
June 16, 2022
Critical Disruptions: New Exfiltration and Extortion Threat Actor Campaign

What is a Threat Actor Campaign?
You may be wondering what a threat actor is or, better yet, what a threat actor campaign is. To start, a threat actor is a person or group that exploits networks and systems for financial or political gain. These threat actors chain a series of vulnerability exploits together into what is known as a threat actor campaign. A campaign is designed around a common goal and a chosen target: the attackers plan out a series of attack strategies against an entity ahead of time in the hope of compromising it.
On the defensive side of the house, we call these attack strategies Indicators of Compromise (IoCs). IoCs alone are not necessarily malicious, but when you combine them, they can paint a much larger picture of an attack in progress. As we cover IoCs in our threat courses, you will also see them referred to as tactics, techniques, and procedures (TTPs), as this is how MITRE labels them in the ATT&CK® Framework. MITRE does a great job of breaking IoCs down into techniques and sub-techniques to help identify possible avenues of attack based on known vulnerabilities and exploits that have been proven in the wild.
What is "Exfiltration & Extortion"?
The core methods of attack for this threat actor group are exfiltration, "the unauthorized removal of data from a device", and extortion, "obtaining something through force or coercion". For a threat actor like FIN10 to successfully exfiltrate data out of a compromised network, they need to spend a lot of time triaging the network and gathering enough account permissions to carry out the main phase of the attack. Without proper knowledge of the network structure and the means to execute administrative commands on systems, it would be tough for attackers to accomplish anything.
One of the main focus areas of this campaign is establishing persistence, which is a paramount detail for threat actors to succeed. This provides financially motivated attackers with a strong foothold within an organization to ensure their C2 channels (command and control) remain intact and their access on all accounts will stay active. Without properly executing this attack phase, adversaries would have to start over every time they were booted from a system (restart, logoff, etc.).
One of the most important concepts to remember is that the activity observed here is only the beginning of what could be a much larger and more complicated attack. Essentially, this is just the threat actors walking in the door and kicking their shoes off. By not properly and promptly detecting the takeover of accounts and the persistence activity, you could be in for a terrible breach situation. Most commonly, FIN10 is known for deploying ransomware and demanding bitcoin as payment (anywhere from 100-500 bitcoin). Once an attacker like FIN10 reaches the phase of the attack where they are deploying ransomware across your network, it can be too late to prevent the attack, as they are too deeply embedded. This situation would require a full lockdown of all affected hosts and most likely a halt to your business operations.
Exfiltration & Extortion courses - The FIN10 Focus
FIN10 is one of many threat groups that focus on exploiting financially regulated industries. According to FireEye, they are labeled as "one of the most disruptive threat actors observed in North America." We decided to create courses surrounding FIN10 because the net scope of who they could target is enormous, and if they do attack, it could be a catastrophic incident to organizations.
The Exfiltration & Extortion threat actor campaign primarily focuses on identifying and detecting the initial compromise, persistence, and enumeration techniques that FIN10 uses to compromise your network. Courses available in this campaign are:
- Registry Run Keys - Covers how the threat actor would go about inserting a payload into the registry to assist with persistence efforts.
- Lateral Tool Transfer - This course identifies what internal activity may look like if an attacker tries to move tools from one compromised host to another.
- Obtain Capabilities: Tool - Unlike "Lateral Tool Transfer," this course covers what activity looks like when tools are downloaded from an external source.
- Scheduled Task - Detecting persistence is critical; seeing how FIN10 creates scheduled tasks to ensure longevity on a system is vital.
- User Discovery - Once persistence is set, they will attempt to locate more accounts with better permissions. This course demonstrates what that activity looks like and how to detect it.
- Local Account - Organizations that do not enforce strong password policies and audit privileged account management can fall victim to attackers who leverage access to local accounts. Quickly identifying when local admin accounts are being used for malicious activity is essential, and it must be alerted on.
What should you expect after taking these courses?
The Exfiltration & Extortion campaign focuses on the initial point of compromise, persistence, and enumeration of accounts to gather more access. After taking these courses, you will be able to detect the following effectively:
- Registry changes that indicate suspicious activity.
- An attacker moving tool sets, both internally between hosts and inbound from external sources.
- Persistence being established, by observing scheduled task (schtasks) creation on a system.
- Illegitimate local admin account usage and account enumeration activity, through detections built to isolate them.
- A bird's-eye view of all this activity in your SIEM.
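As an added illustration (not code from the courses or from Cybrary), the following Python pass applies the four detections listed above, registry Run key writes, scheduled task creation, account enumeration and local admin additions, to constructed Windows Security and Sysmon event records, then flags hosts where more than one indicator lines up, which is the "combined IoCs" picture described earlier. Hostnames, paths and account names in the sample events are made up; the event IDs and field names follow the standard Sysmon and Security log layouts.

```python
"""Detection pass over Windows/Sysmon event records for the persistence and
enumeration activity this campaign covers. All sample events are constructed
for illustration; field names follow the usual Sysmon (EventID 1, 13) and
Security log (4698, 4732) layouts, but hosts, paths and users are made up."""
import re
from collections import defaultdict

# Writes under HKCU/HKLM ...\CurrentVersion\Run or RunOnce (Registry Run Keys).
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# net / net1 user|localgroup|group ... (User Discovery / local account enumeration).
ENUM_CMD = re.compile(r"\bnet1?(\.exe)?\s+(user|localgroup|group)\b", re.IGNORECASE)

def classify(ev):
    """Map one event to a detection label, or None if it matches nothing."""
    chan, eid = ev["Channel"], ev["EventID"]
    if chan == "Sysmon" and eid == 13 and RUN_KEY.search(ev.get("TargetObject", "")):
        return "persistence:registry-run-key"
    if chan == "Security" and eid == 4698:          # A scheduled task was created
        return "persistence:scheduled-task"
    if chan == "Sysmon" and eid == 1 and ENUM_CMD.search(ev.get("CommandLine", "")):
        return "discovery:account-enumeration"
    if chan == "Security" and eid == 4732 and ev.get("TargetUserName") == "Administrators":
        return "privilege:local-admin-added"        # member added to local Administrators
    return None

def detect(events, min_categories=2):
    """Return (host, label) alerts plus hosts showing >= min_categories distinct
    labels: several indicators on one host, not a lone hit, is the campaign signal."""
    alerts = [(ev["Computer"], label) for ev in events if (label := classify(ev))]
    per_host = defaultdict(set)
    for host, label in alerts:
        per_host[host].add(label)
    suspicious = sorted(h for h, labs in per_host.items() if len(labs) >= min_categories)
    return alerts, suspicious

# Constructed sample events (not real telemetry).
SAMPLE = [
    {"Channel": "Sysmon", "EventID": 13, "Computer": "WS01",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\upd"},
    {"Channel": "Sysmon", "EventID": 13, "Computer": "WS01",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache"},
    {"Channel": "Security", "EventID": 4698, "Computer": "WS01", "TaskName": r"\SysHealth"},
    {"Channel": "Sysmon", "EventID": 1, "Computer": "WS01", "CommandLine": "net user /domain"},
    {"Channel": "Sysmon", "EventID": 1, "Computer": "WS02", "CommandLine": "notepad.exe notes.txt"},
    {"Channel": "Security", "EventID": 4732, "Computer": "WS02",
     "TargetUserName": "Administrators", "MemberName": r"WS02\svc_tmp"},
]

if __name__ == "__main__":
    alerts, hosts = detect(SAMPLE)
    for host, label in alerts:
        print(host, label)
    print("hosts with combined indicators:", hosts)
```

In a SIEM the same logic maps to one rule per label plus a correlation rule on distinct labels per host within a time window.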
These courses are a great way to fill the knowledge gap for specific threat actors and provide a hands-on view of what can be done within your SIEM to create effective detections and alerts.