Case Study 2: FIN7 Post-Exploitation Playbook and the 2022 Uber Breach
Part A: FIN7 — The Corporate Cybercrime Enterprise
Background
FIN7 (also known as Carbanak Group and Navigator Group) is one of the most prolific financially motivated cybercrime organizations in history. Active since at least 2013, FIN7 has stolen over $1 billion from financial institutions, restaurants, and hospitality companies worldwide. What distinguishes FIN7 from other cybercrime groups is their corporate-like structure, sophisticated post-exploitation methodology, and the systematic playbooks they developed for every phase of an intrusion.
In 2018, the U.S. Department of Justice indicted several FIN7 members, revealing that the group operated as a structured organization with managers, developers, and penetration testers. They even created a fake cybersecurity company called "Combi Security" to recruit unknowing employees who believed they were performing legitimate penetration testing.
FIN7's Post-Exploitation Playbook
FIN7's operations followed a remarkably consistent and well-documented methodology:
Initial Access: Phishing with Precision
FIN7 initiated attacks through carefully crafted spear phishing emails targeting specific roles within victim organizations -- primarily finance, human resources, and management. Their emails contained:
- Malicious Word or Excel documents with embedded macros
- Files mimicking legitimate business communications (invoices, orders, complaints)
- Documents tailored to the target industry (restaurant supply orders for hospitality, SEC filing notices for finance)
The macros executed a sophisticated PowerShell-based backdoor (HALFBAKED or GRIFFON) that established initial command and control.
Phase 1: Establishing Foothold
Upon initial execution, FIN7's malware performed standard reconnaissance:
- System enumeration (hostname, OS version, installed software)
- Network configuration and domain membership
- Active user sessions and recent login history
- Anti-virus and security product detection
Based on this reconnaissance, the C2 operators determined whether the compromised host was worth pursuing. If the target showed promise (domain-joined workstation, financial software installed, point-of-sale related processes), the attackers proceeded to the next phase.
Phase 2: Persistence and Privilege Escalation
FIN7 employed multiple persistence mechanisms simultaneously:
- Scheduled tasks executing PowerShell scripts
- WMI event subscriptions for fileless persistence
- Modified shortcut files (LNK) in Startup folders
- Registry Run key entries
Privilege escalation typically involved:
- Token impersonation using custom Potato-variant exploits
- Credential harvesting from memory using custom tools (avoiding Mimikatz signatures)
- Exploiting misconfigured services and group policies
Phase 3: Internal Reconnaissance and Lateral Movement
FIN7's internal reconnaissance was methodical:
- Domain enumeration: Map Active Directory structure, identify privileged accounts, locate key servers
- Network mapping: Identify network segments, particularly those handling financial transactions or point-of-sale systems
- Share enumeration: Search file shares for credentials, financial data, and operational documentation
Lateral movement leveraged:
- Pass-the-Hash using harvested NTLM hashes
- Remote service execution (PsExec, WMI)
- PowerShell Remoting
- RDP (often using compromised privileged accounts)
Phase 4: Point-of-Sale (POS) System Targeting
FIN7's ultimate objective in hospitality and retail attacks was the point-of-sale infrastructure. Their approach included:
- Identifying POS network segments (often inadequately segmented from the corporate network)
- Deploying custom RAM-scraping malware on POS terminals to capture unencrypted card data from memory
- Collecting harvested card data on staging servers within the victim network
- Exfiltrating data through encrypted channels to attacker infrastructure
Their custom POS malware (PILLOWMINT) was designed to avoid detection by:
- Operating entirely in memory
- Using legitimate Windows APIs for memory scanning
- Encrypting harvested data before writing to disk
- Mimicking legitimate process behavior
Phase 5: Data Exfiltration and Monetization
Exfiltration used multiple channels:
- HTTPS POST requests to compromised legitimate websites (avoiding suspicious domains)
- DNS tunneling for low-bandwidth, high-reliability exfiltration
- Cloud storage services (Dropbox, Google Drive) using legitimate APIs
Stolen credit card data was sold on underground markets (known as "dumps" markets), generating significant revenue for the organization.
Operational Structure
FIN7's corporate-like structure included:
- Management: Strategic planning, target selection, resource allocation
- Developers: Malware development, tool creation, infrastructure maintenance
- Operators: Active intrusion operations, post-exploitation, data extraction
- Support: Social engineering, phishing campaign management, recruitment
This structure enabled FIN7 to conduct multiple simultaneous intrusions, maintain consistent quality, and scale their operations efficiently.
Part B: The 2022 Uber Breach — A Teenager's Post-Exploitation Masterclass
Background
On September 15, 2022, Uber disclosed a significant security breach. The attacker -- later identified as an 18-year-old affiliated with the Lapsus$ group -- had gained access to Uber's internal systems, including Slack, Google Workspace, AWS consoles, VMware vSphere, and various internal dashboards. The breach demonstrated that sophisticated post-exploitation does not always require sophisticated tools or nation-state resources.
The Attack Chain
Step 1: Social Engineering for Initial Access
The attacker purchased stolen credentials (username and password) for an Uber contractor from the dark web. These credentials had likely been obtained from a previous infostealer malware infection.
The contractor's account was protected by multi-factor authentication (MFA). The attacker used a technique known as "MFA fatigue" or "MFA push bombing": repeatedly sending MFA push notifications to the contractor's phone. After about an hour of constant notifications, the contractor accidentally (or deliberately, to stop the notifications) approved one of the requests.
In addition, the attacker contacted the contractor via WhatsApp, posing as Uber IT support and asking them to approve the MFA request. The combination of push notification fatigue and a convincing social engineering message proved effective.
Step 2: VPN Access and Initial Reconnaissance
With valid credentials and MFA approval, the attacker connected to Uber's corporate VPN. This placed them on Uber's internal network, where they began reconnaissance.
The attacker scanned the internal network and quickly discovered that Uber's network was relatively flat -- internal systems were widely accessible from the VPN connection without additional segmentation or authentication barriers.
Step 3: The Critical Discovery — Hardcoded Credentials
While scanning internal network shares, the attacker found a PowerShell script on an internal file share. This script contained hardcoded credentials for Uber's Privileged Access Management (PAM) system (Thycotic). This single discovery transformed the breach from a VPN compromise into a full organizational compromise.
The hardcoded PAM credentials provided access to:
- Domain administrator accounts
- Cloud service credentials (AWS, GCP, Azure)
- Internal application credentials
- Infrastructure management systems
Step 4: Post-Exploitation and Pivoting
With PAM access, the attacker systematically accessed critical systems:
- Slack: The attacker joined channels, read messages, and eventually posted a message announcing the breach. They accessed Slack's workspace data and communications history.
- Google Workspace: Internal documents, drive content, and email.
- AWS and GCP consoles: Cloud infrastructure management access.
- HackerOne: Uber's bug bounty platform, where the attacker could read vulnerability reports (including unpatched vulnerabilities), potentially exposing additional attack vectors.
- SentinelOne: Uber's EDR platform, giving the attacker visibility into the organization's detection capabilities and potentially the ability to modify detection rules.
- VMware vSphere: Virtual infrastructure management.
- Internal dashboards: Financial data, engineering metrics, and operational information.
Step 5: The Announcement
Rather than maintaining stealth (as APT29 would), the attacker posted a message in Uber's internal Slack:
"I announce I am a hacker and Uber has suffered a data breach."
This announcement, combined with the attacker's bragging on Telegram, eventually led to their identification and arrest.
Comparative Analysis: FIN7 vs. Uber Breach
| Aspect | FIN7 | Uber 2022 |
|---|---|---|
| Attacker type | Organized crime enterprise | Individual (teenager, Lapsus$) |
| Initial access | Spear phishing | Credential purchase + MFA fatigue |
| Sophistication | Custom malware, advanced tradecraft | Minimal tools, primarily social engineering |
| Post-exploitation | Systematic playbook over weeks/months | Opportunistic discovery over hours |
| Objective | Financial theft (credit cards) | Data access and notoriety |
| Stealth | High -- designed to avoid detection | Low -- announced the breach publicly |
| Key enabler | POS network segmentation failures | Hardcoded PAM credentials in scripts |
| Impact | >$1 billion stolen | Reputational damage, security program exposure |
Lessons for Ethical Hackers
- Credential storage matters: The Uber breach pivoted on a single PowerShell script with hardcoded PAM credentials. During penetration tests, searching for hardcoded credentials in scripts, configuration files, and code repositories should be a priority.
- MFA fatigue is a real threat: Push-based MFA without rate limiting or number matching is vulnerable to fatigue attacks. Testers should evaluate MFA implementation strength, not just its presence.
- Network segmentation must be tested: Both FIN7 and the Uber attacker benefited from flat or poorly segmented networks. Post-exploitation should systematically test segmentation boundaries.
- Post-exploitation can be simple: The Uber attacker used no custom malware, no exploit code, and no sophisticated tools. Valid credentials and network access were sufficient to compromise the entire organization.
- PAM systems are high-value targets: Privileged Access Management systems are the keys to the kingdom. Their security must be tested thoroughly, including how credentials for the PAM system itself are stored and accessed.
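As an added example (not code from the page, from Uber, or from any named tool), this is the kind of hardcoded-credential scanner an auditor would run over scripts collected from file shares and repositories. The regex patterns, the labels and the sample PowerShell script are all constructed for the illustration; they are not the script found in the breach.

```python
import re

# Regexes for secrets commonly left in PowerShell and config files (constructed for this example).
SECRET_PATTERNS = [
    ("plaintext password variable",
     re.compile(r'\$\w*(pass|pwd|secret)\w*\s*=\s*["\'][^"\']{4,}["\']', re.I)),
    ("ConvertTo-SecureString -AsPlainText",
     re.compile(r'ConvertTo-SecureString\s+["\'][^"\']+["\'].*-AsPlainText', re.I)),
    ("API key or token literal",
     re.compile(r'(api[_-]?key|token)\s*[:=]\s*["\'][A-Za-z0-9_\-]{16,}["\']', re.I)),
    ("credentials embedded in URL",
     re.compile(r'[a-z]+://[^/\s:]+:[^@\s]+@', re.I)),
]

def scan_text(text):
    """Return (line_number, label, line) for each line that matches a secret pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip().startswith("#"):      # comment-only lines are reviewed separately
            continue
        for label, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append((lineno, label, line.strip()))
                break                          # one label per line is enough for triage
    return findings

# Constructed sample of a sync script left on a file share (not Uber's script).
SAMPLE_SCRIPT = """\
# Nightly sync job against the PAM vault
$PamUser = "svc-pam-sync"
$PamPassword = "Hunter2!"
$sec = ConvertTo-SecureString "Hunter2!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($PamUser, $sec)
Invoke-RestMethod -Uri "https://svc:Hunter2!@pam.corp.example/api/v1/secrets"
$LogPath = "C:\\logs\\sync.log"
Write-Output "Sync complete"
"""

if __name__ == "__main__":
    for lineno, label, line in scan_text(SAMPLE_SCRIPT):
        print(f"line {lineno}: {label}: {line}")
```

To cover a share, walk it with os.walk and feed each .ps1, .bat, .cfg or .xml file to scan_text; the patterns are deliberately broad, so findings are a triage list, not a verdict.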
Lessons for Defenders
Blue Team Perspective: The Uber breach highlights several critical defensive gaps:
- Implement MFA number matching: Require users to enter a number displayed on the authentication screen into their authenticator app, preventing blind approval of push notifications.
- Rate-limit MFA attempts: Alert on and block excessive MFA push notifications to a single account.
- Never hardcode credentials: Implement secrets management solutions (HashiCorp Vault, AWS Secrets Manager) and scan code repositories and file shares for hardcoded credentials.
- Segment VPN access: VPN connections should not provide broad network access. Implement zero-trust network access (ZTNA) that authenticates each resource request individually.
- Monitor for anomalous access patterns: A single user accessing Slack, AWS, GCP, HackerOne, SentinelOne, and vSphere in rapid succession is highly anomalous and should trigger alerts.
- Protect PAM infrastructure: The PAM system should be among the most heavily protected and monitored systems in the organization. Access should require additional authentication factors and generate high-priority alerts.
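As an added example (not from the page or from Uber's environment), two of the detections listed above, excessive MFA pushes to one account and one account reaching many distinct systems in a short window, implemented over a constructed authentication log. The log format, field names, thresholds and service names are assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real telemetry): "timestamp user event service"
SAMPLE_LOG = """\
2022-09-15T21:00:05Z contractor01 mfa_push_sent vpn
2022-09-15T21:00:35Z contractor01 mfa_push_sent vpn
2022-09-15T21:01:02Z contractor01 mfa_push_sent vpn
2022-09-15T21:02:11Z contractor01 mfa_push_sent vpn
2022-09-15T21:03:05Z contractor01 login_success vpn
2022-09-15T21:40:12Z contractor01 login_success slack
2022-09-15T21:52:48Z contractor01 login_success aws-console
2022-09-15T22:01:19Z contractor01 login_success hackerone
2022-09-15T21:00:30Z alice mfa_push_sent vpn
"""

def parse(log):
    """Parse the log into time-sorted (ts, user, event, service) tuples."""
    rows = [line.split() for line in log.splitlines()]
    return sorted((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), u, e, s) for ts, u, e, s in rows)

def _by_user(events, event_name):
    per_user = defaultdict(list)  # user -> [(ts, service), ...] for one event type
    for ts, user, event, service in events:
        if event == event_name:
            per_user[user].append((ts, service))
    return per_user

def mfa_push_floods(events, max_pushes=3, window=timedelta(minutes=10)):
    """Users sent more than max_pushes MFA prompts inside any sliding window (push bombing)."""
    flagged = {}
    for user, pushes in _by_user(events, "mfa_push_sent").items():
        start = 0
        for end in range(len(pushes)):
            while pushes[end][0] - pushes[start][0] > window:
                start += 1
            if end - start + 1 > max_pushes:
                flagged[user] = max(end - start + 1, flagged.get(user, 0))
    return flagged

def service_sprawl(events, min_services=4, window=timedelta(hours=1)):
    """Users who logged into at least min_services distinct systems inside any window."""
    flagged = {}
    for user, logins in _by_user(events, "login_success").items():
        for i, (ts, _) in enumerate(logins):
            seen = {svc for t, svc in logins[i:] if t - ts <= window}
            if len(seen) >= min_services:
                flagged[user] = seen | flagged.get(user, set())
    return flagged
```

In production the same two checks would run continuously against the identity provider's event stream, with a flood alert feeding the rate-limit response described above.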
Discussion Questions
- Compare FIN7's structured, patient approach to post-exploitation with the Uber attacker's rapid, opportunistic approach. Which is more dangerous to a typical organization, and why?
- How did the discovery of hardcoded PAM credentials change the scope and impact of the Uber breach? What controls should have been in place to prevent this?
- FIN7 operated as a corporate-like organization with defined roles and processes. How does this organizational structure affect their post-exploitation effectiveness compared to individual hackers?
- The Uber attacker gained access to Uber's HackerOne bug bounty reports. What are the security implications of an attacker being able to read unpatched vulnerability disclosures?
- Both case studies demonstrate the importance of network segmentation. Design a network segmentation strategy that would have limited the impact of either attack.