A report from Mandiant details the resurfacing of the FIN7 hacking group and the collective’s use of new hacking tools along with an expanding roster of attackers. The group, also known as Carbanak, has allegedly been tying together several uncategorized (UNC) hacking teams under the FIN7 umbrella and has been linked to ransomware implementers such as REvil, Darkside, Blackmatter and ALPHV.
These revelations have also pointed towards a broadening of the FIN7 group’s approach and targets for hacking as well. Whereas in the past the organization had aimed at businesses in the retail and hospitality sectors, the group has seen “notable shifts in activity, including their use of novel malware, incorporation of new initial access vectors, and likely shift in monetization strategies.”
How are FIN7’s methods changing?
FIN7, much like the other hacking groups it is now associated with, has begun leveraging a new backdoor called Powerplant and a downloader called Birdwatch for accessing systems. The group then leverages password reuse for software supply chain attacks, one of FIN7’s new areas to target. In addition, the group is believed to have engaged in data theft and ransomware deployment itself, which points to its links with more well-known hacking collectives.
“Initial access vectors are becoming more varied and devious and it’s unlikely that any organization can go without falling victim indefinitely,” said Chris Clements, VP of solutions architecture at Cerberus Sentinel. “The question organizations need to ask themselves is ‘what’s next’ in their defense. For far too many organizations the answer begins and ends with endpoint protection like antivirus or [endpoint detection and response]. That brings us to the second key point from the research, namely that threat actors are becoming incredibly sophisticated with implants and malware that bypass many if not all endpoint detection solutions. Understand these two key points and it’s no longer a mystery why just so many institutions fall victim to ransomware and other cyberattacks.”
Mandiant estimates that up to 17 UNCs may be associated with FIN7 to varying degrees, making the group harder to track due to its numerous members and differing methods of hacking, from ransomware to malware and backdoors.
Ways to avoid falling victim to a cyberattack
“With over 8.4 million passwords in the wild and over 3.5 billion of those passwords tied to actual email addresses, it provides a starting point and easy attack vector for cybercriminals to target various organizations, especially those heavily utilized in a supply chain process,” said James McQuiggan, Security Awareness Advocate at KnowBe4. “Organizations need to protect their users and remote accounts by requiring multi-factor (MFA) authentication from an authenticator app or a hardware token. This action will significantly reduce the risk of unauthorized access via a reused password that could lead to a data breach or ransomware attack.”
As McQuiggan notes, one way for organizations to avoid falling victim is to require MFA so that passwords are not the only thing protecting an account. Additional steps users can take include following best practices for storing sensitive information, such as using a password manager. Using a different password for each system can also prove useful, so that multiple systems cannot be compromised if one set of login credentials is exposed. Lastly, always operating with a healthy dose of skepticism can be effective when receiving emails or notifications from unverified sources.