Visa Exploitation Gang Exposed!!!

FireEye dubbed gang name, FIN5, has been causing headaches by obtaining valid user credentials to exploit their targets.  They created their own malware dubbed RawPOS used to target point of sale machines.  In existence since 2008, FIN5, used target organizations Remote Desktop Protocols, Virtual Private Networks, Citrix, or VNC to gain access to their targets.  All of these things deal with networking computers in some form or another.  The interesting thing about this group is that they don’t use spearphishing or remote exploits.

One tool they use is the GET2 Penetrator.  This is a tool that searches, using brute force, for credentials.  These credentials can be hardcoded or remote access. They also use EssentialNet.  EssentialNet is free tool that scans networks for layouts.  As for the RawPOS malware it contains several components.   Duebrew keeps the malware installed on the machine.  FiendCry scrapes memory to steal credit card data.  Driftwood hides the stolen data from analysis tools.

This software works on a multitude of POS systems and is coded to evolve with new systems.  Something unusual about the RawPOS malware is that it is very well commented.  It is coded in an older Russian text.  Authorities believe this is to make the malware seem a legitimate program and for support as well.  Using Windows Credential Editor and the Active Directory, they access legitimate user credentials.  They also sophisticated tools that erase their tracks.

Among those struck by the hacker group are Visa, Goodwill, and an unnamed Casino in Las Vegas.  FireEye is partnering with Visa to create a threat intelligence service.  It will combat this group and others like it.

to see the full article visit:

-Brian Lustick


New NSA Playset research tools

The NSA Ant catalogue consists of tools the NSA and members of the Five Eyes Alliance use for cyber surveillance.  It was first released on December 30, 2013 by a German Newspaper.  Some of the tools were already known to the public and some were not.  At Blackhat in Las Vegas, Michael Ossmann said, “We as a security community as a whole have the benefit of learning from these leaks.”  They can be used to test defenses and build strong defense systems.  Out of the Ant leak grew the NSA Playset which Ossmann and others have been developing for the past year.  The NSA Playset is a group of “toys and tools” that will be made available to the public for research purposes.

One such device is Slotscreamer which is a PCI Express tool that will allow researchers to explore Direct Memory Access attacks.  PCI stands for Peripheral Component Interconnect.  It works by connecting microprocessors to attached devices.  It sends both data and addresses.

Another tool is Tiny Alamo.  It is a form of active radio injection.  This is used to hack into bluetooth keyboards and mice.  These bluetooth devices are very common as well as unsecure.

CongaFlock is an RF retroreflector that when implanted in a keyboard can record keystrokes.  These types of devices are attached to a wire and can pick up different things once attached.

We’ve all heard that the NSA is collecting metadata from our cell phones.  An older tool with the modern name of Leviticus is used to sniff cell phones.  Ossmann likes that this can be run on an “off the shelf” mobile device.

Last is Chuckwagon.  This uses I2C serial busses many people are unaware of.  They have direct access to the motherboard in pcs and can sometimes be accessed via VGA cables and HDMI ports.  Using these busses malware can be put on the system.

For the main article this post is based on see here:

For a brief post on retroreflectors:

For pictures of the above devices and some others:

-Brian Lustick