IP;C&C domains

45[.]76[.]80[.]199;twiiio-sso[.]com, box-okta[.]org, kucoin-pin[.]com, boxokta[.]com, kucoin-sso[.]com
66[.]42[.]107[.]233;slack-mailchimp[.]com
45[.]32[.]66[.]165;microsoft-sso[.]net, sendgrid-okta[.]org, mlcrosoft[.]info, mlcrosoft[.]cloud
45[.]76[.]238[.]53;ouryahoo-okta[.]org, ouryahooinc-okta[.]com
155[.]138[.]240[.]251;sykes-sso[.]com, internai-customer[.]io, ouryahoo-okta[.]com, ouryahoo-okta[.]net, techmahindra-sso[.]com
149[.]28[.]37[.]137;qualfon-sso[.]com, twiiio[.]net, twiiio[.]org, teleperformanceusa-sso[.]com, tmo-sso[.]net, okta-sso[.]net
149[.]248[.]1[.]50;att-mfa[.]com, att-rsa[.]com
108[.]61[.]119[.]20;mcsupport-okta[.]com, mailgun-okta[.]com, sprint-idg[.]net
149[.]28[.]212[.]53;tmobie[.]net
140[.]82[.]63[.]209;kucoinpin[.]com, kucoinpin[.]net, twiiio-okta[.]net
144[.]202[.]82[.]47;kucoin-pin[.]net, kucoin-sso[.]net
45[.]63[.]39[.]116;telus-sso[.]com
149[.]248[.]62[.]54;rogers-rci[.]net, rogers-ssp[.]com, iqor-duo[.]net, iqor-portal[.]com, cgslnc-okta[.]com, conexusonline[.]com, klaviyo-sso[.]com
66[.]42[.]91[.]138;arise-okta[.]com
216[.]128[.]141[.]52;rogers-rci[.]com,…

Introduction

Check Point Research uncovers a recent Iranian-based spear-phishing operation aimed at former Israeli officials, high-ranking military personnel, research fellows at research institutions and think tanks, and Israeli citizens. The attacks use a custom phishing infrastructure, as well as a wide array of fake email accounts to impersonate trusted parties.…

StellarParticle is a campaign tracked by CrowdStrike as related to the SUNSPOT implant from the SolarWinds intrusion in December 2020 and associated with COZY BEAR (aka APT29, “The Dukes”). The StellarParticle campaign has continued against multiple organizations, with COZY BEAR using novel tools and techniques to complete their objectives, as identified by CrowdStrike incident responders and the CrowdStrike Intelligence team.…