FIN7 Hackers Leveraging Password Reuse and Software Supply Chain Attacks
Security News, April 2022

The notorious cybercrime group known as FIN7 has diversified its initial access vectors to incorporate software supply chain compromise and the use of stolen credentials, new research has revealed.
"Data theft extortion or ransomware deployment following FIN7-attributed activity at multiple organizations, as well as technical overlaps, suggests that FIN7 actors have been associated with various ransomware operations over time," incident response firm Mandiant said in a Monday analysis.
In one of the attacks, FIN7 was observed compromising a website that sells digital products and altering multiple download links so that they pointed to an Amazon S3 bucket hosting trojanized versions of those products. The trojanized installers bundled Atera Agent, a legitimate remote management tool, which was then used to deliver the POWERPLANT backdoor to the victim's system.
The supply chain attack also reflects the group's evolving tradecraft for initial access and first-stage payload delivery, which has historically centered on phishing.
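The tampering described above is detectable from the vendor's side with a routine link-integrity check: installer links on a download page should resolve to the vendor's own hosts, and a link that suddenly points at third-party object storage is exactly the symptom of this attack. The script below is an added example, not code from the article or from Mandiant; the hostnames, file names and the sample HTML are constructed for illustration, and the allow-list would in practice come from the vendor's documented download hosts (including any legitimate CDN). It pairs the link check with the consumer-side check, comparing a downloaded artifact against a hash published out of band.

```python
"""
Added example (not from the original article): flag installer links on a
download page that point outside the vendor's allow-listed hosts, and verify a
downloaded artifact against an out-of-band hash. All hostnames, file names and
the sample HTML below are constructed for illustration.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: the third link has been rewritten to an S3 bucket,
# mirroring the tampering pattern described in the article.
SAMPLE_HTML = """
<html><body>
<a href="https://downloads.example-vendor.com/tool-setup-1.2.exe">Download v1.2</a>
<a href="/files/tool-setup-1.1.exe">Download v1.1</a>
<a href="https://example-bucket.s3.amazonaws.com/tool-setup-1.2.exe">Download v1.2 (mirror)</a>
<a href="https://downloads.example-vendor.com/release-notes.html">Release notes</a>
</body></html>
"""

# Hypothetical vendor hosts that are allowed to serve installers.
ALLOWED_HOSTS = {"downloads.example-vendor.com", "www.example-vendor.com"}

# File types treated as installers worth checking.
INSTALLER_SUFFIXES = (".exe", ".msi", ".zip", ".dmg", ".pkg")


class LinkCollector(HTMLParser):
    """Collect every href from <a> tags using only the standard library."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def find_suspicious_download_links(html, allowed_hosts, page_host):
    """Return installer links whose host is not on the vendor allow-list.

    Relative links resolve to page_host and are treated as first-party; the
    check is case-insensitive on both the host and the file suffix.
    """
    suspicious = []
    for href in extract_links(html):
        parsed = urlparse(href)
        if not parsed.path.lower().endswith(INSTALLER_SUFFIXES):
            continue
        host = parsed.netloc.lower() or page_host.lower()
        if host not in allowed_hosts:
            suspicious.append(href)
    return suspicious


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_artifact(data, expected_sha256):
    """Consumer-side check: the artifact must match the hash the vendor
    published through a channel the attacker did not control (signed
    manifest, release mail). A link that was swapped for a trojanized build
    fails this even when it still carries the original file name."""
    return sha256_hex(data) == expected_sha256.lower()


if __name__ == "__main__":
    for link in find_suspicious_download_links(
        SAMPLE_HTML, ALLOWED_HOSTS, "downloads.example-vendor.com"
    ):
        print("installer served from non-allow-listed host:", link)
```

Run periodically against the live download page (and the page as served to anonymous visitors, since tampering may be conditional), and treat any new host in the output as an incident rather than a configuration change until the change is confirmed through the vendor's own deployment records.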
Other tools used by the group to facilitate its infiltrations include EASYLOOK, a reconnaissance utility; BOATLAUNCH, a helper module designed to bypass the Windows Antimalware Scan Interface (AMSI); and BIRDWATCH, a .NET-based downloader employed to fetch and execute next-stage binaries received over HTTP.
"Despite indictments of members of FIN7 in 2018 and a related sentencing in 2021 announced by the U.S. Department of Justice, at least some members of FIN7 have remained active and continue to evolve their criminal operations over time," Mandiant researchers said.
"Throughout their evolution, FIN7 has increased the speed of their operational tempo, the scope of their targeting, and even possibly their relationships with other ransomware operations in the cybercriminal underground."
News URL
https://thehackernews.com/2022/04/fin7-hackers-leveraging-password-reuse.html