The notorious FIN7 hacking group uses an automated attack system that exploits Microsoft Exchange and SQL injection vulnerabilities to breach corporate networks, steal data, and select targets for ransomware attacks based on financial size.
This system was discovered by Prodaft’s threat intelligence team, which has been closely following FIN7 operations for years now.
In a report shared with BleepingComputer before publication, Prodaft reveals details about FIN7’s internal hierarchy, affiliations with various ransomware projects, and a new SSH backdoor system used for stealing files from compromised networks.
FIN7 is a Russian-speaking and financially motivated threat actor active since at least 2012.
The auto-attack system discovered by Prodaft is called ‘Checkmarks,’ and it’s a scanner for multiple Microsoft Exchange remote code execution and privilege elevation vulnerabilities like CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.
Starting in June 2021, FIN7 used Checkmarks to automatically discover vulnerable endpoints inside companies’ networks and exploit them to gain access by dropping web shells via PowerShell.
FIN7 used various exploits to gain access to the target networks, including their own custom code and publicly available PoCs.
In addition to the MS Exchange flaws, the Checkmarks attack platform also features a SQL injection module using SQLMap to scan for potentially exploitable flaws on a target’s website.
After the initial attack stage, Checkmarks automatically performs post-exploitation steps, such as email extraction from Active Directory and Exchange server information gathering.
New victims are automatically added to a central panel where FIN7 operators can see additional details about the compromised endpoint.
Next, FIN7’s internal ‘marketing’ team scrutinizes new entries and adds comments on the Checkmarks platform to list victims’ current revenue, number of employees, domain, headquarters details, and other information that helps pentesters determine if the firm is worth the time and effort of a ransomware attack.
“If a firm is deemed to have a sufficient market size, the pentester leaves a comment for the admin on how the server connection can be used, how long the attack can last, and how far it can go,” explains the Prodaft report shared with BleepingComputer.
The due diligence that goes into evaluating a firm’s size and financial status is notable, with FIN7’s marketing team collecting information from diverse sources, including Owler, Crunchbase, DNB, Zoominfo, Mustat, and Similarweb.
Prodaft says FIN7’s Checkmarks platform has already been used to infiltrate 8,147 companies, primarily based in the United States (16.7%), after scanning over 1.8 million targets.
Prodaft’s investigations discovered further evidence of the DarkSide connection after they found what appeared to be ransom notes and encrypted files from the ransomware operation.
Moreover, the researchers found abundant evidence of communications with multiple ransomware gangs, including Darkside, REvil, and LockBit, from retrieved Jabber logs.
One notable detail from these logs is that FIN7 likes to maintain a SSH backdoor on extorted ransomware victims’ networks even after ransoms are paid, either to sell access to other groups or to try a new attack themselves in the future.
This SSH backdoor is a recent addition to FIN7’s arsenal, allowing them to steal files from breached devices using reverse SSH connections (SFTP) through an Onion domain.
FIN7’s Checkmarks platform illustrates how threat actors are industrializing public exploits to perform wide-scale attacks with a global impact.
Furthermore, the investigation shows that instead of specifically targeting valuable firms, FIN7 targets everyone and evaluates how valuable they are in a second phase.
Prodaft has provided indicators of compromise (IOCs) in their report for the SSH-based backdoor and other malware used in their attacks. It is strongly recommended that all admins review the report to learn how FIN7 targets their networks.