Slide 1

© Mandiant, a FireEye Company
Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years
Matt Bromiley, Preston Lewis

Slide 2

AGENDA
§ Introductions
§ Attacker Background
§ Attacker Lifecycle
§ Timeline of Known Attacks
§ Hunting
§ Recommendations

Slide 3

INTRODUCTIONS
Matt Bromiley
• Dallas, TX
• DFIR
• BBQ
• Whatever else the hell my wife tells me to do
Preston Lewis
• Houston, TX
• IR bro looking for evilz
• Spare time:
  • Running/Cycling
  • Coffee
  • Netflix

Slide 4

ATTACKER BACKGROUND

Slide 5

FIN5: WHAT
§ FIN

Slide 6

FIN5: WHAT
§ FINancially-motivated threat group
§ Primary targets:
  - Payment card track data
  - Identity information (driver's licenses, SSNs, etc.)
§ Highly successful ($$$ PROFIT $$$)

Slide 7

FIN5: WHO & WHERE
§ Most likely Russian-speaking attackers
§ Relentlessly target-oriented (regardless of noise)
§ Thorough understanding of the payment card brands' fraud detection processes

Slide 8

FIN5: WHO & WHERE
§ Operational sophistication
  - Monitor for detection and notification
  - "Burn before you sell"
§ Targeted industries
  - Restaurants
  - Hotels
  - Gaming (gambling)

Slide 9

FIN5: WHY

Slide 10

FIN5: WHEN
§ 2008 – Now
2016-09-20 03:24:19 UTC

Slide 11

FIN5: WHEN (cont.)
[RIGHT F$(*ING NOW]

Slide 12

FIN5: HOW
§ Honed attack methodology
  - RawPOS
  - Noisy but effective
  - Predictable attack patterns
§ Slow software maturity cycle
  - "If it ain't broke..."
  - Malware cash cow

Slide 13

ATTACKER LIFECYCLE

Slide 14

Attacker Lifecycle (diagram): Initial Compromise, Reconnaissance, Escalate Privileges, Conduct Mission, Complete Mission, Move Laterally, Maintain Access

Slide 15

Initial Compromise
§ Legitimate access
  - Virtual Private Networking
  - Remote Desktop Protocol
  - Citrix
  - Etc.
§ Remote access maintained by many vendors
  - Compromise vendor environment

Slide 16

Reconnaissance
§ Essential NetTools
  - Publicly available freeware network scanning tool from www.tamosoft.com
  - Map the network to build a target list
  - NMAP-like capability

Slide 17

Reconnaissance (cont.): Essential NetTools artifacts
HKEY_USERS\C__Users__ntuser.dat\Software\ENT2\NBS\Start | 10.0.0.1
HKEY_USERS\C__Users__ntuser.dat\Software\ENT2\NBS\End | 10.255.255.255
Red Teamers: What are you leaving behind?

Slide 18

Reconnaissance (cont.)
§ Remote administration/deployment
  - PsExec
    • Popular Microsoft Sysinternals utility for remotely executing commands
    • Customized version that automatically accepts the EULA
    • "Vxxhjq Service" modified service name (changed from "Service Name: PSEXESVC")
    • Named after a legitimate McAfee binary
    • Continuous use of the same modified version. Compile time: 2006/07/11
> psexec \\computer[,computer[,..] [options] command [arguments]
Anti-forensics!

Slide 19

Reconnaissance (cont.)

Slide 20

Reconnaissance (cont.)
§ FIENDCRY (Stage 1)
  - Based on 'MemPDumper' by DiabloHorn
  - https://github.com/DiabloHorn/mempdump
  - Early versions named ramdump.exe
  - Parses memory for Track 1 / Track 2 credit card data and PII data using regular expressions:
((B(([0-9]{13,16})|([0-9]|\s){13,25})\^[A-Z\s0-9]{0,30}\/[A-Z\s0-9]{0,30}\^(0[7-9]|1[0-5])((0[1-9])|(1[0-2]))([0-9]|\s){3,50})|([0-9]{15,16}([A-Z]|=)(0[7-9]|1[0-5])((0[1-9])|(1[0-2]))[0-9]{8,30})|([0-9]{15,19})|(~CCM[0-9]{15,19}D[0-9]{4}~))

Slide 21

Reconnaissance (cont.)
§ FIENDCRY (Stage 1)
  - Triage variant used to violently identify hosts with payment card data
    • Spray the entire environment using the PsExec variant to remotely execute FIENDCRY
    • Scans all processes for track / target data
    • Output files of payment card data identified in process memory are stored on disk in clear text
    • Attackers pull back successful regex hits
Automated scripts

Slide 22

Reconnaissance (cont.) – FIENDCRY (Stage 1)

Slide 23

Conduct Mission (diagram): DUEBREW launcher; FIENDCRY memory scraper -> Track / PII data; DRIFTWOOD obfuscates data -> Obfuscated data

Slide 24

Conduct Mission (cont.) (diagram repeated from slide 23)

Slide 25

Conduct Mission (cont.)
§ DUEBREW
  - Track data triage identified POS systems of interest
  - Service-based persistence (typically a service named similarly to a legitimate service and binary)
  - External launcher of stage two FIENDCRY and the DRIFTWOOD collection script
  - Placed in system folders (system32/syswow64)

Slide 26

Conduct Mission (cont.) (diagram repeated from slide 23)

Slide 27

Conduct Mission (cont.)
§ FIENDCRY (Stage 2)
  - Customized for targeted applications that process payment card data
  - Often vendor-specific
  - Same regex
  - Outputs dumped track data in clear text
  - Placed in system folders (system32/syswow64)

Slide 28

Conduct Mission (cont.): FIENDCRY (Stage 2)
§ Targeted processes
  - MICROS
  - utg2svc.exe
  - UTG2.exe
  - SSLgw.exe
  - visatcp.exe
  - Interface.exe
  - IFCTCS.exe
  - pos32.exe
  - easipos.exe
§ Targeted files
  - progra~1\cherry\cdi
  - InfoGenesis\POS_EXE
  - system32\ArcVCapRender
  - progra~1\golfpro
  - progra~1\VisualOne
  - Progra~1\Infonox\QCPW
  - PROGRA~1\ATMMS\MCC
  - Shift4\4Go
  - Shift4\UTG2
  - InfoGenesis\Programs
  - ResPAKW\Infoge~1
  - Progra~1\ResPAK-Services
  - Progra~1\PCCharge
  - Progra~1\accesso\Passpo~1
  - Progra~1\PCCW
  - Progra~1\Active-Charge
  - ICS\Automoney Software\Automoney

Slide 29

Conduct Mission (cont.) (diagram repeated from slide 23)

Slide 30

Conduct Mission (cont.): DRIFTWOOD
§ After payment card data recon
§ Perl2Exe-compiled Perl script
  - C:\Windows\Temp\p2xtmp
  - Trivial to reverse engineer
§ Parses designated locations for dumps produced by FIENDCRY (Stage 2)
§ Encodes data with a trivial XOR string for later collection
  - Fake DLL file created in System32 or SysWOW64
  - Depending on timing of activities, can be very large
§ Commented code containing release notes (including documented bug fixes!)

Slide 31

Conduct Mission (cont.): DRIFTWOOD

Slide 32

Conduct Mission (cont.): DRIFTWOOD
§ Fast, easy development in scripting Perl
§ Open-source binaries to convert to PE
§ Noisy
  - ~50 file artifacts created at each execution
C:\Windows\Temp\p2xtmp-27644
C:\Windows\Temp\p2xtmp-27644\auto\B\B.dll
C:\Windows\Temp\p2xtmp-27644\auto\Cwd
C:\Windows\Temp\p2xtmp-27644\auto\Data\Dumper
C:\Windows\Temp\p2xtmp-27644\auto\Digest
C:\Windows\Temp\p2xtmp-27644\auto\re\re.dll
C:\Windows\Temp\p2xtmp-27644\auto\Digest\MD5\MD5.dll
C:\Windows\Temp\p2xtmp-27644\auto\Win32\Console\Console.dll
C:\Windows\Temp\p2xtmp-27644\auto\Win32API\Registry\Registry.dll
C:\Windows\Temp\p2xtmp-27644\auto\Win32API\File\File.dll

Slide 33

Maintain Access
§ FLIPSIDE
  - Simple proxy tool (similar to plink functionality)
  - Tunnel RDP outbound
    • DUEBREW persistent configuration
  - Backdoor
> se.exe [source_ip_address] [source_port] [dest_ip_address] [dest_port]

Slide 34

Complete Mission
§ Observe detection
  - Compromised accounts == email access
  - Evidence suggests the attacker is acutely aware of detection of the compromise
    • 3rd party notifications often align with the beginning of the final phase
  - "Burn before you sell"
§ Consolidate & collect encoded data dumps

Slide 35

Complete Mission (cont.)
1. Dump passwords
2. Configure FLIPSIDE backdoor
3. SDELETE malware
4. Clear event logs

Slide 36

FIN5: Putting It All Together (diagram mapping tools to the lifecycle stages)
Stages: Initial Compromise, Reconnaissance, Escalate Privileges, Move Laterally, Maintain Access, Conduct Mission, Complete Mission
Tools and actions shown: Legitimate access, NetTools, FIENDCRY, PsExec, PwDump, WCE, Batch files, DUEBREW, DRIFTWOOD, Consolidate dumps, Data exfil, FLIPSIDE, Clear logs, SDELETE, OWA / O365, Exchange, Other?
Observe evidence of detection

Slide 37

TIMELINE OF KNOWN ATTACKS

Slide 38

Timeline of Known Attacks (diagram): 2008 -> Now

Slide 39

Timeline of Known Attacks: 2008
Visa issues an advisory on memory-scraping POS malware
November 2008 – April 2009

Slide 40

Timeline of Known Attacks: 2009
First Data releases alert on RawPOS malware
November 2009 – August 2010
November 2008 – April 2009

Slide 41

Timeline of Known Attacks: 2010
July 2010 – November 2010
November 2009 – August 2010

Slide 42

Timeline of Known Attacks: 2013
March 2013 – April 2014
February 2013 – August 2014
December 2013 – October 2015

Slide 43

Timeline of Known Attacks: 2014
March 2013 – April 2014
February 2013 – August 2014
December 2013 – October 2015
April 2014 – October 2014
February 2014 – August 2014
March 2014 – December 2015
November – December 2014
July 2014 – February 2015
October 2014 – October 2015
Investigation

Slide 44

Timeline of Known Attacks: 2015
December 2013 – October 2015
March 2014 – December 2015
July 2014 – February 2015
October 2014 – October 2015
March 2015
December 2015 – June 2016
December 2015 – June 2016
Visa & Trend Micro alert on RawPOS and attackers targeting hospitality

Slide 45

Timeline of Known Attacks: July 2014 – February 2015
2015-01-19: Exfil
2015-01-27: 3rd party notification

Slide 46

Timeline of Known Attacks: 2016
December 2015 – June 2016
December 2015 – June 2016
October 2016 – ?? (SAME ORG)
February – August 2016

Slide 47

Timeline of Known Attacks (cont.)
Timeline observations
- Crossover points -> Simultaneous footholds
- Overlapping timelines -> Operational maturity
- Identical C2 communications -> Reused infrastructure
- Media notifications -> Tactics shift

Slide 48

HUNTING

Slide 49

Hunting
§ Application Compatibility Cache ("Shim Cache")
  - Supports application compatibility issues
  - Tracks metadata for PE files and scripts
  - PsExec & DUEBREW
    • Due to the inherent execution, Shim Cache analysis yields incredible rewards
    • Quickly and easily correlate activity to identify scope of compromise
  - PowerShell script
    • Query domain hosts to acquire Shim Cache, parse offline and analyze

Slide 50

Hunting (cont.)
§ System event logs
  - PsExec service binary
  - Modified service name
  - Cleared events (EID: 517, 1102)
§ VPN logs
  - Non-standard GeoIP sources
  - Vendor accounts
  - Domain Administrators
§ Firewall logs
  - RDP connectivity
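
The event-log bullets above, turned into detection logic that runs over constructed records (an added example, not code from the deck). A PsExec-style service install lands in the System log as Event ID 7045 from the Service Control Manager ("a service was installed in the system"); the deck's EIDs 517 and 1102 are the Security log "audit log was cleared" events on pre-Vista and Vista-and-later Windows respectively. The rules below flag a 7045 whose name or image path still says PSEXESVC, a 7045 whose service name is not on a per-build allowlist (which is how a renamed service such as the deck's "Vxxhjq Service" surfaces), and any log clear, then roll the findings up per host to start a scoping timeline. `BASELINE_SERVICES` is an assumed allowlist you would build from a known-good image; the hostnames, times and the svchlp.exe path are constructed.

```python
from datetime import datetime

# Constructed sample of parsed Windows event records (not real log data). The
# fields mirror what a SIEM export or a Get-WinEvent dump would give you.
SAMPLE_EVENTS = [
    {"host": "POS-01", "time": "2016-03-01T02:14:05", "eid": 7045, "channel": "System",
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "POS-02", "time": "2016-03-01T02:15:11", "eid": 7045, "channel": "System",
     "service_name": "Vxxhjq Service", "image_path": r"C:\Windows\svchlp.exe"},  # constructed path
    {"host": "POS-02", "time": "2016-03-01T02:40:00", "eid": 1102, "channel": "Security",
     "service_name": "", "image_path": ""},
    {"host": "FILE-01", "time": "2016-03-01T02:41:30", "eid": 517, "channel": "Security",
     "service_name": "", "image_path": ""},
    {"host": "WS-07", "time": "2016-03-01T09:00:00", "eid": 7045, "channel": "System",
     "service_name": "WinDefend", "image_path": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
]

# Assumed allowlist of services that are expected to appear as new installs on
# this build; in practice derive it from a gold image, not from memory.
BASELINE_SERVICES = {"WinDefend", "Spooler", "wuauserv"}
LOG_CLEARED_EIDS = {517, 1102}          # Security log cleared, pre-Vista / Vista+


def triage_event(ev):
    """Return a rule name if the event matters for this hunt, else None."""
    name = ev.get("service_name", "")
    path = ev.get("image_path", "")
    if ev["eid"] == 7045:                                   # SCM: a service was installed
        if "PSEXESVC" in name.upper() or "PSEXESVC" in path.upper():
            return "psexec-service-install"
        if name not in BASELINE_SERVICES:
            return "unbaselined-service-install"            # renamed PsExec, DUEBREW, ...
    if ev["eid"] in LOG_CLEARED_EIDS:
        return "event-log-cleared"
    return None


def hunt(events):
    """Apply the triage rules and return the findings in time order."""
    findings = []
    for ev in events:
        rule = triage_event(ev)
        if rule:
            findings.append({"host": ev["host"], "time": ev["time"], "rule": rule,
                             "detail": ev.get("service_name") or ev["channel"]})
    return sorted(findings, key=lambda f: f["time"])        # ISO-8601 sorts lexically


def scope(findings):
    """Earliest suspicious timestamp per host, ordered: the seed of a scoping timeline."""
    first = {}
    for f in findings:
        t = datetime.fromisoformat(f["time"])
        if f["host"] not in first or t < first[f["host"]]:
            first[f["host"]] = t
    return {h: t.isoformat() for h, t in sorted(first.items(), key=lambda kv: kv[1])}


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for f in results:
        print(f)
    print(scope(results))
```

The "unbaselined service" rule is deliberately noisy: its value is that the deck's attacker keeps reusing one modified PsExec build with one modified service name, so a single confirmed hit gives you a string to pivot on across every host's System log.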

Slide 51

Hunting (cont.)
§ Malware built using the Borland compiler
  - Exports:
    • __GetExceptDLLinfo
    • ___CPPdebugHook
  - PowerShellArsenal (https://github.com/mattifestation/PowerShellArsenal)
    • Sweep environment for export IOCs
Parse PE file -> Export table
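
An offline equivalent of the export-table sweep the slide describes, as an added example that is neither the deck's code nor PowerShellArsenal: a minimal PE export-table walker in Python that returns the export names together with the COFF header timestamp (the same field the deck quotes as the PsExec variant's compile time on slide 18, so it is worth pivoting on too), and flags the two Borland exports. Because no real Borland-built sample can be embedded here, the block also constructs a throwaway PE32 image that carries an export table, so the parser can be exercised without touching disk; that builder, its section layout and its timestamp value are constructed test fixtures, not malware artifacts.

```python
import struct
from datetime import datetime, timezone

# Export names the deck lists as indicators of Borland-compiled binaries.
BORLAND_EXPORT_IOCS = {"__GetExceptDLLinfo", "___CPPdebugHook"}


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError(f"RVA {rva:#x} falls outside every section")


def _cstring(data, off):
    return data[off:data.index(b"\x00", off)].decode("ascii", "replace")


def pe_exports(data):
    """Return (coff_timestamp, [export names]) parsed from raw PE32/PE32+ bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    timestamp = struct.unpack_from("<I", data, coff + 4)[0]      # link/compile time
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = opt + (112 if magic == 0x20B else 96)                  # data directory array
    export_rva = struct.unpack_from("<I", data, dd)[0]           # entry 0 = exports
    sections = []
    for i in range(n_sections):
        s = opt + opt_size + 40 * i
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, s + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    if export_rva == 0:
        return timestamp, []
    exp = _rva_to_offset(export_rva, sections)
    n_names = struct.unpack_from("<I", data, exp + 24)[0]        # NumberOfNames
    names_off = _rva_to_offset(struct.unpack_from("<I", data, exp + 32)[0], sections)
    names = []
    for i in range(n_names):                                     # AddressOfNames table
        name_rva = struct.unpack_from("<I", data, names_off + 4 * i)[0]
        names.append(_cstring(data, _rva_to_offset(name_rva, sections)))
    return timestamp, names


def borland_export_hits(data):
    """IOC exports present in this binary, sorted for stable reporting."""
    _, names = pe_exports(data)
    return sorted(set(names) & BORLAND_EXPORT_IOCS)


def build_test_pe(export_names, timestamp):
    """Construct a minimal PE32 image with one section holding an export table.
    Exists only to exercise the parser offline; it is not a runnable program."""
    sec_va, sec_raw = 0x1000, 0x400
    body = bytearray(40)                         # IMAGE_EXPORT_DIRECTORY placeholder
    name_rvas = []
    for n in export_names:
        name_rvas.append(sec_va + len(body))
        body += n.encode("ascii") + b"\x00"
    body += b"\x00" * (-len(body) % 4)           # align the name-pointer table
    names_rva = sec_va + len(body)
    for r in name_rvas:
        body += struct.pack("<I", r)
    struct.pack_into("<I", body, 24, len(export_names))   # NumberOfNames
    struct.pack_into("<I", body, 32, names_rva)           # AddressOfNames
    opt_size = 224                               # PE32 optional header, 16 directories
    hdr = bytearray(sec_raw)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew
    hdr[0x40:0x44] = b"PE\x00\x00"
    coff = 0x44
    struct.pack_into("<HHIIIHH", hdr, coff, 0x14C, 1, timestamp, 0, 0, opt_size, 0x2102)
    opt = coff + 20
    struct.pack_into("<H", hdr, opt, 0x10B)      # PE32 magic
    struct.pack_into("<II", hdr, opt + 96, sec_va, len(body))   # export dir RVA, size
    sec = opt + opt_size
    hdr[sec:sec + 8] = b".edata\x00\x00"
    struct.pack_into("<IIII", hdr, sec + 8, len(body), sec_va, len(body), sec_raw)
    return bytes(hdr) + bytes(body)


# Constructed fixtures: a fake Borland-style DLL and a clean one (arbitrary timestamp).
SAMPLE_BORLAND_PE = build_test_pe(["__GetExceptDLLinfo", "___CPPdebugHook", "DllEntryPoint"], 1300000000)
SAMPLE_CLEAN_PE = build_test_pe(["DllMain"], 1300000000)

if __name__ == "__main__":
    ts, names = pe_exports(SAMPLE_BORLAND_PE)
    print(datetime.fromtimestamp(ts, timezone.utc), names, borland_export_hits(SAMPLE_BORLAND_PE))
```

In a sweep, read each candidate file (system32 and syswow64 first, per the DUEBREW and FIENDCRY slides), call `borland_export_hits` on its bytes, and record the timestamp alongside any hit; files that share both the export set and an identical timestamp are the same build, which is exactly the reuse pattern the deck describes.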

Slide 52

RECOMMENDATIONS

Slide 53

Recommendations
§ Implement a two-factor authentication (2FA) solution for remote access, including VPN, Citrix, and Outlook Web Access (OWA).
§ Application whitelisting on critical servers (DCs, POS terminals and servers).
§ Harden the CDE by deploying a dedicated "jump server" that can only be accessed from known CDE administrator workstations, requires additional 2FA, and implements application whitelisting.

Slide 54

Recommendations (cont.)
§ Remove local administrator privileges for users.
§ Restrict workstation-to-workstation communication.
§ Consider a P2PE solution.
  - Not fail-proof, but increases complexity.
  - Ensure encryption keys are stored securely.

Slide 55

Recommendations (cont.)
§ Centralize anti-virus alerts
§ Actively review anti-virus alerts and whitelisted exceptions
§ Create periodic backups of critical infrastructure
§ Enable VPN logging
§ Review firewall ACLs
§ Hunt for anomalies and IOCs

Slide 56

BONUS
§ Find your own FIN5!!
§ PowerShell script to acquire the Shim Cache for offline parsing
§ Pro tip: wrap the script in a for-loop and iterate over a list of domain hosts
§ Parse with the ShimCacheParser tool
PS> Invoke-Command -ComputerName remotehost {(Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache").AppCompatCache} | Set-Content C:\out.bin -Encoding Byte
C:\tools\mandiant\ShimCacheParser> ./ShimCacheParser.py -b C:\out.bin -o output.csv

Slide 57

QUESTIONS?