On August 1, 2018, the US Department of Justice unsealed an indictment against three members of the international cybercrime group known as FIN7. We previously wrote about what FIN7 is, the implications of this indictment and some of the fascinating details of their campaigns, such as the use of a front company that was used to mask the criminal operations. As we did before with the GRU indictment, we wanted to maximize the lessons learned for defenders and therefore used the Mitre ATT&CK framework to replay the FIN7 indictment.

1. 0. Reconnaissance
4. Persistence
6. Credential Access
10. Exfiltration
9. Collection
8. Lateral Movement
MITRE ATT&CK and the FIN7 Indictment
Mitre ATT&CK Stage FIN7 Tactics, Techniques and Procedures Mitigation Advice
• Awareness is required for which information about the
organization and its employees is public, in particular,
email and telephone contact details.
• Certain job titles may be of more interest to attackers due
to the responsibilities and access that specific employees
may have. These employees may require dedicated
training to educate them of the threats that they face as
part of their job.
• Social media searches can be used by attackers to
uncover these employees but also public documents, such
as SEC filings, can reveal these employees and their con-
tact details.
• Security teams need to understand attackers and their
goals, as well as the business processes of their own
organizations.
• Organizations which operate inside a regulated
environment may need to implement additional security
controls (both technical and procedural/administrative) to
verify communications with the regulator.
• Public-facing employees may require dedicated tools to
open potentially malicious attachments safely, such as
sandboxes or cloud services.
• Ensure that antivirus and other detection mechanisms are
fully up-to-date with the latest signatures and heuristics
is essential for increasing the likelihood that obfuscated
payloads are detected and quarantined appropriately.
• Organizations may wish to investigate the usage of EDR
systems for advanced endpoint protection.
• Microsoft’s AMSI can be used to capture obfuscated
PowerShell scripts after they have been deobfuscated.
• Script Block Logging for PowerShell can also be used to
capture PowerShell scripts after they have been
deobfuscated.
• Microsoft have also released an optional patch update
(KB3045645) that will remove the “auto-elevate” flag
within the sdbinst.exe. This will prevent use of application
shimming to bypass UAC.
• Improving credential hygiene by using a password only
once reduces the impact of credential theft. While the
attacker can still access the system that they have
captured the credentials for, lack of password reuse
means that the damage is limited only to that affected
system.
• Blocking egress traffic that is not necessary for the
organization’s requirements can assist with limiting an
attacker’s options in terms of communicating outside of
the organization.
• Web proxies can provide granular controls for restricting
egress traffic types and destinations.
• DNS traffic can be used by attackers for moving data out of
environments where other controls are present, as such,
DNS traffic should be inspected for malicious activity
• Sudden anomalies in the amount of storage used by
particular machines could be an indication of unusual
activity and may be worth investigating.
• Application whitelisting can be used to prevent the
execution of unauthorized code in an environment and can
prevent the execution of certain types of malware.
• Change the security descriptor of the Service Control
Manager (SCM).
• Lateral movement should be restricted as much as
possible via restricting workstation-to-workstation
communication (via firewalling or even private VLANs)
• Principle of least privilege to ensure that only the
necessary personnel have the administration privileges
required for certain actions.
• The ACSC (Australian Cyber Security Centre) recommend
disabling macros as part of their Essential Eight approach
for securing organizations. When disabling macros it is
important to consider the business processes and legiti-
mate business requirements for macros and how to miti-
gate the risk incurred by them.
• OLE package activation can also be disabled where
possible.
• LNK files can be blocked by email filtering gateways to
prevent the files from reaching targeted users.
• Windows Script Host (WSH) can be disabled if possible or
restricted where not to mitigate its risks.
Spearphishing attachment
1. Initial Access
2. Execution
User execution
Application Shimming
Obfuscated Files or Information
Input Capture
Data Compressed, Data Encrypted,
Exfiltration Over Other Network
Medium
Data Compressed, Data Encrypted,
Exfiltration Over Other Network
Medium
Remote Services
5. Defense Evasion
People Information Gathering,
Organizational Information
Gathering, Organizational
Weakness Identification, People
Weakness Identification