Prodaft details FIN7 cybercrime gang exploiting software supply chains, distributing malicious USB sticks

Cyber threat intelligence firm Prodaft has released details of the highly active threat group FIN7, which has continuously broadened its cybercrime operations and recently added ransomware to its attack arsenal. FIN7 is notorious for deploying extensive backdoors by leveraging software supply chains, distributing malicious USB (universal serial bus) sticks, and cooperating with other groups. Prodaft has also identified the inner details of various cyber-attack operations conducted against large institutions based in the USA and Europe.

“FIN7 is also attributed to the espionage campaign named Carbanak, and is known to be interacting with other hacker groups well-known under names such as LockBit, Darkside, REvil, or MAZE,” Prodaft researchers wrote in their latest report, titled ‘FIN7 Unveiled: A deep dive into notorious cybercrime gang’. “Most notably, FIN7 has gathered several uncategorized hacking teams and created fake infosec firms to trick security researchers into executing ransomware attacks by taking on names such as Combi Security and Bastion Secure.”

The PRODAFT Intelligence Team (PTI) obtained visibility into the inner workings of the FIN7 threat group. It gained information about the group’s organizational structure, identities, attack vectors, infrastructure, victim targeting, and proof-supported affiliations with other ransomware groups, such as DarkSide, which was behind the Colonial Pipeline attack in 2021, along with other relevant observations. All findings are supported by translated conversations among the members of FIN7, including screenshots of their infrastructure.

The report identified that FIN7 uses various techniques to obtain the data they are looking for – intending to monetize them afterward. Some techniques include utilizing public exploits, buying stolen credentials from underground markets, cooperating with other ransomware groups, or using social engineering methods such as distributing malware through malicious USBs and sending spear-phishing emails.

Despite improved detection solutions and greater awareness within the targeted sectors, utilizing public exploits remains a ‘powerful approach’ for gaining access to victims’ systems. To date, the FIN7 group has compromised and caused monetary damage to 8,147 victims, predominantly residing in the USA (16.74 percent). Notably, they managed to infiltrate those high-profile companies after scanning 1,826,508 targets.

Prodaft assesses that since 2013, victims ranging from food producers and critical infrastructure providers to healthcare and financial firms have suffered financial losses of significant magnitude at the hands of this threat group. “While FIN7’s primary objective is to directly steal financial information, they will also steal sensitive information to sell on underground marketplaces, or reuse it in their upcoming ransomware attacks.”

Moreover, the group appears to be as active as ever, continuing to rely on a proven set of tools and techniques across its attack surfaces, such as the go-to tools POWERPLANT and ‘rclone,’ according to the report. The group has specialized in PowerShell programs and unique commands that can be observed across its malware infections.

The researchers disclosed that the hackers had mainly exploited the ProxyShell and ProxyLogon vulnerabilities in Microsoft Exchange to gain initial access to their targets, owing to the availability of easy-to-use public tools. “PTI team also identified that the FIN7 group developed tailored systems to quickly discover and infiltrate the high-value targets by performing mass scans. Apart from exploitation to gain initial access, it has been observed that FIN7 also performs social engineering attacks or uses already stolen enterprise credentials,” the report added.

“We discovered several methods of their e-mail phishing techniques with malicious document attachments, as briefly analyzed in the corresponding sections of this report,” the report said. “Stolen credentials were found to be purchased from underground markets and checked with in-house developed scripts/tools. The overall tactics and behaviour of the group reveal habitual patterns.” 

After the initial access, FIN7 proceeds with the execution of the rest of the ransomware attack chain, encrypting the files, leaving a note inside the targeted systems, and directing the institution’s representatives to the chat platforms hosted inside the TOR network, the researchers said. “There they negotiate ransom payments in cryptocurrency with their victims; if the institution refuses to pay the ransom money, the attacker group publicly shares the files stolen from target institutions on a website in the TOR network.” 

An unusual step after this chain is that they leave an SSH-based backdoor on the target systems, Prodaft researchers highlight. “It has been concluded that the objective of this backdoor is to re-target the victims with other types of ransomware to gain more profit, whilst this presumption is echoed by the conversations held among the threat actors,” they added.
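The report does not describe the form the SSH backdoor takes, so the following is an added hunting check, not Prodaft’s tooling or anything recovered from FIN7. It assumes that the persistence, like most SSH-based access, rests on an extra entry in an authorized_keys file, and it audits such a file against an allowlist of expected key fingerprints, computing fingerprints the way `ssh-keygen -lf` prints them (base64 of the SHA-256 of the key blob, padding stripped). The two keys in the sample file are constructed synthetic blobs, not real keys.

```python
"""Audit authorized_keys entries against an allowlist of expected SSH key
fingerprints. Added example for hunting leftover SSH persistence; it is not
Prodaft's code and the report does not say how FIN7's backdoor is installed."""
import base64
import binascii
import hashlib
from dataclasses import dataclass


@dataclass
class KeyEntry:
    key_type: str
    fingerprint: str  # "SHA256:..." exactly as `ssh-keygen -lf` prints it
    comment: str
    options: str      # e.g. 'no-pty,command="/bin/sh"', or "" when absent


def fingerprint(blob: bytes) -> str:
    """OpenSSH fingerprint: SHA-256 of the raw key blob, base64 without '='."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list[KeyEntry]:
    """Parse an authorized_keys file; malformed lines are skipped, not trusted."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # Options, if any, precede the key type; the key type is the first
        # token that looks like an SSH algorithm name.
        idx = next((i for i, p in enumerate(parts)
                    if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(parts):
            continue
        options = " ".join(parts[:idx])
        key_type, b64 = parts[idx], parts[idx + 1]
        comment = " ".join(parts[idx + 2:])
        try:
            blob = base64.b64decode(b64, validate=True)
        except (ValueError, binascii.Error):
            continue
        entries.append(KeyEntry(key_type, fingerprint(blob), comment, options))
    return entries


def audit(text: str, allowlist: set[str]) -> list[KeyEntry]:
    """Return every key whose fingerprint is not on the allowlist."""
    return [e for e in parse_authorized_keys(text) if e.fingerprint not in allowlist]


# --- constructed sample data (synthetic key blobs, not real key material) ---
def _ed25519_blob(pub32: bytes) -> bytes:
    """Wire-format blob: string("ssh-ed25519") || string(32-byte public key)."""
    def s(b: bytes) -> bytes:
        return len(b).to_bytes(4, "big") + b
    return s(b"ssh-ed25519") + s(pub32)


_KNOWN = _ed25519_blob(bytes(range(32)))   # the key the admins expect
_ROGUE = _ed25519_blob(bytes(32))          # an entry nobody recognises

SAMPLE_AUTHORIZED_KEYS = (
    "# managed by config management\n"
    f"ssh-ed25519 {base64.b64encode(_KNOWN).decode()} admin@jump\n"
    f'no-pty,command="/bin/sh" ssh-ed25519 {base64.b64encode(_ROGUE).decode()} backup\n'
    "garbage line that is not a key\n"
)
ALLOWLIST = {fingerprint(_KNOWN)}


if __name__ == "__main__":
    for entry in audit(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST):
        print(f"UNEXPECTED {entry.key_type} {entry.fingerprint} "
              f"comment={entry.comment!r} options={entry.options!r}")
```

On Linux the files to feed in are every user’s `~/.ssh/authorized_keys` plus any `AuthorizedKeysFile` paths set in `sshd_config`; on Windows OpenSSH, `administrators_authorized_keys` under `%ProgramData%\ssh` deserves the same check, and the presence of an `sshd` service at all on a host that was never meant to run one is itself a finding.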

The researchers also identified that the owner of the obtained data is an active member of the FIN7 group responsible for providing tailored access to the targeted institutions. The conversation history exposed that the subject threat actor is providing tailored access to other ransomware distributors. 

The report confirms, from the group’s behavioral patterns, tactics, techniques, and procedures, that FIN7 filters and prioritizes vulnerable targets to minimize its effort and maximize its profit. “They are doing so by considering several parameters, such as annual revenue, foundation date, and the number of employees in the company. A specific page discovered in their management panel shows the value of each vulnerable target. This page demonstrates a particular type of feasibility study considered a unique behaviour among cyber-crime groups,” it added.

In May this year, the U.S. Department of Health and Human Services (HHS) identified that the financially-motivated groups shifting to ransomware operations included the FIN7 and the FIN12. In the case of the FIN7, the shift began at the end of 2021 and into 2022, as ransomware variants used in connection with the group’s operations include Maze, Ryuk, and ALPHV/BlackCat.
