#ThreatThursday - FIN6 Phase 2
FIN6 is a cyber crime group that specializes in stealing payment card data and sells it in underground marketplaces. This group, also known as Skeleton Spider and ITG08, has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors since at least 2017. This post takes a deeper dive into the FIN6 Adversary Emulation plan released by MITRE Engenuity’s Center for Threat-Informed Defense and in particular what they call their Phase 2 plan which covers 3 different scenarios.
It’s exciting to see our friends at MITRE creating MITRE’s Adversary Emulation Library. We share in their goal to bring TTP-focused defense to the community, as we’ve been doing with the SCYTHE Threat Thursdays and our Community Threats GitHub. The ability to repeatedly and easily emulate a threat’s behaviors is critical to a strong cyber defense. To that point, SCYTHE makes our threat templates as simple and straightforward as possible so that Red, Blue, and Purple teams can work through these adversary emulations in their production environment to test, measure, and improve their people, process, and technology.
Cyber Threat Intelligence
The FIN6 intelligence summary from the document:
FIN6 is thought to be a financially motivated cybercrime group. As such, they appear to take a pragmatic approach toward targeting and exploitation. Their strategic objective over time and across a diverse target set remains the same, monetizing compromised environments. Early on, FIN6 used social engineering to gain unauthorized access to targets that process high-volume point-of-sale (PoS) transactions.
Adversary Emulation Plan
The FIN6 Emulation Plan provided by the Center is separated into “Phases”:
- Privilege Escalation
- Credential Access
- Execution - Point of Sale (POS)
- Persistence - Point of Sale (POS)
- Exfiltration - Point of Sale (POS)
- Execution - Ransomware
- Lateral Movement - Ransomware
- Execution - Ransomware (... again)
For this week’s Threat Thursday, we focused exclusively on the “Phase 2” steps of the FIN6 emulation plan. We explored the multiple scenarios in which FIN6 has been seen using the following techniques:
Command and Control
- T1071 - Application Layer Protocol
- T1105 - Ingress Tool Transfer
- T1219 - Remote Access Software
- T1573 - Encrypted Channel
- T1059 - Command and Scripting Interpreter
- T1059.001 - PowerShell
- T1059.003 - Windows Command Shell
- T1053.005 - Scheduled Task
- T1204.002 - Malicious File
- T1053.002 - Scheduled Task/Job
- T1547.001 - Registry Run Keys / Startup Folder
- T1562.004 - Disable or Modify System Firewall
- T1070.004 - File Deletion
- T1036 - Masquerading
- T1112 - Modify Registry
We explore 3 different scenarios for the second phase of FIN6. These different scenarios exist because FIN6 changes its objectives strategically depending on the target. On point of sale systems, it looks to exfiltrate data. On e-commerce sites, it looks to hijack payment portals. On other high value endpoints, it looks to profit through ransomware.
For the various scenarios, we also included various files to stay true to our emulation of FIN6 Phase 2. For Scenarios 2 and 3, there were a few additional files we added to improve our emulation. One of them is kill.bat, a batch file that FIN6 uses to disable security products.
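As an added defensive illustration (not part of the SCYTHE template or the Center’s plan), the Python below runs a handful of command-line detection rules over constructed Sysmon-style process-creation events, mapping hits to the Phase 2 techniques listed above (firewall disable, Run key persistence, scheduled task, service stop of the kind kill.bat performs, and file deletion). The log format, the rule patterns and the service name are assumptions, not FIN6 artifacts.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_LOGS = [
    'host=pos01 user=SYSTEM image=C:\\Windows\\System32\\netsh.exe cmdline="netsh advfirewall set allprofiles state off"',
    'host=pos01 user=SYSTEM image=C:\\Windows\\System32\\reg.exe cmdline="reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v upd /t REG_SZ /d C:\\Users\\Public\\upd.exe"',
    'host=pos01 user=SYSTEM image=C:\\Windows\\System32\\schtasks.exe cmdline="schtasks /create /sc minute /mo 5 /tn upd /tr C:\\Users\\Public\\upd.exe"',
    'host=pos01 user=SYSTEM image=C:\\Windows\\System32\\net.exe cmdline="net stop ExampleAVService"',
    'host=pos01 user=SYSTEM image=C:\\Windows\\System32\\cmd.exe cmdline="cmd /c del /f /q C:\\Users\\Public\\kill.bat"',
    'host=pos02 user=alice image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe C:\\Users\\alice\\notes.txt"',
]

# Command-line patterns for the Phase 2 techniques above; the service-stop rule maps to the
# parent T1562 because kill.bat's exact contents are not described here (assumption).
RULES: List[Tuple[str, str, "re.Pattern"]] = [
    ("T1562.004", "Disable or Modify System Firewall",
     re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)),
    ("T1547.001", "Registry Run Keys / Startup Folder",
     re.compile(r"reg\s+add\s+.*\\CurrentVersion\\Run\b", re.I)),
    ("T1053.005", "Scheduled Task",
     re.compile(r"schtasks(?:\.exe)?\s+/create\b", re.I)),
    ("T1562", "Impair Defenses (kill.bat-style service stop)",
     re.compile(r"\b(?:net\s+stop|sc\s+stop|taskkill)\b", re.I)),
    ("T1070.004", "File Deletion",
     re.compile(r"\bdel\s+(?:/\w\s+)*\S+", re.I)),
]

def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict; quoted values keep their spaces."""
    fields = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    return {key: value.strip('"') for key, value in fields}

def match_techniques(cmdline: str) -> List[str]:
    """Return the ATT&CK IDs whose pattern matches this command line."""
    return [tid for tid, _, pattern in RULES if pattern.search(cmdline)]

def triage(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """(host, cmdline, [technique ids]) for every event that hit at least one rule."""
    hits = []
    for line in lines:
        event = parse_event(line)
        ids = match_techniques(event.get("cmdline", ""))
        if ids:
            hits.append((event.get("host", "?"), event["cmdline"], ids))
    return hits

if __name__ == "__main__":
    for host, cmdline, ids in triage(SAMPLE_LOGS):
        print(f"{host}: {', '.join(ids)} <- {cmdline}")
```

Five of the six constructed events fire exactly one rule each; the benign notepad event on pos02 fires none.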
Thanks to the MITRE Adversary Emulation Library, we were able to quickly and easily port things over to SCYTHE. Moving towards threat templates that are machine readable, easily repeated, customizable, and that detail explicit threat actor behaviors is critical for the validation of defenses and defenders. FIN6 was a fantastic initial threat from the Center, as it set the foundation for their syntax while also being a solid general threat for the community to analyze. For all our threats, check out the SCYTHE Community Threats GitHub.
This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email firstname.lastname@example.org, or follow on Twitter @scythe_io.