{
    "type": "bundle",
    "id": "bundle--c927b2ed-c149-416c-bf1c-a70469663b37",
    "spec_version": "2.0",
    "objects": [
        {
            "modified": "2023-03-22T03:51:04.185Z",
            "name": "FIN7",
            "description": "[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013, primarily targeting the U.S. retail, restaurant, and hospitality sectors, often using point-of-sale malware. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security. Since 2020 [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to a big game hunting (BGH) approach including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. [FIN7](https://attack.mitre.org/groups/G0046) may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appear to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware, and they are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)",
            "aliases": [
                "FIN7",
                "GOLD NIAGARA",
                "ITG14",
                "Carbon Spider"
            ],
            "x_mitre_deprecated": false,
            "x_mitre_version": "2.2",
            "x_mitre_contributors": [
                "Edward Millington"
            ],
            "type": "intrusion-set",
            "id": "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc",
            "created": "2017-05-31T21:32:09.460Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "revoked": false,
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/groups/G0046",
                    "external_id": "G0046"
                },
                {
                    "source_name": "Carbon Spider",
                    "description": "(Citation: CrowdStrike Carbon Spider August 2021)"
                },
                {
                    "source_name": "FIN7",
                    "description": "(Citation: FireEye FIN7 March 2017) (Citation: FireEye FIN7 April 2017) (Citation: Morphisec FIN7 June 2017) (Citation: FireEye FIN7 Shim Databases) (Citation: FireEye FIN7 Aug 2018)"
                },
                {
                    "source_name": "GOLD NIAGARA",
                    "description": "(Citation: Secureworks GOLD NIAGARA Threat Profile)"
                },
                {
                    "source_name": "FireEye CARBANAK June 2017",
                    "description": "Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.",
                    "url": "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html"
                },
                {
                    "source_name": "FireEye FIN7 April 2017",
                    "description": "Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.",
                    "url": "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"
                },
                {
                    "source_name": "FireEye FIN7 Aug 2018",
                    "description": "Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.",
                    "url": "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
                },
                {
                    "source_name": "Secureworks GOLD NIAGARA Threat Profile",
                    "description": "CTU. (n.d.). GOLD NIAGARA. Retrieved September 21, 2021.",
                    "url": "https://www.secureworks.com/research/threat-profiles/gold-niagara"
                },
                {
                    "source_name": "FireEye FIN7 Shim Databases",
                    "description": "Erickson, J., McWhirt, M., Palombo, D. (2017, May 3). To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence. Retrieved July 18, 2017.",
                    "url": "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html"
                },
                {
                    "source_name": "Morphisec FIN7 June 2017",
                    "description": "Gorelik, M. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. Retrieved July 13, 2017.",
                    "url": "http://blog.morphisec.com/fin7-attacks-restaurant-industry"
                },
                {
                    "source_name": "ITG14",
                    "description": "ITG14 shares campaign overlap with [FIN7](https://attack.mitre.org/groups/G0046).(Citation: IBM Ransomware Trends September 2020)"
                },
                {
                    "source_name": "CrowdStrike Carbon Spider August 2021",
                    "description": "Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.",
                    "url": "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/"
                },
                {
                    "source_name": "FireEye FIN7 March 2017",
                    "description": "Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.",
                    "url": "https://web.archive.org/web/20180808125108/https:/www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html"
                },
                {
                    "source_name": "IBM Ransomware Trends September 2020",
                    "description": "Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021.",
                    "url": "https://securityintelligence.com/posts/ransomware-2020-attack-trends-new-techniques-affecting-organizations-worldwide/"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "x_mitre_domains": [
                "enterprise-attack",
                "ics-attack"
            ],
            "x_mitre_attack_spec_version": "3.1.0",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
        }
    ]
}