FIN7: Notorious threat group that operates with automated attack system

A sophisticated and well-organized criminal organization known as FIN7, also said to be linked to Carbanak, is responsible for creating and distributing a variety of malware, including the FIN7 virus. The FIN7 virus is a Trojan that is primarily intended to steal sensitive data from targeted companies, such as credit card numbers. The gang is renowned for its advanced techniques, which are used to get into a victim’s network and install the malware. These tactics include social engineering and spear-phishing attacks.

The notorious FIN7 hacker organization breaks into business networks, steals data, and chooses targets for ransomware attacks based on financial size. They use an automated attack system that exploits Microsoft Exchange and SQL injection vulnerabilities.

Checkmarks, the automated attack system, scans for various vulnerabilities related to privilege escalation and remote code execution in Microsoft Exchange, including CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. Since June 2021, FIN7 has been using Checkmarks to automatically identify weak endpoints within organizations’ networks and exploit them in order to get access.

To access the target networks, FIN7 employs several exploits, including their own original code and freely accessible Proofs-of-Concept. Following the first attack phase, Checkmarks automatically carries out post-exploitation tactics including email extraction from Active Directory and information collection from Exchange servers. A central panel where FIN7 operators may view more information about the compromised endpoint is automatically updated with new victims.

It has been utilized in a number of well-publicized attacks on companies across a range of industries, including the banking, restaurant, hotel, and retail sectors in nations including the United States, Canada, Germany, France, the United Kingdom, and Australia, among others.

 

For more information and actionable recommendations, download SISA’s detailed technical advisory on FIN7 APT.

 

References:

  1. https://www.bleepingcomputer.com/news/security/fin7-hackers-create-auto-attack-platform-to-breach-exchange-servers/
  2. https://www.zdnet.com/article/fin7-hackers-evolve-operations-with-ransomware-novel-backdoor/
SISA’s Latest
close slider