FIN7 activities detailed by Prodaft Cyber researchers

Share post:

The analysis of FIN7, a Russian advanced persistent threat (APT) group known for ransomware, espionage, and creating fake infosec firms to deceive security experts, by Prodaft Cyber has revealed details about FIN7’s mode of operation.

The group’s leader, Alex, lives in Russia, while the majority of the pen-testers and developers live in Ukraine, according to the researchers. Furthermore, the group has compromised over 8,147 victims, from the United States China, Germany, Canada, Italy, and the United Kingdom.

The Prodaft report uncovered links between FIN7 and other threat actors such as DarkSide, REvil, and LockBit. FIN7’s intrusion techniques, according to the report, have progressed past conventional social engineering to include infected USB drives, software supply chain compromise, and the use of stolen credentials obtained from underground markets. To gain a foothold in target environments, it also exploits several Microsoft Exchange flaws, including CVE-2020-0688, CVE-2021-42321, ProxyLogon, and ProxyShell.

It identifies high-profit firms and organizations and monitors traffic to their websites. Data is stolen, files are encrypted, and the ransom is calculated based on the company’s revenue. As part of its illegal money-making scheme, it also resells access to other ransomware groups and re-targets victims, emphasizing its efforts to minimize effort and maximize profits.

Checkmarks, designed to automate mass scans for vulnerable Microsoft Exchange servers and other public-facing web applications, is one of FIN7’s other tools, as is Cobalt Strike for post-exploitation.

The sources for this piece include an article in TheHackerNews.

SUBSCRIBE NOW

Related articles

Hackers Plant False Memories in ChatGPT to Steal User Data

A security researcher has uncovered a vulnerability in ChatGPT that could allow hackers to store false information and...

“Octo2” Trojan Targets Bank Accounts by Posing as VPN or Chrome Apps on Android

A new malware variant called “Octo2” is spreading across Android devices by posing as popular apps like NordVPN...

Evilginx – Open source tool can bypass Multi-Factor Authentication (MFA)

Security vendor Abnormal Security is reporting a new cybersecurity tool that is gaining traction among cybercriminals. The tool,...

Kaspersky’s exit from US market frightens some customers

Kaspersky, the Russian cybersecurity firm, has unexpectedly removed its antivirus software from U.S. customers' computers, replacing it with...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways