Dissecting the activities and operations of FIN6 threat actor group

• The FIN6 group is in operation since at least 2015.
• It steals payment card details by compromising point-of-sale (PoS) systems in the hospitality and retail sectors.

The FIN6 cybercriminal group has constantly evolved in the past few years. This financially motivated group has been found using a variety of data-stealing malware to expand its operations across the globe. The group is in operation since at least 2015.

Primary targets

Fin6 is primarily involved in stealing payment card details by compromising point-of-sale (PoS) systems in the hospitality and retail sectors. The cards, thus stolen, are later sold for profit on underground marketplaces. Towards the end of 2018, the group was found targeting multiple high-value eCommerce merchants with malicious documents to compromise payment servers.

Modus Operandi

FIN6 targets organizations that process a significant number of PoS transactions. It typically uses commercial PoS malware to steal payment card data. According to IBM X-Force, the group’s major targets are the retailers in the US and Europe.

For a successful intrusion, the group usually leveraged IT management software to deploy malware. It also abuses Windows Management Instrumentation Command (WMIC) to remotely execute the PowerShell commands and scripts.

Among the other noted activities, the FIN6 TTPs include:

• Widely executing FrameworkPoS on compromised PoS systems;
• Collecting sensitive data in .dll files;
• Extensive use of Metasploit and PowerShell to move laterally within the network’
• Heavy SQL database reconnaissance and data theft;
• Compromising the Active Directory Databases to harvest credentials;
• Using Secure Shell tunnels for SQL database exfiltration.

Noteworthy attacks

Some of the major attacks of FIN6 threat actor group include:

• A massive heist of more than 20 million credit card details which was brought to light by FireEye. The stolen cards were later put up for sale on dark web forums for a price of $21 a card.
• In 2018, the group was found using a credential-stealing backdoor called Grabnew to harvest account details from PoS systems used across the United States and Europe.
• In February 2019, security firm Morphisec Labs discovered that the cybercriminal group was involved in a string of PoS attacks against VMWare Horizon thin clients. These attacks were carried out for eight to ten weeks long. Healthcare and Insurance sectors located primarily in the United States, Japan and India were the main targets of the attack.
• Recently, the group has been found using LockerGoga and Ryuk ransomware to compromise POS systems and extort money from the victims.

The bottom line - FIN6 group hackers are constantly acquiring new tricks and techniques to steal login credentials, bypass antivirus systems and quietly steal millions of credit card details. Therefore, it is very necessary for organizations to identify additional security measures to mitigate the threat to both their networks and their valued customers.