Summary:
Researchers have uncovered new infrastructure linked to the financially motivated cybercrime group FIN7. This discovery, detailed in a report by Team Cymru in collaboration with Silent Push and Stark Industries Solutions, reveals two clusters of FIN7 activity connected to IP addresses from Post Ltd in Russia and SmartApe in Estonia. These findings build on Silent Push's earlier report, which identified Stark Industries IP addresses exclusively hosting FIN7 infrastructure. The latest analysis suggests that this infrastructure was likely acquired through one of Stark's resellers, a common practice in the hosting industry where virtual private server (VPS) providers offer reseller programs. Customers using reseller services must typically adhere to the parent company's terms of service.

Team Cymru's analysis identified four IP addresses associated with Post Ltd, a broadband provider in Southern Russia, and three IP addresses linked to SmartApe, a cloud hosting provider based in Estonia. The Post Ltd cluster has been observed conducting outbound communications with at least 15 Stark-assigned hosts over the past 30 days, previously identified by Silent Push. Similarly, the SmartApe cluster was found communicating with 16 Stark-assigned hosts. An interesting overlap was found between these two clusters, with 12 of the hosts identified in the Post Ltd cluster also appearing in the SmartApe cluster, indicating a possible connection or shared infrastructure between the two. This suggests that FIN7 might be employing redundant or geographically dispersed infrastructure to enhance operational resilience and evade detection.


Security Officer Comments:
Following the responsible disclosure by the research teams, Stark Industries promptly suspended the services associated with the identified IP addresses. The legitimacy of the FIN7-linked infrastructure was corroborated through a detailed analysis of the metadata, including TCP flags and sampled data transfer volumes, confirming established connections between the identified IP addresses and the broader FIN7 infrastructure.

Suggested Corrections:

• The usual advice applies in relation to the IOCs shared in this blog post - block, hunt, mitigate, remediate.
• It goes without saying that malicious activities should be reported to relevant authorities and hosting providers. As a specific reminder, abuse complaints can be sent to abuse@stark-industries[.]solutions for Stark-related matters.

Link(s):
https://thehackernews.com/2024/08/researchers-uncover-new-infrastructure.html