A blog post authored by researchers Brendan McKeague, Van Ta, Ben Fedore, Geoff Ackerman, Alex Pennino, Andrew Thompson and , said they had found evidence of ransomware when investigating an intrusion at an unnamed customer in the engineering industry.
The intrusion was said to be using stolen credentials, the threat emulation software Cobalt Strike, the exploit database Metasploit, and publicly available tools such as Adfind and 7-Zip to conduct internal reconnaissance, compress data, and aid in the overall mission.
The post, which was full of plugs for products sold by FireEye and its Mandiant group, said the researchers had identified the most evasive techniques used by the FIN6 group.
“Pivoting from these initial leads, analysts identified suspicious SMB connections and Windows Registry artefacts that indicated the attacker had installed malicious Windows services to execute PowerShell commands on remote systems,” they wrote.
“Windows Event Log entries revealed the user account details responsible for the service installation and provided additional indicators of compromise to assist Managed Defence in scoping the compromise and identifying other systems accessed by FIN6. Managed Defence used Windows Registry Shellbag entries to reconstruct FIN6’s actions on compromised systems that were consistent with lateral movement.”
Managed Defence is another name that FireEye uses for Mandiant.
The initial entry point for the intrusion was identified as an Internet-facing system, after which stolen credentials were used to move to other machines in the Windows network. A foothold was established in two ways: by using PowerShell to execute an encoded command and by leveraging the creating of Windows services to execute encoded PowerShell commands.
The researchers found that both the LockerGoga and Ryuk ransomware were being used by FIN6 during this attack. LockerGoga was recently used to attack the Norwegian aluminium company Norsk Hydro.
FireEye is known to be quick to attribute attacks, but this time the group appeared to be somewhat hesitant to do so.
“FIN6 may have evolved as a whole to focus on these extortive intrusions,” the researchers wrote. “However, based on tactical differences between these ransomware incidents and historical FIN6 activity, it is also possible that some FIN6 operators have been carrying out ransomware deployment intrusions independently of the group’s payment card breaches.”