French financial institutions face active threats from financially motivated APT groups leveraging phishing campaigns, known C2 infrastructure, and critical vulnerabilities in widely deployed software. Immediate hunting and defensive actions are required to mitigate exposure to TA505, FIN7, and Lazarus Group activity.
#1
Active C2 Infrastructure and Meta-Themed Phishing Campaign Targeting Financial Sector
Severity: CRITICAL | Actor: TA505
TA505, known for targeting financial institutions globally including French banks, is actively leveraging phishing URLs mimicking Meta invoice and advertising programs to harvest credentials and deliver malware. Multiple C2 IPs are actively observed in conjunction with this campaign infrastructure.
MDE
Detect Communication with TA505 C2 Infrastructure
Identifies any device communicating with known TA505 C2 infrastructure over the past 7 days.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP in ('162.243.103.246','50.16.16.211','34.204.119.63','178.62.3.223','27.133.154.218')
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine
SENTINEL
Detect Meta Phishing Domain Access
Identifies users accessing known Meta-themed phishing domains linked to TA505.
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DestinationHostName has_any ('invoice-ads-program.com','center-meta-agency.com')
| project TimeGenerated, SourceIP, DestinationHostName, DestinationIP, RequestURL
Recommended Actions
- Block the domains meta-user.invoice-ads-program.com, meta-customer.invoice-ads-program.com, meta-subscriber.invoice-ads-program.com, and confirmation.center-meta-agency.com at proxy and DNS level immediately.
- Block C2 IPs 162.243.103.246 and 50.16.16.211 at the perimeter firewall and add SIEM alerting rules for them.
- Deploy email gateway rules to flag or quarantine messages containing invoice-ads-program.com links targeting financial staff.
#2
Exploitation of ConnectWise ScreenConnect and Linux Kernel Vulnerabilities for Financial Intrusion
Severity: CRITICAL | Actor: Lazarus Group
Lazarus Group, a North Korean state-sponsored actor with a strong focus on financial theft, is known to exploit remote access tool vulnerabilities such as ConnectWise ScreenConnect (CVE-2024-1709/1708) to gain persistent access to financial institution networks. The concurrent CISA advisory for Linux Kernel vulnerabilities further expands the attack surface for lateral movement post-exploitation.
MDE
Detect Suspicious Child Processes of ScreenConnect
Identifies suspicious child processes spawned by ScreenConnect that may indicate exploitation activity.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ('ScreenConnect.ClientService.exe','ScreenConnect.WindowsClient.exe')
| where FileName in ('cmd.exe','powershell.exe','wscript.exe','cscript.exe','mshta.exe','rundll32.exe')
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName
SENTINEL
Detect C2 Traffic to Lazarus-Linked IPs
Flags outbound connections to Lazarus Group-associated C2 infrastructure from internal hosts.
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DestinationIP in ('34.204.119.63','178.62.3.223')
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, ApplicationProtocol, DeviceAction
Recommended Actions
- Apply ConnectWise ScreenConnect patches immediately (CVE-2024-1709/CVE-2024-1708) and audit all ScreenConnect instances exposed to the internet.
- Apply all available Linux kernel security patches across servers hosting financial applications and restrict kernel module loading.
- Block C2 IPs 34.204.119.63 and 178.62.3.223 at the network perimeter and hunt for existing connections in SIEM logs.
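The following query is an added example, not part of the original brief: it broadens the ScreenConnect child-process hunt above to the server-side service as well as the client binaries, flags command lines carrying common post-exploitation markers, and summarises per device so hosts can be triaged instead of individual events. It assumes ScreenConnect.Service.exe is the name of the server-side service binary (the brief names only the two client binaries).

```kql
// Added example, not part of the original brief: server-side and client-side
// ScreenConnect parents, a broader LOLBin child list, and per-device triage.
// Assumption: ScreenConnect.Service.exe is the server-side service binary.
let lookback = 7d;
let screenconnect_parents = dynamic([
    "ScreenConnect.ClientService.exe",
    "ScreenConnect.WindowsClient.exe",
    "ScreenConnect.Service.exe"
]);
let lolbins = dynamic([
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"
]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where InitiatingProcessFileName in~ (screenconnect_parents)
| where FileName in~ (lolbins)
// Markers that commonly appear in hands-on-keyboard activity after initial access
| extend SuspiciousArgs = ProcessCommandLine has_any (
    "-enc", "-EncodedCommand", "DownloadString", "IEX", "http://", "https://",
    "whoami", "net user", "net group", "nltest")
| summarize
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    EventCount = count(),
    SuspiciousArgCount = countif(SuspiciousArgs),
    Parents = make_set(InitiatingProcessFileName, 3),
    Children = make_set(FileName, 10),
    Accounts = make_set(AccountName, 5),
    SampleCommandLines = make_set(ProcessCommandLine, 5)
    by DeviceName
| order by SuspiciousArgCount desc, EventCount desc
```

Rows with a non-zero SuspiciousArgCount or with ScreenConnect.Service.exe among the Parents deserve first attention, since a process spawned by the server service is not expected during normal remote-support sessions.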
#3
cPanel/WHM and WordPress Exploitation Supporting FIN7 Financial Data Harvesting
Severity: HIGH | Actor: FIN7
FIN7 is actively exploiting vulnerabilities in cPanel & WHM and WordPress (WP2) as highlighted in the current CISA advisory, targeting web-facing infrastructure to deploy skimmers and exfiltrate payment card data from financial services. Weebly-hosted phishing pages observed in current data indicate a parallel social engineering effort to supplement exploitation-based initial access.
MDE
Detect Access to FIN7 Phishing and Payload Domains
Identifies endpoint connections to Weebly-hosted phishing pages and suspicious payload delivery sites associated with FIN7.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ('my-site-106195-102460.weeblysite.com','my-site-106282-103757.weeblysite.com','datmymega.com')
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName, InitiatingProcessAccountName
SENTINEL
Detect Connections to FIN7 C2 and Phishing Infrastructure
Flags outbound traffic to FIN7-associated C2 IP and known phishing delivery domains.
union CommonSecurityLog, DnsEvents
| where TimeGenerated > ago(7d)
| where (DestinationIP == '27.133.154.218') or (Name has_any ('weeblysite.com','datmymega.com','789greeting.com'))
| project TimeGenerated, SourceIP, DestinationIP, DestinationHostName, Name
Recommended Actions
- Patch all cPanel, WHM, and WordPress instances immediately per the CISA advisory and audit for signs of webshell or skimmer injection.
- Block the Weebly phishing domains my-site-106195-102460.weeblysite.com and my-site-106282-103757.weeblysite.com, and the domain datmymega.com, at DNS and proxy layers.
- Block C2 IP 27.133.154.218 at the perimeter firewall and conduct retroactive log analysis for data exfiltration indicators.
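The following query is an added example, not part of the original brief: it folds every network indicator from the three threats above into one actor-tagged watchlist and matches it against both the destination IP and the requested URL in a single pass, so one scheduled hunt covers TA505, Lazarus Group and FIN7. The indicator values and actor attributions are taken from the brief exactly as written; the Key column is a constructed join helper.

```kql
// Added example, not part of the original brief: one actor-tagged IOC watchlist
// matched against DeviceNetworkEvents by IP and by URL, summarised per device.
let lookback = 7d;
let ioc_ips = datatable(Indicator:string, Actor:string) [
    "162.243.103.246", "TA505",
    "50.16.16.211",    "TA505",
    "34.204.119.63",   "Lazarus Group",
    "178.62.3.223",    "Lazarus Group",
    "27.133.154.218",  "FIN7"
];
let ioc_domains = datatable(Indicator:string, Actor:string) [
    "invoice-ads-program.com",              "TA505",
    "center-meta-agency.com",               "TA505",
    "my-site-106195-102460.weeblysite.com", "FIN7",
    "my-site-106282-103757.weeblysite.com", "FIN7",
    "datmymega.com",                        "FIN7",
    "789greeting.com",                      "FIN7"
];
let domain_list = toscalar(ioc_domains | summarize make_list(Indicator));
// Exact IP match via an equi-join
let ip_hits = DeviceNetworkEvents
| where Timestamp > ago(lookback)
| join kind=inner (ioc_ips) on $left.RemoteIP == $right.Indicator
| extend MatchType = "ip";
// Domain match: coarse has_any filter first, then a small cross join (Key = 1
// on both sides) to attribute each hit to its indicator, so subdomains such as
// meta-user.invoice-ads-program.com attach to the parent domain entry.
// contains is case-insensitive in KQL.
let domain_hits = DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where RemoteUrl has_any (domain_list)
| extend Key = 1
| join kind=inner (ioc_domains | extend Key = 1) on Key
| where RemoteUrl contains Indicator
| extend MatchType = "domain";
union ip_hits, domain_hits
| summarize
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    Hits = count(),
    MatchTypes = make_set(MatchType, 2),
    Indicators = make_set(Indicator, 10),
    Processes = make_set(InitiatingProcessFileName, 10),
    Accounts = make_set(InitiatingProcessAccountName, 5)
    by DeviceName, Actor
| order by Actor asc, Hits desc
```

Because the datatables hold the attribution, the same query can be turned into a scheduled detection with a single `| where Hits > 0` and no per-actor copies to keep in sync when the indicator list changes.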