From 0075741c28660818af765e34a2e73ae955872f27 Mon Sep 17 00:00:00 2001 
From: Marc Ruef
Date: Fri, 29 Apr 2022 10:53:50 +0200
Subject: [PATCH] Update
---
 actors/APP84VN/README.md | 68 +++
 actors/APT-C-36/README.md | 107 +++--
 actors/APT10/README.md | 4 +-
 actors/APT16/README.md | 6 +-
 actors/APT28/README.md | 2 +-
 actors/APT29/README.md | 48 +-
 actors/APT33/README.md | 60 +--
 actors/APT34/README.md | 33 +-
 actors/APT35/README.md | 59 +++
 actors/APT41/README.md | 4 +-
 actors/Africa Unknown/README.md | 61 ++-
 actors/B1txor20/README.md | 76 ++--
 actors/BazarLoader/README.md | 129 ++----
 actors/BlackCat/README.md | 55 ++-
 actors/Bouncing Golf/README.md | 2 +-
 actors/Bunse/README.md | 1 +
 actors/Candiru/README.md | 72 +--
 actors/ChaChi/README.md | 2 +-
 actors/Cobalt Group/README.md | 45 +-
 actors/Cobalt Strike/README.md | 140 +++--
 actors/Conti/README.md | 125 +++--
 actors/DPRK/README.md | 5 +-
 actors/DarkComet/README.md | 40 +-
 actors/Dorkbot/README.md | 60 +++
 actors/Dust Storm/README.md | 76 ++--
 actors/Emotet/README.md | 521 +++++++++++++---------
 actors/FIN7/README.md | 104 ++---
 actors/FakeAlert/README.md | 2 +-
 actors/FritzFrog/README.md | 72 +--
 actors/Gh0stRAT/README.md | 74 +--
 actors/GoGoogle/README.md | 63 +++
 actors/Gootkit/README.md | 75 ++++
 actors/GreyEnergy/README.md | 2 +-
 actors/Grizzly Steppe/README.md | 59 +--
 actors/Hancitor/README.md | 51 ++-
 actors/Hive0117/README.md | 36 ++
 actors/IcedID/README.md | 135 +++--
 actors/Inception/README.md | 52 ++-
 actors/Kimsuky/README.md | 14 +-
 actors/Kinsing/README.md | 2 +-
 actors/Lapsus/README.md | 79 ++++
 actors/Lazarus/README.md | 32 +-
 actors/Liberty Front Press/README.md | 54 ++-
 actors/LinuxMoose/README.md | 10 +-
 actors/LoggerMiner/README.md | 2 +-
 actors/Magecart/README.md | 59 +--
 actors/Magic Hound/README.md | 39 +-
 actors/Molerats/README.md | 2 +-
 actors/Mustang Panda/README.md | 17 +-
 actors/NetWalker/README.md | 81 ++++
 actors/PYSA/README.md | 104 +++++
 actors/Patchwork/README.md | 67 ++-
 actors/PlugX/README.md | 2 +-
 actors/PoshC2/README.md | 27 ++
 actors/Prophet 
Spider/README.md | 73 +--
 actors/PsiXBot/README.md | 96 ++--
 actors/Qakbot/README.md | 219 ++++-----
 actors/Quantum/README.md | 74 +++
 actors/REvil/README.md | 43 +-
 actors/RedEcho/README.md | 48 +-
 actors/Remcos/README.md | 48 +-
 actors/Ripprbot/README.md | 164 ++++---
 actors/Sandworm Team/README.md | 2 +-
 actors/Shuckworm/README.md | 87 ++++
 actors/SideCopy/README.md | 2 +-
 actors/SocGholish/README.md | 86 ++++
 actors/TA505/README.md | 5 +-
 actors/TeamTNT/README.md | 2 +-
 actors/Thamar Reservoir/README.md | 2 +
 actors/Tofsee/README.md | 2 +-
 actors/Tomiris/README.md | 2 +-
 actors/TrickBot/README.md | 275 +++++++-----
 actors/Trickster/README.md | 30 ++
 actors/UAC-0056/README.md | 54 +--
 actors/UAC-0098/README.md | 81 ++++
 actors/Ursnif/README.md | 2 +-
 actors/VBShower/README.md | 52 ++-
 actors/Valyria/README.md | 80 ++--
 actors/WindShift/README.md | 12 +-
 actors/Wocao/README.md | 83 ++--
 actors/Xcnfe/README.md | 7 +-
 actors/Zebra2104/README.md | 2 +-
 actors/Zegost/README.md | 92 ++--
 actors/xHunt/README.md | 11 +-
 campaigns/Afghanistan and India/README.md | 1 +
 campaigns/Anchor/README.md | 83 ++++
 campaigns/AppleSeed/README.md | 2 +-
 campaigns/BLINDINGCAN/README.md | 2 +-
 campaigns/BazarLoader/README.md | 117 +++++
 campaigns/BumbleBee/README.md | 70 +--
 campaigns/COVID-19/README.md | 167 ++++++-
 campaigns/CVE-2021-44207/README.md | 6 +-
 campaigns/CVE-2021-44228/README.md | 57 +--
 campaigns/CatalanGate/README.md | 67 +++
 campaigns/Chafer/README.md | 2 +-
 campaigns/Cloud Hopper/README.md | 4 +-
 campaigns/Cobalt Strike/README.md | 145 +++--
 campaigns/Cryptomining/README.md | 37 +-
 campaigns/DDoS Ukraine/README.md | 153 +++---
 campaigns/DarkWatchman/README.md | 41 ++
 campaigns/Diavol/README.md | 71 +++
 campaigns/Dust Storm/README.md | 76 ++--
 campaigns/Elfin/README.md | 35 +-
 campaigns/Fallchill/README.md | 33 +-
 campaigns/GoldBackdoor/README.md | 38 ++
 campaigns/Hancitor/README.md | 2 +-
 campaigns/Hidden Cobra/README.md | 31 +-
 campaigns/Hildegard/README.md | 1 +
 campaigns/Hodur/README.md | 5 +-
 campaigns/Hoplight/README.md | 3 +-
 campaigns/IcedID/README.md | 152 +++++++
 campaigns/Inception/README.md | 52 ++-
 campaigns/India Power Grid/README.md | 67 +++
 campaigns/Log4Shell/README.md | 76 ++--
 campaigns/OpBlueRaven/README.md | 2 +-
 campaigns/PlugX/README.md | 107 +++--
 campaigns/Rocket Kitten/README.md | 64 +--
 campaigns/Spark/README.md | 5 +-
 campaigns/Tomiris/README.md | 2 +-
 campaigns/Ukraine/README.md | 29 +-
 campaigns/Volgmer/README.md | 63 ++-
 campaigns/Wocao/README.md | 83 ++--
 122 files changed, 4402 insertions(+), 2402 deletions(-)
 create mode 100644 actors/APP84VN/README.md
 create mode 100644 actors/APT35/README.md
 create mode 100644 actors/Dorkbot/README.md
 create mode 100644 actors/GoGoogle/README.md
 create mode 100644 actors/Gootkit/README.md
 create mode 100644 actors/Hive0117/README.md
 create mode 100644 actors/Lapsus/README.md
 create mode 100644 actors/NetWalker/README.md
 create mode 100644 actors/PYSA/README.md
 create mode 100644 actors/Quantum/README.md
 create mode 100644 actors/Shuckworm/README.md
 create mode 100644 actors/SocGholish/README.md
 create mode 100644 actors/Trickster/README.md
 create mode 100644 actors/UAC-0098/README.md
 create mode 100644 campaigns/Anchor/README.md
 create mode 100644 campaigns/BazarLoader/README.md
 create mode 100644 campaigns/CatalanGate/README.md
 create mode 100644 campaigns/DarkWatchman/README.md
 create mode 100644 campaigns/Diavol/README.md
 create mode 100644 campaigns/GoldBackdoor/README.md
 create mode 100644 campaigns/IcedID/README.md
 create mode 100644 campaigns/India Power Grid/README.md
diff --git a/actors/APP84VN/README.md b/actors/APP84VN/README.md
new file mode 100644
index 00000000..d169be51
--- /dev/null
+++ b/actors/APP84VN/README.md
@@ -0,0 +1,68 @@
+# APP84VN - Cyber Threat Intelligence
+
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APP84VN](https://vuldb.com/?actor.app84vn). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
+
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.app84vn](https://vuldb.com/?actor.app84vn)
+
+## Countries
+
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APP84VN:
+
+* [CN](https://vuldb.com/?country.cn)
+* [US](https://vuldb.com/?country.us)
+
+## IOC - Indicator of Compromise
+
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of APP84VN.
+
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [27.102.66.105](https://vuldb.com/?ip.27.102.66.105) | - | - | High
+2 | [27.102.132.235](https://vuldb.com/?ip.27.102.132.235) | - | - | High
+3 | [154.207.17.105](https://vuldb.com/?ip.154.207.17.105) | - | - | High
+4 | ... | ... | ... | ...
+
+There are 1 more IOC items available. Please use our online service to access the data.
+
+## TTP - Tactics, Techniques, Procedures
+
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _APP84VN_. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1059.007 | CWE-79 | Cross Site Scripting | High
+2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
+3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
+4 | ... | ... | ... | ...
+
+There are 1 more TTP items available. Please use our online service to access the data.
+
+## IOA - Indicator of Attack
+
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APP84VN. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `/anony/mjpg.cgi` | High
+2 | File | `/product_list.php` | High
+3 | File | `admin/?n=tags&c=index&a=doSaveTags` | High
+4 | ... | ... | ...
+
+There are 15 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+
+## References
+
+The following list contains _external sources_ which discuss the actor and the associated activities:
+
+* https://twitter.com/trungduc751995/status/1343822222901669888
+
+## Literature
+
+The following _articles_ explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
diff --git a/actors/APT-C-36/README.md b/actors/APT-C-36/README.md
index 7ff7e5b3..bfdf3f76 100644
--- a/actors/APT-C-36/README.md
+++ b/actors/APT-C-36/README.md
@@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
 * [DE](https://vuldb.com/?country.de)
 * ...
-There are 21 more country items available. Please use our online service to access the data.
+There are 20 more country items available. Please use our online service to access the data.
 ## IOC - Indicator of Compromise
@@ -35,7 +35,7 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
 1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
-2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
+2 | T1068 | CWE-250, CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
 3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
 4 | ... | ... | ... | ...
@@ -51,63 +51,62 @@ ID | Type | Indicator | Confidence
 2 | File | `/+CSCOE+/logon.html` | High
 3 | File | `/assets/ctx` | Medium
 4 | File | `/bsms/?page=products` | High
-5 | File | `/cloud_config/router_post/check_reg_verify_code` | High
-6 | File | `/concat?/%2557EB-INF/web.xml` | High
-7 | File | `/config/getuser` | High
-8 | File | `/debug/pprof` | Medium
-9 | File | `/ext/phar/phar_object.c` | High
-10 | File | `/filemanager/php/connector.php` | High
-11 | File | `/get_getnetworkconf.cgi` | High
-12 | File | `/HNAP1` | Low
-13 | File | `/include/chart_generator.php` | High
-14 | File | `/index.php?controller=calendar&format=raw&cat[0]=SQLi&task=events` | High
-15 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
-16 | File | `/modx/manager/index.php` | High
-17 | File | `/osm/REGISTER.cmd` | High
-18 | File | `/product_list.php` | High
-19 | File | `/replication` | Medium
-20 | File | `/siteminderagent/pwcgi/smpwservicescgi.exe` | High
-21 | File | `/supervisor/procesa_carga.php` | High
-22 | File | `/type.php` | Medium
-23 | File | `/uncpath/` | Medium
-24 | File | `/usr/bin/pkexec` | High
-25 | File | `/zm/index.php` | High
-26 | File | `4.2.0.CP09` | Medium
-27 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
-28 | File | `802dot1xclientcert.cgi` | High
-29 | File | `add.exe` | Low
-30 | File | `addentry.php` | Medium
-31 | File | `admin-ajax.php` | High
-32 | File | `admin.color.php` | High
-33 | File | `admin.cropcanvas.php` | High
-34 | File | `admin.joomlaradiov5.php` | High
-35 | File | `admin.php` | Medium
-36 | File | `admin.php?m=Food&a=addsave` | High
-37 | File | `admin/conf_users_edit.php` | High
-38 | File | `admin/index.php` | High
-39 | File | `admin/user.php` | High
-40 | File | `admin/write-post.php` | High
-41 | File | `administrator/components/com_media/helpers/media.php` | High
-42 | File | `admin_events.php` | High
-43 | File | `ajax_new_account.php` | High
-44 | File | 
`akocomments.php` | High
-45 | File | `allopass-error.php` | High
-46 | File | `announcement.php` | High
-47 | File | `apply.cgi` | Medium
-48 | File | `archiver\index.php` | High
-49 | File | `artlinks.dispnew.php` | High
-50 | File | `auth.inc.php` | Medium
-51 | File | `authorization.do` | High
-52 | File | `awstats.pl` | Medium
-53 | File | `backoffice/login.asp` | High
+5 | File | `/cgi-bin/system_mgr.cgi` | High
+6 | File | `/cloud_config/router_post/check_reg_verify_code` | High
+7 | File | `/concat?/%2557EB-INF/web.xml` | High
+8 | File | `/config/getuser` | High
+9 | File | `/debug/pprof` | Medium
+10 | File | `/ext/phar/phar_object.c` | High
+11 | File | `/filemanager/php/connector.php` | High
+12 | File | `/get_getnetworkconf.cgi` | High
+13 | File | `/HNAP1` | Low
+14 | File | `/include/chart_generator.php` | High
+15 | File | `/index.php?controller=calendar&format=raw&cat[0]=SQLi&task=events` | High
+16 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
+17 | File | `/modx/manager/index.php` | High
+18 | File | `/osm/REGISTER.cmd` | High
+19 | File | `/product_list.php` | High
+20 | File | `/replication` | Medium
+21 | File | `/siteminderagent/pwcgi/smpwservicescgi.exe` | High
+22 | File | `/supervisor/procesa_carga.php` | High
+23 | File | `/type.php` | Medium
+24 | File | `/uncpath/` | Medium
+25 | File | `/usr/bin/pkexec` | High
+26 | File | `/zm/index.php` | High
+27 | File | `4.2.0.CP09` | Medium
+28 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
+29 | File | `802dot1xclientcert.cgi` | High
+30 | File | `add.exe` | Low
+31 | File | `addentry.php` | Medium
+32 | File | `admin-ajax.php` | High
+33 | File | `admin.color.php` | High
+34 | File | `admin.cropcanvas.php` | High
+35 | File | `admin.joomlaradiov5.php` | High
+36 | File | `admin.php` | Medium
+37 | File | `admin.php?m=Food&a=addsave` | High
+38 | File | `admin/conf_users_edit.php` | High
+39 | File | `admin/index.php` | High
+40 | File 
| `admin/user.php` | High
+41 | File | `admin/write-post.php` | High
+42 | File | `administrator/components/com_media/helpers/media.php` | High
+43 | File | `admin_events.php` | High
+44 | File | `ajax_new_account.php` | High
+45 | File | `akocomments.php` | High
+46 | File | `allopass-error.php` | High
+47 | File | `announcement.php` | High
+48 | File | `apply.cgi` | Medium
+49 | File | `archiver\index.php` | High
+50 | File | `artlinks.dispnew.php` | High
+51 | File | `auth.inc.php` | Medium
+52 | File | `authorization.do` | High
+53 | File | `awstats.pl` | Medium
 54 | File | `bb_usage_stats.php` | High
 55 | File | `binder.c` | Medium
 56 | File | `books.php` | Medium
 57 | File | `C:\Python27` | Medium
-58 | File | `C:\Windows\System32\config\SAM` | High
-59 | ... | ... | ...
+58 | ... | ... | ...
-There are 516 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 510 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
 ## References
diff --git a/actors/APT10/README.md b/actors/APT10/README.md
index a71c5553..ef10c344 100644
--- a/actors/APT10/README.md
+++ b/actors/APT10/README.md
@@ -18,7 +18,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
 * [US](https://vuldb.com/?country.us)
 * [RU](https://vuldb.com/?country.ru)
-* [CH](https://vuldb.com/?country.ch)
+* [CN](https://vuldb.com/?country.cn)
 * ...
 There are 9 more country items available. Please use our online service to access the data.
@@ -109,7 +109,7 @@ ID | Type | Indicator | Confidence
 31 | File | `authenticate.c` | High
 32 | ... | ... | ...
-There are 273 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 270 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
 ## References
diff --git a/actors/APT16/README.md b/actors/APT16/README.md
index e6a3aa9f..655b49d0 100644
--- a/actors/APT16/README.md
+++ b/actors/APT16/README.md
@@ -35,11 +35,11 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
 1 | File | `/download` | Medium
-2 | File | `comment_add.asp` | High
-3 | File | `data/gbconfiguration.dat` | High
+2 | File | `/oscommerce/admin/currencies.php` | High
+3 | File | `comment_add.asp` | High
 4 | ... | ... | ...
-There are 11 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 14 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
 ## References
diff --git a/actors/APT28/README.md b/actors/APT28/README.md
index b9763d4f..0e4e2f8c 100644
--- a/actors/APT28/README.md
+++ b/actors/APT28/README.md
@@ -134,7 +134,7 @@ ID | Type | Indicator | Confidence
 31 | File | `arch/powerpc/kvm/book3s_rtas.c` | High
 32 | ... | ... | ...
-There are 277 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 274 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
 ## References
diff --git a/actors/APT29/README.md b/actors/APT29/README.md
index 960461b7..4e8b15bc 100644
--- a/actors/APT29/README.md
+++ b/actors/APT29/README.md
@@ -90,32 +90,32 @@ ID | Type | Indicator | Confidence
 12 | File | `/context/%2e/WEB-INF/web.xml` | High
 13 | File | `/crmeb/app/admin/controller/store/CopyTaobao.php` | High
 14 | File | `/fudforum/adm/hlplist.php` | High
-15 | File | `/login` | Low
-16 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
-17 | File | `/monitoring` | Medium
-18 | File | `/ms/cms/content/list.do` | High
-19 | File | `/new` | Low
-20 | File | `/orms/` | Low
-21 | File | `/plesk-site-preview/` | High
-22 | File | `/proc//status` | High
-23 | File | `/public/plugins/` | High
-24 | File | `/rom` | Low
-25 | File | `/scripts/killpvhost` | High
-26 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
-27 | File | `/secure/QueryComponent!Default.jspa` | High
-28 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
-29 | File | `/student-grading-system/rms.php?page=grade` | High
-30 | File | `/tmp` | Low
-31 | File | `/tmp/redis.ds` | High
-32 | File | `/uncpath/` | Medium
-33 | File | `/wp-admin` | Medium
-34 | File | `/wp-json/wc/v3/webhooks` | High
-35 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
-36 | File | `ABuffer.cpp` | Medium
-37 | File | `AccountManagerService.java` | High
+15 | File | `/hocms/classes/Master.php?f=delete_collection` | High
+16 | File | `/login` | Low
+17 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
+18 | File | `/monitoring` | Medium
+19 | File | `/ms/cms/content/list.do` | High
+20 | File | `/new` | Low
+21 | File | `/orms/` | Low
+22 | File | `/plesk-site-preview/` | High
+23 | File | `/proc//status` | High
+24 | File | `/public/plugins/` | High
+25 | File | `/rom` | Low
+26 | File | `/scripts/killpvhost` | High
+27 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
+28 | File | `/secure/QueryComponent!Default.jspa` | High
+29 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
+30 | File 
| `/student-grading-system/rms.php?page=grade` | High
+31 | File | `/tmp` | Low
+32 | File | `/tmp/redis.ds` | High
+33 | File | `/uncpath/` | Medium
+34 | File | `/wp-admin` | Medium
+35 | File | `/wp-json/wc/v3/webhooks` | High
+36 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
+37 | File | `ABuffer.cpp` | Medium
 38 | ... | ... | ...
-There are 326 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 325 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
 ## References
diff --git a/actors/APT33/README.md b/actors/APT33/README.md
index 50a33314..e1ff7b2d 100644
--- a/actors/APT33/README.md
+++ b/actors/APT33/README.md
@@ -17,8 +17,8 @@ The following _campaigns_ are known and can be associated with APT33:
 These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT33:
 * [PL](https://vuldb.com/?country.pl)
+* [SV](https://vuldb.com/?country.sv)
 * [DE](https://vuldb.com/?country.de)
-* [ES](https://vuldb.com/?country.es)
 * ...
 There are 8 more country items available. Please use our online service to access the data.
@@ -56,7 +56,7 @@ ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
 1 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
 2 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
-3 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
+3 | T1068 | CWE-250, CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
 4 | ... | ... | ... | ...
 There are 8 more TTP items available. Please use our online service to access the data.
@@ -68,34 +68,38 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
 1 | File | `.htaccess` | Medium
-2 | File | `/admin.add` | Medium
-3 | File | `/admin.php/admin/art/data.html` | High
-4 | File | `/admin/?page=user/manage_user` | High
-5 | File | `/admin/edit_user.php` | High
-6 | File | `/admin/files` | Medium
-7 | File | `/admin/login.php` | High
-8 | File | `/administrator/components/menu/` | High
-9 | File | `/administrator/components/table_manager/` | High
-10 | File | `/api/appInternals/1.0/agent/configuration&` | High
-11 | File | `/api/appInternals/1.0/agent/diagnostic/logs` | High
-12 | File | `/api/fetch` | Medium
-13 | File | `/api/user/{ID}` | High
-14 | File | `/audit/log/log_management.php` | High
-15 | File | `/cloud_config/router_post/register` | High
+2 | File | `/admin.php/admin/art/data.html` | High
+3 | File | `/admin/goods/update` | High
+4 | File | `/admin/login.php` | High
+5 | File | `/admin/posts.php` | High
+6 | File | `/admin/uesrs.php&action=type&userrole=User` | High
+7 | File | `/administrator/alerts/alertLightbox.php` | High
+8 | File | `/api/appInternals/1.0/agent/configuration&` | High
+9 | File | `/api/appInternals/1.0/agent/diagnostic/logs` | High
+10 | File | `/api/fetch` | Medium
+11 | File | `/api/user/{ID}` | High
+12 | File | `/audit/log/log_management.php` | High
+13 | File | `/blog/blog.php` | High
+14 | File | `/cloud_config/router_post/register` | High
+15 | File | `/cmd?cmd=connect` | High
 16 | File | `/config/list` | Medium
-17 | File | `/cwms/admin/?page=articles/view_article/` | High
-18 | File | `/Hospital-Management-System-master/contact.php` | High
-19 | File | `/Hospital-Management-System-master/func.php` | High
-20 | File | `/i/:data/ipa.plist` | High
-21 | File | `/ManageRoute/postRoute` | High
-22 | File | `/ms/cms/content/list.do` | High
-23 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | 
High
-24 | File | `/setting/NTPSyncWithHost` | High
-25 | File | `/system/tool/ping.php` | High
-26 | File | `/system/user/resetPwd` | High
-27 | ... | ... | ...
+17 | File | `/customer_register.php` | High
+18 | File | `/cwms/admin/?page=articles/view_article/` | High
+19 | File | `/etc/master.passwd` | High
+20 | File | `/hocms/classes/Master.php?f=delete_collection` | High
+21 | File | `/hocms/classes/Master.php?f=delete_phase` | High
+22 | File | `/i/:data/ipa.plist` | High
+23 | File | `/index.php?page=reserve` | High
+24 | File | `/ManageRoute/postRoute` | High
+25 | File | `/module/api.php?mobile/webNasIPS` | High
+26 | File | `/modules/eligibility/Student.php` | High
+27 | File | `/plesk-site-preview/` | High
+28 | File | `/public_html/apply_vacancy` | High
+29 | File | `/purchase_order/classes/Master.php?f=delete_item` | High
+30 | File | `/reps/classes/Users.php?f=delete_agent` | High
+31 | ... | ... | ...
-There are 223 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 266 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
 ## References
diff --git a/actors/APT34/README.md b/actors/APT34/README.md
index b55ff332..3414bbad 100644
--- a/actors/APT34/README.md
+++ b/actors/APT34/README.md
@@ -73,24 +73,23 @@ ID | Type | Indicator | Confidence
 13 | File | `/replication` | Medium
 14 | File | `/RestAPI` | Medium
 15 | File | `/SASWebReportStudio/logonAndRender.do` | High
-16 | File | `/tmp/speedtest_urls.xml` | High
-17 | File | `/uncpath/` | Medium
-18 | File | `/var/log/nginx` | High
-19 | File | `/wp-content/plugins/updraftplus/admin.php` | High
-20 | File | `actions.hsp` | Medium
-21 | File | `addentry.php` | Medium
-22 | File | `add_edit_user.asp` | High
-23 | File | `add_to_cart.php` | High
-24 | File | `admin-ajax.php?action=get_wdtable order[0][dir]` | High
-25 | File | `admin/config/confmgr.php` | High
-26 | File | `admin/system_manage/save.html` | High
-27 | File | `ajax.php` | Medium
-28 | File | `apcupsd.pid` | Medium
-29 | File | `api/sms/send-sms` | High
-30 | File | `api/v1/alarms` | High
-31 | ... | ... | ...
+16 | File | `/scas/admin/` | Medium
+17 | File | `/tmp/speedtest_urls.xml` | High
+18 | File | `/uncpath/` | Medium
+19 | File | `/var/log/nginx` | High
+20 | File | `/wp-content/plugins/updraftplus/admin.php` | High
+21 | File | `actions.hsp` | Medium
+22 | File | `addentry.php` | Medium
+23 | File | `add_edit_user.asp` | High
+24 | File | `add_to_cart.php` | High
+25 | File | `admin-ajax.php?action=get_wdtable order[0][dir]` | High
+26 | File | `admin/config/confmgr.php` | High
+27 | File | `admin/system_manage/save.html` | High
+28 | File | `ajax.php` | Medium
+29 | File | `apcupsd.pid` | Medium
+30 | ... | ... | ...
-There are 261 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 256 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
 ## References
diff --git a/actors/APT35/README.md b/actors/APT35/README.md
new file mode 100644
index 00000000..8e433e5b
--- /dev/null
+++ b/actors/APT35/README.md
@@ -0,0 +1,59 @@
+# APT35 - Cyber Threat Intelligence
+
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT35](https://vuldb.com/?actor.apt35). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
+
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.apt35](https://vuldb.com/?actor.apt35)
+
+## Countries
+
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT35:
+
+* [DE](https://vuldb.com/?country.de)
+* [US](https://vuldb.com/?country.us)
+
+## IOC - Indicator of Compromise
+
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of APT35.
+
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [107.173.231.114](https://vuldb.com/?ip.107.173.231.114) | 107-173-231-114-host.colocrossing.com | - | High
+2 | [148.251.71.182](https://vuldb.com/?ip.148.251.71.182) | static.182.71.251.148.clients.your-server.de | - | High
+
+## TTP - Tactics, Techniques, Procedures
+
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _APT35_. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1059.007 | CWE-79 | Cross Site Scripting | High
+
+## IOA - Indicator of Attack
+
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT35. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `data/gbconfiguration.dat` | High
+2 | File | `inc/config.php` | High
+3 | File | `register/check/username?username` | High
+4 | ... | ... | ...
+
+There are 1 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+
+## References
+
+The following list contains _external sources_ which discuss the actor and the associated activities:
+
+* https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
+
+## Literature
+
+The following _articles_ explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
diff --git a/actors/APT41/README.md b/actors/APT41/README.md
index 7ca45360..97f33069 100644
--- a/actors/APT41/README.md
+++ b/actors/APT41/README.md
@@ -66,7 +66,7 @@ ID | Technique | Weakness | Description | Confidence
 3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
 4 | ... | ... | ... | ...
-There are 7 more TTP items available. Please use our online service to access the data.
+There are 8 more TTP items available. Please use our online service to access the data.
 ## IOA - Indicator of Attack
@@ -116,7 +116,7 @@ ID | Type | Indicator | Confidence
 40 | File | `admin/conf_users_edit.php` | High
 41 | ... | ... | ...
-There are 353 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 354 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
 ## References
diff --git a/actors/Africa Unknown/README.md b/actors/Africa Unknown/README.md
index ea0e1f1e..e3a6a4e0 100644
--- a/actors/Africa Unknown/README.md
+++ b/actors/Africa Unknown/README.md
@@ -72,38 +72,37 @@ ID | Type | Indicator | Confidence 8 | File | `/file?action=download&file` | High 9 | File | `/home/httpd/cgi-bin/cgi.cgi` | High 10 | File | `/html/includes/graphs/port/mac_acc_total.inc.php` | High -11 | File | `/inc/subscriber_list.php` | High -12 | File | `/install/index.php` | High -13 | File | `/layout/class.xblogcomment.php` | High -14 | File | `/LEPTON_stable_2.2.2/upload/admins/admintools/tool.php` | High -15 | File | `/manager/jsp/test.jsp` | High -16 | File | `/medical/inventories.php` | High -17 | File | `/monitoring` | Medium -18 | File | `/plugins/servlet/audit/resource` | High -19 | File | `/plugins/servlet/project-config/PROJECT/roles` | High -20 | File | `/public/login.htm` | High -21 | File | `/replication` | Medium -22 | File | `/RestAPI` | Medium -23 | File | `/TeleoptiWFM/Administration/GetOneTenant` | High -24 | File | `/tmp/speedtest_urls.xml` | High -25 | File | `/uncpath/` | Medium -26 | File | `/usr/bin/at` | Medium -27 | File | `/var/log/nginx` | High -28 | File | `/_vti_pvt/access.cnf` | High -29 | File | `admin-ajax.php?action=get_wdtable order[0][dir]` | High -30 | File | `admin/e_mesaj_yaz.asp` | High -31 | File | `admin/profile.php` | High -32 | File | `admin/salesadmin.php` | High -33 | File | `admin/systemWebAdminConfig.do` | High -34 | File | `admin11.cgi` | Medium -35 | File | `admincp/auth/checklogin.php` | High -36 | File | `agenda2.php3` | Medium -37 | File | `ajax-actions.php` | High -38 | File | `ajax/deletePage.php` | High -39 | File | `ajouter_tva.php` | High -40 | ... | ... | ... 
+11 | File | `/install/index.php` | High +12 | File | `/layout/class.xblogcomment.php` | High +13 | File | `/LEPTON_stable_2.2.2/upload/admins/admintools/tool.php` | High +14 | File | `/manager/jsp/test.jsp` | High +15 | File | `/medical/inventories.php` | High +16 | File | `/monitoring` | Medium +17 | File | `/plugins/servlet/audit/resource` | High +18 | File | `/plugins/servlet/project-config/PROJECT/roles` | High +19 | File | `/public/login.htm` | High +20 | File | `/replication` | Medium +21 | File | `/RestAPI` | Medium +22 | File | `/TeleoptiWFM/Administration/GetOneTenant` | High +23 | File | `/tmp/speedtest_urls.xml` | High +24 | File | `/uncpath/` | Medium +25 | File | `/usr/bin/at` | Medium +26 | File | `/var/log/nginx` | High +27 | File | `/_vti_pvt/access.cnf` | High +28 | File | `admin-ajax.php?action=get_wdtable order[0][dir]` | High +29 | File | `admin/e_mesaj_yaz.asp` | High +30 | File | `admin/profile.php` | High +31 | File | `admin/salesadmin.php` | High +32 | File | `admin/systemWebAdminConfig.do` | High +33 | File | `admin11.cgi` | Medium +34 | File | `admincp/auth/checklogin.php` | High +35 | File | `agenda2.php3` | Medium +36 | File | `ajax-actions.php` | High +37 | File | `ajax/deletePage.php` | High +38 | File | `ajouter_tva.php` | High +39 | ... | ... | ... -There are 343 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 339 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References diff --git a/actors/B1txor20/README.md b/actors/B1txor20/README.md index ac2cadc3..e9cfd84b 100644 --- a/actors/B1txor20/README.md +++ b/actors/B1txor20/README.md 
@@ -46,11 +46,11 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK ID | Technique | Weakness | Description | Confidence -- | --------- | -------- | ----------- | ---------- 1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High -2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High +2 | T1068 | CWE-250, CWE-264, CWE-284 | Execution with Unnecessary Privileges | High 3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High 4 | ... | ... | ... | ... -There are 8 more TTP items available. Please use our online service to access the data. +There are 7 more TTP items available. Please use our online service to access the data. ## IOA - Indicator of Attack 
@@ -58,41 +58,45 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic ID | Type | Indicator | Confidence -- | ---- | --------- | ---------- -1 | File | `/agenttrayicon` | High -2 | File | `/aqpg/users/login.php` | High -3 | File | `/blog/blog.php` | High -4 | File | `/category.php` | High -5 | File | `/cmd?cmd=connect` | High -6 | File | `/cwms/admin/?page=articles/view_article/` | High -7 | File | `/cwms/classes/Master.php?f=save_contact` | High -8 | File | `/etc/puppetlabs/puppetserver/conf.d/ca.conf` | High -9 | File | `/goform/login_process` | High -10 | File | `/include/chart_generator.php` | High -11 | File | `/include/make.php` | High -12 | File | `/login` | Low -13 | File | `/manager/files` | High -14 | File | `/mims/app/addcustomerHandler.php` | High -15 | File | `/mims/login.php` | High -16 | File | `/nova/bin/detnet` | High -17 | File | `/nova/bin/igmp-proxy` | High -18 | File | `/one_church/churchprofile.php` | High -19 | File | `/one_church/userregister.php` | High -20 | File | `/preauth` | Medium -21 | File | `/scas/admin/` | Medium -22 | File | `/sql/sql_string.h` | High -23 | File | `/src/njs_vmcode.c` | High -24 | File | `/uncpath/` | Medium -25 | File | `/var/log/demisto/` | High -26 | File | `/wbg/core/_includes/authorization.inc.php` | High -27 | File | `/_error` | Low -28 | File | `a2billing/customer/iridium_threed.php` | High -29 | File | `actions/beats_uploader.php` | High -30 | File | `actions/vote_channel.php` | High -31 | File | `admin.php` | Medium -32 | File | `admin/index.php?module=send_ssh` | High -33 | ... | ... | ... 
+1 | File | `/admin.php/Plugins/update.html` | High +2 | File | `/admin.php?id=posts&action=display&value=1&postid=` | High +3 | File | `/admin.php?id=siteoptions&social=display&value=0&sid=2` | High +4 | File | `/admin.php?id=siteoptions&social=edit&sid=2` | High +5 | File | `/admin.php?r=admin/AdminBackup/del` | High +6 | File | `/admin/edit.php` | High +7 | File | `/admin/inbox.php&action=delete` | High +8 | File | `/admin/inbox.php&action=read` | High +9 | File | `/admin/index.php?mode=content&page=media&action=edit` | High +10 | File | `/admin/pagerole.php&action=edit` | High +11 | File | `/admin/posts.php` | High +12 | File | `/admin/posts.php&action=delete` | High +13 | File | `/admin/posts.php&action=edit` | High +14 | File | `/admin/siteoptions.php&action=displaygoal&value=1&roleid=1` | High +15 | File | `/admin/siteoptions.php&social=remove&sid=2` | High +16 | File | `/admin/uesrs.php&&action=delete&userid=4` | High +17 | File | `/admin/uesrs.php&action=display&value=Hide` | High +18 | File | `/admin/uesrs.php&action=display&value=Show` | High +19 | File | `/admin/uesrs.php&action=type&userrole=User` | High +20 | File | `/administrator/alerts/alertLightbox.php` | High +21 | File | `/agenttrayicon` | High +22 | File | `/api/students/me/messages/` | High +23 | File | `/apps/acs-commons/content/page-compare.html` | High +24 | File | `/aqpg/users/login.php` | High +25 | File | `/blog/blog.php` | High +26 | File | `/category.php` | High +27 | File | `/cdsms/classes/Master.php?f=delete_enrollment` | High +28 | File | `/cdsms/classes/Master.php?f=delete_package` | High +29 | File | `/cgi-bin/main.cgi` | High +30 | File | `/cmd?cmd=connect` | High +31 | File | `/customer_register.php` | High +32 | File | `/cwms/admin/?page=articles/view_article/` | High +33 | File | `/cwms/classes/Master.php?f=save_contact` | High +34 | File | `/demo/module/?module=HERE` | High +35 | File | `/goform/WifiExtraSet` | High +36 | File | `/hocms/classes/Master.php?f=delete_collection` 
| High +37 | ... | ... | ... -There are 277 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 317 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References diff --git a/actors/BazarLoader/README.md b/actors/BazarLoader/README.md index baf72344..11933437 100644 --- a/actors/BazarLoader/README.md +++ b/actors/BazarLoader/README.md @@ -4,16 +4,23 @@ These _indicators_ were reported, collected, and generated during the [VulDB CTI _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.bazarloader](https://vuldb.com/?actor.bazarloader) +## Campaigns + +The following _campaigns_ are known and can be associated with BazarLoader: + +* Anchor +* Diavol + ## Countries These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with BazarLoader: * [US](https://vuldb.com/?country.us) * [CN](https://vuldb.com/?country.cn) -* [DK](https://vuldb.com/?country.dk) +* [RU](https://vuldb.com/?country.ru) * ... -There are 21 more country items available. Please use our online service to access the data. +There are 1 more country items available. Please use our online service to access the data. ## IOC - Indicator of Compromise 
@@ -21,26 +28,31 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi ID | IP address | Hostname | Campaign | Confidence -- | ---------- | -------- | -------- | ---------- -1 | [13.225.230.232](https://vuldb.com/?ip.13.225.230.232) | server-13-225-230-232.jfk51.r.cloudfront.net | - | High -2 | [13.226.32.216](https://vuldb.com/?ip.13.226.32.216) | server-13-226-32-216.ewr53.r.cloudfront.net | - | High -3 | [18.67.60.164](https://vuldb.com/?ip.18.67.60.164) | server-18-67-60-164.iad89.r.cloudfront.net | - | High -4 | [23.56.10.219](https://vuldb.com/?ip.23.56.10.219) | a23-56-10-219.deploy.static.akamaitechnologies.com | - | High -5 | [23.62.25.178](https://vuldb.com/?ip.23.62.25.178) | a23-62-25-178.deploy.static.akamaitechnologies.com | - | High -6 | [23.95.238.122](https://vuldb.com/?ip.23.95.238.122) | 23-95-238-122-host.colocrossing.com | - | High -7 | [23.106.223.174](https://vuldb.com/?ip.23.106.223.174) | - | - | High -8 | [23.160.193.217](https://vuldb.com/?ip.23.160.193.217) | unknown.ip-xfer.net | - | High -9 | [23.193.217.119](https://vuldb.com/?ip.23.193.217.119) | a23-193-217-119.deploy.static.akamaitechnologies.com | - | High -10 | [31.171.251.118](https://vuldb.com/?ip.31.171.251.118) | ch.ns.mon0.li | - | High -11 | [31.214.240.203](https://vuldb.com/?ip.31.214.240.203) | - | - | High -12 | [34.209.40.84](https://vuldb.com/?ip.34.209.40.84) | ec2-34-209-40-84.us-west-2.compute.amazonaws.com | - | Medium -13 | [34.221.188.35](https://vuldb.com/?ip.34.221.188.35) | ec2-34-221-188-35.us-west-2.compute.amazonaws.com | - | Medium -14 | [34.222.222.126](https://vuldb.com/?ip.34.222.222.126) | ec2-34-222-222-126.us-west-2.compute.amazonaws.com | - | Medium -15 | [40.76.4.15](https://vuldb.com/?ip.40.76.4.15) | - | - | High -16 | [40.112.72.205](https://vuldb.com/?ip.40.112.72.205) | - | - | High -17 | [40.113.200.201](https://vuldb.com/?ip.40.113.200.201) | - | - | High -18 | ... | ... | ... | ... 
+1 | [3.101.57.185](https://vuldb.com/?ip.3.101.57.185) | ec2-3-101-57-185.us-west-1.compute.amazonaws.com | - | Medium +2 | [13.225.230.232](https://vuldb.com/?ip.13.225.230.232) | server-13-225-230-232.jfk51.r.cloudfront.net | - | High +3 | [13.226.32.216](https://vuldb.com/?ip.13.226.32.216) | server-13-226-32-216.ewr53.r.cloudfront.net | - | High +4 | [18.67.60.164](https://vuldb.com/?ip.18.67.60.164) | server-18-67-60-164.iad89.r.cloudfront.net | - | High +5 | [23.56.10.219](https://vuldb.com/?ip.23.56.10.219) | a23-56-10-219.deploy.static.akamaitechnologies.com | - | High +6 | [23.62.25.178](https://vuldb.com/?ip.23.62.25.178) | a23-62-25-178.deploy.static.akamaitechnologies.com | - | High +7 | [23.82.19.173](https://vuldb.com/?ip.23.82.19.173) | - | - | High +8 | [23.94.51.80](https://vuldb.com/?ip.23.94.51.80) | 23-94-51-80-host.colocrossing.com | Anchor | High +9 | [23.95.238.122](https://vuldb.com/?ip.23.95.238.122) | 23-95-238-122-host.colocrossing.com | - | High +10 | [23.106.160.77](https://vuldb.com/?ip.23.106.160.77) | - | - | High +11 | [23.106.215.61](https://vuldb.com/?ip.23.106.215.61) | - | - | High +12 | [23.106.223.174](https://vuldb.com/?ip.23.106.223.174) | - | - | High +13 | [23.152.0.22](https://vuldb.com/?ip.23.152.0.22) | anahiem.net | Diavol | High +14 | [23.160.193.217](https://vuldb.com/?ip.23.160.193.217) | unknown.ip-xfer.net | - | High +15 | [23.193.217.119](https://vuldb.com/?ip.23.193.217.119) | a23-193-217-119.deploy.static.akamaitechnologies.com | - | High +16 | [31.171.251.118](https://vuldb.com/?ip.31.171.251.118) | ch.ns.mon0.li | - | High +17 | [31.214.240.203](https://vuldb.com/?ip.31.214.240.203) | - | - | High +18 | [34.209.40.84](https://vuldb.com/?ip.34.209.40.84) | ec2-34-209-40-84.us-west-2.compute.amazonaws.com | - | Medium +19 | [34.210.71.206](https://vuldb.com/?ip.34.210.71.206) | ec2-34-210-71-206.us-west-2.compute.amazonaws.com | Anchor | Medium +20 | [34.221.188.35](https://vuldb.com/?ip.34.221.188.35) | 
ec2-34-221-188-35.us-west-2.compute.amazonaws.com | - | Medium +21 | [34.222.222.126](https://vuldb.com/?ip.34.222.222.126) | ec2-34-222-222-126.us-west-2.compute.amazonaws.com | - | Medium +22 | [35.165.197.209](https://vuldb.com/?ip.35.165.197.209) | ec2-35-165-197-209.us-west-2.compute.amazonaws.com | - | Medium +23 | ... | ... | ... | ... -There are 68 more IOC items available. Please use our online service to access the data. +There are 88 more IOC items available. Please use our online service to access the data. ## TTP - Tactics, Techniques, Procedures @@ -50,10 +62,10 @@ ID | Technique | Weakness | Description | Confidence -- | --------- | -------- | ----------- | ---------- 1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High 2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High -3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High +3 | T1552 | CWE-319, CWE-522 | Unprotected Storage of Credentials | High 4 | ... | ... | ... | ... -There are 7 more TTP items available. Please use our online service to access the data. +There are 1 more TTP items available. Please use our online service to access the data. ## IOA - Indicator of Attack 
@@ -61,64 +73,17 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic ID | Type | Indicator | Confidence -- | ---- | --------- | ---------- -1 | File | `.htaccess` | Medium -2 | File | `.user` | Low -3 | File | `/.dbus-keyrings` | High -4 | File | `/api` | Low -5 | File | `/catalog/admin/categories.php?cPath=&action=new_product` | High -6 | File | `/cgi-bin/system_mgr.cgi` | High -7 | File | `/common/ticket_associated_tickets.php` | High -8 | File | `/common/user_profile.php` | High -9 | File | `/Content/Template/root/reverse-shell.aspx` | High -10 | File | `/debug/pprof` | Medium -11 | File | `/getcfg.php` | Medium -12 | File | `/goform/form2userconfig.cgi` | High -13 | File | `/include/makecvs.php` | High -14 | File | `/includes/db_adodb.php` | High -15 | File | `/objects/pluginSwitch.json.php` | High -16 | File | `/PluXml/core/admin/parametres_edittpl.php` | High -17 | File | `/register.do` | Medium -18 | File | `/rest/api/latest/groupuserpicker` | High -19 | File | `/rest/project-templates/1.0/createshared` | High -20 | File | `/restoreinfo.cgi` | High -21 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High -22 | File | `/see_more_details.php` | High -23 | File | `/sendrcpackage?keyid=-2544&keysymbol=-4081` | High -24 | File | `/services` | Medium -25 | File | `/uncpath/` | Medium -26 | File | `/usr/local/vesta/bin` | High -27 | File | `/usr/sbin/suexec` | High -28 | File | `/v3/credentials` | High -29 | File | `/var/log/monkeyd/master.log` | High -30 | File | `/var/passwd` | Medium -31 | File | `/var/run/storage_account_root` | High -32 | File | `/webconsole/APIController` | High -33 | File | `/websocket` | Medium -34 | File | `802dot1xclientcert.cgi` | High -35 | File | `account.asp` | Medium -36 | File | `Account.aspx` | Medium -37 | File | `ActionsAndOperations` | High -38 | File | `adclick.php` | Medium -39 | File | `add.php` | Low -40 | File | `admin/?n=tags&c=index&a=doSaveTags` | High -41 | File | 
`admin/admin.shtml` | High -42 | File | `admin/db-backup-security/db-backup-security.php` | High -43 | File | `admin/graph_trend.php` | High -44 | File | `administrator/components/com_media/helpers/media.php` | High -45 | File | `adminquery.php` | High -46 | File | `agent_links.pl` | High -47 | File | `ajax/render/widget_php` | High -48 | File | `Ap4StssAtom.cpp` | High -49 | File | `Ap4StszAtom.cpp` | High -50 | File | `apetag.c` | Medium -51 | File | `app/system/language/admin/language_general.class.php` | High -52 | File | `apply_sec.cgi` | High -53 | File | `app\contacts\contact_times.php` | High -54 | File | `Archive.java` | Medium -55 | File | `article.php` | Medium -56 | ... | ... | ... +1 | File | `/api` | Low +2 | File | `/include/makecvs.php` | High +3 | File | `/PluXml/core/admin/parametres_edittpl.php` | High +4 | File | `/usr/local/psa/admin/sbin/wrapper` | High +5 | File | `add.php` | Low +6 | File | `admin/admin.shtml` | High +7 | File | `cat.asp` | Low +8 | File | `class.phpmailer.php` | High +9 | ... | ... | ... -There are 484 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 66 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References 
@@ -130,6 +95,10 @@ The following list contains _external sources_ which discuss the actor and the a * https://isc.sans.edu/forums/diary/April+2021+Forensic+Quiz+Answers+and+Analysis/27308/ * https://isc.sans.edu/forums/diary/Stolen+Images+Evidence+Campaign+Continues+Pushing+BazarLoader+Malware/27816/ * https://isc.sans.edu/forums/diary/TA551+Shathak+continues+pushing+BazarLoader+infections+lead+to+Cobalt+Strike/27738/ +* https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/ +* https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/ +* https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/ +* https://thedfirreport.com/2021/12/13/diavol-ransomware/ * https://twitter.com/_pr4gma/status/1347617681197961225 ## Literature diff --git a/actors/BlackCat/README.md b/actors/BlackCat/README.md index f2807fd1..c5dd7931 100644 --- a/actors/BlackCat/README.md +++ b/actors/BlackCat/README.md @@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce * [DE](https://vuldb.com/?country.de) * ... -There are 1 more country items available. Please use our online service to access the data. +There are 3 more country items available. Please use our online service to access the data. ## IOC - Indicator of Compromise 
@@ -52,34 +52,33 @@ ID | Type | Indicator | Confidence 3 | File | `/admin.php/admin/ulog/index.html` | High 4 | File | `/admin.php/admin/website/data.html` | High 5 | File | `/admin.php?id=siteoptions&social=display&value=0&sid=2` | High -6 | File | `/admin/inbox.php&action=read` | High -7 | File | `/admin/posts.php` | High -8 | File | `/admin/posts.php&action=delete` | High -9 | File | `/admin/run_ajax.php` | High -10 | File | `/administrator/components/menu/` | High -11 | File | `/admin_page/all-files-update-ajax.php` | High -12 | File | `/api/crontab` | Medium -13 | File | `/blog/blog.php` | High -14 | File | `/cdsms/classes/Master.php?f=delete_enrollment` | High -15 | File | `/cgi-bin/kerbynet` | High -16 | File | `/cloud_config/router_post/modify_account_pwd` | High -17 | File | `/cloud_config/router_post/register` | High -18 | File | `/config/list` | Medium -19 | File | `/download/` | Medium -20 | File | `/etc/ajenti/config.yml` | High -21 | File | `/etc/cobbler` | Medium -22 | File | `/etc/passwd` | Medium -23 | File | `/export` | Low -24 | File | `/goform/delAd` | High -25 | File | `/goform/form2Reboot.cgi` | High -26 | File | `/home.asp` | Medium -27 | File | `/index.php?act=api&tag=8` | High -28 | File | `/jeecg-boot/sys/user/queryUserByDepId` | High -29 | File | `/languages/index.php` | High -30 | File | `/members/view_member.php` | High -31 | ... | ... | ... 
+6 | File | `/admin.php?id=siteoptions&social=edit&sid=2` | High +7 | File | `/admin/inbox.php&action=read` | High +8 | File | `/admin/posts.php` | High +9 | File | `/admin/posts.php&action=delete` | High +10 | File | `/admin/run_ajax.php` | High +11 | File | `/admin/siteoptions.php&action=displaygoal&value=1&roleid=1` | High +12 | File | `/admin/uesrs.php&&action=delete&userid=4` | High +13 | File | `/admin/uesrs.php&action=type&userrole=Admin&userid=3` | High +14 | File | `/admin_page/all-files-update-ajax.php` | High +15 | File | `/api/crontab` | Medium +16 | File | `/blog/blog.php` | High +17 | File | `/cdsms/classes/Master.php?f=delete_enrollment` | High +18 | File | `/cgi-bin/kerbynet` | High +19 | File | `/cloud_config/router_post/modify_account_pwd` | High +20 | File | `/cloud_config/router_post/register` | High +21 | File | `/config/list` | Medium +22 | File | `/download/` | Medium +23 | File | `/etc/ajenti/config.yml` | High +24 | File | `/etc/cobbler` | Medium +25 | File | `/etc/passwd` | Medium +26 | File | `/export` | Low +27 | File | `/goform/delAd` | High +28 | File | `/goform/form2Reboot.cgi` | High +29 | File | `/home.asp` | Medium +30 | ... | ... | ... -There are 268 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 259 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References diff --git a/actors/Bouncing Golf/README.md b/actors/Bouncing Golf/README.md index 1239159d..db14631e 100644 --- a/actors/Bouncing Golf/README.md +++ b/actors/Bouncing Golf/README.md 
@@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce * [RU](https://vuldb.com/?country.ru) * ... -There are 21 more country items available. Please use our online service to access the data. +There are 22 more country items available. Please use our online service to access the data. ## IOC - Indicator of Compromise diff --git a/actors/Bunse/README.md b/actors/Bunse/README.md index b8c5ee07..b01ffb1e 100644 --- a/actors/Bunse/README.md +++ b/actors/Bunse/README.md @@ -14,6 +14,7 @@ The following _campaigns_ are known and can be associated with Bunse: These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Bunse: +* [FR](https://vuldb.com/?country.fr) * [ES](https://vuldb.com/?country.es) * [US](https://vuldb.com/?country.us) diff --git a/actors/Candiru/README.md b/actors/Candiru/README.md index 92523383..94a579b6 100644 --- a/actors/Candiru/README.md +++ b/actors/Candiru/README.md @@ -4,6 +4,12 @@ These _indicators_ were reported, collected, and generated during the [VulDB CTI _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.candiru](https://vuldb.com/?actor.candiru) +## Campaigns + +The following _campaigns_ are known and can be associated with Candiru: + +* CatalanGate + ## Countries These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Candiru: @@ -13,7 +19,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce * [TR](https://vuldb.com/?country.tr) * ... -There are 14 more country items available. Please use our online service to access the data. +There are 13 more country items available. Please use our online service to access the data. ## IOC - Indicator of Compromise 
@@ -29,7 +35,7 @@ ID | IP address | Hostname | Campaign | Confidence 6 | [5.206.227.93](https://vuldb.com/?ip.5.206.227.93) | noos-proxy | - | High 7 | ... | ... | ... | ... -There are 23 more IOC items available. Please use our online service to access the data. +There are 25 more IOC items available. Please use our online service to access the data. ## TTP - Tactics, Techniques, Procedures 
@@ -58,43 +64,43 @@ ID | Type | Indicator | Confidence 6 | File | `/article/add` | Medium 7 | File | `/cgi-bin/editBookmark` | High 8 | File | `/cgi-bin/uploadWeiXinPic` | High -9 | File | `/computer/(agent-name)/api` | High -10 | File | `/controller/pay.class.php` | High -11 | File | `/dev/block/mmcblk0rpmb` | High -12 | File | `/dev/kmem` | Medium -13 | File | `/dev/shm` | Medium -14 | File | `/dev/snd/seq` | Medium -15 | File | `/device/device=140/tab=wifi/view` | High -16 | File | `/dl/dl_print.php` | High -17 | File | `/getcfg.php` | Medium -18 | File | `/goform/addressNat` | High -19 | File | `/htdocs/admin/dict.php?id=3` | High -20 | File | `/include/menu_v.inc.php` | High -21 | File | `/includes/rrdtool.inc.php` | High -22 | File | `/irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.UserMapping` | High -23 | File | `/jerry-core/ecma/base/ecma-gc.c` | High -24 | File | `/jerry-core/ecma/base/ecma-helpers-conversion.c` | High -25 | File | `/login` | Low -26 | File | `/module/module_frame/index.php` | High -27 | File | `/notice-edit.php` | High -28 | File | `/nova/bin/sniffer` | High -29 | File | `/ofcms/company-c-47` | High -30 | File | `/proc/*/cmdline"` | High -31 | File | `/proc/pid/syscall` | High -32 | File | `/product_list.php` | High -33 | File | `/rest/api/2/user/picker` | High -34 | File | `/rukovoditel_2.4.1/index.php?module=configuration/save&redirect_to=configuration/application` | High -35 | File | `/services/details.asp` | High -36 | File | `/src/core/controllers/cm.php` | High -37 | File | `/storage/app/media/evil.svg` | High -38 | ... | ... | ... 
+9 | File | `/controller/pay.class.php` | High +10 | File | `/dev/block/mmcblk0rpmb` | High +11 | File | `/dev/kmem` | Medium +12 | File | `/dev/shm` | Medium +13 | File | `/dev/snd/seq` | Medium +14 | File | `/device/device=140/tab=wifi/view` | High +15 | File | `/dl/dl_print.php` | High +16 | File | `/getcfg.php` | Medium +17 | File | `/goform/addressNat` | High +18 | File | `/htdocs/admin/dict.php?id=3` | High +19 | File | `/include/menu_v.inc.php` | High +20 | File | `/irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.UserMapping` | High +21 | File | `/jerry-core/ecma/base/ecma-gc.c` | High +22 | File | `/jerry-core/ecma/base/ecma-helpers-conversion.c` | High +23 | File | `/login` | Low +24 | File | `/module/module_frame/index.php` | High +25 | File | `/notice-edit.php` | High +26 | File | `/nova/bin/sniffer` | High +27 | File | `/ofcms/company-c-47` | High +28 | File | `/proc/*/cmdline"` | High +29 | File | `/proc/pid/syscall` | High +30 | File | `/product_list.php` | High +31 | File | `/rest/api/2/user/picker` | High +32 | File | `/rukovoditel_2.4.1/index.php?module=configuration/save&redirect_to=configuration/application` | High +33 | File | `/services/details.asp` | High +34 | File | `/src/core/controllers/cm.php` | High +35 | File | `/storage/app/media/evil.svg` | High +36 | File | `/transmission/web/` | High +37 | ... | ... | ... -There are 325 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 322 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References The following list contains _external sources_ which discuss the actor and the associated activities: +* https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/ * https://github.com/eset/malware-ioc/tree/master/swc-candiru ## Literature 
diff --git a/actors/ChaChi/README.md b/actors/ChaChi/README.md index 90bdd99b..ecaf8df7 100644 --- a/actors/ChaChi/README.md +++ b/actors/ChaChi/README.md @@ -80,7 +80,7 @@ ID | Type | Indicator | Confidence 28 | File | `admin/article_category.php?rec=update` | High 29 | ... | ... | ... -There are 245 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 246 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References diff --git a/actors/Cobalt Group/README.md b/actors/Cobalt Group/README.md index 4ecf7414..e8cba59e 100644 --- a/actors/Cobalt Group/README.md +++ b/actors/Cobalt Group/README.md @@ -9,8 +9,8 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Cobalt Group: * [FR](https://vuldb.com/?country.fr) -* [ES](https://vuldb.com/?country.es) -* [DE](https://vuldb.com/?country.de) +* [PL](https://vuldb.com/?country.pl) +* [IT](https://vuldb.com/?country.it) * ... There are 8 more country items available. Please use our online service to access the data. 
@@ -54,28 +54,27 @@ ID | Type | Indicator | Confidence 4 | File | `/admin/show.php` | High 5 | File | `/administrator/components/menu/` | High 6 | File | `/app/register.php` | High -7 | File | `/controller/CommentAdminController.java` | High -8 | File | `/data/sqldata` | High -9 | File | `/feedback/post/` | High -10 | File | `/goform/SetPptpServerCfg` | High -11 | File | `/hdf5/src/H5Fint.c` | High -12 | File | `/index.php?page=reserve` | High -13 | File | `/jeecg-boot/sys/user/queryUserByDepId` | High -14 | File | `/jerry-core/ecma/base/ecma-literal-storage.c` | High -15 | File | `/jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c` | High -16 | File | `/jerry-core/ecma/operations/ecma-objects.c` | High -17 | File | `/public/launchNewWindow.jsp` | High -18 | File | `/purchase_order/admin/?page=user` | High -19 | File | `/reps/admin/?page=agents/manage_agent` | High -20 | File | `/SAP_Information_System/controllers/add_admin.php` | High -21 | File | `/scas/classes/Users.php?f=save_user` | High -22 | File | `/servlets/Jmx_dynamic` | High -23 | File | `/setting/NTPSyncWithHost` | High -24 | File | `/src/njs_object.c` | High -25 | File | `/template/unzip.do` | High -26 | ... | ... | ... 
+7 | File | `/data/sqldata` | High +8 | File | `/feedback/post/` | High +9 | File | `/goform/SetPptpServerCfg` | High +10 | File | `/hdf5/src/H5Fint.c` | High +11 | File | `/index.php?page=reserve` | High +12 | File | `/jeecg-boot/sys/user/queryUserByDepId` | High +13 | File | `/jerry-core/ecma/base/ecma-literal-storage.c` | High +14 | File | `/jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c` | High +15 | File | `/jerry-core/ecma/operations/ecma-objects.c` | High +16 | File | `/public/launchNewWindow.jsp` | High +17 | File | `/purchase_order/admin/?page=user` | High +18 | File | `/reps/admin/?page=agents/manage_agent` | High +19 | File | `/SAP_Information_System/controllers/add_admin.php` | High +20 | File | `/scas/classes/Users.php?f=save_user` | High +21 | File | `/servlets/Jmx_dynamic` | High +22 | File | `/setting/NTPSyncWithHost` | High +23 | File | `/src/njs_object.c` | High +24 | File | `/template/unzip.do` | High +25 | ... | ... | ... -There are 214 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 212 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References diff --git a/actors/Cobalt Strike/README.md b/actors/Cobalt Strike/README.md index 2811e320..799da50c 100644 --- a/actors/Cobalt Strike/README.md +++ b/actors/Cobalt Strike/README.md 
@@ -9,11 +9,11 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Cobalt Strike: * [US](https://vuldb.com/?country.us) -* [SV](https://vuldb.com/?country.sv) +* [DE](https://vuldb.com/?country.de) * [GB](https://vuldb.com/?country.gb) * ... -There are 10 more country items available. Please use our online service to access the data. +There are 21 more country items available. Please use our online service to access the data. ## IOC - Indicator of Compromise @@ -21,13 +21,17 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi ID | IP address | Hostname | Campaign | Confidence -- | ---------- | -------- | -------- | ---------- -1 | [23.82.140.91](https://vuldb.com/?ip.23.82.140.91) | - | - | High -2 | [23.108.57.108](https://vuldb.com/?ip.23.108.57.108) | - | - | High -3 | [45.134.26.174](https://vuldb.com/?ip.45.134.26.174) | - | - | High -4 | [45.144.29.185](https://vuldb.com/?ip.45.144.29.185) | master.pisyandriy.com | - | High -5 | ... | ... | ... | ... +1 | [5.255.98.144](https://vuldb.com/?ip.5.255.98.144) | - | - | High +2 | [23.19.227.147](https://vuldb.com/?ip.23.19.227.147) | - | - | High +3 | [23.81.246.32](https://vuldb.com/?ip.23.81.246.32) | - | - | High +4 | [23.82.140.91](https://vuldb.com/?ip.23.82.140.91) | - | - | High +5 | [23.108.57.39](https://vuldb.com/?ip.23.108.57.39) | - | - | High +6 | [23.108.57.108](https://vuldb.com/?ip.23.108.57.108) | - | - | High +7 | [23.227.199.10](https://vuldb.com/?ip.23.227.199.10) | 23-227-199-10.static.hvvc.us | - | High +8 | [45.134.26.174](https://vuldb.com/?ip.45.134.26.174) | - | - | High +9 | ... | ... | ... | ... -There are 15 more IOC items available. Please use our online service to access the data. +There are 33 more IOC items available. Please use our online service to access the data. ## TTP - Tactics, Techniques, Procedures 
@@ -40,7 +44,7 @@ ID | Technique | Weakness | Description | Confidence
 3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
 4 | ... | ... | ... | ...
-There are 4 more TTP items available. Please use our online service to access the data.
+There are 5 more TTP items available. Please use our online service to access the data.
 ## IOA - Indicator of Attack
@@ -48,66 +52,61 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
-1 | File | `/?admin/user.html` | High
-2 | File | `/admin/success_story.php` | High
-3 | File | `/configuration/httpListenerEdit.jsf` | High
+1 | File | `/admin/success_story.php` | High
+2 | File | `/category.php` | High
+3 | File | `/cgi-bin/supervisor/PwdGrp.cgi` | High
 4 | File | `/etc/tomcat8/Catalina/attack` | High
 5 | File | `/movie-portal-script/movie.php` | High
 6 | File | `/notice-edit.php` | High
-7 | File | `/resourceNode/jdbcResourceEdit.jsf` | High
-8 | File | `/tmp` | Low
-9 | File | `/wp-content/plugins/updraftplus/admin.php` | High
-10 | File | `4.2.0.CP08` | Medium
-11 | File | `account.asp` | Medium
-12 | File | `acerctrl.ocx` | Medium
-13 | File | `activate.php` | Medium
-14 | File | `add.php` | Low
-15 | File | `adm/krgourl.php` | High
-16 | File | `admin.php` | Medium
-17 | File | `admin/admin.php` | High
-18 | File | `admin/adminaddeditdetails.php` | High
-19 | File | `admin/ajaxsave.php` | High
-20 | File | `admin/auth.php` | High
-21 | File | `admin/images.php` | High
-22 | File | `admin/import/class-import-settings.php` | High
-23 | File | `ADMIN/loginaction.php` | High
-24 | File | `admin/member_details.php` | High
-25 | File | `admin/preview.php` | High
-26 | File | `ajax/addComment.php` | High
-27 | File | `and/or` | Low
-28 | File | `arch/powerpc/kernel/entry_64.S` | High
-29 | File | `archive_read_support_format_rar5.c` | High
-30 | File | `article.php` | Medium
-31 | File | `asp:.jpg` | Medium
-32 | File | `auth2-gss.c` | Medium
-33 | File | `backup.php` | Medium
-34 | File | `bios.php` | Medium
-35 | File | `blanko.preview.php` | High
-36 | File | `block/bfq-iosched.c` | High
-37 | File | `browse.php` | Medium
-38 | File | `browse_ladies.php` | High
-39 | File | `burl.c` | Low
-40 | File | `cadena_ofertas_ext.php` | High
-41 | File | `cal_popup.php` | High
-42 | File | `category-delete.php` | High
-43 | File | `category.php` | Medium
-44 | File | `CFM File Handler` | High
-45 | File | `cgi-bin/awstats.pl` | High
-46 | File | `Change-password.php` | High
-47 | File | `charts.php` | Medium
-48 | File | `chat.php` | Medium
-49 | File | `classified.php` | High
-50 | File | `comments.php` | Medium
-51 | File | `config.php` | Medium
-52 | File | `core/stack/l2cap/l2cap_sm.c` | High
-53 | File | `country_escorts.php` | High
-54 | File | `cource.php` | Medium
-55 | File | `Crypt32.dll` | Medium
-56 | File | `dapur/index.php` | High
-57 | File | `default.asp` | Medium
-58 | ... | ... | ...
+7 | File | `/objects/getSpiritsFromVideo.php` | High
+8 | File | `/servlet/webacc` | High
+9 | File | `/TeamMate/Upload/DomainObjectDocumentUpload.ashx` | High
+10 | File | `/tmp` | Low
+11 | File | `/uncpath/` | Medium
+12 | File | `/wp-admin/admin-ajax.php` | High
+13 | File | `/wp-content/plugins/updraftplus/admin.php` | High
+14 | File | `4.2.0.CP08` | Medium
+15 | File | `account.asp` | Medium
+16 | File | `acerctrl.ocx` | Medium
+17 | File | `activate.php` | Medium
+18 | File | `add.php` | Low
+19 | File | `admin.php` | Medium
+20 | File | `admin/admin.php` | High
+21 | File | `admin/adminaddeditdetails.php` | High
+22 | File | `admin/class-jtrt-responsive-tables-admin.php` | High
+23 | File | `admin/images.php` | High
+24 | File | `admin/import/class-import-settings.php` | High
+25 | File | `admin/infoclass_update.php` | High
+26 | File | `admin/member_details.php` | High
+27 | File | `admin/preview.php` | High
+28 | File | `ajax/addComment.php` | High
+29 | File | `allocate_block.cpp` | High
+30 | File | `and/or` | Low
+31 | File | `app/code/core/Mage/Rss/Helper/Order.php` | High
+32 | File | `arch/powerpc/kernel/entry_64.S` | High
+33 | File | `archive_read_support_format_rar5.c` | High
+34 | File | `article.php` | Medium
+35 | File | `asmjs/asmangle.cpp` | High
+36 | File | `asp:.jpg` | Medium
+37 | File | `auth2-gss.c` | Medium
+38 | File | `backup.php` | Medium
+39 | File | `bios.php` | Medium
+40 | File | `blanko.preview.php` | High
+41 | File | `block/bfq-iosched.c` | High
+42 | File | `books.php` | Medium
+43 | File | `browse_ladies.php` | High
+44 | File | `burl.c` | Low
+45 | File | `cadena_ofertas_ext.php` | High
+46 | File | `category-delete.php` | High
+47 | File | `category.php` | Medium
+48 | File | `CFM File Handler` | High
+49 | File | `cgi-bin/awstats.pl` | High
+50 | File | `cgi-bin/write.cgi` | High
+51 | File | `Change-password.php` | High
+52 | File | `chat.php` | Medium
+53 | ... | ... | ...
-There are 510 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 460 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
 ## References
@@ -122,8 +121,19 @@ The following list contains _external sources_ which discuss the actor and the a
 * https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike/27158/
 * https://research.checkpoint.com/2019/cobalt-group-returns-to-kazakhstan/
 * https://securelist.com/owowa-credential-stealer-and-remote-access/105219/
+* https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
+* https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/
+* https://thedfirreport.com/2021/05/12/conti-ransomware/
+* https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/
+* https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/
+* https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/
+* https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
+* https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/
+* https://thedfirreport.com/2021/12/13/diavol-ransomware/
+* https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
 * https://twitter.com/malware_traffic/status/1400876426497253379
 * https://twitter.com/malware_traffic/status/1415740795622248452
+* https://twitter.com/TheDFIRReport/status/1508451341844168706
 * https://twitter.com/Unit42_Intel/status/1392174941181812737
 * https://us-cert.cisa.gov/ncas/alerts/aa21-148a
 * https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
diff --git a/actors/Conti/README.md b/actors/Conti/README.md
index 5d837121..de6beb85 100644
--- a/actors/Conti/README.md
+++ b/actors/Conti/README.md
@@ -8,6 +8,7 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
 The following _campaigns_ are known and can be associated with Conti:
+* BazarLoader
 * Cobalt Strike
 ## Countries
@@ -34,52 +35,55 @@ ID | IP address | Hostname | Campaign | Confidence
 5 | [5.2.78.121](https://vuldb.com/?ip.5.2.78.121) | - | - | High
 6 | [5.34.178.185](https://vuldb.com/?ip.5.34.178.185) | hathi1.co.in | - | High
 7 | [5.34.181.18](https://vuldb.com/?ip.5.34.181.18) | storage-669286.hosted-by.itldc.com | - | High
-8 | [5.181.156.15](https://vuldb.com/?ip.5.181.156.15) | no-rdns.mivocloud.com | - | High
-9 | [5.181.156.166](https://vuldb.com/?ip.5.181.156.166) | 5-181-156-166.mivocloud.com | - | High
-10 | [5.181.156.226](https://vuldb.com/?ip.5.181.156.226) | no-rdns.mivocloud.com | - | High
-11 | [5.183.95.6](https://vuldb.com/?ip.5.183.95.6) | mail.zeakids.de | - | High
-12 | [5.196.197.27](https://vuldb.com/?ip.5.196.197.27) | - | - | High
-13 | [11.22.33.44](https://vuldb.com/?ip.11.22.33.44) | - | - | High
-14 | [23.82.140.137](https://vuldb.com/?ip.23.82.140.137) | - | - | High
-15 | [23.95.231.200](https://vuldb.com/?ip.23.95.231.200) | 23-95-231-200-host.colocrossing.com | - | High
-16 | [23.106.160.174](https://vuldb.com/?ip.23.106.160.174) | - | - | High
-17 | [23.146.242.134](https://vuldb.com/?ip.23.146.242.134) | - | - | High
-18 | [23.254.228.234](https://vuldb.com/?ip.23.254.228.234) | hwsrv-935246.hostwindsdns.com | - | High
-19 | [24.185.61.99](https://vuldb.com/?ip.24.185.61.99) | ool-18b93d63.dyn.optonline.net | - | High
-20 | [31.13.195.26](https://vuldb.com/?ip.31.13.195.26) | - | - | High
-21 | [31.13.195.144](https://vuldb.com/?ip.31.13.195.144) | - | - | High
-22 | [31.13.195.184](https://vuldb.com/?ip.31.13.195.184) | - | - | High
-23 | [31.14.40.95](https://vuldb.com/?ip.31.14.40.95) | - | - | High
-24 | [31.14.40.220](https://vuldb.com/?ip.31.14.40.220) | - | - | High
-25 | [31.214.157.242](https://vuldb.com/?ip.31.214.157.242) | - | - | High
-26 | [37.0.8.166](https://vuldb.com/?ip.37.0.8.166) | - | - | High
-27 | [37.1.209.181](https://vuldb.com/?ip.37.1.209.181) | - | - | High
-28 | [37.187.24.215](https://vuldb.com/?ip.37.187.24.215) | ns3206394.ip-37-187-24.eu | - | High
-29 | [37.220.6.122](https://vuldb.com/?ip.37.220.6.122) | mail.foxlontech.com | - | High
-30 | [37.235.53.46](https://vuldb.com/?ip.37.235.53.46) | gw1.mad1.vitalng.com | - | High
-31 | [38.88.223.172](https://vuldb.com/?ip.38.88.223.172) | - | - | High
-32 | [38.92.176.125](https://vuldb.com/?ip.38.92.176.125) | - | - | High
-33 | [38.92.191.89](https://vuldb.com/?ip.38.92.191.89) | - | - | High
-34 | [43.126.75.91](https://vuldb.com/?ip.43.126.75.91) | - | - | High
-35 | [45.11.183.198](https://vuldb.com/?ip.45.11.183.198) | - | - | High
-36 | [45.11.183.211](https://vuldb.com/?ip.45.11.183.211) | - | - | High
-37 | [45.14.226.23](https://vuldb.com/?ip.45.14.226.23) | - | - | High
-38 | [45.14.226.47](https://vuldb.com/?ip.45.14.226.47) | - | - | High
-39 | [45.32.131.223](https://vuldb.com/?ip.45.32.131.223) | - | - | High
-40 | [45.32.132.182](https://vuldb.com/?ip.45.32.132.182) | 45.32.132.182.vultr.com | - | Medium
-41 | [45.61.136.221](https://vuldb.com/?ip.45.61.136.221) | - | - | High
-42 | [45.61.138.153](https://vuldb.com/?ip.45.61.138.153) | - | - | High
-43 | [45.67.228.196](https://vuldb.com/?ip.45.67.228.196) | moe.m | - | High
-44 | [45.126.75.91](https://vuldb.com/?ip.45.126.75.91) | 43.126.75.91.stargatecommunications.com | - | High
-45 | [45.141.101.253](https://vuldb.com/?ip.45.141.101.253) | ongu.golderitu.com | - | High
-46 | [45.141.103.194](https://vuldb.com/?ip.45.141.103.194) | ptr.ruvds.com | - | High
-47 | [45.143.94.60](https://vuldb.com/?ip.45.143.94.60) | - | - | High
-48 | [45.148.120.142](https://vuldb.com/?ip.45.148.120.142) | - | - | High
-49 | [45.148.120.192](https://vuldb.com/?ip.45.148.120.192) | - | - | High
-50 | [45.153.240.191](https://vuldb.com/?ip.45.153.240.191) | - | - | High
-51 | ... | ... | ... | ...
+8 | [5.181.80.113](https://vuldb.com/?ip.5.181.80.113) | ip-80-113-bullethost.net | - | High
+9 | [5.181.80.214](https://vuldb.com/?ip.5.181.80.214) | ip-80-214-bullethost.net | - | High
+10 | [5.181.156.15](https://vuldb.com/?ip.5.181.156.15) | no-rdns.mivocloud.com | - | High
+11 | [5.181.156.166](https://vuldb.com/?ip.5.181.156.166) | 5-181-156-166.mivocloud.com | - | High
+12 | [5.181.156.226](https://vuldb.com/?ip.5.181.156.226) | no-rdns.mivocloud.com | - | High
+13 | [5.183.95.6](https://vuldb.com/?ip.5.183.95.6) | mail.zeakids.de | - | High
+14 | [5.196.197.27](https://vuldb.com/?ip.5.196.197.27) | - | - | High
+15 | [11.22.33.44](https://vuldb.com/?ip.11.22.33.44) | - | - | High
+16 | [13.56.161.214](https://vuldb.com/?ip.13.56.161.214) | ec2-13-56-161-214.us-west-1.compute.amazonaws.com | BazarLoader | Medium
+17 | [23.81.246.30](https://vuldb.com/?ip.23.81.246.30) | - | - | High
+18 | [23.82.140.137](https://vuldb.com/?ip.23.82.140.137) | - | - | High
+19 | [23.95.231.200](https://vuldb.com/?ip.23.95.231.200) | 23-95-231-200-host.colocrossing.com | - | High
+20 | [23.106.160.174](https://vuldb.com/?ip.23.106.160.174) | - | - | High
+21 | [23.146.242.134](https://vuldb.com/?ip.23.146.242.134) | - | - | High
+22 | [23.254.228.234](https://vuldb.com/?ip.23.254.228.234) | hwsrv-935246.hostwindsdns.com | - | High
+23 | [24.185.61.99](https://vuldb.com/?ip.24.185.61.99) | ool-18b93d63.dyn.optonline.net | - | High
+24 | [31.13.195.26](https://vuldb.com/?ip.31.13.195.26) | - | - | High
+25 | [31.13.195.144](https://vuldb.com/?ip.31.13.195.144) | - | - | High
+26 | [31.13.195.184](https://vuldb.com/?ip.31.13.195.184) | - | - | High
+27 | [31.14.40.95](https://vuldb.com/?ip.31.14.40.95) | - | - | High
+28 | [31.14.40.160](https://vuldb.com/?ip.31.14.40.160) | perico.cavepanel.com | BazarLoader | High
+29 | [31.14.40.220](https://vuldb.com/?ip.31.14.40.220) | - | - | High
+30 | [31.214.157.242](https://vuldb.com/?ip.31.214.157.242) | - | - | High
+31 | [34.219.130.241](https://vuldb.com/?ip.34.219.130.241) | ec2-34-219-130-241.us-west-2.compute.amazonaws.com | BazarLoader | Medium
+32 | [37.0.8.166](https://vuldb.com/?ip.37.0.8.166) | - | - | High
+33 | [37.1.209.181](https://vuldb.com/?ip.37.1.209.181) | - | - | High
+34 | [37.187.24.215](https://vuldb.com/?ip.37.187.24.215) | ns3206394.ip-37-187-24.eu | - | High
+35 | [37.220.6.122](https://vuldb.com/?ip.37.220.6.122) | mail.foxlontech.com | - | High
+36 | [37.235.53.46](https://vuldb.com/?ip.37.235.53.46) | gw1.mad1.vitalng.com | - | High
+37 | [38.88.223.172](https://vuldb.com/?ip.38.88.223.172) | - | - | High
+38 | [38.92.176.125](https://vuldb.com/?ip.38.92.176.125) | - | - | High
+39 | [38.92.191.89](https://vuldb.com/?ip.38.92.191.89) | - | - | High
+40 | [38.135.122.194](https://vuldb.com/?ip.38.135.122.194) | h194-us122.fcsrv.net | - | High
+41 | [43.126.75.91](https://vuldb.com/?ip.43.126.75.91) | - | - | High
+42 | [45.11.183.198](https://vuldb.com/?ip.45.11.183.198) | - | - | High
+43 | [45.11.183.211](https://vuldb.com/?ip.45.11.183.211) | - | - | High
+44 | [45.14.226.23](https://vuldb.com/?ip.45.14.226.23) | - | - | High
+45 | [45.14.226.47](https://vuldb.com/?ip.45.14.226.47) | - | - | High
+46 | [45.32.131.223](https://vuldb.com/?ip.45.32.131.223) | - | - | High
+47 | [45.32.132.182](https://vuldb.com/?ip.45.32.132.182) | 45.32.132.182.vultr.com | - | Medium
+48 | [45.61.136.221](https://vuldb.com/?ip.45.61.136.221) | - | - | High
+49 | [45.61.138.153](https://vuldb.com/?ip.45.61.138.153) | - | - | High
+50 | [45.67.228.196](https://vuldb.com/?ip.45.67.228.196) | moe.m | - | High
+51 | [45.126.75.91](https://vuldb.com/?ip.45.126.75.91) | 43.126.75.91.stargatecommunications.com | - | High
+52 | [45.141.101.253](https://vuldb.com/?ip.45.141.101.253) | ongu.golderitu.com | - | High
+53 | [45.141.103.194](https://vuldb.com/?ip.45.141.103.194) | ptr.ruvds.com | - | High
+54 | ... | ... | ... | ...
-There are 202 more IOC items available. Please use our online service to access the data.
+There are 213 more IOC items available. Please use our online service to access the data.
 ## TTP - Tactics, Techniques, Procedures
@@ -127,22 +131,22 @@ ID | Type | Indicator | Confidence
 25 | File | `/uncpath/` | Medium
 26 | File | `/usr/bin/pkexec` | High
 27 | File | `/usr/sbin/suexec` | High
-28 | File | `/WEB-INF/web.xml` | High
-29 | File | `/wp-admin/admin-ajax.php` | High
-30 | File | `/wp-json/wc/v3/webhooks` | High
-31 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
-32 | File | `AccountManagerService.java` | High
-33 | File | `actions/CompanyDetailsSave.php` | High
-34 | File | `ActivityManagerService.java` | High
-35 | File | `admin.php` | Medium
-36 | File | `admin.php?page=languages` | High
-37 | File | `admin/add-glossary.php` | High
-38 | File | `admin/admin.php` | High
-39 | File | `admin/conf_users_edit.php` | High
-40 | File | `admin/edit-comments.php` | High
+28 | File | `/wp-admin/admin-ajax.php` | High
+29 | File | `/wp-json/wc/v3/webhooks` | High
+30 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
+31 | File | `AccountManagerService.java` | High
+32 | File | `actions/CompanyDetailsSave.php` | High
+33 | File | `ActivityManagerService.java` | High
+34 | File | `admin.php` | Medium
+35 | File | `admin.php?page=languages` | High
+36 | File | `admin/add-glossary.php` | High
+37 | File | `admin/admin.php` | High
+38 | File | `admin/conf_users_edit.php` | High
+39 | File | `admin/edit-comments.php` | High
+40 | File | `admin/src/containers/InputModalStepperProvider/index.js` | High
 41 | ... | ... | ...
-There are 357 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 356 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
 ## References
@@ -150,6 +154,9 @@ The following list contains _external sources_ which discuss the actor and the a
 * https://ddanchev.blogspot.com/2022/02/exposing-conti-ransomware-gang-osint_28.html
 * https://github.com/sophoslabs/IoCs/blob/master/Ransomware-Conti.csv
+* https://thedfirreport.com/2021/05/12/conti-ransomware/
+* https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/
+* https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
 * https://therecord.media/disgruntled-ransomware-affiliate-leaks-the-conti-gangs-technical-manuals/
 * https://twitter.com/cherryblond83/status/1498133186316062724
 * https://twitter.com/vxunderground/status/1414809517993435139
diff --git a/actors/DPRK/README.md b/actors/DPRK/README.md
index 485492b3..101f66e7 100644
--- a/actors/DPRK/README.md
+++ b/actors/DPRK/README.md
@@ -13,7 +13,7 @@ The following _campaigns_ are known and can be associated with DPRK:
 * DrillMalware
 * ...
-There are 2 more campaign items available. Please use our online service to access the data.
+There are 3 more campaign items available. Please use our online service to access the data.
 ## Countries
@@ -57,7 +57,7 @@ ID | IP address | Hostname | Campaign | Confidence
 27 | [57.73.224.0](https://vuldb.com/?ip.57.73.224.0) | - | - | High
 28 | ... | ... | ... | ...
-There are 108 more IOC items available. Please use our online service to access the data.
+There are 109 more IOC items available. Please use our online service to access the data.
 ## TTP - Tactics, Techniques, Procedures
@@ -125,6 +125,7 @@ The following list contains _external sources_ which discuss the actor and the a
 * https://github.com/blackorbird/APT_REPORT/tree/master/International%20Strategic/Korea
 * https://github.com/mandatoryprogrammer/NorthKoreaDNSLeak
 * https://raidforums.com/Thread-North-Korean-IP-Addresses-300
+* https://stairwell.com/wp-content/uploads/2022/04/Stairwell-threat-report-The-ink-stained-trail-of-GOLDBACKDOOR.pdf
 * https://us-cert.cisa.gov/ncas/alerts/aa21-048a
 * https://us-cert.cisa.gov/ncas/analysis-reports/AR19-100A
 * https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a
diff --git a/actors/DarkComet/README.md b/actors/DarkComet/README.md
index fe5f0766..fee0f908 100644
--- a/actors/DarkComet/README.md
+++ b/actors/DarkComet/README.md
@@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
 * [ES](https://vuldb.com/?country.es)
 * ...
-There are 8 more country items available. Please use our online service to access the data.
+There are 9 more country items available. Please use our online service to access the data.
 ## IOC - Indicator of Compromise
@@ -36,12 +36,13 @@ ID | IP address | Hostname | Campaign | Confidence
 13 | [23.36.85.183](https://vuldb.com/?ip.23.36.85.183) | a23-36-85-183.deploy.static.akamaitechnologies.com | - | High
 14 | [23.38.131.139](https://vuldb.com/?ip.23.38.131.139) | a23-38-131-139.deploy.static.akamaitechnologies.com | - | High
 15 | [23.64.110.64](https://vuldb.com/?ip.23.64.110.64) | a23-64-110-64.deploy.static.akamaitechnologies.com | - | High
-16 | [23.78.173.83](https://vuldb.com/?ip.23.78.173.83) | a23-78-173-83.deploy.static.akamaitechnologies.com | - | High
-17 | [31.170.166.110](https://vuldb.com/?ip.31.170.166.110) | - | - | High
-18 | [31.193.90.60](https://vuldb.com/?ip.31.193.90.60) | - | - | High
-19 | ... | ... | ... | ...
+16 | [23.67.200.172](https://vuldb.com/?ip.23.67.200.172) | a23-67-200-172.deploy.static.akamaitechnologies.com | - | High
+17 | [23.78.173.83](https://vuldb.com/?ip.23.78.173.83) | a23-78-173-83.deploy.static.akamaitechnologies.com | - | High
+18 | [31.170.166.110](https://vuldb.com/?ip.31.170.166.110) | - | - | High
+19 | [31.193.90.60](https://vuldb.com/?ip.31.193.90.60) | - | - | High
+20 | ... | ... | ... | ...
-There are 70 more IOC items available. Please use our online service to access the data.
+There are 74 more IOC items available. Please use our online service to access the data.
 ## TTP - Tactics, Techniques, Procedures
@@ -51,10 +52,10 @@ ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
 1 | T1059.007 | CWE-79 | Cross Site Scripting | High
 2 | T1068 | CWE-250, CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
-3 | T1211 | CWE-254 | 7PK Security Features | High
+3 | T1110.001 | CWE-307 | Improper Restriction of Excessive Authentication Attempts | High
 4 | ... | ... | ... | ...
-There are 3 more TTP items available. Please use our online service to access the data.
+There are 4 more TTP items available. Please use our online service to access the data.
 ## IOA - Indicator of Attack
@@ -63,22 +64,24 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
 1 | File | `.htaccess` | Medium
-2 | File | `/modules/tasks/summary.inc.php` | High
-3 | File | `/usr/bin/pkexec` | High
-4 | File | `/var/WEB-GUI/cgi-bin/telnet.cgi` | High
-5 | File | `/wp-content/plugins/woocommerce/templates/emails/plain/` | High
-6 | File | `admin.php` | Medium
-7 | File | `adminpasswd.cgi` | High
-8 | File | `ajax.php` | Medium
-9 | File | `apache2/modsecurity.c` | High
-10 | ... | ... | ...
+2 | File | `/etc/puppetlabs/puppetserver/conf.d/ca.conf` | High
+3 | File | `/modules/tasks/summary.inc.php` | High
+4 | File | `/usr/bin/pkexec` | High
+5 | File | `/var/WEB-GUI/cgi-bin/telnet.cgi` | High
+6 | File | `/wp-content/plugins/woocommerce/templates/emails/plain/` | High
+7 | File | `admin.php` | Medium
+8 | File | `adminpasswd.cgi` | High
+9 | File | `ajax.php` | Medium
+10 | File | `apache2/modsecurity.c` | High
+11 | ... | ... | ...
-There are 79 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 80 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
 ## References
 The following list contains _external sources_ which discuss the actor and the associated activities:
+* https://blog.talosintelligence.com/2019/05/threat-roundup-0517-0524.html
 * https://blog.talosintelligence.com/2021/01/threat-roundup-0122.html
 * https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html
 * https://blog.talosintelligence.com/2021/03/threat-roundup-0226-0305.html
@@ -89,6 +92,7 @@ The following list contains _external sources_ which discuss the actor and the a
 * https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html
 * https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
 * https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
+* https://blog.talosintelligence.com/2022/04/threat-roundup-0325-0401.html
 ## Literature
diff --git a/actors/Dorkbot/README.md b/actors/Dorkbot/README.md
new file mode 100644
index 00000000..8c5b37a0
--- /dev/null
+++ b/actors/Dorkbot/README.md
@@ -0,0 +1,60 @@
+# Dorkbot - Cyber Threat Intelligence
+
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Dorkbot](https://vuldb.com/?actor.dorkbot). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
+
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.dorkbot](https://vuldb.com/?actor.dorkbot)
+
+## Countries
+
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Dorkbot:
+
+* [US](https://vuldb.com/?country.us)
+* [FR](https://vuldb.com/?country.fr)
+
+## IOC - Indicator of Compromise
+
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Dorkbot.
+
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [13.107.21.200](https://vuldb.com/?ip.13.107.21.200) | - | - | High
+2 | [204.79.197.200](https://vuldb.com/?ip.204.79.197.200) | a-0001.a-msedge.net | - | High
+3 | [212.83.168.196](https://vuldb.com/?ip.212.83.168.196) | 212-83-168-196.rev.poneytelecom.eu | - | High
+
+## TTP - Tactics, Techniques, Procedures
+
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Dorkbot_. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1059.007 | CWE-79 | Cross Site Scripting | High
+
+## IOA - Indicator of Attack
+
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Dorkbot. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `countrydetails.php` | High
+2 | File | `data/gbconfiguration.dat` | High
+3 | File | `db_central_columns.php` | High
+4 | ... | ... | ...
+
+There are 8 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+
+## References
+
+The following list contains _external sources_ which discuss the actor and the associated activities:
+
+* https://blog.talosintelligence.com/2019/09/threat-roundup-0830-0906.html
+
+## Literature
+
+The following _articles_ explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
diff --git a/actors/Dust Storm/README.md b/actors/Dust Storm/README.md
index 75703e46..bf6927c3 100644
--- a/actors/Dust Storm/README.md
+++ b/actors/Dust Storm/README.md
@@ -17,9 +17,6 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
 * [CN](https://vuldb.com/?country.cn)
 * [US](https://vuldb.com/?country.us)
 * [GB](https://vuldb.com/?country.gb)
-* ...
-
-There are 1 more country items available. Please use our online service to access the data.
 ## IOC - Indicator of Compromise
@@ -62,44 +59,49 @@ ID | Type | Indicator | Confidence
 3 | File | `/#/CampaignManager/users` | High
 4 | File | `//` | Low
 5 | File | `/admin.php?action=themeinstall` | High
-6 | File | `/admin/index.php?id=themes&action=edit_template&filename=blog` | High
-7 | File | `/admin/login.php` | High
-8 | File | `/apply_noauth.cgi` | High
-9 | File | `/article/comment` | High
+6 | File | `/admin/?setting-base.htm` | High
+7 | File | `/admin/admin_login.php` | High
+8 | File | `/admin/login.php` | High
+9 | File | `/apply_noauth.cgi` | High
 10 | File | `/audit/log/log_management.php` | High
-11 | File | `/backup/lispbx-CONF-YYYY-MM-DD.tar` | High
-12 | File | `/bin/login` | Medium
-13 | File | `/bin/sh` | Low
-14 | File | `/cgi-bin/login` | High
-15 | File | `/cgi/sshcheck.cgi` | High
-16 | File | `/classes/profile.class.php` | High
-17 | File | `/crmeb/crmeb/services/UploadService.php` | High
-18 | File | `/dev/tty` | Medium
-19 | File | `/downloads/` | Medium
-20 | File | `/IISADMPWD` | Medium
-21 | File | `/inc/session.php` | High
-22 | File | `/index.php` | Medium
-23 | File | `/mcms/view.do` | High
+11 | File | `/bin/login` | Medium
+12 | File | `/bin/sh` | Low
+13 | File | `/cgi-bin/login` | High
+14 | File | `/classes/profile.class.php` | High
+15 | File | `/dev/tty` | Medium
+16 | File | `/doorgets/app/requests/user/modulecategoryRequest.php` | High
+17 | File | `/downloads/` | Medium
+18 | File | `/IISADMPWD` | Medium
+19 | File | `/inc/session.php` | High
+20 | File | `/index.php` | Medium
+21 | File | `/login` | Low
+22 | File | `/login.html` | Medium
+23 | File | `/magnoliaPublic/travel/members/login.html` | High
 24 | File | `/member/index/login.html` | High
 25 | File | `/modules/certinfo/index.php` | High
-26 | File | `/post/editing` | High
-27 | File | `/public/plugins/` | High
-28 | File | `/restful-services/publish` | High
-29 | File | `/ScadaBR/login.htm` | High
-30 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
-31 | File | `/system/tool/ping.php` | High
-32 | File | `/upload` | Low
-33 | File | `/usr/bin/pkexec` | High
-34 | File | `/usr/sbin/mini_httpd` | High
-35 | File | `/vendor/phpdocumentor/reflection-docblock/tests/phpDocumentor/Reflection/DocBlock/Tag/LinkTagTeet.php` | High
-36 | File | `?location=search` | High
-37 | File | `account/login.php` | High
-38 | File | `add.asp` | Low
-39 | File | `admin.home.php` | High
-40 | File | `admin.php` | Medium
-41 | ... | ... | ...
+26 | File | `/restful-services/publish` | High
+27 | File | `/ScadaBR/login.htm` | High
+28 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
+29 | File | `/system/tool/ping.php` | High
+30 | File | `/upload` | Low
+31 | File | `/usr/bin/pkexec` | High
+32 | File | `/var/adm/btmp` | High
+33 | File | `?location=search` | High
+34 | File | `account/login.php` | High
+35 | File | `add.asp` | Low
+36 | File | `add.php` | Low
+37 | File | `admin.inc.php` | High
+38 | File | `admin.php` | Medium
+39 | File | `admin.php?m=backup&c=backup&a=doback` | High
+40 | File | `admin/conf_users_edit.php` | High
+41 | File | `admin/index.php` | High
+42 | File | `admin/login.asp` | High
+43 | File | `admin/login.php` | High
+44 | File | `admin/nos/login` | High
+45 | File | `admin\db\DoSql.php` | High
+46 | ... | ... | ...
-There are 355 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 396 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
 ## References
diff --git a/actors/Emotet/README.md b/actors/Emotet/README.md
index e5904b11..1f1e59c8 100644
--- a/actors/Emotet/README.md
+++ b/actors/Emotet/README.md
@@ -10,10 +10,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
 * [VN](https://vuldb.com/?country.vn)
 * [US](https://vuldb.com/?country.us)
-* [GB](https://vuldb.com/?country.gb)
-* ...
-
-There are 4 more country items available. Please use our online service to access the data.
+* [CN](https://vuldb.com/?country.cn)
 ## IOC - Indicator of Compromise
@@ -46,203 +43,266 @@ ID | IP address | Hostname | Campaign | Confidence 23 | [5.159.57.195](https://vuldb.com/?ip.5.159.57.195) | www-riedle.transfermarkt.de | - | High 24 | [5.196.35.138](https://vuldb.com/?ip.5.196.35.138) | vps10.open-techno.net | - | High 25 | [5.196.73.150](https://vuldb.com/?ip.5.196.73.150) | ns3000085.ip-5-196-73.eu | - | High -26 | [5.230.193.41](https://vuldb.com/?ip.5.230.193.41) | casagarcia-web.sys.netzfabrik.eu | - | High -27 | [8.4.9.137](https://vuldb.com/?ip.8.4.9.137) | onlinehorizons.net | - | High -28 | [8.247.6.134](https://vuldb.com/?ip.8.247.6.134) | - | - | High -29 | [12.6.183.21](https://vuldb.com/?ip.12.6.183.21) | - | - | High -30 | [12.32.68.154](https://vuldb.com/?ip.12.32.68.154) | mail.sealscoinc.com | - | High -31 | [12.149.72.170](https://vuldb.com/?ip.12.149.72.170) | - | - | High -32 | [12.162.84.2](https://vuldb.com/?ip.12.162.84.2) | - | - | High -33 | [12.163.208.58](https://vuldb.com/?ip.12.163.208.58) | - | - | High -34 | [12.182.146.226](https://vuldb.com/?ip.12.182.146.226) | - | - | High -35 | [12.184.217.101](https://vuldb.com/?ip.12.184.217.101) | - | - | High -36 | [12.222.134.10](https://vuldb.com/?ip.12.222.134.10) | - | - | High -37 | [12.238.114.130](https://vuldb.com/?ip.12.238.114.130) | - | - | High -38 | [23.6.65.194](https://vuldb.com/?ip.23.6.65.194) | a23-6-65-194.deploy.static.akamaitechnologies.com | - | High -39 | [23.36.85.183](https://vuldb.com/?ip.23.36.85.183) | a23-36-85-183.deploy.static.akamaitechnologies.com | - | High -40 | [23.199.63.11](https://vuldb.com/?ip.23.199.63.11) | a23-199-63-11.deploy.static.akamaitechnologies.com | - | High -41 | [23.199.71.185](https://vuldb.com/?ip.23.199.71.185) | a23-199-71-185.deploy.static.akamaitechnologies.com | - | High -42 | [23.239.2.11](https://vuldb.com/?ip.23.239.2.11) | li683-11.members.linode.com | - | High -43 | [23.254.203.51](https://vuldb.com/?ip.23.254.203.51) | hwsrv-779084.hostwindsdns.com | - | High -44 | 
[24.40.239.62](https://vuldb.com/?ip.24.40.239.62) | 24-40-239-62.fidnet.com | - | High -45 | [24.43.99.75](https://vuldb.com/?ip.24.43.99.75) | rrcs-24-43-99-75.west.biz.rr.com | - | High -46 | [24.101.229.82](https://vuldb.com/?ip.24.101.229.82) | dynamic-acs-24-101-229-82.zoominternet.net | - | High -47 | [24.116.40.208](https://vuldb.com/?ip.24.116.40.208) | 24-116-40-208.cpe.sparklight.net | - | High -48 | [24.119.116.230](https://vuldb.com/?ip.24.119.116.230) | 24-119-116-230.cpe.sparklight.net | - | High -49 | [24.121.176.48](https://vuldb.com/?ip.24.121.176.48) | 24-121-176-48.prkrcmtc01.com.sta.suddenlink.net | - | High -50 | [24.137.76.62](https://vuldb.com/?ip.24.137.76.62) | host-24-137-76-62.public.eastlink.ca | - | High -51 | [24.178.90.49](https://vuldb.com/?ip.24.178.90.49) | 024-178-090-049.res.spectrum.com | - | High -52 | [24.179.13.119](https://vuldb.com/?ip.24.179.13.119) | 024-179-013-119.res.spectrum.com | - | High -53 | [24.201.79.34](https://vuldb.com/?ip.24.201.79.34) | modemcable034.79-201-24.mc.videotron.ca | - | High -54 | [24.203.4.40](https://vuldb.com/?ip.24.203.4.40) | modemcable040.4-203-24.mc.videotron.ca | - | High -55 | [24.217.117.217](https://vuldb.com/?ip.24.217.117.217) | 024-217-117-217.res.spectrum.com | - | High -56 | [24.232.228.233](https://vuldb.com/?ip.24.232.228.233) | OL233-228.fibertel.com.ar | - | High -57 | [24.244.177.40](https://vuldb.com/?ip.24.244.177.40) | - | - | High -58 | [27.50.89.209](https://vuldb.com/?ip.27.50.89.209) | 27-50-89-209.as45671.net | - | High -59 | [27.78.27.110](https://vuldb.com/?ip.27.78.27.110) | localhost | - | High -60 | [27.82.13.10](https://vuldb.com/?ip.27.82.13.10) | KD027082013010.ppp-bb.dion.ne.jp | - | High -61 | [27.109.24.214](https://vuldb.com/?ip.27.109.24.214) | - | - | High -62 | [27.114.9.93](https://vuldb.com/?ip.27.114.9.93) | i27-114-9-93.s41.a011.ap.plala.or.jp | - | High -63 | [31.24.158.56](https://vuldb.com/?ip.31.24.158.56) | bm.servidoresdedicados.com | - | 
High -64 | [31.167.248.50](https://vuldb.com/?ip.31.167.248.50) | - | - | High -65 | [35.190.87.116](https://vuldb.com/?ip.35.190.87.116) | 116.87.190.35.bc.googleusercontent.com | - | Medium -66 | [36.91.44.183](https://vuldb.com/?ip.36.91.44.183) | - | - | High -67 | [37.46.129.215](https://vuldb.com/?ip.37.46.129.215) | we-too.ru | - | High -68 | [37.97.135.82](https://vuldb.com/?ip.37.97.135.82) | 37-97-135-82.colo.transip.net | - | High -69 | [37.120.175.15](https://vuldb.com/?ip.37.120.175.15) | v220220112692175454.nicesrv.de | - | High -70 | [37.139.21.175](https://vuldb.com/?ip.37.139.21.175) | 37.139.21.175-e2-8080-keep-up | - | High -71 | [37.179.204.33](https://vuldb.com/?ip.37.179.204.33) | - | - | High -72 | [37.187.4.178](https://vuldb.com/?ip.37.187.4.178) | ks2.kku.io | - | High -73 | [37.187.57.57](https://vuldb.com/?ip.37.187.57.57) | ns3357940.ovh.net | - | High -74 | [37.187.72.193](https://vuldb.com/?ip.37.187.72.193) | ns3362285.ip-37-187-72.eu | - | High -75 | [37.187.161.206](https://vuldb.com/?ip.37.187.161.206) | toolbox.alabs.io | - | High -76 | [37.205.9.252](https://vuldb.com/?ip.37.205.9.252) | s1.ithelp24.eu | - | High -77 | [37.221.70.250](https://vuldb.com/?ip.37.221.70.250) | b2b-customer.inftele.net | - | High -78 | [41.76.108.46](https://vuldb.com/?ip.41.76.108.46) | - | - | High -79 | [41.169.36.237](https://vuldb.com/?ip.41.169.36.237) | - | - | High -80 | [41.185.28.84](https://vuldb.com/?ip.41.185.28.84) | brf01-nix01.wadns.net | - | High -81 | [41.185.29.128](https://vuldb.com/?ip.41.185.29.128) | abp79-nix01.wadns.net | - | High -82 | [41.204.202.41](https://vuldb.com/?ip.41.204.202.41) | www41.cpt2.host-h.net | - | High -83 | [41.231.225.139](https://vuldb.com/?ip.41.231.225.139) | - | - | High -84 | [42.62.40.103](https://vuldb.com/?ip.42.62.40.103) | - | - | High -85 | [45.16.226.117](https://vuldb.com/?ip.45.16.226.117) | 45-16-226-117.lightspeed.sndgca.sbcglobal.net | - | High -86 | 
[45.33.77.42](https://vuldb.com/?ip.45.33.77.42) | li1023-42.members.linode.com | - | High -87 | [45.46.37.97](https://vuldb.com/?ip.45.46.37.97) | cpe-45-46-37-97.maine.res.rr.com | - | High -88 | [45.55.36.51](https://vuldb.com/?ip.45.55.36.51) | - | - | High -89 | [45.55.219.163](https://vuldb.com/?ip.45.55.219.163) | - | - | High -90 | [45.79.95.107](https://vuldb.com/?ip.45.79.95.107) | li1194-107.members.linode.com | - | High -91 | [45.80.148.200](https://vuldb.com/?ip.45.80.148.200) | - | - | High -92 | [45.118.115.99](https://vuldb.com/?ip.45.118.115.99) | - | - | High -93 | [45.118.135.203](https://vuldb.com/?ip.45.118.135.203) | 45-118-135-203.ip.linodeusercontent.com | - | High -94 | [45.142.114.231](https://vuldb.com/?ip.45.142.114.231) | mail.dounutmail.de | - | High -95 | [45.176.232.124](https://vuldb.com/?ip.45.176.232.124) | - | - | High -96 | [45.230.45.171](https://vuldb.com/?ip.45.230.45.171) | - | - | High -97 | [46.4.100.178](https://vuldb.com/?ip.46.4.100.178) | support.wizard-shopservice.de | - | High -98 | [46.4.192.185](https://vuldb.com/?ip.46.4.192.185) | static.185.192.4.46.clients.your-server.de | - | High -99 | [46.28.111.142](https://vuldb.com/?ip.46.28.111.142) | enkindu.jsuchy.net | - | High -100 | [46.32.229.152](https://vuldb.com/?ip.46.32.229.152) | 094882.vps-10.com | - | High -101 | [46.32.233.226](https://vuldb.com/?ip.46.32.233.226) | yetitoolusa.com | - | High -102 | [46.38.238.8](https://vuldb.com/?ip.46.38.238.8) | v2202109122001163131.happysrv.de | - | High -103 | [46.43.2.95](https://vuldb.com/?ip.46.43.2.95) | chris.default.cjenkinson.uk0.bigv.io | - | High -104 | [46.55.222.11](https://vuldb.com/?ip.46.55.222.11) | - | - | High -105 | [46.101.58.37](https://vuldb.com/?ip.46.101.58.37) | 46.101.58.37-e1-8080 | - | High -106 | [46.105.81.76](https://vuldb.com/?ip.46.105.81.76) | myu0.cylipo.sbs | - | High -107 | [46.105.114.137](https://vuldb.com/?ip.46.105.114.137) | ns3188253.ip-46-105-114.eu | - | High -108 | 
[46.105.131.68](https://vuldb.com/?ip.46.105.131.68) | http.adven.fr | - | High -109 | [46.105.131.69](https://vuldb.com/?ip.46.105.131.69) | epouventaille.adven.fr | - | High -110 | [46.105.131.79](https://vuldb.com/?ip.46.105.131.79) | relay.adven.fr | - | High -111 | [46.105.131.87](https://vuldb.com/?ip.46.105.131.87) | pop.adven.fr | - | High -112 | [46.105.236.18](https://vuldb.com/?ip.46.105.236.18) | - | - | High -113 | [46.165.212.76](https://vuldb.com/?ip.46.165.212.76) | - | - | High -114 | [46.165.254.206](https://vuldb.com/?ip.46.165.254.206) | - | - | High -115 | [46.214.107.142](https://vuldb.com/?ip.46.214.107.142) | 46-214-107-142.next-gen.ro | - | High -116 | [47.36.140.164](https://vuldb.com/?ip.47.36.140.164) | 047-036-140-164.res.spectrum.com | - | High -117 | [47.146.39.147](https://vuldb.com/?ip.47.146.39.147) | - | - | High -118 | [47.150.11.161](https://vuldb.com/?ip.47.150.11.161) | - | - | High -119 | [47.188.131.94](https://vuldb.com/?ip.47.188.131.94) | - | - | High -120 | [47.201.208.154](https://vuldb.com/?ip.47.201.208.154) | - | - | High -121 | [47.246.24.225](https://vuldb.com/?ip.47.246.24.225) | - | - | High -122 | [47.246.24.226](https://vuldb.com/?ip.47.246.24.226) | - | - | High -123 | [47.246.24.230](https://vuldb.com/?ip.47.246.24.230) | - | - | High -124 | [47.246.24.232](https://vuldb.com/?ip.47.246.24.232) | - | - | High -125 | [49.12.121.47](https://vuldb.com/?ip.49.12.121.47) | filezilla-project.org | - | High -126 | [49.50.209.131](https://vuldb.com/?ip.49.50.209.131) | 131.host-49-50-209.euba.megatel.co.nz | - | High -127 | [49.212.135.76](https://vuldb.com/?ip.49.212.135.76) | os3-321-50322.vs.sakura.ne.jp | - | High -128 | [49.212.155.94](https://vuldb.com/?ip.49.212.155.94) | os3-325-52340.vs.sakura.ne.jp | - | High -129 | [50.28.51.143](https://vuldb.com/?ip.50.28.51.143) | - | - | High -130 | [50.30.40.196](https://vuldb.com/?ip.50.30.40.196) | usve255301.serverprofi24.com | - | High -131 | 
[50.31.146.101](https://vuldb.com/?ip.50.31.146.101) | mail.brillinjurylaw.com | - | High -132 | [50.56.135.44](https://vuldb.com/?ip.50.56.135.44) | - | - | High -133 | [50.62.194.30](https://vuldb.com/?ip.50.62.194.30) | ip-50-62-194-30.ip.secureserver.net | - | High -134 | [50.78.167.65](https://vuldb.com/?ip.50.78.167.65) | millcreek.cc | - | High -135 | [50.91.114.38](https://vuldb.com/?ip.50.91.114.38) | 050-091-114-038.res.spectrum.com | - | High -136 | [50.92.101.60](https://vuldb.com/?ip.50.92.101.60) | d50-92-101-60.bchsia.telus.net | - | High -137 | [50.116.54.215](https://vuldb.com/?ip.50.116.54.215) | li440-215.members.linode.com | - | High -138 | [50.116.78.109](https://vuldb.com/?ip.50.116.78.109) | intersearchmedia.com | - | High -139 | [50.245.107.73](https://vuldb.com/?ip.50.245.107.73) | 50-245-107-73-static.hfc.comcastbusiness.net | - | High -140 | [51.15.4.22](https://vuldb.com/?ip.51.15.4.22) | 51-15-4-22.rev.poneytelecom.eu | - | High -141 | [51.15.7.145](https://vuldb.com/?ip.51.15.7.145) | 51-15-7-145.rev.poneytelecom.eu | - | High -142 | [51.38.201.19](https://vuldb.com/?ip.51.38.201.19) | ip19.ip-51-38-201.eu | - | High -143 | [51.75.33.120](https://vuldb.com/?ip.51.75.33.120) | ip120.ip-51-75-33.eu | - | High -144 | [51.75.33.127](https://vuldb.com/?ip.51.75.33.127) | ip127.ip-51-75-33.eu | - | High -145 | [51.89.36.180](https://vuldb.com/?ip.51.89.36.180) | ip180.ip-51-89-36.eu | - | High -146 | [51.89.199.141](https://vuldb.com/?ip.51.89.199.141) | ip141.ip-51-89-199.eu | - | High -147 | [51.91.7.5](https://vuldb.com/?ip.51.91.7.5) | ns3147667.ip-51-91-7.eu | - | High -148 | [51.91.76.89](https://vuldb.com/?ip.51.91.76.89) | 89.ip-51-91-76.eu | - | High -149 | [51.159.23.217](https://vuldb.com/?ip.51.159.23.217) | jambold.co.uk | - | High -150 | [51.159.35.157](https://vuldb.com/?ip.51.159.35.157) | 51-159-35-157.rev.poneytelecom.eu | - | High -151 | [51.254.140.238](https://vuldb.com/?ip.51.254.140.238) | 238.ip-51-254-140.eu | - | 
High -152 | [51.255.50.164](https://vuldb.com/?ip.51.255.50.164) | vps-b6cfe010.vps.ovh.net | - | High -153 | [51.255.165.160](https://vuldb.com/?ip.51.255.165.160) | 160.ip-51-255-165.eu | - | High -154 | [52.66.202.63](https://vuldb.com/?ip.52.66.202.63) | ec2-52-66-202-63.ap-south-1.compute.amazonaws.com | - | Medium -155 | [54.38.143.245](https://vuldb.com/?ip.54.38.143.245) | tools.inovato.me | - | High -156 | [58.27.215.3](https://vuldb.com/?ip.58.27.215.3) | 58-27-215-3.wateen.net | - | High -157 | [58.94.58.13](https://vuldb.com/?ip.58.94.58.13) | i58-94-58-13.s41.a014.ap.plala.or.jp | - | High -158 | [58.216.16.130](https://vuldb.com/?ip.58.216.16.130) | - | - | High -159 | [58.227.42.236](https://vuldb.com/?ip.58.227.42.236) | - | - | High -160 | [59.148.253.194](https://vuldb.com/?ip.59.148.253.194) | 059148253194.ctinets.com | - | High -161 | [59.152.93.46](https://vuldb.com/?ip.59.152.93.46) | 46.93.152.59.zipnetltd.com | - | High -162 | [60.93.23.51](https://vuldb.com/?ip.60.93.23.51) | softbank060093023051.bbtec.net | - | High -163 | [60.108.128.186](https://vuldb.com/?ip.60.108.128.186) | softbank060108128186.bbtec.net | - | High -164 | [60.125.114.64](https://vuldb.com/?ip.60.125.114.64) | softbank060125114064.bbtec.net | - | High -165 | [60.249.78.226](https://vuldb.com/?ip.60.249.78.226) | 60-249-78-226.hinet-ip.hinet.net | - | High -166 | [61.19.246.238](https://vuldb.com/?ip.61.19.246.238) | - | - | High -167 | [62.30.7.67](https://vuldb.com/?ip.62.30.7.67) | 67.7-30-62.static.virginmediabusiness.co.uk | - | High -168 | [62.75.141.82](https://vuldb.com/?ip.62.75.141.82) | static-ip-62-75-141-82.inaddr.ip-pool.com | - | High -169 | [62.84.75.50](https://vuldb.com/?ip.62.84.75.50) | mail.saadegrp.com.lb | - | High -170 | [62.171.142.179](https://vuldb.com/?ip.62.171.142.179) | vmi499457.contaboserver.net | - | High -171 | [62.212.34.102](https://vuldb.com/?ip.62.212.34.102) | - | - | High -172 | [64.60.82.82](https://vuldb.com/?ip.64.60.82.82) | 
64-60-82-82.static-ip.telepacific.net | - | High -173 | [64.71.36.11](https://vuldb.com/?ip.64.71.36.11) | - | - | High -174 | [64.190.63.136](https://vuldb.com/?ip.64.190.63.136) | - | - | High -175 | [64.207.182.168](https://vuldb.com/?ip.64.207.182.168) | - | - | High -176 | [66.23.200.58](https://vuldb.com/?ip.66.23.200.58) | - | - | High -177 | [66.50.57.73](https://vuldb.com/?ip.66.50.57.73) | 66-50-57-73.prtc.net | - | High -178 | [66.54.51.172](https://vuldb.com/?ip.66.54.51.172) | - | - | High -179 | [66.76.26.33](https://vuldb.com/?ip.66.76.26.33) | 66-76-26-33.hdsncmta01.com.sta.suddenlink.net | - | High -180 | [66.209.69.165](https://vuldb.com/?ip.66.209.69.165) | - | - | High -181 | [66.228.32.31](https://vuldb.com/?ip.66.228.32.31) | li282-31.members.linode.com | - | High -182 | [66.228.61.248](https://vuldb.com/?ip.66.228.61.248) | li318-248.members.linode.com | - | High -183 | [67.19.105.107](https://vuldb.com/?ip.67.19.105.107) | ns2.datatrust.com.br | - | High -184 | [67.68.235.25](https://vuldb.com/?ip.67.68.235.25) | bas10-montrealak-67-68-235-25.dsl.bell.ca | - | High -185 | [67.170.250.203](https://vuldb.com/?ip.67.170.250.203) | c-67-170-250-203.hsd1.ca.comcast.net | - | High -186 | [67.225.218.50](https://vuldb.com/?ip.67.225.218.50) | lb01.parklogic.com | - | High -187 | [68.2.97.91](https://vuldb.com/?ip.68.2.97.91) | ip68-2-97-91.ph.ph.cox.net | - | High -188 | [68.183.170.114](https://vuldb.com/?ip.68.183.170.114) | 68.183.170.114-e1-8080-keep-up | - | High -189 | [68.183.190.199](https://vuldb.com/?ip.68.183.190.199) | 68.183.190.199-e1-8080-keep-up | - | High -190 | [69.17.170.58](https://vuldb.com/?ip.69.17.170.58) | unallocated-static.rogers.com | - | High -191 | [69.43.168.200](https://vuldb.com/?ip.69.43.168.200) | ns0.imunplugged.com | - | High -192 | [69.43.168.232](https://vuldb.com/?ip.69.43.168.232) | - | - | High -193 | [69.45.19.251](https://vuldb.com/?ip.69.45.19.251) | coastinet.com | - | High -194 | 
[69.163.33.82](https://vuldb.com/?ip.69.163.33.82) | - | - | High -195 | [69.167.152.111](https://vuldb.com/?ip.69.167.152.111) | - | - | High -196 | [69.198.17.20](https://vuldb.com/?ip.69.198.17.20) | 69-198-17-20.customerip.birch.net | - | High -197 | [69.198.17.49](https://vuldb.com/?ip.69.198.17.49) | 69-198-17-49.customerip.birch.net | - | High -198 | [70.32.84.74](https://vuldb.com/?ip.70.32.84.74) | - | - | High -199 | [70.32.89.105](https://vuldb.com/?ip.70.32.89.105) | parties-at-sea.com | - | High -200 | [70.32.92.133](https://vuldb.com/?ip.70.32.92.133) | popdesigngroup.com | - | High -201 | [70.32.115.157](https://vuldb.com/?ip.70.32.115.157) | harpotripofalifetime.com | - | High -202 | [70.36.102.35](https://vuldb.com/?ip.70.36.102.35) | - | - | High -203 | [70.45.30.28](https://vuldb.com/?ip.70.45.30.28) | dynamic.libertypr.net | - | High -204 | [70.168.7.6](https://vuldb.com/?ip.70.168.7.6) | wsip-70-168-7-6.ri.ri.cox.net | - | High -205 | [70.182.77.184](https://vuldb.com/?ip.70.182.77.184) | wsip-70-182-77-184.ok.ok.cox.net | - | High -206 | [70.183.113.54](https://vuldb.com/?ip.70.183.113.54) | wsip-70-183-113-54.no.no.cox.net | - | High -207 | [70.184.125.132](https://vuldb.com/?ip.70.184.125.132) | wsip-70-184-125-132.ph.ph.cox.net | - | High -208 | [71.8.1.188](https://vuldb.com/?ip.71.8.1.188) | 071-008-001-188.res.spectrum.com | - | High -209 | [71.15.245.148](https://vuldb.com/?ip.71.15.245.148) | 071-015-245-148.res.spectrum.com | - | High -210 | [71.40.213.82](https://vuldb.com/?ip.71.40.213.82) | rrcs-71-40-213-82.sw.biz.rr.com | - | High -211 | [71.58.165.119](https://vuldb.com/?ip.71.58.165.119) | c-71-58-165-119.hsd1.pa.comcast.net | - | High -212 | [71.71.3.84](https://vuldb.com/?ip.71.71.3.84) | - | - | High -213 | [71.163.171.106](https://vuldb.com/?ip.71.163.171.106) | static-71-163-171-106.washdc.fios.verizon.net | - | High -214 | [71.165.252.144](https://vuldb.com/?ip.71.165.252.144) | 
static-71-165-252-144.lsanca.fios.frontiernet.net | - | High -215 | [71.177.184.128](https://vuldb.com/?ip.71.177.184.128) | static-71-177-184-128.lsanca.fios.frontiernet.net | - | High -216 | [71.197.211.156](https://vuldb.com/?ip.71.197.211.156) | c-71-197-211-156.hsd1.wa.comcast.net | - | High -217 | [71.214.17.130](https://vuldb.com/?ip.71.214.17.130) | 71-214-17-130.orlf.qwest.net | - | High -218 | [71.244.60.231](https://vuldb.com/?ip.71.244.60.231) | static-71-244-60-231.dllstx.fios.frontiernet.net | - | High -219 | [72.10.49.117](https://vuldb.com/?ip.72.10.49.117) | rtw7-rfpn.accessdomain.com | - | High -220 | ... | ... | ... | ... +26 | [5.196.133.206](https://vuldb.com/?ip.5.196.133.206) | pixelfed.hosnet.fr | - | High +27 | [5.230.193.41](https://vuldb.com/?ip.5.230.193.41) | casagarcia-web.sys.netzfabrik.eu | - | High +28 | [8.4.9.137](https://vuldb.com/?ip.8.4.9.137) | onlinehorizons.net | - | High +29 | [8.247.6.134](https://vuldb.com/?ip.8.247.6.134) | - | - | High +30 | [12.6.148.4](https://vuldb.com/?ip.12.6.148.4) | mail.carters.com | - | High +31 | [12.6.183.21](https://vuldb.com/?ip.12.6.183.21) | - | - | High +32 | [12.32.68.154](https://vuldb.com/?ip.12.32.68.154) | mail.sealscoinc.com | - | High +33 | [12.149.72.170](https://vuldb.com/?ip.12.149.72.170) | - | - | High +34 | [12.162.84.2](https://vuldb.com/?ip.12.162.84.2) | - | - | High +35 | [12.163.208.58](https://vuldb.com/?ip.12.163.208.58) | - | - | High +36 | [12.182.146.226](https://vuldb.com/?ip.12.182.146.226) | - | - | High +37 | [12.184.217.101](https://vuldb.com/?ip.12.184.217.101) | - | - | High +38 | [12.222.134.10](https://vuldb.com/?ip.12.222.134.10) | - | - | High +39 | [12.238.114.130](https://vuldb.com/?ip.12.238.114.130) | - | - | High +40 | [13.107.21.200](https://vuldb.com/?ip.13.107.21.200) | - | - | High +41 | [14.49.39.215](https://vuldb.com/?ip.14.49.39.215) | - | - | High +42 | [17.56.136.171](https://vuldb.com/?ip.17.56.136.171) | p74-smtp.mail.icloud.com | - | 
High +43 | [18.209.113.128](https://vuldb.com/?ip.18.209.113.128) | ec2-18-209-113-128.compute-1.amazonaws.com | - | Medium +44 | [18.211.9.206](https://vuldb.com/?ip.18.211.9.206) | ec2-18-211-9-206.compute-1.amazonaws.com | - | Medium +45 | [23.5.231.225](https://vuldb.com/?ip.23.5.231.225) | a23-5-231-225.deploy.static.akamaitechnologies.com | - | High +46 | [23.6.65.194](https://vuldb.com/?ip.23.6.65.194) | a23-6-65-194.deploy.static.akamaitechnologies.com | - | High +47 | [23.6.69.99](https://vuldb.com/?ip.23.6.69.99) | a23-6-69-99.deploy.static.akamaitechnologies.com | - | High +48 | [23.36.85.183](https://vuldb.com/?ip.23.36.85.183) | a23-36-85-183.deploy.static.akamaitechnologies.com | - | High +49 | [23.41.248.194](https://vuldb.com/?ip.23.41.248.194) | a23-41-248-194.deploy.static.akamaitechnologies.com | - | High +50 | [23.46.53.71](https://vuldb.com/?ip.23.46.53.71) | a23-46-53-71.deploy.static.akamaitechnologies.com | - | High +51 | [23.52.7.20](https://vuldb.com/?ip.23.52.7.20) | a23-52-7-20.deploy.static.akamaitechnologies.com | - | High +52 | [23.95.95.18](https://vuldb.com/?ip.23.95.95.18) | 23-95-95-18-host.colocrossing.com | - | High +53 | [23.199.63.11](https://vuldb.com/?ip.23.199.63.11) | a23-199-63-11.deploy.static.akamaitechnologies.com | - | High +54 | [23.199.71.185](https://vuldb.com/?ip.23.199.71.185) | a23-199-71-185.deploy.static.akamaitechnologies.com | - | High +55 | [23.218.127.164](https://vuldb.com/?ip.23.218.127.164) | a23-218-127-164.deploy.static.akamaitechnologies.com | - | High +56 | [23.218.141.31](https://vuldb.com/?ip.23.218.141.31) | a23-218-141-31.deploy.static.akamaitechnologies.com | - | High +57 | [23.221.50.122](https://vuldb.com/?ip.23.221.50.122) | a23-221-50-122.deploy.static.akamaitechnologies.com | - | High +58 | [23.229.190.0](https://vuldb.com/?ip.23.229.190.0) | ip-23-229-190-0.ip.secureserver.net | - | High +59 | [23.239.2.11](https://vuldb.com/?ip.23.239.2.11) | li683-11.members.linode.com | - | High +60 | 
[23.254.203.51](https://vuldb.com/?ip.23.254.203.51) | hwsrv-779084.hostwindsdns.com | - | High +61 | [24.40.239.62](https://vuldb.com/?ip.24.40.239.62) | 24-40-239-62.fidnet.com | - | High +62 | [24.43.99.75](https://vuldb.com/?ip.24.43.99.75) | rrcs-24-43-99-75.west.biz.rr.com | - | High +63 | [24.101.229.82](https://vuldb.com/?ip.24.101.229.82) | dynamic-acs-24-101-229-82.zoominternet.net | - | High +64 | [24.116.40.208](https://vuldb.com/?ip.24.116.40.208) | 24-116-40-208.cpe.sparklight.net | - | High +65 | [24.119.116.230](https://vuldb.com/?ip.24.119.116.230) | 24-119-116-230.cpe.sparklight.net | - | High +66 | [24.121.176.48](https://vuldb.com/?ip.24.121.176.48) | 24-121-176-48.prkrcmtc01.com.sta.suddenlink.net | - | High +67 | [24.137.76.62](https://vuldb.com/?ip.24.137.76.62) | host-24-137-76-62.public.eastlink.ca | - | High +68 | [24.178.90.49](https://vuldb.com/?ip.24.178.90.49) | 024-178-090-049.res.spectrum.com | - | High +69 | [24.179.13.119](https://vuldb.com/?ip.24.179.13.119) | 024-179-013-119.res.spectrum.com | - | High +70 | [24.190.11.79](https://vuldb.com/?ip.24.190.11.79) | ool-18be0b4f.dyn.optonline.net | - | High +71 | [24.201.79.34](https://vuldb.com/?ip.24.201.79.34) | modemcable034.79-201-24.mc.videotron.ca | - | High +72 | [24.203.4.40](https://vuldb.com/?ip.24.203.4.40) | modemcable040.4-203-24.mc.videotron.ca | - | High +73 | [24.217.117.217](https://vuldb.com/?ip.24.217.117.217) | 024-217-117-217.res.spectrum.com | - | High +74 | [24.232.228.233](https://vuldb.com/?ip.24.232.228.233) | OL233-228.fibertel.com.ar | - | High +75 | [24.244.177.40](https://vuldb.com/?ip.24.244.177.40) | - | - | High +76 | [27.50.89.209](https://vuldb.com/?ip.27.50.89.209) | 27-50-89-209.as45671.net | - | High +77 | [27.78.27.110](https://vuldb.com/?ip.27.78.27.110) | localhost | - | High +78 | [27.82.13.10](https://vuldb.com/?ip.27.82.13.10) | KD027082013010.ppp-bb.dion.ne.jp | - | High +79 | [27.109.24.214](https://vuldb.com/?ip.27.109.24.214) | - | - | 
High +80 | [27.114.9.93](https://vuldb.com/?ip.27.114.9.93) | i27-114-9-93.s41.a011.ap.plala.or.jp | - | High +81 | [31.24.158.56](https://vuldb.com/?ip.31.24.158.56) | bm.servidoresdedicados.com | - | High +82 | [31.167.248.50](https://vuldb.com/?ip.31.167.248.50) | - | - | High +83 | [31.172.86.183](https://vuldb.com/?ip.31.172.86.183) | - | - | High +84 | [35.190.87.116](https://vuldb.com/?ip.35.190.87.116) | 116.87.190.35.bc.googleusercontent.com | - | Medium +85 | [36.91.44.183](https://vuldb.com/?ip.36.91.44.183) | - | - | High +86 | [37.9.175.14](https://vuldb.com/?ip.37.9.175.14) | 14.175.9.37.in-addr.arpa.websupport.sk | - | High +87 | [37.46.129.215](https://vuldb.com/?ip.37.46.129.215) | we-too.ru | - | High +88 | [37.97.135.82](https://vuldb.com/?ip.37.97.135.82) | 37-97-135-82.colo.transip.net | - | High +89 | [37.120.175.15](https://vuldb.com/?ip.37.120.175.15) | v220220112692175454.nicesrv.de | - | High +90 | [37.139.21.175](https://vuldb.com/?ip.37.139.21.175) | 37.139.21.175-e2-8080-keep-up | - | High +91 | [37.179.204.33](https://vuldb.com/?ip.37.179.204.33) | - | - | High +92 | [37.187.4.178](https://vuldb.com/?ip.37.187.4.178) | ks2.kku.io | - | High +93 | [37.187.57.57](https://vuldb.com/?ip.37.187.57.57) | ns3357940.ovh.net | - | High +94 | [37.187.72.193](https://vuldb.com/?ip.37.187.72.193) | ns3362285.ip-37-187-72.eu | - | High +95 | [37.187.161.206](https://vuldb.com/?ip.37.187.161.206) | toolbox.alabs.io | - | High +96 | [37.205.9.252](https://vuldb.com/?ip.37.205.9.252) | s1.ithelp24.eu | - | High +97 | [37.221.70.250](https://vuldb.com/?ip.37.221.70.250) | b2b-customer.inftele.net | - | High +98 | [40.97.124.18](https://vuldb.com/?ip.40.97.124.18) | - | - | High +99 | [41.76.108.46](https://vuldb.com/?ip.41.76.108.46) | - | - | High +100 | [41.169.36.237](https://vuldb.com/?ip.41.169.36.237) | - | - | High +101 | [41.185.28.84](https://vuldb.com/?ip.41.185.28.84) | brf01-nix01.wadns.net | - | High +102 | 
[41.185.29.128](https://vuldb.com/?ip.41.185.29.128) | abp79-nix01.wadns.net | - | High +103 | [41.204.202.41](https://vuldb.com/?ip.41.204.202.41) | www41.cpt2.host-h.net | - | High +104 | [41.231.225.139](https://vuldb.com/?ip.41.231.225.139) | - | - | High +105 | [42.62.40.103](https://vuldb.com/?ip.42.62.40.103) | - | - | High +106 | [43.229.62.186](https://vuldb.com/?ip.43.229.62.186) | rocket-cheese.bnr.la | - | High +107 | [45.16.226.117](https://vuldb.com/?ip.45.16.226.117) | 45-16-226-117.lightspeed.sndgca.sbcglobal.net | - | High +108 | [45.33.35.103](https://vuldb.com/?ip.45.33.35.103) | li985-103.members.linode.com | - | High +109 | [45.33.77.42](https://vuldb.com/?ip.45.33.77.42) | li1023-42.members.linode.com | - | High +110 | [45.46.37.97](https://vuldb.com/?ip.45.46.37.97) | cpe-45-46-37-97.maine.res.rr.com | - | High +111 | [45.55.36.51](https://vuldb.com/?ip.45.55.36.51) | - | - | High +112 | [45.55.219.163](https://vuldb.com/?ip.45.55.219.163) | - | - | High +113 | [45.59.204.133](https://vuldb.com/?ip.45.59.204.133) | rrcs-45-59-204-133.west.biz.rr.com | - | High +114 | [45.79.95.107](https://vuldb.com/?ip.45.79.95.107) | li1194-107.members.linode.com | - | High +115 | [45.80.148.200](https://vuldb.com/?ip.45.80.148.200) | - | - | High +116 | [45.118.115.99](https://vuldb.com/?ip.45.118.115.99) | - | - | High +117 | [45.118.135.203](https://vuldb.com/?ip.45.118.135.203) | 45-118-135-203.ip.linodeusercontent.com | - | High +118 | [45.142.114.231](https://vuldb.com/?ip.45.142.114.231) | mail.dounutmail.de | - | High +119 | [45.176.232.124](https://vuldb.com/?ip.45.176.232.124) | - | - | High +120 | [45.230.45.171](https://vuldb.com/?ip.45.230.45.171) | - | - | High +121 | [46.4.100.178](https://vuldb.com/?ip.46.4.100.178) | support.wizard-shopservice.de | - | High +122 | [46.4.192.185](https://vuldb.com/?ip.46.4.192.185) | static.185.192.4.46.clients.your-server.de | - | High +123 | [46.28.111.142](https://vuldb.com/?ip.46.28.111.142) | 
enkindu.jsuchy.net | - | High +124 | [46.30.213.132](https://vuldb.com/?ip.46.30.213.132) | - | - | High +125 | [46.32.229.152](https://vuldb.com/?ip.46.32.229.152) | 094882.vps-10.com | - | High +126 | [46.32.233.226](https://vuldb.com/?ip.46.32.233.226) | yetitoolusa.com | - | High +127 | [46.38.238.8](https://vuldb.com/?ip.46.38.238.8) | v2202109122001163131.happysrv.de | - | High +128 | [46.43.2.95](https://vuldb.com/?ip.46.43.2.95) | chris.default.cjenkinson.uk0.bigv.io | - | High +129 | [46.55.222.11](https://vuldb.com/?ip.46.55.222.11) | - | - | High +130 | [46.101.58.37](https://vuldb.com/?ip.46.101.58.37) | 46.101.58.37-e1-8080 | - | High +131 | [46.105.81.76](https://vuldb.com/?ip.46.105.81.76) | myu0.cylipo.sbs | - | High +132 | [46.105.114.137](https://vuldb.com/?ip.46.105.114.137) | ns3188253.ip-46-105-114.eu | - | High +133 | [46.105.131.68](https://vuldb.com/?ip.46.105.131.68) | http.adven.fr | - | High +134 | [46.105.131.69](https://vuldb.com/?ip.46.105.131.69) | epouventaille.adven.fr | - | High +135 | [46.105.131.79](https://vuldb.com/?ip.46.105.131.79) | relay.adven.fr | - | High +136 | [46.105.131.87](https://vuldb.com/?ip.46.105.131.87) | pop.adven.fr | - | High +137 | [46.105.236.18](https://vuldb.com/?ip.46.105.236.18) | - | - | High +138 | [46.165.212.76](https://vuldb.com/?ip.46.165.212.76) | - | - | High +139 | [46.165.254.206](https://vuldb.com/?ip.46.165.254.206) | - | - | High +140 | [46.214.107.142](https://vuldb.com/?ip.46.214.107.142) | 46-214-107-142.next-gen.ro | - | High +141 | [47.36.140.164](https://vuldb.com/?ip.47.36.140.164) | 047-036-140-164.res.spectrum.com | - | High +142 | [47.52.19.221](https://vuldb.com/?ip.47.52.19.221) | - | - | High +143 | [47.146.39.147](https://vuldb.com/?ip.47.146.39.147) | - | - | High +144 | [47.150.11.161](https://vuldb.com/?ip.47.150.11.161) | - | - | High +145 | [47.188.131.94](https://vuldb.com/?ip.47.188.131.94) | - | - | High +146 | [47.201.208.154](https://vuldb.com/?ip.47.201.208.154) | 
- | - | High +147 | [47.246.24.225](https://vuldb.com/?ip.47.246.24.225) | - | - | High +148 | [47.246.24.226](https://vuldb.com/?ip.47.246.24.226) | - | - | High +149 | [47.246.24.230](https://vuldb.com/?ip.47.246.24.230) | - | - | High +150 | [47.246.24.232](https://vuldb.com/?ip.47.246.24.232) | - | - | High +151 | [49.12.121.47](https://vuldb.com/?ip.49.12.121.47) | filezilla-project.org | - | High +152 | [49.50.209.131](https://vuldb.com/?ip.49.50.209.131) | 131.host-49-50-209.euba.megatel.co.nz | - | High +153 | [49.212.135.76](https://vuldb.com/?ip.49.212.135.76) | os3-321-50322.vs.sakura.ne.jp | - | High +154 | [49.212.155.94](https://vuldb.com/?ip.49.212.155.94) | os3-325-52340.vs.sakura.ne.jp | - | High +155 | [50.23.248.182](https://vuldb.com/?ip.50.23.248.182) | b6.f8.1732.ip4.static.sl-reverse.com | - | High +156 | [50.28.51.143](https://vuldb.com/?ip.50.28.51.143) | - | - | High +157 | [50.30.40.196](https://vuldb.com/?ip.50.30.40.196) | usve255301.serverprofi24.com | - | High +158 | [50.31.146.101](https://vuldb.com/?ip.50.31.146.101) | mail.brillinjurylaw.com | - | High +159 | [50.56.135.44](https://vuldb.com/?ip.50.56.135.44) | - | - | High +160 | [50.62.176.42](https://vuldb.com/?ip.50.62.176.42) | p3plcpnl0515.prod.phx3.secureserver.net | - | High +161 | [50.62.176.244](https://vuldb.com/?ip.50.62.176.244) | p3plcpnl0728.prod.phx3.secureserver.net | - | High +162 | [50.62.194.30](https://vuldb.com/?ip.50.62.194.30) | ip-50-62-194-30.ip.secureserver.net | - | High +163 | [50.78.167.65](https://vuldb.com/?ip.50.78.167.65) | millcreek.cc | - | High +164 | [50.87.59.65](https://vuldb.com/?ip.50.87.59.65) | 50-87-59-65.unifiedlayer.com | - | High +165 | [50.87.144.137](https://vuldb.com/?ip.50.87.144.137) | gator3103.hostgator.com | - | High +166 | [50.87.144.197](https://vuldb.com/?ip.50.87.144.197) | gator3161.hostgator.com | - | High +167 | [50.87.150.177](https://vuldb.com/?ip.50.87.150.177) | 50-87-150-177.unifiedlayer.com | - | High +168 | 
[50.91.114.38](https://vuldb.com/?ip.50.91.114.38) | 050-091-114-038.res.spectrum.com | - | High +169 | [50.92.101.60](https://vuldb.com/?ip.50.92.101.60) | d50-92-101-60.bchsia.telus.net | - | High +170 | [50.116.54.215](https://vuldb.com/?ip.50.116.54.215) | li440-215.members.linode.com | - | High +171 | [50.116.78.109](https://vuldb.com/?ip.50.116.78.109) | intersearchmedia.com | - | High +172 | [50.245.107.73](https://vuldb.com/?ip.50.245.107.73) | 50-245-107-73-static.hfc.comcastbusiness.net | - | High +173 | [51.15.4.22](https://vuldb.com/?ip.51.15.4.22) | 51-15-4-22.rev.poneytelecom.eu | - | High +174 | [51.15.7.145](https://vuldb.com/?ip.51.15.7.145) | 51-15-7-145.rev.poneytelecom.eu | - | High +175 | [51.38.201.19](https://vuldb.com/?ip.51.38.201.19) | ip19.ip-51-38-201.eu | - | High +176 | [51.75.33.120](https://vuldb.com/?ip.51.75.33.120) | ip120.ip-51-75-33.eu | - | High +177 | [51.75.33.127](https://vuldb.com/?ip.51.75.33.127) | ip127.ip-51-75-33.eu | - | High +178 | [51.89.36.180](https://vuldb.com/?ip.51.89.36.180) | ip180.ip-51-89-36.eu | - | High +179 | [51.89.199.141](https://vuldb.com/?ip.51.89.199.141) | ip141.ip-51-89-199.eu | - | High +180 | [51.91.7.5](https://vuldb.com/?ip.51.91.7.5) | ns3147667.ip-51-91-7.eu | - | High +181 | [51.91.76.89](https://vuldb.com/?ip.51.91.76.89) | 89.ip-51-91-76.eu | - | High +182 | [51.159.23.217](https://vuldb.com/?ip.51.159.23.217) | jambold.co.uk | - | High +183 | [51.159.35.157](https://vuldb.com/?ip.51.159.35.157) | 51-159-35-157.rev.poneytelecom.eu | - | High +184 | [51.254.140.238](https://vuldb.com/?ip.51.254.140.238) | 238.ip-51-254-140.eu | - | High +185 | [51.255.50.164](https://vuldb.com/?ip.51.255.50.164) | vps-b6cfe010.vps.ovh.net | - | High +186 | [51.255.165.160](https://vuldb.com/?ip.51.255.165.160) | 160.ip-51-255-165.eu | - | High +187 | [52.31.99.185](https://vuldb.com/?ip.52.31.99.185) | ec2-52-31-99-185.eu-west-1.compute.amazonaws.com | - | Medium +188 | 
[52.66.202.63](https://vuldb.com/?ip.52.66.202.63) | ec2-52-66-202-63.ap-south-1.compute.amazonaws.com | - | Medium +189 | [52.96.38.82](https://vuldb.com/?ip.52.96.38.82) | - | - | High +190 | [54.38.143.245](https://vuldb.com/?ip.54.38.143.245) | tools.inovato.me | - | High +191 | [58.27.215.3](https://vuldb.com/?ip.58.27.215.3) | 58-27-215-3.wateen.net | - | High +192 | [58.94.58.13](https://vuldb.com/?ip.58.94.58.13) | i58-94-58-13.s41.a014.ap.plala.or.jp | - | High +193 | [58.216.16.130](https://vuldb.com/?ip.58.216.16.130) | - | - | High +194 | [58.227.42.236](https://vuldb.com/?ip.58.227.42.236) | - | - | High +195 | [59.124.1.19](https://vuldb.com/?ip.59.124.1.19) | 59-124-1-19.hinet-ip.hinet.net | - | High +196 | [59.148.253.194](https://vuldb.com/?ip.59.148.253.194) | 059148253194.ctinets.com | - | High +197 | [59.152.93.46](https://vuldb.com/?ip.59.152.93.46) | 46.93.152.59.zipnetltd.com | - | High +198 | [60.93.23.51](https://vuldb.com/?ip.60.93.23.51) | softbank060093023051.bbtec.net | - | High +199 | [60.108.128.186](https://vuldb.com/?ip.60.108.128.186) | softbank060108128186.bbtec.net | - | High +200 | [60.125.114.64](https://vuldb.com/?ip.60.125.114.64) | softbank060125114064.bbtec.net | - | High +201 | [60.249.78.226](https://vuldb.com/?ip.60.249.78.226) | 60-249-78-226.hinet-ip.hinet.net | - | High +202 | [61.19.246.238](https://vuldb.com/?ip.61.19.246.238) | - | - | High +203 | [62.30.7.67](https://vuldb.com/?ip.62.30.7.67) | 67.7-30-62.static.virginmediabusiness.co.uk | - | High +204 | [62.75.141.82](https://vuldb.com/?ip.62.75.141.82) | static-ip-62-75-141-82.inaddr.ip-pool.com | - | High +205 | [62.84.75.50](https://vuldb.com/?ip.62.84.75.50) | mail.saadegrp.com.lb | - | High +206 | [62.171.142.179](https://vuldb.com/?ip.62.171.142.179) | vmi499457.contaboserver.net | - | High +207 | [62.210.127.136](https://vuldb.com/?ip.62.210.127.136) | 62-210-127-136.rev.poneytelecom.eu | - | High +208 | 
[62.212.34.102](https://vuldb.com/?ip.62.212.34.102) | - | - | High +209 | [64.4.244.68](https://vuldb.com/?ip.64.4.244.68) | - | - | High +210 | [64.26.60.221](https://vuldb.com/?ip.64.26.60.221) | pop5.csee.onr.siteprotect.com | - | High +211 | [64.59.136.142](https://vuldb.com/?ip.64.59.136.142) | mail.shaw.ca | - | High +212 | [64.60.82.82](https://vuldb.com/?ip.64.60.82.82) | 64-60-82-82.static-ip.telepacific.net | - | High +213 | [64.71.36.11](https://vuldb.com/?ip.64.71.36.11) | - | - | High +214 | [64.85.73.16](https://vuldb.com/?ip.64.85.73.16) | - | - | High +215 | [64.90.62.162](https://vuldb.com/?ip.64.90.62.162) | pop.dreamhost.com | - | High +216 | [64.91.228.45](https://vuldb.com/?ip.64.91.228.45) | - | - | High +217 | [64.98.36.5](https://vuldb.com/?ip.64.98.36.5) | mail.b.hostedemail.com | - | High +218 | [64.190.63.136](https://vuldb.com/?ip.64.190.63.136) | - | - | High +219 | [64.207.182.168](https://vuldb.com/?ip.64.207.182.168) | - | - | High +220 | [64.250.117.68](https://vuldb.com/?ip.64.250.117.68) | smtp.movistarcloud.com.ve | - | High +221 | [65.49.60.163](https://vuldb.com/?ip.65.49.60.163) | 65-49-60-163.ip.linodeusercontent.com | - | High +222 | [65.55.72.183](https://vuldb.com/?ip.65.55.72.183) | origin.sn134w.snt134.mail.live.com | - | High +223 | [65.182.102.90](https://vuldb.com/?ip.65.182.102.90) | mail.geantes.com | - | High +224 | [65.254.228.100](https://vuldb.com/?ip.65.254.228.100) | customer.hostcentric.com | - | High +225 | [66.23.200.58](https://vuldb.com/?ip.66.23.200.58) | - | - | High +226 | [66.50.57.73](https://vuldb.com/?ip.66.50.57.73) | 66-50-57-73.prtc.net | - | High +227 | [66.54.51.172](https://vuldb.com/?ip.66.54.51.172) | - | - | High +228 | [66.71.241.102](https://vuldb.com/?ip.66.71.241.102) | mail.nixhost.net | - | High +229 | [66.76.26.33](https://vuldb.com/?ip.66.76.26.33) | 66-76-26-33.hdsncmta01.com.sta.suddenlink.net | - | High +230 | [66.96.134.1](https://vuldb.com/?ip.66.96.134.1) | 
1.134.96.66.static.eigbox.net | - | High +231 | [66.96.147.103](https://vuldb.com/?ip.66.96.147.103) | 103.147.96.66.static.eigbox.net | - | High +232 | [66.96.147.110](https://vuldb.com/?ip.66.96.147.110) | 110.147.96.66.static.eigbox.net | - | High +233 | [66.195.202.115](https://vuldb.com/?ip.66.195.202.115) | mail.navarac.com | - | High +234 | [66.209.69.165](https://vuldb.com/?ip.66.209.69.165) | - | - | High +235 | [66.216.234.131](https://vuldb.com/?ip.66.216.234.131) | 066-216-234-131.res.spectrum.com | - | High +236 | [66.220.110.56](https://vuldb.com/?ip.66.220.110.56) | h66-220-110-56.bendor.broadband.dynamic.tds.net | - | High +237 | [66.228.32.31](https://vuldb.com/?ip.66.228.32.31) | li282-31.members.linode.com | - | High +238 | [66.228.45.129](https://vuldb.com/?ip.66.228.45.129) | li326-129.members.linode.com | - | High +239 | [66.228.61.248](https://vuldb.com/?ip.66.228.61.248) | li318-248.members.linode.com | - | High +240 | [67.19.105.107](https://vuldb.com/?ip.67.19.105.107) | ns2.datatrust.com.br | - | High +241 | [67.68.235.25](https://vuldb.com/?ip.67.68.235.25) | bas10-montrealak-67-68-235-25.dsl.bell.ca | - | High +242 | [67.170.250.203](https://vuldb.com/?ip.67.170.250.203) | c-67-170-250-203.hsd1.ca.comcast.net | - | High +243 | [67.177.71.77](https://vuldb.com/?ip.67.177.71.77) | c-67-177-71-77.hsd1.al.comcast.net | - | High +244 | [67.195.197.75](https://vuldb.com/?ip.67.195.197.75) | p9ats-i.geo.vip.bf1.yahoo.com | - | High +245 | [67.195.228.95](https://vuldb.com/?ip.67.195.228.95) | unknown.yahoo.com | - | High +246 | [67.216.131.134](https://vuldb.com/?ip.67.216.131.134) | 134.131.216.67.134.static.hargray.net | - | High +247 | [67.222.2.148](https://vuldb.com/?ip.67.222.2.148) | - | - | High +248 | [67.225.218.50](https://vuldb.com/?ip.67.225.218.50) | lb01.parklogic.com | - | High +249 | [67.225.221.173](https://vuldb.com/?ip.67.225.221.173) | host.hddpool2.net | - | High +250 | [67.241.81.253](https://vuldb.com/?ip.67.241.81.253) 
| cpe-67-241-81-253.twcny.res.rr.com | - | High +251 | [68.2.97.91](https://vuldb.com/?ip.68.2.97.91) | ip68-2-97-91.ph.ph.cox.net | - | High +252 | [68.66.194.12](https://vuldb.com/?ip.68.66.194.12) | 68.66.194.12.static.a2webhosting.com | - | High +253 | [68.178.213.203](https://vuldb.com/?ip.68.178.213.203) | p3plibsmtp03-v01.prod.phx3.secureserver.net | - | High +254 | [68.183.170.114](https://vuldb.com/?ip.68.183.170.114) | 68.183.170.114-e1-8080-keep-up | - | High +255 | [68.183.190.199](https://vuldb.com/?ip.68.183.190.199) | 68.183.190.199-e1-8080-keep-up | - | High +256 | [69.16.228.14](https://vuldb.com/?ip.69.16.228.14) | kurt.duplika.com | - | High +257 | [69.17.170.58](https://vuldb.com/?ip.69.17.170.58) | unallocated-static.rogers.com | - | High +258 | [69.43.168.200](https://vuldb.com/?ip.69.43.168.200) | ns0.imunplugged.com | - | High +259 | [69.43.168.232](https://vuldb.com/?ip.69.43.168.232) | - | - | High +260 | [69.45.19.251](https://vuldb.com/?ip.69.45.19.251) | coastinet.com | - | High +261 | [69.61.0.198](https://vuldb.com/?ip.69.61.0.198) | alpha01.serverparlor.net | - | High +262 | [69.147.92.11](https://vuldb.com/?ip.69.147.92.11) | e1.ycpi.vip.dca.yahoo.com | - | High +263 | [69.147.92.12](https://vuldb.com/?ip.69.147.92.12) | e2.ycpi.vip.dca.yahoo.com | - | High +264 | [69.156.240.33](https://vuldb.com/?ip.69.156.240.33) | smtp.transportalliance.ca | - | High +265 | [69.163.33.82](https://vuldb.com/?ip.69.163.33.82) | - | - | High +266 | [69.167.152.111](https://vuldb.com/?ip.69.167.152.111) | - | - | High +267 | [69.168.106.36](https://vuldb.com/?ip.69.168.106.36) | mail.windstream.syn-alias.com | - | High +268 | [69.175.31.212](https://vuldb.com/?ip.69.175.31.212) | 212.31.175.69.unassigned.ord.singlehop.net | - | High +269 | [69.198.17.20](https://vuldb.com/?ip.69.198.17.20) | 69-198-17-20.customerip.birch.net | - | High +270 | [69.198.17.49](https://vuldb.com/?ip.69.198.17.49) | 69-198-17-49.customerip.birch.net | - | High +271 | 
[70.32.84.74](https://vuldb.com/?ip.70.32.84.74) | - | - | High +272 | [70.32.89.105](https://vuldb.com/?ip.70.32.89.105) | parties-at-sea.com | - | High +273 | [70.32.92.133](https://vuldb.com/?ip.70.32.92.133) | popdesigngroup.com | - | High +274 | [70.32.115.157](https://vuldb.com/?ip.70.32.115.157) | harpotripofalifetime.com | - | High +275 | [70.36.102.35](https://vuldb.com/?ip.70.36.102.35) | - | - | High +276 | [70.45.30.28](https://vuldb.com/?ip.70.45.30.28) | dynamic.libertypr.net | - | High +277 | [70.168.7.6](https://vuldb.com/?ip.70.168.7.6) | wsip-70-168-7-6.ri.ri.cox.net | - | High +278 | [70.182.77.184](https://vuldb.com/?ip.70.182.77.184) | wsip-70-182-77-184.ok.ok.cox.net | - | High +279 | [70.183.113.54](https://vuldb.com/?ip.70.183.113.54) | wsip-70-183-113-54.no.no.cox.net | - | High +280 | [70.184.86.103](https://vuldb.com/?ip.70.184.86.103) | wsip-70-184-86-103.ph.ph.cox.net | - | High +281 | [70.184.125.132](https://vuldb.com/?ip.70.184.125.132) | wsip-70-184-125-132.ph.ph.cox.net | - | High +282 | [71.8.1.188](https://vuldb.com/?ip.71.8.1.188) | 071-008-001-188.res.spectrum.com | - | High +283 | ... | ... | ... | ... -There are 877 more IOC items available. Please use our online service to access the data. +There are 1126 more IOC items available. Please use our online service to access the data. ## TTP - Tactics, Techniques, Procedures 
@@ -250,12 +310,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK ID | Technique | Weakness | Description | Confidence -- | --------- | -------- | ----------- | ---------- -1 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High -2 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High -3 | T1068 | CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High +1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High +2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High +3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High 4 | ... | ... | ... | ... -There are 6 more TTP items available. Please use our online service to access the data. +There are 3 more TTP items available. Please use our online service to access the data. ## IOA - Indicator of Attack 
@@ -263,25 +323,22 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic ID | Type | Indicator | Confidence -- | ---- | --------- | ---------- -1 | File | `/admin/index.php?slides` | High -2 | File | `/AvalancheWeb/image` | High -3 | File | `/cgi-bin/adm.cgi` | High -4 | File | `/classes/Comment` | High -5 | File | `/cms/content/list` | High -6 | File | `/customer_register.php` | High -7 | File | `/etc/master.passwd` | High -8 | File | `/example/editor` | High -9 | File | `/goform/login_process` | High -10 | File | `/goform/rlmswitchr_process` | High -11 | File | `/goforms/rlminfo` | High -12 | File | `/include/chart_generator.php` | High -13 | File | `/index.php?page=home` | High -14 | File | `/index.php?page=reserve` | High -15 | File | `/public_html/animals` | High -16 | File | `/public_html/apply_vacancy` | High -17 | ... | ... | ... +1 | File | `/admin.php?id=posts&action=display&value=1&postid=` | High +2 | File | `/admin.php?id=siteoptions&social=display&value=0&sid=2` | High +3 | File | `/admin.php?id=siteoptions&social=edit&sid=2` | High +4 | File | `/admin/inbox.php&action=delete` | High +5 | File | `/admin/inbox.php&action=read` | High +6 | File | `/admin/pagerole.php&action=display&value=1` | High +7 | File | `/admin/pagerole.php&action=edit` | High +8 | File | `/admin/posts.php` | High +9 | File | `/admin/posts.php&action=delete` | High +10 | File | `/admin/posts.php&action=edit` | High +11 | File | `/admin/siteoptions.php&action=displaygoal&value=1&roleid=1` | High +12 | File | `/admin/siteoptions.php&social=remove&sid=2` | High +13 | File | `/admin/uesrs.php&&action=delete&userid=4` | High +14 | ... | ... | ... -There are 142 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 115 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. 
## References 
@@ -291,6 +348,26 @@ The following list contains _external sources_ which discuss the actor and the a
 * https://blog.talosintelligence.com/2018/07/threat-roundup-0720-0727.html
 * https://blog.talosintelligence.com/2018/09/threat-roundup-0907-0914.html
 * https://blog.talosintelligence.com/2018/10/threat-roundup-1005-1012.html
+* https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html
+* https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html
+* https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html
+* https://blog.talosintelligence.com/2018/12/threat-roundup-1130-1207.html
+* https://blog.talosintelligence.com/2018/12/threat-roundup-1214-1221.html
+* https://blog.talosintelligence.com/2019/01/threat-roundup-0111-0118.html
+* https://blog.talosintelligence.com/2019/01/threat-roundup-0118-0125.html
+* https://blog.talosintelligence.com/2019/02/threat-roundup-0201-0208.html
+* https://blog.talosintelligence.com/2019/02/threat-roundup-for-feb-15-to-feb-22.html
+* https://blog.talosintelligence.com/2019/03/threat-roundup-0308-0315.html
+* https://blog.talosintelligence.com/2019/03/threat-roundup-0315-0322.html
+* https://blog.talosintelligence.com/2019/03/threat-roundup-for-feb-22-to-march-1.html
+* https://blog.talosintelligence.com/2019/03/threat-roundup-for-mar-01-to-mar-08.html
+* https://blog.talosintelligence.com/2019/04/threat-roundup-0329-0405.html
+* https://blog.talosintelligence.com/2019/04/threat-roundup-0405-0412.html
+* https://blog.talosintelligence.com/2019/04/threat-roundup-0412-0419.html
+* https://blog.talosintelligence.com/2019/04/threat-roundup-0419-to-0426.html
+* https://blog.talosintelligence.com/2019/05/threat-roundup-0503-0510.html
+* https://blog.talosintelligence.com/2019/05/threat-roundup-0517-0524.html
+* https://blog.talosintelligence.com/2019/05/threat-roundup-0524-0531.html
 * https://blog.talosintelligence.com/2019/09/emotet-is-back-after-summer-break.html
 * 
https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html * https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html diff --git a/actors/FIN7/README.md b/actors/FIN7/README.md index 9b5d0785..21361dc3 100644 --- a/actors/FIN7/README.md +++ b/actors/FIN7/README.md @@ -82,7 +82,7 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK ID | Technique | Weakness | Description | Confidence -- | --------- | -------- | ----------- | ---------- 1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High -2 | T1068 | CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High +2 | T1068 | CWE-250, CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High 3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High 4 | ... | ... | ... | ... 
@@ -96,59 +96,59 @@ ID | Type | Indicator | Confidence -- | ---- | --------- | ---------- 1 | File | `/+CSCOE+/logon.html` | High 2 | File | `/bsms/?page=products` | High -3 | File | `/cloud_config/router_post/check_reg_verify_code` | High -4 | File | `/context/%2e/WEB-INF/web.xml` | High -5 | File | `/debug/pprof` | Medium -6 | File | `/ext/phar/phar_object.c` | High -7 | File | `/filemanager/php/connector.php` | High -8 | File | `/get_getnetworkconf.cgi` | High -9 | File | `/HNAP1` | Low -10 | File | `/include/chart_generator.php` | High -11 | File | `/modx/manager/index.php` | High -12 | File | `/monitoring` | Medium -13 | File | `/new` | Low -14 | File | `/proc//status` | High -15 | File | `/public/login.htm` | High -16 | File | `/public/plugins/` | High -17 | File | `/replication` | Medium -18 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High -19 | File | `/secure/QueryComponent!Default.jspa` | High -20 | File | `/siteminderagent/pwcgi/smpwservicescgi.exe` | High -21 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High -22 | File | `/tmp` | Low -23 | File | `/type.php` | Medium -24 | File | `/uncpath/` | Medium -25 | File | `/usr/bin/pkexec` | High -26 | File | `/wp-json/wc/v3/webhooks` | High -27 | File | `4.2.0.CP09` | Medium -28 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High -29 | File | `802dot1xclientcert.cgi` | High -30 | File | `AccountManagerService.java` | High -31 | File | `actions/CompanyDetailsSave.php` | High -32 | File | `ActivityManagerService.java` | High -33 | File | `add.exe` | Low -34 | File | `admin.color.php` | High -35 | File | `admin.cropcanvas.php` | High -36 | File | `admin.joomlaradiov5.php` | High -37 | File | `admin.php` | Medium -38 | File | `admin.php?m=Food&a=addsave` | High -39 | File | `admin/add-glossary.php` | High -40 | File | `admin/conf_users_edit.php` | High -41 | File | `admin/edit-comments.php` | High -42 | File | `admin/index.php` | High -43 | File | 
`admin/src/containers/InputModalStepperProvider/index.js` | High -44 | File | `admin/write-post.php` | High -45 | File | `administrator/components/com_media/helpers/media.php` | High -46 | File | `admin_events.php` | High -47 | File | `aidl_const_expressions.cpp` | High -48 | File | `ajax/include.php` | High -49 | File | `AjaxApplication.java` | High -50 | File | `akocomments.php` | High -51 | File | `allopass-error.php` | High -52 | File | `AllowBindAppWidgetActivity.java` | High +3 | File | `/cgi-bin/system_mgr.cgi` | High +4 | File | `/cloud_config/router_post/check_reg_verify_code` | High +5 | File | `/context/%2e/WEB-INF/web.xml` | High +6 | File | `/debug/pprof` | Medium +7 | File | `/ext/phar/phar_object.c` | High +8 | File | `/filemanager/php/connector.php` | High +9 | File | `/get_getnetworkconf.cgi` | High +10 | File | `/HNAP1` | Low +11 | File | `/include/chart_generator.php` | High +12 | File | `/modx/manager/index.php` | High +13 | File | `/monitoring` | Medium +14 | File | `/new` | Low +15 | File | `/proc//status` | High +16 | File | `/public/login.htm` | High +17 | File | `/public/plugins/` | High +18 | File | `/replication` | Medium +19 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High +20 | File | `/secure/QueryComponent!Default.jspa` | High +21 | File | `/siteminderagent/pwcgi/smpwservicescgi.exe` | High +22 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High +23 | File | `/tmp` | Low +24 | File | `/type.php` | Medium +25 | File | `/uncpath/` | Medium +26 | File | `/usr/bin/pkexec` | High +27 | File | `/wp-json/wc/v3/webhooks` | High +28 | File | `4.2.0.CP09` | Medium +29 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High +30 | File | `802dot1xclientcert.cgi` | High +31 | File | `AccountManagerService.java` | High +32 | File | `actions/CompanyDetailsSave.php` | High +33 | File | `ActivityManagerService.java` | High +34 | File | `add.exe` | Low +35 | File | `admin.color.php` | High +36 | File | 
`admin.cropcanvas.php` | High +37 | File | `admin.joomlaradiov5.php` | High +38 | File | `admin.php` | Medium +39 | File | `admin.php?m=Food&a=addsave` | High +40 | File | `admin/add-glossary.php` | High +41 | File | `admin/conf_users_edit.php` | High +42 | File | `admin/edit-comments.php` | High +43 | File | `admin/index.php` | High +44 | File | `admin/src/containers/InputModalStepperProvider/index.js` | High +45 | File | `admin/write-post.php` | High +46 | File | `administrator/components/com_media/helpers/media.php` | High +47 | File | `admin_events.php` | High +48 | File | `aidl_const_expressions.cpp` | High +49 | File | `ajax/include.php` | High +50 | File | `AjaxApplication.java` | High +51 | File | `akocomments.php` | High +52 | File | `allopass-error.php` | High 53 | ... | ... | ... -There are 460 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 464 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References diff --git a/actors/FakeAlert/README.md b/actors/FakeAlert/README.md index 94d31aca..51ffdf40 100644 --- a/actors/FakeAlert/README.md +++ b/actors/FakeAlert/README.md @@ -10,7 +10,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce * [US](https://vuldb.com/?country.us) * [PT](https://vuldb.com/?country.pt) -* [RU](https://vuldb.com/?country.ru) +* [TR](https://vuldb.com/?country.tr) * ... There are 4 more country items available. Please use our online service to access the data. diff --git a/actors/FritzFrog/README.md b/actors/FritzFrog/README.md index 64e2f46d..ade09082 100644 --- a/actors/FritzFrog/README.md +++ b/actors/FritzFrog/README.md 
@@ -8,12 +8,12 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FritzFrog: -* [VN](https://vuldb.com/?country.vn) * [CN](https://vuldb.com/?country.cn) +* [VN](https://vuldb.com/?country.vn) * [ES](https://vuldb.com/?country.es) * ... -There are 12 more country items available. Please use our online service to access the data. +There are 11 more country items available. Please use our online service to access the data. ## IOC - Indicator of Compromise @@ -332,11 +332,11 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK ID | Technique | Weakness | Description | Confidence -- | --------- | -------- | ----------- | ---------- 1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High -2 | T1068 | CWE-250, CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High +2 | T1068 | CWE-250, CWE-264, CWE-284 | Execution with Unnecessary Privileges | High 3 | T1110.001 | CWE-307 | Improper Restriction of Excessive Authentication Attempts | High 4 | ... | ... | ... | ... -There are 8 more TTP items available. Please use our online service to access the data. +There are 7 more TTP items available. Please use our online service to access the data. ## IOA - Indicator of Attack 
@@ -344,41 +344,45 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic ID | Type | Indicator | Confidence -- | ---- | --------- | ---------- -1 | File | `/#/CampaignManager/users` | High -2 | File | `/admin/admin_login.php` | High -3 | File | `/admin/index.php?slides` | High +1 | File | `.procmailrc` | Medium +2 | File | `/#/CampaignManager/users` | High +3 | File | `/admin/admin_login.php` | High 4 | File | `/admin/login.php` | High -5 | File | `/apply.cgi` | Medium +5 | File | `/AvalancheWeb/image` | High 6 | File | `/bin/sh` | Low -7 | File | `/bsms/?page=products` | High -8 | File | `/cgi-bin/portal` | High -9 | File | `/cgi-bin/system_mgr.cgi` | High +7 | File | `/cgi-bin/portal` | High +8 | File | `/cgi-bin/system_mgr.cgi` | High +9 | File | `/dev/tty` | Medium 10 | File | `/doorgets/app/requests/user/modulecategoryRequest.php` | High 11 | File | `/etc/groups` | Medium -12 | File | `/form/index.php?module=getjson` | High -13 | File | `/ghost/preview` | High -14 | File | `/include/chart_generator.php` | High -15 | File | `/login` | Low -16 | File | `/login.html` | Medium -17 | File | `/magnoliaPublic/travel/members/login.html` | High -18 | File | `/member/index/login.html` | High -19 | File | `/nova/bin/detnet` | High -20 | File | `/op/op.LockDocument.php` | High -21 | File | `/public/plugins/` | High -22 | File | `/rest/api/2/search` | High -23 | File | `/rest/api/latest/projectvalidate/key` | High -24 | File | `/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf` | High -25 | File | `/SAP_Information_System/controllers/add_admin.php` | High -26 | File | `/sm/api/v1/firewall/zone/services` | High -27 | File | `/src/njs_vmcode.c` | High -28 | File | `/system/tool/ping.php` | High -29 | File | `/system/user/resetPwd` | High -30 | File | `/tmp/app/.env` | High -31 | File | `/uncpath/` | Medium -32 | File | `/wp-admin/admin-ajax.php` | High -33 | ... | ... | ... 
+12 | File | `/ghost/preview` | High +13 | File | `/login` | Low +14 | File | `/login.html` | Medium +15 | File | `/magnoliaPublic/travel/members/login.html` | High +16 | File | `/member/index/login.html` | High +17 | File | `/nova/bin/detnet` | High +18 | File | `/proc/self/setgroups` | High +19 | File | `/public/plugins/` | High +20 | File | `/rest/api/latest/user/avatar/temporary` | High +21 | File | `/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf` | High +22 | File | `/sm/api/v1/firewall/zone/services` | High +23 | File | `/src/njs_vmcode.c` | High +24 | File | `/system/user/resetPwd` | High +25 | File | `/tmp/app/.env` | High +26 | File | `/uncpath/` | Medium +27 | File | `/user-utils/users/md5.json` | High +28 | File | `/var/adm/btmp` | High +29 | File | `/websocket/exec` | High +30 | File | `/wp-content/plugins/woocommerce/templates/emails/plain/` | High +31 | File | `/x_program_center/jaxrs/invoke` | High +32 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High +33 | File | `add_vhost.php` | High +34 | File | `admin.inc.php` | High +35 | File | `admin/conf_users_edit.php` | High +36 | File | `admin/index.php` | High +37 | ... | ... | ... -There are 281 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 317 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References diff --git a/actors/Gh0stRAT/README.md b/actors/Gh0stRAT/README.md index c200ad36..aac006e4 100644 --- a/actors/Gh0stRAT/README.md +++ b/actors/Gh0stRAT/README.md 
@@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce * [VN](https://vuldb.com/?country.vn) * ... -There are 14 more country items available. Please use our online service to access the data. +There are 11 more country items available. Please use our online service to access the data. ## IOC - Indicator of Compromise 
@@ -91,39 +91,49 @@ ID | Type | Indicator | Confidence 4 | File | `//` | Low 5 | File | `/admin.php?action=themeinstall` | High 6 | File | `/admin/?setting-base.htm` | High -7 | File | `/admin/login.php` | High -8 | File | `/apply_noauth.cgi` | High -9 | File | `/audit/log/log_management.php` | High -10 | File | `/bin/login` | Medium -11 | File | `/bin/sh` | Low -12 | File | `/cgi-bin/login` | High -13 | File | `/classes/profile.class.php` | High -14 | File | `/CMD_ACCOUNT_ADMIN` | High -15 | File | `/core/admin/categories.php` | High -16 | File | `/dev/tty` | Medium +7 | File | `/admin/admin_login.php` | High +8 | File | `/admin/login.php` | High +9 | File | `/apply_noauth.cgi` | High +10 | File | `/audit/log/log_management.php` | High +11 | File | `/bin/login` | Medium +12 | File | `/bin/sh` | Low +13 | File | `/cgi-bin/login` | High +14 | File | `/classes/profile.class.php` | High +15 | File | `/dev/tty` | Medium +16 | File | `/doorgets/app/requests/user/modulecategoryRequest.php` | High 17 | File | `/downloads/` | Medium -18 | File | `/index.php` | Medium -19 | File | `/member/index/login.html` | High -20 | File | `/modules/certinfo/index.php` | High -21 | File | `/MTFWU` | Low -22 | File | `/ptms/classes/Users.php` | High -23 | File | `/ScadaBR/login.htm` | High -24 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High -25 | File | `/system/tool/ping.php` | High -26 | File | `/uncpath/` | Medium -27 | File | `/updown/upload.cgi` | High -28 | File | `/upload` | Low -29 | File | `/usr/bin/pkexec` | High -30 | File | `/wp-json` | Medium -31 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High -32 | File | `?location=search` | High -33 | File | `account/login.php` | High -34 | File | `add.php` | Low -35 | File | `admin.php` | Medium -36 | File | `admin.php?m=backup&c=backup&a=doback` | High -37 | ... | ... | ... 
+18 | File | `/etc/groups` | Medium +19 | File | `/index.php` | Medium +20 | File | `/login` | Low +21 | File | `/login.html` | Medium +22 | File | `/magnoliaPublic/travel/members/login.html` | High +23 | File | `/member/index/login.html` | High +24 | File | `/modules/certinfo/index.php` | High +25 | File | `/MTFWU` | Low +26 | File | `/ptms/classes/Users.php` | High +27 | File | `/ScadaBR/login.htm` | High +28 | File | `/system/tool/ping.php` | High +29 | File | `/uncpath/` | Medium +30 | File | `/usr/bin/pkexec` | High +31 | File | `/var/adm/btmp` | High +32 | File | `/wp-json` | Medium +33 | File | `?location=search` | High +34 | File | `account/login.php` | High +35 | File | `add.php` | Low +36 | File | `admin.inc.php` | High +37 | File | `admin.php` | Medium +38 | File | `admin.php?m=backup&c=backup&a=doback` | High +39 | File | `admin/conf_users_edit.php` | High +40 | File | `admin/index.php` | High +41 | File | `admin/login.asp` | High +42 | File | `admin/login.php` | High +43 | File | `admin/nos/login` | High +44 | File | `admin\db\DoSql.php` | High +45 | File | `agenda.php3` | Medium +46 | File | `ajaxp.php` | Medium +47 | ... | ... | ... -There are 322 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 410 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References diff --git a/actors/GoGoogle/README.md b/actors/GoGoogle/README.md new file mode 100644 index 00000000..453d5e69 --- /dev/null +++ b/actors/GoGoogle/README.md 
@@ -0,0 +1,63 @@
+# GoGoogle - Cyber Threat Intelligence
+
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [GoGoogle](https://vuldb.com/?actor.gogoogle). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
+
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.gogoogle](https://vuldb.com/?actor.gogoogle)
+
+## Countries
+
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with GoGoogle:
+
+* [GB](https://vuldb.com/?country.gb)
+* [US](https://vuldb.com/?country.us)
+* [IN](https://vuldb.com/?country.in)
+* ...
+
+There are 3 more country items available. Please use our online service to access the data.
+
+## IOC - Indicator of Compromise
+
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of GoGoogle.
+
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [93.174.95.73](https://vuldb.com/?ip.93.174.95.73) | - | - | High
+
+## TTP - Tactics, Techniques, Procedures
+
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _GoGoogle_. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1059.007 | CWE-79 | Cross Site Scripting | High
+2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
+
+## IOA - Indicator of Attack
+
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by GoGoogle. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `/api/addusers` | High
+2 | File | `/home/httpd/cgi-bin/cgi.cgi` | High
+3 | File | `/public/login.htm` | High
+4 | ... | ... | ...
+
+There are 5 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+
+## References
+
+The following list contains _external sources_ which discuss the actor and the associated activities:
+
+* https://thedfirreport.com/2020/04/04/gogoogle-ransomware/
+
+## Literature
+
+The following _articles_ explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
diff --git a/actors/Gootkit/README.md b/actors/Gootkit/README.md
new file mode 100644
index 00000000..32830a6e
--- /dev/null
+++ b/actors/Gootkit/README.md
@@ -0,0 +1,75 @@
+# Gootkit - Cyber Threat Intelligence
+
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Gootkit](https://vuldb.com/?actor.gootkit). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
+
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.gootkit](https://vuldb.com/?actor.gootkit)
+
+## Countries
+
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Gootkit:
+
+* [US](https://vuldb.com/?country.us)
+* [RU](https://vuldb.com/?country.ru)
+* [CN](https://vuldb.com/?country.cn)
+* ...
+
+There are 7 more country items available. Please use our online service to access the data.
+
+## IOC - Indicator of Compromise
+
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Gootkit.
+
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [31.214.157.14](https://vuldb.com/?ip.31.214.157.14) | dev.neto-svedberg.com | - | High
+2 | [31.214.157.162](https://vuldb.com/?ip.31.214.157.162) | crm.tuxexpert.com | - | High
+3 | [109.230.199.13](https://vuldb.com/?ip.109.230.199.13) | sw1-wg.celo.net | - | High
+4 | ... | ... | ... | ...
+
+There are 11 more IOC items available. Please use our online service to access the data.
+
+## TTP - Tactics, Techniques, Procedures
+
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Gootkit_. This data is unique as it uses our predictive model for actor profiling. 
+
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
+2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
+3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
+4 | ... | ... | ... | ...
+
+There are 3 more TTP items available. Please use our online service to access the data.
+
+## IOA - Indicator of Attack
+
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Gootkit. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `.htaccess` | Medium
+2 | File | `/addnews.html` | High
+3 | File | `/cgi-bin/supervisor/PwdGrp.cgi` | High
+4 | File | `/download` | Medium
+5 | File | `/secure/admin/ImporterFinishedPage.jspa` | High
+6 | File | `/uncpath/` | Medium
+7 | ... | ... | ...
+
+There are 52 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+
+## References
+
+The following list contains _external sources_ which discuss the actor and the associated activities:
+
+* https://blog.talosintelligence.com/2019/10/threat-roundup-1011-1018.html
+
+## Literature
+
+The following _articles_ explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? 
Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)! diff --git a/actors/GreyEnergy/README.md b/actors/GreyEnergy/README.md index c823099e..933b863e 100644 --- a/actors/GreyEnergy/README.md +++ b/actors/GreyEnergy/README.md @@ -86,7 +86,7 @@ ID | Type | Indicator | Confidence 35 | File | `admin/edit-comments.php` | High 36 | ... | ... | ... -There are 312 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 310 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References diff --git a/actors/Grizzly Steppe/README.md b/actors/Grizzly Steppe/README.md index d5b88b6d..2c0318dd 100644 --- a/actors/Grizzly Steppe/README.md +++ b/actors/Grizzly Steppe/README.md 
@@ -175,36 +175,37 @@ ID | Type | Indicator | Confidence 5 | File | `/admin.php/admin/ulog/index.html` | High 6 | File | `/admin/configure.php` | High 7 | File | `/admin/doctors/view_doctor.php` | High -8 | File | `/api/crontab` | Medium -9 | File | `/api/trackedEntityInstances` | High -10 | File | `/AvalancheWeb/image` | High -11 | File | `/category.php` | High -12 | File | `/cgi-bin/uploadAccessCodePic` | High -13 | File | `/cms/ajax.php` | High -14 | File | `/context/%2e/WEB-INF/web.xml` | High -15 | File | `/dev/dri/card1` | High -16 | File | `/export` | Low -17 | File | `/file?action=download&file` | High -18 | File | `/goform/setIPv6Status` | High -19 | File | `/images` | Low -20 | File | `/include/chart_generator.php` | High -21 | File | `/include/make.php` | High -22 | File | `/InternalPages/ExecuteTask.aspx` | High -23 | File | `/music/ajax.php` | High -24 | File | `/nova/bin/sniffer` | High -25 | File | `/pandora_console/ajax.php` | High -26 | File | `/principals` | Medium -27 | File | `/public/plugins/` | High -28 | File | `/SASWebReportStudio/logonAndRender.do` | High -29 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High -30 | File | `/system/bin/osi_bin` | High -31 | File | `/tmp` | Low -32 | File | `/TMS/admin/setting/mail/createorupdate` | High -33 | File | `/uncpath/` | Medium -34 | File | `/web/MCmsAction.java` | High -35 | ... | ... | ... 
+8 | File | `/admin/siteoptions.php&action=displaygoal&value=1&roleid=1` | High +9 | File | `/api/crontab` | Medium +10 | File | `/api/students/me/messages/` | High +11 | File | `/api/trackedEntityInstances` | High +12 | File | `/AvalancheWeb/image` | High +13 | File | `/category.php` | High +14 | File | `/cdsms/classes/Master.php?f=delete_enrollment` | High +15 | File | `/cdsms/classes/Master.php?f=delete_package` | High +16 | File | `/cgi-bin/uploadAccessCodePic` | High +17 | File | `/common/info.cgi` | High +18 | File | `/context/%2e/WEB-INF/web.xml` | High +19 | File | `/dev/dri/card1` | High +20 | File | `/export` | Low +21 | File | `/file?action=download&file` | High +22 | File | `/goform/setIPv6Status` | High +23 | File | `/goform/WifiExtraSet` | High +24 | File | `/images` | Low +25 | File | `/include/chart_generator.php` | High +26 | File | `/include/make.php` | High +27 | File | `/InternalPages/ExecuteTask.aspx` | High +28 | File | `/nova/bin/sniffer` | High +29 | File | `/principals` | Medium +30 | File | `/public/plugins/` | High +31 | File | `/reps/admin/?page=agents/manage_agent` | High +32 | File | `/reps/classes/Master.php?f=delete_estate` | High +33 | File | `/SASWebReportStudio/logonAndRender.do` | High +34 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High +35 | File | `/system/bin/osi_bin` | High +36 | ... | ... | ... -There are 301 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 306 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References diff --git a/actors/Hancitor/README.md b/actors/Hancitor/README.md index c0a608f8..26f36e43 100644 --- a/actors/Hancitor/README.md +++ b/actors/Hancitor/README.md 
@@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce * [CN](https://vuldb.com/?country.cn) * ... -There are 14 more country items available. Please use our online service to access the data. +There are 13 more country items available. Please use our online service to access the data. ## IOC - Indicator of Compromise 
@@ -75,35 +75,34 @@ ID | Type | Indicator | Confidence 10 | File | `/inc/parser/xhtml.php` | High 11 | File | `/login` | Low 12 | File | `/modules/profile/index.php` | High -13 | File | `/objects/getImageMP4.php` | High -14 | File | `/one_church/userregister.php` | High -15 | File | `/out.php` | Medium -16 | File | `/public/plugins/` | High -17 | File | `/replication` | Medium -18 | File | `/req_password_user.php` | High -19 | File | `/SAP_Information_System/controllers/add_admin.php` | High -20 | File | `/SASWebReportStudio/logonAndRender.do` | High -21 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High -22 | File | `/secure/admin/ViewInstrumentation.jspa` | High -23 | File | `/secure/QueryComponent!Default.jspa` | High -24 | File | `/SSOPOST/metaAlias/%realm%/idpv2` | High -25 | File | `/tmp` | Low -26 | File | `/tmp/phpglibccheck` | High -27 | File | `/uncpath/` | Medium -28 | File | `/usr/syno/etc/mount.conf` | High -29 | File | `/WEB-INF/web.xml` | High -30 | File | `/web/entry/en/address/adrsSetUserWizard.cgi` | High -31 | File | `/wp-json/oembed/1.0/embed?url` | High -32 | File | `adclick.php` | Medium -33 | File | `addentry.php` | Medium -34 | File | `admin.cropcanvas.php` | High +13 | File | `/nova/bin/console` | High +14 | File | `/objects/getImageMP4.php` | High +15 | File | `/one_church/userregister.php` | High +16 | File | `/out.php` | Medium +17 | File | `/public/plugins/` | High +18 | File | `/replication` | Medium +19 | File | `/req_password_user.php` | High +20 | File | `/SAP_Information_System/controllers/add_admin.php` | High +21 | File | `/SASWebReportStudio/logonAndRender.do` | High +22 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High +23 | File | `/secure/admin/ViewInstrumentation.jspa` | High +24 | File | `/secure/QueryComponent!Default.jspa` | High +25 | File | `/SSOPOST/metaAlias/%realm%/idpv2` | High +26 | File | `/tmp` | Low +27 | File | `/tmp/phpglibccheck` | High +28 | File | `/uncpath/` | Medium 
+29 | File | `/usr/syno/etc/mount.conf` | High +30 | File | `/WEB-INF/web.xml` | High +31 | File | `/web/entry/en/address/adrsSetUserWizard.cgi` | High +32 | File | `/wp-json/oembed/1.0/embed?url` | High +33 | File | `adclick.php` | Medium +34 | File | `addentry.php` | Medium 35 | File | `admin.jcomments.php` | High 36 | File | `admin.php` | Medium 37 | File | `admin/conf_users_edit.php` | High -38 | File | `admin/create-package.php` | High -39 | ... | ... | ... +38 | ... | ... | ... -There are 339 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 325 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References diff --git a/actors/Hive0117/README.md b/actors/Hive0117/README.md new file mode 100644 index 00000000..d9824a69 --- /dev/null +++ b/actors/Hive0117/README.md 
@@ -0,0 +1,36 @@
+# Hive0117 - Cyber Threat Intelligence
+
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Hive0117](https://vuldb.com/?actor.hive0117). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
+
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.hive0117](https://vuldb.com/?actor.hive0117)
+
+## Campaigns
+
+The following _campaigns_ are known and can be associated with Hive0117:
+
+* DarkWatchman
+
+## IOC - Indicator of Compromise
+
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Hive0117.
+
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [103.153.157.33](https://vuldb.com/?ip.103.153.157.33) | 103-153-157-33.ip.fulltimehosting.net | DarkWatchman | High
+
+## References
+
+The following list contains _external sources_ which discuss the actor and the associated activities:
+
+* https://securityintelligence.com/posts/hive00117-fileless-malware-delivery-eastern-europe/
+
+## Literature
+
+The following _articles_ explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? 
Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
diff --git a/actors/IcedID/README.md b/actors/IcedID/README.md
index 7c6704dc..62f63a82 100644
--- a/actors/IcedID/README.md
+++ b/actors/IcedID/README.md
@@ -4,6 +4,12 @@ These _indicators_ were reported, collected, and generated during the [VulDB CTI _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.icedid](https://vuldb.com/?actor.icedid) +## Campaigns + +The following _campaigns_ are known and can be associated with IcedID: + +* Cobalt Strike + ## Countries These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with IcedID:
@@ -13,7 +19,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce * [RU](https://vuldb.com/?country.ru) * ... -There are 17 more country items available. Please use our online service to access the data. +There are 20 more country items available. Please use our online service to access the data. ## IOC - Indicator of Compromise 
@@ -21,25 +27,27 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi ID | IP address | Hostname | Campaign | Confidence -- | ---------- | -------- | -------- | ---------- -1 | [5.149.252.179](https://vuldb.com/?ip.5.149.252.179) | hnh7.arenal.xyz | - | High -2 | [31.24.224.12](https://vuldb.com/?ip.31.24.224.12) | 1f18e00c.setaptr.net | - | High -3 | [31.24.228.170](https://vuldb.com/?ip.31.24.228.170) | 31.24.228.170.static.midphase.com | - | High -4 | [31.184.199.11](https://vuldb.com/?ip.31.184.199.11) | dalesmanager.com | - | High -5 | [45.129.99.241](https://vuldb.com/?ip.45.129.99.241) | 354851-vds-mamozw.gmhost.pp.ua | - | High -6 | [45.138.172.179](https://vuldb.com/?ip.45.138.172.179) | - | - | High -7 | [45.147.228.198](https://vuldb.com/?ip.45.147.228.198) | - | - | High -8 | [45.147.230.82](https://vuldb.com/?ip.45.147.230.82) | - | - | High -9 | [45.147.230.88](https://vuldb.com/?ip.45.147.230.88) | mailnode7.bulletproof-mail.biz | - | High -10 | [45.147.231.113](https://vuldb.com/?ip.45.147.231.113) | - | - | High -11 | [45.153.240.135](https://vuldb.com/?ip.45.153.240.135) | - | - | High -12 | [45.153.241.115](https://vuldb.com/?ip.45.153.241.115) | - | - | High -13 | [46.17.98.191](https://vuldb.com/?ip.46.17.98.191) | - | - | High -14 | [46.249.62.199](https://vuldb.com/?ip.46.249.62.199) | - | - | High -15 | [79.141.161.176](https://vuldb.com/?ip.79.141.161.176) | zzs7bp73.copycomdigital.com | - | High -16 | [79.141.164.241](https://vuldb.com/?ip.79.141.164.241) | x6ts.mtsgamingpro.fun | - | High -17 | ... | ... | ... | ... 
+1 | [5.61.46.161](https://vuldb.com/?ip.5.61.46.161) | - | - | High +2 | [5.149.252.179](https://vuldb.com/?ip.5.149.252.179) | hnh7.arenal.xyz | - | High +3 | [31.24.224.12](https://vuldb.com/?ip.31.24.224.12) | 1f18e00c.setaptr.net | - | High +4 | [31.24.228.170](https://vuldb.com/?ip.31.24.228.170) | 31.24.228.170.static.midphase.com | - | High +5 | [31.184.199.11](https://vuldb.com/?ip.31.184.199.11) | dalesmanager.com | - | High +6 | [37.120.222.100](https://vuldb.com/?ip.37.120.222.100) | - | - | High +7 | [45.129.99.241](https://vuldb.com/?ip.45.129.99.241) | 354851-vds-mamozw.gmhost.pp.ua | - | High +8 | [45.138.172.179](https://vuldb.com/?ip.45.138.172.179) | - | - | High +9 | [45.147.228.198](https://vuldb.com/?ip.45.147.228.198) | - | - | High +10 | [45.147.230.82](https://vuldb.com/?ip.45.147.230.82) | - | - | High +11 | [45.147.230.88](https://vuldb.com/?ip.45.147.230.88) | mailnode7.bulletproof-mail.biz | - | High +12 | [45.147.231.113](https://vuldb.com/?ip.45.147.231.113) | - | - | High +13 | [45.153.240.135](https://vuldb.com/?ip.45.153.240.135) | - | - | High +14 | [45.153.241.115](https://vuldb.com/?ip.45.153.241.115) | - | - | High +15 | [46.17.98.191](https://vuldb.com/?ip.46.17.98.191) | - | - | High +16 | [46.249.62.199](https://vuldb.com/?ip.46.249.62.199) | - | - | High +17 | [79.141.161.176](https://vuldb.com/?ip.79.141.161.176) | zzs7bp73.copycomdigital.com | - | High +18 | [79.141.164.241](https://vuldb.com/?ip.79.141.164.241) | x6ts.mtsgamingpro.fun | - | High +19 | ... | ... | ... | ... -There are 66 more IOC items available. Please use our online service to access the data. +There are 74 more IOC items available. Please use our online service to access the data. ## TTP - Tactics, Techniques, Procedures 
@@ -66,52 +74,49 @@ ID | Type | Indicator | Confidence 4 | File | `/anony/mjpg.cgi` | High 5 | File | `/bin/sh` | Low 6 | File | `/cgi-bin/editBookmark` | High -7 | File | `/etc/shadow` | Medium -8 | File | `/EXCU_SHELL` | Medium -9 | File | `/export` | Low -10 | File | `/GetSimpleCMS-3.3.15/admin/log.php` | High -11 | File | `/goform/addressNat` | High -12 | File | `/iisadmpwd` | Medium -13 | File | `/include/menu_v.inc.php` | High -14 | File | `/lms/admin.php` | High -15 | File | `/mc` | Low -16 | File | `/opt/IBM/es/lib/libffq.cryptionjni.so` | High -17 | File | `/opt/novell/ncl/bin/nwrights` | High -18 | File | `/out.php` | Medium -19 | File | `/proc/*/cmdline"` | High -20 | File | `/proc/pid/syscall` | High -21 | File | `/rest/review-coverage-chart/1.0/data//.json` | High -22 | File | `/uncpath/` | Medium -23 | File | `/var/log/pcp/configs.sh` | High -24 | File | `/webconsole/APIController` | High -25 | File | `/WWW//app/admin/controller/admincontroller.php` | High -26 | File | `a-b-membres.php` | High -27 | File | `action.php` | Medium -28 | File | `admin-search.php` | High -29 | File | `admin.jcomments.php` | High -30 | File | `admin/adminsignin.html` | High -31 | File | `admin/index.php` | High -32 | File | `admin/plugin.php` | High -33 | File | `admin/test.php` | High -34 | File | `admin/versions.html` | High -35 | File | `administrator/index.php?option=com_pago&view=comments` | High -36 | File | `Adminlog.asp` | Medium -37 | File | `admin_iplog.php` | High -38 | File | `ajax.php` | Medium -39 | File | `ajax_admin_apis.php` | High -40 | File | `ajax_php_pecl.php` | High -41 | File | `antserver.exe` | High -42 | File | `api.cc` | Low -43 | File | `api/ApiQueryCheckUser.php` | High -44 | File | `app/helpers/application_helper.rb` | High -45 | File | `app\conference_controls\conference_control_details.php` | High -46 | File | `apt/package.py` | High -47 | File | `arch/x86/include/asm/uaccess.h` | High -48 | File | `architext.conf` | High -49 | File | 
`archive/savedqueries/savequeryfinish.html` | High -50 | ... | ... | ... +7 | File | `/cgi-bin/supervisor/PwdGrp.cgi` | High +8 | File | `/etc/shadow` | Medium +9 | File | `/EXCU_SHELL` | Medium +10 | File | `/export` | Low +11 | File | `/GetSimpleCMS-3.3.15/admin/log.php` | High +12 | File | `/goform/addressNat` | High +13 | File | `/iisadmpwd` | Medium +14 | File | `/include/menu_v.inc.php` | High +15 | File | `/lms/admin.php` | High +16 | File | `/mc` | Low +17 | File | `/opt/IBM/es/lib/libffq.cryptionjni.so` | High +18 | File | `/opt/novell/ncl/bin/nwrights` | High +19 | File | `/out.php` | Medium +20 | File | `/proc/*/cmdline"` | High +21 | File | `/proc/pid/syscall` | High +22 | File | `/rest/review-coverage-chart/1.0/data//.json` | High +23 | File | `/TeamMate/Upload/DomainObjectDocumentUpload.ashx` | High +24 | File | `/uncpath/` | Medium +25 | File | `/var/log/pcp/configs.sh` | High +26 | File | `/webconsole/APIController` | High +27 | File | `/wp-admin/admin-ajax.php` | High +28 | File | `/WWW//app/admin/controller/admincontroller.php` | High +29 | File | `a-b-membres.php` | High +30 | File | `action.php` | Medium +31 | File | `admin-search.php` | High +32 | File | `admin.jcomments.php` | High +33 | File | `admin/adminsignin.html` | High +34 | File | `admin/index.php` | High +35 | File | `admin/infoclass_update.php` | High +36 | File | `admin/plugin.php` | High +37 | File | `admin/test.php` | High +38 | File | `admin/versions.html` | High +39 | File | `administrator/index.php?option=com_pago&view=comments` | High +40 | File | `Adminlog.asp` | Medium +41 | File | `admin_iplog.php` | High +42 | File | `ajax.php` | Medium +43 | File | `ajax_admin_apis.php` | High +44 | File | `ajax_php_pecl.php` | High +45 | File | `allocate_block.cpp` | High +46 | File | `api.cc` | Low +47 | ... | ... | ... -There are 432 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. 
+There are 407 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References @@ -127,6 +132,8 @@ The following list contains _external sources_ which discuss the actor and the a * https://isc.sans.edu/forums/diary/Microsoft+Word+document+with+malicious+macro+pushes+IcedID+Bokbot/26146/ * https://isc.sans.edu/forums/diary/One+Emotet+infection+leads+to+three+followup+malware+infections/24140/ * https://research.checkpoint.com/2021/melting-ice-tracking-icedid-servers-with-a-few-simple-steps/ +* https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/ +* https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ ## Literature diff --git a/actors/Inception/README.md b/actors/Inception/README.md index 1caf8b89..f6bb8781 100644 --- a/actors/Inception/README.md +++ b/actors/Inception/README.md @@ -45,7 +45,7 @@ ID | Technique | Weakness | Description | Confidence 3 | T1068 | CWE-250, CWE-264, CWE-274, CWE-284 | Execution with Unnecessary Privileges | High 4 | ... | ... | ... | ... -There are 8 more TTP items available. Please use our online service to access the data. +There are 7 more TTP items available. Please use our online service to access the data. ## IOA - Indicator of Attack 
@@ -57,33 +57,31 @@ ID | Type | Indicator | Confidence 2 | File | `/admin/inbox.php&action=read` | High 3 | File | `/admin/news/news_mod.php` | High 4 | File | `/admin/page_edit/3` | High -5 | File | `/apps/acs-commons/content/page-compare.html` | High -6 | File | `/blog/blog.php` | High -7 | File | `/cgi-bin/uploadWeiXinPic` | High -8 | File | `/domain/service/.ewell-known/caldav` | High -9 | File | `/dvcset/sysset/set.cgi` | High -10 | File | `/example/editor` | High -11 | File | `/include/make.php` | High -12 | File | `/jquery_file_upload/server/php/index.php` | High -13 | File | `/mobile/SelectUsers.jsp` | High -14 | File | `/php/ajax.php` | High -15 | File | `/ProteinArraySignificanceTest.json` | High -16 | File | `/ptms/classes/Users.php` | High -17 | File | `/public/admin/index.php?add_product` | High -18 | File | `/system/bin/osi_bin` | High -19 | File | `/usr/local/bin/mjs` | High -20 | File | `/wp-content/uploads/jobmonster/` | High -21 | File | `/zbzedit/php/zbz.php` | High -22 | File | `ActiveServices.java` | High -23 | File | `admin/bad.php` | High -24 | File | `admin/dl_sendmail.php` | High -25 | File | `admin/htaccess/bpsunlock.php` | High -26 | File | `admin/pages/useredit.php` | High -27 | File | `AlertReceiver.java` | High -28 | File | `alfresco/s/admin/admin-nodebrowser` | High -29 | ... | ... | ... 
+5 | File | `/administrator/alerts/alertLightbox.php` | High +6 | File | `/apps/acs-commons/content/page-compare.html` | High +7 | File | `/blog/blog.php` | High +8 | File | `/cgi-bin/main.cgi` | High +9 | File | `/cgi-bin/uploadWeiXinPic` | High +10 | File | `/controller/Adv.php` | High +11 | File | `/domain/service/.ewell-known/caldav` | High +12 | File | `/dvcset/sysset/set.cgi` | High +13 | File | `/example/editor` | High +14 | File | `/include/make.php` | High +15 | File | `/jquery_file_upload/server/php/index.php` | High +16 | File | `/mobile/SelectUsers.jsp` | High +17 | File | `/php/ajax.php` | High +18 | File | `/ProteinArraySignificanceTest.json` | High +19 | File | `/ptms/classes/Users.php` | High +20 | File | `/public/admin/index.php?add_product` | High +21 | File | `/role/saveOrUpdateRole.do` | High +22 | File | `/system/bin/osi_bin` | High +23 | File | `/usr/local/bin/mjs` | High +24 | File | `/wp-content/uploads/jobmonster/` | High +25 | File | `/zbzedit/php/zbz.php` | High +26 | File | `ActiveServices.java` | High +27 | ... | ... | ... -There are 244 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 224 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References diff --git a/actors/Kimsuky/README.md b/actors/Kimsuky/README.md index a3b6dd25..1a929502 100644 --- a/actors/Kimsuky/README.md +++ b/actors/Kimsuky/README.md 
@@ -76,15 +76,15 @@ ID | Type | Indicator | Confidence 16 | File | `/public/plugins/` | High 17 | File | `/rest/jpo/1.0/hierarchyConfiguration` | High 18 | File | `/SASWebReportStudio/logonAndRender.do` | High -19 | File | `/tlogin.cgi` | Medium -20 | File | `/tmp/scfgdndf` | High -21 | File | `/uncpath/` | Medium -22 | File | `/upload` | Low -23 | File | `/usr/ucb/mail` | High -24 | File | `/vendor/phpdocumentor/reflection-docblock/tests/phpDocumentor/Reflection/DocBlock/Tag/LinkTagTeet.php` | High +19 | File | `/scas/admin/` | Medium +20 | File | `/tlogin.cgi` | Medium +21 | File | `/tmp/scfgdndf` | High +22 | File | `/uncpath/` | Medium +23 | File | `/upload` | Low +24 | File | `/usr/ucb/mail` | High 25 | ... | ... | ... -There are 205 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 209 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References diff --git a/actors/Kinsing/README.md b/actors/Kinsing/README.md index ae88af3e..844c91e6 100644 --- a/actors/Kinsing/README.md +++ b/actors/Kinsing/README.md @@ -99,7 +99,7 @@ ID | Type | Indicator | Confidence 37 | File | `blog.php` | Medium 38 | ... | ... | ... -There are 328 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 329 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References diff --git a/actors/Lapsus/README.md b/actors/Lapsus/README.md new file mode 100644 index 00000000..7c3acf54 --- /dev/null +++ b/actors/Lapsus/README.md 
@@ -0,0 +1,79 @@
+# Lapsus - Cyber Threat Intelligence
+
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Lapsus](https://vuldb.com/?actor.lapsus). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
+
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.lapsus](https://vuldb.com/?actor.lapsus)
+
+## Countries
+
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Lapsus:
+
+* [US](https://vuldb.com/?country.us)
+* [GB](https://vuldb.com/?country.gb)
+* [GR](https://vuldb.com/?country.gr)
+* ...
+
+There are 8 more country items available. Please use our online service to access the data.
+
+## IOC - Indicator of Compromise
+
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Lapsus.
+
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [104.238.222.158](https://vuldb.com/?ip.104.238.222.158) | - | - | High
+2 | [108.61.173.214](https://vuldb.com/?ip.108.61.173.214) | 108.61.173.214.vultrusercontent.com | - | High
+3 | [185.169.255.74](https://vuldb.com/?ip.185.169.255.74) | - | - | High
+
+## TTP - Tactics, Techniques, Procedures
+
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Lapsus_. This data is unique as it uses our predictive model for actor profiling. 
+
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
+2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
+3 | T1211 | CWE-254, CWE-358 | 7PK Security Features | High
+4 | ... | ... | ... | ...
+
+There are 3 more TTP items available. Please use our online service to access the data.
+
+## IOA - Indicator of Attack
+
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Lapsus. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `/.env` | Low
+2 | File | `/cbpos/` | Low
+3 | File | `/context/%2e/WEB-INF/web.xml` | High
+4 | File | `/forum/away.php` | High
+5 | File | `/horde/util/go.php` | High
+6 | File | `/plain` | Low
+7 | File | `/secure/admin/ImporterFinishedPage.jspa` | High
+8 | File | `/uncpath/` | Medium
+9 | File | `admin/admin.shtml` | High
+10 | File | `admin/import/class-import-settings.php` | High
+11 | File | `Administration/Controllers/ImportController.cs` | High
+12 | File | `administrator/components/com_media/helpers/media.php` | High
+13 | File | `base/PdfString.cpp` | High
+14 | ... | ... | ...
+
+There are 106 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. 
+
+## References
+
+The following list contains _external sources_ which discuss the actor and the associated activities:
+
+* https://research.nccgroup.com/2022/04/28/lapsus-recent-techniques-tactics-and-procedures/
+
+## Literature
+
+The following _articles_ explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
diff --git a/actors/Lazarus/README.md b/actors/Lazarus/README.md
index 555f4254..245bf706 100644
--- a/actors/Lazarus/README.md
+++ b/actors/Lazarus/README.md
@@ -20,8 +20,8 @@ There are 7 more campaign items available. Please use our online service to acce These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Lazarus: * [VN](https://vuldb.com/?country.vn) -* [FR](https://vuldb.com/?country.fr) * [IN](https://vuldb.com/?country.in) +* [US](https://vuldb.com/?country.us) * ... There are 4 more country items available. Please use our online service to access the data. 
@@ -225,12 +225,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK ID | Technique | Weakness | Description | Confidence -- | --------- | -------- | ----------- | ---------- -1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High -2 | T1068 | CWE-250, CWE-264, CWE-284 | Execution with Unnecessary Privileges | High -3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High +1 | T1059.007 | CWE-79 | Cross Site Scripting | High +2 | T1068 | CWE-284 | Execution with Unnecessary Privileges | High +3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High 4 | ... | ... | ... | ... -There are 7 more TTP items available. Please use our online service to access the data. +There are 4 more TTP items available. Please use our online service to access the data. ## IOA - Indicator of Attack 
@@ -243,22 +243,16 @@ ID | Type | Indicator | Confidence 3 | File | `/admin.php?id=siteoptions&social=edit&sid=2` | High 4 | File | `/admin/inbox.php&action=delete` | High 5 | File | `/admin/inbox.php&action=read` | High -6 | File | `/admin/index.php` | High -7 | File | `/admin/pagerole.php&action=display&value=1` | High -8 | File | `/admin/pagerole.php&action=edit` | High -9 | File | `/admin/posts.php` | High -10 | File | `/admin/posts.php&action=delete` | High -11 | File | `/admin/posts.php&action=edit` | High +6 | File | `/admin/pagerole.php&action=display&value=1` | High +7 | File | `/admin/pagerole.php&action=edit` | High +8 | File | `/admin/posts.php` | High +9 | File | `/admin/posts.php&action=delete` | High +10 | File | `/admin/posts.php&action=edit` | High +11 | File | `/admin/siteoptions.php&action=displaygoal&value=1&roleid=1` | High 12 | File | `/admin/siteoptions.php&social=remove&sid=2` | High -13 | File | `/admin/uesrs.php&&action=delete&userid=4` | High -14 | File | `/admin/uesrs.php&action=display&value=Show` | High -15 | File | `/apps/acs-commons/content/page-compare.html` | High -16 | File | `/blog/blog.php` | High -17 | File | `/cdsms/classes/Master.php?f=delete_enrollment` | High -18 | File | `/cdsms/classes/Master.php?f=delete_package` | High -19 | ... | ... | ... +13 | ... | ... | ... -There are 152 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 105 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References diff --git a/actors/Liberty Front Press/README.md b/actors/Liberty Front Press/README.md index d4e6844c..a652bc34 100644 --- a/actors/Liberty Front Press/README.md +++ b/actors/Liberty Front Press/README.md 
@@ -9,11 +9,11 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Liberty Front Press: * [US](https://vuldb.com/?country.us) -* [CN](https://vuldb.com/?country.cn) * [VN](https://vuldb.com/?country.vn) +* [CN](https://vuldb.com/?country.cn) * ... -There are 24 more country items available. Please use our online service to access the data. +There are 25 more country items available. Please use our online service to access the data. ## IOC - Indicator of Compromise 
@@ -104,40 +104,36 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic ID | Type | Indicator | Confidence -- | ---- | --------- | ---------- 1 | File | `/.ssh/authorized_keys` | High -2 | File | `/CMD_ACCOUNT_ADMIN` | High -3 | File | `/context/%2e/WEB-INF/web.xml` | High -4 | File | `/core/admin/categories.php` | High -5 | File | `/etc/hosts` | Medium -6 | File | `/etc/sudoers` | Medium -7 | File | `/filemanager/php/connector.php` | High -8 | File | `/forum/away.php` | High -9 | File | `/modules/profile/index.php` | High -10 | File | `/MTFWU` | Low -11 | File | `/new` | Low -12 | File | `/proc//status` | High -13 | File | `/public/plugins/` | High -14 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High -15 | File | `/secure/QueryComponent!Default.jspa` | High -16 | File | `/server-info` | Medium -17 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High -18 | File | `/tmp` | Low -19 | File | `/uncpath/` | Medium -20 | File | `/updown/upload.cgi` | High -21 | File | `/usr/bin/pkexec` | High -22 | File | `/way4acs/enroll` | High +2 | File | `/admin.php` | Medium +3 | File | `/CMD_ACCOUNT_ADMIN` | High +4 | File | `/context/%2e/WEB-INF/web.xml` | High +5 | File | `/core/admin/categories.php` | High +6 | File | `/etc/groups` | Medium +7 | File | `/etc/hosts` | Medium +8 | File | `/etc/sudoers` | Medium +9 | File | `/filemanager/php/connector.php` | High +10 | File | `/forum/away.php` | High +11 | File | `/modules/profile/index.php` | High +12 | File | `/MTFWU` | Low +13 | File | `/new` | Low +14 | File | `/proc//status` | High +15 | File | `/public/plugins/` | High +16 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High +17 | File | `/secure/QueryComponent!Default.jspa` | High +18 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High +19 | File | `/tmp` | Low +20 | File | `/uncpath/` | Medium +21 | File | `/updown/upload.cgi` | High +22 | File | `/usr/bin/pkexec` | 
High 23 | File | `4.2.0.CP09` | Medium 24 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High 25 | File | `AccountManagerService.java` | High 26 | File | `actions/CompanyDetailsSave.php` | High 27 | File | `ActivityManagerService.java` | High 28 | File | `admin.php` | Medium -29 | File | `admin.php/comments/batchdel/` | High -30 | File | `admin/add-glossary.php` | High -31 | File | `admin/conf_users_edit.php` | High -32 | File | `admin/edit-comments.php` | High -33 | ... | ... | ... +29 | ... | ... | ... -There are 277 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 250 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References diff --git a/actors/LinuxMoose/README.md b/actors/LinuxMoose/README.md index 001003a9..90c0f843 100644 --- a/actors/LinuxMoose/README.md +++ b/actors/LinuxMoose/README.md @@ -81,13 +81,13 @@ ID | Type | Indicator | Confidence 22 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High 23 | File | `AccountManagerService.java` | High 24 | File | `actions/CompanyDetailsSave.php` | High -25 | File | `ActiveServices.java` | High -26 | File | `ActivityManagerService.java` | High -27 | File | `admin.php` | Medium -28 | File | `admin/add-glossary.php` | High +25 | File | `ActivityManagerService.java` | High +26 | File | `admin.php` | Medium +27 | File | `admin/add-glossary.php` | High +28 | File | `admin/conf_users_edit.php` | High 29 | ... | ... | ... -There are 247 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 246 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References 
diff --git a/actors/LoggerMiner/README.md b/actors/LoggerMiner/README.md index 6b112cc2..a9b86e96 100644 --- a/actors/LoggerMiner/README.md +++ b/actors/LoggerMiner/README.md @@ -9,8 +9,8 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with LoggerMiner: * [CN](https://vuldb.com/?country.cn) +* [JP](https://vuldb.com/?country.jp) * [US](https://vuldb.com/?country.us) -* [GB](https://vuldb.com/?country.gb) * ... There are 1 more country items available. Please use our online service to access the data. diff --git a/actors/Magecart/README.md b/actors/Magecart/README.md index f6c57e83..f4d29d47 100644 --- a/actors/Magecart/README.md +++ b/actors/Magecart/README.md @@ -8,12 +8,12 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Magecart: -* [CN](https://vuldb.com/?country.cn) * [PL](https://vuldb.com/?country.pl) * [FR](https://vuldb.com/?country.fr) +* [CN](https://vuldb.com/?country.cn) * ... -There are 11 more country items available. Please use our online service to access the data. +There are 10 more country items available. Please use our online service to access the data. ## IOC - Indicator of Compromise @@ -39,7 +39,7 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK ID | Technique | Weakness | Description | Confidence -- | --------- | -------- | ----------- | ---------- 1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High -2 | T1068 | CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High +2 | T1068 | CWE-250, CWE-264, CWE-284 | Execution with Unnecessary Privileges | High 3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High 4 | ... | ... | ... | ... 
@@ -54,33 +54,34 @@ ID | Type | Indicator | Confidence
 1 | File | `/admin-panel1.php` | High
 2 | File | `/admin/delete_image.php` | High
 3 | File | `/admin/login.php` | High
-4 | File | `/administrator/components/table_manager/` | High
-5 | File | `/aqpg/users/login.php` | High
-6 | File | `/cloud_config/router_post/check_reg_verify_code` | High
-7 | File | `/context/%2e/WEB-INF/web.xml` | High
-8 | File | `/data-service/users/` | High
-9 | File | `/etc/config/rpcd` | High
-10 | File | `/Hospital-Management-System-master/func.php` | High
-11 | File | `/jeecg-boot/sys/user/queryUserByDepId` | High
-12 | File | `/jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c` | High
-13 | File | `/js/app.js` | Medium
-14 | File | `/ManageRoute/postRoute` | High
-15 | File | `/message-bus/_diagnostics` | High
-16 | File | `/ms/cms/content/list.do` | High
-17 | File | `/one_church/churchprofile.php` | High
-18 | File | `/php/ajax.php` | High
-19 | File | `/public/plugins/` | High
-20 | File | `/public_html/apply_vacancy` | High
-21 | File | `/rest-service-fecru/server-v1` | High
-22 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
-23 | File | `/secure/EditSubscription.jspa` | High
-24 | File | `/secure/QueryComponent!Default.jspa` | High
-25 | File | `/tmp` | Low
-26 | File | `/tmp/swhkd.sock` | High
-27 | File | `/uncpath/` | Medium
-28 | ... | ... | ...
+4 | File | `/admin/users.php?source=edit_user&id=1` | High +5 | File | `/admin/weixin.php` | High +6 | File | `/administrator/components/table_manager/` | High +7 | File | `/apps/acs-commons/content/page-compare.html` | High +8 | File | `/aqpg/users/login.php` | High +9 | File | `/cloud_config/router_post/check_reg_verify_code` | High +10 | File | `/context/%2e/WEB-INF/web.xml` | High +11 | File | `/data-service/users/` | High +12 | File | `/etc/config/rpcd` | High +13 | File | `/Hospital-Management-System-master/func.php` | High +14 | File | `/jeecg-boot/sys/user/queryUserByDepId` | High +15 | File | `/jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c` | High +16 | File | `/js/app.js` | Medium +17 | File | `/ManageRoute/postRoute` | High +18 | File | `/ms/cms/content/list.do` | High +19 | File | `/one_church/churchprofile.php` | High +20 | File | `/php/ajax.php` | High +21 | File | `/public/plugins/` | High +22 | File | `/public_html/apply_vacancy` | High +23 | File | `/purchase_order/admin/?page=user` | High +24 | File | `/rest-service-fecru/server-v1` | High +25 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High +26 | File | `/student-grading-system/rms.php?page=school_year` | High +27 | File | `/tmp` | Low +28 | File | `/tmp/swhkd.sock` | High +29 | ... | ... | ... -There are 241 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 249 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References diff --git a/actors/Magic Hound/README.md b/actors/Magic Hound/README.md index 08e6d4e5..dc126109 100644 --- a/actors/Magic Hound/README.md +++ b/actors/Magic Hound/README.md 
@@ -61,10 +61,10 @@ ID | Technique | Weakness | Description | Confidence -- | --------- | -------- | ----------- | ---------- 1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High 2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High -3 | T1211 | CWE-254, CWE-358 | 7PK Security Features | High +3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High 4 | ... | ... | ... | ... -There are 4 more TTP items available. Please use our online service to access the data. +There are 6 more TTP items available. Please use our online service to access the data. ## IOA - Indicator of Attack 
@@ -78,23 +78,26 @@ ID | Type | Indicator | Confidence 4 | File | `/admin/loginc.php` | High 5 | File | `/auditLogAction.do` | High 6 | File | `/cgi-bin/wapopen` | High -7 | File | `/etc/ajenti/config.yml` | High -8 | File | `/getcfg.php` | Medium -9 | File | `/GetCSSashx/?CP=%2fwebconfig` | High -10 | File | `/plugin` | Low -11 | File | `/rating.php` | Medium -12 | File | `/services/prefs.php` | High -13 | File | `/src/njs_object.c` | High -14 | File | `/uncpath/` | Medium -15 | File | `/wordpress-gallery-transformation/gallery.php` | High -16 | File | `adclick.php` | Medium -17 | File | `add_to_cart.php` | High -18 | File | `admin.php` | Medium -19 | File | `admin/config/confmgr.php` | High -20 | File | `admin/index.php` | High -21 | ... | ... | ... +7 | File | `/devices/acurite.c` | High +8 | File | `/etc/ajenti/config.yml` | High +9 | File | `/example/editor` | High +10 | File | `/getcfg.php` | Medium +11 | File | `/GetCSSashx/?CP=%2fwebconfig` | High +12 | File | `/goform/login_process` | High +13 | File | `/goform/rlmswitchr_process` | High +14 | File | `/goforms/rlminfo` | High +15 | File | `/plugin` | Low +16 | File | `/rating.php` | Medium +17 | File | `/scas/admin/` | Medium +18 | File | `/scas/classes/Users.php?f=save_user` | High +19 | File | `/services/prefs.php` | High +20 | File | `/src/njs_object.c` | High +21 | File | `/uncpath/` | Medium +22 | File | `/wordpress-gallery-transformation/gallery.php` | High +23 | File | `adclick.php` | Medium +24 | ... | ... | ... -There are 174 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 196 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References diff --git a/actors/Molerats/README.md b/actors/Molerats/README.md index 43a2d354..4fa2bbc0 100644 --- a/actors/Molerats/README.md +++ b/actors/Molerats/README.md 
@@ -90,7 +90,7 @@ ID | Type | Indicator | Confidence 29 | File | `apport/hookutils.py` | High 30 | ... | ... | ... -There are 250 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 252 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References diff --git a/actors/Mustang Panda/README.md b/actors/Mustang Panda/README.md index da7a83d1..0b6952fd 100644 --- a/actors/Mustang Panda/README.md +++ b/actors/Mustang Panda/README.md @@ -10,6 +10,7 @@ The following _campaigns_ are known and can be associated with Mustang Panda: * Diànxùn * Hodur +* PlugX ## Countries @@ -34,11 +35,12 @@ ID | IP address | Hostname | Campaign | Confidence 4 | [45.32.50.150](https://vuldb.com/?ip.45.32.50.150) | 45.32.50.150.vultr.com | - | Medium 5 | [45.77.184.12](https://vuldb.com/?ip.45.77.184.12) | comm.phiu.pw | - | High 6 | [45.131.179.179](https://vuldb.com/?ip.45.131.179.179) | - | Hodur | High -7 | [45.154.14.235](https://vuldb.com/?ip.45.154.14.235) | - | Hodur | High -8 | [45.248.87.14](https://vuldb.com/?ip.45.248.87.14) | - | - | High -9 | ... | ... | ... | ... +7 | [45.134.83.41](https://vuldb.com/?ip.45.134.83.41) | - | PlugX | High +8 | [45.154.14.235](https://vuldb.com/?ip.45.154.14.235) | - | Hodur | High +9 | [45.248.87.14](https://vuldb.com/?ip.45.248.87.14) | - | - | High +10 | ... | ... | ... | ... -There are 32 more IOC items available. Please use our online service to access the data. +There are 34 more IOC items available. Please use our online service to access the data. ## TTP - Tactics, Techniques, Procedures 
@@ -70,9 +72,10 @@ ID | Type | Indicator | Confidence 9 | File | `/uploads/dede` | High 10 | File | `/way4acs/enroll` | High 11 | File | `/webtools/control/httpService` | High -12 | ... | ... | ... +12 | File | `/_error` | Low +13 | ... | ... | ... -There are 97 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 98 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References @@ -80,6 +83,8 @@ The following list contains _external sources_ which discuss the actor and the a * https://github.com/eset/malware-ioc/tree/master/quarterly_reports/2020_Q2 * https://twitter.com/ESETresearch/status/1400165861973966854 +* https://twitter.com/xorhex/status/1406496693735067650 +* https://twitter.com/xorhex/status/1422815329684758537 * https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations * https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf * https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/ diff --git a/actors/NetWalker/README.md b/actors/NetWalker/README.md new file mode 100644 index 00000000..3bba71c6 --- /dev/null +++ b/actors/NetWalker/README.md 
@@ -0,0 +1,81 @@
+# NetWalker - Cyber Threat Intelligence
+
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [NetWalker](https://vuldb.com/?actor.netwalker). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
+
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.netwalker](https://vuldb.com/?actor.netwalker)
+
+## Countries
+
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with NetWalker:
+
+* [US](https://vuldb.com/?country.us)
+* [CO](https://vuldb.com/?country.co)
+* [RU](https://vuldb.com/?country.ru)
+* ...
+
+There are 8 more country items available. Please use our online service to access the data.
+
+## IOC - Indicator of Compromise
+
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of NetWalker.
+
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [93.179.69.154](https://vuldb.com/?ip.93.179.69.154) | - | - | High
+2 | [141.98.81.191](https://vuldb.com/?ip.141.98.81.191) | - | - | High
+3 | [173.232.146.37](https://vuldb.com/?ip.173.232.146.37) | - | - | High
+4 | ... | ... | ... | ...
+
+There are 4 more IOC items available. Please use our online service to access the data.
+
+## TTP - Tactics, Techniques, Procedures
+
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _NetWalker_. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
+2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
+3 | T1211 | CWE-254 | 7PK Security Features | High
+4 | ... | ... | ... | ...
+
+There are 3 more TTP items available. Please use our online service to access the data.
+
+## IOA - Indicator of Attack
+
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by NetWalker. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `/+CSCOE+/logon.html` | High
+2 | File | `/apply_noauth.cgi` | High
+3 | File | `/cgi-bin/wapopen` | High
+4 | File | `/config.cgi?webmin` | High
+5 | File | `/lib/` | Low
+6 | File | `/public/login.htm` | High
+7 | File | `/rom-0` | Low
+8 | File | `/uncpath/` | Medium
+9 | File | `/var/run/beaker/container_file/` | High
+10 | File | `/wordpress/wp-admin/options-general.php` | High
+11 | File | `/workspaceCleanup` | High
+12 | File | `5.2.9\syscrb.exe` | High
+13 | ... | ... | ...
+
+There are 100 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+
+## References
+
+The following list contains _external sources_ which discuss the actor and the associated activities:
+
+* https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/
+
+## Literature
+
+The following _articles_ explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
diff --git a/actors/PYSA/README.md b/actors/PYSA/README.md
new file mode 100644
index 00000000..e79f0e5e
--- /dev/null
+++ b/actors/PYSA/README.md
@@ -0,0 +1,104 @@
+# PYSA - Cyber Threat Intelligence
+
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [PYSA](https://vuldb.com/?actor.pysa). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
+
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.pysa](https://vuldb.com/?actor.pysa)
+
+## Countries
+
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with PYSA:
+
+* [US](https://vuldb.com/?country.us)
+* [CN](https://vuldb.com/?country.cn)
+* [DE](https://vuldb.com/?country.de)
+* ...
+
+There are 4 more country items available. Please use our online service to access the data.
+
+## IOC - Indicator of Compromise
+
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of PYSA.
+
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [23.129.64.190](https://vuldb.com/?ip.23.129.64.190) | - | - | High
+2 | [45.147.231.210](https://vuldb.com/?ip.45.147.231.210) | - | - | High
+3 | [185.220.100.240](https://vuldb.com/?ip.185.220.100.240) | tor-exit-13.zbau.f3netze.de | - | High
+4 | ... | ... | ... | ...
+
+There are 2 more IOC items available. Please use our online service to access the data.
+
+## TTP - Tactics, Techniques, Procedures
+
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _PYSA_. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
+2 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
+3 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
+4 | ... | ... | ... | ...
+
+There are 9 more TTP items available. Please use our online service to access the data.
+
+## IOA - Indicator of Attack
+
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by PYSA. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `/admin-panel1.php` | High
+2 | File | `/admin.php/admin/plog/index.html` | High
+3 | File | `/admin.php/admin/website/data.html` | High
+4 | File | `/admin.php?id=siteoptions&social=display&value=0&sid=2` | High
+5 | File | `/admin.php?id=siteoptions&social=edit&sid=2` | High
+6 | File | `/admin/config` | High
+7 | File | `/admin/file-manager/` | High
+8 | File | `/admin/inbox.php&action=delete` | High
+9 | File | `/admin/news/news_mod.php` | High
+10 | File | `/admin/posts.php` | High
+11 | File | `/administrator/alerts/alertLightbox.php` | High
+12 | File | `/admin_page/all-files-update-ajax.php` | High
+13 | File | `/agenttrayicon` | High
+14 | File | `/api/servers` | Medium
+15 | File | `/api/students/me/messages/` | High
+16 | File | `/app/controller/Books.php` | High
+17 | File | `/app/elkarbackup/src/Binovo/ElkarBackupBundle/Controller/DefaultController.php` | High
+18 | File | `/apps/acs-commons/content/page-compare.html` | High
+19 | File | `/cgi-bin/uploadWeiXinPic` | High
+20 | File | `/config/list` | Medium
+21 | File | `/data/sqldata` | High
+22 | File | `/export` | Low
+23 | File | `/goform/login_process` | High
+24 | File | `/goform/setAdInfoDetail` | High
+25 | File | `/goform/setFixTools` | High
+26 | File | `/goform/SetInternetLanInfo` | High
+27 | File | `/goform/setPicListItem` | High
+28 | File | `/hocms/classes/Master.php?f=delete_collection` | High
+29 | File | `/hocms/classes/Master.php?f=delete_member` | High
+30 | File | `/northstar/Admin/changePassword.jsp` | High
+31 | File | `/nova/bin/detnet` | High
+32 | File | `/ofcms/company-c-47` | High
+33 | File | `/ok_jpg.c` | Medium
+34 | File | `/ok_png.c` | Medium
+35 | File | `/one_church/churchprofile.php` | High
+36 | ... | ... | ...
+
+There are 309 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+
+## References
+
+The following list contains _external sources_ which discuss the actor and the associated activities:
+
+* https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
+
+## Literature
+
+The following _articles_ explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
diff --git a/actors/Patchwork/README.md b/actors/Patchwork/README.md
index 89d88138..7eeeaafa 100644
--- a/actors/Patchwork/README.md
+++ b/actors/Patchwork/README.md
@@ -141,41 +141,40 @@ ID | Type | Indicator | Confidence
 19 | File | `/proc/ioports` | High
 20 | File | `/property-list/property_view.php` | High
 21 | File | `/ptms/classes/Users.php` | High
-22 | File | `/rest` | Low
-23 | File | `/rest/api/2/search` | High
-24 | File | `/s/` | Low
-25 | File | `/scripts/cpan_config` | High
-26 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
-27 | File | `/services/system/setup.json` | High
-28 | File | `/uncpath/` | Medium
-29 | File | `/videotalk` | Medium
-30 | File | `/web/MCmsAction.java` | High
-31 | File | `/webconsole/APIController` | High
-32 | File | `/websocket/exec` | High
-33 | File | `/wp-admin/admin-ajax.php` | High
-34 | File | `/wp-content/plugins/woocommerce/templates/emails/plain/` | High
-35 | File | `/wp-json` | Medium
-36 | File | `/wp-json/oembed/1.0/embed?url` | High
-37 | File | `/_next` | Low
-38 | File | `4.edu.php\conn\function.php` | High
-39 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
-40 | File | `about.php` | Medium
-41 | File | `acl.c` | Low
-42 | File | `activity_log.php` | High
-43 | File | `adclick.php` | Medium
-44 | File | `addentry.php` | Medium
-45 | File | `add_vhost.php` | High
-46 | File | `admin/admin_admin.php?nav=list_admin_user&admin_p_nav=user` | High
-47 | File | `admin/category.inc.php` | High
-48 | File | `admin/conf_users_edit.php` | High
-49 | File | `admin/default.asp` | High
-50 | File | `admin/dl_sendmail.php` | High
-51 | File | `admin/getparam.cgi` | High
-52 | File | `admin/index.php` | High
-53 | File | `admin/index.php?n=ui_set&m=admin&c=index&a=doget_text_content&table=lang&field=1` | High
-54 | ... | ... | ...
+22 | File | `/rest/api/2/search` | High +23 | File | `/s/` | Low +24 | File | `/scripts/cpan_config` | High +25 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High +26 | File | `/services/system/setup.json` | High +27 | File | `/uncpath/` | Medium +28 | File | `/videotalk` | Medium +29 | File | `/web/MCmsAction.java` | High +30 | File | `/webconsole/APIController` | High +31 | File | `/websocket/exec` | High +32 | File | `/wp-admin/admin-ajax.php` | High +33 | File | `/wp-content/plugins/woocommerce/templates/emails/plain/` | High +34 | File | `/wp-json` | Medium +35 | File | `/wp-json/oembed/1.0/embed?url` | High +36 | File | `/_next` | Low +37 | File | `4.edu.php\conn\function.php` | High +38 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High +39 | File | `about.php` | Medium +40 | File | `acl.c` | Low +41 | File | `activity_log.php` | High +42 | File | `adclick.php` | Medium +43 | File | `addentry.php` | Medium +44 | File | `add_vhost.php` | High +45 | File | `admin/admin_admin.php?nav=list_admin_user&admin_p_nav=user` | High +46 | File | `admin/category.inc.php` | High +47 | File | `admin/conf_users_edit.php` | High +48 | File | `admin/default.asp` | High +49 | File | `admin/dl_sendmail.php` | High +50 | File | `admin/getparam.cgi` | High +51 | File | `admin/index.php` | High +52 | File | `admin/index.php?n=ui_set&m=admin&c=index&a=doget_text_content&table=lang&field=1` | High +53 | ... | ... | ... -There are 472 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 460 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References diff --git a/actors/PlugX/README.md b/actors/PlugX/README.md index d3cad35b..60f40701 100644 --- a/actors/PlugX/README.md +++ b/actors/PlugX/README.md 
@@ -96,7 +96,7 @@ ID | Type | Indicator | Confidence 42 | File | `addmerchpicform.php` | High 43 | ... | ... | ... -There are 371 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 372 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References diff --git a/actors/PoshC2/README.md b/actors/PoshC2/README.md index 5267b1db..a626f3b0 100644 --- a/actors/PoshC2/README.md +++ b/actors/PoshC2/README.md @@ -4,6 +4,12 @@ These _indicators_ were reported, collected, and generated during the [VulDB CTI _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.poshc2](https://vuldb.com/?actor.poshc2) +## Countries + +These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with PoshC2: + +* [US](https://vuldb.com/?country.us) + ## IOC - Indicator of Compromise These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of PoshC2. 
@@ -12,6 +18,27 @@ ID | IP address | Hostname | Campaign | Confidence
 -- | ---------- | -------- | -------- | ----------
 1 | [35.202.253.45](https://vuldb.com/?ip.35.202.253.45) | 45.253.202.35.bc.googleusercontent.com | - | Medium
+## TTP - Tactics, Techniques, Procedures
+
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _PoshC2_. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1059.007 | CWE-79 | Cross Site Scripting | High
+
+## IOA - Indicator of Attack
+
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by PoshC2. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `/thruk/#cgi-bin/extinfo.cgi?type=2` | High
+2 | File | `cat.asp` | Low
+3 | File | `category.cfm` | Medium
+4 | ... | ... | ...
+
+There are 5 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+
 ## References
 The following list contains _external sources_ which discuss the actor and the associated activities:
diff --git a/actors/Prophet Spider/README.md b/actors/Prophet Spider/README.md
index c2264a99..9360f2ff 100644
--- a/actors/Prophet Spider/README.md
+++ b/actors/Prophet Spider/README.md
@@ -16,7 +16,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
 * [US](https://vuldb.com/?country.us)
 * [SC](https://vuldb.com/?country.sc)
-* [RU](https://vuldb.com/?country.ru)
+* [IL](https://vuldb.com/?country.il)
 * ...
 There are 2 more country items available. Please use our online service to access the data.
@@ -51,7 +51,7 @@ ID | Technique | Weakness | Description | Confidence
 3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
 4 | ... | ... | ... | ...
-There are 8 more TTP items available. Please use our online service to access the data.
+There are 7 more TTP items available. Please use our online service to access the data.
 ## IOA - Indicator of Attack
@@ -59,40 +59,43 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
-1 | File | `/admin/goods/update` | High
-2 | File | `/agenttrayicon` | High
-3 | File | `/blog/blog.php` | High
-4 | File | `/cmd?cmd=connect` | High
-5 | File | `/etc/puppetlabs/puppetserver/conf.d/ca.conf` | High
-6 | File | `/goform/login_process` | High
-7 | File | `/include/make.php` | High
-8 | File | `/login` | Low
-9 | File | `/manager/files` | High
-10 | File | `/nova/bin/detnet` | High
-11 | File | `/nova/bin/igmp-proxy` | High
-12 | File | `/ofcms/company-c-47` | High
-13 | File | `/php/ajax.php` | High
-14 | File | `/preauth` | Medium
-15 | File | `/sql/sql_string.h` | High
-16 | File | `/src/njs_vmcode.c` | High
-17 | File | `/uncpath/` | Medium
-18 | File | `/var/log/demisto/` | High
-19 | File | `/webminlog/view.cgi` | High
-20 | File | `/_error` | Low
-21 | File | `a2billing/customer/iridium_threed.php` | High
-22 | File | `actions/beats_uploader.php` | High
-23 | File | `actions/vote_channel.php` | High
-24 | File | `ActiveServices.java` | High
-25 | File | `admin.php` | Medium
-26 | File | `admin/moduleinterface.php` | High
-27 | File | `admin/profile/save` | High
-28 | File | `admin/tools/utf8conversion/index.php` | High
-29 | File | `ad_manage.php` | High
-30 | File | `asm/preproc.c` | High
-31 | File | `Atom.CMS_admin_ajax_list-sort.php` | High
-32 | ... | ... | ...
+1 | File | `/admin.php?id=siteoptions&social=display&value=0&sid=2` | High
+2 | File | `/admin.php?id=siteoptions&social=edit&sid=2` | High
+3 | File | `/admin.php?r=admin/AdminBackup/del` | High
+4 | File | `/admin/edit.php` | High
+5 | File | `/admin/inbox.php&action=delete` | High
+6 | File | `/admin/inbox.php&action=read` | High
+7 | File | `/admin/index.php?mode=content&page=media&action=edit` | High
+8 | File | `/admin/pagerole.php&action=edit` | High
+9 | File | `/admin/posts.php` | High
+10 | File | `/admin/posts.php&action=delete` | High
+11 | File | `/admin/posts.php&action=edit` | High
+12 | File | `/admin/siteoptions.php&action=displaygoal&value=1&roleid=1` | High
+13 | File | `/admin/siteoptions.php&social=remove&sid=2` | High
+14 | File | `/admin/uesrs.php&&action=delete&userid=4` | High
+15 | File | `/admin/uesrs.php&action=display&value=Hide` | High
+16 | File | `/admin/uesrs.php&action=display&value=Show` | High
+17 | File | `/admin/uesrs.php&action=type&userrole=Admin&userid=3` | High
+18 | File | `/admin/uesrs.php&action=type&userrole=User` | High
+19 | File | `/administrator/alerts/alertLightbox.php` | High
+20 | File | `/agenttrayicon` | High
+21 | File | `/api/students/me/messages/` | High
+22 | File | `/apps/acs-commons/content/page-compare.html` | High
+23 | File | `/blog/blog.php` | High
+24 | File | `/cdsms/classes/Master.php?f=delete_enrollment` | High
+25 | File | `/cdsms/classes/Master.php?f=delete_package` | High
+26 | File | `/cmd?cmd=connect` | High
+27 | File | `/hocms/classes/Master.php?f=delete_collection` | High
+28 | File | `/hocms/classes/Master.php?f=delete_member` | High
+29 | File | `/hocms/classes/Master.php?f=delete_phase` | High
+30 | File | `/index.php?m=admin&c=custom&a=plugindelhandle` | High
+31 | File | `/login` | Low
+32 | File | `/manager/files` | High
+33 | File | `/module/api.php?mobile/wapNasIPS` | High
+34 | File | `/module/api.php?mobile/webNasIPS` | High
+35 | ... | ... | ...
-There are 269 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 304 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
 ## References
diff --git a/actors/PsiXBot/README.md b/actors/PsiXBot/README.md
index d1e05dd0..b1ac9e8c 100644
--- a/actors/PsiXBot/README.md
+++ b/actors/PsiXBot/README.md
@@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
 * [DE](https://vuldb.com/?country.de)
 * ...
-There are 19 more country items available. Please use our online service to access the data.
+There are 20 more country items available. Please use our online service to access the data.
 ## IOC - Indicator of Compromise
@@ -66,55 +66,55 @@ ID | Type | Indicator | Confidence
 6 | File | `/download` | Medium
 7 | File | `/etc/gsissh/sshd_config` | High
 8 | File | `/etc/passwd` | Medium
-9 | File | `/etc/quantum/quantum.conf` | High
-10 | File | `/etc/shadow` | Medium
-11 | File | `/forum/away.php` | High
-12 | File | `/getcfg.php` | Medium
-13 | File | `/goform/telnet` | High
-14 | File | `/goform/WanParameterSetting` | High
-15 | File | `/inc/extensions.php` | High
-16 | File | `/include/makecvs.php` | High
-17 | File | `/modules/profile/index.php` | High
-18 | File | `/modules/tasks/summary.inc.php` | High
-19 | File | `/payu/icpcheckout/` | High
-20 | File | `/property-list/property_view.php` | High
-21 | File | `/public/login.htm` | High
-22 | File | `/req_password_user.php` | High
-23 | File | `/resourceNode/jdbcResourceEdit.jsf` | High
-24 | File | `/resourceNode/resources.jsf` | High
-25 | File | `/rest/project-templates/1.0/createshared` | High
-26 | File | `/rom-0` | Low
-27 | File | `/secure/QueryComponent!Default.jspa` | High
-28 | File | `/trx_addons/v2/get/sc_layout` | High
-29 | File | `/uncpath/` | Medium
-30 | File | `/usr/local/WowzaStreamingEngine/bin/` | High
-31 | File | `/usr/syno/etc/mount.conf` | High
-32 | File | `/var/log/nginx` | High
-33 | File | `/var/WEB-GUI/cgi-bin/telnet.cgi` | High
-34 | File | `/WEB-INF/web.xml` | High
-35 | File | `/_next` | Low
-36 | File | `3.6.cpj` | Low
-37 | File | `404.php` | Low
-38 | File | `a-b-membres.php` | High
-39 | File | `ActionsAndOperations` | High
-40 | File | `adclick.php` | Medium
-41 | File | `add_2_basket.asp` | High
-42 | File | `admin.asp` | Medium
-43 | File | `admin.aspx` | Medium
-44 | File | `admin.php` | Medium
-45 | File | `admin/aboutus.php` | High
-46 | File | `admin/member_details.php` | High
-47 | File | `admin_chatconfig.php` | High
-48 | File | `ajaxp.php` | Medium
-49 | File | `ajax_calls.php` | High
-50 | File | `alphabet.php` | Medium
-51 | File | `article2/comments.inc.php` | High
-52 | File | `articles/edit.php` | High
-53 | File | `assp.pl` | Low
-54 | File | `auth-gss2.c` | Medium
+9 | File | `/etc/puppetlabs/puppetserver/conf.d/ca.conf` | High
+10 | File | `/etc/quantum/quantum.conf` | High
+11 | File | `/etc/shadow` | Medium
+12 | File | `/forum/away.php` | High
+13 | File | `/getcfg.php` | Medium
+14 | File | `/goform/telnet` | High
+15 | File | `/goform/WanParameterSetting` | High
+16 | File | `/inc/extensions.php` | High
+17 | File | `/include/makecvs.php` | High
+18 | File | `/modules/profile/index.php` | High
+19 | File | `/modules/tasks/summary.inc.php` | High
+20 | File | `/monitoring` | Medium
+21 | File | `/nova/bin/console` | High
+22 | File | `/payu/icpcheckout/` | High
+23 | File | `/property-list/property_view.php` | High
+24 | File | `/public/login.htm` | High
+25 | File | `/req_password_user.php` | High
+26 | File | `/resourceNode/jdbcResourceEdit.jsf` | High
+27 | File | `/resourceNode/resources.jsf` | High
+28 | File | `/rest/project-templates/1.0/createshared` | High
+29 | File | `/rom-0` | Low
+30 | File | `/secure/QueryComponent!Default.jspa` | High
+31 | File | `/trx_addons/v2/get/sc_layout` | High
+32 | File | `/uncpath/` | Medium
+33 | File | `/usr/local/WowzaStreamingEngine/bin/` | High
+34 | File | `/usr/syno/etc/mount.conf` | High
+35 | File | `/var/log/nginx` | High
+36 | File | `/var/WEB-GUI/cgi-bin/telnet.cgi` | High
+37 | File | `/WEB-INF/web.xml` | High
+38 | File | `/_next` | Low
+39 | File | `3.6.cpj` | Low
+40 | File | `404.php` | Low
+41 | File | `a-b-membres.php` | High
+42 | File | `ActionsAndOperations` | High
+43 | File | `adclick.php` | Medium
+44 | File | `add_2_basket.asp` | High
+45 | File | `admin.asp` | Medium
+46 | File | `admin.aspx` | Medium
+47 | File | `admin.php` | Medium
+48 | File | `admin/aboutus.php` | High
+49 | File | `admin/member_details.php` | High
+50 | File | `admin_chatconfig.php` | High
+51 | File | `ajaxp.php` | Medium
+52 | File | `ajax_calls.php` | High
+53 | File | `alphabet.php` | Medium
+54 | File | `article2/comments.inc.php` | High
 55 | ... | ... | ...
-There are 478 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 483 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
 ## References
diff --git a/actors/Qakbot/README.md b/actors/Qakbot/README.md
index 3ac59c60..e60a7732 100644
--- a/actors/Qakbot/README.md
+++ b/actors/Qakbot/README.md
@@ -31,82 +31,88 @@ ID | IP address | Hostname | Campaign | Confidence 8 | [5.13.74.26](https://vuldb.com/?ip.5.13.74.26) | 5-13-74-26.residential.rdsnet.ro | - | High 9 | [5.13.84.186](https://vuldb.com/?ip.5.13.84.186) | 5-13-84-186.residential.rdsnet.ro | - | High 10 | [5.15.81.52](https://vuldb.com/?ip.5.15.81.52) | 5-15-81-52.residential.rdsnet.ro | - | High -11 | [5.193.61.212](https://vuldb.com/?ip.5.193.61.212) | - | - | High -12 | [5.193.178.241](https://vuldb.com/?ip.5.193.178.241) | - | - | High -13 | [8.209.64.96](https://vuldb.com/?ip.8.209.64.96) | - | - | High -14 | [12.5.37.3](https://vuldb.com/?ip.12.5.37.3) | - | - | High -15 | [23.111.114.52](https://vuldb.com/?ip.23.111.114.52) | - | - | High -16 | [24.42.14.241](https://vuldb.com/?ip.24.42.14.241) | - | - | High -17 | [24.43.22.221](https://vuldb.com/?ip.24.43.22.221) | rrcs-24-43-22-221.west.biz.rr.com | - | High -18 | [24.55.112.61](https://vuldb.com/?ip.24.55.112.61) | dynamic.libertypr.net | - | High -19 | [24.90.160.91](https://vuldb.com/?ip.24.90.160.91) | cpe-24-90-160-91.nyc.res.rr.com | - | High -20 | [24.95.61.62](https://vuldb.com/?ip.24.95.61.62) | cpe-24-95-61-62.columbus.res.rr.com | - | High -21 | [24.110.14.40](https://vuldb.com/?ip.24.110.14.40) | - | - | High -22 | [24.110.96.149](https://vuldb.com/?ip.24.110.96.149) | - | - | High -23 | [24.117.107.120](https://vuldb.com/?ip.24.117.107.120) | 24-117-107-120.cpe.sparklight.net | - | High -24 | [24.139.72.117](https://vuldb.com/?ip.24.139.72.117) | - | - | High -25 | [24.139.132.70](https://vuldb.com/?ip.24.139.132.70) | dynamic.libertypr.net | - | High -26 | [24.152.219.253](https://vuldb.com/?ip.24.152.219.253) | 24.152.219.253.res-cmts.sm.ptd.net | - | High -27 | [24.164.79.147](https://vuldb.com/?ip.24.164.79.147) | cpe-24-164-79-147.cinci.res.rr.com | - | High -28 | [24.165.87.61](https://vuldb.com/?ip.24.165.87.61) | cpe-24-165-87-61.san.res.rr.com | - | High -29 | [24.183.39.93](https://vuldb.com/?ip.24.183.39.93) | 
024-183-039-093.res.spectrum.com | - | High -30 | [24.202.42.48](https://vuldb.com/?ip.24.202.42.48) | modemcable048.42-202-24.mc.videotron.ca | - | High -31 | [24.226.156.153](https://vuldb.com/?ip.24.226.156.153) | 24-226-156-153.resi.cgocable.ca | - | High -32 | [24.229.150.54](https://vuldb.com/?ip.24.229.150.54) | 24.229.150.54.cmts-static.sm.ptd.net | - | High -33 | [24.234.86.201](https://vuldb.com/?ip.24.234.86.201) | wsip-24-234-86-201.lv.lv.cox.net | - | High -34 | [27.223.92.142](https://vuldb.com/?ip.27.223.92.142) | - | - | High -35 | [35.142.12.163](https://vuldb.com/?ip.35.142.12.163) | 035-142-012-163.dhcp.bhn.net | - | High -36 | [35.208.146.4](https://vuldb.com/?ip.35.208.146.4) | 4.146.208.35.bc.googleusercontent.com | - | Medium -37 | [36.77.151.211](https://vuldb.com/?ip.36.77.151.211) | - | - | High -38 | [37.156.243.67](https://vuldb.com/?ip.37.156.243.67) | - | - | High -39 | [37.182.238.170](https://vuldb.com/?ip.37.182.238.170) | net-37-182-238-170.cust.vodafonedsl.it | - | High -40 | [39.36.61.58](https://vuldb.com/?ip.39.36.61.58) | - | - | High -41 | [41.34.91.90](https://vuldb.com/?ip.41.34.91.90) | host-41.34.91.90.tedata.net | - | High -42 | [41.97.138.74](https://vuldb.com/?ip.41.97.138.74) | - | - | High -43 | [41.225.231.43](https://vuldb.com/?ip.41.225.231.43) | - | - | High -44 | [41.228.206.99](https://vuldb.com/?ip.41.228.206.99) | - | - | High -45 | [45.32.211.207](https://vuldb.com/?ip.45.32.211.207) | 45.32.211.207.vultr.com | - | Medium -46 | [45.45.51.182](https://vuldb.com/?ip.45.45.51.182) | modemcable182.51-45-45.mc.videotron.ca | - | High -47 | [45.46.53.140](https://vuldb.com/?ip.45.46.53.140) | cpe-45-46-53-140.maine.res.rr.com | - | High -48 | [45.63.107.192](https://vuldb.com/?ip.45.63.107.192) | 45.63.107.192.vultr.com | - | Medium -49 | [45.67.231.247](https://vuldb.com/?ip.45.67.231.247) | vm272927.pq.hosting | - | High -50 | [45.77.115.208](https://vuldb.com/?ip.45.77.115.208) | 45.77.115.208.vultr.com | - | 
Medium -51 | [45.77.117.108](https://vuldb.com/?ip.45.77.117.108) | 45.77.117.108.vultr.com | - | Medium -52 | [45.77.215.141](https://vuldb.com/?ip.45.77.215.141) | 45.77.215.141.vultr.com | - | Medium -53 | [45.230.228.26](https://vuldb.com/?ip.45.230.228.26) | - | - | High -54 | [46.214.62.199](https://vuldb.com/?ip.46.214.62.199) | 46-214-62-199.next-gen.ro | - | High -55 | [46.228.199.235](https://vuldb.com/?ip.46.228.199.235) | vps2231940.fastwebserver.de | - | High -56 | [47.22.148.6](https://vuldb.com/?ip.47.22.148.6) | ool-2f169406.static.optonline.net | - | High -57 | [47.24.47.218](https://vuldb.com/?ip.47.24.47.218) | 047-024-047-218.res.spectrum.com | - | High -58 | [47.28.135.155](https://vuldb.com/?ip.47.28.135.155) | 047-028-135-155.res.spectrum.com | - | High -59 | [47.44.217.98](https://vuldb.com/?ip.47.44.217.98) | 047-044-217-098.biz.spectrum.com | - | High -60 | [47.138.200.85](https://vuldb.com/?ip.47.138.200.85) | - | - | High -61 | [47.153.115.154](https://vuldb.com/?ip.47.153.115.154) | - | - | High -62 | [47.180.66.10](https://vuldb.com/?ip.47.180.66.10) | static-47-180-66-10.lsan.ca.frontiernet.net | - | High -63 | [47.196.192.184](https://vuldb.com/?ip.47.196.192.184) | - | - | High -64 | [49.144.81.46](https://vuldb.com/?ip.49.144.81.46) | dsl.49.144.81.46.pldt.net | - | High -65 | [49.191.4.245](https://vuldb.com/?ip.49.191.4.245) | n49-191-4-245.mrk1.qld.optusnet.com.au | - | High -66 | [49.207.105.25](https://vuldb.com/?ip.49.207.105.25) | broadband.actcorp.in | - | High -67 | [50.29.166.232](https://vuldb.com/?ip.50.29.166.232) | 50.29.166.232.res-cmts.sth3.ptd.net | - | High -68 | [50.91.114.38](https://vuldb.com/?ip.50.91.114.38) | 050-091-114-038.res.spectrum.com | - | High -69 | [50.104.68.223](https://vuldb.com/?ip.50.104.68.223) | 50-104-68-223.prtg.in.frontiernet.net | - | High -70 | [50.244.112.106](https://vuldb.com/?ip.50.244.112.106) | 50-244-112-106-static.hfc.comcastbusiness.net | - | High -71 | 
[51.210.14.58](https://vuldb.com/?ip.51.210.14.58) | vps-e6e2a926.vps.ovh.net | - | High -72 | [54.36.108.120](https://vuldb.com/?ip.54.36.108.120) | ns3112762.ip-54-36-108.eu | - | High -73 | [58.233.220.182](https://vuldb.com/?ip.58.233.220.182) | - | - | High -74 | [59.90.246.200](https://vuldb.com/?ip.59.90.246.200) | static.bb.chn.59.90.246.200.bsnl.in | - | High -75 | [59.124.10.133](https://vuldb.com/?ip.59.124.10.133) | 59-124-10-133.hinet-ip.hinet.net | - | High -76 | [62.38.114.12](https://vuldb.com/?ip.62.38.114.12) | ppp062038114012.dsl.hol.gr | - | High -77 | [62.121.123.57](https://vuldb.com/?ip.62.121.123.57) | - | - | High -78 | [64.19.74.29](https://vuldb.com/?ip.64.19.74.29) | primhall.com | - | High -79 | [64.29.151.102](https://vuldb.com/?ip.64.29.151.102) | mail.myfairpoint.net | - | High -80 | [64.121.114.87](https://vuldb.com/?ip.64.121.114.87) | 64-121-114-87.s597.c3-0.smt-ubr1.atw-smt.pa.cable.rcncustomer.com | - | High -81 | [65.100.174.]105](https://vuldb.com/?ip.65.100.174.]105) | - | - | High -82 | [65.100.174.]106](https://vuldb.com/?ip.65.100.174.]106) | - | - | High -83 | [65.100.174.]107](https://vuldb.com/?ip.65.100.174.]107) | - | - | High -84 | ... | ... | ... | ... 
+11 | [5.136.131.34](https://vuldb.com/?ip.5.136.131.34) | - | - | High +12 | [5.193.61.212](https://vuldb.com/?ip.5.193.61.212) | - | - | High +13 | [5.193.178.241](https://vuldb.com/?ip.5.193.178.241) | - | - | High +14 | [8.209.64.96](https://vuldb.com/?ip.8.209.64.96) | - | - | High +15 | [12.5.37.3](https://vuldb.com/?ip.12.5.37.3) | - | - | High +16 | [12.167.151.79](https://vuldb.com/?ip.12.167.151.79) | - | - | High +17 | [12.167.151.87](https://vuldb.com/?ip.12.167.151.87) | - | - | High +18 | [23.111.114.52](https://vuldb.com/?ip.23.111.114.52) | - | - | High +19 | [24.42.14.241](https://vuldb.com/?ip.24.42.14.241) | - | - | High +20 | [24.43.22.221](https://vuldb.com/?ip.24.43.22.221) | rrcs-24-43-22-221.west.biz.rr.com | - | High +21 | [24.55.112.61](https://vuldb.com/?ip.24.55.112.61) | dynamic.libertypr.net | - | High +22 | [24.90.160.91](https://vuldb.com/?ip.24.90.160.91) | cpe-24-90-160-91.nyc.res.rr.com | - | High +23 | [24.95.61.62](https://vuldb.com/?ip.24.95.61.62) | cpe-24-95-61-62.columbus.res.rr.com | - | High +24 | [24.110.14.40](https://vuldb.com/?ip.24.110.14.40) | - | - | High +25 | [24.110.96.149](https://vuldb.com/?ip.24.110.96.149) | - | - | High +26 | [24.117.107.120](https://vuldb.com/?ip.24.117.107.120) | 24-117-107-120.cpe.sparklight.net | - | High +27 | [24.139.72.117](https://vuldb.com/?ip.24.139.72.117) | - | - | High +28 | [24.139.132.70](https://vuldb.com/?ip.24.139.132.70) | dynamic.libertypr.net | - | High +29 | [24.152.219.253](https://vuldb.com/?ip.24.152.219.253) | 24.152.219.253.res-cmts.sm.ptd.net | - | High +30 | [24.164.79.147](https://vuldb.com/?ip.24.164.79.147) | cpe-24-164-79-147.cinci.res.rr.com | - | High +31 | [24.165.87.61](https://vuldb.com/?ip.24.165.87.61) | cpe-24-165-87-61.san.res.rr.com | - | High +32 | [24.183.39.93](https://vuldb.com/?ip.24.183.39.93) | 024-183-039-093.res.spectrum.com | - | High +33 | [24.202.42.48](https://vuldb.com/?ip.24.202.42.48) | modemcable048.42-202-24.mc.videotron.ca | - | 
High +34 | [24.226.156.153](https://vuldb.com/?ip.24.226.156.153) | 24-226-156-153.resi.cgocable.ca | - | High +35 | [24.229.150.54](https://vuldb.com/?ip.24.229.150.54) | 24.229.150.54.cmts-static.sm.ptd.net | - | High +36 | [24.234.86.201](https://vuldb.com/?ip.24.234.86.201) | wsip-24-234-86-201.lv.lv.cox.net | - | High +37 | [27.223.92.142](https://vuldb.com/?ip.27.223.92.142) | - | - | High +38 | [35.142.12.163](https://vuldb.com/?ip.35.142.12.163) | 035-142-012-163.dhcp.bhn.net | - | High +39 | [35.208.146.4](https://vuldb.com/?ip.35.208.146.4) | 4.146.208.35.bc.googleusercontent.com | - | Medium +40 | [36.77.151.211](https://vuldb.com/?ip.36.77.151.211) | - | - | High +41 | [37.156.243.67](https://vuldb.com/?ip.37.156.243.67) | - | - | High +42 | [37.182.238.170](https://vuldb.com/?ip.37.182.238.170) | net-37-182-238-170.cust.vodafonedsl.it | - | High +43 | [39.36.61.58](https://vuldb.com/?ip.39.36.61.58) | - | - | High +44 | [41.34.91.90](https://vuldb.com/?ip.41.34.91.90) | host-41.34.91.90.tedata.net | - | High +45 | [41.97.138.74](https://vuldb.com/?ip.41.97.138.74) | - | - | High +46 | [41.225.231.43](https://vuldb.com/?ip.41.225.231.43) | - | - | High +47 | [41.228.22.180](https://vuldb.com/?ip.41.228.22.180) | - | - | High +48 | [41.228.206.99](https://vuldb.com/?ip.41.228.206.99) | - | - | High +49 | [45.32.211.207](https://vuldb.com/?ip.45.32.211.207) | 45.32.211.207.vultr.com | - | Medium +50 | [45.45.51.182](https://vuldb.com/?ip.45.45.51.182) | modemcable182.51-45-45.mc.videotron.ca | - | High +51 | [45.46.53.140](https://vuldb.com/?ip.45.46.53.140) | cpe-45-46-53-140.maine.res.rr.com | - | High +52 | [45.63.107.192](https://vuldb.com/?ip.45.63.107.192) | 45.63.107.192.vultr.com | - | Medium +53 | [45.67.231.247](https://vuldb.com/?ip.45.67.231.247) | vm272927.pq.hosting | - | High +54 | [45.77.115.208](https://vuldb.com/?ip.45.77.115.208) | 45.77.115.208.vultr.com | - | Medium +55 | [45.77.117.108](https://vuldb.com/?ip.45.77.117.108) | 
45.77.117.108.vultr.com | - | Medium +56 | [45.77.215.141](https://vuldb.com/?ip.45.77.215.141) | 45.77.215.141.vultr.com | - | Medium +57 | [45.230.228.26](https://vuldb.com/?ip.45.230.228.26) | - | - | High +58 | [46.214.62.199](https://vuldb.com/?ip.46.214.62.199) | 46-214-62-199.next-gen.ro | - | High +59 | [46.228.199.235](https://vuldb.com/?ip.46.228.199.235) | vps2231940.fastwebserver.de | - | High +60 | [47.22.148.6](https://vuldb.com/?ip.47.22.148.6) | ool-2f169406.static.optonline.net | - | High +61 | [47.24.47.218](https://vuldb.com/?ip.47.24.47.218) | 047-024-047-218.res.spectrum.com | - | High +62 | [47.28.135.155](https://vuldb.com/?ip.47.28.135.155) | 047-028-135-155.res.spectrum.com | - | High +63 | [47.44.217.98](https://vuldb.com/?ip.47.44.217.98) | 047-044-217-098.biz.spectrum.com | - | High +64 | [47.138.200.85](https://vuldb.com/?ip.47.138.200.85) | - | - | High +65 | [47.153.115.154](https://vuldb.com/?ip.47.153.115.154) | - | - | High +66 | [47.180.66.10](https://vuldb.com/?ip.47.180.66.10) | static-47-180-66-10.lsan.ca.frontiernet.net | - | High +67 | [47.196.192.184](https://vuldb.com/?ip.47.196.192.184) | - | - | High +68 | [49.144.81.46](https://vuldb.com/?ip.49.144.81.46) | dsl.49.144.81.46.pldt.net | - | High +69 | [49.191.4.245](https://vuldb.com/?ip.49.191.4.245) | n49-191-4-245.mrk1.qld.optusnet.com.au | - | High +70 | [49.207.105.25](https://vuldb.com/?ip.49.207.105.25) | broadband.actcorp.in | - | High +71 | [50.29.166.232](https://vuldb.com/?ip.50.29.166.232) | 50.29.166.232.res-cmts.sth3.ptd.net | - | High +72 | [50.87.150.203](https://vuldb.com/?ip.50.87.150.203) | mail.euroanatolia.eu | - | High +73 | [50.91.114.38](https://vuldb.com/?ip.50.91.114.38) | 050-091-114-038.res.spectrum.com | - | High +74 | [50.104.68.223](https://vuldb.com/?ip.50.104.68.223) | 50-104-68-223.prtg.in.frontiernet.net | - | High +75 | [50.244.112.106](https://vuldb.com/?ip.50.244.112.106) | 50-244-112-106-static.hfc.comcastbusiness.net | - | High +76 | 
[51.210.14.58](https://vuldb.com/?ip.51.210.14.58) | vps-e6e2a926.vps.ovh.net | - | High +77 | [52.45.143.178](https://vuldb.com/?ip.52.45.143.178) | ec2-52-45-143-178.compute-1.amazonaws.com | - | Medium +78 | [52.201.200.28](https://vuldb.com/?ip.52.201.200.28) | ec2-52-201-200-28.compute-1.amazonaws.com | - | Medium +79 | [54.36.108.120](https://vuldb.com/?ip.54.36.108.120) | ns3112762.ip-54-36-108.eu | - | High +80 | [58.233.220.182](https://vuldb.com/?ip.58.233.220.182) | - | - | High +81 | [59.90.246.200](https://vuldb.com/?ip.59.90.246.200) | static.bb.chn.59.90.246.200.bsnl.in | - | High +82 | [59.124.10.133](https://vuldb.com/?ip.59.124.10.133) | 59-124-10-133.hinet-ip.hinet.net | - | High +83 | [62.38.114.12](https://vuldb.com/?ip.62.38.114.12) | ppp062038114012.dsl.hol.gr | - | High +84 | [62.121.123.57](https://vuldb.com/?ip.62.121.123.57) | - | - | High +85 | [64.19.74.29](https://vuldb.com/?ip.64.19.74.29) | primhall.com | - | High +86 | [64.29.151.102](https://vuldb.com/?ip.64.29.151.102) | mail.myfairpoint.net | - | High +87 | [64.121.114.87](https://vuldb.com/?ip.64.121.114.87) | 64-121-114-87.s597.c3-0.smt-ubr1.atw-smt.pa.cable.rcncustomer.com | - | High +88 | [65.100.174.]105](https://vuldb.com/?ip.65.100.174.]105) | - | - | High +89 | [65.100.174.]106](https://vuldb.com/?ip.65.100.174.]106) | - | - | High +90 | ... | ... | ... | ... -There are 334 more IOC items available. Please use our online service to access the data. +There are 358 more IOC items available. Please use our online service to access the data. ## TTP - Tactics, Techniques, Procedures 
@@ -127,42 +133,43 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
-1 | File | `%PROGRAMDATA%\OpenVPN Connect\drivers\tap\amd64\win10` | High
-2 | File | `/+CSCOE+/logon.html` | High
-3 | File | `/../conf/config.properties` | High
-4 | File | `/alumni/admin/ajax.php?action=save_settings` | High
-5 | File | `/auth/session` | High
-6 | File | `/cgi-bin/ExportALLSettings.sh` | High
-7 | File | `/cgi-bin/webproc` | High
-8 | File | `/config/getuser` | High
-9 | File | `/etc/passwd` | Medium
-10 | File | `/exponent_constants.php` | High
-11 | File | `/front/document.form.php` | High
-12 | File | `/ibi_apps/WFServlet.cfg` | High
-13 | File | `/include/chart_generator.php` | High
-14 | File | `/proc/sysvipc/sem` | High
-15 | File | `/replication` | Medium
-16 | File | `/rest/collectors/1.0/template/custom` | High
-17 | File | `/RestAPI` | Medium
-18 | File | `/search.php` | Medium
-19 | File | `/tmp` | Low
-20 | File | `/trigger` | Medium
-21 | File | `/uncpath/` | Medium
-22 | File | `/user/login/oauth` | High
-23 | File | `/usr/bin/pkexec` | High
-24 | File | `/usr/doc` | Medium
-25 | File | `/WEB-INF/web.xml` | High
-26 | File | `/webpages/data` | High
-27 | File | `/wp-admin/admin-ajax.php` | High
-28 | File | `/wp-json` | Medium
-29 | ... | ... | ...
+1 | File | `/+CSCOE+/logon.html` | High
+2 | File | `/../conf/config.properties` | High
+3 | File | `/alumni/admin/ajax.php?action=save_settings` | High
+4 | File | `/auth/session` | High
+5 | File | `/cgi-bin/ExportALLSettings.sh` | High
+6 | File | `/cgi-bin/webproc` | High
+7 | File | `/config/getuser` | High
+8 | File | `/etc/passwd` | Medium
+9 | File | `/exponent_constants.php` | High
+10 | File | `/front/document.form.php` | High
+11 | File | `/ibi_apps/WFServlet.cfg` | High
+12 | File | `/include/chart_generator.php` | High
+13 | File | `/proc/sysvipc/sem` | High
+14 | File | `/replication` | Medium
+15 | File | `/rest/collectors/1.0/template/custom` | High
+16 | File | `/RestAPI` | Medium
+17 | File | `/search.php` | Medium
+18 | File | `/trigger` | Medium
+19 | File | `/uncpath/` | Medium
+20 | File | `/user/login/oauth` | High
+21 | File | `/usr/bin/pkexec` | High
+22 | File | `/usr/doc` | Medium
+23 | File | `/WEB-INF/web.xml` | High
+24 | File | `/webpages/data` | High
+25 | File | `/websocket/exec` | High
+26 | File | `/wp-admin/admin-ajax.php` | High
+27 | File | `/wp-json` | Medium
+28 | ... | ... | ...
-There are 248 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 240 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
 ## References
 The following list contains _external sources_ which discuss the actor and the associated activities:
+* https://blog.talosintelligence.com/2019/07/threat-roundup-0719-0726.html
+* https://blog.talosintelligence.com/2019/08/threat-roundup-0823-0830.html
 * https://github.com/firehol/blocklist-ipsets/blob/master/bambenek_qakbot.ipset
 * https://isc.sans.edu/forums/diary/Emotet+Qakbot+more+Emotet/26750/
 * https://isc.sans.edu/forums/diary/June+2021+Forensic+Contest+Answers+and+Analysis/27582/
@@ -172,6 +179,8 @@ The following list contains _external sources_ which discuss the actor and the a
 * https://isc.sans.edu/forums/diary/Recent+Qakbot+Qbot+activity/26862/
 * https://pastebin.com/u/MalwareQuinn
 * https://research.checkpoint.com/2020/exploring-qbots-latest-attack-methods/
+* https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
+* https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
 * https://tria.ge/210511-kvcz7vyfkx
 * https://twitter.com/Malwar3Ninja/status/1483514897266737154
diff --git a/actors/Quantum/README.md b/actors/Quantum/README.md
new file mode 100644
index 00000000..aa0f7dd0
--- /dev/null
+++ b/actors/Quantum/README.md
@@ -0,0 +1,74 @@
+# Quantum - Cyber Threat Intelligence
+
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Quantum](https://vuldb.com/?actor.quantum). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
+
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.quantum](https://vuldb.com/?actor.quantum)
+
+## Countries
+
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Quantum:
+
+* [US](https://vuldb.com/?country.us)
+* [CN](https://vuldb.com/?country.cn)
+* [DE](https://vuldb.com/?country.de)
+* ...
+
+There are 1 more country items available. Please use our online service to access the data.
+
+## IOC - Indicator of Compromise
+
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Quantum.
+
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [138.68.42.130](https://vuldb.com/?ip.138.68.42.130) | prod-sfo2-1.qencode-master-cf283c7cc10911ecb9daa269211215a9 | - | High
+2 | [157.245.142.66](https://vuldb.com/?ip.157.245.142.66) | - | - | High
+3 | [185.203.118.227](https://vuldb.com/?ip.185.203.118.227) | - | - | High
+4 | ... | ... | ... | ...
+
+There are 1 more IOC items available. Please use our online service to access the data.
+
+## TTP - Tactics, Techniques, Procedures
+
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Quantum_. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1059.007 | CWE-79 | Cross Site Scripting | High
+2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
+3 | T1222 | CWE-275 | Permission Issues | High
+4 | ... | ... | ... | ...
+
+There are 2 more TTP items available. Please use our online service to access the data.
+
+## IOA - Indicator of Attack
+
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Quantum. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `/etc/shadow` | Medium
+2 | File | `/goform/net\_Web\_get_value` | High
+3 | File | `/goform/net_WebCSRGen` | High
+4 | File | `/goform/WebRSAKEYGen` | High
+5 | File | `/uncpath/` | Medium
+6 | ... | ... | ...
+
+There are 39 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+
+## References
+
+The following list contains _external sources_ which discuss the actor and the associated activities:
+
+* https://thedfirreport.com/2022/04/25/quantum-ransomware/
+
+## Literature
+
+The following _articles_ explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
diff --git a/actors/REvil/README.md b/actors/REvil/README.md
index dc421033..fb6ee336 100644
--- a/actors/REvil/README.md
+++ b/actors/REvil/README.md
@@ -36,9 +36,10 @@ ID | IP address | Hostname | Campaign | Confidence
 7 | [45.33.23.183](https://vuldb.com/?ip.45.33.23.183) | li977-183.members.linode.com | - | High
 8 | [45.33.30.197](https://vuldb.com/?ip.45.33.30.197) | li1047-197.members.linode.com | - | High
 9 | [45.55.211.79](https://vuldb.com/?ip.45.55.211.79) | - | CVE-2019-2725 | High
-10 | ... | ... | ... | ...
+10 | [45.56.79.23](https://vuldb.com/?ip.45.56.79.23) | li929-23.members.linode.com | - | High
+11 | ... | ... | ... | ...
-There are 36 more IOC items available. Please use our online service to access the data.
+There are 39 more IOC items available. Please use our online service to access the data.
 ## TTP - Tactics, Techniques, Procedures
@@ -60,25 +61,26 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic ID | Type | Indicator | Confidence -- | ---- | --------- | ---------- 1 | File | `/.htpasswd` | Medium -2 | File | `/category_view.php` | High -3 | File | `/cgi-bin/nasset.cgi` | High -4 | File | `/cgi-bin/webadminget.cgi` | High -5 | File | `/cms/process.php` | High -6 | File | `/etc/shadow` | Medium -7 | File | `/forum/away.php` | High -8 | File | `/goform/SetNetControlList` | High -9 | File | `/index.php/weblinks-categories` | High -10 | File | `/modules/profile/index.php` | High -11 | File | `/movie.php` | Medium -12 | File | `/public/login.htm` | High -13 | File | `/show_news.php` | High -14 | File | `/uncpath/` | Medium -15 | File | `adclick.php` | Medium -16 | File | `admin.asp` | Medium -17 | File | `admin/categories_industry.php` | High -18 | ... | ... | ... +2 | File | `/assets/something/services/AppModule.class` | High +3 | File | `/category_view.php` | High +4 | File | `/cgi-bin/nasset.cgi` | High +5 | File | `/cgi-bin/webadminget.cgi` | High +6 | File | `/cms/process.php` | High +7 | File | `/etc/shadow` | Medium +8 | File | `/forum/away.php` | High +9 | File | `/goform/SetNetControlList` | High +10 | File | `/index.php/weblinks-categories` | High +11 | File | `/modules/profile/index.php` | High +12 | File | `/movie.php` | Medium +13 | File | `/public/login.htm` | High +14 | File | `/service/v1/createUser` | High +15 | File | `/show_news.php` | High +16 | File | `/system?action=ServiceAdmin` | High +17 | File | `/uncpath/` | Medium +18 | File | `adclick.php` | Medium +19 | ... | ... | ... -There are 147 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 158 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References 
@@ -87,6 +89,7 @@ The following list contains _external sources_ which discuss the actor and the a * https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html * https://blogs.blackberry.com/en/2021/11/revil-under-the-microscope * https://ddanchev.blogspot.com/2022/01/exposing-internet-connected_24.html +* https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ * https://www.darktrace.com/en/blog/darktraces-cyber-ai-analyst-investigates-sodinokibi-r-evil-ransomware/ * https://www.varonis.com/blog/revil-msp-supply-chain-attack/ diff --git a/actors/RedEcho/README.md b/actors/RedEcho/README.md index a8a7ad7f..e080235a 100644 --- a/actors/RedEcho/README.md +++ b/actors/RedEcho/README.md @@ -4,6 +4,12 @@ These _indicators_ were reported, collected, and generated during the [VulDB CTI _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.redecho](https://vuldb.com/?actor.redecho) +## Campaigns + +The following _campaigns_ are known and can be associated with RedEcho: + +* India Power Grid + ## Countries These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with RedEcho: 
@@ -21,13 +27,18 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi ID | IP address | Hostname | Campaign | Confidence -- | ---------- | -------- | -------- | ---------- -1 | [27.255.92.83](https://vuldb.com/?ip.27.255.92.83) | - | - | High -2 | [27.255.94.21](https://vuldb.com/?ip.27.255.94.21) | - | - | High -3 | [27.255.94.29](https://vuldb.com/?ip.27.255.94.29) | - | - | High -4 | [101.78.177.227](https://vuldb.com/?ip.101.78.177.227) | - | - | High -5 | ... | ... | ... | ... +1 | [14.43.108.22](https://vuldb.com/?ip.14.43.108.22) | - | India Power Grid | High +2 | [27.255.92.83](https://vuldb.com/?ip.27.255.92.83) | - | - | High +3 | [27.255.94.21](https://vuldb.com/?ip.27.255.94.21) | - | - | High +4 | [27.255.94.29](https://vuldb.com/?ip.27.255.94.29) | - | - | High +5 | [59.10.140.47](https://vuldb.com/?ip.59.10.140.47) | - | India Power Grid | High +6 | [59.127.10.132](https://vuldb.com/?ip.59.127.10.132) | 59-127-10-132.hinet-ip.hinet.net | India Power Grid | High +7 | [61.74.255.16](https://vuldb.com/?ip.61.74.255.16) | - | India Power Grid | High +8 | [101.78.177.227](https://vuldb.com/?ip.101.78.177.227) | - | - | High +9 | [101.78.177.242](https://vuldb.com/?ip.101.78.177.242) | - | - | High +10 | ... | ... | ... | ... -There are 17 more IOC items available. Please use our online service to access the data. +There are 34 more IOC items available. Please use our online service to access the data. ## TTP - Tactics, Techniques, Procedures 
@@ -71,25 +82,26 @@ ID | Type | Indicator | Confidence 21 | File | `/image_zoom.php` | High 22 | File | `/include/config.cache.php` | High 23 | File | `/json/profile/removeStarAjax.do` | High -24 | File | `/oauth/token/request` | High -25 | File | `/plugin/ajax.php` | High -26 | File | `/plugins/servlet/branchreview` | High -27 | File | `/preauth` | Medium -28 | File | `/proc/ioports` | High -29 | File | `/public/plugins/` | High -30 | File | `/rest/api/2/search` | High -31 | File | `/rest/api/latest/groupuserpicker` | High -32 | File | `/rest/api/latest/projectvalidate/key` | High -33 | File | `/rom-0` | Low -34 | File | `/tmp` | Low +24 | File | `/plugin/ajax.php` | High +25 | File | `/plugins/servlet/branchreview` | High +26 | File | `/preauth` | Medium +27 | File | `/proc/ioports` | High +28 | File | `/public/plugins/` | High +29 | File | `/rest/api/2/search` | High +30 | File | `/rest/api/latest/groupuserpicker` | High +31 | File | `/rest/api/latest/projectvalidate/key` | High +32 | File | `/rom-0` | Low +33 | File | `/tmp` | Low +34 | File | `/tmp/connlicj.bin` | High 35 | ... | ... | ... -There are 304 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 301 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References The following list contains _external sources_ which discuss the actor and the associated activities: +* https://go.recordedfuture.com/hubfs/reports/ta-2022-0406.pdf * https://vxug.fakedoma.in/archive/APTs/2021/2021.02.28/RedEcho%20APT.pdf ## Literature diff --git a/actors/Remcos/README.md b/actors/Remcos/README.md index 11cbca99..5ba6a7fe 100644 --- a/actors/Remcos/README.md +++ b/actors/Remcos/README.md 
@@ -71,9 +71,10 @@ ID | IP address | Hostname | Campaign | Confidence 42 | [37.1.206.16](https://vuldb.com/?ip.37.1.206.16) | free.ispiria.net | - | High 43 | [37.19.193.217](https://vuldb.com/?ip.37.19.193.217) | unn-37-19-193-217.cdn77.com | - | High 44 | [37.120.138.222](https://vuldb.com/?ip.37.120.138.222) | - | - | High -45 | ... | ... | ... | ... +45 | [37.123.118.150](https://vuldb.com/?ip.37.123.118.150) | - | - | High +46 | ... | ... | ... | ... -There are 178 more IOC items available. Please use our online service to access the data. +There are 179 more IOC items available. Please use our online service to access the data. ## TTP - Tactics, Techniques, Procedures 
@@ -105,29 +106,29 @@ ID | Type | Indicator | Confidence 9 | File | `/inc/parser/xhtml.php` | High 10 | File | `/index.php?page=signup` | High 11 | File | `/login` | Low -12 | File | `/mgmt/shared/authz/users/` | High -13 | File | `/modules/profile/index.php` | High -14 | File | `/one_church/userregister.php` | High -15 | File | `/out.php` | Medium -16 | File | `/public/plugins/` | High -17 | File | `/SAP_Information_System/controllers/add_admin.php` | High -18 | File | `/SASWebReportStudio/logonAndRender.do` | High -19 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High -20 | File | `/secure/admin/ViewInstrumentation.jspa` | High -21 | File | `/system/proxy` | High -22 | File | `/tmp/phpglibccheck` | High -23 | File | `adclick.php` | Medium -24 | File | `add.php` | Low -25 | File | `addentry.php` | Medium -26 | File | `addressbookprovider.php` | High -27 | File | `admin.jcomments.php` | High -28 | File | `admin/pageUploadCSV.php` | High -29 | File | `ajax_udf.php` | Medium -30 | File | `AppCompatCache.exe` | High -31 | File | `application.js.php` | High +12 | File | `/modules/profile/index.php` | High +13 | File | `/one_church/userregister.php` | High +14 | File | `/out.php` | Medium +15 | File | `/public/plugins/` | High +16 | File | `/SAP_Information_System/controllers/add_admin.php` | High +17 | File | `/SASWebReportStudio/logonAndRender.do` | High +18 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High +19 | File | `/secure/admin/ViewInstrumentation.jspa` | High +20 | File | `/system/proxy` | High +21 | File | `/tmp/phpglibccheck` | High +22 | File | `adclick.php` | Medium +23 | File | `add.php` | Low +24 | File | `addentry.php` | Medium +25 | File | `addressbookprovider.php` | High +26 | File | `admin.jcomments.php` | High +27 | File | `admin/pageUploadCSV.php` | High +28 | File | `ajax_udf.php` | Medium +29 | File | `AppCompatCache.exe` | High +30 | File | `application.js.php` | High +31 | File | `arm/lithium-codegen-arm.cc` 
| High 32 | ... | ... | ... -There are 274 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 268 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References @@ -160,6 +161,7 @@ The following list contains _external sources_ which discuss the actor and the a * https://blog.talosintelligence.com/2022/03/ukraine-invasion-scams-malware.html * https://blog.talosintelligence.com/2022/04/threat-roundup-0401-0408.html * https://isc.sans.edu/forums/diary/Malspam+using+passwordprotected+Word+docs+to+push+Remcos+RAT/25292/ +* https://twitter.com/Paladin3161/status/1197842954037018625 ## Literature diff --git a/actors/Ripprbot/README.md b/actors/Ripprbot/README.md index bcddc1ba..98b80415 100644 --- a/actors/Ripprbot/README.md +++ b/actors/Ripprbot/README.md @@ -33,11 +33,8 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK ID | Technique | Weakness | Description | Confidence -- | --------- | -------- | ----------- | ---------- 1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High -2 | T1068 | CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High -3 | T1555 | CWE-312 | Cleartext Storage of Sensitive Information | High -4 | ... | ... | ... | ... - -There are 1 more TTP items available. Please use our online service to access the data. +2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High +3 | T1600 | CWE-311 | Cryptographic Issues | High ## IOA - Indicator of Attack 
@@ -50,13 +47,13 @@ ID | Type | Indicator | Confidence 3 | File | `/admin.php` | Medium 4 | File | `/admin/doctors/view_doctor.php` | High 5 | File | `/admin/modules/bibliography/index.php` | High -6 | File | `/app/controller/Books.php` | High -7 | File | `/aqpg/users/login.php` | High -8 | File | `/controller/Index.php` | High -9 | File | `/coreframe/app/content/admin/content.php` | High -10 | File | `/dl/dl_print.php` | High -11 | File | `/dus_en/medieninfo_detail/index.php` | High -12 | File | `/etc/passwd` | Medium +6 | File | `/adminlogin.asp` | High +7 | File | `/app/controller/Books.php` | High +8 | File | `/aqpg/users/login.php` | High +9 | File | `/controller/Index.php` | High +10 | File | `/coreframe/app/content/admin/content.php` | High +11 | File | `/dl/dl_print.php` | High +12 | File | `/dus_en/medieninfo_detail/index.php` | High 13 | File | `/Hospital-Management-System-master/contact.php` | High 14 | File | `/include/friends.inc.php` | High 15 | File | `/master/article.php` | High 
@@ -66,78 +63,79 @@ ID | Type | Indicator | Confidence 19 | File | `/sitemagic/upgrade.php` | High 20 | File | `/userman/inbox.php` | High 21 | File | `/userui/ticket_list.php` | High -22 | File | `/zm/index.php` | High -23 | File | `adaptive-images-script.php` | High -24 | File | `additem.asp` | Medium -25 | File | `addtocart.asp` | High -26 | File | `adherents/subscription/info.php` | High -27 | File | `admin.asp` | Medium -28 | File | `admin.php` | Medium -29 | File | `admin/admin.php` | High -30 | File | `admin/general.php` | High -31 | File | `admin/header.php` | High -32 | File | `admin/inc/change_action.php` | High -33 | File | `admin/index.php` | High -34 | File | `admin/index.php?id=users/action=edit/user_id=1` | High -35 | File | `admin/info.php` | High -36 | File | `admin/login.asp` | High -37 | File | `admin/manage-comments.php` | High -38 | File | `admin/manage-news.php` | High -39 | File | `admin/plugin-settings.php` | High -40 | File | `admin/specials.php` | High -41 | File | `admin:de` | Medium -42 | File | `admincp/auth/checklogin.php` | High -43 | File | `admincp/auth/secure.php` | High -44 | File | `administrator/index.php` | High -45 | File | `admin_login.asp` | High -46 | File | `adv_search.asp` | High -47 | File | `ajax.php` | Medium -48 | File | `ajax_url.php` | Medium -49 | File | `album_portal.php` | High -50 | File | `al_initialize.php` | High -51 | File | `anjel.index.php` | High -52 | File | `annonces-p-f.php` | High -53 | File | `announce.php` | Medium -54 | File | `announcement.php` | High -55 | File | `announcements.php` | High -56 | File | `app/admin/routing/edit-bgp-mapping-search.php` | High -57 | File | `apply.cgi` | Medium -58 | File | `apps/app_article/controller/rating.php` | High -59 | File | `article.php` | Medium -60 | File | `articles.php` | Medium -61 | File | `artikel_anzeige.php` | High -62 | File | `auktion.cgi` | Medium -63 | File | `auth.php` | Medium -64 | File | `basket.php` | Medium -65 | File | 
`boardData103.php/boardDataJP.php/boardDataNA.php/boardDataWW.php` | High -66 | File | `books.php` | Medium -67 | File | `browse-category.php` | High -68 | File | `browse.php` | Medium -69 | File | `browse_videos.php` | High -70 | File | `BrudaNews/BrudaGB` | High -71 | File | `bwlist_inc.html` | High -72 | File | `calendar.php` | Medium -73 | File | `cart.php` | Medium -74 | File | `cart_add.php` | Medium -75 | File | `case.filemanager.php` | High -76 | File | `catalog.php` | Medium -77 | File | `catalogshop.php` | High -78 | File | `catalogue.asp` | High -79 | File | `category.cfm` | Medium -80 | File | `category.php` | Medium -81 | File | `category_list.php` | High -82 | File | `cgi-bin/awstats.pl` | High -83 | File | `channel.asp` | Medium -84 | File | `ChooseCpSearch.php` | High -85 | File | `comentarii.php` | High -86 | File | `comments.php` | Medium -87 | File | `compose.php` | Medium -88 | File | `config.inc.php` | High -89 | File | `config.php` | Medium -90 | File | `contact.php` | Medium -91 | ... | ... | ... 
+22 | File | `/wp-admin/options-general.php` | High +23 | File | `/zm/index.php` | High +24 | File | `adaptive-images-script.php` | High +25 | File | `additem.asp` | Medium +26 | File | `addtocart.asp` | High +27 | File | `adherents/subscription/info.php` | High +28 | File | `admin.asp` | Medium +29 | File | `admin.php` | Medium +30 | File | `admin/admin.php` | High +31 | File | `admin/general.php` | High +32 | File | `admin/header.php` | High +33 | File | `admin/inc/change_action.php` | High +34 | File | `admin/index.php` | High +35 | File | `admin/index.php?id=users/action=edit/user_id=1` | High +36 | File | `admin/info.php` | High +37 | File | `admin/login.asp` | High +38 | File | `admin/manage-comments.php` | High +39 | File | `admin/manage-news.php` | High +40 | File | `admin/plugin-settings.php` | High +41 | File | `admin/specials.php` | High +42 | File | `admin:de` | Medium +43 | File | `admincp/auth/checklogin.php` | High +44 | File | `admincp/auth/secure.php` | High +45 | File | `administrator/index.php` | High +46 | File | `admin_login.asp` | High +47 | File | `adv_search.asp` | High +48 | File | `ajax.php` | Medium +49 | File | `ajax_url.php` | Medium +50 | File | `album_portal.php` | High +51 | File | `al_initialize.php` | High +52 | File | `anjel.index.php` | High +53 | File | `annonces-p-f.php` | High +54 | File | `announce.php` | Medium +55 | File | `announcement.php` | High +56 | File | `announcements.php` | High +57 | File | `app/admin/routing/edit-bgp-mapping-search.php` | High +58 | File | `apply.cgi` | Medium +59 | File | `apps/app_article/controller/rating.php` | High +60 | File | `article.php` | Medium +61 | File | `articles.php` | Medium +62 | File | `artikel_anzeige.php` | High +63 | File | `auktion.cgi` | Medium +64 | File | `auth.php` | Medium +65 | File | `basket.php` | Medium +66 | File | `boardData103.php/boardDataJP.php/boardDataNA.php/boardDataWW.php` | High +67 | File | `books.php` | Medium +68 | File | `browse-category.php` | High 
+69 | File | `browse.php` | Medium +70 | File | `browse_videos.php` | High +71 | File | `BrudaNews/BrudaGB` | High +72 | File | `bwlist_inc.html` | High +73 | File | `calendar.php` | Medium +74 | File | `cart.php` | Medium +75 | File | `cart_add.php` | Medium +76 | File | `case.filemanager.php` | High +77 | File | `catalog.php` | Medium +78 | File | `catalogshop.php` | High +79 | File | `catalogue.asp` | High +80 | File | `category.cfm` | Medium +81 | File | `category.php` | Medium +82 | File | `category_list.php` | High +83 | File | `cgi-bin/awstats.pl` | High +84 | File | `channel.asp` | Medium +85 | File | `ChooseCpSearch.php` | High +86 | File | `comentarii.php` | High +87 | File | `comments.php` | Medium +88 | File | `compose.php` | Medium +89 | File | `config.inc.php` | High +90 | File | `config.php` | Medium +91 | File | `contact.php` | Medium +92 | ... | ... | ... -There are 807 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 813 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References diff --git a/actors/Sandworm Team/README.md b/actors/Sandworm Team/README.md index c1151730..1c2b10e0 100644 --- a/actors/Sandworm Team/README.md +++ b/actors/Sandworm Team/README.md @@ -95,7 +95,7 @@ ID | Type | Indicator | Confidence 35 | File | `actions/CompanyDetailsSave.php` | High 36 | ... | ... | ... -There are 310 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 309 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References diff --git a/actors/Shuckworm/README.md b/actors/Shuckworm/README.md new file mode 100644 index 00000000..31f30eb9 --- /dev/null +++ b/actors/Shuckworm/README.md 
@@ -0,0 +1,87 @@ +# Shuckworm - Cyber Threat Intelligence + +These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Shuckworm](https://vuldb.com/?actor.shuckworm). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics. + +_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.shuckworm](https://vuldb.com/?actor.shuckworm) + +## Countries + +These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Shuckworm: + +* [US](https://vuldb.com/?country.us) +* [RU](https://vuldb.com/?country.ru) +* [CN](https://vuldb.com/?country.cn) +* ... + +There are 4 more country items available. Please use our online service to access the data. + +## IOC - Indicator of Compromise + +These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Shuckworm. 
+ +ID | IP address | Hostname | Campaign | Confidence +-- | ---------- | -------- | -------- | ---------- +1 | [5.63.157.11](https://vuldb.com/?ip.5.63.157.11) | 5-63-157-11.cloudvps.regruhosting.ru | - | High +2 | [5.252.178.115](https://vuldb.com/?ip.5.252.178.115) | 5-252-178-115.mivocloud.com | - | High +3 | [5.252.178.120](https://vuldb.com/?ip.5.252.178.120) | no-rdns.mivocloud.com | - | High +4 | [5.252.178.145](https://vuldb.com/?ip.5.252.178.145) | 5-252-178-145.mivocloud.com | - | High +5 | [31.31.203.61](https://vuldb.com/?ip.31.31.203.61) | 31-31-203-61.cloudvps.regruhosting.ru | - | High +6 | [37.140.197.165](https://vuldb.com/?ip.37.140.197.165) | 37-140-197-165.cloudvps.regruhosting.ru | - | High +7 | [37.140.197.251](https://vuldb.com/?ip.37.140.197.251) | 37-140-197-251.cloudvps.regruhosting.ru | - | High +8 | [45.76.169.62](https://vuldb.com/?ip.45.76.169.62) | 45.76.169.62.vultrusercontent.com | - | High +9 | [70.34.217.0](https://vuldb.com/?ip.70.34.217.0) | 70.34.217.0.vultrusercontent.com | - | High +10 | [80.78.241.15](https://vuldb.com/?ip.80.78.241.15) | 80-78-241-15.cloudvps.regruhosting.ru | - | High +11 | [80.78.245.226](https://vuldb.com/?ip.80.78.245.226) | srv3.netpatch.ru | - | High +12 | [80.78.253.31](https://vuldb.com/?ip.80.78.253.31) | 80-78-253-31.cloudvps.regruhosting.ru | - | High +13 | ... | ... | ... | ... + +There are 47 more IOC items available. Please use our online service to access the data. + +## TTP - Tactics, Techniques, Procedures + +_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Shuckworm_. This data is unique as it uses our predictive model for actor profiling. 
+ +ID | Technique | Weakness | Description | Confidence +-- | --------- | -------- | ----------- | ---------- +1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High +2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High +3 | T1495 | CWE-494 | Download of Code Without Integrity Check | High +4 | ... | ... | ... | ... + +There are 1 more TTP items available. Please use our online service to access the data. + +## IOA - Indicator of Attack + +These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Shuckworm. This data is unique as it uses our predictive model for actor profiling. + +ID | Type | Indicator | Confidence +-- | ---- | --------- | ---------- +1 | File | `/error` | Low +2 | File | `/forum/away.php` | High +3 | File | `/gena.cgi` | Medium +4 | File | `/login` | Low +5 | File | `/php/ajax.php` | High +6 | File | `/rapi/read_url` | High +7 | File | `/sec/content/sec_asa_users_local_db_add.html` | High +8 | File | `/see_more_details.php` | High +9 | File | `/wp-admin/admin-post.php?es_skip=1&option_name` | High +10 | ... | ... | ... + +There are 72 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. + +## References + +The following list contains _external sources_ which discuss the actor and the associated activities: + +* https://github.com/Symantec/threathunters/blob/main/Shuckworm/network + +## Literature + +The following _articles_ explain our unique predictive cyber threat intelligence: + +* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti) +* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022) + +## License + +(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). 
All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)! diff --git a/actors/SideCopy/README.md b/actors/SideCopy/README.md index 8788a872..5ae3d34c 100644 --- a/actors/SideCopy/README.md +++ b/actors/SideCopy/README.md @@ -77,7 +77,7 @@ ID | Type | Indicator | Confidence 28 | File | `auth-options.c` | High 29 | ... | ... | ... -There are 248 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 249 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References diff --git a/actors/SocGholish/README.md b/actors/SocGholish/README.md new file mode 100644 index 00000000..1243df9d --- /dev/null +++ b/actors/SocGholish/README.md 
@@ -0,0 +1,86 @@ +# SocGholish - Cyber Threat Intelligence + +These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [SocGholish](https://vuldb.com/?actor.socgholish). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics. + +_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.socgholish](https://vuldb.com/?actor.socgholish) + +## Countries + +These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with SocGholish: + +* [US](https://vuldb.com/?country.us) +* [RU](https://vuldb.com/?country.ru) +* [ES](https://vuldb.com/?country.es) +* ... + +There are 5 more country items available. Please use our online service to access the data. + +## IOC - Indicator of Compromise + +These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of SocGholish. + +ID | IP address | Hostname | Campaign | Confidence +-- | ---------- | -------- | -------- | ---------- +1 | [5.53.125.173](https://vuldb.com/?ip.5.53.125.173) | authoremail.net | - | High +2 | [77.223.98.12](https://vuldb.com/?ip.77.223.98.12) | cloud12915.coteseuplano1.com.br | - | High +3 | [87.249.50.201](https://vuldb.com/?ip.87.249.50.201) | 832423-cv17319.tmweb.ru | - | High +4 | ... | ... | ... | ... + +There are 3 more IOC items available. Please use our online service to access the data. + +## TTP - Tactics, Techniques, Procedures + +_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _SocGholish_. 
This data is unique as it uses our predictive model for actor profiling. + +ID | Technique | Weakness | Description | Confidence +-- | --------- | -------- | ----------- | ---------- +1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High +2 | T1068 | CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High +3 | T1211 | CWE-254 | 7PK Security Features | High +4 | ... | ... | ... | ... + +There are 7 more TTP items available. Please use our online service to access the data. + +## IOA - Indicator of Attack + +These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by SocGholish. This data is unique as it uses our predictive model for actor profiling. + +ID | Type | Indicator | Confidence +-- | ---- | --------- | ---------- +1 | File | `/addsrv` | Low +2 | File | `/Admin/Views/FileEditor/` | High +3 | File | `/adminlogin.asp` | High +4 | File | `/article/add` | Medium +5 | File | `/controller/pay.class.php` | High +6 | File | `/dev/kmem` | Medium +7 | File | `/dev/snd/seq` | Medium +8 | File | `/device/device=140/tab=wifi/view` | High +9 | File | `/jerry-core/ecma/base/ecma-gc.c` | High +10 | File | `/product_list.php` | High +11 | File | `/rukovoditel_2.4.1/index.php?module=configuration/save&redirect_to=configuration/application` | High +12 | File | `/src/core/controllers/cm.php` | High +13 | File | `/transmission/web/` | High +14 | File | `/uncpath/` | Medium +15 | File | `/usr/local` | Medium +16 | File | `/weibo/publishdata` | High +17 | File | `adm.cgi` | Low +18 | ... | ... | ... + +There are 148 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. 
+ +## References + +The following list contains _external sources_ which discuss the actor and the associated activities: + +* https://www.cybereason.com/blog/threat-analysis-report-socgholish-and-zloader-from-fake-updates-and-installers-to-owning-your-systems + +## Literature + +The following _articles_ explain our unique predictive cyber threat intelligence: + +* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti) +* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022) + +## License + +(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)! diff --git a/actors/TA505/README.md b/actors/TA505/README.md index 3413019c..618af55e 100644 --- a/actors/TA505/README.md +++ b/actors/TA505/README.md @@ -105,9 +105,10 @@ ID | Type | Indicator | Confidence 37 | File | `app/call_centers/cmd.php` | High 38 | File | `arch/x86/kvm/hyperv.c` | High 39 | File | `auction.cgi` | Medium -40 | ... | ... | ... +40 | File | `autologin.jsp` | High +41 | ... | ... | ... -There are 349 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 351 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References diff --git a/actors/TeamTNT/README.md b/actors/TeamTNT/README.md index 1b0edb3f..bd51d17b 100644 --- a/actors/TeamTNT/README.md +++ b/actors/TeamTNT/README.md 
@@ -18,7 +18,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce * [MO](https://vuldb.com/?country.mo) * [US](https://vuldb.com/?country.us) -* [ES](https://vuldb.com/?country.es) +* [CN](https://vuldb.com/?country.cn) * ... There are 2 more country items available. Please use our online service to access the data. diff --git a/actors/Thamar Reservoir/README.md b/actors/Thamar Reservoir/README.md index d62f247b..0ac3397d 100644 --- a/actors/Thamar Reservoir/README.md +++ b/actors/Thamar Reservoir/README.md @@ -8,6 +8,7 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Thamar Reservoir: +* [RU](https://vuldb.com/?country.ru) * [US](https://vuldb.com/?country.us) * [PL](https://vuldb.com/?country.pl) @@ -28,6 +29,7 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK ID | Technique | Weakness | Description | Confidence -- | --------- | -------- | ----------- | ---------- 1 | T1059.007 | CWE-79 | Cross Site Scripting | High +2 | T1068 | CWE-284 | Execution with Unnecessary Privileges | High ## IOA - Indicator of Attack diff --git a/actors/Tofsee/README.md b/actors/Tofsee/README.md index 9bc992c7..834e574d 100644 --- a/actors/Tofsee/README.md +++ b/actors/Tofsee/README.md @@ -159,7 +159,7 @@ ID | Type | Indicator | Confidence 36 | File | `ActiveServices.java` | High 37 | ... | ... | ... -There are 320 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 318 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References diff --git a/actors/Tomiris/README.md b/actors/Tomiris/README.md index 3d7a5e0a..626b87d8 100644 --- a/actors/Tomiris/README.md +++ b/actors/Tomiris/README.md 
@@ -41,7 +41,7 @@ ID | Type | Indicator | Confidence
 3 | File | `/public/login.htm` | High
 4 | ... | ... | ...
-There are 9 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 10 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
 ## References
diff --git a/actors/TrickBot/README.md b/actors/TrickBot/README.md
index f0fc23ed..5c0dc85b 100644
--- a/actors/TrickBot/README.md
+++ b/actors/TrickBot/README.md
@@ -16,10 +16,10 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
 * [VN](https://vuldb.com/?country.vn)
 * [RU](https://vuldb.com/?country.ru)
-* [SH](https://vuldb.com/?country.sh)
+* [GB](https://vuldb.com/?country.gb)
 * ...
-There are 1 more country items available. Please use our online service to access the data.
+There are 3 more country items available. Please use our online service to access the data.
 ## IOC - Indicator of Compromise
@@ -35,106 +35,124 @@ ID | IP address | Hostname | Campaign | Confidence
 6 | [5.53.124.49](https://vuldb.com/?ip.5.53.124.49) | dgbtechnologies.com | - | High
 7 | [5.59.205.32](https://vuldb.com/?ip.5.59.205.32) | dhcp-32-205-59-5.metro86.ru | - | High
 8 | [5.133.179.108](https://vuldb.com/?ip.5.133.179.108) | 5-133-179-108.freeucouponsnow.ru | - | High
-9 | [5.182.210.132](https://vuldb.com/?ip.5.182.210.132) | - | - | High
-10 | [5.182.210.226](https://vuldb.com/?ip.5.182.210.226) | - | - | High
-11 | [5.182.210.230](https://vuldb.com/?ip.5.182.210.230) | - | - | High
-12 | [5.182.210.246](https://vuldb.com/?ip.5.182.210.246) | - | - | High
-13 | [5.182.210.254](https://vuldb.com/?ip.5.182.210.254) | n01-nlam.kdktech.com | - | High
-14 | [14.241.244.60](https://vuldb.com/?ip.14.241.244.60) | - | - | High
-15 | [18.233.90.151](https://vuldb.com/?ip.18.233.90.151) | ec2-18-233-90-151.compute-1.amazonaws.com | - | Medium
-16 | [23.3.13.88](https://vuldb.com/?ip.23.3.13.88) | a23-3-13-88.deploy.static.akamaitechnologies.com | - | High
-17 | [23.3.13.154](https://vuldb.com/?ip.23.3.13.154) | a23-3-13-154.deploy.static.akamaitechnologies.com | - | High
-18 | [23.3.125.111](https://vuldb.com/?ip.23.3.125.111) | a23-3-125-111.deploy.static.akamaitechnologies.com | - | High
-19 | [23.21.27.29](https://vuldb.com/?ip.23.21.27.29) | ec2-23-21-27-29.compute-1.amazonaws.com | - | Medium
-20 | [23.21.48.44](https://vuldb.com/?ip.23.21.48.44) | ec2-23-21-48-44.compute-1.amazonaws.com | - | Medium
-21 | [23.21.121.219](https://vuldb.com/?ip.23.21.121.219) | ec2-23-21-121-219.compute-1.amazonaws.com | - | Medium
-22 | [23.21.252.4](https://vuldb.com/?ip.23.21.252.4) | ec2-23-21-252-4.compute-1.amazonaws.com | - | Medium
-23 | [23.23.83.153](https://vuldb.com/?ip.23.23.83.153) | ec2-23-23-83-153.compute-1.amazonaws.com | - | Medium
-24 | [23.23.243.154](https://vuldb.com/?ip.23.23.243.154) | ec2-23-23-243-154.compute-1.amazonaws.com | - | Medium
-25 | [23.94.233.210](https://vuldb.com/?ip.23.94.233.210) | 23-94-233-210-host.colocrossing.com | - | High
-26 | [23.96.30.229](https://vuldb.com/?ip.23.96.30.229) | - | - | High
-27 | [23.160.192.125](https://vuldb.com/?ip.23.160.192.125) | unknown.ip-xfer.net | - | High
-28 | [23.160.193.106](https://vuldb.com/?ip.23.160.193.106) | unknown.ip-xfer.net | - | High
-29 | [23.202.231.166](https://vuldb.com/?ip.23.202.231.166) | a23-202-231-166.deploy.static.akamaitechnologies.com | - | High
-30 | [23.217.138.107](https://vuldb.com/?ip.23.217.138.107) | a23-217-138-107.deploy.static.akamaitechnologies.com | - | High
-31 | [24.162.214.166](https://vuldb.com/?ip.24.162.214.166) | cpe-24-162-214-166.elp.res.rr.com | - | High
-32 | [27.72.107.215](https://vuldb.com/?ip.27.72.107.215) | dynamic-adsl.viettel.vn | - | High
-33 | [31.131.26.122](https://vuldb.com/?ip.31.131.26.122) | - | - | High
-34 | [31.134.60.181](https://vuldb.com/?ip.31.134.60.181) | 31-134-60-181.telico.pl | - | High
-35 | [31.172.177.90](https://vuldb.com/?ip.31.172.177.90) | poczta.mp-lift.pl | - | High
-36 | [31.184.253.6](https://vuldb.com/?ip.31.184.253.6) | - | - | High
-37 | [34.117.59.81](https://vuldb.com/?ip.34.117.59.81) | 81.59.117.34.bc.googleusercontent.com | - | Medium
-38 | [34.196.181.158](https://vuldb.com/?ip.34.196.181.158) | ec2-34-196-181-158.compute-1.amazonaws.com | - | Medium
-39 | [34.233.102.38](https://vuldb.com/?ip.34.233.102.38) | ec2-34-233-102-38.compute-1.amazonaws.com | - | Medium
-40 | [36.37.176.6](https://vuldb.com/?ip.36.37.176.6) | - | - | High
-41 | [36.89.191.119](https://vuldb.com/?ip.36.89.191.119) | - | - | High
-42 | [36.89.193.181](https://vuldb.com/?ip.36.89.193.181) | - | - | High
-43 | [36.89.193.235](https://vuldb.com/?ip.36.89.193.235) | - | - | High
-44 | [36.89.228.201](https://vuldb.com/?ip.36.89.228.201) | - | - | High
-45 | [36.91.88.164](https://vuldb.com/?ip.36.91.88.164) | - | - | High
-46 | [36.91.117.231](https://vuldb.com/?ip.36.91.117.231) | - | - | High
-47 | [36.91.186.235](https://vuldb.com/?ip.36.91.186.235) | - | - | High
-48 | [36.94.27.124](https://vuldb.com/?ip.36.94.27.124) | - | - | High
-49 | [36.94.100.202](https://vuldb.com/?ip.36.94.100.202) | - | - | High
-50 | [36.95.23.89](https://vuldb.com/?ip.36.95.23.89) | - | - | High
-51 | [36.95.27.243](https://vuldb.com/?ip.36.95.27.243) | - | - | High
-52 | [37.228.70.134](https://vuldb.com/?ip.37.228.70.134) | - | - | High
-53 | [37.228.117.250](https://vuldb.com/?ip.37.228.117.250) | janome.ru | - | High
-54 | [37.230.112.146](https://vuldb.com/?ip.37.230.112.146) | audiotop.ru | - | High
-55 | [37.230.114.93](https://vuldb.com/?ip.37.230.114.93) | admin1.fvds.ru | - | High
-56 | [37.230.114.248](https://vuldb.com/?ip.37.230.114.248) | kosmolot.com | - | High
-57 | [37.230.115.129](https://vuldb.com/?ip.37.230.115.129) | dvcarry.fvds.ru | - | High
-58 | [37.230.115.133](https://vuldb.com/?ip.37.230.115.133) | wdai.io | - | High
-59 | [37.230.115.138](https://vuldb.com/?ip.37.230.115.138) | i2.com | - | High
-60 | [37.230.115.171](https://vuldb.com/?ip.37.230.115.171) | geobrox.com | - | High
-61 | [37.230.115.184](https://vuldb.com/?ip.37.230.115.184) | 21922vdscom.com | - | High
-62 | [38.132.99.174](https://vuldb.com/?ip.38.132.99.174) | - | - | High
-63 | [43.245.216.116](https://vuldb.com/?ip.43.245.216.116) | - | - | High
-64 | [45.6.16.68](https://vuldb.com/?ip.45.6.16.68) | - | - | High
-65 | [45.14.226.115](https://vuldb.com/?ip.45.14.226.115) | - | - | High
-66 | [45.36.99.184](https://vuldb.com/?ip.45.36.99.184) | cpe-45-36-99-184.triad.res.rr.com | - | High
-67 | [45.115.172.105](https://vuldb.com/?ip.45.115.172.105) | - | - | High
-68 | [45.155.173.242](https://vuldb.com/?ip.45.155.173.242) | - | - | High
-69 | [45.167.249.126](https://vuldb.com/?ip.45.167.249.126) | - | - | High
-70 | [45.178.142.14](https://vuldb.com/?ip.45.178.142.14) | - | - | High
-71 | [45.201.134.202](https://vuldb.com/?ip.45.201.134.202) | - | - | High
-72 | [45.229.71.211](https://vuldb.com/?ip.45.229.71.211) | static-45-229-71-211.extrememt.com.br | - | High
-73 | [45.234.248.154](https://vuldb.com/?ip.45.234.248.154) | 45.-234.248-154.rev.voanet.br | - | High
-74 | [46.4.167.250](https://vuldb.com/?ip.46.4.167.250) | ip-subnet46-4-167.unassigned.theideahosting.net | - | High
-75 | [46.8.21.10](https://vuldb.com/?ip.46.8.21.10) | 53980.web.hosting-russia.ru | - | High
-76 | [46.8.21.113](https://vuldb.com/?ip.46.8.21.113) | 64403.web.hosting-russia.ru | - | High
-77 | [46.30.45.208](https://vuldb.com/?ip.46.30.45.208) | vm418209.eurodir.ru | - | High
-78 | [46.99.175.217](https://vuldb.com/?ip.46.99.175.217) | - | - | High
-79 | [46.209.140.220](https://vuldb.com/?ip.46.209.140.220) | - | - | High
-80 | [46.254.128.174](https://vuldb.com/?ip.46.254.128.174) | 46.254.128.174.lanultra.net | - | High
-81 | [49.156.34.134](https://vuldb.com/?ip.49.156.34.134) | - | - | High
-82 | [50.16.229.140](https://vuldb.com/?ip.50.16.229.140) | ec2-50-16-229-140.compute-1.amazonaws.com | - | Medium
-83 | [50.19.247.198](https://vuldb.com/?ip.50.19.247.198) | ec2-50-19-247-198.compute-1.amazonaws.com | - | Medium
-84 | [51.38.101.194](https://vuldb.com/?ip.51.38.101.194) | - | - | High
-85 | [51.77.92.215](https://vuldb.com/?ip.51.77.92.215) | - | - | High
-86 | [51.81.112.144](https://vuldb.com/?ip.51.81.112.144) | - | - | High
-87 | [51.89.115.101](https://vuldb.com/?ip.51.89.115.101) | secure-3111.buzztary.com | - | High
-88 | [51.89.115.116](https://vuldb.com/?ip.51.89.115.116) | tombe.nationfox.net | - | High
-89 | [51.89.115.121](https://vuldb.com/?ip.51.89.115.121) | mail1.cmailer.online | - | High
-90 | [51.159.23.217](https://vuldb.com/?ip.51.159.23.217) | jambold.co.uk | - | High
-91 | [51.254.83.17](https://vuldb.com/?ip.51.254.83.17) | ip17.ip-51-254-83.eu | - | High
-92 | [51.254.164.245](https://vuldb.com/?ip.51.254.164.245) | ip245.ip-51-254-164.eu | - | High
-93 | [52.0.197.231](https://vuldb.com/?ip.52.0.197.231) | ec2-52-0-197-231.compute-1.amazonaws.com | - | Medium
-94 | [52.20.197.7](https://vuldb.com/?ip.52.20.197.7) | ec2-52-20-197-7.compute-1.amazonaws.com | - | Medium
-95 | [52.202.139.131](https://vuldb.com/?ip.52.202.139.131) | ec2-52-202-139-131.compute-1.amazonaws.com | - | Medium
-96 | [52.204.109.97](https://vuldb.com/?ip.52.204.109.97) | ec2-52-204-109-97.compute-1.amazonaws.com | - | Medium
-97 | [52.206.161.133](https://vuldb.com/?ip.52.206.161.133) | ec2-52-206-161-133.compute-1.amazonaws.com | - | Medium
-98 | [54.39.106.25](https://vuldb.com/?ip.54.39.106.25) | ns560342.ip-54-39-106.net | - | High
-99 | [54.204.36.156](https://vuldb.com/?ip.54.204.36.156) | ec2-54-204-36-156.compute-1.amazonaws.com | - | Medium
-100 | [54.221.253.252](https://vuldb.com/?ip.54.221.253.252) | ec2-54-221-253-252.compute-1.amazonaws.com | - | Medium
-101 | [54.235.124.112](https://vuldb.com/?ip.54.235.124.112) | ec2-54-235-124-112.compute-1.amazonaws.com | - | Medium
-102 | [54.243.147.226](https://vuldb.com/?ip.54.243.147.226) | ec2-54-243-147-226.compute-1.amazonaws.com | - | Medium
-103 | [54.243.198.12](https://vuldb.com/?ip.54.243.198.12) | ec2-54-243-198-12.compute-1.amazonaws.com | - | Medium
-104 | [58.97.72.83](https://vuldb.com/?ip.58.97.72.83) | 58-97-72-83.static.asianet.co.th | - | High
-105 | [60.51.47.65](https://vuldb.com/?ip.60.51.47.65) | - | - | High
-106 | ... | ... | ... | ...
+9 | [5.182.210.30](https://vuldb.com/?ip.5.182.210.30) | realestatepromotion.ru | - | High
+10 | [5.182.210.132](https://vuldb.com/?ip.5.182.210.132) | - | - | High
+11 | [5.182.210.178](https://vuldb.com/?ip.5.182.210.178) | mail.rainingdreams.to | - | High
+12 | [5.182.210.226](https://vuldb.com/?ip.5.182.210.226) | - | - | High
+13 | [5.182.210.230](https://vuldb.com/?ip.5.182.210.230) | - | - | High
+14 | [5.182.210.246](https://vuldb.com/?ip.5.182.210.246) | - | - | High
+15 | [5.182.210.254](https://vuldb.com/?ip.5.182.210.254) | n01-nlam.kdktech.com | - | High
+16 | [5.196.247.14](https://vuldb.com/?ip.5.196.247.14) | ip14.ip-5-196-247.eu | - | High
+17 | [14.241.244.60](https://vuldb.com/?ip.14.241.244.60) | - | - | High
+18 | [18.233.90.151](https://vuldb.com/?ip.18.233.90.151) | ec2-18-233-90-151.compute-1.amazonaws.com | - | Medium
+19 | [23.3.13.88](https://vuldb.com/?ip.23.3.13.88) | a23-3-13-88.deploy.static.akamaitechnologies.com | - | High
+20 | [23.3.13.154](https://vuldb.com/?ip.23.3.13.154) | a23-3-13-154.deploy.static.akamaitechnologies.com | - | High
+21 | [23.3.125.111](https://vuldb.com/?ip.23.3.125.111) | a23-3-125-111.deploy.static.akamaitechnologies.com | - | High
+22 | [23.21.27.29](https://vuldb.com/?ip.23.21.27.29) | ec2-23-21-27-29.compute-1.amazonaws.com | - | Medium
+23 | [23.21.48.44](https://vuldb.com/?ip.23.21.48.44) | ec2-23-21-48-44.compute-1.amazonaws.com | - | Medium
+24 | [23.21.121.219](https://vuldb.com/?ip.23.21.121.219) | ec2-23-21-121-219.compute-1.amazonaws.com | - | Medium
+25 | [23.21.252.4](https://vuldb.com/?ip.23.21.252.4) | ec2-23-21-252-4.compute-1.amazonaws.com | - | Medium
+26 | [23.23.83.153](https://vuldb.com/?ip.23.23.83.153) | ec2-23-23-83-153.compute-1.amazonaws.com | - | Medium
+27 | [23.23.243.154](https://vuldb.com/?ip.23.23.243.154) | ec2-23-23-243-154.compute-1.amazonaws.com | - | Medium
+28 | [23.94.233.210](https://vuldb.com/?ip.23.94.233.210) | 23-94-233-210-host.colocrossing.com | - | High
+29 | [23.96.30.229](https://vuldb.com/?ip.23.96.30.229) | - | - | High
+30 | [23.160.192.125](https://vuldb.com/?ip.23.160.192.125) | unknown.ip-xfer.net | - | High
+31 | [23.160.193.106](https://vuldb.com/?ip.23.160.193.106) | unknown.ip-xfer.net | - | High
+32 | [23.202.231.166](https://vuldb.com/?ip.23.202.231.166) | a23-202-231-166.deploy.static.akamaitechnologies.com | - | High
+33 | [23.217.138.107](https://vuldb.com/?ip.23.217.138.107) | a23-217-138-107.deploy.static.akamaitechnologies.com | - | High
+34 | [24.162.214.166](https://vuldb.com/?ip.24.162.214.166) | cpe-24-162-214-166.elp.res.rr.com | - | High
+35 | [27.72.107.215](https://vuldb.com/?ip.27.72.107.215) | dynamic-adsl.viettel.vn | - | High
+36 | [31.131.26.122](https://vuldb.com/?ip.31.131.26.122) | - | - | High
+37 | [31.134.60.181](https://vuldb.com/?ip.31.134.60.181) | 31-134-60-181.telico.pl | - | High
+38 | [31.134.124.90](https://vuldb.com/?ip.31.134.124.90) | - | - | High
+39 | [31.172.177.90](https://vuldb.com/?ip.31.172.177.90) | poczta.mp-lift.pl | - | High
+40 | [31.184.253.6](https://vuldb.com/?ip.31.184.253.6) | - | - | High
+41 | [31.211.85.110](https://vuldb.com/?ip.31.211.85.110) | - | - | High
+42 | [34.117.59.81](https://vuldb.com/?ip.34.117.59.81) | 81.59.117.34.bc.googleusercontent.com | - | Medium
+43 | [34.196.181.158](https://vuldb.com/?ip.34.196.181.158) | ec2-34-196-181-158.compute-1.amazonaws.com | - | Medium
+44 | [34.233.102.38](https://vuldb.com/?ip.34.233.102.38) | ec2-34-233-102-38.compute-1.amazonaws.com | - | Medium
+45 | [36.37.176.6](https://vuldb.com/?ip.36.37.176.6) | - | - | High
+46 | [36.89.191.119](https://vuldb.com/?ip.36.89.191.119) | - | - | High
+47 | [36.89.193.181](https://vuldb.com/?ip.36.89.193.181) | - | - | High
+48 | [36.89.193.235](https://vuldb.com/?ip.36.89.193.235) | - | - | High
+49 | [36.89.228.201](https://vuldb.com/?ip.36.89.228.201) | - | - | High
+50 | [36.91.45.10](https://vuldb.com/?ip.36.91.45.10) | - | - | High
+51 | [36.91.88.164](https://vuldb.com/?ip.36.91.88.164) | - | - | High
+52 | [36.91.117.231](https://vuldb.com/?ip.36.91.117.231) | - | - | High
+53 | [36.91.186.235](https://vuldb.com/?ip.36.91.186.235) | - | - | High
+54 | [36.94.27.124](https://vuldb.com/?ip.36.94.27.124) | - | - | High
+55 | [36.94.100.202](https://vuldb.com/?ip.36.94.100.202) | - | - | High
+56 | [36.95.23.89](https://vuldb.com/?ip.36.95.23.89) | - | - | High
+57 | [36.95.27.243](https://vuldb.com/?ip.36.95.27.243) | - | - | High
+58 | [37.228.70.134](https://vuldb.com/?ip.37.228.70.134) | - | - | High
+59 | [37.228.117.250](https://vuldb.com/?ip.37.228.117.250) | janome.ru | - | High
+60 | [37.230.112.146](https://vuldb.com/?ip.37.230.112.146) | audiotop.ru | - | High
+61 | [37.230.114.93](https://vuldb.com/?ip.37.230.114.93) | admin1.fvds.ru | - | High
+62 | [37.230.114.248](https://vuldb.com/?ip.37.230.114.248) | kosmolot.com | - | High
+63 | [37.230.115.129](https://vuldb.com/?ip.37.230.115.129) | dvcarry.fvds.ru | - | High
+64 | [37.230.115.133](https://vuldb.com/?ip.37.230.115.133) | wdai.io | - | High
+65 | [37.230.115.138](https://vuldb.com/?ip.37.230.115.138) | i2.com | - | High
+66 | [37.230.115.171](https://vuldb.com/?ip.37.230.115.171) | geobrox.com | - | High
+67 | [37.230.115.184](https://vuldb.com/?ip.37.230.115.184) | 21922vdscom.com | - | High
+68 | [38.132.99.174](https://vuldb.com/?ip.38.132.99.174) | - | - | High
+69 | [41.77.134.250](https://vuldb.com/?ip.41.77.134.250) | cliente6386477933.clubnet.mz | - | High
+70 | [41.243.29.182](https://vuldb.com/?ip.41.243.29.182) | 182-29-243-41.r.airtel.cd | - | High
+71 | [43.245.216.116](https://vuldb.com/?ip.43.245.216.116) | - | - | High
+72 | [45.5.152.39](https://vuldb.com/?ip.45.5.152.39) | - | - | High
+73 | [45.6.16.68](https://vuldb.com/?ip.45.6.16.68) | - | - | High
+74 | [45.14.226.115](https://vuldb.com/?ip.45.14.226.115) | - | - | High
+75 | [45.36.99.184](https://vuldb.com/?ip.45.36.99.184) | cpe-45-36-99-184.triad.res.rr.com | - | High
+76 | [45.115.172.105](https://vuldb.com/?ip.45.115.172.105) | - | - | High
+77 | [45.155.173.242](https://vuldb.com/?ip.45.155.173.242) | - | - | High
+78 | [45.167.249.126](https://vuldb.com/?ip.45.167.249.126) | - | - | High
+79 | [45.178.142.14](https://vuldb.com/?ip.45.178.142.14) | - | - | High
+80 | [45.201.134.202](https://vuldb.com/?ip.45.201.134.202) | - | - | High
+81 | [45.229.71.211](https://vuldb.com/?ip.45.229.71.211) | static-45-229-71-211.extrememt.com.br | - | High
+82 | [45.234.248.154](https://vuldb.com/?ip.45.234.248.154) | 45.-234.248-154.rev.voanet.br | - | High
+83 | [46.4.167.250](https://vuldb.com/?ip.46.4.167.250) | ip-subnet46-4-167.unassigned.theideahosting.net | - | High
+84 | [46.8.21.10](https://vuldb.com/?ip.46.8.21.10) | 53980.web.hosting-russia.ru | - | High
+85 | [46.8.21.113](https://vuldb.com/?ip.46.8.21.113) | 64403.web.hosting-russia.ru | - | High
+86 | [46.30.45.208](https://vuldb.com/?ip.46.30.45.208) | vm418209.eurodir.ru | - | High
+87 | [46.99.175.217](https://vuldb.com/?ip.46.99.175.217) | - | - | High
+88 | [46.209.140.220](https://vuldb.com/?ip.46.209.140.220) | - | - | High
+89 | [46.254.128.174](https://vuldb.com/?ip.46.254.128.174) | 46.254.128.174.lanultra.net | - | High
+90 | [49.156.34.134](https://vuldb.com/?ip.49.156.34.134) | - | - | High
+91 | [50.16.229.140](https://vuldb.com/?ip.50.16.229.140) | ec2-50-16-229-140.compute-1.amazonaws.com | - | Medium
+92 | [50.19.247.198](https://vuldb.com/?ip.50.19.247.198) | ec2-50-19-247-198.compute-1.amazonaws.com | - | Medium
+93 | [51.38.101.194](https://vuldb.com/?ip.51.38.101.194) | - | - | High
+94 | [51.77.92.215](https://vuldb.com/?ip.51.77.92.215) | - | - | High
+95 | [51.81.112.144](https://vuldb.com/?ip.51.81.112.144) | - | - | High
+96 | [51.89.115.101](https://vuldb.com/?ip.51.89.115.101) | secure-3111.buzztary.com | - | High
+97 | [51.89.115.108](https://vuldb.com/?ip.51.89.115.108) | coms.jt120.com.cn | - | High
+98 | [51.89.115.112](https://vuldb.com/?ip.51.89.115.112) | brides-crude.nationfox.net | - | High
+99 | [51.89.115.116](https://vuldb.com/?ip.51.89.115.116) | tombe.nationfox.net | - | High
+100 | [51.89.115.121](https://vuldb.com/?ip.51.89.115.121) | mail1.cmailer.online | - | High
+101 | [51.159.23.217](https://vuldb.com/?ip.51.159.23.217) | jambold.co.uk | - | High
+102 | [51.254.83.17](https://vuldb.com/?ip.51.254.83.17) | ip17.ip-51-254-83.eu | - | High
+103 | [51.254.164.243](https://vuldb.com/?ip.51.254.164.243) | amortizserv.info | - | High
+104 | [51.254.164.245](https://vuldb.com/?ip.51.254.164.245) | ip245.ip-51-254-164.eu | - | High
+105 | [52.0.197.231](https://vuldb.com/?ip.52.0.197.231) | ec2-52-0-197-231.compute-1.amazonaws.com | - | Medium
+106 | [52.20.197.7](https://vuldb.com/?ip.52.20.197.7) | ec2-52-20-197-7.compute-1.amazonaws.com | - | Medium
+107 | [52.202.139.131](https://vuldb.com/?ip.52.202.139.131) | ec2-52-202-139-131.compute-1.amazonaws.com | - | Medium
+108 | [52.204.109.97](https://vuldb.com/?ip.52.204.109.97) | ec2-52-204-109-97.compute-1.amazonaws.com | - | Medium
+109 | [52.206.161.133](https://vuldb.com/?ip.52.206.161.133) | ec2-52-206-161-133.compute-1.amazonaws.com | - | Medium
+110 | [54.39.106.25](https://vuldb.com/?ip.54.39.106.25) | ns560342.ip-54-39-106.net | - | High
+111 | [54.204.36.156](https://vuldb.com/?ip.54.204.36.156) | ec2-54-204-36-156.compute-1.amazonaws.com | - | Medium
+112 | [54.221.253.252](https://vuldb.com/?ip.54.221.253.252) | ec2-54-221-253-252.compute-1.amazonaws.com | - | Medium
+113 | [54.235.124.112](https://vuldb.com/?ip.54.235.124.112) | ec2-54-235-124-112.compute-1.amazonaws.com | - | Medium
+114 | [54.243.147.226](https://vuldb.com/?ip.54.243.147.226) | ec2-54-243-147-226.compute-1.amazonaws.com | - | Medium
+115 | [54.243.198.12](https://vuldb.com/?ip.54.243.198.12) | ec2-54-243-198-12.compute-1.amazonaws.com | - | Medium
+116 | [58.97.72.83](https://vuldb.com/?ip.58.97.72.83) | 58-97-72-83.static.asianet.co.th | - | High
+117 | [60.51.47.65](https://vuldb.com/?ip.60.51.47.65) | - | - | High
+118 | [62.64.9.237](https://vuldb.com/?ip.62.64.9.237) | clients-62.64.9.237.misp.ru | - | High
+119 | [62.69.241.103](https://vuldb.com/?ip.62.69.241.103) | 62-69-241-103.internetia.net.pl | - | High
+120 | [62.99.76.213](https://vuldb.com/?ip.62.99.76.213) | 213.62-99-76.static.clientes.euskaltel.es | - | High
+121 | [62.109.2.172](https://vuldb.com/?ip.62.109.2.172) | megamart24.ru | - | High
+122 | [62.109.6.188](https://vuldb.com/?ip.62.109.6.188) | velomarket31.ru | - | High
+123 | [62.109.14.24](https://vuldb.com/?ip.62.109.14.24) | btc-manager1.ru | - | High
+124 | ... | ... | ... | ...
-There are 421 more IOC items available. Please use our online service to access the data.
+There are 493 more IOC items available. Please use our online service to access the data.
 ## TTP - Tactics, Techniques, Procedures
@@ -143,11 +161,11 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
 1 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
-2 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
-3 | T1068 | CWE-264, CWE-266, CWE-274, CWE-284 | Execution with Unnecessary Privileges | High
+2 | T1059.007 | CWE-79 | Cross Site Scripting | High
+3 | T1068 | CWE-250, CWE-264, CWE-274, CWE-284 | Execution with Unnecessary Privileges | High
 4 | ... | ... | ... | ...
-There are 7 more TTP items available. Please use our online service to access the data.
+There are 8 more TTP items available. Please use our online service to access the data.
 ## IOA - Indicator of Attack
@@ -155,26 +173,32 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
-1 | File | `/admin/config` | High
-2 | File | `/admin/export/getcsv/article_db` | High
-3 | File | `/admin/goods/update` | High
-4 | File | `/api/V2/internal/TaskPermissions/CheckTaskAccess` | High
-5 | File | `/apply.cgi` | Medium
-6 | File | `/blog/blog.php` | High
-7 | File | `/Car_Rental/booking.php` | High
-8 | File | `/classes/Comment` | High
-9 | File | `/cms/content/list` | High
-10 | File | `/devices/acurite.c` | High
-11 | File | `/etc/master.passwd` | High
-12 | File | `/example/editor` | High
-13 | File | `/feedback/post/` | High
-14 | File | `/index.php?page=reserve` | High
-15 | File | `/public_html/animals` | High
-16 | File | `/src/njs_vmcode.c` | High
-17 | File | `/system/user/resetPwd` | High
-18 | ... | ... | ...
+1 | File | `/admin.php?id=posts&action=display&value=1&postid=` | High
+2 | File | `/admin.php?id=siteoptions&social=display&value=0&sid=2` | High
+3 | File | `/admin.php?id=siteoptions&social=edit&sid=2` | High
+4 | File | `/admin/goods/update` | High
+5 | File | `/admin/inbox.php&action=delete` | High
+6 | File | `/admin/inbox.php&action=read` | High
+7 | File | `/admin/pagerole.php&action=display&value=1` | High
+8 | File | `/admin/pagerole.php&action=edit` | High
+9 | File | `/admin/posts.php` | High
+10 | File | `/admin/posts.php&action=delete` | High
+11 | File | `/admin/posts.php&action=edit` | High
+12 | File | `/admin/siteoptions.php&action=displaygoal&value=1&roleid=1` | High
+13 | File | `/admin/siteoptions.php&social=remove&sid=2` | High
+14 | File | `/admin/uesrs.php&&action=delete&userid=4` | High
+15 | File | `/admin/uesrs.php&action=display&value=Hide` | High
+16 | File | `/admin/uesrs.php&action=display&value=Show` | High
+17 | File | `/admin/uesrs.php&action=type&userrole=Admin&userid=3` | High
+18 | File | `/admin/uesrs.php&action=type&userrole=User` | High
+19 | File | `/api/students/me/messages/` | High
+20 | File | `/apply.cgi` | Medium
+21 | File | `/apps/acs-commons/content/page-compare.html` | High
+22 | File | `/blog/blog.php` | High
+23 | File | `/Car_Rental/booking.php` | High
+24 | ... | ... | ...
-There are 144 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 197 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
 ## References
@@ -213,6 +237,11 @@ The following list contains _external sources_ which discuss the actor and the a
 * https://research.checkpoint.com/2021/when-old-friends-meet-again-why-emotet-chose-trickbot-for-rebirth/
 * https://securelist.com/trickbot-module-descriptions/104603/
 * https://securityintelligence.com/posts/new-malware-trickbot-anchordns-backdoor-upgrades-anchormail/
+* https://thedfirreport.com/2020/04/30/tricky-pyxie/
+* https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
+* https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/
+* https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/
+* https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/
 ## Literature
diff --git a/actors/Trickster/README.md b/actors/Trickster/README.md
new file mode 100644
index 00000000..1ca7cddf
--- /dev/null
+++ b/actors/Trickster/README.md
@@ -0,0 +1,30 @@
+# Trickster - Cyber Threat Intelligence
+
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Trickster](https://vuldb.com/?actor.trickster). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
+
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.trickster](https://vuldb.com/?actor.trickster)
+
+## IOC - Indicator of Compromise
+
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Trickster.
+
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [216.218.206.69](https://vuldb.com/?ip.216.218.206.69) | scan-08.shadowserver.org | - | High
+
+## References
+
+The following list contains _external sources_ which discuss the actor and the associated activities:
+
+* https://blog.talosintelligence.com/2019/04/threat-roundup-0412-0419.html
+
+## Literature
+
+The following _articles_ explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
diff --git a/actors/UAC-0056/README.md b/actors/UAC-0056/README.md
index d1fed021..dc0080e6 100644
--- a/actors/UAC-0056/README.md
+++ b/actors/UAC-0056/README.md
@@ -63,35 +63,35 @@ ID | Type | Indicator | Confidence
 7 | File | `/common/logViewer/logViewer.jsf` | High
 8 | File | `/crmeb/app/admin/controller/store/CopyTaobao.php` | High
 9 | File | `/forum/away.php` | High
-10 | File | `/includes/rrdtool.inc.php` | High
-11 | File | `/mc-admin/post.php?state=delete&delete` | High
-12 | File | `/mifs/c/i/reg/reg.html` | High
-13 | File | `/ms/cms/content/list.do` | High
-14 | File | `/orms/` | Low
-15 | File | `/plesk-site-preview/` | High
-16 | File | `/uncpath/` | Medium
-17 | File | `/usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php` | High
-18 | File | `/www/ping_response.cgi` | High
-19 | File | `ABuffer.cpp` | Medium
-20 | File | `account.asp` | Medium
-21 | File | `addmember.php` | High
-22 | File | `addtocart.asp` | High
-23 | File | `addtomylist.asp` | High
-24 | File | `admin.php` | Medium
-25 | File | `admin.x-shop.php` | High
-26 | File | `admin/auth.php` | High
-27 | File | `admin/changedata.php` | High
-28 | File | `admin/dashboard.php` | High
-29 | File | `admin/edit-news.php` | High
-30 | File | `admin/gallery.php` | High
-31 | File | `admin/index.php` | High
-32 | File | `admin/manage-departments.php` | High
-33 | File | `admin/sellerupd.php` | High
-34 | File | `admin/vqmods.app/vqmods.inc.php` | High
-35 | File | `admincp/auth/checklogin.php` | High
+10 | File | `/hocms/classes/Master.php?f=delete_collection` | High
+11 | File | `/includes/rrdtool.inc.php` | High
+12 | File | `/mc-admin/post.php?state=delete&delete` | High
+13 | File | `/mifs/c/i/reg/reg.html` | High
+14 | File | `/ms/cms/content/list.do` | High
+15 | File | `/orms/` | Low
+16 | File | `/plesk-site-preview/` | High
+17 | File | `/student-grading-system/rms.php?page=grade` | High
+18 | File | `/uncpath/` | Medium
+19 | File | `/usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php` | High
+20 | File | `/www/ping_response.cgi` | High
+21 | File | `ABuffer.cpp` | Medium
+22 | File | `account.asp` | Medium
+23 | File | `addmember.php` | High
+24 | File | `addtocart.asp` | High
+25 | File | `addtomylist.asp` | High
+26 | File | `admin.php` | Medium
+27 | File | `admin.x-shop.php` | High
+28 | File | `admin/auth.php` | High
+29 | File | `admin/changedata.php` | High
+30 | File | `admin/dashboard.php` | High
+31 | File | `admin/edit-news.php` | High
+32 | File | `admin/gallery.php` | High
+33 | File | `admin/index.php` | High
+34 | File | `admin/manage-departments.php` | High
+35 | File | `admin/sellerupd.php` | High
 36 | ... | ... | ...
-There are 305 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 308 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
 ## References
diff --git a/actors/UAC-0098/README.md b/actors/UAC-0098/README.md
new file mode 100644
index 00000000..918b1744
--- /dev/null
+++ b/actors/UAC-0098/README.md
@@ -0,0 +1,81 @@ +# UAC-0098 - Cyber Threat Intelligence + +These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [UAC-0098](https://vuldb.com/?actor.uac-0098). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics. + +_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.uac-0098](https://vuldb.com/?actor.uac-0098) + +## Campaigns + +The following _campaigns_ are known and can be associated with UAC-0098: + +* Cobalt Strike +* IcedID + +## Countries + +These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with UAC-0098: + +* [US](https://vuldb.com/?country.us) +* [CN](https://vuldb.com/?country.cn) +* [DE](https://vuldb.com/?country.de) + +## IOC - Indicator of Compromise + +These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of UAC-0098. + +ID | IP address | Hostname | Campaign | Confidence +-- | ---------- | -------- | -------- | ---------- +1 | [84.32.188.29](https://vuldb.com/?ip.84.32.188.29) | - | Cobalt Strike | High +2 | [134.209.144.87](https://vuldb.com/?ip.134.209.144.87) | - | IcedID | High +3 | [138.68.229.0](https://vuldb.com/?ip.138.68.229.0) | - | Cobalt Strike | High +4 | [139.60.160.8](https://vuldb.com/?ip.139.60.160.8) | - | Cobalt Strike | High +5 | [139.60.160.17](https://vuldb.com/?ip.139.60.160.17) | - | Cobalt Strike | High +6 | ... | ... | ... | ... + +There are 19 more IOC items available. Please use our online service to access the data. 
+ +## TTP - Tactics, Techniques, Procedures + +_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _UAC-0098_. This data is unique as it uses our predictive model for actor profiling. + +ID | Technique | Weakness | Description | Confidence +-- | --------- | -------- | ----------- | ---------- +1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High +2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High +3 | T1222 | CWE-275 | Permission Issues | High +4 | ... | ... | ... | ... + +There are 2 more TTP items available. Please use our online service to access the data. + +## IOA - Indicator of Attack + +These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by UAC-0098. This data is unique as it uses our predictive model for actor profiling. + +ID | Type | Indicator | Confidence +-- | ---- | --------- | ---------- +1 | File | `/etc/shadow` | Medium +2 | File | `/goform/net\_Web\_get_value` | High +3 | File | `/goform/net_WebCSRGen` | High +4 | File | `/goform/WebRSAKEYGen` | High +5 | File | `/uncpath/` | Medium +6 | ... | ... | ... + +There are 35 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. + +## References + +The following list contains _external sources_ which discuss the actor and the associated activities: + +* https://cert.gov.ua/article/39609 +* https://cert.gov.ua/article/39708 + +## Literature + +The following _articles_ explain our unique predictive cyber threat intelligence: + +* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti) +* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022) + +## License + +(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). 
All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)! diff --git a/actors/Ursnif/README.md b/actors/Ursnif/README.md index 5c4deda9..cffed87d 100644 --- a/actors/Ursnif/README.md +++ b/actors/Ursnif/README.md @@ -60,7 +60,7 @@ ID | Technique | Weakness | Description | Confidence 3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High 4 | ... | ... | ... | ... -There are 6 more TTP items available. Please use our online service to access the data. +There are 5 more TTP items available. Please use our online service to access the data. ## IOA - Indicator of Attack diff --git a/actors/VBShower/README.md b/actors/VBShower/README.md index 5d6cca4d..b702f17e 100644 --- a/actors/VBShower/README.md +++ b/actors/VBShower/README.md @@ -35,7 +35,7 @@ ID | Technique | Weakness | Description | Confidence 3 | T1068 | CWE-250, CWE-264, CWE-274, CWE-284 | Execution with Unnecessary Privileges | High 4 | ... | ... | ... | ... -There are 8 more TTP items available. Please use our online service to access the data. +There are 7 more TTP items available. Please use our online service to access the data. ## IOA - Indicator of Attack 
@@ -47,33 +47,31 @@ ID | Type | Indicator | Confidence 2 | File | `/admin/inbox.php&action=read` | High 3 | File | `/admin/news/news_mod.php` | High 4 | File | `/admin/page_edit/3` | High -5 | File | `/apps/acs-commons/content/page-compare.html` | High -6 | File | `/blog/blog.php` | High -7 | File | `/cgi-bin/uploadWeiXinPic` | High -8 | File | `/domain/service/.ewell-known/caldav` | High -9 | File | `/dvcset/sysset/set.cgi` | High -10 | File | `/example/editor` | High -11 | File | `/include/make.php` | High -12 | File | `/jquery_file_upload/server/php/index.php` | High -13 | File | `/mobile/SelectUsers.jsp` | High -14 | File | `/php/ajax.php` | High -15 | File | `/ProteinArraySignificanceTest.json` | High -16 | File | `/ptms/classes/Users.php` | High -17 | File | `/public/admin/index.php?add_product` | High -18 | File | `/system/bin/osi_bin` | High -19 | File | `/usr/local/bin/mjs` | High -20 | File | `/wp-content/uploads/jobmonster/` | High -21 | File | `/zbzedit/php/zbz.php` | High -22 | File | `ActiveServices.java` | High -23 | File | `admin/bad.php` | High -24 | File | `admin/dl_sendmail.php` | High -25 | File | `admin/htaccess/bpsunlock.php` | High -26 | File | `admin/pages/useredit.php` | High -27 | File | `AlertReceiver.java` | High -28 | File | `alfresco/s/admin/admin-nodebrowser` | High -29 | ... | ... | ... 
+5 | File | `/administrator/alerts/alertLightbox.php` | High +6 | File | `/apps/acs-commons/content/page-compare.html` | High +7 | File | `/blog/blog.php` | High +8 | File | `/cgi-bin/main.cgi` | High +9 | File | `/cgi-bin/uploadWeiXinPic` | High +10 | File | `/domain/service/.ewell-known/caldav` | High +11 | File | `/dvcset/sysset/set.cgi` | High +12 | File | `/example/editor` | High +13 | File | `/include/make.php` | High +14 | File | `/jquery_file_upload/server/php/index.php` | High +15 | File | `/mobile/SelectUsers.jsp` | High +16 | File | `/php/ajax.php` | High +17 | File | `/ProteinArraySignificanceTest.json` | High +18 | File | `/ptms/classes/Users.php` | High +19 | File | `/public/admin/index.php?add_product` | High +20 | File | `/role/saveOrUpdateRole.do` | High +21 | File | `/system/bin/osi_bin` | High +22 | File | `/usr/local/bin/mjs` | High +23 | File | `/wp-content/uploads/jobmonster/` | High +24 | File | `/zbzedit/php/zbz.php` | High +25 | File | `ActiveServices.java` | High +26 | File | `admin/htaccess/bpsunlock.php` | High +27 | ... | ... | ... -There are 243 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 225 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References diff --git a/actors/Valyria/README.md b/actors/Valyria/README.md index f0f5536b..cc3f76b9 100644 --- a/actors/Valyria/README.md +++ b/actors/Valyria/README.md @@ -10,7 +10,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce * [US](https://vuldb.com/?country.us) * [RU](https://vuldb.com/?country.ru) -* [DE](https://vuldb.com/?country.de) +* [IL](https://vuldb.com/?country.il) * ... There are 6 more country items available. Please use our online service to access the data. 
@@ -43,7 +43,7 @@ ID | Technique | Weakness | Description | Confidence 3 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High 4 | ... | ... | ... | ... -There are 9 more TTP items available. Please use our online service to access the data. +There are 8 more TTP items available. Please use our online service to access the data. ## IOA - Indicator of Attack 
@@ -51,43 +51,47 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic ID | Type | Indicator | Confidence -- | ---- | --------- | ---------- -1 | File | `/.htaccess` | Medium -2 | File | `/admin.php/admin/art/data.html` | High -3 | File | `/admin.php/admin/ulog/index.html` | High -4 | File | `/admin.php/admin/vod/data.html` | High -5 | File | `/admin/goods/update` | High -6 | File | `/api/eventinstance` | High -7 | File | `/api /v3/auth` | High -8 | File | `/blog/blog.php` | High -9 | File | `/cgi-bin/uploadAccessCodePic` | High -10 | File | `/cloud_config/router_post/check_reset_pwd_verify_code` | High -11 | File | `/cloud_config/router_post/upgrade_info` | High -12 | File | `/cwms/admin/?page=articles/view_article/` | High -13 | File | `/cwms/classes/Master.php?f=save_contact` | High -14 | File | `/data/sqldata` | High -15 | File | `/DataPackageTable` | High -16 | File | `/download/` | Medium -17 | File | `/etc/puppetlabs/puppetserver/conf.d/ca.conf` | High -18 | File | `/etc/zarafa/license` | High -19 | File | `/factor/avx-ecm/vecarith52.c` | High -20 | File | `/goform/delAd` | High -21 | File | `/goform/form2Reboot.cgi` | High -22 | File | `/goform/login_process` | High -23 | File | `/goform/SetLanInfo` | High -24 | File | `/i/:data/ipa.plist` | High -25 | File | `/include/make.php` | High -26 | File | `/jpg/image.jpg` | High -27 | File | `/login` | Low -28 | File | `/nova/bin/traceroute` | High -29 | File | `/one_church/churchprofile.php` | High -30 | File | `/one_church/userregister.php` | High -31 | File | `/php/ajax.php` | High -32 | File | `/plesk-site-preview/` | High -33 | File | `/public/admin/index.php?add_product` | High -34 | File | `/tmp/swhks.pid` | High -35 | ... | ... | ... 
+1 | File | `/admin.php/admin/art/data.html` | High +2 | File | `/admin.php/admin/ulog/index.html` | High +3 | File | `/admin.php/admin/vod/data.html` | High +4 | File | `/admin.php?id=siteoptions&social=edit&sid=2` | High +5 | File | `/admin.php?r=admin/AdminBackup/del` | High +6 | File | `/admin/edit.php` | High +7 | File | `/admin/goods/update` | High +8 | File | `/admin/inbox.php&action=delete` | High +9 | File | `/admin/inbox.php&action=read` | High +10 | File | `/admin/pagerole.php&action=edit` | High +11 | File | `/admin/posts.php` | High +12 | File | `/admin/posts.php&action=delete` | High +13 | File | `/admin/siteoptions.php&action=displaygoal&value=1&roleid=1` | High +14 | File | `/admin/siteoptions.php&social=remove&sid=2` | High +15 | File | `/admin/uesrs.php&&action=delete&userid=4` | High +16 | File | `/admin/uesrs.php&action=display&value=Hide` | High +17 | File | `/admin/uesrs.php&action=display&value=Show` | High +18 | File | `/admin/uesrs.php&action=type&userrole=User` | High +19 | File | `/administrator/alerts/alertLightbox.php` | High +20 | File | `/api/eventinstance` | High +21 | File | `/api /v3/auth` | High +22 | File | `/appliance/users?action=edit` | High +23 | File | `/apps/acs-commons/content/page-compare.html` | High +24 | File | `/blog/blog.php` | High +25 | File | `/cdsms/classes/Master.php?f=delete_package` | High +26 | File | `/cmd?cmd=connect` | High +27 | File | `/cwms/admin/?page=articles/view_article/` | High +28 | File | `/cwms/classes/Master.php?f=save_contact` | High +29 | File | `/data/sqldata` | High +30 | File | `/etc/puppetlabs/puppetserver/conf.d/ca.conf` | High +31 | File | `/etc/zarafa/license` | High +32 | File | `/goform/login_process` | High +33 | File | `/hocms/classes/Master.php?f=delete_member` | High +34 | File | `/hocms/classes/Master.php?f=delete_phase` | High +35 | File | `/include/make.php` | High +36 | File | `/index.php?m=admin&c=custom&a=plugindelhandle` | High +37 | File | `/jpg/image.jpg` | High +38 | 
File | `/login` | Low +39 | ... | ... | ... -There are 301 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 338 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References diff --git a/actors/WindShift/README.md b/actors/WindShift/README.md index c6a859a9..e4a1c600 100644 --- a/actors/WindShift/README.md +++ b/actors/WindShift/README.md @@ -15,8 +15,11 @@ The following _campaigns_ are known and can be associated with WindShift: These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with WindShift: * [US](https://vuldb.com/?country.us) -* [TR](https://vuldb.com/?country.tr) * [RU](https://vuldb.com/?country.ru) +* [TR](https://vuldb.com/?country.tr) +* ... + +There are 3 more country items available. Please use our online service to access the data. ## IOC - Indicator of Compromise @@ -34,6 +37,7 @@ ID | Technique | Weakness | Description | Confidence -- | --------- | -------- | ----------- | ---------- 1 | T1059.007 | CWE-79 | Cross Site Scripting | High 2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High +3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High ## IOA - Indicator of Attack 
@@ -42,11 +46,11 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic ID | Type | Indicator | Confidence -- | ---- | --------- | ---------- 1 | File | `.procmailrc` | Medium -2 | File | `/uncpath/` | Medium -3 | File | `base/ErrorHandler.php` | High +2 | File | `/cgi-bin/wapopen` | High +3 | File | `/it-IT/splunkd/__raw/services/get_snapshot` | High 4 | ... | ... | ... -There are 3 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 23 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References diff --git a/actors/Wocao/README.md b/actors/Wocao/README.md index 1ca6db4d..c388a1cd 100644 --- a/actors/Wocao/README.md +++ b/actors/Wocao/README.md @@ -16,10 +16,10 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce * [US](https://vuldb.com/?country.us) * [RU](https://vuldb.com/?country.ru) -* [DE](https://vuldb.com/?country.de) +* [IL](https://vuldb.com/?country.il) * ... -There are 6 more country items available. Please use our online service to access the data. +There are 7 more country items available. Please use our online service to access the data. ## IOC - Indicator of Compromise @@ -45,7 +45,7 @@ ID | Technique | Weakness | Description | Confidence 3 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High 4 | ... | ... | ... | ... -There are 9 more TTP items available. Please use our online service to access the data. +There are 8 more TTP items available. Please use our online service to access the data. ## IOA - Indicator of Attack 
@@ -53,44 +53,47 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic ID | Type | Indicator | Confidence -- | ---- | --------- | ---------- -1 | File | `/.htaccess` | Medium -2 | File | `/admin.php/admin/art/data.html` | High -3 | File | `/admin.php/admin/ulog/index.html` | High -4 | File | `/admin.php/admin/vod/data.html` | High -5 | File | `/admin/goods/update` | High -6 | File | `/admin/login.php` | High -7 | File | `/admin/templates/template_manage.php` | High -8 | File | `/api/eventinstance` | High -9 | File | `/api /v3/auth` | High -10 | File | `/blog/blog.php` | High -11 | File | `/cgi-bin/uploadAccessCodePic` | High -12 | File | `/cloud_config/router_post/check_reset_pwd_verify_code` | High -13 | File | `/cloud_config/router_post/upgrade_info` | High -14 | File | `/cwms/admin/?page=articles/view_article/` | High -15 | File | `/cwms/classes/Master.php?f=save_contact` | High -16 | File | `/data/sqldata` | High -17 | File | `/DataPackageTable` | High -18 | File | `/download/` | Medium -19 | File | `/etc/puppetlabs/puppetserver/conf.d/ca.conf` | High -20 | File | `/etc/zarafa/license` | High -21 | File | `/factor/avx-ecm/vecarith52.c` | High -22 | File | `/goform/delAd` | High -23 | File | `/goform/form2Reboot.cgi` | High -24 | File | `/goform/login_process` | High -25 | File | `/goform/SetLanInfo` | High -26 | File | `/i/:data/ipa.plist` | High -27 | File | `/include/make.php` | High -28 | File | `/jpg/image.jpg` | High -29 | File | `/login` | Low -30 | File | `/nova/bin/traceroute` | High -31 | File | `/one_church/churchprofile.php` | High -32 | File | `/one_church/userregister.php` | High -33 | File | `/php/ajax.php` | High -34 | File | `/plesk-site-preview/` | High -35 | File | `/public/admin/index.php?add_product` | High -36 | ... | ... | ... 
+1 | File | `/admin.php/admin/art/data.html` | High +2 | File | `/admin.php/admin/vod/data.html` | High +3 | File | `/admin.php?id=siteoptions&social=edit&sid=2` | High +4 | File | `/admin.php?r=admin/AdminBackup/del` | High +5 | File | `/admin/edit.php` | High +6 | File | `/admin/goods/update` | High +7 | File | `/admin/inbox.php&action=delete` | High +8 | File | `/admin/inbox.php&action=read` | High +9 | File | `/admin/pagerole.php&action=edit` | High +10 | File | `/admin/posts.php` | High +11 | File | `/admin/posts.php&action=delete` | High +12 | File | `/admin/siteoptions.php&action=displaygoal&value=1&roleid=1` | High +13 | File | `/admin/siteoptions.php&social=remove&sid=2` | High +14 | File | `/admin/uesrs.php&&action=delete&userid=4` | High +15 | File | `/admin/uesrs.php&action=display&value=Hide` | High +16 | File | `/admin/uesrs.php&action=display&value=Show` | High +17 | File | `/admin/uesrs.php&action=type&userrole=User` | High +18 | File | `/administrator/alerts/alertLightbox.php` | High +19 | File | `/api/eventinstance` | High +20 | File | `/api /v3/auth` | High +21 | File | `/appliance/users?action=edit` | High +22 | File | `/apps/acs-commons/content/page-compare.html` | High +23 | File | `/blog/blog.php` | High +24 | File | `/cdsms/classes/Master.php?f=delete_package` | High +25 | File | `/cmd?cmd=connect` | High +26 | File | `/cwms/admin/?page=articles/view_article/` | High +27 | File | `/cwms/classes/Master.php?f=save_contact` | High +28 | File | `/etc/puppetlabs/puppetserver/conf.d/ca.conf` | High +29 | File | `/etc/zarafa/license` | High +30 | File | `/goform/login_process` | High +31 | File | `/hocms/classes/Master.php?f=delete_member` | High +32 | File | `/hocms/classes/Master.php?f=delete_phase` | High +33 | File | `/include/make.php` | High +34 | File | `/index.php?m=admin&c=custom&a=plugindelhandle` | High +35 | File | `/jpg/image.jpg` | High +36 | File | `/login` | Low +37 | File | `/manager/files` | High +38 | File | 
`/module/api.php?mobile/wapNasIPS` | High +39 | ... | ... | ... -There are 304 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 340 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References diff --git a/actors/Xcnfe/README.md b/actors/Xcnfe/README.md index 85fdc60c..4ea49beb 100644 --- a/actors/Xcnfe/README.md +++ b/actors/Xcnfe/README.md @@ -13,14 +13,17 @@ ID | IP address | Hostname | Campaign | Confidence 1 | [8.249.221.254](https://vuldb.com/?ip.8.249.221.254) | - | - | High 2 | [8.249.225.254](https://vuldb.com/?ip.8.249.225.254) | - | - | High 3 | [72.21.81.240](https://vuldb.com/?ip.72.21.81.240) | - | - | High -4 | ... | ... | ... | ... +4 | [104.20.208.21](https://vuldb.com/?ip.104.20.208.21) | - | - | High +5 | ... | ... | ... | ... -There are 11 more IOC items available. Please use our online service to access the data. +There are 15 more IOC items available. Please use our online service to access the data. ## References The following list contains _external sources_ which discuss the actor and the associated activities: +* https://blog.talosintelligence.com/2019/07/threat-roundup-for-0705-0712.html +* https://blog.talosintelligence.com/2019/08/threat-roundup-0816-0823.html * https://blog.talosintelligence.com/2021/05/threat-roundup-0430-0507.html ## Literature diff --git a/actors/Zebra2104/README.md b/actors/Zebra2104/README.md index 04d6c557..38fe7a93 100644 --- a/actors/Zebra2104/README.md +++ b/actors/Zebra2104/README.md 
@@ -9,8 +9,8 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Zebra2104: * [CF](https://vuldb.com/?country.cf) -* [CN](https://vuldb.com/?country.cn) * [US](https://vuldb.com/?country.us) +* [CN](https://vuldb.com/?country.cn) * ... There are 3 more country items available. Please use our online service to access the data. diff --git a/actors/Zegost/README.md b/actors/Zegost/README.md index 4f7e3aeb..8ae552ce 100644 --- a/actors/Zegost/README.md +++ b/actors/Zegost/README.md @@ -43,7 +43,7 @@ ID | IP address | Hostname | Campaign | Confidence 20 | [50.63.202.73](https://vuldb.com/?ip.50.63.202.73) | ip-50-63-202-73.ip.secureserver.net | - | High 21 | ... | ... | ... | ... -There are 80 more IOC items available. Please use our online service to access the data. +There are 81 more IOC items available. Please use our online service to access the data. ## TTP - Tactics, Techniques, Procedures 
@@ -70,52 +70,51 @@ ID | Type | Indicator | Confidence 4 | File | `/admin/default.asp` | High 5 | File | `/ajax/networking/get_netcfg.php` | High 6 | File | `/assets/ctx` | Medium -7 | File | `/cgi-bin/supervisor/PwdGrp.cgi` | High -8 | File | `/checkLogin.cgi` | High -9 | File | `/cms/print.php` | High -10 | File | `/concat?/%2557EB-INF/web.xml` | High -11 | File | `/data/remove` | Medium -12 | File | `/etc/ajenti/config.yml` | High -13 | File | `/etc/passwd` | Medium -14 | File | `/goform/telnet` | High -15 | File | `/login` | Low -16 | File | `/modules/profile/index.php` | High -17 | File | `/navigate/navigate_download.php` | High -18 | File | `/owa/auth/logon.aspx` | High -19 | File | `/p` | Low -20 | File | `/password.html` | High -21 | File | `/proc/ioports` | High -22 | File | `/property-list/property_view.php` | High -23 | File | `/ptms/classes/Users.php` | High -24 | File | `/rest` | Low -25 | File | `/rest/api/2/search` | High -26 | File | `/s/` | Low -27 | File | `/scripts/cpan_config` | High -28 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High -29 | File | `/services/system/setup.json` | High -30 | File | `/uncpath/` | Medium -31 | File | `/webconsole/APIController` | High -32 | File | `/websocket/exec` | High -33 | File | `/wp-admin/admin-ajax.php` | High -34 | File | `/wp-json` | Medium -35 | File | `/wp-json/oembed/1.0/embed?url` | High -36 | File | `/_next` | Low -37 | File | `4.edu.php\conn\function.php` | High -38 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High -39 | File | `adclick.php` | Medium -40 | File | `addentry.php` | Medium -41 | File | `add_comment.php` | High -42 | File | `admin/admin.php` | High -43 | File | `admin/category.inc.php` | High -44 | File | `admin/conf_users_edit.php` | High -45 | File | `admin/dl_sendmail.php` | High -46 | File | `admin/index.php` | High -47 | File | `admin/index.php?id=users/action=edit/user_id=1` | High -48 | File | `admin/password_forgotten.php` | High -49 | File | 
`admin/versions.html` | High -50 | ... | ... | ... +7 | File | `/cgi-bin/login_action.cgi` | High +8 | File | `/cgi-bin/supervisor/PwdGrp.cgi` | High +9 | File | `/checkLogin.cgi` | High +10 | File | `/cms/print.php` | High +11 | File | `/concat?/%2557EB-INF/web.xml` | High +12 | File | `/data/remove` | Medium +13 | File | `/etc/ajenti/config.yml` | High +14 | File | `/etc/passwd` | Medium +15 | File | `/goform/telnet` | High +16 | File | `/login` | Low +17 | File | `/modules/profile/index.php` | High +18 | File | `/navigate/navigate_download.php` | High +19 | File | `/out.php` | Medium +20 | File | `/owa/auth/logon.aspx` | High +21 | File | `/p` | Low +22 | File | `/password.html` | High +23 | File | `/proc/ioports` | High +24 | File | `/property-list/property_view.php` | High +25 | File | `/ptms/classes/Users.php` | High +26 | File | `/rest` | Low +27 | File | `/rest/api/2/search` | High +28 | File | `/rom-0` | Low +29 | File | `/s/` | Low +30 | File | `/scripts/cpan_config` | High +31 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High +32 | File | `/services/system/setup.json` | High +33 | File | `/uncpath/` | Medium +34 | File | `/webconsole/APIController` | High +35 | File | `/websocket/exec` | High +36 | File | `/wp-admin/admin-ajax.php` | High +37 | File | `/wp-json` | Medium +38 | File | `/wp-json/oembed/1.0/embed?url` | High +39 | File | `/_next` | Low +40 | File | `4.edu.php\conn\function.php` | High +41 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High +42 | File | `adclick.php` | Medium +43 | File | `addentry.php` | Medium +44 | File | `admin/admin.php` | High +45 | File | `admin/category.inc.php` | High +46 | File | `admin/conf_users_edit.php` | High +47 | File | `admin/dl_sendmail.php` | High +48 | File | `admin/index.php` | High +49 | ... | ... | ... -There are 432 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. 
+There are 424 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References @@ -138,6 +137,7 @@ The following list contains _external sources_ which discuss the actor and the a * https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html * https://blog.talosintelligence.com/2022/04/threat-roundup-0325-0401.html * https://blog.talosintelligence.com/2022/04/threat-roundup-0401-0408.html +* https://blog.talosintelligence.com/2022/04/threat-roundup-0415-0422.html ## Literature diff --git a/actors/xHunt/README.md b/actors/xHunt/README.md index b343dc4a..936db3a7 100644 --- a/actors/xHunt/README.md +++ b/actors/xHunt/README.md @@ -49,7 +49,7 @@ ID | Technique | Weakness | Description | Confidence 3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High 4 | ... | ... | ... | ... -There are 8 more TTP items available. Please use our online service to access the data. +There are 7 more TTP items available. Please use our online service to access the data. ## IOA - Indicator of Attack @@ -81,9 +81,9 @@ ID | Type | Indicator | Confidence 22 | File | `/new` | Low 23 | File | `/public/plugins/` | High 24 | File | `/sbin/gs_config` | High -25 | File | `/Storage/Emulated/0/Telegram/Telegram` | High -26 | File | `/uncpath/` | Medium -27 | File | `/Upload/admin/index.php?module=forum-management&action=add` | High +25 | File | `/secure/QueryComponent!Default.jspa` | High +26 | File | `/Storage/Emulated/0/Telegram/Telegram` | High +27 | File | `/uncpath/` | Medium 28 | File | `/uploads/dede` | High 29 | File | `/usr/bin/pkexec` | High 30 | File | `/usr/sbin/nagios` | High 
@@ -101,8 +101,7 @@ ID | Type | Indicator | Confidence 42 | File | `admin/bitrix.xscan_worker.php` | High 43 | File | `admin/conf_users_edit.php` | High 44 | File | `admin/mcart_xls_import.php` | High -45 | File | `admin/ops/reports/ops/news.php` | High -46 | ... | ... | ... +45 | ... | ... | ... There are 394 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. diff --git a/campaigns/Afghanistan and India/README.md b/campaigns/Afghanistan and India/README.md index eba499e9..ac7bf6fe 100644 --- a/campaigns/Afghanistan and India/README.md +++ b/campaigns/Afghanistan and India/README.md @@ -8,6 +8,7 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Afghanistan and India: +* [FR](https://vuldb.com/?country.fr) * [ES](https://vuldb.com/?country.es) * [US](https://vuldb.com/?country.us) diff --git a/campaigns/Anchor/README.md b/campaigns/Anchor/README.md new file mode 100644 index 00000000..9ca24122 --- /dev/null +++ b/campaigns/Anchor/README.md 
@@ -0,0 +1,83 @@ +# Anchor - Cyber Threat Intelligence + +These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Anchor_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics. + +_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor) + +## Countries + +These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Anchor: + +* [US](https://vuldb.com/?country.us) +* [RU](https://vuldb.com/?country.ru) +* [CN](https://vuldb.com/?country.cn) +* ... + +There are 1 more country items available. Please use our online service to access the data. + +## Actors + +These _actors_ are associated with Anchor or other actors linked to the campaign. + +ID | Actor | Confidence +-- | ----- | ---------- +1 | [TrickBot](https://vuldb.com/?actor.trickbot) | High +2 | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High + +## IOC - Indicator of Compromise + +These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Anchor. 
+ +ID | IP address | Hostname | Actor | Confidence +-- | ---------- | -------- | ----- | ---------- +1 | [23.94.51.80](https://vuldb.com/?ip.23.94.51.80) | 23-94-51-80-host.colocrossing.com | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High +2 | [34.210.71.206](https://vuldb.com/?ip.34.210.71.206) | ec2-34-210-71-206.us-west-2.compute.amazonaws.com | [BazarLoader](https://vuldb.com/?actor.bazarloader) | Medium +3 | [54.176.158.165](https://vuldb.com/?ip.54.176.158.165) | ec2-54-176-158-165.us-west-1.compute.amazonaws.com | [BazarLoader](https://vuldb.com/?actor.bazarloader) | Medium +4 | ... | ... | ... | ... + +There are 6 more IOC items available. Please use our online service to access the data. + +## TTP - Tactics, Techniques, Procedures + +_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used within Anchor. This data is unique as it uses our predictive model for actor profiling. + +ID | Technique | Weakness | Description | Confidence +-- | --------- | -------- | ----------- | ---------- +1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High +2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High +3 | T1211 | CWE-254 | 7PK Security Features | High +4 | ... | ... | ... | ... + +There are 2 more TTP items available. Please use our online service to access the data. + +## IOA - Indicator of Attack + +These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Anchor. This data is unique as it uses our predictive model for actor profiling. + +ID | Type | Indicator | Confidence +-- | ---- | --------- | ---------- +1 | File | `/+CSCOE+/logon.html` | High +2 | File | `/forum/away.php` | High +3 | File | `add_comment.php` | High +4 | File | `comment_add.asp` | High +5 | ... | ... | ... 
+ +There are 28 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. + +## References + +The following list contains _external sources_ which discuss the campaign and the associated activities: + +* https://securityintelligence.com/posts/new-malware-trickbot-anchordns-backdoor-upgrades-anchormail/ +* https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/ + +## Literature + +The following _articles_ explain our unique predictive cyber threat intelligence: + +* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti) +* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022) + +## License + +(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)! diff --git a/campaigns/AppleSeed/README.md b/campaigns/AppleSeed/README.md index c963f88a..a098cb6c 100644 --- a/campaigns/AppleSeed/README.md +++ b/campaigns/AppleSeed/README.md @@ -69,7 +69,7 @@ ID | Type | Indicator | Confidence 12 | File | `/SASWebReportStudio/logonAndRender.do` | High 13 | ... | ... | ... -There are 99 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 103 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References diff --git a/campaigns/BLINDINGCAN/README.md b/campaigns/BLINDINGCAN/README.md index b84848ce..880be7d8 100644 --- a/campaigns/BLINDINGCAN/README.md +++ b/campaigns/BLINDINGCAN/README.md 
@@ -66,7 +66,7 @@ ID | Type | Indicator | Confidence 9 | File | `admin/google_search_console/class-gsc-table.php` | High 10 | ... | ... | ... -There are 73 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 74 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References diff --git a/campaigns/BazarLoader/README.md b/campaigns/BazarLoader/README.md new file mode 100644 index 00000000..2c97e252 --- /dev/null +++ b/campaigns/BazarLoader/README.md 
@@ -0,0 +1,117 @@ +# BazarLoader - Cyber Threat Intelligence + +These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _BazarLoader_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics. + +_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor) + +## Countries + +These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with BazarLoader: + +* [US](https://vuldb.com/?country.us) +* [CN](https://vuldb.com/?country.cn) +* [RU](https://vuldb.com/?country.ru) +* ... + +There are 1 more country items available. Please use our online service to access the data. + +## Actors + +These _actors_ are associated with BazarLoader or other actors linked to the campaign. + +ID | Actor | Confidence +-- | ----- | ---------- +1 | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High +2 | [Conti](https://vuldb.com/?actor.conti) | High + +## IOC - Indicator of Compromise + +These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of BazarLoader. 
+ +ID | IP address | Hostname | Actor | Confidence +-- | ---------- | -------- | ----- | ---------- +1 | [3.101.57.185](https://vuldb.com/?ip.3.101.57.185) | ec2-3-101-57-185.us-west-1.compute.amazonaws.com | [BazarLoader](https://vuldb.com/?actor.bazarloader) | Medium +2 | [13.56.161.214](https://vuldb.com/?ip.13.56.161.214) | ec2-13-56-161-214.us-west-1.compute.amazonaws.com | [Conti](https://vuldb.com/?actor.conti) | Medium +3 | [13.225.230.232](https://vuldb.com/?ip.13.225.230.232) | server-13-225-230-232.jfk51.r.cloudfront.net | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High +4 | [13.226.32.216](https://vuldb.com/?ip.13.226.32.216) | server-13-226-32-216.ewr53.r.cloudfront.net | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High +5 | [18.67.60.164](https://vuldb.com/?ip.18.67.60.164) | server-18-67-60-164.iad89.r.cloudfront.net | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High +6 | [23.56.10.219](https://vuldb.com/?ip.23.56.10.219) | a23-56-10-219.deploy.static.akamaitechnologies.com | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High +7 | [23.62.25.178](https://vuldb.com/?ip.23.62.25.178) | a23-62-25-178.deploy.static.akamaitechnologies.com | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High +8 | [23.82.19.173](https://vuldb.com/?ip.23.82.19.173) | - | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High +9 | [23.94.51.80](https://vuldb.com/?ip.23.94.51.80) | 23-94-51-80-host.colocrossing.com | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High +10 | [23.95.238.122](https://vuldb.com/?ip.23.95.238.122) | 23-95-238-122-host.colocrossing.com | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High +11 | [23.106.160.77](https://vuldb.com/?ip.23.106.160.77) | - | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High +12 | [23.106.215.61](https://vuldb.com/?ip.23.106.215.61) | - | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High +13 | 
[23.106.223.174](https://vuldb.com/?ip.23.106.223.174) | - | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High +14 | [23.152.0.22](https://vuldb.com/?ip.23.152.0.22) | anahiem.net | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High +15 | [23.160.193.217](https://vuldb.com/?ip.23.160.193.217) | unknown.ip-xfer.net | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High +16 | [23.193.217.119](https://vuldb.com/?ip.23.193.217.119) | a23-193-217-119.deploy.static.akamaitechnologies.com | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High +17 | [31.14.40.160](https://vuldb.com/?ip.31.14.40.160) | perico.cavepanel.com | [Conti](https://vuldb.com/?actor.conti) | High +18 | [31.171.251.118](https://vuldb.com/?ip.31.171.251.118) | ch.ns.mon0.li | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High +19 | [31.214.240.203](https://vuldb.com/?ip.31.214.240.203) | - | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High +20 | [34.209.40.84](https://vuldb.com/?ip.34.209.40.84) | ec2-34-209-40-84.us-west-2.compute.amazonaws.com | [BazarLoader](https://vuldb.com/?actor.bazarloader) | Medium +21 | [34.210.71.206](https://vuldb.com/?ip.34.210.71.206) | ec2-34-210-71-206.us-west-2.compute.amazonaws.com | [BazarLoader](https://vuldb.com/?actor.bazarloader) | Medium +22 | [34.219.130.241](https://vuldb.com/?ip.34.219.130.241) | ec2-34-219-130-241.us-west-2.compute.amazonaws.com | [Conti](https://vuldb.com/?actor.conti) | Medium +23 | [34.221.188.35](https://vuldb.com/?ip.34.221.188.35) | ec2-34-221-188-35.us-west-2.compute.amazonaws.com | [BazarLoader](https://vuldb.com/?actor.bazarloader) | Medium +24 | ... | ... | ... | ... + +There are 91 more IOC items available. Please use our online service to access the data. + +## TTP - Tactics, Techniques, Procedures + +_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used within BazarLoader. 
This data is unique as it uses our predictive model for actor profiling. + +ID | Technique | Weakness | Description | Confidence +-- | --------- | -------- | ----------- | ---------- +1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High +2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High +3 | T1552 | CWE-319, CWE-522 | Unprotected Storage of Credentials | High +4 | ... | ... | ... | ... + +There are 1 more TTP items available. Please use our online service to access the data. + +## IOA - Indicator of Attack + +These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during BazarLoader. This data is unique as it uses our predictive model for actor profiling. + +ID | Type | Indicator | Confidence +-- | ---- | --------- | ---------- +1 | File | `/api` | Low +2 | File | `/include/makecvs.php` | High +3 | File | `/PluXml/core/admin/parametres_edittpl.php` | High +4 | File | `/usr/local/psa/admin/sbin/wrapper` | High +5 | File | `add.php` | Low +6 | File | `admin/admin.shtml` | High +7 | File | `cat.asp` | Low +8 | File | `class.phpmailer.php` | High +9 | ... | ... | ... + +There are 66 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. 
+ +## References + +The following list contains _external sources_ which discuss the campaign and the associated activities: + +* https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html +* https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html +* https://blog.talosintelligence.com/2022/03/threat-roundup-0311-0318.html +* https://isc.sans.edu/forums/diary/April+2021+Forensic+Quiz+Answers+and+Analysis/27308/ +* https://isc.sans.edu/forums/diary/Stolen+Images+Evidence+Campaign+Continues+Pushing+BazarLoader+Malware/27816/ +* https://isc.sans.edu/forums/diary/TA551+Shathak+continues+pushing+BazarLoader+infections+lead+to+Cobalt+Strike/27738/ +* https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/ +* https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/ +* https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/ +* https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/ +* https://thedfirreport.com/2021/12/13/diavol-ransomware/ +* https://twitter.com/_pr4gma/status/1347617681197961225 + +## Literature + +The following _articles_ explain our unique predictive cyber threat intelligence: + +* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti) +* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022) + +## License + +(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)! diff --git a/campaigns/BumbleBee/README.md b/campaigns/BumbleBee/README.md index aecb5129..ed1f5560 100644 --- a/campaigns/BumbleBee/README.md +++ b/campaigns/BumbleBee/README.md 
@@ -70,43 +70,43 @@ ID | Type | Indicator | Confidence 8 | File | `/admin/modules/system/custom_field.php` | High 9 | File | `/api/crontab` | Medium 10 | File | `/app1/admin#foo` | High -11 | File | `/articles/welcome-to-your-site#comments-head` | High -12 | File | `/assets/ctx` | Medium -13 | File | `/bin/boa` | Medium -14 | File | `/cgi-bin/wapopen` | High -15 | File | `/cgi-mod/lookup.cgi` | High -16 | File | `/cgi?1&5` | Medium -17 | File | `/config/getuser` | High -18 | File | `/debug/pprof` | Medium -19 | File | `/export` | Low -20 | File | `/forum/away.php` | High -21 | File | `/gracemedia-media-player/templates/files/ajax_controller.php` | High -22 | File | `/iissamples` | Medium -23 | File | `/interface/main/backup.php` | High -24 | File | `/new` | Low -25 | File | `/public/plugins/` | High -26 | File | `/sbin/gs_config` | High -27 | File | `/Storage/Emulated/0/Telegram/Telegram` | High -28 | File | `/uncpath/` | Medium -29 | File | `/Upload/admin/index.php?module=forum-management&action=add` | High -30 | File | `/uploads/dede` | High -31 | File | `/usr/bin/pkexec` | High -32 | File | `/usr/sbin/nagios` | High -33 | File | `/usr/sbin/suexec` | High -34 | File | `/WEB-INF/web.xml` | High -35 | File | `/webman/info.cgi` | High -36 | File | `/wp-admin/admin-ajax.php` | High -37 | File | `/wp-json/oembed/1.0/embed?url` | High -38 | File | `/wp-json/wc/v3/webhooks` | High -39 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High -40 | File | `admin.php?m=admin&c=site&a=save` | High -41 | File | `admin.php?page=languages` | High -42 | File | `admin/admin_users.php` | High -43 | File | `admin/bitrix.mpbuilder_step2.php` | High -44 | File | `admin/bitrix.xscan_worker.php` | High +11 | File | `/bin/boa` | Medium +12 | File | `/cgi-bin/wapopen` | High +13 | File | `/cgi-mod/lookup.cgi` | High +14 | File | `/cgi?1&5` | Medium +15 | File | `/config/getuser` | High +16 | File | `/debug/pprof` | Medium +17 | File | `/export` | Low +18 | File | `/forum/away.php` 
| High +19 | File | `/gracemedia-media-player/templates/files/ajax_controller.php` | High +20 | File | `/iissamples` | Medium +21 | File | `/interface/main/backup.php` | High +22 | File | `/new` | Low +23 | File | `/public/plugins/` | High +24 | File | `/sbin/gs_config` | High +25 | File | `/secure/QueryComponent!Default.jspa` | High +26 | File | `/Storage/Emulated/0/Telegram/Telegram` | High +27 | File | `/uncpath/` | Medium +28 | File | `/uploads/dede` | High +29 | File | `/usr/bin/pkexec` | High +30 | File | `/usr/sbin/nagios` | High +31 | File | `/usr/sbin/suexec` | High +32 | File | `/WEB-INF/web.xml` | High +33 | File | `/webman/info.cgi` | High +34 | File | `/wp-admin/admin-ajax.php` | High +35 | File | `/wp-json/oembed/1.0/embed?url` | High +36 | File | `/wp-json/wc/v3/webhooks` | High +37 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High +38 | File | `admin.php?m=admin&c=site&a=save` | High +39 | File | `admin.php?page=languages` | High +40 | File | `admin/admin_users.php` | High +41 | File | `admin/bitrix.mpbuilder_step2.php` | High +42 | File | `admin/bitrix.xscan_worker.php` | High +43 | File | `admin/conf_users_edit.php` | High +44 | File | `admin/mcart_xls_import.php` | High 45 | ... | ... | ... -There are 391 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 388 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References diff --git a/campaigns/COVID-19/README.md b/campaigns/COVID-19/README.md index 14d5e415..81be7bc6 100644 --- a/campaigns/COVID-19/README.md +++ b/campaigns/COVID-19/README.md 
@@ -8,9 +8,9 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with COVID-19: -* [US](https://vuldb.com/?country.us) -* [CN](https://vuldb.com/?country.cn) * [VN](https://vuldb.com/?country.vn) +* [CN](https://vuldb.com/?country.cn) +* [LA](https://vuldb.com/?country.la) * ... There are 4 more country items available. Please use our online service to access the data. 
@@ -34,12 +34,116 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi ID | IP address | Hostname | Actor | Confidence -- | ---------- | -------- | ----- | ---------- -1 | [45.123.190.167](https://vuldb.com/?ip.45.123.190.167) | - | [APT29](https://vuldb.com/?actor.apt29) | High -2 | [45.129.229.48](https://vuldb.com/?ip.45.129.229.48) | - | [APT29](https://vuldb.com/?actor.apt29) | High -3 | [46.101.202.66](https://vuldb.com/?ip.46.101.202.66) | grafana.jagu.dev | [Transparent Tribe](https://vuldb.com/?actor.transparent_tribe) | High -4 | ... | ... | ... | ... +1 | [2.47.112.152](https://vuldb.com/?ip.2.47.112.152) | net-2-47-112-152.cust.vodafonedsl.it | [Unknown](https://vuldb.com/?actor.unknown) | High +2 | [2.56.214.178](https://vuldb.com/?ip.2.56.214.178) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +3 | [5.75.75.75](https://vuldb.com/?ip.5.75.75.75) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +4 | [5.101.0.209](https://vuldb.com/?ip.5.101.0.209) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +5 | [5.157.87.204](https://vuldb.com/?ip.5.157.87.204) | redirect.yourhosting.nl | [Unknown](https://vuldb.com/?actor.unknown) | High +6 | [5.181.156.14](https://vuldb.com/?ip.5.181.156.14) | no-rdns.mivocloud.com | [Unknown](https://vuldb.com/?actor.unknown) | High +7 | [5.182.210.2](https://vuldb.com/?ip.5.182.210.2) | server30.flaunt7.com | [Unknown](https://vuldb.com/?actor.unknown) | High +8 | [5.182.210.84](https://vuldb.com/?ip.5.182.210.84) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +9 | [5.188.60.131](https://vuldb.com/?ip.5.188.60.131) | sk.s5.ans1.ns148.ztomy.com | [Unknown](https://vuldb.com/?actor.unknown) | High +10 | [5.189.132.254](https://vuldb.com/?ip.5.189.132.254) | vmi429632.contaboserver.net | [Unknown](https://vuldb.com/?actor.unknown) | High +11 | [5.255.96.187](https://vuldb.com/?ip.5.255.96.187) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +12 | 
[8.208.15.85](https://vuldb.com/?ip.8.208.15.85) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +13 | [8.208.78.192](https://vuldb.com/?ip.8.208.78.192) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +14 | [8.209.69.101](https://vuldb.com/?ip.8.209.69.101) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +15 | [8.209.70.110](https://vuldb.com/?ip.8.209.70.110) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +16 | [8.250.169.254](https://vuldb.com/?ip.8.250.169.254) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +17 | [8.250.183.254](https://vuldb.com/?ip.8.250.183.254) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +18 | [8.251.5.254](https://vuldb.com/?ip.8.251.5.254) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +19 | [8.251.15.254](https://vuldb.com/?ip.8.251.15.254) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +20 | [8.251.31.254](https://vuldb.com/?ip.8.251.31.254) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +21 | [12.162.84.2](https://vuldb.com/?ip.12.162.84.2) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +22 | [14.161.6.60](https://vuldb.com/?ip.14.161.6.60) | static.vnpt.vn | [Unknown](https://vuldb.com/?actor.unknown) | High +23 | [23.19.227.235](https://vuldb.com/?ip.23.19.227.235) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +24 | [23.227.38.64](https://vuldb.com/?ip.23.227.38.64) | shops.myshopify.com | [Unknown](https://vuldb.com/?actor.unknown) | High +25 | [23.254.215.229](https://vuldb.com/?ip.23.254.215.229) | hwsrv-869108.hostwindsdns.com | [Unknown](https://vuldb.com/?actor.unknown) | High +26 | [24.94.237.248](https://vuldb.com/?ip.24.94.237.248) | cpe-24-94-237-248.sw.res.rr.com | [Unknown](https://vuldb.com/?actor.unknown) | High +27 | [24.196.13.216](https://vuldb.com/?ip.24.196.13.216) | 024-196-013-216.res.spectrum.com | [Unknown](https://vuldb.com/?actor.unknown) | High +28 | 
[24.247.182.167](https://vuldb.com/?ip.24.247.182.167) | 024-247-182-167.res.spectrum.com | [Unknown](https://vuldb.com/?actor.unknown) | High +29 | [24.247.182.240](https://vuldb.com/?ip.24.247.182.240) | 024-247-182-240.res.spectrum.com | [Unknown](https://vuldb.com/?actor.unknown) | High +30 | [31.31.77.83](https://vuldb.com/?ip.31.31.77.83) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +31 | [31.146.61.34](https://vuldb.com/?ip.31.146.61.34) | 31-146-61-34.dsl.utg.ge | [Unknown](https://vuldb.com/?actor.unknown) | High +32 | [31.202.128.80](https://vuldb.com/?ip.31.202.128.80) | 31-202-128-80-kh.maxnet.ua | [Unknown](https://vuldb.com/?actor.unknown) | High +33 | [35.242.251.130](https://vuldb.com/?ip.35.242.251.130) | 130.251.242.35.bc.googleusercontent.com | [Unknown](https://vuldb.com/?actor.unknown) | Medium +34 | [37.1.209.51](https://vuldb.com/?ip.37.1.209.51) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +35 | [37.1.212.70](https://vuldb.com/?ip.37.1.212.70) | surprisefoun.reveltip.com | [Unknown](https://vuldb.com/?actor.unknown) | High +36 | [37.1.221.65](https://vuldb.com/?ip.37.1.221.65) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +37 | [37.49.226.13](https://vuldb.com/?ip.37.49.226.13) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +38 | [37.49.226.21](https://vuldb.com/?ip.37.49.226.21) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +39 | [37.49.226.142](https://vuldb.com/?ip.37.49.226.142) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +40 | [37.49.226.182](https://vuldb.com/?ip.37.49.226.182) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +41 | [37.70.131.107](https://vuldb.com/?ip.37.70.131.107) | 107.131.70.37.rev.sfr.net | [Unknown](https://vuldb.com/?actor.unknown) | High +42 | [37.152.88.55](https://vuldb.com/?ip.37.152.88.55) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +43 | [37.208.106.146](https://vuldb.com/?ip.37.208.106.146) | mail.joerrens.com | 
[Unknown](https://vuldb.com/?actor.unknown) | High +44 | [38.132.124.233](https://vuldb.com/?ip.38.132.124.233) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +45 | [41.60.200.34](https://vuldb.com/?ip.41.60.200.34) | 41.60.200.34.liquidtelecom.net | [Unknown](https://vuldb.com/?actor.unknown) | High +46 | [41.185.29.128](https://vuldb.com/?ip.41.185.29.128) | abp79-nix01.wadns.net | [Unknown](https://vuldb.com/?actor.unknown) | High +47 | [41.221.164.77](https://vuldb.com/?ip.41.221.164.77) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +48 | [42.51.192.231](https://vuldb.com/?ip.42.51.192.231) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +49 | [45.55.49.33](https://vuldb.com/?ip.45.55.49.33) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +50 | [45.55.179.121](https://vuldb.com/?ip.45.55.179.121) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +51 | [45.56.64.36](https://vuldb.com/?ip.45.56.64.36) | li914-36.members.linode.com | [Unknown](https://vuldb.com/?actor.unknown) | High +52 | [45.76.218.232](https://vuldb.com/?ip.45.76.218.232) | 45.76.218.232.vultrusercontent.com | [Unknown](https://vuldb.com/?actor.unknown) | High +53 | [45.81.226.17](https://vuldb.com/?ip.45.81.226.17) | vm3471381.43ssd.had.wf | [Unknown](https://vuldb.com/?actor.unknown) | High +54 | [45.95.168.85](https://vuldb.com/?ip.45.95.168.85) | maxko-hosting.com | [Unknown](https://vuldb.com/?actor.unknown) | High +55 | [45.95.168.98](https://vuldb.com/?ip.45.95.168.98) | maxko-hosting.com | [Unknown](https://vuldb.com/?actor.unknown) | High +56 | [45.118.136.92](https://vuldb.com/?ip.45.118.136.92) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +57 | [45.123.190.167](https://vuldb.com/?ip.45.123.190.167) | - | [APT29](https://vuldb.com/?actor.apt29) | High +58 | [45.128.132.55](https://vuldb.com/?ip.45.128.132.55) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +59 | [45.128.134.14](https://vuldb.com/?ip.45.128.134.14) | - 
| [Unknown](https://vuldb.com/?actor.unknown) | High +60 | [45.128.134.20](https://vuldb.com/?ip.45.128.134.20) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +61 | [45.129.229.48](https://vuldb.com/?ip.45.129.229.48) | - | [APT29](https://vuldb.com/?actor.apt29) | High +62 | [45.138.72.143](https://vuldb.com/?ip.45.138.72.143) | uziel.example.com | [Unknown](https://vuldb.com/?actor.unknown) | High +63 | [45.138.72.155](https://vuldb.com/?ip.45.138.72.155) | sp200177.example.com | [Unknown](https://vuldb.com/?actor.unknown) | High +64 | [45.142.212.126](https://vuldb.com/?ip.45.142.212.126) | ivan.temporary | [Unknown](https://vuldb.com/?actor.unknown) | High +65 | [45.142.212.192](https://vuldb.com/?ip.45.142.212.192) | blackswan95.example1.com | [Unknown](https://vuldb.com/?actor.unknown) | High +66 | [45.142.212.209](https://vuldb.com/?ip.45.142.212.209) | augenweide.com | [Unknown](https://vuldb.com/?actor.unknown) | High +67 | [45.142.213.59](https://vuldb.com/?ip.45.142.213.59) | vm423520.stark-industries.solutions | [Unknown](https://vuldb.com/?actor.unknown) | High +68 | [45.143.138.47](https://vuldb.com/?ip.45.143.138.47) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +69 | [45.148.120.13](https://vuldb.com/?ip.45.148.120.13) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +70 | [45.148.120.153](https://vuldb.com/?ip.45.148.120.153) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +71 | [45.153.40.105](https://vuldb.com/?ip.45.153.40.105) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +72 | [45.153.184.67](https://vuldb.com/?ip.45.153.184.67) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +73 | [45.161.242.102](https://vuldb.com/?ip.45.161.242.102) | 45-161-242-102.megalink.com.br | [Unknown](https://vuldb.com/?actor.unknown) | High +74 | [46.4.157.37](https://vuldb.com/?ip.46.4.157.37) | static.37.157.4.46.clients.your-server.de | [Unknown](https://vuldb.com/?actor.unknown) | High +75 | 
[46.17.6.116](https://vuldb.com/?ip.46.17.6.116) | 116-6-17-46.static.fxw.nl | [Unknown](https://vuldb.com/?actor.unknown) | High +76 | [46.17.107.65](https://vuldb.com/?ip.46.17.107.65) | ulasiuk21.example.com | [Unknown](https://vuldb.com/?actor.unknown) | High +77 | [46.19.143.155](https://vuldb.com/?ip.46.19.143.155) | growthinside.net | [Unknown](https://vuldb.com/?actor.unknown) | High +78 | [46.20.1.226](https://vuldb.com/?ip.46.20.1.226) | ns1.ceyhunsezer.com | [Unknown](https://vuldb.com/?actor.unknown) | High +79 | [46.28.111.142](https://vuldb.com/?ip.46.28.111.142) | enkindu.jsuchy.net | [Unknown](https://vuldb.com/?actor.unknown) | High +80 | [46.101.202.66](https://vuldb.com/?ip.46.101.202.66) | grafana.jagu.dev | [Transparent Tribe](https://vuldb.com/?actor.transparent_tribe) | High +81 | [46.105.131.87](https://vuldb.com/?ip.46.105.131.87) | pop.adven.fr | [Unknown](https://vuldb.com/?actor.unknown) | High +82 | [46.166.187.223](https://vuldb.com/?ip.46.166.187.223) | . | [Unknown](https://vuldb.com/?actor.unknown) | High +83 | [46.214.11.172](https://vuldb.com/?ip.46.214.11.172) | 46-214-11-172.next-gen.ro | [Unknown](https://vuldb.com/?actor.unknown) | High +84 | [47.150.248.161](https://vuldb.com/?ip.47.150.248.161) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +85 | [50.28.51.143](https://vuldb.com/?ip.50.28.51.143) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +86 | [50.87.253.50](https://vuldb.com/?ip.50.87.253.50) | box2161.bluehost.com | [Unknown](https://vuldb.com/?actor.unknown) | High +87 | [50.116.78.109](https://vuldb.com/?ip.50.116.78.109) | intersearchmedia.com | [Unknown](https://vuldb.com/?actor.unknown) | High +88 | [51.38.93.190](https://vuldb.com/?ip.51.38.93.190) | ip190.ip-51-38-93.eu | [Unknown](https://vuldb.com/?actor.unknown) | High +89 | [51.79.129.4](https://vuldb.com/?ip.51.79.129.4) | ip4.ip-51-79-129.net | [Unknown](https://vuldb.com/?actor.unknown) | High +90 | 
[51.89.73.158](https://vuldb.com/?ip.51.89.73.158) | ip158.ip-51-89-73.eu | [Unknown](https://vuldb.com/?actor.unknown) | High +91 | [51.159.23.217](https://vuldb.com/?ip.51.159.23.217) | jambold.co.uk | [Unknown](https://vuldb.com/?actor.unknown) | High +92 | [51.254.164.244](https://vuldb.com/?ip.51.254.164.244) | y9gs.gaurented.com | [Unknown](https://vuldb.com/?actor.unknown) | High +93 | [51.254.164.245](https://vuldb.com/?ip.51.254.164.245) | ip245.ip-51-254-164.eu | [Unknown](https://vuldb.com/?actor.unknown) | High +94 | [54.39.139.67](https://vuldb.com/?ip.54.39.139.67) | ip67.ip-54-39-139.net | [Unknown](https://vuldb.com/?actor.unknown) | High +95 | [58.171.38.26](https://vuldb.com/?ip.58.171.38.26) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +96 | [58.177.172.160](https://vuldb.com/?ip.58.177.172.160) | 058177172160.ctinets.com | [Unknown](https://vuldb.com/?actor.unknown) | High +97 | [59.20.65.102](https://vuldb.com/?ip.59.20.65.102) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +98 | [59.120.5.154](https://vuldb.com/?ip.59.120.5.154) | 59-120-5-154.hinet-ip.hinet.net | [Unknown](https://vuldb.com/?actor.unknown) | High +99 | [60.130.173.117](https://vuldb.com/?ip.60.130.173.117) | softbank060130173117.bbtec.net | [Unknown](https://vuldb.com/?actor.unknown) | High +100 | [60.250.78.22](https://vuldb.com/?ip.60.250.78.22) | 60-250-78-22.hinet-ip.hinet.net | [Unknown](https://vuldb.com/?actor.unknown) | High +101 | [61.92.159.208](https://vuldb.com/?ip.61.92.159.208) | 061092159208.ctinets.com | [Unknown](https://vuldb.com/?actor.unknown) | High +102 | [63.142.252.21](https://vuldb.com/?ip.63.142.252.21) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +103 | [63.250.38.195](https://vuldb.com/?ip.63.250.38.195) | business61-5.web-hosting.com | [Unknown](https://vuldb.com/?actor.unknown) | High +104 | [63.250.38.240](https://vuldb.com/?ip.63.250.38.240) | anakmas.org | [Unknown](https://vuldb.com/?actor.unknown) | High 
+105 | [63.250.47.83](https://vuldb.com/?ip.63.250.47.83) | - | [Unknown](https://vuldb.com/?actor.unknown) | High +106 | [64.44.51.113](https://vuldb.com/?ip.64.44.51.113) | srv44.pahlmeyer.life | [Unknown](https://vuldb.com/?actor.unknown) | High +107 | [64.188.25.205](https://vuldb.com/?ip.64.188.25.205) | 64.188.25.205.static.quadranet.com | [Unknown](https://vuldb.com/?actor.unknown) | High +108 | ... | ... | ... | ... -There are 9 more IOC items available. Please use our online service to access the data. +There are 426 more IOC items available. Please use our online service to access the data. ## TTP - Tactics, Techniques, Procedures @@ -47,8 +151,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK ID | Technique | Weakness | Description | Confidence -- | --------- | -------- | ----------- | ---------- -1 | T1059.007 | CWE-79 | Cross Site Scripting | High -2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High +1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High +2 | T1068 | CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High +3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High +4 | ... | ... | ... | ... + +There are 8 more TTP items available. Please use our online service to access the data. ## IOA - Indicator of Attack 
@@ -56,16 +164,38 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic ID | Type | Indicator | Confidence -- | ---- | --------- | ---------- -1 | File | `/pages/systemcall.php?command={COMMAND}` | High -2 | File | `/phppath/php` | Medium -3 | File | `/uncpath/` | Medium -4 | File | `/WEB-INF/web.xml` | High -5 | File | `abook_database.php` | High -6 | File | `adclick.php` | Medium -7 | File | `admin/conf_users_edit.php` | High -8 | ... | ... | ... +1 | File | `//` | Low +2 | File | `/admin/index.php?slides` | High +3 | File | `/apply.cgi` | Medium +4 | File | `/config/getuser` | High +5 | File | `/domains/list` | High +6 | File | `/form/index.php?module=getjson` | High +7 | File | `/ghost/preview` | High +8 | File | `/include/chart_generator.php` | High +9 | File | `/nova/bin/detnet` | High +10 | File | `/ptms/classes/Users.php` | High +11 | File | `/public/admin.php` | High +12 | File | `/public/login.htm` | High +13 | File | `/public/login.htm?errormsg=&loginurl=%22%3E%3Csvg%20onload=prompt%28/XSS/%29%3E` | High +14 | File | `/rest/api/latest/user/avatar/temporary` | High +15 | File | `/s/` | Low +16 | File | `/SAP_Information_System/controllers/add_admin.php` | High +17 | File | `/scripts/unlock_tasks.php` | High +18 | File | `/tmp/app/.env` | High +19 | File | `/uncpath/` | Medium +20 | File | `/user-utils/users/md5.json` | High +21 | File | `/userfs/bin/tcapi` | High +22 | File | `/usr/bin/pkexec` | High +23 | File | `/wp-admin/admin-ajax.php` | High +24 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High +25 | File | `500page.jsp` | Medium +26 | File | `accountrecoveryendpoint/recoverpassword.do` | High +27 | File | `admin.php` | Medium +28 | File | `admin/conf_users_edit.php` | High +29 | File | `afr.php` | Low +30 | ... | ... | ... -There are 52 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. 
+There are 253 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References @@ -73,6 +203,7 @@ The following list contains _external sources_ which discuss the campaign and th * https://github.com/blackorbird/APT_REPORT/blob/master/International%20Strategic/Russia/Advisory-APT29-targets-COVID-19-vaccine-development.pdf * https://lab52.io/blog/new-transparentribe-operation-targeting-india-with-weaponized-covid-19-lure-documents/ +* https://loreto.ccn-cert.cni.es/index.php/s/oDcNr5Jqqpd5cjn#editor * https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/ * https://us-cert.cisa.gov/ncas/alerts/aa20-225a diff --git a/campaigns/CVE-2021-44207/README.md b/campaigns/CVE-2021-44207/README.md index 4c04db38..58ce3b92 100644 --- a/campaigns/CVE-2021-44207/README.md +++ b/campaigns/CVE-2021-44207/README.md @@ -8,8 +8,8 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with CVE-2021-44207: -* [US](https://vuldb.com/?country.us) * [CN](https://vuldb.com/?country.cn) +* [US](https://vuldb.com/?country.us) * [RU](https://vuldb.com/?country.ru) * ... @@ -47,7 +47,7 @@ ID | Technique | Weakness | Description | Confidence 3 | T1211 | CWE-254 | 7PK Security Features | High 4 | ... | ... | ... | ... -There are 1 more TTP items available. Please use our online service to access the data. +There are 2 more TTP items available. Please use our online service to access the data. ## IOA - Indicator of Attack 
@@ -61,7 +61,7 @@ ID | Type | Indicator | Confidence
 4 | File | `admin.php` | Medium
 5 | ... | ... | ...
-There are 33 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 34 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
 ## References
diff --git a/campaigns/CVE-2021-44228/README.md b/campaigns/CVE-2021-44228/README.md
index 100d366c..aa839e03 100644
--- a/campaigns/CVE-2021-44228/README.md
+++ b/campaigns/CVE-2021-44228/README.md
@@ -64,35 +64,36 @@ ID | Type | Indicator | Confidence
 2 | File | `/admin.php/admin/plog/index.html` | High
 3 | File | `/admin.php/admin/ulog/index.html` | High
 4 | File | `/admin.php/admin/website/data.html` | High
-5 | File | `/admin/login.php` | High
-6 | File | `/administrator/components/menu/` | High
-7 | File | `/admin_page/all-files-update-ajax.php` | High
-8 | File | `/api/crontab` | Medium
-9 | File | `/application/common.php#action_log` | High
-10 | File | `/category_view.php` | High
-11 | File | `/cgi-bin/kerbynet` | High
-12 | File | `/cloud_config/router_post/register` | High
-13 | File | `/config/list` | Medium
-14 | File | `/download/` | Medium
-15 | File | `/etc/ajenti/config.yml` | High
-16 | File | `/etc/cobbler` | Medium
-17 | File | `/etc/passwd` | Medium
-18 | File | `/goform/delAd` | High
-19 | File | `/goform/form2Reboot.cgi` | High
-20 | File | `/home.asp` | Medium
-21 | File | `/index.php?act=api&tag=8` | High
-22 | File | `/jerry-core/ecma/base/ecma-lcache.c` | High
-23 | File | `/jerry-core/ecma/operations/ecma-objects.c` | High
-24 | File | `/jerry-core/parser/js/js-scanner-util.c` | High
-25 | File | `/languages/index.php` | High
-26 | File | `/leave_system/classes/Login.php` | High
-27 | File | `/members/view_member.php` | High
-28 | File | `/mims/app/addcustomerHandler.php` | High
-29 | File | `/music/ajax.php` | High
-30 | File | `/orms/` | Low
-31 | ... | ... | ...
+5 | File | `/admin.php?id=siteoptions&social=display&value=0&sid=2` | High
+6 | File | `/admin/inbox.php&action=read` | High
+7 | File | `/admin/login.php` | High
+8 | File | `/admin/posts.php&action=delete` | High
+9 | File | `/admin/siteoptions.php&action=displaygoal&value=1&roleid=1` | High
+10 | File | `/admin/uesrs.php&&action=delete&userid=4` | High
+11 | File | `/admin/uesrs.php&action=type&userrole=Admin&userid=3` | High
+12 | File | `/administrator/components/menu/` | High
+13 | File | `/admin_page/all-files-update-ajax.php` | High
+14 | File | `/api/crontab` | Medium
+15 | File | `/application/common.php#action_log` | High
+16 | File | `/category_view.php` | High
+17 | File | `/cdsms/classes/Master.php?f=delete_enrollment` | High
+18 | File | `/cgi-bin/kerbynet` | High
+19 | File | `/cloud_config/router_post/register` | High
+20 | File | `/config/list` | Medium
+21 | File | `/download/` | Medium
+22 | File | `/etc/ajenti/config.yml` | High
+23 | File | `/etc/cobbler` | Medium
+24 | File | `/etc/passwd` | Medium
+25 | File | `/goform/delAd` | High
+26 | File | `/goform/form2Reboot.cgi` | High
+27 | File | `/home.asp` | Medium
+28 | File | `/index.php?act=api&tag=8` | High
+29 | File | `/jerry-core/ecma/base/ecma-lcache.c` | High
+30 | File | `/jerry-core/ecma/operations/ecma-objects.c` | High
+31 | File | `/jerry-core/parser/js/js-scanner-util.c` | High
+32 | ... | ... | ...
-There are 263 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 274 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
 ## References
diff --git a/campaigns/CatalanGate/README.md b/campaigns/CatalanGate/README.md
new file mode 100644
index 00000000..31a4f162
--- /dev/null
+++ b/campaigns/CatalanGate/README.md
@@ -0,0 +1,67 @@
+# CatalanGate - Cyber Threat Intelligence
+
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _CatalanGate_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
+
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)
+
+## Countries
+
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with CatalanGate:
+
+* [US](https://vuldb.com/?country.us)
+
+## Actors
+
+These _actors_ are associated with CatalanGate or other actors linked to the campaign.
+
+ID | Actor | Confidence
+-- | ----- | ----------
+1 | [Candiru](https://vuldb.com/?actor.candiru) | High
+
+## IOC - Indicator of Compromise
+
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of CatalanGate.
+
+ID | IP address | Hostname | Actor | Confidence
+-- | ---------- | -------- | ----- | ----------
+1 | [185.181.8.155](https://vuldb.com/?ip.185.181.8.155) | - | [Candiru](https://vuldb.com/?actor.candiru) | High
+2 | [185.193.38.113](https://vuldb.com/?ip.185.193.38.113) | - | [Candiru](https://vuldb.com/?actor.candiru) | High
+
+## TTP - Tactics, Techniques, Procedures
+
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used within CatalanGate. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1059.007 | CWE-79 | Cross Site Scripting | High
+2 | T1600 | CWE-327 | Cryptographic Issues | High
+
+## IOA - Indicator of Attack
+
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during CatalanGate. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `arch/x86/platform/efi/efi.c` | High
+2 | File | `cp-demangle.c` | High
+3 | File | `jumpin.php` | Medium
+4 | ... | ... | ...
+
+There are 1 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+
+## References
+
+The following list contains _external sources_ which discuss the campaign and the associated activities:
+
+* https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/
+
+## Literature
+
+The following _articles_ explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
diff --git a/campaigns/Chafer/README.md b/campaigns/Chafer/README.md
index 2ca902bd..fc7b1935 100644
--- a/campaigns/Chafer/README.md
+++ b/campaigns/Chafer/README.md
@@ -65,7 +65,7 @@ ID | Type | Indicator | Confidence
 7 | File | `/uncpath/` | Medium
 8 | ... | ... | ...
-There are 57 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 58 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
 ## References
diff --git a/campaigns/Cloud Hopper/README.md b/campaigns/Cloud Hopper/README.md
index d17a876d..da37befe 100644
--- a/campaigns/Cloud Hopper/README.md
+++ b/campaigns/Cloud Hopper/README.md
@@ -10,7 +10,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
 * [US](https://vuldb.com/?country.us)
 * [RU](https://vuldb.com/?country.ru)
-* [CH](https://vuldb.com/?country.ch)
+* [CN](https://vuldb.com/?country.cn)
 * ...
 There are 9 more country items available. Please use our online service to access the data.
@@ -106,7 +106,7 @@ ID | Type | Indicator | Confidence
 31 | File | `authenticate.c` | High
 32 | ... | ... | ...
-There are 271 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 270 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
 ## References
diff --git a/campaigns/Cobalt Strike/README.md b/campaigns/Cobalt Strike/README.md
index 20c34679..49ac64b0 100644
--- a/campaigns/Cobalt Strike/README.md
+++ b/campaigns/Cobalt Strike/README.md
@@ -10,10 +10,10 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
 * [US](https://vuldb.com/?country.us)
 * [DE](https://vuldb.com/?country.de)
-* [SV](https://vuldb.com/?country.sv)
+* [GB](https://vuldb.com/?country.gb)
 * ...
-There are 10 more country items available. Please use our online service to access the data.
+There are 21 more country items available. Please use our online service to access the data.
 ## Actors
@@ -23,6 +23,10 @@ ID | Actor | Confidence
 -- | ----- | ----------
 1 | [Cobalt Strike](https://vuldb.com/?actor.cobalt_strike) | High
 2 | [Conti](https://vuldb.com/?actor.conti) | High
+3 | [Hancitor](https://vuldb.com/?actor.hancitor) | High
+4 | ... | ...
+
+There are 1 more actor items available. Please use our online service to access the data.
 ## IOC - Indicator of Compromise
@@ -30,14 +34,20 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
 ID | IP address | Hostname | Actor | Confidence
 -- | ---------- | -------- | ----- | ----------
-1 | [23.82.140.91](https://vuldb.com/?ip.23.82.140.91) | - | [Cobalt Strike](https://vuldb.com/?actor.cobalt_strike) | High
-2 | [23.108.57.108](https://vuldb.com/?ip.23.108.57.108) | - | [Cobalt Strike](https://vuldb.com/?actor.cobalt_strike) | High
-3 | [45.134.26.174](https://vuldb.com/?ip.45.134.26.174) | - | [Cobalt Strike](https://vuldb.com/?actor.cobalt_strike) | High
-4 | [45.144.29.185](https://vuldb.com/?ip.45.144.29.185) | master.pisyandriy.com | [Cobalt Strike](https://vuldb.com/?actor.cobalt_strike) | High
-5 | [62.128.111.176](https://vuldb.com/?ip.62.128.111.176) | - | [Cobalt Strike](https://vuldb.com/?actor.cobalt_strike) | High
-6 | ... | ... | ... | ...
+1 | [5.255.98.144](https://vuldb.com/?ip.5.255.98.144) | - | [Cobalt Strike](https://vuldb.com/?actor.cobalt_strike) | High
+2 | [23.19.227.147](https://vuldb.com/?ip.23.19.227.147) | - | [Cobalt Strike](https://vuldb.com/?actor.cobalt_strike) | High
+3 | [23.81.246.32](https://vuldb.com/?ip.23.81.246.32) | - | [Cobalt Strike](https://vuldb.com/?actor.cobalt_strike) | High
+4 | [23.82.140.91](https://vuldb.com/?ip.23.82.140.91) | - | [Cobalt Strike](https://vuldb.com/?actor.cobalt_strike) | High
+5 | [23.108.57.39](https://vuldb.com/?ip.23.108.57.39) | - | [Cobalt Strike](https://vuldb.com/?actor.cobalt_strike) | High
+6 | [23.108.57.108](https://vuldb.com/?ip.23.108.57.108) | - | [Cobalt Strike](https://vuldb.com/?actor.cobalt_strike) | High
+7 | [23.227.199.10](https://vuldb.com/?ip.23.227.199.10) | 23-227-199-10.static.hvvc.us | [Cobalt Strike](https://vuldb.com/?actor.cobalt_strike) | High
+8 | [45.134.26.174](https://vuldb.com/?ip.45.134.26.174) | - | [Cobalt Strike](https://vuldb.com/?actor.cobalt_strike) | High
+9 | [45.144.29.185](https://vuldb.com/?ip.45.144.29.185) | master.pisyandriy.com | 
[Cobalt Strike](https://vuldb.com/?actor.cobalt_strike) | High
+10 | [62.128.111.176](https://vuldb.com/?ip.62.128.111.176) | - | [Cobalt Strike](https://vuldb.com/?actor.cobalt_strike) | High
+11 | [65.60.35.141](https://vuldb.com/?ip.65.60.35.141) | duwaer.presembling.vip | [Cobalt Strike](https://vuldb.com/?actor.cobalt_strike) | High
+12 | ... | ... | ... | ...
-There are 18 more IOC items available. Please use our online service to access the data.
+There are 43 more IOC items available. Please use our online service to access the data.
 ## TTP - Tactics, Techniques, Procedures
@@ -58,65 +68,61 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
-1 | File | `/?admin/user.html` | High
-2 | File | `/admin/success_story.php` | High
-3 | File | `/configuration/httpListenerEdit.jsf` | High
+1 | File | `/admin/success_story.php` | High
+2 | File | `/category.php` | High
+3 | File | `/cgi-bin/supervisor/PwdGrp.cgi` | High
 4 | File | `/etc/tomcat8/Catalina/attack` | High
 5 | File | `/movie-portal-script/movie.php` | High
 6 | File | `/notice-edit.php` | High
-7 | File | `/resourceNode/jdbcResourceEdit.jsf` | High
+7 | File | `/objects/getSpiritsFromVideo.php` | High
 8 | File | `/servlet/webacc` | High
-9 | File | `/tmp` | Low
-10 | File | `/wp-content/plugins/updraftplus/admin.php` | High
-11 | File | `4.2.0.CP08` | Medium
-12 | File | `account.asp` | Medium
-13 | File | `acerctrl.ocx` | Medium
-14 | File | `activate.php` | Medium
-15 | File | `add.php` | Low
-16 | File | `admin.php` | Medium
-17 | File | `admin/admin.php` | High
-18 | File | `admin/adminaddeditdetails.php` | High
-19 | File | `admin/auth.php` | High
-20 | File | `admin/images.php` | High
-21 | File | `admin/import/class-import-settings.php` | High
-22 | File | `admin/member_details.php` | High
-23 | File | `admin/preview.php` | High
-24 | File | `ajax/addComment.php` | High
-25 | File | `and/or` | Low
-26 | File | `app/code/core/Mage/Rss/Helper/Order.php` | High
-27 | File | `arch/powerpc/kernel/entry_64.S` | High
-28 | File | `archive_read_support_format_rar5.c` | High
-29 | File | `article.php` | Medium
-30 | File | `asp:.jpg` | Medium
-31 | File | `auth2-gss.c` | Medium
-32 | File | `backup.php` | Medium
-33 | File | `bios.php` | Medium
-34 | File | `blanko.preview.php` | High
-35 | File | `block/bfq-iosched.c` | High
-36 | File | `browse_ladies.php` | High
-37 | File | `burl.c` | Low
-38 | File | `cadena_ofertas_ext.php` | High
-39 | File | `cal_popup.php` | High
-40 | File | 
`category-delete.php` | High
-41 | File | `category.php` | Medium
-42 | File | `CFM File Handler` | High
-43 | File | `cgi-bin/awstats.pl` | High
-44 | File | `Change-password.php` | High
-45 | File | `charts.php` | Medium
-46 | File | `chat.php` | Medium
-47 | File | `class.t3lib_formmail.php` | High
-48 | File | `comments.php` | Medium
-49 | File | `config.php` | Medium
-50 | File | `core/stack/l2cap/l2cap_sm.c` | High
-51 | File | `country_escorts.php` | High
-52 | File | `cource.php` | Medium
-53 | File | `Crypt32.dll` | Medium
-54 | File | `dapur/index.php` | High
-55 | File | `default.asp` | Medium
-56 | File | `detail.php` | Medium
-57 | ... | ... | ...
+9 | File | `/TeamMate/Upload/DomainObjectDocumentUpload.ashx` | High
+10 | File | `/tmp` | Low
+11 | File | `/uncpath/` | Medium
+12 | File | `/wp-admin/admin-ajax.php` | High
+13 | File | `/wp-content/plugins/updraftplus/admin.php` | High
+14 | File | `4.2.0.CP08` | Medium
+15 | File | `account.asp` | Medium
+16 | File | `acerctrl.ocx` | Medium
+17 | File | `activate.php` | Medium
+18 | File | `add.php` | Low
+19 | File | `admin.php` | Medium
+20 | File | `admin/admin.php` | High
+21 | File | `admin/adminaddeditdetails.php` | High
+22 | File | `admin/class-jtrt-responsive-tables-admin.php` | High
+23 | File | `admin/images.php` | High
+24 | File | `admin/import/class-import-settings.php` | High
+25 | File | `admin/infoclass_update.php` | High
+26 | File | `admin/member_details.php` | High
+27 | File | `admin/preview.php` | High
+28 | File | `ajax/addComment.php` | High
+29 | File | `allocate_block.cpp` | High
+30 | File | `and/or` | Low
+31 | File | `app/code/core/Mage/Rss/Helper/Order.php` | High
+32 | File | `arch/powerpc/kernel/entry_64.S` | High
+33 | File | `archive_read_support_format_rar5.c` | High
+34 | File | `article.php` | Medium
+35 | File | `asmjs/asmangle.cpp` | High
+36 | File | `asp:.jpg` | Medium
+37 | File | `auth2-gss.c` | Medium
+38 | File | `backup.php` | Medium
+39 | File | `bios.php` 
| Medium
+40 | File | `blanko.preview.php` | High
+41 | File | `block/bfq-iosched.c` | High
+42 | File | `books.php` | Medium
+43 | File | `browse_ladies.php` | High
+44 | File | `burl.c` | Low
+45 | File | `cadena_ofertas_ext.php` | High
+46 | File | `category-delete.php` | High
+47 | File | `category.php` | Medium
+48 | File | `CFM File Handler` | High
+49 | File | `cgi-bin/awstats.pl` | High
+50 | File | `cgi-bin/write.cgi` | High
+51 | File | `Change-password.php` | High
+52 | File | `chat.php` | Medium
+53 | ... | ... | ...
-There are 498 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 460 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
 ## References
@@ -131,9 +137,22 @@ The following list contains _external sources_ which discuss the campaign and th
 * https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike/27158/
 * https://research.checkpoint.com/2019/cobalt-group-returns-to-kazakhstan/
 * https://securelist.com/owowa-credential-stealer-and-remote-access/105219/
+* https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
+* https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/
+* https://thedfirreport.com/2021/05/12/conti-ransomware/
+* https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/
+* https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/
+* https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/
+* https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/
+* https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/
+* https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
+* https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/
+* https://thedfirreport.com/2021/12/13/diavol-ransomware/
+* https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
 * https://therecord.media/disgruntled-ransomware-affiliate-leaks-the-conti-gangs-technical-manuals/
 * https://twitter.com/malware_traffic/status/1400876426497253379
 * https://twitter.com/malware_traffic/status/1415740795622248452
+* https://twitter.com/TheDFIRReport/status/1508451341844168706
 * https://twitter.com/Unit42_Intel/status/1392174941181812737
 * https://us-cert.cisa.gov/ncas/alerts/aa21-148a
 * https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
diff --git a/campaigns/Cryptomining/README.md b/campaigns/Cryptomining/README.md
index 2657a0ef..edb171e6 100644
--- a/campaigns/Cryptomining/README.md
+++ b/campaigns/Cryptomining/README.md
@@ -9,8 +9,11 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
 These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Cryptomining:
 * [US](https://vuldb.com/?country.us)
+* [HU](https://vuldb.com/?country.hu)
 * [CN](https://vuldb.com/?country.cn)
-* [ES](https://vuldb.com/?country.es)
+* ...
+
+There are 6 more country items available. Please use our online service to access the data.
 ## Actors
@@ -27,12 +30,12 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
 ID | IP address | Hostname | Actor | Confidence
 -- | ---------- | -------- | ----- | ----------
-1 | [45.9.148.182](https://vuldb.com/?ip.45.9.148.182) | - | [TeamTNT](https://vuldb.com/?actor.teamtnt) | High
-2 | [129.226.180.53](https://vuldb.com/?ip.129.226.180.53) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
-3 | [132.162.107.97](https://vuldb.com/?ip.132.162.107.97) | ip-107-97.wireless.oberlin.edu | [Unknown](https://vuldb.com/?actor.unknown) | High
+1 | [5.122.15.138](https://vuldb.com/?ip.5.122.15.138) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
+2 | [45.9.148.182](https://vuldb.com/?ip.45.9.148.182) | - | [TeamTNT](https://vuldb.com/?actor.teamtnt) | High
+3 | [45.136.244.146](https://vuldb.com/?ip.45.136.244.146) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
 4 | ... | ... | ... | ...
-There are 2 more IOC items available. Please use our online service to access the data.
+There are 7 more IOC items available. Please use our online service to access the data.
 ## TTP - Tactics, Techniques, Procedures
@@ -40,12 +43,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
-1 | T1059.007 | CWE-79 | Cross Site Scripting | High
+1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
 2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
 3 | T1211 | CWE-254 | 7PK Security Features | High
 4 | ... | ... | ... | ...
-There are 5 more TTP items available. Please use our online service to access the data.
+There are 6 more TTP items available. Please use our online service to access the data.
 ## IOA - Indicator of Attack
@@ -54,13 +57,19 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
 1 | File | `/goform/SetNetControlList` | High
-2 | File | `/rest/api/2/user/picker` | High
-3 | File | `admin/categories_industry.php` | High
-4 | File | `admin/content/postcategory` | High
-5 | File | `Adminstrator/Users/Edit/` | High
-6 | ... | ... | ...
+2 | File | `/modules/tasks/summary.inc.php` | High
+3 | File | `/rest/api/2/user/picker` | High
+4 | File | `/uncpath/` | Medium
+5 | File | `admin/categories_industry.php` | High
+6 | File | `admin/category.inc.php` | High
+7 | File | `admin/content/postcategory` | High
+8 | File | `Adminstrator/Users/Edit/` | High
+9 | File | `agent.cfg` | Medium
+10 | File | `ALL_IN_THE_BOX.OCX` | High
+11 | File | `bmp.c` | Low
+12 | ... | ... | ...
-There are 36 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 97 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
 ## References
@@ -68,6 +77,8 @@ The following list contains _external sources_ which discuss the campaign and th
 * https://blog.trendmicro.co.jp/archives/20418
 * https://blogs.infoblox.com/cyber-threat-intelligence/cyber-campaign-briefs/log4j-indicators-of-compromise-to-date/
+* https://thedfirreport.com/2020/11/12/cryptominers-exploiting-weblogic-rce-cve-2020-14882/
+* https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/
 * https://www.trendmicro.com/en_us/research/21/k/compromised-docker-hub-accounts-abused-for-cryptomining-linked-t.html
 ## Literature
diff --git a/campaigns/DDoS Ukraine/README.md b/campaigns/DDoS Ukraine/README.md
index 50f87fbf..b065bdcc 100644
--- a/campaigns/DDoS Ukraine/README.md
+++ b/campaigns/DDoS Ukraine/README.md
@@ -74,83 +74,84 @@ ID | Type | Indicator | Confidence
 15 | File | `/master/article.php` | High
 16 | File | `/members/profiles.php` | High
 17 | File | `/members/view_member.php` | High
-18 | File | `/servlet/webacc` | High
-19 | File | `/sitemagic/upgrade.php` | High
-20 | File | `/tmp` | Low
-21 | File | `/userman/inbox.php` | High
-22 | File | `/userui/ticket_list.php` | High
-23 | File | `/wp-admin/options-general.php` | High
-24 | File | `/zm/index.php` | High
-25 | File | `adaptive-images-script.php` | High
-26 | File | `additem.asp` | Medium
-27 | File | `addtocart.asp` | High
-28 | File | `adherents/subscription/info.php` | High
-29 | File | `admin.asp` | Medium
-30 | File | `admin.php` | Medium
-31 | File | `admin/admin.php` | High
-32 | File | `admin/general.php` | High
-33 | File | `admin/header.php` | High
-34 | File | `admin/inc/change_action.php` | High
-35 | File | `admin/index.php` | High
-36 | File | `admin/index.php?id=users/action=edit/user_id=1` | High
-37 | File | `admin/info.php` | High
-38 | File | `admin/login.asp` | High
-39 | File | `admin/manage-comments.php` | High
-40 | File | `admin/manage-news.php` | High
-41 | File | `admin/plugin-settings.php` | High
-42 | File | `admin/specials.php` | High
-43 | File | `admin:de` | Medium
-44 | File | `admincp/auth/checklogin.php` | High
-45 | File | `admincp/auth/secure.php` | High
-46 | File | `administrator/index.php` | High
-47 | File | `admin_login.asp` | High
-48 | File | `adv_search.asp` | High
-49 | File | `ajax.php` | Medium
-50 | File | `ajax_url.php` | Medium
-51 | File | `album_portal.php` | High
-52 | File | `al_initialize.php` | High
-53 | File | `anjel.index.php` | High
-54 | File | `annonces-p-f.php` | High
-55 | File | `announce.php` | Medium
-56 | File | `announcement.php` | High
-57 | File | `announcements.php` | High
-58 | File | `app/admin/routing/edit-bgp-mapping-search.php` | High
-59 | File | `apply.cgi` | Medium
-60 | File | `apps/app_article/controller/rating.php` | High
-61 | File | `article.php` | Medium
-62 | File | `articles.php` | Medium
-63 | File | `artikel_anzeige.php` | High
-64 | File | `auktion.cgi` | Medium
-65 | File | `auth.php` | Medium
-66 | File | `basket.php` | Medium
-67 | File | `boardData103.php/boardDataJP.php/boardDataNA.php/boardDataWW.php` | High
-68 | File | `books.php` | Medium
-69 | File | `browse-category.php` | High
-70 | File | `browse.php` | Medium
-71 | File | `browse_videos.php` | High
-72 | File | `BrudaNews/BrudaGB` | High
-73 | File | `bwlist_inc.html` | High
-74 | File | `calendar.php` | Medium
-75 | File | `cart.php` | Medium
-76 | File | `cart_add.php` | Medium
-77 | File | `case.filemanager.php` | High
-78 | File | `catalog.php` | Medium
-79 | File | `catalogshop.php` | High
-80 | File | `catalogue.asp` | High
-81 | File | `category.cfm` | Medium
-82 | File | `category.php` | Medium
-83 | File | `category_list.php` | High
-84 | File | `cgi-bin/awstats.pl` | High
-85 | File | `channel.asp` | Medium
-86 | File | `ChooseCpSearch.php` | High
-87 | File | `comentarii.php` | High
-88 | File | `comments.php` | Medium
-89 | File | `config.inc.php` | High
-90 | File | `config.php` | Medium
-91 | File | `contact.php` | Medium
-92 | ... | ... | ...
+18 | File | `/scas/admin/` | Medium
+19 | File | `/servlet/webacc` | High
+20 | File | `/sitemagic/upgrade.php` | High
+21 | File | `/tmp` | Low
+22 | File | `/userman/inbox.php` | High
+23 | File | `/userui/ticket_list.php` | High
+24 | File | `/wp-admin/options-general.php` | High
+25 | File | `/zm/index.php` | High
+26 | File | `adaptive-images-script.php` | High
+27 | File | `additem.asp` | Medium
+28 | File | `addtocart.asp` | High
+29 | File | `adherents/subscription/info.php` | High
+30 | File | `admin.asp` | Medium
+31 | File | `admin.php` | Medium
+32 | File | `admin/admin.php` | High
+33 | File | `admin/general.php` | High
+34 | File | `admin/header.php` | High
+35 | File | `admin/inc/change_action.php` | High
+36 | File | `admin/index.php` | High
+37 | File | `admin/index.php?id=users/action=edit/user_id=1` | High
+38 | File | `admin/info.php` | High
+39 | File | `admin/login.asp` | High
+40 | File | `admin/manage-comments.php` | High
+41 | File | `admin/manage-news.php` | High
+42 | File | `admin/plugin-settings.php` | High
+43 | File | `admin/specials.php` | High
+44 | File | `admin:de` | Medium
+45 | File | `admincp/auth/checklogin.php` | High
+46 | File | `admincp/auth/secure.php` | High
+47 | File | `administrator/index.php` | High
+48 | File | `admin_login.asp` | High
+49 | File | `adv_search.asp` | High
+50 | File | `ajax.php` | Medium
+51 | File | `ajax_url.php` | Medium
+52 | File | `album_portal.php` | High
+53 | File | `al_initialize.php` | High
+54 | File | `anjel.index.php` | High
+55 | File | `annonces-p-f.php` | High
+56 | File | `announce.php` | Medium
+57 | File | `announcement.php` | High
+58 | File | `announcements.php` | High
+59 | File | `app/admin/routing/edit-bgp-mapping-search.php` | High
+60 | File | `apply.cgi` | Medium
+61 | File | `apps/app_article/controller/rating.php` | High
+62 | File | `article.php` | Medium
+63 | File | `articles.php` | Medium
+64 | File | `artikel_anzeige.php` | High
+65 | File | `auktion.cgi` | Medium
+66 | File | `auth.php` | Medium
+67 | File | `basket.php` | Medium
+68 | File | `boardData103.php/boardDataJP.php/boardDataNA.php/boardDataWW.php` | High
+69 | File | `books.php` | Medium
+70 | File | `browse-category.php` | High
+71 | File | `browse.php` | Medium
+72 | File | `browse_videos.php` | High
+73 | File | `BrudaNews/BrudaGB` | High
+74 | File | `bwlist_inc.html` | High
+75 | File | `calendar.php` | Medium
+76 | File | `cart.php` | Medium
+77 | File | `cart_add.php` | Medium
+78 | File | `case.filemanager.php` | High
+79 | File | `catalog.php` | Medium
+80 | File | `catalogshop.php` | High
+81 | File | `catalogue.asp` | High
+82 | File | `category.cfm` | Medium
+83 | File | `category.php` | Medium
+84 | File | `category_list.php` | High
+85 | File | `cgi-bin/awstats.pl` | High
+86 | File | `channel.asp` | Medium
+87 | File | `ChooseCpSearch.php` | High
+88 | File | `comentarii.php` | High
+89 | File | `comments.php` | Medium
+90 | File | `config.inc.php` | High
+91 | File | `config.php` | Medium
+92 | File | `contact.php` | Medium
+93 | ... | ... | ...
-There are 813 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 819 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
 ## References
diff --git a/campaigns/DarkWatchman/README.md b/campaigns/DarkWatchman/README.md
new file mode 100644
index 00000000..2a67ea08
--- /dev/null
+++ b/campaigns/DarkWatchman/README.md
@@ -0,0 +1,41 @@
+# DarkWatchman - Cyber Threat Intelligence
+
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _DarkWatchman_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
+
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)
+
+## Actors
+
+These _actors_ are associated with DarkWatchman or other actors linked to the campaign.
+
+ID | Actor | Confidence
+-- | ----- | ----------
+1 | [DarkWatchman](https://vuldb.com/?actor.darkwatchman) | High
+2 | [Hive0117](https://vuldb.com/?actor.hive0117) | High
+
+## IOC - Indicator of Compromise
+
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of DarkWatchman.
+
+ID | IP address | Hostname | Actor | Confidence
+-- | ---------- | -------- | ----- | ----------
+1 | [45.156.27.245](https://vuldb.com/?ip.45.156.27.245) | dasee-1.net7.dns.cloudbackbone.net | [DarkWatchman](https://vuldb.com/?actor.darkwatchman) | High
+2 | [103.153.157.33](https://vuldb.com/?ip.103.153.157.33) | 103-153-157-33.ip.fulltimehosting.net | [Hive0117](https://vuldb.com/?actor.hive0117) | High
+
+## References
+
+The following list contains _external sources_ which discuss the campaign and the associated activities:
+
+* https://securityintelligence.com/posts/hive00117-fileless-malware-delivery-eastern-europe/
+* https://www.prevailion.com/darkwatchman-new-fileless-techniques/
+
+## Literature
+
+The following _articles_ explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
diff --git a/campaigns/Diavol/README.md b/campaigns/Diavol/README.md
new file mode 100644
index 00000000..b0e73068
--- /dev/null
+++ b/campaigns/Diavol/README.md
@@ -0,0 +1,71 @@
+# Diavol - Cyber Threat Intelligence
+
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Diavol_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
+
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)
+
+## Countries
+
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Diavol:
+
+* [US](https://vuldb.com/?country.us)
+* [CN](https://vuldb.com/?country.cn)
+
+## Actors
+
+These _actors_ are associated with Diavol or other actors linked to the campaign.
+
+ID | Actor | Confidence
+-- | ----- | ----------
+1 | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High
+
+## IOC - Indicator of Compromise
+
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Diavol.
+
+ID | IP address | Hostname | Actor | Confidence
+-- | ---------- | -------- | ----- | ----------
+1 | [23.152.0.22](https://vuldb.com/?ip.23.152.0.22) | anahiem.net | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High
+2 | [159.223.31.75](https://vuldb.com/?ip.159.223.31.75) | - | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High
+3 | [192.52.167.210](https://vuldb.com/?ip.192.52.167.210) | web1.surfacetension.no | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High
+4 | ... | ... | ... | ...
+
+There are 1 more IOC items available. Please use our online service to access the data.
+
+## TTP - Tactics, Techniques, Procedures
+
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used within Diavol. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
+
+## IOA - Indicator of Attack
+
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Diavol. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `detail.php` | Medium
+2 | File | `products.php` | Medium
+3 | File | `shop_display_products.php` | High
+4 | ... | ... | ...
+
+There are 4 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+
+## References
+
+The following list contains _external sources_ which discuss the campaign and the associated activities:
+
+* https://thedfirreport.com/2021/12/13/diavol-ransomware/
+
+## Literature
+
+The following _articles_ explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
diff --git a/campaigns/Dust Storm/README.md b/campaigns/Dust Storm/README.md index 8fab2a99..f62fdaa5 100644 --- a/campaigns/Dust Storm/README.md +++ b/campaigns/Dust Storm/README.md @@ -11,9 +11,6 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce * [CN](https://vuldb.com/?country.cn) * [US](https://vuldb.com/?country.us) * [GB](https://vuldb.com/?country.gb) -* ... - -There are 1 more country items available. Please use our online service to access the data. ## Actors 
@@ -64,44 +61,49 @@ ID | Type | Indicator | Confidence 3 | File | `/#/CampaignManager/users` | High 4 | File | `//` | Low 5 | File | `/admin.php?action=themeinstall` | High -6 | File | `/admin/index.php?id=themes&action=edit_template&filename=blog` | High -7 | File | `/admin/login.php` | High -8 | File | `/apply_noauth.cgi` | High -9 | File | `/article/comment` | High +6 | File | `/admin/?setting-base.htm` | High +7 | File | `/admin/admin_login.php` | High +8 | File | `/admin/login.php` | High +9 | File | `/apply_noauth.cgi` | High 10 | File | `/audit/log/log_management.php` | High -11 | File | `/backup/lispbx-CONF-YYYY-MM-DD.tar` | High -12 | File | `/bin/login` | Medium -13 | File | `/bin/sh` | Low -14 | File | `/cgi-bin/login` | High -15 | File | `/cgi/sshcheck.cgi` | High -16 | File | `/classes/profile.class.php` | High -17 | File | `/crmeb/crmeb/services/UploadService.php` | High -18 | File | `/dev/tty` | Medium -19 | File | `/downloads/` | Medium -20 | File | `/IISADMPWD` | Medium -21 | File | `/inc/session.php` | High -22 | File | `/index.php` | Medium -23 | File | `/mcms/view.do` | High +11 | File | `/bin/login` | Medium +12 | File | `/bin/sh` | Low +13 | File | `/cgi-bin/login` | High +14 | File | `/classes/profile.class.php` | High +15 | File | `/dev/tty` | Medium +16 | File | `/doorgets/app/requests/user/modulecategoryRequest.php` | High +17 | File | `/downloads/` | Medium +18 | File | `/IISADMPWD` | Medium +19 | File | `/inc/session.php` | High +20 | File | `/index.php` | Medium +21 | File | `/login` | Low +22 | File | `/login.html` | Medium +23 | File | `/magnoliaPublic/travel/members/login.html` | High 24 | File | `/member/index/login.html` | High 25 | File | `/modules/certinfo/index.php` | High -26 | File | `/post/editing` | High -27 | File | `/public/plugins/` | High -28 | File | `/restful-services/publish` | High -29 | File | `/ScadaBR/login.htm` | High -30 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High -31 | File | 
`/system/tool/ping.php` | High -32 | File | `/upload` | Low -33 | File | `/usr/bin/pkexec` | High -34 | File | `/usr/sbin/mini_httpd` | High -35 | File | `/vendor/phpdocumentor/reflection-docblock/tests/phpDocumentor/Reflection/DocBlock/Tag/LinkTagTeet.php` | High -36 | File | `?location=search` | High -37 | File | `account/login.php` | High -38 | File | `add.asp` | Low -39 | File | `admin.home.php` | High -40 | File | `admin.php` | Medium -41 | ... | ... | ... +26 | File | `/restful-services/publish` | High +27 | File | `/ScadaBR/login.htm` | High +28 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High +29 | File | `/system/tool/ping.php` | High +30 | File | `/upload` | Low +31 | File | `/usr/bin/pkexec` | High +32 | File | `/var/adm/btmp` | High +33 | File | `?location=search` | High +34 | File | `account/login.php` | High +35 | File | `add.asp` | Low +36 | File | `add.php` | Low +37 | File | `admin.inc.php` | High +38 | File | `admin.php` | Medium +39 | File | `admin.php?m=backup&c=backup&a=doback` | High +40 | File | `admin/conf_users_edit.php` | High +41 | File | `admin/index.php` | High +42 | File | `admin/login.asp` | High +43 | File | `admin/login.php` | High +44 | File | `admin/nos/login` | High +45 | File | `admin\db\DoSql.php` | High +46 | ... | ... | ... -There are 355 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 396 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References diff --git a/campaigns/Elfin/README.md b/campaigns/Elfin/README.md index d93c6369..0d186cdd 100644 --- a/campaigns/Elfin/README.md +++ b/campaigns/Elfin/README.md 
@@ -71,24 +71,25 @@ ID | Type | Indicator | Confidence 9 | File | `/crmeb/app/admin/controller/store/CopyTaobao.php` | High 10 | File | `/export` | Low 11 | File | `/forum/away.php` | High -12 | File | `/horde/util/go.php` | High -13 | File | `/index.php` | Medium -14 | File | `/mifs/c/i/reg/reg.html` | High -15 | File | `/ms/cms/content/list.do` | High -16 | File | `/orms/` | Low -17 | File | `/public/login.htm` | High -18 | File | `/show_news.php` | High -19 | File | `/style/` | Low -20 | File | `/uncpath/` | Medium -21 | File | `ABuffer.cpp` | Medium -22 | File | `account.asp` | Medium -23 | File | `adclick.php` | Medium -24 | File | `admin.php` | Medium -25 | File | `admin/changedata.php` | High -26 | File | `admin/dashboard.php` | High -27 | ... | ... | ... +12 | File | `/hocms/classes/Master.php?f=delete_collection` | High +13 | File | `/horde/util/go.php` | High +14 | File | `/index.php` | Medium +15 | File | `/mifs/c/i/reg/reg.html` | High +16 | File | `/ms/cms/content/list.do` | High +17 | File | `/orms/` | Low +18 | File | `/plesk-site-preview/` | High +19 | File | `/public/login.htm` | High +20 | File | `/show_news.php` | High +21 | File | `/student-grading-system/rms.php?page=grade` | High +22 | File | `/style/` | Low +23 | File | `/uncpath/` | Medium +24 | File | `ABuffer.cpp` | Medium +25 | File | `account.asp` | Medium +26 | File | `adclick.php` | Medium +27 | File | `admin.php` | Medium +28 | ... | ... | ... -There are 228 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 233 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References diff --git a/campaigns/Fallchill/README.md b/campaigns/Fallchill/README.md index 38bb530e..81652458 100644 --- a/campaigns/Fallchill/README.md +++ b/campaigns/Fallchill/README.md 
@@ -53,10 +53,10 @@ ID | Technique | Weakness | Description | Confidence -- | --------- | -------- | ----------- | ---------- 1 | T1059.007 | CWE-79 | Cross Site Scripting | High 2 | T1068 | CWE-250, CWE-284 | Execution with Unnecessary Privileges | High -3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High +3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High 4 | ... | ... | ... | ... -There are 6 more TTP items available. Please use our online service to access the data. +There are 4 more TTP items available. Please use our online service to access the data. ## IOA - Indicator of Attack 
@@ -67,24 +67,19 @@ ID | Type | Indicator | Confidence 1 | File | `/admin.php?id=posts&action=display&value=1&postid=` | High 2 | File | `/admin.php?id=siteoptions&social=display&value=0&sid=2` | High 3 | File | `/admin.php?id=siteoptions&social=edit&sid=2` | High -4 | File | `/admin/inbox.php&action=delete` | High -5 | File | `/admin/inbox.php&action=read` | High -6 | File | `/admin/index.php` | High -7 | File | `/admin/pagerole.php&action=display&value=1` | High -8 | File | `/admin/pagerole.php&action=edit` | High -9 | File | `/admin/posts.php` | High -10 | File | `/admin/posts.php&action=delete` | High -11 | File | `/admin/posts.php&action=edit` | High -12 | File | `/admin/siteoptions.php&social=remove&sid=2` | High -13 | File | `/admin/uesrs.php&&action=delete&userid=4` | High -14 | File | `/admin/uesrs.php&action=display&value=Show` | High -15 | File | `/apps/acs-commons/content/page-compare.html` | High -16 | File | `/blog/blog.php` | High -17 | File | `/cdsms/classes/Master.php?f=delete_enrollment` | High -18 | File | `/cdsms/classes/Master.php?f=delete_package` | High -19 | ... | ... | ... +4 | File | `/admin.php?r=admin/AdminBackup/del` | High +5 | File | `/admin/edit.php` | High +6 | File | `/admin/inbox.php&action=delete` | High +7 | File | `/admin/inbox.php&action=read` | High +8 | File | `/admin/index.php/template/ajax?action=delete` | High +9 | File | `/admin/index.php?mode=content&page=media&action=edit` | High +10 | File | `/admin/pagerole.php&action=display&value=1` | High +11 | File | `/admin/pagerole.php&action=edit` | High +12 | File | `/admin/posts.php` | High +13 | File | `/admin/posts.php&action=delete` | High +14 | ... | ... | ... -There are 154 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 113 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. 
## References
diff --git a/campaigns/GoldBackdoor/README.md b/campaigns/GoldBackdoor/README.md
new file mode 100644
index 00000000..c7c62481
--- /dev/null
+++ b/campaigns/GoldBackdoor/README.md
@@ -0,0 +1,38 @@
+# GoldBackdoor - Cyber Threat Intelligence
+
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _GoldBackdoor_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
+
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)
+
+## Actors
+
+These _actors_ are associated with GoldBackdoor or other actors linked to the campaign.
+
+ID | Actor | Confidence
+-- | ----- | ----------
+1 | [DPRK](https://vuldb.com/?actor.dprk) | High
+
+## IOC - Indicator of Compromise
+
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of GoldBackdoor.
+
+ID | IP address | Hostname | Actor | Confidence
+-- | ---------- | -------- | ----- | ----------
+1 | [142.93.201.77](https://vuldb.com/?ip.142.93.201.77) | - | [DPRK](https://vuldb.com/?actor.dprk) | High
+
+## References
+
+The following list contains _external sources_ which discuss the campaign and the associated activities:
+
+* https://stairwell.com/wp-content/uploads/2022/04/Stairwell-threat-report-The-ink-stained-trail-of-GOLDBACKDOOR.pdf
+
+## Literature
+
+The following _articles_ explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). 
All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)! diff --git a/campaigns/Hancitor/README.md b/campaigns/Hancitor/README.md index ff2e0533..73516f2f 100644 --- a/campaigns/Hancitor/README.md +++ b/campaigns/Hancitor/README.md @@ -115,7 +115,7 @@ ID | Type | Indicator | Confidence 37 | File | `admin/conf_users_edit.php` | High 38 | ... | ... | ... -There are 326 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 325 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References diff --git a/campaigns/Hidden Cobra/README.md b/campaigns/Hidden Cobra/README.md index 36d3bea7..0bba24dd 100644 --- a/campaigns/Hidden Cobra/README.md +++ b/campaigns/Hidden Cobra/README.md @@ -169,7 +169,7 @@ ID | Technique | Weakness | Description | Confidence 3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High 4 | ... | ... | ... | ... -There are 7 more TTP items available. Please use our online service to access the data. +There are 6 more TTP items available. Please use our online service to access the data. ## IOA - Indicator of Attack 
@@ -185,22 +185,21 @@ ID | Type | Indicator | Confidence 6 | File | `/forum/away.php` | High 7 | File | `/graphStatus/displayServiceStatus.php` | High 8 | File | `/modules/profile/index.php` | High -9 | File | `/osm/REGISTER.cmd` | High -10 | File | `/out.php` | Medium -11 | File | `/pages/items` | Medium -12 | File | `/proc/pid/syscall` | High -13 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High -14 | File | `/secure/admin/ViewInstrumentation.jspa` | High -15 | File | `/servlet.gupld` | High -16 | File | `/sql/sql_type.cc` | High -17 | File | `/status` | Low -18 | File | `/tools/developerConsoleOperations.jsp` | High -19 | File | `/uncpath/` | Medium -20 | File | `/usr/bin/pkexec` | High -21 | File | `/WEB-INF/web.xml` | High -22 | ... | ... | ... +9 | File | `/out.php` | Medium +10 | File | `/pages/items` | Medium +11 | File | `/proc/pid/syscall` | High +12 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High +13 | File | `/secure/admin/ViewInstrumentation.jspa` | High +14 | File | `/servlet.gupld` | High +15 | File | `/sql/sql_type.cc` | High +16 | File | `/status` | Low +17 | File | `/tools/developerConsoleOperations.jsp` | High +18 | File | `/uncpath/` | Medium +19 | File | `/usr/bin/pkexec` | High +20 | File | `/WEB-INF/web.xml` | High +21 | ... | ... | ... -There are 179 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 170 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References diff --git a/campaigns/Hildegard/README.md b/campaigns/Hildegard/README.md index 24c636c3..196a49e8 100644 --- a/campaigns/Hildegard/README.md +++ b/campaigns/Hildegard/README.md 
@@ -10,6 +10,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce * [US](https://vuldb.com/?country.us) * [ES](https://vuldb.com/?country.es) +* [CN](https://vuldb.com/?country.cn) ## Actors diff --git a/campaigns/Hodur/README.md b/campaigns/Hodur/README.md index 0f5d0b8d..ffc53ba1 100644 --- a/campaigns/Hodur/README.md +++ b/campaigns/Hodur/README.md @@ -9,6 +9,7 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Hodur: * [CN](https://vuldb.com/?country.cn) +* [US](https://vuldb.com/?country.us) * [FR](https://vuldb.com/?country.fr) ## Actors @@ -38,7 +39,7 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK ID | Technique | Weakness | Description | Confidence -- | --------- | -------- | ----------- | ---------- -1 | T1059.007 | CWE-79 | Cross Site Scripting | High +1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High 2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High 3 | T1222 | CWE-275 | Permission Issues | High 4 | ... | ... | ... | ... @@ -56,7 +57,7 @@ ID | Type | Indicator | Confidence 3 | File | `next.config.js` | High 4 | ... | ... | ... -There are 5 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 7 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References diff --git a/campaigns/Hoplight/README.md b/campaigns/Hoplight/README.md index dba78cd3..fb96391d 100644 --- a/campaigns/Hoplight/README.md +++ b/campaigns/Hoplight/README.md 
@@ -91,8 +91,7 @@ ID | Type | Indicator | Confidence 31 | File | `/rest/api/latest/projectvalidate/key` | High 32 | File | `/rom-0` | Low 33 | File | `/tmp` | Low -34 | File | `/tmp/connlicj.bin` | High -35 | ... | ... | ... +34 | ... | ... | ... There are 295 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. diff --git a/campaigns/IcedID/README.md b/campaigns/IcedID/README.md new file mode 100644 index 00000000..7a5010a5 --- /dev/null +++ b/campaigns/IcedID/README.md 
@@ -0,0 +1,152 @@
+# IcedID - Cyber Threat Intelligence
+
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _IcedID_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
+
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)
+
+## Countries
+
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with IcedID:
+
+* [US](https://vuldb.com/?country.us)
+* [SC](https://vuldb.com/?country.sc)
+* [RU](https://vuldb.com/?country.ru)
+* ...
+
+There are 20 more country items available. Please use our online service to access the data.
+
+## Actors
+
+These _actors_ are associated with IcedID or other actors linked to the campaign.
+
+ID | Actor | Confidence
+-- | ----- | ----------
+1 | [IcedID](https://vuldb.com/?actor.icedid) | High
+2 | [UAC-0098](https://vuldb.com/?actor.uac-0098) | High
+
+## IOC - Indicator of Compromise
+
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of IcedID.
+
+ID | IP address | Hostname | Actor | Confidence
+-- | ---------- | -------- | ----- | ----------
+1 | [5.61.46.161](https://vuldb.com/?ip.5.61.46.161) | - | [IcedID](https://vuldb.com/?actor.icedid) | High
+2 | [5.149.252.179](https://vuldb.com/?ip.5.149.252.179) | hnh7.arenal.xyz | [IcedID](https://vuldb.com/?actor.icedid) | High
+3 | [31.24.224.12](https://vuldb.com/?ip.31.24.224.12) | 1f18e00c.setaptr.net | [IcedID](https://vuldb.com/?actor.icedid) | High
+4 | [31.24.228.170](https://vuldb.com/?ip.31.24.228.170) | 31.24.228.170.static.midphase.com | [IcedID](https://vuldb.com/?actor.icedid) | High
+5 | [31.184.199.11](https://vuldb.com/?ip.31.184.199.11) | dalesmanager.com | [IcedID](https://vuldb.com/?actor.icedid) | High
+6 | [37.120.222.100](https://vuldb.com/?ip.37.120.222.100) | - | [IcedID](https://vuldb.com/?actor.icedid) | High
+7 | [45.129.99.241](https://vuldb.com/?ip.45.129.99.241) | 354851-vds-mamozw.gmhost.pp.ua | [IcedID](https://vuldb.com/?actor.icedid) | High
+8 | [45.138.172.179](https://vuldb.com/?ip.45.138.172.179) | - | [IcedID](https://vuldb.com/?actor.icedid) | High
+9 | [45.147.228.198](https://vuldb.com/?ip.45.147.228.198) | - | [IcedID](https://vuldb.com/?actor.icedid) | High
+10 | [45.147.230.82](https://vuldb.com/?ip.45.147.230.82) | - | [IcedID](https://vuldb.com/?actor.icedid) | High
+11 | [45.147.230.88](https://vuldb.com/?ip.45.147.230.88) | mailnode7.bulletproof-mail.biz | [IcedID](https://vuldb.com/?actor.icedid) | High
+12 | [45.147.231.113](https://vuldb.com/?ip.45.147.231.113) | - | [IcedID](https://vuldb.com/?actor.icedid) | High
+13 | [45.153.240.135](https://vuldb.com/?ip.45.153.240.135) | - | [IcedID](https://vuldb.com/?actor.icedid) | High
+14 | [45.153.241.115](https://vuldb.com/?ip.45.153.241.115) | - | [IcedID](https://vuldb.com/?actor.icedid) | High
+15 | [46.17.98.191](https://vuldb.com/?ip.46.17.98.191) | - | [IcedID](https://vuldb.com/?actor.icedid) | High
+16 | 
[46.249.62.199](https://vuldb.com/?ip.46.249.62.199) | - | [IcedID](https://vuldb.com/?actor.icedid) | High
+17 | [79.141.161.176](https://vuldb.com/?ip.79.141.161.176) | zzs7bp73.copycomdigital.com | [IcedID](https://vuldb.com/?actor.icedid) | High
+18 | [79.141.164.241](https://vuldb.com/?ip.79.141.164.241) | x6ts.mtsgamingpro.fun | [IcedID](https://vuldb.com/?actor.icedid) | High
+19 | [79.141.166.39](https://vuldb.com/?ip.79.141.166.39) | webimpa.com | [IcedID](https://vuldb.com/?actor.icedid) | High
+20 | ... | ... | ... | ...
+
+There are 76 more IOC items available. Please use our online service to access the data.
+
+## TTP - Tactics, Techniques, Procedures
+
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used within IcedID. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
+2 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
+3 | T1068 | CWE-264, CWE-274, CWE-284 | Execution with Unnecessary Privileges | High
+4 | ... | ... | ... | ...
+
+There are 10 more TTP items available. Please use our online service to access the data.
+
+## IOA - Indicator of Attack
+
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during IcedID. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `/.vnc/sesman_${username}_passwd` | High
+2 | File | `/admin-document/@@share` | High
+3 | File | `/admin/index.php` | High
+4 | File | `/anony/mjpg.cgi` | High
+5 | File | `/bin/sh` | Low
+6 | File | `/cgi-bin/editBookmark` | High
+7 | File | `/cgi-bin/supervisor/PwdGrp.cgi` | High
+8 | File | `/etc/shadow` | Medium
+9 | File | `/EXCU_SHELL` | Medium
+10 | File | `/export` | Low
+11 | File | `/GetSimpleCMS-3.3.15/admin/log.php` | High
+12 | File | `/goform/addressNat` | High
+13 | File | `/iisadmpwd` | Medium
+14 | File | `/include/menu_v.inc.php` | High
+15 | File | `/lms/admin.php` | High
+16 | File | `/mc` | Low
+17 | File | `/opt/IBM/es/lib/libffq.cryptionjni.so` | High
+18 | File | `/opt/novell/ncl/bin/nwrights` | High
+19 | File | `/out.php` | Medium
+20 | File | `/proc/*/cmdline"` | High
+21 | File | `/proc/pid/syscall` | High
+22 | File | `/rest/review-coverage-chart/1.0/data//.json` | High
+23 | File | `/TeamMate/Upload/DomainObjectDocumentUpload.ashx` | High
+24 | File | `/uncpath/` | Medium
+25 | File | `/var/log/pcp/configs.sh` | High
+26 | File | `/webconsole/APIController` | High
+27 | File | `/wp-admin/admin-ajax.php` | High
+28 | File | `/WWW//app/admin/controller/admincontroller.php` | High
+29 | File | `a-b-membres.php` | High
+30 | File | `action.php` | Medium
+31 | File | `admin-search.php` | High
+32 | File | `admin.jcomments.php` | High
+33 | File | `admin/adminsignin.html` | High
+34 | File | `admin/index.php` | High
+35 | File | `admin/infoclass_update.php` | High
+36 | File | `admin/plugin.php` | High
+37 | File | `admin/test.php` | High
+38 | File | `admin/versions.html` | High
+39 | File | `administrator/index.php?option=com_pago&view=comments` | High
+40 | File | `Adminlog.asp` | Medium
+41 | File | `admin_iplog.php` | High
+42 | File | `ajax.php` | Medium
+43 | File | `ajax_admin_apis.php` | High
+44 | File | `ajax_php_pecl.php` | High
+45 | File | 
`allocate_block.cpp` | High
+46 | File | `api.cc` | Low
+47 | ... | ... | ...
+
+There are 407 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+
+## References
+
+The following list contains _external sources_ which discuss the campaign and the associated activities:
+
+* https://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html
+* https://cert.gov.ua/article/39609
+* https://isc.sans.edu/forums/diary/Analysis+from+March+2021+Traffic+Analysis+Quiz/27232/
+* https://isc.sans.edu/forums/diary/Emotet+infection+with+IcedID+banking+Trojan/24312/
+* https://isc.sans.edu/forums/diary/Emotet+infections+and+followup+malware/24532/
+* https://isc.sans.edu/forums/diary/Malspam+links+to+passwordprotected+Word+docs+that+push+IcedID+Bokbot/24428/
+* https://isc.sans.edu/forums/diary/Malspam+with+links+to+Word+docs+pushes+IcedID+Bokbot/25640/
+* https://isc.sans.edu/forums/diary/Malspam+with+passwordprotected+word+docs+still+pushing+IcedID+Bokbot+with+Trickbot/24708/
+* https://isc.sans.edu/forums/diary/Microsoft+Word+document+with+malicious+macro+pushes+IcedID+Bokbot/26146/
+* https://isc.sans.edu/forums/diary/One+Emotet+infection+leads+to+three+followup+malware+infections/24140/
+* https://research.checkpoint.com/2021/melting-ice-tracking-icedid-servers-with-a-few-simple-steps/
+* https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/
+* https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
+
+## Literature
+
+The following _articles_ explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). 
All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)! diff --git a/campaigns/Inception/README.md b/campaigns/Inception/README.md index 9f8a722f..a564f8bc 100644 --- a/campaigns/Inception/README.md +++ b/campaigns/Inception/README.md @@ -47,7 +47,7 @@ ID | Technique | Weakness | Description | Confidence 3 | T1068 | CWE-250, CWE-264, CWE-274, CWE-284 | Execution with Unnecessary Privileges | High 4 | ... | ... | ... | ... -There are 8 more TTP items available. Please use our online service to access the data. +There are 7 more TTP items available. Please use our online service to access the data. ## IOA - Indicator of Attack 
@@ -59,33 +59,31 @@ ID | Type | Indicator | Confidence 2 | File | `/admin/inbox.php&action=read` | High 3 | File | `/admin/news/news_mod.php` | High 4 | File | `/admin/page_edit/3` | High -5 | File | `/apps/acs-commons/content/page-compare.html` | High -6 | File | `/blog/blog.php` | High -7 | File | `/cgi-bin/uploadWeiXinPic` | High -8 | File | `/domain/service/.ewell-known/caldav` | High -9 | File | `/dvcset/sysset/set.cgi` | High -10 | File | `/example/editor` | High -11 | File | `/include/make.php` | High -12 | File | `/jquery_file_upload/server/php/index.php` | High -13 | File | `/mobile/SelectUsers.jsp` | High -14 | File | `/php/ajax.php` | High -15 | File | `/ProteinArraySignificanceTest.json` | High -16 | File | `/ptms/classes/Users.php` | High -17 | File | `/public/admin/index.php?add_product` | High -18 | File | `/system/bin/osi_bin` | High -19 | File | `/usr/local/bin/mjs` | High -20 | File | `/wp-content/uploads/jobmonster/` | High -21 | File | `/zbzedit/php/zbz.php` | High -22 | File | `ActiveServices.java` | High -23 | File | `admin/bad.php` | High -24 | File | `admin/dl_sendmail.php` | High -25 | File | `admin/htaccess/bpsunlock.php` | High -26 | File | `admin/pages/useredit.php` | High -27 | File | `AlertReceiver.java` | High -28 | File | `alfresco/s/admin/admin-nodebrowser` | High -29 | ... | ... | ... 
+5 | File | `/administrator/alerts/alertLightbox.php` | High +6 | File | `/apps/acs-commons/content/page-compare.html` | High +7 | File | `/blog/blog.php` | High +8 | File | `/cgi-bin/main.cgi` | High +9 | File | `/cgi-bin/uploadWeiXinPic` | High +10 | File | `/controller/Adv.php` | High +11 | File | `/domain/service/.ewell-known/caldav` | High +12 | File | `/dvcset/sysset/set.cgi` | High +13 | File | `/example/editor` | High +14 | File | `/include/make.php` | High +15 | File | `/jquery_file_upload/server/php/index.php` | High +16 | File | `/mobile/SelectUsers.jsp` | High +17 | File | `/php/ajax.php` | High +18 | File | `/ProteinArraySignificanceTest.json` | High +19 | File | `/ptms/classes/Users.php` | High +20 | File | `/public/admin/index.php?add_product` | High +21 | File | `/role/saveOrUpdateRole.do` | High +22 | File | `/system/bin/osi_bin` | High +23 | File | `/usr/local/bin/mjs` | High +24 | File | `/wp-content/uploads/jobmonster/` | High +25 | File | `/zbzedit/php/zbz.php` | High +26 | File | `ActiveServices.java` | High +27 | ... | ... | ... -There are 244 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. +There are 224 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data. ## References diff --git a/campaigns/India Power Grid/README.md b/campaigns/India Power Grid/README.md new file mode 100644 index 00000000..d5124cac --- /dev/null +++ b/campaigns/India Power Grid/README.md 
@@ -0,0 +1,67 @@
+# India Power Grid - Cyber Threat Intelligence
+
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _India Power Grid_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
+
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)
+
+## Countries
+
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with India Power Grid:
+
+* [CN](https://vuldb.com/?country.cn)
+
+## Actors
+
+These _actors_ are associated with India Power Grid or other actors linked to the campaign.
+
+ID | Actor | Confidence
+-- | ----- | ----------
+1 | [RedEcho](https://vuldb.com/?actor.redecho) | High
+
+## IOC - Indicator of Compromise
+
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of India Power Grid.
+
+ID | IP address | Hostname | Actor | Confidence
+-- | ---------- | -------- | ----- | ----------
+1 | [14.43.108.22](https://vuldb.com/?ip.14.43.108.22) | - | [RedEcho](https://vuldb.com/?actor.redecho) | High
+2 | [59.10.140.47](https://vuldb.com/?ip.59.10.140.47) | - | [RedEcho](https://vuldb.com/?actor.redecho) | High
+3 | [59.127.10.132](https://vuldb.com/?ip.59.127.10.132) | 59-127-10-132.hinet-ip.hinet.net | [RedEcho](https://vuldb.com/?actor.redecho) | High
+4 | [61.74.255.16](https://vuldb.com/?ip.61.74.255.16) | - | [RedEcho](https://vuldb.com/?actor.redecho) | High
+5 | ... | ... | ... | ...
+
+There are 18 more IOC items available. Please use our online service to access the data.
+
+## TTP - Tactics, Techniques, Procedures
+
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used within India Power Grid. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1059.007 | CWE-79 | Cross Site Scripting | High
+
+## IOA - Indicator of Attack
+
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during India Power Grid. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `lists/admin/template.php` | High
+2 | File | `PSOutputDev.cc` | High
+
+## References
+
+The following list contains _external sources_ which discuss the campaign and the associated activities:
+
+* https://go.recordedfuture.com/hubfs/reports/ta-2022-0406.pdf
+
+## Literature
+
+The following _articles_ explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
diff --git a/campaigns/Log4Shell/README.md b/campaigns/Log4Shell/README.md
index 180a065a..4acbc90e 100644
--- a/campaigns/Log4Shell/README.md
+++ b/campaigns/Log4Shell/README.md
@@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
 * [GB](https://vuldb.com/?country.gb)
 * ...
-There are 12 more country items available. Please use our online service to access the data.
+There are 10 more country items available. Please use our online service to access the data.
 ## Actors
@@ -101,7 +101,7 @@ ID | Technique | Weakness | Description | Confidence
 3 | T1068 | CWE-264, CWE-274, CWE-284 | Execution with Unnecessary Privileges | High
 4 | ... | ... | ... | ...
-There are 9 more TTP items available. Please use our online service to access the data.
+There are 8 more TTP items available. Please use our online service to access the data.
 ## IOA - Indicator of Attack
@@ -111,44 +111,44 @@ ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
 1 | File | `/admin.php/admin/ulog/index.html` | High
 2 | File | `/admin.php/admin/website/data.html` | High
-3 | File | `/admin.php?id=siteoptions&social=edit&sid=2` | High
-4 | File | `/admin/config` | High
-5 | File | `/admin/inbox.php&action=delete` | High
-6 | File | `/admin/pagerole.php&action=display&value=1` | High
-7 | File | `/admin/posts.php&action=delete` | High
-8 | File | `/admin/show.php` | High
-9 | File | `/agenttrayicon` | High
-10 | File | `/api/crontab` | Medium
-11 | File | `/app/controller/Books.php` | High
-12 | File | `/app/elkarbackup/src/Binovo/ElkarBackupBundle/Controller/DefaultController.php` | High
-13 | File | `/apply.cgi` | Medium
-14 | File | `/cdsms/classes/Master.php?f=delete_package` | High
-15 | File | `/cgi-bin/uploadWeiXinPic` | High
-16 | File | `/cwms/admin/?page=articles/view_article/` | High
-17 | File | `/data/sqldata` | High
-18 | File | `/etc/ajenti/config.yml` | High
-19 | File | `/etc/master.passwd` | High
-20 | File | `/etc/zarafa/license` | High
-21 | File | `/export` | Low
-22 | File | `/goform/form2Reboot.cgi` | High
-23 | File | `/goform/login_process` | High
-24 | File | `/goform/setAdInfoDetail` | High
-25 | File | `/goform/setFixTools` | High
-26 | File | `/goform/SetInternetLanInfo` | High
-27 | File | `/goform/setPicListItem` | High
-28 | File | `/include/chart_generator.php` | High
-29 | File | `/include/up.php` | High
-30 | File | `/jpg/image.jpg` | High
-31 | File | `/lan.asp` | Medium
-32 | File | `/mims/app/addcustomerHandler.php` | High
-33 | File | `/modules/eligibility/Student.php` | High
-34 | File | `/one_church/churchprofile.php` | High
-35 | File | `/preauth` | Medium
-36 | File | `/ptms/?page=user` | High
-37 | File | `/ptms/classes/Users.php` | High
+3 | File | `/admin.php/Plugins/update.html` | High
+4 | File | `/admin.php?id=siteoptions&social=edit&sid=2` | High
+5 | File | `/admin/config` | High
+6 | File | `/admin/inbox.php&action=delete` | High
+7 | File | `/admin/pagerole.php&action=display&value=1` | High
+8 | File | `/admin/posts.php` | High
+9 | File | `/admin/posts.php&action=delete` | High
+10 | File | `/admin/siteoptions.php&action=displaygoal&value=1&roleid=1` | High
+11 | File | `/admin/uesrs.php&action=type&userrole=User` | High
+12 | File | `/administrator/alerts/alertLightbox.php` | High
+13 | File | `/agenttrayicon` | High
+14 | File | `/api/crontab` | Medium
+15 | File | `/api/students/me/messages/` | High
+16 | File | `/app/controller/Books.php` | High
+17 | File | `/app/elkarbackup/src/Binovo/ElkarBackupBundle/Controller/DefaultController.php` | High
+18 | File | `/apply.cgi` | Medium
+19 | File | `/apps/acs-commons/content/page-compare.html` | High
+20 | File | `/cdsms/classes/Master.php?f=delete_enrollment` | High
+21 | File | `/cdsms/classes/Master.php?f=delete_package` | High
+22 | File | `/customer_register.php` | High
+23 | File | `/cwms/admin/?page=articles/view_article/` | High
+24 | File | `/etc/ajenti/config.yml` | High
+25 | File | `/etc/master.passwd` | High
+26 | File | `/etc/zarafa/license` | High
+27 | File | `/export` | Low
+28 | File | `/goform/login_process` | High
+29 | File | `/hocms/classes/Master.php?f=delete_collection` | High
+30 | File | `/hocms/classes/Master.php?f=delete_member` | High
+31 | File | `/include/chart_generator.php` | High
+32 | File | `/include/up.php` | High
+33 | File | `/jpg/image.jpg` | High
+34 | File | `/lan.asp` | Medium
+35 | File | `/mims/app/addcustomerHandler.php` | High
+36 | File | `/modules/eligibility/Student.php` | High
+37 | File | `/one_church/churchprofile.php` | High
 38 | ... | ... | ...
-There are 324 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 331 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
 ## References
diff --git a/campaigns/OpBlueRaven/README.md b/campaigns/OpBlueRaven/README.md
index 0730a63e..18be030b 100644
--- a/campaigns/OpBlueRaven/README.md
+++ b/campaigns/OpBlueRaven/README.md
@@ -100,7 +100,7 @@ ID | Type | Indicator | Confidence
 35 | File | `admin.php` | Medium
 36 | ... | ... | ...
-There are 307 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 310 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
 ## References
diff --git a/campaigns/PlugX/README.md b/campaigns/PlugX/README.md
index 5600ef24..d356c9bc 100644
--- a/campaigns/PlugX/README.md
+++ b/campaigns/PlugX/README.md
@@ -10,7 +10,10 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
 * [CN](https://vuldb.com/?country.cn)
 * [US](https://vuldb.com/?country.us)
-* [DE](https://vuldb.com/?country.de)
+* [RU](https://vuldb.com/?country.ru)
+* ...
+
+There are 8 more country items available. Please use our online service to access the data.
 ## Actors
@@ -20,6 +23,7 @@ ID | Actor | Confidence
 -- | ----- | ----------
 1 | [TA459](https://vuldb.com/?actor.ta459) | High
 2 | [PlugX](https://vuldb.com/?actor.plugx) | High
+3 | [Mustang Panda](https://vuldb.com/?actor.mustang_panda) | High
 ## IOC - Indicator of Compromise
@@ -27,12 +31,17 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
 ID | IP address | Hostname | Actor | Confidence
 -- | ---------- | -------- | ----- | ----------
-1 | [34.92.30.54](https://vuldb.com/?ip.34.92.30.54) | 54.30.92.34.bc.googleusercontent.com | [PlugX](https://vuldb.com/?actor.plugx) | Medium
-2 | [35.220.176.90](https://vuldb.com/?ip.35.220.176.90) | 90.176.220.35.bc.googleusercontent.com | [PlugX](https://vuldb.com/?actor.plugx) | Medium
-3 | [43.252.175.119](https://vuldb.com/?ip.43.252.175.119) | - | [TA459](https://vuldb.com/?actor.ta459) | High
-4 | ... | ... | ... | ...
+1 | [13.213.157.52](https://vuldb.com/?ip.13.213.157.52) | ec2-13-213-157-52.ap-southeast-1.compute.amazonaws.com | [PlugX](https://vuldb.com/?actor.plugx) | Medium
+2 | [18.138.107.235](https://vuldb.com/?ip.18.138.107.235) | ec2-18-138-107-235.ap-southeast-1.compute.amazonaws.com | [PlugX](https://vuldb.com/?actor.plugx) | Medium
+3 | [34.92.30.54](https://vuldb.com/?ip.34.92.30.54) | 54.30.92.34.bc.googleusercontent.com | [PlugX](https://vuldb.com/?actor.plugx) | Medium
+4 | [34.96.224.146](https://vuldb.com/?ip.34.96.224.146) | 146.224.96.34.bc.googleusercontent.com | [PlugX](https://vuldb.com/?actor.plugx) | Medium
+5 | [35.220.176.90](https://vuldb.com/?ip.35.220.176.90) | 90.176.220.35.bc.googleusercontent.com | [PlugX](https://vuldb.com/?actor.plugx) | Medium
+6 | [35.220.214.142](https://vuldb.com/?ip.35.220.214.142) | 142.214.220.35.bc.googleusercontent.com | [PlugX](https://vuldb.com/?actor.plugx) | Medium
+7 | [43.252.175.119](https://vuldb.com/?ip.43.252.175.119) | - | [TA459](https://vuldb.com/?actor.ta459) | High
+8 | [45.32.125.79](https://vuldb.com/?ip.45.32.125.79) | manages.space | [PlugX](https://vuldb.com/?actor.plugx) | High
+9 | ... | ... | ... | ...
-There are 9 more IOC items available. Please use our online service to access the data.
+There are 34 more IOC items available. Please use our online service to access the data.
 ## TTP - Tactics, Techniques, Procedures
@@ -42,10 +51,10 @@ ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
 1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
 2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
-3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
+3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
 4 | ... | ... | ... | ...
-There are 5 more TTP items available. Please use our online service to access the data.
+There are 6 more TTP items available. Please use our online service to access the data.
 ## IOA - Indicator of Attack
@@ -54,46 +63,62 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
 1 | File | `$JENKINS_HOME/jenkins.security.RekeySecretAdminMonitor/backups` | High
-2 | File | `/admin/` | Low
-3 | File | `/admin/?/plugin/comment/settings` | High
-4 | File | `/admin/ajax/file-browser/upload/` | High
-5 | File | `/admin/index.php` | High
-6 | File | `/api/filemanager` | High
-7 | File | `/api/request/?OPERATION_NAME` | High
-8 | File | `/apparel--accessories` | High
-9 | File | `/apply_noauth.cgi` | High
-10 | File | `/catalog/admin/categories.php?cPath=&action=new_product` | High
-11 | File | `/domains/index.fts` | High
-12 | File | `/DroboAccess/delete_user` | High
-13 | File | `/foundry/modules/news/newscolumns.php` | High
-14 | File | `/GponForm/device_Form?script/` | High
-15 | File | `/media/api` | Medium
-16 | File | `/member/test/points` | High
-17 | File | `/Mum.Geo.Services/DataAccessService.svc` | High
-18 | File | `/port_3480` | Medium
-19 | File | `/q` | Low
-20 | File | `/service-list` | High
-21 | File | `/smstest.html` | High
-22 | File | `/tmp` | Low
-23 | File | `/tmp/kamailio_fifo` | High
-24 | File | `/tmp/scfgdndf` | High
-25 | File | `/view/friend_profile.php` | High
-26 | File | `AccessManagerCoreService.exe` | High
-27 | File | `actions/doreport.php` | High
-28 | File | `addlyricsform.php` | High
-29 | File | `addmerchpicform.php` | High
-30 | File | `addresses_export.php` | High
-31 | File | `adherents/cartes/carte.php` | High
-32 | File | `admin.php?m=Member&a=adminaddsave` | High
-33 | ... | ... | ...
+2 | File | `/+CSCOE+/logon.html` | High
+3 | File | `/admin/` | Low
+4 | File | `/admin/?/plugin/comment/settings` | High
+5 | File | `/admin/ajax/file-browser/upload/` | High
+6 | File | `/admin/index.php` | High
+7 | File | `/api/filemanager` | High
+8 | File | `/api/request/?OPERATION_NAME` | High
+9 | File | `/api/trackedEntityInstances` | High
+10 | File | `/apparel--accessories` | High
+11 | File | `/apply_noauth.cgi` | High
+12 | File | `/context/%2e/WEB-INF/web.xml` | High
+13 | File | `/domains/index.fts` | High
+14 | File | `/download` | Medium
+15 | File | `/DroboAccess/delete_user` | High
+16 | File | `/foundry/modules/news/newscolumns.php` | High
+17 | File | `/ghost/preview` | High
+18 | File | `/GponForm/device_Form?script/` | High
+19 | File | `/LDMS/frm_splitfrm.aspx` | High
+20 | File | `/media/api` | Medium
+21 | File | `/member/test/points` | High
+22 | File | `/modules/profile/index.php` | High
+23 | File | `/Mum.Geo.Services/DataAccessService.svc` | High
+24 | File | `/NAGErrors` | Medium
+25 | File | `/port_3480` | Medium
+26 | File | `/q` | Low
+27 | File | `/secure/QueryComponent!Default.jspa` | High
+28 | File | `/service-list` | High
+29 | File | `/smstest.html` | High
+30 | File | `/start-stop` | Medium
+31 | File | `/tmp` | Low
+32 | File | `/tmp/kamailio_fifo` | High
+33 | File | `/tmp/scfgdndf` | High
+34 | File | `/uncpath/` | Medium
+35 | File | `/view/friend_profile.php` | High
+36 | File | `/WEB-INF/web.xml` | High
+37 | File | `/wp-json/oembed/1.0/embed?url` | High
+38 | File | `AccessManagerCoreService.exe` | High
+39 | File | `actions/authenticate.php` | High
+40 | File | `actions/doreport.php` | High
+41 | File | `addlyricsform.php` | High
+42 | File | `addmerchpicform.php` | High
+43 | ... | ... | ...
-There are 280 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 372 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
 ## References
 The following list contains _external sources_ which discuss the campaign and the associated activities:
+* https://twitter.com/0xrb/status/1469184108030955529
+* https://twitter.com/0xrb/status/1470678183301181441
+* https://twitter.com/0xrb/status/1478253942123347968
 * https://twitter.com/0xrb/status/1482976719300890629
+* https://twitter.com/0xrb/status/1484467191445475328
+* https://twitter.com/xorhex/status/1406496693735067650
+* https://twitter.com/xorhex/status/1422815329684758537
 * https://www.threatminer.org/report.php?q=InPursuitofOpticalFibersandTroopIntel_TargetedAttackDistributesPlugXinRussia_Proofpoint.pdf&y=2015
 ## Literature
diff --git a/campaigns/Rocket Kitten/README.md b/campaigns/Rocket Kitten/README.md
index 4ba38e94..b0c2f88e 100644
--- a/campaigns/Rocket Kitten/README.md
+++ b/campaigns/Rocket Kitten/README.md
@@ -22,6 +22,7 @@ These _actors_ are associated with Rocket Kitten or other actors linked to the c
 ID | Actor | Confidence
 -- | ----- | ----------
 1 | [Magic Hound](https://vuldb.com/?actor.magic_hound) | High
+2 | [Rocket Kitten](https://vuldb.com/?actor.rocket_kitten) | High
 ## IOC - Indicator of Compromise
@@ -38,17 +39,18 @@ ID | IP address | Hostname | Actor | Confidence
 7 | [5.145.151.6](https://vuldb.com/?ip.5.145.151.6) | ip-5-145-151-6.hosts.businesscomnetworks.com | [Magic Hound](https://vuldb.com/?actor.magic_hound) | High
 8 | [5.145.151.7](https://vuldb.com/?ip.5.145.151.7) | ip-5-145-151-7.hosts.businesscomnetworks.com | [Magic Hound](https://vuldb.com/?actor.magic_hound) | High
 9 | [31.192.105.10](https://vuldb.com/?ip.31.192.105.10) | - | [Magic Hound](https://vuldb.com/?actor.magic_hound) | High
-10 | [84.11.146.52](https://vuldb.com/?ip.84.11.146.52) | host-84-11-146-52.customer.teleport-iabg.de | [Magic Hound](https://vuldb.com/?actor.magic_hound) | High
-11 | [84.11.146.53](https://vuldb.com/?ip.84.11.146.53) | host-84-11-146-53.customer.teleport-iabg.de | [Magic Hound](https://vuldb.com/?actor.magic_hound) | High
-12 | [84.11.146.54](https://vuldb.com/?ip.84.11.146.54) | host-84-11-146-54.customer.teleport-iabg.de | [Magic Hound](https://vuldb.com/?actor.magic_hound) | High
-13 | [84.11.146.55](https://vuldb.com/?ip.84.11.146.55) | host-84-11-146-55.customer.teleport-iabg.de | [Magic Hound](https://vuldb.com/?actor.magic_hound) | High
-14 | [84.11.146.56](https://vuldb.com/?ip.84.11.146.56) | host-84-11-146-56.customer.teleport-iabg.de | [Magic Hound](https://vuldb.com/?actor.magic_hound) | High
-15 | [84.11.146.57](https://vuldb.com/?ip.84.11.146.57) | host-84-11-146-57.customer.teleport-iabg.de | [Magic Hound](https://vuldb.com/?actor.magic_hound) | High
-16 | [84.11.146.58](https://vuldb.com/?ip.84.11.146.58) | host-84-11-146-58.customer.teleport-iabg.de | [Magic Hound](https://vuldb.com/?actor.magic_hound) | High
-17 | [84.11.146.59](https://vuldb.com/?ip.84.11.146.59) | host-84-11-146-59.customer.teleport-iabg.de | [Magic Hound](https://vuldb.com/?actor.magic_hound) | High
-18 | ... | ... | ... | ...
+10 | [83.170.33.37](https://vuldb.com/?ip.83.170.33.37) | host-83-170-33-37.customer.teleport-iabg.de | [Rocket Kitten](https://vuldb.com/?actor.rocket_kitten) | High
+11 | [83.170.33.60](https://vuldb.com/?ip.83.170.33.60) | host-83-170-33-60.customer.teleport-iabg.de | [Rocket Kitten](https://vuldb.com/?actor.rocket_kitten) | High
+12 | [83.170.33.80](https://vuldb.com/?ip.83.170.33.80) | host-83-170-33-80.customer.teleport-iabg.de | [Rocket Kitten](https://vuldb.com/?actor.rocket_kitten) | High
+13 | [83.170.43.67](https://vuldb.com/?ip.83.170.43.67) | host-83-170-43-67.customer.teleport-iabg.de | [Rocket Kitten](https://vuldb.com/?actor.rocket_kitten) | High
+14 | [84.11.75.220](https://vuldb.com/?ip.84.11.75.220) | host-84-11-75-220.customer.teleport-iabg.de | [Rocket Kitten](https://vuldb.com/?actor.rocket_kitten) | High
+15 | [84.11.146.52](https://vuldb.com/?ip.84.11.146.52) | host-84-11-146-52.customer.teleport-iabg.de | [Magic Hound](https://vuldb.com/?actor.magic_hound) | High
+16 | [84.11.146.53](https://vuldb.com/?ip.84.11.146.53) | host-84-11-146-53.customer.teleport-iabg.de | [Magic Hound](https://vuldb.com/?actor.magic_hound) | High
+17 | [84.11.146.54](https://vuldb.com/?ip.84.11.146.54) | host-84-11-146-54.customer.teleport-iabg.de | [Magic Hound](https://vuldb.com/?actor.magic_hound) | High
+18 | [84.11.146.55](https://vuldb.com/?ip.84.11.146.55) | host-84-11-146-55.customer.teleport-iabg.de | [Magic Hound](https://vuldb.com/?actor.magic_hound) | High
+19 | ... | ... | ... | ...
-There are 69 more IOC items available. Please use our online service to access the data.
+There are 73 more IOC items available. Please use our online service to access the data.
 ## TTP - Tactics, Techniques, Procedures
@@ -58,10 +60,10 @@ ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
 1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
 2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
-3 | T1211 | CWE-254, CWE-358 | 7PK Security Features | High
+3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
 4 | ... | ... | ... | ...
-There are 4 more TTP items available. Please use our online service to access the data.
+There are 6 more TTP items available. Please use our online service to access the data.
 ## IOA - Indicator of Attack
@@ -75,30 +77,34 @@ ID | Type | Indicator | Confidence
 4 | File | `/admin/loginc.php` | High
 5 | File | `/auditLogAction.do` | High
 6 | File | `/cgi-bin/wapopen` | High
-7 | File | `/etc/ajenti/config.yml` | High
-8 | File | `/etc/sudoers` | Medium
-9 | File | `/getcfg.php` | Medium
-10 | File | `/GetCSSashx/?CP=%2fwebconfig` | High
-11 | File | `/plugin` | Low
-12 | File | `/rating.php` | Medium
-13 | File | `/services/prefs.php` | High
-14 | File | `/src/njs_object.c` | High
-15 | File | `/uncpath/` | Medium
-16 | File | `/wordpress-gallery-transformation/gallery.php` | High
-17 | File | `adclick.php` | Medium
-18 | File | `add_to_cart.php` | High
-19 | File | `admin.php` | Medium
-20 | File | `admin/config/confmgr.php` | High
-21 | File | `admin/index.php` | High
-22 | ... | ... | ...
+7 | File | `/devices/acurite.c` | High
+8 | File | `/etc/ajenti/config.yml` | High
+9 | File | `/etc/sudoers` | Medium
+10 | File | `/example/editor` | High
+11 | File | `/getcfg.php` | Medium
+12 | File | `/GetCSSashx/?CP=%2fwebconfig` | High
+13 | File | `/goform/login_process` | High
+14 | File | `/goform/rlmswitchr_process` | High
+15 | File | `/goforms/rlminfo` | High
+16 | File | `/plugin` | Low
+17 | File | `/rating.php` | Medium
+18 | File | `/scas/admin/` | Medium
+19 | File | `/scas/classes/Users.php?f=save_user` | High
+20 | File | `/services/prefs.php` | High
+21 | File | `/src/njs_object.c` | High
+22 | File | `/uncpath/` | Medium
+23 | File | `/wordpress-gallery-transformation/gallery.php` | High
+24 | File | `adclick.php` | Medium
+25 | ... | ... | ...
-There are 187 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 209 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
 ## References
 The following list contains _external sources_ which discuss the campaign and the associated activities:
 * https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf
+* https://isc.sans.edu/forums/diary/Rocket+Kitten+Is+it+still+APT+if+you+can+buy+it+off+the+shelf/19123/
 ## Literature
diff --git a/campaigns/Spark/README.md b/campaigns/Spark/README.md
index ddaac55b..1a4a0df9 100644
--- a/campaigns/Spark/README.md
+++ b/campaigns/Spark/README.md
@@ -77,9 +77,10 @@ ID | Type | Indicator | Confidence
 19 | File | `apport/hookutils.py` | High
 20 | File | `auth_changepassword.php` | High
 21 | File | `auth_profile.php` | High
-22 | ... | ... | ...
+22 | File | `base/PdfParser.cpp` | High
+23 | ... | ... | ...
-There are 187 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 188 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
 ## References
diff --git a/campaigns/Tomiris/README.md b/campaigns/Tomiris/README.md
index 8723f12b..75631433 100644
--- a/campaigns/Tomiris/README.md
+++ b/campaigns/Tomiris/README.md
@@ -50,7 +50,7 @@ ID | Type | Indicator | Confidence
 3 | File | `/public/login.htm` | High
 4 | ... | ... | ...
-There are 9 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 10 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
 ## References
diff --git a/campaigns/Ukraine/README.md b/campaigns/Ukraine/README.md
index 33b622c3..1c1384ae 100644
--- a/campaigns/Ukraine/README.md
+++ b/campaigns/Ukraine/README.md
@@ -76,11 +76,11 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
 1 | T1059.007 | CWE-79 | Cross Site Scripting | High
-2 | T1068 | CWE-250, CWE-274, CWE-284 | Execution with Unnecessary Privileges | High
-3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
+2 | T1068 | CWE-284 | Execution with Unnecessary Privileges | High
+3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
 4 | ... | ... | ... | ...
-There are 6 more TTP items available. Please use our online service to access the data.
+There are 3 more TTP items available. Please use our online service to access the data.
 ## IOA - Indicator of Attack
@@ -93,22 +93,15 @@ ID | Type | Indicator | Confidence
 3 | File | `/admin.php?id=siteoptions&social=edit&sid=2` | High
 4 | File | `/admin/inbox.php&action=delete` | High
 5 | File | `/admin/inbox.php&action=read` | High
-6 | File | `/admin/index.php` | High
-7 | File | `/admin/login.php` | High
-8 | File | `/admin/pagerole.php&action=display&value=1` | High
-9 | File | `/admin/pagerole.php&action=edit` | High
-10 | File | `/admin/posts.php` | High
-11 | File | `/admin/posts.php&action=delete` | High
-12 | File | `/admin/posts.php&action=edit` | High
-13 | File | `/admin/siteoptions.php&social=remove&sid=2` | High
-14 | File | `/admin/uesrs.php&action=display&value=Show` | High
-15 | File | `/admin/uploads.php` | High
-16 | File | `/apps/acs-commons/content/page-compare.html` | High
-17 | File | `/blog/blog.php` | High
-18 | File | `/cdsms/classes/Master.php?f=delete_enrollment` | High
-19 | ... | ... | ...
+6 | File | `/admin/pagerole.php&action=display&value=1` | High
+7 | File | `/admin/pagerole.php&action=edit` | High
+8 | File | `/admin/posts.php` | High
+9 | File | `/admin/posts.php&action=delete` | High
+10 | File | `/admin/posts.php&action=edit` | High
+11 | File | `/admin/siteoptions.php&action=displaygoal&value=1&roleid=1` | High
+12 | ... | ... | ...
-There are 160 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 96 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
 ## References
diff --git a/campaigns/Volgmer/README.md b/campaigns/Volgmer/README.md
index 2f23a3dc..f497f69a 100644
--- a/campaigns/Volgmer/README.md
+++ b/campaigns/Volgmer/README.md
@@ -74,39 +74,38 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
-1 | File | `%PROGRAMDATA%\OpenVPN Connect\drivers\tap\amd64\win10` | High
-2 | File | `/+CSCOE+/logon.html` | High
-3 | File | `/../conf/config.properties` | High
-4 | File | `/alumni/admin/ajax.php?action=save_settings` | High
-5 | File | `/auth/session` | High
-6 | File | `/catcompany.php` | High
-7 | File | `/cgi-bin/webproc` | High
-8 | File | `/etc/passwd` | Medium
-9 | File | `/exponent_constants.php` | High
-10 | File | `/export` | Low
-11 | File | `/forgetpassword.php` | High
-12 | File | `/forum/away.php` | High
-13 | File | `/front/document.form.php` | High
-14 | File | `/ibi_apps/WFServlet.cfg` | High
-15 | File | `/include/chart_generator.php` | High
-16 | File | `/modules/profile/index.php` | High
-17 | File | `/out.php` | Medium
-18 | File | `/proc/sysvipc/sem` | High
-19 | File | `/rest/collectors/1.0/template/custom` | High
-20 | File | `/RestAPI` | Medium
-21 | File | `/search.php` | Medium
-22 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
-23 | File | `/secure/admin/ViewInstrumentation.jspa` | High
-24 | File | `/trigger` | Medium
-25 | File | `/uncpath/` | Medium
-26 | File | `/user/login/oauth` | High
-27 | File | `/usr/bin/pkexec` | High
-28 | File | `/usr/doc` | Medium
-29 | File | `/WEB-INF/web.xml` | High
-30 | File | `/webpages/data` | High
-31 | ... | ... | ...
+1 | File | `/+CSCOE+/logon.html` | High
+2 | File | `/../conf/config.properties` | High
+3 | File | `/alumni/admin/ajax.php?action=save_settings` | High
+4 | File | `/auth/session` | High
+5 | File | `/catcompany.php` | High
+6 | File | `/cgi-bin/webproc` | High
+7 | File | `/etc/passwd` | Medium
+8 | File | `/exponent_constants.php` | High
+9 | File | `/export` | Low
+10 | File | `/forgetpassword.php` | High
+11 | File | `/forum/away.php` | High
+12 | File | `/front/document.form.php` | High
+13 | File | `/ibi_apps/WFServlet.cfg` | High
+14 | File | `/include/chart_generator.php` | High
+15 | File | `/modules/profile/index.php` | High
+16 | File | `/out.php` | Medium
+17 | File | `/proc/sysvipc/sem` | High
+18 | File | `/rest/collectors/1.0/template/custom` | High
+19 | File | `/RestAPI` | Medium
+20 | File | `/search.php` | Medium
+21 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
+22 | File | `/secure/admin/ViewInstrumentation.jspa` | High
+23 | File | `/trigger` | Medium
+24 | File | `/uncpath/` | Medium
+25 | File | `/user/login/oauth` | High
+26 | File | `/usr/bin/pkexec` | High
+27 | File | `/usr/doc` | Medium
+28 | File | `/WEB-INF/web.xml` | High
+29 | File | `/webpages/data` | High
+30 | ... | ... | ...
-There are 260 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 259 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
 ## References
diff --git a/campaigns/Wocao/README.md b/campaigns/Wocao/README.md
index 3f82ee88..ae560d49 100644
--- a/campaigns/Wocao/README.md
+++ b/campaigns/Wocao/README.md
@@ -10,10 +10,10 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
 * [US](https://vuldb.com/?country.us)
 * [RU](https://vuldb.com/?country.ru)
-* [DE](https://vuldb.com/?country.de)
+* [IL](https://vuldb.com/?country.il)
 * ...
-There are 6 more country items available. Please use our online service to access the data.
+There are 7 more country items available. Please use our online service to access the data.
 ## Actors
@@ -47,7 +47,7 @@ ID | Technique | Weakness | Description | Confidence
 3 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
 4 | ... | ... | ... | ...
-There are 9 more TTP items available. Please use our online service to access the data.
+There are 8 more TTP items available. Please use our online service to access the data.
 ## IOA - Indicator of Attack
@@ -55,44 +55,47 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
-1 | File | `/.htaccess` | Medium
-2 | File | `/admin.php/admin/art/data.html` | High
-3 | File | `/admin.php/admin/ulog/index.html` | High
-4 | File | `/admin.php/admin/vod/data.html` | High
-5 | File | `/admin/goods/update` | High
-6 | File | `/admin/login.php` | High
-7 | File | `/admin/templates/template_manage.php` | High
-8 | File | `/api/eventinstance` | High
-9 | File | `/api /v3/auth` | High
-10 | File | `/blog/blog.php` | High
-11 | File | `/cgi-bin/uploadAccessCodePic` | High
-12 | File | `/cloud_config/router_post/check_reset_pwd_verify_code` | High
-13 | File | `/cloud_config/router_post/upgrade_info` | High
-14 | File | `/cwms/admin/?page=articles/view_article/` | High
-15 | File | `/cwms/classes/Master.php?f=save_contact` | High
-16 | File | `/data/sqldata` | High
-17 | File | `/DataPackageTable` | High
-18 | File | `/download/` | Medium
-19 | File | `/etc/puppetlabs/puppetserver/conf.d/ca.conf` | High
-20 | File | `/etc/zarafa/license` | High
-21 | File | `/factor/avx-ecm/vecarith52.c` | High
-22 | File | `/goform/delAd` | High
-23 | File | `/goform/form2Reboot.cgi` | High
-24 | File | `/goform/login_process` | High
-25 | File | `/goform/SetLanInfo` | High
-26 | File | `/i/:data/ipa.plist` | High
-27 | File | `/include/make.php` | High
-28 | File | `/jpg/image.jpg` | High
-29 | File | `/login` | Low
-30 | File | `/nova/bin/traceroute` | High
-31 | File | `/one_church/churchprofile.php` | High
-32 | File | `/one_church/userregister.php` | High
-33 | File | `/php/ajax.php` | High
-34 | File | `/plesk-site-preview/` | High
-35 | File | `/public/admin/index.php?add_product` | High
-36 | ... | ... | ...
+1 | File | `/admin.php/admin/art/data.html` | High
+2 | File | `/admin.php/admin/vod/data.html` | High
+3 | File | `/admin.php?id=siteoptions&social=edit&sid=2` | High
+4 | File | `/admin.php?r=admin/AdminBackup/del` | High
+5 | File | `/admin/edit.php` | High
+6 | File | `/admin/goods/update` | High
+7 | File | `/admin/inbox.php&action=delete` | High
+8 | File | `/admin/inbox.php&action=read` | High
+9 | File | `/admin/pagerole.php&action=edit` | High
+10 | File | `/admin/posts.php` | High
+11 | File | `/admin/posts.php&action=delete` | High
+12 | File | `/admin/siteoptions.php&action=displaygoal&value=1&roleid=1` | High
+13 | File | `/admin/siteoptions.php&social=remove&sid=2` | High
+14 | File | `/admin/uesrs.php&&action=delete&userid=4` | High
+15 | File | `/admin/uesrs.php&action=display&value=Hide` | High
+16 | File | `/admin/uesrs.php&action=display&value=Show` | High
+17 | File | `/admin/uesrs.php&action=type&userrole=User` | High
+18 | File | `/administrator/alerts/alertLightbox.php` | High
+19 | File | `/api/eventinstance` | High
+20 | File | `/api /v3/auth` | High
+21 | File | `/appliance/users?action=edit` | High
+22 | File | `/apps/acs-commons/content/page-compare.html` | High
+23 | File | `/blog/blog.php` | High
+24 | File | `/cdsms/classes/Master.php?f=delete_package` | High
+25 | File | `/cmd?cmd=connect` | High
+26 | File | `/cwms/admin/?page=articles/view_article/` | High
+27 | File | `/cwms/classes/Master.php?f=save_contact` | High
+28 | File | `/etc/puppetlabs/puppetserver/conf.d/ca.conf` | High
+29 | File | `/etc/zarafa/license` | High
+30 | File | `/goform/login_process` | High
+31 | File | `/hocms/classes/Master.php?f=delete_member` | High
+32 | File | `/hocms/classes/Master.php?f=delete_phase` | High
+33 | File | `/include/make.php` | High
+34 | File | `/index.php?m=admin&c=custom&a=plugindelhandle` | High
+35 | File | `/jpg/image.jpg` | High
+36 | File | `/login` | Low
+37 | File | `/manager/files` | High
+38 | File | `/module/api.php?mobile/wapNasIPS` | High
+39 | ... | ... | ...
-There are 304 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 340 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
 ## References