FIN7 Targets American Automaker's IT Staff In Phishing Attacks

Researchers at BlackBerry have disclosed details of a spear-phishing campaign identified in late 2023 that targeted a large automotive manufacturer based in the United States. The campaign has been attributed to the financially motivated threat actor FIN7 and began with spear-phishing emails aimed at highly privileged employees in the IT department of the unnamed U.S.-based manufacturer. These emails contained links to a malicious URL (advanced-ip-sccanner[.]com) masquerading as the legitimate website for Advanced IP Scanner, a free network scanning tool. The fake site redirected victims to another domain, myipscanner[.]com (currently offline), which in turn redirected to an attacker-owned Dropbox location to initiate the download of a malicious executable called WsTaskLoad[.]exe onto the targeted system. Once executed, researchers note that this file initiates a multi-stage infection chain involving a DLL, WAV files, and shellcode execution to run the final payload, which in this case is the Anunak/Carbanak backdoor.
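The redirect chain above suggests a simple detection: a visit to a look-alike of the Advanced IP Scanner domain followed by an executable download from a file-sharing host by the same user. The following is an added example (not BlackBerry's code or the advisory's own tooling) that runs that logic over constructed proxy-log lines; the log format, the legitimate-domain list and the file-share host list are assumptions, while the domain names come from the advisory.

```python
# Added example, not from the BlackBerry report: flag proxy-log visits to look-alike domains
# of the legitimate Advanced IP Scanner site, then an .exe download from a file-sharing host
# by the same user. Domains are those named in the advisory; log format is an assumption.
from urllib.parse import urlparse

LEGIT_DOMAINS = {"advanced-ip-scanner.com"}                 # assumed legitimate tool site
FILE_SHARE_HOSTS = {"dropbox.com", "www.dropbox.com", "dl.dropboxusercontent.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a doubled letter (sccanner) is distance 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(host: str, max_dist: int = 2) -> bool:
    """True if host is close to, but not exactly, a domain we care about."""
    host = host.lower().removeprefix("www.")
    return any(host != d and edit_distance(host, d) <= max_dist for d in LEGIT_DOMAINS)

def analyze(log_lines):
    """Lines are '<timestamp> <user> <url>' (constructed format). Returns (user, reason, url)."""
    findings, tainted_users = [], set()
    for line in log_lines:
        _ts, user, url = line.split(maxsplit=2)
        host = (urlparse(url).hostname or "").lower()
        if is_lookalike(host):
            tainted_users.add(user)
            findings.append((user, "lookalike domain", url))
        elif user in tainted_users and host in FILE_SHARE_HOSTS and url.lower().endswith(".exe"):
            findings.append((user, "exe from file share after lookalike visit", url))
    return findings

# Constructed sample proxy lines (not real traffic); domains come from the advisory.
SAMPLE_LOG = [
    "2023-11-01T09:00:00Z alice https://advanced-ip-scanner.com/download/",
    "2023-11-01T09:05:00Z bob https://advanced-ip-sccanner.com/",
    "2023-11-01T09:05:02Z bob https://myipscanner.com/",
    "2023-11-01T09:05:05Z bob https://www.dropbox.com/s/placeholder/WsTaskLoad.exe",
]

if __name__ == "__main__":
    for user, reason, url in analyze(SAMPLE_LOG):
        print(f"{user}: {reason}: {url}")
```

Only the user who visited the typosquatted domain is flagged; the exact legitimate domain and the unrelated myipscanner[.]com hop are not matched by the distance check, so the second finding depends on the earlier look-alike visit.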

Security Officer Comments:
FIN7 has been active since 2013 and is known for targeting a wide range of sectors, including Casinos and Gambling, Construction, Education, Energy, Financial, Government, High-Tech, Hospitality, Retail, Food and Agriculture, Technology, Telecommunications, and Transportation. Last year, the group was observed targeting exposed Veeam backup and Microsoft Exchange servers and deploying ransomware payloads such as Black Basta and Clop onto corporate networks. In the latest campaign, BlackBerry notes that early identification of the initial infection and of the threat actor's subsequent actions allowed analysts to quickly locate and remove the infected system from the network before lateral movement occurred, preventing the actors from installing ransomware and causing further damage.

Suggested Corrections:
In the last couple of years, there has been a trend of FIN7 going after large institutions and organizations. While this takes up a lot of the actors’ time and resources, the potential for larger ransom payouts from these organizations makes up for it. Given that FIN7 relies on phishing as its initial infection vector, BlackBerry recommends that organizations take the following steps to stay defended:
  • Conduct Regular Security Training. This remains one of the very best ways to protect businesses from phishing attacks. Teach employees basic red flags that are the hallmark of phishing attempts. Workers need to know how to verify the authenticity of emails and avoid clicking on links or downloading attachments from unknown or suspicious sources.
  • Social Engineering Awareness. This is the next step, but an important one. Expand your employees’ training to include sessions on how to recognize social engineering tactics, which may include the attacker attempting to engage with them via social platforms, phone, text, or even video call.
  • Phishing Report System. Put a system in place to allow employees to immediately report attempted phishing attacks to your SOC or IT security team. Adding a “Report phishing” button to your email system is a good first step. Enforce a culture of trust so that users feel comfortable reporting phishing incidents.
  • Multi-Factor Authentication. Implement multi-factor authentication (MFA) on all user accounts. This makes it harder for an attacker to access an employee’s account and gain entry to your network, even if they steal password and login details.
  • Password Hygiene. Use strong and unique passwords online, and don’t reuse the same password across multiple sites. Better yet, we strongly encourage the use of passwordless (e.g. FIDO2) authentication whenever possible.
  • Security Updates and Patch Management. Keep all employee apps, operating systems and devices updated to apply the latest security fixes.
  • Endpoint Security Solutions. Deploy endpoint security solutions such as antivirus software, endpoint detection and response (EDR) solutions, and email security gateways to detect and block phishing attempts, malware, and other threats at the endpoint.
  • Monitor Suspicious Behavior. Implement monitoring tools and processes to detect suspicious login attempts, unusual user behavior, and unauthorized access. Lock user accounts after a certain number of failed login attempts to deter attackers from guessing passwords.
  • Data Protection and Encryption. Encrypt sensitive data in transit and at rest. This can help protect data from unauthorized access following a successful phishing attack.
  • Email Filtering and Authentication. Implement advanced email filtering solutions to detect and block phishing emails before they reach users' inboxes. Use Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) to authenticate email senders and detect spoofed emails.
  • Incident Response. Develop and test incident response plans to mitigate security incidents quickly.