Notorious Fin7 Group Shifts to Ransomware


Resurfacing in the world of cybercrime, the notorious FIN7 group has drawn attention by shifting tactics. Previously focused on stealing payment card data, the group has switched to deploying ransomware, a strategy built on extortion. A constant presence in the cybercrime arena since 2012, FIN7 has opened a new chapter of attacks by deploying Cl0p ransomware.

Their tactics may have changed, but their motive remains the same: financial gain. Their targets are exclusively businesses and organizations.

The Cl0p ransomware first steals the victim’s files and then encrypts them, rendering them inaccessible. The attackers demand a ransom in exchange for the decryption key needed to regain access to the files.

Some victims who did not pay have had their stolen data published on the CL0P^_- LEAKS data leak site on the dark web.

Tracked under the label ‘Sangria Tempest’ by Microsoft’s Threat Intelligence team, FIN7 has been targeting a broad spectrum of organizations. These span technology, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities.

In the latest series of attacks, FIN7 has used the POWERTRASH PowerShell script to load the Lizar post-exploitation tool and establish a foothold in target networks. It then uses OpenSSH and Impacket to move laterally before deploying the Cl0p ransomware.

FIN7’s recent activity marks an escalation toward more destructive, extortion-driven attacks.

Acreto Solution

Acreto offers a comprehensive approach to addressing the threats posed by ransomware groups like FIN7.

  • Micro-Segmentation and Nano-Segmentation These processes isolate individual systems or groups of systems on a shared network, limiting access to the systems that need to interoperate. This directly counters the lateral movement tactics used by FIN7: systems that are not authorized to talk to each other cannot, which limits the potential spread of ransomware.

  • Isolated Data Flows Isolated data flows limit access to specified sources and destinations, network protocols, and application programs. This mechanism prevents threat actors from communicating with their command and control servers, a necessary step in most ransomware attacks.

  • Encrypted Secure Scan The Encrypted Secure Scan decrypts, scans, and re-encrypts communications in real time, inspecting the encrypted channels attackers rely on to deliver payloads and hide command-and-control traffic. This function can detect and block the transmission of ransomware before it infiltrates the system.

  • Identity with MFA (Multi-Factor Authentication) This security measure ensures only authorized users can gain access, reducing the likelihood of unauthorized access through stolen credentials – a common initial step in ransomware attacks.

  • Application Protocol and Application Program Control These controls can restrict the use of certain software or tools within the network, such as those used by threat actors to deploy ransomware.

  • Threat Prevention Mechanisms Threat Signature and Zero-Day Behavioral Analysis, both integral to Acreto’s platform, help detect and mitigate known threats, as well as identify new or unknown threats based on behavioral indications. This would include detecting ransomware based on its behavior and blocking it before it can execute.

Acreto ensures that systems interact only with what they need to and that malicious agents can’t easily propagate through the network. This, combined with real-time encrypted scanning and robust threat detection, offers a comprehensive solution against ransomware attacks.

Contact Acreto today for more information or to evaluate Ecosystem security for your organization.

Ecosystem Security Isolation

Ecosystems deliver a dedicated security infrastructure that can be deployed per application, use-case, project or third-party. An Ecosystem inherently limits access only to users, devices, systems and applications that need to interoperate together.

Ecosystems support any technology, on any network, anywhere in the world. These include computers, mobile devices, IoTs, Offices, Clouds, SaaS and Data Centers.

Ecosystems can be configured as:

Open → With inbound or outbound access from or to the Internet or a third-party

Closed → Fully contained with access limited to Ecosystem members

Hybrid → Where some systems have inbound or outbound Internet access while others operate fully contained.

Eliminate the Internet Attack Surface

Eliminates all access from the Internet while Ecosystem members continue to interoperate with authorized systems and applications.

Eliminate the Internal Attack Surface

Ecosystems can easily isolate individual or groups of systems on a shared network or entire networks, to limit access only to systems that need to interoperate together. This is done with

  • Micro-Segmentation Segmenting groups of systems on any shared network, including hostile networks or the entire network.

  • Nano-Segmentation Isolating an individual system, device or application to limit access only to other authorized Ecosystem members.

Isolated Data Flows

Isolated data flows can be defined between two Ecosystem members to limit access to specified sources and destinations, network protocols and ports, application protocols as well as application programs.
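The following is an added example, written by the editor and not Acreto’s engine or policy format, of the default-deny model that the Micro-/Nano-Segmentation bullets and the Isolated Data Flows section describe. A rule names a source and destination selector (a single host is a nano-segment, a named group a micro-segment), the network protocol and port, the application protocol and, optionally, the application program. A flow that matches no rule is denied, which is what stops the SMB/SSH lateral movement in the FIN7 chain even when the attacker already holds valid credentials. The segments, host names and rules are constructed for illustration.

```python
"""Default-deny flow policy with micro- (group) and nano- (single host) segments.

Added example, not Acreto code. Segments, hosts and rules are constructed."""
from dataclasses import dataclass

# Constructed segments: named groups (micro-segments); a bare host name is a nano-segment.
SEGMENTS = {
    "workstations": {"WS-14", "WS-15"},
    "app-servers": {"APP-01"},
    "db-servers": {"DB-01"},
    "jump-hosts": {"JUMP-01"},
}


@dataclass(frozen=True)
class Flow:
    src: str        # source host (or identity) as seen by the enforcement point
    dst: str
    proto: str      # tcp / udp / icmp
    port: int
    app_proto: str  # what the payload actually is: https, tds, ssh, smb, ...
    app: str = ""   # application program label, if the scanner identified one


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # host name (nano) or segment name (micro)
    dst: str
    proto: str
    port: int
    app_proto: str
    app: str = "*"  # "*" = any program over that application protocol


def in_segment(host, selector):
    """True if the selector names this host directly or a group that contains it."""
    return host == selector or host in SEGMENTS.get(selector, ())


# Constructed allow-list; everything not listed here is denied.
POLICY = [
    Rule("ws-to-portal", "workstations", "app-servers", "tcp", 443, "https", "orders-portal"),
    Rule("portal-to-db", "app-servers", "db-servers", "tcp", 1433, "tds", "mssql"),
    Rule("jump-ssh", "jump-hosts", "db-servers", "tcp", 22, "ssh"),
]


def evaluate(flow, policy=POLICY):
    """Return ("allow", rule_name) for the first matching rule, else ("deny", "default-deny")."""
    for r in policy:
        if (in_segment(flow.src, r.src) and in_segment(flow.dst, r.dst)
                and r.proto == flow.proto and r.port == flow.port
                and r.app_proto == flow.app_proto
                and r.app in ("*", flow.app)):
            return ("allow", r.name)
    return ("deny", "default-deny")


# Flows from the FIN7 chain versus the application's legitimate traffic (constructed).
LATERAL = [
    Flow("WS-14", "DB-01", "tcp", 445, "smb"),       # Impacket psexec/smbexec style
    Flow("WS-14", "DB-01", "tcp", 135, "dcerpc"),    # Impacket wmiexec style
    Flow("WS-14", "DB-01", "tcp", 22, "ssh"),        # OpenSSH from a workstation
    Flow("WS-14", "APP-01", "tcp", 443, "ssh"),      # SSH tunnelled over the web port
]
LEGITIMATE = [
    Flow("WS-14", "APP-01", "tcp", 443, "https", "orders-portal"),
    Flow("APP-01", "DB-01", "tcp", 1433, "tds", "mssql"),
    Flow("JUMP-01", "DB-01", "tcp", 22, "ssh"),
]

if __name__ == "__main__":
    for f in LATERAL + LEGITIMATE:
        print(f"{f.src:8}-> {f.dst:8} {f.proto}/{f.port:<5} {f.app_proto:7} {evaluate(f)}")
```

The fourth lateral flow is the one to notice: it uses the same port as the allowed HTTPS rule, but because the rule also pins the application protocol, SSH tunnelled over 443 is still denied.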

Encrypted Secure Scan

Secure Scan addresses a key weakness in many security tools today. More than 90% of all communications are encrypted, yet only 10% of organizations have the means to inspect them. Encrypted Secure Scan decrypts, scans, and re-encrypts communications inline and in real time.

Any malicious content embedded in the encrypted payload is blocked, otherwise the clean and validated communication is delivered to its final destination.

Controls

Access Control

Identity with MFA

  • User Authorizes access to the Ecosystem by a user’s identity, including MFA, as authenticated by the organization’s directory services such as Active Directory or LDAP, or by third-party identity providers such as Okta, Ping, Duo, and CloudJump, among others.

  • Device Assigns a unique identity to each device so that a device which does not rely on a user to operate, such as an autonomous application or an IoT device, can be validated before it is allowed to join the Ecosystem.

Network Protocol / Port

Control the network protocol (TCP, UDP, ICMP) and Port (1-65535) any Ecosystem member can use to communicate with any other Ecosystem member or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.

Application Protocol

Control the application protocol (HTTP, DNS, SMTP, SMB, etc…) any Ecosystem member can use to communicate with any other Ecosystem members or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.

Application Program

Control the application program (MS-Exchange, Oracle, Facebook, GMail, etc…) any Ecosystem member can use to communicate with any other Ecosystem members or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.

Content

Content Category

Control communication based on content categories such as Adult, Gambling, Politics, Malware sites among 90+ category options.

File Type Upload / Download Controls

Control upload / download of files by type, such as .EXE, PDF, XLS, DOC, SCR, and MSI, among hundreds of options.

Data Leak Prevention

Prevent data leaks by identifying and mitigating the upload or download of sensitive data such as:

  • Credit Cards Upload / Download Controls

  • Social Security Number Upload / Download Controls

  • RegEx Pattern Upload / Download Controls

Threat Prevention

After verification of network protocol, port, application protocol and application program, a deep inspection is performed on all communications. The effectiveness of this method is amplified by inline Encrypted Secure Scan. Threat prevention capabilities utilize two key methods:

Threat Signature

Identifies and mitigates known bad exploits, malware, botnets and ransomware.

Zero-Day Behavioral Analysis

Looks for behavioral indication of threats based on how system functions react to the payload, immediately and over time.

Simplicity

Acreto Ecosystems are very easy to provision and deploy. There are no hardware dependencies or associated logistics.

Provisioning an Ecosystem takes 3-5 minutes. Simply give the Ecosystem a unique name and choose the desired bandwidth; within a few minutes your Ecosystem, a dedicated security infrastructure, is ready.

Depending on your connection options for Ecosystem members, deployment can take between 10 minutes to a few hours.

Sustainability

Acreto Ecosystems utilize a sustainable model without any dependency on products and their associated logistics. There are no customer-managed updates, upgrades or technology refreshes.

Change Management

Different Ecosystems operate completely independently from one another. Therefore, change management impacts only members of a specified Ecosystem, not the entire organization. This simplifies the traditionally complex change management process.

Policy Management

Policy management also benefits from Ecosystems. Because an Ecosystem is specific to a customer scenario such as an application, use-case, project or third-party, all of its policies apply to that scenario. Moreover, when it’s time for policy cleanup because an application or use-case has been retired, disabling or deleting the Ecosystem automatically prunes its policies. Traditionally this has been a complex task, and at best an inaccurate one.

Mechanism of Attack

  • Utilization of Cl0p Ransomware Cl0p (aka Clop) is the ransomware used by the FIN7 group in these attacks. It steals and then encrypts files on a computer system, rendering them inaccessible until a ransom is paid.

  • Use of the PowerShell Script POWERTRASH POWERTRASH is a PowerShell script used by the group to load the Lizar post-exploitation tool. This allows the group to get a foothold into the target network.

  • Loading of Lizar Post-Exploitation Tool After the POWERTRASH script runs, the Lizar post-exploitation tool is loaded. This tool gives the group broader control over the compromised system.

  • Lateral Movement with OpenSSH and Impacket Once inside the network, the group uses OpenSSH and Impacket to move laterally, spreading their reach within the network to access other systems or segments.

  • Deployment of Cl0p Ransomware Once the desired systems are accessed, the group deploys Cl0p ransomware. This encrypts the data on the systems, making it inaccessible until a ransom is paid.

  • Use of Various Ransomware Families Aside from Cl0p, FIN7 has been linked to other ransomware families such as Black Basta, DarkSide, REvil, LockBit, Maze, and Ryuk.

  • Exploitation of Software Vulnerabilities The group has also been reported to exploit software vulnerabilities to gain initial access to systems. One example is the high-severity flaw in Veeam Backup & Replication (CVE-2023-27532), which the group has been reported to exploit.

  • Pivot from Data Theft to Extortion Historically known for stealing payment card data, FIN7 has shifted its strategy towards extortion, specifically via ransomware attacks.

  • Creation of Fake Security Companies As part of their tactics, the group has set up fake security companies, such as Combi Security and Bastion Secure, to recruit employees to conduct ransomware attacks and other operations.
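The chain above (and the shorter summary of it earlier on the page) leaves artefacts on endpoints that a defender can look for. The block below is an added example by the editor, not Acreto’s detection logic and not FIN7 tooling: it runs three heuristics over a constructed set of Windows process-creation (Sysmon event 1) and service-install (System event 7045) records. It flags PowerShell started with hidden-window, no-profile and encoded-command switches (the usual wrapper around in-memory loaders such as POWERTRASH); the command-line shape that Impacket’s wmiexec.py produces on the target, and the four-letter service name with an eight-letter binary that Impacket’s psexec.py installs; and an OpenSSH server (sshd.exe) installed as a service on a host not expected to run one. The host names, the `SSH_EXPECTED_HOSTS` allow-list and the sample events are all assumptions made for the example, and the encoded command is a harmless placeholder generated in the block.

```python
r"""Endpoint heuristics for the POWERTRASH -> Lizar -> OpenSSH/Impacket chain.

Added example, not Acreto code and not FIN7 tooling. Sample events are constructed.
The wmiexec pattern looked for is:  cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1
"""
import base64
import re
from dataclasses import dataclass

# Assumed allow-list of hosts that legitimately run an SSH server.
SSH_EXPECTED_HOSTS = {"JUMP-01"}

PS_ENCODED = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")
PS_STEALTH = re.compile(
    r"(?i)(?:^|\s)-(?:w|win|windowstyle)\s+hidden"
    r"|(?:^|\s)-(?:nop|noprofile)\b"
    r"|(?:^|\s)-(?:ep|ex|exec|executionpolicy)\s+bypass")
WMIEXEC = re.compile(
    r"(?i)cmd\.exe\s+/Q\s+/c\s+.+?\s+1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+(?:\.\d+)?\s+2>&1")
PSEXEC_SVC_NAME = re.compile(r"^[A-Za-z]{4}$")                   # psexec.py: 4 random letters
PSEXEC_SVC_PATH = re.compile(r"(?i)^%systemroot%\\[A-Za-z]{8}\.exe$")  # psexec.py: 8-letter binary


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    evidence: str


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events, ssh_expected=SSH_EXPECTED_HOSTS):
    """Return findings in event order; an empty list means nothing matched."""
    findings = []
    for ev in events:
        host = ev["host"]
        if ev["event_id"] == 1:                       # process creation
            cmd = ev["cmdline"]
            if (_basename(ev["image"]) in ("powershell.exe", "pwsh.exe")
                    and PS_ENCODED.search(cmd) and PS_STEALTH.search(cmd)):
                findings.append(Finding(host, "powershell_encoded_hidden", cmd[:60]))
            if WMIEXEC.search(cmd):
                findings.append(Finding(host, "impacket_wmiexec", cmd))
        elif ev["event_id"] == 7045:                  # service installed
            name, path = ev["service"]["name"], ev["service"]["path"]
            if PSEXEC_SVC_NAME.match(name) and PSEXEC_SVC_PATH.match(path):
                findings.append(Finding(host, "impacket_psexec_service", f"{name} -> {path}"))
            if _basename(path) == "sshd.exe" and host not in ssh_expected:
                findings.append(Finding(host, "unexpected_sshd_service", f"{name} -> {path}"))
    return findings


# Constructed sample telemetry (not real logs). The encoded command is a harmless
# placeholder built here so the sample stays self-contained.
_ENC = base64.b64encode("Write-Host hi".encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"host": "WS-14", "event_id": 1, "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},            # benign admin script
    {"host": "WS-14", "event_id": 1, "image": PS, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": f"powershell.exe -nop -w hidden -ep bypass -enc {_ENC}"},    # loader wrapper
    {"host": "FS-02", "event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1684155692.4821 2>&1"},
    {"host": "DB-01", "event_id": 7045, "service": {"name": "QxYw", "path": r"%systemroot%\hJkLmNpQ.exe"}},
    {"host": "DB-01", "event_id": 7045, "service": {"name": "sshd", "path": r"C:\Program Files\OpenSSH\sshd.exe"}},
    {"host": "JUMP-01", "event_id": 7045, "service": {"name": "sshd", "path": r"C:\Program Files\OpenSSH\sshd.exe"}},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.host:8} {f.rule:28} {f.evidence}")
```

These are heuristics, not signatures: the PowerShell rule will also fire on some legitimate deployment tooling, so in practice it is scored together with the parent process (cmd.exe or an Office application rather than a management agent), and the sshd rule depends entirely on the allow-list being kept accurate.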

About Acreto

Acreto delivers full-stack cybersecurity without products, logistics or significant security expertise. It creates and consolidates the best of cybersecurity into a single plug-and-play platform with automated updates to stay ahead of threats. Acreto activates enterprise-grade security instantly, so organizations can run safely, easily, and without interruption.

About The Author: Acreto Threat Labs

Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.