Threat Intelligence

Exploring the Impact of the ITG08 Threat Group

Play the latest episode
Apr 7, 2020
27 minutes


Listen to the Security Intelligence Podcast wherever you get your podcasts.

Exploring the Impact of the ITG08 Threat Group
April 7, 2020
| |
17 min read

Listen to this podcast on Apple Podcasts, SoundCloud or wherever you find your favorite audio content.

On this week’s Security Intelligence podcast, hosts Pam Cobb and David Moulton are joined by Chris Caridi from IBM’s threat intelligence production team and Ole Villadsen from the threat hunt and discovery team of IBM X-Force Incident Response and Intelligence Services (IRIS) to explore advanced persistent threats (APTs). Specifically, they discuss the unique anatomy and impact of the threat group known as ITG08.

Identifying ITG08

ITG stands for “IBM threat group” and functions as a taxonomy tool to help identify key attacker behaviors, patterns and outcomes. As noted by Caridi, “ITG08, otherwise known as FIN6, is a financially motivated cybercrime group known for stealing payment card data from point-of-sale machines in brick-and-mortar retailers and then selling it for profit on the dark web.”

Historically, this group has targeted the hospitality sector, but X-Force IRIS has more recently observed the group “targeting e-commerce platforms under activity described collectively as Magecart,” with potential ITG08 targets now including “any type of organization that processes credit card transactions.”

The Anatomy of an ITG08 Attack

So how does an ITG08 attack happen? According to Villadsen, “they’re most well-known for their expertise in what I call post-exploitation actions, and this is what I would call core competency or their competitive advantage.”

The ITG08 approach includes network reconnaissance, lateral movement, privilege escalation and data exfiltration, often by using publicly available offensive security tools like Metasploit along with living-off-the-land binaries (LOLBins) such as PowerShell and Windows Management Instrumentation (WMI). Villadsen points out that when it comes to compromising business networks, the threat group typically uses stolen credentials or spear phishing emails.

“When it comes to malware,” he says, “they’re most commonly known for their use of a point-of-sale malware called FrameworkPOS,” which allows them to find and scrape credit card data. More recently, the attackers hatched a new approach with the More_eggs persistent backdoor.

Read more about ITG08 and TrickBot

Closing the Gap

With advanced attacks on the rise, how do organizations effectively defend their assets from the impact of groups like ITG08? Villadsen and Caridi highlight several key strategies, including:

  • Educating employees — Train staff to recognize and report phishing emails.
  • Implementing two-factor authentication (2FA) — 2FA can help frustrate financial attackers who depend on credentials for access.
  • Detecting More_eggs — In a recent blog post, Villadsen offers ways to detect and defeat More_eggs.
  • Flagging suspicious behavior — By enabling PowerShell script logging and monitoring for obfuscation or multiple failed login attempts, companies can catch ITG08 earlier.
  • Regularly pen testing — Companies should regularly test network systems for potential points of compromise.
  • Getting help — IBM’s X-Force IRIS can help bolster network defenses against evolving threat groups. If organizations detect the signs of an imminent threat, they can call the IBM X-Force emergency hotline at (888) 241-9812.

The Cost of Doing Business

Despite ITG08’s penchant for persistence, there’s some good news in all of this. As Villadsen notes, “the kinds of activity we’re seeing ITG08 do, like shifting from point-of-sale to Magecart, does show that, for example, the EMV chips and the point-to-point encryption and other techniques that have been implemented among retailers is kind of forcing the attackers to do different things.”

More importantly, it’s forcing attackers to consider costs and potentially pushing them elsewhere. When new security tools and techniques make traditional methods of compromise ineffective, groups like ITG08 won’t spend their time trying to crack the code — they’ll simply move on.

Advanced persistent threat groups remain a pervasive problem. By understanding attack anatomy and taking a proactive defensive approach, however, companies can help mitigate and manage the impact of ITG08 and similar groups.

Episode Transcript

Hi, listeners. If you’re tuning in around the time this episode goes live, we hope you and your loved ones are safe and well. As the COVID-19 pandemic leaves its impact around the world and changes our daily lives, our podcast team gathered to discuss how we share stories — if at all — during this crisis. What it came down to is that we hope, as we always have, that we can be helpful. With that in mind, we would like to present this episode about threat intelligence research that was recorded before events began to unfold in the United States. We hope it proves helpful as you continue to work to protect your business during these uncertain times.

Pam: David, we’ve had conversations in the past about threat actors, tactics, techniques and procedures or TTPs. We’ve not yet talked about a specific threat group, however. What stood out to you most after talking with Chris and Ole, our guests today?

David: As Chris and Ole shared more about how the group is operating, it made me realize that they run this like a business. There is a combination of strategy and opportunistic behavior from these threat actors. Their market opportunity shifts as defenses harden against a technique that was successful. And so they’ll see an impact to their revenue and they have to shift tactics. And this is just like any real, well-run business. If they see something change, it gives them an opportunity or takes away an opportunity; they have to make changes to their business. This is a sophisticated group and one that we were really happy to share a bit about on the podcast.

Pam: This is the Security Intelligence podcast, where we discuss cybersecurity, industry analysis, tips and success stories. I’m Pam Cobb.

David: And I’m David Moulton.

Chris Caridi and Ole Villadsen are both analysts on the IBM X-Force IRIS team and they join the podcast today to discuss their insights around ITG08. They explained how this threat group differs from others and the ways they’re seeing it evolving. Also, stay tuned at the end for some good news related to the topic. Here’s our conversation.

So, welcome to the show. Can you take a moment to introduce yourselves?

Chris: Sure. So my name is Chris Caridi. I’m from IBM’s threat intelligence production team where we focus on identifying and analyzing the tactical and strategic cyberthreats to various enterprise sectors and industries.

Ole: And my name’s Ole Villadsen and I’m an analyst on the threat hunt and discovery team within IBM X-Force IRIS. And in this role, I investigate and analyze cyberthreat activity and then provide what I like to call direct or tactical intelligence support to our incident response investigations. And then as part of my job, I also do a lot of threat intelligence research on APTs and advanced cybercriminal groups. And then we use that data to populate our databases with current threat information and that helps support future investigations and analytic research.

David: Awesome. So, thanks both of you for being on the show and I think this is a really exciting topic. Before we get too far into this, can we talk about what is an APT? What is that? Advanced persistent threat?

Chris: Sure. So, an APT or advanced persistent threat group is a threat actor who conducts attacks that are typically highly sophisticated and well-funded usually by a nation-state or some state-sponsored entity. And whose targets are rather specific and deliberate.

David: What’s the difference between an APT and a criminal threat group?

Chris: Right. So, a criminal threat group is primarily a group that’s motivated by financial gain. They use a wide range of tactics that range from rudimentary to advanced and are unlikely to be tied to any particular nation-state or political entity.

David: Okay. So the APT might be more likely a government that’s looking to exert some sort of leverage or find out something where a criminal group is looking for an opportunity to make money?

Chris: Absolutely. Yep, that’s correct.

David: So IBM has a way of tracking these distinctions internally as far as I understand it. Can you explain more about the difference between hives and ITGs?

Ole: Sure. So we track a consistent pattern of unattributed malicious activity and campaigns that we discover in the wild as hives. And this takes place when we’re not certain if the activity relates to one or more threat actors or when we observe activity that may only include a limited amount of information or indicators. And so once that activity meets a strict analytic threshold based on a full range of tactics, techniques and procedures, including infrastructure, malware, tools, targeting and so forth, then we make a call to create an IBM threat group or ITG and then we attribute the activity to that ITG. This is exactly the process we learned through with ITG08.

David: Okay. So this is a classification or a taxonomy tool to help the teams keep organized and communicate about the different behaviors and targets that a group might be looking at?

Ole: That’s exactly right.

David: Okay. And then once you’re able to classify and start to understand the different characteristics or the DNA that makes up a group, are you able to go backwards and start to look at things like attribution?

Ole: Right, exactly. So, for us, attribution is the process of linking malicious activity to a particular threat actor. And that includes whether or not they’re sponsored by a nation-state. And so when we would make that attribution, we look at all the activity that we’ve gathered on the threat activity including TTPs and malware, infrastructure, past history and so forth. And also, the targeting and potential motivation for an attack. And we take all that information and throw it up against what we already know about that group, and then other threat groups together with geopolitical assessments all to be able to link activity to a certain APT or criminal threat group.

Chris: Making an effort to properly attribute activity is important because it can help us to better understand the threat, which in turn leads to better recommendations for defense strategies as well as a better understanding of attacks that are likely to happen in the future. So, in this way, it helps us to stay ahead of the threats so to speak. State-sponsored APT group activity is shaped by the goals of a nation and targeting is based on their interest. A criminal threat group, on the other hand, maintain communities on the dark web, which means that we must hunt for them in a different way. For these reasons, you know, it’s important that we do accurate attribution.

David: Do different groups crossover and copy one another or pretend to be something that they’re not?

Ole: So I would say that we do see cases where some threat actors will try to or may be trying to use tactics and techniques and procedures that other groups use in order to try to raise a false flag or misattribute activity to that other threat actor. And what we also see commonly is that a lot of threat actors use the same tools and techniques, whether or not they’re trying to actually attribute themselves to other groups. It’s just that a lot of groups use the same kinds of what we call offensive security tools like Metasploit or Cobalt Strike. And they also use a lot of the same publicly available tools that are out there similar to what ITG08 itself uses. And so that helps cloud their activity and make it much more difficult to nail down attribution to a particular threat group.

David: And so let’s get into the nitty-gritty of ITG08. What, or possibly, who is ITG08?

Chris: ITG08, otherwise known as FIN6 is a financially motivated cybercrime group known for stealing payment card data from point-of-sale machines in brick-and-mortar retailers and then selling it for profit on the dark web. Now, historically they tend to target high volume point of sale terminals in the retail and hospitality sectors. But in recent years we have observed the group targeting e-commerce platforms under activity described collectively as Magecart. So, for example, Magecart Group 6 is the same as ITG08 and has been publicly attributed to attacks on the transportation industry as well.

So in this sense, potential ITG08 targets have moved beyond traditional brick-and-mortar retail and now include any type of organization that processes credit card transactions. They were first spotted by security researchers back in 2015. And IBM X-Force has attributed activity to ITG08 as recently as 2019. And this time there is no information that links this group to a particular nation-state.

David: And just for our listeners, the ITG08 group is that advanced criminal threat that’s out there not necessarily an APT, right?

Chris: That’s correct.

David: So, with that in mind, do they specifically target citizens or, you know, have they expanded what sectors they’re looking at?

Chris: So, typically, we see this group targeting, you know, retailers and organizations in the hospitality business. And again, their main focus and target has been historically payment card data from point-of-sale machines. So think about the things that, you know, when you’re in a store and making a purchase and you swipe your credit card through that machine there at the end. Those are the types of machines that are being compromised by this group.

Additionally, you know, we’ve seen activity from this group where they have begun to target e-commerce platforms. So, similar to a credit card checkout at a brick-and-mortar retailer, these are the types of platforms that you used when you enter your credit card information on a website after you, you know, add items to your cart and you’re ready to make a purchase. So, that’s generally the type of victim that we’re seeing with this group.

David: As you talk about or think about ITG08, what TTPs are they known for?

Ole: They’re most well-known for their expertise in what I call post-exploitation actions. And this is what I would call core competency or their competitive advantage, if you will. So these are activities that take place after a group has managed to get inside of a network. And this includes things like network reconnaissance, lateral movement, escalating privileges and then exfiltrating stolen data like credit card information. And so to do all of that, they use a lot of publicly available offensive security tools like Metasploit, and they also use what we commonly call living-off-the-land binaries like PowerShell or Windows Management Instrumentation or WMI. They use publicly available tools as well, like AdFind, which is used to export windows active directory information, and they use 7-Zip to compress their documents prior to exfiltration.

So, as far as getting into the network in the first place, they use a number of different methods and these range from purchasing or using stolen credentials or using spear phishing emails. And there’s also recent evidence that ITG08 is partnering with the TrickBot Gang and then purchasing or using access that’s gained initially through the TrickBot Trojan. So, in this respect, they’re not, I would call that they’re not master malware developers like some cybercriminal groups. And when they do use malware, it’s usually purchased from underground providers on the dark web.

So when it comes to malware, they’re most commonly known for their use of a point-of-sale malware called FrameworkPOS. And it also has a variant called Grateful POS. And this is malware that’s designed to find and scrape credit card data from a system’s memory. And so over the past year, we’ve also seen ITG08 use what we call the More_eggs backdoor, which is what they use to get a foothold within a network and then establish their persistence.

And so More_eggs is very interesting. It’s actually sold by a rather exclusive underground malware provider that also develops themselves other malware like the stealer one, information stealer and also the PureLocker ransomware, which we wrote about last year together with Intezer. And then finally we also assessed that ITG08 is using a rather newly discovered malware framework that’s called Anchor that’s developed by the TrickBot Gang.

So, an important observation that I wanna make here is that when we attribute cybercriminal activity to ITG08, it can be really challenging because they use all these publicly available tools, they use living-off-the-land techniques and they use malware that’s purchased on the dark web from exclusive vendors. So this means there’s no smoking gun, like a unique piece of malware that only this group uses. And we’ve also found that other actors use many of the same individual tactics and techniques and procedures and tools that are used by ITG08. So, all of that taken into account when we make an attribution to ITG08, it only takes place after we examine the attacker’s full range of activity across the attack life cycle from entry to exfiltration.

David: So, Ole, you used a really interesting set of words in this that I would attribute more to like a business conversation, right? So, competitive advantage, that was a really interesting phrase and I would wonder who are they competing against?

Ole: Right. So, they’re competing against other cyberthreat groups for sure, but they’re also competing against the defenders themselves. So we’ve seen for example how companies are introducing EMV chips and point-to-point encryption in order to better protect their point-of-sale machines from malware. And so in response to that, they’ve taken on this new technique we call Magecart where they go after the e-commerce sites and the checkout pages in order to get around that. So, you’re right. In a lot of ways, we do look at ITG08 as if they were a business. They adopt new technology, they focus on their core competencies, they develop strategic partnerships with other groups and they look at the business environment that they’re in and make changes and adopt what I would call a new business line in response to that while still leveraging those same core competencies.

David: Okay. So, as you’re describing this, I’m curious, how long does it take to get to attribution because they don’t seem to have a smoking gun or a signature move that you would maybe attribute with another group?

Ole: Right. So, it really depends on the incident itself and how much information is available. And that can really vary from incident to incident. And it may take some time in order to get a sufficient number of indicators and activity in order to see a consistent pattern that’s consistent with ITG08.

David: So I understand that the IRIS team recently encountered an incident with ITG08. What kind of activity did you detect?

Ole: Right. So we’ve actually come across ITG08 a few times in the past couple of years doing a variety of attacks. And these include attacks on point-of-sale machines to Magecart activity where they target the e-commerce sites. So, because of these incidents that we responded to, we do know a good deal about ITG08 and their TTPs. And so one incident that is worth mentioning specifically was an attack they conducted where they used the More_eggs backdoor as well as other malware that was sold by that same underground malware provider. We actually published an article about this in August in Security Intelligence. It was titled ”More_eggs Anyone? Threat Group ITG08 Strikes Again.”

And so one of the really interesting things about this attack was that they targeted handpicked employees using LinkedIn messaging and emails to advertise bogus job openings and trick them into checking into these supposed job offers. And so once the victims would click on a malicious link, it would download the More_eggs backdoor and then give the group a foothold into the victim network. And in fact, we still see ITG08 conducting this same campaign using these bogus job offers and More_eggs up till the end of last year or early this year.

David: So, going forward, how do you see this group evolving?

Chris: X-Force IRIS believes that a group like ITG08, whose motivations, as we know, are clearly financial, can and will target basically any industry that may prove to be a lucrative source of payment card data. So, while retail is the obvious choice, since credit card transactions are so prevalent, other industries are potential targets as well as we observed when the group was seen targeting a company in the transportation industry. You know, in that case, people don’t think of a transportation company as a retailer, but of course, in order for them to actually allow for the sale of tickets and other services, they must accept credit card transactions. So in that sense, they are just as likely to be a target or a victim as many traditional retailers.

So, you know, we believe that while payment card data seems to be the main objective of this group, you know, any industry that is in the business of collecting payment card data for operation could be a potential target. In addition to that, we have observed activity indicating that ITG08 may be targeting new industries that do not process credit card transactions with ransomware such as LockerGoga and MegaCortex. We responded to such attacks last year where we observed many TTPs that were very similar to those used by ITG08. And at this time, we are continuing to monitor this development pretty closely. We’re also watching close indications that ITGO8 is partnering with the TrickBot Gang whereby ITG08 is leveraging the access into victim networks obtained through TrickBot infections. Now, given the prevalence of TrickBot, this development would help ITG08 gain access to a much wider range of victims.

David: And so that partnership with TrickBot and it seems like a group that is always evolving their business model, are you concerned that they’re going to start to look at, you know, other things than payment data, maybe valuable PII?

Chris: I think that’s certainly a concern. You know, at this time, it’s a development that is kind of being tracked. So we have no clear indication, but of course, something like that will be possible.

David: Okay. And then, as you think about TrickBot, what type of victims do they target?

Ole: The TrickBot Gang and their targeting tends to be less discriminate and it’s distributed through a variety of mechanisms like regular spam email. And what we think is happening here is when the TrickBot Gang is able to infect an enterprise and have their malware, get their malware installed within an enterprise network, the TrickBot Gang will know this, they’ll figure it out. And from there they can, either themselves or by selling access to another group, then conduct a much more advanced attack against that network.

So, in a sense, they’re getting the initial access into an enterprise. And that could just be by happenstance based on who ended up clicking on a link or opening a malicious attachment and then having their machine infected. And if they can get on the right machine, they can get the right kind of access they need and then sell that to another threat actor like ITG08 who can then conduct a very advanced attack from there to target e-commerce sites and point-of-sale machines and so forth.

So that is a very dangerous development. And we are watching that closely. This is all rather new. But it does open up the door to a lot more enterprises being open for attack against their credit card handling and payment card handling processes by a group like ITG08.

So, just to add then, I would say that one of the additional ways that TrickBot is delivered. In fact, one of the most common ways that we see it delivered is as a payload that’s brought down by the Emotet Trojan, which is another piece of malware that’s used in less discriminate attacks and typically delivered through spam email. So we see that a lot, this pattern of Emotet then downloading TrickBot.

David: So, guys, what you’ve described is a real maturation of the economy of attack. One that’s frightening and I gotta think that our listeners are rightly concerned about that. I’d wonder, now that our researchers and our experts have more information about, you know, this threat group and maybe some others, are there ways that they should go about defending themselves?

Ole: In the blog that I mentioned earlier on More_eggs, which we’ll have linked in the show notes, we also provide a list of recommendations for defenders with specific details on what they can do. And we encourage any interested listeners to take a look at those. But I’d love to go over some of the highlights here now. First on the list would be for organizations to train their employees to recognize phishing emails. Always high on any list and it’s high on ours as well. And also to make sure that they know how to report potentially malicious emails. So if they do end up clicking on something, they can get it to the right security people right away in order to stop the infection right at the beginning.

And we also recommend implementing two-factor authentication, another item that’s high on our list as well. And some other things that they can do. They can leverage their security tools to detect the signatures that are related to More_eggs. And in the blog that we wrote, we provide some more specific information on how More_eggs works and how defenders might do that. Next up on our list, organizations should also monitor for suspicious activity in their networks like internal pivoting and scanning. They can also do things like enabled PowerShell script logging and flag odd behavior like obfuscation or multiple failed login attempts or unauthorized account usage. Detecting all of that activity and having a PowerShell script logging in place to do so will go a long way into detecting and then remediating the activity.

And a couple more things. As far as remote system administration, services like PowerShell remoting and WMI should also be monitored and compared against a baseline of normal activity to see if anything unusual is happening there. And a final couple of things, we also recommend that organizations consider penetration testing. This would be defined unknown vulnerabilities, but also to test their ability to monitor for that unusual behavior that the pen testers will conduct. And then finally also for defenders to conduct regular drilling to prepare for an incident so they know what to do and how to respond should something be detected that looks like an attacker.

David: So how can an organization contact IRIS if they believe they’re under attack?

Chris: If you’re an organization and believe you might be under attack, the best thing for you to do is call the IBM X-Force emergency response hotline. And that number is (888) 241-9812.

David: Guys, thank you so much for unpacking all of this today on the podcast and sharing what our listeners can do to protect themselves.

Chris: Sure thing. And thanks for having us on.

Ole: Thank you very much.

Pam: David, you alluded to this in the intro, so I don’t really think we should waste any time getting to the good news.

David: I agree. And I’ll let our guest say it in his own words.

Ole: One thing that is I guess something that is positive is that the kinds of activity we’re seeing ITG08 do like shifting from point-of-sale to Magecart does show that, for example, the EMV chips and the point-to-point encryption and other techniques that have been implemented amongst retailers is kind of forcing the attackers to do different things.

Pam: It’s encouraging to hear that focusing on security best practices really does make a difference.

David: It really is. It feels like too often we’re reading news that’s really negative and focuses on the things that failed or that didn’t work. In fact, it kind of reminds me of this thing called survivor’s bias. And if you’ve ever read business case studies, you’ll see that they cover the successful stories or the successful companies way more often. They have this massive amount of focus on them and there isn’t as much on the businesses that have failed. And what we really need, you know, as we’re thinking about different business models, business plans and how to go forward and be successful is a combination of what worked and what didn’t.

And I think that in security, we end up finding out a lot about the things that didn’t work, but we don’t spend an equal amount or a balanced amount of time talking about what is working, what are the things that we can do that help us win. And so, you know, in cybersecurity, I think everything from better policies and our vigilance, the tech and innovations that we deploy, those all matter and those all help protect what matters. And we need to hear about it.

And in fact, if you go one step further and come around to maybe the attacker’s point of view, when we put defenses in place, what we’re doing is helping dissuade them from attacking us in the first place because we’ve driven up their cost. That’s a little bit of a different way to look at it. And what I hear from our experts’ research team is that when companies are putting those defenses in place, they’re driving up ITG08’s cost of doing business, which is a great thing.

Pam: And that’s it for this episode. Thanks to Ole and Chris for joining us as guests.

David: Subscribe wherever you get your podcasts. We’re on Apple Podcasts, Google Podcasts, SoundCloud and Spotify. Thanks for listening!

Douglas Bonderud
Freelance Writer

A freelance writer for three years, Doug Bonderud is a Western Canadian with expertise in the fields of technology and innovation. In addition to working for...
read more

Your browser doesn't support HTML5 audio
Press play to continue listening
00:00 00:00