FIN8 Deploys Powerful New Malware targeting banks

  • Daniel O’Neill, Director Managed Detection and Response Security Operations at Bitdefender

  • 27.09.2021 10:31 am

Answers by Daniel O’Neill, Director Managed Detection and Response Security Operations at Bitdefender

Q: Who are FIN8, what is Sardonic and what did Bitdefender research uncover?

A: FIN8 is a financially motivated cyber gang known to launch tailored spear phishing campaigns targeting primarily the retail, restaurant, and hospitality industries. FIN8 most likely operates out of the Commonwealth of Independent States (CIS) region and are experts at stealing credit card data to use and/or sell on the dark web. The group demonstrates advanced security defense evasion techniques and are extremely capable of conducting sophisticated operations.

Our discovery of the new backdoor we are labeling ‘Sardonic’ is further confirmation that FIN8 is actively building up its arsenal and improving its infrastructure after a 1.5 year hiatus. In March 2021, FIN8 resurfaced with significant updates to its BADHATCH backdoor and actively targeted organizations.

What is unique about Sardonic is that, unlike BADHATCH, it uses a plugin architecture allowing FIN8 to add new attack capabilities without needing to fully update its malware. This means a targeted system only has to be infected once rather than multiple times for the gang to execute its latest attacks.

Q: Why should financial institutions be worried about this discovery?

Financial institutions should be concerned first because we have seen first-hand that FIN8 is expanding its focus beyond their traditional targets of retail, restaurant, and hospitality organizations and targeting banks. Second, we know from past experience and analysis of their attacks that they are very good at what they do (stealing money) and equally as good at evading detection and moving laterally across systems and escalating privileges once they gain a foothold.

Q: What can financial institutions do to better protect themselves from malicious actors exploiting backdoors in their security?

There are several ways financial institutions can better protect themselves:

  • Even the most sophisticated attacks usually start with email phishing and social engineering. Educate and continuously train employees on the dangers of clicking on links and opening attachments from unknown sources. Employees will always remain a primary first line of defense for organizations.
  • Make sure security platforms such as endpoint detection and response (EDR) and extended detection and response (XDR) are configured and updated to detect and block known FIN8 indicators of compromise (IOC). At the same time, use processes such as threat hunting and threat intelligence underpinned by security analytics and human expertise to recognize Indicators of Attack (IOA). This means becoming more proactive detecting and responding to anomalous behavior and suspicious activity, not just waiting for an alert.
  • If your organization lacks the necessary expertise to incorporate processes for proactive detection and response to IOAs, consider the managed detection and response (MDR) model. When supplemented with in-house security teams, MDR practitioners perform active threat hunts as well as analyze and correlate telemetry with threat intelligence across the entire environment including endpoints, networks and clouds.

Q: Is MDR and threat hunting gaining traction across the financial services industry?

Most industries (financial services included) are now accepting of the need to take a more proactive approach to cybersecurity, especially after the high profile ransomware attacks we have witnessed over recent years. Traditionally and understandably, in financial services the emphasis tended to be on compliance, adhering to regulatory governance and imposing necessary controls based on perceived risk. The result was a governance, risk management, and compliance (GRC) first approach rather than a focus on strengthening security operations. Of course, GRC is still necessary and applicable, but given that advanced attackers and nation-state actors are equally targeting big financial institutions for monetary gain or to simply cause massive disruptions, most organizations seek to have a layer of powerful proactive security in place. If an adversary manages to break the perimeter and circumnavigate the first line of defence, the means to quickly detect and contain the threat is in place.

It is now accepted that, given enough time, sophisticated threat actors will eventually get over the fence. Strong cybersecurity should be focussed on an organization’s ability to rapidly detect, respond, contain and remediate threats to minimise operational impact. That is why MDR and proactive threat hunting driven by threat intelligence have been gaining steady traction across the financial services industry. Nowadays, if organizations rely purely on the old ways of implementing security technologies, with a “set it and forget it” mentality, there is a high chance the internal security team may be sitting by blissfully unaware that a sophisticated adversary is already inside the environment marching steadily towards its objective.

Q: Is there a cyber-security skills gap across the financial services industry and how can businesses ensure they have the right expertise in place to ensure they are detecting and responding to bad actors?

Yes, there is a cybersecurity skills gap regardless of industry or vertical; that is why the MDR model continues to grow exponentially. Under-resourced security teams are overwhelmed managing day-to-day operations as the attack surface continues to grow through cloud services and new devices connecting to the networks. They are effectively managing security technology, not actually conducting continuous monitoring and detection and response security operations.

Businesses, service providers and government organizations all face increasing competition to find and retain security talent. It is not just a numbers game; it is about having the right type of experience and skills to carry out proactive security operations such as threat intelligence analysis and correlation. The challenge becomes one of competition, which inevitably leads to finance. However, most cyber security analysts are not driven by salary alone. They want to be challenged, use cutting-edge technology and know they are going up against the latest threats. As a high-profile target, the financial services sector can offer a fast-paced, challenging environment.

Another often under-utilized avenue to consider for strengthening internal security teams is to recruit interns from universities and the military. Both are excellent pools of talent of people who have a true passion for cybersecurity, a thirst for knowledge and an eagerness to learn. Recruits from the military are often battle tested and have real-world experience in both offensive and defensive scenarios, bringing a unique advantage to the corporate world.