FIN7 hackers create auto-attack platform to breach Exchange servers

The FIN7 hacking group uses an automated attack system that exploits Microsoft Exchange and SQL injection vulnerabilities to break into corporate networks, steal data, and select victims for ransomware attacks based on their financial size.

The system was discovered by Prodaft's threat intelligence team, which has been tracking FIN7 operations closely for years.

Prodaft shared details with BleepingComputer about FIN7's internal hierarchy and its affiliations with various ransomware projects. Prodaft also revealed details of a new SSH backdoor that FIN7 uses to steal files from compromised networks.

FIN7, a Russian-speaking, financially motivated threat actor, has been active since at least 2012.

The group has been linked to campaigns in which malicious payloads were hidden in teddy bears, and it has since moved on to ransomware attacks.

Auto-attacking Microsoft Exchange

Prodaft discovered a new auto-attack system called "Checkmarks". It is used to scan for remote code execution and privilege elevation vulnerabilities in Microsoft Exchange, such as CVE-202-24473, CVE-202-24523 and CVE-203-21207.

FIN7 began using Checkmarks in June 2021 to find vulnerable corporate networks and then exploit them to gain access via PowerShell.

FIN7 employed various exploits to access the targeted networks, including its own custom code as well as publicly available PoCs.
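The article notes that Checkmarks turns an Exchange flaw into PowerShell access. On the defender's side, one concrete check is to watch the Exchange server's IIS logs for requests to the remote PowerShell endpoint from addresses outside the management network. The script below is an added example written for this article, not code from the original report or from Prodaft; the IIS log lines, the `/powershell` marker, and the `10.20.30.0/24` admin subnet are constructed assumptions.

```python
import ipaddress

# Constructed sample lines in IIS W3C extended log format; not taken from any real server.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2022-12-01 08:00:01 POST /owa/auth.owa - 10.20.30.41 200
2022-12-01 08:00:05 POST /powershell - 10.20.30.7 200
2022-12-01 08:01:12 POST /powershell - 203.0.113.77 200
2022-12-01 08:01:13 POST /powershell - 203.0.113.77 200
2022-12-01 08:01:14 GET /autodiscover/autodiscover.xml - 198.51.100.5 200
2022-12-01 08:02:20 POST /powershell - 203.0.113.77 500
2022-12-01 08:03:00 GET /ecp/ - 10.20.30.7 200
"""

# Networks from which Exchange remote PowerShell sessions are expected (assumed management subnet).
ALLOWED_ADMIN_NETS = [ipaddress.ip_network("10.20.30.0/24")]
# The Exchange remote PowerShell virtual directory; checked in both stem and query string.
WATCHED_MARKER = "/powershell"


def parse_iis_log(text):
    """Yield one dict per request, keyed by the column names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip malformed lines rather than crash on them
        yield dict(zip(fields, values))


def is_allowed_source(ip_text):
    """True only for a parsable address inside one of the admin networks."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparsable source address is never trusted
    return any(addr in net for net in ALLOWED_ADMIN_NETS)


def find_unexpected_powershell_access(text):
    """Return {client_ip: [records]} for PowerShell endpoint hits from outside the admin nets."""
    hits = {}
    for rec in parse_iis_log(text):
        request = (rec["cs-uri-stem"] + " " + rec["cs-uri-query"]).lower()
        if WATCHED_MARKER not in request:
            continue
        if is_allowed_source(rec["c-ip"]):
            continue
        hits.setdefault(rec["c-ip"], []).append(rec)
    return hits


if __name__ == "__main__":
    for ip, recs in find_unexpected_powershell_access(SAMPLE_IIS_LOG).items():
        statuses = [r["sc-status"] for r in recs]
        print(f"{ip}: {len(recs)} PowerShell endpoint requests, statuses {statuses}")
```

Run against a real log directory, the same function would be pointed at the files under the Exchange server's IIS log path and the admin subnet list adjusted to the environment; a burst of such requests from a single external address, whether they return 200 or 500, is worth an incident ticket.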

Besides the MS Exchange flaws, the Checkmarks attack platform includes a SQL injection module that uses SQLMap to scan a target website for exploitable flaws.

Checkmark’s SQL injections


After the initial attack phase, Checkmarks automatically performs post-exploitation steps, including extracting email addresses from Active Directory and gathering Exchange server information.

Post-intrusion procedure


New victims are automatically added to a central panel, where FIN7 operators can view additional information about the compromised endpoints.

Victim details on Checkmarks


Next, FIN7's internal "marketing" team reviews the new entries and adds comments to the Checkmarks platform listing each victim's revenue, employee count and headquarters details. This information helps the "pentesters" decide whether a victim is worth the time and effort of a ransomware attack.

The report Prodaft shared with BleepingComputer explains: "If a company is deemed sufficient in market size, then the pentester leaves comments for the administrator on how the server connections can be used and how long they can last. And how far it can go."

FIN7's marketing team gathers this information from many sources, including Owler, Crunchbase, Zoominfo and Mustat, which shows the diligence the group puts into evaluating a company's size and finances.

Owler data view on Checkmarks


Prodaft says that FIN7 used the Checkmarks platform to penetrate 8,147 businesses, primarily based in the United States (16.7%), after scanning over 1.8 million targets.

Heat map of FIN7 victims


Ransomware, SSH backdoors

Sentinel Labs found evidence in November 2022 linking FIN7 to a ransomware gang; Prodaft's findings, however, connect the group to Darkside operations.

Prodaft found additional evidence of the DarkSide connection in the form of ransom notes, encrypted files and ransomware operations tied to the group.

Retrieved Jabber logs also show communications between FIN7 and the Darkside, REvil and LockBit ransomware gangs.

These logs reveal that FIN7 keeps an SSH backdoor into extorted ransomware victims' networks even after the ransom has been paid, either to sell the access or to attempt a different attack later.

The SSH backdoor allows FIN7 to retrieve files via SFTP through an Onion domain.
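An SSH backdoor that reaches the victim over SFTP through a Tor Onion address leaves host-level traces a defender can look for: an extra sshd instance with its own config in a temporary directory or on an unsanctioned port, binaries running from world-writable locations, a local Tor SOCKS listener, processes connecting to it, and `.onion` names in command lines. The audit below is an added example written for this article, not Prodaft's detection logic or part of the FIN7 tooling; the `ps` and `ss` output it parses is constructed, and the trusted sshd path, sanctioned SSH port and temp-directory list are assumptions to tune per environment.

```python
import re

# Constructed sample output resembling `ps -eo pid,user,comm,args` (not from a real host).
SAMPLE_PS = """  PID USER     COMMAND         ARGS
  812 root     sshd            /usr/sbin/sshd -D
 4410 root     sshd            /usr/sbin/sshd -f /dev/shm/.x/sshd_config -p 2222
 4419 www-data tor             /tmp/.t/tor -f /tmp/.t/torrc
 4501 root     ssh             ssh -o ProxyCommand=nc -x 127.0.0.1:9050 %h %p abcdefghijklmnop.onion
"""
# Constructed sample output resembling `ss -tnp` with the listening sockets included (not real).
SAMPLE_SS = """Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    0.0.0.0:2222        0.0.0.0:*         users:(("sshd",pid=4410,fd=3))
tcp   LISTEN 0      128    127.0.0.1:9050      0.0.0.0:*         users:(("tor",pid=4419,fd=6))
tcp   ESTAB  0      0      127.0.0.1:45120     127.0.0.1:9050    users:(("nc",pid=4502,fd=3))
"""

TRUSTED_SSHD_PATHS = {"/usr/sbin/sshd"}      # assumption: the package-installed daemon
EXPECTED_SSH_PORTS = {"22"}                   # assumption: the only sanctioned sshd port
TOR_SOCKS_PORTS = {"9050", "9150"}            # Tor's default SOCKS ports
TEMP_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

PS_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(.*)$")
SS_LINE = re.compile(
    r'^\S+\s+(\S+)\s+\d+\s+\d+\s+(\S+):(\S+)\s+(\S+):(\S+)\s+users:\(\("([^"]+)",pid=(\d+)'
)


def parse_ps(text):
    """Return one dict per process line; the header line does not match and is skipped."""
    procs = []
    for line in text.splitlines():
        m = PS_LINE.match(line)
        if m:
            procs.append({"pid": int(m.group(1)), "user": m.group(2),
                          "comm": m.group(3), "args": m.group(4).split()})
    return procs


def parse_ss(text):
    """Return one dict per socket line with state, local/peer port and owning process."""
    socks = []
    for line in text.splitlines():
        m = SS_LINE.match(line)
        if m:
            socks.append({"state": m.group(1), "lport": m.group(3), "rport": m.group(5),
                          "comm": m.group(6), "pid": int(m.group(7))})
    return socks


def option_value(args, flag):
    """Return the token following `flag` in an argv list, or '' if absent."""
    if flag in args:
        i = args.index(flag)
        if i + 1 < len(args):
            return args[i + 1]
    return ""


def audit_ssh_backdoor(ps_text, ss_text):
    """Return a list of (pid, rule) findings pointing at SSH/Tor backdoor indicators."""
    findings = []
    for p in parse_ps(ps_text):
        exe = p["args"][0] if p["args"] else ""
        if exe.startswith(TEMP_DIRS):
            findings.append((p["pid"], "exe-in-temp-dir"))
        if p["comm"] == "sshd":
            if exe not in TRUSTED_SSHD_PATHS:
                findings.append((p["pid"], "sshd-untrusted-binary"))
            if option_value(p["args"], "-f").startswith(TEMP_DIRS):
                findings.append((p["pid"], "sshd-config-in-temp-dir"))
        if any(a.endswith(".onion") for a in p["args"]):
            findings.append((p["pid"], "onion-address-in-args"))
    for s in parse_ss(ss_text):
        if s["state"] == "LISTEN" and s["comm"] == "sshd" and s["lport"] not in EXPECTED_SSH_PORTS:
            findings.append((s["pid"], "sshd-listener-nonstandard-port"))
        if s["state"] == "LISTEN" and s["lport"] in TOR_SOCKS_PORTS:
            findings.append((s["pid"], "tor-socks-listener"))
        if s["state"] == "ESTAB" and s["rport"] in TOR_SOCKS_PORTS:
            findings.append((s["pid"], "connection-to-tor-socks"))
    return findings


if __name__ == "__main__":
    for pid, rule in audit_ssh_backdoor(SAMPLE_PS, SAMPLE_SS):
        print(f"pid {pid}: {rule}")
```

On a live host the two text inputs would come from `ps -eo pid,user,comm,args` and `ss -tnp` (plus `ss -tnlp` for listeners); the legitimate sshd on port 22 in the sample produces no finding, while the second daemon, the Tor binary in `/tmp`, and the client reaching a `.onion` name through the local SOCKS port each do.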

Part of the SSH backdoor script


FIN7's Checkmarks platform illustrates how threat actors turn public exploits into large-scale attacks with worldwide impact.

The investigation also showed that FIN7 does not pick high-value companies up front: it attacks any firm it can reach and evaluates the victim's value in a second phase.

Prodaft's report provides IOCs (indicators of compromise) for the SSH-based backdoor and for other malware used in these attacks. Administrators are strongly advised to review the report to understand how FIN7 attacks their networks.