of GRABNEW, which researchers said was not a complete surprise, could indicated “a cyber crime support ecosystem that opens doors to threat actors capable of lateral movement and more damaging activities.”
An earlier group, FIN2, used Citadel compromises to distribute custom tools and gain greater access within a network to infiltrate payment card systems.
In “identifying the whole activity [of FIN6] from end to end,” FireEye was able to call out the “risks posed by different steps,” FireEye Director of ThreatScape Cyber Crime John Miller told SCMagazine.com.
Once FIN6 gains access using valid credentials then establishing preferred backdoors, the group escalates privileges and harvests credentials using Windows Credentials Editor and other public utilities. After the groundwork is laid, “FIN6 began lateral movement using credentials stolen from various systems on which they gathered usernames and password hashes,” the report said.
When the POS systems are located, the group deploys malware that FireEye refers to as Trinity (a.k.a., FrameworkPOS), which Miller said is “spread indiscriminately,” and which is used to find and steal payment card information. That data is then exfiltrated to external CnC servers under FIN6's control.
The report used intelligence from iSIGHT Partners to see how the stolen card data was sold in an underground card shop well-known and frequented by cybercriminals. The information has yielded FIN6 quite a financial haul – in one breach the card shop advertised almost 20 million cards, mostly from the U.S., and selling on average at $21 each, which would total around $400 million.
Miller noted that the activity of FIN6 and others like it is “symptomatic of criminals trying to exploit vulnerable U.S. payment systems while they can,” as merchants take steps to bolster security.