CyberSecurity SEE

Fin7 assists ransomware groups in bypassing EDR

SentinelOne has issued a warning about Fin7, a financially motivated threat group that has been active for more than a decade. The concern is that Fin7 is selling a tool built to disable and evade endpoint detection and response (EDR) products to other cybercriminals, ransomware gangs included. SentinelOne tracks the tool as AvNeutralizer and describes it as an effective way for an intruder to tamper with endpoint protection so that follow-on tooling runs without being detected.

According to Antonio Cocomazzi, a staff offensive security researcher at SentinelOne, Fin7 keeps refining its tactics, techniques, and procedures (TTPs) to stay ahead of detection. The group actively exploits vulnerabilities to get into victim environments and then works to keep persistent access once inside. SentinelOne believes Fin7 began marketing the EDR bypass tool in April 2022, and later updates have extended its ability to tamper with security software.

Fin7's willingness to automate its operations is part of what makes it a concern: the group has, for example, targeted public-facing servers with automated SQL injection attacks. Recent campaigns show growing sophistication, with AvNeutralizer updated to abuse Windows' built-in driver capabilities in a novel way, producing a denial-of-service (DoS) condition that neutralises security tooling on affected systems.
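The article gives no internals for the driver abuse, so the following is not code from SentinelOne or from the tool, and it does not detect AvNeutralizer specifically. It is an added triage script that surfaces two artefacts the behaviour described above leaves behind on a Windows host: kernel-mode driver services installed in a recent window (Service Control Manager event 7045 in the System log), and expected security processes that are no longer running. The process names in `Test-SecurityProcesses` are an assumption; substitute the ones your EDR or AV deployment normally keeps alive.

```powershell
# Added triage example, not code from the article, SentinelOne, or AvNeutralizer.
# Run from an elevated PowerShell 5.1 or 7 session on the host being examined.

function Get-RecentDriverInstalls {
    param([int]$LookbackHours = 72)

    # Event ID 7045 in the System log is written by the Service Control Manager
    # whenever a new service, including a kernel-mode driver, is installed.
    $since  = (Get-Date).AddHours(-$LookbackHours)
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = $since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        if ($e.Message -notmatch 'Service Type:\s+kernel mode driver') { continue }

        # The message body carries labelled lines; pull out the name and image path.
        $name = if ($e.Message -match 'Service Name:\s+(.+)')      { $Matches[1].Trim() } else { '?' }
        $path = if ($e.Message -match 'Service File Name:\s+(.+)') { $Matches[1].Trim() } else { '?' }

        # Strip the \??\ and \SystemRoot\ prefixes so the image can be inspected on disk.
        $fsPath = $path -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"

        $signer = 'image not found'
        if (Test-Path -LiteralPath $fsPath) {
            $sig = Get-AuthenticodeSignature -FilePath $fsPath
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }
                      else { "unsigned ($($sig.Status))" }
        }

        [pscustomobject]@{
            Installed = $e.TimeCreated
            Service   = $name
            ImagePath = $fsPath
            Signer    = $signer
        }
    }
}

function Test-SecurityProcesses {
    # Assumption: these are the process names your EDR/AV normally keeps running.
    # 'MsMpEng' is Microsoft Defender's engine; replace or extend for your product.
    param([string[]]$Expected = @('MsMpEng'))

    foreach ($name in $Expected) {
        $proc = Get-Process -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Process = $name
            Running = [bool]$proc
            Pid     = if ($proc) { ($proc | Select-Object -First 1).Id } else { $null }
        }
    }
}

Get-RecentDriverInstalls | Format-Table -AutoSize
Test-SecurityProcesses   | Format-Table -AutoSize
```

One caveat when reading the output: because the article describes the technique as abusing Windows' own driver capabilities, a Microsoft signature on a freshly installed driver is not a clean bill of health. The signal is the installation event itself, whether it was expected, and how closely it precedes a security process disappearing from the second table.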

SentinelOne has tracked multiple intrusions involving different iterations of AvNeutralizer since early 2023, a significant share of them tied to ransomware activity. Ransomware groups including AvosLocker, MedusaLocker, BlackCat, and LockBit have used the tool in intrusions that went on to steal data and deploy ransomware. Ransomware crews adopting purpose-built evasion tooling raises the question of how well traditional antivirus and detection products hold up once an attacker has set out to blind them.

Fin7 is believed to have offered AvNeutralizer for sale on underground forums at a reported starting price of $10,000. The tool quickly gained traction among ransomware groups; Black Basta adopted it early on before discontinuing its use. Telemetry indicating a close relationship between Fin7 and Black Basta underscores how interconnected different actors in the cybercrime ecosystem are.

Vendors such as SentinelOne have built anti-tampering mechanisms into their agents, but the spread of specialised evasion tools remains a significant challenge for defenders. Fin7's ability to keep developing and marketing such tooling shows its continuing influence on the threat landscape. Cocomazzi stressed that agents need ongoing updates and hardening to keep pace with new tampering techniques.

Beyond AvNeutralizer, SentinelOne has identified other tools in Fin7's kit, including Powertrash, DiceLoader, and Core Impact (a commercial penetration-testing framework), each serving a specific role in the group's intrusions. The adaptability and technical proficiency on display explain Fin7's longevity and its resilience in the face of law enforcement efforts to disrupt it.

As the threat landscape evolves, proactive defence and collaboration among industry stakeholders become increasingly important. The continued work of researchers and security teams to track and counter groups like Fin7 is essential to limiting the impact of cybercrime on organisations and individuals.
