FIN7 Hackers Use Checkmarks to Exploit Microsoft Exchange Servers
The Auto-Attack Platform Automatically Scans for Vulnerabilities.
To compromise corporate networks, steal data, and pursue targets for ransomware attacks based on financial size, recent finds show the FIN7 hacking group is using an automated attack system that exploits Microsoft Exchange and SQL injection vulnerabilities.
The attack system was discovered by Prodaft’s threat intelligence team, which at this point has been closely following FIN7 operations for years.
In their report, Prodaft reveals details about FIN7’s internal structure, such as hierarchy, affiliations with various ransomware projects, and a new SSH backdoor system used for stealing files from compromised networks.
FIN7 in the Spotlight
FIN7 is a Russian-speaking, financially motivated threat actor, that has been active since at least ten years. In a previous post, we covered the links between FIN7 and the Black Basta ransomware gang. Then, researchers found signs that a developer for FIN7 also authored the EDR (Endpoint Detection and Response) evasion tools used exclusively by Black Basta. Further evidence linked the IP addresses and specific TTPs used by FIN7 in early 2022 which were seen months later in Black Basta attacks.
According to BleepingComputer, FIN7 have been associated with attacks against ATMs, hiding malware-carrying USB drives inside teddy bears and setting up fake cybersecurity firms to hire pentesters for ransomware attacks, among other things.
Auto-Attacking Microsoft Exchange
Checkmarks, the auto-attack system discovered by Prodaft is a scanner for multiple Microsoft Exchange remote code execution and privilege elevation vulnerabilities like CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.
Since June 2021, Checkmarks was used to automatically discover vulnerable endpoints inside organizations’ networks and exploit them to gain access by dropping web shells via PowerShell.
FIN7 gained access to networks by using various exploits, including their own custom code and publicly available PoCs.
In addition to the MS Exchange flaws, the Checkmarks platform also features a SQL injection module using SQLMap to scan for potentially exploitable flaws on a target’s website.
Checkmarks automatically performs post-exploitation steps, such as email extraction from Active Directory and Exchange server information gathering, after the initial attack stage.
A central panel where FIN7 operators can see additional details about compromised endpoints is automatically created for new victims.
The internal ‘marketing’ team of FIN7 reviews each new entry and adds comments on the Checkmarks platform to list victims’ current revenue, number of employees, domain, headquarters, and other information, so pentesters can determine if a ransomware attack is worth the effort and time.
If a firm is deemed to have a sufficient market size, the pentester leaves a comment for the admin on how the server connection can be used, how long the attack can last, and how far it can go.
Prodaft further claims that FIN7’s Checkmarks platform has already been used to infiltrate 8,147 companies, most of them based in the United States (16.7%), after scanning over 1.8 million targets.
Heat map of FIN7 victims.
Ransomware and SSH Backdoors
The researchers additionally found abundant evidence of communications with multiple ransomware gangs, including Darkside, REvil, and LockBit. According to the logs found by researchers, FIN7 likes to maintain a SSH backdoor on extorted ransomware victims’ networks even after ransoms are paid, either to sell access to other groups or to try a new attack themselves in the future.
Through reverse SSH connections (SFTP) through an Onion domain, FIN7 can steal files from breached devices using this SSH backdoor.
FIN7’s Checkmarks platform illustrates how threat actors are industrializing public exploits to carry out global attacks. The investigation also reveals that FIN7 targets everyone and evaluates their value in a second phase rather than specifically targeting valuable firms.
In their report, Prodaft provides indicators of compromise (IOCs) for the SSH-based backdoor and other malware. It is strongly recommended that all admins review the report to learn how FIN7 targets their networks.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.