fin11

Threat Actor updated 7 months ago (2024-05-04T18:55:24.812Z)
FIN11, a threat actor group also known as Lace Tempest or TA505, has been linked to the development and deployment of Cl0p ransomware. Cl0p is believed to be a variant of the earlier CryptoMix ransomware and is typically used by FIN11 to encrypt files on a victim's network after data has been stolen; early Cl0p operations, however, showed no evidence of FIN11 exploiting victim data. The Clop threat-actor group is also associated with the clusters tracked as TA505 and FIN11, indicating a complex web of cybercriminal activity.

In recent years FIN11 has invested heavily in zero-day exploitation, with a clear focus on identifying and exploiting such vulnerabilities. From late 2020 to early 2021 the group exploited multiple zero-day vulnerabilities in Accellion's legacy File Transfer Appliance (FTA). Across the financially motivated actors surveyed, ten zero-day vulnerabilities were exploited in total; FIN11 was one of the most active, exploiting three separate zero-day flaws, while other ransomware groups, including Akira, Clop, LockBit, and Nokoyawa, separately exploited a further four. The group has also targeted U.S. healthcare organizations with double extortion tactics, combining data theft with ransom demands.

The Microsoft Threat Intelligence team found that Lace Tempest (aka FIN11 and TA505) exploited a zero-day vulnerability in SysAid, a comprehensive IT Service Management software, to gain access to corporate servers and deploy Clop ransomware. The same group was responsible for the MOVEit data theft and extortion campaign, highlighting its wide-ranging and persistent cybercriminal activity.
Description last updated: 2024-05-04T16:20:43.713Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions differ between vendors, so the following are possible overlapping names / profiles that may also be relevant.
Alias | Description | Votes
Clop | Clop is a possible alias for fin11. Clop, a malicious software (malware), is linked to a Russian-speaking cybercriminal group also known as Cl0p. It is designed to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data hostage for ransom. In May 2023, the Clop group began exploitin | 7
TA505 | TA505 is a possible alias for fin11. TA505, also known as Cl0p Ransomware Gang and Lace Tempest, is a highly active and sophisticated cybercriminal group. The group has been associated with various high-profile cyber-attacks, demonstrating adaptability through a multi-vector approach to their operations. In June 2023, the U.S. Cybersec | 5
Lace Tempest | Lace Tempest is a possible alias for fin11. Lace Tempest, a threat actor known for executing actions with malicious intent, has been identified as the orchestrator behind a series of cyber attacks exploiting a zero-day vulnerability in SysAid. The exploit was first brought to light by SysAid and further detailed in a blog post on TuxCare. Thi | 3
Snakefly | Snakefly is a possible alias for fin11. Snakefly, also known as FIN11 and TA505, is a threat actor known for its malicious activities primarily aimed at organizations in North America and Europe. The group is financially motivated and has been active since at least early 2019. Snakefly is particularly associated with the deployment of Cl0 | 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Exploit
Zero Day
Vulnerability
Microsoft
Moveit
Extortion
Cybercrime
Papercut
Malware
Trojan
Ransom
Analyst Notes & Discussion
Associated Malware
Alias | Description | Association Type | Votes
Dridex | The Dridex Malware is associated with fin11. Dridex is a notorious malware, specifically a banking Trojan, designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. This malicious software was primarily used by the Russian cybercriminal group, Evil Corp, founded in 2014. The group ta | Unspecified | 2
Associated Vulnerabilities
Alias | Description | Association Type | Votes
CVE-2023-34362 | The CVE-2023-34362 Vulnerability is associated with fin11. CVE-2023-34362 is a critical software vulnerability found in Progress Software's managed file transfer (MFT) solution, MOVEit Transfer. This flaw was an SQL injection vulnerability that allowed for escalated privileges and unauthorized access. The vulnerability became active on May 27, 2023, when it | is related to | 2
CVE-2023-27350 | The CVE-2023-27350 Vulnerability is associated with fin11. CVE-2023-27350 represents a significant software vulnerability in PaperCut MF/NG, identified as an improper access control flaw. This weakness allows attackers to bypass authentication processes, providing them with the ability to execute code with system privileges. The vulnerability was first upda | Unspecified | 2
CVE-2023-27351 | The vulnerability CVE-2023-27351 is associated with fin11. | Unspecified | 2
Source Document References
Information about the fin11 Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created
Securityaffairs | 8 months ago
BankInfoSecurity | 8 months ago
CERT-EU | 10 months ago
CERT-EU | 2 years ago
CERT-EU | a year ago
CERT-EU | a year ago
Checkpoint | a year ago
CERT-EU | a year ago
InfoSecurity-magazine | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | 2 years ago
CERT-EU | a year ago
MITRE | 2 years ago
CERT-EU | a year ago
BankInfoSecurity | a year ago
CERT-EU | 2 years ago