FIN7, also known as Anunak and Carbanak, is a Russian cybercrime organization focused on credit card information theft. Groups associated with FIN7, such as REvil, DarkSide, BlackMatter, Alphv, and Black Basta have notably transitioned to ransomware operations. 

WithSecure observed several FIN7 attacks that exploited a Veeam Backup process which executed a shell command to download and execute a PowerShell script. The script was revealed to be a Powertrash in-memory dropper, which FIN7 has exploited in the past. The dropper utilized the backdoor Diceloader, which allowed FIN7 to conduct post-exploitation operations.

Veeam announced that the bug allows ransomware operators to obtain encrypted credentials stored in the configuration database. FIN7 was observed using these credentials to move laterally within the Veeam backup database to exfiltrate credentials and achieve persistence for the Diceloader backdoor. CISA has announced warnings regarding the Veeam attacks, and organizations are recommended to update their Backup & Replication instances immediately.

Read More: