FIN 11 , Email Campaign on the go

FIN11, a financially-motivated hacker group, has been launching successful hybrid extortion attacks across the Commonwealth of Independent States (CIS) countries. It is believed that the FIN11 operators have changed their TTPs to include a diverse set of sectors and geographic regions.

Hybrid extortion attacks

Recently, the group has switched from large-scale phishing campaigns to ransomware attacks.

  • FIN 11 has shifted its primary monetization method to ransomware deployment, along with data theft, to pressurize their victims into accepting the extortion demands.
  • The report has connected the FIN11 group with several dropper families such as SPOONBEARD, FORKBEARD, and MINEDOOR to drop a variety of associated payloads ( AndroMut, AZORult, CLOP, FlawedAmmyy, FRIENDSPEAK, Meterpreter, MIXLABEL) to target its victims.

FIN11 & TA505 Collaboration

The researchers given a variation between FIN11 and TA505 despite the significant overlap in tactics, techniques, and malware used by both hacker groups. It indicates that some earlier attacks attributed to TA505 were actually undertaken by FIN11. It is suspected that FIN11 is a smaller portion of the bigger TA505 umbrella family.

Attack strategy

The FIN11 group had lured its targets into downloading a malicious Microsoft Office attachment to start an infection chain. The chain creates multiple backdoors into compromised systems, with the capability to grab admin credentials and move laterally across networks.

Recent FIN11 lightson

The group has incorporated additional delivery techniques that are switched over almost on a monthly basis, while also continuing to use techniques from prior campaigns.

  • FIN11 had implemented new evasion techniques to selectively choose which victims (mostly Germany-based) were redirected to domains that delivered malicious Office files.
  • The threat actor continued to modify its delivery tactics during Q3 2020; the changes were relatively minor as the victims had to complete a CAPTCHA challenge before being served an Excel spreadsheet with malicious macro code.

Concluding notes

The tactics adopted by FIN11, including data-theft and extortion, aimed at increasing the pressure on victims suggest that its motivations are emblematic and exclusively financial. FIN11 is expected to continue launching hybrid extortion attacks for more effectiveness and financial

Ransom Gangs with Network Sellers collaboration. Deadly combođź‘ą

Accenture Cyber Threat Intelligence team outlined a trend of collaboration between network access sellers and ransomware gangs. Several cybercriminals are increasingly offering initial network access to already-compromised companies used by Ransomware gangs

Deadly deals

Researchers have warned that hackers are seen selling credentials for RDP connections, Citrix, and Pulse Secure VPN clients to ransomware groups such as Avaddon, Exorcist, Lockbit, Maze, NetWalker, and Sodinokibi.

  • Ransomware operators get direct access to corporate and government networks. Thus, they can concentrate on establishing persistence and moving laterally.
  • The network-access sellers have been observed using attack vectors such as remote working tools, zero-day exploits, or malware such as Cerberus Trojan to attempt corporate network access in the future.
  • The network access credentials are usually offered between $300 and $10,000, depending on the size and revenue of the victim.

The destructive relationship

Accenture has tracked more than 25 persistent network access sellers, as well as the occasional one-off seller, with more entering every week.

  • In August, four actors were seen utilizing the source code of Cerberus Trojan to gain corporate and government network access credentials, which they sold to other cybercrime groups for a handsome profit.
  • In July, the threat actor Frankknox aborted a sale of a self-developed Zero-day targeting a well-known brand of a mail server and began exploiting the vulnerability to gain corporate network access to multiple victims. Until September, Frankknox has advertised access to 36 corporations for between $2,000 and $20,000, of which at least 11 they claim to have sold.

Ngrok Abused

Cybercriminals have been using ngrok—a cross-platform application to expose local development servers to the internet, for malicious purposes for years now.

An organization was targeted by a keylogger, where malicious actors installed a copy of the ngrok tool to obtain specific details about the environment.

Crispy Recent campaigns

  • Recently, threats actors were seen using ngrok to expose several machines within the victim’s networks, making them visible to the outside world.
  • It is believed that the attackers had three requirements: ngrok installed on the internal machine; an administrator account; and the ngrok server domain and port, already in place.
  • Since the attacker had the knowledge of the ngrok-assigned public address, it could connect to the compromised system at any time.

How it’s been used

The service can be abused by threat actors to get unauthorized access to the targeted network, download payloads, exfilteration of data, and crafting unique URLs. In addition, the tunneling service allows cybercriminals to evade detection. It can generate random URLs, making it harder to track, detect, or block.

Recent attacks using the ngrok tool

  • An Iran-based APT Pioneer Kitten was found selling network credentials of corporates on hacker forums. The group is known for its regular use of ngrok.
  • Fox Kitten was observed attacking the US private and government sector. The group is known for using ngrok to target on-premise BIG-IP devices.

Way to mitigate

Organizations must be aware of ngrok and other tunneling services, as these services can be abused by hackers. Experts suggest that organizations using tunneling services should have a secure authorization mechanism for every access level, and its setup should include approval from security teams. In addition to this, the tunnel should be password-protected and IP whitelisting should be enabled.

Zoom 2FA goes for all

Zoom has announced that it has added two-factor authentication (2FA) support to all user accounts to make it simpler to secure them against security breaches and identity theft.

With 2FA, Zoom users will have an extra layer added to the authentication process, blocking attackers from take control of their account by guessing their password or using compromised credentials.

Zoom accounts secured using 2FA will require you to enter a one-time code from a mobile authenticator app or received via SMS or phone call, in addition to the account’s password, before allowing you to sign in to the Zoom web portal, desktop client, mobile app, or Zoom Room.

“With Zoom’s 2FA, users have the option to use authentication apps that support Time-Based One-Time Password (TOTP) protocol (such as Google Authenticator, Microsoft Authenticator, and FreeOTP), or have Zoom send a code via SMS or phone call, as the second factor of the account authentication process,” .

“Zoom offers a range of authentication methods such as SAML, OAuth, and/or password-based authentication, which can be individually enabled or disabled for an account.”

Zoom 2FA