FIN7 Group Advertises Security-Bypassing Tool on Dark Web Forums

Summary:
This report details the activities of the financially motivated threat actor FIN7. FIN7 has been observed using multiple pseudonyms across various underground forums to advertise a security-bypassing tool known as AvNeutralizer. AvNeutralizer has been used by multiple ransomware groups, including Black Basta. The report also explores FIN7’s cybercrime arsenal, which includes tools such as Powertrash, Diceloader, Core Impact, an SSH-based backdoor, and AvNeutralizer. Each of these tools plays a role in different phases of FIN7’s attacks, allowing them to infiltrate, exploit, persist, and evade detection on compromised systems.

This report highlights FIN7 as a financially motivated and evasive threat. Here are some key takeaways:
  • FIN7 is adopting automation: The group is leveraging automated tools for SQL injection attacks against public-facing servers.
  • Evolving toolset: FIN7 is developing and selling its own security evasion tools like AvNeutralizer on underground forums, making these tools available to other cybercriminals.
  • Advanced techniques: FIN7 is continuously innovating its attack methods, making them more sophisticated and difficult to detect.
  • Multiple personas: FIN7 uses multiple pseudonyms online, making attribution a challenge.
  • Collaboration: FIN7 collaborates with other cybercriminal groups, expanding its capabilities.

Security Officer Comments:
This report highlights the growing sophistication of cybercrime groups like FIN7. Their ability to develop and sell custom tools like AvNeutralizer on underground forums demonstrates both their technical expertise and their focus on profit. The use of multiple pseudonyms makes it difficult to track FIN7’s activities and attribute attacks to the group. Combined with their diverse arsenal of tools and techniques, this makes FIN7 a significant threat to organizations. It is paramount that security professionals stay aware of the latest TTPs used by FIN7 and other cybercrime groups as they continue to collaborate through the cybercriminal marketplace. Defenders should implement a layered security approach that includes endpoint security solutions, user education, and offensive research to understand and mitigate FIN7 and its collaborative attacks.

Suggested Corrections:
Organizations can make APT groups’ lives more difficult. Here’s how:
  • Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
  • Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
  • Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
  • Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.

IOCs for these recent FIN7 campaigns are published here.

Link(s):
https://thehackernews.com/2024/07/fin7-group-advertises-security.html

https://www.sentinelone.com/labs/fin7-reboot-cybercrime-gang-enhances-ops-with-new-edr-bypasses-and-automated-attacks/