#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News

FIN7 | Breaking Cybersecurity News | The Hacker News

Category — FIN7
FIN7 Hacker Group Leverages Malicious Google Ads to Deliver NetSupport RAT

FIN7 Hacker Group Leverages Malicious Google Ads to Deliver NetSupport RAT

May 11, 2024 Malvertising / Malware
The financially motivated threat actor known as  FIN7  has been observed leveraging malicious Google ads spoofing legitimate brands as a means to deliver MSIX installers that culminate in the deployment of  NetSupport RAT . "The threat actors used malicious websites to impersonate well-known brands, including AnyDesk, WinSCP, BlackRock, Asana, Concur, The Wall Street Journal, Workable, and Google Meet," cybersecurity firm eSentire  said  in a report published earlier this week. FIN7 (aka Carbon Spider and Sangria Tempest) is a  persistent e-crime group  that's been active since 2013, initially dabbling in attacks targeting point-of-sale (PoS) devices to steal payment data, before pivoting to breaching large firms via ransomware campaigns. Over the years, the threat actor has refined its tactics and cyber weapon arsenal, adopting  various   custom malware  families such as BIRDWATCH, Carbanak, DICELOADER...
FIN7 Cybercrime Group Targeting U.S. Auto Industry with Carbanak Backdoor

FIN7 Cybercrime Group Targeting U.S. Auto Industry with Carbanak Backdoor

Apr 18, 2024 Cyber Attack / Malware
The infamous cybercrime syndicate known as FIN7 has been linked to a spear-phishing campaign targeting the U.S. automotive industry to deliver a known backdoor called Carbanak (aka Anunak). "FIN7 identified employees at the company who worked in the IT department and had higher levels of administrative rights," the BlackBerry research and intelligence team  said  in a new write-up. "They used the lure of a free IP scanning tool to run their well-known Anunak backdoor and gain an initial foothold utilizing living off the land binaries, scripts, and libraries ( LOLBAS )." FIN7, also known as Carbon Spider, Elbrus, Gold Niagara, ITG14, and Sangria Tempest, is a well-known  financially motivated e-crime group  that has a track record of striking a wide range of industry verticals to deliver malware capable of stealing information from point-of-sale (PoS) systems since 2012. In recent years, the threat actor has  transitioned  to  conducting ransomwar...
How AI Is Transforming IAM and Identity Security

How AI Is Transforming IAM and Identity Security

Nov 15, 2024Machine Learning / Identity Security
In recent years, artificial intelligence (AI) has begun revolutionizing Identity Access Management (IAM), reshaping how cybersecurity is approached in this crucial field. Leveraging AI in IAM is about tapping into its analytical capabilities to monitor access patterns and identify anomalies that could signal a potential security breach. The focus has expanded beyond merely managing human identities — now, autonomous systems, APIs, and connected devices also fall within the realm of AI-driven IAM, creating a dynamic security ecosystem that adapts and evolves in response to sophisticated cyber threats. The Role of AI and Machine Learning in IAM AI and machine learning (ML) are creating a more robust, proactive IAM system that continuously learns from the environment to enhance security. Let's explore how AI impacts key IAM components: Intelligent Monitoring and Anomaly Detection AI enables continuous monitoring of both human and non-human identities , including APIs, service acc...
Carbanak Banking Malware Resurfaces with New Ransomware Tactics

Carbanak Banking Malware Resurfaces with New Ransomware Tactics

Dec 26, 2023 Malware / Cybercrime
The banking malware known as  Carbanak  has been observed being used in  ransomware attacks  with updated tactics. "The malware has adapted to incorporate attack vendors and techniques to diversify its effectiveness," cybersecurity firm NCC Group  said  in an analysis of ransomware attacks that took place in November 2023. "Carbanak returned last month through new distribution chains and has been distributed through compromised websites to impersonate various business-related software." Some of the impersonated tools include popular business-related software such as HubSpot, Veeam, and Xero. Carbanak , detected in the wild since at least 2014, is known for its data exfiltration and remote control features. Starting off as a banking malware, it has been put to use by the  FIN7 cybercrime syndicate . In the latest attack chain documented by NCC Group, the compromised websites are designed to host malicious installer files masquerading as legitimat...
cyber security

Creating, Managing and Securing Non-Human Identities

websitePermisoCybersecurity / Identity Security
A new class of identities has emerged alongside traditional human users: non-human identities (NHIs). Permiso Security's new eBook details everything you need to know about managing and securing non-human identities, and strategies to unify identity security without compromising agility.
Notorious Cyber Gang FIN7 Returns With Cl0p Ransomware in New Wave of Attacks

Notorious Cyber Gang FIN7 Returns With Cl0p Ransomware in New Wave of Attacks

May 20, 2023 Cyber Crime / Ransomware
The notorious cybercrime group known as FIN7 has been observed deploying  Cl0p  (aka Clop) ransomware, marking the threat actor's first ransomware campaign since late 2021. Microsoft, which detected the activity in April 2023, is tracking the financially motivated actor under its new taxonomy  Sangria Tempest . "In these recent attacks, Sangria Tempest uses the PowerShell script POWERTRASH to load the Lizar post-exploitation tool and get a foothold into a target network," the company's threat intelligence team  said . "They then use OpenSSH and Impacket to move laterally and deploy Clop ransomware." FIN7  (aka Carbanak, ELBRUS, and ITG14) has been linked to other ransomware families such as Black Basta, DarkSide, REvil, and LockBit, with the threat actor acting as a precursor for Maze and Ryuk ransomware attacks.  Active since at least 2012, the group has a  track record  of  targeting  a broad spectrum of organizations spanning so...
FIN7 and Ex-Conti Cybercrime Gangs Join Forces in Domino Malware Attacks

FIN7 and Ex-Conti Cybercrime Gangs Join Forces in Domino Malware Attacks

Apr 17, 2023
A new strain of malware developed by threat actors likely affiliated with the FIN7 cybercrime group has been put to use by the members of the now-defunct Conti ransomware gang, indicating collaboration between the two crews. The malware, dubbed  Domino , is primarily designed to facilitate follow-on exploitation on compromised systems, including delivering a lesser-known information stealer that has been advertised for sale on the dark web since December 2021. "Former members of the  TrickBot/Conti syndicate  [...] have been using Domino since at least late February 2023 to deliver either the Project Nemesis information stealer or more capable backdoors such as Cobalt Strike," IBM Security X-Force security researcher Charlotte Hammond  said  in a report published last week. FIN7 , also called Carbanak and ITG14, is a prolific  Russian-speaking cybercriminal syndicate  that's known to employ an array of custom malware to deploy additional payloads ...
FIN7 Cybercrime Syndicate Emerges as a Major Player in Ransomware Landscape

FIN7 Cybercrime Syndicate Emerges as a Major Player in Ransomware Landscape

Dec 22, 2022 Cyber Crime / Ransomware
An exhaustive analysis of  FIN7  has unmasked the cybercrime syndicate's organizational hierarchy, alongside unraveling its role as an affiliate for mounting ransomware attacks. It has also exposed deeper associations between the group and the larger threat ecosystem comprising the now-defunct ransomware  DarkSide ,  REvil , and  LockBit  families. The highly active threat group, also known as Carbanak, is  known  for employing an extensive arsenal of tools and tactics to expand its "cybercrime horizons," including adding ransomware to its playbook and setting up fake security companies to lure researchers into conducting ransomware attacks under the guise of penetration testing. More than 8,147 victims have been compromised by the financially motivated adversary across the world, with a majority of the entities located in the U.S. Other prominent countries include China, Germany, Canada, Italy, and the U.K. FIN7's intrusion techniques, over ...
Researchers Find Links b/w Black Basta Ransomware and FIN7 Hackers

Researchers Find Links b/w Black Basta Ransomware and FIN7 Hackers

Nov 03, 2022
A new analysis of tools put to use by the Black Basta ransomware operation has identified ties between the threat actor and the  FIN7  (aka Carbanak) group. This link "could suggest either that Black Basta and FIN7 maintain a special relationship or that one or more individuals belong to both groups," cybersecurity firm SentinelOne  said  in a technical write-up shared with The Hacker News. Black Basta, which  emerged  earlier this year, has been attributed to a ransomware spree that has claimed over 90 organizations as of September 2022, suggesting that the adversary is both well-organized and well-resourced. One notable aspect that makes the group stand out, per SentinelOne, is the fact that there have been no signs of its operators attempting to recruit affiliates or advertising the malware as a RaaS on darknet forums or crimeware marketplaces. This has raised the possibility that the Black Basta developers either cut out affiliates from the chain a...
Ukrainian FIN7 Hacker Gets 5-Year Sentence in the United States

Ukrainian FIN7 Hacker Gets 5-Year Sentence in the United States

Apr 08, 2022
A 32-year-old Ukrainian national has been  sentenced to five years in prison  in the U.S. for the individual's criminal work as a "high-level hacker" in the financially motivated group FIN7. Denys Iarmak, who worked as a penetration tester for the cartel from November 2016 through November 2018, had been previously arrested in Bangkok, Thailand in November 2019, before being extradited to the U.S. in May 2020. In November 2021, Iarmak had pleaded guilty to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking. FIN7 has been attributed to a number of attacks that have led to the theft of more than 20 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations in the U.S, costing the victims $1 billion in losses. The criminal gang, also known as Carbanak Group and the Navigator Group, has a track record of hitting restaurant, gambling, and hospitality indu...
FIN7 Hackers Leveraging Password Reuse and Software Supply Chain Attacks

FIN7 Hackers Leveraging Password Reuse and Software Supply Chain Attacks

Apr 05, 2022
The notorious cybercrime group known as FIN7 has diversified its initial access vectors to incorporate software supply chain compromise and the use of stolen credentials, new research has revealed. "Data theft extortion or ransomware deployment following FIN7-attributed activity at multiple organizations, as well as technical overlaps, suggests that FIN7 actors have been associated with various ransomware operations over time," incident response firm Mandiant  said  in a Monday analysis. The cybercriminal group, since its emergence in the mid-2010s, has gained notoriety for large-scale malware campaigns targeting the point-of-sale (POS) systems aimed at restaurant, gambling, and hospitality industries with credit card-stealing malware. FIN7's shift in monetization strategy towards ransomware follows an October 2021 report from Recorded Future's Gemini Advisory unit, which  found  the adversary setting up a fake front company named Bastion Secure to recruit unwit...
Hackers Set Up Fake Company to Get IT Experts to Launch Ransomware Attacks

Hackers Set Up Fake Company to Get IT Experts to Launch Ransomware Attacks

Oct 22, 2021
The financially motivated FIN7 cybercrime gang has masqueraded as yet another fictitious cybersecurity company called "Bastion Secure" to recruit unwitting software engineers under the guise of penetration testing in a likely lead-up to a ransomware scheme. "With FIN7's latest fake company, the criminal group leveraged true, publicly available information from various legitimate cybersecurity companies to create a thin veil of legitimacy around Bastion Secure," Recorded Future's Gemini Advisory unit said in a report. "FIN7 is adopting disinformation tactics so that if a potential hire or interested party were to fact check Bastion Secure, then a cursory search on Google would return 'true' information for companies with a similar name or industry to FIN7's Bastion Secure." FIN7 , also known as Carbanak, Carbon Spider, and Anunak, has a track record of striking restaurant, gambling, and hospitality industries in the U.S. to infect ...
FIN7 Hackers Using Windows 11 Themed Documents to Drop Javascript Backdoor

FIN7 Hackers Using Windows 11 Themed Documents to Drop Javascript Backdoor

Sep 03, 2021
A recent wave of spear-phishing campaigns leveraged weaponized Windows 11 Alpha-themed Word documents with Visual Basic macros to drop malicious payloads, including a JavaScript implant, against a point-of-sale (PoS) service provider located in the U.S. The attacks, which are believed to have taken place between late June to late July 2021, have been attributed with "moderate confidence" to a financially motivated threat actor dubbed FIN7, according to researchers from cybersecurity firm Anomali. "The specified targeting of the Clearmind domain fits well with FIN7's preferred modus operandi," Anomali Threat Research  said  in a technical analysis published on September 2. "The group's goal appears to have been to deliver a variation of a JavaScript backdoor used by FIN7 since at least 2018." An Eastern European group active since at least mid-2015, FIN7 has a checkered history of targeting restaurant, gambling, and hospitality industries in th...
FIN7 Supervisor Gets 7-Year Jail Term for Stealing Millions of Credit Cards

FIN7 Supervisor Gets 7-Year Jail Term for Stealing Millions of Credit Cards

Jun 25, 2021
A Ukrainian national and a mid-​level supervisor of the hacking group known as FIN7 has been sentenced to seven years in prison for his role as a "pen tester" and perpetuating a criminal scheme that enabled the gang to compromise millions of customers debit and credit cards. Andrii Kolpakov , 33, was arrested in Spain on June 28, 2018, and subsequently extradited to the U.S. the following year on June 1, 2019. In June 2020, Kolpakov pleaded guilty to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking. The Western District of Washington also ordered Kolpakov to pay $2.5 million in restitution. The defendant, who was involved with the group from April 2016 until his arrest, managed other hackers who were tasked with breaching the point-of-sale systems of companies, both in the U.S. and elsewhere, to deploy malware capable of stealing financial information. FIN7 , also called Anunak, Carbanak Group , and the Navigator Group,...
SysAdmin of Billion-Dollar Hacking Group Gets 10-Year Sentence

SysAdmin of Billion-Dollar Hacking Group Gets 10-Year Sentence

Apr 17, 2021
A high-level manager and systems administrator associated with the FIN7 threat actor has been sentenced to 10 years in prison, the U.S. Department of Justice announced Friday. Fedir Hladyr , a 35-year-old Ukrainian national, is said to have played a crucial role in a criminal scheme that compromised tens of millions of debit and credit cards, in addition to aggregating the stolen information, supervising other members of the group, and maintaining the server infrastructure that FIN7 used to attack and control victims' machines. The development comes after Hladyr pleaded guilty to conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking in September 2019. He was arrested in Dresden, Germany, in 2018 and extradited to the U.S. city of Seattle. Hladyr has also been ordered to pay $2.5 million in restitution. "This criminal organization had more than 70 people organized into business units and teams. Some were hackers, others developed the malwa...
Expert Insights / Articles Videos
Cybersecurity Resources