Hacking Group Fin5 Steals 150,000 Gamblers’ Credit Cards from Casino

The attendees at the recent Cyber Defense Summit, formerly known as Mircon, which took place in Washington DC where warned of a new hacking group titled Fin5, reports The Register. According to researchers, Fin5 is responsible for the recent stealing of 150,000 credit cards from gamblers at an unnamed brick and mortar casino.

Emmanuel Jean-Georges and Barry Vengerik of Mandiant and FireEye said that the hacking group Fin5 successfully managed to skip through the flat IT infrastructure of the casino and attacked its open payment systems.

A Very Easy Hacking Attack

The two researchers pointed out that the poor IT infrastructure made the hacking attack easier. Apparently the unnamed casino was lacking even basic firewalls around its payment systems and it didn’t have logging.
“The casino had a flat network and one domain with limited access controls of payment system access,” said Jean-Georges. “If the casino had employed at least basic or minimal protection measures such as a firewall with default deny systems to limit PCI system access, it would have triggered some red flags,” he added.

The new hacking group has been associated with more than a dozen similar attacks including Goodwill. Some payment card breaches by the group might also not have been reported. The group’s targets have included a minimum of two payment method providers and their players, including the casino that was taken as an example at the Cyber Defense Summit.

How the Attack Happened

Jean-Georges revealed that the attackers used a backdoor codenamed Tornhull as well as a VPN dubbed Flipside in order to maintain persistence. The VPN dubbed Flipside was missed at detection in the first attempt by a rival film that was called in before Mandiant. The hackers noticed that the VPN survived and came back at the end of last year to steal more credit cards.

Fin5 also used another tool codenamed Driftwood which parses specified locations for credit card information dumps and encodes it for future collection. According to Vengerik, this tool is well commented to a level of commentary seen in software sale. The hacking group would steal any residual malware and features and then it would erase logs if it was suspected.

FireEye said in a statement that the most unique feature about Fin5 is that in every attack the company responded and caused by Fin5, a legitimate access was revealed. “The group has legitimate credentials to remotely log into the network,” said Vengerik. “They must have got credentials from somewhere but it’s definitely not from remote exploits or spear phishing.”

To see how payment systems where attacked, Mandiant relied on the AppCompatCache.

The attacked casino has now employed two factor authentication, increased logging and implemented application whitelisting as part of the list of changes.