August 19, 2024
Severity
High
Analysis Summary
Cybersecurity researchers have found new infrastructure connected to the financially motivated threat actor known as FIN7.
The two clusters of possible FIN7 activity consist of incoming communications to the FIN7 system from IP addresses assigned to Post Ltd (Russia) and to SmartApe (Estonia), respectively. These findings build on a recent report in which researchers identified many IP addresses used exclusively to host FIN7 infrastructure. According to that report, the hosts connected to the e-crime gang were probably purchased through one of Stark Industries' resellers.
Reseller programs are widespread in the hosting business, and many large VPS (virtual private server) providers offer them. Clients who purchase infrastructure through a reseller are typically bound by the terms of service of the "parent" company. Researchers also reported newly discovered infrastructure connected to FIN7 activity: three IP addresses assigned to SmartApe, an Estonian cloud hosting company, and four IP addresses belonging to Post Ltd, a broadband provider operating in Southern Russia.
At least fifteen Stark-assigned hosts identified during the previous thirty days have been observed in outbound communication with the first cluster. Similarly, the second (Estonian) cluster has been found communicating with at least sixteen hosts assigned to Stark.
Furthermore, 12 of the hosts identified in the Post Ltd cluster were also present in the SmartApe cluster. Following responsible disclosure, Stark suspended the services involved. A review of the communications' metadata, based on sampled data-transfer volumes and the TCP flags observed, indicated that these were established connections rather than mere connection attempts.
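The assessment described above, that a connection is "established" when the flow metadata shows a completed handshake and payload moving in both directions, and that two indicator clusters reach an overlapping set of hosts, can be reproduced over flow records. The following is an added example, not code from the advisory or its researchers; the indicator clusters, host addresses and flow records are constructed placeholders in RFC 5737 documentation ranges.

```python
from collections import defaultdict

# Constructed indicator clusters (documentation ranges, not real indicators).
CLUSTERS = {
    "cluster_a": {"192.0.2.10", "192.0.2.11"},
    "cluster_b": {"198.51.100.20", "198.51.100.21"},
}

# Constructed flow records: (src, dst, tcp_flags, bytes_sent, bytes_received).
# src is the external indicator IP, dst the monitored host it contacted.
FLOWS = [
    ("192.0.2.10", "203.0.113.5", "SA", 4200, 9800),    # full session
    ("192.0.2.11", "203.0.113.5", "S", 60, 0),          # unanswered SYN
    ("198.51.100.20", "203.0.113.5", "SAP", 1500, 3200),# full session
    ("198.51.100.21", "203.0.113.7", "SA", 800, 0),     # handshake, no reply data
    ("192.0.2.10", "203.0.113.7", "SAF", 1200, 1100),   # full session, closed
    ("198.51.100.20", "203.0.113.9", "R", 40, 0),       # reset, no session
]

def is_established(flags, sent, received, min_bytes=100):
    """Established only if SYN and ACK were both seen and payload moved
    in both directions; SYN-only probes and resets are not counted."""
    return "S" in flags and "A" in flags and sent >= min_bytes and received >= min_bytes

def hosts_per_cluster(flows, clusters):
    """Map each cluster name to the set of monitored hosts that had an
    established connection with one of that cluster's indicator IPs."""
    hosts = defaultdict(set)
    for src, dst, flags, sent, received in flows:
        if not is_established(flags, sent, received):
            continue
        for name, members in clusters.items():
            if src in members:
                hosts[name].add(dst)
    return dict(hosts)

def cluster_overlap(hosts_by_cluster, a, b):
    """Monitored hosts contacted by both clusters (the page's '12 hosts in
    both clusters' observation, on the constructed data)."""
    return hosts_by_cluster.get(a, set()) & hosts_by_cluster.get(b, set())

if __name__ == "__main__":
    per_cluster = hosts_per_cluster(FLOWS, CLUSTERS)
    print(per_cluster)
    print(cluster_overlap(per_cluster, "cluster_a", "cluster_b"))
```

Real flow exports carry the same fields (peer addresses, cumulative TCP flags, byte counts per direction), so the thresholds and cluster sets are the only parts that need adjusting for a production feed.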
Impact
- Financial Loss
- Data Theft
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Ensure that all operating systems, software, and applications are regularly updated with the latest security patches.
- Conduct regular security awareness training for users to recognize and avoid phishing emails.
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
- Along with network and system hardening, implement code hardening within the organization so that its websites and software are secure. Use testing tools to detect vulnerabilities in deployed code.
- Implement network segmentation to limit lateral movement within the network.
- Implement continuous monitoring of network traffic and endpoint activities to detect any unusual or suspicious behavior.
- Develop and regularly test an incident response plan to ensure a swift and effective response in case of a security incident.
- Implement SIEM solutions to centralize log collection and analysis. This can help in identifying patterns of suspicious behavior and provide timely alerts for potential security incidents.
- Regularly back up critical data and ensure that the backup copies are stored securely.