FIN11

Threat Actor updated 4 months ago (2024-05-04T18:55:24.812Z)
FIN11, a threat actor group also tracked as Lace Tempest or TA505, has been linked to the development and deployment of Cl0p ransomware. Cl0p is believed to be a variant of the earlier CryptoMix ransomware, and FIN11 typically uses it to encrypt files on a victim's network after first stealing data; early versions of Cl0p, however, showed no evidence of FIN11 exploiting victim data. Notably, the Clop threat-actor group has associations with the groups tracked as TA505 and FIN11, indicating a complex web of cybercriminal activity.

In recent years, FIN11 has invested heavily in zero-day exploitation. From late 2020 to early 2021, the group exploited multiple zero-day vulnerabilities in Accellion's legacy File Transfer Appliance (FTA). In total, financially motivated actors exploited ten zero-day vulnerabilities, with FIN11 among the most active, exploiting three separate zero-day flaws; other ransomware groups, including Akira, Clop, LockBit, and Nokoyawa, separately exploited a further four. The group has also targeted U.S. healthcare organizations with double extortion, combining data theft with ransom demands.

The Microsoft Threat Intelligence team found that Lace Tempest (aka FIN11 and TA505) exploited a zero-day vulnerability in SysAid, an IT Service Management product, to gain access to corporate servers and deploy Clop ransomware. The same group was responsible for the MOVEit data theft and extortion campaign, highlighting its wide-ranging and persistent cybercriminal activity.
Description last updated: 2024-05-04T16:20:43.713Z
Possible Aliases / Cluster overlaps
Tracking cluster overlaps and naming conventions across vendors is hard, so here are some possibly overlapping names and profiles you may also want to look at.
ID (votes): Profile description

Clop (7 votes): Clop, also known as Cl0p, is a notorious ransomware group responsible for several high-profile cyberattacks. The group specializes in exploiting vulnerabilities in software and systems to gain unauthorized access, exfiltrate sensitive data, and then extort victims by threatening to release the stole

TA505 (5 votes): TA505, also known as Cl0p Ransomware Gang and Lace Tempest, is a highly active and sophisticated cybercriminal group. The group has been associated with various high-profile cyber-attacks, demonstrating adaptability through a multi-vector approach to their operations. In June 2023, the U.S. Cybersec

Lace Tempest (3 votes): Lace Tempest, a threat actor known for executing actions with malicious intent, has been identified as the orchestrator behind a series of cyber attacks exploiting a zero-day vulnerability in SysAid. The exploit was first brought to light by SysAid and further detailed in a blog post on TuxCare. Thi

CVE-2023-34362 (2 votes): CVE-2023-34362 is a critical software vulnerability found in Progress Software's managed file transfer (MFT) solution, MOVEit Transfer. This flaw was an SQL injection vulnerability that allowed for escalated privileges and unauthorized access. The vulnerability became active on May 27, 2023, when it

Snakefly (2 votes): Snakefly, also known as FIN11 and TA505, is a threat actor known for its malicious activities primarily aimed at organizations in North America and Europe. The group is financially motivated and has been active since at least early 2019. Snakefly is particularly associated with the deployment of Cl0
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Exploit
Zero Day
Vulnerability
Microsoft
Moveit
Extortion
Cybercrime
Papercut
Malware
Trojan
Ransom
Associated Malware
ID (type, votes): Profile description

Dridex (Unspecified, 2 votes): Dridex is a well-known malware, specifically a banking Trojan, that has been utilized by cybercriminals to exploit and damage computer systems. The malware infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user, and can steal personal information, disrupt o
Associated Vulnerabilities
ID (type, votes): Profile description

CVE-2023-27350 (Unspecified, 2 votes): CVE-2023-27350 is a significant software vulnerability discovered in PaperCut NG/MF, a popular print management software. This flaw in software design or implementation allows attackers to bypass authentication and execute code with system privileges, posing a serious threat to both server and inter

CVE-2023-27351 (Unspecified, 2 votes): (no description available)
Source Document References
Information about the FIN11 threat actor was read from the documents in the corpus below. This display is limited to 20 results.
Source, created at: Title

Securityaffairs, 5 months ago: Google: China dominates government exploitation of zero-day vulnerabilities in 2023
BankInfoSecurity, 5 months ago: On the Increase: Zero-Days Being Exploited in the Wild
CERT-EU, 8 months ago: The Top 10 Ransomware Groups of 2023
CERT-EU, a year ago: Security Incident Weekly Report 2023-05-08, Week 19 - 360CERT
CERT-EU, 10 months ago: Cyber Security Week In Review: November 17, 2023
CERT-EU, 10 months ago: SysAid Zero-Day Vulnerability Exploited by Threat Actors
Checkpoint, 10 months ago: 13th November – Threat Intelligence Report - Check Point Research
CERT-EU, 10 months ago: CVE-2023-47246: SysAid Flaw Used in Clop Ransomware Attacks
InfoSecurity-magazine, 10 months ago: MOVEit Gang Targets SysAid Customers With Zero-Day Attacks
CERT-EU, a year ago: #mWISE: Why Zero Days Are Set for Highest Year on Record
CERT-EU, a year ago: Clop at the top – but for how long? | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU, a year ago: Clop at the top – but for how long?
CERT-EU, a year ago: Cyber Security Week in Review: September 8, 2023
CERT-EU, a year ago: Cyber vulnerabilities to watch this week | 12 June 2023
CERT-EU, a year ago: Vulnerable PaperCut servers targeted by Iranian hackers
CERT-EU, a year ago: SafeBreach Coverage for US-CERT Alert (AA23-187A) – Truebot Malware
MITRE, 2 years ago: Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies
CERT-EU, a year ago: Cyber Security Today, Week in Review for the week ending Friday, June 9, 2023 | IT World Canada News
BankInfoSecurity, a year ago: Nova Scotia Health Says 100,000 Affected by MOVEit Hack
CERT-EU, a year ago: Cyber security week in review: April 28, 2023