2nd Challenge - FIN7

Once you have familiarized yourself with the Vision One console and how it supports investigation and threat hunting, let's move on to the second challenge, which this time involves FIN7.

Constant monitoring of threat groups is one of the ways security researchers and law enforcement agencies are able to defend systems against cybercrime. Among these cybercriminals are the financially motivated threat groups Carbanak and FIN7. Although both names have at times been used to refer to the same group, organizations such as MITRE identify them as two separate entities that both wield the Carbanak backdoor in their attacks. The groups do not rely on the Carbanak backdoor alone; they also use other malware such as Pillowmint, a point-of-sale malware, and Tirion, which is said to be intended as a replacement for Carbanak. MITRE has identified a total of 65 techniques across 11 tactics related to these threat groups.

These groups are infamous for innovative tradecraft, with efficient surveillance and stealth at the forefront of their strategy. They often rely heavily on scripting, obfuscation, "hiding in plain sight", and fully exploiting the users behind the machine while pillaging an environment. They also leverage a unique spectrum of operational utilities, spanning both sophisticated malware and legitimate administrative tools capable of interacting with various platforms (Windows and Linux, including point-of-sale (POS) technologies). Among the victims of this campaign, one bank lost $7.3 million when its ATMs were programmed to spew cash at certain times for "henchmen" to collect, while another had $10 million taken via its online platform.

FIN7 Attack Routine

(Image: fin7.jpg, diagram of the FIN7 attack routine)