HC3 Advises Healthcare Sector to Prioritize Cyber Defense Against FIN11

June 15, 2023 - Amidst a surge of cybersecurity threats, the Health Sector Cybersecurity Coordination Center (HC3) has spotlighted a new one, FIN11, a cybercriminal collective originating from the Commonwealth of Independent States (CIS).

Active since at least 2016, FIN11 has been notoriously associated with extensive phishing campaigns.

The group regularly conducts high-volume operations, primarily leveraging Clop ransomware, to target companies across North America and Europe for data theft. Notably, the healthcare sector, such as pharmaceutical companies have been primary targets of this group."

“The group is behind multiple high-profile, widespread intrusion campaigns leveraging zero-day vulnerabilities. It is likely that FIN11 has access to the networks of far more organizations than they are able to successfully monetize, and choose if exploitation is worth the effort based on the location of the victim, their geographical location, and their security posture.”

Although HC3 cannot pinpoint the exact number of CL0P ransomware attacks attributed to FIN11, it has observed about 30 such incidents in the U.S. Healthcare sector since 2021.

The affected organizations were primarily direct care providers or healthcare plans/payers. CL0P ransom demands often range from a few hundred thousand to USD $10 million.

A recent notable incident involved the widespread exploitation of a zero-day vulnerability in the MOVEit Transfer secure managed file, believed to be orchestrated by FIN11. This has led to data breaches in several organizations, including a national public healthcare system.

“Given FIN11’s history of conducting widespread campaigns exploiting zero-day vulnerabilities in commonly used software in the Healthcare and Public Health (HPH) sector to steal data and deploy ransomware, HC3 recommends that healthcare organizations consider FIN11 a top priority for their security teams,” HC3 wrote.

While much of the malware previously linked with FIN11 may not be in current use by the group, its historical footprint remains significant. Notably, the group had been known for utilizing FlawedAmmyy, though this hasn't been observed since 2019. Additionally, FIN11 had deployed point-of-sale (POS) malware against financial, retail, restaurant, and pharmaceutical sectors.

The group's tactics, techniques, and procedures (TTPs) are multifaceted. These include creating fraudulent download pages and dispatching spearphishing emails embedded with malicious attachments and links. They often use CAPTCHA challenges as a precursor to be delivering malicious documents. Interestingly, FIN11 has been known to re-compromise organizations after initially losing access. Deployment of web shells and the use of bulletproof hosting infrastructure are also within their repertoire.

The exploitation of zero-day vulnerabilities has been a crucial strategy for FIN11. In addition, the group has leveraged ransomware deployment and data theft as methods for monetization and extortion.

Despite the abundance of free resources to enhance threat detection and improve security postures, many healthcare organizations reportedly lack the necessary resources for cybersecurity, as stated in a recent Senate Homeland and Governmental Affairs Committee hearing focused on healthcare cybersecurity.