Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware (Apr 5, 2019)
FireEye researchers responded to an incident and found that the activity was conducted by the financially-motivated threat group “FIN6.” Researchers found that the group compromised an internet-facing system of its unnamed target and then moved laterally inside the network using stolen credentials for Windows’ Remote Desktop Protocol (RDP). FIN6 used two techniques to maintain persistence. The first used PowerShell to execute an encoded command that turned out to be a “Cobalt Strike” HTTPS stager, which would then download a second shellcode payload configured to download a third, unknown payload. The second was the creation of a Windows service to execute encoded PowerShell commands that contained “Metasploit” reverse HTTP shellcode. The objective of the campaign was to use the compromised servers to distribute malware and host tools. The staged malware was found to be the “LockerGoga” and “Ryuk” ransomware families. Using ransomware is a change of tactics for FIN6, which has primarily targeted point-of-sale terminals.
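As an added defender-side example (not code from the FireEye report or from Anomali), a small Python check for the second persistence technique described above: a newly installed Windows service whose image path launches PowerShell with an encoded command. The event records, their field names and the encoded payload are all constructed for this example.

```python
import base64
import re
from typing import Optional

# Constructed records modelled on Windows System log Event ID 7045
# ("a service was installed in the system"). Field names are assumptions.
_SAMPLE_PAYLOAD = "Write-Output 'constructed sample'"
_SAMPLE_ENC = base64.b64encode(_SAMPLE_PAYLOAD.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"event_id": 7045, "service_name": "UpdaterSvc",
     "image_path": "%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -enc " + _SAMPLE_ENC},
    {"event_id": 7045, "service_name": "BackupAgent",
     "image_path": r"C:\Program Files\Backup\agent.exe /service"},
    {"event_id": 7036, "service_name": "UpdaterSvc",
     "image_path": ""},
]

POWERSHELL = re.compile(r"(?i)\b(?:powershell|pwsh)(?:\.exe)?\b")
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)")
HIDDEN = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden\b")


def decode_encoded_command(blob: str) -> Optional[str]:
    """-EncodedCommand arguments are base64 over UTF-16LE text."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def inspect_service_event(event: dict) -> Optional[dict]:
    """Return a finding for a 7045 event that installs a PowerShell-based service."""
    if event.get("event_id") != 7045:
        return None
    path = event.get("image_path", "")
    if not POWERSHELL.search(path):
        return None
    match = ENC_FLAG.search(path)
    return {
        "service_name": event.get("service_name"),
        "encoded": match is not None,
        "hidden_window": HIDDEN.search(path) is not None,
        "decoded": decode_encoded_command(match.group(1)) if match else None,
    }


def scan(events) -> list:
    return [f for f in map(inspect_service_event, events) if f]
```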
Recommendation: Maintaining secure passwords for RDP and other remote access systems is paramount. Intrusion detection systems and intrusion prevention systems can also assist in identifying and preventing attacks against your company's network. Furthermore, always practice Defense in Depth: do not rely on a single security mechanism; security measures should be layered, redundant, and failsafe. In the case of a ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid. Other machines on the same network should be scanned for other potential infections.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.