Phishing Incident Report: Facts and Timeline
June 25, 2024, 7:52 a.m.
Description
On June 18, 2024, an employee's account at ANY.RUN was compromised and used to carry out a phishing attack against the company's entire contact list. The initial compromise occurred on May 27 through an AiTM phishing campaign targeting the employee. Over the following weeks, the attacker maintained access by registering their device for multi-factor authentication and used tools like PerfectData Software to potentially exfiltrate data from the mailbox. The phishing emails sent on June 18 contained links already flagged as malicious but not properly detected due to a lack of up-to-date security controls. ANY.RUN has taken steps to revoke access, contain the incident, remove persistence mechanisms, and prevent future occurrences.
Date
Published: June 25, 2024, 7:41 a.m.
Created: June 25, 2024, 7:41 a.m.
Modified: June 25, 2024, 7:52 a.m.
Indicators
Additional Information
Technology