Believed to be carried out by a previously unobserved actor or group FireEye calls FIN10, the intrusion operations – mostly casinos and mining organizations in North America, with a focus on Canada – date back to at least 2013, continued through 2016 and were still active as recently as early June, the California-based the intelligence-led security firm reported Friday.
Said intrusions involved attacker(s) compromising organizations’ networks and seeking “to monetize this illicit access by exfiltrating sensitive data and extorting victim organizations,” FIN10: Anatomy of a Cyber Extortion Operation reports.
Pointing out that FIN10 primarily relies on publicly available software, scripts and techniques to gain a foothold into victims’ networks, proof of stolen data is then posted on publicly accessible websites and a ransom made.
In all but one targeted intrusion attributed to FIN10, a sum payable in Bitcooin was demanded. Requested sums ranged from 100 to 500 Bitcoins (roughly $124,000 to $620,000) as of mid-April 2017.
“Failure to pay the threat group could result in the public release of stolen data and potential disruption or destruction of the victim’s information assets and systems,” the report notes.
Although there is insufficient evidence to determine the initial infection vector, it points out, in at least two intrusions, FIN10 leveraged spear phishing emails with malicious attachments, “making it plausible that this methodology was used across all breaches.”
FIN10 used Meterpreter – short for Meta-Interpreter, an advanced payload included in the Metasploit Framework – as the primary method of establishing an initial foothold within victim environments. “Meterpreter and most of its extensions are executed in memory, thus largely evading detection by standard anti-virus.”
In addition, “in the majority of cases, we observed FIN10 leveraging PowerShell Empire (a pen-testing tool that utilizes PowerShell) for elevated persistence, mainly by utilizing the Registry and Scheduled Task options,” it explains. “We have regularly observed FIN10 use scheduled tasks as a persistence mechanism.”
Network degradation activity “typically consisted of the attacker(s) creating scheduled tasks on multiple systems within the targeted network environment to disrupt the normal operations of those systems by rendering their operating systems unusable.”
Once contact was made, “FIN10 also seeks to increase its leverage by sending multiple emails to staff and board members of the victim organizations, notifying them of the breach and potential consequences for non-payment,” the report points out.
“We believe the primary goal of FIN10 is to steal corporate business data, files, records, correspondents and customer PII (personally identifiable information) for the purposes of extorting victim organizations for the non-release of the stolen data.”
“In some cases, when the extortion demand was not met, the attacker(s) destroyed production Windows systems by deleting critical operating system files and then shutting down the impacted systems,” states the report.
“The relative degree of operational success enjoyed by FIN10 makes it highly probable the group will continue to conduct similar extortion-based campaigns at least in the near term,” FireEye reports. “Notably, we already have some evidence to suggest FIN10 has targeted additional victims beyond currently confirmed targets,” the report adds.
Unlike breaches where a containment plan may be able to stop an attacker from stealing more information, it states, “in these disruptive instances, the damage may have already been done by the time the attacker(s) contacts the victim organization.”
Lessons learned from investigating FIN10 and other disruptive breaches suggest affected organizations do the following: