Pierluigi Paganini August 19, 2024

Team Cymru, Silent Push and Stark Industries Solutions researchers uncovered a new infrastructure linked to the cybercrime group FIN7.

Researchers from Team Cymru identified two clusters potentially linked to the cybercrime group FIN7. The team collaborated with the cybersecurity experts of Silent Push and Stark Industries Solutions who shared their findings.

FIN7 is a Russian criminal group (aka Carbanak) that has been active since mid-2015, it focuses on restaurants, gambling, and hospitality industries in the US to harvest financial information that was used in attacks or sold in cybercrime marketplaces.

The clusters show communications inbound to FIN7 infrastructure from IP addresses assigned to Post Ltd (Russia) and Smart Ape (Estonia), respectively. The researchers identified 25 Stark-assigned IP addresses used to host domains associated with operations conducted by the FIN7 group.

The experts reported their discovery to the security team at Stark, which promptly suspended the addresses. Stark’s initial feedback suggested that the compromised hosts were likely obtained from one of their resellers. Stark Industries Solutions, a white-label brand, sells services through various resellers. The nine IP addresses identified were used as the starting point for further investigation, allowing the team to trace and disrupt additional FIN7 infrastructure and activities.

The first cluster involved four IP addresses assigned to Post Ltd, a broadband provider operating in the Northern Caucasus region in Russia.

“Over the past 30 days, we observed these IP addresses communicating with at least 15 Stark-assigned hosts, which we associate with the TTPs referenced in the research by Silent Push. These hosts included 86.104.72.16, which was in the original list of indicators from Silent Push.” states the report published by Team Cymru.

The second cluster was composed of three IP addresses assigned to SmartApe, a cloud hosting provider in Estonia.

“Over the past 30 days, we observed these IP addresses communicating with at least 16 Stark-assigned hosts, which we associate with the TTPs referenced in the research by Silent Push. Again, these hosts included 86.104.72.16.” continues the report.

The experts also noticed that 12 of the hosts identified in the Post Ltd cluster were also observed in the SmartApe cluster.

“In addition to the 19 hosts identified in the two clusters described above, insights from Stark’s security team led to the discovery of a further six hosts, which we assess to be connected to the same activity.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)