Hackers are conducting widespread exploitation of a critical vulnerability in the WooCommerce Payments plugin to gain the privileges of any user, including administrators, on vulnerable WordPress installations. […]
BleepingComputer
4000+ Domains Used By FIN7 Actors Mimic Popular Brands
Russian-linked FIN7 (aka Sangria Tempest, ATK32, Carbon Spider, Coreid, ELBRUS, G0008, G0046, and GOLD NIAGARA) is a financially motivated cybercrime group that has been active since 2013 and primarily targets US industries.
To that end it uses spear phishing, ransomware, malicious browser extensions, and drive-by compromises.
Despite repeated takedown attempts, the group has kept operating, mainly through data theft and the theft of payment card information.
Cybersecurity researchers at Silent Push recently identified that more than 4000 domains used by FIN7 actors have been mimicking popular brands.
FIN7 is largely based in Russia and is made up of more than 70 individuals working in various departments.
It has carried out elaborate intrusions in the past and continues to pose a major risk worldwide.
Despite the arrest of some of its members, it remains active, as shown by current observations from both Microsoft Threat Intelligence and Silent Push.
The group has kept the same TTPs: spear phishing campaigns that use shell domains to impersonate genuine companies.
One newly identified domain, cybercloudsec[.]com, resembles Combi Security, one of FIN7's earlier front businesses, which indicates that the group is still operational.
To impersonate well-known brands, FIN7 turns shell domains into phishing sites.
These domains serve content that changes depending on the targeted user, and they are often linked to other, similar domains.
The group uses redirects, multi-stage phishing chains, and sometimes fake open directories that look legitimate but host potentially harmful files.
Its targets span technology firms, financial-sector companies, and property management systems, and it varies its approach to stay evasive.
The infrastructure is hosted on bulletproof providers such as Stark Industries with dedicated IPs. In some cases the MSIX malware is delivered through Google ads that show a “Requires Browser Extension” pop-up.
Its lures abuse trusted platforms such as SAP Concur and Microsoft SharePoint, as well as developer tools.
Analysis of a sample named LexisNexis.msix showed that it targets domain-joined machines in order to obtain administrative rights or Active Directory accounts.
It opens the real website as a diversion, checks the machine's Active Directory membership, and, once the phishing stage has succeeded, deploys a NetSupport RAT for remote control.
The researchers created two dedicated IOFA (Indicators of Future Attack) feeds listing all of the identified FIN7 domains and IPs.
The data can be exported in several formats or accessed through an API.
In addition, a TLP:AMBER report is being prepared for enterprise customers.
It contains the queries, lookups, and scans used to identify FIN7 infrastructure, including private parameters omitted from public disclosure for security reasons. The publicly released indicators are listed below:
103.113.70[.]142
103.35.191[.]28
89.105.198[.]190
2024sharepoint[.]lat
accountverify.business-helpcase718372649[.]click/
affinitycloudenergy[.]com
americangiftsexpress[.]com
androiddeveloperconsole[.]com
app.rmscloud[.]pro
app-trello[.]com
ariba[.]one
autodesk[.]pm
bloomberg-t[.]com
book.louvre-ticketing[.]com
concur[.]cfd
concur[.]pm
concur[.]re
concuur[.]com
costsco1[.]com
cybercloudsec[.]com
cybercloudsecure[.]com
dr1ve[.]xyz
driv3[.]net
driv7[.]com
escueladeletrados[.]com
ggooleauth[.]xyz
go-ia[.]info
go-ia[.]site
harvardyardcollection[.]com
hcm-paycor[.]org
https-twitter[.]com
hotnotepad[.]com
identity-wpengine[.]com/session_id/login/
kun-quang-api.lordofscan[.]pro/LoginProcess/api/login_submit
lexisnexis[.]day
ln[.]run/supportcenterbusiness
louvre-event[.]com
louvrebil[.]click
miidjourney[.]net
multyimap[.]com
netepadtee[.]com
netfiix-abofrance[.]com
onepassreglons[.]com
paris-journey[.]com
paybx[.]world
quicken-install[.]com
redfinneat[.]com
restproxy[.]com
rupaynews[.]com
techevolveproservice[.]com
themetasupporrtbusiness.nexuslink[.]click
themetasupporrtbusiness.nexuslink[.]click/
thomsonreuter[.]info
tredildlngviw[.]shop
tredildlngviw[.]xyz
treidingviw-web[.]lol
treidingviw-web[.]shop
treidingviw-web[.]xyz
trezor-web[.]io
trydropbox[.]com
wal-streetjournal[.]com
webex-install[.]com
westlaw[.]top
womansvitamin[.]com
wpenglneweb[.]com
www.tivi2[.]com
www.wpenglneweb[.]com
xn--manulfe-kza[.]com
xn--bitwardn-h1a[.]com
zoomms-info[.]com
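As an added example (not part of the Silent Push research or this article), the following Python script shows how a SOC analyst might operationalise a defanged list like the one above: it refangs the [.] notation, reduces URL-form indicators to their host, decodes the xn-- punycode entries so the homoglyph brand names are readable in an alert, and matches DNS or proxy log hosts as exact or subdomain hits while rejecting parent-domain and suffix look-alikes. The indicator subset and the log lines are constructed for the example, and the log format is an assumption.

```python
"""Normalise defanged FIN7 indicators and hunt for them in DNS/proxy logs.

Added example: the indicator subset and log lines are constructed here,
not taken from the Silent Push feeds. Log format is assumed to be
"<timestamp> <source_ip> <queried_or_destination_host> <record_or_method>".
"""
import re
from urllib.parse import urlsplit

# Constructed subset of the indicators published above, still defanged.
FIN7_IOCS = [
    "103.113.70[.]142",
    "app.rmscloud[.]pro",
    "identity-wpengine[.]com/session_id/login/",
    "kun-quang-api.lordofscan[.]pro/LoginProcess/api/login_submit",
    "www.wpenglneweb[.]com",
    "xn--manulfe-kza[.]com",
    "xn--bitwardn-h1a[.]com",
]

# Constructed log lines (not real telemetry).
SAMPLE_LOG = [
    "2024-07-15T10:02:11Z 10.0.4.21 login.app.rmscloud.pro A",      # subdomain hit
    "2024-07-15T10:02:12Z 10.0.4.21 IDENTITY-WPENGINE.COM. A",      # case + trailing dot
    "2024-07-15T10:03:40Z 10.0.4.33 xn--manulfe-kza.com A",         # punycode homoglyph
    "2024-07-15T10:04:02Z 10.0.4.33 rmscloud.pro A",                # parent, not the IOC
    "2024-07-15T10:05:19Z 10.0.4.40 notwpenglneweb.com A",          # suffix trap, no hit
    "2024-07-15T10:06:00Z 10.0.4.50 sharepoint.com A",              # benign
    "2024-07-15T10:07:45Z 10.0.4.50 103.113.70.142 CONNECT",        # IP indicator hit
]


def refang(ioc: str) -> str:
    """Turn '[.]', '(.)' and 'hxxp' defanging back into a real indicator."""
    s = ioc.strip().replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def normalise_host(ioc: str) -> str:
    """Extract the lowercase host from a refanged domain, URL or IP indicator."""
    s = refang(ioc)
    if "://" not in s:
        s = "//" + s  # urlsplit only recognises a netloc after '//'
    host = urlsplit(s).hostname or ""
    return host.lower().rstrip(".")


def decode_idn(host: str) -> str:
    """Decode xn-- labels so a homoglyph domain is readable in an alert."""
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # leave malformed labels untouched
        labels.append(label)
    return ".".join(labels)


def matches(host: str, ioc_host: str) -> bool:
    """True if host is the indicator itself or a subdomain of it.

    Requiring the '.' boundary stops 'notwpenglneweb.com' matching
    'wpenglneweb.com', and a parent such as 'rmscloud.pro' does not
    match the more specific indicator 'app.rmscloud.pro'.
    """
    return host == ioc_host or host.endswith("." + ioc_host)


def hunt(log_lines, iocs=FIN7_IOCS):
    """Return (log_line, raw_indicator, decoded_host) for every hit."""
    ioc_hosts = {normalise_host(i): i for i in iocs}
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        qname = parts[2].lower().rstrip(".")
        for ioc_host, raw in ioc_hosts.items():
            if matches(qname, ioc_host):
                hits.append((line, raw, decode_idn(qname)))
                break
    return hits


if __name__ == "__main__":
    for line, raw, shown in hunt(SAMPLE_LOG):
        print(f"HIT {shown:30} <- {raw}\n    {line}")
```

Matching on the host rather than the full URL is deliberate: a DNS resolver never sees the path, so URL-form indicators such as identity-wpengine[.]com/session_id/login/ are reduced to their domain before comparison. Decoding the punycode entries is only for the analyst's benefit; the match itself is done on the ASCII form that appears in logs.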
The post 4000+ Domains Used By FIN7 Actors Mimic Popular Brands appeared first on Cyber Security News.
AT&T Paid $370,000 to Hacker For Deleting Stolen Records
AT&T reportedly paid a hacker approximately $370,000 to delete stolen customer data. The payment was made to ensure the erasure of call and text records that had been illicitly obtained during a series of cyber intrusions earlier this year.
The hacker, associated with the notorious ShinyHunters hacking group, initially demanded $1 million but settled for the lower amount after negotiations. The transaction, which took place in May, was facilitated through Bitcoin, and the deletion of the data was verified through a video demonstration provided by the hacker.
The breach occurred between April 14 and April 25, 2024, and involved unauthorized access to AT&T’s workspace on a third-party cloud platform. The compromised data includes records of customer call and text interactions from May 1 to October 31, 2022, and some records from January 2, 2023.
The data breach exposed call and text metadata belonging to AT&T customers, including phone numbers, communication dates, and call durations. It’s important to note that the breach did not reveal the content of the calls or messages, and it didn’t include subscriber names. However, certain records contained cell site IDs, which might potentially disclose user locations.
A security researcher using the pseudonym Reddington mediated the negotiations between AT&T and the hacker. Reddington, who was also paid by AT&T for his role, expressed confidence that the only complete copy of the data had been deleted, but cautioned that fragments of it might still exist elsewhere.
The hacker demonstrated deletion of the stolen data from a shared cloud server used by the hacker and another individual, presumably Binns. The payment was verified with blockchain tracking tools, according to the WIRED report.
Despite the payment and the apparent deletion of the data, residual risks persist for AT&T customers. Other entities may still retain unrecovered data samples, posing ongoing security threats. The FBI and other security agencies are involved in assessing the extent of the breach and its potential repercussions.
The disclosure of the breach was delayed due to potential national security implications. The Department of Justice granted AT&T exemptions to postpone public notification, allowing time for the FBI to conduct a thorough assessment.
AT&T’s decision to pay the ransom underscores the problematic choices companies face when dealing with sophisticated cyber threats.
The post AT&T Paid $370,000 to Hacker For Deleting Stolen Records appeared first on Cyber Security News.
In the EU, the algorithm loses some of its power. US could look to EU as role model for juvenile cybercrime prevention programs.
The CyberWire