FIN11 – A Critical Healthcare Cyberthreat

FIN11, also known as DEV-0950, Lace Tempest, TA505, TEMP.Warlock, and UNC902, is a cybercrime group that has been conducting financially motivated intrusions since at least 2017.
    • FIN11 is considered a high-priority threat for healthcare organizations due to its history of targeting the sector and its use of ransomware.
    • FIN11 is a highly active and sophisticated cybercriminal group that primarily targets companies in North America and Europe.
    • They are known for conducting high-volume operations and have a history of targeting the healthcare sector, including pharmaceutical companies.
    • While FIN11 has shifted away from phishing campaigns, they continue to exploit zero-day vulnerabilities and deploy ransomware.

    Known aliases:

    • Odinaff (Symantec)
    • Sectoj04 (NSHC Group)
    • TA505 (Proofpoint)
    • TEMP.Warlock
    • Lace Tempest (Microsoft)
    • DEV-0950 (Microsoft, defunct)
    • Hive0065 (IBM X-Force)
    • G0092 (MITRE)
    • Spandex Tempest (formerly CHIMBORAZO) (Microsoft)

    Country of origin:

    • Commonwealth of Independent States (CIS)

    Most recent attacks:

    • Zero-Day Exploitation (since May 2023): FIN11 exploited a zero-day vulnerability in MOVEit Transfer, a secure managed file transfer software, leading to data breaches at numerous organizations, including a national public healthcare system.
    • PaperCut MF and NG Exploitation (since at least April 13, 2023): FIN11 exploited vulnerabilities in PaperCut MF and NG, a print management software, to gain access to networks and deploy ransomware.

    Known high profile notable attacks:

    • Accellion File Transfer Appliance (FTA) Zero-Day Exploitation (December 2020): FIN11 exploited a zero-day vulnerability in Accellion FTA, a file transfer appliance, leading to data breaches at several organizations.
    • Windows ZeroLogon Vulnerability Exploitation (October 2020): FIN11 exploited the ZeroLogon vulnerability in Windows to gain access to networks and deploy ransomware.

    Common methods of infiltration:

    • Phishing campaigns: FIN11 historically relied heavily on phishing campaigns to gain initial access to networks.
    • Exploitation of zero-day vulnerabilities: FIN11 actively exploits zero-day vulnerabilities in popular software to gain unauthorized access.
    • Malware/ransomware strains used:
      • CL0P ransomware: FIN11 is known to deploy CL0P ransomware, which typically demands ransoms ranging from a few hundred thousand dollars to USD 10 million.
      • LEMURLOOT: Associated with FIN11 and is used for data theft.
      • MINEDOOR/FRIENDSPEAK (aka Get2): Used to gain initial access and deploy other malware.
      • MIXLABEL (aka SDBbot): Used for network reconnaissance and lateral movement.
      • FlawedAmmyy: Historically used by FIN11 for remote access but has not been observed since 2019.
      • FlawedGrace (aka GraceWire, BARBWIRE): Used for remote access and control.
      • ServHelper: Used for command and control.
      • P2P RAT: Used for peer-to-peer communication and data exfiltration.
      • Raspberry Robin (low confidence): Potentially used by FIN11 for initial access.
      • Cobalt Strike: Used for post-exploitation activities, such as lateral movement and data exfiltration.
      • Truebot (aka TRUECORE): Used for banking trojan activities.
      • AdFind, Amadey, Azorult (low confidence), BloodHound, Mimikatz, PowerSploit, DEWMODE: These tools are used for credential theft and privilege escalation.