#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

FIN7 | Breaking Cybersecurity News | The Hacker News

Carbanak Banking Malware Resurfaces with New Ransomware Tactics

Carbanak Banking Malware Resurfaces with New Ransomware Tactics
Dec 26, 2023 Malware / Cybercrime
The banking malware known as  Carbanak  has been observed being used in  ransomware attacks  with updated tactics. "The malware has adapted to incorporate attack vendors and techniques to diversify its effectiveness," cybersecurity firm NCC Group  said  in an analysis of ransomware attacks that took place in November 2023. "Carbanak returned last month through new distribution chains and has been distributed through compromised websites to impersonate various business-related software." Some of the impersonated tools include popular business-related software such as HubSpot, Veeam, and Xero. Carbanak , detected in the wild since at least 2014, is known for its data exfiltration and remote control features. Starting off as a banking malware, it has been put to use by the  FIN7 cybercrime syndicate . In the latest attack chain documented by NCC Group, the compromised websites are designed to host malicious installer files masquerading as legitimate utilities to

Notorious Cyber Gang FIN7 Returns With Cl0p Ransomware in New Wave of Attacks

Notorious Cyber Gang FIN7 Returns With Cl0p Ransomware in New Wave of Attacks
May 20, 2023 Cyber Crime / Ransomware
The notorious cybercrime group known as FIN7 has been observed deploying  Cl0p  (aka Clop) ransomware, marking the threat actor's first ransomware campaign since late 2021. Microsoft, which detected the activity in April 2023, is tracking the financially motivated actor under its new taxonomy  Sangria Tempest . "In these recent attacks, Sangria Tempest uses the PowerShell script POWERTRASH to load the Lizar post-exploitation tool and get a foothold into a target network," the company's threat intelligence team  said . "They then use OpenSSH and Impacket to move laterally and deploy Clop ransomware." FIN7  (aka Carbanak, ELBRUS, and ITG14) has been linked to other ransomware families such as Black Basta, DarkSide, REvil, and LockBit, with the threat actor acting as a precursor for Maze and Ryuk ransomware attacks.  Active since at least 2012, the group has a  track record  of  targeting  a broad spectrum of organizations spanning software, consulting, f

Making Sense of Operational Technology Attacks: The Past, Present, and Future

Making Sense of Operational Technology Attacks: The Past, Present, and Future
Mar 21, 2024Operational Technology / SCADA Security
When you read reports about cyber-attacks affecting operational technology (OT), it's easy to get caught up in the hype and assume every single one is sophisticated. But are OT environments all over the world really besieged by a constant barrage of complex cyber-attacks? Answering that would require breaking down the different types of OT cyber-attacks and then looking back on all the historical attacks to see how those types compare.  The Types of OT Cyber-Attacks Over the past few decades, there has been a growing awareness of the need for improved cybersecurity practices in IT's lesser-known counterpart, OT. In fact, the lines of what constitutes a cyber-attack on OT have never been well defined, and if anything, they have further blurred over time. Therefore, we'd like to begin this post with a discussion around the ways in which cyber-attacks can either target or just simply impact OT, and why it might be important for us to make the distinction going forward. Figure 1 The Pu

FIN7 and Ex-Conti Cybercrime Gangs Join Forces in Domino Malware Attacks

FIN7 and Ex-Conti Cybercrime Gangs Join Forces in Domino Malware Attacks
Apr 17, 2023
A new strain of malware developed by threat actors likely affiliated with the FIN7 cybercrime group has been put to use by the members of the now-defunct Conti ransomware gang, indicating collaboration between the two crews. The malware, dubbed  Domino , is primarily designed to facilitate follow-on exploitation on compromised systems, including delivering a lesser-known information stealer that has been advertised for sale on the dark web since December 2021. "Former members of the  TrickBot/Conti syndicate  [...] have been using Domino since at least late February 2023 to deliver either the Project Nemesis information stealer or more capable backdoors such as Cobalt Strike," IBM Security X-Force security researcher Charlotte Hammond  said  in a report published last week. FIN7 , also called Carbanak and ITG14, is a prolific  Russian-speaking cybercriminal syndicate  that's known to employ an array of custom malware to deploy additional payloads and broaden its mone

Automated remediation solutions are crucial for security

cyber security
websiteWing SecurityShadow IT / SaaS Security
Especially when it comes to securing employees' SaaS usage, don't settle for a longer to-do list. Auto-remediation is key to achieving SaaS security.

FIN7 Cybercrime Syndicate Emerges as a Major Player in Ransomware Landscape

FIN7 Cybercrime Syndicate Emerges as a Major Player in Ransomware Landscape
Dec 22, 2022 Cyber Crime / Ransomware
An exhaustive analysis of  FIN7  has unmasked the cybercrime syndicate's organizational hierarchy, alongside unraveling its role as an affiliate for mounting ransomware attacks. It has also exposed deeper associations between the group and the larger threat ecosystem comprising the now-defunct ransomware  DarkSide ,  REvil , and  LockBit  families. The highly active threat group, also known as Carbanak, is  known  for employing an extensive arsenal of tools and tactics to expand its "cybercrime horizons," including adding ransomware to its playbook and setting up fake security companies to lure researchers into conducting ransomware attacks under the guise of penetration testing. More than 8,147 victims have been compromised by the financially motivated adversary across the world, with a majority of the entities located in the U.S. Other prominent countries include China, Germany, Canada, Italy, and the U.K. FIN7's intrusion techniques, over the years, have furth

Researchers Find Links b/w Black Basta Ransomware and FIN7 Hackers

Researchers Find Links b/w Black Basta Ransomware and FIN7 Hackers
Nov 03, 2022
A new analysis of tools put to use by the Black Basta ransomware operation has identified ties between the threat actor and the  FIN7  (aka Carbanak) group. This link "could suggest either that Black Basta and FIN7 maintain a special relationship or that one or more individuals belong to both groups," cybersecurity firm SentinelOne  said  in a technical write-up shared with The Hacker News. Black Basta, which  emerged  earlier this year, has been attributed to a ransomware spree that has claimed over 90 organizations as of September 2022, suggesting that the adversary is both well-organized and well-resourced. One notable aspect that makes the group stand out, per SentinelOne, is the fact that there have been no signs of its operators attempting to recruit affiliates or advertising the malware as a RaaS on darknet forums or crimeware marketplaces. This has raised the possibility that the Black Basta developers either cut out affiliates from the chain and deploy the ranso

Ukrainian FIN7 Hacker Gets 5-Year Sentence in the United States

Ukrainian FIN7 Hacker Gets 5-Year Sentence in the United States
Apr 08, 2022
A 32-year-old Ukrainian national has been  sentenced to five years in prison  in the U.S. for the individual's criminal work as a "high-level hacker" in the financially motivated group FIN7. Denys Iarmak, who worked as a penetration tester for the cartel from November 2016 through November 2018, had been previously arrested in Bangkok, Thailand in November 2019, before being extradited to the U.S. in May 2020. In November 2021, Iarmak had pleaded guilty to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking. FIN7 has been attributed to a number of attacks that have led to the theft of more than 20 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations in the U.S, costing the victims $1 billion in losses. The criminal gang, also known as Carbanak Group and the Navigator Group, has a track record of hitting restaurant, gambling, and hospitality indu

FIN7 Hackers Leveraging Password Reuse and Software Supply Chain Attacks

FIN7 Hackers Leveraging Password Reuse and Software Supply Chain Attacks
Apr 05, 2022
The notorious cybercrime group known as FIN7 has diversified its initial access vectors to incorporate software supply chain compromise and the use of stolen credentials, new research has revealed. "Data theft extortion or ransomware deployment following FIN7-attributed activity at multiple organizations, as well as technical overlaps, suggests that FIN7 actors have been associated with various ransomware operations over time," incident response firm Mandiant  said  in a Monday analysis. The cybercriminal group, since its emergence in the mid-2010s, has gained notoriety for large-scale malware campaigns targeting the point-of-sale (POS) systems aimed at restaurant, gambling, and hospitality industries with credit card-stealing malware. FIN7's shift in monetization strategy towards ransomware follows an October 2021 report from Recorded Future's Gemini Advisory unit, which  found  the adversary setting up a fake front company named Bastion Secure to recruit unwitt

Hackers Set Up Fake Company to Get IT Experts to Launch Ransomware Attacks

Hackers Set Up Fake Company to Get IT Experts to Launch Ransomware Attacks
Oct 22, 2021
The financially motivated FIN7 cybercrime gang has masqueraded as yet another fictitious cybersecurity company called "Bastion Secure" to recruit unwitting software engineers under the guise of penetration testing in a likely lead-up to a ransomware scheme. "With FIN7's latest fake company, the criminal group leveraged true, publicly available information from various legitimate cybersecurity companies to create a thin veil of legitimacy around Bastion Secure," Recorded Future's Gemini Advisory unit said in a report. "FIN7 is adopting disinformation tactics so that if a potential hire or interested party were to fact check Bastion Secure, then a cursory search on Google would return 'true' information for companies with a similar name or industry to FIN7's Bastion Secure." FIN7 , also known as Carbanak, Carbon Spider, and Anunak, has a track record of striking restaurant, gambling, and hospitality industries in the U.S. to infect

FIN7 Hackers Using Windows 11 Themed Documents to Drop Javascript Backdoor

FIN7 Hackers Using Windows 11 Themed Documents to Drop Javascript Backdoor
Sep 03, 2021
A recent wave of spear-phishing campaigns leveraged weaponized Windows 11 Alpha-themed Word documents with Visual Basic macros to drop malicious payloads, including a JavaScript implant, against a point-of-sale (PoS) service provider located in the U.S. The attacks, which are believed to have taken place between late June to late July 2021, have been attributed with "moderate confidence" to a financially motivated threat actor dubbed FIN7, according to researchers from cybersecurity firm Anomali. "The specified targeting of the Clearmind domain fits well with FIN7's preferred modus operandi," Anomali Threat Research  said  in a technical analysis published on September 2. "The group's goal appears to have been to deliver a variation of a JavaScript backdoor used by FIN7 since at least 2018." An Eastern European group active since at least mid-2015, FIN7 has a checkered history of targeting restaurant, gambling, and hospitality industries in th

FIN7 Supervisor Gets 7-Year Jail Term for Stealing Millions of Credit Cards

FIN7 Supervisor Gets 7-Year Jail Term for Stealing Millions of Credit Cards
Jun 25, 2021
A Ukrainian national and a mid-​level supervisor of the hacking group known as FIN7 has been sentenced to seven years in prison for his role as a "pen tester" and perpetuating a criminal scheme that enabled the gang to compromise millions of customers debit and credit cards. Andrii Kolpakov , 33, was arrested in Spain on June 28, 2018, and subsequently extradited to the U.S. the following year on June 1, 2019. In June 2020, Kolpakov pleaded guilty to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking. The Western District of Washington also ordered Kolpakov to pay $2.5 million in restitution. The defendant, who was involved with the group from April 2016 until his arrest, managed other hackers who were tasked with breaching the point-of-sale systems of companies, both in the U.S. and elsewhere, to deploy malware capable of stealing financial information. FIN7 , also called Anunak, Carbanak Group , and the Navigator Group,

SysAdmin of Billion-Dollar Hacking Group Gets 10-Year Sentence

SysAdmin of Billion-Dollar Hacking Group Gets 10-Year Sentence
Apr 17, 2021
A high-level manager and systems administrator associated with the FIN7 threat actor has been sentenced to 10 years in prison, the U.S. Department of Justice announced Friday. Fedir Hladyr , a 35-year-old Ukrainian national, is said to have played a crucial role in a criminal scheme that compromised tens of millions of debit and credit cards, in addition to aggregating the stolen information, supervising other members of the group, and maintaining the server infrastructure that FIN7 used to attack and control victims' machines. The development comes after Hladyr pleaded guilty to conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking in September 2019. He was arrested in Dresden, Germany, in 2018 and extradited to the U.S. city of Seattle. Hladyr has also been ordered to pay $2.5 million in restitution. "This criminal organization had more than 70 people organized into business units and teams. Some were hackers, others developed the malwa
Cybersecurity Resources