French financial institutions face active threats from state-sponsored and financially motivated actors leveraging phishing infrastructure, known C2 nodes, and critical vulnerabilities in widely deployed software. Immediate blocking of the identified IOCs and hunting for lateral movement consistent with TA505, Lazarus Group, and FIN7 TTPs is strongly recommended.
#1 Active Phishing Campaign Targeting Financial Credentials via IPFS and Lookalike Domains
Severity: CRITICAL | Threat actor: TA505
TA505, known for large-scale phishing operations against European financial institutions, is leveraging IPFS-hosted payloads and disposable domains to bypass traditional URL filtering. Multiple phishing URLs including IPFS links and typosquat domains are actively distributing credential harvesting or malware delivery pages.
Indicators of Compromise
IP 162.243.103.246 - C2: TA505 command and control node
IP 50.16.16.211 - C2: associated with TA505 phishing infrastructure
Identifies outbound connections from endpoints to known TA505 C2 infrastructure.
DeviceNetworkEvents
| where RemoteIP in ('162.243.103.246','50.16.16.211')
| where TimeGenerated > ago(7d)
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine
SENTINEL: Detect Traffic to TA505 C2 IPs via CommonSecurityLog
Hunts for firewall or proxy traffic destined to known TA505 C2 nodes.
CommonSecurityLog
| where DestinationIP in ('162.243.103.246','50.16.16.211')
| where TimeGenerated > ago(7d)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, ApplicationProtocol, DeviceAction
SENTINEL: Detect Access to Known Phishing Domains
Identifies DNS or proxy requests to confirmed TA505 phishing URLs and domains.
DnsEvents
| where Name has_any ('usupholdbit.com','itpageshubinn.com','sportsmanfront.com')
| where TimeGenerated > ago(7d)
| project TimeGenerated, Computer, Name, IPAddresses
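The three hunts above reduce to two checks, IP membership against the C2 list and DNS name matching against the phishing domains, inside a seven-day lookback. The following Python script is an added example, not part of the original report or of any Sentinel content pack: it replays that logic offline over constructed rows shaped like DeviceNetworkEvents and DnsEvents, so the matching can be checked before the KQL is run at scale. The indicator values are the ones in the report's queries; the device names, command lines, timestamps and helper function names are constructed for the example. It also generalises slightly beyond the queries: indicator_host() reduces URL-type indicators (the report lists several full URLs) to a hostname so they can join the same domain list.

```python
"""Offline replay of the report's network and DNS IOC hunts (added example)."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Indicators taken from the report's queries.
TA505_C2_IPS = {"162.243.103.246", "50.16.16.211"}
TA505_PHISHING_DOMAINS = {"usupholdbit.com", "itpageshubinn.com", "sportsmanfront.com"}

# Fixed "now" so the 7-day lookback (ago(7d) in the queries) is reproducible.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)


def indicator_host(indicator: str) -> str:
    """Reduce a URL- or domain-type indicator to a comparable hostname.

    Full URLs keep only the host part; the trailing dot some DNS logs keep
    and letter case are normalised away.
    """
    host = urlsplit(indicator).hostname if "://" in indicator else indicator
    return (host or "").rstrip(".").lower()


def domain_matches(name: str, domains: set[str]) -> bool:
    """True when name equals a listed domain or is a subdomain of one.

    Suffix matching is the registrable-domain semantics a hunter usually
    wants. KQL's has_any is a term match: it also catches subdomains but
    would additionally hit any name that merely contains the terms.
    """
    host = indicator_host(name)
    return any(host == d or host.endswith("." + d) for d in domains)


def in_lookback(event: dict, now: datetime = NOW, days: int = 7) -> bool:
    """Equivalent of `where TimeGenerated > ago(7d)`."""
    return event["TimeGenerated"] > now - timedelta(days=days)


def hunt_network(events: list[dict], now: datetime = NOW) -> list[dict]:
    """DeviceNetworkEvents hunt: endpoint connections to TA505 C2 IPs."""
    fields = ("TimeGenerated", "DeviceName", "RemoteIP", "RemotePort",
              "InitiatingProcessFileName", "InitiatingProcessCommandLine")
    return [{f: e[f] for f in fields} for e in events
            if e["RemoteIP"] in TA505_C2_IPS and in_lookback(e, now)]


def hunt_dns(events: list[dict], now: datetime = NOW) -> list[dict]:
    """DnsEvents hunt: lookups of the listed phishing domains."""
    fields = ("TimeGenerated", "Computer", "Name", "IPAddresses")
    return [{f: e[f] for f in fields} for e in events
            if domain_matches(e["Name"], TA505_PHISHING_DOMAINS) and in_lookback(e, now)]


# Constructed sample rows (not real telemetry); RFC 5737 ranges for non-IOC IPs.
NETWORK_EVENTS = [
    {"TimeGenerated": NOW - timedelta(hours=2), "DeviceName": "fin-ws-041",
     "RemoteIP": "162.243.103.246", "RemotePort": 443,
     "InitiatingProcessFileName": "msedge.exe",
     "InitiatingProcessCommandLine": "msedge.exe --profile-directory=Default"},
    {"TimeGenerated": NOW - timedelta(days=1), "DeviceName": "fin-ws-017",
     "RemoteIP": "50.16.16.211", "RemotePort": 8080,
     "InitiatingProcessFileName": "powershell.exe",
     "InitiatingProcessCommandLine": "powershell.exe -File C:\\Users\\Public\\update.ps1"},
    # Same C2 IP but 9 days old: outside the query's lookback window.
    {"TimeGenerated": NOW - timedelta(days=9), "DeviceName": "fin-ws-017",
     "RemoteIP": "50.16.16.211", "RemotePort": 8080,
     "InitiatingProcessFileName": "powershell.exe",
     "InitiatingProcessCommandLine": "powershell.exe -File C:\\Users\\Public\\update.ps1"},
    # Internal traffic: no match.
    {"TimeGenerated": NOW - timedelta(hours=1), "DeviceName": "fin-ws-002",
     "RemoteIP": "10.20.30.40", "RemotePort": 445,
     "InitiatingProcessFileName": "System", "InitiatingProcessCommandLine": ""},
]

DNS_EVENTS = [
    {"TimeGenerated": NOW - timedelta(minutes=30), "Computer": "fin-ws-041",
     "Name": "usupholdbit.com", "IPAddresses": "162.243.103.246"},
    # Subdomain, mixed case, trailing dot: still a match.
    {"TimeGenerated": NOW - timedelta(hours=3), "Computer": "fin-ws-041",
     "Name": "mail.ItPagesHubInn.com.", "IPAddresses": "50.16.16.211"},
    # Looks similar but is not a listed indicator: no match.
    {"TimeGenerated": NOW - timedelta(hours=1), "Computer": "fin-ws-002",
     "Name": "sportsmanfrontier.com", "IPAddresses": "203.0.113.10"},
    {"TimeGenerated": NOW - timedelta(hours=1), "Computer": "fin-ws-002",
     "Name": "update.example.net", "IPAddresses": "198.51.100.7"},
]

if __name__ == "__main__":
    for hit in hunt_network(NETWORK_EVENTS) + hunt_dns(DNS_EVENTS):
        print(hit)
```

Run against a real export (for example a CSV of the projected columns) by replacing the two constructed lists; the functions only read the column names the queries project. The suffix-match choice in domain_matches() is deliberate: it keeps a lookalike such as the constructed sportsmanfrontier.com out of the result set while still catching hosts under a listed domain.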
Recommended Actions
- Block all listed phishing URLs and C2 IPs at the perimeter firewall and web proxy immediately
- Enable IPFS domain category blocking on proxy solutions, as TA505 abuses decentralized hosting
- Issue a user awareness alert to finance and treasury teams regarding credential phishing
- Hunt for process executions following web browser activity to the listed domains
#2 Exploitation of ConnectWise ScreenConnect and cPanel Vulnerabilities for Financial Network Intrusion
Severity: CRITICAL | Threat actor: Lazarus Group
Lazarus Group, a North Korean state-sponsored actor with a strong focus on financial theft, actively exploits remote access and web management vulnerabilities including ConnectWise ScreenConnect and cPanel/WHM as initial access vectors into financial institutions. Unpatched instances of these platforms in French banking environments represent a critical attack surface aligned with active CISA advisories.
Indicators of Compromise
IP 34.204.119.63 - C2: Lazarus Group post-exploitation beacon
IP 27.133.154.218 - C2: Lazarus Group infrastructure associated with financial sector targeting
URL https://truea4ewy73kejbcksf5rydis7e-a5h3h7h0ghb2e6ge.z03.azurefd.net/ - Suspicious Azure Front Door URL, potentially used for C2 proxying or payload delivery
Identifies endpoint connections to Lazarus Group C2 infrastructure associated with financial sector operations.
DeviceNetworkEvents
| where RemoteIP in ('34.204.119.63','27.133.154.218')
| where TimeGenerated > ago(7d)
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessAccountName
MDE: Detect ScreenConnect Process Spawning Suspicious Children
Hunts for ScreenConnect service processes spawning unusual child processes indicative of exploitation.
// In the Defender portal's advanced hunting schema the time column is Timestamp; TimeGenerated applies when the table is queried through Sentinel
DeviceProcessEvents
| where InitiatingProcessFileName in~ ('ScreenConnect.ClientService.exe','ScreenConnect.WindowsClient.exe')
| where FileName in~ ('cmd.exe','powershell.exe','wscript.exe','mshta.exe','certutil.exe')
| where TimeGenerated > ago(7d)
| project TimeGenerated, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
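The process-lineage rule above is simple enough to validate outside the SIEM before it is tuned. The script below is an added example, not part of the original report: it applies the same rule as the DeviceProcessEvents query (parent in the ScreenConnect binary list, child in the shortlist of interpreters and utilities, seven-day lookback, with the case-insensitive comparison that KQL's in~ performs) to constructed process events, and adds a per-device count as a triage aid. The process names are the ones in the query; the device names, command lines, timestamps and function names are constructed.

```python
"""Offline replay of the ScreenConnect parent/child hunt (added example)."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Process names from the report's query, lower-cased once so the comparison
# is case-insensitive, matching KQL's in~ operator.
SCREENCONNECT_PARENTS = {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe", "certutil.exe"}

# Fixed reference time so the 7-day lookback is reproducible.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)


def is_screenconnect_lolbin_spawn(event: dict) -> bool:
    """Parent/child rule only (no time filter)."""
    parent = event["InitiatingProcessFileName"].lower()
    child = event["FileName"].lower()
    return parent in SCREENCONNECT_PARENTS and child in SUSPICIOUS_CHILDREN


def hunt_process_events(events: list[dict], now: datetime = NOW, days: int = 7) -> list[dict]:
    """Return the projected columns for events matching the rule inside the lookback."""
    fields = ("TimeGenerated", "DeviceName", "InitiatingProcessFileName",
              "FileName", "ProcessCommandLine")
    cutoff = now - timedelta(days=days)
    return [{f: e[f] for f in fields} for e in events
            if e["TimeGenerated"] > cutoff and is_screenconnect_lolbin_spawn(e)]


def hits_per_device(hits: list[dict]) -> dict:
    """Triage aid: number of suspicious spawns per device, most active first."""
    return dict(Counter(h["DeviceName"] for h in hits).most_common())


# Constructed sample rows (not real telemetry).
PROCESS_EVENTS = [
    # Service process launching a shell shortly after a remote session: match.
    {"TimeGenerated": NOW - timedelta(hours=1), "DeviceName": "srv-bastion-01",
     "InitiatingProcessFileName": "ScreenConnect.ClientService.exe",
     "FileName": "cmd.exe", "ProcessCommandLine": "cmd.exe /c ipconfig /all"},
    # Different letter case in both names: still a match (in~ semantics).
    {"TimeGenerated": NOW - timedelta(hours=2), "DeviceName": "srv-bastion-01",
     "InitiatingProcessFileName": "SCREENCONNECT.WINDOWSCLIENT.EXE",
     "FileName": "PowerShell.exe", "ProcessCommandLine": "PowerShell.exe -File C:\\Temp\\run.ps1"},
    # Normal ScreenConnect behaviour, the service starting its own client: no match.
    {"TimeGenerated": NOW - timedelta(hours=1), "DeviceName": "srv-bastion-01",
     "InitiatingProcessFileName": "ScreenConnect.ClientService.exe",
     "FileName": "ScreenConnect.WindowsClient.exe", "ProcessCommandLine": ""},
    # Shell from an interactive desktop session: not this rule's concern.
    {"TimeGenerated": NOW - timedelta(minutes=10), "DeviceName": "fin-ws-009",
     "InitiatingProcessFileName": "explorer.exe",
     "FileName": "powershell.exe", "ProcessCommandLine": "powershell.exe"},
    # Matching pair but 10 days old: outside the lookback window.
    {"TimeGenerated": NOW - timedelta(days=10), "DeviceName": "fin-ws-009",
     "InitiatingProcessFileName": "ScreenConnect.ClientService.exe",
     "FileName": "certutil.exe", "ProcessCommandLine": "certutil.exe -hashfile C:\\Temp\\a.bin"},
]

if __name__ == "__main__":
    hits = hunt_process_events(PROCESS_EVENTS)
    for hit in hits:
        print(hit)
    print(hits_per_device(hits))
```

The third constructed row is the reason the child list is a shortlist rather than "anything": ScreenConnect legitimately spawns its own client, so a rule on the parent alone would be noisy. When tuning, extend SUSPICIOUS_CHILDREN from what the environment's own process telemetry shows rather than from guesswork.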
SENTINEL: Detect Traffic to Lazarus C2 and Suspicious Azure CDN Abuse
Monitors for outbound connections to known Lazarus IPs and suspicious Azure Front Door domains used for C2 proxying.
CommonSecurityLog
| where DestinationIP in ('34.204.119.63','27.133.154.218') or RequestURL has 'truea4ewy73kejbcksf5rydis7e-a5h3h7h0ghb2e6ge.z03.azurefd.net'
| where TimeGenerated > ago(7d)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DeviceAction
Recommended Actions
- Apply emergency patches for ConnectWise ScreenConnect (CVE-2024-1709) and cPanel/WHM as per CISA advisory guidance
- Isolate and audit all ScreenConnect and cPanel instances exposed to the internet
- Block the Lazarus Group C2 IPs and the suspicious Azure Front Door URL at perimeter and CASB controls
- Review privileged account activity for signs of lateral movement following remote access tool exploitation
#3 Linux Kernel Exploitation and Persistent Access Against Financial Infrastructure
Severity: HIGH | Threat actor: APT28
APT28 (Fancy Bear), a Russian GRU-linked actor with demonstrated interest in European financial and critical infrastructure, exploits Linux kernel vulnerabilities as flagged in the current CISA advisory to achieve privilege escalation and persistent access on server infrastructure. French financial institutions running unpatched Linux-based systems, including trading platforms and backend servers, are at elevated risk.
Indicators of Compromise
IP 178.62.3.223 - C2: APT28-linked node used for Linux post-exploitation beacon traffic
URL https://dpd.sarmetaki.cfd/com - Phishing URL mimicking a parcel delivery service, a common APT28 social engineering lure
URL http://www.79367.cc/ - Suspicious redirect domain associated with phishing or malware distribution
URL http://www.60623.xyz/ - Disposable phishing domain linked to credential harvesting campaign
URL http://www.60883.xyz/ - Disposable phishing domain linked to credential harvesting campaign
MITRE ATT&CK TTPs
T1068 - Exploitation for Privilege Escalation