Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

10/15/2020
06:30 PM
50%
50%

Prolific Cybercrime Group Now Focused on Ransomware

Cybercriminal team previously associated with point-of-sale malware and data theft has now moved almost completely into the more lucrative crimes of ransomware and extortion.

An assortment of ransomware campaigns since 2019 are actually the work of a single group, which has evolved from conducting point-of-sale attacks using malware to infiltrating networks and infecting systems with ransomware, researchers say.

In an analysis of a cluster of malicious activity, FireEye's Mandiant linked the attacks to a single cybercrime group, which the company dubbed FIN11. The group uses attack tools and malware that appear to be unique to its operators, who are also known for their use of high-volume e-mail campaigns to initially infect a user at a targeted company and establish a beachhead. While their activity has significant ramped up through most of 2019 and 2020, their operations appear to stretch back to 2016.

Related Content:

Security Firms & Financial Group Team Up to Take Down Trickbot

2020 State of Cybersecurity Operations and Incident Response

New on The Edge: What's Really Happening in Infosec Hiring Now?

Overall, the group does not display sophisticated tactics, techniques and procedures (TTPs), but they are aggressive in their attempts to gain a foothold in companies, says Kimberly Goody, senior manager of the Mandiant threat intelligence financial crime team at FireEye.

"The main thing that sets this group apart from our perspective is how widespread their campaigns are," she says. "They are sophisticated, but they have a wide reach. And their constant evolution of their TTPs—even though minor—can prevent organizations from being able to adequately defend against their spam campaigns."

The group also highlights a trend observed by FireEye. Since early 2019, financial cybercrime groups once focused on stealing payment-card data are now shifting to compromising corporate networks, infecting a significant number of systems with ransomware, and then extorting the business for large sums, Goody says.

"Point of sale intrusions were very profitable, and we saw actors such as FIN6 and FIN7—all the way back to FIN5—they were targeting payment card data," Goody says. "But ransomware, in terms of actors deploying it post compromise and widely distributing it in one victim's environment, is far more profitable."

FireEye concluded in its analysis that the group likely operates from the Commonwealth of Independent States (CIS), which broke off from the former Soviet Union. The company, however, has not linked their operations to any cyber espionage campaigns. Yet, cybercriminal groups operating in the CIS are likely known to Russian intelligence, and considering that such groups are usually worried enough about Russian law enforcement to avoid infecting systems within Russia, they could be conscripted into such activity, Goody says.

"Right now, we have only seen financially motivated attacks from this group," she says. "But I find it improbable that Russia intelligence is unaware of this operation, and there has been cases of Russian cybercriminal groups—such as Zeus—that have specifically taken actions that appeared to be in line with espionage operations ... so if asked, they would likely have to conduct whatever activity was asked of them."

Trickbot

Earlier this month, Microsoft and a group of security firms worked together to take down the command-and-control channels for the Trickbot botnet, whose operators used the software's modular capabilities to sell access to compromised systems and conduct ransomware attacks for financial gain. Yet, Microsoft—along with the US Cyber Command, reportedly—targeted Trickbot because of concerns that the group behind the malware would use its extensive reach to impact the US elections.

The impact of the takedown is not clear. While some reports have indicated the botnet had suffered disruptions prior to the takedown, ostensibly due to US Cyber Command activities, security firm Proofpoint stated that its researchers had not seen any notable changes in activity.

"The most recent Trickbot campaigns are already using new command and control channels, which shows the threat actors are actively adapting their campaigns," Sherrod DeGrippo, senior director of threat research at Proofpoint, said in a statement to Dark Reading. "[W]e believe it's unlikely we'll see any immediate significant changes in Trickbot delivery volumes as the majority of Trickbot infections appear to come from third party malicious senders at this time."

While FIN11 has its own unique toolsets, the group heavily leverages cybercrime services such as bulletproof hosting providers, private and semi-private malware infrastructure, and the purchase of stolen code-signing certificates, FireEye said in its analysis. 

The largest risk the group poses, however, is its ubiquity, according to FireEye.

"The broad visibility Mandiant experts have into post-compromise activity that has historically followed FIN11's malicious email campaigns suggests that they obtain access to the networks of far more organizations than they are able to successfully monetize," the company stated. "Their high cadence of operations may be an attempt to cast a wide net rather than a reflection of the group's ability to monetize many victims simultaneously."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Cloud Security Startup Lightspin Emerges From Stealth
Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20934
PUBLISHED: 2020-11-28
An issue was discovered in the Linux kernel before 5.2.6. On NUMA systems, the Linux fair scheduler has a use-after-free in show_numa_stats() because NUMA fault statistics are inappropriately freed, aka CID-16d51a590a8c.
CVE-2020-29368
PUBLISHED: 2020-11-28
An issue was discovered in __split_huge_pmd in mm/huge_memory.c in the Linux kernel before 5.7.5. The copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check, aka CID-c444eb564fb1.
CVE-2020-29369
PUBLISHED: 2020-11-28
An issue was discovered in mm/mmap.c in the Linux kernel before 5.7.11. There is a race condition between certain expand functions (expand_downwards and expand_upwards) and page-table free operations from an munmap call, aka CID-246c320a8cfe.
CVE-2020-29370
PUBLISHED: 2020-11-28
An issue was discovered in kmem_cache_alloc_bulk in mm/slub.c in the Linux kernel before 5.5.11. The slowpath lacks the required TID increment, aka CID-fd4d9c7d0c71.
CVE-2020-29371
PUBLISHED: 2020-11-28
An issue was discovered in romfs_dev_read in fs/romfs/storage.c in the Linux kernel before 5.8.4. Uninitialized memory leaks to userspace, aka CID-bcf85fcedfdd.