
FIN7 Ransomware Gang Targeting Vulnerable Exchange Servers with Automated-Attack System

Written by Ravi Singh
Approved by Shaun Hardneck
Published on December 26th, 2022

Summary: FIN7, a notorious hacking group, is targeting Exchange Server and SQL injection vulnerabilities. Learn how the group uses an automated attack system called Checkmarks to infiltrate organizations’ networks and steal data, and how to check the Indicators of Compromise (IOCs) to verify whether FIN7 is targeting your networks.


Contents

  • About FIN7 Ransomware Group
  • How FIN7 Uses an Auto-Attack System to Target Exchange Servers
  • How to Protect your Exchange Organization?
  • To Wrap Up

FIN7, a hacking group, is using an automated attack system to breach corporate Exchange Servers, infiltrate networks, and steal data. They are targeting organizations based on their financial size. The hacking group is also found to be associated with a larger threat ecosystem consisting of DarkSide, LockBit, MAZE, and REvil ransomware families.

In this blog, you’ll learn about the FIN7 hacking group and how they are leveraging the Exchange Server and SQL injection vulnerabilities to breach networks.

About FIN7 Ransomware Group

FIN7 is a financially motivated hacking group known for setting up a fake company to hire IT specialists under the guise of penetration testing for its ransomware attacks, and for hacking point-of-sale registers.

PRODAFT’s Threat Intelligence (PTI) team has discovered the automated attack system, called Checkmarks, used by FIN7 to target vulnerable Exchange Servers.

Also known as Carbanak, the hacking group has more than 8147 victims across the world after scanning more than 1.8 million targets. Its largest share of targets is in the United States (16.7%), followed by countries such as the UK, China, Canada, Italy, and Germany.

The techniques used by the ransomware group have evolved over the years beyond their traditional social engineering, use of stolen credentials, and software supply chain compromise.  

As per PRODAFT report, “Nowadays, its initial approach is to carefully pick high-value companies from the pool of already compromised enterprise systems and force them to pay large ransoms to restore their data or seek unique ways to monetize the data and remote access.”

PRODAFT has also revealed additional details on FIN7’s affiliations with other ransomware projects, its internal hierarchy, and the new SSH backdoor system they are using for stealing data from already compromised networks. 

How FIN7 Uses an Auto-Attack System to Target Exchange Servers

PRODAFT has recently discovered an auto-attack system called Checkmarks. The FIN7 ransomware gang uses it as a scanner to find Exchange servers exposed to multiple remote code execution and privilege escalation vulnerabilities, such as ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207).

In June 2021, the ransomware gang used Checkmarks and various exploits, including publicly available PoCs and their custom code, to discover vulnerable Exchange Servers and gain access to the companies’ networks using web shells.

The Checkmarks platform also includes a SQL injection module, built on SQLMap, which the group uses to find exploitable flaws on target websites.

Once the initial attack is carried out, the attack platform performs automatic post-exploitation that includes steps such as extracting email addresses from Active Directory and gathering Exchange Server information.

The victims are automatically added to the Checkmarks central panel where the threat actors can check the additional details of the compromised network. The information is then scrutinized by FIN7’s team, which lists the victims based on the firm size, financial status, current revenue, number of employees, headquarters details, etc. The information is used to determine whether the firm is worth its time and effort for a ransomware attack.

[Figure] Details of the victims on Checkmarks (Source: PRODAFT)

FIN7 maintains an SSH backdoor even after the ransom is paid by the ransomware victims. They use these SSH backdoors to sell access to other threat groups or to use them for new attacks in the future.

How to Protect Your Exchange Organization

It is advised that you download and refer to PRODAFT’s report on FIN7 for the Indicators of Compromise (IOCs) and for details of how the financially motivated ransomware group is targeting networks like yours.

Also, keep your Exchange servers updated. Install the latest Exchange Server Cumulative Updates and Security patches released by Microsoft.
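The following PowerShell script is an added example, not code from the original post or from PRODAFT’s report. It turns the two recommendations above into a repeatable check: it inventories the build of every Exchange server in the organization so out-of-date Cumulative Updates stand out, lists recently created .aspx files under the front-end HttpProxy directories (the location where ProxyShell-style web shells were typically dropped), and searches the IIS logs for a list of indicators. It assumes it is run from the Exchange Management Shell on an on-premises Exchange server (so that Get-ExchangeServer and $env:ExchangeInstallPath are available), that IIS logs live in the default C:\inetpub\logs\LogFiles path, and that the IOC values in $iocs are placeholders you replace with the indicators published in the PRODAFT report.

```powershell
# Added example (not from the Stellar post or the PRODAFT report).
# Assumptions: run from the Exchange Management Shell on an Exchange server;
# $iocs holds PLACEHOLDER values to be replaced with the report's indicators.

$lookbackDays = 30
$cutoff       = (Get-Date).AddDays(-$lookbackDays)

# 1. Inventory every Exchange server and its build so servers that are missing
#    the latest Cumulative Update or Security Update are easy to spot.
Write-Output "== Exchange server builds =="
Get-ExchangeServer |
    Select-Object Name, ServerRole, AdminDisplayVersion |
    Format-Table -AutoSize

# 2. Look for .aspx files created recently under the front-end HttpProxy
#    virtual directories. Legitimate Exchange pages there are installed with
#    the product; anything new and unexpected deserves a closer look.
$httpProxyRoot = Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy'
$recentAspx = Get-ChildItem -Path $httpProxyRoot -Filter '*.aspx' -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt $cutoff } |
    Select-Object FullName, CreationTime, LastWriteTime, Length

Write-Output "== .aspx files created under $httpProxyRoot in the last $lookbackDays days =="
if ($recentAspx) {
    Write-Warning "Found $(@($recentAspx).Count) recently created .aspx file(s); review each one."
    $recentAspx | Format-Table -AutoSize
} else {
    Write-Output "None found."
}

# 3. Search recent IIS logs for known indicators. The values below are
#    PLACEHOLDERS (203.0.113.10 is a documentation-only address); replace them
#    with the IOCs from the PRODAFT report before relying on this check.
$iocs = @(
    '203.0.113.10',                  # PLACEHOLDER: attacker IP from the report
    'PLACEHOLDER-WEBSHELL-NAME.aspx' # PLACEHOLDER: web shell file name from the report
)
$iisLogRoot = 'C:\inetpub\logs\LogFiles'
$hits = Get-ChildItem -Path $iisLogRoot -Filter '*.log' -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $cutoff } |
    Select-String -Pattern $iocs -SimpleMatch

Write-Output "== IOC matches in IIS logs newer than $lookbackDays days =="
if ($hits) {
    Write-Warning "Found $(@($hits).Count) matching log line(s)."
    $hits | Select-Object Filename, LineNumber, Line | Format-Table -AutoSize -Wrap
} else {
    Write-Output "No matches for the configured indicators."
}
```

Run the script on each Exchange server rather than once per organization: the build inventory in step 1 is organization-wide, but the file and log checks in steps 2 and 3 only see the local server. Treat any hit as a reason to isolate the server and begin incident response, not as proof of compromise on its own.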

Refer to our previous blog to stay updated on the new Microsoft Exchange remote code execution vulnerabilities, flaws, and fixes.

To Wrap Up

FIN7 is a highly active, notorious cybercrime gang known for deploying backdoors in software supply chains, cooperating with other threat actors, and distributing malicious USB sticks. The group is continuously broadening its horizons for cybercrime and has recently added ransomware and an SSH backdoor to its arsenal. This blog discussed how the FIN7 ransomware gang uses an auto-attack platform, Checkmarks, to target and infiltrate companies’ networks based on their size, financial status, revenue, etc. Their victims are mostly located in the US and other prominent countries. If you find or suspect that your Exchange Server is compromised, consider isolating the Exchange Server from the network and setting up a new server. Use an Exchange recovery tool, such as Stellar Repair for Exchange, to recover and restore user mailboxes from the compromised or failed Exchange Server or corrupt database to the new live Exchange Server.

About The Author

Ravi Singh

Ravi Singh is a Senior Writer at Stellar®. He is an expert Tech Explainer, IoT enthusiast, and a passionate nerd with over 7 years of experience in technical writing. He writes about Microsoft Exchange, Microsoft 365, Email Migration, Linux, Windows, Mac, DIY Tech, and Smart Home. Ravi spends most of his weekends working with IoT (DIY Smart Home) devices and playing Overwatch. He is also a solo traveler who loves hiking and exploring new trails.
