Fin5 Hacker Group Stole 150,000 Credit Cards from Unnamed Casino

Written by Cliff Spiller
Last updated on December 15th, 2021
Mandiant and FireEye, two American computer security firms, have located a new hacker group called Fin5. The group invaded the security of one online casino and stole at least 150,000 credit cards from the unnamed casino. More astounding, Fin5 is thought to have had access to the casino's database for a year. FireEye is a California-based network security company which has investigated attacks on JP Morgan Chase, Sony Pictures, Target, and Anthem. Mandiant is a Virginia-based firm which investigated the Chinese cyber-attack on U.S. government databases. Representatives from Mandiant and FireEye spoke recently at the "Cyber Defence Summit" about an emerging threat to casino databases in both North America and Europe. This group is confirmed to have attacked a dozen casinos and is suspected of having hacked at least 6 more.

About the Fin5 Crew

The Fin5 crew came to light in an interview with researchers for both companies, Emmanuel Jean-Georges and Barry Vengerik. Mr. Jean-Georges told Hacked that the group had "a very flat network, single domain, with very limited access controls for access to payment systems." What might be most remarkable about the incident is that it was likely preventable. According to the security experts, Fin5 would have had a much harder time hitting the system, had the casino invested a bit more cash in a basic firewall.

Needed a Firewall with Deny Systems

The experts told Hacked, "Had this casino hotel operator had even minimal or basic protections in place like a firewall with default deny systems to limit access to PCI (payment systems) it would have slowed down the attackers and hopefully set off red flags." Emmanuel Jean-Georges recently spoke with The Register, a newspaper in the UK. Jean-Georges said his group has investigated at least a dozen attacks by Fin5 over the past year. What's more, he believes at least 6 more attacks are unaccounted for.
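The "default deny" point the researchers make is easy to see in code. The following is an added example, not part of the article and not from Mandiant or FireEye: a small first-match packet-filter simulator that evaluates the same flow against a flat, default-allow network and against a segmented payment zone that denies everything not explicitly permitted. All zone names, addresses and ports are constructed.

```python
"""Default-allow (flat network) vs default-deny segmentation of a payment zone.

Added example; the network layout below is constructed for illustration and is
not the casino's real topology.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    src: str               # source CIDR the rule matches
    dst: str               # destination CIDR the rule matches
    dport: Optional[int]   # destination port, None matches any port
    action: str            # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dport: int


def evaluate(flow: Flow, rules: List[Rule], default: str) -> str:
    """First matching rule wins; anything unmatched gets the default policy."""
    src = ip_address(flow.src_ip)
    dst = ip_address(flow.dst_ip)
    for rule in rules:
        if (src in ip_network(rule.src) and dst in ip_network(rule.dst)
                and (rule.dport is None or rule.dport == flow.dport)):
            return rule.action
    return default


# Constructed zones
CORP = "10.10.0.0/16"     # front-desk and back-office workstations
PCI = "10.99.0.0/24"      # payment processing servers
JUMP = "10.10.5.10/32"    # hardened administrative host
POS = "10.10.50.0/24"     # point-of-sale terminals

# Weak setting: flat network, open default, only one legacy range blocked.
WEAK_RULES = [Rule("10.10.200.0/24", PCI, None, "deny")]
WEAK_DEFAULT = "allow"

# Hardened setting: nothing reaches the payment zone unless listed here.
HARDENED_RULES = [
    Rule(JUMP, PCI, 3389, "allow"),   # admin RDP from the jump host only
    Rule(POS, PCI, 443, "allow"),     # terminals talk to the payment API
    Rule(CORP, PCI, None, "deny"),    # explicit deny so the hit can be logged
]
HARDENED_DEFAULT = "deny"


def compare(flow: Flow) -> dict:
    """Return the verdict of both policies for one flow."""
    return {
        "weak": evaluate(flow, WEAK_RULES, WEAK_DEFAULT),
        "hardened": evaluate(flow, HARDENED_RULES, HARDENED_DEFAULT),
    }


if __name__ == "__main__":
    # A compromised back-office workstation trying SMB into the payment zone.
    print(compare(Flow("10.10.33.7", "10.99.0.20", 445)))
```

Under the flat policy the workstation reaches the payment server unchallenged; under the segmented policy the same flow is denied, and because the deny is an explicit rule rather than a silent default, the hit is exactly the kind of "red flag" the quote above is asking for.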

"Professional Grade" Hacking Group

Mr. Vengerik describes the group as "professional grade", because it creates its own hacking code. This code helps the group gain access to a computer system, if they pair it with stolen credentials. Because they use these credentials, Fin5 is able to unlock more credentials by probing the Active Directory. Barry Vengerik, who serves as FireEye's principal threat analyst, said "One of the most unique things about FIN5 is that in every intrusion we responded to where FIN5 has been active, legitimate access was identified. They had valid user credentials to remotely log into the network. No sexy zero-days, no remote exploits, not even spearphishing. They had credentials from somewhere."
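Valid credentials defeat signature-based controls, so the defensive question becomes whether a legitimate login behaves legitimately afterwards. The script below is an added example, not part of the article and not a FireEye tool: it runs three behavioural checks over a handful of constructed VPN and domain-controller events (a login from a source never seen for that account, a service account used for remote login, and a burst of directory queries or host logons shortly after the login). The log format, account names and thresholds are all assumptions made for the example.

```python
"""Flag 'legitimate access' that behaves like an intrusion.

Added example. The event format below is constructed; in practice the same
fields come from VPN concentrator logs and domain-controller audit logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed events: "<iso timestamp> <account> <kind> <detail>"
# kinds: vpn_login <source ip> | ldap_query <search base> | logon <host>
LOG = """\
2021-12-01T02:10:00 svc_backup vpn_login 203.0.113.45
2021-12-01T02:11:30 svc_backup ldap_query CN=Users
2021-12-01T02:11:31 svc_backup ldap_query CN=Domain Admins
2021-12-01T02:11:32 svc_backup ldap_query CN=Computers
2021-12-01T02:15:00 svc_backup logon POS-TERM-01
2021-12-01T02:15:20 svc_backup logon POS-TERM-02
2021-12-01T02:15:40 svc_backup logon PAY-DB-01
2021-12-01T09:05:00 jdoe vpn_login 198.51.100.9
2021-12-01T09:06:00 jdoe logon FILESRV-01
"""

# Constructed baseline: source addresses each account has used before.
BASELINE_IPS: Dict[str, Set[str]] = {"jdoe": {"198.51.100.9"}, "svc_backup": set()}

WINDOW = timedelta(minutes=30)   # how long after a login we look for follow-on activity
ENUM_THRESHOLD = 3               # distinct queries/hosts that count as enumeration

Event = Tuple[datetime, str, str, str]


def parse(log_text: str) -> List[Event]:
    """Split each line into (timestamp, account, kind, detail); detail may contain spaces."""
    events = []
    for line in log_text.splitlines():
        ts, user, kind, detail = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), user, kind, detail))
    return events


def analyse(events: List[Event], baseline: Dict[str, Set[str]],
            service_prefix: str = "svc_") -> Dict[str, List[str]]:
    """Return {account: [reasons]} for accounts whose remote logins look suspicious."""
    by_user: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)

    findings: Dict[str, List[str]] = {}
    for user, evs in by_user.items():
        evs.sort()
        reasons: List[str] = []
        for i, (ts, _, kind, detail) in enumerate(evs):
            if kind != "vpn_login":
                continue
            # An empty baseline means any source is new, which is itself worth a look.
            if detail not in baseline.get(user, set()):
                reasons.append(f"vpn login from source not in baseline: {detail}")
            if user.startswith(service_prefix):
                reasons.append("service account used for interactive remote login")
            # What did the account do in the window right after logging in?
            ldap: Set[str] = set()
            hosts: Set[str] = set()
            for ts2, _, kind2, detail2 in evs[i + 1:]:
                if ts2 - ts > WINDOW:
                    break
                if kind2 == "ldap_query":
                    ldap.add(detail2)
                elif kind2 == "logon":
                    hosts.add(detail2)
            if len(ldap) >= ENUM_THRESHOLD:
                reasons.append(f"directory enumeration: {len(ldap)} distinct ldap queries after login")
            if len(hosts) >= ENUM_THRESHOLD:
                reasons.append(f"fan-out: logons to {len(hosts)} distinct hosts after login")
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for account, why in analyse(parse(LOG), BASELINE_IPS).items():
        print(account)
        for reason in why:
            print("  -", reason)
```

None of the three checks needs malware on disk or a known-bad indicator; they key on what the article describes, a valid account logging in remotely and then walking the directory. The ordinary user in the sample data produces no finding, which is the property a rule like this has to keep if anyone is going to act on its alerts.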

Tools of the Trade

The group uses a rare backdoor named "Tornhull" to gain greater access. In industry-speak, Fin5 uses a "VPN—Flipside", which gives their attack persistence. In some cases, the invasive malware remained for months. The hacking group also uses GET2 Penetrator. The GET2 Penetrator is a brute force scanning tool. It searches for remote login information and hard-coded credentials. The group also uses EssentialNet, a free tool which scans the target network. Fin5 uses the RawPOS malware, which has several useful components from their point of view. This includes Duebrew, which maintained persistence on the casino's Windows computers. RawPOS also contains Driftwood, which encodes stolen payment card information. Finally, it uses Fiendcry, a memory scraper. It's a potent assortment of malware, but nothing experts cannot penetrate.

No Casinos Named

The anti-malware specialists did not name names. Given the nature of their business, it is likely part of their contract that they do not give out names of their clients to the public. That is expected, but one hidden story in this is that the casino described above has not come forward with this information to the public. On this site, we've reported on a couple of occasions on scandals in which a casino waited months, or perhaps years, to discuss their player database being hacked. In those cases, players were not happy their credit card and banking information might have been at the mercy of hackers for months, yet they were never informed of that danger. Thus, this story sounds like one which might eventually take on something of that character.