The FIN6 cyber crime group, which has in the past been involved in stealing payment card data, has allegedly expanded its activities to deploying Windows ransomware, the security firm FireEye claims.

A blog post authored by researchers Brendan McKeague, Van Ta, Ben Fedore, Geoff Ackerman, Alex Pennino, Andrew Thompson and  , said they had found evidence of ransomware when investigating an intrusion at an unnamed customer in the engineering industry.

The intrusion was said to have used stolen credentials, the adversary emulation tool Cobalt Strike, the Metasploit exploitation framework, and publicly available tools such as AdFind and 7-Zip to conduct internal reconnaissance, compress data, and aid in the overall mission.

The post, which was full of plugs for products sold by FireEye and its Mandiant group, said the researchers had identified the most evasive techniques used by the FIN6 group.

“Pivoting from these initial leads, analysts identified suspicious SMB connections and Windows Registry artefacts that indicated the attacker had installed malicious Windows services to execute PowerShell commands on remote systems,” they wrote.

“Windows Event Log entries revealed the user account details responsible for the service installation and provided additional indicators of compromise to assist Managed Defence in scoping the compromise and identifying other systems accessed by FIN6. Managed Defence used Windows Registry Shellbag entries to reconstruct FIN6’s actions on compromised systems that were consistent with lateral movement.”

Managed Defence is another name that FireEye uses for Mandiant.

The initial entry point for the intrusion was identified as an internet-facing system, after which stolen credentials were used to move to other machines in the Windows network. A foothold was established in two ways: by using PowerShell to execute an encoded command, and by creating Windows services whose purpose was to execute encoded PowerShell commands.
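The two foothold techniques above, and the service-installation and event-log artefacts quoted earlier, suggest a simple defensive check: flag process-creation and service-install events whose command line carries an encoded PowerShell argument, and decode it so an analyst can read what was run. The following is an added example written for this page, not code from FireEye, Mandiant or the article; the event records are constructed samples in a simplified dictionary form (the field names `EventID`, `Host`, `Account`, `ServiceName` and `CommandLine` are this example's own, not a real log schema), and the helper `encode_ps` exists only to build those samples the way `-EncodedCommand` expects (base64 over UTF-16LE).

```python
"""Flag encoded-PowerShell footholds in constructed Windows event samples."""
import base64
import binascii
from typing import List, Optional


def _is_encoded_switch(token: str) -> bool:
    """True for -EncodedCommand, any prefix of it (-enc, -en, -e) or the alias -ec."""
    if not token.startswith("-"):
        return False
    body = token[1:].lower()
    return body == "ec" or (body.startswith("e") and "encodedcommand".startswith(body))


def encode_ps(script: str) -> str:
    """Build a blob the way -EncodedCommand expects: base64 of UTF-16LE text.
    Used here only to construct the sample events (assumption: samples are made up)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(blob: str) -> Optional[str]:
    """Return the plaintext script, or None when the blob is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Return the argument following an encoded-command switch, or None if absent."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if _is_encoded_switch(tok):
            return tokens[i + 1].strip("'\"")
    return None


def analyse(events: List[dict]) -> List[dict]:
    """One finding per event whose command line launches encoded PowerShell.
    A blob that fails to decode is still reported (Decoded=None): the attempt
    to hide the command is itself the signal."""
    findings = []
    for ev in events:
        blob = extract_encoded_command(ev["CommandLine"])
        if blob is None:
            continue
        technique = ("service installation running encoded PowerShell"
                     if ev["EventID"] == 7045
                     else "process launched with encoded PowerShell")
        findings.append({
            "EventID": ev["EventID"],
            "Host": ev["Host"],
            "Account": ev["Account"],
            "ServiceName": ev.get("ServiceName"),
            "Technique": technique,
            "Decoded": decode_encoded_command(blob),
        })
    return findings


# Constructed samples, not real telemetry: a System 7045 service-install entry
# whose ImagePath runs encoded PowerShell, a Security 4688 process creation
# using the abbreviated -enc switch, a benign 4688 for contrast, and one
# whose "blob" is not valid base64.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Host": "FS01", "Account": "CORP\\svc-backup",
     "ServiceName": "xZq0lP",
     "CommandLine": "%COMSPEC% /b /c start /b /min powershell -nop -w hidden "
                    "-encodedcommand " + encode_ps("Get-Process | Out-File C:\\temp\\p.txt")},
    {"EventID": 4688, "Host": "WS07", "Account": "CORP\\alice",
     "CommandLine": "powershell.exe -w hidden -enc " + encode_ps("Get-Date")},
    {"EventID": 4688, "Host": "WS07", "Account": "CORP\\alice",
     "CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
    {"EventID": 4688, "Host": "WS09", "Account": "CORP\\bob",
     "CommandLine": "powershell -e notbase64!!"},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f['EventID']} {f['Host']} {f['Account']}: {f['Technique']}")
        print("    decoded:", f["Decoded"])
```

The switch matcher deliberately accepts every prefix PowerShell itself accepts, because a rule that only looks for the literal string `-EncodedCommand` misses `-enc` and `-e`, which are the forms most often seen in service ImagePath values. In a real deployment the `CommandLine` field would come from the 7045 ImagePath and the 4688 process command line respectively, and the account on a 7045 event from a remote session is the detail the researchers used to scope lateral movement.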

The researchers found that both the LockerGoga and Ryuk ransomware were being used by FIN6 during this attack. LockerGoga was recently used to attack the Norwegian aluminium producer Norsk Hydro.

FireEye is known to be quick to attribute attacks, but this time the company appeared somewhat hesitant to do so.

“FIN6 may have evolved as a whole to focus on these extortive intrusions,” the researchers wrote. “However, based on tactical differences between these ransomware incidents and historical FIN6 activity, it is also possible that some FIN6 operators have been carrying out ransomware deployment intrusions independently of the group’s payment card breaches.”
