FIN7's Growth and Evolution
Category: Threat Actor Activity | Industry: Global | Level: Tactical | Source: PRODAFT
Researchers from PRODAFT's Intelligence Team (PTI) share an in-depth analysis of the cybercrime group FIN7, providing insights into its organizational hierarchy and its affiliate role in ransomware operations. The group has been observed cooperating with established ransomware gangs such as LockBit, Darkside, REvil, and Maze. Although FIN7 operators have continued to advance and expand their capabilities, their activity remains rooted in financial gain. "Nowadays, its initial approach is to carefully pick high-value companies from the pool of already compromised enterprise systems and force them to pay large ransoms to restore their data or seek unique ways to monetize the data and remote access." The high-value targets include critical infrastructure providers, food suppliers, financial services, and healthcare organizations. From PRODAFT's investigation, more than 1,826,508 scans were initiated by FIN7 against potential targets, leading to over 8,147 FIN7 victims being attacked globally. The majority of victims were located in the United States and Europe.
PRODAFT researchers were able to gain an understanding of FIN7's organizational structure by analyzing leaked Jabber chat logs. FIN7's internal structure comprises management, developers, pentesters, and affiliates. Members of FIN7 have identified areas of expertise, including initial access operations, extortion methods, and IT infrastructure management. As in any organization, segregating roles and responsibilities enables FIN7 members to focus on specific tasks when studying and infiltrating their victims. As an example of a coordinated effort within FIN7: "The Marketing team at FIN7 first gathers information on potential victims, including their current revenue, number of employees, headquarter details, domain, and website. They then share this information with the Pentesters to determine if the victim is a worthwhile target. If a firm is deemed to have a sufficient market size, the Pentester leaves a comment for the admin on how the server connection can be used, how long the attack can last, and how far it can go."
During FIN7 attacks, the operators are known to use compromised credentials obtained through social engineering campaigns or purchased from cybercrime forums. Other well-known FIN7 initial access techniques include delivering malicious USB drives, sending phishing emails, and exploiting public-facing applications through known vulnerabilities such as ProxyLogon and ProxyShell. To identify vulnerable endpoints, FIN7 operators were observed using an attack platform named Checkmarks, starting on June 1st, 2021. The platform enables FIN7 operators to drop web shells onto vulnerable endpoints via PowerShell, launch SQL injection attacks, and extract emails from Active Directory and Microsoft Exchange servers. Other techniques used by FIN7 during post-exploitation include PowerShell scripts, RDP for lateral movement, Cobalt Strike, and Rclone for data exfiltration. To enable re-infection, FIN7 operators leave an SSH backdoor on the host, allowing further monetary gain when they opt to strike again.
Anvilogic Use Cases:
- Removable Media Detected
- AVL_UC6591 - Potential ProxyShell
- Exchange New Export Request
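The three use cases above map onto the initial-access tradecraft described in the summary (ProxyShell exploitation, mailbox export requests used to drop web shells, and malicious USB drives). The following is an added example, not code from PRODAFT or Anvilogic, showing what detection logic for each might look like when run offline over constructed sample records. The log layouts are simplified stand-ins for IIS access logs, Exchange admin-audit entries and Windows Security event 6416; the field names and the exact URL/path patterns used as indicators are assumptions to be tuned against your own telemetry.

```python
"""Added example: three small detection heuristics for FIN7-style Exchange and
USB tradecraft, run over constructed sample logs (not real data)."""
import re
from dataclasses import dataclass


@dataclass
class Alert:
    rule: str
    severity: str
    detail: str


# --- 1. Potential ProxyShell ------------------------------------------------
# Heuristic: an autodiscover.json request in which an "@" is followed by a
# further Exchange endpoint (/mapi, /powershell, /ews). Legitimate autodiscover
# calls carry "@" only inside an Email= address, which this pattern ignores.
PROXYSHELL_RE = re.compile(r"autodiscover\.json\S*@\S*/(mapi|powershell|ews)\b", re.I)

# Constructed IIS-style lines: date time s-ip method uri-stem uri-query c-ip status
IIS_LOG = """\
2021-08-10 12:00:01 10.0.0.5 GET /owa/auth/logon.aspx - 198.51.100.20 200
2021-08-10 12:00:07 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/mapi/nspi/ 203.0.113.7 200
2021-08-10 12:00:09 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell 203.0.113.7 200
2021-08-10 12:01:15 10.0.0.5 GET /autodiscover/autodiscover.json Email=user@corp.example 198.51.100.20 200
2021-08-10 12:02:30 10.0.0.5 GET /ecp/default.aspx - 198.51.100.21 200
"""


def detect_proxyshell(log_text):
    """Return one Alert per request matching the ProxyShell URL heuristic."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue  # blank, header or malformed line
        date, time, _, method, stem, query, client, status = fields[:8]
        url = stem if query == "-" else f"{stem}?{query}"
        if PROXYSHELL_RE.search(url):
            alerts.append(Alert("Potential ProxyShell", "high",
                                f"{date} {time} {client} {method} {url} -> {status}"))
    return alerts


# --- 2. Exchange New Export Request -----------------------------------------
# Every New-MailboxExportRequest is worth review; one whose FilePath lands in a
# web-served directory or is not a .pst is the web-shell-drop pattern.
WEB_DIRS = ("inetpub\\wwwroot", "\\owa\\auth", "aspnet_client")

EXCHANGE_AUDIT = [  # constructed admin-audit records (simplified)
    {"RunDate": "2021-08-10T12:05:00Z", "Caller": "corp\\svc-backup",
     "Cmdlet": "New-MailboxExportRequest",
     "Parameters": {"Mailbox": "jdoe", "FilePath": "\\\\exch01\\backups\\jdoe.pst"}},
    {"RunDate": "2021-08-10T12:06:42Z", "Caller": "corp\\administrator",
     "Cmdlet": "New-MailboxExportRequest",
     "Parameters": {"Mailbox": "jdoe",
                    "FilePath": "\\\\exch01\\c$\\inetpub\\wwwroot\\aspnet_client\\help.aspx"}},
    {"RunDate": "2021-08-10T12:07:10Z", "Caller": "corp\\helpdesk",
     "Cmdlet": "Get-Mailbox", "Parameters": {"Identity": "jdoe"}},
]


def detect_export_requests(records):
    """Flag mailbox export requests; escalate those writing outside a .pst."""
    alerts = []
    for rec in records:
        if rec.get("Cmdlet") != "New-MailboxExportRequest":
            continue
        path = rec.get("Parameters", {}).get("FilePath", "").lower()
        web_served = any(d.lower() in path for d in WEB_DIRS)
        severity = "high" if (web_served or not path.endswith(".pst")) else "low"
        alerts.append(Alert("Exchange New Export Request", severity,
                            f"{rec['RunDate']} {rec['Caller']} -> {path}"))
    return alerts


# --- 3. Removable Media Detected -------------------------------------------
# Windows Security event 6416 ("A new external device was recognized").
# Match on any USB-enumerated DeviceId rather than DiskDrive only: a malicious
# "drive" that injects keystrokes enumerates as an HID device, not a disk.
SECURITY_EVENTS = [  # constructed; field names assumed from the 6416 XML data
    {"EventID": 6416, "Computer": "WS-0142", "ClassName": "DiskDrive",
     "DeviceDescription": "USB Mass Storage Device", "DeviceId": "USBSTOR\\DISK&VEN_X"},
    {"EventID": 6416, "Computer": "WS-0142", "ClassName": "HIDClass",
     "DeviceDescription": "USB Input Device", "DeviceId": "USB\\VID_1234&PID_5678"},
    {"EventID": 6416, "Computer": "WS-0142", "ClassName": "Net",
     "DeviceDescription": "Ethernet Controller", "DeviceId": "PCI\\VEN_8086&DEV_15BE"},
    {"EventID": 4624, "Computer": "WS-0142"},
]


def detect_removable_media(events):
    """Return an Alert for each 6416 event whose device enumerated over USB."""
    return [Alert("Removable Media Detected", "medium",
                  f"{e['Computer']}: {e['DeviceDescription']} ({e['ClassName']})")
            for e in events
            if e.get("EventID") == 6416 and e.get("DeviceId", "").upper().startswith("USB")]


if __name__ == "__main__":
    for alert in (detect_proxyshell(IIS_LOG) + detect_export_requests(EXCHANGE_AUDIT)
                  + detect_removable_media(SECURITY_EVENTS)):
        print(f"[{alert.severity:^6}] {alert.rule}: {alert.detail}")
```

Run as a script it prints two ProxyShell alerts from the same client, one low- and one high-severity export request, and two USB device alerts, while the legitimate autodiscover lookup, the backup-service export and the PCI device are left alone. The export rule deliberately keeps a low-severity alert for every export request, matching the use case name, so that analysts can baseline legitimate backup activity before tightening it.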