

Increased Brute-Force Attacks Against VPN and SSH Services Globally – Active IOCs
April 18, 2024
APT28 FancyBear Group – Active IOCs
April 18, 2024
Severity
High
Analysis Summary
The financially motivated threat actor FIN7 compromised systems at a major American automaker with the Anunak backdoor, using spear-phishing emails aimed at staff in the IT department.
Researchers said that the attack, which took place towards the end of the previous year, relied on libraries, scripts, and living-off-the-land binaries and scripts (LOLBAS). The threat actor focused on highly privileged targets and lured them with links to a rogue URL posing as the download site of the legitimate Advanced IP Scanner tool.
The attacks have been attributed to FIN7 with high confidence based on the use of distinctive PowerShell scripts that rely on the group's hallmark 'PowerTrash' obfuscated shellcode invoker, first observed in a 2022 campaign. FIN7 has previously been observed deploying Black Basta and Clop ransomware on corporate networks and targeting exposed Veeam Backup and Microsoft Exchange servers.
The spear-phishing emails were directed at highly privileged employees in the automaker's IT department. Links in the emails led to "advanced-ip-sccanner[.]com", a typosquat of the legitimate project site "advanced-ip-scanner[.]com" (note the extra "c"). The researchers found that the fake site redirected to "myipscanner[.]com", which is currently offline.
From there the visitor landed on a Dropbox page offering a malicious executable named "WsTaskLoad.exe", disguised as the official Advanced IP Scanner installer. Once run, it starts a multi-stage chain involving shellcode execution, a WAV file, and DLLs, which loads and decrypts a file named "dmxl.bin" containing the Anunak backdoor payload.
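The typosquatted domain chain described above is the kind of activity that proxy or DNS logs can surface. The following Python script is an added example, not code from the original advisory or from the researchers: it parses constructed proxy-log lines, exact-matches hostnames against the advisory's domain IOCs (plus the myipscanner[.]com redirect target named in the report), and flags registered domains within two edits of a protected legitimate domain using Damerau-Levenshtein distance. The log format, the LEGIT_DOMAINS list and the look-alike "advanced-ip-scaner.com" log line are assumptions constructed for the demo.

```python
# Added example (not from the original advisory): flag look-alike and
# known-bad domains in proxy/DNS logs. Log lines below are constructed.
import re
from urllib.parse import urlsplit

# Tools the organisation legitimately downloads and that are worth protecting
# against typosquatting (assumption for the example).
LEGIT_DOMAINS = {"advanced-ip-scanner.com"}

# Domains from the advisory's IOC list plus the redirect target the report names.
KNOWN_BAD_DOMAINS = {"advanced-ip-sccanner.com", "myscannappo.com", "myipscanner.com"}

# Constructed proxy log: "<timestamp> <client> <method> <url>". The
# advanced-ip-scaner.com line is a hypothetical look-alike, not an IOC.
SAMPLE_LOG = """\
2023-12-04T09:12:01Z 10.20.30.41 GET http://advanced-ip-sccanner.com/download
2023-12-04T09:12:03Z 10.20.30.41 GET https://myipscanner.com/
2023-12-04T09:12:05Z 10.20.30.41 GET https://www.dropbox.com/s/abc/WsTaskLoad.exe
2023-12-04T09:15:22Z 10.20.30.77 GET https://advanced-ip-scanner.com/download/
2023-12-04T09:16:10Z 10.20.30.52 GET https://advanced-ip-scaner.com/setup.exe
2023-12-04T09:16:40Z 10.20.30.88 GET https://myscannappo.com/installer
"""


def osa_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance: insertions,
    deletions, substitutions and adjacent transpositions each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable(host: str) -> str:
    """Crude eTLD+1: keep the last two labels (drops 'www.' and similar).
    Assumption: two-label public suffixes such as .co.uk are out of scope."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host: str, max_distance: int = 2):
    """Return (verdict, detail) for a hostname, or None if unremarkable:
    'ioc'       exact match against a known-bad domain
    'lookalike' within max_distance edits of a protected legitimate domain"""
    dom = registrable(host)
    if dom in KNOWN_BAD_DOMAINS:
        return ("ioc", dom)
    for legit in LEGIT_DOMAINS:
        if dom == legit:
            return None
        dist = osa_distance(dom, legit)
        if dist <= max_distance:
            return ("lookalike", f"{dom} ~ {legit} (distance {dist})")
    return None


LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def scan_log(text: str):
    """Return a list of (timestamp, client, host, verdict, detail) for
    requests to known-bad or look-alike domains."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, _method, url = m.groups()
        host = urlsplit(url).hostname or ""
        hit = classify_host(host)
        if hit:
            alerts.append((ts, client, host, hit[0], hit[1]))
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(*alert)
```

A distance threshold of 2 catches the extra-character and dropped-character variants seen here but will also match short legitimate domains against each other; restrict LEGIT_DOMAINS to names that are long enough to make edit distance meaningful, and treat an exact IOC match as higher priority than a look-alike hit.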

FIN7 uses several malware tools, including Diceloader, Griffon, PowerPlant, Loadout, and Anunak/Carbanak. WsTaskLoad.exe also creates a scheduled task and installs OpenSSH for persistent access. Researchers noted that although FIN7 has used OpenSSH for lateral movement in the past, they did not observe this in the campaign they examined. FIN7 has been active since 2013 but has only recently shifted to larger targets, with ransomware typically the final payload; larger corporations can afford higher ransoms, which explains the shift.
Researchers note that the attack did not progress past the initial infection stage into lateral movement. They advise organizations to defend against phishing, the most common initial access vector, and to train staff to recognize malicious lures.
Multi-factor authentication (MFA) on all user accounts makes it harder for an attacker who has obtained valid credentials to access an employee's account. Basic measures such as strong, unique passwords, keeping all software up to date, monitoring the network for unusual activity, and deploying advanced email filtering help defend against a wide range of attackers.
Impact
- Financial Loss
- Exposure of Sensitive Data
- Unauthorized Access
Indicators of Compromise
Domain Name
- advanced-ip-sccanner.com
- myscannappo.com
MD5
- 87aa5f3f514af2b9ef28db9f092f3249
SHA-256
- ff4c287c60ede1990442115bddd68201d25a735458f76786a938a0aa881d14ef
SHA-1
- 20a2de20e662a5bc758808831ac35a6950c64474
Remediation
- Block all threat indicators at your respective controls.
- Search for the indicators of compromise (IOCs) in your environment using your respective security controls.
- Ensure that all operating systems, software, and applications are regularly updated with the latest security patches.
- Conduct regular security awareness training for users to recognize and avoid phishing emails.
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
- Along with network and system hardening, apply code hardening so that the organization's websites and software are secure, and use testing tools to detect vulnerabilities in deployed code.
- Implement network segmentation to limit lateral movement within the network.
- Implement continuous monitoring of network traffic and endpoint activities to detect any unusual or suspicious behavior.
- Develop and regularly test an incident response plan to ensure a swift and effective response in case of a security incident.
- Implement SIEM solutions to centralize log collection and analysis. This can help in identifying patterns of suspicious behavior and provide timely alerts for potential security incidents.
- Regularly back up critical data and ensure that the backup copies are stored securely.
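The first two remediation items (block and hunt for the IOCs) can be scripted. The following Python sweep is an added example, not from the original advisory or the researchers: it walks a directory tree, computes MD5, SHA-1 and SHA-256 of each file in a single read and matches them against the hashes listed above, and also flags files named like the loader artefacts the report describes. The demo directory, its file contents and the helper names (hash_file, scan_tree, make_demo_tree) are constructed for the example; the stub WsTaskLoad.exe it writes is not the real loader.

```python
# Added example (not from the original advisory): sweep a directory tree for
# files whose MD5 / SHA-1 / SHA-256 match a hash IOC list, reading each file once.
import hashlib
import os
import tempfile

# Hashes from the advisory's IOC section.
IOC_HASHES = {
    "87aa5f3f514af2b9ef28db9f092f3249",                                   # MD5
    "20a2de20e662a5bc758808831ac35a6950c64474",                           # SHA-1
    "ff4c287c60ede1990442115bddd68201d25a735458f76786a938a0aa881d14ef",   # SHA-256
}

# File names the advisory associates with the loader chain; a name match is a
# weaker signal than a hash match but still worth surfacing for triage.
IOC_FILENAMES = {"wstaskload.exe", "dmxl.bin"}


def hash_file(path, chunk_size=1 << 20):
    """Compute MD5, SHA-1 and SHA-256 in a single pass over the file."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def scan_tree(root, ioc_hashes=IOC_HASHES, ioc_names=IOC_FILENAMES):
    """Return a list of (path, reason) hits under root. Unreadable files are
    skipped so one locked file does not abort the whole sweep."""
    hits = []
    wanted = {h.lower() for h in ioc_hashes}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in ioc_names:
                hits.append((path, f"filename match: {name}"))
            try:
                digests = hash_file(path)
            except OSError:
                continue
            for algo, value in digests.items():
                if value in wanted:
                    hits.append((path, f"{algo} match: {value}"))
    return hits


def make_demo_tree():
    """Build a constructed directory for the demo: one benign file and one
    stub named like the advisory's loader. Returns (root, sha256 of the benign
    file) so a caller can plant that hash as an IOC and observe a hash hit."""
    root = tempfile.mkdtemp(prefix="ioc-demo-")
    os.makedirs(os.path.join(root, "Downloads"))
    benign = os.path.join(root, "notes.txt")
    with open(benign, "wb") as f:
        f.write(b"quarterly maintenance notes\n")
    with open(os.path.join(root, "Downloads", "WsTaskLoad.exe"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 62)  # constructed stub, not the real loader
    return root, hash_file(benign)["sha256"]


if __name__ == "__main__":
    demo_root, planted = make_demo_tree()
    for hit_path, reason in scan_tree(demo_root, IOC_HASHES | {planted}):
        print(hit_path, "->", reason)
```

A hash list this short only matches the exact sample the researchers analysed, so a clean sweep does not clear a host; pair it with the scheduled-task and OpenSSH persistence checks the report describes, and treat a filename match as a prompt for triage rather than a confirmed infection.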