All of the organizations targeted by the group are either publicly traded companies or advisory firms offering services like investor relations, legal counsel or investment banking.
Approximately two thirds of the companies targeted by FIN4 are healthcare and pharmaceutical companies. “We believe FIN4 heavily targets healthcare and pharmaceutical companies as stocks in these industries can move dramatically in response to news of clinical trial results, regulatory decisions, or safety and legal issues,” the report states.
FIN4 focuses on compromising accounts belonging to top executives, legal counsel, scientists and researchers who have access to non-public information about major deals and announcements. “FireEye believes FIN4 intentionally targets individuals who have inside information about impending market catalysts — events that will cause the price of stocks to rise or fall substantially in a short period of time,” the report states.
The victims are targeted with spear phishing attacks that appear to be written by native English speakers familiar with the targeted companies’ terminology and inner workings. FireEye threat intelligence manager Jen Weedon told Reuters that the researchers are confident FIN4 isn’t based in China, and that it’s likely based either in the United States or Western Europe. Weedon said the hackers were probably trained at Western investment banks.
The victims aren’t infected with malware — the phishing attacks are just aimed at compromising the victims’ email accounts, using VBA macros embedded in legitimate documents to request victims’ Outlook login credentials.
“FIN4 also uses existing email threats in a victim’s inbox to spread their weaponized documents,” the researchers note. “We’ve seen the actors seamlessly inject themselves into email threads. FIN4’s emails would be incredibly difficult to distinguish from a legitimate email sent from a previously compromised victim’s email account.”
In one case, according to FireEye, FIN4 leveraged its previously-acquired access to email accounts at an advisory firm to collect data regarding a potential acquisition of one of the advisory firm’s clients, and to target another advisory firm that was also working with the same client.
FIN4 sometimes creates a rule in victims’ Outlook accounts to automatically delete any incoming email containing the words “virus,” “malware,” “phished,” “phishing,” “phish,” “hacking,” “hacked,” or “hack,” presumably to minimize the chance that victims will be alerted to the compromise.
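The auto-delete rule described above is also one of the few durable artifacts this kind of malware-free intrusion leaves behind, so it is worth hunting for across every mailbox. The following is an added example, not code from the FireEye report or from eSecurity Planet: it takes an export of inbox rules and flags any enabled rule that deletes (or moves to a discard folder) mail whose subject or body mentions one of the words the report lists. The record fields are assumed to mirror what Exchange's `Get-InboxRule` cmdlet emits (`DeleteMessage`, `MoveToFolder`, `SubjectContainsWords`, and so on); the sample records are constructed for illustration.

```python
"""Hunt for FIN4-style inbox rules that silently discard compromise warnings."""
import json
import re

# Words the FireEye report says FIN4's rules matched on (quoted in the article).
FIN4_KEYWORDS = ("virus", "malware", "phished", "phishing", "phish",
                 "hacking", "hacked", "hack")

# Folder targets that quietly bury mail; treated the same as an outright delete.
DISCARD_FOLDERS = ("deleted items", "junk email", "junk e-mail")

# Constructed sample export. Field names are assumed to follow the shape of
# `Get-InboxRule | ConvertTo-Json` from Exchange PowerShell; the data is invented.
SAMPLE_RULES_JSON = """
[
  {"MailboxOwnerId": "ceo@example.com", "Name": "Noise", "Enabled": true,
   "DeleteMessage": true, "MoveToFolder": null,
   "SubjectOrBodyContainsWords": ["virus", "phish", "hacked"],
   "SubjectContainsWords": [], "BodyContainsWords": []},
  {"MailboxOwnerId": "ceo@example.com", "Name": "Newsletters", "Enabled": true,
   "DeleteMessage": false, "MoveToFolder": "ceo@example.com:\\\\Newsletters",
   "SubjectOrBodyContainsWords": [], "SubjectContainsWords": ["digest"],
   "BodyContainsWords": []},
  {"MailboxOwnerId": "counsel@example.com", "Name": "Cleanup", "Enabled": true,
   "DeleteMessage": false, "MoveToFolder": "counsel@example.com:\\\\Deleted Items",
   "SubjectOrBodyContainsWords": [], "SubjectContainsWords": ["malware alert"],
   "BodyContainsWords": []},
  {"MailboxOwnerId": "cfo@example.com", "Name": "Marketing", "Enabled": true,
   "DeleteMessage": true, "MoveToFolder": null,
   "SubjectOrBodyContainsWords": ["unsubscribe"], "SubjectContainsWords": [],
   "BodyContainsWords": []}
]
"""

# Whole-word, case-insensitive match; longer forms are listed before "phish"/"hack"
# so "phishing" is reported as "phishing" rather than being missed.
_KEYWORD_RE = re.compile(r"\b(" + "|".join(FIN4_KEYWORDS) + r")\b", re.IGNORECASE)


def discards_mail(rule):
    """True when the rule's action makes matching mail vanish from the inbox."""
    if rule.get("DeleteMessage"):
        return True
    folder = (rule.get("MoveToFolder") or "").lower()
    # Exchange reports folders as "mailbox:\Folder", so compare the tail only.
    return any(folder.endswith(name) for name in DISCARD_FOLDERS)


def matched_keywords(rule):
    """Return the FIN4 keywords found in any of the rule's text conditions."""
    found = set()
    for field in ("SubjectContainsWords", "BodyContainsWords",
                  "SubjectOrBodyContainsWords"):
        for phrase in rule.get(field) or []:
            found.update(m.lower() for m in _KEYWORD_RE.findall(phrase))
    return sorted(found)


def find_suspicious_rules(rules_json):
    """One finding per enabled rule that discards mail mentioning a compromise."""
    findings = []
    for rule in json.loads(rules_json):
        if not rule.get("Enabled", True) or not discards_mail(rule):
            continue
        hits = matched_keywords(rule)
        if hits:
            findings.append({"mailbox": rule.get("MailboxOwnerId"),
                             "rule": rule.get("Name"),
                             "keywords": hits})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_rules(SAMPLE_RULES_JSON):
        print(f"{f['mailbox']}: rule '{f['rule']}' drops mail mentioning "
              + ", ".join(f["keywords"]))
```

Run it against a real export by replacing `SAMPLE_RULES_JSON` with the output of the rule-listing cmdlet for every mailbox, not just the executives'; a rule that moves mail to Deleted Items is as effective for the attacker as one that deletes outright, which is why both actions are flagged. Any hit on a mailbox whose owner did not create the rule is a strong indicator that the account credentials are already in someone else's hands.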
FireEye recommends that companies consider disabling VBA macros in Microsoft Office by default, enabling two-factor authentication for Outlook Web Access, and blocking the following domains: ellismikepage[.]info, rpgallerynow[.]info, msoutexchange[.]us, outlookscansafe[.]net, outlookexchange[.]net, lifehealthsanfrancisco2015[.]com, dmforever[.]biz, junomaat81[.]us, and nickgoodsite.co[.]uk.
Still, the researchers note, “The relative simplicity of FIN4’s tactics (spear phishing, theft of valid credentials, lack of any malware installed on victim machines) makes their intrusion activity difficult to detect.”
Tripwire security analyst Ken Westin told eSecurity Planet by email that FIN4’s use of Tor to anonymize its activity also gives companies a way to protect themselves. “Since there is generally no valid reason an employee would log into corporate systems using Tor, all they have to do is flag all the Tor exit node IP addresses in their IPS systems,” he said.