The 2024 Finger Protocol ClickFix Malware Attack: Legacy Protocols Reused for Command and Control
Executive Summary
In early 2024, security researchers uncovered that threat actors were actively abusing the decades-old 'finger' protocol—a remote access and user lookup protocol seldom used in modern networks—as a covert command and control (C2) channel for deploying ClickFix malware on Windows devices. Attackers leveraged the unencrypted and often overlooked finger service to quietly retrieve remote commands, allowing compromise of endpoints and escalation of persistent access across targeted corporate environments. The attacks often evaded traditional security controls, highlighting a resurgence of legacy protocol exploitation as a lateral movement and control method that bypasses common detection.
This incident demonstrates the increased ingenuity of malware authors in repurposing overlooked network protocols to evade security controls. As threat actors broaden their toolkits to exploit legacy services, organizations with insufficient east-west segmentation, network visibility, or outdated protocol restrictions remain at risk of similar covert command and control attacks.
Why This Matters Now
The resurgence of legacy protocol abuse, highlighted by the use of 'finger' as a covert C2 channel, underscores urgent gaps in east-west traffic inspection and segmentation. With attackers bypassing conventional defenses through rarely-monitored services, immediate action is needed to assess exposure and enforce zero trust policies across all network layers.
Attack Path Analysis
The attacker initially compromised Windows devices, likely via phishing or software vulnerability, and used the legacy 'finger' protocol to establish a foothold. They elevated privileges to persist and accessed broader system resources. The adversary attempted lateral movement within the environment, seeking additional systems. Using covert command and control over the unencrypted finger protocol, they transmitted commands and potentially uploaded additional payloads. Sensitive data was likely exfiltrated through these channels. Ultimately, the malware could disrupt operations, manipulate data, or maintain long-term persistence.
Kill Chain Progression
Initial Compromise
Description
The attacker compromised Windows devices by exploiting social engineering or endpoint vulnerability to deliver ClickFix malware.
Related CVEs
CVE-1999-0612
CVSS 5A version of finger is running that exposes valid user information to any entity on the network.
Affected Products:
Microsoft Windows NT – All
Microsoft Windows 2000 – All
GNU Finger Service – All
GNU Fingerd – All
Exploit Status:
exploited in the wildCVE-2000-0128
CVSS 7.5The Finger Server 0.82 allows remote attackers to execute commands via shell metacharacters.
Affected Products:
Daniel Beckham The Finger Server – 0.82
Exploit Status:
exploited in the wildCVE-1999-0197
CVSS 5finger 0@host on some systems may print information on some user accounts.
Affected Products:
Multiple Various Systems – All
Exploit Status:
exploited in the wildReferences:
MITRE ATT&CK® Techniques
Web Service
Application Layer Protocol: Web Protocols
User Execution
Command and Scripting Interpreter
Non-Application Layer Protocol
System Binary Proxy Execution
Dynamic Resolution
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS v4.0 – Appropriate Authentication Security
Control ID: 8.1.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Regulation (EU) 2022/2554) – ICT Risk Management Requirements
Control ID: Art. 9(2)
CISA Zero Trust Maturity Model v2.0 – Limit Lateral Movement and Legacy Protocols
Control ID: Network Segmentation (Pillar 3)
NIS2 Directive – Technical and Organizational Risk Management
Control ID: Article 21.2(a)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
ClickFix malware exploiting finger protocol threatens command-and-control operations, requiring enhanced egress security and intrusion prevention for regulatory compliance protection.
Health Care / Life Sciences
Decades-old finger protocol abuse creates HIPAA compliance risks through potential data exfiltration and lateral movement in healthcare network infrastructures.
Government Administration
Command-and-control threats via finger protocol exploitation pose critical risks to government networks requiring zero trust segmentation and threat detection capabilities.
Information Technology/IT
IT sectors face direct exposure to ClickFix malware attacks using finger protocol, demanding comprehensive multicloud visibility and inline IPS protection.
Sources
- Decades-old ‘Finger’ protocol abused in ClickFix malware attackshttps://www.bleepingcomputer.com/news/security/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/Verified
- ClickFix campaign leverages finger.exe to trick users into running malicious commandshttps://cyberpress.org/clickfix-campaign/Verified
- ClickFix Attacks Still Using the Fingerhttps://isc.sans.edu/diary/32566Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Zero Trust segmentation, robust egress policies, encrypted traffic enforcement, and real-time anomaly detection would significantly restrict the adversary’s ability to abuse legacy protocols for C2 and limit both lateral movement and data exfiltration opportunities.
Control: Cloud Firewall (ACF)
Mitigation: Blocked known-bad or legacy protocol inbound/outbound connections at perimeter.
Control: Zero Trust Segmentation
Mitigation: Contained blast radius via least-privilege network policies.
Control: East-West Traffic Security
Mitigation: Restricted and monitored internal communications, preventing unauthorized pivots.
Control: Inline IPS (Suricata)
Mitigation: Detected and blocked signature-based and anomalous C2 traffic in real-time.
Control: Egress Security & Policy Enforcement
Mitigation: Prevented unauthorized outbound data transfers.
Triggered alerts and incident response on abnormal behaviors.
Impact at a Glance
Affected Business Functions
- User Authentication
- System Administration
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of user information and unauthorized command execution leading to system compromise.
Recommended Actions
Key Takeaways & Next Steps
- • Implement robust Cloud Firewall and restrict legacy or unused protocols to reduce initial attack surface.
- • Enforce Zero Trust Segmentation and least-privilege access to minimize lateral movement and privilege escalation risks.
- • Deploy East-West Traffic Security controls to monitor and prevent unauthorized internal communications.
- • Enable Egress Security & Policy Enforcement to block suspicious outbound traffic and exfiltration attempts.
- • Continuously monitor for anomalies and utilize inline IPS and real-time threat detection for rapid incident response.
