FIN11

Threat Actor Profile Updated 25 days ago
FIN11, a threat actor group also known as Lace Tempest or TA505, has been linked to the development and deployment of Cl0p ransomware. Cl0p is believed to be a variant of the CryptoMix ransomware and is typically used by FIN11 to encrypt files on a victim's network after data has been stolen; early Cl0p intrusions, however, showed no evidence of FIN11 exploiting victim data. The Clop threat-actor group is associated with the groups tracked as TA505 and FIN11, indicating a complex web of cybercriminal activity. In recent years FIN11 has invested heavily in zero-day exploitation, with a clear focus on identifying and exploiting such vulnerabilities. From late 2020 to early 2021 the group exploited multiple zero-day vulnerabilities in Accellion's legacy File Transfer Appliance (FTA). Across the financially motivated actors tracked, ten zero-day vulnerabilities were exploited in total, with FIN11 among the most active at three separate zero-day flaws; other ransomware groups, including Akira, Clop, LockBit and Nokoyawa, separately exploited a further four. The group has also targeted U.S. healthcare organizations with double extortion, combining data theft with ransom demands. The Microsoft Threat Intelligence team found that Lace Tempest (also tracked as FIN11 and TA505) exploited a zero-day vulnerability in SysAid, an IT Service Management product, to gain access to corporate servers and deploy Clop ransomware. The same group was responsible for the MOVEit data theft and extortion campaign, illustrating the breadth and persistence of its operations.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some overlapping names and profiles you may also want to look at.
ID (votes): Profile Description
Clop (7 votes): Clop is a malicious software (malware) designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or hold data hostage for ransom. T
TA505 (5 votes): TA505, also known as Cl0p Ransomware Gang and Lace Tempest, is a highly active and sophisticated cybercriminal group. The group has been associated with various high-profile cyber-attacks, demonstrating adaptability through a multi-vector approach to their operations. In June 2023, the U.S. Cybersec
Lace Tempest (3 votes): Lace Tempest, a threat actor known for executing actions with malicious intent, has been identified as the orchestrator behind a series of cyber attacks exploiting a zero-day vulnerability in SysAid. The exploit was first brought to light by SysAid and further detailed in a blog post on TuxCare. Thi
CVE-2023-34362 (2 votes): CVE-2023-34362 is a critical SQL injection vulnerability discovered in Progress Software's managed file transfer (MFT) solution known as MOVEit Transfer. This flaw in software design or implementation was first exploited by the CL0P Ransomware Gang, also known as TA505, beginning on May 27, 2023. Th
Snakefly (2 votes): Snakefly, also known as FIN11 and TA505, is a threat actor known for its malicious activities primarily aimed at organizations in North America and Europe. The group is financially motivated and has been active since at least early 2019. Snakefly is particularly associated with the deployment of Cl0
Miscellaneous Associations
Other elements of context that could aid in identifying relevance
Ransomware
Exploit
Zero Day
Vulnerability
Microsoft
Moveit
Extortion
Cybercrime
Papercut
Malware
Trojan
Ransom
Associated Malware
ID (type, votes): Profile Description
Dridex (Unspecified, 2 votes): Dridex is a well-known malware, specifically a banking Trojan, that has been utilized by cybercriminals to exploit and damage computer systems. The malware infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user, and can steal personal information, disrupt o
Associated Threat Actors
ID (type, votes): Profile Description
No associations to display
Associated Vulnerabilities
ID (type, votes): Profile Description
CVE-2023-27350 (Unspecified, 2 votes): CVE-2023-27350 is a significant software vulnerability discovered in PaperCut NG/MF, a popular print management software. This flaw in software design or implementation allows attackers to bypass authentication and execute code with system privileges, posing a serious threat to both server and inter
CVE-2023-27351 (Unspecified, 2 votes): None
Source Document References
Information about the FIN11 threat actor was read from the document corpus below. This display is limited to 20 results.
Source (created): Title
Fortinet (10 months ago): Ransomware Roundup - Cl0p | FortiGuard Labs
CERT-EU (a year ago): Half of EDR Tools, Organizations Vulnerable to Clop Ransomware: Research | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU (10 months ago): Privacy Briefs: July 2023
CERT-EU (8 months ago): Clop at the top – but for how long?
CERT-EU (a year ago): Microsoft: Cl0p Ransomware Exploited PaperCut Vulnerabilities Since April 13
CERT-EU (8 months ago): Clop at the top – but for how long? | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
Securityaffairs (2 months ago): Google: China dominates government exploitation of zero-day vulnerabilities in 2023
CERT-EU (8 months ago): #mWISE: Why Zero Days Are Set for Highest Year on Record
CERT-EU (9 months ago): Cyber Security Week in Review: September 8, 2023
CERT-EU (a year ago): Clop: Behind MOVEit Lies a Loud, Adaptable and Persistent Threat Group
CERT-EU (10 months ago): TrueBot: Cyber Security Agencies Issue A Warning
InfoSecurity-magazine (a year ago): Microsoft Blames Clop Affiliate for PaperCut Attacks
CERT-EU (a year ago): Netwrix Auditor RCE Bug Abused in Truebot Malware Campaign | IT Security News
CERT-EU (7 months ago): CVE-2023-47246: SysAid Flaw Used in Clop Ransomware Attacks
CERT-EU (a year ago): Unmasking CL0P Ransomware: Understanding the Threat Shaking Up Global Security
CERT-EU (a year ago): Recent PaperCut server attacks linked to Cl0p, Lockbit ransomware
CERT-EU (a year ago): Cyber security week in review: April 28, 2023
MITRE (a year ago): Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies
CERT-EU (a year ago): Web Shells: Understanding Attackers' Tools and Techniques | F5 Labs
CERT-EU (a year ago): Les vulnérabilités cyber à suivre cette semaine | 12 juin 2023