
SoylentNews is people

posted by martyb on Monday May 29 2017, @08:38AM
from the hand-over-your-wallet-and-no-one-gets-e-coli dept.

Chris Bing from CyberScoop notes:

"A sophisticated hacking group with suspected ties to cybercrime gangs operating in Eastern Europe is now actively targeting and breaching prominent brand-name restaurants in the U.S. More than 20 U.S.-based hospitality companies — the sector that includes hotels and restaurants — have been successfully hacked by FIN7 since the summer of 2016..." https://www.cyberscoop.com/chipotle-hack-fin7-carbanak-baja-fresh-ruby-tuesday/ (Javascript required.)

FIN7 is also linked to the Carbanak APT https://en.wikipedia.org/wiki/Carbanak and was accused of a string of bank cyber-heists possibly totalling US $1 billion: https://threatpost.com/carbanak-ring-steals-1-billion-from-banks/111054/ https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/

This group has been described as "the first international cybermafia, a group of cybercriminals from Russia, Ukraine and other parts of Europe and China" and is suspected to have been involved with an SEC impersonation email campaign:

"In the phishing emails, FIN7 spoofed the sender email address as "EDGAR filings@sec.gov" in an email with an attachment reading disguised as a word doc entitled "Important_Changes_to_Form10_K.doc" " -http://www.readingeagle.com/business-weekly/article/scam-report-phishing-emails-target-executives-for-information.

Two other methods are also said to have been used in their attacks: fileless malware https://threatpost.com/hard-target-fileless-malware/125054/ and fake Windows compatibility patches http://www.pcworld.com/article/3194523/security/financial-cybercrime-group-abuses-windows-app-compatibility-feature.html.


  • (Score: 2) by kaszz on Monday May 29 2017, @04:51PM


    So the new modus operandi is to insert bad code into the process memory. This still leaves many exposure surfaces. They still have to phone-home and won't survive reboots unless bad code is written to disc where code is actually executed on reboot. Even if it's a simple batch file, which they seem to use.

    Now for process memory exploits. The obvious thing is that the bad code has to reside somewhere where it will be executed. So I make the assumption it will hide in the process memory of any (hijacked) process. It's time for scanners to open these memory areas and scan them. However it seems this exploit is only really possible if the security model is flawed.

    Btw, doesn't Microsoft Win10 use the execute no write flags?
