digraph {
label=<FIN13 Case 1
Attack by FIN13 against a Latin American bank
Author: Mia Sanchez <msanschez@mitre.org>
Created: 2022-10-27 02:44:54.520000+00:00
Modified: 2024-01-24 15:57:07.127000+00:00>;
labelloc="t";
"attack-action--06617ed8-35b6-42e2-9f14-99e97f57b78f" [label=<
Action: T1595.002 | |
Name | Vulnerability Scanning |
Description | The attacker scanned the perimeter of the victim looking for vulnerable webservices. |
Confidence | Very Probable |
Action: T1190 | |
Name | Exploit Public-Facing Application |
Description | Exploited a vulnerability in the Oracle WebLogic server by passing malicious content via POST requests to the AsyncResponseServiceHttps web page, and executed commands |
Confidence | Very Probable |
Action: T1595 | |
Name | Active Scanning |
Description | Scanned the targeted web server again. |
Confidence | Very Probable |
Infrastructure | |
Name | IP Address |
Description | The attacker used IP address 185.193.126.22 to scan the perimeter network and later again to scan the target web server. |
Infrastructure Types | Reconnaissance |
First Seen | 2021-03-01 00:00:00+00:00 |
Tool | |
Name | Nmap |
Tool Types | Information-gathering |
Infrastructure | |
Name | IP Address |
Description | 187.177.170.111 |
Infrastructure Types | Command-and-control |
First Seen | 2021-06-01 00:00:00+00:00 |
Action: T1505.003 | |
Name | Web Shell |
Description | Uploaded and accessed a webshell |
Confidence | Very Probable |
Vulnerability | |
Name | CVE-2019-2729 |
Description | Oracle WebLogic Server Deserialization RCE (aka object injection vulnerability) - user-controllable data is deserialized by a website, allowing an attacker to pass harmful data into an application. This vulnerability is exploitable without authentication. |
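The T1190 and T1505.003 entries above (POST requests to AsyncResponseServiceHttps, then the .weblog.jsp webshell) leave a recognisable sequence in the web server's access log. The detection below is an added example written for this page; it is not code from the Attack Flow, from FIN13, or from the report the flow summarises. The log lines are constructed; the /_async/ path prefix, the /wls-wsat/ directory and the status codes are assumptions, while 185.193.126.22 is the scanner address given in the flow.

```python
"""Spot CVE-2019-2729-style WebLogic exploitation followed by webshell use in
Combined Log Format access logs. Added example; log lines are constructed."""
import re
from collections import defaultdict

# host ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The async web-service endpoints are the delivery vector for CVE-2019-2729
# (AsyncResponseService, AsyncResponseServiceHttps, ...); the /_async/ prefix is assumed.
ASYNC_ENDPOINT = re.compile(r"/_async/AsyncResponseService", re.IGNORECASE)
# Webshell name taken from the flow; its directory in the sample is made up.
WEBSHELL_NAME = re.compile(r"/\.weblog\.jsp$", re.IGNORECASE)
KNOWN_SCANNERS = {"185.193.126.22"}      # reconnaissance IP from the flow

SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2021:10:00:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 5120
185.193.126.22 - - [01/Mar/2021:10:03:14 +0000] "GET /_async/AsyncResponseService HTTP/1.1" 200 1893
185.193.126.22 - - [01/Mar/2021:10:03:20 +0000] "POST /_async/AsyncResponseServiceHttps HTTP/1.1" 202 0
185.193.126.22 - - [01/Mar/2021:10:03:22 +0000] "POST /_async/AsyncResponseServiceHttps HTTP/1.1" 202 0
185.193.126.22 - - [01/Mar/2021:10:04:01 +0000] "GET /wls-wsat/.weblog.jsp?cmd=whoami HTTP/1.1" 200 311
10.0.0.5 - - [01/Mar/2021:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""


def classify(ip, method, path):
    """Return the reason a request is interesting, or None."""
    if method == "POST" and ASYNC_ENDPOINT.search(path):
        # The async endpoints exist for WebLogic's own callbacks; an external
        # POST here is how the serialized payload reaches the vulnerable deserializer.
        return "post-to-async-endpoint"
    if WEBSHELL_NAME.search(path.split("?", 1)[0]):
        return "webshell-access"
    if ip in KNOWN_SCANNERS:
        return "known-scanner-ip"
    return None


def scan_access_log(text):
    """Return (events, per_ip): events is [(ip, timestamp, reason)] in log order,
    per_ip counts flagged requests per source address."""
    events, per_ip = [], defaultdict(int)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify(m["ip"], m["method"], m["path"])
        if reason:
            events.append((m["ip"], m["ts"], reason))
            per_ip[m["ip"]] += 1
    return events, dict(per_ip)


def exploit_chains(events):
    """Sources that POSTed to the async endpoint and later touched the webshell:
    the T1190 -> T1505.003 sequence in the flow, in that order."""
    posted, chained = set(), set()
    for ip, _ts, reason in events:
        if reason == "post-to-async-endpoint":
            posted.add(ip)
        elif reason == "webshell-access" and ip in posted:
            chained.add(ip)
    return sorted(chained)


if __name__ == "__main__":
    evts, counts = scan_access_log(SAMPLE_LOG)
    for e in evts:
        print(*e)
    print("exploit-then-webshell:", exploit_chains(evts))
```

The order check in exploit_chains matters: a GET of the webshell path before any POST to the async endpoint is more likely a scanner guessing filenames than a successful deployment, so only the exploit-then-webshell sequence is promoted to a chain.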
Action: T1046 | |
Name | Network Service Discovery |
Description | Attempted to reconnoitre the DMZ segment in which the compromised web server was operating. |
Confidence | Very Probable |
Action: T1105 | |
Name | Ingress Tool Transfer |
Description | Uploaded a zip archive of tools for various operating systems onto the compromised web server via the webshell |
Confidence | Very Probable |
Tool | |
Name | Zip File of Tools |
Description | The zip archive contained: BlueAgave (PowerShell HTTP Bind Shell), a Perl version of BlueAgave, PHP webshell, Java Database browser, PortHole (Java Scanner), RawCap (Java packet capture tool), SpinOff SQL Browser, Latchkey (Powersploit script to dump the lsass.exe process) |
Tool Types | network-capture, exploitation, remote-access, credential-exploitation |
Action | |
Name | Defense Evasion |
Description | To avoid detection, the attacker halted activity for about a week |
Confidence | Very Probable |
Action | |
Name | Lateral Movement |
Description | Attacker used a credential shared with the Zabbix server to move laterally. |
Confidence | Very Probable |
Action: T1505.003 | |
Name | Web Shell |
Description | Implanted a WSO PHP webshell on the Zabbix server. |
Confidence | Very Probable |
Action: T1505.003 | |
Name | Web Shell |
Description | Attacker dropped a BlueAgave Perl webshell, configured on port 65510 |
Confidence | Very Probable |
Action: T1222 | |
Name | File and Directory Permissions Modification |
Description | Viewed folders and modified permissions to the "/srv/www/htdocs/gif" folder. |
Confidence | Very Probable |
Action: T1033 | |
Name | System Owner/User Discovery |
Description | Enumerated the environment by running "whoami." |
Confidence | Very Probable |
Action: T1555 | |
Name | Credentials from Password Stores |
Description | Viewed the "/etc/shadow" file on the Zabbix server. |
Confidence | Very Probable |
Condition | |
Description | Gained control of the Zabbix server |
Action: T1595.001 | |
Name | Active Scanning: Scanning IP Blocks |
Description | Attacker launched massive ping sweeps against private subnets. |
Confidence | Very Probable |
Condition | |
Description | Machine responds to the ping sweep |
Action: T1570 | |
Name | Lateral Tool Transfer |
Description | PortHole was used to probe the first 10,000 TCP ports of any machine that responded to the ping sweep |
Confidence | Very Probable |
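The two steps above (a ping sweep across private subnets, then PortHole probing the first 10,000 TCP ports of every responder) are loud on the wire, and both fall out of netflow or firewall connection logs with a sliding-window count. The detector below is an added example written for this page, not code from the Attack Flow or the report it summarises; the flow records, the 10.10.20.0/24 DMZ addressing, the Zabbix server address 10.10.20.15 and the thresholds are all constructed.

```python
"""Sliding-window detection of ICMP ping sweeps and per-host TCP port scans from
flow records. Added example; the flows are constructed in build_sample_flows()."""
import ipaddress
from collections import defaultdict

SWEEP_HOSTS = 20    # distinct destinations hit by ICMP echo from one source
SCAN_PORTS = 50     # distinct TCP ports tried on one destination from one source
WINDOW = 60         # seconds


def build_sample_flows():
    """Constructed flow records: (epoch_seconds, src, dst, proto, dport)."""
    flows = []
    t = 1_622_505_600                # 2021-06-01 00:00:00 UTC, constructed
    zabbix = "10.10.20.15"           # assumed address of the compromised Zabbix server
    # T1595.001: ping sweep of a backend subnet, one host per second
    for i, host in enumerate(ipaddress.ip_network("10.10.30.0/26").hosts()):
        flows.append((t + i, zabbix, str(host), "icmp", 0))
    # PortHole-style scan of the host that answered; the real tool walked the
    # first 10,000 ports, the sample stops at 120 to stay small
    for p in range(1, 121):
        flows.append((t + 70 + p // 10, zabbix, "10.10.30.7", "tcp", p))
    # benign background traffic
    flows.append((t + 5, "10.10.20.40", "10.10.30.7", "tcp", 443))
    flows.append((t + 6, "10.10.20.40", "10.10.30.8", "icmp", 0))
    return flows


def detect_scans(flows, window=WINDOW):
    """Return [(kind, src, detail, first_ts)], one alert per (kind, src[, dst])."""
    alerts, fired = [], set()
    icmp_by_src = defaultdict(list)     # src -> [(ts, dst)]
    tcp_by_pair = defaultdict(list)     # (src, dst) -> [(ts, dport)]
    for ts, src, dst, proto, dport in sorted(flows):
        if proto == "icmp":
            hist = icmp_by_src[src]
            hist.append((ts, dst))
            hist[:] = [h for h in hist if ts - h[0] <= window]   # drop old entries
            distinct = {d for _, d in hist}
            if len(distinct) >= SWEEP_HOSTS and ("sweep", src) not in fired:
                fired.add(("sweep", src))
                alerts.append(("ping-sweep", src, f"{len(distinct)} hosts", hist[0][0]))
        elif proto == "tcp":
            hist = tcp_by_pair[(src, dst)]
            hist.append((ts, dport))
            hist[:] = [h for h in hist if ts - h[0] <= window]
            ports = {p for _, p in hist}
            if len(ports) >= SCAN_PORTS and ("scan", src, dst) not in fired:
                fired.add(("scan", src, dst))
                alerts.append(("port-scan", src, f"{dst}: {len(ports)} ports", hist[0][0]))
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(build_sample_flows()):
        print(*alert)
```

Counting distinct destinations and distinct ports, rather than raw packets, keeps a chatty monitoring server such as Zabbix itself (many packets to a fixed set of hosts and ports) from tripping the thresholds; the window prevents a slow scan spread over days from accumulating, which is a deliberate trade-off to revisit if the actor is known to throttle.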
Condition | |
Description | Identified Domain Controller through scan of the Backend DMZ Lan and waited 1 week to attack the AD server |
Action: T1570 | |
Name | Lateral Tool Transfer |
Description | Transferred additional tools to the Zabbix server from the WebLogic server |
Confidence | Very Probable |
Tool | |
Name | Transferred Tools |
Description | Malicious tools found on the Zabbix server: 65.txt (Perl webshell), chart10.php (webshell), p.txt (Java port scanner), pr64.zip (procdump64), bi.txt (Perl bind shell), s0b.j (JAR that queries databases), str-isis.txt (JDBC connection/credential info), jtds-1.2.1.jar (likely a JDBC driver), and str-bio.txt (JDBC connection/credential info) |
Tool Types | remote-access, information-gathering, exploitation, credential-exploitation |
Action: T1210 | |
Name | Exploitation of Remote Services |
Description | Attacker moved laterally from the Zabbix server to the Oracle Identity Manager server (in the DMZ) |
Confidence | Very Probable |
Action: T1003 | |
Name | OS Credential Dumping |
Description | Attacker dumped credentials for the sysadmin account used by the IAM service |
Confidence | Very Probable |
Action: T1040 | |
Name | Network Sniffing |
Description | Sniffed credentials passed by the IAM service to the DMZ servers. |
Confidence | Very Probable |
Tool | |
Name | RawCap |
Description | The attacker installed the Java capture tool RawCap to sniff credentials. |
Tool Types | credential-exploitation |
Condition | |
Description | Attacker intercepted additional domain and local passwords. |
Action | |
Name | Lateral Movement |
Description | Moved laterally to the Backweb server |
Confidence | Very Probable |
Action: T1558.003 | |
Name | Kerberoasting |
Description | Attacker used Kerberoasting technique to collect the ticket from system memory and crack offline to obtain credentials. |
Confidence | Very Probable |
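Kerberoasting, as described in the entry above, shows up on the domain controller as Event ID 4769 (service ticket requested) with an RC4 encryption type (0x17) for user-type service accounts, typically several distinct ones from one client in a short span. The detector below is an added example written for this page, not code from the Attack Flow or the report it summarises. The events are constructed; sqlservice and sqlinstall are accounts named in the flow, while BANK.LOCAL, svc_monitor, svc_backup, BACKWEB$ and the client addresses are assumptions.

```python
"""Detect Kerberoasting (T1558.003) from Windows 4769 events: RC4 service
tickets for several distinct user-type SPN accounts requested by one client.
Added example; the events below are constructed."""
from collections import defaultdict

RC4_TYPES = {"0x17", "0x18"}    # RC4-HMAC and RC4-HMAC-EXP
BURST = 3                       # distinct service accounts from one client in the window
WINDOW = 300                    # seconds

# Field names follow the 4769 event XML; values are constructed.
SAMPLE_4769 = [
    {"ts": 1633046400, "TargetUserName": "svc_monitor@BANK.LOCAL", "ServiceName": "sqlservice",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.20.77", "Status": "0x0"},
    {"ts": 1633046401, "TargetUserName": "alice@BANK.LOCAL", "ServiceName": "sqlservice",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.20.50", "Status": "0x0"},
    {"ts": 1633046402, "TargetUserName": "svc_monitor@BANK.LOCAL", "ServiceName": "sqlinstall",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.20.77", "Status": "0x0"},
    {"ts": 1633046403, "TargetUserName": "svc_monitor@BANK.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.20.77", "Status": "0x0"},
    {"ts": 1633046404, "TargetUserName": "svc_monitor@BANK.LOCAL", "ServiceName": "BACKWEB$",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.20.77", "Status": "0x0"},
    {"ts": 1633046405, "TargetUserName": "svc_monitor@BANK.LOCAL", "ServiceName": "svc_nosuch",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.20.77", "Status": "0x7"},
]


def is_roastable_request(e):
    """RC4 ticket, successfully issued, for a user account (not a computer or krbtgt)."""
    svc = e["ServiceName"]
    if e["Status"] != "0x0" or e["TicketEncryptionType"] not in RC4_TYPES:
        return False
    # Computer accounts and the TGT service hand out RC4 tickets routinely on
    # many domains; their long random passwords make them useless to crack anyway.
    return not svc.endswith("$") and svc.lower() != "krbtgt"


def detect_kerberoast(events, burst=BURST, window=WINDOW):
    """Return one alert per burst: {client, requester, services, first_ts}."""
    by_client = defaultdict(list)   # client IP -> [(ts, service, requester)]
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if not is_roastable_request(e):
            continue
        client = e["IpAddress"]
        hist = by_client[client]
        hist.append((e["ts"], e["ServiceName"], e["TargetUserName"]))
        hist[:] = [h for h in hist if e["ts"] - h[0] <= window]
        distinct = {s for _, s, _ in hist}
        if len(distinct) >= burst:
            alerts.append({"client": client, "requester": e["TargetUserName"],
                           "services": sorted(distinct), "first_ts": hist[0][0]})
            by_client[client] = []   # one alert per burst
    return alerts


if __name__ == "__main__":
    for a in detect_kerberoast(SAMPLE_4769):
        print(a)
```

On a domain where AES is enforced for service accounts, a single RC4 4769 for a user-type SPN is already worth a look, so the burst threshold can be lowered to 1; on mixed domains the burst and the distinct-service count are what separate Kerberoasting from normal ticket traffic.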
Infrastructure | |
Name | IP Address |
Description | The attacker used external IP addresses to access Backweb server |
Infrastructure Types | command-and-control |
Action: T1505.003 | |
Name | Web Shell |
Description | The decoded PowerShell payload is another PowerShell HTTP bind shell, similar to BlueAgave, listening on port 65512 |
Confidence | Very Probable |
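The bind shells in this flow (the Perl BlueAgave variant on port 65510, the PowerShell HTTP bind shell on 65512, and the marker file 65510 the attacker checked for in /dev/shm) share a simple host-level signature: an interpreter owning a listening socket in the ephemeral port range. The check below is an added example for Linux hosts such as the Zabbix server, written for this page and not taken from the Attack Flow or the report; the `ss -tlnp` output and the /dev/shm listing are constructed, and the per-host port allowlist is an assumption.

```python
"""Flag bind-shell style listeners on a Linux host from `ss -tlnp` output and a
/dev/shm listing. Added example; both inputs below are constructed."""
import re

SS_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)
# Interpreters that should not normally own a listening socket on a server.
INTERPRETERS = {"perl", "python", "python3", "php", "bash", "sh", "nc", "ncat", "pwsh"}
# Per-host allowlist (assumed); 10050/10051 are the Zabbix agent/server ports.
EXPECTED_PORTS = {22, 80, 443, 10050, 10051}
EPHEMERAL_START = 49152      # listeners up here are rarely legitimate services

SS_SAMPLE = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     *:80                 *:*                users:(("apache2",pid=1120,fd=4))
LISTEN  0       128     0.0.0.0:10050        0.0.0.0:*          users:(("zabbix_agentd",pid=1300,fd=5))
LISTEN  0       5       0.0.0.0:65510        0.0.0.0:*          users:(("perl",pid=24811,fd=3))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=990,fd=6))
"""
SHM_SAMPLE = ["65510", "pulse-shm-1012"]    # output of `ls /dev/shm`, constructed


def parse_listeners(ss_output):
    """Yield one dict per LISTEN line; the header and non-matching lines are skipped."""
    for line in ss_output.splitlines():
        m = SS_RE.match(line)
        if m:
            yield {"addr": m["addr"], "port": int(m["port"]),
                   "proc": m["proc"], "pid": int(m["pid"])}


def suspicious_listeners(ss_output, shm_names):
    """Return listeners outside the allowlist that have at least one reason to inspect."""
    findings = []
    shm = set(shm_names)
    for l in parse_listeners(ss_output):
        if l["port"] in EXPECTED_PORTS:
            continue
        reasons = []
        if l["proc"] in INTERPRETERS:
            reasons.append("interpreter-owned-listener")
        if l["port"] >= EPHEMERAL_START:
            reasons.append("ephemeral-range-listener")
        if str(l["port"]) in shm:
            # The flow records the attacker checking for a file named 65510 in /dev/shm,
            # i.e. the Perl shell keeps a marker named after its port.
            reasons.append("shm-marker-file")
        if reasons:
            findings.append({**l, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_listeners(SS_SAMPLE, SHM_SAMPLE):
        print(f["pid"], f["proc"], f["addr"], f["port"], ", ".join(f["reasons"]))
```

Run against live output with `ss -tlnp` as root (process names are hidden for other users' sockets otherwise), and treat a hit with all three reasons as high confidence; a lone "ephemeral-range-listener" is common for things like RPC and deserves an allowlist entry rather than an alert.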
Action: T1595.001 | |
Name | Scanning IP Blocks |
Description | Scanned internal subnets looking for additional servers |
Confidence | Very Probable |
Condition | |
Description | Identified a cluster of RSA SecurID servers |
Action: T1110 | |
Name | Brute Force |
Description | Attacker attempted to access the RSA servers over SSH using previously stolen service accounts and dictionary-based access attempts |
Confidence | Very Probable |
Action: T1005 | |
Name | Data from Local System |
Description | The attackers dumped the database containing the SecurID token serials with the corresponding end-user accounts |
Confidence | Very Probable |
Action: T1111 | |
Name | Multi-Factor Authentication Interception |
Description | Attacker harvested token serials from the database and collected the daily token transactions, which a scripted storage procedure kept in clear text inside a service account folder |
Confidence | Very Probable |
Condition | |
Description | Attacker activated the token recovery procedure for bank users |
Action: T1078 | |
Name | Valid Accounts |
Description | Attacker logged into the bank users' accounts |
Confidence | Very Probable |
Action | |
Name | Fraud |
Description | Attacker transferred money from the online banking system |
Confidence | Very Probable |
Threat Actor | |
Name | FIN13 |
Description | FIN13 is a financially-motivated actor primarily focusing on Latin America with activity stretching back to early 2016. FIN13 has a history of highly localized targeting against the financial, retail, and hospitality industries. |
Threat Actor Types | Crime-syndicate |
Aliases | Elephant Beetle, TG2003 |
First Seen | 2016-01-01 00:00:00+00:00 |
Roles | Director |
Goals | financially-motivated and targeting Latin American organizations in financial, retail, and hospitality industries |
Sophistication | Advanced |
Resource Level | Team |
Primary Motivation | organizational-gain |
Campaign | |
Name | FIN13 Case 1 |
Description | This attack began in March 2021 and targeted a Latin American bank. After exploiting the system, the attackers committed fraud between Sept-Oct 2021, impacting hundreds of accounts and stealing a significant amount of money. |
First Seen | 2021-03-01 00:00:00+00:00 |
Last Seen | 2021-10-01 00:00:00+00:00 |
Objective | stealing money for financial gain |
Asset: Oracle Web Server | |
Description | Exposed server running a vulnerable version of WebLogic |
Condition | |
Description | Discovered a vulnerable web server - Oracle WebLogic |
Condition | |
Description | Discovered a DMZ monitoring server, Auth server, and DMZ DNS server |
Infrastructure | |
Name | web server |
Description | The compromised web server was used to stage malicious executables for the attacker |
Infrastructure Types | hosting-malware |
Condition | |
Description | Attacker accessed the webshell again |
Asset: Zabbix server | |
Description | DMZ monitoring service |
Vulnerability | |
Name | Firewall Misconfiguration |
Description | A misconfigured firewall allowed the attacker to make the webshell reachable from the Internet by publishing it on a public IP in the victim's IPv4 address space on TCP/80 |
Action: T1070.002 | |
Name | Clear Linux or Mac System Logs |
Description | Attackers viewed the contents of the /var/log/apache2/ folder and removed entries from the access logs |
Confidence | Very Probable |
Condition | |
Description | Attacker checked for file 65510 in /dev/shm |
Tool | |
Name | PortHole |
Description | Java-based port scanner |
Tool Types | information-gathering |
Vulnerability | |
Name | CWE-309 |
Description | Use of Password System for Primary Authentication - the Zabbix root password was also the password for the Oracle Identity Manager server |
Asset: Oracle Identity Manager server | |
Description |
Action: T1021.004 | |
Name | SSH |
Description | Attacker used SSH to access the Oracle IAM server administrative UI |
Confidence | Very Probable |
Action: T1005 | |
Name | Data from Local System |
Description | Attacker dumped the IAM local database of accounts allowing them to find domain accounts |
Confidence | Very Probable |
Action: T1070.004 | |
Name | Indicator Removal on Host: File Deletion |
Description | Attacker deleted RawCap output files and the RawCap tool |
Confidence | Very Probable |
Asset: Backweb server | |
Description | an internal web portal including domain accounts |
Condition | |
Description | Attacker logged on to the Backweb server |
Action: T1570 | |
Name | Lateral Tool Transfer |
Description | Attacker copied pr64.zip to the Backweb server |
Confidence | Very Probable |
Tool | |
Name | pr64.zip |
Description | renamed procdump |
Tool Types | credential-exploitation |
Action: T1078.003 | |
Name | Valid Accounts: Local Accounts |
Description | Attacker accessed the Backweb server using customasp local user account |
Confidence | Very Probable |
Action: T1059.001 | |
Name | PowerShell |
Description | Attacker created a service and initialized it with an obfuscated PowerShell payload |
Confidence | Very Probable |
Tool | |
Name | PowerShell HTTP BindShell |
Tool Types | remote-access |
Action: T1570 | |
Name | Lateral Tool Transfer |
Description | Attacker left several files in "Windows\\Temp" directory, such as the Java scanner |
Confidence | Very Probable |
Tool | |
Name | Java Scanner |
Tool Types | information-gathering |
Action: T1590 | |
Name | Gather Victim Network Information |
Description | Attacker enumerated databases in the same network segment as the RSA servers |
Confidence | Very Probable |
Condition | |
Description | Attacker switched tactics to access SecurID server |
Action: T1595 | |
Name | Active Scanning |
Description | Attacker scanned for MS-SQL servers |
Confidence | Very Probable |
Action: T1570 | |
Name | Lateral Tool Transfer |
Description | Attacker moved several tools to the Backweb server |
Confidence | Very Probable |
Tool | |
Name | Added tools |
Description | s0b.j, str-isis.txt, jtds-1.2.1.jar, str-bio.txt |
Tool Types | exploitation |
Tool | |
Name | s0b.j |
Description | Accepts base64 encoded SQL queries and uses a configuration file that contains the connection string and credentials of the target database server |
Tool Types | exploitation |
Condition | |
Description | Using s0b.j, attacker accessed multiple databases, including a database storing the SecurID token serials with corresponding end-user accounts |
Action: T1021.001 | |
Name | Remote Desktop Protocol |
Description | Attacker accessed the Backweb server again multiple times using RDP and the sqlservice and sqlinstall accounts |
Confidence | Very Probable |
Asset: service account folder | |
Description |
Url | |
Value | AsyncResponseServiceHttps |
Defanged | False |
Malware | |
Name | .weblog.jsp |
Description | a JSP-based RAT that can manipulate files and directories and run arbitrary Windows commands |
Malware Types | webshell, remote-access-trojan, trojan |
Is Family | False |
Capabilities | communicates-with-c2, probes-network-environment, installs-other-components |
Asset: DMZ segment | |
Description |
Asset: Auth server | |
Description |
Asset: monitoring server | |
Description |
Asset: DMZ DNS server | |
Description |
Note | |
Content | The report does not specify how or when the attackers got the common credential, but I assume it is with one of the tools uploaded in the zip file. |
Authors | Lauren Parker |
Object Refs | attack-action--8054a193-34be-4318-89c8-7967252f0e0f |
Malware | |
Name | WSO PHP webshell |
Malware Types | webshell |
Is Family | False |
Capabilities | communicates-with-c2, escalates-privileges, exfiltrates-data, infects-files, installs-other-components, fingerprints-host, steals-authentication-credentials |
File | |
Name | /etc/shadow |
Defanged | False |
Process | |
Command Line | whoami |
Defanged | False |
Directory | |
Path | /srv/www/htdocs/gif |
Defanged | False |
Directory | |
Path | /var/log/apache2/ |
Defanged | False |
File | |
Name | 65510 |
Defanged | False |
Directory | |
Path | /dev/shm |
Defanged | False |
Malware | |
Name | 65.txt |
Description | BlueAgave Perl webshell placed on the Zabbix Server |
Malware Types | webshell, trojan |
Is Family | False |
Capabilities | communicates-with-c2, exfiltrates-data, probes-network-environment |
Note | |
Content | Several txt files were found in the unallocated address space of the Zabbix machine that were outputs from these scanning attempts |
Authors | Lauren Parker |
Object Refs | attack-action--273407ed-343c-4dce-849e-68a96326f8fb |
Asset: Oracle IAM server administrative UI | |
Description |
Asset: domain accounts | |
Description |
User Account | |
Account Type | windows-local |
Display Name | customasp |
Defanged | False |
Ipv4 Addr | |
Value | 179.6.92.161 |
Defanged | False |
Directory | |
Path | Windows\\Temp |
Defanged | False |
Asset: RSA SecurID servers | |
Description |
File | |
Name | /var/log/btmp |
Defanged | False |
Note | |
Content | showed the failed SSH connection attempts, indicating dictionary-based access attempts |
Authors | Lauren Parker |
Object Refs | file--5a85bc98-f407-4aa6-b34d-5f08a2ed1960 |
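The brute-force entry (T1110, dictionary-based access attempts against the RSA SecurID servers) and the /var/log/btmp file noted above are two views of the same evidence: btmp is the binary record of failed logins that `lastb` reads. The parser and detector below are an added example written for this page, not code from the Attack Flow or the report it summarises. They assume the glibc x86_64 utmp layout and build a constructed btmp file inline; sqlservice and sqlinstall are accounts from the flow, while the source addresses, the other usernames and the timestamps are made up.

```python
"""Parse /var/log/btmp (failed logins) and find dictionary attacks. Added example;
the btmp bytes are constructed in build_sample_btmp()."""
import struct
from collections import defaultdict

# glibc struct utmp on x86_64: 384 bytes, little-endian, with 2 padding bytes
# after ut_type and 20 reserved bytes at the end.
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)       # 384
LOGIN_PROCESS = 6


def make_record(user, host, ts, ut_type=LOGIN_PROCESS):
    """One btmp record in the shape OpenSSH writes for a failed login
    (ut_line "ssh:notty"); used here only to construct sample input."""
    return struct.pack(UTMP_FMT, ut_type, 0, b"ssh:notty", b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)


def parse_btmp(data):
    """Yield (tv_sec, user, host) for each complete record; a trailing partial
    record (truncated file) is ignored rather than mis-parsed."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        user = f[4].split(b"\0", 1)[0].decode("utf-8", "replace")
        host = f[5].split(b"\0", 1)[0].decode("utf-8", "replace")
        yield f[9], user, host


def dictionary_attacks(data, threshold=10, window=600):
    """{host: {"count": total failures, "users": names tried}} for every source
    that reached `threshold` failures inside any `window`-second span."""
    by_host = defaultdict(list)
    for ts, user, host in sorted(parse_btmp(data)):
        by_host[host].append((ts, user))
    findings = {}
    for host, attempts in by_host.items():
        for i, (ts, _) in enumerate(attempts):
            recent = [u for t, u in attempts[i:] if t - ts <= window]
            if len(recent) >= threshold:
                findings[host] = {"count": len(attempts), "users": sorted(set(recent))}
                break
    return findings


def build_sample_btmp():
    """Constructed: 12 rapid failures from one DMZ host cycling four usernames,
    plus two unrelated failures an hour apart from another host."""
    base = 1_630_454_400     # 2021-09-01 00:00:00 UTC
    users = ["sqlservice", "sqlinstall", "root", "admin"]
    recs = [make_record(users[i % 4], "10.10.20.15", base + 5 * i) for i in range(12)]
    recs.append(make_record("alice", "10.10.20.40", base + 100))
    recs.append(make_record("alice", "10.10.20.40", base + 3700))
    return b"".join(recs)


if __name__ == "__main__":
    # On a real host: with open("/var/log/btmp", "rb") as fh: data = fh.read()
    data = build_sample_btmp()
    for host, info in dictionary_attacks(data).items():
        print(host, info["count"], "failures, users tried:", ", ".join(info["users"]))
```

Reading btmp directly rather than shelling out to `lastb` matters during response: the attacker in this case removed Apache access-log entries, and a parser that works from a forensic copy of the file (or from a 32-bit layout, by swapping UTMP_FMT) is independent of the tooling on the compromised host. The ut_host field is whatever sshd recorded, so an attacker pivoting through the Zabbix server shows up under that server's address, which is exactly the lateral-movement picture the flow describes.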
File | |
Name | srt*.txt |
Defanged | False |
User Account | |
Display Name | sqlservice |
Defanged | False |
User Account | |
Display Name | sqlinstall |
Defanged | False |
Asset: token serials | |
Description |
Asset: daily token transactions | |
Description |
User Account | |
Account Type | windows-domain |
Display Name | sysadmin |
Defanged | False |