Password reuse and software supply chain attacks are used by FIN7 hackers

Research has revealed that the notorious cybercrime group known as FIN7 is increasingly using supply chain compromise and stolen credentials in its initial access vectors.

Data theft extortion or ransomware deployments following FIN7-attributed activity suggest that the actors behind FIN7 have been associated with various ransomware operations over time,” incident response firm Mandiant said in a Monday report.

The cybercriminal group, since it emerged in the mid-2010s, has gained notoriety for widespread malware campaigns targeting point-of-sale (POS) systems in the restaurant, gambling, and hospitality industries.

FIN7’s shift in monetization strategy towards ransomware follows an October 2021 report from Recorded Future’s Gemini Advisory unit, which found the adversary setting up a fake front company named Bastion Secure to recruit unwitting penetration testers in a lead up to a ransomware attack.

Then earlier this January, the U.S. Federal Bureau of Investigation (FBI) issued a Flash Alert warning organizations that the financially motivated gang was sending malicious USB drives (aka BadUSB) to U.S. business targets in the transportation, insurance, and defense industries to infect systems with malware, including ransomware.

Recent intrusions staged by the actor since 2020 have involved the deployment of a vast PowerShell backdoor framework called POWERPLANT, continuing the group’s penchant for using PowerShell-based malware for its offensive operations.

“There is no doubt about it, PowerShell is FIN7’s love language,” Mandiant researchers said.

In one of the attacks, FIN7 was observed compromising a website that sells digital products in order to tweak multiple download links to make them point to an Amazon S3 bucket hosting trojanized versions that contained Atera Agent, a legitimate remote management tool, which then delivered POWERPLANT to the victim’s system.

The supply chain attack also marks the group’s evolving tradecraft for initial access and the deployment of first-stage malware payloads, which have typically centered around phishing schemes.

Other tools used by the group to facilitate its infiltrations include EASYLOOK, a reconnaissance utility; BOATLAUNCH, a helper module designed to bypass Windows AntiMalware Scan Interface (AMSI); and BIRDWATCH, a .NET-based downloader employed to fetch and execute next-stage binaries received over HTTP.

“Despite indictments of members of FIN7 in 2018 and a related sentencing in 2021 announced by the U.S. Department of Justice, at least some members of FIN7 have remained active and continue to evolve their criminal operations over time,” Mandiant researchers said.

“Throughout their evolution, FIN7 has increased the speed of their operational tempo, the scope of their targeting, and even possibly their relationships with other ransomware operations in the cybercriminal underground.”

Some sections of this post are sourced from:

Add a Comment

Your email address will not be published. Required fields are marked *