FIN7, the Notorious Cybercrime Group, Seeks to Breach Corporate Networks with Microsoft Exchange

Image of a hooded cybercriminal behind a laptop with a question mark on his face.
Cybercrime groups are growing sophisticated and are anonymously targeting high-value corporations.
Source: Pixabay 

A Swiss cybersecurity firm, Prodaft, has recently released a report about FIN7, deeming it one of the deadliest cybercrime groups on the planet that mainly targets corporations with vulnerabilities. The group uses an auto-attack system, Checkmarks, to breach corporate networks with Microsoft Exchange vulnerabilities. It chooses its targets based on financial size, total employees, vulnerability, and other criteria.  

“FIN7 group is known to hold a notorious status due to their achievement in deploying extensive backdoors in leveraging software supply chains, distributing malicious USB sticks, and cooperating with other groups,” read the report’s overview.  

Prodaft claims to have gained a sneak peek into the group’s “inner workings”. The company obtained information about “their organizational structures, identities, attack vectors, infrastructures, and proof-supported affiliations with other ransomware groups.”

Details from Prodaft’s Chilling Report on FIN7 

The image shows the Prodaft blog page titled "Fin7 unveiled: A deep dive into notorious cybercrime gang."
FIN7 are professional criminals, who use intimidation tactics to keep workers from leaving.
Source: Prodaft

FIN7 is a 31-member organization comprising management, penetration testers, developers, and affiliates. Workers aren’t allowed to leave the group and are intimidated and threatened into staying. The Prodaft team got the information below from FIN7’s internal communications.

The group is based mainly in Russia and Ukraine and has a rigid hierarchical structure. The ringleader, “Alex,” participates in all infiltration and ransomware attack operations against corporations. “Rash,” who has links to LockBit and REvil, manages the financial aspects of the ransomware operations. “Sergey-Oleg,” the third key member, is an access specialist who has been instrumental in breaching high-value targets. Those in the lower echelons don’t know how much money FIN7 makes or how the management distributes it. 

In recent years, FIN7 has moved beyond social engineering scams and now employs a diverse mix of attack vectors. These new attack vectors include using infected USB drives, exploiting software supply chains, and purchasing user credentials. Their strategy currently focuses on picking high-value corporate enterprises with known security vulnerabilities and making them pay ransoms.

FIN7 Created the Checkmarks Platform to Exploit Microsoft Exchange Vulnerabilities 

The image shows the FIN7 Checkmark platform with company URLs and other information to identify potential targets.
Cybercriminals are taking their cue from corporations when it comes to business efficiency, internal platforms, and hierarchical models.
Source: The Bleeping Computer

The auto-attack system FIN7 deploys is called Checkmarks. The system scans for Microsoft Exchange vulnerabilities, allowing for remote code execution and privilege escalations. These vulnerabilities include CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. Exploiting these vulnerabilities at the beginning of June 2021, FIN7 auto-attacked several company networks by dropping web shells via PowerShell.

Besides Microsoft Exchange vulnerabilities, FIN7 also uses the Checkmarks platform to launch SQL injection attacks against vulnerable databases. After the initial infiltration, the auto-attack system automatically carries on the post-exploitation steps, including email extraction from Active Directory and gathering Exchange server information. Checkmarks then adds the recent victims to a central panel for additional processing and exploitation. 

In other words, FIN7’s Checkmarks platform is an integrated solution for corporate network penetration. FIN7’s marketing team reviews and marks potential targets based on their corporate information for penetration testers. FIN7 collects information from Owler, Crunchbase, DNB, ZoomInfo, Mustat, and Similarweb to determine if a company is worth an attack. 

After the vetting process, penetration testers search for network vulnerabilities and pass the information up the value chain to the administration/managerial team. This information includes specifics about the duration of the attack, server vulnerabilities and how to exploit them, the scale of the attack, and other related information. 

An Interconnected Network of Cybercrime Groups

The image shows a heatmap distribution of the globe, displaying the density of FIN7 victims per country.
Location is no obstacle for an international crime organization interested in profit.
Source: The Hacker News

FIN7’s Checkmark platform has hit over 8,147 companies out of the 1.8 million potential targets it has scanned, according to Prodaft. Targeted companies are mainly in the US, while others are in China, Italy, the UK, Canada, and Germany. FIN7 exploits publicly known network vulnerabilities to perform large-scale attacks. 

But FIN7 is not a lone actor. Retrieved Jabber logs show communications between FIN7 and Darkside, REvil, LockBit, Black Basta, and more. Because these organizations use different ransomware stacks, it’s hard to profile them, making lines between different cybercrime cartels blurry. 

While FIN7 specializes in ransomware, it has diversified its operations and attacks to further avoid detection. It uses infection sequences to load remote access trojans, such as Carbanak, Lizar (aka Tirion), and IceBot. Further, it leaves an SSH backdoor to exploit victims even after they’ve paid the ransom. 

What Can Network Admins Do about the FIN7 Threat?

Prodaft has described the indicators of compromise (IOCs) in their report for the SSH-based backdoor and other forms of malware FIN7 uses. Firstly, all corporate network admins should read the report to understand how the group works and to see if their network is vulnerable to the type of attacks it employs. Since internet access spans almost the entire globe, anyone can be a potential victim regardless of their location. 

This type of attack vector doesn’t relate to phishing or user credential compromises. Instead, it relies on remote code execution and privilege escalations, primarily on Microsoft Exchange. But, network administrators can use the following best practices to secure their networks against such malicious actors:

  1. Deploy powerful passwords and enable two-factor authentication for all employees
  2. Scan for malware regularly
  3. Configure strong firewalls 
  4. Encrypt data on all devices containing sensitive information
  5. Use automated patching for known security vulnerabilities 
  6. Carry out regular audits in relation to IT vulnerabilities to find the weakest links

Vulnerability scanning is an excellent way to gauge a network’s security. Once a security vulnerability is found, administrators should waste no time patching it. A company may also expose itself unnecessarily by overlooking easy exploits in its efforts to prepare for sophisticated attacks. Overlooked security vulnerabilities are an open invitation to cybercriminals, and they’re ruthlessly unforgiving of such oversights. 

The Corporatization of Cybercrime

FIN7 and other cybercrime groups have become far more sophisticated and organized. In a corporate-like approach to cybercrime, they now follow hierarchical structures and calculate risks vs rewards to maximize profits. And similar to companies collaborating on projects, cybercriminals use the Checkmarks platform to systematically review, access, and revise targets. 

Network administrators are often told to think like cybercriminals. But, cybercriminals are turning the tables and have started to think more like network admins and corporate executives to further their aims. 

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top