Warnings on Fin5 Hacking Group


Wednesday October 14,2015 : CYBER SUMMIT WARNED ON NEW HACKING GROUP
 
Beware Fin5!
 
Delegates at the recent Cyber Defence Summit in Washington DC have been warned about a new hacker group titled Fin5, which researchers reported was responsible for a hack on an unnamed land casino that resulted in the loss of 150,000 gambler credit card details.
 
Researchers Emmanuel Jean-Georges of Mandiant and Barry Vengerik of FireEye said that the casino's inadequately flat IT structure made the hacker group's invasion and theft easier, commenting that the casino lacked even basic firewalls around its payment platforms and did not have logging.
 
"It was a very flat network, single domain, with very limited access controls for access to payment systems," Jean-Georges said. "Had this casino hotel operator had even minimal or basic protections in place like a firewall with default deny systems to limit access to PCI systems … it would have slowed down the attackers and hopefully set off red flags."
 
Fin5 has been linked to over a dozen hacks, with possibly more that have not been reported. Its targets have included at least two payment systems providers and their customers, including the casino used as an example this week at the summit.
 
The incident should serve as a warning to businesses to secure any access that third party organisations have to corporate networks, the researchers observed, noting that Fin5 uses stolen credentials which ensures no flags are tripped on initial penetration. From there, attackers target Active Directory in a bid to unlock more credentials and gain lateral movement.
 
Jean-Georges revealed that the hackers use a rare backdoor codenamed Tornhull and a VPN dubbed Flipside to maintain persistence.
 
He reported that Flipside was overlooked by a rival incident response company after an earlier assault, and Fin5 were sufficiently bold and brazen to return for further thefts after noticing the VPN's survival.
 
The hackers also deploy a custom tool codenamed "Driftwood" which parses designated locations for credit card data dumps created by tools FiendCry and XOR, and encodes it for later collection, Vengerik reported.