FIN6 returns to attack retailer point of sale systems in US, Europe

guest · Sep 5, 2018

FIN6 returns to attack retailer point of sale systems in US, Europe
The secretive cyberattackers are known for stealing credit card data to sell on the Dark Web.
September 5, 2018
https://www.zdnet.com/article/fin6-returns-to-attack-retailers-in-us-europe/

A new malware campaign has been detected which is targeting point-of-sale (PoS) systems across the United States and Europe.

On Wednesday, researchers from IBM X-Force ISIS said the attacks have been attributed to the FIN6 cybercriminal group.

This is only the second time that a campaign has been documented which appears to be the handiwork of FIN6.
FIN6's tools are generally simple and available online, but the threat group's sophistication lies not in its toolkit, but rather, its ability to bypass security systems through stealth.

"While some of these tactics, techniques, and procedures (TTPs) may be side-effects of tools FIN6 actors were using, or specific to the environment in which the actors were operating, we believe many represent new TTPs that could become characteristic of evolved FIN6 standard operating procedures," the researchers say.
Click to expand...

guest · Feb 27, 2019

Fin6 using FrameworkPOS scraping malware in POS attacks
February 27, 2019
https://www.scmagazine.com/home/retail/fin6-using-frameworkpos-scraping-malware-in-pos-attacks/

The threat group Fin6 has been connected to a string of point-of-sale attacks against VMWare Horizon thin clients.
The security firm Morphisec Labs reported the attacks have been taking place for eight to 10 weeks with a particular spike on Feb. 6 that saw numerous attempted downloads of the Cobalt Strike backdoor.

“Based on the initial indicators, we identified FrameworkPOS scraping malware installed on some of the thin clients, after initializing PowerShell/WMI stages that downloaded and reflectively loaded Cobalt-Strike beacon with PowerShell extension directly into the memory,” the report said.

Cobalt Strike is a particularly dangerous payload as it can give attackers full control over the targeted computer along with the ability to move laterally within the host system.
Morphisec researchers are still not entirely sure of the infiltration method being used [...]
Click to expand...

guest · May 2, 2019

FrameworkPOS and the adequate persistent threat
May 1, 2019
https://redcanary.com/blog/frameworkpos-and-the-adequate-persistent-threat/

In this threat detection post, we’ll look at FrameworkPOS, a point-of-sale malware family that has been tied to an organized APT group in the past. In doing so, we’ll show that an adversary doesn’t need advanced techniques to execute and persist; they simply need to be good enough.

[...] establish persistence using two methods
• a Windows Registry autorun key • a Scheduled Task
Neither of these methods are particularly sophisticated; the adversary used a well-known autorun key when they could’ve used far more obscure ones. The task is also relatively simple: it’s just trying to blend in under the guise of a Windows Help tool.

[...] Some quick Google searches unearthed this research from Morphisec, suggesting that we apparently found FrameworkPOS malware!
Looking into Morphisec’s research, there is a possibility that this campaign could be tied to cybercriminal group known commonly as FIN6.
Click to expand...

guest · Aug 29, 2019

FIN6 Switches Up PoS Tactics to Target E-Commerce
The group is using the More_eggs JScript backdoor to anchor its attack
August 29, 2019
https://threatpost.com/fin6-target-ecommerce/147847/

The financial cybergang known as the FIN6 group, known for going after brick-and-mortar point-of-sale (PoS) data in the U.S. and Europe, has changed up its tactics to target e-commerce sites.

According to researchers at IBM X-Force Incident Response and Intelligence Services (IRIS), FIN6 (a.k.a. ITG08) has been spotted injecting malicious card-skimming code into online checkout pages of compromised websites. The code steals payment-card data as it’s entered into shopping-cart forms.
The backdoor code is the More_eggs JScript backdoor malware (a.k.a. Terra Loader or SpicyOmelette), according to IRIS. It’s sold on the Dark Web as a malware-as-a-service (MaaS) offering.

“We believe ITG08 is actively attacking multinational organizations, targeting specific employees with spearphishing emails advertising fake job advertisements,” according to a Thursday writeup by IRIS.
“Lastly, the attackers used Comodo code-signing certificates several times during the course of the campaign,” according to IRIS – another tactic known to be used by the group.

“[This group] has been around for over four years now. Its attacks are financially motivated, sophisticated and persistent,” the firm said.
Click to expand...

IBM X-Force: More_eggs, Anyone? Threat Actor ITG08 Strikes Again

Log in or Sign up

FIN6 returns to attack retailer point of sale systems in US, Europe

guest Guest

guest Guest

guest Guest

guest Guest

Log in or Sign up

FIN6 returns to attack retailer point of sale systems in US, Europe

guest Guest

guest Guest

guest Guest

guest Guest

Useful Searches