Security researchers are warning that tens of thousands of photovoltaic (PV) monitoring and diagnostic systems are reachable over the public web, making them potential targets for hackers. […] Read More
BleepingComputer
4000+ Domains Used By FIN7 Actors Mimic Popular Brands
Russian-linked FIN7 (also tracked as Sangria Tempest, ATK32, Carbon Spider, Coreid, ELBRUS, G0008, G0046, and GOLD NIAGARA) is a financially motivated cybercrime group active since 2013 that primarily targets US industries.
Its tradecraft includes spear-phishing, ransomware, malicious browser extensions, and drive-by compromises.
Despite repeated takedown attempts and arrests, the group has kept operating, monetizing stolen data and payment-card information.
Cybersecurity researchers at Silent Push recently identified more than 4,000 domains used by FIN7 actors to mimic popular brands.
FIN7 is largely based in Russia and is made up of more than 70 individuals working in various departments.
It has carried out elaborate intrusions in the past and still poses a major risk; recent observations from both Microsoft Threat Intelligence and Silent Push show that it remains active.
The group has kept its core TTPs: spear-phishing campaigns built on shell domains that impersonate genuine companies.
One newly observed domain, cybercloudsec[.]com, resembles Combi Security, a front company FIN7 used previously, which indicates the group is still operational despite the arrest of some of its members.
FIN7 turns shell domains into phishing sites that impersonate well-known brands.
Content on these domains is tailored to particular targets, and the domains are frequently linked to one another.
The group uses redirects, multi-stage phishing chains, and sometimes fake open directories that host potentially harmful files.
Targets include technology firms, financial-sector companies, and property-management software, and the infrastructure is hosted on dedicated IPs at bulletproof hosts such as Stark Industries.
In some cases the MSIX malware is delivered through Google Ads, with a pop-up claiming the page "Requires Browser Extension".
Impersonated platforms include SAP Concur, Microsoft SharePoint, and developer tools.
Analysis of a sample named LexisNexis.msix showed it is built for domain-joined machines, aiming at accounts with administrative rights or Active Directory access.
The sample opens the genuine website as a decoy, checks the host's Active Directory membership, and, once the phishing lure has run, deploys a NetSupport RAT for remote administration.
The researchers have published two dedicated IOFA (Indicators of Future Attack) feeds listing the FIN7 domains and IPs; the data can be exported in several formats or pulled through an API.
A TLP:AMBER report is also being prepared for enterprise customers; it contains the queries, lookups, and scans used to identify FIN7 infrastructure, with private parameters omitted from public disclosure for security reasons.
The indicators released publicly so far (defanged as published):
103.113.70[.]142
103.35.191[.]28
89.105.198[.]190
2024sharepoint[.]lat
accountverify.business-helpcase718372649[.]click/
affinitycloudenergy[.]com
americangiftsexpress[.]com
androiddeveloperconsole[.]com
app.rmscloud[.]pro
app-trello[.]com
ariba[.]one
autodesk[.]pm
bloomberg-t[.]com
book.louvre-ticketing[.]com
concur[.]cfd
concur[.]pm
concur[.]re
concuur[.]com
costsco1[.]com
cybercloudsec[.]com
cybercloudsecure[.]com
dr1ve[.]xyz
driv3[.]net
driv7[.]com
escueladeletrados[.]com
ggooleauth[.]xyz
go-ia[.]info
go-ia[.]site
harvardyardcollection[.]com
hcm-paycor[.]org
https-twitter[.]com
hotnotepad[.]com
identity-wpengine[.]com/session_id/login/
kun-quang-api.lordofscan[.]pro/LoginProcess/api/login_submit
lexisnexis[.]day
ln[.]run/supportcenterbusiness
louvre-event[.]com
louvrebil[.]click
miidjourney[.]net
multyimap[.]com
netepadtee[.]com
netfiix-abofrance[.]com
onepassreglons[.]com
paris-journey[.]com
paybx[.]world
quicken-install[.]com
redfinneat[.]com
restproxy[.]com
rupaynews[.]com
techevolveproservice[.]com
themetasupporrtbusiness.nexuslink[.]click
themetasupporrtbusiness.nexuslink[.]click/
thomsonreuter[.]info
tredildlngviw[.]shop
tredildlngviw[.]xyz
treidingviw-web[.]lol
treidingviw-web[.]shop
treidingviw-web[.]xyz
trezor-web[.]io
trydropbox[.]com
wal-streetjournal[.]com
webex-install[.]com
westlaw[.]top
womansvitamin[.]com
wpenglneweb[.]com
www.tivi2[.]com
www.wpenglneweb[.]com
xn--manulfe-kza[.]com
xn--bitwardn-h1a[.]com
zoomms-info[.]com
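The published indicators, and the typosquat and punycode look-alikes among them (concuur, wpenglneweb, xn--manulfe-kza, xn--bitwardn-h1a), are only useful once they are matched against something. The following Python script is an added example, not part of the Silent Push research or of this article: it refangs a subset of the indicators above, matches DNS query logs against them (including parent-domain matches such as cdn.trydropbox.com against trydropbox.com), decodes IDN labels so the homoglyph becomes visible, and flags registrable labels within one edit of a watched brand. The log lines, the watched-brand list, and all function names are constructed for illustration.

```python
"""Match DNS query logs against FIN7 indicators and flag brand look-alikes.
Added example: a subset of the published indicators; log lines, brand list
and function names are constructed for illustration."""
import re
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# Subset of the published indicators, kept defanged exactly as listed above.
FIN7_IOCS = [
    "103.113.70[.]142",
    "2024sharepoint[.]lat",
    "accountverify.business-helpcase718372649[.]click/",
    "identity-wpengine[.]com/session_id/login/",
    "concuur[.]com",
    "trydropbox[.]com",
    "xn--manulfe-kza[.]com",
    "xn--bitwardn-h1a[.]com",
]

# Brands this organisation wants look-alike alerts for (constructed list).
WATCHED_BRANDS = ["concur", "manulife", "bitwarden", "wpengine", "sharepoint"]

# Constructed resolver log: timestamp, client, "query", name, record type.
SAMPLE_DNS_LOG = """\
2024-05-14T10:01:02Z ws-017 query concuur.com A
2024-05-14T10:01:05Z ws-017 query login.microsoftonline.com A
2024-05-14T10:02:11Z ws-042 query cdn.trydropbox.com A
2024-05-14T10:03:40Z ws-042 query xn--bitwardn-h1a.com A
2024-05-14T10:04:01Z ws-009 query xn--manulfe-kza.com A
2024-05-14T10:05:13Z ws-009 query www.example.org A
"""

def refang(ioc: str) -> str:
    """Undo the [.] defanging used in published indicator lists."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")

def ioc_host(ioc: str) -> str:
    """Bare lowercase hostname (or IP) from an indicator that may carry a path."""
    s = refang(ioc).strip().lower()
    if "://" not in s:
        s = "//" + s  # make urlsplit treat the leading part as the netloc
    return urlsplit(s).hostname or s

def decode_idn(host: str) -> str:
    """Decode xn-- labels so the homoglyph is visible; unchanged if not valid IDNA."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host

def match_ioc(host: str, ioc_hosts: Set[str]) -> Optional[str]:
    """Exact or parent-domain match: cdn.trydropbox.com hits trydropbox.com."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ioc_hosts:
            return candidate
    return None

def levenshtein(a: str, b: str) -> int:
    """Edit distance, plain two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_brand(host: str, brands: List[str] = WATCHED_BRANDS,
                    max_dist: int = 1) -> Optional[str]:
    """Compare the registrable label (after IDN decoding) with watched brands.
    Uses the second-last label, which is naive for suffixes such as co.uk."""
    parts = decode_idn(host).lower().split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    for brand in brands:
        if label != brand and levenshtein(label, brand) <= max_dist:
            return brand
    return None

def scan_dns_log(log: str, iocs: List[str] = FIN7_IOCS) -> List[Dict[str, Optional[str]]]:
    """Return one hit per query that matches an indicator or a watched brand."""
    ioc_hosts = {ioc_host(i) for i in iocs}
    hits = []
    for line in log.splitlines():
        m = re.search(r"\bquery (\S+) ", line)
        if not m:
            continue
        host = m.group(1).lower()
        ioc = match_ioc(host, ioc_hosts)
        brand = lookalike_brand(host)
        if ioc or brand:
            hits.append({"host": host, "decoded": decode_idn(host),
                         "ioc": ioc, "lookalike": brand})
    return hits

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(hit)
```

On the constructed log this flags four of the six queries: concuur.com (indicator hit and one edit from "concur"), cdn.trydropbox.com (parent-domain indicator hit), and the two punycode domains, which decode to accented spellings of bitwarden and manulife and would be missed by a brand comparison that did not decode IDNA first. The registrable-label heuristic takes the second-last label, which is wrong for multi-part suffixes such as co.uk; in production split hosts with the Public Suffix List, and keep the edit-distance threshold low, because at distance 2 legitimate brand names start colliding with each other.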
The post 4000+ Domains Used By FIN7 Actors Mimic Popular Brands appeared first on Cyber Security News.
What’s a CNAPP: Cloud-Native Application Protection Platform?
In this episode of CyberWire-X, N2K's CSO, Chief Analyst, and Senior Fellow Rick Howard is joined by Tim Miller, Technical Marketing Engineer for Panoptica, Cisco's cloud application security solution (Panoptica came out of Outshift, Cisco's incubation engine for new products and markets), and Kevin Ford, Esri's CISO. They discuss how Cloud-Native Application Protection Platforms (CNAPPs) reduce complexity. Outshift by Cisco is our CyberWire-X episode sponsor. Read More
The CyberWire
Beware! Threat Actor Selling Outlook RCE 0-Day on Hacking Forums
A threat actor has reportedly put a Remote Code Execution (RCE) 0-day exploit for several versions of Microsoft Outlook up for sale on a hacking forum, with an asking price of $1.8 million.
If the exploit is as potent as claimed, it could put millions of users at risk by allowing unauthorized access to sensitive information.
The listing was surfaced in a tweet from HackManac:
#ZeroDay Alert
Outlook RCE 0-Day Exploit on Sale for $1.8M
According to the post, a threat actor is selling an Outlook RCE exploit 0-day, targeting x86/x64 versions of Microsoft Office 2016, 2019, LTSC 2021, and Microsoft 365 Apps for Enterprise.
The asking price is… pic.twitter.com/pWrEr5WNr2
— HackManac (@H4ckManac) May 14, 2024
The exploit reportedly targets x86 and x64 builds of Microsoft Office 2016, 2019, LTSC 2021, and Microsoft 365 Apps for Enterprise.
The seller claims a 100% success rate which, if true, points to a severe flaw in one of the most widely deployed email clients and office suites.
The $1.8 million asking price reflects the potential impact of the exploit and the sophistication and rarity of such a bug.
Remote Code Execution (RCE) vulnerabilities are especially serious because they let an attacker run arbitrary code on the victim's system.
That can enable anything from stealing sensitive data to deploying ransomware.
A 0-day exploit targets a vulnerability not yet known to the vendor or the public, so no patch exists and defenders must rely on mitigations and detection until one ships.
So far, the seller's claims about the exploit's effectiveness and the asking price have not been independently verified.
The sale post offers no technical details or proof of concept, which leaves the claim uncertain; even so, the possibility of such an exploit has raised alarms in security circles.
Microsoft, which develops Outlook and the other targeted software, has not yet responded to the claims.
Any confirmation or denial from the company, and any advisories or patches released in response, will be watched closely.
The listing highlights the continuing challenge that 0-day exploits pose.
Until more is known, the practical posture is the generic one: keep Office and Outlook patched, enforce multi-factor authentication, use strong, unique passwords, and treat unexpected attachments and links with suspicion.
Proactive measures such as regular security audits and threat detection and response tooling remain important, since a genuine 0-day defeats patching alone.
The post Beware! Threat Actor Selling Outlook RCE 0-Day on Hacking Forums appeared first on Cyber Security News.