A widespread hacking operation that has been targeting organisations around the world in a phishing and malware campaign which has been active since 2016 has now switched to ransomware attacks, reflecting how successful ransomware has become a money-making tool for cyber criminals.
Dubbed FIN11, the campaign has been detailed by cybersecurity researchers at FireEye Mandiant, who describe the hackers as a ‘well-established financial crime group’ which has conducted some of the longest running hacking campaigns.
The group started by focusing attacks on banks, retailers and restaurants but has grown to indiscriminately target a wide range of sectors in different locations around the world, sending thousands of phishing emails out and simultaneously conducting attacks against several organisations at any one time.
For example, in just one week, Mandiant observed concurrent campaigns targeting pharmaceuticals, shipping and logistics industries in both North America and Europe.
But despite attacks targeting a wide variety of organisations around the world, many of the initial phishing campaigns are still customised on a target by target basis for the maximum possible chance of encouraging a victim to download a malicious Microsoft Office attachment which says macros must been enabled.
This starts an infection chain which creates multiple backdoors into compromised systems, as well as the ability to grab admin credentials and move laterally across networks.
SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)
FIN11 campaigns initially revolved around embedding themselves into networks in order to steal data, with researchers noting that the hacking group commonly deployed BlueSteal, a tool used to steal banking information from Point-of-Sale (POS) terminals.
With finances being the focus of the group, it’s likely FIN11 sold this information to other cyber criminals on the dark web, or simply exploited the details for their own gain.