FIN11 – A Critical Healthcare Cyberthreat

FIN11, also known as DEV-0950, Lace Tempest, TA505, TEMP.Warlock, and UNC902, is a cybercrime group that has been conducting financially motivated intrusions since at least 2017.
    • FIN11 is considered a high-priority threat for healthcare organizations due to their history of targeting the sector and their use of ransomware.
    • FIN11 is a highly active and sophisticated cybercriminal group that primarily targets companies in North America and Europe.
    • They are known for conducting high-volume operations and have a history of targeting the healthcare sector, including pharmaceutical companies.
    • While FIN11 has shifted away from phishing campaigns, they continue to exploit zero-day vulnerabilities and deploy ransomware.

    Known aliases:

    • Odinaff (Symantec)
    • SectorJ04 (NSHC Group)
    • TA505 (Proofpoint)
    • TEMP.Warlock
    • Lace Tempest (Microsoft)
    • DEV-0950 (Microsoft, defunct)
    • Hive0065 (IBM X-Force)
    • Group G0092 (MITRE ATT&CK)
    • Spandex Tempest (formerly CHIMBORAZO) (Microsoft)

    Country of origin:

    • Commonwealth of Independent States (CIS)

    Most recent attacks:

    • MOVEit Transfer Zero-Day Exploitation (since May 2023): FIN11 exploited a zero-day vulnerability in MOVEit Transfer, a secure managed file transfer product, leading to data breaches at numerous organizations, including a national public healthcare system.
    • PaperCut MF and NG Exploitation (since at least April 13, 2023): FIN11 exploited vulnerabilities in PaperCut MF and NG, print management software, to gain access to networks and deploy ransomware.

    Known high profile notable attacks:

    • Accellion File Transfer Appliance (FTA) Zero-Day Exploitation (December 2020): FIN11 exploited a zero-day vulnerability in Accellion FTA, a file transfer appliance, leading to data breaches at several organizations.
    • Windows Zerologon Vulnerability Exploitation (October 2020): FIN11 exploited the Zerologon vulnerability in Windows to gain access to networks and deploy ransomware.

    Common methods of infiltration:

    • Phishing campaigns: FIN11 historically relied heavily on phishing campaigns to gain initial access to networks.
    • Exploitation of zero-day vulnerabilities: FIN11 actively exploits zero-day vulnerabilities in popular software to gain unauthorized access.

    Malware/ransomware strains used:

    • CL0P ransomware: FIN11 is known to deploy CL0P ransomware, which typically demands ransoms ranging from a few hundred thousand dollars to USD 10 million.
    • LEMURLOOT: Associated with FIN11 and used for data theft.
    • MINEDOOR/FRIENDSPEAK (aka Get2): Used to gain initial access and deploy other malware.
    • MIXLABEL (aka SDBbot): Used for network reconnaissance and lateral movement.
    • FlawedAmmyy: Historically used by FIN11 for remote access, but not observed since 2019.
    • FlawedGrace (aka GraceWire, BARBWIRE): Used for remote access and control.
    • ServHelper: Used for command and control.
    • P2P RAT: Used for peer-to-peer communication and data exfiltration.
    • Raspberry Robin (low confidence): Potentially used by FIN11 for initial access.
    • Cobalt Strike: Used for post-exploitation activities, such as lateral movement and data exfiltration.
    • Truebot (aka TRUECORE): Used as a banking trojan.
    • AdFind, Amadey, Azorult (low confidence), BloodHound, Mimikatz, PowerSploit, DEWMODE: Tools used for credential theft and privilege escalation.