Research Saturday 12.11.21
Ep 212 | 12.11.21

FIN7 repositioning focus into ransomware.


Dave Bittner: Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Ilya Volovik: FIN7 is a notoriously famous cybercriminal group, and I think it's one of the most researched groups that is currently out there.

Dave Bittner: That's Ilya Volovik. He's the research team lead at Gemini Advisory, a Recorded Future company. The research we're discussing today is titled, "FIN7 Recruits Talent for Push Into Ransomware."

Ilya Volovik: They have really made themselves famous by conducting a lot of malware campaigns that were targeting point-of-sale systems, and they gained notoriety in the mid-2010s, I would say. Specifically, the large hack that they had was in 2018, when they compromised Saks Fifth Avenue and Lord & Taylor stores where they were – they have stolen payment cards, and they subsequently posted about five million of those payment cards on the dark web, which you know, we've reported on way back in 2018.

Ilya Volovik: And with the payment card industry, you know, it kind of has its ups and downs, and it's still obviously currently still happening, but cybercriminals are always looking for new ways and new spheres to expand into, right? So, OK, yeah, we used to steal payment cards, but what else is out there? Where else can we make money? And you know, ransomware, over the past few years, has also been getting a lot of high-level visibility. There are a lot of articles being written about it, it's been on the news a lot, and the ransomware teams are making quite a bit of money, right?

Ilya Volovik: So, FIN7, being that they are, you know, a very powerful team. They have incredible infrastructure. They said, well, listen, how about we expand into this, right? So, why don't we take a piece of that pie? So it appears that they have been getting involved with this ransomware business, because, again, you can make a lot of money in that from the cybercriminals' perspective.

Dave Bittner: Right, right. It's, you know, we're a criminal organization with a lot of moral flexibility – let's expand into a new area, right?

Ilya Volovik: Absolutely, absolutely.

Dave Bittner: Well, let's continue along just some of the background here, because again, in 2018, I believe it was the US Department of Justice that released information that FIN7 was posing as another company. What can you tell us about that?

Ilya Volovik: Correct. So, in 2018, the Justice Department did reveal that FIN7 was posing as Combi Security, which was a fake cybersecurity company. And it was involved in hiring unaware IT specialists, essentially, kind of like what we're going to talk about today. So this is like a precursor to what they did today. This was a few years ago. They already tried that out. So this was something they attempted to do.

Ilya Volovik: And interestingly, in 2018 as well, they arrested one of the – the Justice Department recently released information that they have made an arrest in 2018 for a system admin that worked for FIN7, or was involved with FIN7. They say he was one of the higher-ranking individuals within FIN7, who initially was hired by Combi Security as an IT specialist. So this Combi Security posed as a cybercriminal company, they hired this system admin to work for them, they pretended to be a legitimate company, he started working for them. Then he started to say, hmm, you guys are doing something wrong – let me get a piece of that pie. So instead of raising a red flag and saying, hey, this is like wrong, I should report you guys or I should let somebody know that something is happening, he said, huh, I can make a lot of money here. So he stayed on with them and he was arrested and he was recently sentenced, I think in April or March of this year, he was sentenced to ten years.

Dave Bittner: Wow. Well, then let's move on to the recent report here. What is the latest from FIN7?

Ilya Volovik: So, the latest, so it appeared that that tactic that they used in 2018 with Combi Security worked well for them. You know, they obviously found some individuals that worked for them, so they decided to repeat the same tactic. They essentially created this company called Bastion Secure – for short "BS," as we internally call it, a BS company.

Dave Bittner: (Laughs) Nice, nice.

Ilya Volovik: Yeah, they created this company. And on the surface, it looks absolutely – you know, not absolute, but it looks very legitimate, right? They had presence on these various job posting sites in the former Soviet Union. They had their own website and they were looking to recruit some IT specialists into their company, the unwitting, saying, hey, you know, we're in the cyber sphere, you know, come work for us. And essentially, they reached out to a lot of people I'm sure, saying, hey, you know, come on board. And what we noticed is that they really operate like a small startup company. Well, maybe not a small startup company, but a regular startup company. They have a very professional demeanor. The website looks very professional. All their communications are very professional. You know, when they were recruiting our source, essentially our source had no suspicion that anything was really wrong, because, you know, you would think like great cybercriminals, they're going to be, like, very criminal and maybe speak in a certain way and do things a certain way, right?

Dave Bittner: Right. A very Hollywood stereotype of what these folks might be like.

Ilya Volovik: Right, exactly, exactly. But no, these guys have been around for a while, so very professional communication. Now, granted, looking back at it, we can say, well, you know, they reached out to you via email and then said, hey, let's talk on Telegram. So there wasn't really a phone call, but, you know, so their initial communications happen over Telegram with the HR department. And, you know, looking back at it now, we can say, well, that was a little suspicious, but you have to remember that Telegram is really being widely used in Eastern Europe as a form of communication, it's really nothing out of the ordinary to use Telegram to communicate with your employer. So it really didn't raise any red flags at that point.

Ilya Volovik: So, you know, and they reach out to you, they say, hey, we are Bastion Secure. You know, we are this company. So you go on Google, you know, as anybody would and you Google search for that company, and Google would return a lot of companies named "Bastion Security," because kind of like the name is fairly generic and it kind of overlaps with similarly named entities and similarly named companies, right? So when you put Bastion Security, you know, you'll have news articles that come out saying Bastion Secure or Bastion Security or Bastion or variations of those words. So there's, you know, a good amount of information on Google for that. Particularly on their website, they listed an address in England. And when you look up that address, it will show you that there was a company named Bastion Security, right, that used to be there.

Ilya Volovik: But again, like, if you're just doing a surface search without digging into it, you're going to see, yeah, you know, at that address, there's Bastion Security. You're not like really paying attention that the FIN7 company, Bastion Secure, Bastion Security, fairly similar, right?

Dave Bittner: In terms of attracting the folks to come work for them and making it appear as though these are legitimate jobs, what sort of jobs are they hanging out there? Do they say they're looking for pentesters or red teamers? What are they trying to attract?

Ilya Volovik: So, they're trying to attract quite a few individuals, so they're looking for programmers that are proficient in PHP, C++, Python. They're looking for system admins. They're looking for reverse engineers. So, we believe this is kind of like something they want to – they want to build a staff that is capable of conducting the tasks necessary to do a range of cybercriminal activity. But again, on the surface, you know, if you're a cybersecurity company looking for these specialties, there's nothing really out of the ordinary. But, you know, looking back at it, and you kind of know what they do and you can say, well, you know, why would they look for a system admin, right? A system admin is somebody that can really map out a network of a company, right? They can figure out, well, how is this network built? Where would a system admin – like a legitimate system admin of that company – where would he hide his backups? How would he use his network? Where would he place all the various things that are interesting to these ransomware teams?

Ilya Volovik: So, system admin is like an interesting one. Same thing with reverse engineer. Maybe, you know, they're trying to look at antivirus software, right? And seeing if that antivirus software is capable of detecting their malware. So we know FIN7 is using this malware called "Carbanak," right? So, for example, they may need to test their malware against the new antivirus system, so they maybe need a reverse engineer to kind of see, well, you know, how do we make our malware not detectable by the antivirus?

Dave Bittner: Now, you mentioned that they're operating out of former Soviet countries. Are these offers – is it a Russian language situation, where they're going after native Russian speakers? Or how are they going about that?

Ilya Volovik: Correct. You know, as many of us know a lot of cybercriminal activities happening on the dark web – Russian-language dark web, let's put it that way. And so naturally, of course, they are going for those Russian speakers, you know, any of these post-Soviet countries, people speak, you know, have that common language. And you know, it's not only because they speak Russian, but because the salary that you get in those countries for performing some of these duties is fairly low. So, say, for example, like, you know, your programmers, your system admins, your engineers, they could be making, you know, a thousand bucks a month, fifteen-hundred dollars a month, which is really low for them, you know, from our standard. But in those countries, that's a good salary. You know, that's a perfectly normal salary.

Dave Bittner: Hmm. So your contact here, the person who drew your attention to this – how far down the path did they get before they started to realize that something might be up? And what was it that tipped them off?

Ilya Volovik: So, they got fairly well into the process, right? So they went through the initial HR interviews – again, which were very professional. There were really no red flags outside of maybe like, hey, listen, I really haven't spoken to anybody on the phone or I haven't been to their office. But otherwise, everything seemed to be fine. Then they, you know, signed some work agreements. Then they signed some other documents. They were sent some packets about working for the company, hey, this is what you should do, shouldn't do. This is how you set up your PC to stay anonymous and things like that. So everything seemed very kind of, like, as you would come in working for a larger company.

Ilya Volovik: Then there was a test session where they tested our source – essentially, again, they were on this messaging platform and they tested, you know, after they chatted, there was a person that tested their knowledge in the IT sphere, right? So they asked them a bunch of different questions seeing how they respond to these questions. These questions ranged – so, like, what ports do you use, or how does this system work, what's HTTPS, and things like that, right? So, very basic to more advanced items. Once they were done with that, the next stage was like, hey, we're going to give you some of these tools that we use, which, by the way, were disguised as, you know, some of the tools that pentesters – like, even in legitimate companies – when they do pentesting of companies, they use some tools that can be both used for legitimate pentests and they can be also used for illegitimate reasons by cybercriminals.

Ilya Volovik: So, he was sent a bunch of different tools. Again, if you look at these tools and you say, well, you know, we're a cybersecurity company, some of these tools can be used legitimately. However, some of the other tools – they were really disguised tools, tools that say, for example, hey, this is Check Point Software, for example, which is a legitimate company that does create legitimate tools. However, it was just in the name that this was Check Point Software – the actual software that they will use was – malware, if you will – was disguised like a control panel. So again, you know, tools would disguise so at the first look, you're like, yeah, you know, these are tools. This is kind of interesting. There were some other things that were sent to them, like manuals and things like that.

Ilya Volovik: So, at first glance, it's not really a red flag, maybe like a yellow flag. Oh, this is interesting, I've never worked with any of these tools, you know, what are some of these tools? So you maybe Google them and you research, well, what is this tool or what is that tool? And you kind of get, like, tool information. Well, yeah, this could be useful for pentesting, you know? Yeah, cybercriminals do use this. So, like, not a red flag, but maybe like a yellow flag.

Ilya Volovik: So once the process of that training and testing has been complete, that was kind of the latter stage, was like, OK, you are good to go. You trained up. In a short time, we're going to start on the actual real world assignment. And that's when the kind of red flag was raised and said, well, OK, well, we're going to do this assignment, but do you have any legal paperwork for this? Do you have – there should be some kind of legal paperwork. Why are we doing this and how are we doing this? So questions started to get asked. And once you start asking those key questions, the company is like, well, you're asking too many questions. So that was kind of like the end of it.

Dave Bittner: Now, was that the end of it? I mean, did your source then walk away?

Ilya Volovik: Correct, yes. So that was the end of it, because, again, there were – again, from the initial stages, it wasn't very suspicious. But once you start asking questions and you're not getting the answers that you were hoping to receive, and then you start looking back and saying, well, you know, these tools, they could be used for bad stuff. On top of that, I'm not really getting any legal paperwork confirmation for what we are about to do. You know, I've never really met them. I've only communicated with them on the messengers. OK, these are now red flags. So now everything is getting red flagged.

Dave Bittner: So this person then gets in touch with you and shares some of these tools that were provided by FIN7, going by the name Bastion. How did you all connect the dots then as you started to look at these tools?

Ilya Volovik: Correct. So these tools were, you know, once you kind of, like, start looking deeper into it, you start realizing that, hey, these are post-exploitation tools that are being used by FIN7. Because again, as we kind of talked about in the beginning, FIN7 is probably one of the most researched cybercriminal gangs in the world. So there's a lot of information out there – what kind of tools are they using? What kind of tactics are they using? So, you know, when we looked at these tools and we started to do analysis and, you know, we did it in conjunction with Recorded Future, and – you know, which is a great resource to us to use, obviously – there were definitely clear signs, hey, these are the tools that were previously used by FIN7. These are the tools that were created by FIN7.

Ilya Volovik: So some of the tools that were used by FIN7, let's put it this way – they could be out there, right? Like, say, for example, if it's a version one of certain malware, it's been around for five years. Anybody really could have this tool, right? Because maybe somebody bought it and they're using it. They're widely available to anybody. But some of the tools, they're really like latest model stuff, right? So this is like latest iteration, latest versions of these tools. So when you're looking at it, you're like, well, this is like a latest upgrade of the tool that was used in the past. Well, who could be using that? So there were some clear signs that, hey, these are really FIN7, the actual company. And again, and you kind of parallel that with a fake company, Bastion Secure, very well-made. And you draw a very, very close parallel to what they did in 2018 with Combi Security.

Dave Bittner: Is Bastion still out there trying to attract would-be employees?

Ilya Volovik: So, you know, it's interesting you mentioned that. So when we initially started looking at the website – and this was some time ago, quite a bit of time ago, a few months – their website was built, which was a copy of a CNS website, which is, again, a legitimate cybersecurity company. Theirs was a copy of that. And when you look at the front page, the front page looked complete. You start looking at some of the menus. The menus looked complete, but when you start looking at the submenus, those submenus weren't filled in yet, or they were filled in, but you still had the CNS logo or CNS Twitter handle or just sentences mentioning CNS. So it wasn't a complete site. Some pages outright would give you a 404 error, meaning the page is not available. And funnily enough, the error would be in Russian... 

Dave Bittner: (Laughs) 

Ilya Volovik: ...So that's like, oh, you see, you know, these guys are pretending to be this huge international company that has a head office in London or in England, you know, why do you have, like, Russian error pages?

Dave Bittner: A little bit of a red flag there, right?

Ilya Volovik: For sure. And the same thing with the source code. When you look at the source code, it had some references to the CNS site. Now, over time, up until we published our report, they would patch it up, right? So they would actually develop those submenus. So when we looked at it again, we're like, oh, this submenu was not working before, and now it is working. This submenu did have CNS information, but it no longer has it. So they edited it, for example, on their website, for vacancies, for the jobs. It was really empty. There was nothing there. And then we started seeing, OK, now they have postings for jobs on that submenu. So what that tells us is that this was a big project for them, because, again, we can see that, you know, they put a lot of time and effort making the page look and appear legitimate. There was some text that was taken from CNS, but the text was edited to make it, you know, so it's not as obvious that it was from CNS. Some text again, we caught it before it was edited, but then we saw, hey, this was already edited. So they were actively working on this Bastion Secure. They were actively working on building that image of Bastion Secure right up until the point where we released our public blog, where we exposed them. So we believe that, yes, they were actively searching for individuals to work for them. It seems like it's a tactic they were really planning to use hiring these unwitting, you know, IT specialists to work for them without really revealing who they are.

Dave Bittner: So I suppose everyone should be on the lookout for if they spin up yet another company with a new name that attempts to do similar things. It seems to be, perhaps, a pattern for them.

Ilya Volovik: Oh, absolutely, we really haven't seen – you know, when you're dealing with research and you're dealing with the dark web and you're dealing with analytics, you can always say like, yes, of course, you know, you have a job market in the former Soviet Union, just like any job market, right? There's a lot of people that are looking for jobs. There's a lot of IT specialists out there in those countries. And, you know, they're all – they're looking for a job. So it's not really out of the ordinary for cybercriminals to go out to that marketplace and try and find somebody that can maybe write code for them. Like, they'll find a programmer that will write code for them. They won't really tell them what the code is for. Maybe they won't share the whole picture of what that program is for. So it's not uncommon for them to do that, but to do it at the scale that FIN7 is doing it – you know, building a website, coming up with the name, you know, they came up with the name with multiple different companies, you know, creating addresses, creating job posting ads, and they're not doing it once. You know, this is the second instance where they've done it. It does seem like they believe that this is a good venue. Who knows? Maybe their plan was to create this Bastion Secure site, this company, and then they would come to legitimate companies and offer their services and say, hey, listen, we'll do some pentesting for you and things like that.

Ilya Volovik: So, you know, they could be approaching not just hiring individuals, but also building themselves this fake enterprise, essentially, where they maybe would say, hey, oh, you guys got ransomware, we're going to come and help you negotiate. You know, we're this company called Bastion Secure, which is again something we saw in the past. And in one of our articles that we wrote about some ransomware tactics, ransomware teams' tactics and how they operate, they'll have these middlemen that will, you know, once the ransomware attack happens in the company, they'll have a middleman that will come out to that victim company and say, oh, listen, I can negotiate with you, but that person could actually be working for the ransomware team.

Ilya Volovik: So, you know, if we're looking – taking a step back, what could have been out of this Bastion Secure, that could have been one of those things. They create this fictitious company that would, you know, on the one hand, they would conduct the ransomware attack. On the other hand, they would come in and say, hey, we're Bastion Secure, we're going to help you patch all the holes. We'll help you to negotiate, but you've got to pay us or whatever. And so, they could have been double dipping there. The extent of what they could be doing with this is really quite large. So we're kind of happy that we caught them in this process of still building this website. Because again, as I mentioned, you know, a few months ago, it wasn't a complete site. They were definitely working on it. They were definitely actively working on that site and on that image. So it could have been really bad news for some.

Dave Bittner: Our thanks to Ilya Volovik from Gemini Advisory for joining us. The research is titled, "FIN7 Recruits Talent For Push Into Ransomware." We'll have a link in the show notes. 

Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.