FIN7 Hackers Leverage Password Reuse and Software Supply Chain Attacks

The notorious cybercrime group known as FIN7 has diversified its initial access vectors to incorporate software supply chain compromise and the use of stolen credentials, a new study has found.

“Data extortion or deployment of ransomware following activity attributed to FIN7 across multiple organizations, as well as technical overlap, suggests that FIN7 actors have been associated with various ransomware operations over time,” incident response company Mandiant noted in a Monday analysis.

The cybercriminal group, since its emergence in the mid-2010s, has gained notoriety for large-scale malware campaigns targeting point-of-sale (POS) systems serving the restaurant, gambling and hospitality industries with credit card-stealing malware.


FIN7’s shift in monetization strategy to ransomware follows an October 2021 report from Recorded Future’s Gemini Advisory unit, which revealed that the adversary had created a fake front company named Bastion Secure to recruit unwitting penetration testers before a ransomware attack.

Earlier in January, the US Federal Bureau of Investigation (FBI) published a flash alert notifying organizations that the financially motivated gang was sending malicious USB drives (aka BadUSB) to US commercial targets in the transportation, insurance, and defense industries to infect systems with malware, including ransomware.

Recent intrusions staged by the actor since 2020 have involved the deployment of an extensive PowerShell backdoor framework called POWERPLANT, continuing the group’s penchant for using PowerShell-based malware for its offensive operations.

“There’s no doubt about it, PowerShell is the love language of FIN7,” the Mandiant researchers said.

In one of the attacks, FIN7 was observed compromising a website that sells digital products and modifying several of its download links to point to an Amazon S3 bucket hosting trojanized installers bundled with Atera Agent, a legitimate remote management tool, which then delivered POWERPLANT to the victim’s system.

The supply chain attack also marks the evolution of the group’s craft for initial access and deployment of first-stage malware payloads, which have typically focused on phishing schemes.
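A defender-side integrity check for the link tampering described above: scan a vendor page's download links and flag installer-style artifacts that resolve off-site, in particular to a cloud object-storage host. This is an added example, not code from the article or from Mandiant; the HTML, domain names and bucket name are constructed.

```python
"""Flag installer download links on a vendor page that point off-site."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a vendor page whose own links live on vendor.example,
# with one download link rewritten to point at an outside storage bucket.
SAMPLE_HTML = """
<html><body>
<a href="https://vendor.example/downloads/app-setup.exe">Download</a>
<a href="https://downloads.vendor.example/app-setup.msi">Download MSI</a>
<a href="https://example-bucket.s3.amazonaws.com/app-setup.exe">Download</a>
<a href="/docs/manual.pdf">Manual</a>
</body></html>
"""

# Extensions treated as installer-style artifacts worth checking.
ARTIFACT_SUFFIXES = (".exe", ".msi", ".zip", ".dmg", ".pkg")
# Host suffixes of common object-storage services (assumed list).
OBJECT_STORE_HINTS = ("amazonaws.com", "storage.googleapis.com",
                      "blob.core.windows.net")


class LinkCollector(HTMLParser):
    """Collect every href from <a> tags in the page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def suspicious_download_links(html, site_domain):
    """Return (href, reason) for artifact links hosted outside site_domain
    and its subdomains; relative and first-party links are ignored."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href in parser.hrefs:
        parsed = urlparse(href)
        if not parsed.path.lower().endswith(ARTIFACT_SUFFIXES):
            continue  # not an installer-style artifact
        host = (parsed.hostname or "").lower()
        if not host or host == site_domain or host.endswith("." + site_domain):
            continue  # relative or first-party link
        reason = ("object-storage host" if host.endswith(OBJECT_STORE_HINTS)
                  else "off-site host")
        findings.append((href, reason))
    return findings
```

Run it periodically against a known-good copy of the page (or the live page) and alert on any new finding; a first-party link silently becoming an off-site one is the signal this case turned on.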


Other tools used by the group to facilitate its infiltrations include EASYLOOK, a reconnaissance utility; BOATLAUNCH, a helper module designed to bypass the Windows Antimalware Scan Interface (AMSI); and BIRDWATCH, a .NET-based downloader used to fetch and run next-stage binaries received over HTTP.

“Despite the indictments of FIN7 members in 2018 and a related conviction in 2021 announced by the U.S. Department of Justice, at least some FIN7 members have remained active and continue to evolve their criminal operations over time,” said Mandiant researchers.

“Throughout their evolution, FIN7 has increased the speed of their operational tempo, the scope of their targeting, and even perhaps their relationship to other ransomware operations in the cybercriminal community.”
