FIN7 activities detailed by Prodaft Cyber researchers

December 23, 2022

Prodaft Cyber’s analysis of FIN7, a Russian advanced persistent threat (APT) group known for ransomware, espionage, and creating fake infosec firms to deceive security experts, has revealed details about the group’s mode of operation.

The group’s leader, Alex, lives in Russia, while the majority of the pen-testers and developers live in Ukraine, according to the researchers. Furthermore, the group has compromised over 8,147 victims, from the United States, China, Germany, Canada, Italy, and the United Kingdom.

The Prodaft report uncovered links between FIN7 and other threat actors such as DarkSide, REvil, and LockBit. FIN7’s intrusion techniques, according to the report, have progressed past conventional social engineering to include infected USB drives, software supply chain compromise, and the use of stolen credentials obtained from underground markets. To gain a foothold in target environments, the group also exploits several Microsoft Exchange flaws, including CVE-2020-0688, CVE-2021-42321, ProxyLogon, and ProxyShell.

The group identifies high-profit firms and organizations and monitors traffic to their websites. Data is stolen, files are encrypted, and the ransom is calculated based on the company’s revenue. As part of its illegal money-making scheme, it also resells access to other ransomware groups and re-targets victims, underscoring its attempts to minimize effort and maximize profits.

FIN7’s other tools include Checkmarks, which is designed to automate mass scans for vulnerable Microsoft Exchange servers and other public-facing web applications, and Cobalt Strike for post-exploitation.

The sources for this piece include an article in TheHackerNews.

Jim Love

Jim is an author and podcast host with over 40 years in technology.
