FIN6 Group

A FireEye/iSIGHT investigation has reported on FIN6 [1], a hacker group conducting major attacks on point of sale (POS) systems. FIN6 has been active since 2015, and has targeted the hospitality and retail sectors to steal millions of payment card details. The group makes its money by selling this information on to other actors via underground 'card shops'.

It's not quite clear how FIN6 gains initial access to systems. A Mandiant investigation discovered that the group used legitimate credentials on several occasions before moving laterally to reach their intended target. Vawtrak [2] credential-stealing malware (likely dropped by a phishing email) was found on one compromised machine, but there is no indication that it was used by FIN6. The group may simply have bought credentials that had previously been stolen by another actor.

FIN6 uses several publicly available tools to extract database and password information, as well as FrameworkPOS [3] (aka. TRINITY) to detect and steal payment card details. FireEye believes that the sale of these details is highly profitable for FIN6, not least because of the sheer volume of stolen numbers: one FIN6-linked dump contained 20 million cards.

More information is available here [4].

SpyEye and COMELEC arrests

Two hackers responsible for selling the SpyEye [5] botnet kit have been sentenced in Georgia, Krebs reports [6]. Alexandr Andreevich Panin and Hamza Bendelladj were given 9.5 and 15 years respectively, having helped to infect hundreds of thousands of computers with malware in order to steal millions of dollars.

SpyEye is a leading competitor to the Zeus [7] crimeware tool, and has the same functionality and capabilities, with the added 'bonus' of removing Zeus from systems it infects. This is likely due to the fact that Panin received the source code to Zeus from Evgeniy Bogachev, the malware's original creator, in 2010.

In other news, authorities in Manila claim to have arrested at least one of the hackers behind the COMELEC [8] data breach that took place late last month. On March 27th, the Commission on Elections website was defaced and its database stolen in two separate attacks related to Anonymous Philippines [9].

New Rowhammer tricks

Researchers have discovered [10] a new method of employing the exploit/attack technique known as Rowhammer [11], aka. 'bitflipping'. Rowhammer exploits a physical weakness in dynamic random-access memory (DRAM). By quickly and repeatedly accessing specific rows of memory many times per second, it's possible to change bit values in adjacent rows, turning zeros into ones and vice versa. In theory, this technique can enable anything from privilege escalation to sandbox escape, for both users and applications.

Rowhammer is relatively difficult to exploit because it works on only a limited number of platforms, and mitigation methods do exist to prevent its use. Yet an attack that exploits physical hardware in this fashion is novel and suggests what the future may hold from a defender's perspective.

The Silobreaker Team
[1] https://my.silobreaker.com/View360.aspx?Item=11_998849172&q=organization%3a%22FIN6%22&rd=true
[2] https://my.silobreaker.com/View360.aspx?Item=11_623759270&q=keyphrase%3a%22Vawtrak%22&rd=true
[3] https://my.silobreaker.com/View360.aspx?Item=11_775054494&q=keyphrase%3a%22FrameworkPOS%22&rd=true
[4] https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf#FIN%206.indd%3A.11641%3A10
[5] https://my.silobreaker.com/View360.aspx?Item=11_153131376&q=keyphrase%3a%22SpyEye+Trojan%22&rd=true
[6] http://krebsonsecurity.com/2016/04/spyeye-makers-get-24-years-in-prison/
[7] https://my.silobreaker.com/View360.aspx?Item=11_113915666&q=keyphrase%3a%22ZeuS+Botnet%22&rd=true
[8] https://my.silobreaker.com/View360.aspx?Item=11_370914925&q=organization%3a%22Commission+On+Elections%22&rd=true
[9] https://my.silobreaker.com/View360.aspx?Item=11_416471972&q=organization%3a%22Anonymous+Philippines%22&rd=true
[10] http://seclab.cs.sunysb.edu/seclab/pubs/host16.pdf
[11] https://my.silobreaker.com/View360.aspx?Item=11_835448296&q=keyphrase%3a%22Rowhammering%22&rd=true