Hackers infiltrate US companies from abroad
Cyber investigators comb through waves of foreign attacks to determine who is responsible for bringing down corporations. Harley Hall Photography

The elusive hacking group known as FIN8 are back in action after a nearly two-year hiatus. The cybercriminal gang has been known to launch financially motivated attacks and has now set its sights at the US hospitality industry.

While some financially motivated hacker groups often target banks and other companies in the financial sector, FIN8 has a long history of attacking point-of-sale (PoS) systems. The hacker group specifically targets entities such as hotels that run PoS systems, using its customized malware to steal payment card information.

Security firm Morphisec said that it stopped FIN8's attack on an unnamed US hotel. Although the identity of the target remains unclear, Cyberscoop reported that the hotel is located in the US.

According to security researchers at Morphisec, the FIN8 hackers are now using a more sophisticated variant of the PunchBuggy backdoor malware. The new variant of the PunchBuggy malware downloads a PowerShell code, which in turn, collects a wide variety of user and network information including usernames, emails, system information, anti-virus version, domain information and more.

According to Morphisec researchers, this new campaign is the first FIN8 activity that has been observed this year. The researchers also identified overlaps with FIN7 attacks. This overlap has previously been observed by other researchers as well, ZDNet reported.

“In addition to this attack by FIN8, we’ve seen multiple attacks by FIN6, FIN7 and others,” Michael Gorelik, Morphisec CTO, said in a blog. “To have such a match you need access to the source code,” Gorelik told Cyberscoop. “So either FIN8 executed the attack again or some of its members joined” other criminal gangs, such as FIN6 or FIN7, he added.

According to Morphisec, PoS systems continue to be sought after targets because many PoS networks are currently still running on Windows 7, which makes them more vulnerable to attacks.

“What’s more, attackers know that many POS systems run with only rudimentary security as traditional antivirus is too heavy and requires constant updating that can interfere with system availability,” Gorelik added. “As we see here, attack syndicates are constantly innovating and learn from their mistakes – the numerous improvements and bug fixes from the previous version of ShellTea are evident. The techniques implemented can easily evade standard POS defenses.”