Monday, September 10, 2018

Android Malware Intercepts SMS 2FA: We have the Logs!

A couple of years ago I was doing some phishing investigations training at the Police School in Santiago, Chile.  One module in my training was called "Logs Don't Lie," which pointed out that in most cases we have everything we need to prioritize a phishing response just by looking at the log files, either on the compromised phishing server or in the Financial Institution's own logs.

Malware C2 servers are another great place to apply the rule "Logs Don't Lie."  Most security researchers realize that there is a great cloud of fellow researchers on Twitter sharing little tips and glimpses of their investigations.  @LukasStefanko and @nullcookies and I have been looking at a C2 server for a piece of Android malware.  And the Logs are AMAZINGLY helpful at understanding just what kind of damage such a trojan can do!    (Sidenote:  @nullcookies is a monster for finding fresh and interesting phish (and often related tools), while @LukasStefanko is an awesome malware analyst for ESET, specializing in Android-based malware.  You should follow both on Twitter if you care about such things.  Thanks to them both for the pointer that leads to what follows.)

In this case, the malware is believed to be called "Anubis II" and likely uses the "Builder" that is depicted in this YouTube video, titled "Builder Android Bot Anubis 2"

Launching the APK Builder "Android Botnet Anubis II" 

Malware actor chooses from his list of banking targets
In the comments section of the video, someone has shared a screen shot of the botmaster's control panel.  In this case it is demonstrating that 619 Android phones can be controlled from the botnet:

Phones that can be controlled from Anubis II control panel
In the particular instance referred to by Lukas and NullCookies, the malware seems to have been active primarily in June of 2018.   The server hosting the Anubis II panel has a list of banks that it can present.

The targets which have custom web inject (or phone inject) content include:
  • 7 Austrian banks
  • 18 Australian banks
  • 5 Canadian banks
  • 6 Czech banks
  • 11 German banks
  • 11 Spanish banks
  • 11 French banks
  • 8 Hong Kong banks
  • 11 Indian banks
  • 6 Japanese banks
  • 1 Kenyan bank
  • 4 New Zealand banks
  • 32 Polish banks
  • 4 Romanian banks
  • 9 Turkish banks
  • 10 UK banks (Bank of Scotland, Barclays, CSGCSDNMB, Halifax, HSBC, Natwest, Royal Bank of Scotland, Santander, TSB, Ulster)
  • 10 US banks (Bank of America, Capital One, Chase, Fifth Third, NetTeller, Skrill, SunTrust, USAA, US Bank, Wells Fargo Mobile)

Fake Android Login Pages for Banks 

While each of the 190 sites has a fake login page available, we thought we would show a sampling from banks around the world . . . 

There are also several Crypto Currency organizations listed:
  • blockchaine
  • coinbase
  • localbitcoin
  • unocoin
As well as some Online Payment, Email, and Social Media sites:
  • eBay
  • Facebook
  • Gmail
  • PayPal
  • ZebPay

Each bank on the list has the equivalent of a phishing page that can be presented if the owner of the Android phone attempts to log in to the given bank.

Some of them have silly typographical errors that will hopefully reduce success, such as this Wells Fargo content, inviting the phone owner to "Sing In" to the bank.  Perhaps there is a Wells Fargo Choir?  Hopefully that will cause victims to NOT fall for this particular malware!

The Wells Fargo Choir?  Sing On!


The SMS Intercepts

One of the main benefits of having access to the server was to see so many examples of successful SMS message intercepts!  At the time of the server dump, this one contained 32,900+ unique "keylog" entries and 52,000+ logged SMS messages from at least 47 unique devices.

Here's an example showing a bank Two Factor Authentication request being forwarded to the criminals:

Text: Bank of Redacted: 819881 is your authorization code which expires in 10 minutes. If you didn't request the code, call 1.800.xxx.xxxx for assistance.

Keylogging was also enabled, allowing the criminal to see when a bank app was being used:

06/14/2018, 09:07:34 EDT|(FOCUSED)|[From:, REDACTED BANK, Account Number:, ******6680, Date:, May 30, 2018 10:10:42 AM EDT, Status:, Canceled, Amount:, $100.00, Type:, Deposit, Transfer ID:, 25098675]

In this example, an online payment company is sharing a message:

06/29/2018, 15:28:46 EDT|(CLICKED)|[Friendly reminderThis is Mr. XXXXXXX from REDACTED. This is a friendly reminder that you have a payment due today by 6pm If you have any questions or need to make a payment  via phone call 804-999-9999 or we have a new payment processing system that allows , for your convenience, to simply text in the last 4 digits of a card you've previously used and the security code and we're able to process your payment.  Feel free to call  REDACTED with any questions at 804-xxx-xxxx]

Hundreds of Gmail verification codes were found in the logs:

06/14/2018, 00:19:33 EDT|(FOCUSED)|[G-473953 is your Google verification code., 1 min ago]

Quite a few Uber codes were also found in the logs:

Text: [#] 9299 is your Uber code. qlRnn4A1sbt

Paypal, Quickbooks, LinkedIn, Facebook, Stash, and Stripe all had 2FA codes make appearances in the logs:

Text: FREE PayPal: Your security code is: 321842. Your code expires in 10 minutes. Please don't reply.

Text: [Your QuickBooks Self-Employed Code is 952708, 1 min ago]

Text: 383626 is your Facebook password reset code or reset your password here: https://fb.com/l/9wBUVuGxxxx5zC

Text: Your LinkedIn verification code is 967308.

Text: 103-667 is your Stripe verification code to use your payment info with Theresa.

Text: Your Stash verification code is 912037. Happy Stashing!

Text: Cash App: 157-578 is the sign in code you requested.

Text: Your verification code for GotHookup is: 7074

In a directory called "/numers/" there were also examples of address book dumps from phone contacts.  The small number of these seems to indicate this would be a "triggered" request, where the botnet operator would have to request the address book.  In the example we found, with seven area code (404) numbers, four (770) numbers and four (678) numbers, it is likely an Atlanta, Georgia based victim.

The Keylogging feature also seems to be something that is turned on or off by request of the botnet operators.  There were far fewer devices for which keylogs were found.   Example keylog entries looked like this.

A telephone prompt:

  • 06/15/2018, 14:38:55 EDT|(CLICKED)|[Call management, •, 10m, 4 missed calls, Ashley Brown (3), Mom]
  • 06/15/2018, 14:38:59 EDT|(CLICKED)|[Call Ashley Big Cousin, Quick contact for Ashley Brown]
  • 06/15/2018, 14:39:01 EDT|(CLICKED)|[1 804-999-9999, Mobile, Call Ashley Brown]


Responding to a message:

  • 06/15/2018, 16:02:34 EDT|(CLICKED)|[Messaging, •, now, Expand button, (804) 999-9999 , Hey Terry can you send the address, REPLY]
  • 06/15/2018, 16:02:37 EDT|(FOCUSED)|[Aa]
  • 06/15/2018, 16:02:46 EDT|(CLICKED)|[Copy, Forward, Delete]
  • 06/15/2018, 16:02:50 EDT|(FOCUSED)|[]
  • 06/15/2018, 16:02:54 EDT|(CLICKED)|[Messaging]
  • 06/15/2018, 16:02:57 EDT|(CLICKED)|[Enter message]
  • 06/15/2018, 16:05:11 EDT|(CLICKED)|[Answer]
  • 06/15/2018, 16:05:29 EDT|(CLICKED)|[]
  • 06/15/2018, 16:10:50 EDT|(FOCUSED)|[]
  • 06/15/2018, 16:10:52 EDT|(CLICKED)|[Enter]
  • 06/15/2018, 16:11:01 EDT|(FOCUSED)|[2007 Their Address Ct  North CityTheyTyped OK 11111]
  • 06/15/2018, 16:11:03 EDT|(FOCUSED)|[]

A YouTube session:

  • 06/27/2018, 15:23:36 EDT|(CLICKED)|[YouTube]
  • 06/27/2018, 15:23:46 EDT|(CLICKED)|[Pause video]
  • 06/27/2018, 15:41:19 EDT|(FOCUSED)|[14:46, Go to channel, FINDING OUT THE GENDER!!!, Menu, The Rush Fam · 26K views4 hours ago, 6:12, Go to channel, TRY NOT TO CRY CHALLENGE REACTION WITH KID (SHE ACTUALLY CRIED), Menu, CJ SO COOL · 2.5M views · 1 year ago, SUBSCRIBED]
  • 06/27/2018, 15:46:38 EDT|(FOCUSED)|[]
  • 06/27/2018, 15:46:41 EDT|(CLICKED)|[Enter]
  • 06/27/2018, 15:46:53 EDT|(CLICKED)|[Play video]
  • 06/27/2018, 15:48:06 EDT|(CLICKED)|[ · 0:11]
  • 06/27/2018, 15:48:09 EDT|(CLICKED)|[ · 0:09]
  • 06/27/2018, 15:48:10 EDT|(CLICKED)|[ · 0:08]
  • 06/27/2018, 15:54:30 EDT|(CLICKED)|[Suggested: "BREAKING UP IN FRONT OF COMPANY!!" PRANK ON PANTON SQUAD!!!]
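As an added example (not code from this post, nor from the researchers it credits), here is a small Python triage script of the kind an incident responder would run over such a C2 dump: it parses the two formats quoted above, the "Text:" SMS intercepts and the timestamped "(FOCUSED)/(CLICKED)" keylog entries, and groups the exposed one-time codes by service so that the providers and victims most at risk can be notified first. The sample lines are constructed from the redacted examples in this post; the service list and the one-time-code pattern are my assumptions, not anything recovered from the server.

```python
import re
from collections import Counter, defaultdict

# Constructed sample dump, built from the redacted entries quoted in the post.
# Two line formats appear: SMS intercepts prefixed "Text: " and accessibility
# keylog entries of the form "MM/DD/YYYY, HH:MM:SS TZ|(EVENT)|[payload]".
SAMPLE_DUMP = """\
Text: Bank of Redacted: 819881 is your authorization code which expires in 10 minutes.
Text: FREE PayPal: Your security code is: 321842. Your code expires in 10 minutes.
Text: Your LinkedIn verification code is 967308.
Text: 103-667 is your Stripe verification code to use your payment info with Theresa.
Text: [#] 9299 is your Uber code. qlRnn4A1sbt
06/14/2018, 00:19:33 EDT|(FOCUSED)|[G-473953 is your Google verification code., 1 min ago]
06/14/2018, 09:07:34 EDT|(FOCUSED)|[From:, REDACTED BANK, Account Number:, ******6680, Amount:, $100.00]
06/15/2018, 16:02:57 EDT|(CLICKED)|[Enter message]
06/27/2018, 15:23:36 EDT|(CLICKED)|[YouTube]
"""

KEYLOG_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}), (?P<time>\d{2}:\d{2}:\d{2}) (?P<tz>\w+)"
    r"\|\((?P<event>[A-Z]+)\)\|\[(?P<payload>.*)\]$"
)
# Assumed shape of one-time codes seen in the dump: Google's "G-" + 6 digits,
# a 3-3 split such as 103-667, or a plain 4 to 7 digit run. The look-arounds stop
# us from pulling digits out of URLs, phone numbers or random tokens.
CODE_RE = re.compile(r"(?<![\w/-])(?:G-\d{6}|\d{3}-\d{3}|\d{4,7})(?![\w/-])")
# A line only counts as a second-factor message if it uses one of these words.
OTP_WORDS = re.compile(
    r"\b(?:verification|security|authorization|sign in|reset|code)\b", re.I
)
# Assumed brand list for crude service attribution; first hit wins.
SERVICES = ["PayPal", "Google", "Uber", "LinkedIn", "Stripe", "Facebook",
            "QuickBooks", "Stash", "Cash App", "Bank"]


def parse_line(line):
    """Return a record for one dump line, or None if it is in neither format."""
    line = line.rstrip("\n")
    m = KEYLOG_RE.match(line)
    if m:
        return {"kind": "keylog", "event": m["event"],
                "when": f"{m['date']} {m['time']} {m['tz']}", "text": m["payload"]}
    if line.startswith("Text: "):
        return {"kind": "sms", "event": None, "when": None,
                "text": line[len("Text: "):]}
    return None


def extract_codes(text):
    """One-time codes found in a message; [] when it is not an OTP-style message."""
    if not OTP_WORDS.search(text):
        return []
    return CODE_RE.findall(text)


def attribute_service(text):
    """Best-effort guess at which provider sent the message."""
    lowered = text.lower()
    for name in SERVICES:
        if name.lower() in lowered:
            return name
    return "unknown"


def triage(dump):
    """Count records per format and group exposed codes by service.

    Returns (counts, exposed) where counts is a Counter over "sms"/"keylog"
    and exposed maps a service name to the list of codes that leaked to the C2.
    """
    exposed = defaultdict(list)
    counts = Counter()
    for raw in dump.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        counts[rec["kind"]] += 1
        for code in extract_codes(rec["text"]):
            exposed[attribute_service(rec["text"])].append(code)
    return counts, dict(exposed)


if __name__ == "__main__":
    counts, exposed = triage(SAMPLE_DUMP)
    print(f"{counts['sms']} SMS intercepts, {counts['keylog']} keylog entries")
    # Services with the most leaked codes are the first notification calls to make.
    for service, codes in sorted(exposed.items(), key=lambda kv: -len(kv[1])):
        print(f"{service:10s} {len(codes)} code(s) exposed")
```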

Distribution 

From looking for this malware in various collections, such as Virus Total Intelligence, it seems that the malware is fairly common.  Many new versions of the malware show up in their collection every day.   The most common point of distribution seems to be from the Google Play Store.

A popularly reported stream of such apps was reported on by, well, just about everyone in July 2018.  Some of the headlines included:

Anubis Strikes Again: Mobile Malware continues to plague users in Official App Stores  - from IBM X-Force Research's Security Intelligence blog

Best graphic goes to Secure Computing Magazine:

https://www.scmagazine.com/


A more recent post, from AlienVault (20 days ago):  "Anubis Android Malware in the Play Store"

A search in VirusTotal Intelligence reveals 62 new filehashes ONLY FROM TODAY (September 10, 2018) that match a definition name of "Anubis".  Some of the more popular names for the trojan on VirusTotal include:

DrWeb:  Android.BankBot.1679
Ikarus: Trojan-Banker.AndroidOS.Anubis
Kaspersky: HEUR:Trojan-Dropper.AndroidOS.Hqwar.bb
Sophos: Andr/BankSpy-AH

Kaspersky authored a special article on this banking trojan, which they call "HQWar", back in April under the headline "Phantom menace: mobile banking trojan modifications reach all-time high: Mobile banking Trojans hit the list of cyber-headaches in Q2 2018."   In that article they said they have documented 61,000 versions! 

Kaspersky: Phantom Menace
As I mentioned about Lukas at the beginning of this blog, ESET has produced an amazing number of articles on Android banking trojans lurking in the Google Play store.  Here are a few of them:

Monday, September 03, 2018

India's Cosmos Bank Suffers Unlimited ATM Attack

On August 10th, many American Financial Institutions received a warning from the FBI that the Bureau had found evidence that criminals were plotting an "Unlimited Operation."  We've written about these Unlimited Attacks a number of times in the past in this blog, but this is the first time that we know of where the FBI announced the attack beforehand.  In these attacks, hackers compromise the internal systems of a bank and gain control of systems that allow them to bypass or reset ATM withdrawal limits.  Then, the magnetic stripe information for a selected number of cards is shared with trusted cash-out gangs around the world, who make physical ATM cards with the stripe information encoded and stand by for the pre-arranged attack to begin.  Once zero-hour arrives, hundreds of cash-out gang members begin draining every ATM machine they can find, literally emptying the machines, with the balance available for withdrawal being magically reset in real time by the hackers inside the systems of the targeted bank.

The most famous Unlimited Attack was also one of the earliest, when $9 Million in cash was withdrawn from at least 2100 ATM machines in 280 cities around the world on November 7th and 8th, 2008 in the RBS WorldPay attack.  That was far surpassed in 2013, when cash-out gangs in 26 Countries stole $40M.  More recently, Standard Bank was victimized in the first Japanese Unlimited Attack in 2016, involving at least 14,000 "maximum" ATM withdrawals.

In this case, the FBI's prediction came true almost immediately, even before our favorite security journalist, Brian Krebs, was able to get his story out: FBI Warns of Unlimited ATM Cashout Blitz.

The Times of India reported on August 14th "How hackers siphoned over Rs 94 crore off a co-operative bank in Pune", revealing that the 112 year old Cosmos Bank was the target of the attack.  During this attack hackers were able to cause the ATM Network to approve "Rupay" transactions by validating the requests against a fake payment gateway controlled by the hackers.  In 2.5 hours, from 3 pm to 5:30 pm, 12,000 Visa card transactions withdrew Rs 78 crore (approximately $10.9 Million USD) before Cosmos Bank terminated all ATM Visa Transactions; however, RuPay transactions continued until at least 10PM.  RuPay is an India-only card system designed to allow national payments in India without reliance on Visa and Mastercard.  2,890 India-based RuPay transactions totaled an additional Rs 2.5 crore ($351,500 USD).  In addition to the ATM damages, on August 13th, the same hackers wired Rs 13.94 crore (almost $2M  USD) to Hong Kong via a fraudulent SWIFT transfer.  (Three separate MT103 transactions were sent to ALM Trading Limited at Hang Seng Bank in Hong Kong, according to Securonix analysis of the event.  Securonix believes the behavior of the attackers is consistent with the North Korea-based APT group known as "Lazarus Group".)  MITRE's ATT&CK program (Adversarial Tactics, Techniques & Common Knowledge) provides more information on the Lazarus Group.

As with many previous Unlimited attacks, Cosmos Bank chairman Milind Kale said that no customer accounts were impacted, as these were "dummy" accounts that were established for the attack.  If this attack is like historical ones, many of the follow-up arrests will come from using ATM video footage to identify individual cash-out gangs and try to follow their communications back to the criminals who recruited them for the scheme.

Tuesday, August 28, 2018

Computer Science and Diversity

Today I saw a tweet quoting Mark Guzdial's blog saying "In last five years, little progress in increasing the fraction of American CS BS degree recipients who are African Americans."  It is a problem I've given quite a bit of thought to, but in my thinking, diversity is a problem I approached from another angle.  I've always been pleased that a large number of women have decided to work on the problems I care about.  When I came to the University of Alabama at Birmingham (UAB) I didn't come to "teach Computer Science."  I came to try to change the way we train, recruit, and equip cyber crime fighters.  I was fortunate that our department chairs in Computer Science (Anthony Skjellum) and Justice Sciences (John Sloan) believed that was something worth doing.  Since then, we've moved from having a certificate in Computer Forensics, to a Masters in Computer Forensics and Security Management, to a full Bachelors degree in Digital Forensics.  But the passion has stayed the same.  How do we train, recruit, and equip cyber crime fighters?

I hadn't realized that we were necessarily doing something unique until I had a visit from Jenn Lesser in April of 2013.  At the time, Jenn was the Security Operations Manager for Facebook.  We had a full agenda of things we were hoping to discuss with her, but something happened that halted all of that.  She came into my office, closed the door, and said  "You have SIX WOMEN working in your lab!  Would you mind if we cancel everything else and just let me interview them?"  At the time my lab was much smaller and that represented about 1/3rd of my employees. What Jenn learned was that most of the women in the lab were there because they wanted to fight crime, right wrongs, and serve the cause of Justice.  When they realized that learning to program and analyze hard drives, network traffic, and email headers could help serve that cause better, they were all in.

This fall, I'll have interactions with 83 students in the classroom and 28 of them are women. 11 of the 48 people on my lab payroll today are women, and I hope we'll hire several more at our job fair later this week! I should note that these are not "Computer Science" courses, but rather Computer Forensics courses being taught for Criminal Justice credit.

How do we recruit women?  It's the same as what our ladies told Jenn Lesser back in 2013.  None of them come to our program because they want to write code.  They come because they want to dedicate themselves to the cause of Justice, and they have learned, perhaps in an introductory course from myself or my colleague Arsh Arora, or perhaps in an introductory course from Criminal Justice professor Martha Earwood, that being skilled in technology is a force multiplier.  If you want to protect the financial assets of the elderly, technology helps.  If you want to identify and stop child predators and human traffickers, technology helps.  If you want to fight against hate speech on the Internet or cyber bullying in the schools, technology helps.  If you want to identify and stop the malware that is stealing our data, finances, and intellectual property, technology helps.

As I was reading through Guzdial's blog post and following the linked stories, I read Kenneth Bowman's post on African American Computer Science enrollment, and also the 2017 Taulbee Survey on Computer Science Enrollment from the Computer Research Association.

The Taulbee survey has some stark numbers for US Citizen, Female, and African American enrollment in Computer Science at all levels.

At the PhD Level

In the US and Canada, they found 124 Computer Science departments awarded 1,557 PhDs.  891 went to "non-resident aliens."  291 went to Females.  10 went to African Americans.  Of the 291 females, 164 were non-resident aliens.  Of the American females, 64 were White, 27 Asian, 4 Black, and 2 Hispanic.

Of 12,689 PhD students currently studying Computer Science in 135 departments, 8,058 (64.3%) are non-resident aliens, 2,734 (21.1%) are female, and 170 are African American.

What about Masters Level?

132 US Computer Science departments awarded 12,483 Masters degrees last year.  8,813 (73.8%) are non-resident aliens.  26.1% of those students who reported a gender were female (3,162 females and 8,956 males). 111 (0.9%) of the students were Black.  Of the 3,162 females, 2,462 (81%) were non-resident aliens.  Of the American females, 272 were Asian, 250 were White, 32 were Hispanic, and 24 were Black.

Of the 25,126 currently enrolled Masters students in Computer Science, 16,414 are non-resident aliens.  Of the 6,682 females, 5,183 are non-resident aliens.  Of the 1,499 resident females, 661 are White, 620 Asian, 95 Hispanic, and 81 Black.

And at the Bachelor's Level?

131 reporting US Computer Science departments awarded 19,907 Bachelors degrees last year. At the Bachelor's level, we have a much greater percentage of American students.  Only 12.5% of these were non-resident aliens.  But of those remaining 15,433 students, only 547 were Black.  Of the 3,198 female Bachelor's degrees awarded, 2,669 went to American women.  Of these, 1,110 (35%) were White, 1,104 (35%) were Asian, 200 (6%) were Hispanic, and 93 (3%) were Black.

Of the 86,569 students currently enrolled in Computer Science Bachelor's programs, 10,704 were non-resident aliens.  Of the 75,865 citizens in CS BS programs, 13,358 (17.6%) were female. By ethnicity, 39,416 (51.9%) were White, 21,113 (27.8%)  were Asian, 8,395 (11%) were Hispanic, and 3800 (5%) were Black.

The Question

The question that data like this leaves me with is this:  Could it be that the lack of interest in Computer Science from women and minorities (especially African Americans) is similar to what I've found in my lab?  Perhaps the key to encouraging Computer Science is to look at it not as a Subject to be studied, but as a Tool to be Mastered to enable the study of something else?  Computer Science as a tool (in my case) to improving your ability to help fight for Justice.  Computer Science as a tool to improving your ability to fight disease and illness.  Computer Science as a tool to improving your ability in economics. Computer Science as a tool to improving your ability to fight poverty.

Instead of asking "How do we get more women (or blacks) to study Computer Science?" perhaps we should be asking "How can we learn what women (and blacks) want to make their life's work and show them how Computer Science can help them do their life's work better?"

Saturday, August 04, 2018

Fin7 and the Perfect Phish

For the past twenty years, one of the main pieces of advice our industry gave to people regarding their email was "don't open attachments from people you don't know."  But what if your JOB is opening attachments from people you don't know?

On August 1st, the US Attorney for the Western District of Washington, Annette Hayes, and the FBI Seattle Special Agent in Charge, Jay Tabb, along with main Justice's head of the Computer Crimes and Intellectual Property Section (CCIPS), Deputy Attorney General Downing, gave a fascinating press conference about the FIN7 or Carbanak Group case.  (The link shows the 31 minute press conference on YouTube, where closed captioning is available.)

As AG Downing explained it, the FIN7 group would use a combination of emails and telephone calls to encourage people involved in catering or group reservations to open their malicious emails.  Imagine that your job is booking hotel rooms for group travel, or handling large catering deliveries for business meetings from your restaurant.  A new potential customer calls and says "I'd like to book forty hotel rooms for our sports team that is coming to play in a tournament in your town next month.  What email should I send the details to?"  Or "We're having an event at my office and need to order lunch for sixty people.  I know that I could use the online order form, but would you mind if I just sent you an email with the details?"  (I've done the latter myself when ordering FIFTY pizzas from Dominos!)

What sales person is NOT GOING TO OPEN THAT ATTACHMENT?  Right.  Every single one will do so!  Here's the flow of the attack that was shared at the Press Conference:

Depiction of one of the schemes used by cybercrime group FIN7.
(Image from the FBI Seattle Office)
Although the schemes I suggested sound complex, some of the emails shared during the press conference were quite simple:

Spear-phishing Email Image from justice.gov

Spear-phishing Email Image from justice.gov


Three criminals were arrested in this scheme, each on their own indictment.  The first two were actually arrested in January 2018, but their arrest and information about their case remained secret as law enforcement continued to hunt for additional members of the FIN7 team.

Also appearing at the press conference were representatives from Visa and MasterCard: Marie Russo, SVP of Cards and Franchise at MasterCard, and Dan Schott, Senior Director at Visa. Ms. Russo praised their participation in the NCFTA (the National Cyber Forensics Training Alliance), which offers a service that helps send stolen credit card information to the . Both Ms. Russo and Mr. Schott talked about their proactive means of identifying crime trends and coordinating with banks.  Mr. Schott reminded the audience that every Visa card service in the United States offers "Transaction Alerts" that will notify you when your card is used in a transaction. (Unfortunately Schott also quoted the mythical $600 Billion annual cost of cybercrime.)  

Is This Joker's Stash?

We don't know.  Although many of the victim companies have been anonymized, the indictment does reveal that "Victim-1" was the Emerald Queen Hotel and Casino (EQC) in Pierce County, Washington, "Victim-3" was Chipotle Mexican Grill, Victim-5 was the Boeing Employee Credit Union, Victim-6 was Jason's Deli, Victim-8 was Red Robin Gourmet Burgers and Brews, Victim-9 was Sonic Drive-in, and Victim-10 was Taco John's.  Trend Micro has previously published that FIN7 was also involved in breaches at Trump Hotels, Whole Foods, Saks Fifth Avenue and Lord & Taylor.  That latter group of cards is known to have been trafficked on the criminal card market "Joker's Stash", and Trend Micro actually equates the groups.  Their April 2, 2018 press release, "Bank Card Data of Five Million Stolen in Saks and Lord & Taylor Data Breach," begins with the sentence:  "A hacking syndicate known as JokerStash (also identified as Fin7 and Carbanak) announced the sale of five million payment cards on the dark web last March 28."

Trend Micro (click for full article)
Brian Krebs is one of the journalists who have written extensively about Joker's Stash.  In this image from his blog post "Will the Real Joker's Stash Come Forward", he shares an image of the card "base" "FIRETIGERRR" associated with the Sonic Drive-In data breach, showing a screenshot of the September 26, 2017 announcement on Joker's Stash about the availability of 5 million credit cards:

Sonic Drive-In cards being sold on Joker's Stash (image from krebsonsecurity.com)

The indictments do not make the ties between FIN7 and Joker's Stash quite so strong.  For example, in the Hladyr indictment:

"between approximately March 24, 2017 and April 18, 2017, FIN7 harvested payment data from point-of-sale devices at certain Victim-3 restaurant locations.  FIN7 stole millions of payment card numbers, many of which have been offered for sale through vending sites, including but not limited to, Joker's Stash, thereby attempting to generate millions of dollars of illicit profits."

Three Ukrainian masterminds arrested

Three Ukrainians, Fedor Gladyr (age 33), Andrey Kolpakov (age 30), and Dmytro Fedorov (age 44), were arrested in the current round of actions, although prosecutors made it clear that there will be more arrests in the future.  They also made clear that the top leader of this scheme has not yet been arrested.

Fedorov is said to have been the first to be arrested, in January 2018, in Poland.  A KyivPost article in February about a 44-year old Ukrainian hacker being detained in Poland on an Interpol warrant is certainly about him ==> "Ukrainian Hacker detained, Faces 30 years in Prison."  

It is unknown how or if this is related to the Spanish Police arrest of "Denis-K", said at the time to be the leader of the Carbanak Group, when he was arrested on March 26, 2018 in Alicante, Spain.  (A YouTube video about that arrest (in Spanish) is available as "Detenido hacker 1000 millones (Denis-K)".)  The Times of London called Denis-K a 30-year old Russian-born Ukrainian citizen, living in Spain, whose malware was used in cyber attacks in more than 40 countries, and who owned two million dollar houses.  At the time, Europol said this was the end of a 5-year cybercrime spree that had stolen $1.2 Billion. This does NOT seem to be the same person, despite the age match and the "K" last name, as the US case states that Kolpakov was arrested in "late June" in Lepe, Spain.

It is also unknown how or if this is related to the Ukrainian Police's arrest of members of the COBALT gang earlier this year.  Europol says that COBALT and CARBANAK are the same group.  It is believed by this author that the current FBI action in Seattle is targeting CUSTOMERS of the malware author group known as Cobalt/Carbanak.  Hopefully this will get sorted out in the near future.  

(Related stories:  


The superseding indictment of Fedor Gladyr
Fedor Gladyr, aka das, aka Fyodor, aka AronaXus, "served as a high-level systems administrator for FIN7 who maintained servers and communications channels used by the organization.  For example, FIN7 members requested Gladyr grant them access to servers used by FIN7 to facilitate the malware scheme.  He also played a management role in the scheme by delegating tasks and by providing instruction to other members of the scheme.  Gladyr used Jabber and HipChat to communicate with his teams.  The team used a JIRA server, usually used to track long software development projects, to communicate about the infiltration of their victims. As a few examples:

07SEP2016 - Gladyr opens an "issue" for Victim-6 for his conspirators to upload files of internal credentials for the company network.
JAN2017 - Dmytro Fedorov opens an "issue" for Victim-7 credentials to be posted.
05APR2017 - Fedorov opens an "issue" for Victim-9 credentials to be posted.

Some of the malicious infiltration of the victim networks came by emailing those malware-laden requests for quotes to companies.  Some examples include:

08AUG2016 - Victim-1, email from just_etravel@yahoo.com
08AUG2016 - Victim-1, email from frankjohnson@revital-travel.com
25AUG2016 - Victim-6, email from revital.travel@yahoo.com 
21&23FEB2017 - Victim-2 two emails
24-25MAR2017 - Victim-3 six emails 
05APR2017 - Victim-9 emails from oliver_palmer@yahoo.com 
11APR2017 - Victim-4 email from oliver_palmer@yahoo.com 
10MAR2017 - Victim-5 email 
27MAR2017 - Victim-8 email from ray.donovan84@yahoo.com 
25MAY2017 - Victim-4 email from Adrian.1987clark@yahoo.com (Subject: "takeout order")
12JUN2017 - Victim-10 email from Adrian.1987clark@yahoo.com (Attachment: order.catering.rtf)

In the case of Victim-1, firewall logs indicate that between August 8, 2016 and August 31, 2016, there were at least 3,639 communications between their organization and "revital-travel.com" addresses hosted on an IP address in Russia.

Not all of the emails were the "customer wanting a quote" type.  On 21FEB2017, pen-testers working for the scheme sent emails purporting to be filings@sec.gov to Victim-2.  The email contained a Microsoft Word attachment and alleged that an important filing was due and that the details for the filing were in the attached document.

Sometimes the stolen information targeted not only the business accounts, but also the personal information of the victims.  One FIN7 member posted a Victim-2 employee's information to their JIRA server, showing screenshots from the employee's computer and including a text file with userids and passwords of their personal email account, LinkedIn account, and personal investment and banking accounts.

Once inside an organization, it was trivial for the FIN7 "pen-testers" to expand.  Some documents posted in JIRA included userids and passwords for more than 1,000 employees, and in the case of Victim-3, point-of-sale malware was planted on many cash register computers nationwide, including 33 locations just in the Western District of Washington.

Victim-8 had an associated JIRA "issue" posted that included screenshots and usernames and passwords for the point-of-sale software management solution used by their restaurant chain.   Hundreds of userids and passwords for employees in at least 798 different locations were also stolen from Victim-8 and posted in the JIRA server.

Kolpakov indictment
Andrey Kolpakov, aka santisimo, aka sanisimoz, aka AndreyKS, participated in the scheme from at least September 2015 until June 20, 2018.  In communications to and from Kolpakov, someone in the group referred to Fedir Hladyr and an individual still at large as the "main directors" of the group.  That other individual was also called the "chief manager" of the team.  Kolpakov was introduced to new recruits to the team as their supervisor.  Kolpakov and Dmytro Fedorov had discussions about how to trigger the phishing emails, and which file types would be most effective.  Kolpakov explained to Fedorov on 18SEP2017 that they now had a means to deploy a malware file without requiring the recipient to double-click on it.  Kolpakov's account on the JIRA server was frequently the one that uploaded stolen data in response to the "issues" created by Gladyr.  Many of the uploads mentioned in the Kolpakov indictment are about the particulars of exfiltrated files from password management systems, infrastructure management systems, and in one case an "employee only" web page that the team had altered to gather passwords. Team members regularly communicated on the JIRA server about recommendations for attack vectors to be used against targeted infrastructure.


Dmytro Fedorov Indictment
Dmytro Fedorov's account on the JIRA server was involved in technical exploitation details.  For example, in response to an "issue" created for Victim-7,  Fedorov posted the results of data created by network mapping tools, including IP addresses and network, that helped to explain to the team what addresses should be targeted for further exploitation.

According to his indictment, Fedorov "served as a high-level pen-tester (one tasked with finding vulnerabilities that an attacker may exploit) who managed other pen-testers responsible for breaching the security of victims' computer systems. He specifically created and managed 'issues' on the FIN7 JIRA server related to intrusions of multiple companies, including Victim-7 (an automotive retail and repair chain) and Victim-9 (Sonic Drive-Ins)."
Fedorov's communications on Jabber seem to indicate that he was controlling the data exfiltration panels associated with malware planted on victim company computers and point-of-sale terminals.  

Combi Security 

Although the current indictments only name ten victim companies, the documentation presented by the US Attorney's office makes it clear that more than 100 companies were attacked by FIN7 hackers working for Combi Security.

FIN7 Attacked at least 3600 locations of 100+ US businesses
If you wanted to have a team of the best hackers available, one option would be to recruit people from the dark corners of the Internet, whose names and locations you may not know, and who may have been involved in every sort of trouble.  The other option would be to stand up a cyber security company with offices in Moscow and Haifa, Israel, and advertise for the best-trained White Hat hackers to come work for your Penetration Testing (Pen-Testing) team.  FIN7 did the latter.  Using hackers who applied under their real names, showed credentials and certifications, and were in some cases former employees of their respective governments, Combi Security told its hackers that they had been hired to hack various companies, and those hackers then got to work penetrating systems.

Job ads found on a Ukrainian job board indicate that Combi Security had between 21 and 80 employees.

https://jobs.dou.ua/companies/combi-security/
Google-translation of the ad:

Combi Security is one of the leading international companies in the field of information security. Its headquarters are located in Moscow and Haifa.
We are a team of leading professionals in the field of information security for various organizations working around the world. Our main specialization is a comprehensive audit of projects of any complexity, and the supply of software and hardware.
Our main mission is to ensure the security of your activities, minimize the risks of using information technology. Every appeal to us for help is considered with the utmost thoroughness on an individual basis, offering an optimal solution within the framework of the tasks set and the specific needs expressed.
CombiSecurity.com offered their website in Russian, English, and Hebrew:

Their "Contacts" page listed three addresses and telephone numbers:


  • Moscow, Presnenskaya naberezhnaya 10, block C, tel. +7 (495) 3083827
  • Haifa, 15-A Palyam St. (36 HaAtzmaut St), tel. +972 (4) 6328732
  • Odessa, ul. Uspenskaya 65, office 23, 65011, tel. +38 (048) 7002409
What services did they claim to provide?  Below is their "The Services" page (Google-translated to English), retrieved from Archive.org's Wayback machine entry for CombiSecurity.com:

The services

A properly functioning security service guarantees indispensable stability in the operation of your technologies.
Thanks to the active assistance of our technical experts, all the irregularities in the operation of your devices will certainly be detected, analyzed and eliminated. With our professional support, the disrupted monitoring of the security system will turn into a stable process, managed in accordance with established principles and rules.
We provide services:
Penetration test (Pentest)
  • Technological penetration test.
    This penetration test is conducted to identify existing vulnerabilities in the elements of the IT infrastructure, practical demonstration of the possibility of using vulnerabilities (by the example of the most critical ones) and the formation of recommendations for the removal of identified vulnerabilities.
    A penetration test can be conducted for the perimeter of the corporate network (external test) and for internal resources (internal test). Work can be conducted with notification to administrators and users of the system under test, or without it. During internal testing, both the auditor's laptop and the customer's standard workplace can be used.
    In the testing process, both tools and manual analysis methods are used.
  • Socio-technical penetration test.
    This penetration test is conducted using social engineering techniques. The main purpose of the test is to identify the level of awareness of the Customer's personnel about the requirements for information security. In the process of testing, the response of users and personnel responsible for information security to the organizational methods of penetration used by attackers is determined.
    Methods of social engineering are often used by intruders and are directed, as a rule, to end users. As a result of a successful attack, an attacker can gain control over workstations, obtain confidential Customer documents, use the Customer's resources to organize attacks on the systems of other companies, send out spam, etc.
    The organizational aspects of information security are an important part of the protection system and, often, ordinary users are the weakest link. The given service will allow to reveal those organizational aspects of information security, on which the Customer should pay attention first of all.
    The results obtained during the provision of this service can form the basis for the development of the Security Awareness Program, which is maximally focused on the problem areas identified during the testing. This service can also be useful for checking the effectiveness of the current Customer Awareness Program.
  • Integrated penetration test.
    The complex penetration test comes closest to the real actions of intruders. Using various technical and social-engineering methods, auditors try to bypass existing protective mechanisms in order to fulfill the tasks set by the Customer (escalating privileges, gaining access to confidential information, modifying data in the DBMS, etc.).
    During testing, the approaches described in the sections "Technological penetration test" and "Sociotechnical penetration test" are used, and the security of the customer's wireless networks is assessed.
The result of the work will be a report containing :
  • Methods of testing.
  • Conclusions for management, containing an overall assessment of the level of security.
  • Description of the identified deficiencies of the ISMS.
  • Description of the testing process, with information on all identified vulnerabilities and the results of their exploitation.
  • Recommendations for the elimination of identified vulnerabilities.
Controlling the level of security
Due to the rapid detection of vulnerabilities and the introduction of changes to the network infrastructure, the results of a one-time verification of the level of security of the corporate network quickly lose their relevance. The need for new inspections arises after several months, and in companies with a dynamically developing IT infrastructure and a large-scale representation on the Internet, this period can be weeks or even days.
The emergence of new vulnerabilities, the change in the structure of the network perimeter, the modification of the settings of servers, network equipment and security equipment, all this requires in-depth analysis on the effect on the resistance to external unauthorized influences.
In this regard, Combi Security Company offers to your attention services aimed at constant monitoring of the state of information security. These include:

  • Monitoring the perimeter security of the corporate network
  • Designing and implementing a security management system
  • Development of corporate security policy
Evaluation of the level of security
Penetration testing work is aimed at overcoming existing protective mechanisms, not at a deep assessment of the level of security of a specific information system or technology. The black-box approach of penetration testing often prevents the auditor from detecting some vulnerabilities that are easily found by other methods, for example by analyzing firewall settings.
The work to assess the level of security is aimed at a deep assessment of one or another aspect of information security, or a comprehensive analysis of the entire ISMS in general.
Combi Security offers the following services to assess the level of security of various aspects of information security:

  • Integrated audit of information security
  • Assessing the security of Web applications
  • Analysis of application security on mobile platforms
  • Assessing the security of wireless networks
  • Assessing the effectiveness of the awareness-raising program in the field of information security
  • Raising awareness of users
  • Preparing for audit in accordance with international standards, for example ISO 27001
  • Consultations of experts in the field of IT security
In addition to these services, there is sometimes a need to solve non-standard tasks. If you did not find something that will help you solve the problem before you, you can contact the experts of Combi Security. Perhaps our specialists have already dealt with similar problems.
Our company offers only those services that we can really carry out with very high quality, services where we can fully utilize the rich practical experience of our specialists.