
Domino Effect
Indicators of Compromise
APT Groups
Description of MISP: Groups targeting financial organizations or people with significant financial assets.

Description of Mitre: Carbanak is a threat group that mainly targets banks. It also refers to malware of the same name (Carbanak). It is sometimes referred to as FIN7, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately. [1] [2]

Description of Etda: FIN7 is a financially-motivated threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. They often use point-of-sale malware. A portion of FIN7 was run out of a front company called Combi Security. FIN7 is sometimes referred to as Carbanak or Anunak, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately. The reported arrest was of the mastermind of Carbanak rather than of FIN7; however, security research teams have kept referring to this arrest when reporting on all FIN7 activity since.
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
Implement a strategy to prevent unauthorized data theft, especially as it applies to uploading large amounts of data to legitimate cloud storage platforms that attackers can abuse.
Employ user behavior analytics to identify potential security incidents. When an alert is triggered, assume a breach has taken place. Audit, monitor and quickly act on suspected abuse related to privileged accounts and groups (for example, unexpected additions to highly privileged groups).
Employ multifactor authentication on all remote access points into an enterprise network, with particular care given to securing or disabling Remote Desktop Protocol (RDP) access. Multiple ransomware attacks have been known to exploit weak RDP access to gain initial entry into a network.
Use penetration testing to identify weak points in enterprise networks and vulnerabilities that should be prioritized for patching. In particular, we recommend implementing mitigations for CVE-2019-19781, which multiple threat actors have used to gain initial entry into enterprises in 2020, including for ransomware attacks. In addition, consider prioritizing the immediate remediation, as applicable, of the following frequently exploited software vulnerabilities:
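The first three recommendations above (bulk uploads to cloud storage, abuse of privileged groups, and RDP reachable from outside the network) are each something a detection engineer can turn into a concrete rule. The following is an added example written for this page, not code from the original source or from any vendor: it runs three such rules over constructed sample logs. The proxy-log format (timestamp, user, destination host, method, bytes out), the firewall-log format (source, destination, port, action), the event-dictionary fields, the list of cloud storage domains and the 1 GiB per hour threshold are all assumptions chosen for the example; adapt them to the log sources you actually have.

```python
"""Three detection rules matching the campaign guidance, run over constructed sample logs."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# --- Rule 1: large uploads to legitimate cloud storage -------------------------------
# Constructed proxy log. Assumed format: "<iso timestamp> <user> <dst host> <method> <bytes out>"
PROXY_LOG = """\
2020-03-01T09:00:00 alice drive.google.com POST 524288000
2020-03-01T09:05:00 alice drive.google.com POST 734003200
2020-03-01T09:20:00 bob   www.dropbox.com  GET  1024
2020-03-01T10:00:00 bob   mega.nz          PUT  2147483648
2020-03-01T11:00:00 carol intranet.corp    POST 3221225472
"""
# Assumed watch-list of consumer storage services (extend from your proxy categories).
CLOUD_STORAGE_DOMAINS = {"drive.google.com", "www.dropbox.com", "mega.nz", "onedrive.live.com"}
UPLOAD_THRESHOLD_BYTES = 1 * 1024 ** 3          # 1 GiB per user per window (assumption)
WINDOW = timedelta(hours=1)

def cloud_upload_alerts(log=PROXY_LOG, threshold=UPLOAD_THRESHOLD_BYTES, window=WINDOW):
    """Users whose uploads (POST/PUT) to watched domains exceed `threshold` bytes in any `window`.
    Returns {user: largest_window_total}. Downloads and internal hosts are ignored."""
    uploads = defaultdict(list)                  # user -> [(timestamp, bytes_out)]
    for line in log.splitlines():
        ts, user, host, method, nbytes = line.split()
        if host in CLOUD_STORAGE_DOMAINS and method in ("POST", "PUT"):
            uploads[user].append((datetime.fromisoformat(ts), int(nbytes)))
    alerts = {}
    for user, events in uploads.items():
        events.sort()
        start = 0                                # sliding window over time-ordered events
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            total = sum(b for _, b in events[start:end + 1])
            if total > threshold:
                alerts[user] = max(alerts.get(user, 0), total)
    return alerts

# --- Rule 2: additions to privileged groups -------------------------------------------
# Constructed Windows Security events, reduced to the fields the rule needs (assumed shape).
# 4728/4732/4756 = member added to a security-enabled global/local/universal group.
SECURITY_EVENTS = [
    {"EventID": 4728, "Group": "Domain Admins", "Member": "CORP\\svc_backup", "Actor": "CORP\\jdoe"},
    {"EventID": 4732, "Group": "Remote Desktop Users", "Member": "CORP\\temp01", "Actor": "CORP\\helpdesk"},
    {"EventID": 4624, "Group": None, "Member": None, "Actor": "CORP\\alice"},   # a logon, not a group change
    {"EventID": 4756, "Group": "Enterprise Admins", "Member": "CORP\\attacker", "Actor": "CORP\\jdoe"},
]
GROUP_ADD_EVENT_IDS = {4728, 4732, 4756}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Remote Desktop Users"}

def privileged_group_alerts(events=SECURITY_EVENTS):
    """(actor, member, group) for every addition to a group on the privileged watch-list."""
    return [(e["Actor"], e["Member"], e["Group"]) for e in events
            if e["EventID"] in GROUP_ADD_EVENT_IDS and e["Group"] in PRIVILEGED_GROUPS]

# --- Rule 3: RDP accepted from outside the enterprise ---------------------------------
# Constructed firewall log. Assumed format: "<src ip> <dst ip> <dst port> <action>".
# Documentation addresses (203.0.113.x, 192.0.2.x, 198.51.100.x) stand in for Internet sources.
FIREWALL_LOG = """\
203.0.113.7   10.0.0.5  3389 ACCEPT
10.0.0.9      10.0.0.5  3389 ACCEPT
198.51.100.22 10.0.0.5  3389 DENY
192.0.2.44    10.0.0.8  3389 ACCEPT
"""
# Explicit RFC 1918 check: ipaddress.is_private also treats documentation ranges as private,
# which would hide the sample external sources above.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    return any(ip_address(ip) in net for net in RFC1918)

def external_rdp_accepts(log=FIREWALL_LOG):
    """(src, dst) pairs where RDP (3389) was accepted from a non-RFC 1918 source."""
    hits = []
    for line in log.splitlines():
        src, dst, port, action = line.split()
        if port == "3389" and action == "ACCEPT" and not is_internal(src):
            hits.append((src, dst))
    return hits

if __name__ == "__main__":
    print("cloud upload alerts:", cloud_upload_alerts())
    print("privileged group changes:", privileged_group_alerts())
    print("external RDP accepts:", external_rdp_accepts())
```

Rule 1 measures volume per user within a sliding window rather than per request, because staged exfiltration usually arrives as many moderate uploads; rule 3 tests RFC 1918 membership explicitly since Python's `is_private` also classifies the IANA documentation ranges as private. In production, the thresholds should be tuned against a baseline of normal uploads, and rule 2 should also cover removals and the equivalent events for distribution and directory-service groups as the guidance's "audit, monitor" step implies.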