[TheRecord] Cybercrime gang sets up fake company to hire security experts to aid in ransomware attacks

A cybercrime group known as FIN7 created a fake security firm earlier this year, used it to hire security researchers, and then tricked them into participating in ransomware attacks.

Named Bastion Secure, the company claims to provide penetration testing services for private companies and public sector organizations across the world.

But according to an investigation by Gemini Advisory, a division of Recorded Future, the company is a front for the FIN7 group, which used the Bastion Secure website to post ads on Russian job portals seeking to hire cybersecurity experts for various positions.

Ads on its website [archived] show that FIN7 recruited reverse engineers, system administrators, C++, Python, and PHP programmers.

Those who applied went through a three-phase interviewing process, the Gemini Advisory team said today, after one of its partners went through the process in order to study the shady company.

Phase 1
The first phase included a basic interview process with an HR representative, typically carried out via Telegram. After a successful interview, the job applicants were told to sign a contract with a non-disclosure agreement and configure their computer by installing several virtual machines and opening certain ports.

Phase 2
Applicants received legitimate penetration testing security tools from the company to conduct a series of test assignments.

Phase 3
Applicants were brought in to participate in a “real” assignment where they were told to conduct a penetration test against one of Bastion Secure’s customers.

Gemini Advisory said that this last step in the interviewing process did not include any form of legal documents authorizing the penetration tests, as is customary in such cases, nor any explanation to participants.

Furthermore, Bastion Secure representatives also told applicants to use only specific tools that would not be detected by security software and to specifically look for backups and file storage systems once inside a company’s network.

FIN7 group identified as operators of the Darkside RaaS

Tools shared by Bastion Secure with the Gemini partner who participated in the interviewing process were linked to malware strains like Carbanak and Lizar/Tirion, tools that have been historically part of FIN7’s arsenal.

In addition, Gemini Advisory said that tasks and operations assigned to applicants “matched the steps taken to prepare a ransomware attack.”

The attacks installed ransomware such as Ryuk or REvil, two ransomware strains that have been tied in recent years to FIN7 attacks, according to Gemini Advisory.

Newer attacks would have deployed the DarkSide and BlackMatter ransomware, according to security researchers from Microsoft, who have also been tracking the fake FIN7 security company.

In a talk at the Mandiant Cyber Defense Summit, Microsoft’s Nick Carr and Christopher Glyer said that FIN7 didn’t just deploy the Darkside ransomware (and its later BlackMatter rebrand) in attacks, but that FIN7 also managed the Darkside RaaS (Ransomware-as-a-Service) itself.

Today @cglyer & I are having an on-stage reunion to give the first public insights into our mysterious #MSTIC counter-ransomware unit.
We will share #ELBRUS 🌋 (overlaps: FIN7) ties to ransomware and expose their new front company.
20 minute talk @ 2pm ET: https://t.co/unQs5yE3DG pic.twitter.com/2xAEiHLWGp

— Nick Carr (@ItsReallyNick) October 7, 2021

FIN7 previously operated Combi Secure

But the tactic of operating a fake security firm isn’t particularly new for the FIN7 group, which also did the same thing back in the mid-2010s when they operated another fake security firm called Combi Security.

At the time, FIN7 was primarily engaged in deploying Point-of-Sale malware, and they used Combi Security to recruit penetration testers to breach retail company networks and then deploy said PoS malware to collect payment card details from the hacked networks, according to an indictment by the US Department of Justice.

Hiring pen-testers is cheaper

As for the reasons why a criminal group like FIN7 would go to such great lengths to operate a fake security company not only once but twice, the answer is simple and has to do with operational costs and money, according to Gemini Advisory.

The reality is that it is cheaper to hire a security researcher than for FIN7 to work with other hacking groups or hackers recruited via underground forums.

A security researcher in Russia typically makes between $800 and $1,200 a month, according to Gemini Advisory, while criminal hackers would most likely want a percentage cut of the ransomware payment, which in some cases can easily reach millions of US dollars.

The post Cybercrime gang sets up fake company to hire security experts to aid in ransomware attacks appeared first on The Record by Recorded Future.
