Mobiles, Laptops & Gadgets

FIN7 hackers create auto-attack platform to breach Exchange servers

FIN7 hackers create auto-attack platform to breach Exchange servers
FIN7 hackers create auto-attack platform to breach Exchange servers

FIN7 hackers create auto-attack platform to breach Exchange servers

The notorious FIN7 hacking group uses an automated attack system that exploits Microsoft Exchange and SQL injection vulnerabilities to hack into corporate networks, steal data, and select targets for ransomware attacks based on financial size.

The threat intelligence team at Prodaft has been following the operations of FIN7 for years.

In a report shared with BleepingComputer before publication, Prodaft reveals details about FIN7’s internal hierarchy, affiliations with various ransomware projects, and a new backdoor system used for stealing files from compromised networks.

PLAYTop StoriesSamsung and Google fix Microsoft Intune Android 13 enrollment issueRead MoreCorsair keyboard bug makes it type on its own, no malware involvedRead MoreZerobot malware now spreads by exploiting Apache vulnerabilitiesRead MoreRead MoreRussians hacked JFK airport’s taxi dispatch system for profitRead MoreFBI warns of search engine ads pushing malware, phishingRead More1/1Skip AdContinue watchingafter the adLoading PodsVisit Advertiser websiteGO TO PAGESamsung and Google fix Microsoft Intune Android 13 enrollment issue

Russian-speaking threat actor FIN7 has been active since at least 2012.

They’ve been associated with attacks against ATMs, hiding malicious software in teddy bears, and setting up fake cybersecurity firms.

Auto-attacking Microsoft Exchange

There are multiple Microsoft Exchange remote code execution and privilege elevation vulnerabilities that can be detected by the ‘Checkmarks’ auto- attack system discovered by Prodaft.

Checkmarks were used by FIN7 to discover vulnerable endpoints inside companies’ networks and exploit them to gain access.

FIN7 gained access to the target networks through various exploits, including their own custom code and public available PoCs.

The Checkmarks attack platform has flaws of its own, one of which is the MS Exchange flaws.

Checkmark's SQL injections
Checkmark’s SQL injections (Prodaft)

Checkmarks performs post-exploitation steps after the initial attack stage, such as email extract from Active Directory and Exchange server information gathering.

The auto-exploit process
Post-intrusion procedure (Prodaft)

New victims are added to a central panel where operators can see more details about the compromised endpoint.

Victim details on Checkmarks
Victim details on Checkmarks (Prodaft)

Next, FIN7’s internal’marketing’ team scrutinizes new entries and adds comments on the Checkmarks platform to list victims’ current revenue, number of employees, domain, headquarters details, and other information that can be used to determine if the firm is worth the time and effort.

According to the Prodaft report shared with BleepingComputer, if a firm is deemed to have a sufficient market size, the pentester leaves a comment for the admin on how the server connection can be used, how long the attack can last, and how far it can go.”

The due diligence that goes into evaluating a firm’s size and financial status is notable, with the FIN7’s marketing team collecting information from diverse sources, including Owler.

Owler data view on Checkmarks
Owler data view on Checkmarks (Prodaft)

According to Prodaft, FIN7’s Checkmarks platform has already been used to penetrate 8,147 companies, most of them based in the United States.

Map of FIN7 victims
Heat map of FIN7 victims (Prodaft)

Ransomware and SSH backdoors

The Black Basta gang was connected to the FIN7 group in November of 2022, while Mandiant linked the Russian hackers to Darkside operations in April of the same year.

Further evidence of the DarkSide connection was discovered by Prodaft after they found what appeared to be ransom notes and files from the ransomware operation.

Darkside, REvil, and LockBit were found to have communications with each other from the retrieved logs.

According to the logs, FIN7 likes to have a back door on extorted victims’ networks even after they have paid the ransom, either to sell access to other groups or to try a new attack themselves in the future.

A recent addition to FIN7’s arsenal allows them to steal files from breached devices using reverse SSH connections through an onion domain.

Part of the SSH backdoor script
Part of the SSH backdoor script (Prodaft)

The Checkmarks platform shows how threat actors are industrializing public exploits to perform large-scale attacks with a global impact.

According to the investigation, FIN7 targets everyone and evaluates how valuable they are in a second phase.

Prodaft has provided indicators of compromise in their report for the SSH-based backdoor. It is important for admins to review the report to learn how to target their networks.

Related posts
Mobiles, Laptops & Gadgets

Understanding Cyberwarfare: A Deep Dive into Practical Examples

Individual PrivacyMobiles, Laptops & Gadgets

Protecting Your Digital Identity: A Comprehensive Guide to Online Privacy

Individual PrivacyMobiles, Laptops & Gadgets

Secure Mobile Apps: Boost Phone Security, Privacy 2023

Mobiles, Laptops & Gadgets

McDonald’s earnings haven’t been hit by higher prices, as ‘it just