cyber_threat_intelligence/DEV-0322/README.md

# DEV-0322 - Cyber Threat Intelligence

These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [DEV-0322](https://vuldb.com/?actor.dev-0322). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.dev-0322](https://vuldb.com/?actor.dev-0322)

## Campaigns

The following _campaigns_ are known and can be associated with DEV-0322:

* CVE-2021-35211
* ManageEngine ADSelfService Plus

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with DEV-0322:

* US
* CN

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of DEV-0322.

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 24.64.36.238 | mail.target-realty.com | ManageEngine ADSelfService Plus | High
2 | 45.63.62.109 | 45.63.62.109.vultr.com | ManageEngine ADSelfService Plus | Medium
3 | 45.76.173.103 | 45.76.173.103.vultr.com | ManageEngine ADSelfService Plus | Medium
4 | ... | ... | ... | ...

There are 11 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by DEV-0322. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1499 | CWE-400, CWE-404 | Resource Consumption | High
4 | ... | ... | ... | ...

There are 2 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by DEV-0322. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `admin/conf_users_edit.php` | High
2 | File | `data/gbconfiguration.dat` | High
3 | File | `flow.php` | Medium
4 | File | `goform/setUsbUnload` | High
5 | ... | ... | ...

There are 27 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/
* https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
Converted from AsciiDoc to Markdown 2021-09-30 09:58:16 +00:00			`# DEV-0322 - Cyber Threat Intelligence`

Update 2022-02-23 08:46:58 +00:00			`These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [DEV-0322](https://vuldb.com/?actor.dev-0322). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.`
Converted from AsciiDoc to Markdown 2021-09-30 09:58:16 +00:00
Update 2022-02-23 08:46:58 +00:00			`_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.dev-0322](https://vuldb.com/?actor.dev-0322)`
Converted from AsciiDoc to Markdown 2021-09-30 09:58:16 +00:00
			`## Campaigns`

Update 2022-02-23 08:46:58 +00:00			`The following _campaigns_ are known and can be associated with DEV-0322:`
Converted from AsciiDoc to Markdown 2021-09-30 09:58:16 +00:00
			`* CVE-2021-35211`
Update 2021-12-18 15:50:27 +00:00			`* ManageEngine ADSelfService Plus`
Converted from AsciiDoc to Markdown 2021-09-30 09:58:16 +00:00
			`## Countries`

Update 2022-02-23 08:46:58 +00:00			`These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with DEV-0322:`
Converted from AsciiDoc to Markdown 2021-09-30 09:58:16 +00:00
Update 2021-12-18 15:50:27 +00:00			`* US`
Converted from AsciiDoc to Markdown 2021-09-30 09:58:16 +00:00			`* CN`

			`## IOC - Indicator of Compromise`

Update 2022-02-23 08:46:58 +00:00			`These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of DEV-0322.`
Converted from AsciiDoc to Markdown 2021-09-30 09:58:16 +00:00
Update 2022-02-23 08:46:58 +00:00			`ID \| IP address \| Hostname \| Campaign \| Confidence`
			`-- \| ---------- \| -------- \| -------- \| ----------`
			`1 \| 24.64.36.238 \| mail.target-realty.com \| ManageEngine ADSelfService Plus \| High`
			`2 \| 45.63.62.109 \| 45.63.62.109.vultr.com \| ManageEngine ADSelfService Plus \| Medium`
			`3 \| 45.76.173.103 \| 45.76.173.103.vultr.com \| ManageEngine ADSelfService Plus \| Medium`
			`4 \| ... \| ... \| ... \| ...`
Update 2021-12-18 15:50:27 +00:00
Update 2022-01-26 14:36:47 +00:00			`There are 11 more IOC items available. Please use our online service to access the data.`
Update 2021-12-18 15:50:27 +00:00
			`## TTP - Tactics, Techniques, Procedures`

Update 2022-02-23 08:46:58 +00:00			`_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by DEV-0322. This data is unique as it uses our predictive model for actor profiling.`
Update 2021-12-18 15:50:27 +00:00
Update 2022-02-23 08:46:58 +00:00			`ID \| Technique \| Weakness \| Description \| Confidence`
			`-- \| --------- \| -------- \| ----------- \| ----------`
			`1 \| T1059.007 \| CWE-79, CWE-80 \| Cross Site Scripting \| High`
			`2 \| T1068 \| CWE-264, CWE-284 \| Execution with Unnecessary Privileges \| High`
			`3 \| T1499 \| CWE-400, CWE-404 \| Resource Consumption \| High`
			`4 \| ... \| ... \| ... \| ...`
Converted from AsciiDoc to Markdown 2021-09-30 09:58:16 +00:00
Update 2021-12-18 15:50:27 +00:00			`There are 2 more TTP items available. Please use our online service to access the data.`
Converted from AsciiDoc to Markdown 2021-09-30 09:58:16 +00:00
			`## IOA - Indicator of Attack`

Update 2022-02-23 08:46:58 +00:00			`These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by DEV-0322. This data is unique as it uses our predictive model for actor profiling.`
Converted from AsciiDoc to Markdown 2021-09-30 09:58:16 +00:00
			`ID \| Type \| Indicator \| Confidence`
			`-- \| ---- \| --------- \| ----------`
Update 2021-12-18 15:50:27 +00:00			1 \| File \| `admin/conf_users_edit.php` \| High
			2 \| File \| `data/gbconfiguration.dat` \| High
			3 \| File \| `flow.php` \| Medium
			4 \| File \| `goform/setUsbUnload` \| High
Update 2022-01-26 14:36:47 +00:00			`5 \| ... \| ... \| ...`
Update 2021-12-18 15:50:27 +00:00
Update 2022-02-23 08:46:58 +00:00			`There are 27 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.`
Converted from AsciiDoc to Markdown 2021-09-30 09:58:16 +00:00
			`## References`

Update 2022-02-23 08:46:58 +00:00			`The following list contains _external sources_ which discuss the actor and the associated activities:`
Converted from AsciiDoc to Markdown 2021-09-30 09:58:16 +00:00
Update 2021-12-18 15:50:27 +00:00			`* https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/`
Converted from AsciiDoc to Markdown 2021-09-30 09:58:16 +00:00			`* https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/`

			`## Literature`

Update 2022-02-23 08:46:58 +00:00			`The following _articles_ explain our unique predictive cyber threat intelligence:`
Converted from AsciiDoc to Markdown 2021-09-30 09:58:16 +00:00
Update 2021-12-18 15:50:27 +00:00			`* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)`
Converted from AsciiDoc to Markdown 2021-09-30 09:58:16 +00:00			`* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)`

			`## License`

Update 2022-01-26 14:36:47 +00:00			`(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!`