FIN8 Compromised an EMEA Retailer
Category: Threat Actor Activity | Industry: Retail | Source: Darktrace
An intrusion attributed to the financially motivated threat group FIN8, also known as Syssphinx, was detected in a retail organization based in the EMEA region. Darktrace researchers responded to the incident, tracing the origins of suspicious beaconing activity on April 30th, 2023. The activity involved an influx of SSL connections to an IP address flagged with a bad reputation. Later during the day, signs of reconnaissance and privilege escalation activity were observed with over 100 DRSGetNCChanges requests to a domain controller, indicating a potential DCSync attack. The threat actors engaged in lateral movement using the WMI process and accessed SMB and admin shares.
Key activity from the intrusion lasted approximately five and a half hours; then, on May 1st at 03:31:41 UTC, the threat actors were able to exfiltrate data using Rclone. "In total, nine separate devices were involved in this pattern of activity. Five of these devices were labeled as ‘administrative’ devices according to their hostnames. Over the course of the entire exfiltration event, the attackers exfiltrated almost 61 GB of data from the organization’s environment," Darktrace cyber analyst Adam Potter reports. While Darktrace was unable to identify the initial access vector of the attack, it is suspected to have been initiated through a phishing email, since social engineering and phishing techniques are favored by FIN8 attackers.
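The DCSync indicator described above (a single host issuing more than 100 DRSGetNCChanges requests to a domain controller) can be turned into a simple detection. The following is an added example, not code from Darktrace or the report; the log line format, the IP addresses and the set of known domain controllers are constructed assumptions, and DC-to-DC traffic is excluded because domain controllers legitimately replicate with each other.

```python
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed assumptions: which hosts are domain controllers, and the count
# above which a non-DC source is flagged (the report cites >100 requests).
DOMAIN_CONTROLLERS = {"10.0.0.10", "10.0.0.11"}
THRESHOLD = 100

def build_sample_log() -> List[str]:
    """Constructed sample log in a hypothetical 'timestamp src dst operation' format."""
    lines = []
    # 150 replication requests from a workstation: the suspicious pattern.
    for i in range(150):
        lines.append(f"2023-04-30T20:{i // 60:02d}:{i % 60:02d}Z 10.0.5.23 10.0.0.10 DRSGetNCChanges")
    # Normal DC-to-DC replication: must not be flagged.
    for i in range(20):
        lines.append(f"2023-04-30T20:30:{i:02d}Z 10.0.0.11 10.0.0.10 DRSGetNCChanges")
    # A handful of requests from another host: below the threshold.
    for i in range(5):
        lines.append(f"2023-04-30T20:31:{i:02d}Z 10.0.5.40 10.0.0.10 DRSGetNCChanges")
    # Unrelated RPC traffic to a DC: ignored by the detector.
    lines.append("2023-04-30T20:32:00Z 10.0.5.23 10.0.0.10 DRSCrackNames")
    return lines

def parse_line(line: str) -> Tuple[str, str, str, str]:
    """Split one log line into (timestamp, source, destination, operation)."""
    ts, src, dst, op = line.split()
    return ts, src, dst, op

def count_dcsync_candidates(lines: Iterable[str]) -> Dict[Tuple[str, str], int]:
    """Count DRSGetNCChanges calls per (source, DC) pair, from non-DC sources only."""
    counts: Counter = Counter()
    for line in lines:
        if not line.strip():
            continue
        _, src, dst, op = parse_line(line)
        if op == "DRSGetNCChanges" and dst in DOMAIN_CONTROLLERS and src not in DOMAIN_CONTROLLERS:
            counts[(src, dst)] += 1
    return dict(counts)

def detect_dcsync(lines: Iterable[str], threshold: int = THRESHOLD) -> List[Tuple[str, str, int]]:
    """Return (source, DC, count) for every pair exceeding the threshold."""
    counts = count_dcsync_candidates(lines)
    return sorted((src, dst, n) for (src, dst), n in counts.items() if n > threshold)

if __name__ == "__main__":
    for src, dst, n in detect_dcsync(build_sample_log()):
        print(f"possible DCSync: {src} sent {n} DRSGetNCChanges requests to DC {dst}")
```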