According to this article from Threatpost, a new malware nicknamed FIN7 is using a new technique to spread and avoid detection. The malware is reportedly associated with the Carbanak group and is targeting the restaurant industry. Considering its effectiveness, though, it’s safe to assume that either this attacker will move to other industry verticals or someone else will mimic the method. With this in mind, now is the perfect time to reiterate the following:
- Defense is reactive. Best practices are great but, like Mike Tyson said, “Everyone has a plan ’till they get punched in the face”. Have a firewall. Have IDS / IPS. Have antivirus / anti-malware. Segment the network. In the end, though, understand that you have to be right 100% of the time and the attacker has to be right once (and then you have to react). When an attacker punches you in the mouth, be ready to react. Have an incident response plan.
- Attackers will continue [ab]using techniques as long as they work. Despite its innovative approach to delivering the actual malware, FIN7 still relies on phishing for the initial foothold. It still relies on a malicious attachment for the initial stage of the attack, and it relies on the end user clicking ‘Ok’ to let the payload run. These techniques are still popular because *they still work*.
- The user is the last line of defense (and often the weakest link). Despite the firewall, IDS / IPS, antivirus / anti-malware and network segmentation, if a user voluntarily installs malware (e.g., clicks a link, visits a website, inserts a malicious CD / DVD or thumb drive), all of the technical controls in front of them become moot. Training your users and then testing them to reinforce that training is critical and is frequently overlooked (as evidenced by the continued success of phishing attacks).
- The importance of an effective security program cannot be overstated. Document your policy. Distribute that policy as a part of your onboarding process (for employees, contractors, business partners, etc., if applicable) and reinforce it with regular training. Test the policy (internal assessments, vulnerability assessments and penetration testing) to determine if it’s working and, if so, if it’s adequate. Review the results of the tests and use the feedback to improve the policy, training and incident response plan.
For more information about the services that Piratica provides including vulnerability assessment, penetration testing or training, please find our contact information here.
Misc / Errata
- Threatpost Article – https://threatpost.com/fin7-hitting-restaurants-with-fileless-malware/126213/
- Carbanak – https://en.wikipedia.org/wiki/Carbanak