
Researchers uncovered new infrastructure linked to the cybercrime group FIN7


Team Cymru, Silent Push and Stark Industries Solutions researchers uncovered a new infrastructure linked to the cybercrime group FIN7.

Researchers from Team Cymru identified two clusters potentially linked to the cybercrime group FIN7. The team collaborated with the cybersecurity experts of Silent Push and Stark Industries Solutions who shared their findings.

FIN7 is a Russian criminal group (aka Carbanak) that has been active since mid-2015. It focuses on the restaurant, gambling, and hospitality industries in the US, harvesting financial information that is then used in further attacks or sold on cybercrime marketplaces.

The clusters show communications inbound to FIN7 infrastructure from IP addresses assigned to Post Ltd (Russia) and SmartApe (Estonia), respectively. In total, the researchers identified 25 Stark-assigned IP addresses used to host domains associated with operations conducted by the FIN7 group.

The experts reported their discovery to Stark's security team, which promptly suspended the addresses. Stark's initial feedback suggested that the compromised hosts had likely been obtained through one of its resellers; Stark Industries Solutions is a white-label brand that sells services through various resellers. The nine IP addresses identified were used as the starting point for further investigation, allowing the team to trace and disrupt additional FIN7 infrastructure and activity.

The first cluster involved four IP addresses assigned to Post Ltd, a broadband provider operating in the Northern Caucasus region of Russia.

“Over the past 30 days, we observed these IP addresses communicating with at least 15 Stark-assigned hosts, which we associate with the TTPs referenced in the research by Silent Push. These hosts included 86.104.72.16, which was in the original list of indicators from Silent Push,” states the report published by Team Cymru.

FIN7 cluster 1

The second cluster was composed of three IP addresses assigned to SmartApe, a cloud hosting provider in Estonia.

“Over the past 30 days, we observed these IP addresses communicating with at least 16 Stark-assigned hosts, which we associate with the TTPs referenced in the research by Silent Push. Again, these hosts included 86.104.72.16,” continues the report.

The experts also noticed that 12 of the hosts identified in the Post Ltd cluster were also observed in the SmartApe cluster, which leaves 19 distinct Stark-assigned hosts across the two clusters (15 + 16 - 12).

FIN7 cluster 2

“In addition to the 19 hosts identified in the two clusters described above, insights from Stark’s security team led to the discovery of a further six hosts, which we assess to be connected to the same activity,” concludes the report.
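The pivot described above (take the seed source IPs of each cluster, collect the provider-assigned hosts they talk to, then compare the two sets) is easy to reproduce against flow data. The script below is an added example, not code from Team Cymru, Silent Push or the article. It runs over constructed flow records in RFC 5737 documentation ranges: the seed addresses, the flows and the "Stark-assigned" block 203.0.113.0/24 are all hypothetical stand-ins, not the real addresses from the research. It computes per-cluster destinations, the overlap between clusters and the inclusion-exclusion total (the same arithmetic that gives the report's 15 + 16 - 12 = 19), and counts how many seed sources touch each host, which is the usual way to rank shared infrastructure for follow-up.

```python
"""Pivot from seed source IPs to shared destination infrastructure in flow records.

Added example; all addresses are constructed (RFC 5737 ranges), not the real ones.
"""
from collections import defaultdict
import ipaddress

# Constructed flow records: ts,src,dst,dport. Lines starting with '#' are comments.
FLOWS = """\
# Post Ltd stand-in seeds (192.0.2.10-13) -> hypothetical Stark block 203.0.113.0/24
2024-07-01T10:00:00Z,192.0.2.10,203.0.113.1,443
2024-07-01T10:00:05Z,192.0.2.10,203.0.113.2,443
2024-07-01T10:01:00Z,192.0.2.11,203.0.113.3,443
2024-07-01T10:01:30Z,192.0.2.12,203.0.113.4,8443
2024-07-01T10:02:00Z,192.0.2.13,203.0.113.5,443
# destination outside the Stark block: must be filtered out
2024-07-01T10:02:10Z,192.0.2.13,198.51.100.99,80
# SmartApe stand-in seeds (198.51.100.20-22)
2024-07-01T11:00:00Z,198.51.100.20,203.0.113.3,443
2024-07-01T11:00:20Z,198.51.100.20,203.0.113.4,443
2024-07-01T11:01:00Z,198.51.100.21,203.0.113.5,443
2024-07-01T11:01:40Z,198.51.100.21,203.0.113.6,443
2024-07-01T11:02:00Z,198.51.100.22,203.0.113.7,443
# source that is not a seed: must be ignored
2024-07-01T12:00:00Z,192.0.2.99,203.0.113.1,443
"""

# Hypothetical provider-assigned block (assumption; the real Stark ranges are not on the page).
STARK_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Seed sources per cluster: 4 Post Ltd and 3 SmartApe addresses, as in the report, but constructed.
CLUSTERS = {
    "post_ltd": {"192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"},
    "smartape": {"198.51.100.20", "198.51.100.21", "198.51.100.22"},
}


def parse_flows(text):
    """Parse 'ts,src,dst,dport' lines into (src, dst, dport) tuples, skipping comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _ts, src, dst, dport = line.split(",")
        records.append((src, dst, int(dport)))
    return records


def is_stark(ip):
    """True if the address falls inside the (hypothetical) provider-assigned block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in STARK_NETS)


def cluster_destinations(records, seeds):
    """Provider-assigned hosts contacted by any seed in the cluster."""
    return {dst for src, dst, _ in records if src in seeds and is_stark(dst)}


def pivot(records, clusters):
    """Per-cluster destination sets, their intersection and their union."""
    per_cluster = {name: cluster_destinations(records, seeds) for name, seeds in clusters.items()}
    overlap = set.intersection(*per_cluster.values())
    union = set.union(*per_cluster.values())
    return per_cluster, overlap, union


def shared_host_scores(records, clusters):
    """Number of distinct seed sources (any cluster) observed talking to each host."""
    seeds = set().union(*clusters.values())
    sources_by_dst = defaultdict(set)
    for src, dst, _ in records:
        if src in seeds and is_stark(dst):
            sources_by_dst[dst].add(src)
    return {dst: len(srcs) for dst, srcs in sources_by_dst.items()}


if __name__ == "__main__":
    recs = parse_flows(FLOWS)
    per, overlap, union = pivot(recs, CLUSTERS)
    for name, hosts in per.items():
        print(f"{name}: {len(hosts)} hosts")
    print(f"overlap: {len(overlap)}  union (inclusion-exclusion): {len(union)}")
    for host, n in sorted(shared_host_scores(recs, CLUSTERS).items(), key=lambda kv: -kv[1]):
        print(f"{host} <- {n} seed source(s)")
```

Hosts with the highest seed count (here the three addresses seen from both clusters) are the ones worth reporting to the provider first, since a single suspension there disrupts both clusters; hosts seen from a single seed may be legitimate shared infrastructure and need corroboration from passive DNS or TLS certificate data before takedown.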


Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)