Need Info? Hack an Exec

Friday, December 5, 2014 @ 03:12 PM gHale

If you want to find out insider information, go straight to the top and hack an executive, new research found.

FIN4, a new hacking group consisting of native English speakers, has a “deep familiarity with business deals and corporate communications, and their effects on financial markets,” said researchers at security firm FireEye.

Their targets are top executives, legal counsel, outside consultants, regulatory, risk, and compliance personnel, advisors and researchers believed to have inside knowledge about potential mergers and acquisitions, deals and new research results.

Operational since at least mid-2013, the group targeted these job titles in over 100 publicly traded companies and advisory firms, the majority of which are in the healthcare and pharmaceutical industries.

“We believe FIN4 heavily targets healthcare and pharmaceutical companies as stocks in these industries can move dramatically in response to news of clinical trial results, regulatory decisions, or safety and legal issues,” the researchers said.

Their weapons of choice are extremely well crafted and personalized spear-phishing emails meant to lead recipients to phishing pages impersonating the Outlook Web App login page and trick them into sharing their Microsoft Outlook login credentials.

“FIN4 knows their targets. Their spear phishing themes appear to be written by native English speakers familiar with both investment terminology and the inner workings of public companies,” the researchers said in a whitepaper.

“FIN4 uses their knowledge to craft convincing phishing lures, most often sent from other victims’ email accounts and through hijacked email threads. These lures appeal to common investor and shareholder concerns, enticing the intended victims into opening the weaponized document and entering their email credentials.”

The weaponized documents they are talking about are stolen mergers & acquisitions documents and SEC-themed documents with embedded Visual Basic for Applications (VBA) macros, meant to steal the targets’ Microsoft Outlook usernames and passwords.

“FIN4 also uses existing email threads in a victim’s inbox to spread their weaponized documents. We’ve seen the actors seamlessly inject themselves into email threads,” the researchers said. “FIN4’s emails would be incredibly difficult to distinguish from a legitimate email sent from a previously compromised victim’s email account. The actors have also Bcc’d all recipients, making it even more difficult for recipients to decipher a malicious email from a legitimate one.”

By using such believable phishing emails, and by using the harvested login credentials to simply read the targets’ communication exchanges rather than deploying malware, the attackers have made it difficult for companies to spot the intrusions. In addition, they create a rule in victims’ Microsoft Outlook accounts that automatically deletes any emails containing words such as “hacked,” “phish,” or “malware,” so even if another target suspects the sender of the email has been compromised, it will be difficult to warn them of these suspicions via email.

The researchers said the attackers’ goal seems obvious: Gain insider knowledge about things that affect the companies’ stock price or future revenue, and act upon that information in a way that would earn them money.

As the attacks are still ongoing, the researchers advise organizations’ network defenders to disable VBA macros in Microsoft Office by default (if possible), block a number of C&C domains currently in use (listed in the whitepaper), and enable two-factor authentication for OWA and any other remote access mechanisms.

“Companies can also check their network logs for OWA logins from known Tor exit nodes if they suspect they are victimized. Typically, legitimate users do not use Tor for accessing email. While not conclusive, if paired with known targeting by this group, the access from Tor exit nodes can serve as an indicator of the group’s illicit logins,” they said.
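The two defender checks the article describes, OWA access from Tor exit nodes and the keyword-based auto-delete inbox rule, as an added Python example that is not part of the original article or FireEye’s whitepaper. The log format, the Tor exit list and the inbox-rule records are constructed here for illustration (placeholder addresses, not real indicators); a real deployment would feed in the OWA/IIS logs, a current exit-node list and rules exported from Exchange.

```python
import re

# Constructed sample data, not real indicators: a Tor exit-node list (RFC 5737
# documentation addresses) and OWA access log lines in a simplified, hypothetical format.
TOR_EXIT_NODES = {"203.0.113.10", "198.51.100.77"}
OWA_LOG = """\
2014-12-01 08:02:11 jdoe 203.0.113.10 POST /owa/auth.owa
2014-12-01 08:05:40 jdoe 203.0.113.10 GET /owa/
2014-12-01 09:15:02 asmith 192.0.2.25 POST /owa/auth.owa
2014-12-01 09:17:45 asmith 198.51.100.77 POST /owa/auth.owa
garbage line that should be skipped
"""
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<user>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
                     r"(?P<method>\S+) (?P<path>\S+)$")

def parse_owa_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than crashing."""
    return [m.groupdict() for m in (LINE_RE.match(line) for line in text.splitlines()) if m]

def owa_access_from_tor(events, tor_exits):
    """Group OWA requests whose client IP is a Tor exit: {(user, ip): [timestamps]}."""
    hits = {}
    for e in events:
        if e["path"].startswith("/owa") and e["ip"] in tor_exits:
            hits.setdefault((e["user"], e["ip"]), []).append(e["ts"])
    return hits

# Words the article reports the actors' auto-delete rule looks for.
KEYWORDS = frozenset({"hacked", "phish", "malware"})

def suspicious_inbox_rules(rules):
    """rules: list of {'user','name','contains':[words],'action'} (constructed shape).
    Flag rules that delete mail whose text contains any of the known keywords."""
    flagged = []
    for r in rules:
        matched = {w.lower() for w in r.get("contains", [])} & KEYWORDS
        if r.get("action") == "delete" and matched:
            flagged.append((r["user"], r["name"], sorted(matched)))
    return flagged

if __name__ == "__main__":
    for (user, ip), times in owa_access_from_tor(parse_owa_log(OWA_LOG), TOR_EXIT_NODES).items():
        print(f"OWA from Tor exit: {user} via {ip}, {len(times)} request(s), first {times[0]}")
    rules = [{"user": "jdoe", "name": "cleanup", "contains": ["Phish", "invoice"], "action": "delete"},
             {"user": "asmith", "name": "newsletters", "contains": ["digest"], "action": "move"}]
    for user, name, words in suspicious_inbox_rules(rules):
        print(f"Suspicious inbox rule for {user}: '{name}' deletes mail containing {words}")
```

As the article notes, a Tor hit alone is not conclusive; it is a triage signal to pair with the targeting described above.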
