Prodaft's Threat Intelligence team recently detected the hacker group FIN7 compromising Microsoft Exchange servers through an automated attack system. The operation was aimed at the following illegal activities:
- Infiltrating corporate networks
- Data theft
- Adaptive ransomware attacks, tuned to the financial resources of the victim's network
The security firm has been closely following FIN7's operations for years, and Prodaft has revealed a great deal about what goes on behind the scenes:
- The group's internal hierarchy
- Its many ransomware-related affiliations
- A new SSH backdoor system
Automated Attack System
FIN7, a Russian-speaking threat group, has been active since at least 2012, and its motivations appear to be financial.
The group has been behind a number of attacks, including:
- Attacks on ATMs
- Hiding malware-carrying USB devices inside teddy bears
- Setting up a fake cybersecurity company to hire pentesters for ransomware-related work
Prodaft discovered Checkmarks, a system for automated attacks. It scans for vulnerabilities in Microsoft Exchange that can lead to remote code execution and privilege escalation.
FIN7 has been actively using Checkmarks to find vulnerable corporate endpoints, exploit them and use PowerShell to drop shells, giving the group access to corporate network resources.
As part of an attack, FIN7 employed multiple exploits to access the targeted networks, including its own custom code as well as public proofs of concept.
Besides the MS Exchange vulnerabilities, the Checkmarks attack platform can also exploit other flaws: an SQL injection module uses SQLMap to detect potentially exploitable injection points.
After FIN7's Checkmarks platform scanned over 1.8 million targets, 8,147 companies had already been infiltrated. The most striking finding is that these companies are mostly based in America.
Communication with the C&C Server
Security analysts found evidence in Jabber logs that FIN7 was communicating with numerous ransomware organizations, including:
- Darkside
- REvil
- LockBit
One thing that stands out in the logs is that FIN7 likes to keep an SSH backdoor open on the networks of victims who have already been extorted with ransomware.
This access could be sold to other groups, or used to test new attacks in the future. The SSH backdoor is a completely new addition to FIN7's already extensive arsenal of backdoors and other sophisticated tools.
FIN7's Checkmarks platform shows how easily threat actors can turn public exploits into large-scale attacks capable of affecting organizations around the world.
In other words, the platform allows threat actors to industrialize public exploits.