Analysis Summary

FIN7 is a financially motivated advanced persistence threat (APT) group that has been active since at least 2013. The group has targeted restaurant, retail, and hospitality sectors since mid-2015. It has been regarded as one of the most successful criminal hacking groups ever. REvil has also been used by the threat group until they created their own RaaS (ransomware-as-a-service), Darkside. The group has been behind many notorious hacks in 2018 and has also been linked to Ryuk.

Impact

• Information Theft and Espionage

Indicators of Compromise

Domain Name

• concur.cfd
• concur.pm
• hubspot.wf
• wsj.pm
• meet-go.click
• asana.pm

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Ensure that all operating systems, software, and applications are regularly updated with the latest security patches.
• Conduct regular security awareness training for users to recognize and avoid phishing emails.
• Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
• Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
• Implement network segmentation to limit lateral movement within the network.
• Implement continuous monitoring of network traffic and endpoint activities to detect any unusual or suspicious behavior.
• Develop and regularly test an incident response plan to ensure a swift and effective response in case of a security incident.
• Implement SIEM solutions to centralize log collection and analysis. This can help in identifying patterns of suspicious behavior and provide timely alerts for potential security incidents.
• Regularly back up critical data and ensure that the backup copies are stored securely.