FIN11 tactics imitated by Mandiant Red Team to gauge possible reach of ransomware operators in OT environments

A Mandiant Red Team emulated FIN11 techniques at a European engineering organization to understand the potential reach ransomware operators could have in an OT (operational technology) network. The FIN11 threat group has conducted long-running ransomware distribution campaigns across industries; its techniques allow it to start from a corporate endpoint holding regular employee credentials, obtain domain administrator rights, steal critical data, and gain access to OT servers.

“The nature of OT technology and the challenges of defending it means that many OT networks have security gaps that even less sophisticated actors can leverage,” the Mandiant researchers wrote in a company blog post on Tuesday. “Furthermore, Mandiant has consistently highlighted that some financially motivated groups continue to deploy the same or similar tools and techniques as those used by advanced persistent threats (APTs) during high-profile cyber physical incidents.”

The Mandiant Red Team supported a European engineering organization to visualize the possible impact of a financially motivated actor deploying ransomware in an OT environment. The engagement pursued three goals – emulating a ransomware attacker in the IT environment, propagating from IT to separate OT network segments, and emulating multi-faceted extortion by accessing confidential information to steal and redistribute. These goals were successfully accomplished.

About two years earlier, Mandiant released details describing how financial crime actors were expanding their reach into OT. Its assessment was based on two process kill-lists deployed alongside known ransomware strains to amplify the impact of the attacks. These lists were intended to enumerate and terminate software processes, a couple of which were coincidentally related to OT. While there is limited documented information to determine the impact of these process lists, the assessment indicated that by stopping such processes, an attacker could have abruptly terminated and encrypted critical OT functions, resulting in added damage to the victim.

“One of the two process kill lists was deployed alongside a CLOP ransomware sample, which we then attributed to a cybercrime actor known as FIN11,” the Mandiant post said. “The group has monetized their operations using point-of-sale (POS) malware, CLOP ransomware, and traditional extortion.”

FIN11 has shown no indication of having specialized OT expertise, and there is no evidence indicating that the process kill list they deployed significantly impacted any victim OT environments, Mandiant said. “However, the actor’s use of a process kill list containing some OT processes brings up further questions about the extent of their capabilities and how they might impact OT in the future,” it added.

In the past, financially motivated actors like FIN11 have used tactics, techniques and procedures (TTPs) that are comparable to those used by state-sponsored actors to support the early stages of the OT targeted attack lifecycle. This includes using publicly available tooling, living-off-the-land techniques, known exploitation frameworks, and tailored malware to compromise victims.

Mandiant adopted an ‘assumed breach’ approach for this engagement, starting from a standard employee account and device on the target’s enterprise domain. Mandiant then utilized FIN11 techniques to continue the intrusion, moving across endpoints in different security zones. Some techniques that the researchers used to achieve their objectives in IT and OT included surveillance of web and internal applications, reconnaissance of Active Directory infrastructure, and lateral movement using Silver Ticket attacks.

The researchers also discovered several devices vulnerable to CVE-2021-36934, the ‘SeriousSAM’ vulnerability. Exploiting this vulnerability, Mandiant downloaded the Security Account Manager (SAM) databases of these devices and utilized the Impacket library to extract secrets from them, including the password hashes for local accounts, computer account passwords, and cached domain credentials. Furthermore, the researchers were able to escalate privileges through Active Directory Certificate Services.

Using the information and privileges gathered through the enterprise network compromises, Mandiant identified the best paths to reach the target OT servers. The researchers focused on reaching two specific targets: an isolated legacy OT network and a global OT network with connections across different regions.

The researchers said that Mandiant accessed eight servers within the OT network, one of which was a Human Machine Interface (HMI). Access to this system would allow attackers to interact maliciously with the physical control process using native commands. Once Mandiant established a foothold and had administrative access, the focus shifted to privilege escalation.

Mandiant dumped the SAM database on one of the hosts to retrieve local account password hashes, which the researchers cracked using a dictionary attack, revealing the cleartext password for one of the local administrator accounts. Utilizing local administrator credentials, Mandiant created a memory dump of the Local Security Authority Subsystem Service (LSASS) process on another OT host using the Task Manager application.

Mandiant exfiltrated the memory dump file and retrieved the contained credentials using a specially packed version of the public tool Mimikatz. The recovered credentials contained the NTLM hash for a Domain Administrator account on the OT network domain. Subsequently, Mandiant completed the objective by utilizing the Domain Administrator account password hash and executing its custom payload on the OT domain controller via remote service creation.

For the second attack path, Mandiant escalated privileges within the target’s enterprise domain with an ‘AS-REP roast’ attack, using the ‘Impacket’ library to recover multiple user account password hashes. Mandiant cracked the password hashes using a dictionary attack, which revealed the cleartext password for one of the accounts. That user account had RDP privileges on an additional host, allowing Mandiant to move laterally within the enterprise environment.
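AS-REP roasting leaves a recognizable trace on the domain controller: Kerberos TGT requests (Security event 4768) with pre-authentication type 0 and an RC4 (0x17) ticket encryption type, typically for several accounts from one source. The detection logic below is an added example, not code from the Mandiant engagement; the 4768 records are constructed, and the field names follow the event's XML data names.

```python
"""Flag AS-REP roasting candidates from Windows Security event 4768 records and
list accounts whose userAccountControl disables Kerberos pre-authentication.
Added example with constructed sample data; not code from the engagement."""
from collections import defaultdict

RC4_HMAC = 0x17              # TicketEncryptionType that yields crackable AS-REP material
DONT_REQ_PREAUTH = 0x400000  # userAccountControl flag "Do not require Kerberos preauthentication"

# Constructed 4768 events as they might arrive from a SIEM (values already typed).
SAMPLE_4768 = [
    {"TargetUserName": "svc_backup", "IpAddress": "10.20.5.17",
     "PreAuthType": 0, "TicketEncryptionType": 0x17, "Status": "0x0"},
    {"TargetUserName": "alice", "IpAddress": "10.20.5.17",
     "PreAuthType": 2, "TicketEncryptionType": 0x12, "Status": "0x0"},  # normal AES + pre-auth
    {"TargetUserName": "eng_legacy", "IpAddress": "10.20.5.17",
     "PreAuthType": 0, "TicketEncryptionType": 0x17, "Status": "0x0"},
    {"TargetUserName": "bob", "IpAddress": "10.20.9.3",
     "PreAuthType": 0, "TicketEncryptionType": 0x17, "Status": "0x6"},  # KDC rejected: unknown principal
]


def asrep_roast_candidates(events, min_accounts=2):
    """Group successful no-pre-auth, RC4 TGT requests by requesting IP.

    One source collecting RC4 AS-REPs for several accounts that do not require
    pre-authentication is the classic roasting pattern; single hits are noisier."""
    by_source = defaultdict(set)
    for ev in events:
        if (ev["PreAuthType"] == 0 and ev["TicketEncryptionType"] == RC4_HMAC
                and ev["Status"] == "0x0"):
            by_source[ev["IpAddress"]].add(ev["TargetUserName"])
    return {ip: sorted(users) for ip, users in by_source.items()
            if len(users) >= min_accounts}


def no_preauth_accounts(uac_by_account):
    """Return accounts with DONT_REQ_PREAUTH set: the remediation list, since
    clearing the flag removes the roastable AS-REP entirely."""
    return sorted(acct for acct, uac in uac_by_account.items() if uac & DONT_REQ_PREAUTH)


if __name__ == "__main__":
    print("roast candidates:", asrep_roast_candidates(SAMPLE_4768))
    print("fix these accounts:", no_preauth_accounts({"svc_backup": 0x410200, "alice": 0x10200}))
```

The userAccountControl values passed to `no_preauth_accounts` would in practice come from an LDAP query of the domain; here they are constructed.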

The accessed host contained engineering software, which indicated it was likely a jumphost or an application server for engineers. Additionally, the engineering application installed on the host used desktop shortcuts that pointed to batch (BAT) files in a directory writable by non-privileged users. This allowed Mandiant to alter the content of the BAT files so that unauthorized applications launched when users clicked the shortcut on the desktop.

OT systems are critical for organizations to automate production processes. As a result, they are attractive targets for actors intending to disrupt production either for profit or to produce physical damage. Additionally, the overlaps in TTPs between ransomware operators and OT-focused APTs suggest that protecting against ransomware operations yields defenses against other impactful events, such as a cyber-physical attack.

“As of mid-2022, we have not observed financially motivated actors explicitly targeting OT networks to extort victims, however, we highlight that actors have carried out ransomware attacks that impacted OT processes,” Mandiant said. “Actors with access to OT assets may be empowered to disrupt the victim’s control or visibility over a process in several ways. OT asset owners and operators benefit from ransomware attack emulation by confronting the latest adversary TTPs, identifying vulnerabilities in their environment, and improving breach detection and response capabilities,” it added.

In April, Mandiant proposed deploying proactive security assessments in operational environments involving real-world simulation of adversary techniques. These have proven invaluable methods for uncovering critical security issues and high-risk attack paths in enterprise environments.
