Contact Us

FIN7: Notorious threat group that operates with automated attack system

A sophisticated and well-organized criminal organization known as FIN7, also said to be linked to Carbanak, is responsible for creating and distributing a variety of malware, including the FIN7 virus. The FIN7 virus is a Trojan that is primarily intended to steal sensitive data from targeted companies, such as credit card numbers. The gang is renowned for its advanced techniques, which are used to get into a victim’s network and install the malware. These tactics include social engineering and spear-phishing attacks.

The notorious FIN7 hacker organization breaks into business networks, steals data, and chooses targets for ransomware attacks based on financial size. They use an automated attack system that exploits Microsoft Exchange and SQL injection vulnerabilities.

Checkmarks, the automated attack system, scans for various vulnerabilities related to privilege escalation and remote code execution in Microsoft Exchange, including CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. Since June 2021, FIN7 has been using Checkmarks to automatically identify weak endpoints within organizations’ networks and exploit them in order to get access.

To access the target networks, FIN7 employs several exploits, including their own original code and freely accessible Proofs-of-Concept. Following the first attack phase, Checkmarks automatically carries out post-exploitation tactics including email extraction from Active Directory and information collection from Exchange servers. A central panel where FIN7 operators may view more information about the compromised endpoint is automatically updated with new victims.

It has been utilized in a number of well-publicized attacks on companies across a range of industries, including the banking, restaurant, hotel, and retail sectors in nations including the United States, Canada, Germany, France, the United Kingdom, and Australia, among others.

 

For more information and actionable recommendations, download SISA’s detailed technical advisory on FIN7 APT.

 

References:

  1. https://www.bleepingcomputer.com/news/security/fin7-hackers-create-auto-attack-platform-to-breach-exchange-servers/
  2. https://www.zdnet.com/article/fin7-hackers-evolve-operations-with-ransomware-novel-backdoor/

Related Articles

SISA logo in white

SISA is a global forensics-driven cybersecurity solutions company, trusted by leading organizations for securing their businesses with robust preventive, detective, and corrective cybersecurity solutions. Our problem-first, human-centric approach helps businesses strengthen their cybersecurity posture.

Industry recognition by CREST, CERT-In and PCI SSC serves as a testament to our skill, knowledge, and competence.

We apply the power of forensic intelligence and advanced technology to offer true security to 2,000+ customers in 40+ countries.

Company

Services

Resources

Quick Links

Connect with us

Copyright © 2024 SISA. All Rights Reserved.
SISA’s Latest
close slider

Webinar

Webinar: ANAB accredited certification, Jan 2024, cover image

ANAB Accredited Certification: A Catalyst for Professional Excellence in Payment Security

Webinar: ANAB accredited certification, Jan 2024, cover image

ANAB Accredited Certification: A Catalyst for Professional Excellence in Payment Security

Whitepaper

Bridging the cybersecurity skill gap in payments industry through accredited training - Banner

The Tipping Point: Bridging the Cybersecurity Skill Gap in the Payments Industry Through Accredited Training

Events

SISA Reimagines Cybersecurity with MXDR at RSA 2024

News Room

DSCI and SISA unveils cyber report on ‘MXDR – A New Paradigm for Cyber Defense’

Infosec Report

SISA-DSCI ProACT MXDR Report launch 2024

Blog

The Critical Role of Accredited Certification in Payment Security

Weekly Threat Watch

Critical CVSS 10 vulnerability in PAN-OS sparks urgent action

Case Study

SISA helps a global electronic payment provider strengthen risk management and compliance

Sign up for SISA's Daily
Threat Watch Advisory
Subscribe now!