Profile picture
Christopher Glyer @cglyer
, 9 tweets, 2 min read Read on Twitter
Reading justice.gov/opa/pr/russian… today reminded me how I got my start in #DFIR in 2008 investigating FIN1. Let's take a walk down memory lane.
FIN1 (in my experience) has had a few major periods of activity (2007-2009, 2011-2012, and 2014-2015) - each with their own distinct set of TTPs. They've significantly improved their capabilities over the years (even though multiple members have been arrested)
FIN1 in the first period had the following TTPs: 1) didn't use backdoors 2) broke in commonly via SQL Injection 3) uploaded new tools by creating temporary tables and exporting the file via BCP 4) deployed a sniffer named sn.exe to identify systems with track data in memory
FIN1 already had intimate knowledge of financial orgs - including how debit card PINs were encrypted, and the hardware security module (HSM) devices and protocols used to encrypt/decrypt the PIN numbers.
I once observed FIN1 identify the HSM, enumerate the protocols it supported, and use it to execute an encryption protocol downgrade attack. The benefit was - they turned a PIN block (an encrypted version of a PIN) that used salting - to a version with no salt applied.
This allowed FIN1 to then calculate every permutation of PINs (e.g 0000 to 9999) with the downgraded encryption protocol - and then perform a lookup against the downgraded PIN blocks.
FIN1 also knew enough about how financial orgs limited ATM withdrawals - & knew (or figured out how) to increase database limits that control # withdrawals per ATM, # withdrawals per day & total amount allowed per day. They increased limits to max amount - and cashed out millions
FIN1 only needed 20-30 cards w/ increased values to perform the cash out. My theory was - they gave a single debut card number to a cash out team. That way they could query the db and know exactly how much that "team" stole - so they could payment % back to the central org
FIN1 in this period was characterized by low opsec, significant knowledge of fin systems/orgs (they might have worked in fin orgs before) & for me at time as a pen tester who knew SQLi really well - FIN1 had amazing SQLi capabilities. They did things I had no idea were possible
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Christopher Glyer
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related hashtags

#DFIR

More from @cglyer see all

Profile picture
Long rumored @TheJusticeDept indictment of #APT10 is out. sc.cnbcfm.com/applications/c…
Here are my observations/highlights from reading the indictment (channeling my inner @pwnallthethings):
-the indictment indicates #APT10 operations started in 2006 and went through 2018. The 2006 activity was likely focused on US Government, Military, and defense contractors

1/n
Interestingly the indictment calls out multiple government organizations by name that were victims including:
@NASAGoddard, @NASAJPL, @LLNL, and the @USNavy

2/n
Read 24 tweets
Profile picture
"You've Got Mail"

@danielcabaniel @CyberAmyntas discussing email phishing and mail server attack trends

#FireEyeSummit
APT34 compromised a trusted partner org - and used that to abuse trust (convinced user to enable macros) and successfully phish victim

Subsequently staged data theft files on the Exchange server as .png files and downloaded from the server.

#FireEyeSummit
C-level credential phished while on vacation - APT34 used account access to phish entire company. Even though infosec team blocked URL on web proxy - employees switched to guest wi-fi to access the URL.

#FireEyeSummit
Read 10 tweets
Profile picture
.@TekDefense introducing our next talk about unmasking APT38 - a North Korean threat actor focused on financial attacks

Blog released today with more details
fireeye.com/blog/threat-re

#FireEyeSummit
APT38 targeted banks (SWIFT messaging initiated wire transfers you've read about in the news) and crypto currency exchanges (among other orgs)

#FireEyeSummit
Yes - you read that right. APT38 has used multiple different (and escalating tactics over time) to destroy evidence including deploying ransomware and running disk wiping malware

#FireEyeSummit
Read 7 tweets

Related threads

Profile picture
Q #2527
“There is a place for everyone”
[Ca__J]
💥 JULY 2017

thehill.com/policy/defense…
💥 JANUARY 2018

cnbc.com/2018/01/30/tru…
Read 19 tweets
Profile picture
Russian National Charged with Interfering in U.S. Political System

@drawandstrike @HNIJohnMiller @catesduane @rising_serpent @_ImperatorRex_ @Debradelai @GodlessNZ @almostjingo @tracybeanz @TheChiIIum

justice.gov/opa/pr/russian…
A criminal complaint was unsealed in Alexandria, Virginia, today charging a Russian national for her alleged role in a Russian conspiracy to interfere in the U.S. political system, including the 2018 midterm election.
Assistant Attorney General for National Security John C. Demers, U.S. Attorney G. Zachary Terwilliger of the Eastern District of Virginia, and FBI Director Christopher Wray made the announcement after the charges were unsealed.
Read 29 tweets
Profile picture
Russian National Charged with Interfering in U.S. Political System justice.gov/opa/pr/russian…
"Khusyaynova, 44, of St. Petersburg, Russia, served as the chief accountant of “Project Lakhta,” a Russian umbrella effort funded by Russian oligarch Yevgeniy Viktorovich Prigozhin and two companies he controls, Concord Management and Consulting LLC, and Concord Catering"
"Between Dec 2016 & May 2018, the conspiracy allegedly used social media and other internet platforms to address a wide variety of topics, including immigration, gun control and #2A, the Confederate flag, race relations, LGBT issues, the Women’s March, & the NFL national anthem"
Read 9 tweets
Profile picture
Russian National Charged in Conspiracy to Act as an Agent of the Russian Federation Within the United States
justice.gov/opa/pr/russian…
DOJ Charges Russian National Maria Butina With Acting As Foreign Agent
huffingtonpost.com/entry/doj-char…
The Justice Department just charged a Russian national with trying to infiltrate the NRA
vox.com/2018/7/16/1757…
Read 3 tweets
Profile picture
Russian National Charged in Conspiracy to Act as an Agent of the Russian Federation Within the United States

@drawandstrike @ThomasWictor @TheChiIIum @HNIJohnMiller @jihadaeon1 @rising_serpent @_ImperatorRex_ @Debradelai @LarrySchweikart

justice.gov/opa/pr/russian…
A criminal complaint was unsealed today in the District of Columbia charging a Russian national with conspiracy to act as an agent of the Russian Federation within the United States without prior notification to the Attorney General.
The announcement was made by Assistant Attorney General for National Security John C. Demers, U.S. Attorney for the District of Columbia Jessie K. Liu, and Nancy McNamara, Assistant Director in Charge of the FBI’s Washington Field Office.
Read 12 tweets
Profile picture
💥Russian National Charged in Conspiracy to Act as an Agent of the Russian Federation Within the United States - Mariia Butina, 29, a Russian citizen residing in Washington D.C., was arrested on July 15, 2018, in Washington, D.C.
justice.gov/opa/pr/russian…
Mariia Butina Criminal complaint - Conspiracy to Act as an Agent of a Foreign Government - from 2015 or earlier up to the present
Item 2d: To infiltrate organizations active in US politics in an effort to advance the interests of the Russian Federation
justice.gov/opa/press-rele…
Affidavit in support of criminal complaint - Mariia Butina
US Person 1 met Butina in Moscow around 2013 and worked with Butina to jointly arrange introductions to US persons, including organization promoting gun rights (aka the NRA)
justice.gov/opa/press-rele…
Read 16 tweets

Trending hashtags

#Libya #Russia #ChildTrafficking #Firtash #PatriotsUnited #MagnitskyMoney #BackYardBrawl #Tchenguiz #China #AshCanSchool #Sputnik #Kushner #American #PodestaArt #WWGOWGA #ParklandShooting #NewYork #Latvia #WhereAreTheChildrenHillary #England #Kremlin #Spadi #PAM #Nikulin #Steele

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!