The FIN7 hacking group is aiming to get into the lucrative ransomware market by establishing bogus cybersecurity firms that undertake network assaults under the pretence of pentesting. Since 2015, when they first debuted in the cybercrime realm, FIN7 (aka ‘Carbanak’) has been active in hacks and money-stealing schemes, including infecting ATMs with MITM-enabling software.
Gemini Advisory analysts discovered that the website for a bogus cybersecurity business called Bastion Secure was made up of stolen and re-compiled information from other websites, which stripped away the thin veil of legitimacy surrounding this new corporate organisation. Even more revealing, the firm claims to be situated in England, although the website serves Russian-language 404 error pages.
According to Bastion Secure’s ‘About’ tab, it is a subsidiary of the genuine cybersecurity business Convergent Network Solutions Ltd.
Convergent Network Solutions was approached by BleepingComputer to check if they were aware of the site, but they did not respond.
After receiving information from an unknown source, Gemini researchers discovered that FIN7 was paying between $800 and $1,200 every month to hire C++, PHP, and Python programmers, Windows system administrators, and reverse engineering specialists.
According to the job criteria, the hacking organisation was searching for pentesters, as system administrators would also be able to map infiltrated corporate systems, execute network reconnaissance, and find backup servers and files.
All of these skill sets are necessary for the pre-encryption stages of ransomware attacks, so it appears that this is what FIN7 is aiming for with these hiring rounds. Moreover, Gemini thinks that building bogus cybersecurity organizations to undertake attacks is an attempt to recruit inexpensive labour rather than working with affiliates that demand a considerably bigger 70-80 percent share of any paid ransoms.