S4E05: The Wonderful World of Web Shells
“FIN7”: It’s a matter of “when, not if” for organizations and breaches, and the same goes for criminals and getting caught. The U.S. District Attorney’s Office for the Western District of Washington recently unsealed indictments and announced the arrests of three leaders in a criminal organization we have tracked since 2015 as FIN7. Referred to by many vendors as “Carbanak Group” (although we don’t attribute all usage of the CARBANAK backdoor to the group), FIN7 is well-known for the technical innovation, social engineering ingenuity, and other creativity that has fueled their success. We open up this episode by talking about all things FIN7, including their tools, their tactics, techniques and procedures (TTPs), and some of the ways FIN7 activity changed following arrests made as far back as January.
• On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation
• To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence
• FIN7 Evolution and the Phishing LNK
• FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings
• Tracking a Cyber Crime Group: FIN7 at a Glance
“Special Guest Katie Nickels (@likethecoins)”: Katie Nickels attended a liberal arts school and intended to get into journalism, but instead she took on a researcher role and the rest is history. Now Katie is the Lead Cyber Security Engineer at MITRE. MITRE is a not-for-profit that operates federally funded research and development centers (FFRDCs) responsible for R&D that helps the U.S. government. Katie specializes in cyber threat intelligence and how it can improve network defenses. Part of that involves applying threat intelligence to ATT&CK, a knowledge base of real-world attacker tactics, techniques and procedures (TTPs) that is used to assist analysts. Very cool stuff! During our chat, Katie talked about how her team processes new intel as it’s made public (she said she was really excited about our latest FIN7 blog post – thanks Katie!), and about a new ATT&CK philosophy paper MITRE recently released that describes the collaborative process of incorporating new TTPs. We also talked about PRE-ATT&CK, which focuses on what threat actors do to prepare for an attack, such as reconnaissance and weaponization.
“Special Guest Matt Graeber (@mattifestation)”: Early in Matt Graeber’s professional life he was a rock climbing instructor, but then he joined the Navy and that decision kicked off his journey into the wonderful world of InfoSec. Matt is now a Security Researcher at SpecterOps, a company that provides adversary-focused solutions to help organizations better defend themselves against the types of attacks we see every day. At SpecterOps, Matt specializes in reverse engineering and the advancement of attacker tradecraft and detection. Prior to SpecterOps, Matt did a stint with FireEye on a team that would go on to become our FLARE unit, so of course we took a moment to go down memory lane. Some of the other topics we covered include PowerShell, Matt’s “Subverting Sysmon” Black Hat USA 2018 talk, and the things that Matt will do in the name of a good cause.
“Special Guest Sean Metcalf (@Pyrotek)”: Sean Metcalf is a trailblazer in the InfoSec field who is best known for his expertise in Active Directory security. He’s given talks on the topic at several security conferences, including Black Hat USA, DEF CON, DerbyCon and BSides. Fun fact about Sean: he is one of roughly 100 Microsoft Certified Masters (MCMs) in Directory Services in the world. Active Directory security plays a huge part in his current role as Founder and Chief Technology Officer of Trimarc Security. Trimarc is a company that protects organizations primarily through the security of Active Directory, Microsoft Exchange, and VMware virtual infrastructure. During our chat, Sean explained how he got started in the world of Active Directory security about a decade and a half ago when he was an Active Directory engineer. He discussed some of the challenges he faced between then and now while traversing relatively uncharted territory. He also provided a brief overview of the talk he gave at Black Hat USA 2018 on why secure administration isn’t so secure.