FIN7 Hackers Leveraging Password Reuse and Software Supply Chain Attacks

The notorious cybercrime group known as FIN7 has diversified its initial access vectors to incorporate software supply chain compromise and the use of stolen credentials, new research has revealed.

“Data theft extortion or ransomware deployment following FIN7-attributed activity at multiple organizations, as well as technical overlaps, suggests that FIN7 actors have been associated with various ransomware operations over time,” incident response firm Mandiant said in a Monday analysis.

The cybercriminal group, since its emergence in the mid-2010s, has gained notoriety for large-scale malware campaigns targeting the point-of-sale (POS) systems aimed at a restaurant, gambling, and hospitality industries with credit card-stealing malware.

FIN7’s shift in monetization strategy towards ransomware follows an October 2021 report from Recorded Future’s Gemini Advisory unit, which found the adversary setting up a fake front company named Bastion Secure to recruit unwitting penetration testers in a lead up to a ransomware attack.

Then earlier this January, the U.S. Federal Bureau of Investigation (FBI) issued a Flash Alert warning organizations that the financially motivated gang was sending malicious USB drives (aka BadUSB) to U.S. business targets in the transportation, insurance, and defense industries to infect systems with malware, including ransomware.

Recent intrusions staged by the actor since 2020 have involved the deployment of a vast PowerShell backdoor framework called POWERPLANT, continuing the group’s penchant for using PowerShell-based malware for its offensive operations.

“There is no doubt about it, PowerShell is FIN7’s love language,” Mandiant researchers said.

In one of the attacks, FIN7 was observed compromising a website that sells digital products in order to tweak multiple download links to make them point to an Amazon S3 bucket hosting trojanized versions that contained Atera Agent, a legitimate remote management tool, which then delivered POWERPLANT to the victim’s system. Read more:

Leave a Reply

Your email address will not be published. Required fields are marked *