“FIN7: Unveiling the Truth with Clarity”

Silent Push, Stark Industries Solutions, and Team Cymru collaborate to map FIN7 infrastructure, uncovering thousands of domains linked to FIN7 or mimicking its TTPs, and identifying two activity clusters hosted on Stark-assigned infrastructure. The post emphasizes collaboration, shares indicators for investigation, and recommends blocking, reporting, and cooperation with hosting providers to curb abusive activity. #FIN7 #SilentPush #StarkIndustriesSolutions #TeamCymru #PostLtd #SmartApe #KrebsonSecurity

Key points

  • Collaboration between Silent Push, Stark, and Team Cymru against FIN7.
  • FIN7 is a financially motivated threat group active for over a decade.
  • Recent research identified upwards of 4,000 domains linked to FIN7 or mimicking its TTPs.
  • Two clusters of potential FIN7 activity were identified through collaborative analysis.
  • Stark-assigned IP addresses were used to host domains associated with FIN7.
  • Silent Push provided indicators of FIN7-related activity for further investigation.
  • Communications were observed between identified IPs and Stark-assigned hosts.
  • Recommendations include blocking and reporting malicious activities.

MITRE Techniques

  • [T1078] Initial Access – Use of compromised credentials to access systems.
  • [T1071] Command and Control – Application Layer Protocols for communication with compromised systems.
  • [T1041] Exfiltration – Exfiltration over Command and Control channel.
  • [T1547] Persistence – Creating new services to maintain access.

Indicators of Compromise

  • [IP] Seed infrastructure – 103.113.70.142, 103.35.189.39, and 7 more IPs associated with Stark-hosted FIN7 activity
  • [Domain] Seed domains – 2024sharepoint.lat, sharepoint2024.one, and 8 more domains

Read more: https://www.team-cymru.com/post/fin7-the-truth-doesn-t-need-to-be-so-stark