[BreachExchange] This major criminal hacking group just switched to ransomware attacks

Destry Winant destry at riskbasedsecurity.com
Thu Oct 15 10:37:57 EDT 2020


https://www.zdnet.com/article/this-major-criminal-hacking-group-just-switched-to-ransomware-attacks/

A widespread hacking operation that has been targeting organisations
around the world in a phishing and malware campaign that has been
active since 2016 has now switched to ransomware attacks, reflecting
how successful ransomware has become as a money-making tool for cyber
criminals.

Dubbed FIN11, the campaign has been detailed by cybersecurity
researchers at FireEye Mandiant, who describe the hackers as a
'well-established financial crime group' which has conducted some of
the longest running hacking campaigns.


The group started by focusing attacks on banks, retailers and
restaurants but has grown to indiscriminately target a wide range of
sectors in different locations around the world, sending thousands of
phishing emails out and simultaneously conducting attacks against
several organisations at any one time.

For example, in just one week, Mandiant observed concurrent campaigns
targeting pharmaceuticals, shipping and logistics industries in both
North America and Europe.

But despite attacks targeting a wide variety of organisations around
the world, many of the initial phishing campaigns are still customised
on a target-by-target basis for the maximum possible chance of
encouraging a victim to open a malicious Microsoft Office attachment
that tells them macros must be enabled to view it.

This starts an infection chain that creates multiple backdoors into
compromised systems, as well as the ability to grab admin credentials
and move laterally across networks.

FIN11 campaigns initially revolved around embedding themselves into
networks in order to steal data, with researchers noting that the
hacking group commonly deployed BlueSteal, a tool used to steal
banking information from Point-of-Sale (POS) terminals.

With finances being the focus of the group, it's likely FIN11 sold
this information to other cyber criminals on the dark web, or simply
exploited the details for their own gain.

But now FIN11 is using its extensive network as a means of delivering
ransomware to compromised networks, with the attackers favouring Clop
ransomware and demanding bitcoin to restore the network.

Put simply, this shift in tactics is all about making as much money as
possible – and ransomware has become a quick and easy way for cyber
criminals to make money from a wider variety of targets.

"FIN11 has likely shifted their primary monetization method to
ransomware deployment because it is more profitable than traditional
methods such as deploying POS malware," Genevieve Stark, analyst at
Mandiant Threat Intelligence, told ZDNet.

"Ransomware also increases the potential victim pool since it can be
deployed at nearly any organization, while POS malware is only
effective against certain targets," she added.

In an effort to blackmail victims into paying the ransom, some
ransomware gangs have taken to using their access to networks to steal
sensitive or personal data and threaten to leak it if they don't
receive payment for the decryption key – and FIN11 have adopted this
tactic, publishing data from victims who don't pay.

"FIN11's adoption of data-theft and extortion to increase leverage on
victims is further evidence that their motivations are exclusively
financial," said Stark.


Based on analysis of Russian language in FIN11's files, researchers
say that this purely financially motivated operation is likely
operating out of one of the Commonwealth of Independent States – and
it's highly likely the ransomware attacks will continue.

"We anticipate that FIN11 will continue to conduct widespread phishing
campaigns with consistently evolving delivery tactics for the
foreseeable future," said Stark.

"FIN11 will probably continue conducting ransomware and data-theft
extortion for the immediate future, given many organizations acquiesce
to extortion demands," she added.

The attacks have been prolific and successful, but organisations can
avoid falling victim to campaigns by FIN11 and other financially
motivated groups by following common security advice and applying
patches to prevent attackers from using known exploits to gain a
foothold in networks.

And with FIN11 and other hackers exploiting Microsoft Office macros to
conceal malicious payloads, it's recommended that macros are disabled
to stop them being used as a starting point for attacks.
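Disabling macros on the endpoint is the control the article recommends; a complementary control is to stop macro-bearing Office attachments at the mail gateway before a user ever sees the "enable macros" lure. The following is an added example written for this post, not code from ZDNet or Mandiant. It classifies an attachment by container format: OOXML files (.docm, .xlsm, and also .docx files that wrongly carry a VBA part) are zip archives, so the presence of a `vbaProject.bin` part or of the `application/vnd.ms-office.vbaProject` content type is a reliable macro indicator; legacy OLE files (.doc, .xls) keep VBA in compound-file streams and are flagged for deeper scanning rather than parsed here. The sample documents are constructed in memory; `build_sample` and its placeholder bytes are assumptions for the demonstration.

```python
import io
import zipfile
from dataclasses import dataclass

# Magic bytes of the legacy OLE compound-file container (.doc/.xls/.ppt).
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# Content type OOXML packages declare for an embedded VBA project.
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
# Extensions that are not supposed to carry macros at all.
MACRO_FREE_EXTENSIONS = (".docx", ".xlsx", ".pptx")


@dataclass
class AttachmentVerdict:
    verdict: str          # "macros", "clean", "needs-deep-scan" or "not-office"
    evidence: str         # why the verdict was reached
    extension_mismatch: bool = False  # macros inside a macro-free extension


def classify_attachment(filename: str, data: bytes) -> AttachmentVerdict:
    """Decide whether an Office attachment carries a VBA project."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: VBA lives in OLE streams, so hand it to a
        # stream-level scanner instead of guessing from the outer bytes.
        return AttachmentVerdict("needs-deep-scan", "legacy OLE container")
    if not data.startswith(b"PK"):
        return AttachmentVerdict("not-office", "neither OLE nor zip container")
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return AttachmentVerdict("not-office", "corrupt zip container")

    lower = filename.lower()
    mismatch_possible = lower.endswith(MACRO_FREE_EXTENSIONS)

    # Indicator 1: a vbaProject.bin part anywhere in the package
    # (word/, xl/, ppt/ ...).
    vba_parts = [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]
    if vba_parts:
        return AttachmentVerdict("macros", "VBA part: " + ", ".join(vba_parts),
                                 extension_mismatch=mismatch_possible)

    # Indicator 2: the package declares the VBA content type even if the
    # part name was changed to dodge a simple filename check.
    try:
        content_types = zf.read("[Content_Types].xml")
    except KeyError:
        content_types = b""
    if VBA_CONTENT_TYPE in content_types:
        return AttachmentVerdict("macros", "vbaProject content type declared",
                                 extension_mismatch=mismatch_possible)

    return AttachmentVerdict("clean", "no VBA project in package")


def build_sample(with_macros: bool) -> bytes:
    """Constructed minimal OOXML package for demonstration (assumption:
    placeholder VBA bytes, not a real compiled project)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types_xml = (
            '<?xml version="1.0"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="xml" ContentType="application/xml"/>'
        )
        if with_macros:
            types_xml += ('<Default Extension="bin" '
                          'ContentType="application/vnd.ms-office.vbaProject"/>')
        types_xml += "</Types>"
        zf.writestr("[Content_Types].xml", types_xml)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # constructed placeholder
    return buf.getvalue()


def quarantine_list(attachments: list[tuple[str, bytes]]) -> list[str]:
    """Return the names of attachments a gateway should hold for review:
    anything with macros, plus legacy OLE files pending deeper scanning."""
    held = []
    for name, data in attachments:
        v = classify_attachment(name, data)
        if v.verdict in ("macros", "needs-deep-scan"):
            held.append(name)
    return held


if __name__ == "__main__":
    samples = [
        ("invoice.docm", build_sample(True)),
        ("report.docx", build_sample(False)),
        ("renamed.docx", build_sample(True)),          # macros hidden behind .docx
        ("old_statement.doc", OLE_MAGIC + b"\x00" * 32),  # constructed OLE header
        ("notes.txt", b"plain text"),
    ]
    for name, data in samples:
        print(name, classify_attachment(name, data))
    print("held:", quarantine_list(samples))
```

The content-type check matters because a filename-only rule is trivially bypassed by renaming the part, and the extension-mismatch flag surfaces the case where a macro project is hiding behind a "safe" .docx name, which is worth a separate alert even when the endpoint policy would block it.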


More information about the BreachExchange mailing list