FIN7 Ransomware Gang Targeting Vulnerable Exchange Servers with Automated-Attack System
Summary: FIN7, a notorious hacking group, is targeting Exchange Server and SQL injection vulnerabilities. Learn how it uses an automated attack system called Checkmarks to infiltrate organizations’ networks and steal data, and how to check the Indicators of Compromise (IOCs) to verify whether FIN7 is targeting your networks.
FIN7 is using an automated attack system to breach corporate Exchange Servers, infiltrate networks, and steal data, selecting targets based on their financial size. The group has also been linked to a larger threat ecosystem that includes the DarkSide, LockBit, MAZE, and REvil ransomware families.
In this blog, you’ll learn about the FIN7 hacking group and how they are leveraging the Exchange Server and SQL injection vulnerabilities to breach networks.
About FIN7 Ransomware Group
FIN7 is a financially motivated hacking group known for setting up a fake company to hire IT specialists under the guise of penetration-testing work for its ransomware attacks, and for hacking point-of-sale registers.
PRODAFT’s Threat Intelligence (PTI) team has discovered the automated attack system, called Checkmarks, used by FIN7 to target vulnerable Exchange Servers.
Also known as Carbanak, the group has claimed more than 8,147 victims across the world after scanning more than 1.8 million targets. The majority of its targets are located in the United States (16.7%), with the remainder spread across other countries, such as the UK, China, Canada, Italy, and Germany.
Over the years, the group’s techniques have evolved beyond its traditional social engineering, use of stolen credentials, and software supply chain compromise.
As per PRODAFT’s report, “Nowadays, its initial approach is to carefully pick high-value companies from the pool of already compromised enterprise systems and force them to pay large ransoms to restore their data or seek unique ways to monetize the data and remote access.”
PRODAFT has also revealed additional details on FIN7’s affiliations with other ransomware projects, its internal hierarchy, and the new SSH backdoor system it uses to steal data from already compromised networks.
How Is FIN7 Using an Auto-Attack System to Target Exchange Servers?
PRODAFT has recently discovered an auto-attack system called Checkmarks. The FIN7 ransomware gang uses it to scan for multiple Exchange remote code execution and privilege escalation vulnerabilities, such as ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207).
In June 2021, the ransomware gang used Checkmarks and various exploits, including publicly available PoCs and their custom code, to discover vulnerable Exchange Servers and gain access to the companies’ networks using web shells.
Checkmarks also includes a SQL injection module, built on SQLMap, which the group uses to find exploitable flaws on a target’s website.
Once the initial attack succeeds, the platform performs automated post-exploitation steps, such as email extraction from Active Directory and Exchange Server information gathering.
Victims are automatically added to the Checkmarks central panel, where the threat actors can review additional details of the compromised network. FIN7’s team then scrutinizes this information and ranks the victims by firm size, financial status, current revenue, number of employees, headquarters details, etc., to decide whether the firm is worth the time and effort of a ransomware attack.
FIN7 maintains an SSH backdoor even after a victim pays the ransom. The group uses these SSH backdoors to sell access to other threat groups or to launch new attacks in the future.
How to Protect Your Exchange Organization
Download and refer to PRODAFT’s report on FIN7 for the Indicators of Compromise (IOCs) and details of how this financially motivated ransomware group targets networks.
Also, keep your Exchange servers updated. Install the latest Exchange Server Cumulative Updates and Security patches released by Microsoft.
Refer to our previous blog to stay updated on the new Microsoft Exchange remote code execution vulnerabilities, flaws, and fixes.
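One practical IOC check for the ProxyShell CVEs named above is to hunt the Exchange server’s IIS logs for the published exploitation patterns (Autodiscover requests carrying an “@” in the query string, and PowerShell backend requests carrying an X-Rps-CAT token). The following is an added example (not code from the blog or from PRODAFT’s report): the log lines are constructed, the field order is assumed from a typical W3C `#Fields:` header, and the domain and token values are placeholders.

```python
from urllib.parse import unquote

# Assumed W3C field order (constructed; real logs declare it in a "#Fields:" header):
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query",
          "s_port", "username", "c_ip", "user_agent", "status"]


def parse_iis_line(line):
    """Split one W3C log line into a dict; skip comment, blank and short lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def proxyshell_indicators(rec):
    """Return the published ProxyShell hunting patterns this request matches."""
    hits = []
    stem = rec["uri_stem"].lower()
    query = unquote(rec["uri_query"]).lower()  # decode %3F etc. before matching
    # CVE-2021-34473 path confusion: Autodiscover request with an '@' in the query.
    if stem.endswith("/autodiscover/autodiscover.json") and "@" in query:
        hits.append("autodiscover-path-confusion")
    # CVE-2021-34523: PowerShell backend reached with an X-Rps-CAT token in the query.
    if ("/powershell" in stem or "/powershell" in query) and "x-rps-cat=" in query:
        hits.append("powershell-rps-cat")
    return hits


def scan_log(lines):
    """Return (client_ip, uri_stem, indicators) for every suspicious request."""
    findings = []
    for line in lines:
        rec = parse_iis_line(line)
        if rec and (ind := proxyshell_indicators(rec)):
            findings.append((rec["c_ip"], rec["uri_stem"], ind))
    return findings


# Constructed sample log: one benign OWA request and two ProxyShell-style probes.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-06-03 10:12:01 10.0.0.5 GET /owa/ - 443 - 203.0.113.10 Mozilla/5.0 200
2021-06-03 10:12:07 10.0.0.5 GET /autodiscover/autodiscover.json @placeholder.example/ews/exchange.asmx 443 - 198.51.100.7 python-requests/2.25 200
2021-06-03 10:12:09 10.0.0.5 POST /autodiscover/autodiscover.json Email=autodiscover/autodiscover.json%3F@placeholder.example/powershell&X-Rps-CAT=PLACEHOLDER_TOKEN 443 - 198.51.100.7 python-requests/2.25 200
""".splitlines()

if __name__ == "__main__":
    for ip, stem, ind in scan_log(SAMPLE_LOG):
        print(ip, stem, ind)
```

A hit on these patterns is a reason to review the Autodiscover and ECP virtual directories for recently written .aspx files and to pull the full request history for that client address.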
To Wrap Up
FIN7 is a highly active and notorious cybercrime gang known for deploying backdoors in software supply chains, cooperating with other threat actors, and distributing malicious USB sticks. The group keeps broadening its cybercrime operations and has recently added ransomware and an SSH backdoor to its arsenal. This blog discussed how the FIN7 ransomware gang uses the Checkmarks auto-attack platform to target and infiltrate companies’ networks and then rank the victims by size, financial status, revenue, etc. Its victims are mostly located in the US and other prominent countries. If you find or suspect that your Exchange Server is compromised, consider isolating it from the network and setting up a new server. Use an Exchange recovery tool, such as Stellar Repair for Exchange, to recover and restore user mailboxes from the compromised or failed Exchange Server or corrupt database to the new live Exchange Server.