Update

This commit is contained in:
parent 7154e3668a
commit 0075741c28
@ -0,0 +1,68 @@
# APP84VN - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APP84VN](https://vuldb.com/?actor.app84vn). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.app84vn](https://vuldb.com/?actor.app84vn)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APP84VN:

* [CN](https://vuldb.com/?country.cn)
* [US](https://vuldb.com/?country.us)

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of APP84VN.

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [27.102.66.105](https://vuldb.com/?ip.27.102.66.105) | - | - | High
2 | [27.102.132.235](https://vuldb.com/?ip.27.102.132.235) | - | - | High
3 | [154.207.17.105](https://vuldb.com/?ip.154.207.17.105) | - | - | High
4 | ... | ... | ... | ...

There are 1 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _APP84VN_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 1 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APP84VN. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/anony/mjpg.cgi` | High
2 | File | `/product_list.php` | High
3 | File | `admin/?n=tags&c=index&a=doSaveTags` | High
4 | ... | ... | ...

There are 15 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://twitter.com/trungduc751995/status/1343822222901669888

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
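Review bot: in the TTP table, row 3 pairs Weakness CWE-798 with the Description "Improper Restriction of Excessive Authentication Attempts", but that title belongs to CWE-307; CWE-798 is "Use of Hard-coded Credentials". One of the two columns is wrong for that row, and the same pairing recurs in the other TTP hunks of this commit, so it is better fixed in the generator than per file. Two smaller points: the generated sentence "There are 1 more IOC items available" needs singular agreement ("There is 1 more IOC item available"), and the file carries no snapshot date, only the "1997-2022" range in the License section, so a reader cannot tell how old the three IOC addresses are; a generated-at date next to the "Live data" line would fix that.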
@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [DE](https://vuldb.com/?country.de)
* ...

There are 21 more country items available. Please use our online service to access the data.
There are 20 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

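Review bot: the only change in this hunk is the tail count ("21 more" to "20 more"); the visible list (DE, ...) is unchanged, so the country that was dropped cannot be reviewed from the diff. With a commit message that just says "Update", either name the removed entry in the message or have the generator emit the full country list instead of truncating it, so that the diff shows the actual change.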
@ -35,7 +35,7 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
2 | T1068 | CWE-250, CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

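Review bot: adding CWE-250 to the T1068 row makes the Weakness column consistent with the Description column, which already read "Execution with Unnecessary Privileges", the title of CWE-250; before this change the row cited only CWE-264 and CWE-284, neither of which carries that title. Row 3 still has the opposite problem (CWE-798 listed, CWE-307's title in the Description), so it is worth applying the same consistency check there while the generator is being touched.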
@ -51,63 +51,62 @@ ID | Type | Indicator | Confidence
2 | File | `/+CSCOE+/logon.html` | High
3 | File | `/assets/ctx` | Medium
4 | File | `/bsms/?page=products` | High
5 | File | `/cloud_config/router_post/check_reg_verify_code` | High
6 | File | `/concat?/%2557EB-INF/web.xml` | High
7 | File | `/config/getuser` | High
8 | File | `/debug/pprof` | Medium
9 | File | `/ext/phar/phar_object.c` | High
10 | File | `/filemanager/php/connector.php` | High
11 | File | `/get_getnetworkconf.cgi` | High
12 | File | `/HNAP1` | Low
13 | File | `/include/chart_generator.php` | High
14 | File | `/index.php?controller=calendar&format=raw&cat[0]=SQLi&task=events` | High
15 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
16 | File | `/modx/manager/index.php` | High
17 | File | `/osm/REGISTER.cmd` | High
18 | File | `/product_list.php` | High
19 | File | `/replication` | Medium
20 | File | `/siteminderagent/pwcgi/smpwservicescgi.exe` | High
21 | File | `/supervisor/procesa_carga.php` | High
22 | File | `/type.php` | Medium
23 | File | `/uncpath/` | Medium
24 | File | `/usr/bin/pkexec` | High
25 | File | `/zm/index.php` | High
26 | File | `4.2.0.CP09` | Medium
27 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
28 | File | `802dot1xclientcert.cgi` | High
29 | File | `add.exe` | Low
30 | File | `addentry.php` | Medium
31 | File | `admin-ajax.php` | High
32 | File | `admin.color.php` | High
33 | File | `admin.cropcanvas.php` | High
34 | File | `admin.joomlaradiov5.php` | High
35 | File | `admin.php` | Medium
36 | File | `admin.php?m=Food&a=addsave` | High
37 | File | `admin/conf_users_edit.php` | High
38 | File | `admin/index.php` | High
39 | File | `admin/user.php` | High
40 | File | `admin/write-post.php` | High
41 | File | `administrator/components/com_media/helpers/media.php` | High
42 | File | `admin_events.php` | High
43 | File | `ajax_new_account.php` | High
44 | File | `akocomments.php` | High
45 | File | `allopass-error.php` | High
46 | File | `announcement.php` | High
47 | File | `apply.cgi` | Medium
48 | File | `archiver\index.php` | High
49 | File | `artlinks.dispnew.php` | High
50 | File | `auth.inc.php` | Medium
51 | File | `authorization.do` | High
52 | File | `awstats.pl` | Medium
53 | File | `backoffice/login.asp` | High
5 | File | `/cgi-bin/system_mgr.cgi` | High
6 | File | `/cloud_config/router_post/check_reg_verify_code` | High
7 | File | `/concat?/%2557EB-INF/web.xml` | High
8 | File | `/config/getuser` | High
9 | File | `/debug/pprof` | Medium
10 | File | `/ext/phar/phar_object.c` | High
11 | File | `/filemanager/php/connector.php` | High
12 | File | `/get_getnetworkconf.cgi` | High
13 | File | `/HNAP1` | Low
14 | File | `/include/chart_generator.php` | High
15 | File | `/index.php?controller=calendar&format=raw&cat[0]=SQLi&task=events` | High
16 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
17 | File | `/modx/manager/index.php` | High
18 | File | `/osm/REGISTER.cmd` | High
19 | File | `/product_list.php` | High
20 | File | `/replication` | Medium
21 | File | `/siteminderagent/pwcgi/smpwservicescgi.exe` | High
22 | File | `/supervisor/procesa_carga.php` | High
23 | File | `/type.php` | Medium
24 | File | `/uncpath/` | Medium
25 | File | `/usr/bin/pkexec` | High
26 | File | `/zm/index.php` | High
27 | File | `4.2.0.CP09` | Medium
28 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
29 | File | `802dot1xclientcert.cgi` | High
30 | File | `add.exe` | Low
31 | File | `addentry.php` | Medium
32 | File | `admin-ajax.php` | High
33 | File | `admin.color.php` | High
34 | File | `admin.cropcanvas.php` | High
35 | File | `admin.joomlaradiov5.php` | High
36 | File | `admin.php` | Medium
37 | File | `admin.php?m=Food&a=addsave` | High
38 | File | `admin/conf_users_edit.php` | High
39 | File | `admin/index.php` | High
40 | File | `admin/user.php` | High
41 | File | `admin/write-post.php` | High
42 | File | `administrator/components/com_media/helpers/media.php` | High
43 | File | `admin_events.php` | High
44 | File | `ajax_new_account.php` | High
45 | File | `akocomments.php` | High
46 | File | `allopass-error.php` | High
47 | File | `announcement.php` | High
48 | File | `apply.cgi` | Medium
49 | File | `archiver\index.php` | High
50 | File | `artlinks.dispnew.php` | High
51 | File | `auth.inc.php` | Medium
52 | File | `authorization.do` | High
53 | File | `awstats.pl` | Medium
54 | File | `bb_usage_stats.php` | High
55 | File | `binder.c` | Medium
56 | File | `books.php` | Medium
57 | File | `C:\Python27` | Medium
58 | File | `C:\Windows\System32\config\SAM` | High
59 | ... | ... | ...
58 | ... | ... | ...

There are 516 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 510 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

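Review bot: almost every line in this hunk is renumbering rather than a content change. Inserting `/cgi-bin/system_mgr.cgi` at ID 5 shifts every following row by one, so rows 6 to 53 of the new list repeat rows 5 to 52 of the old list under a new number, and the real differences (`/cgi-bin/system_mgr.cgi` appears only in the new list, `backoffice/login.asp` only in the old one, the placeholder row moves from 59 to 58, and the tail count goes from 516 to 510) are buried in roughly a hundred lines of churn. If the ID column stays, it should be a stable identifier rather than a position in a sorted list; otherwise drop it, so that future diffs show only the entries that actually changed.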
@ -18,7 +18,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce

* [US](https://vuldb.com/?country.us)
* [RU](https://vuldb.com/?country.ru)
* [CH](https://vuldb.com/?country.ch)
* [CN](https://vuldb.com/?country.cn)
* ...

There are 9 more country items available. Please use our online service to access the data.
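Review bot: no line in this hunk differs between the two sides; the list (US, RU, CH, CN, ...) and the "9 more" count are identical, so whatever changed is invisible in the rendered view, most likely trailing whitespace or a line ending. Worth confirming that the generator writes consistent line endings, otherwise every run will keep producing no-op hunks like this one and inflating the commit.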
@ -109,7 +109,7 @@ ID | Type | Indicator | Confidence
31 | File | `authenticate.c` | High
32 | ... | ... | ...

There are 273 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 270 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -35,11 +35,11 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/download` | Medium
2 | File | `comment_add.asp` | High
3 | File | `data/gbconfiguration.dat` | High
2 | File | `/oscommerce/admin/currencies.php` | High
3 | File | `comment_add.asp` | High
4 | ... | ... | ...

There are 11 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 14 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

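Review bot: `/oscommerce/admin/currencies.php` enters at ID 2, which pushes `comment_add.asp` from 2 to 3 and `data/gbconfiguration.dat` out of the three visible rows into the unlisted remainder, while the tail count moves from 11 to 14. The table therefore grew by three entries, but only one of them is visible in the diff, because the file lists just the first three rows and the IDs are positional. Listing all entries (or at least stating the total count) would make the added indicators reviewable.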
@ -134,7 +134,7 @@ ID | Type | Indicator | Confidence
31 | File | `arch/powerpc/kvm/book3s_rtas.c` | High
32 | ... | ... | ...

There are 277 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 274 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -90,32 +90,32 @@ ID | Type | Indicator | Confidence
12 | File | `/context/%2e/WEB-INF/web.xml` | High
13 | File | `/crmeb/app/admin/controller/store/CopyTaobao.php` | High
14 | File | `/fudforum/adm/hlplist.php` | High
15 | File | `/login` | Low
16 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
17 | File | `/monitoring` | Medium
18 | File | `/ms/cms/content/list.do` | High
19 | File | `/new` | Low
20 | File | `/orms/` | Low
21 | File | `/plesk-site-preview/` | High
22 | File | `/proc/<pid>/status` | High
23 | File | `/public/plugins/` | High
24 | File | `/rom` | Low
25 | File | `/scripts/killpvhost` | High
26 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
27 | File | `/secure/QueryComponent!Default.jspa` | High
28 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
29 | File | `/student-grading-system/rms.php?page=grade` | High
30 | File | `/tmp` | Low
31 | File | `/tmp/redis.ds` | High
32 | File | `/uncpath/` | Medium
33 | File | `/wp-admin` | Medium
34 | File | `/wp-json/wc/v3/webhooks` | High
35 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
36 | File | `ABuffer.cpp` | Medium
37 | File | `AccountManagerService.java` | High
15 | File | `/hocms/classes/Master.php?f=delete_collection` | High
16 | File | `/login` | Low
17 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
18 | File | `/monitoring` | Medium
19 | File | `/ms/cms/content/list.do` | High
20 | File | `/new` | Low
21 | File | `/orms/` | Low
22 | File | `/plesk-site-preview/` | High
23 | File | `/proc/<pid>/status` | High
24 | File | `/public/plugins/` | High
25 | File | `/rom` | Low
26 | File | `/scripts/killpvhost` | High
27 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
28 | File | `/secure/QueryComponent!Default.jspa` | High
29 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
30 | File | `/student-grading-system/rms.php?page=grade` | High
31 | File | `/tmp` | Low
32 | File | `/tmp/redis.ds` | High
33 | File | `/uncpath/` | Medium
34 | File | `/wp-admin` | Medium
35 | File | `/wp-json/wc/v3/webhooks` | High
36 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
37 | File | `ABuffer.cpp` | Medium
38 | ... | ... | ...

There are 326 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 325 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -17,8 +17,8 @@ The following _campaigns_ are known and can be associated with APT33:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT33:

* [PL](https://vuldb.com/?country.pl)
* [SV](https://vuldb.com/?country.sv)
* [DE](https://vuldb.com/?country.de)
* [ES](https://vuldb.com/?country.es)
* ...

There are 8 more country items available. Please use our online service to access the data.
@ -56,7 +56,7 @@ ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
2 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
3 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1068 | CWE-250, CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
4 | ... | ... | ... | ...

There are 8 more TTP items available. Please use our online service to access the data.
@ -68,34 +68,38 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `.htaccess` | Medium
2 | File | `/admin.add` | Medium
3 | File | `/admin.php/admin/art/data.html` | High
4 | File | `/admin/?page=user/manage_user` | High
5 | File | `/admin/edit_user.php` | High
6 | File | `/admin/files` | Medium
7 | File | `/admin/login.php` | High
8 | File | `/administrator/components/menu/` | High
9 | File | `/administrator/components/table_manager/` | High
10 | File | `/api/appInternals/1.0/agent/configuration&` | High
11 | File | `/api/appInternals/1.0/agent/diagnostic/logs` | High
12 | File | `/api/fetch` | Medium
13 | File | `/api/user/{ID}` | High
14 | File | `/audit/log/log_management.php` | High
15 | File | `/cloud_config/router_post/register` | High
2 | File | `/admin.php/admin/art/data.html` | High
3 | File | `/admin/goods/update` | High
4 | File | `/admin/login.php` | High
5 | File | `/admin/posts.php` | High
6 | File | `/admin/uesrs.php&action=type&userrole=User` | High
7 | File | `/administrator/alerts/alertLightbox.php` | High
8 | File | `/api/appInternals/1.0/agent/configuration&` | High
9 | File | `/api/appInternals/1.0/agent/diagnostic/logs` | High
10 | File | `/api/fetch` | Medium
11 | File | `/api/user/{ID}` | High
12 | File | `/audit/log/log_management.php` | High
13 | File | `/blog/blog.php` | High
14 | File | `/cloud_config/router_post/register` | High
15 | File | `/cmd?cmd=connect` | High
16 | File | `/config/list` | Medium
17 | File | `/cwms/admin/?page=articles/view_article/` | High
18 | File | `/Hospital-Management-System-master/contact.php` | High
19 | File | `/Hospital-Management-System-master/func.php` | High
20 | File | `/i/:data/ipa.plist` | High
21 | File | `/ManageRoute/postRoute` | High
22 | File | `/ms/cms/content/list.do` | High
23 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
24 | File | `/setting/NTPSyncWithHost` | High
25 | File | `/system/tool/ping.php` | High
26 | File | `/system/user/resetPwd` | High
27 | ... | ... | ...
17 | File | `/customer_register.php` | High
18 | File | `/cwms/admin/?page=articles/view_article/` | High
19 | File | `/etc/master.passwd` | High
20 | File | `/hocms/classes/Master.php?f=delete_collection` | High
21 | File | `/hocms/classes/Master.php?f=delete_phase` | High
22 | File | `/i/:data/ipa.plist` | High
23 | File | `/index.php?page=reserve` | High
24 | File | `/ManageRoute/postRoute` | High
25 | File | `/module/api.php?mobile/webNasIPS` | High
26 | File | `/modules/eligibility/Student.php` | High
27 | File | `/plesk-site-preview/` | High
28 | File | `/public_html/apply_vacancy` | High
29 | File | `/purchase_order/classes/Master.php?f=delete_item` | High
30 | File | `/reps/classes/Users.php?f=delete_agent` | High
31 | ... | ... | ...

There are 223 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 266 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

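Review bot: row 6 of the new list, `/admin/uesrs.php&action=type&userrole=User`, spells "uesrs" and joins path and query with `&` instead of `?`. If that is exactly how the path appears in the underlying source it must stay verbatim, since a "corrected" indicator no longer matches what is actually observed, but it is worth confirming it is not a transcription error before it propagates to downstream consumers. The same check applies to `/api/appInternals/1.0/agent/configuration&`, which ends in a dangling `&` on both sides of the diff. Separately, the tail count jumps from 223 to 266 while the visible rows are heavily reshuffled, so most of this update lies outside the visible window; a total-entry count in the summary line would make jumps of that size easier to sanity-check.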
@ -73,24 +73,23 @@ ID | Type | Indicator | Confidence
13 | File | `/replication` | Medium
14 | File | `/RestAPI` | Medium
15 | File | `/SASWebReportStudio/logonAndRender.do` | High
16 | File | `/tmp/speedtest_urls.xml` | High
17 | File | `/uncpath/` | Medium
18 | File | `/var/log/nginx` | High
19 | File | `/wp-content/plugins/updraftplus/admin.php` | High
20 | File | `actions.hsp` | Medium
21 | File | `addentry.php` | Medium
22 | File | `add_edit_user.asp` | High
23 | File | `add_to_cart.php` | High
24 | File | `admin-ajax.php?action=get_wdtable order[0][dir]` | High
25 | File | `admin/config/confmgr.php` | High
26 | File | `admin/system_manage/save.html` | High
27 | File | `ajax.php` | Medium
28 | File | `apcupsd.pid` | Medium
29 | File | `api/sms/send-sms` | High
30 | File | `api/v1/alarms` | High
31 | ... | ... | ...
16 | File | `/scas/admin/` | Medium
17 | File | `/tmp/speedtest_urls.xml` | High
18 | File | `/uncpath/` | Medium
19 | File | `/var/log/nginx` | High
20 | File | `/wp-content/plugins/updraftplus/admin.php` | High
21 | File | `actions.hsp` | Medium
22 | File | `addentry.php` | Medium
23 | File | `add_edit_user.asp` | High
24 | File | `add_to_cart.php` | High
25 | File | `admin-ajax.php?action=get_wdtable order[0][dir]` | High
26 | File | `admin/config/confmgr.php` | High
27 | File | `admin/system_manage/save.html` | High
28 | File | `ajax.php` | Medium
29 | File | `apcupsd.pid` | Medium
30 | ... | ... | ...

There are 261 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 256 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -0,0 +1,59 @@
# APT35 - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT35](https://vuldb.com/?actor.apt35). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.apt35](https://vuldb.com/?actor.apt35)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT35:

* [DE](https://vuldb.com/?country.de)
* [US](https://vuldb.com/?country.us)

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of APT35.

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [107.173.231.114](https://vuldb.com/?ip.107.173.231.114) | 107-173-231-114-host.colocrossing.com | - | High
2 | [148.251.71.182](https://vuldb.com/?ip.148.251.71.182) | static.182.71.251.148.clients.your-server.de | - | High

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _APT35_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT35. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `data/gbconfiguration.dat` | High
2 | File | `inc/config.php` | High
3 | File | `register/check/username?username` | High
4 | ... | ... | ...

There are 1 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
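Review bot: both IOC rows carry hostnames that are generic reverse-DNS names of hosting providers (`107-173-231-114-host.colocrossing.com`, `static.182.71.251.148.clients.your-server.de`) rather than actor-registered domains, so they identify rented infrastructure that can be reassigned to another customer at any time; anyone blocking on these addresses needs the observation date, which the file does not state. The References section already points at the DFIR Report write-up, so filling the Campaign column (currently "-") with that reference would make the provenance of each address explicit. As in the APP84VN file added in the same commit, "There are 1 more IOA items available" should read "There is 1 more IOA item available".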
@ -66,7 +66,7 @@ ID | Technique | Weakness | Description | Confidence
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 7 more TTP items available. Please use our online service to access the data.
There are 8 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

@ -116,7 +116,7 @@ ID | Type | Indicator | Confidence
40 | File | `admin/conf_users_edit.php` | High
41 | ... | ... | ...

There are 353 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 354 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -72,38 +72,37 @@ ID | Type | Indicator | Confidence
8 | File | `/file?action=download&file` | High
9 | File | `/home/httpd/cgi-bin/cgi.cgi` | High
10 | File | `/html/includes/graphs/port/mac_acc_total.inc.php` | High
11 | File | `/inc/subscriber_list.php` | High
12 | File | `/install/index.php` | High
13 | File | `/layout/class.xblogcomment.php` | High
14 | File | `/LEPTON_stable_2.2.2/upload/admins/admintools/tool.php` | High
15 | File | `/manager/jsp/test.jsp` | High
16 | File | `/medical/inventories.php` | High
17 | File | `/monitoring` | Medium
18 | File | `/plugins/servlet/audit/resource` | High
19 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
20 | File | `/public/login.htm` | High
21 | File | `/replication` | Medium
22 | File | `/RestAPI` | Medium
23 | File | `/TeleoptiWFM/Administration/GetOneTenant` | High
24 | File | `/tmp/speedtest_urls.xml` | High
25 | File | `/uncpath/` | Medium
26 | File | `/usr/bin/at` | Medium
27 | File | `/var/log/nginx` | High
28 | File | `/_vti_pvt/access.cnf` | High
29 | File | `admin-ajax.php?action=get_wdtable order[0][dir]` | High
30 | File | `admin/e_mesaj_yaz.asp` | High
31 | File | `admin/profile.php` | High
32 | File | `admin/salesadmin.php` | High
33 | File | `admin/systemWebAdminConfig.do` | High
34 | File | `admin11.cgi` | Medium
35 | File | `admincp/auth/checklogin.php` | High
36 | File | `agenda2.php3` | Medium
37 | File | `ajax-actions.php` | High
38 | File | `ajax/deletePage.php` | High
39 | File | `ajouter_tva.php` | High
40 | ... | ... | ...
11 | File | `/install/index.php` | High
12 | File | `/layout/class.xblogcomment.php` | High
13 | File | `/LEPTON_stable_2.2.2/upload/admins/admintools/tool.php` | High
14 | File | `/manager/jsp/test.jsp` | High
15 | File | `/medical/inventories.php` | High
16 | File | `/monitoring` | Medium
17 | File | `/plugins/servlet/audit/resource` | High
18 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
19 | File | `/public/login.htm` | High
20 | File | `/replication` | Medium
21 | File | `/RestAPI` | Medium
22 | File | `/TeleoptiWFM/Administration/GetOneTenant` | High
23 | File | `/tmp/speedtest_urls.xml` | High
24 | File | `/uncpath/` | Medium
25 | File | `/usr/bin/at` | Medium
26 | File | `/var/log/nginx` | High
27 | File | `/_vti_pvt/access.cnf` | High
28 | File | `admin-ajax.php?action=get_wdtable order[0][dir]` | High
29 | File | `admin/e_mesaj_yaz.asp` | High
30 | File | `admin/profile.php` | High
31 | File | `admin/salesadmin.php` | High
32 | File | `admin/systemWebAdminConfig.do` | High
33 | File | `admin11.cgi` | Medium
34 | File | `admincp/auth/checklogin.php` | High
35 | File | `agenda2.php3` | Medium
36 | File | `ajax-actions.php` | High
37 | File | `ajax/deletePage.php` | High
38 | File | `ajouter_tva.php` | High
39 | ... | ... | ...

There are 343 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 339 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -46,11 +46,11 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
2 | T1068 | CWE-250, CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 8 more TTP items available. Please use our online service to access the data.
There are 7 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

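Review bot: row 3 of this TTP table (`3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High`) lists only CWE-798 (Use of Hard-coded Credentials) in the Weakness column while the Description is the title of CWE-307; the BazarLoader table in this same commit pairs that description with `CWE-307, CWE-798`, so either add CWE-307 here or derive the description from the listed weakness.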
@ -58,41 +58,45 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/agenttrayicon` | High
2 | File | `/aqpg/users/login.php` | High
3 | File | `/blog/blog.php` | High
4 | File | `/category.php` | High
5 | File | `/cmd?cmd=connect` | High
6 | File | `/cwms/admin/?page=articles/view_article/` | High
7 | File | `/cwms/classes/Master.php?f=save_contact` | High
8 | File | `/etc/puppetlabs/puppetserver/conf.d/ca.conf` | High
9 | File | `/goform/login_process` | High
10 | File | `/include/chart_generator.php` | High
11 | File | `/include/make.php` | High
12 | File | `/login` | Low
13 | File | `/manager/files` | High
14 | File | `/mims/app/addcustomerHandler.php` | High
15 | File | `/mims/login.php` | High
16 | File | `/nova/bin/detnet` | High
17 | File | `/nova/bin/igmp-proxy` | High
18 | File | `/one_church/churchprofile.php` | High
19 | File | `/one_church/userregister.php` | High
20 | File | `/preauth` | Medium
21 | File | `/scas/admin/` | Medium
22 | File | `/sql/sql_string.h` | High
23 | File | `/src/njs_vmcode.c` | High
24 | File | `/uncpath/` | Medium
25 | File | `/var/log/demisto/` | High
26 | File | `/wbg/core/_includes/authorization.inc.php` | High
27 | File | `/_error` | Low
28 | File | `a2billing/customer/iridium_threed.php` | High
29 | File | `actions/beats_uploader.php` | High
30 | File | `actions/vote_channel.php` | High
31 | File | `admin.php` | Medium
32 | File | `admin/index.php?module=send_ssh` | High
33 | ... | ... | ...
1 | File | `/admin.php/Plugins/update.html` | High
2 | File | `/admin.php?id=posts&action=display&value=1&postid=` | High
3 | File | `/admin.php?id=siteoptions&social=display&value=0&sid=2` | High
4 | File | `/admin.php?id=siteoptions&social=edit&sid=2` | High
5 | File | `/admin.php?r=admin/AdminBackup/del` | High
6 | File | `/admin/edit.php` | High
7 | File | `/admin/inbox.php&action=delete` | High
8 | File | `/admin/inbox.php&action=read` | High
9 | File | `/admin/index.php?mode=content&page=media&action=edit` | High
10 | File | `/admin/pagerole.php&action=edit` | High
11 | File | `/admin/posts.php` | High
12 | File | `/admin/posts.php&action=delete` | High
13 | File | `/admin/posts.php&action=edit` | High
14 | File | `/admin/siteoptions.php&action=displaygoal&value=1&roleid=1` | High
15 | File | `/admin/siteoptions.php&social=remove&sid=2` | High
16 | File | `/admin/uesrs.php&&action=delete&userid=4` | High
17 | File | `/admin/uesrs.php&action=display&value=Hide` | High
18 | File | `/admin/uesrs.php&action=display&value=Show` | High
19 | File | `/admin/uesrs.php&action=type&userrole=User` | High
20 | File | `/administrator/alerts/alertLightbox.php` | High
21 | File | `/agenttrayicon` | High
22 | File | `/api/students/me/messages/` | High
23 | File | `/apps/acs-commons/content/page-compare.html` | High
24 | File | `/aqpg/users/login.php` | High
25 | File | `/blog/blog.php` | High
26 | File | `/category.php` | High
27 | File | `/cdsms/classes/Master.php?f=delete_enrollment` | High
28 | File | `/cdsms/classes/Master.php?f=delete_package` | High
29 | File | `/cgi-bin/main.cgi` | High
30 | File | `/cmd?cmd=connect` | High
31 | File | `/customer_register.php` | High
32 | File | `/cwms/admin/?page=articles/view_article/` | High
33 | File | `/cwms/classes/Master.php?f=save_contact` | High
34 | File | `/demo/module/?module=HERE` | High
35 | File | `/goform/WifiExtraSet` | High
36 | File | `/hocms/classes/Master.php?f=delete_collection` | High
37 | ... | ... | ...

There are 277 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 317 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -4,16 +4,23 @@ These _indicators_ were reported, collected, and generated during the [VulDB CTI

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.bazarloader](https://vuldb.com/?actor.bazarloader)

## Campaigns

The following _campaigns_ are known and can be associated with BazarLoader:

* Anchor
* Diavol

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with BazarLoader:

* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [DK](https://vuldb.com/?country.dk)
* [RU](https://vuldb.com/?country.ru)
* ...

There are 21 more country items available. Please use our online service to access the data.
There are 1 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -21,26 +28,31 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [13.225.230.232](https://vuldb.com/?ip.13.225.230.232) | server-13-225-230-232.jfk51.r.cloudfront.net | - | High
2 | [13.226.32.216](https://vuldb.com/?ip.13.226.32.216) | server-13-226-32-216.ewr53.r.cloudfront.net | - | High
3 | [18.67.60.164](https://vuldb.com/?ip.18.67.60.164) | server-18-67-60-164.iad89.r.cloudfront.net | - | High
4 | [23.56.10.219](https://vuldb.com/?ip.23.56.10.219) | a23-56-10-219.deploy.static.akamaitechnologies.com | - | High
5 | [23.62.25.178](https://vuldb.com/?ip.23.62.25.178) | a23-62-25-178.deploy.static.akamaitechnologies.com | - | High
6 | [23.95.238.122](https://vuldb.com/?ip.23.95.238.122) | 23-95-238-122-host.colocrossing.com | - | High
7 | [23.106.223.174](https://vuldb.com/?ip.23.106.223.174) | - | - | High
8 | [23.160.193.217](https://vuldb.com/?ip.23.160.193.217) | unknown.ip-xfer.net | - | High
9 | [23.193.217.119](https://vuldb.com/?ip.23.193.217.119) | a23-193-217-119.deploy.static.akamaitechnologies.com | - | High
10 | [31.171.251.118](https://vuldb.com/?ip.31.171.251.118) | ch.ns.mon0.li | - | High
11 | [31.214.240.203](https://vuldb.com/?ip.31.214.240.203) | - | - | High
12 | [34.209.40.84](https://vuldb.com/?ip.34.209.40.84) | ec2-34-209-40-84.us-west-2.compute.amazonaws.com | - | Medium
13 | [34.221.188.35](https://vuldb.com/?ip.34.221.188.35) | ec2-34-221-188-35.us-west-2.compute.amazonaws.com | - | Medium
14 | [34.222.222.126](https://vuldb.com/?ip.34.222.222.126) | ec2-34-222-222-126.us-west-2.compute.amazonaws.com | - | Medium
15 | [40.76.4.15](https://vuldb.com/?ip.40.76.4.15) | - | - | High
16 | [40.112.72.205](https://vuldb.com/?ip.40.112.72.205) | - | - | High
17 | [40.113.200.201](https://vuldb.com/?ip.40.113.200.201) | - | - | High
18 | ... | ... | ... | ...
1 | [3.101.57.185](https://vuldb.com/?ip.3.101.57.185) | ec2-3-101-57-185.us-west-1.compute.amazonaws.com | - | Medium
2 | [13.225.230.232](https://vuldb.com/?ip.13.225.230.232) | server-13-225-230-232.jfk51.r.cloudfront.net | - | High
3 | [13.226.32.216](https://vuldb.com/?ip.13.226.32.216) | server-13-226-32-216.ewr53.r.cloudfront.net | - | High
4 | [18.67.60.164](https://vuldb.com/?ip.18.67.60.164) | server-18-67-60-164.iad89.r.cloudfront.net | - | High
5 | [23.56.10.219](https://vuldb.com/?ip.23.56.10.219) | a23-56-10-219.deploy.static.akamaitechnologies.com | - | High
6 | [23.62.25.178](https://vuldb.com/?ip.23.62.25.178) | a23-62-25-178.deploy.static.akamaitechnologies.com | - | High
7 | [23.82.19.173](https://vuldb.com/?ip.23.82.19.173) | - | - | High
8 | [23.94.51.80](https://vuldb.com/?ip.23.94.51.80) | 23-94-51-80-host.colocrossing.com | Anchor | High
9 | [23.95.238.122](https://vuldb.com/?ip.23.95.238.122) | 23-95-238-122-host.colocrossing.com | - | High
10 | [23.106.160.77](https://vuldb.com/?ip.23.106.160.77) | - | - | High
11 | [23.106.215.61](https://vuldb.com/?ip.23.106.215.61) | - | - | High
12 | [23.106.223.174](https://vuldb.com/?ip.23.106.223.174) | - | - | High
13 | [23.152.0.22](https://vuldb.com/?ip.23.152.0.22) | anahiem.net | Diavol | High
14 | [23.160.193.217](https://vuldb.com/?ip.23.160.193.217) | unknown.ip-xfer.net | - | High
15 | [23.193.217.119](https://vuldb.com/?ip.23.193.217.119) | a23-193-217-119.deploy.static.akamaitechnologies.com | - | High
16 | [31.171.251.118](https://vuldb.com/?ip.31.171.251.118) | ch.ns.mon0.li | - | High
17 | [31.214.240.203](https://vuldb.com/?ip.31.214.240.203) | - | - | High
18 | [34.209.40.84](https://vuldb.com/?ip.34.209.40.84) | ec2-34-209-40-84.us-west-2.compute.amazonaws.com | - | Medium
19 | [34.210.71.206](https://vuldb.com/?ip.34.210.71.206) | ec2-34-210-71-206.us-west-2.compute.amazonaws.com | Anchor | Medium
20 | [34.221.188.35](https://vuldb.com/?ip.34.221.188.35) | ec2-34-221-188-35.us-west-2.compute.amazonaws.com | - | Medium
21 | [34.222.222.126](https://vuldb.com/?ip.34.222.222.126) | ec2-34-222-222-126.us-west-2.compute.amazonaws.com | - | Medium
22 | [35.165.197.209](https://vuldb.com/?ip.35.165.197.209) | ec2-35-165-197-209.us-west-2.compute.amazonaws.com | - | Medium
23 | ... | ... | ... | ...

There are 68 more IOC items available. Please use our online service to access the data.
There are 88 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

@ -50,10 +62,10 @@ ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
3 | T1552 | CWE-319, CWE-522 | Unprotected Storage of Credentials | High
4 | ... | ... | ... | ...

There are 7 more TTP items available. Please use our online service to access the data.
There are 1 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

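Review bot: the new row `3 | T1552 | CWE-319, CWE-522 | Unprotected Storage of Credentials | High` replaces the T1110.001 row while the trailing count goes from "There are 7 more TTP items" to "There are 1 more TTP items", so six TTP entries vanish from this file in one regeneration; confirm that is an intended data change rather than a truncated export. The generated sentence should also pluralize by count ("There is 1 more TTP item").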
@ -61,64 +73,17 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `.htaccess` | Medium
2 | File | `.user` | Low
3 | File | `/.dbus-keyrings` | High
4 | File | `/api` | Low
5 | File | `/catalog/admin/categories.php?cPath=&action=new_product` | High
6 | File | `/cgi-bin/system_mgr.cgi` | High
7 | File | `/common/ticket_associated_tickets.php` | High
8 | File | `/common/user_profile.php` | High
9 | File | `/Content/Template/root/reverse-shell.aspx` | High
10 | File | `/debug/pprof` | Medium
11 | File | `/getcfg.php` | Medium
12 | File | `/goform/form2userconfig.cgi` | High
13 | File | `/include/makecvs.php` | High
14 | File | `/includes/db_adodb.php` | High
15 | File | `/objects/pluginSwitch.json.php` | High
16 | File | `/PluXml/core/admin/parametres_edittpl.php` | High
17 | File | `/register.do` | Medium
18 | File | `/rest/api/latest/groupuserpicker` | High
19 | File | `/rest/project-templates/1.0/createshared` | High
20 | File | `/restoreinfo.cgi` | High
21 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
22 | File | `/see_more_details.php` | High
23 | File | `/sendrcpackage?keyid=-2544&keysymbol=-4081` | High
24 | File | `/services` | Medium
25 | File | `/uncpath/` | Medium
26 | File | `/usr/local/vesta/bin` | High
27 | File | `/usr/sbin/suexec` | High
28 | File | `/v3/credentials` | High
29 | File | `/var/log/monkeyd/master.log` | High
30 | File | `/var/passwd` | Medium
31 | File | `/var/run/storage_account_root` | High
32 | File | `/webconsole/APIController` | High
33 | File | `/websocket` | Medium
34 | File | `802dot1xclientcert.cgi` | High
35 | File | `account.asp` | Medium
36 | File | `Account.aspx` | Medium
37 | File | `ActionsAndOperations` | High
38 | File | `adclick.php` | Medium
39 | File | `add.php` | Low
40 | File | `admin/?n=tags&c=index&a=doSaveTags` | High
41 | File | `admin/admin.shtml` | High
42 | File | `admin/db-backup-security/db-backup-security.php` | High
43 | File | `admin/graph_trend.php` | High
44 | File | `administrator/components/com_media/helpers/media.php` | High
45 | File | `adminquery.php` | High
46 | File | `agent_links.pl` | High
47 | File | `ajax/render/widget_php` | High
48 | File | `Ap4StssAtom.cpp` | High
49 | File | `Ap4StszAtom.cpp` | High
50 | File | `apetag.c` | Medium
51 | File | `app/system/language/admin/language_general.class.php` | High
52 | File | `apply_sec.cgi` | High
53 | File | `app\contacts\contact_times.php` | High
54 | File | `Archive.java` | Medium
55 | File | `article.php` | Medium
56 | ... | ... | ...
1 | File | `/api` | Low
2 | File | `/include/makecvs.php` | High
3 | File | `/PluXml/core/admin/parametres_edittpl.php` | High
4 | File | `/usr/local/psa/admin/sbin/wrapper` | High
5 | File | `add.php` | Low
6 | File | `admin/admin.shtml` | High
7 | File | `cat.asp` | Low
8 | File | `class.phpmailer.php` | High
9 | ... | ... | ...

There are 484 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 66 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

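Review bot: this IOA block shrinks from 55 listed rows plus "There are 484 more IOA items" to 8 rows plus "There are 66 more", a loss of roughly 465 indicators in one regeneration; since the IOC section of the same file grows in this commit (68 to 88 more items), confirm the IOA export was not cut off before merging.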
@ -130,6 +95,10 @@ The following list contains _external sources_ which discuss the actor and the a
* https://isc.sans.edu/forums/diary/April+2021+Forensic+Quiz+Answers+and+Analysis/27308/
* https://isc.sans.edu/forums/diary/Stolen+Images+Evidence+Campaign+Continues+Pushing+BazarLoader+Malware/27816/
* https://isc.sans.edu/forums/diary/TA551+Shathak+continues+pushing+BazarLoader+infections+lead+to+Cobalt+Strike/27738/
* https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/
* https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
* https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/
* https://thedfirreport.com/2021/12/13/diavol-ransomware/
* https://twitter.com/_pr4gma/status/1347617681197961225

## Literature

@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [DE](https://vuldb.com/?country.de)
* ...

There are 1 more country items available. Please use our online service to access the data.
There are 3 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -52,34 +52,33 @@ ID | Type | Indicator | Confidence
3 | File | `/admin.php/admin/ulog/index.html` | High
4 | File | `/admin.php/admin/website/data.html` | High
5 | File | `/admin.php?id=siteoptions&social=display&value=0&sid=2` | High
6 | File | `/admin/inbox.php&action=read` | High
7 | File | `/admin/posts.php` | High
8 | File | `/admin/posts.php&action=delete` | High
9 | File | `/admin/run_ajax.php` | High
10 | File | `/administrator/components/menu/` | High
11 | File | `/admin_page/all-files-update-ajax.php` | High
12 | File | `/api/crontab` | Medium
13 | File | `/blog/blog.php` | High
14 | File | `/cdsms/classes/Master.php?f=delete_enrollment` | High
15 | File | `/cgi-bin/kerbynet` | High
16 | File | `/cloud_config/router_post/modify_account_pwd` | High
17 | File | `/cloud_config/router_post/register` | High
18 | File | `/config/list` | Medium
19 | File | `/download/` | Medium
20 | File | `/etc/ajenti/config.yml` | High
21 | File | `/etc/cobbler` | Medium
22 | File | `/etc/passwd` | Medium
23 | File | `/export` | Low
24 | File | `/goform/delAd` | High
25 | File | `/goform/form2Reboot.cgi` | High
26 | File | `/home.asp` | Medium
27 | File | `/index.php?act=api&tag=8` | High
28 | File | `/jeecg-boot/sys/user/queryUserByDepId` | High
29 | File | `/languages/index.php` | High
30 | File | `/members/view_member.php` | High
31 | ... | ... | ...
6 | File | `/admin.php?id=siteoptions&social=edit&sid=2` | High
7 | File | `/admin/inbox.php&action=read` | High
8 | File | `/admin/posts.php` | High
9 | File | `/admin/posts.php&action=delete` | High
10 | File | `/admin/run_ajax.php` | High
11 | File | `/admin/siteoptions.php&action=displaygoal&value=1&roleid=1` | High
12 | File | `/admin/uesrs.php&&action=delete&userid=4` | High
13 | File | `/admin/uesrs.php&action=type&userrole=Admin&userid=3` | High
14 | File | `/admin_page/all-files-update-ajax.php` | High
15 | File | `/api/crontab` | Medium
16 | File | `/blog/blog.php` | High
17 | File | `/cdsms/classes/Master.php?f=delete_enrollment` | High
18 | File | `/cgi-bin/kerbynet` | High
19 | File | `/cloud_config/router_post/modify_account_pwd` | High
20 | File | `/cloud_config/router_post/register` | High
21 | File | `/config/list` | Medium
22 | File | `/download/` | Medium
23 | File | `/etc/ajenti/config.yml` | High
24 | File | `/etc/cobbler` | Medium
25 | File | `/etc/passwd` | Medium
26 | File | `/export` | Low
27 | File | `/goform/delAd` | High
28 | File | `/goform/form2Reboot.cgi` | High
29 | File | `/home.asp` | Medium
30 | ... | ... | ...

There are 268 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 259 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [RU](https://vuldb.com/?country.ru)
* ...

There are 21 more country items available. Please use our online service to access the data.
There are 22 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -14,6 +14,7 @@ The following _campaigns_ are known and can be associated with Bunse:

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Bunse:

* [FR](https://vuldb.com/?country.fr)
* [ES](https://vuldb.com/?country.es)
* [US](https://vuldb.com/?country.us)

@ -4,6 +4,12 @@ These _indicators_ were reported, collected, and generated during the [VulDB CTI

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.candiru](https://vuldb.com/?actor.candiru)

## Campaigns

The following _campaigns_ are known and can be associated with Candiru:

* CatalanGate

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Candiru:

@ -13,7 +19,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [TR](https://vuldb.com/?country.tr)
* ...

There are 14 more country items available. Please use our online service to access the data.
There are 13 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -29,7 +35,7 @@ ID | IP address | Hostname | Campaign | Confidence
6 | [5.206.227.93](https://vuldb.com/?ip.5.206.227.93) | noos-proxy | - | High
7 | ... | ... | ... | ...

There are 23 more IOC items available. Please use our online service to access the data.
There are 25 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

@ -58,43 +64,43 @@ ID | Type | Indicator | Confidence
6 | File | `/article/add` | Medium
7 | File | `/cgi-bin/editBookmark` | High
8 | File | `/cgi-bin/uploadWeiXinPic` | High
9 | File | `/computer/(agent-name)/api` | High
10 | File | `/controller/pay.class.php` | High
11 | File | `/dev/block/mmcblk0rpmb` | High
12 | File | `/dev/kmem` | Medium
13 | File | `/dev/shm` | Medium
14 | File | `/dev/snd/seq` | Medium
15 | File | `/device/device=140/tab=wifi/view` | High
16 | File | `/dl/dl_print.php` | High
17 | File | `/getcfg.php` | Medium
18 | File | `/goform/addressNat` | High
19 | File | `/htdocs/admin/dict.php?id=3` | High
20 | File | `/include/menu_v.inc.php` | High
21 | File | `/includes/rrdtool.inc.php` | High
22 | File | `/irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.UserMapping` | High
23 | File | `/jerry-core/ecma/base/ecma-gc.c` | High
24 | File | `/jerry-core/ecma/base/ecma-helpers-conversion.c` | High
25 | File | `/login` | Low
26 | File | `/module/module_frame/index.php` | High
27 | File | `/notice-edit.php` | High
28 | File | `/nova/bin/sniffer` | High
29 | File | `/ofcms/company-c-47` | High
30 | File | `/proc/*/cmdline"` | High
31 | File | `/proc/pid/syscall` | High
32 | File | `/product_list.php` | High
33 | File | `/rest/api/2/user/picker` | High
34 | File | `/rukovoditel_2.4.1/index.php?module=configuration/save&redirect_to=configuration/application` | High
35 | File | `/services/details.asp` | High
36 | File | `/src/core/controllers/cm.php` | High
37 | File | `/storage/app/media/evil.svg` | High
38 | ... | ... | ...
9 | File | `/controller/pay.class.php` | High
10 | File | `/dev/block/mmcblk0rpmb` | High
11 | File | `/dev/kmem` | Medium
12 | File | `/dev/shm` | Medium
13 | File | `/dev/snd/seq` | Medium
14 | File | `/device/device=140/tab=wifi/view` | High
15 | File | `/dl/dl_print.php` | High
16 | File | `/getcfg.php` | Medium
17 | File | `/goform/addressNat` | High
18 | File | `/htdocs/admin/dict.php?id=3` | High
19 | File | `/include/menu_v.inc.php` | High
20 | File | `/irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.UserMapping` | High
21 | File | `/jerry-core/ecma/base/ecma-gc.c` | High
22 | File | `/jerry-core/ecma/base/ecma-helpers-conversion.c` | High
23 | File | `/login` | Low
24 | File | `/module/module_frame/index.php` | High
25 | File | `/notice-edit.php` | High
26 | File | `/nova/bin/sniffer` | High
27 | File | `/ofcms/company-c-47` | High
28 | File | `/proc/*/cmdline"` | High
29 | File | `/proc/pid/syscall` | High
30 | File | `/product_list.php` | High
31 | File | `/rest/api/2/user/picker` | High
32 | File | `/rukovoditel_2.4.1/index.php?module=configuration/save&redirect_to=configuration/application` | High
33 | File | `/services/details.asp` | High
34 | File | `/src/core/controllers/cm.php` | High
35 | File | `/storage/app/media/evil.svg` | High
36 | File | `/transmission/web/` | High
37 | ... | ... | ...

There are 325 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 322 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/
* https://github.com/eset/malware-ioc/tree/master/swc-candiru

## Literature

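Review bot: the indicator `/proc/*/cmdline"` (old row 30, new row 28) carries a stray trailing double quote inside the code span in both versions, so the renumbering in this hunk preserves a malformed value that exact-match lookups will miss; strip the quote so the indicator reads `/proc/*/cmdline`.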
@ -80,7 +80,7 @@ ID | Type | Indicator | Confidence
28 | File | `admin/article_category.php?rec=update` | High
29 | ... | ... | ...

There are 245 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 246 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -9,8 +9,8 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Cobalt Group:

* [FR](https://vuldb.com/?country.fr)
* [ES](https://vuldb.com/?country.es)
* [DE](https://vuldb.com/?country.de)
* [PL](https://vuldb.com/?country.pl)
* [IT](https://vuldb.com/?country.it)
* ...

There are 8 more country items available. Please use our online service to access the data.

@ -54,28 +54,27 @@ ID | Type | Indicator | Confidence
4 | File | `/admin/show.php` | High
5 | File | `/administrator/components/menu/` | High
6 | File | `/app/register.php` | High
7 | File | `/controller/CommentAdminController.java` | High
8 | File | `/data/sqldata` | High
9 | File | `/feedback/post/` | High
10 | File | `/goform/SetPptpServerCfg` | High
11 | File | `/hdf5/src/H5Fint.c` | High
12 | File | `/index.php?page=reserve` | High
13 | File | `/jeecg-boot/sys/user/queryUserByDepId` | High
14 | File | `/jerry-core/ecma/base/ecma-literal-storage.c` | High
15 | File | `/jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c` | High
16 | File | `/jerry-core/ecma/operations/ecma-objects.c` | High
17 | File | `/public/launchNewWindow.jsp` | High
18 | File | `/purchase_order/admin/?page=user` | High
19 | File | `/reps/admin/?page=agents/manage_agent` | High
20 | File | `/SAP_Information_System/controllers/add_admin.php` | High
21 | File | `/scas/classes/Users.php?f=save_user` | High
22 | File | `/servlets/Jmx_dynamic` | High
23 | File | `/setting/NTPSyncWithHost` | High
24 | File | `/src/njs_object.c` | High
25 | File | `/template/unzip.do` | High
26 | ... | ... | ...
7 | File | `/data/sqldata` | High
8 | File | `/feedback/post/` | High
9 | File | `/goform/SetPptpServerCfg` | High
10 | File | `/hdf5/src/H5Fint.c` | High
11 | File | `/index.php?page=reserve` | High
12 | File | `/jeecg-boot/sys/user/queryUserByDepId` | High
13 | File | `/jerry-core/ecma/base/ecma-literal-storage.c` | High
14 | File | `/jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c` | High
15 | File | `/jerry-core/ecma/operations/ecma-objects.c` | High
16 | File | `/public/launchNewWindow.jsp` | High
17 | File | `/purchase_order/admin/?page=user` | High
18 | File | `/reps/admin/?page=agents/manage_agent` | High
19 | File | `/SAP_Information_System/controllers/add_admin.php` | High
20 | File | `/scas/classes/Users.php?f=save_user` | High
21 | File | `/servlets/Jmx_dynamic` | High
22 | File | `/setting/NTPSyncWithHost` | High
23 | File | `/src/njs_object.c` | High
24 | File | `/template/unzip.do` | High
25 | ... | ... | ...

There are 214 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 212 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -9,11 +9,11 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Cobalt Strike:

* [US](https://vuldb.com/?country.us)
* [SV](https://vuldb.com/?country.sv)
* [DE](https://vuldb.com/?country.de)
* [GB](https://vuldb.com/?country.gb)
* ...

There are 10 more country items available. Please use our online service to access the data.
There are 21 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -21,13 +21,17 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [23.82.140.91](https://vuldb.com/?ip.23.82.140.91) | - | - | High
2 | [23.108.57.108](https://vuldb.com/?ip.23.108.57.108) | - | - | High
3 | [45.134.26.174](https://vuldb.com/?ip.45.134.26.174) | - | - | High
4 | [45.144.29.185](https://vuldb.com/?ip.45.144.29.185) | master.pisyandriy.com | - | High
5 | ... | ... | ... | ...
1 | [5.255.98.144](https://vuldb.com/?ip.5.255.98.144) | - | - | High
2 | [23.19.227.147](https://vuldb.com/?ip.23.19.227.147) | - | - | High
3 | [23.81.246.32](https://vuldb.com/?ip.23.81.246.32) | - | - | High
4 | [23.82.140.91](https://vuldb.com/?ip.23.82.140.91) | - | - | High
5 | [23.108.57.39](https://vuldb.com/?ip.23.108.57.39) | - | - | High
6 | [23.108.57.108](https://vuldb.com/?ip.23.108.57.108) | - | - | High
7 | [23.227.199.10](https://vuldb.com/?ip.23.227.199.10) | 23-227-199-10.static.hvvc.us | - | High
8 | [45.134.26.174](https://vuldb.com/?ip.45.134.26.174) | - | - | High
9 | ... | ... | ... | ...

There are 15 more IOC items available. Please use our online service to access the data.
There are 33 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

@ -40,7 +44,7 @@ ID | Technique | Weakness | Description | Confidence
|
|||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 4 more TTP items available. Please use our online service to access the data.
|
||||
There are 5 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
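Review bot: row 3 of the TTP table in this hunk (`3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High`) pairs the CWE id with the wrong description: CWE-798 is Use of Hard-coded Credentials, while Improper Restriction of Excessive Authentication Attempts is CWE-307, which is exactly what the T1110.001 row in another actor file of this same commit uses. The line is unchanged context here, but since the file is being touched anyway, correct it to CWE-307 (or change the description to match CWE-798) in the same change so the two files agree.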
@ -48,66 +52,61 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/?admin/user.html` | High
|
||||
2 | File | `/admin/success_story.php` | High
|
||||
3 | File | `/configuration/httpListenerEdit.jsf` | High
|
||||
1 | File | `/admin/success_story.php` | High
|
||||
2 | File | `/category.php` | High
|
||||
3 | File | `/cgi-bin/supervisor/PwdGrp.cgi` | High
|
||||
4 | File | `/etc/tomcat8/Catalina/attack` | High
|
||||
5 | File | `/movie-portal-script/movie.php` | High
|
||||
6 | File | `/notice-edit.php` | High
|
||||
7 | File | `/resourceNode/jdbcResourceEdit.jsf` | High
|
||||
8 | File | `/tmp` | Low
|
||||
9 | File | `/wp-content/plugins/updraftplus/admin.php` | High
|
||||
10 | File | `4.2.0.CP08` | Medium
|
||||
11 | File | `account.asp` | Medium
|
||||
12 | File | `acerctrl.ocx` | Medium
|
||||
13 | File | `activate.php` | Medium
|
||||
14 | File | `add.php` | Low
|
||||
15 | File | `adm/krgourl.php` | High
|
||||
16 | File | `admin.php` | Medium
|
||||
17 | File | `admin/admin.php` | High
|
||||
18 | File | `admin/adminaddeditdetails.php` | High
|
||||
19 | File | `admin/ajaxsave.php` | High
|
||||
20 | File | `admin/auth.php` | High
|
||||
21 | File | `admin/images.php` | High
|
||||
22 | File | `admin/import/class-import-settings.php` | High
|
||||
23 | File | `ADMIN/loginaction.php` | High
|
||||
24 | File | `admin/member_details.php` | High
|
||||
25 | File | `admin/preview.php` | High
|
||||
26 | File | `ajax/addComment.php` | High
|
||||
27 | File | `and/or` | Low
|
||||
28 | File | `arch/powerpc/kernel/entry_64.S` | High
|
||||
29 | File | `archive_read_support_format_rar5.c` | High
|
||||
30 | File | `article.php` | Medium
|
||||
31 | File | `asp:.jpg` | Medium
|
||||
32 | File | `auth2-gss.c` | Medium
|
||||
33 | File | `backup.php` | Medium
|
||||
34 | File | `bios.php` | Medium
|
||||
35 | File | `blanko.preview.php` | High
|
||||
36 | File | `block/bfq-iosched.c` | High
|
||||
37 | File | `browse.php` | Medium
|
||||
38 | File | `browse_ladies.php` | High
|
||||
39 | File | `burl.c` | Low
|
||||
40 | File | `cadena_ofertas_ext.php` | High
|
||||
41 | File | `cal_popup.php` | High
|
||||
42 | File | `category-delete.php` | High
|
||||
43 | File | `category.php` | Medium
|
||||
44 | File | `CFM File Handler` | High
|
||||
45 | File | `cgi-bin/awstats.pl` | High
|
||||
46 | File | `Change-password.php` | High
|
||||
47 | File | `charts.php` | Medium
|
||||
48 | File | `chat.php` | Medium
|
||||
49 | File | `classified.php` | High
|
||||
50 | File | `comments.php` | Medium
|
||||
51 | File | `config.php` | Medium
|
||||
52 | File | `core/stack/l2cap/l2cap_sm.c` | High
|
||||
53 | File | `country_escorts.php` | High
|
||||
54 | File | `cource.php` | Medium
|
||||
55 | File | `Crypt32.dll` | Medium
|
||||
56 | File | `dapur/index.php` | High
|
||||
57 | File | `default.asp` | Medium
|
||||
58 | ... | ... | ...
|
||||
7 | File | `/objects/getSpiritsFromVideo.php` | High
|
||||
8 | File | `/servlet/webacc` | High
|
||||
9 | File | `/TeamMate/Upload/DomainObjectDocumentUpload.ashx` | High
|
||||
10 | File | `/tmp` | Low
|
||||
11 | File | `/uncpath/` | Medium
|
||||
12 | File | `/wp-admin/admin-ajax.php` | High
|
||||
13 | File | `/wp-content/plugins/updraftplus/admin.php` | High
|
||||
14 | File | `4.2.0.CP08` | Medium
|
||||
15 | File | `account.asp` | Medium
|
||||
16 | File | `acerctrl.ocx` | Medium
|
||||
17 | File | `activate.php` | Medium
|
||||
18 | File | `add.php` | Low
|
||||
19 | File | `admin.php` | Medium
|
||||
20 | File | `admin/admin.php` | High
|
||||
21 | File | `admin/adminaddeditdetails.php` | High
|
||||
22 | File | `admin/class-jtrt-responsive-tables-admin.php` | High
|
||||
23 | File | `admin/images.php` | High
|
||||
24 | File | `admin/import/class-import-settings.php` | High
|
||||
25 | File | `admin/infoclass_update.php` | High
|
||||
26 | File | `admin/member_details.php` | High
|
||||
27 | File | `admin/preview.php` | High
|
||||
28 | File | `ajax/addComment.php` | High
|
||||
29 | File | `allocate_block.cpp` | High
|
||||
30 | File | `and/or` | Low
|
||||
31 | File | `app/code/core/Mage/Rss/Helper/Order.php` | High
|
||||
32 | File | `arch/powerpc/kernel/entry_64.S` | High
|
||||
33 | File | `archive_read_support_format_rar5.c` | High
|
||||
34 | File | `article.php` | Medium
|
||||
35 | File | `asmjs/asmangle.cpp` | High
|
||||
36 | File | `asp:.jpg` | Medium
|
||||
37 | File | `auth2-gss.c` | Medium
|
||||
38 | File | `backup.php` | Medium
|
||||
39 | File | `bios.php` | Medium
|
||||
40 | File | `blanko.preview.php` | High
|
||||
41 | File | `block/bfq-iosched.c` | High
|
||||
42 | File | `books.php` | Medium
|
||||
43 | File | `browse_ladies.php` | High
|
||||
44 | File | `burl.c` | Low
|
||||
45 | File | `cadena_ofertas_ext.php` | High
|
||||
46 | File | `category-delete.php` | High
|
||||
47 | File | `category.php` | Medium
|
||||
48 | File | `CFM File Handler` | High
|
||||
49 | File | `cgi-bin/awstats.pl` | High
|
||||
50 | File | `cgi-bin/write.cgi` | High
|
||||
51 | File | `Change-password.php` | High
|
||||
52 | File | `chat.php` | Medium
|
||||
53 | ... | ... | ...
|
||||
|
||||
There are 510 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 460 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
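Review bot: several entries typed `File` in this IOA table are not file names or paths and can never match a path seen in logs: `4.2.0.CP08` (a version string, row 10 old / 14 new), `CFM File Handler` (a component name, row 44 / 48), `and/or` (an English conjunction, row 27 / 30) and `asp:.jpg` (an extension pattern, row 31 / 36). Retype them under a fitting indicator type (the closing sentence lists library, argument, input value and pattern as available types) or drop them, because a consumer that feeds the `File` column into path matching gets only noise from them. `/tmp` at Low confidence (row 8 / 10) has the same problem, as it is present on practically every Linux host.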
@ -122,8 +121,19 @@ The following list contains _external sources_ which discuss the actor and the a
|
|||
* https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike/27158/
|
||||
* https://research.checkpoint.com/2019/cobalt-group-returns-to-kazakhstan/
|
||||
* https://securelist.com/owowa-credential-stealer-and-remote-access/105219/
|
||||
* https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
|
||||
* https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/
|
||||
* https://thedfirreport.com/2021/05/12/conti-ransomware/
|
||||
* https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/
|
||||
* https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/
|
||||
* https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/
|
||||
* https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
|
||||
* https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/
|
||||
* https://thedfirreport.com/2021/12/13/diavol-ransomware/
|
||||
* https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
|
||||
* https://twitter.com/malware_traffic/status/1400876426497253379
|
||||
* https://twitter.com/malware_traffic/status/1415740795622248452
|
||||
* https://twitter.com/TheDFIRReport/status/1508451341844168706
|
||||
* https://twitter.com/Unit42_Intel/status/1392174941181812737
|
||||
* https://us-cert.cisa.gov/ncas/alerts/aa21-148a
|
||||
* https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
|
||||
|
|
|
@ -8,6 +8,7 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
|
|||
|
||||
The following _campaigns_ are known and can be associated with Conti:
|
||||
|
||||
* BazarLoader
|
||||
* Cobalt Strike
|
||||
|
||||
## Countries
|
||||
|
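Review bot: the added line `* Cobalt Strike` names a tool, not a campaign, and Cobalt Strike already has its own actor page in this same commit, so listing it here conflates tooling with operations. If the intent is to tag the IOCs that served Cobalt Strike beacons, that tag should then also appear in the Campaign column of the IOC table below, where the only campaign used so far is BazarLoader; otherwise drop the entry and express the relation as a link to the Cobalt Strike actor page instead.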
@ -34,52 +35,55 @@ ID | IP address | Hostname | Campaign | Confidence
|
|||
5 | [5.2.78.121](https://vuldb.com/?ip.5.2.78.121) | - | - | High
|
||||
6 | [5.34.178.185](https://vuldb.com/?ip.5.34.178.185) | hathi1.co.in | - | High
|
||||
7 | [5.34.181.18](https://vuldb.com/?ip.5.34.181.18) | storage-669286.hosted-by.itldc.com | - | High
|
||||
8 | [5.181.156.15](https://vuldb.com/?ip.5.181.156.15) | no-rdns.mivocloud.com | - | High
|
||||
9 | [5.181.156.166](https://vuldb.com/?ip.5.181.156.166) | 5-181-156-166.mivocloud.com | - | High
|
||||
10 | [5.181.156.226](https://vuldb.com/?ip.5.181.156.226) | no-rdns.mivocloud.com | - | High
|
||||
11 | [5.183.95.6](https://vuldb.com/?ip.5.183.95.6) | mail.zeakids.de | - | High
|
||||
12 | [5.196.197.27](https://vuldb.com/?ip.5.196.197.27) | - | - | High
|
||||
13 | [11.22.33.44](https://vuldb.com/?ip.11.22.33.44) | - | - | High
|
||||
14 | [23.82.140.137](https://vuldb.com/?ip.23.82.140.137) | - | - | High
|
||||
15 | [23.95.231.200](https://vuldb.com/?ip.23.95.231.200) | 23-95-231-200-host.colocrossing.com | - | High
|
||||
16 | [23.106.160.174](https://vuldb.com/?ip.23.106.160.174) | - | - | High
|
||||
17 | [23.146.242.134](https://vuldb.com/?ip.23.146.242.134) | - | - | High
|
||||
18 | [23.254.228.234](https://vuldb.com/?ip.23.254.228.234) | hwsrv-935246.hostwindsdns.com | - | High
|
||||
19 | [24.185.61.99](https://vuldb.com/?ip.24.185.61.99) | ool-18b93d63.dyn.optonline.net | - | High
|
||||
20 | [31.13.195.26](https://vuldb.com/?ip.31.13.195.26) | - | - | High
|
||||
21 | [31.13.195.144](https://vuldb.com/?ip.31.13.195.144) | - | - | High
|
||||
22 | [31.13.195.184](https://vuldb.com/?ip.31.13.195.184) | - | - | High
|
||||
23 | [31.14.40.95](https://vuldb.com/?ip.31.14.40.95) | - | - | High
|
||||
24 | [31.14.40.220](https://vuldb.com/?ip.31.14.40.220) | - | - | High
|
||||
25 | [31.214.157.242](https://vuldb.com/?ip.31.214.157.242) | - | - | High
|
||||
26 | [37.0.8.166](https://vuldb.com/?ip.37.0.8.166) | - | - | High
|
||||
27 | [37.1.209.181](https://vuldb.com/?ip.37.1.209.181) | - | - | High
|
||||
28 | [37.187.24.215](https://vuldb.com/?ip.37.187.24.215) | ns3206394.ip-37-187-24.eu | - | High
|
||||
29 | [37.220.6.122](https://vuldb.com/?ip.37.220.6.122) | mail.foxlontech.com | - | High
|
||||
30 | [37.235.53.46](https://vuldb.com/?ip.37.235.53.46) | gw1.mad1.vitalng.com | - | High
|
||||
31 | [38.88.223.172](https://vuldb.com/?ip.38.88.223.172) | - | - | High
|
||||
32 | [38.92.176.125](https://vuldb.com/?ip.38.92.176.125) | - | - | High
|
||||
33 | [38.92.191.89](https://vuldb.com/?ip.38.92.191.89) | - | - | High
|
||||
34 | [43.126.75.91](https://vuldb.com/?ip.43.126.75.91) | - | - | High
|
||||
35 | [45.11.183.198](https://vuldb.com/?ip.45.11.183.198) | - | - | High
|
||||
36 | [45.11.183.211](https://vuldb.com/?ip.45.11.183.211) | - | - | High
|
||||
37 | [45.14.226.23](https://vuldb.com/?ip.45.14.226.23) | - | - | High
|
||||
38 | [45.14.226.47](https://vuldb.com/?ip.45.14.226.47) | - | - | High
|
||||
39 | [45.32.131.223](https://vuldb.com/?ip.45.32.131.223) | - | - | High
|
||||
40 | [45.32.132.182](https://vuldb.com/?ip.45.32.132.182) | 45.32.132.182.vultr.com | - | Medium
|
||||
41 | [45.61.136.221](https://vuldb.com/?ip.45.61.136.221) | - | - | High
|
||||
42 | [45.61.138.153](https://vuldb.com/?ip.45.61.138.153) | - | - | High
|
||||
43 | [45.67.228.196](https://vuldb.com/?ip.45.67.228.196) | moe.m | - | High
|
||||
44 | [45.126.75.91](https://vuldb.com/?ip.45.126.75.91) | 43.126.75.91.stargatecommunications.com | - | High
|
||||
45 | [45.141.101.253](https://vuldb.com/?ip.45.141.101.253) | ongu.golderitu.com | - | High
|
||||
46 | [45.141.103.194](https://vuldb.com/?ip.45.141.103.194) | ptr.ruvds.com | - | High
|
||||
47 | [45.143.94.60](https://vuldb.com/?ip.45.143.94.60) | - | - | High
|
||||
48 | [45.148.120.142](https://vuldb.com/?ip.45.148.120.142) | - | - | High
|
||||
49 | [45.148.120.192](https://vuldb.com/?ip.45.148.120.192) | - | - | High
|
||||
50 | [45.153.240.191](https://vuldb.com/?ip.45.153.240.191) | - | - | High
|
||||
51 | ... | ... | ... | ...
|
||||
8 | [5.181.80.113](https://vuldb.com/?ip.5.181.80.113) | ip-80-113-bullethost.net | - | High
|
||||
9 | [5.181.80.214](https://vuldb.com/?ip.5.181.80.214) | ip-80-214-bullethost.net | - | High
|
||||
10 | [5.181.156.15](https://vuldb.com/?ip.5.181.156.15) | no-rdns.mivocloud.com | - | High
|
||||
11 | [5.181.156.166](https://vuldb.com/?ip.5.181.156.166) | 5-181-156-166.mivocloud.com | - | High
|
||||
12 | [5.181.156.226](https://vuldb.com/?ip.5.181.156.226) | no-rdns.mivocloud.com | - | High
|
||||
13 | [5.183.95.6](https://vuldb.com/?ip.5.183.95.6) | mail.zeakids.de | - | High
|
||||
14 | [5.196.197.27](https://vuldb.com/?ip.5.196.197.27) | - | - | High
|
||||
15 | [11.22.33.44](https://vuldb.com/?ip.11.22.33.44) | - | - | High
|
||||
16 | [13.56.161.214](https://vuldb.com/?ip.13.56.161.214) | ec2-13-56-161-214.us-west-1.compute.amazonaws.com | BazarLoader | Medium
|
||||
17 | [23.81.246.30](https://vuldb.com/?ip.23.81.246.30) | - | - | High
|
||||
18 | [23.82.140.137](https://vuldb.com/?ip.23.82.140.137) | - | - | High
|
||||
19 | [23.95.231.200](https://vuldb.com/?ip.23.95.231.200) | 23-95-231-200-host.colocrossing.com | - | High
|
||||
20 | [23.106.160.174](https://vuldb.com/?ip.23.106.160.174) | - | - | High
|
||||
21 | [23.146.242.134](https://vuldb.com/?ip.23.146.242.134) | - | - | High
|
||||
22 | [23.254.228.234](https://vuldb.com/?ip.23.254.228.234) | hwsrv-935246.hostwindsdns.com | - | High
|
||||
23 | [24.185.61.99](https://vuldb.com/?ip.24.185.61.99) | ool-18b93d63.dyn.optonline.net | - | High
|
||||
24 | [31.13.195.26](https://vuldb.com/?ip.31.13.195.26) | - | - | High
|
||||
25 | [31.13.195.144](https://vuldb.com/?ip.31.13.195.144) | - | - | High
|
||||
26 | [31.13.195.184](https://vuldb.com/?ip.31.13.195.184) | - | - | High
|
||||
27 | [31.14.40.95](https://vuldb.com/?ip.31.14.40.95) | - | - | High
|
||||
28 | [31.14.40.160](https://vuldb.com/?ip.31.14.40.160) | perico.cavepanel.com | BazarLoader | High
|
||||
29 | [31.14.40.220](https://vuldb.com/?ip.31.14.40.220) | - | - | High
|
||||
30 | [31.214.157.242](https://vuldb.com/?ip.31.214.157.242) | - | - | High
|
||||
31 | [34.219.130.241](https://vuldb.com/?ip.34.219.130.241) | ec2-34-219-130-241.us-west-2.compute.amazonaws.com | BazarLoader | Medium
|
||||
32 | [37.0.8.166](https://vuldb.com/?ip.37.0.8.166) | - | - | High
|
||||
33 | [37.1.209.181](https://vuldb.com/?ip.37.1.209.181) | - | - | High
|
||||
34 | [37.187.24.215](https://vuldb.com/?ip.37.187.24.215) | ns3206394.ip-37-187-24.eu | - | High
|
||||
35 | [37.220.6.122](https://vuldb.com/?ip.37.220.6.122) | mail.foxlontech.com | - | High
|
||||
36 | [37.235.53.46](https://vuldb.com/?ip.37.235.53.46) | gw1.mad1.vitalng.com | - | High
|
||||
37 | [38.88.223.172](https://vuldb.com/?ip.38.88.223.172) | - | - | High
|
||||
38 | [38.92.176.125](https://vuldb.com/?ip.38.92.176.125) | - | - | High
|
||||
39 | [38.92.191.89](https://vuldb.com/?ip.38.92.191.89) | - | - | High
|
||||
40 | [38.135.122.194](https://vuldb.com/?ip.38.135.122.194) | h194-us122.fcsrv.net | - | High
|
||||
41 | [43.126.75.91](https://vuldb.com/?ip.43.126.75.91) | - | - | High
|
||||
42 | [45.11.183.198](https://vuldb.com/?ip.45.11.183.198) | - | - | High
|
||||
43 | [45.11.183.211](https://vuldb.com/?ip.45.11.183.211) | - | - | High
|
||||
44 | [45.14.226.23](https://vuldb.com/?ip.45.14.226.23) | - | - | High
|
||||
45 | [45.14.226.47](https://vuldb.com/?ip.45.14.226.47) | - | - | High
|
||||
46 | [45.32.131.223](https://vuldb.com/?ip.45.32.131.223) | - | - | High
|
||||
47 | [45.32.132.182](https://vuldb.com/?ip.45.32.132.182) | 45.32.132.182.vultr.com | - | Medium
|
||||
48 | [45.61.136.221](https://vuldb.com/?ip.45.61.136.221) | - | - | High
|
||||
49 | [45.61.138.153](https://vuldb.com/?ip.45.61.138.153) | - | - | High
|
||||
50 | [45.67.228.196](https://vuldb.com/?ip.45.67.228.196) | moe.m | - | High
|
||||
51 | [45.126.75.91](https://vuldb.com/?ip.45.126.75.91) | 43.126.75.91.stargatecommunications.com | - | High
|
||||
52 | [45.141.101.253](https://vuldb.com/?ip.45.141.101.253) | ongu.golderitu.com | - | High
|
||||
53 | [45.141.103.194](https://vuldb.com/?ip.45.141.103.194) | ptr.ruvds.com | - | High
|
||||
54 | ... | ... | ... | ...
|
||||
|
||||
There are 202 more IOC items available. Please use our online service to access the data.
|
||||
There are 213 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
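Review bot: two rows in this IOC hunk look like data-entry errors rather than real indicators. `11.22.33.44` (row 13 old / 15 new) is a pattern-style placeholder address and is unlikely to be genuine infrastructure, yet it carries High confidence; verify it against the source or remove it, because it will be pushed to blocklists as-is. `45.126.75.91` (row 44 old / 51 new) is listed with the reverse name `43.126.75.91.stargatecommunications.com`, which belongs to `43.126.75.91`, itself a separate row a few lines above (row 34 old / 41 new); one of the two addresses is almost certainly a typo of the other, so check which one the underlying report names and keep only that one.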
@ -127,22 +131,22 @@ ID | Type | Indicator | Confidence
|
|||
25 | File | `/uncpath/` | Medium
|
||||
26 | File | `/usr/bin/pkexec` | High
|
||||
27 | File | `/usr/sbin/suexec` | High
|
||||
28 | File | `/WEB-INF/web.xml` | High
|
||||
29 | File | `/wp-admin/admin-ajax.php` | High
|
||||
30 | File | `/wp-json/wc/v3/webhooks` | High
|
||||
31 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
32 | File | `AccountManagerService.java` | High
|
||||
33 | File | `actions/CompanyDetailsSave.php` | High
|
||||
34 | File | `ActivityManagerService.java` | High
|
||||
35 | File | `admin.php` | Medium
|
||||
36 | File | `admin.php?page=languages` | High
|
||||
37 | File | `admin/add-glossary.php` | High
|
||||
38 | File | `admin/admin.php` | High
|
||||
39 | File | `admin/conf_users_edit.php` | High
|
||||
40 | File | `admin/edit-comments.php` | High
|
||||
28 | File | `/wp-admin/admin-ajax.php` | High
|
||||
29 | File | `/wp-json/wc/v3/webhooks` | High
|
||||
30 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
31 | File | `AccountManagerService.java` | High
|
||||
32 | File | `actions/CompanyDetailsSave.php` | High
|
||||
33 | File | `ActivityManagerService.java` | High
|
||||
34 | File | `admin.php` | Medium
|
||||
35 | File | `admin.php?page=languages` | High
|
||||
36 | File | `admin/add-glossary.php` | High
|
||||
37 | File | `admin/admin.php` | High
|
||||
38 | File | `admin/conf_users_edit.php` | High
|
||||
39 | File | `admin/edit-comments.php` | High
|
||||
40 | File | `admin/src/containers/InputModalStepperProvider/index.js` | High
|
||||
41 | ... | ... | ...
|
||||
|
||||
There are 357 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 356 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
@ -150,6 +154,9 @@ The following list contains _external sources_ which discuss the actor and the a
|
|||
|
||||
* https://ddanchev.blogspot.com/2022/02/exposing-conti-ransomware-gang-osint_28.html
|
||||
* https://github.com/sophoslabs/IoCs/blob/master/Ransomware-Conti.csv
|
||||
* https://thedfirreport.com/2021/05/12/conti-ransomware/
|
||||
* https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/
|
||||
* https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
|
||||
* https://therecord.media/disgruntled-ransomware-affiliate-leaks-the-conti-gangs-technical-manuals/
|
||||
* https://twitter.com/cherryblond83/status/1498133186316062724
|
||||
* https://twitter.com/vxunderground/status/1414809517993435139
|
||||
|
|
|
@ -13,7 +13,7 @@ The following _campaigns_ are known and can be associated with DPRK:
|
|||
* DrillMalware
|
||||
* ...
|
||||
|
||||
There are 2 more campaign items available. Please use our online service to access the data.
|
||||
There are 3 more campaign items available. Please use our online service to access the data.
|
||||
|
||||
## Countries
|
||||
|
||||
|
@ -57,7 +57,7 @@ ID | IP address | Hostname | Campaign | Confidence
|
|||
27 | [57.73.224.0](https://vuldb.com/?ip.57.73.224.0) | - | - | High
|
||||
28 | ... | ... | ... | ...
|
||||
|
||||
There are 108 more IOC items available. Please use our online service to access the data.
|
||||
There are 109 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
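Review bot: row 27 (`57.73.224.0`) ends in a zero host octet and is listed at High confidence; such an address is usually the network identifier of a block rather than a host that was actually observed. Check whether the source reports a range (which this table cannot express) or a single host, and if it is a range, record it as such rather than as one IP that no traffic will ever match.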
@ -125,6 +125,7 @@ The following list contains _external sources_ which discuss the actor and the a
|
|||
* https://github.com/blackorbird/APT_REPORT/tree/master/International%20Strategic/Korea
|
||||
* https://github.com/mandatoryprogrammer/NorthKoreaDNSLeak
|
||||
* https://raidforums.com/Thread-North-Korean-IP-Addresses-300
|
||||
* https://stairwell.com/wp-content/uploads/2022/04/Stairwell-threat-report-The-ink-stained-trail-of-GOLDBACKDOOR.pdf
|
||||
* https://us-cert.cisa.gov/ncas/alerts/aa21-048a
|
||||
* https://us-cert.cisa.gov/ncas/analysis-reports/AR19-100A
|
||||
* https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a
|
||||
|
|
|
@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
* [ES](https://vuldb.com/?country.es)
|
||||
* ...
|
||||
|
||||
There are 8 more country items available. Please use our online service to access the data.
|
||||
There are 9 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -36,12 +36,13 @@ ID | IP address | Hostname | Campaign | Confidence
|
|||
13 | [23.36.85.183](https://vuldb.com/?ip.23.36.85.183) | a23-36-85-183.deploy.static.akamaitechnologies.com | - | High
|
||||
14 | [23.38.131.139](https://vuldb.com/?ip.23.38.131.139) | a23-38-131-139.deploy.static.akamaitechnologies.com | - | High
|
||||
15 | [23.64.110.64](https://vuldb.com/?ip.23.64.110.64) | a23-64-110-64.deploy.static.akamaitechnologies.com | - | High
|
||||
16 | [23.78.173.83](https://vuldb.com/?ip.23.78.173.83) | a23-78-173-83.deploy.static.akamaitechnologies.com | - | High
|
||||
17 | [31.170.166.110](https://vuldb.com/?ip.31.170.166.110) | - | - | High
|
||||
18 | [31.193.90.60](https://vuldb.com/?ip.31.193.90.60) | - | - | High
|
||||
19 | ... | ... | ... | ...
|
||||
16 | [23.67.200.172](https://vuldb.com/?ip.23.67.200.172) | a23-67-200-172.deploy.static.akamaitechnologies.com | - | High
|
||||
17 | [23.78.173.83](https://vuldb.com/?ip.23.78.173.83) | a23-78-173-83.deploy.static.akamaitechnologies.com | - | High
|
||||
18 | [31.170.166.110](https://vuldb.com/?ip.31.170.166.110) | - | - | High
|
||||
19 | [31.193.90.60](https://vuldb.com/?ip.31.193.90.60) | - | - | High
|
||||
20 | ... | ... | ... | ...
|
||||
|
||||
There are 70 more IOC items available. Please use our online service to access the data.
|
||||
There are 74 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
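Review bot: the rows whose reverse names fall under `deploy.static.akamaitechnologies.com` (rows 13-16 old, rows 16-17 new, including the newly added `23.67.200.172`) are Akamai edge nodes, i.e. shared CDN infrastructure serving many unrelated customers. At High confidence they will make any consumer that blocks or alerts on this table fire on legitimate traffic; either lower the confidence or record the actor-specific host name or URL that was observed behind the CDN instead of the edge address.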
@ -51,10 +52,10 @@ ID | Technique | Weakness | Description | Confidence
|
|||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-250, CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1211 | CWE-254 | 7PK Security Features | High
|
||||
3 | T1110.001 | CWE-307 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 3 more TTP items available. Please use our online service to access the data.
|
||||
There are 4 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -63,22 +64,24 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `.htaccess` | Medium
|
||||
2 | File | `/modules/tasks/summary.inc.php` | High
|
||||
3 | File | `/usr/bin/pkexec` | High
|
||||
4 | File | `/var/WEB-GUI/cgi-bin/telnet.cgi` | High
|
||||
5 | File | `/wp-content/plugins/woocommerce/templates/emails/plain/` | High
|
||||
6 | File | `admin.php` | Medium
|
||||
7 | File | `adminpasswd.cgi` | High
|
||||
8 | File | `ajax.php` | Medium
|
||||
9 | File | `apache2/modsecurity.c` | High
|
||||
10 | ... | ... | ...
|
||||
2 | File | `/etc/puppetlabs/puppetserver/conf.d/ca.conf` | High
|
||||
3 | File | `/modules/tasks/summary.inc.php` | High
|
||||
4 | File | `/usr/bin/pkexec` | High
|
||||
5 | File | `/var/WEB-GUI/cgi-bin/telnet.cgi` | High
|
||||
6 | File | `/wp-content/plugins/woocommerce/templates/emails/plain/` | High
|
||||
7 | File | `admin.php` | Medium
|
||||
8 | File | `adminpasswd.cgi` | High
|
||||
9 | File | `ajax.php` | Medium
|
||||
10 | File | `apache2/modsecurity.c` | High
|
||||
11 | ... | ... | ...
|
||||
|
||||
There are 79 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 80 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://blog.talosintelligence.com/2019/05/threat-roundup-0517-0524.html
|
||||
* https://blog.talosintelligence.com/2021/01/threat-roundup-0122.html
|
||||
* https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html
|
||||
* https://blog.talosintelligence.com/2021/03/threat-roundup-0226-0305.html
|
||||
|
@ -89,6 +92,7 @@ The following list contains _external sources_ which discuss the actor and the a
|
|||
* https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html
|
||||
* https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
|
||||
* https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
|
||||
* https://blog.talosintelligence.com/2022/04/threat-roundup-0325-0401.html
|
||||
|
||||
## Literature
|
||||
|
||||
|
|
|
@ -0,0 +1,60 @@
|
|||
# Dorkbot - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Dorkbot](https://vuldb.com/?actor.dorkbot). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.dorkbot](https://vuldb.com/?actor.dorkbot)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Dorkbot:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [FR](https://vuldb.com/?country.fr)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Dorkbot.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [13.107.21.200](https://vuldb.com/?ip.13.107.21.200) | - | - | High
|
||||
2 | [204.79.197.200](https://vuldb.com/?ip.204.79.197.200) | a-0001.a-msedge.net | - | High
|
||||
3 | [212.83.168.196](https://vuldb.com/?ip.212.83.168.196) | 212-83-168-196.rev.poneytelecom.eu | - | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Dorkbot_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Dorkbot. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `countrydetails.php` | High
|
||||
2 | File | `data/gbconfiguration.dat` | High
|
||||
3 | File | `db_central_columns.php` | High
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 8 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://blog.talosintelligence.com/2019/09/threat-roundup-0830-0906.html
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
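Review bot: the IOC table in this new file lists `204.79.197.200` with reverse name `a-0001.a-msedge.net`, a Microsoft anycast edge name, and `13.107.21.200` from the neighbouring Microsoft range, both at High confidence. Traffic to these addresses is routine for every Windows and Edge client, so as IOCs they will produce constant false positives; unless the source shows actor-controlled use, lower the confidence or drop them. Also, this IOC table has no `...` row and no "more items" sentence while the IOA table below has both, so confirm that the three rows really are the complete set.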
@ -17,9 +17,6 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
* [CN](https://vuldb.com/?country.cn)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [GB](https://vuldb.com/?country.gb)
|
||||
* ...
|
||||
|
||||
There are 1 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
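Review bot: this hunk removes `* [GB](...)`, the `* ...` row and the "There are 1 more country items" sentence, which silently shrinks the country list from at least five entries to two. In a commit titled "Update" that elsewhere only adds data, confirm this is a deliberate correction of the attribution rather than a truncated export, and if it is deliberate, the commit message should say so.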
@ -62,44 +59,49 @@ ID | Type | Indicator | Confidence
3 | File | `/#/CampaignManager/users` | High
4 | File | `//` | Low
5 | File | `/admin.php?action=themeinstall` | High
6 | File | `/admin/index.php?id=themes&action=edit_template&filename=blog` | High
7 | File | `/admin/login.php` | High
8 | File | `/apply_noauth.cgi` | High
9 | File | `/article/comment` | High
6 | File | `/admin/?setting-base.htm` | High
7 | File | `/admin/admin_login.php` | High
8 | File | `/admin/login.php` | High
9 | File | `/apply_noauth.cgi` | High
10 | File | `/audit/log/log_management.php` | High
11 | File | `/backup/lispbx-CONF-YYYY-MM-DD.tar` | High
12 | File | `/bin/login` | Medium
13 | File | `/bin/sh` | Low
14 | File | `/cgi-bin/login` | High
15 | File | `/cgi/sshcheck.cgi` | High
16 | File | `/classes/profile.class.php` | High
17 | File | `/crmeb/crmeb/services/UploadService.php` | High
18 | File | `/dev/tty` | Medium
19 | File | `/downloads/` | Medium
20 | File | `/IISADMPWD` | Medium
21 | File | `/inc/session.php` | High
22 | File | `/index.php` | Medium
23 | File | `/mcms/view.do` | High
11 | File | `/bin/login` | Medium
12 | File | `/bin/sh` | Low
13 | File | `/cgi-bin/login` | High
14 | File | `/classes/profile.class.php` | High
15 | File | `/dev/tty` | Medium
16 | File | `/doorgets/app/requests/user/modulecategoryRequest.php` | High
17 | File | `/downloads/` | Medium
18 | File | `/IISADMPWD` | Medium
19 | File | `/inc/session.php` | High
20 | File | `/index.php` | Medium
21 | File | `/login` | Low
22 | File | `/login.html` | Medium
23 | File | `/magnoliaPublic/travel/members/login.html` | High
24 | File | `/member/index/login.html` | High
25 | File | `/modules/certinfo/index.php` | High
26 | File | `/post/editing` | High
27 | File | `/public/plugins/` | High
28 | File | `/restful-services/publish` | High
29 | File | `/ScadaBR/login.htm` | High
30 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
31 | File | `/system/tool/ping.php` | High
32 | File | `/upload` | Low
33 | File | `/usr/bin/pkexec` | High
34 | File | `/usr/sbin/mini_httpd` | High
35 | File | `/vendor/phpdocumentor/reflection-docblock/tests/phpDocumentor/Reflection/DocBlock/Tag/LinkTagTeet.php` | High
36 | File | `?location=search` | High
37 | File | `account/login.php` | High
38 | File | `add.asp` | Low
39 | File | `admin.home.php` | High
40 | File | `admin.php` | Medium
41 | ... | ... | ...
26 | File | `/restful-services/publish` | High
27 | File | `/ScadaBR/login.htm` | High
28 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
29 | File | `/system/tool/ping.php` | High
30 | File | `/upload` | Low
31 | File | `/usr/bin/pkexec` | High
32 | File | `/var/adm/btmp` | High
33 | File | `?location=search` | High
34 | File | `account/login.php` | High
35 | File | `add.asp` | Low
36 | File | `add.php` | Low
37 | File | `admin.inc.php` | High
38 | File | `admin.php` | Medium
39 | File | `admin.php?m=backup&c=backup&a=doback` | High
40 | File | `admin/conf_users_edit.php` | High
41 | File | `admin/index.php` | High
42 | File | `admin/login.asp` | High
43 | File | `admin/login.php` | High
44 | File | `admin/nos/login` | High
45 | File | `admin\db\DoSql.php` | High
46 | ... | ... | ...

There are 355 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 396 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

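Review bot: the ID column in this IOA table is positional and is renumbered whenever rows are inserted or removed (row 6 changes from `/admin/index.php?id=themes&action=edit_template&filename=blog` to `/admin/?setting-base.htm`, `/restful-services/publish` moves from 26 to 28, and the truncation marker moves from 41 to 46), so nothing downstream can treat an ID as a stable reference to an indicator; key rows on Type plus Indicator value, or drop the column from the published file. The same table carries indicators such as `//`, `/bin/sh`, `/login`, `/upload` and `/index.php` at Low or Medium confidence; anyone matching these mechanically against web or host logs will alert on nearly every request, so either the Confidence column has to be honored by consumers or these rows should be filtered out of the published list. The trailing count line also changes from 355 to 396 more items while only the first 46 rows are shown, so this diff alone cannot be used to verify which indicators were actually added or removed.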
@ -10,10 +10,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce

* [VN](https://vuldb.com/?country.vn)
* [US](https://vuldb.com/?country.us)
* [GB](https://vuldb.com/?country.gb)
* ...

There are 4 more country items available. Please use our online service to access the data.
* [CN](https://vuldb.com/?country.cn)

## IOC - Indicator of Compromise

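Review bot: the country list in this hunk drops `VN`, `US`, `GB`, the `...` continuation and the "4 more country items" line and replaces them with a single `CN` entry, which is a complete reversal of the actor's geographic association rather than an incremental update; confirm the regenerated data is correct before publishing, because consumers that use these files for attribution or geo-blocking would see the actor's origin change outright in one commit with no explanation in the file.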
@ -46,203 +43,266 @@ ID | IP address | Hostname | Campaign | Confidence
|
|||
23 | [5.159.57.195](https://vuldb.com/?ip.5.159.57.195) | www-riedle.transfermarkt.de | - | High
|
||||
24 | [5.196.35.138](https://vuldb.com/?ip.5.196.35.138) | vps10.open-techno.net | - | High
|
||||
25 | [5.196.73.150](https://vuldb.com/?ip.5.196.73.150) | ns3000085.ip-5-196-73.eu | - | High
|
||||
26 | [5.230.193.41](https://vuldb.com/?ip.5.230.193.41) | casagarcia-web.sys.netzfabrik.eu | - | High
|
||||
27 | [8.4.9.137](https://vuldb.com/?ip.8.4.9.137) | onlinehorizons.net | - | High
|
||||
28 | [8.247.6.134](https://vuldb.com/?ip.8.247.6.134) | - | - | High
|
||||
29 | [12.6.183.21](https://vuldb.com/?ip.12.6.183.21) | - | - | High
|
||||
30 | [12.32.68.154](https://vuldb.com/?ip.12.32.68.154) | mail.sealscoinc.com | - | High
|
||||
31 | [12.149.72.170](https://vuldb.com/?ip.12.149.72.170) | - | - | High
|
||||
32 | [12.162.84.2](https://vuldb.com/?ip.12.162.84.2) | - | - | High
|
||||
33 | [12.163.208.58](https://vuldb.com/?ip.12.163.208.58) | - | - | High
|
||||
34 | [12.182.146.226](https://vuldb.com/?ip.12.182.146.226) | - | - | High
|
||||
35 | [12.184.217.101](https://vuldb.com/?ip.12.184.217.101) | - | - | High
|
||||
36 | [12.222.134.10](https://vuldb.com/?ip.12.222.134.10) | - | - | High
|
||||
37 | [12.238.114.130](https://vuldb.com/?ip.12.238.114.130) | - | - | High
|
||||
38 | [23.6.65.194](https://vuldb.com/?ip.23.6.65.194) | a23-6-65-194.deploy.static.akamaitechnologies.com | - | High
|
||||
39 | [23.36.85.183](https://vuldb.com/?ip.23.36.85.183) | a23-36-85-183.deploy.static.akamaitechnologies.com | - | High
|
||||
40 | [23.199.63.11](https://vuldb.com/?ip.23.199.63.11) | a23-199-63-11.deploy.static.akamaitechnologies.com | - | High
|
||||
41 | [23.199.71.185](https://vuldb.com/?ip.23.199.71.185) | a23-199-71-185.deploy.static.akamaitechnologies.com | - | High
|
||||
42 | [23.239.2.11](https://vuldb.com/?ip.23.239.2.11) | li683-11.members.linode.com | - | High
|
||||
43 | [23.254.203.51](https://vuldb.com/?ip.23.254.203.51) | hwsrv-779084.hostwindsdns.com | - | High
|
||||
44 | [24.40.239.62](https://vuldb.com/?ip.24.40.239.62) | 24-40-239-62.fidnet.com | - | High
|
||||
45 | [24.43.99.75](https://vuldb.com/?ip.24.43.99.75) | rrcs-24-43-99-75.west.biz.rr.com | - | High
|
||||
46 | [24.101.229.82](https://vuldb.com/?ip.24.101.229.82) | dynamic-acs-24-101-229-82.zoominternet.net | - | High
|
||||
47 | [24.116.40.208](https://vuldb.com/?ip.24.116.40.208) | 24-116-40-208.cpe.sparklight.net | - | High
|
||||
48 | [24.119.116.230](https://vuldb.com/?ip.24.119.116.230) | 24-119-116-230.cpe.sparklight.net | - | High
|
||||
49 | [24.121.176.48](https://vuldb.com/?ip.24.121.176.48) | 24-121-176-48.prkrcmtc01.com.sta.suddenlink.net | - | High
|
||||
50 | [24.137.76.62](https://vuldb.com/?ip.24.137.76.62) | host-24-137-76-62.public.eastlink.ca | - | High
|
||||
51 | [24.178.90.49](https://vuldb.com/?ip.24.178.90.49) | 024-178-090-049.res.spectrum.com | - | High
|
||||
52 | [24.179.13.119](https://vuldb.com/?ip.24.179.13.119) | 024-179-013-119.res.spectrum.com | - | High
|
||||
53 | [24.201.79.34](https://vuldb.com/?ip.24.201.79.34) | modemcable034.79-201-24.mc.videotron.ca | - | High
|
||||
54 | [24.203.4.40](https://vuldb.com/?ip.24.203.4.40) | modemcable040.4-203-24.mc.videotron.ca | - | High
|
||||
55 | [24.217.117.217](https://vuldb.com/?ip.24.217.117.217) | 024-217-117-217.res.spectrum.com | - | High
|
||||
56 | [24.232.228.233](https://vuldb.com/?ip.24.232.228.233) | OL233-228.fibertel.com.ar | - | High
|
||||
57 | [24.244.177.40](https://vuldb.com/?ip.24.244.177.40) | - | - | High
|
||||
58 | [27.50.89.209](https://vuldb.com/?ip.27.50.89.209) | 27-50-89-209.as45671.net | - | High
|
||||
59 | [27.78.27.110](https://vuldb.com/?ip.27.78.27.110) | localhost | - | High
|
||||
60 | [27.82.13.10](https://vuldb.com/?ip.27.82.13.10) | KD027082013010.ppp-bb.dion.ne.jp | - | High
|
||||
61 | [27.109.24.214](https://vuldb.com/?ip.27.109.24.214) | - | - | High
|
||||
62 | [27.114.9.93](https://vuldb.com/?ip.27.114.9.93) | i27-114-9-93.s41.a011.ap.plala.or.jp | - | High
|
||||
63 | [31.24.158.56](https://vuldb.com/?ip.31.24.158.56) | bm.servidoresdedicados.com | - | High
|
||||
64 | [31.167.248.50](https://vuldb.com/?ip.31.167.248.50) | - | - | High
|
||||
65 | [35.190.87.116](https://vuldb.com/?ip.35.190.87.116) | 116.87.190.35.bc.googleusercontent.com | - | Medium
|
||||
66 | [36.91.44.183](https://vuldb.com/?ip.36.91.44.183) | - | - | High
|
||||
67 | [37.46.129.215](https://vuldb.com/?ip.37.46.129.215) | we-too.ru | - | High
|
||||
68 | [37.97.135.82](https://vuldb.com/?ip.37.97.135.82) | 37-97-135-82.colo.transip.net | - | High
|
||||
69 | [37.120.175.15](https://vuldb.com/?ip.37.120.175.15) | v220220112692175454.nicesrv.de | - | High
|
||||
70 | [37.139.21.175](https://vuldb.com/?ip.37.139.21.175) | 37.139.21.175-e2-8080-keep-up | - | High
|
||||
71 | [37.179.204.33](https://vuldb.com/?ip.37.179.204.33) | - | - | High
|
||||
72 | [37.187.4.178](https://vuldb.com/?ip.37.187.4.178) | ks2.kku.io | - | High
|
||||
73 | [37.187.57.57](https://vuldb.com/?ip.37.187.57.57) | ns3357940.ovh.net | - | High
|
||||
74 | [37.187.72.193](https://vuldb.com/?ip.37.187.72.193) | ns3362285.ip-37-187-72.eu | - | High
|
||||
75 | [37.187.161.206](https://vuldb.com/?ip.37.187.161.206) | toolbox.alabs.io | - | High
|
||||
76 | [37.205.9.252](https://vuldb.com/?ip.37.205.9.252) | s1.ithelp24.eu | - | High
|
||||
77 | [37.221.70.250](https://vuldb.com/?ip.37.221.70.250) | b2b-customer.inftele.net | - | High
|
||||
78 | [41.76.108.46](https://vuldb.com/?ip.41.76.108.46) | - | - | High
|
||||
79 | [41.169.36.237](https://vuldb.com/?ip.41.169.36.237) | - | - | High
|
||||
80 | [41.185.28.84](https://vuldb.com/?ip.41.185.28.84) | brf01-nix01.wadns.net | - | High
|
||||
81 | [41.185.29.128](https://vuldb.com/?ip.41.185.29.128) | abp79-nix01.wadns.net | - | High
|
||||
82 | [41.204.202.41](https://vuldb.com/?ip.41.204.202.41) | www41.cpt2.host-h.net | - | High
|
||||
83 | [41.231.225.139](https://vuldb.com/?ip.41.231.225.139) | - | - | High
|
||||
84 | [42.62.40.103](https://vuldb.com/?ip.42.62.40.103) | - | - | High
|
||||
85 | [45.16.226.117](https://vuldb.com/?ip.45.16.226.117) | 45-16-226-117.lightspeed.sndgca.sbcglobal.net | - | High
|
||||
86 | [45.33.77.42](https://vuldb.com/?ip.45.33.77.42) | li1023-42.members.linode.com | - | High
|
||||
87 | [45.46.37.97](https://vuldb.com/?ip.45.46.37.97) | cpe-45-46-37-97.maine.res.rr.com | - | High
|
||||
88 | [45.55.36.51](https://vuldb.com/?ip.45.55.36.51) | - | - | High
|
||||
89 | [45.55.219.163](https://vuldb.com/?ip.45.55.219.163) | - | - | High
|
||||
90 | [45.79.95.107](https://vuldb.com/?ip.45.79.95.107) | li1194-107.members.linode.com | - | High
|
||||
91 | [45.80.148.200](https://vuldb.com/?ip.45.80.148.200) | - | - | High
|
||||
92 | [45.118.115.99](https://vuldb.com/?ip.45.118.115.99) | - | - | High
|
||||
93 | [45.118.135.203](https://vuldb.com/?ip.45.118.135.203) | 45-118-135-203.ip.linodeusercontent.com | - | High
|
||||
94 | [45.142.114.231](https://vuldb.com/?ip.45.142.114.231) | mail.dounutmail.de | - | High
|
||||
95 | [45.176.232.124](https://vuldb.com/?ip.45.176.232.124) | - | - | High
|
||||
96 | [45.230.45.171](https://vuldb.com/?ip.45.230.45.171) | - | - | High
|
||||
97 | [46.4.100.178](https://vuldb.com/?ip.46.4.100.178) | support.wizard-shopservice.de | - | High
|
||||
98 | [46.4.192.185](https://vuldb.com/?ip.46.4.192.185) | static.185.192.4.46.clients.your-server.de | - | High
|
||||
99 | [46.28.111.142](https://vuldb.com/?ip.46.28.111.142) | enkindu.jsuchy.net | - | High
|
||||
100 | [46.32.229.152](https://vuldb.com/?ip.46.32.229.152) | 094882.vps-10.com | - | High
|
||||
101 | [46.32.233.226](https://vuldb.com/?ip.46.32.233.226) | yetitoolusa.com | - | High
|
||||
102 | [46.38.238.8](https://vuldb.com/?ip.46.38.238.8) | v2202109122001163131.happysrv.de | - | High
|
||||
103 | [46.43.2.95](https://vuldb.com/?ip.46.43.2.95) | chris.default.cjenkinson.uk0.bigv.io | - | High
|
||||
104 | [46.55.222.11](https://vuldb.com/?ip.46.55.222.11) | - | - | High
|
||||
105 | [46.101.58.37](https://vuldb.com/?ip.46.101.58.37) | 46.101.58.37-e1-8080 | - | High
|
||||
106 | [46.105.81.76](https://vuldb.com/?ip.46.105.81.76) | myu0.cylipo.sbs | - | High
|
||||
107 | [46.105.114.137](https://vuldb.com/?ip.46.105.114.137) | ns3188253.ip-46-105-114.eu | - | High
|
||||
108 | [46.105.131.68](https://vuldb.com/?ip.46.105.131.68) | http.adven.fr | - | High
|
||||
109 | [46.105.131.69](https://vuldb.com/?ip.46.105.131.69) | epouventaille.adven.fr | - | High
|
||||
110 | [46.105.131.79](https://vuldb.com/?ip.46.105.131.79) | relay.adven.fr | - | High
|
||||
111 | [46.105.131.87](https://vuldb.com/?ip.46.105.131.87) | pop.adven.fr | - | High
|
||||
112 | [46.105.236.18](https://vuldb.com/?ip.46.105.236.18) | - | - | High
|
||||
113 | [46.165.212.76](https://vuldb.com/?ip.46.165.212.76) | - | - | High
|
||||
114 | [46.165.254.206](https://vuldb.com/?ip.46.165.254.206) | - | - | High
|
||||
115 | [46.214.107.142](https://vuldb.com/?ip.46.214.107.142) | 46-214-107-142.next-gen.ro | - | High
|
||||
116 | [47.36.140.164](https://vuldb.com/?ip.47.36.140.164) | 047-036-140-164.res.spectrum.com | - | High
|
||||
117 | [47.146.39.147](https://vuldb.com/?ip.47.146.39.147) | - | - | High
|
||||
118 | [47.150.11.161](https://vuldb.com/?ip.47.150.11.161) | - | - | High
|
||||
119 | [47.188.131.94](https://vuldb.com/?ip.47.188.131.94) | - | - | High
|
||||
120 | [47.201.208.154](https://vuldb.com/?ip.47.201.208.154) | - | - | High
|
||||
121 | [47.246.24.225](https://vuldb.com/?ip.47.246.24.225) | - | - | High
|
||||
122 | [47.246.24.226](https://vuldb.com/?ip.47.246.24.226) | - | - | High
|
||||
123 | [47.246.24.230](https://vuldb.com/?ip.47.246.24.230) | - | - | High
|
||||
124 | [47.246.24.232](https://vuldb.com/?ip.47.246.24.232) | - | - | High
|
||||
125 | [49.12.121.47](https://vuldb.com/?ip.49.12.121.47) | filezilla-project.org | - | High
|
||||
126 | [49.50.209.131](https://vuldb.com/?ip.49.50.209.131) | 131.host-49-50-209.euba.megatel.co.nz | - | High
|
||||
127 | [49.212.135.76](https://vuldb.com/?ip.49.212.135.76) | os3-321-50322.vs.sakura.ne.jp | - | High
|
||||
128 | [49.212.155.94](https://vuldb.com/?ip.49.212.155.94) | os3-325-52340.vs.sakura.ne.jp | - | High
|
||||
129 | [50.28.51.143](https://vuldb.com/?ip.50.28.51.143) | - | - | High
|
||||
130 | [50.30.40.196](https://vuldb.com/?ip.50.30.40.196) | usve255301.serverprofi24.com | - | High
|
||||
131 | [50.31.146.101](https://vuldb.com/?ip.50.31.146.101) | mail.brillinjurylaw.com | - | High
|
||||
132 | [50.56.135.44](https://vuldb.com/?ip.50.56.135.44) | - | - | High
|
||||
133 | [50.62.194.30](https://vuldb.com/?ip.50.62.194.30) | ip-50-62-194-30.ip.secureserver.net | - | High
|
||||
134 | [50.78.167.65](https://vuldb.com/?ip.50.78.167.65) | millcreek.cc | - | High
|
||||
135 | [50.91.114.38](https://vuldb.com/?ip.50.91.114.38) | 050-091-114-038.res.spectrum.com | - | High
|
||||
136 | [50.92.101.60](https://vuldb.com/?ip.50.92.101.60) | d50-92-101-60.bchsia.telus.net | - | High
|
||||
137 | [50.116.54.215](https://vuldb.com/?ip.50.116.54.215) | li440-215.members.linode.com | - | High
|
||||
138 | [50.116.78.109](https://vuldb.com/?ip.50.116.78.109) | intersearchmedia.com | - | High
|
||||
139 | [50.245.107.73](https://vuldb.com/?ip.50.245.107.73) | 50-245-107-73-static.hfc.comcastbusiness.net | - | High
|
||||
140 | [51.15.4.22](https://vuldb.com/?ip.51.15.4.22) | 51-15-4-22.rev.poneytelecom.eu | - | High
|
||||
141 | [51.15.7.145](https://vuldb.com/?ip.51.15.7.145) | 51-15-7-145.rev.poneytelecom.eu | - | High
|
||||
142 | [51.38.201.19](https://vuldb.com/?ip.51.38.201.19) | ip19.ip-51-38-201.eu | - | High
|
||||
143 | [51.75.33.120](https://vuldb.com/?ip.51.75.33.120) | ip120.ip-51-75-33.eu | - | High
|
||||
144 | [51.75.33.127](https://vuldb.com/?ip.51.75.33.127) | ip127.ip-51-75-33.eu | - | High
|
||||
145 | [51.89.36.180](https://vuldb.com/?ip.51.89.36.180) | ip180.ip-51-89-36.eu | - | High
|
||||
146 | [51.89.199.141](https://vuldb.com/?ip.51.89.199.141) | ip141.ip-51-89-199.eu | - | High
|
||||
147 | [51.91.7.5](https://vuldb.com/?ip.51.91.7.5) | ns3147667.ip-51-91-7.eu | - | High
|
||||
148 | [51.91.76.89](https://vuldb.com/?ip.51.91.76.89) | 89.ip-51-91-76.eu | - | High
|
||||
149 | [51.159.23.217](https://vuldb.com/?ip.51.159.23.217) | jambold.co.uk | - | High
|
||||
150 | [51.159.35.157](https://vuldb.com/?ip.51.159.35.157) | 51-159-35-157.rev.poneytelecom.eu | - | High
|
||||
151 | [51.254.140.238](https://vuldb.com/?ip.51.254.140.238) | 238.ip-51-254-140.eu | - | High
|
||||
152 | [51.255.50.164](https://vuldb.com/?ip.51.255.50.164) | vps-b6cfe010.vps.ovh.net | - | High
|
||||
153 | [51.255.165.160](https://vuldb.com/?ip.51.255.165.160) | 160.ip-51-255-165.eu | - | High
|
||||
154 | [52.66.202.63](https://vuldb.com/?ip.52.66.202.63) | ec2-52-66-202-63.ap-south-1.compute.amazonaws.com | - | Medium
|
||||
155 | [54.38.143.245](https://vuldb.com/?ip.54.38.143.245) | tools.inovato.me | - | High
|
||||
156 | [58.27.215.3](https://vuldb.com/?ip.58.27.215.3) | 58-27-215-3.wateen.net | - | High
|
||||
157 | [58.94.58.13](https://vuldb.com/?ip.58.94.58.13) | i58-94-58-13.s41.a014.ap.plala.or.jp | - | High
|
||||
158 | [58.216.16.130](https://vuldb.com/?ip.58.216.16.130) | - | - | High
|
||||
159 | [58.227.42.236](https://vuldb.com/?ip.58.227.42.236) | - | - | High
|
||||
160 | [59.148.253.194](https://vuldb.com/?ip.59.148.253.194) | 059148253194.ctinets.com | - | High
|
||||
161 | [59.152.93.46](https://vuldb.com/?ip.59.152.93.46) | 46.93.152.59.zipnetltd.com | - | High
|
||||
162 | [60.93.23.51](https://vuldb.com/?ip.60.93.23.51) | softbank060093023051.bbtec.net | - | High
|
||||
163 | [60.108.128.186](https://vuldb.com/?ip.60.108.128.186) | softbank060108128186.bbtec.net | - | High
|
||||
164 | [60.125.114.64](https://vuldb.com/?ip.60.125.114.64) | softbank060125114064.bbtec.net | - | High
|
||||
165 | [60.249.78.226](https://vuldb.com/?ip.60.249.78.226) | 60-249-78-226.hinet-ip.hinet.net | - | High
|
||||
166 | [61.19.246.238](https://vuldb.com/?ip.61.19.246.238) | - | - | High
|
||||
167 | [62.30.7.67](https://vuldb.com/?ip.62.30.7.67) | 67.7-30-62.static.virginmediabusiness.co.uk | - | High
|
||||
168 | [62.75.141.82](https://vuldb.com/?ip.62.75.141.82) | static-ip-62-75-141-82.inaddr.ip-pool.com | - | High
|
||||
169 | [62.84.75.50](https://vuldb.com/?ip.62.84.75.50) | mail.saadegrp.com.lb | - | High
|
||||
170 | [62.171.142.179](https://vuldb.com/?ip.62.171.142.179) | vmi499457.contaboserver.net | - | High
|
||||
171 | [62.212.34.102](https://vuldb.com/?ip.62.212.34.102) | - | - | High
|
||||
172 | [64.60.82.82](https://vuldb.com/?ip.64.60.82.82) | 64-60-82-82.static-ip.telepacific.net | - | High
|
||||
173 | [64.71.36.11](https://vuldb.com/?ip.64.71.36.11) | - | - | High
|
||||
174 | [64.190.63.136](https://vuldb.com/?ip.64.190.63.136) | - | - | High
|
||||
175 | [64.207.182.168](https://vuldb.com/?ip.64.207.182.168) | - | - | High
|
||||
176 | [66.23.200.58](https://vuldb.com/?ip.66.23.200.58) | - | - | High
|
||||
177 | [66.50.57.73](https://vuldb.com/?ip.66.50.57.73) | 66-50-57-73.prtc.net | - | High
|
||||
178 | [66.54.51.172](https://vuldb.com/?ip.66.54.51.172) | - | - | High
|
||||
179 | [66.76.26.33](https://vuldb.com/?ip.66.76.26.33) | 66-76-26-33.hdsncmta01.com.sta.suddenlink.net | - | High
|
||||
180 | [66.209.69.165](https://vuldb.com/?ip.66.209.69.165) | - | - | High
|
||||
181 | [66.228.32.31](https://vuldb.com/?ip.66.228.32.31) | li282-31.members.linode.com | - | High
|
||||
182 | [66.228.61.248](https://vuldb.com/?ip.66.228.61.248) | li318-248.members.linode.com | - | High
|
||||
183 | [67.19.105.107](https://vuldb.com/?ip.67.19.105.107) | ns2.datatrust.com.br | - | High
|
||||
184 | [67.68.235.25](https://vuldb.com/?ip.67.68.235.25) | bas10-montrealak-67-68-235-25.dsl.bell.ca | - | High
|
||||
185 | [67.170.250.203](https://vuldb.com/?ip.67.170.250.203) | c-67-170-250-203.hsd1.ca.comcast.net | - | High
|
||||
186 | [67.225.218.50](https://vuldb.com/?ip.67.225.218.50) | lb01.parklogic.com | - | High
|
||||
187 | [68.2.97.91](https://vuldb.com/?ip.68.2.97.91) | ip68-2-97-91.ph.ph.cox.net | - | High
|
||||
188 | [68.183.170.114](https://vuldb.com/?ip.68.183.170.114) | 68.183.170.114-e1-8080-keep-up | - | High
|
||||
189 | [68.183.190.199](https://vuldb.com/?ip.68.183.190.199) | 68.183.190.199-e1-8080-keep-up | - | High
|
||||
190 | [69.17.170.58](https://vuldb.com/?ip.69.17.170.58) | unallocated-static.rogers.com | - | High
|
||||
191 | [69.43.168.200](https://vuldb.com/?ip.69.43.168.200) | ns0.imunplugged.com | - | High
|
||||
192 | [69.43.168.232](https://vuldb.com/?ip.69.43.168.232) | - | - | High
|
||||
193 | [69.45.19.251](https://vuldb.com/?ip.69.45.19.251) | coastinet.com | - | High
|
||||
194 | [69.163.33.82](https://vuldb.com/?ip.69.163.33.82) | - | - | High
|
||||
195 | [69.167.152.111](https://vuldb.com/?ip.69.167.152.111) | - | - | High
|
||||
196 | [69.198.17.20](https://vuldb.com/?ip.69.198.17.20) | 69-198-17-20.customerip.birch.net | - | High
|
||||
197 | [69.198.17.49](https://vuldb.com/?ip.69.198.17.49) | 69-198-17-49.customerip.birch.net | - | High
|
||||
198 | [70.32.84.74](https://vuldb.com/?ip.70.32.84.74) | - | - | High
|
||||
199 | [70.32.89.105](https://vuldb.com/?ip.70.32.89.105) | parties-at-sea.com | - | High
|
||||
200 | [70.32.92.133](https://vuldb.com/?ip.70.32.92.133) | popdesigngroup.com | - | High
|
||||
201 | [70.32.115.157](https://vuldb.com/?ip.70.32.115.157) | harpotripofalifetime.com | - | High
|
||||
202 | [70.36.102.35](https://vuldb.com/?ip.70.36.102.35) | - | - | High
|
||||
203 | [70.45.30.28](https://vuldb.com/?ip.70.45.30.28) | dynamic.libertypr.net | - | High
|
||||
204 | [70.168.7.6](https://vuldb.com/?ip.70.168.7.6) | wsip-70-168-7-6.ri.ri.cox.net | - | High
|
||||
205 | [70.182.77.184](https://vuldb.com/?ip.70.182.77.184) | wsip-70-182-77-184.ok.ok.cox.net | - | High
|
||||
206 | [70.183.113.54](https://vuldb.com/?ip.70.183.113.54) | wsip-70-183-113-54.no.no.cox.net | - | High
|
||||
207 | [70.184.125.132](https://vuldb.com/?ip.70.184.125.132) | wsip-70-184-125-132.ph.ph.cox.net | - | High
|
||||
208 | [71.8.1.188](https://vuldb.com/?ip.71.8.1.188) | 071-008-001-188.res.spectrum.com | - | High
|
||||
209 | [71.15.245.148](https://vuldb.com/?ip.71.15.245.148) | 071-015-245-148.res.spectrum.com | - | High
|
||||
210 | [71.40.213.82](https://vuldb.com/?ip.71.40.213.82) | rrcs-71-40-213-82.sw.biz.rr.com | - | High
|
||||
211 | [71.58.165.119](https://vuldb.com/?ip.71.58.165.119) | c-71-58-165-119.hsd1.pa.comcast.net | - | High
|
||||
212 | [71.71.3.84](https://vuldb.com/?ip.71.71.3.84) | - | - | High
|
||||
213 | [71.163.171.106](https://vuldb.com/?ip.71.163.171.106) | static-71-163-171-106.washdc.fios.verizon.net | - | High
|
||||
214 | [71.165.252.144](https://vuldb.com/?ip.71.165.252.144) | static-71-165-252-144.lsanca.fios.frontiernet.net | - | High
|
||||
215 | [71.177.184.128](https://vuldb.com/?ip.71.177.184.128) | static-71-177-184-128.lsanca.fios.frontiernet.net | - | High
|
||||
216 | [71.197.211.156](https://vuldb.com/?ip.71.197.211.156) | c-71-197-211-156.hsd1.wa.comcast.net | - | High
|
||||
217 | [71.214.17.130](https://vuldb.com/?ip.71.214.17.130) | 71-214-17-130.orlf.qwest.net | - | High
|
||||
218 | [71.244.60.231](https://vuldb.com/?ip.71.244.60.231) | static-71-244-60-231.dllstx.fios.frontiernet.net | - | High
|
||||
219 | [72.10.49.117](https://vuldb.com/?ip.72.10.49.117) | rtw7-rfpn.accessdomain.com | - | High
|
||||
220 | ... | ... | ... | ...
|
||||
26 | [5.196.133.206](https://vuldb.com/?ip.5.196.133.206) | pixelfed.hosnet.fr | - | High
|
||||
27 | [5.230.193.41](https://vuldb.com/?ip.5.230.193.41) | casagarcia-web.sys.netzfabrik.eu | - | High
|
||||
28 | [8.4.9.137](https://vuldb.com/?ip.8.4.9.137) | onlinehorizons.net | - | High
|
||||
29 | [8.247.6.134](https://vuldb.com/?ip.8.247.6.134) | - | - | High
|
||||
30 | [12.6.148.4](https://vuldb.com/?ip.12.6.148.4) | mail.carters.com | - | High
|
||||
31 | [12.6.183.21](https://vuldb.com/?ip.12.6.183.21) | - | - | High
|
||||
32 | [12.32.68.154](https://vuldb.com/?ip.12.32.68.154) | mail.sealscoinc.com | - | High
|
||||
33 | [12.149.72.170](https://vuldb.com/?ip.12.149.72.170) | - | - | High
|
||||
34 | [12.162.84.2](https://vuldb.com/?ip.12.162.84.2) | - | - | High
|
||||
35 | [12.163.208.58](https://vuldb.com/?ip.12.163.208.58) | - | - | High
|
||||
36 | [12.182.146.226](https://vuldb.com/?ip.12.182.146.226) | - | - | High
|
||||
37 | [12.184.217.101](https://vuldb.com/?ip.12.184.217.101) | - | - | High
|
||||
38 | [12.222.134.10](https://vuldb.com/?ip.12.222.134.10) | - | - | High
|
||||
39 | [12.238.114.130](https://vuldb.com/?ip.12.238.114.130) | - | - | High
|
||||
40 | [13.107.21.200](https://vuldb.com/?ip.13.107.21.200) | - | - | High
|
||||
41 | [14.49.39.215](https://vuldb.com/?ip.14.49.39.215) | - | - | High
|
||||
42 | [17.56.136.171](https://vuldb.com/?ip.17.56.136.171) | p74-smtp.mail.icloud.com | - | High
|
||||
43 | [18.209.113.128](https://vuldb.com/?ip.18.209.113.128) | ec2-18-209-113-128.compute-1.amazonaws.com | - | Medium
|
||||
44 | [18.211.9.206](https://vuldb.com/?ip.18.211.9.206) | ec2-18-211-9-206.compute-1.amazonaws.com | - | Medium
|
||||
45 | [23.5.231.225](https://vuldb.com/?ip.23.5.231.225) | a23-5-231-225.deploy.static.akamaitechnologies.com | - | High
|
||||
46 | [23.6.65.194](https://vuldb.com/?ip.23.6.65.194) | a23-6-65-194.deploy.static.akamaitechnologies.com | - | High
|
||||
47 | [23.6.69.99](https://vuldb.com/?ip.23.6.69.99) | a23-6-69-99.deploy.static.akamaitechnologies.com | - | High
|
||||
48 | [23.36.85.183](https://vuldb.com/?ip.23.36.85.183) | a23-36-85-183.deploy.static.akamaitechnologies.com | - | High
|
||||
49 | [23.41.248.194](https://vuldb.com/?ip.23.41.248.194) | a23-41-248-194.deploy.static.akamaitechnologies.com | - | High
|
||||
50 | [23.46.53.71](https://vuldb.com/?ip.23.46.53.71) | a23-46-53-71.deploy.static.akamaitechnologies.com | - | High
|
||||
51 | [23.52.7.20](https://vuldb.com/?ip.23.52.7.20) | a23-52-7-20.deploy.static.akamaitechnologies.com | - | High
|
||||
52 | [23.95.95.18](https://vuldb.com/?ip.23.95.95.18) | 23-95-95-18-host.colocrossing.com | - | High
|
||||
53 | [23.199.63.11](https://vuldb.com/?ip.23.199.63.11) | a23-199-63-11.deploy.static.akamaitechnologies.com | - | High
|
||||
54 | [23.199.71.185](https://vuldb.com/?ip.23.199.71.185) | a23-199-71-185.deploy.static.akamaitechnologies.com | - | High
|
||||
55 | [23.218.127.164](https://vuldb.com/?ip.23.218.127.164) | a23-218-127-164.deploy.static.akamaitechnologies.com | - | High
|
||||
56 | [23.218.141.31](https://vuldb.com/?ip.23.218.141.31) | a23-218-141-31.deploy.static.akamaitechnologies.com | - | High
|
||||
57 | [23.221.50.122](https://vuldb.com/?ip.23.221.50.122) | a23-221-50-122.deploy.static.akamaitechnologies.com | - | High
|
||||
58 | [23.229.190.0](https://vuldb.com/?ip.23.229.190.0) | ip-23-229-190-0.ip.secureserver.net | - | High
|
||||
59 | [23.239.2.11](https://vuldb.com/?ip.23.239.2.11) | li683-11.members.linode.com | - | High
|
||||
60 | [23.254.203.51](https://vuldb.com/?ip.23.254.203.51) | hwsrv-779084.hostwindsdns.com | - | High
|
||||
61 | [24.40.239.62](https://vuldb.com/?ip.24.40.239.62) | 24-40-239-62.fidnet.com | - | High
|
||||
62 | [24.43.99.75](https://vuldb.com/?ip.24.43.99.75) | rrcs-24-43-99-75.west.biz.rr.com | - | High
|
||||
63 | [24.101.229.82](https://vuldb.com/?ip.24.101.229.82) | dynamic-acs-24-101-229-82.zoominternet.net | - | High
|
||||
64 | [24.116.40.208](https://vuldb.com/?ip.24.116.40.208) | 24-116-40-208.cpe.sparklight.net | - | High
|
||||
65 | [24.119.116.230](https://vuldb.com/?ip.24.119.116.230) | 24-119-116-230.cpe.sparklight.net | - | High
|
||||
66 | [24.121.176.48](https://vuldb.com/?ip.24.121.176.48) | 24-121-176-48.prkrcmtc01.com.sta.suddenlink.net | - | High
|
||||
67 | [24.137.76.62](https://vuldb.com/?ip.24.137.76.62) | host-24-137-76-62.public.eastlink.ca | - | High
|
||||
68 | [24.178.90.49](https://vuldb.com/?ip.24.178.90.49) | 024-178-090-049.res.spectrum.com | - | High
|
||||
69 | [24.179.13.119](https://vuldb.com/?ip.24.179.13.119) | 024-179-013-119.res.spectrum.com | - | High
|
||||
70 | [24.190.11.79](https://vuldb.com/?ip.24.190.11.79) | ool-18be0b4f.dyn.optonline.net | - | High
|
||||
71 | [24.201.79.34](https://vuldb.com/?ip.24.201.79.34) | modemcable034.79-201-24.mc.videotron.ca | - | High
|
||||
72 | [24.203.4.40](https://vuldb.com/?ip.24.203.4.40) | modemcable040.4-203-24.mc.videotron.ca | - | High
|
||||
73 | [24.217.117.217](https://vuldb.com/?ip.24.217.117.217) | 024-217-117-217.res.spectrum.com | - | High
|
||||
74 | [24.232.228.233](https://vuldb.com/?ip.24.232.228.233) | OL233-228.fibertel.com.ar | - | High
|
||||
75 | [24.244.177.40](https://vuldb.com/?ip.24.244.177.40) | - | - | High
|
||||
76 | [27.50.89.209](https://vuldb.com/?ip.27.50.89.209) | 27-50-89-209.as45671.net | - | High
|
||||
77 | [27.78.27.110](https://vuldb.com/?ip.27.78.27.110) | localhost | - | High
|
||||
78 | [27.82.13.10](https://vuldb.com/?ip.27.82.13.10) | KD027082013010.ppp-bb.dion.ne.jp | - | High
|
||||
79 | [27.109.24.214](https://vuldb.com/?ip.27.109.24.214) | - | - | High
|
||||
80 | [27.114.9.93](https://vuldb.com/?ip.27.114.9.93) | i27-114-9-93.s41.a011.ap.plala.or.jp | - | High
|
||||
81 | [31.24.158.56](https://vuldb.com/?ip.31.24.158.56) | bm.servidoresdedicados.com | - | High
|
||||
82 | [31.167.248.50](https://vuldb.com/?ip.31.167.248.50) | - | - | High
|
||||
83 | [31.172.86.183](https://vuldb.com/?ip.31.172.86.183) | - | - | High
|
||||
84 | [35.190.87.116](https://vuldb.com/?ip.35.190.87.116) | 116.87.190.35.bc.googleusercontent.com | - | Medium
|
||||
85 | [36.91.44.183](https://vuldb.com/?ip.36.91.44.183) | - | - | High
|
||||
86 | [37.9.175.14](https://vuldb.com/?ip.37.9.175.14) | 14.175.9.37.in-addr.arpa.websupport.sk | - | High
|
||||
87 | [37.46.129.215](https://vuldb.com/?ip.37.46.129.215) | we-too.ru | - | High
|
||||
88 | [37.97.135.82](https://vuldb.com/?ip.37.97.135.82) | 37-97-135-82.colo.transip.net | - | High
|
||||
89 | [37.120.175.15](https://vuldb.com/?ip.37.120.175.15) | v220220112692175454.nicesrv.de | - | High
|
||||
90 | [37.139.21.175](https://vuldb.com/?ip.37.139.21.175) | 37.139.21.175-e2-8080-keep-up | - | High
|
||||
91 | [37.179.204.33](https://vuldb.com/?ip.37.179.204.33) | - | - | High
|
||||
92 | [37.187.4.178](https://vuldb.com/?ip.37.187.4.178) | ks2.kku.io | - | High
|
||||
93 | [37.187.57.57](https://vuldb.com/?ip.37.187.57.57) | ns3357940.ovh.net | - | High
|
||||
94 | [37.187.72.193](https://vuldb.com/?ip.37.187.72.193) | ns3362285.ip-37-187-72.eu | - | High
|
||||
95 | [37.187.161.206](https://vuldb.com/?ip.37.187.161.206) | toolbox.alabs.io | - | High
|
||||
96 | [37.205.9.252](https://vuldb.com/?ip.37.205.9.252) | s1.ithelp24.eu | - | High
|
||||
97 | [37.221.70.250](https://vuldb.com/?ip.37.221.70.250) | b2b-customer.inftele.net | - | High
|
||||
98 | [40.97.124.18](https://vuldb.com/?ip.40.97.124.18) | - | - | High
|
||||
99 | [41.76.108.46](https://vuldb.com/?ip.41.76.108.46) | - | - | High
|
||||
100 | [41.169.36.237](https://vuldb.com/?ip.41.169.36.237) | - | - | High
|
||||
101 | [41.185.28.84](https://vuldb.com/?ip.41.185.28.84) | brf01-nix01.wadns.net | - | High
|
||||
102 | [41.185.29.128](https://vuldb.com/?ip.41.185.29.128) | abp79-nix01.wadns.net | - | High
|
||||
103 | [41.204.202.41](https://vuldb.com/?ip.41.204.202.41) | www41.cpt2.host-h.net | - | High
|
||||
104 | [41.231.225.139](https://vuldb.com/?ip.41.231.225.139) | - | - | High
|
||||
105 | [42.62.40.103](https://vuldb.com/?ip.42.62.40.103) | - | - | High
|
||||
106 | [43.229.62.186](https://vuldb.com/?ip.43.229.62.186) | rocket-cheese.bnr.la | - | High
|
||||
107 | [45.16.226.117](https://vuldb.com/?ip.45.16.226.117) | 45-16-226-117.lightspeed.sndgca.sbcglobal.net | - | High
|
||||
108 | [45.33.35.103](https://vuldb.com/?ip.45.33.35.103) | li985-103.members.linode.com | - | High
|
||||
109 | [45.33.77.42](https://vuldb.com/?ip.45.33.77.42) | li1023-42.members.linode.com | - | High
|
||||
110 | [45.46.37.97](https://vuldb.com/?ip.45.46.37.97) | cpe-45-46-37-97.maine.res.rr.com | - | High
|
||||
111 | [45.55.36.51](https://vuldb.com/?ip.45.55.36.51) | - | - | High
|
||||
112 | [45.55.219.163](https://vuldb.com/?ip.45.55.219.163) | - | - | High
|
||||
113 | [45.59.204.133](https://vuldb.com/?ip.45.59.204.133) | rrcs-45-59-204-133.west.biz.rr.com | - | High
|
||||
114 | [45.79.95.107](https://vuldb.com/?ip.45.79.95.107) | li1194-107.members.linode.com | - | High
|
||||
115 | [45.80.148.200](https://vuldb.com/?ip.45.80.148.200) | - | - | High
|
||||
116 | [45.118.115.99](https://vuldb.com/?ip.45.118.115.99) | - | - | High
|
||||
117 | [45.118.135.203](https://vuldb.com/?ip.45.118.135.203) | 45-118-135-203.ip.linodeusercontent.com | - | High
|
||||
118 | [45.142.114.231](https://vuldb.com/?ip.45.142.114.231) | mail.dounutmail.de | - | High
|
||||
119 | [45.176.232.124](https://vuldb.com/?ip.45.176.232.124) | - | - | High
120 | [45.230.45.171](https://vuldb.com/?ip.45.230.45.171) | - | - | High
121 | [46.4.100.178](https://vuldb.com/?ip.46.4.100.178) | support.wizard-shopservice.de | - | High
122 | [46.4.192.185](https://vuldb.com/?ip.46.4.192.185) | static.185.192.4.46.clients.your-server.de | - | High
123 | [46.28.111.142](https://vuldb.com/?ip.46.28.111.142) | enkindu.jsuchy.net | - | High
124 | [46.30.213.132](https://vuldb.com/?ip.46.30.213.132) | - | - | High
125 | [46.32.229.152](https://vuldb.com/?ip.46.32.229.152) | 094882.vps-10.com | - | High
126 | [46.32.233.226](https://vuldb.com/?ip.46.32.233.226) | yetitoolusa.com | - | High
127 | [46.38.238.8](https://vuldb.com/?ip.46.38.238.8) | v2202109122001163131.happysrv.de | - | High
128 | [46.43.2.95](https://vuldb.com/?ip.46.43.2.95) | chris.default.cjenkinson.uk0.bigv.io | - | High
129 | [46.55.222.11](https://vuldb.com/?ip.46.55.222.11) | - | - | High
130 | [46.101.58.37](https://vuldb.com/?ip.46.101.58.37) | 46.101.58.37-e1-8080 | - | High
131 | [46.105.81.76](https://vuldb.com/?ip.46.105.81.76) | myu0.cylipo.sbs | - | High
132 | [46.105.114.137](https://vuldb.com/?ip.46.105.114.137) | ns3188253.ip-46-105-114.eu | - | High
133 | [46.105.131.68](https://vuldb.com/?ip.46.105.131.68) | http.adven.fr | - | High
134 | [46.105.131.69](https://vuldb.com/?ip.46.105.131.69) | epouventaille.adven.fr | - | High
135 | [46.105.131.79](https://vuldb.com/?ip.46.105.131.79) | relay.adven.fr | - | High
136 | [46.105.131.87](https://vuldb.com/?ip.46.105.131.87) | pop.adven.fr | - | High
137 | [46.105.236.18](https://vuldb.com/?ip.46.105.236.18) | - | - | High
138 | [46.165.212.76](https://vuldb.com/?ip.46.165.212.76) | - | - | High
139 | [46.165.254.206](https://vuldb.com/?ip.46.165.254.206) | - | - | High
140 | [46.214.107.142](https://vuldb.com/?ip.46.214.107.142) | 46-214-107-142.next-gen.ro | - | High
141 | [47.36.140.164](https://vuldb.com/?ip.47.36.140.164) | 047-036-140-164.res.spectrum.com | - | High
142 | [47.52.19.221](https://vuldb.com/?ip.47.52.19.221) | - | - | High
143 | [47.146.39.147](https://vuldb.com/?ip.47.146.39.147) | - | - | High
144 | [47.150.11.161](https://vuldb.com/?ip.47.150.11.161) | - | - | High
145 | [47.188.131.94](https://vuldb.com/?ip.47.188.131.94) | - | - | High
146 | [47.201.208.154](https://vuldb.com/?ip.47.201.208.154) | - | - | High
147 | [47.246.24.225](https://vuldb.com/?ip.47.246.24.225) | - | - | High
148 | [47.246.24.226](https://vuldb.com/?ip.47.246.24.226) | - | - | High
149 | [47.246.24.230](https://vuldb.com/?ip.47.246.24.230) | - | - | High
150 | [47.246.24.232](https://vuldb.com/?ip.47.246.24.232) | - | - | High
151 | [49.12.121.47](https://vuldb.com/?ip.49.12.121.47) | filezilla-project.org | - | High
152 | [49.50.209.131](https://vuldb.com/?ip.49.50.209.131) | 131.host-49-50-209.euba.megatel.co.nz | - | High
153 | [49.212.135.76](https://vuldb.com/?ip.49.212.135.76) | os3-321-50322.vs.sakura.ne.jp | - | High
154 | [49.212.155.94](https://vuldb.com/?ip.49.212.155.94) | os3-325-52340.vs.sakura.ne.jp | - | High
155 | [50.23.248.182](https://vuldb.com/?ip.50.23.248.182) | b6.f8.1732.ip4.static.sl-reverse.com | - | High
156 | [50.28.51.143](https://vuldb.com/?ip.50.28.51.143) | - | - | High
157 | [50.30.40.196](https://vuldb.com/?ip.50.30.40.196) | usve255301.serverprofi24.com | - | High
158 | [50.31.146.101](https://vuldb.com/?ip.50.31.146.101) | mail.brillinjurylaw.com | - | High
159 | [50.56.135.44](https://vuldb.com/?ip.50.56.135.44) | - | - | High
160 | [50.62.176.42](https://vuldb.com/?ip.50.62.176.42) | p3plcpnl0515.prod.phx3.secureserver.net | - | High
161 | [50.62.176.244](https://vuldb.com/?ip.50.62.176.244) | p3plcpnl0728.prod.phx3.secureserver.net | - | High
162 | [50.62.194.30](https://vuldb.com/?ip.50.62.194.30) | ip-50-62-194-30.ip.secureserver.net | - | High
163 | [50.78.167.65](https://vuldb.com/?ip.50.78.167.65) | millcreek.cc | - | High
164 | [50.87.59.65](https://vuldb.com/?ip.50.87.59.65) | 50-87-59-65.unifiedlayer.com | - | High
165 | [50.87.144.137](https://vuldb.com/?ip.50.87.144.137) | gator3103.hostgator.com | - | High
166 | [50.87.144.197](https://vuldb.com/?ip.50.87.144.197) | gator3161.hostgator.com | - | High
167 | [50.87.150.177](https://vuldb.com/?ip.50.87.150.177) | 50-87-150-177.unifiedlayer.com | - | High
168 | [50.91.114.38](https://vuldb.com/?ip.50.91.114.38) | 050-091-114-038.res.spectrum.com | - | High
169 | [50.92.101.60](https://vuldb.com/?ip.50.92.101.60) | d50-92-101-60.bchsia.telus.net | - | High
170 | [50.116.54.215](https://vuldb.com/?ip.50.116.54.215) | li440-215.members.linode.com | - | High
171 | [50.116.78.109](https://vuldb.com/?ip.50.116.78.109) | intersearchmedia.com | - | High
172 | [50.245.107.73](https://vuldb.com/?ip.50.245.107.73) | 50-245-107-73-static.hfc.comcastbusiness.net | - | High
173 | [51.15.4.22](https://vuldb.com/?ip.51.15.4.22) | 51-15-4-22.rev.poneytelecom.eu | - | High
174 | [51.15.7.145](https://vuldb.com/?ip.51.15.7.145) | 51-15-7-145.rev.poneytelecom.eu | - | High
175 | [51.38.201.19](https://vuldb.com/?ip.51.38.201.19) | ip19.ip-51-38-201.eu | - | High
176 | [51.75.33.120](https://vuldb.com/?ip.51.75.33.120) | ip120.ip-51-75-33.eu | - | High
177 | [51.75.33.127](https://vuldb.com/?ip.51.75.33.127) | ip127.ip-51-75-33.eu | - | High
178 | [51.89.36.180](https://vuldb.com/?ip.51.89.36.180) | ip180.ip-51-89-36.eu | - | High
179 | [51.89.199.141](https://vuldb.com/?ip.51.89.199.141) | ip141.ip-51-89-199.eu | - | High
180 | [51.91.7.5](https://vuldb.com/?ip.51.91.7.5) | ns3147667.ip-51-91-7.eu | - | High
181 | [51.91.76.89](https://vuldb.com/?ip.51.91.76.89) | 89.ip-51-91-76.eu | - | High
182 | [51.159.23.217](https://vuldb.com/?ip.51.159.23.217) | jambold.co.uk | - | High
183 | [51.159.35.157](https://vuldb.com/?ip.51.159.35.157) | 51-159-35-157.rev.poneytelecom.eu | - | High
184 | [51.254.140.238](https://vuldb.com/?ip.51.254.140.238) | 238.ip-51-254-140.eu | - | High
185 | [51.255.50.164](https://vuldb.com/?ip.51.255.50.164) | vps-b6cfe010.vps.ovh.net | - | High
186 | [51.255.165.160](https://vuldb.com/?ip.51.255.165.160) | 160.ip-51-255-165.eu | - | High
187 | [52.31.99.185](https://vuldb.com/?ip.52.31.99.185) | ec2-52-31-99-185.eu-west-1.compute.amazonaws.com | - | Medium
188 | [52.66.202.63](https://vuldb.com/?ip.52.66.202.63) | ec2-52-66-202-63.ap-south-1.compute.amazonaws.com | - | Medium
189 | [52.96.38.82](https://vuldb.com/?ip.52.96.38.82) | - | - | High
190 | [54.38.143.245](https://vuldb.com/?ip.54.38.143.245) | tools.inovato.me | - | High
191 | [58.27.215.3](https://vuldb.com/?ip.58.27.215.3) | 58-27-215-3.wateen.net | - | High
192 | [58.94.58.13](https://vuldb.com/?ip.58.94.58.13) | i58-94-58-13.s41.a014.ap.plala.or.jp | - | High
193 | [58.216.16.130](https://vuldb.com/?ip.58.216.16.130) | - | - | High
194 | [58.227.42.236](https://vuldb.com/?ip.58.227.42.236) | - | - | High
195 | [59.124.1.19](https://vuldb.com/?ip.59.124.1.19) | 59-124-1-19.hinet-ip.hinet.net | - | High
196 | [59.148.253.194](https://vuldb.com/?ip.59.148.253.194) | 059148253194.ctinets.com | - | High
197 | [59.152.93.46](https://vuldb.com/?ip.59.152.93.46) | 46.93.152.59.zipnetltd.com | - | High
198 | [60.93.23.51](https://vuldb.com/?ip.60.93.23.51) | softbank060093023051.bbtec.net | - | High
199 | [60.108.128.186](https://vuldb.com/?ip.60.108.128.186) | softbank060108128186.bbtec.net | - | High
200 | [60.125.114.64](https://vuldb.com/?ip.60.125.114.64) | softbank060125114064.bbtec.net | - | High
201 | [60.249.78.226](https://vuldb.com/?ip.60.249.78.226) | 60-249-78-226.hinet-ip.hinet.net | - | High
202 | [61.19.246.238](https://vuldb.com/?ip.61.19.246.238) | - | - | High
203 | [62.30.7.67](https://vuldb.com/?ip.62.30.7.67) | 67.7-30-62.static.virginmediabusiness.co.uk | - | High
204 | [62.75.141.82](https://vuldb.com/?ip.62.75.141.82) | static-ip-62-75-141-82.inaddr.ip-pool.com | - | High
205 | [62.84.75.50](https://vuldb.com/?ip.62.84.75.50) | mail.saadegrp.com.lb | - | High
206 | [62.171.142.179](https://vuldb.com/?ip.62.171.142.179) | vmi499457.contaboserver.net | - | High
207 | [62.210.127.136](https://vuldb.com/?ip.62.210.127.136) | 62-210-127-136.rev.poneytelecom.eu | - | High
208 | [62.212.34.102](https://vuldb.com/?ip.62.212.34.102) | - | - | High
209 | [64.4.244.68](https://vuldb.com/?ip.64.4.244.68) | - | - | High
210 | [64.26.60.221](https://vuldb.com/?ip.64.26.60.221) | pop5.csee.onr.siteprotect.com | - | High
211 | [64.59.136.142](https://vuldb.com/?ip.64.59.136.142) | mail.shaw.ca | - | High
212 | [64.60.82.82](https://vuldb.com/?ip.64.60.82.82) | 64-60-82-82.static-ip.telepacific.net | - | High
213 | [64.71.36.11](https://vuldb.com/?ip.64.71.36.11) | - | - | High
214 | [64.85.73.16](https://vuldb.com/?ip.64.85.73.16) | - | - | High
215 | [64.90.62.162](https://vuldb.com/?ip.64.90.62.162) | pop.dreamhost.com | - | High
216 | [64.91.228.45](https://vuldb.com/?ip.64.91.228.45) | - | - | High
217 | [64.98.36.5](https://vuldb.com/?ip.64.98.36.5) | mail.b.hostedemail.com | - | High
218 | [64.190.63.136](https://vuldb.com/?ip.64.190.63.136) | - | - | High
219 | [64.207.182.168](https://vuldb.com/?ip.64.207.182.168) | - | - | High
220 | [64.250.117.68](https://vuldb.com/?ip.64.250.117.68) | smtp.movistarcloud.com.ve | - | High
221 | [65.49.60.163](https://vuldb.com/?ip.65.49.60.163) | 65-49-60-163.ip.linodeusercontent.com | - | High
222 | [65.55.72.183](https://vuldb.com/?ip.65.55.72.183) | origin.sn134w.snt134.mail.live.com | - | High
223 | [65.182.102.90](https://vuldb.com/?ip.65.182.102.90) | mail.geantes.com | - | High
224 | [65.254.228.100](https://vuldb.com/?ip.65.254.228.100) | customer.hostcentric.com | - | High
225 | [66.23.200.58](https://vuldb.com/?ip.66.23.200.58) | - | - | High
226 | [66.50.57.73](https://vuldb.com/?ip.66.50.57.73) | 66-50-57-73.prtc.net | - | High
227 | [66.54.51.172](https://vuldb.com/?ip.66.54.51.172) | - | - | High
228 | [66.71.241.102](https://vuldb.com/?ip.66.71.241.102) | mail.nixhost.net | - | High
229 | [66.76.26.33](https://vuldb.com/?ip.66.76.26.33) | 66-76-26-33.hdsncmta01.com.sta.suddenlink.net | - | High
230 | [66.96.134.1](https://vuldb.com/?ip.66.96.134.1) | 1.134.96.66.static.eigbox.net | - | High
231 | [66.96.147.103](https://vuldb.com/?ip.66.96.147.103) | 103.147.96.66.static.eigbox.net | - | High
232 | [66.96.147.110](https://vuldb.com/?ip.66.96.147.110) | 110.147.96.66.static.eigbox.net | - | High
233 | [66.195.202.115](https://vuldb.com/?ip.66.195.202.115) | mail.navarac.com | - | High
234 | [66.209.69.165](https://vuldb.com/?ip.66.209.69.165) | - | - | High
235 | [66.216.234.131](https://vuldb.com/?ip.66.216.234.131) | 066-216-234-131.res.spectrum.com | - | High
236 | [66.220.110.56](https://vuldb.com/?ip.66.220.110.56) | h66-220-110-56.bendor.broadband.dynamic.tds.net | - | High
237 | [66.228.32.31](https://vuldb.com/?ip.66.228.32.31) | li282-31.members.linode.com | - | High
238 | [66.228.45.129](https://vuldb.com/?ip.66.228.45.129) | li326-129.members.linode.com | - | High
239 | [66.228.61.248](https://vuldb.com/?ip.66.228.61.248) | li318-248.members.linode.com | - | High
240 | [67.19.105.107](https://vuldb.com/?ip.67.19.105.107) | ns2.datatrust.com.br | - | High
241 | [67.68.235.25](https://vuldb.com/?ip.67.68.235.25) | bas10-montrealak-67-68-235-25.dsl.bell.ca | - | High
242 | [67.170.250.203](https://vuldb.com/?ip.67.170.250.203) | c-67-170-250-203.hsd1.ca.comcast.net | - | High
243 | [67.177.71.77](https://vuldb.com/?ip.67.177.71.77) | c-67-177-71-77.hsd1.al.comcast.net | - | High
244 | [67.195.197.75](https://vuldb.com/?ip.67.195.197.75) | p9ats-i.geo.vip.bf1.yahoo.com | - | High
245 | [67.195.228.95](https://vuldb.com/?ip.67.195.228.95) | unknown.yahoo.com | - | High
246 | [67.216.131.134](https://vuldb.com/?ip.67.216.131.134) | 134.131.216.67.134.static.hargray.net | - | High
247 | [67.222.2.148](https://vuldb.com/?ip.67.222.2.148) | - | - | High
248 | [67.225.218.50](https://vuldb.com/?ip.67.225.218.50) | lb01.parklogic.com | - | High
249 | [67.225.221.173](https://vuldb.com/?ip.67.225.221.173) | host.hddpool2.net | - | High
250 | [67.241.81.253](https://vuldb.com/?ip.67.241.81.253) | cpe-67-241-81-253.twcny.res.rr.com | - | High
251 | [68.2.97.91](https://vuldb.com/?ip.68.2.97.91) | ip68-2-97-91.ph.ph.cox.net | - | High
252 | [68.66.194.12](https://vuldb.com/?ip.68.66.194.12) | 68.66.194.12.static.a2webhosting.com | - | High
253 | [68.178.213.203](https://vuldb.com/?ip.68.178.213.203) | p3plibsmtp03-v01.prod.phx3.secureserver.net | - | High
254 | [68.183.170.114](https://vuldb.com/?ip.68.183.170.114) | 68.183.170.114-e1-8080-keep-up | - | High
255 | [68.183.190.199](https://vuldb.com/?ip.68.183.190.199) | 68.183.190.199-e1-8080-keep-up | - | High
256 | [69.16.228.14](https://vuldb.com/?ip.69.16.228.14) | kurt.duplika.com | - | High
257 | [69.17.170.58](https://vuldb.com/?ip.69.17.170.58) | unallocated-static.rogers.com | - | High
258 | [69.43.168.200](https://vuldb.com/?ip.69.43.168.200) | ns0.imunplugged.com | - | High
259 | [69.43.168.232](https://vuldb.com/?ip.69.43.168.232) | - | - | High
260 | [69.45.19.251](https://vuldb.com/?ip.69.45.19.251) | coastinet.com | - | High
261 | [69.61.0.198](https://vuldb.com/?ip.69.61.0.198) | alpha01.serverparlor.net | - | High
262 | [69.147.92.11](https://vuldb.com/?ip.69.147.92.11) | e1.ycpi.vip.dca.yahoo.com | - | High
263 | [69.147.92.12](https://vuldb.com/?ip.69.147.92.12) | e2.ycpi.vip.dca.yahoo.com | - | High
264 | [69.156.240.33](https://vuldb.com/?ip.69.156.240.33) | smtp.transportalliance.ca | - | High
265 | [69.163.33.82](https://vuldb.com/?ip.69.163.33.82) | - | - | High
266 | [69.167.152.111](https://vuldb.com/?ip.69.167.152.111) | - | - | High
267 | [69.168.106.36](https://vuldb.com/?ip.69.168.106.36) | mail.windstream.syn-alias.com | - | High
268 | [69.175.31.212](https://vuldb.com/?ip.69.175.31.212) | 212.31.175.69.unassigned.ord.singlehop.net | - | High
269 | [69.198.17.20](https://vuldb.com/?ip.69.198.17.20) | 69-198-17-20.customerip.birch.net | - | High
270 | [69.198.17.49](https://vuldb.com/?ip.69.198.17.49) | 69-198-17-49.customerip.birch.net | - | High
271 | [70.32.84.74](https://vuldb.com/?ip.70.32.84.74) | - | - | High
272 | [70.32.89.105](https://vuldb.com/?ip.70.32.89.105) | parties-at-sea.com | - | High
273 | [70.32.92.133](https://vuldb.com/?ip.70.32.92.133) | popdesigngroup.com | - | High
274 | [70.32.115.157](https://vuldb.com/?ip.70.32.115.157) | harpotripofalifetime.com | - | High
275 | [70.36.102.35](https://vuldb.com/?ip.70.36.102.35) | - | - | High
276 | [70.45.30.28](https://vuldb.com/?ip.70.45.30.28) | dynamic.libertypr.net | - | High
277 | [70.168.7.6](https://vuldb.com/?ip.70.168.7.6) | wsip-70-168-7-6.ri.ri.cox.net | - | High
278 | [70.182.77.184](https://vuldb.com/?ip.70.182.77.184) | wsip-70-182-77-184.ok.ok.cox.net | - | High
279 | [70.183.113.54](https://vuldb.com/?ip.70.183.113.54) | wsip-70-183-113-54.no.no.cox.net | - | High
280 | [70.184.86.103](https://vuldb.com/?ip.70.184.86.103) | wsip-70-184-86-103.ph.ph.cox.net | - | High
281 | [70.184.125.132](https://vuldb.com/?ip.70.184.125.132) | wsip-70-184-125-132.ph.ph.cox.net | - | High
282 | [71.8.1.188](https://vuldb.com/?ip.71.8.1.188) | 071-008-001-188.res.spectrum.com | - | High
283 | ... | ... | ... | ...
There are 877 more IOC items available. Please use our online service to access the data.
There are 1126 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -250,12 +310,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
2 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
3 | T1068 | CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
There are 6 more TTP items available. Please use our online service to access the data.
There are 3 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
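Review bot: in the added row `3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High` the Weakness and Description columns disagree: "Improper Restriction of Excessive Authentication Attempts" is the title of CWE-307, whereas CWE-798 is "Use of Hard-coded Credentials". The later hunk `@ -332,11 +332,11 @@` records the same T1110.001 row with CWE-307, so this row should most likely read `3 | T1110.001 | CWE-307 | Improper Restriction of Excessive Authentication Attempts | High`; if CWE-798 is intended, the description needs to change to match it.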
@ -263,25 +323,22 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/admin/index.php?slides` | High
2 | File | `/AvalancheWeb/image` | High
3 | File | `/cgi-bin/adm.cgi` | High
4 | File | `/classes/Comment` | High
5 | File | `/cms/content/list` | High
6 | File | `/customer_register.php` | High
7 | File | `/etc/master.passwd` | High
8 | File | `/example/editor` | High
9 | File | `/goform/login_process` | High
10 | File | `/goform/rlmswitchr_process` | High
11 | File | `/goforms/rlminfo` | High
12 | File | `/include/chart_generator.php` | High
13 | File | `/index.php?page=home` | High
14 | File | `/index.php?page=reserve` | High
15 | File | `/public_html/animals` | High
16 | File | `/public_html/apply_vacancy` | High
17 | ... | ... | ...
1 | File | `/admin.php?id=posts&action=display&value=1&postid=` | High
2 | File | `/admin.php?id=siteoptions&social=display&value=0&sid=2` | High
3 | File | `/admin.php?id=siteoptions&social=edit&sid=2` | High
4 | File | `/admin/inbox.php&action=delete` | High
5 | File | `/admin/inbox.php&action=read` | High
6 | File | `/admin/pagerole.php&action=display&value=1` | High
7 | File | `/admin/pagerole.php&action=edit` | High
8 | File | `/admin/posts.php` | High
9 | File | `/admin/posts.php&action=delete` | High
10 | File | `/admin/posts.php&action=edit` | High
11 | File | `/admin/siteoptions.php&action=displaygoal&value=1&roleid=1` | High
12 | File | `/admin/siteoptions.php&social=remove&sid=2` | High
13 | File | `/admin/uesrs.php&&action=delete&userid=4` | High
14 | ... | ... | ...
There are 142 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 115 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
@ -291,6 +348,26 @@ The following list contains _external sources_ which discuss the actor and the a
* https://blog.talosintelligence.com/2018/07/threat-roundup-0720-0727.html
* https://blog.talosintelligence.com/2018/09/threat-roundup-0907-0914.html
* https://blog.talosintelligence.com/2018/10/threat-roundup-1005-1012.html
* https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html
* https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html
* https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html
* https://blog.talosintelligence.com/2018/12/threat-roundup-1130-1207.html
* https://blog.talosintelligence.com/2018/12/threat-roundup-1214-1221.html
* https://blog.talosintelligence.com/2019/01/threat-roundup-0111-0118.html
* https://blog.talosintelligence.com/2019/01/threat-roundup-0118-0125.html
* https://blog.talosintelligence.com/2019/02/threat-roundup-0201-0208.html
* https://blog.talosintelligence.com/2019/02/threat-roundup-for-feb-15-to-feb-22.html
* https://blog.talosintelligence.com/2019/03/threat-roundup-0308-0315.html
* https://blog.talosintelligence.com/2019/03/threat-roundup-0315-0322.html
* https://blog.talosintelligence.com/2019/03/threat-roundup-for-feb-22-to-march-1.html
* https://blog.talosintelligence.com/2019/03/threat-roundup-for-mar-01-to-mar-08.html
* https://blog.talosintelligence.com/2019/04/threat-roundup-0329-0405.html
* https://blog.talosintelligence.com/2019/04/threat-roundup-0405-0412.html
* https://blog.talosintelligence.com/2019/04/threat-roundup-0412-0419.html
* https://blog.talosintelligence.com/2019/04/threat-roundup-0419-to-0426.html
* https://blog.talosintelligence.com/2019/05/threat-roundup-0503-0510.html
* https://blog.talosintelligence.com/2019/05/threat-roundup-0517-0524.html
* https://blog.talosintelligence.com/2019/05/threat-roundup-0524-0531.html
* https://blog.talosintelligence.com/2019/09/emotet-is-back-after-summer-break.html
* https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
* https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
@ -82,7 +82,7 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
2 | T1068 | CWE-250, CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
@ -96,59 +96,59 @@ ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/+CSCOE+/logon.html` | High
2 | File | `/bsms/?page=products` | High
3 | File | `/cloud_config/router_post/check_reg_verify_code` | High
4 | File | `/context/%2e/WEB-INF/web.xml` | High
5 | File | `/debug/pprof` | Medium
6 | File | `/ext/phar/phar_object.c` | High
7 | File | `/filemanager/php/connector.php` | High
8 | File | `/get_getnetworkconf.cgi` | High
9 | File | `/HNAP1` | Low
10 | File | `/include/chart_generator.php` | High
11 | File | `/modx/manager/index.php` | High
12 | File | `/monitoring` | Medium
13 | File | `/new` | Low
14 | File | `/proc/<pid>/status` | High
15 | File | `/public/login.htm` | High
16 | File | `/public/plugins/` | High
17 | File | `/replication` | Medium
18 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
19 | File | `/secure/QueryComponent!Default.jspa` | High
20 | File | `/siteminderagent/pwcgi/smpwservicescgi.exe` | High
21 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
22 | File | `/tmp` | Low
23 | File | `/type.php` | Medium
24 | File | `/uncpath/` | Medium
25 | File | `/usr/bin/pkexec` | High
26 | File | `/wp-json/wc/v3/webhooks` | High
27 | File | `4.2.0.CP09` | Medium
28 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
29 | File | `802dot1xclientcert.cgi` | High
30 | File | `AccountManagerService.java` | High
31 | File | `actions/CompanyDetailsSave.php` | High
32 | File | `ActivityManagerService.java` | High
33 | File | `add.exe` | Low
34 | File | `admin.color.php` | High
35 | File | `admin.cropcanvas.php` | High
36 | File | `admin.joomlaradiov5.php` | High
37 | File | `admin.php` | Medium
38 | File | `admin.php?m=Food&a=addsave` | High
39 | File | `admin/add-glossary.php` | High
40 | File | `admin/conf_users_edit.php` | High
41 | File | `admin/edit-comments.php` | High
42 | File | `admin/index.php` | High
43 | File | `admin/src/containers/InputModalStepperProvider/index.js` | High
44 | File | `admin/write-post.php` | High
45 | File | `administrator/components/com_media/helpers/media.php` | High
46 | File | `admin_events.php` | High
47 | File | `aidl_const_expressions.cpp` | High
48 | File | `ajax/include.php` | High
49 | File | `AjaxApplication.java` | High
50 | File | `akocomments.php` | High
51 | File | `allopass-error.php` | High
52 | File | `AllowBindAppWidgetActivity.java` | High
3 | File | `/cgi-bin/system_mgr.cgi` | High
4 | File | `/cloud_config/router_post/check_reg_verify_code` | High
5 | File | `/context/%2e/WEB-INF/web.xml` | High
6 | File | `/debug/pprof` | Medium
7 | File | `/ext/phar/phar_object.c` | High
8 | File | `/filemanager/php/connector.php` | High
9 | File | `/get_getnetworkconf.cgi` | High
10 | File | `/HNAP1` | Low
11 | File | `/include/chart_generator.php` | High
12 | File | `/modx/manager/index.php` | High
13 | File | `/monitoring` | Medium
14 | File | `/new` | Low
15 | File | `/proc/<pid>/status` | High
16 | File | `/public/login.htm` | High
17 | File | `/public/plugins/` | High
18 | File | `/replication` | Medium
19 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
20 | File | `/secure/QueryComponent!Default.jspa` | High
21 | File | `/siteminderagent/pwcgi/smpwservicescgi.exe` | High
22 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
23 | File | `/tmp` | Low
24 | File | `/type.php` | Medium
25 | File | `/uncpath/` | Medium
26 | File | `/usr/bin/pkexec` | High
27 | File | `/wp-json/wc/v3/webhooks` | High
28 | File | `4.2.0.CP09` | Medium
29 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
30 | File | `802dot1xclientcert.cgi` | High
31 | File | `AccountManagerService.java` | High
32 | File | `actions/CompanyDetailsSave.php` | High
33 | File | `ActivityManagerService.java` | High
34 | File | `add.exe` | Low
35 | File | `admin.color.php` | High
36 | File | `admin.cropcanvas.php` | High
37 | File | `admin.joomlaradiov5.php` | High
38 | File | `admin.php` | Medium
39 | File | `admin.php?m=Food&a=addsave` | High
40 | File | `admin/add-glossary.php` | High
41 | File | `admin/conf_users_edit.php` | High
42 | File | `admin/edit-comments.php` | High
43 | File | `admin/index.php` | High
44 | File | `admin/src/containers/InputModalStepperProvider/index.js` | High
45 | File | `admin/write-post.php` | High
46 | File | `administrator/components/com_media/helpers/media.php` | High
47 | File | `admin_events.php` | High
48 | File | `aidl_const_expressions.cpp` | High
49 | File | `ajax/include.php` | High
50 | File | `AjaxApplication.java` | High
51 | File | `akocomments.php` | High
52 | File | `allopass-error.php` | High
53 | ... | ... | ...
There are 460 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 464 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
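Review bot: inserting `3 | File | /cgi-bin/system_mgr.cgi | High` as the new row 3 shifts the ID of every row that follows, so this hunk rewrites rows 3 through 52 for what is a single added indicator, and the trailer moving from 460 to 464 items means three further additions sit in the truncated tail without appearing here at all. Since the ID column only restates row order, dropping it or keying the rows on the indicator text would keep future diffs to the rows that actually changed.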
@ -10,7 +10,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [US](https://vuldb.com/?country.us)
* [PT](https://vuldb.com/?country.pt)
* [RU](https://vuldb.com/?country.ru)
* [TR](https://vuldb.com/?country.tr)
* ...
There are 4 more country items available. Please use our online service to access the data.
@ -8,12 +8,12 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FritzFrog:
* [VN](https://vuldb.com/?country.vn)
* [CN](https://vuldb.com/?country.cn)
* [VN](https://vuldb.com/?country.vn)
* [ES](https://vuldb.com/?country.es)
* ...
There are 12 more country items available. Please use our online service to access the data.
There are 11 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
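Review bot: `* [VN](https://vuldb.com/?country.vn)` appears twice in this hunk, once before `* [CN](https://vuldb.com/?country.cn)` and once after it. Together with the trailer changing from 12 to 11 items this reads as VN being moved rather than duplicated, but the rendered view does not show which copy is the removal; please confirm the committed list carries VN only once, since a duplicated entry would count the country twice.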
@ -332,11 +332,11 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-250, CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
2 | T1068 | CWE-250, CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-307 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
There are 8 more TTP items available. Please use our online service to access the data.
There are 7 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -344,41 +344,45 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/#/CampaignManager/users` | High
2 | File | `/admin/admin_login.php` | High
3 | File | `/admin/index.php?slides` | High
1 | File | `.procmailrc` | Medium
2 | File | `/#/CampaignManager/users` | High
3 | File | `/admin/admin_login.php` | High
4 | File | `/admin/login.php` | High
5 | File | `/apply.cgi` | Medium
5 | File | `/AvalancheWeb/image` | High
6 | File | `/bin/sh` | Low
7 | File | `/bsms/?page=products` | High
8 | File | `/cgi-bin/portal` | High
9 | File | `/cgi-bin/system_mgr.cgi` | High
7 | File | `/cgi-bin/portal` | High
8 | File | `/cgi-bin/system_mgr.cgi` | High
9 | File | `/dev/tty` | Medium
10 | File | `/doorgets/app/requests/user/modulecategoryRequest.php` | High
11 | File | `/etc/groups` | Medium
12 | File | `/form/index.php?module=getjson` | High
13 | File | `/ghost/preview` | High
14 | File | `/include/chart_generator.php` | High
15 | File | `/login` | Low
16 | File | `/login.html` | Medium
17 | File | `/magnoliaPublic/travel/members/login.html` | High
18 | File | `/member/index/login.html` | High
|
||||
19 | File | `/nova/bin/detnet` | High
|
||||
20 | File | `/op/op.LockDocument.php` | High
|
||||
21 | File | `/public/plugins/` | High
|
||||
22 | File | `/rest/api/2/search` | High
|
||||
23 | File | `/rest/api/latest/projectvalidate/key` | High
|
||||
24 | File | `/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf` | High
|
||||
25 | File | `/SAP_Information_System/controllers/add_admin.php` | High
|
||||
26 | File | `/sm/api/v1/firewall/zone/services` | High
|
||||
27 | File | `/src/njs_vmcode.c` | High
|
||||
28 | File | `/system/tool/ping.php` | High
|
||||
29 | File | `/system/user/resetPwd` | High
|
||||
30 | File | `/tmp/app/.env` | High
|
||||
31 | File | `/uncpath/` | Medium
|
||||
32 | File | `/wp-admin/admin-ajax.php` | High
|
||||
33 | ... | ... | ...
|
||||
12 | File | `/ghost/preview` | High
|
||||
13 | File | `/login` | Low
|
||||
14 | File | `/login.html` | Medium
|
||||
15 | File | `/magnoliaPublic/travel/members/login.html` | High
|
||||
16 | File | `/member/index/login.html` | High
|
||||
17 | File | `/nova/bin/detnet` | High
|
||||
18 | File | `/proc/self/setgroups` | High
|
||||
19 | File | `/public/plugins/` | High
|
||||
20 | File | `/rest/api/latest/user/avatar/temporary` | High
|
||||
21 | File | `/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf` | High
|
||||
22 | File | `/sm/api/v1/firewall/zone/services` | High
|
||||
23 | File | `/src/njs_vmcode.c` | High
|
||||
24 | File | `/system/user/resetPwd` | High
|
||||
25 | File | `/tmp/app/.env` | High
|
||||
26 | File | `/uncpath/` | Medium
|
||||
27 | File | `/user-utils/users/md5.json` | High
|
||||
28 | File | `/var/adm/btmp` | High
|
||||
29 | File | `/websocket/exec` | High
|
||||
30 | File | `/wp-content/plugins/woocommerce/templates/emails/plain/` | High
|
||||
31 | File | `/x_program_center/jaxrs/invoke` | High
|
||||
32 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
33 | File | `add_vhost.php` | High
|
||||
34 | File | `admin.inc.php` | High
|
||||
35 | File | `admin/conf_users_edit.php` | High
|
||||
36 | File | `admin/index.php` | High
|
||||
37 | ... | ... | ...
|
||||
|
||||
There are 281 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 317 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
* [VN](https://vuldb.com/?country.vn)
|
||||
* ...
|
||||
|
||||
There are 14 more country items available. Please use our online service to access the data.
|
||||
There are 11 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -91,39 +91,49 @@ ID | Type | Indicator | Confidence
|
|||
4 | File | `//` | Low
|
||||
5 | File | `/admin.php?action=themeinstall` | High
|
||||
6 | File | `/admin/?setting-base.htm` | High
|
||||
7 | File | `/admin/login.php` | High
|
||||
8 | File | `/apply_noauth.cgi` | High
|
||||
9 | File | `/audit/log/log_management.php` | High
|
||||
10 | File | `/bin/login` | Medium
|
||||
11 | File | `/bin/sh` | Low
|
||||
12 | File | `/cgi-bin/login` | High
|
||||
13 | File | `/classes/profile.class.php` | High
|
||||
14 | File | `/CMD_ACCOUNT_ADMIN` | High
|
||||
15 | File | `/core/admin/categories.php` | High
|
||||
16 | File | `/dev/tty` | Medium
|
||||
7 | File | `/admin/admin_login.php` | High
|
||||
8 | File | `/admin/login.php` | High
|
||||
9 | File | `/apply_noauth.cgi` | High
|
||||
10 | File | `/audit/log/log_management.php` | High
|
||||
11 | File | `/bin/login` | Medium
|
||||
12 | File | `/bin/sh` | Low
|
||||
13 | File | `/cgi-bin/login` | High
|
||||
14 | File | `/classes/profile.class.php` | High
|
||||
15 | File | `/dev/tty` | Medium
|
||||
16 | File | `/doorgets/app/requests/user/modulecategoryRequest.php` | High
|
||||
17 | File | `/downloads/` | Medium
|
||||
18 | File | `/index.php` | Medium
|
||||
19 | File | `/member/index/login.html` | High
|
||||
20 | File | `/modules/certinfo/index.php` | High
|
||||
21 | File | `/MTFWU` | Low
|
||||
22 | File | `/ptms/classes/Users.php` | High
|
||||
23 | File | `/ScadaBR/login.htm` | High
|
||||
24 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
25 | File | `/system/tool/ping.php` | High
|
||||
26 | File | `/uncpath/` | Medium
|
||||
27 | File | `/updown/upload.cgi` | High
|
||||
28 | File | `/upload` | Low
|
||||
29 | File | `/usr/bin/pkexec` | High
|
||||
30 | File | `/wp-json` | Medium
|
||||
31 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
32 | File | `?location=search` | High
|
||||
33 | File | `account/login.php` | High
|
||||
34 | File | `add.php` | Low
|
||||
35 | File | `admin.php` | Medium
|
||||
36 | File | `admin.php?m=backup&c=backup&a=doback` | High
|
||||
37 | ... | ... | ...
|
||||
18 | File | `/etc/groups` | Medium
|
||||
19 | File | `/index.php` | Medium
|
||||
20 | File | `/login` | Low
|
||||
21 | File | `/login.html` | Medium
|
||||
22 | File | `/magnoliaPublic/travel/members/login.html` | High
|
||||
23 | File | `/member/index/login.html` | High
|
||||
24 | File | `/modules/certinfo/index.php` | High
|
||||
25 | File | `/MTFWU` | Low
|
||||
26 | File | `/ptms/classes/Users.php` | High
|
||||
27 | File | `/ScadaBR/login.htm` | High
|
||||
28 | File | `/system/tool/ping.php` | High
|
||||
29 | File | `/uncpath/` | Medium
|
||||
30 | File | `/usr/bin/pkexec` | High
|
||||
31 | File | `/var/adm/btmp` | High
|
||||
32 | File | `/wp-json` | Medium
|
||||
33 | File | `?location=search` | High
|
||||
34 | File | `account/login.php` | High
|
||||
35 | File | `add.php` | Low
|
||||
36 | File | `admin.inc.php` | High
|
||||
37 | File | `admin.php` | Medium
|
||||
38 | File | `admin.php?m=backup&c=backup&a=doback` | High
|
||||
39 | File | `admin/conf_users_edit.php` | High
|
||||
40 | File | `admin/index.php` | High
|
||||
41 | File | `admin/login.asp` | High
|
||||
42 | File | `admin/login.php` | High
|
||||
43 | File | `admin/nos/login` | High
|
||||
44 | File | `admin\db\DoSql.php` | High
|
||||
45 | File | `agenda.php3` | Medium
|
||||
46 | File | `ajaxp.php` | Medium
|
||||
47 | ... | ... | ...
|
||||
|
||||
There are 322 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 410 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -0,0 +1,63 @@
|
|||
# GoGoogle - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [GoGoogle](https://vuldb.com/?actor.gogoogle). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.gogoogle](https://vuldb.com/?actor.gogoogle)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with GoGoogle:
|
||||
|
||||
* [GB](https://vuldb.com/?country.gb)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [IN](https://vuldb.com/?country.in)
|
||||
* ...
|
||||
|
||||
There are 3 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of GoGoogle.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [93.174.95.73](https://vuldb.com/?ip.93.174.95.73) | - | - | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _GoGoogle_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by GoGoogle. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/api/addusers` | High
|
||||
2 | File | `/home/httpd/cgi-bin/cgi.cgi` | High
|
||||
3 | File | `/public/login.htm` | High
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 5 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://thedfirreport.com/2020/04/04/gogoogle-ransomware/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -0,0 +1,75 @@
|
|||
# Gootkit - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Gootkit](https://vuldb.com/?actor.gootkit). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.gootkit](https://vuldb.com/?actor.gootkit)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Gootkit:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [RU](https://vuldb.com/?country.ru)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* ...
|
||||
|
||||
There are 7 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Gootkit.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [31.214.157.14](https://vuldb.com/?ip.31.214.157.14) | dev.neto-svedberg.com | - | High
|
||||
2 | [31.214.157.162](https://vuldb.com/?ip.31.214.157.162) | crm.tuxexpert.com | - | High
|
||||
3 | [109.230.199.13](https://vuldb.com/?ip.109.230.199.13) | sw1-wg.celo.net | - | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 11 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Gootkit_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 3 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Gootkit. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `.htaccess` | Medium
|
||||
2 | File | `/addnews.html` | High
|
||||
3 | File | `/cgi-bin/supervisor/PwdGrp.cgi` | High
|
||||
4 | File | `/download` | Medium
|
||||
5 | File | `/secure/admin/ImporterFinishedPage.jspa` | High
|
||||
6 | File | `/uncpath/` | Medium
|
||||
7 | ... | ... | ...
|
||||
|
||||
There are 52 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://blog.talosintelligence.com/2019/10/threat-roundup-1011-1018.html
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
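Review bot: row 3 of the TTP table pairs T1110.001 with CWE-798 while its Description reads "Improper Restriction of Excessive Authentication Attempts". CWE-798 is Use of Hard-coded Credentials; the description text is the name of CWE-307, which is the weakness the APP84VN table in this same commit uses for the identical technique and description. Confirm that CWE-798 is the intended weakness for this row and not a mapping slip in the generator.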
@ -86,7 +86,7 @@ ID | Type | Indicator | Confidence
|
|||
35 | File | `admin/edit-comments.php` | High
|
||||
36 | ... | ... | ...
|
||||
|
||||
There are 312 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 310 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -175,36 +175,37 @@ ID | Type | Indicator | Confidence
|
|||
5 | File | `/admin.php/admin/ulog/index.html` | High
|
||||
6 | File | `/admin/configure.php` | High
|
||||
7 | File | `/admin/doctors/view_doctor.php` | High
|
||||
8 | File | `/api/crontab` | Medium
|
||||
9 | File | `/api/trackedEntityInstances` | High
|
||||
10 | File | `/AvalancheWeb/image` | High
|
||||
11 | File | `/category.php` | High
|
||||
12 | File | `/cgi-bin/uploadAccessCodePic` | High
|
||||
13 | File | `/cms/ajax.php` | High
|
||||
14 | File | `/context/%2e/WEB-INF/web.xml` | High
|
||||
15 | File | `/dev/dri/card1` | High
|
||||
16 | File | `/export` | Low
|
||||
17 | File | `/file?action=download&file` | High
|
||||
18 | File | `/goform/setIPv6Status` | High
|
||||
19 | File | `/images` | Low
|
||||
20 | File | `/include/chart_generator.php` | High
|
||||
21 | File | `/include/make.php` | High
|
||||
22 | File | `/InternalPages/ExecuteTask.aspx` | High
|
||||
23 | File | `/music/ajax.php` | High
|
||||
24 | File | `/nova/bin/sniffer` | High
|
||||
25 | File | `/pandora_console/ajax.php` | High
|
||||
26 | File | `/principals` | Medium
|
||||
27 | File | `/public/plugins/` | High
|
||||
28 | File | `/SASWebReportStudio/logonAndRender.do` | High
|
||||
29 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
30 | File | `/system/bin/osi_bin` | High
|
||||
31 | File | `/tmp` | Low
|
||||
32 | File | `/TMS/admin/setting/mail/createorupdate` | High
|
||||
33 | File | `/uncpath/` | Medium
|
||||
34 | File | `/web/MCmsAction.java` | High
|
||||
35 | ... | ... | ...
|
||||
8 | File | `/admin/siteoptions.php&action=displaygoal&value=1&roleid=1` | High
|
||||
9 | File | `/api/crontab` | Medium
|
||||
10 | File | `/api/students/me/messages/` | High
|
||||
11 | File | `/api/trackedEntityInstances` | High
|
||||
12 | File | `/AvalancheWeb/image` | High
|
||||
13 | File | `/category.php` | High
|
||||
14 | File | `/cdsms/classes/Master.php?f=delete_enrollment` | High
|
||||
15 | File | `/cdsms/classes/Master.php?f=delete_package` | High
|
||||
16 | File | `/cgi-bin/uploadAccessCodePic` | High
|
||||
17 | File | `/common/info.cgi` | High
|
||||
18 | File | `/context/%2e/WEB-INF/web.xml` | High
|
||||
19 | File | `/dev/dri/card1` | High
|
||||
20 | File | `/export` | Low
|
||||
21 | File | `/file?action=download&file` | High
|
||||
22 | File | `/goform/setIPv6Status` | High
|
||||
23 | File | `/goform/WifiExtraSet` | High
|
||||
24 | File | `/images` | Low
|
||||
25 | File | `/include/chart_generator.php` | High
|
||||
26 | File | `/include/make.php` | High
|
||||
27 | File | `/InternalPages/ExecuteTask.aspx` | High
|
||||
28 | File | `/nova/bin/sniffer` | High
|
||||
29 | File | `/principals` | Medium
|
||||
30 | File | `/public/plugins/` | High
|
||||
31 | File | `/reps/admin/?page=agents/manage_agent` | High
|
||||
32 | File | `/reps/classes/Master.php?f=delete_estate` | High
|
||||
33 | File | `/SASWebReportStudio/logonAndRender.do` | High
|
||||
34 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
35 | File | `/system/bin/osi_bin` | High
|
||||
36 | ... | ... | ...
|
||||
|
||||
There are 301 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 306 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
* [CN](https://vuldb.com/?country.cn)
|
||||
* ...
|
||||
|
||||
There are 14 more country items available. Please use our online service to access the data.
|
||||
There are 13 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -75,35 +75,34 @@ ID | Type | Indicator | Confidence
|
|||
10 | File | `/inc/parser/xhtml.php` | High
|
||||
11 | File | `/login` | Low
|
||||
12 | File | `/modules/profile/index.php` | High
|
||||
13 | File | `/objects/getImageMP4.php` | High
|
||||
14 | File | `/one_church/userregister.php` | High
|
||||
15 | File | `/out.php` | Medium
|
||||
16 | File | `/public/plugins/` | High
|
||||
17 | File | `/replication` | Medium
|
||||
18 | File | `/req_password_user.php` | High
|
||||
19 | File | `/SAP_Information_System/controllers/add_admin.php` | High
|
||||
20 | File | `/SASWebReportStudio/logonAndRender.do` | High
|
||||
21 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
22 | File | `/secure/admin/ViewInstrumentation.jspa` | High
|
||||
23 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
24 | File | `/SSOPOST/metaAlias/%realm%/idpv2` | High
|
||||
25 | File | `/tmp` | Low
|
||||
26 | File | `/tmp/phpglibccheck` | High
|
||||
27 | File | `/uncpath/` | Medium
|
||||
28 | File | `/usr/syno/etc/mount.conf` | High
|
||||
29 | File | `/WEB-INF/web.xml` | High
|
||||
30 | File | `/web/entry/en/address/adrsSetUserWizard.cgi` | High
|
||||
31 | File | `/wp-json/oembed/1.0/embed?url` | High
|
||||
32 | File | `adclick.php` | Medium
|
||||
33 | File | `addentry.php` | Medium
|
||||
34 | File | `admin.cropcanvas.php` | High
|
||||
13 | File | `/nova/bin/console` | High
|
||||
14 | File | `/objects/getImageMP4.php` | High
|
||||
15 | File | `/one_church/userregister.php` | High
|
||||
16 | File | `/out.php` | Medium
|
||||
17 | File | `/public/plugins/` | High
|
||||
18 | File | `/replication` | Medium
|
||||
19 | File | `/req_password_user.php` | High
|
||||
20 | File | `/SAP_Information_System/controllers/add_admin.php` | High
|
||||
21 | File | `/SASWebReportStudio/logonAndRender.do` | High
|
||||
22 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
23 | File | `/secure/admin/ViewInstrumentation.jspa` | High
|
||||
24 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
25 | File | `/SSOPOST/metaAlias/%realm%/idpv2` | High
|
||||
26 | File | `/tmp` | Low
|
||||
27 | File | `/tmp/phpglibccheck` | High
|
||||
28 | File | `/uncpath/` | Medium
|
||||
29 | File | `/usr/syno/etc/mount.conf` | High
|
||||
30 | File | `/WEB-INF/web.xml` | High
|
||||
31 | File | `/web/entry/en/address/adrsSetUserWizard.cgi` | High
|
||||
32 | File | `/wp-json/oembed/1.0/embed?url` | High
|
||||
33 | File | `adclick.php` | Medium
|
||||
34 | File | `addentry.php` | Medium
|
||||
35 | File | `admin.jcomments.php` | High
|
||||
36 | File | `admin.php` | Medium
|
||||
37 | File | `admin/conf_users_edit.php` | High
|
||||
38 | File | `admin/create-package.php` | High
|
||||
39 | ... | ... | ...
|
||||
38 | ... | ... | ...
|
||||
|
||||
There are 339 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 325 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
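Review bot: on the new side the IOA table keeps the unchanged row `38 | File | `admin/create-package.php` | High` and then replaces the trailing `39 | ... | ... | ...` with `38 | ... | ... | ...`, so the table ends with two rows numbered 38. Either the ellipsis row should stay 39, or one of the retained rows 35 to 38 is no longer in the new output and the diff should show it removed; the ID sequence should be checked before merge.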
@ -0,0 +1,36 @@
|
|||
# Hive0117 - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Hive0117](https://vuldb.com/?actor.hive0117). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.hive0117](https://vuldb.com/?actor.hive0117)
|
||||
|
||||
## Campaigns
|
||||
|
||||
The following _campaigns_ are known and can be associated with Hive0117:
|
||||
|
||||
* DarkWatchman
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Hive0117.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [103.153.157.33](https://vuldb.com/?ip.103.153.157.33) | 103-153-157-33.ip.fulltimehosting.net | DarkWatchman | High
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://securityintelligence.com/posts/hive00117-fileless-malware-delivery-eastern-europe/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -4,6 +4,12 @@ These _indicators_ were reported, collected, and generated during the [VulDB CTI
|
|||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.icedid](https://vuldb.com/?actor.icedid)
|
||||
|
||||
## Campaigns
|
||||
|
||||
The following _campaigns_ are known and can be associated with IcedID:
|
||||
|
||||
* Cobalt Strike
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with IcedID:
|
||||
|
@ -13,7 +19,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
* [RU](https://vuldb.com/?country.ru)
|
||||
* ...
|
||||
|
||||
There are 17 more country items available. Please use our online service to access the data.
|
||||
There are 20 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -21,25 +27,27 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
|
|||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [5.149.252.179](https://vuldb.com/?ip.5.149.252.179) | hnh7.arenal.xyz | - | High
|
||||
2 | [31.24.224.12](https://vuldb.com/?ip.31.24.224.12) | 1f18e00c.setaptr.net | - | High
|
||||
3 | [31.24.228.170](https://vuldb.com/?ip.31.24.228.170) | 31.24.228.170.static.midphase.com | - | High
|
||||
4 | [31.184.199.11](https://vuldb.com/?ip.31.184.199.11) | dalesmanager.com | - | High
|
||||
5 | [45.129.99.241](https://vuldb.com/?ip.45.129.99.241) | 354851-vds-mamozw.gmhost.pp.ua | - | High
|
||||
6 | [45.138.172.179](https://vuldb.com/?ip.45.138.172.179) | - | - | High
|
||||
7 | [45.147.228.198](https://vuldb.com/?ip.45.147.228.198) | - | - | High
|
||||
8 | [45.147.230.82](https://vuldb.com/?ip.45.147.230.82) | - | - | High
|
||||
9 | [45.147.230.88](https://vuldb.com/?ip.45.147.230.88) | mailnode7.bulletproof-mail.biz | - | High
|
||||
10 | [45.147.231.113](https://vuldb.com/?ip.45.147.231.113) | - | - | High
|
||||
11 | [45.153.240.135](https://vuldb.com/?ip.45.153.240.135) | - | - | High
|
||||
12 | [45.153.241.115](https://vuldb.com/?ip.45.153.241.115) | - | - | High
|
||||
13 | [46.17.98.191](https://vuldb.com/?ip.46.17.98.191) | - | - | High
|
||||
14 | [46.249.62.199](https://vuldb.com/?ip.46.249.62.199) | - | - | High
|
||||
15 | [79.141.161.176](https://vuldb.com/?ip.79.141.161.176) | zzs7bp73.copycomdigital.com | - | High
|
||||
16 | [79.141.164.241](https://vuldb.com/?ip.79.141.164.241) | x6ts.mtsgamingpro.fun | - | High
|
||||
17 | ... | ... | ... | ...
|
||||
1 | [5.61.46.161](https://vuldb.com/?ip.5.61.46.161) | - | - | High
|
||||
2 | [5.149.252.179](https://vuldb.com/?ip.5.149.252.179) | hnh7.arenal.xyz | - | High
|
||||
3 | [31.24.224.12](https://vuldb.com/?ip.31.24.224.12) | 1f18e00c.setaptr.net | - | High
|
||||
4 | [31.24.228.170](https://vuldb.com/?ip.31.24.228.170) | 31.24.228.170.static.midphase.com | - | High
|
||||
5 | [31.184.199.11](https://vuldb.com/?ip.31.184.199.11) | dalesmanager.com | - | High
|
||||
6 | [37.120.222.100](https://vuldb.com/?ip.37.120.222.100) | - | - | High
|
||||
7 | [45.129.99.241](https://vuldb.com/?ip.45.129.99.241) | 354851-vds-mamozw.gmhost.pp.ua | - | High
|
||||
8 | [45.138.172.179](https://vuldb.com/?ip.45.138.172.179) | - | - | High
|
||||
9 | [45.147.228.198](https://vuldb.com/?ip.45.147.228.198) | - | - | High
|
||||
10 | [45.147.230.82](https://vuldb.com/?ip.45.147.230.82) | - | - | High
|
||||
11 | [45.147.230.88](https://vuldb.com/?ip.45.147.230.88) | mailnode7.bulletproof-mail.biz | - | High
|
||||
12 | [45.147.231.113](https://vuldb.com/?ip.45.147.231.113) | - | - | High
|
||||
13 | [45.153.240.135](https://vuldb.com/?ip.45.153.240.135) | - | - | High
|
||||
14 | [45.153.241.115](https://vuldb.com/?ip.45.153.241.115) | - | - | High
|
||||
15 | [46.17.98.191](https://vuldb.com/?ip.46.17.98.191) | - | - | High
|
||||
16 | [46.249.62.199](https://vuldb.com/?ip.46.249.62.199) | - | - | High
|
||||
17 | [79.141.161.176](https://vuldb.com/?ip.79.141.161.176) | zzs7bp73.copycomdigital.com | - | High
|
||||
18 | [79.141.164.241](https://vuldb.com/?ip.79.141.164.241) | x6ts.mtsgamingpro.fun | - | High
|
||||
19 | ... | ... | ... | ...
|
||||
|
||||
There are 66 more IOC items available. Please use our online service to access the data.
|
||||
There are 74 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
@ -66,52 +74,49 @@ ID | Type | Indicator | Confidence
|
|||
4 | File | `/anony/mjpg.cgi` | High
|
||||
5 | File | `/bin/sh` | Low
|
||||
6 | File | `/cgi-bin/editBookmark` | High
|
||||
7 | File | `/etc/shadow` | Medium
|
||||
8 | File | `/EXCU_SHELL` | Medium
|
||||
9 | File | `/export` | Low
|
||||
10 | File | `/GetSimpleCMS-3.3.15/admin/log.php` | High
|
||||
11 | File | `/goform/addressNat` | High
|
||||
12 | File | `/iisadmpwd` | Medium
13 | File | `/include/menu_v.inc.php` | High
14 | File | `/lms/admin.php` | High
15 | File | `/mc` | Low
16 | File | `/opt/IBM/es/lib/libffq.cryptionjni.so` | High
17 | File | `/opt/novell/ncl/bin/nwrights` | High
18 | File | `/out.php` | Medium
19 | File | `/proc/*/cmdline"` | High
20 | File | `/proc/pid/syscall` | High
21 | File | `/rest/review-coverage-chart/1.0/data/<repository_name>/.json` | High
22 | File | `/uncpath/` | Medium
23 | File | `/var/log/pcp/configs.sh` | High
24 | File | `/webconsole/APIController` | High
25 | File | `/WWW//app/admin/controller/admincontroller.php` | High
26 | File | `a-b-membres.php` | High
27 | File | `action.php` | Medium
28 | File | `admin-search.php` | High
29 | File | `admin.jcomments.php` | High
30 | File | `admin/adminsignin.html` | High
31 | File | `admin/index.php` | High
32 | File | `admin/plugin.php` | High
33 | File | `admin/test.php` | High
34 | File | `admin/versions.html` | High
35 | File | `administrator/index.php?option=com_pago&view=comments` | High
36 | File | `Adminlog.asp` | Medium
37 | File | `admin_iplog.php` | High
38 | File | `ajax.php` | Medium
39 | File | `ajax_admin_apis.php` | High
40 | File | `ajax_php_pecl.php` | High
41 | File | `antserver.exe` | High
42 | File | `api.cc` | Low
43 | File | `api/ApiQueryCheckUser.php` | High
44 | File | `app/helpers/application_helper.rb` | High
45 | File | `app\conference_controls\conference_control_details.php` | High
46 | File | `apt/package.py` | High
47 | File | `arch/x86/include/asm/uaccess.h` | High
48 | File | `architext.conf` | High
49 | File | `archive/savedqueries/savequeryfinish.html` | High
50 | ... | ... | ...
7 | File | `/cgi-bin/supervisor/PwdGrp.cgi` | High
8 | File | `/etc/shadow` | Medium
9 | File | `/EXCU_SHELL` | Medium
10 | File | `/export` | Low
11 | File | `/GetSimpleCMS-3.3.15/admin/log.php` | High
12 | File | `/goform/addressNat` | High
13 | File | `/iisadmpwd` | Medium
14 | File | `/include/menu_v.inc.php` | High
15 | File | `/lms/admin.php` | High
16 | File | `/mc` | Low
17 | File | `/opt/IBM/es/lib/libffq.cryptionjni.so` | High
18 | File | `/opt/novell/ncl/bin/nwrights` | High
19 | File | `/out.php` | Medium
20 | File | `/proc/*/cmdline"` | High
21 | File | `/proc/pid/syscall` | High
22 | File | `/rest/review-coverage-chart/1.0/data/<repository_name>/.json` | High
23 | File | `/TeamMate/Upload/DomainObjectDocumentUpload.ashx` | High
24 | File | `/uncpath/` | Medium
25 | File | `/var/log/pcp/configs.sh` | High
26 | File | `/webconsole/APIController` | High
27 | File | `/wp-admin/admin-ajax.php` | High
28 | File | `/WWW//app/admin/controller/admincontroller.php` | High
29 | File | `a-b-membres.php` | High
30 | File | `action.php` | Medium
31 | File | `admin-search.php` | High
32 | File | `admin.jcomments.php` | High
33 | File | `admin/adminsignin.html` | High
34 | File | `admin/index.php` | High
35 | File | `admin/infoclass_update.php` | High
36 | File | `admin/plugin.php` | High
37 | File | `admin/test.php` | High
38 | File | `admin/versions.html` | High
39 | File | `administrator/index.php?option=com_pago&view=comments` | High
40 | File | `Adminlog.asp` | Medium
41 | File | `admin_iplog.php` | High
42 | File | `ajax.php` | Medium
43 | File | `ajax_admin_apis.php` | High
44 | File | `ajax_php_pecl.php` | High
45 | File | `allocate_block.cpp` | High
46 | File | `api.cc` | Low
47 | ... | ... | ...

There are 432 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 407 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

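Review bot: the indicator `/proc/*/cmdline"` (item 19 in the old list, item 20 in the new one) carries a stray trailing double-quote that is kept verbatim across the update; it looks like a quoting artifact from the source record rather than part of the path. Normalizing it to `/proc/*/cmdline` before it is consumed by any matching rule would avoid a literal `"` silently preventing matches, and the same check is worth running on the other rows since `/WWW//app/admin/controller/admincontroller.php` (item 25 old, 28 new) also carries a doubled slash.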
@ -127,6 +132,8 @@ The following list contains _external sources_ which discuss the actor and the a
* https://isc.sans.edu/forums/diary/Microsoft+Word+document+with+malicious+macro+pushes+IcedID+Bokbot/26146/
* https://isc.sans.edu/forums/diary/One+Emotet+infection+leads+to+three+followup+malware+infections/24140/
* https://research.checkpoint.com/2021/melting-ice-tracking-icedid-servers-with-a-few-simple-steps/
* https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/
* https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/

## Literature

@ -45,7 +45,7 @@ ID | Technique | Weakness | Description | Confidence
3 | T1068 | CWE-250, CWE-264, CWE-274, CWE-284 | Execution with Unnecessary Privileges | High
4 | ... | ... | ... | ...

There are 8 more TTP items available. Please use our online service to access the data.
There are 7 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

@ -57,33 +57,31 @@ ID | Type | Indicator | Confidence
2 | File | `/admin/inbox.php&action=read` | High
3 | File | `/admin/news/news_mod.php` | High
4 | File | `/admin/page_edit/3` | High
5 | File | `/apps/acs-commons/content/page-compare.html` | High
6 | File | `/blog/blog.php` | High
7 | File | `/cgi-bin/uploadWeiXinPic` | High
8 | File | `/domain/service/.ewell-known/caldav` | High
9 | File | `/dvcset/sysset/set.cgi` | High
10 | File | `/example/editor` | High
11 | File | `/include/make.php` | High
12 | File | `/jquery_file_upload/server/php/index.php` | High
13 | File | `/mobile/SelectUsers.jsp` | High
14 | File | `/php/ajax.php` | High
15 | File | `/ProteinArraySignificanceTest.json` | High
16 | File | `/ptms/classes/Users.php` | High
17 | File | `/public/admin/index.php?add_product` | High
18 | File | `/system/bin/osi_bin` | High
19 | File | `/usr/local/bin/mjs` | High
20 | File | `/wp-content/uploads/jobmonster/` | High
21 | File | `/zbzedit/php/zbz.php` | High
22 | File | `ActiveServices.java` | High
23 | File | `admin/bad.php` | High
24 | File | `admin/dl_sendmail.php` | High
25 | File | `admin/htaccess/bpsunlock.php` | High
26 | File | `admin/pages/useredit.php` | High
27 | File | `AlertReceiver.java` | High
28 | File | `alfresco/s/admin/admin-nodebrowser` | High
29 | ... | ... | ...
5 | File | `/administrator/alerts/alertLightbox.php` | High
6 | File | `/apps/acs-commons/content/page-compare.html` | High
7 | File | `/blog/blog.php` | High
8 | File | `/cgi-bin/main.cgi` | High
9 | File | `/cgi-bin/uploadWeiXinPic` | High
10 | File | `/controller/Adv.php` | High
11 | File | `/domain/service/.ewell-known/caldav` | High
12 | File | `/dvcset/sysset/set.cgi` | High
13 | File | `/example/editor` | High
14 | File | `/include/make.php` | High
15 | File | `/jquery_file_upload/server/php/index.php` | High
16 | File | `/mobile/SelectUsers.jsp` | High
17 | File | `/php/ajax.php` | High
18 | File | `/ProteinArraySignificanceTest.json` | High
19 | File | `/ptms/classes/Users.php` | High
20 | File | `/public/admin/index.php?add_product` | High
21 | File | `/role/saveOrUpdateRole.do` | High
22 | File | `/system/bin/osi_bin` | High
23 | File | `/usr/local/bin/mjs` | High
24 | File | `/wp-content/uploads/jobmonster/` | High
25 | File | `/zbzedit/php/zbz.php` | High
26 | File | `ActiveServices.java` | High
27 | ... | ... | ...

There are 244 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 224 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -76,15 +76,15 @@ ID | Type | Indicator | Confidence
16 | File | `/public/plugins/` | High
17 | File | `/rest/jpo/1.0/hierarchyConfiguration` | High
18 | File | `/SASWebReportStudio/logonAndRender.do` | High
19 | File | `/tlogin.cgi` | Medium
20 | File | `/tmp/scfgdndf` | High
21 | File | `/uncpath/` | Medium
22 | File | `/upload` | Low
23 | File | `/usr/ucb/mail` | High
24 | File | `/vendor/phpdocumentor/reflection-docblock/tests/phpDocumentor/Reflection/DocBlock/Tag/LinkTagTeet.php` | High
19 | File | `/scas/admin/` | Medium
20 | File | `/tlogin.cgi` | Medium
21 | File | `/tmp/scfgdndf` | High
22 | File | `/uncpath/` | Medium
23 | File | `/upload` | Low
24 | File | `/usr/ucb/mail` | High
25 | ... | ... | ...

There are 205 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 209 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -99,7 +99,7 @@ ID | Type | Indicator | Confidence
37 | File | `blog.php` | Medium
38 | ... | ... | ...

There are 328 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 329 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -0,0 +1,79 @@
# Lapsus - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Lapsus](https://vuldb.com/?actor.lapsus). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.lapsus](https://vuldb.com/?actor.lapsus)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Lapsus:

* [US](https://vuldb.com/?country.us)
* [GB](https://vuldb.com/?country.gb)
* [GR](https://vuldb.com/?country.gr)
* ...

There are 8 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Lapsus.

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [104.238.222.158](https://vuldb.com/?ip.104.238.222.158) | - | - | High
2 | [108.61.173.214](https://vuldb.com/?ip.108.61.173.214) | 108.61.173.214.vultrusercontent.com | - | High
3 | [185.169.255.74](https://vuldb.com/?ip.185.169.255.74) | - | - | High

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Lapsus_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1211 | CWE-254, CWE-358 | 7PK Security Features | High
4 | ... | ... | ... | ...

There are 3 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Lapsus. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/.env` | Low
2 | File | `/cbpos/` | Low
3 | File | `/context/%2e/WEB-INF/web.xml` | High
4 | File | `/forum/away.php` | High
5 | File | `/horde/util/go.php` | High
6 | File | `/plain` | Low
7 | File | `/secure/admin/ImporterFinishedPage.jspa` | High
8 | File | `/uncpath/` | Medium
9 | File | `admin/admin.shtml` | High
10 | File | `admin/import/class-import-settings.php` | High
11 | File | `Administration/Controllers/ImportController.cs` | High
12 | File | `administrator/components/com_media/helpers/media.php` | High
13 | File | `base/PdfString.cpp` | High
14 | ... | ... | ...

There are 106 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://research.nccgroup.com/2022/04/28/lapsus-recent-techniques-tactics-and-procedures/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -20,8 +20,8 @@ There are 7 more campaign items available. Please use our online service to acce
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Lazarus:

* [VN](https://vuldb.com/?country.vn)
* [FR](https://vuldb.com/?country.fr)
* [IN](https://vuldb.com/?country.in)
* [US](https://vuldb.com/?country.us)
* ...

There are 4 more country items available. Please use our online service to access the data.

@ -225,12 +225,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-250, CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 7 more TTP items available. Please use our online service to access the data.
There are 4 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

@ -243,22 +243,16 @@ ID | Type | Indicator | Confidence
3 | File | `/admin.php?id=siteoptions&social=edit&sid=2` | High
4 | File | `/admin/inbox.php&action=delete` | High
5 | File | `/admin/inbox.php&action=read` | High
6 | File | `/admin/index.php` | High
7 | File | `/admin/pagerole.php&action=display&value=1` | High
8 | File | `/admin/pagerole.php&action=edit` | High
9 | File | `/admin/posts.php` | High
10 | File | `/admin/posts.php&action=delete` | High
11 | File | `/admin/posts.php&action=edit` | High
6 | File | `/admin/pagerole.php&action=display&value=1` | High
7 | File | `/admin/pagerole.php&action=edit` | High
8 | File | `/admin/posts.php` | High
9 | File | `/admin/posts.php&action=delete` | High
10 | File | `/admin/posts.php&action=edit` | High
11 | File | `/admin/siteoptions.php&action=displaygoal&value=1&roleid=1` | High
12 | File | `/admin/siteoptions.php&social=remove&sid=2` | High
13 | File | `/admin/uesrs.php&&action=delete&userid=4` | High
14 | File | `/admin/uesrs.php&action=display&value=Show` | High
15 | File | `/apps/acs-commons/content/page-compare.html` | High
16 | File | `/blog/blog.php` | High
17 | File | `/cdsms/classes/Master.php?f=delete_enrollment` | High
18 | File | `/cdsms/classes/Master.php?f=delete_package` | High
19 | ... | ... | ...
13 | ... | ... | ...

There are 152 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 105 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -9,11 +9,11 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Liberty Front Press:

* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [VN](https://vuldb.com/?country.vn)
* [CN](https://vuldb.com/?country.cn)
* ...

There are 24 more country items available. Please use our online service to access the data.
There are 25 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -104,40 +104,36 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/.ssh/authorized_keys` | High
2 | File | `/CMD_ACCOUNT_ADMIN` | High
3 | File | `/context/%2e/WEB-INF/web.xml` | High
4 | File | `/core/admin/categories.php` | High
5 | File | `/etc/hosts` | Medium
6 | File | `/etc/sudoers` | Medium
7 | File | `/filemanager/php/connector.php` | High
8 | File | `/forum/away.php` | High
9 | File | `/modules/profile/index.php` | High
10 | File | `/MTFWU` | Low
11 | File | `/new` | Low
12 | File | `/proc/<pid>/status` | High
13 | File | `/public/plugins/` | High
14 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
15 | File | `/secure/QueryComponent!Default.jspa` | High
16 | File | `/server-info` | Medium
17 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
18 | File | `/tmp` | Low
19 | File | `/uncpath/` | Medium
20 | File | `/updown/upload.cgi` | High
21 | File | `/usr/bin/pkexec` | High
22 | File | `/way4acs/enroll` | High
2 | File | `/admin.php` | Medium
3 | File | `/CMD_ACCOUNT_ADMIN` | High
4 | File | `/context/%2e/WEB-INF/web.xml` | High
5 | File | `/core/admin/categories.php` | High
6 | File | `/etc/groups` | Medium
7 | File | `/etc/hosts` | Medium
8 | File | `/etc/sudoers` | Medium
9 | File | `/filemanager/php/connector.php` | High
10 | File | `/forum/away.php` | High
11 | File | `/modules/profile/index.php` | High
12 | File | `/MTFWU` | Low
13 | File | `/new` | Low
14 | File | `/proc/<pid>/status` | High
15 | File | `/public/plugins/` | High
16 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
17 | File | `/secure/QueryComponent!Default.jspa` | High
18 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
19 | File | `/tmp` | Low
20 | File | `/uncpath/` | Medium
21 | File | `/updown/upload.cgi` | High
22 | File | `/usr/bin/pkexec` | High
23 | File | `4.2.0.CP09` | Medium
24 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
25 | File | `AccountManagerService.java` | High
26 | File | `actions/CompanyDetailsSave.php` | High
27 | File | `ActivityManagerService.java` | High
28 | File | `admin.php` | Medium
29 | File | `admin.php/comments/batchdel/` | High
30 | File | `admin/add-glossary.php` | High
31 | File | `admin/conf_users_edit.php` | High
32 | File | `admin/edit-comments.php` | High
33 | ... | ... | ...
29 | ... | ... | ...

There are 277 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 250 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

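Review bot: `/etc/groups` (item 6 in the new list) is not a standard path; the Unix group database lives at `/etc/group`. If the entry is meant to reflect that file, the indicator should be corrected, and if it is quoted verbatim from a source advisory it is worth saying so, because a file-based detection built on `/etc/groups` would never fire on a real host. The same list also carries `4.2.0.CP09` (item 23) typed as `File`, which reads like a version string rather than a path and may belong in a different indicator type.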
@ -81,13 +81,13 @@ ID | Type | Indicator | Confidence
22 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
23 | File | `AccountManagerService.java` | High
24 | File | `actions/CompanyDetailsSave.php` | High
25 | File | `ActiveServices.java` | High
26 | File | `ActivityManagerService.java` | High
27 | File | `admin.php` | Medium
28 | File | `admin/add-glossary.php` | High
25 | File | `ActivityManagerService.java` | High
26 | File | `admin.php` | Medium
27 | File | `admin/add-glossary.php` | High
28 | File | `admin/conf_users_edit.php` | High
29 | ... | ... | ...

There are 247 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 246 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -9,8 +9,8 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with LoggerMiner:

* [CN](https://vuldb.com/?country.cn)
* [JP](https://vuldb.com/?country.jp)
* [US](https://vuldb.com/?country.us)
* [GB](https://vuldb.com/?country.gb)
* ...

There are 1 more country items available. Please use our online service to access the data.

@ -8,12 +8,12 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Magecart:

* [CN](https://vuldb.com/?country.cn)
* [PL](https://vuldb.com/?country.pl)
* [FR](https://vuldb.com/?country.fr)
* [CN](https://vuldb.com/?country.cn)
* ...

There are 11 more country items available. Please use our online service to access the data.
There are 10 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -39,7 +39,7 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
2 | T1068 | CWE-250, CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

@ -54,33 +54,34 @@ ID | Type | Indicator | Confidence
1 | File | `/admin-panel1.php` | High
2 | File | `/admin/delete_image.php` | High
3 | File | `/admin/login.php` | High
4 | File | `/administrator/components/table_manager/` | High
5 | File | `/aqpg/users/login.php` | High
6 | File | `/cloud_config/router_post/check_reg_verify_code` | High
7 | File | `/context/%2e/WEB-INF/web.xml` | High
8 | File | `/data-service/users/` | High
9 | File | `/etc/config/rpcd` | High
10 | File | `/Hospital-Management-System-master/func.php` | High
11 | File | `/jeecg-boot/sys/user/queryUserByDepId` | High
12 | File | `/jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c` | High
13 | File | `/js/app.js` | Medium
14 | File | `/ManageRoute/postRoute` | High
15 | File | `/message-bus/_diagnostics` | High
16 | File | `/ms/cms/content/list.do` | High
17 | File | `/one_church/churchprofile.php` | High
18 | File | `/php/ajax.php` | High
19 | File | `/public/plugins/` | High
20 | File | `/public_html/apply_vacancy` | High
21 | File | `/rest-service-fecru/server-v1` | High
22 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
23 | File | `/secure/EditSubscription.jspa` | High
24 | File | `/secure/QueryComponent!Default.jspa` | High
25 | File | `/tmp` | Low
26 | File | `/tmp/swhkd.sock` | High
27 | File | `/uncpath/` | Medium
28 | ... | ... | ...
4 | File | `/admin/users.php?source=edit_user&id=1` | High
5 | File | `/admin/weixin.php` | High
6 | File | `/administrator/components/table_manager/` | High
7 | File | `/apps/acs-commons/content/page-compare.html` | High
8 | File | `/aqpg/users/login.php` | High
9 | File | `/cloud_config/router_post/check_reg_verify_code` | High
10 | File | `/context/%2e/WEB-INF/web.xml` | High
11 | File | `/data-service/users/` | High
12 | File | `/etc/config/rpcd` | High
13 | File | `/Hospital-Management-System-master/func.php` | High
14 | File | `/jeecg-boot/sys/user/queryUserByDepId` | High
15 | File | `/jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c` | High
16 | File | `/js/app.js` | Medium
17 | File | `/ManageRoute/postRoute` | High
18 | File | `/ms/cms/content/list.do` | High
19 | File | `/one_church/churchprofile.php` | High
20 | File | `/php/ajax.php` | High
21 | File | `/public/plugins/` | High
22 | File | `/public_html/apply_vacancy` | High
23 | File | `/purchase_order/admin/?page=user` | High
24 | File | `/rest-service-fecru/server-v1` | High
25 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
26 | File | `/student-grading-system/rms.php?page=school_year` | High
27 | File | `/tmp` | Low
28 | File | `/tmp/swhkd.sock` | High
29 | ... | ... | ...

There are 241 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 249 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -61,10 +61,10 @@ ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1211 | CWE-254, CWE-358 | 7PK Security Features | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 4 more TTP items available. Please use our online service to access the data.
There are 6 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

@ -78,23 +78,26 @@ ID | Type | Indicator | Confidence
4 | File | `/admin/loginc.php` | High
5 | File | `/auditLogAction.do` | High
6 | File | `/cgi-bin/wapopen` | High
7 | File | `/etc/ajenti/config.yml` | High
8 | File | `/getcfg.php` | Medium
9 | File | `/GetCSSashx/?CP=%2fwebconfig` | High
10 | File | `/plugin` | Low
11 | File | `/rating.php` | Medium
12 | File | `/services/prefs.php` | High
13 | File | `/src/njs_object.c` | High
14 | File | `/uncpath/` | Medium
15 | File | `/wordpress-gallery-transformation/gallery.php` | High
16 | File | `adclick.php` | Medium
17 | File | `add_to_cart.php` | High
18 | File | `admin.php` | Medium
19 | File | `admin/config/confmgr.php` | High
20 | File | `admin/index.php` | High
21 | ... | ... | ...
7 | File | `/devices/acurite.c` | High
8 | File | `/etc/ajenti/config.yml` | High
9 | File | `/example/editor` | High
10 | File | `/getcfg.php` | Medium
11 | File | `/GetCSSashx/?CP=%2fwebconfig` | High
12 | File | `/goform/login_process` | High
13 | File | `/goform/rlmswitchr_process` | High
14 | File | `/goforms/rlminfo` | High
15 | File | `/plugin` | Low
16 | File | `/rating.php` | Medium
17 | File | `/scas/admin/` | Medium
18 | File | `/scas/classes/Users.php?f=save_user` | High
19 | File | `/services/prefs.php` | High
20 | File | `/src/njs_object.c` | High
21 | File | `/uncpath/` | Medium
22 | File | `/wordpress-gallery-transformation/gallery.php` | High
23 | File | `adclick.php` | Medium
24 | ... | ... | ...

There are 174 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 196 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -90,7 +90,7 @@ ID | Type | Indicator | Confidence
29 | File | `apport/hookutils.py` | High
30 | ... | ... | ...

There are 250 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 252 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -10,6 +10,7 @@ The following _campaigns_ are known and can be associated with Mustang Panda:

* Diànxùn
* Hodur
* PlugX

## Countries

@ -34,11 +35,12 @@ ID | IP address | Hostname | Campaign | Confidence
4 | [45.32.50.150](https://vuldb.com/?ip.45.32.50.150) | 45.32.50.150.vultr.com | - | Medium
5 | [45.77.184.12](https://vuldb.com/?ip.45.77.184.12) | comm.phiu.pw | - | High
6 | [45.131.179.179](https://vuldb.com/?ip.45.131.179.179) | - | Hodur | High
7 | [45.154.14.235](https://vuldb.com/?ip.45.154.14.235) | - | Hodur | High
8 | [45.248.87.14](https://vuldb.com/?ip.45.248.87.14) | - | - | High
9 | ... | ... | ... | ...
7 | [45.134.83.41](https://vuldb.com/?ip.45.134.83.41) | - | PlugX | High
8 | [45.154.14.235](https://vuldb.com/?ip.45.154.14.235) | - | Hodur | High
9 | [45.248.87.14](https://vuldb.com/?ip.45.248.87.14) | - | - | High
10 | ... | ... | ... | ...

There are 32 more IOC items available. Please use our online service to access the data.
There are 34 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

@ -70,9 +72,10 @@ ID | Type | Indicator | Confidence
9 | File | `/uploads/dede` | High
10 | File | `/way4acs/enroll` | High
11 | File | `/webtools/control/httpService` | High
12 | ... | ... | ...
12 | File | `/_error` | Low
13 | ... | ... | ...

There are 97 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 98 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -80,6 +83,8 @@ The following list contains _external sources_ which discuss the actor and the a
|
|||
|
||||
* https://github.com/eset/malware-ioc/tree/master/quarterly_reports/2020_Q2
* https://twitter.com/ESETresearch/status/1400165861973966854
* https://twitter.com/xorhex/status/1406496693735067650
* https://twitter.com/xorhex/status/1422815329684758537
* https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
* https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf
* https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/
@ -0,0 +1,81 @@
# NetWalker - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [NetWalker](https://vuldb.com/?actor.netwalker). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.netwalker](https://vuldb.com/?actor.netwalker)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with NetWalker:
* [US](https://vuldb.com/?country.us)
* [CO](https://vuldb.com/?country.co)
* [RU](https://vuldb.com/?country.ru)
* ...
There are 8 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of NetWalker.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [93.179.69.154](https://vuldb.com/?ip.93.179.69.154) | - | - | High
2 | [141.98.81.191](https://vuldb.com/?ip.141.98.81.191) | - | - | High
3 | [173.232.146.37](https://vuldb.com/?ip.173.232.146.37) | - | - | High
4 | ... | ... | ... | ...
There are 4 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _NetWalker_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1211 | CWE-254 | 7PK Security Features | High
4 | ... | ... | ... | ...
There are 3 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by NetWalker. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/+CSCOE+/logon.html` | High
2 | File | `/apply_noauth.cgi` | High
3 | File | `/cgi-bin/wapopen` | High
4 | File | `/config.cgi?webmin` | High
5 | File | `/lib/` | Low
6 | File | `/public/login.htm` | High
7 | File | `/rom-0` | Low
8 | File | `/uncpath/` | Medium
9 | File | `/var/run/beaker/container_file/` | High
10 | File | `/wordpress/wp-admin/options-general.php` | High
11 | File | `/workspaceCleanup` | High
12 | File | `5.2.9\syscrb.exe` | High
13 | ... | ... | ...
There are 100 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
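Review bot: in the TTP table of this new file, row 2 pairs T1068 with CWE-264 and CWE-284 but labels them "Execution with Unnecessary Privileges", which is the title of CWE-250; CWE-264 is the "Permissions, Privileges, and Access Controls" category and CWE-284 is "Improper Access Control". Either the weakness IDs or the description column should be aligned so that a reader mapping the row back to CWE gets a consistent entry.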
@ -0,0 +1,104 @@
# PYSA - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [PYSA](https://vuldb.com/?actor.pysa). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.pysa](https://vuldb.com/?actor.pysa)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with PYSA:
* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [DE](https://vuldb.com/?country.de)
* ...
There are 4 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of PYSA.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [23.129.64.190](https://vuldb.com/?ip.23.129.64.190) | - | - | High
2 | [45.147.231.210](https://vuldb.com/?ip.45.147.231.210) | - | - | High
3 | [185.220.100.240](https://vuldb.com/?ip.185.220.100.240) | tor-exit-13.zbau.f3netze.de | - | High
4 | ... | ... | ... | ...
There are 2 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _PYSA_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
2 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
3 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
4 | ... | ... | ... | ...
There are 9 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by PYSA. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/admin-panel1.php` | High
2 | File | `/admin.php/admin/plog/index.html` | High
3 | File | `/admin.php/admin/website/data.html` | High
4 | File | `/admin.php?id=siteoptions&social=display&value=0&sid=2` | High
5 | File | `/admin.php?id=siteoptions&social=edit&sid=2` | High
6 | File | `/admin/config` | High
7 | File | `/admin/file-manager/` | High
8 | File | `/admin/inbox.php&action=delete` | High
9 | File | `/admin/news/news_mod.php` | High
10 | File | `/admin/posts.php` | High
11 | File | `/administrator/alerts/alertLightbox.php` | High
12 | File | `/admin_page/all-files-update-ajax.php` | High
13 | File | `/agenttrayicon` | High
14 | File | `/api/servers` | Medium
15 | File | `/api/students/me/messages/` | High
16 | File | `/app/controller/Books.php` | High
17 | File | `/app/elkarbackup/src/Binovo/ElkarBackupBundle/Controller/DefaultController.php` | High
18 | File | `/apps/acs-commons/content/page-compare.html` | High
19 | File | `/cgi-bin/uploadWeiXinPic` | High
20 | File | `/config/list` | Medium
21 | File | `/data/sqldata` | High
22 | File | `/export` | Low
23 | File | `/goform/login_process` | High
24 | File | `/goform/setAdInfoDetail` | High
25 | File | `/goform/setFixTools` | High
26 | File | `/goform/SetInternetLanInfo` | High
27 | File | `/goform/setPicListItem` | High
28 | File | `/hocms/classes/Master.php?f=delete_collection` | High
29 | File | `/hocms/classes/Master.php?f=delete_member` | High
30 | File | `/northstar/Admin/changePassword.jsp` | High
31 | File | `/nova/bin/detnet` | High
32 | File | `/ofcms/company-c-47` | High
33 | File | `/ok_jpg.c` | Medium
34 | File | `/ok_png.c` | Medium
35 | File | `/one_church/churchprofile.php` | High
36 | ... | ... | ...
There are 309 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
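Review bot: TTP row 3 of this new file carries the same ID/description mismatch: CWE-264 and CWE-284 are labelled "Execution with Unnecessary Privileges", which is the title of CWE-250, while CWE-264 is the "Permissions, Privileges, and Access Controls" category and CWE-284 is "Improper Access Control". Pick one side (IDs or description) and correct it so the weakness column can be used for lookups.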
@ -141,41 +141,40 @@ ID | Type | Indicator | Confidence
19 | File | `/proc/ioports` | High
20 | File | `/property-list/property_view.php` | High
21 | File | `/ptms/classes/Users.php` | High
22 | File | `/rest` | Low
23 | File | `/rest/api/2/search` | High
24 | File | `/s/` | Low
25 | File | `/scripts/cpan_config` | High
26 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
27 | File | `/services/system/setup.json` | High
28 | File | `/uncpath/` | Medium
29 | File | `/videotalk` | Medium
30 | File | `/web/MCmsAction.java` | High
31 | File | `/webconsole/APIController` | High
32 | File | `/websocket/exec` | High
33 | File | `/wp-admin/admin-ajax.php` | High
34 | File | `/wp-content/plugins/woocommerce/templates/emails/plain/` | High
35 | File | `/wp-json` | Medium
36 | File | `/wp-json/oembed/1.0/embed?url` | High
37 | File | `/_next` | Low
38 | File | `4.edu.php\conn\function.php` | High
39 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
40 | File | `about.php` | Medium
41 | File | `acl.c` | Low
42 | File | `activity_log.php` | High
43 | File | `adclick.php` | Medium
44 | File | `addentry.php` | Medium
45 | File | `add_vhost.php` | High
46 | File | `admin/admin_admin.php?nav=list_admin_user&admin_p_nav=user` | High
47 | File | `admin/category.inc.php` | High
48 | File | `admin/conf_users_edit.php` | High
49 | File | `admin/default.asp` | High
50 | File | `admin/dl_sendmail.php` | High
51 | File | `admin/getparam.cgi` | High
52 | File | `admin/index.php` | High
53 | File | `admin/index.php?n=ui_set&m=admin&c=index&a=doget_text_content&table=lang&field=1` | High
54 | ... | ... | ...
22 | File | `/rest/api/2/search` | High
23 | File | `/s/` | Low
24 | File | `/scripts/cpan_config` | High
25 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
26 | File | `/services/system/setup.json` | High
27 | File | `/uncpath/` | Medium
28 | File | `/videotalk` | Medium
29 | File | `/web/MCmsAction.java` | High
30 | File | `/webconsole/APIController` | High
31 | File | `/websocket/exec` | High
32 | File | `/wp-admin/admin-ajax.php` | High
33 | File | `/wp-content/plugins/woocommerce/templates/emails/plain/` | High
34 | File | `/wp-json` | Medium
35 | File | `/wp-json/oembed/1.0/embed?url` | High
36 | File | `/_next` | Low
37 | File | `4.edu.php\conn\function.php` | High
38 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
39 | File | `about.php` | Medium
40 | File | `acl.c` | Low
41 | File | `activity_log.php` | High
42 | File | `adclick.php` | Medium
43 | File | `addentry.php` | Medium
44 | File | `add_vhost.php` | High
45 | File | `admin/admin_admin.php?nav=list_admin_user&admin_p_nav=user` | High
46 | File | `admin/category.inc.php` | High
47 | File | `admin/conf_users_edit.php` | High
48 | File | `admin/default.asp` | High
49 | File | `admin/dl_sendmail.php` | High
50 | File | `admin/getparam.cgi` | High
51 | File | `admin/index.php` | High
52 | File | `admin/index.php?n=ui_set&m=admin&c=index&a=doget_text_content&table=lang&field=1` | High
53 | ... | ... | ...
There are 472 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 460 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
@ -96,7 +96,7 @@ ID | Type | Indicator | Confidence
42 | File | `addmerchpicform.php` | High
43 | ... | ... | ...
There are 371 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 372 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
@ -4,6 +4,12 @@ These _indicators_ were reported, collected, and generated during the [VulDB CTI
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.poshc2](https://vuldb.com/?actor.poshc2)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with PoshC2:
* [US](https://vuldb.com/?country.us)
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of PoshC2.
@ -12,6 +18,27 @@ ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [35.202.253.45](https://vuldb.com/?ip.35.202.253.45) | 45.253.202.35.bc.googleusercontent.com | - | Medium
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _PoshC2_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by PoshC2. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/thruk/#cgi-bin/extinfo.cgi?type=2` | High
2 | File | `cat.asp` | Low
3 | File | `category.cfm` | Medium
4 | ... | ... | ...
There are 5 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
@ -16,7 +16,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [US](https://vuldb.com/?country.us)
* [SC](https://vuldb.com/?country.sc)
* [RU](https://vuldb.com/?country.ru)
* [IL](https://vuldb.com/?country.il)
* ...
There are 2 more country items available. Please use our online service to access the data.
@ -51,7 +51,7 @@ ID | Technique | Weakness | Description | Confidence
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
There are 8 more TTP items available. Please use our online service to access the data.
There are 7 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
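Review bot: row 3 of this hunk pairs T1110.001 with CWE-798 but describes it as "Improper Restriction of Excessive Authentication Attempts", which is the title of CWE-307; CWE-798 is "Use of Hard-coded Credentials". Since T1110.001 is password guessing, CWE-307 is the weakness that matches the description, so either the ID or the description column should be corrected before the count line is adjusted.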
@ -59,40 +59,43 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/admin/goods/update` | High
2 | File | `/agenttrayicon` | High
3 | File | `/blog/blog.php` | High
4 | File | `/cmd?cmd=connect` | High
5 | File | `/etc/puppetlabs/puppetserver/conf.d/ca.conf` | High
6 | File | `/goform/login_process` | High
7 | File | `/include/make.php` | High
8 | File | `/login` | Low
9 | File | `/manager/files` | High
10 | File | `/nova/bin/detnet` | High
11 | File | `/nova/bin/igmp-proxy` | High
12 | File | `/ofcms/company-c-47` | High
13 | File | `/php/ajax.php` | High
14 | File | `/preauth` | Medium
15 | File | `/sql/sql_string.h` | High
16 | File | `/src/njs_vmcode.c` | High
17 | File | `/uncpath/` | Medium
18 | File | `/var/log/demisto/` | High
19 | File | `/webminlog/view.cgi` | High
20 | File | `/_error` | Low
21 | File | `a2billing/customer/iridium_threed.php` | High
22 | File | `actions/beats_uploader.php` | High
23 | File | `actions/vote_channel.php` | High
24 | File | `ActiveServices.java` | High
25 | File | `admin.php` | Medium
26 | File | `admin/moduleinterface.php` | High
27 | File | `admin/profile/save` | High
28 | File | `admin/tools/utf8conversion/index.php` | High
29 | File | `ad_manage.php` | High
30 | File | `asm/preproc.c` | High
31 | File | `Atom.CMS_admin_ajax_list-sort.php` | High
32 | ... | ... | ...
1 | File | `/admin.php?id=siteoptions&social=display&value=0&sid=2` | High
2 | File | `/admin.php?id=siteoptions&social=edit&sid=2` | High
3 | File | `/admin.php?r=admin/AdminBackup/del` | High
4 | File | `/admin/edit.php` | High
5 | File | `/admin/inbox.php&action=delete` | High
6 | File | `/admin/inbox.php&action=read` | High
7 | File | `/admin/index.php?mode=content&page=media&action=edit` | High
8 | File | `/admin/pagerole.php&action=edit` | High
9 | File | `/admin/posts.php` | High
10 | File | `/admin/posts.php&action=delete` | High
11 | File | `/admin/posts.php&action=edit` | High
12 | File | `/admin/siteoptions.php&action=displaygoal&value=1&roleid=1` | High
13 | File | `/admin/siteoptions.php&social=remove&sid=2` | High
14 | File | `/admin/uesrs.php&&action=delete&userid=4` | High
15 | File | `/admin/uesrs.php&action=display&value=Hide` | High
16 | File | `/admin/uesrs.php&action=display&value=Show` | High
17 | File | `/admin/uesrs.php&action=type&userrole=Admin&userid=3` | High
18 | File | `/admin/uesrs.php&action=type&userrole=User` | High
19 | File | `/administrator/alerts/alertLightbox.php` | High
20 | File | `/agenttrayicon` | High
21 | File | `/api/students/me/messages/` | High
22 | File | `/apps/acs-commons/content/page-compare.html` | High
23 | File | `/blog/blog.php` | High
24 | File | `/cdsms/classes/Master.php?f=delete_enrollment` | High
25 | File | `/cdsms/classes/Master.php?f=delete_package` | High
26 | File | `/cmd?cmd=connect` | High
27 | File | `/hocms/classes/Master.php?f=delete_collection` | High
28 | File | `/hocms/classes/Master.php?f=delete_member` | High
29 | File | `/hocms/classes/Master.php?f=delete_phase` | High
30 | File | `/index.php?m=admin&c=custom&a=plugindelhandle` | High
31 | File | `/login` | Low
32 | File | `/manager/files` | High
33 | File | `/module/api.php?mobile/wapNasIPS` | High
34 | File | `/module/api.php?mobile/webNasIPS` | High
35 | ... | ... | ...
There are 269 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 304 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [DE](https://vuldb.com/?country.de)
* ...
There are 19 more country items available. Please use our online service to access the data.
There are 20 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -66,55 +66,55 @@ ID | Type | Indicator | Confidence
6 | File | `/download` | Medium
7 | File | `/etc/gsissh/sshd_config` | High
8 | File | `/etc/passwd` | Medium
9 | File | `/etc/quantum/quantum.conf` | High
10 | File | `/etc/shadow` | Medium
11 | File | `/forum/away.php` | High
12 | File | `/getcfg.php` | Medium
13 | File | `/goform/telnet` | High
14 | File | `/goform/WanParameterSetting` | High
15 | File | `/inc/extensions.php` | High
16 | File | `/include/makecvs.php` | High
17 | File | `/modules/profile/index.php` | High
18 | File | `/modules/tasks/summary.inc.php` | High
19 | File | `/payu/icpcheckout/` | High
20 | File | `/property-list/property_view.php` | High
21 | File | `/public/login.htm` | High
22 | File | `/req_password_user.php` | High
23 | File | `/resourceNode/jdbcResourceEdit.jsf` | High
24 | File | `/resourceNode/resources.jsf` | High
25 | File | `/rest/project-templates/1.0/createshared` | High
26 | File | `/rom-0` | Low
27 | File | `/secure/QueryComponent!Default.jspa` | High
28 | File | `/trx_addons/v2/get/sc_layout` | High
29 | File | `/uncpath/` | Medium
30 | File | `/usr/local/WowzaStreamingEngine/bin/` | High
31 | File | `/usr/syno/etc/mount.conf` | High
32 | File | `/var/log/nginx` | High
33 | File | `/var/WEB-GUI/cgi-bin/telnet.cgi` | High
34 | File | `/WEB-INF/web.xml` | High
35 | File | `/_next` | Low
36 | File | `3.6.cpj` | Low
37 | File | `404.php` | Low
38 | File | `a-b-membres.php` | High
39 | File | `ActionsAndOperations` | High
40 | File | `adclick.php` | Medium
41 | File | `add_2_basket.asp` | High
42 | File | `admin.asp` | Medium
43 | File | `admin.aspx` | Medium
44 | File | `admin.php` | Medium
45 | File | `admin/aboutus.php` | High
46 | File | `admin/member_details.php` | High
47 | File | `admin_chatconfig.php` | High
48 | File | `ajaxp.php` | Medium
49 | File | `ajax_calls.php` | High
50 | File | `alphabet.php` | Medium
51 | File | `article2/comments.inc.php` | High
52 | File | `articles/edit.php` | High
53 | File | `assp.pl` | Low
54 | File | `auth-gss2.c` | Medium
9 | File | `/etc/puppetlabs/puppetserver/conf.d/ca.conf` | High
10 | File | `/etc/quantum/quantum.conf` | High
11 | File | `/etc/shadow` | Medium
12 | File | `/forum/away.php` | High
13 | File | `/getcfg.php` | Medium
14 | File | `/goform/telnet` | High
15 | File | `/goform/WanParameterSetting` | High
16 | File | `/inc/extensions.php` | High
17 | File | `/include/makecvs.php` | High
18 | File | `/modules/profile/index.php` | High
19 | File | `/modules/tasks/summary.inc.php` | High
20 | File | `/monitoring` | Medium
21 | File | `/nova/bin/console` | High
22 | File | `/payu/icpcheckout/` | High
23 | File | `/property-list/property_view.php` | High
24 | File | `/public/login.htm` | High
25 | File | `/req_password_user.php` | High
26 | File | `/resourceNode/jdbcResourceEdit.jsf` | High
27 | File | `/resourceNode/resources.jsf` | High
28 | File | `/rest/project-templates/1.0/createshared` | High
29 | File | `/rom-0` | Low
30 | File | `/secure/QueryComponent!Default.jspa` | High
31 | File | `/trx_addons/v2/get/sc_layout` | High
32 | File | `/uncpath/` | Medium
33 | File | `/usr/local/WowzaStreamingEngine/bin/` | High
34 | File | `/usr/syno/etc/mount.conf` | High
35 | File | `/var/log/nginx` | High
36 | File | `/var/WEB-GUI/cgi-bin/telnet.cgi` | High
37 | File | `/WEB-INF/web.xml` | High
38 | File | `/_next` | Low
39 | File | `3.6.cpj` | Low
40 | File | `404.php` | Low
41 | File | `a-b-membres.php` | High
42 | File | `ActionsAndOperations` | High
43 | File | `adclick.php` | Medium
44 | File | `add_2_basket.asp` | High
45 | File | `admin.asp` | Medium
46 | File | `admin.aspx` | Medium
47 | File | `admin.php` | Medium
48 | File | `admin/aboutus.php` | High
49 | File | `admin/member_details.php` | High
50 | File | `admin_chatconfig.php` | High
51 | File | `ajaxp.php` | Medium
52 | File | `ajax_calls.php` | High
53 | File | `alphabet.php` | Medium
54 | File | `article2/comments.inc.php` | High
55 | ... | ... | ...
There are 478 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 483 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
@ -31,82 +31,88 @@ ID | IP address | Hostname | Campaign | Confidence
8 | [5.13.74.26](https://vuldb.com/?ip.5.13.74.26) | 5-13-74-26.residential.rdsnet.ro | - | High
9 | [5.13.84.186](https://vuldb.com/?ip.5.13.84.186) | 5-13-84-186.residential.rdsnet.ro | - | High
10 | [5.15.81.52](https://vuldb.com/?ip.5.15.81.52) | 5-15-81-52.residential.rdsnet.ro | - | High
11 | [5.193.61.212](https://vuldb.com/?ip.5.193.61.212) | - | - | High
12 | [5.193.178.241](https://vuldb.com/?ip.5.193.178.241) | - | - | High
13 | [8.209.64.96](https://vuldb.com/?ip.8.209.64.96) | - | - | High
14 | [12.5.37.3](https://vuldb.com/?ip.12.5.37.3) | - | - | High
15 | [23.111.114.52](https://vuldb.com/?ip.23.111.114.52) | - | - | High
16 | [24.42.14.241](https://vuldb.com/?ip.24.42.14.241) | - | - | High
17 | [24.43.22.221](https://vuldb.com/?ip.24.43.22.221) | rrcs-24-43-22-221.west.biz.rr.com | - | High
18 | [24.55.112.61](https://vuldb.com/?ip.24.55.112.61) | dynamic.libertypr.net | - | High
19 | [24.90.160.91](https://vuldb.com/?ip.24.90.160.91) | cpe-24-90-160-91.nyc.res.rr.com | - | High
20 | [24.95.61.62](https://vuldb.com/?ip.24.95.61.62) | cpe-24-95-61-62.columbus.res.rr.com | - | High
21 | [24.110.14.40](https://vuldb.com/?ip.24.110.14.40) | - | - | High
22 | [24.110.96.149](https://vuldb.com/?ip.24.110.96.149) | - | - | High
23 | [24.117.107.120](https://vuldb.com/?ip.24.117.107.120) | 24-117-107-120.cpe.sparklight.net | - | High
24 | [24.139.72.117](https://vuldb.com/?ip.24.139.72.117) | - | - | High
25 | [24.139.132.70](https://vuldb.com/?ip.24.139.132.70) | dynamic.libertypr.net | - | High
26 | [24.152.219.253](https://vuldb.com/?ip.24.152.219.253) | 24.152.219.253.res-cmts.sm.ptd.net | - | High
27 | [24.164.79.147](https://vuldb.com/?ip.24.164.79.147) | cpe-24-164-79-147.cinci.res.rr.com | - | High
28 | [24.165.87.61](https://vuldb.com/?ip.24.165.87.61) | cpe-24-165-87-61.san.res.rr.com | - | High
29 | [24.183.39.93](https://vuldb.com/?ip.24.183.39.93) | 024-183-039-093.res.spectrum.com | - | High
30 | [24.202.42.48](https://vuldb.com/?ip.24.202.42.48) | modemcable048.42-202-24.mc.videotron.ca | - | High
31 | [24.226.156.153](https://vuldb.com/?ip.24.226.156.153) | 24-226-156-153.resi.cgocable.ca | - | High
32 | [24.229.150.54](https://vuldb.com/?ip.24.229.150.54) | 24.229.150.54.cmts-static.sm.ptd.net | - | High
33 | [24.234.86.201](https://vuldb.com/?ip.24.234.86.201) | wsip-24-234-86-201.lv.lv.cox.net | - | High
34 | [27.223.92.142](https://vuldb.com/?ip.27.223.92.142) | - | - | High
35 | [35.142.12.163](https://vuldb.com/?ip.35.142.12.163) | 035-142-012-163.dhcp.bhn.net | - | High
36 | [35.208.146.4](https://vuldb.com/?ip.35.208.146.4) | 4.146.208.35.bc.googleusercontent.com | - | Medium
37 | [36.77.151.211](https://vuldb.com/?ip.36.77.151.211) | - | - | High
38 | [37.156.243.67](https://vuldb.com/?ip.37.156.243.67) | - | - | High
39 | [37.182.238.170](https://vuldb.com/?ip.37.182.238.170) | net-37-182-238-170.cust.vodafonedsl.it | - | High
40 | [39.36.61.58](https://vuldb.com/?ip.39.36.61.58) | - | - | High
41 | [41.34.91.90](https://vuldb.com/?ip.41.34.91.90) | host-41.34.91.90.tedata.net | - | High
42 | [41.97.138.74](https://vuldb.com/?ip.41.97.138.74) | - | - | High
43 | [41.225.231.43](https://vuldb.com/?ip.41.225.231.43) | - | - | High
|
||||
44 | [41.228.206.99](https://vuldb.com/?ip.41.228.206.99) | - | - | High
|
||||
45 | [45.32.211.207](https://vuldb.com/?ip.45.32.211.207) | 45.32.211.207.vultr.com | - | Medium
|
||||
46 | [45.45.51.182](https://vuldb.com/?ip.45.45.51.182) | modemcable182.51-45-45.mc.videotron.ca | - | High
|
||||
47 | [45.46.53.140](https://vuldb.com/?ip.45.46.53.140) | cpe-45-46-53-140.maine.res.rr.com | - | High
|
||||
48 | [45.63.107.192](https://vuldb.com/?ip.45.63.107.192) | 45.63.107.192.vultr.com | - | Medium
|
||||
49 | [45.67.231.247](https://vuldb.com/?ip.45.67.231.247) | vm272927.pq.hosting | - | High
|
||||
50 | [45.77.115.208](https://vuldb.com/?ip.45.77.115.208) | 45.77.115.208.vultr.com | - | Medium
|
||||
51 | [45.77.117.108](https://vuldb.com/?ip.45.77.117.108) | 45.77.117.108.vultr.com | - | Medium
|
||||
52 | [45.77.215.141](https://vuldb.com/?ip.45.77.215.141) | 45.77.215.141.vultr.com | - | Medium
|
||||
53 | [45.230.228.26](https://vuldb.com/?ip.45.230.228.26) | - | - | High
|
||||
54 | [46.214.62.199](https://vuldb.com/?ip.46.214.62.199) | 46-214-62-199.next-gen.ro | - | High
|
||||
55 | [46.228.199.235](https://vuldb.com/?ip.46.228.199.235) | vps2231940.fastwebserver.de | - | High
|
||||
56 | [47.22.148.6](https://vuldb.com/?ip.47.22.148.6) | ool-2f169406.static.optonline.net | - | High
|
||||
57 | [47.24.47.218](https://vuldb.com/?ip.47.24.47.218) | 047-024-047-218.res.spectrum.com | - | High
|
||||
58 | [47.28.135.155](https://vuldb.com/?ip.47.28.135.155) | 047-028-135-155.res.spectrum.com | - | High
|
||||
59 | [47.44.217.98](https://vuldb.com/?ip.47.44.217.98) | 047-044-217-098.biz.spectrum.com | - | High
|
||||
60 | [47.138.200.85](https://vuldb.com/?ip.47.138.200.85) | - | - | High
|
||||
61 | [47.153.115.154](https://vuldb.com/?ip.47.153.115.154) | - | - | High
|
||||
62 | [47.180.66.10](https://vuldb.com/?ip.47.180.66.10) | static-47-180-66-10.lsan.ca.frontiernet.net | - | High
|
||||
63 | [47.196.192.184](https://vuldb.com/?ip.47.196.192.184) | - | - | High
|
||||
64 | [49.144.81.46](https://vuldb.com/?ip.49.144.81.46) | dsl.49.144.81.46.pldt.net | - | High
|
||||
65 | [49.191.4.245](https://vuldb.com/?ip.49.191.4.245) | n49-191-4-245.mrk1.qld.optusnet.com.au | - | High
|
||||
66 | [49.207.105.25](https://vuldb.com/?ip.49.207.105.25) | broadband.actcorp.in | - | High
|
||||
67 | [50.29.166.232](https://vuldb.com/?ip.50.29.166.232) | 50.29.166.232.res-cmts.sth3.ptd.net | - | High
|
||||
68 | [50.91.114.38](https://vuldb.com/?ip.50.91.114.38) | 050-091-114-038.res.spectrum.com | - | High
|
||||
69 | [50.104.68.223](https://vuldb.com/?ip.50.104.68.223) | 50-104-68-223.prtg.in.frontiernet.net | - | High
|
||||
70 | [50.244.112.106](https://vuldb.com/?ip.50.244.112.106) | 50-244-112-106-static.hfc.comcastbusiness.net | - | High
|
||||
71 | [51.210.14.58](https://vuldb.com/?ip.51.210.14.58) | vps-e6e2a926.vps.ovh.net | - | High
|
||||
72 | [54.36.108.120](https://vuldb.com/?ip.54.36.108.120) | ns3112762.ip-54-36-108.eu | - | High
|
||||
73 | [58.233.220.182](https://vuldb.com/?ip.58.233.220.182) | - | - | High
|
||||
74 | [59.90.246.200](https://vuldb.com/?ip.59.90.246.200) | static.bb.chn.59.90.246.200.bsnl.in | - | High
|
||||
75 | [59.124.10.133](https://vuldb.com/?ip.59.124.10.133) | 59-124-10-133.hinet-ip.hinet.net | - | High
|
||||
76 | [62.38.114.12](https://vuldb.com/?ip.62.38.114.12) | ppp062038114012.dsl.hol.gr | - | High
|
||||
77 | [62.121.123.57](https://vuldb.com/?ip.62.121.123.57) | - | - | High
|
||||
78 | [64.19.74.29](https://vuldb.com/?ip.64.19.74.29) | primhall.com | - | High
|
||||
79 | [64.29.151.102](https://vuldb.com/?ip.64.29.151.102) | mail.myfairpoint.net | - | High
|
||||
80 | [64.121.114.87](https://vuldb.com/?ip.64.121.114.87) | 64-121-114-87.s597.c3-0.smt-ubr1.atw-smt.pa.cable.rcncustomer.com | - | High
|
||||
81 | [65.100.174.]105](https://vuldb.com/?ip.65.100.174.]105) | - | - | High
|
||||
82 | [65.100.174.]106](https://vuldb.com/?ip.65.100.174.]106) | - | - | High
|
||||
83 | [65.100.174.]107](https://vuldb.com/?ip.65.100.174.]107) | - | - | High
|
||||
84 | ... | ... | ... | ...
|
||||
11 | [5.136.131.34](https://vuldb.com/?ip.5.136.131.34) | - | - | High
|
||||
12 | [5.193.61.212](https://vuldb.com/?ip.5.193.61.212) | - | - | High
|
||||
13 | [5.193.178.241](https://vuldb.com/?ip.5.193.178.241) | - | - | High
|
||||
14 | [8.209.64.96](https://vuldb.com/?ip.8.209.64.96) | - | - | High
|
||||
15 | [12.5.37.3](https://vuldb.com/?ip.12.5.37.3) | - | - | High
|
||||
16 | [12.167.151.79](https://vuldb.com/?ip.12.167.151.79) | - | - | High
|
||||
17 | [12.167.151.87](https://vuldb.com/?ip.12.167.151.87) | - | - | High
|
||||
18 | [23.111.114.52](https://vuldb.com/?ip.23.111.114.52) | - | - | High
|
||||
19 | [24.42.14.241](https://vuldb.com/?ip.24.42.14.241) | - | - | High
|
||||
20 | [24.43.22.221](https://vuldb.com/?ip.24.43.22.221) | rrcs-24-43-22-221.west.biz.rr.com | - | High
|
||||
21 | [24.55.112.61](https://vuldb.com/?ip.24.55.112.61) | dynamic.libertypr.net | - | High
|
||||
22 | [24.90.160.91](https://vuldb.com/?ip.24.90.160.91) | cpe-24-90-160-91.nyc.res.rr.com | - | High
|
||||
23 | [24.95.61.62](https://vuldb.com/?ip.24.95.61.62) | cpe-24-95-61-62.columbus.res.rr.com | - | High
|
||||
24 | [24.110.14.40](https://vuldb.com/?ip.24.110.14.40) | - | - | High
|
||||
25 | [24.110.96.149](https://vuldb.com/?ip.24.110.96.149) | - | - | High
|
||||
26 | [24.117.107.120](https://vuldb.com/?ip.24.117.107.120) | 24-117-107-120.cpe.sparklight.net | - | High
|
||||
27 | [24.139.72.117](https://vuldb.com/?ip.24.139.72.117) | - | - | High
|
||||
28 | [24.139.132.70](https://vuldb.com/?ip.24.139.132.70) | dynamic.libertypr.net | - | High
|
||||
29 | [24.152.219.253](https://vuldb.com/?ip.24.152.219.253) | 24.152.219.253.res-cmts.sm.ptd.net | - | High
|
||||
30 | [24.164.79.147](https://vuldb.com/?ip.24.164.79.147) | cpe-24-164-79-147.cinci.res.rr.com | - | High
|
||||
31 | [24.165.87.61](https://vuldb.com/?ip.24.165.87.61) | cpe-24-165-87-61.san.res.rr.com | - | High
|
||||
32 | [24.183.39.93](https://vuldb.com/?ip.24.183.39.93) | 024-183-039-093.res.spectrum.com | - | High
|
||||
33 | [24.202.42.48](https://vuldb.com/?ip.24.202.42.48) | modemcable048.42-202-24.mc.videotron.ca | - | High
|
||||
34 | [24.226.156.153](https://vuldb.com/?ip.24.226.156.153) | 24-226-156-153.resi.cgocable.ca | - | High
|
||||
35 | [24.229.150.54](https://vuldb.com/?ip.24.229.150.54) | 24.229.150.54.cmts-static.sm.ptd.net | - | High
|
||||
36 | [24.234.86.201](https://vuldb.com/?ip.24.234.86.201) | wsip-24-234-86-201.lv.lv.cox.net | - | High
|
||||
37 | [27.223.92.142](https://vuldb.com/?ip.27.223.92.142) | - | - | High
|
||||
38 | [35.142.12.163](https://vuldb.com/?ip.35.142.12.163) | 035-142-012-163.dhcp.bhn.net | - | High
|
||||
39 | [35.208.146.4](https://vuldb.com/?ip.35.208.146.4) | 4.146.208.35.bc.googleusercontent.com | - | Medium
|
||||
40 | [36.77.151.211](https://vuldb.com/?ip.36.77.151.211) | - | - | High
|
||||
41 | [37.156.243.67](https://vuldb.com/?ip.37.156.243.67) | - | - | High
|
||||
42 | [37.182.238.170](https://vuldb.com/?ip.37.182.238.170) | net-37-182-238-170.cust.vodafonedsl.it | - | High
|
||||
43 | [39.36.61.58](https://vuldb.com/?ip.39.36.61.58) | - | - | High
|
||||
44 | [41.34.91.90](https://vuldb.com/?ip.41.34.91.90) | host-41.34.91.90.tedata.net | - | High
|
||||
45 | [41.97.138.74](https://vuldb.com/?ip.41.97.138.74) | - | - | High
|
||||
46 | [41.225.231.43](https://vuldb.com/?ip.41.225.231.43) | - | - | High
|
||||
47 | [41.228.22.180](https://vuldb.com/?ip.41.228.22.180) | - | - | High
|
||||
48 | [41.228.206.99](https://vuldb.com/?ip.41.228.206.99) | - | - | High
|
||||
49 | [45.32.211.207](https://vuldb.com/?ip.45.32.211.207) | 45.32.211.207.vultr.com | - | Medium
|
||||
50 | [45.45.51.182](https://vuldb.com/?ip.45.45.51.182) | modemcable182.51-45-45.mc.videotron.ca | - | High
|
||||
51 | [45.46.53.140](https://vuldb.com/?ip.45.46.53.140) | cpe-45-46-53-140.maine.res.rr.com | - | High
|
||||
52 | [45.63.107.192](https://vuldb.com/?ip.45.63.107.192) | 45.63.107.192.vultr.com | - | Medium
|
||||
53 | [45.67.231.247](https://vuldb.com/?ip.45.67.231.247) | vm272927.pq.hosting | - | High
|
||||
54 | [45.77.115.208](https://vuldb.com/?ip.45.77.115.208) | 45.77.115.208.vultr.com | - | Medium
|
||||
55 | [45.77.117.108](https://vuldb.com/?ip.45.77.117.108) | 45.77.117.108.vultr.com | - | Medium
|
||||
56 | [45.77.215.141](https://vuldb.com/?ip.45.77.215.141) | 45.77.215.141.vultr.com | - | Medium
|
||||
57 | [45.230.228.26](https://vuldb.com/?ip.45.230.228.26) | - | - | High
|
||||
58 | [46.214.62.199](https://vuldb.com/?ip.46.214.62.199) | 46-214-62-199.next-gen.ro | - | High
|
||||
59 | [46.228.199.235](https://vuldb.com/?ip.46.228.199.235) | vps2231940.fastwebserver.de | - | High
|
||||
60 | [47.22.148.6](https://vuldb.com/?ip.47.22.148.6) | ool-2f169406.static.optonline.net | - | High
|
||||
61 | [47.24.47.218](https://vuldb.com/?ip.47.24.47.218) | 047-024-047-218.res.spectrum.com | - | High
|
||||
62 | [47.28.135.155](https://vuldb.com/?ip.47.28.135.155) | 047-028-135-155.res.spectrum.com | - | High
|
||||
63 | [47.44.217.98](https://vuldb.com/?ip.47.44.217.98) | 047-044-217-098.biz.spectrum.com | - | High
|
||||
64 | [47.138.200.85](https://vuldb.com/?ip.47.138.200.85) | - | - | High
|
||||
65 | [47.153.115.154](https://vuldb.com/?ip.47.153.115.154) | - | - | High
|
||||
66 | [47.180.66.10](https://vuldb.com/?ip.47.180.66.10) | static-47-180-66-10.lsan.ca.frontiernet.net | - | High
|
||||
67 | [47.196.192.184](https://vuldb.com/?ip.47.196.192.184) | - | - | High
|
||||
68 | [49.144.81.46](https://vuldb.com/?ip.49.144.81.46) | dsl.49.144.81.46.pldt.net | - | High
|
||||
69 | [49.191.4.245](https://vuldb.com/?ip.49.191.4.245) | n49-191-4-245.mrk1.qld.optusnet.com.au | - | High
|
||||
70 | [49.207.105.25](https://vuldb.com/?ip.49.207.105.25) | broadband.actcorp.in | - | High
|
||||
71 | [50.29.166.232](https://vuldb.com/?ip.50.29.166.232) | 50.29.166.232.res-cmts.sth3.ptd.net | - | High
|
||||
72 | [50.87.150.203](https://vuldb.com/?ip.50.87.150.203) | mail.euroanatolia.eu | - | High
|
||||
73 | [50.91.114.38](https://vuldb.com/?ip.50.91.114.38) | 050-091-114-038.res.spectrum.com | - | High
|
||||
74 | [50.104.68.223](https://vuldb.com/?ip.50.104.68.223) | 50-104-68-223.prtg.in.frontiernet.net | - | High
|
||||
75 | [50.244.112.106](https://vuldb.com/?ip.50.244.112.106) | 50-244-112-106-static.hfc.comcastbusiness.net | - | High
|
||||
76 | [51.210.14.58](https://vuldb.com/?ip.51.210.14.58) | vps-e6e2a926.vps.ovh.net | - | High
|
||||
77 | [52.45.143.178](https://vuldb.com/?ip.52.45.143.178) | ec2-52-45-143-178.compute-1.amazonaws.com | - | Medium
|
||||
78 | [52.201.200.28](https://vuldb.com/?ip.52.201.200.28) | ec2-52-201-200-28.compute-1.amazonaws.com | - | Medium
|
||||
79 | [54.36.108.120](https://vuldb.com/?ip.54.36.108.120) | ns3112762.ip-54-36-108.eu | - | High
|
||||
80 | [58.233.220.182](https://vuldb.com/?ip.58.233.220.182) | - | - | High
|
||||
81 | [59.90.246.200](https://vuldb.com/?ip.59.90.246.200) | static.bb.chn.59.90.246.200.bsnl.in | - | High
|
||||
82 | [59.124.10.133](https://vuldb.com/?ip.59.124.10.133) | 59-124-10-133.hinet-ip.hinet.net | - | High
|
||||
83 | [62.38.114.12](https://vuldb.com/?ip.62.38.114.12) | ppp062038114012.dsl.hol.gr | - | High
|
||||
84 | [62.121.123.57](https://vuldb.com/?ip.62.121.123.57) | - | - | High
|
||||
85 | [64.19.74.29](https://vuldb.com/?ip.64.19.74.29) | primhall.com | - | High
|
||||
86 | [64.29.151.102](https://vuldb.com/?ip.64.29.151.102) | mail.myfairpoint.net | - | High
|
||||
87 | [64.121.114.87](https://vuldb.com/?ip.64.121.114.87) | 64-121-114-87.s597.c3-0.smt-ubr1.atw-smt.pa.cable.rcncustomer.com | - | High
|
||||
88 | [65.100.174.]105](https://vuldb.com/?ip.65.100.174.]105) | - | - | High
|
||||
89 | [65.100.174.]106](https://vuldb.com/?ip.65.100.174.]106) | - | - | High
|
||||
90 | ... | ... | ... | ...
|
||||
|
||||
There are 334 more IOC items available. Please use our online service to access the data.
|
||||
There are 358 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
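Review bot: several IP values in this IOC table carry a stray `]` inside the address, for example `65.100.174.]105`, so the value is not a valid address and the same character is carried into the vuldb.com link target; the bracket should be stripped from the source record so the rows render as plain addresses and the links resolve.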
@ -127,42 +133,43 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------

There are 248 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

There are 240 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://blog.talosintelligence.com/2019/07/threat-roundup-0719-0726.html
* https://blog.talosintelligence.com/2019/08/threat-roundup-0823-0830.html
* https://github.com/firehol/blocklist-ipsets/blob/master/bambenek_qakbot.ipset
* https://isc.sans.edu/forums/diary/Emotet+Qakbot+more+Emotet/26750/
* https://isc.sans.edu/forums/diary/June+2021+Forensic+Contest+Answers+and+Analysis/27582/

@ -172,6 +179,8 @@ The following list contains _external sources_ which discuss the actor and the a
* https://isc.sans.edu/forums/diary/Recent+Qakbot+Qbot+activity/26862/
* https://pastebin.com/u/MalwareQuinn
* https://research.checkpoint.com/2020/exploring-qbots-latest-attack-methods/
* https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
* https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
* https://tria.ge/210511-kvcz7vyfkx
* https://twitter.com/Malwar3Ninja/status/1483514897266737154

@ -0,0 +1,74 @@
# Quantum - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Quantum](https://vuldb.com/?actor.quantum). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.quantum](https://vuldb.com/?actor.quantum)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Quantum:

* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [DE](https://vuldb.com/?country.de)
* ...

There are 1 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Quantum.

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [138.68.42.130](https://vuldb.com/?ip.138.68.42.130) | prod-sfo2-1.qencode-master-cf283c7cc10911ecb9daa269211215a9 | - | High
2 | [157.245.142.66](https://vuldb.com/?ip.157.245.142.66) | - | - | High
3 | [185.203.118.227](https://vuldb.com/?ip.185.203.118.227) | - | - | High
4 | ... | ... | ... | ...

There are 1 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Quantum_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1222 | CWE-275 | Permission Issues | High
4 | ... | ... | ... | ...

There are 2 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Quantum. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/etc/shadow` | Medium
2 | File | `/goform/net\_Web\_get_value` | High
3 | File | `/goform/net_WebCSRGen` | High
4 | File | `/goform/WebRSAKEYGen` | High
5 | File | `/uncpath/` | Medium
6 | ... | ... | ...

There are 39 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://thedfirreport.com/2022/04/25/quantum-ransomware/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
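Review bot: row 2 of the IOA table, `/goform/net\_Web\_get_value`, keeps literal backslashes in the indicator; markdown does not honour escapes inside a code span, so this renders differently from the unescaped form used on the next row (`/goform/net_WebCSRGen`). If the value meant is `/goform/net_Web_get_value`, the backslashes should be dropped in the source record. The hostname on IOC row 1 (`prod-sfo2-1.qencode-master-cf283c7cc10911ecb9daa269211215a9`) also looks cut off, since it carries no domain suffix, and is worth checking against the source.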
@ -36,9 +36,10 @@ ID | IP address | Hostname | Campaign | Confidence
7 | [45.33.23.183](https://vuldb.com/?ip.45.33.23.183) | li977-183.members.linode.com | - | High
8 | [45.33.30.197](https://vuldb.com/?ip.45.33.30.197) | li1047-197.members.linode.com | - | High
9 | [45.55.211.79](https://vuldb.com/?ip.45.55.211.79) | - | CVE-2019-2725 | High
10 | ... | ... | ... | ...
10 | [45.56.79.23](https://vuldb.com/?ip.45.56.79.23) | li929-23.members.linode.com | - | High
11 | ... | ... | ... | ...

There are 36 more IOC items available. Please use our online service to access the data.

There are 39 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

@ -60,25 +61,26 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------

There are 147 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

There are 158 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -87,6 +89,7 @@ The following list contains _external sources_ which discuss the actor and the a
* https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html
* https://blogs.blackberry.com/en/2021/11/revil-under-the-microscope
* https://ddanchev.blogspot.com/2022/01/exposing-internet-connected_24.html
* https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
* https://www.darktrace.com/en/blog/darktraces-cyber-ai-analyst-investigates-sodinokibi-r-evil-ransomware/
* https://www.varonis.com/blog/revil-msp-supply-chain-attack/

@ -4,6 +4,12 @@ These _indicators_ were reported, collected, and generated during the [VulDB CTI
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.redecho](https://vuldb.com/?actor.redecho)

## Campaigns

The following _campaigns_ are known and can be associated with RedEcho:

* India Power Grid

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with RedEcho:

@ -21,13 +27,18 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------

There are 17 more IOC items available. Please use our online service to access the data.

There are 34 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

@ -71,25 +82,26 @@ ID | Type | Indicator | Confidence
There are 304 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

There are 301 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://go.recordedfuture.com/hubfs/reports/ta-2022-0406.pdf
* https://vxug.fakedoma.in/archive/APTs/2021/2021.02.28/RedEcho%20APT.pdf

## Literature

@ -71,9 +71,10 @@ ID | IP address | Hostname | Campaign | Confidence
42 | [37.1.206.16](https://vuldb.com/?ip.37.1.206.16) | free.ispiria.net | - | High
43 | [37.19.193.217](https://vuldb.com/?ip.37.19.193.217) | unn-37-19-193-217.cdn77.com | - | High
44 | [37.120.138.222](https://vuldb.com/?ip.37.120.138.222) | - | - | High
45 | ... | ... | ... | ...
45 | [37.123.118.150](https://vuldb.com/?ip.37.123.118.150) | - | - | High
46 | ... | ... | ... | ...

There are 178 more IOC items available. Please use our online service to access the data.

There are 179 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

@ -105,29 +106,29 @@ ID | Type | Indicator | Confidence
There are 274 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

There are 268 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -160,6 +161,7 @@ The following list contains _external sources_ which discuss the actor and the a

* https://blog.talosintelligence.com/2022/03/ukraine-invasion-scams-malware.html
* https://blog.talosintelligence.com/2022/04/threat-roundup-0401-0408.html
* https://isc.sans.edu/forums/diary/Malspam+using+passwordprotected+Word+docs+to+push+Remcos+RAT/25292/
* https://twitter.com/Paladin3161/status/1197842954037018625

## Literature

@ -33,11 +33,8 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1555 | CWE-312 | Cleartext Storage of Sensitive Information | High
4 | ... | ... | ... | ...

There are 1 more TTP items available. Please use our online service to access the data.
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1600 | CWE-311 | Cryptographic Issues | High

## IOA - Indicator of Attack

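Review bot: replacing row 3 (T1555 / CWE-312 becomes T1600 / CWE-311) also drops the `4 | ... | ... | ... | ...` row and the sentence "There are 1 more TTP items available" without a replacement, so the rendered table now ends at three rows with no pointer to further data; the other hunks in this commit update their "more items" footers rather than delete them, so confirm the footer removal is intentional. Row 2 silently loses CWE-266 while keeping CWE-264 and CWE-284; a line in the commit message explaining the re-mapping would save the next reader from having to diff the weakness lists by hand.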
@ -50,13 +47,13 @@ ID | Type | Indicator | Confidence

3 | File | `/admin.php` | Medium
4 | File | `/admin/doctors/view_doctor.php` | High
5 | File | `/admin/modules/bibliography/index.php` | High
6 | File | `/app/controller/Books.php` | High
7 | File | `/aqpg/users/login.php` | High
8 | File | `/controller/Index.php` | High
9 | File | `/coreframe/app/content/admin/content.php` | High
10 | File | `/dl/dl_print.php` | High
11 | File | `/dus_en/medieninfo_detail/index.php` | High
12 | File | `/etc/passwd` | Medium
6 | File | `/adminlogin.asp` | High
7 | File | `/app/controller/Books.php` | High
8 | File | `/aqpg/users/login.php` | High
9 | File | `/controller/Index.php` | High
10 | File | `/coreframe/app/content/admin/content.php` | High
11 | File | `/dl/dl_print.php` | High
12 | File | `/dus_en/medieninfo_detail/index.php` | High
13 | File | `/Hospital-Management-System-master/contact.php` | High
14 | File | `/include/friends.inc.php` | High
15 | File | `/master/article.php` | High

@ -66,78 +63,79 @@ ID | Type | Indicator | Confidence

19 | File | `/sitemagic/upgrade.php` | High
20 | File | `/userman/inbox.php` | High
21 | File | `/userui/ticket_list.php` | High
22 | File | `/zm/index.php` | High
23 | File | `adaptive-images-script.php` | High
24 | File | `additem.asp` | Medium
25 | File | `addtocart.asp` | High
26 | File | `adherents/subscription/info.php` | High
27 | File | `admin.asp` | Medium
28 | File | `admin.php` | Medium
29 | File | `admin/admin.php` | High
30 | File | `admin/general.php` | High
31 | File | `admin/header.php` | High
32 | File | `admin/inc/change_action.php` | High
33 | File | `admin/index.php` | High
34 | File | `admin/index.php?id=users/action=edit/user_id=1` | High
35 | File | `admin/info.php` | High
36 | File | `admin/login.asp` | High
37 | File | `admin/manage-comments.php` | High
38 | File | `admin/manage-news.php` | High
39 | File | `admin/plugin-settings.php` | High
40 | File | `admin/specials.php` | High
41 | File | `admin:de` | Medium
42 | File | `admincp/auth/checklogin.php` | High
43 | File | `admincp/auth/secure.php` | High
44 | File | `administrator/index.php` | High
45 | File | `admin_login.asp` | High
46 | File | `adv_search.asp` | High
47 | File | `ajax.php` | Medium
48 | File | `ajax_url.php` | Medium
49 | File | `album_portal.php` | High
50 | File | `al_initialize.php` | High
51 | File | `anjel.index.php` | High
52 | File | `annonces-p-f.php` | High
53 | File | `announce.php` | Medium
54 | File | `announcement.php` | High
55 | File | `announcements.php` | High
56 | File | `app/admin/routing/edit-bgp-mapping-search.php` | High
57 | File | `apply.cgi` | Medium
58 | File | `apps/app_article/controller/rating.php` | High
59 | File | `article.php` | Medium
60 | File | `articles.php` | Medium
61 | File | `artikel_anzeige.php` | High
62 | File | `auktion.cgi` | Medium
63 | File | `auth.php` | Medium
64 | File | `basket.php` | Medium
65 | File | `boardData103.php/boardDataJP.php/boardDataNA.php/boardDataWW.php` | High
66 | File | `books.php` | Medium
67 | File | `browse-category.php` | High
68 | File | `browse.php` | Medium
69 | File | `browse_videos.php` | High
70 | File | `BrudaNews/BrudaGB` | High
71 | File | `bwlist_inc.html` | High
72 | File | `calendar.php` | Medium
73 | File | `cart.php` | Medium
74 | File | `cart_add.php` | Medium
75 | File | `case.filemanager.php` | High
76 | File | `catalog.php` | Medium
77 | File | `catalogshop.php` | High
78 | File | `catalogue.asp` | High
79 | File | `category.cfm` | Medium
80 | File | `category.php` | Medium
81 | File | `category_list.php` | High
82 | File | `cgi-bin/awstats.pl` | High
83 | File | `channel.asp` | Medium
84 | File | `ChooseCpSearch.php` | High
85 | File | `comentarii.php` | High
86 | File | `comments.php` | Medium
87 | File | `compose.php` | Medium
88 | File | `config.inc.php` | High
89 | File | `config.php` | Medium
90 | File | `contact.php` | Medium
91 | ... | ... | ...
22 | File | `/wp-admin/options-general.php` | High
23 | File | `/zm/index.php` | High
24 | File | `adaptive-images-script.php` | High
25 | File | `additem.asp` | Medium
26 | File | `addtocart.asp` | High
27 | File | `adherents/subscription/info.php` | High
28 | File | `admin.asp` | Medium
29 | File | `admin.php` | Medium
30 | File | `admin/admin.php` | High
31 | File | `admin/general.php` | High
32 | File | `admin/header.php` | High
33 | File | `admin/inc/change_action.php` | High
34 | File | `admin/index.php` | High
35 | File | `admin/index.php?id=users/action=edit/user_id=1` | High
36 | File | `admin/info.php` | High
37 | File | `admin/login.asp` | High
38 | File | `admin/manage-comments.php` | High
39 | File | `admin/manage-news.php` | High
40 | File | `admin/plugin-settings.php` | High
41 | File | `admin/specials.php` | High
42 | File | `admin:de` | Medium
43 | File | `admincp/auth/checklogin.php` | High
44 | File | `admincp/auth/secure.php` | High
45 | File | `administrator/index.php` | High
46 | File | `admin_login.asp` | High
47 | File | `adv_search.asp` | High
48 | File | `ajax.php` | Medium
49 | File | `ajax_url.php` | Medium
50 | File | `album_portal.php` | High
51 | File | `al_initialize.php` | High
52 | File | `anjel.index.php` | High
53 | File | `annonces-p-f.php` | High
54 | File | `announce.php` | Medium
55 | File | `announcement.php` | High
56 | File | `announcements.php` | High
57 | File | `app/admin/routing/edit-bgp-mapping-search.php` | High
58 | File | `apply.cgi` | Medium
59 | File | `apps/app_article/controller/rating.php` | High
60 | File | `article.php` | Medium
61 | File | `articles.php` | Medium
62 | File | `artikel_anzeige.php` | High
63 | File | `auktion.cgi` | Medium
64 | File | `auth.php` | Medium
65 | File | `basket.php` | Medium
66 | File | `boardData103.php/boardDataJP.php/boardDataNA.php/boardDataWW.php` | High
67 | File | `books.php` | Medium
68 | File | `browse-category.php` | High
69 | File | `browse.php` | Medium
70 | File | `browse_videos.php` | High
71 | File | `BrudaNews/BrudaGB` | High
72 | File | `bwlist_inc.html` | High
73 | File | `calendar.php` | Medium
74 | File | `cart.php` | Medium
75 | File | `cart_add.php` | Medium
76 | File | `case.filemanager.php` | High
77 | File | `catalog.php` | Medium
78 | File | `catalogshop.php` | High
79 | File | `catalogue.asp` | High
80 | File | `category.cfm` | Medium
81 | File | `category.php` | Medium
82 | File | `category_list.php` | High
83 | File | `cgi-bin/awstats.pl` | High
84 | File | `channel.asp` | Medium
85 | File | `ChooseCpSearch.php` | High
86 | File | `comentarii.php` | High
87 | File | `comments.php` | Medium
88 | File | `compose.php` | Medium
89 | File | `config.inc.php` | High
90 | File | `config.php` | Medium
91 | File | `contact.php` | Medium
92 | ... | ... | ...

There are 807 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 813 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -95,7 +95,7 @@ ID | Type | Indicator | Confidence

35 | File | `actions/CompanyDetailsSave.php` | High
36 | ... | ... | ...

There are 310 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 309 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -0,0 +1,87 @@

# Shuckworm - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Shuckworm](https://vuldb.com/?actor.shuckworm). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.shuckworm](https://vuldb.com/?actor.shuckworm)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Shuckworm:

* [US](https://vuldb.com/?country.us)
* [RU](https://vuldb.com/?country.ru)
* [CN](https://vuldb.com/?country.cn)
* ...

There are 4 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Shuckworm.

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [5.63.157.11](https://vuldb.com/?ip.5.63.157.11) | 5-63-157-11.cloudvps.regruhosting.ru | - | High
2 | [5.252.178.115](https://vuldb.com/?ip.5.252.178.115) | 5-252-178-115.mivocloud.com | - | High
3 | [5.252.178.120](https://vuldb.com/?ip.5.252.178.120) | no-rdns.mivocloud.com | - | High
4 | [5.252.178.145](https://vuldb.com/?ip.5.252.178.145) | 5-252-178-145.mivocloud.com | - | High
5 | [31.31.203.61](https://vuldb.com/?ip.31.31.203.61) | 31-31-203-61.cloudvps.regruhosting.ru | - | High
6 | [37.140.197.165](https://vuldb.com/?ip.37.140.197.165) | 37-140-197-165.cloudvps.regruhosting.ru | - | High
7 | [37.140.197.251](https://vuldb.com/?ip.37.140.197.251) | 37-140-197-251.cloudvps.regruhosting.ru | - | High
8 | [45.76.169.62](https://vuldb.com/?ip.45.76.169.62) | 45.76.169.62.vultrusercontent.com | - | High
9 | [70.34.217.0](https://vuldb.com/?ip.70.34.217.0) | 70.34.217.0.vultrusercontent.com | - | High
10 | [80.78.241.15](https://vuldb.com/?ip.80.78.241.15) | 80-78-241-15.cloudvps.regruhosting.ru | - | High
11 | [80.78.245.226](https://vuldb.com/?ip.80.78.245.226) | srv3.netpatch.ru | - | High
12 | [80.78.253.31](https://vuldb.com/?ip.80.78.253.31) | 80-78-253-31.cloudvps.regruhosting.ru | - | High
13 | ... | ... | ... | ...

There are 47 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Shuckworm_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1495 | CWE-494 | Download of Code Without Integrity Check | High
4 | ... | ... | ... | ...

There are 1 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Shuckworm. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/error` | Low
2 | File | `/forum/away.php` | High
3 | File | `/gena.cgi` | Medium
4 | File | `/login` | Low
5 | File | `/php/ajax.php` | High
6 | File | `/rapi/read_url` | High
7 | File | `/sec/content/sec_asa_users_local_db_add.html` | High
8 | File | `/see_more_details.php` | High
9 | File | `/wp-admin/admin-post.php?es_skip=1&option_name` | High
10 | ... | ... | ...

There are 72 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://github.com/Symantec/threathunters/blob/main/Shuckworm/network

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

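Review bot: in the new Shuckworm IOC table, row 3 lists `no-rdns.mivocloud.com` as the hostname for 5.252.178.120, which reads as the provider's placeholder for a missing reverse-DNS record rather than a hostname tied to the actor; every other address in this commit without a usable reverse record is given as `-`, so this cell should follow that convention, otherwise a consumer matching on the Hostname column will key on a generic provider string that is shared by unrelated addresses in the same range.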
@ -77,7 +77,7 @@ ID | Type | Indicator | Confidence

28 | File | `auth-options.c` | High
29 | ... | ... | ...

There are 248 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 249 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -0,0 +1,86 @@

# SocGholish - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [SocGholish](https://vuldb.com/?actor.socgholish). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.socgholish](https://vuldb.com/?actor.socgholish)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with SocGholish:

* [US](https://vuldb.com/?country.us)
* [RU](https://vuldb.com/?country.ru)
* [ES](https://vuldb.com/?country.es)
* ...

There are 5 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of SocGholish.

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [5.53.125.173](https://vuldb.com/?ip.5.53.125.173) | authoremail.net | - | High
2 | [77.223.98.12](https://vuldb.com/?ip.77.223.98.12) | cloud12915.coteseuplano1.com.br | - | High
3 | [87.249.50.201](https://vuldb.com/?ip.87.249.50.201) | 832423-cv17319.tmweb.ru | - | High
4 | ... | ... | ... | ...

There are 3 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _SocGholish_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1211 | CWE-254 | 7PK Security Features | High
4 | ... | ... | ... | ...

There are 7 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by SocGholish. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/addsrv` | Low
2 | File | `/Admin/Views/FileEditor/` | High
3 | File | `/adminlogin.asp` | High
4 | File | `/article/add` | Medium
5 | File | `/controller/pay.class.php` | High
6 | File | `/dev/kmem` | Medium
7 | File | `/dev/snd/seq` | Medium
8 | File | `/device/device=140/tab=wifi/view` | High
9 | File | `/jerry-core/ecma/base/ecma-gc.c` | High
10 | File | `/product_list.php` | High
11 | File | `/rukovoditel_2.4.1/index.php?module=configuration/save&redirect_to=configuration/application` | High
12 | File | `/src/core/controllers/cm.php` | High
13 | File | `/transmission/web/` | High
14 | File | `/uncpath/` | Medium
15 | File | `/usr/local` | Medium
16 | File | `/weibo/publishdata` | High
17 | File | `adm.cgi` | Low
18 | ... | ... | ...

There are 148 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://www.cybereason.com/blog/threat-analysis-report-socgholish-and-zloader-from-fake-updates-and-installers-to-owning-your-systems

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

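Review bot: IOA rows 6, 7 and 15 of the new SocGholish file (`/dev/kmem`, `/dev/snd/seq`, `/usr/local`) are paths present on practically every Linux host and are rated Medium, so anyone who feeds the File column into a file-path match will alert on every system they monitor; either rate them Low, as `/addsrv` and `adm.cgi` in the same table already are, or state in the IOA intro that File entries are path fragments taken from related vulnerability records and not artefacts to search for on disk.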
@ -105,9 +105,10 @@ ID | Type | Indicator | Confidence

37 | File | `app/call_centers/cmd.php` | High
38 | File | `arch/x86/kvm/hyperv.c` | High
39 | File | `auction.cgi` | Medium
40 | ... | ... | ...
40 | File | `autologin.jsp` | High
41 | ... | ... | ...

There are 349 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 351 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -18,7 +18,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce

* [MO](https://vuldb.com/?country.mo)
* [US](https://vuldb.com/?country.us)
* [ES](https://vuldb.com/?country.es)
* [CN](https://vuldb.com/?country.cn)
* ...

There are 2 more country items available. Please use our online service to access the data.

@ -8,6 +8,7 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Thamar Reservoir:

* [RU](https://vuldb.com/?country.ru)
* [US](https://vuldb.com/?country.us)
* [PL](https://vuldb.com/?country.pl)

@ -28,6 +29,7 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-284 | Execution with Unnecessary Privileges | High

## IOA - Indicator of Attack

@ -159,7 +159,7 @@ ID | Type | Indicator | Confidence

36 | File | `ActiveServices.java` | High
37 | ... | ... | ...

There are 320 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 318 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -41,7 +41,7 @@ ID | Type | Indicator | Confidence

3 | File | `/public/login.htm` | High
4 | ... | ... | ...

There are 9 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 10 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -16,10 +16,10 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce

* [VN](https://vuldb.com/?country.vn)
* [RU](https://vuldb.com/?country.ru)
* [SH](https://vuldb.com/?country.sh)
* [GB](https://vuldb.com/?country.gb)
* ...

There are 1 more country items available. Please use our online service to access the data.
There are 3 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -35,106 +35,124 @@ ID | IP address | Hostname | Campaign | Confidence
|
|||
6 | [5.53.124.49](https://vuldb.com/?ip.5.53.124.49) | dgbtechnologies.com | - | High
|
||||
7 | [5.59.205.32](https://vuldb.com/?ip.5.59.205.32) | dhcp-32-205-59-5.metro86.ru | - | High
|
||||
8 | [5.133.179.108](https://vuldb.com/?ip.5.133.179.108) | 5-133-179-108.freeucouponsnow.ru | - | High
|
||||
9 | [5.182.210.132](https://vuldb.com/?ip.5.182.210.132) | - | - | High
|
||||
10 | [5.182.210.226](https://vuldb.com/?ip.5.182.210.226) | - | - | High
|
||||
11 | [5.182.210.230](https://vuldb.com/?ip.5.182.210.230) | - | - | High
|
||||
12 | [5.182.210.246](https://vuldb.com/?ip.5.182.210.246) | - | - | High
|
||||
13 | [5.182.210.254](https://vuldb.com/?ip.5.182.210.254) | n01-nlam.kdktech.com | - | High
|
||||
14 | [14.241.244.60](https://vuldb.com/?ip.14.241.244.60) | - | - | High
|
||||
15 | [18.233.90.151](https://vuldb.com/?ip.18.233.90.151) | ec2-18-233-90-151.compute-1.amazonaws.com | - | Medium
|
||||
16 | [23.3.13.88](https://vuldb.com/?ip.23.3.13.88) | a23-3-13-88.deploy.static.akamaitechnologies.com | - | High
|
||||
17 | [23.3.13.154](https://vuldb.com/?ip.23.3.13.154) | a23-3-13-154.deploy.static.akamaitechnologies.com | - | High
|
||||
18 | [23.3.125.111](https://vuldb.com/?ip.23.3.125.111) | a23-3-125-111.deploy.static.akamaitechnologies.com | - | High
|
||||
19 | [23.21.27.29](https://vuldb.com/?ip.23.21.27.29) | ec2-23-21-27-29.compute-1.amazonaws.com | - | Medium
|
||||
20 | [23.21.48.44](https://vuldb.com/?ip.23.21.48.44) | ec2-23-21-48-44.compute-1.amazonaws.com | - | Medium
|
||||
21 | [23.21.121.219](https://vuldb.com/?ip.23.21.121.219) | ec2-23-21-121-219.compute-1.amazonaws.com | - | Medium
|
||||
22 | [23.21.252.4](https://vuldb.com/?ip.23.21.252.4) | ec2-23-21-252-4.compute-1.amazonaws.com | - | Medium
|
||||
23 | [23.23.83.153](https://vuldb.com/?ip.23.23.83.153) | ec2-23-23-83-153.compute-1.amazonaws.com | - | Medium
|
||||
24 | [23.23.243.154](https://vuldb.com/?ip.23.23.243.154) | ec2-23-23-243-154.compute-1.amazonaws.com | - | Medium
|
||||
25 | [23.94.233.210](https://vuldb.com/?ip.23.94.233.210) | 23-94-233-210-host.colocrossing.com | - | High
|
||||
26 | [23.96.30.229](https://vuldb.com/?ip.23.96.30.229) | - | - | High
|
||||
27 | [23.160.192.125](https://vuldb.com/?ip.23.160.192.125) | unknown.ip-xfer.net | - | High
|
||||
28 | [23.160.193.106](https://vuldb.com/?ip.23.160.193.106) | unknown.ip-xfer.net | - | High
|
||||
29 | [23.202.231.166](https://vuldb.com/?ip.23.202.231.166) | a23-202-231-166.deploy.static.akamaitechnologies.com | - | High
|
||||
30 | [23.217.138.107](https://vuldb.com/?ip.23.217.138.107) | a23-217-138-107.deploy.static.akamaitechnologies.com | - | High
|
||||
31 | [24.162.214.166](https://vuldb.com/?ip.24.162.214.166) | cpe-24-162-214-166.elp.res.rr.com | - | High
|
||||
32 | [27.72.107.215](https://vuldb.com/?ip.27.72.107.215) | dynamic-adsl.viettel.vn | - | High
|
||||
33 | [31.131.26.122](https://vuldb.com/?ip.31.131.26.122) | - | - | High
|
||||
34 | [31.134.60.181](https://vuldb.com/?ip.31.134.60.181) | 31-134-60-181.telico.pl | - | High
|
||||
35 | [31.172.177.90](https://vuldb.com/?ip.31.172.177.90) | poczta.mp-lift.pl | - | High
|
||||
36 | [31.184.253.6](https://vuldb.com/?ip.31.184.253.6) | - | - | High
|
||||
37 | [34.117.59.81](https://vuldb.com/?ip.34.117.59.81) | 81.59.117.34.bc.googleusercontent.com | - | Medium
|
||||
38 | [34.196.181.158](https://vuldb.com/?ip.34.196.181.158) | ec2-34-196-181-158.compute-1.amazonaws.com | - | Medium
|
||||
39 | [34.233.102.38](https://vuldb.com/?ip.34.233.102.38) | ec2-34-233-102-38.compute-1.amazonaws.com | - | Medium
|
||||
40 | [36.37.176.6](https://vuldb.com/?ip.36.37.176.6) | - | - | High
|
||||
41 | [36.89.191.119](https://vuldb.com/?ip.36.89.191.119) | - | - | High
|
||||
42 | [36.89.193.181](https://vuldb.com/?ip.36.89.193.181) | - | - | High
|
||||
43 | [36.89.193.235](https://vuldb.com/?ip.36.89.193.235) | - | - | High
|
||||
44 | [36.89.228.201](https://vuldb.com/?ip.36.89.228.201) | - | - | High
|
||||
45 | [36.91.88.164](https://vuldb.com/?ip.36.91.88.164) | - | - | High
|
||||
46 | [36.91.117.231](https://vuldb.com/?ip.36.91.117.231) | - | - | High
|
||||
47 | [36.91.186.235](https://vuldb.com/?ip.36.91.186.235) | - | - | High
|
||||
48 | [36.94.27.124](https://vuldb.com/?ip.36.94.27.124) | - | - | High
|
||||
49 | [36.94.100.202](https://vuldb.com/?ip.36.94.100.202) | - | - | High
|
||||
50 | [36.95.23.89](https://vuldb.com/?ip.36.95.23.89) | - | - | High
|
||||
51 | [36.95.27.243](https://vuldb.com/?ip.36.95.27.243) | - | - | High
|
||||
52 | [37.228.70.134](https://vuldb.com/?ip.37.228.70.134) | - | - | High
|
||||
53 | [37.228.117.250](https://vuldb.com/?ip.37.228.117.250) | janome.ru | - | High
|
||||
54 | [37.230.112.146](https://vuldb.com/?ip.37.230.112.146) | audiotop.ru | - | High
|
||||
55 | [37.230.114.93](https://vuldb.com/?ip.37.230.114.93) | admin1.fvds.ru | - | High
|
||||
56 | [37.230.114.248](https://vuldb.com/?ip.37.230.114.248) | kosmolot.com | - | High
57 | [37.230.115.129](https://vuldb.com/?ip.37.230.115.129) | dvcarry.fvds.ru | - | High
58 | [37.230.115.133](https://vuldb.com/?ip.37.230.115.133) | wdai.io | - | High
59 | [37.230.115.138](https://vuldb.com/?ip.37.230.115.138) | i2.com | - | High
60 | [37.230.115.171](https://vuldb.com/?ip.37.230.115.171) | geobrox.com | - | High
61 | [37.230.115.184](https://vuldb.com/?ip.37.230.115.184) | 21922vdscom.com | - | High
62 | [38.132.99.174](https://vuldb.com/?ip.38.132.99.174) | - | - | High
63 | [43.245.216.116](https://vuldb.com/?ip.43.245.216.116) | - | - | High
64 | [45.6.16.68](https://vuldb.com/?ip.45.6.16.68) | - | - | High
65 | [45.14.226.115](https://vuldb.com/?ip.45.14.226.115) | - | - | High
66 | [45.36.99.184](https://vuldb.com/?ip.45.36.99.184) | cpe-45-36-99-184.triad.res.rr.com | - | High
67 | [45.115.172.105](https://vuldb.com/?ip.45.115.172.105) | - | - | High
68 | [45.155.173.242](https://vuldb.com/?ip.45.155.173.242) | - | - | High
69 | [45.167.249.126](https://vuldb.com/?ip.45.167.249.126) | - | - | High
70 | [45.178.142.14](https://vuldb.com/?ip.45.178.142.14) | - | - | High
71 | [45.201.134.202](https://vuldb.com/?ip.45.201.134.202) | - | - | High
72 | [45.229.71.211](https://vuldb.com/?ip.45.229.71.211) | static-45-229-71-211.extrememt.com.br | - | High
73 | [45.234.248.154](https://vuldb.com/?ip.45.234.248.154) | 45.-234.248-154.rev.voanet.br | - | High
74 | [46.4.167.250](https://vuldb.com/?ip.46.4.167.250) | ip-subnet46-4-167.unassigned.theideahosting.net | - | High
75 | [46.8.21.10](https://vuldb.com/?ip.46.8.21.10) | 53980.web.hosting-russia.ru | - | High
76 | [46.8.21.113](https://vuldb.com/?ip.46.8.21.113) | 64403.web.hosting-russia.ru | - | High
77 | [46.30.45.208](https://vuldb.com/?ip.46.30.45.208) | vm418209.eurodir.ru | - | High
78 | [46.99.175.217](https://vuldb.com/?ip.46.99.175.217) | - | - | High
79 | [46.209.140.220](https://vuldb.com/?ip.46.209.140.220) | - | - | High
80 | [46.254.128.174](https://vuldb.com/?ip.46.254.128.174) | 46.254.128.174.lanultra.net | - | High
81 | [49.156.34.134](https://vuldb.com/?ip.49.156.34.134) | - | - | High
82 | [50.16.229.140](https://vuldb.com/?ip.50.16.229.140) | ec2-50-16-229-140.compute-1.amazonaws.com | - | Medium
83 | [50.19.247.198](https://vuldb.com/?ip.50.19.247.198) | ec2-50-19-247-198.compute-1.amazonaws.com | - | Medium
84 | [51.38.101.194](https://vuldb.com/?ip.51.38.101.194) | - | - | High
85 | [51.77.92.215](https://vuldb.com/?ip.51.77.92.215) | - | - | High
86 | [51.81.112.144](https://vuldb.com/?ip.51.81.112.144) | - | - | High
87 | [51.89.115.101](https://vuldb.com/?ip.51.89.115.101) | secure-3111.buzztary.com | - | High
88 | [51.89.115.116](https://vuldb.com/?ip.51.89.115.116) | tombe.nationfox.net | - | High
89 | [51.89.115.121](https://vuldb.com/?ip.51.89.115.121) | mail1.cmailer.online | - | High
90 | [51.159.23.217](https://vuldb.com/?ip.51.159.23.217) | jambold.co.uk | - | High
91 | [51.254.83.17](https://vuldb.com/?ip.51.254.83.17) | ip17.ip-51-254-83.eu | - | High
92 | [51.254.164.245](https://vuldb.com/?ip.51.254.164.245) | ip245.ip-51-254-164.eu | - | High
93 | [52.0.197.231](https://vuldb.com/?ip.52.0.197.231) | ec2-52-0-197-231.compute-1.amazonaws.com | - | Medium
94 | [52.20.197.7](https://vuldb.com/?ip.52.20.197.7) | ec2-52-20-197-7.compute-1.amazonaws.com | - | Medium
95 | [52.202.139.131](https://vuldb.com/?ip.52.202.139.131) | ec2-52-202-139-131.compute-1.amazonaws.com | - | Medium
96 | [52.204.109.97](https://vuldb.com/?ip.52.204.109.97) | ec2-52-204-109-97.compute-1.amazonaws.com | - | Medium
97 | [52.206.161.133](https://vuldb.com/?ip.52.206.161.133) | ec2-52-206-161-133.compute-1.amazonaws.com | - | Medium
98 | [54.39.106.25](https://vuldb.com/?ip.54.39.106.25) | ns560342.ip-54-39-106.net | - | High
99 | [54.204.36.156](https://vuldb.com/?ip.54.204.36.156) | ec2-54-204-36-156.compute-1.amazonaws.com | - | Medium
100 | [54.221.253.252](https://vuldb.com/?ip.54.221.253.252) | ec2-54-221-253-252.compute-1.amazonaws.com | - | Medium
101 | [54.235.124.112](https://vuldb.com/?ip.54.235.124.112) | ec2-54-235-124-112.compute-1.amazonaws.com | - | Medium
102 | [54.243.147.226](https://vuldb.com/?ip.54.243.147.226) | ec2-54-243-147-226.compute-1.amazonaws.com | - | Medium
103 | [54.243.198.12](https://vuldb.com/?ip.54.243.198.12) | ec2-54-243-198-12.compute-1.amazonaws.com | - | Medium
104 | [58.97.72.83](https://vuldb.com/?ip.58.97.72.83) | 58-97-72-83.static.asianet.co.th | - | High
105 | [60.51.47.65](https://vuldb.com/?ip.60.51.47.65) | - | - | High
106 | ... | ... | ... | ...
9 | [5.182.210.30](https://vuldb.com/?ip.5.182.210.30) | realestatepromotion.ru | - | High
10 | [5.182.210.132](https://vuldb.com/?ip.5.182.210.132) | - | - | High
11 | [5.182.210.178](https://vuldb.com/?ip.5.182.210.178) | mail.rainingdreams.to | - | High
12 | [5.182.210.226](https://vuldb.com/?ip.5.182.210.226) | - | - | High
13 | [5.182.210.230](https://vuldb.com/?ip.5.182.210.230) | - | - | High
14 | [5.182.210.246](https://vuldb.com/?ip.5.182.210.246) | - | - | High
15 | [5.182.210.254](https://vuldb.com/?ip.5.182.210.254) | n01-nlam.kdktech.com | - | High
16 | [5.196.247.14](https://vuldb.com/?ip.5.196.247.14) | ip14.ip-5-196-247.eu | - | High
17 | [14.241.244.60](https://vuldb.com/?ip.14.241.244.60) | - | - | High
18 | [18.233.90.151](https://vuldb.com/?ip.18.233.90.151) | ec2-18-233-90-151.compute-1.amazonaws.com | - | Medium
19 | [23.3.13.88](https://vuldb.com/?ip.23.3.13.88) | a23-3-13-88.deploy.static.akamaitechnologies.com | - | High
20 | [23.3.13.154](https://vuldb.com/?ip.23.3.13.154) | a23-3-13-154.deploy.static.akamaitechnologies.com | - | High
21 | [23.3.125.111](https://vuldb.com/?ip.23.3.125.111) | a23-3-125-111.deploy.static.akamaitechnologies.com | - | High
22 | [23.21.27.29](https://vuldb.com/?ip.23.21.27.29) | ec2-23-21-27-29.compute-1.amazonaws.com | - | Medium
23 | [23.21.48.44](https://vuldb.com/?ip.23.21.48.44) | ec2-23-21-48-44.compute-1.amazonaws.com | - | Medium
24 | [23.21.121.219](https://vuldb.com/?ip.23.21.121.219) | ec2-23-21-121-219.compute-1.amazonaws.com | - | Medium
25 | [23.21.252.4](https://vuldb.com/?ip.23.21.252.4) | ec2-23-21-252-4.compute-1.amazonaws.com | - | Medium
26 | [23.23.83.153](https://vuldb.com/?ip.23.23.83.153) | ec2-23-23-83-153.compute-1.amazonaws.com | - | Medium
27 | [23.23.243.154](https://vuldb.com/?ip.23.23.243.154) | ec2-23-23-243-154.compute-1.amazonaws.com | - | Medium
28 | [23.94.233.210](https://vuldb.com/?ip.23.94.233.210) | 23-94-233-210-host.colocrossing.com | - | High
29 | [23.96.30.229](https://vuldb.com/?ip.23.96.30.229) | - | - | High
30 | [23.160.192.125](https://vuldb.com/?ip.23.160.192.125) | unknown.ip-xfer.net | - | High
31 | [23.160.193.106](https://vuldb.com/?ip.23.160.193.106) | unknown.ip-xfer.net | - | High
32 | [23.202.231.166](https://vuldb.com/?ip.23.202.231.166) | a23-202-231-166.deploy.static.akamaitechnologies.com | - | High
33 | [23.217.138.107](https://vuldb.com/?ip.23.217.138.107) | a23-217-138-107.deploy.static.akamaitechnologies.com | - | High
34 | [24.162.214.166](https://vuldb.com/?ip.24.162.214.166) | cpe-24-162-214-166.elp.res.rr.com | - | High
35 | [27.72.107.215](https://vuldb.com/?ip.27.72.107.215) | dynamic-adsl.viettel.vn | - | High
36 | [31.131.26.122](https://vuldb.com/?ip.31.131.26.122) | - | - | High
37 | [31.134.60.181](https://vuldb.com/?ip.31.134.60.181) | 31-134-60-181.telico.pl | - | High
38 | [31.134.124.90](https://vuldb.com/?ip.31.134.124.90) | - | - | High
39 | [31.172.177.90](https://vuldb.com/?ip.31.172.177.90) | poczta.mp-lift.pl | - | High
40 | [31.184.253.6](https://vuldb.com/?ip.31.184.253.6) | - | - | High
41 | [31.211.85.110](https://vuldb.com/?ip.31.211.85.110) | - | - | High
42 | [34.117.59.81](https://vuldb.com/?ip.34.117.59.81) | 81.59.117.34.bc.googleusercontent.com | - | Medium
43 | [34.196.181.158](https://vuldb.com/?ip.34.196.181.158) | ec2-34-196-181-158.compute-1.amazonaws.com | - | Medium
44 | [34.233.102.38](https://vuldb.com/?ip.34.233.102.38) | ec2-34-233-102-38.compute-1.amazonaws.com | - | Medium
45 | [36.37.176.6](https://vuldb.com/?ip.36.37.176.6) | - | - | High
46 | [36.89.191.119](https://vuldb.com/?ip.36.89.191.119) | - | - | High
47 | [36.89.193.181](https://vuldb.com/?ip.36.89.193.181) | - | - | High
48 | [36.89.193.235](https://vuldb.com/?ip.36.89.193.235) | - | - | High
49 | [36.89.228.201](https://vuldb.com/?ip.36.89.228.201) | - | - | High
50 | [36.91.45.10](https://vuldb.com/?ip.36.91.45.10) | - | - | High
51 | [36.91.88.164](https://vuldb.com/?ip.36.91.88.164) | - | - | High
52 | [36.91.117.231](https://vuldb.com/?ip.36.91.117.231) | - | - | High
53 | [36.91.186.235](https://vuldb.com/?ip.36.91.186.235) | - | - | High
54 | [36.94.27.124](https://vuldb.com/?ip.36.94.27.124) | - | - | High
55 | [36.94.100.202](https://vuldb.com/?ip.36.94.100.202) | - | - | High
56 | [36.95.23.89](https://vuldb.com/?ip.36.95.23.89) | - | - | High
57 | [36.95.27.243](https://vuldb.com/?ip.36.95.27.243) | - | - | High
58 | [37.228.70.134](https://vuldb.com/?ip.37.228.70.134) | - | - | High
59 | [37.228.117.250](https://vuldb.com/?ip.37.228.117.250) | janome.ru | - | High
60 | [37.230.112.146](https://vuldb.com/?ip.37.230.112.146) | audiotop.ru | - | High
61 | [37.230.114.93](https://vuldb.com/?ip.37.230.114.93) | admin1.fvds.ru | - | High
62 | [37.230.114.248](https://vuldb.com/?ip.37.230.114.248) | kosmolot.com | - | High
63 | [37.230.115.129](https://vuldb.com/?ip.37.230.115.129) | dvcarry.fvds.ru | - | High
64 | [37.230.115.133](https://vuldb.com/?ip.37.230.115.133) | wdai.io | - | High
65 | [37.230.115.138](https://vuldb.com/?ip.37.230.115.138) | i2.com | - | High
66 | [37.230.115.171](https://vuldb.com/?ip.37.230.115.171) | geobrox.com | - | High
67 | [37.230.115.184](https://vuldb.com/?ip.37.230.115.184) | 21922vdscom.com | - | High
68 | [38.132.99.174](https://vuldb.com/?ip.38.132.99.174) | - | - | High
69 | [41.77.134.250](https://vuldb.com/?ip.41.77.134.250) | cliente6386477933.clubnet.mz | - | High
70 | [41.243.29.182](https://vuldb.com/?ip.41.243.29.182) | 182-29-243-41.r.airtel.cd | - | High
71 | [43.245.216.116](https://vuldb.com/?ip.43.245.216.116) | - | - | High
72 | [45.5.152.39](https://vuldb.com/?ip.45.5.152.39) | - | - | High
73 | [45.6.16.68](https://vuldb.com/?ip.45.6.16.68) | - | - | High
74 | [45.14.226.115](https://vuldb.com/?ip.45.14.226.115) | - | - | High
75 | [45.36.99.184](https://vuldb.com/?ip.45.36.99.184) | cpe-45-36-99-184.triad.res.rr.com | - | High
76 | [45.115.172.105](https://vuldb.com/?ip.45.115.172.105) | - | - | High
77 | [45.155.173.242](https://vuldb.com/?ip.45.155.173.242) | - | - | High
78 | [45.167.249.126](https://vuldb.com/?ip.45.167.249.126) | - | - | High
79 | [45.178.142.14](https://vuldb.com/?ip.45.178.142.14) | - | - | High
80 | [45.201.134.202](https://vuldb.com/?ip.45.201.134.202) | - | - | High
81 | [45.229.71.211](https://vuldb.com/?ip.45.229.71.211) | static-45-229-71-211.extrememt.com.br | - | High
82 | [45.234.248.154](https://vuldb.com/?ip.45.234.248.154) | 45.-234.248-154.rev.voanet.br | - | High
83 | [46.4.167.250](https://vuldb.com/?ip.46.4.167.250) | ip-subnet46-4-167.unassigned.theideahosting.net | - | High
84 | [46.8.21.10](https://vuldb.com/?ip.46.8.21.10) | 53980.web.hosting-russia.ru | - | High
85 | [46.8.21.113](https://vuldb.com/?ip.46.8.21.113) | 64403.web.hosting-russia.ru | - | High
86 | [46.30.45.208](https://vuldb.com/?ip.46.30.45.208) | vm418209.eurodir.ru | - | High
87 | [46.99.175.217](https://vuldb.com/?ip.46.99.175.217) | - | - | High
88 | [46.209.140.220](https://vuldb.com/?ip.46.209.140.220) | - | - | High
89 | [46.254.128.174](https://vuldb.com/?ip.46.254.128.174) | 46.254.128.174.lanultra.net | - | High
90 | [49.156.34.134](https://vuldb.com/?ip.49.156.34.134) | - | - | High
91 | [50.16.229.140](https://vuldb.com/?ip.50.16.229.140) | ec2-50-16-229-140.compute-1.amazonaws.com | - | Medium
92 | [50.19.247.198](https://vuldb.com/?ip.50.19.247.198) | ec2-50-19-247-198.compute-1.amazonaws.com | - | Medium
93 | [51.38.101.194](https://vuldb.com/?ip.51.38.101.194) | - | - | High
94 | [51.77.92.215](https://vuldb.com/?ip.51.77.92.215) | - | - | High
95 | [51.81.112.144](https://vuldb.com/?ip.51.81.112.144) | - | - | High
96 | [51.89.115.101](https://vuldb.com/?ip.51.89.115.101) | secure-3111.buzztary.com | - | High
97 | [51.89.115.108](https://vuldb.com/?ip.51.89.115.108) | coms.jt120.com.cn | - | High
98 | [51.89.115.112](https://vuldb.com/?ip.51.89.115.112) | brides-crude.nationfox.net | - | High
99 | [51.89.115.116](https://vuldb.com/?ip.51.89.115.116) | tombe.nationfox.net | - | High
100 | [51.89.115.121](https://vuldb.com/?ip.51.89.115.121) | mail1.cmailer.online | - | High
101 | [51.159.23.217](https://vuldb.com/?ip.51.159.23.217) | jambold.co.uk | - | High
102 | [51.254.83.17](https://vuldb.com/?ip.51.254.83.17) | ip17.ip-51-254-83.eu | - | High
103 | [51.254.164.243](https://vuldb.com/?ip.51.254.164.243) | amortizserv.info | - | High
104 | [51.254.164.245](https://vuldb.com/?ip.51.254.164.245) | ip245.ip-51-254-164.eu | - | High
105 | [52.0.197.231](https://vuldb.com/?ip.52.0.197.231) | ec2-52-0-197-231.compute-1.amazonaws.com | - | Medium
106 | [52.20.197.7](https://vuldb.com/?ip.52.20.197.7) | ec2-52-20-197-7.compute-1.amazonaws.com | - | Medium
107 | [52.202.139.131](https://vuldb.com/?ip.52.202.139.131) | ec2-52-202-139-131.compute-1.amazonaws.com | - | Medium
108 | [52.204.109.97](https://vuldb.com/?ip.52.204.109.97) | ec2-52-204-109-97.compute-1.amazonaws.com | - | Medium
109 | [52.206.161.133](https://vuldb.com/?ip.52.206.161.133) | ec2-52-206-161-133.compute-1.amazonaws.com | - | Medium
110 | [54.39.106.25](https://vuldb.com/?ip.54.39.106.25) | ns560342.ip-54-39-106.net | - | High
111 | [54.204.36.156](https://vuldb.com/?ip.54.204.36.156) | ec2-54-204-36-156.compute-1.amazonaws.com | - | Medium
112 | [54.221.253.252](https://vuldb.com/?ip.54.221.253.252) | ec2-54-221-253-252.compute-1.amazonaws.com | - | Medium
113 | [54.235.124.112](https://vuldb.com/?ip.54.235.124.112) | ec2-54-235-124-112.compute-1.amazonaws.com | - | Medium
114 | [54.243.147.226](https://vuldb.com/?ip.54.243.147.226) | ec2-54-243-147-226.compute-1.amazonaws.com | - | Medium
115 | [54.243.198.12](https://vuldb.com/?ip.54.243.198.12) | ec2-54-243-198-12.compute-1.amazonaws.com | - | Medium
116 | [58.97.72.83](https://vuldb.com/?ip.58.97.72.83) | 58-97-72-83.static.asianet.co.th | - | High
117 | [60.51.47.65](https://vuldb.com/?ip.60.51.47.65) | - | - | High
118 | [62.64.9.237](https://vuldb.com/?ip.62.64.9.237) | clients-62.64.9.237.misp.ru | - | High
119 | [62.69.241.103](https://vuldb.com/?ip.62.69.241.103) | 62-69-241-103.internetia.net.pl | - | High
120 | [62.99.76.213](https://vuldb.com/?ip.62.99.76.213) | 213.62-99-76.static.clientes.euskaltel.es | - | High
121 | [62.109.2.172](https://vuldb.com/?ip.62.109.2.172) | megamart24.ru | - | High
122 | [62.109.6.188](https://vuldb.com/?ip.62.109.6.188) | velomarket31.ru | - | High
123 | [62.109.14.24](https://vuldb.com/?ip.62.109.14.24) | btc-manager1.ru | - | High
124 | ... | ... | ... | ...

There are 421 more IOC items available. Please use our online service to access the data.
There are 493 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures
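Review bot: the confidence rating for shared infrastructure is inconsistent within this hunk. The EC2 hosts (`ec2-*.compute-1.amazonaws.com`, e.g. rows 18, 22 to 27, 43, 44, 91, 92, 105 to 109, 111 to 115) and the Google Cloud host (row 42) are rated Medium, but the Akamai edge nodes `a23-*.deploy.static.akamaitechnologies.com` (rows 19, 20, 21, 32, 33) are rated High. Akamai CDN nodes are shared by many unrelated customers just like EC2 addresses, so matching on them produces the same class of false positives; suggest rating those five rows Medium as well, or documenting why they deserve High. Separately, rows 73 (old) and 82 (new) carry the hostname `45.-234.248-154.rev.voanet.br`, whose second label starts with a hyphen; if that is the literal PTR answer it can stay, but consumers should not normalize it.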
@ -143,11 +161,11 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
2 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
3 | T1068 | CWE-264, CWE-266, CWE-274, CWE-284 | Execution with Unnecessary Privileges | High
2 | T1059.007 | CWE-79 | Cross Site Scripting | High
3 | T1068 | CWE-250, CWE-264, CWE-274, CWE-284 | Execution with Unnecessary Privileges | High
4 | ... | ... | ... | ...

There are 7 more TTP items available. Please use our online service to access the data.
There are 8 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack
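Review bot: the weakness mapping change for T1059.007 is not applied uniformly across the commit. Row 2 here drops CWE-80 (`CWE-79, CWE-80` becomes `CWE-79`), yet the new UAC-0098 file added in this same commit still carries `1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High`, and a later TTP hunk keeps `3 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High`. If CWE-80 was deliberately removed from the XSS mapping, the other actor files should be regenerated with the same rule; if the removal was accidental, this row should keep it.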
@ -155,26 +173,32 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/admin/config` | High
2 | File | `/admin/export/getcsv/article_db` | High
3 | File | `/admin/goods/update` | High
4 | File | `/api/V2/internal/TaskPermissions/CheckTaskAccess` | High
5 | File | `/apply.cgi` | Medium
6 | File | `/blog/blog.php` | High
7 | File | `/Car_Rental/booking.php` | High
8 | File | `/classes/Comment` | High
9 | File | `/cms/content/list` | High
10 | File | `/devices/acurite.c` | High
11 | File | `/etc/master.passwd` | High
12 | File | `/example/editor` | High
13 | File | `/feedback/post/` | High
14 | File | `/index.php?page=reserve` | High
15 | File | `/public_html/animals` | High
16 | File | `/src/njs_vmcode.c` | High
17 | File | `/system/user/resetPwd` | High
18 | ... | ... | ...
1 | File | `/admin.php?id=posts&action=display&value=1&postid=` | High
2 | File | `/admin.php?id=siteoptions&social=display&value=0&sid=2` | High
3 | File | `/admin.php?id=siteoptions&social=edit&sid=2` | High
4 | File | `/admin/goods/update` | High
5 | File | `/admin/inbox.php&action=delete` | High
6 | File | `/admin/inbox.php&action=read` | High
7 | File | `/admin/pagerole.php&action=display&value=1` | High
8 | File | `/admin/pagerole.php&action=edit` | High
9 | File | `/admin/posts.php` | High
10 | File | `/admin/posts.php&action=delete` | High
11 | File | `/admin/posts.php&action=edit` | High
12 | File | `/admin/siteoptions.php&action=displaygoal&value=1&roleid=1` | High
13 | File | `/admin/siteoptions.php&social=remove&sid=2` | High
14 | File | `/admin/uesrs.php&&action=delete&userid=4` | High
15 | File | `/admin/uesrs.php&action=display&value=Hide` | High
16 | File | `/admin/uesrs.php&action=display&value=Show` | High
17 | File | `/admin/uesrs.php&action=type&userrole=Admin&userid=3` | High
18 | File | `/admin/uesrs.php&action=type&userrole=User` | High
19 | File | `/api/students/me/messages/` | High
20 | File | `/apply.cgi` | Medium
21 | File | `/apps/acs-commons/content/page-compare.html` | High
22 | File | `/blog/blog.php` | High
23 | File | `/Car_Rental/booking.php` | High
24 | ... | ... | ...

There are 144 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 197 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References
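Review bot: several of the newly added IOA paths look like transcription artifacts and should be confirmed against their sources before they are shipped as High-confidence indicators. Rows 14 to 18 all point at `/admin/uesrs.php` (five rows with the same spelling), row 14 has a doubled `&&`, and rows 5 to 13 join the query string with `&` directly after `.php` (`/admin/inbox.php&action=delete`) rather than `?`. These may well be verbatim from the advisories they were taken from, but an IOA path with a typo never matches in a detection rule, so please confirm `uesrs.php` is the product's actual filename and that the `&`-joined forms are what the sources show, and note the source on those rows if they are intentional.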
@ -213,6 +237,11 @@ The following list contains _external sources_ which discuss the actor and the a

* https://research.checkpoint.com/2021/when-old-friends-meet-again-why-emotet-chose-trickbot-for-rebirth/
* https://securelist.com/trickbot-module-descriptions/104603/
* https://securityintelligence.com/posts/new-malware-trickbot-anchordns-backdoor-upgrades-anchormail/
* https://thedfirreport.com/2020/04/30/tricky-pyxie/
* https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
* https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/
* https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/
* https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/

## Literature
@ -0,0 +1,30 @@

# Trickster - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Trickster](https://vuldb.com/?actor.trickster). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.trickster](https://vuldb.com/?actor.trickster)

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Trickster.

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [216.218.206.69](https://vuldb.com/?ip.216.218.206.69) | scan-08.shadowserver.org | - | High

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://blog.talosintelligence.com/2019/04/threat-roundup-0412-0419.html

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
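Review bot: the single IOC in this new file, `216.218.206.69` / `scan-08.shadowserver.org` (row 1), is rated High, but that hostname belongs to the Shadowserver Foundation's internet-wide scanning infrastructure, which appears in the logs of practically every internet-facing host. Publishing it as an actor indicator at High confidence invites false positives and blocklisting of a benign research scanner; suggest dropping the row, or downgrading it to Low with a note that it is a generic scanner that merely co-occurred in the referenced Talos threat roundup.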
@ -63,35 +63,35 @@ ID | Type | Indicator | Confidence

7 | File | `/common/logViewer/logViewer.jsf` | High
8 | File | `/crmeb/app/admin/controller/store/CopyTaobao.php` | High
9 | File | `/forum/away.php` | High
10 | File | `/includes/rrdtool.inc.php` | High
11 | File | `/mc-admin/post.php?state=delete&delete` | High
12 | File | `/mifs/c/i/reg/reg.html` | High
13 | File | `/ms/cms/content/list.do` | High
14 | File | `/orms/` | Low
15 | File | `/plesk-site-preview/` | High
16 | File | `/uncpath/` | Medium
17 | File | `/usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php` | High
18 | File | `/www/ping_response.cgi` | High
19 | File | `ABuffer.cpp` | Medium
20 | File | `account.asp` | Medium
21 | File | `addmember.php` | High
22 | File | `addtocart.asp` | High
23 | File | `addtomylist.asp` | High
24 | File | `admin.php` | Medium
25 | File | `admin.x-shop.php` | High
26 | File | `admin/auth.php` | High
27 | File | `admin/changedata.php` | High
28 | File | `admin/dashboard.php` | High
29 | File | `admin/edit-news.php` | High
30 | File | `admin/gallery.php` | High
31 | File | `admin/index.php` | High
32 | File | `admin/manage-departments.php` | High
33 | File | `admin/sellerupd.php` | High
34 | File | `admin/vqmods.app/vqmods.inc.php` | High
35 | File | `admincp/auth/checklogin.php` | High
10 | File | `/hocms/classes/Master.php?f=delete_collection` | High
11 | File | `/includes/rrdtool.inc.php` | High
12 | File | `/mc-admin/post.php?state=delete&delete` | High
13 | File | `/mifs/c/i/reg/reg.html` | High
14 | File | `/ms/cms/content/list.do` | High
15 | File | `/orms/` | Low
16 | File | `/plesk-site-preview/` | High
17 | File | `/student-grading-system/rms.php?page=grade` | High
18 | File | `/uncpath/` | Medium
19 | File | `/usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php` | High
20 | File | `/www/ping_response.cgi` | High
21 | File | `ABuffer.cpp` | Medium
22 | File | `account.asp` | Medium
23 | File | `addmember.php` | High
24 | File | `addtocart.asp` | High
25 | File | `addtomylist.asp` | High
26 | File | `admin.php` | Medium
27 | File | `admin.x-shop.php` | High
28 | File | `admin/auth.php` | High
29 | File | `admin/changedata.php` | High
30 | File | `admin/dashboard.php` | High
31 | File | `admin/edit-news.php` | High
32 | File | `admin/gallery.php` | High
33 | File | `admin/index.php` | High
34 | File | `admin/manage-departments.php` | High
35 | File | `admin/sellerupd.php` | High
36 | ... | ... | ...

There are 305 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 308 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References
@ -0,0 +1,81 @@

# UAC-0098 - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [UAC-0098](https://vuldb.com/?actor.uac-0098). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.uac-0098](https://vuldb.com/?actor.uac-0098)

## Campaigns

The following _campaigns_ are known and can be associated with UAC-0098:

* Cobalt Strike
* IcedID

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with UAC-0098:

* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [DE](https://vuldb.com/?country.de)

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of UAC-0098.

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [84.32.188.29](https://vuldb.com/?ip.84.32.188.29) | - | Cobalt Strike | High
2 | [134.209.144.87](https://vuldb.com/?ip.134.209.144.87) | - | IcedID | High
3 | [138.68.229.0](https://vuldb.com/?ip.138.68.229.0) | - | Cobalt Strike | High
4 | [139.60.160.8](https://vuldb.com/?ip.139.60.160.8) | - | Cobalt Strike | High
5 | [139.60.160.17](https://vuldb.com/?ip.139.60.160.17) | - | Cobalt Strike | High
6 | ... | ... | ... | ...

There are 19 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _UAC-0098_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1222 | CWE-275 | Permission Issues | High
4 | ... | ... | ... | ...

There are 2 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by UAC-0098. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/etc/shadow` | Medium
2 | File | `/goform/net\_Web\_get_value` | High
3 | File | `/goform/net_WebCSRGen` | High
4 | File | `/goform/WebRSAKEYGen` | High
5 | File | `/uncpath/` | Medium
6 | ... | ... | ...

There are 35 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://cert.gov.ua/article/39609
* https://cert.gov.ua/article/39708

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
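Review bot: row 2 of the IOA table escapes the underscores inside a code span, `/goform/net\_Web\_get_value`. Backslashes are literal inside backticks, so the indicator renders and exports with the backslashes in it and will not match the unescaped form of the path, while rows 3 and 4 (`/goform/net_WebCSRGen`, `/goform/WebRSAKEYGen`) are left unescaped. Drop the two backslashes so the row reads `/goform/net_Web_get_value`, and check the generator for the same escaping in other files.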
@ -60,7 +60,7 @@ ID | Technique | Weakness | Description | Confidence

3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 6 more TTP items available. Please use our online service to access the data.
There are 5 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack
@ -35,7 +35,7 @@ ID | Technique | Weakness | Description | Confidence

3 | T1068 | CWE-250, CWE-264, CWE-274, CWE-284 | Execution with Unnecessary Privileges | High
4 | ... | ... | ... | ...

There are 8 more TTP items available. Please use our online service to access the data.
There are 7 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack
@ -47,33 +47,31 @@ ID | Type | Indicator | Confidence

2 | File | `/admin/inbox.php&action=read` | High
3 | File | `/admin/news/news_mod.php` | High
4 | File | `/admin/page_edit/3` | High
5 | File | `/apps/acs-commons/content/page-compare.html` | High
6 | File | `/blog/blog.php` | High
7 | File | `/cgi-bin/uploadWeiXinPic` | High
8 | File | `/domain/service/.ewell-known/caldav` | High
9 | File | `/dvcset/sysset/set.cgi` | High
10 | File | `/example/editor` | High
11 | File | `/include/make.php` | High
12 | File | `/jquery_file_upload/server/php/index.php` | High
13 | File | `/mobile/SelectUsers.jsp` | High
14 | File | `/php/ajax.php` | High
15 | File | `/ProteinArraySignificanceTest.json` | High
16 | File | `/ptms/classes/Users.php` | High
17 | File | `/public/admin/index.php?add_product` | High
18 | File | `/system/bin/osi_bin` | High
19 | File | `/usr/local/bin/mjs` | High
20 | File | `/wp-content/uploads/jobmonster/` | High
21 | File | `/zbzedit/php/zbz.php` | High
22 | File | `ActiveServices.java` | High
23 | File | `admin/bad.php` | High
24 | File | `admin/dl_sendmail.php` | High
25 | File | `admin/htaccess/bpsunlock.php` | High
26 | File | `admin/pages/useredit.php` | High
27 | File | `AlertReceiver.java` | High
28 | File | `alfresco/s/admin/admin-nodebrowser` | High
29 | ... | ... | ...
5 | File | `/administrator/alerts/alertLightbox.php` | High
6 | File | `/apps/acs-commons/content/page-compare.html` | High
7 | File | `/blog/blog.php` | High
8 | File | `/cgi-bin/main.cgi` | High
9 | File | `/cgi-bin/uploadWeiXinPic` | High
10 | File | `/domain/service/.ewell-known/caldav` | High
11 | File | `/dvcset/sysset/set.cgi` | High
12 | File | `/example/editor` | High
13 | File | `/include/make.php` | High
14 | File | `/jquery_file_upload/server/php/index.php` | High
15 | File | `/mobile/SelectUsers.jsp` | High
16 | File | `/php/ajax.php` | High
17 | File | `/ProteinArraySignificanceTest.json` | High
18 | File | `/ptms/classes/Users.php` | High
19 | File | `/public/admin/index.php?add_product` | High
20 | File | `/role/saveOrUpdateRole.do` | High
21 | File | `/system/bin/osi_bin` | High
22 | File | `/usr/local/bin/mjs` | High
23 | File | `/wp-content/uploads/jobmonster/` | High
24 | File | `/zbzedit/php/zbz.php` | High
25 | File | `ActiveServices.java` | High
26 | File | `admin/htaccess/bpsunlock.php` | High
27 | ... | ... | ...

There are 243 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 225 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References
|
||||
|
||||
|
|
|
@ -10,7 +10,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [RU](https://vuldb.com/?country.ru)
|
||||
* [DE](https://vuldb.com/?country.de)
|
||||
* [IL](https://vuldb.com/?country.il)
|
||||
* ...
|
||||
|
||||
There are 6 more country items available. Please use our online service to access the data.
|
||||
|
@ -43,7 +43,7 @@ ID | Technique | Weakness | Description | Confidence
|
|||
3 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 9 more TTP items available. Please use our online service to access the data.
|
||||
There are 8 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -51,43 +51,47 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/.htaccess` | Medium
|
||||
2 | File | `/admin.php/admin/art/data.html` | High
|
||||
3 | File | `/admin.php/admin/ulog/index.html` | High
|
||||
4 | File | `/admin.php/admin/vod/data.html` | High
|
||||
5 | File | `/admin/goods/update` | High
|
||||
6 | File | `/api/eventinstance` | High
|
||||
7 | File | `/api /v3/auth` | High
|
||||
8 | File | `/blog/blog.php` | High
|
||||
9 | File | `/cgi-bin/uploadAccessCodePic` | High
|
||||
10 | File | `/cloud_config/router_post/check_reset_pwd_verify_code` | High
|
||||
11 | File | `/cloud_config/router_post/upgrade_info` | High
|
||||
12 | File | `/cwms/admin/?page=articles/view_article/` | High
|
||||
13 | File | `/cwms/classes/Master.php?f=save_contact` | High
|
||||
14 | File | `/data/sqldata` | High
|
||||
15 | File | `/DataPackageTable` | High
|
||||
16 | File | `/download/` | Medium
|
||||
17 | File | `/etc/puppetlabs/puppetserver/conf.d/ca.conf` | High
|
||||
18 | File | `/etc/zarafa/license` | High
|
||||
19 | File | `/factor/avx-ecm/vecarith52.c` | High
|
||||
20 | File | `/goform/delAd` | High
|
||||
21 | File | `/goform/form2Reboot.cgi` | High
|
||||
22 | File | `/goform/login_process` | High
|
||||
23 | File | `/goform/SetLanInfo` | High
|
||||
24 | File | `/i/:data/ipa.plist` | High
|
||||
25 | File | `/include/make.php` | High
|
||||
26 | File | `/jpg/image.jpg` | High
|
||||
27 | File | `/login` | Low
|
||||
28 | File | `/nova/bin/traceroute` | High
|
||||
29 | File | `/one_church/churchprofile.php` | High
|
||||
30 | File | `/one_church/userregister.php` | High
|
||||
31 | File | `/php/ajax.php` | High
|
||||
32 | File | `/plesk-site-preview/` | High
|
||||
33 | File | `/public/admin/index.php?add_product` | High
|
||||
34 | File | `/tmp/swhks.pid` | High
|
||||
35 | ... | ... | ...
|
||||
1 | File | `/admin.php/admin/art/data.html` | High
|
||||
2 | File | `/admin.php/admin/ulog/index.html` | High
|
||||
3 | File | `/admin.php/admin/vod/data.html` | High
|
||||
4 | File | `/admin.php?id=siteoptions&social=edit&sid=2` | High
|
||||
5 | File | `/admin.php?r=admin/AdminBackup/del` | High
|
||||
6 | File | `/admin/edit.php` | High
|
||||
7 | File | `/admin/goods/update` | High
|
||||
8 | File | `/admin/inbox.php&action=delete` | High
|
||||
9 | File | `/admin/inbox.php&action=read` | High
|
||||
10 | File | `/admin/pagerole.php&action=edit` | High
|
||||
11 | File | `/admin/posts.php` | High
|
||||
12 | File | `/admin/posts.php&action=delete` | High
|
||||
13 | File | `/admin/siteoptions.php&action=displaygoal&value=1&roleid=1` | High
|
||||
14 | File | `/admin/siteoptions.php&social=remove&sid=2` | High
|
||||
15 | File | `/admin/uesrs.php&&action=delete&userid=4` | High
|
||||
16 | File | `/admin/uesrs.php&action=display&value=Hide` | High
|
||||
17 | File | `/admin/uesrs.php&action=display&value=Show` | High
|
||||
18 | File | `/admin/uesrs.php&action=type&userrole=User` | High
|
||||
19 | File | `/administrator/alerts/alertLightbox.php` | High
|
||||
20 | File | `/api/eventinstance` | High
|
||||
21 | File | `/api /v3/auth` | High
|
||||
22 | File | `/appliance/users?action=edit` | High
|
||||
23 | File | `/apps/acs-commons/content/page-compare.html` | High
|
||||
24 | File | `/blog/blog.php` | High
|
||||
25 | File | `/cdsms/classes/Master.php?f=delete_package` | High
|
||||
26 | File | `/cmd?cmd=connect` | High
|
||||
27 | File | `/cwms/admin/?page=articles/view_article/` | High
|
||||
28 | File | `/cwms/classes/Master.php?f=save_contact` | High
|
||||
29 | File | `/data/sqldata` | High
|
||||
30 | File | `/etc/puppetlabs/puppetserver/conf.d/ca.conf` | High
|
||||
31 | File | `/etc/zarafa/license` | High
|
||||
32 | File | `/goform/login_process` | High
|
||||
33 | File | `/hocms/classes/Master.php?f=delete_member` | High
|
||||
34 | File | `/hocms/classes/Master.php?f=delete_phase` | High
|
||||
35 | File | `/include/make.php` | High
|
||||
36 | File | `/index.php?m=admin&c=custom&a=plugindelhandle` | High
|
||||
37 | File | `/jpg/image.jpg` | High
|
||||
38 | File | `/login` | Low
|
||||
39 | ... | ... | ...
|
||||
|
||||
There are 301 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 338 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -15,8 +15,11 @@ The following _campaigns_ are known and can be associated with WindShift:
|
|||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with WindShift:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [TR](https://vuldb.com/?country.tr)
|
||||
* [RU](https://vuldb.com/?country.ru)
|
||||
* [TR](https://vuldb.com/?country.tr)
|
||||
* ...
|
||||
|
||||
There are 3 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -34,6 +37,7 @@ ID | Technique | Weakness | Description | Confidence
|
|||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -42,11 +46,11 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `.procmailrc` | Medium
|
||||
2 | File | `/uncpath/` | Medium
|
||||
3 | File | `base/ErrorHandler.php` | High
|
||||
2 | File | `/cgi-bin/wapopen` | High
|
||||
3 | File | `/it-IT/splunkd/__raw/services/get_snapshot` | High
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 3 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 23 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -16,10 +16,10 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [RU](https://vuldb.com/?country.ru)
|
||||
* [DE](https://vuldb.com/?country.de)
|
||||
* [IL](https://vuldb.com/?country.il)
|
||||
* ...
|
||||
|
||||
There are 6 more country items available. Please use our online service to access the data.
|
||||
There are 7 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -45,7 +45,7 @@ ID | Technique | Weakness | Description | Confidence
|
|||
3 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 9 more TTP items available. Please use our online service to access the data.
|
||||
There are 8 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -53,44 +53,47 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/.htaccess` | Medium
|
||||
2 | File | `/admin.php/admin/art/data.html` | High
|
||||
3 | File | `/admin.php/admin/ulog/index.html` | High
|
||||
4 | File | `/admin.php/admin/vod/data.html` | High
|
||||
5 | File | `/admin/goods/update` | High
|
||||
6 | File | `/admin/login.php` | High
|
||||
7 | File | `/admin/templates/template_manage.php` | High
|
||||
8 | File | `/api/eventinstance` | High
|
||||
9 | File | `/api /v3/auth` | High
|
||||
10 | File | `/blog/blog.php` | High
|
||||
11 | File | `/cgi-bin/uploadAccessCodePic` | High
|
||||
12 | File | `/cloud_config/router_post/check_reset_pwd_verify_code` | High
|
||||
13 | File | `/cloud_config/router_post/upgrade_info` | High
|
||||
14 | File | `/cwms/admin/?page=articles/view_article/` | High
|
||||
15 | File | `/cwms/classes/Master.php?f=save_contact` | High
|
||||
16 | File | `/data/sqldata` | High
|
||||
17 | File | `/DataPackageTable` | High
|
||||
18 | File | `/download/` | Medium
|
||||
19 | File | `/etc/puppetlabs/puppetserver/conf.d/ca.conf` | High
|
||||
20 | File | `/etc/zarafa/license` | High
|
||||
21 | File | `/factor/avx-ecm/vecarith52.c` | High
|
||||
22 | File | `/goform/delAd` | High
|
||||
23 | File | `/goform/form2Reboot.cgi` | High
|
||||
24 | File | `/goform/login_process` | High
|
||||
25 | File | `/goform/SetLanInfo` | High
|
||||
26 | File | `/i/:data/ipa.plist` | High
|
||||
27 | File | `/include/make.php` | High
|
||||
28 | File | `/jpg/image.jpg` | High
|
||||
29 | File | `/login` | Low
|
||||
30 | File | `/nova/bin/traceroute` | High
|
||||
31 | File | `/one_church/churchprofile.php` | High
|
||||
32 | File | `/one_church/userregister.php` | High
|
||||
33 | File | `/php/ajax.php` | High
|
||||
34 | File | `/plesk-site-preview/` | High
|
||||
35 | File | `/public/admin/index.php?add_product` | High
|
||||
36 | ... | ... | ...
|
||||
1 | File | `/admin.php/admin/art/data.html` | High
|
||||
2 | File | `/admin.php/admin/vod/data.html` | High
|
||||
3 | File | `/admin.php?id=siteoptions&social=edit&sid=2` | High
|
||||
4 | File | `/admin.php?r=admin/AdminBackup/del` | High
|
||||
5 | File | `/admin/edit.php` | High
|
||||
6 | File | `/admin/goods/update` | High
|
||||
7 | File | `/admin/inbox.php&action=delete` | High
|
||||
8 | File | `/admin/inbox.php&action=read` | High
|
||||
9 | File | `/admin/pagerole.php&action=edit` | High
|
||||
10 | File | `/admin/posts.php` | High
|
||||
11 | File | `/admin/posts.php&action=delete` | High
|
||||
12 | File | `/admin/siteoptions.php&action=displaygoal&value=1&roleid=1` | High
|
||||
13 | File | `/admin/siteoptions.php&social=remove&sid=2` | High
|
||||
14 | File | `/admin/uesrs.php&&action=delete&userid=4` | High
|
||||
15 | File | `/admin/uesrs.php&action=display&value=Hide` | High
|
||||
16 | File | `/admin/uesrs.php&action=display&value=Show` | High
|
||||
17 | File | `/admin/uesrs.php&action=type&userrole=User` | High
|
||||
18 | File | `/administrator/alerts/alertLightbox.php` | High
|
||||
19 | File | `/api/eventinstance` | High
|
||||
20 | File | `/api /v3/auth` | High
|
||||
21 | File | `/appliance/users?action=edit` | High
|
||||
22 | File | `/apps/acs-commons/content/page-compare.html` | High
|
||||
23 | File | `/blog/blog.php` | High
|
||||
24 | File | `/cdsms/classes/Master.php?f=delete_package` | High
|
||||
25 | File | `/cmd?cmd=connect` | High
|
||||
26 | File | `/cwms/admin/?page=articles/view_article/` | High
|
||||
27 | File | `/cwms/classes/Master.php?f=save_contact` | High
|
||||
28 | File | `/etc/puppetlabs/puppetserver/conf.d/ca.conf` | High
|
||||
29 | File | `/etc/zarafa/license` | High
|
||||
30 | File | `/goform/login_process` | High
|
||||
31 | File | `/hocms/classes/Master.php?f=delete_member` | High
|
||||
32 | File | `/hocms/classes/Master.php?f=delete_phase` | High
|
||||
33 | File | `/include/make.php` | High
|
||||
34 | File | `/index.php?m=admin&c=custom&a=plugindelhandle` | High
|
||||
35 | File | `/jpg/image.jpg` | High
|
||||
36 | File | `/login` | Low
|
||||
37 | File | `/manager/files` | High
|
||||
38 | File | `/module/api.php?mobile/wapNasIPS` | High
|
||||
39 | ... | ... | ...
|
||||
|
||||
There are 304 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 340 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -13,14 +13,17 @@ ID | IP address | Hostname | Campaign | Confidence
|
|||
1 | [8.249.221.254](https://vuldb.com/?ip.8.249.221.254) | - | - | High
|
||||
2 | [8.249.225.254](https://vuldb.com/?ip.8.249.225.254) | - | - | High
|
||||
3 | [72.21.81.240](https://vuldb.com/?ip.72.21.81.240) | - | - | High
|
||||
4 | ... | ... | ... | ...
|
||||
4 | [104.20.208.21](https://vuldb.com/?ip.104.20.208.21) | - | - | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 11 more IOC items available. Please use our online service to access the data.
|
||||
There are 15 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://blog.talosintelligence.com/2019/07/threat-roundup-for-0705-0712.html
|
||||
* https://blog.talosintelligence.com/2019/08/threat-roundup-0816-0823.html
|
||||
* https://blog.talosintelligence.com/2021/05/threat-roundup-0430-0507.html
|
||||
|
||||
## Literature
|
||||
|
|
|
@ -9,8 +9,8 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
|
|||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Zebra2104:
|
||||
|
||||
* [CF](https://vuldb.com/?country.cf)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* ...
|
||||
|
||||
There are 3 more country items available. Please use our online service to access the data.
|
||||
|
|
|
@ -43,7 +43,7 @@ ID | IP address | Hostname | Campaign | Confidence
|
|||
20 | [50.63.202.73](https://vuldb.com/?ip.50.63.202.73) | ip-50-63-202-73.ip.secureserver.net | - | High
|
||||
21 | ... | ... | ... | ...
|
||||
|
||||
There are 80 more IOC items available. Please use our online service to access the data.
|
||||
There are 81 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
@ -70,52 +70,51 @@ ID | Type | Indicator | Confidence
|
|||
4 | File | `/admin/default.asp` | High
|
||||
5 | File | `/ajax/networking/get_netcfg.php` | High
|
||||
6 | File | `/assets/ctx` | Medium
|
||||
7 | File | `/cgi-bin/supervisor/PwdGrp.cgi` | High
|
||||
8 | File | `/checkLogin.cgi` | High
|
||||
9 | File | `/cms/print.php` | High
|
||||
10 | File | `/concat?/%2557EB-INF/web.xml` | High
|
||||
11 | File | `/data/remove` | Medium
|
||||
12 | File | `/etc/ajenti/config.yml` | High
|
||||
13 | File | `/etc/passwd` | Medium
|
||||
14 | File | `/goform/telnet` | High
|
||||
15 | File | `/login` | Low
|
||||
16 | File | `/modules/profile/index.php` | High
|
||||
17 | File | `/navigate/navigate_download.php` | High
|
||||
18 | File | `/owa/auth/logon.aspx` | High
|
||||
19 | File | `/p` | Low
|
||||
20 | File | `/password.html` | High
|
||||
21 | File | `/proc/ioports` | High
|
||||
22 | File | `/property-list/property_view.php` | High
|
||||
23 | File | `/ptms/classes/Users.php` | High
|
||||
24 | File | `/rest` | Low
|
||||
25 | File | `/rest/api/2/search` | High
|
||||
26 | File | `/s/` | Low
|
||||
27 | File | `/scripts/cpan_config` | High
|
||||
28 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
29 | File | `/services/system/setup.json` | High
|
||||
30 | File | `/uncpath/` | Medium
|
||||
31 | File | `/webconsole/APIController` | High
|
||||
32 | File | `/websocket/exec` | High
|
||||
33 | File | `/wp-admin/admin-ajax.php` | High
|
||||
34 | File | `/wp-json` | Medium
|
||||
35 | File | `/wp-json/oembed/1.0/embed?url` | High
|
||||
36 | File | `/_next` | Low
|
||||
37 | File | `4.edu.php\conn\function.php` | High
|
||||
38 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
39 | File | `adclick.php` | Medium
|
||||
40 | File | `addentry.php` | Medium
|
||||
41 | File | `add_comment.php` | High
|
||||
42 | File | `admin/admin.php` | High
|
||||
43 | File | `admin/category.inc.php` | High
|
||||
44 | File | `admin/conf_users_edit.php` | High
|
||||
45 | File | `admin/dl_sendmail.php` | High
|
||||
46 | File | `admin/index.php` | High
|
||||
47 | File | `admin/index.php?id=users/action=edit/user_id=1` | High
|
||||
48 | File | `admin/password_forgotten.php` | High
|
||||
49 | File | `admin/versions.html` | High
|
||||
50 | ... | ... | ...
|
||||
7 | File | `/cgi-bin/login_action.cgi` | High
|
||||
8 | File | `/cgi-bin/supervisor/PwdGrp.cgi` | High
|
||||
9 | File | `/checkLogin.cgi` | High
|
||||
10 | File | `/cms/print.php` | High
|
||||
11 | File | `/concat?/%2557EB-INF/web.xml` | High
|
||||
12 | File | `/data/remove` | Medium
|
||||
13 | File | `/etc/ajenti/config.yml` | High
|
||||
14 | File | `/etc/passwd` | Medium
|
||||
15 | File | `/goform/telnet` | High
|
||||
16 | File | `/login` | Low
|
||||
17 | File | `/modules/profile/index.php` | High
|
||||
18 | File | `/navigate/navigate_download.php` | High
|
||||
19 | File | `/out.php` | Medium
|
||||
20 | File | `/owa/auth/logon.aspx` | High
|
||||
21 | File | `/p` | Low
|
||||
22 | File | `/password.html` | High
|
||||
23 | File | `/proc/ioports` | High
|
||||
24 | File | `/property-list/property_view.php` | High
|
||||
25 | File | `/ptms/classes/Users.php` | High
|
||||
26 | File | `/rest` | Low
|
||||
27 | File | `/rest/api/2/search` | High
|
||||
28 | File | `/rom-0` | Low
|
||||
29 | File | `/s/` | Low
|
||||
30 | File | `/scripts/cpan_config` | High
|
||||
31 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
32 | File | `/services/system/setup.json` | High
|
||||
33 | File | `/uncpath/` | Medium
|
||||
34 | File | `/webconsole/APIController` | High
|
||||
35 | File | `/websocket/exec` | High
|
||||
36 | File | `/wp-admin/admin-ajax.php` | High
|
||||
37 | File | `/wp-json` | Medium
|
||||
38 | File | `/wp-json/oembed/1.0/embed?url` | High
|
||||
39 | File | `/_next` | Low
|
||||
40 | File | `4.edu.php\conn\function.php` | High
|
||||
41 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
42 | File | `adclick.php` | Medium
|
||||
43 | File | `addentry.php` | Medium
|
||||
44 | File | `admin/admin.php` | High
|
||||
45 | File | `admin/category.inc.php` | High
|
||||
46 | File | `admin/conf_users_edit.php` | High
|
||||
47 | File | `admin/dl_sendmail.php` | High
|
||||
48 | File | `admin/index.php` | High
|
||||
49 | ... | ... | ...
|
||||
|
||||
There are 432 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 424 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
@ -138,6 +137,7 @@ The following list contains _external sources_ which discuss the actor and the a
|
|||
* https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html
|
||||
* https://blog.talosintelligence.com/2022/04/threat-roundup-0325-0401.html
|
||||
* https://blog.talosintelligence.com/2022/04/threat-roundup-0401-0408.html
|
||||
* https://blog.talosintelligence.com/2022/04/threat-roundup-0415-0422.html
|
||||
|
||||
## Literature
|
||||
|
||||
|
|
|
@ -49,7 +49,7 @@ ID | Technique | Weakness | Description | Confidence
|
|||
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 8 more TTP items available. Please use our online service to access the data.
|
||||
There are 7 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -81,9 +81,9 @@ ID | Type | Indicator | Confidence
|
|||
22 | File | `/new` | Low
|
||||
23 | File | `/public/plugins/` | High
|
||||
24 | File | `/sbin/gs_config` | High
|
||||
25 | File | `/Storage/Emulated/0/Telegram/Telegram` | High
|
||||
26 | File | `/uncpath/` | Medium
|
||||
27 | File | `/Upload/admin/index.php?module=forum-management&action=add` | High
|
||||
25 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
26 | File | `/Storage/Emulated/0/Telegram/Telegram` | High
|
||||
27 | File | `/uncpath/` | Medium
|
||||
28 | File | `/uploads/dede` | High
|
||||
29 | File | `/usr/bin/pkexec` | High
|
||||
30 | File | `/usr/sbin/nagios` | High
|
||||
|
@ -101,8 +101,7 @@ ID | Type | Indicator | Confidence
|
|||
42 | File | `admin/bitrix.xscan_worker.php` | High
|
||||
43 | File | `admin/conf_users_edit.php` | High
|
||||
44 | File | `admin/mcart_xls_import.php` | High
|
||||
45 | File | `admin/ops/reports/ops/news.php` | High
|
||||
46 | ... | ... | ...
|
||||
45 | ... | ... | ...
|
||||
|
||||
There are 394 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
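Review bot: the trailing overflow count in this hunk stays at `There are 394 more IOA items available` even though the visible table loses a row (the header goes from 8 lines to 7 and the `46 | ... | ... | ...` placeholder becomes `45 | ... | ... | ...`). If the dropped indicator was only pushed past the display cutoff rather than removed from the data set, the count line should have been regenerated together with the table; confirm which case applies so the two stay consistent.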


@ -8,6 +8,7 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Afghanistan and India:

* [FR](https://vuldb.com/?country.fr)
* [ES](https://vuldb.com/?country.es)
* [US](https://vuldb.com/?country.us)


@ -0,0 +1,83 @@
# Anchor - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Anchor_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Anchor:

* [US](https://vuldb.com/?country.us)
* [RU](https://vuldb.com/?country.ru)
* [CN](https://vuldb.com/?country.cn)
* ...

There are 1 more country items available. Please use our online service to access the data.

## Actors

These _actors_ are associated with Anchor or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [TrickBot](https://vuldb.com/?actor.trickbot) | High
2 | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Anchor.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [23.94.51.80](https://vuldb.com/?ip.23.94.51.80) | 23-94-51-80-host.colocrossing.com | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High
2 | [34.210.71.206](https://vuldb.com/?ip.34.210.71.206) | ec2-34-210-71-206.us-west-2.compute.amazonaws.com | [BazarLoader](https://vuldb.com/?actor.bazarloader) | Medium
3 | [54.176.158.165](https://vuldb.com/?ip.54.176.158.165) | ec2-54-176-158-165.us-west-1.compute.amazonaws.com | [BazarLoader](https://vuldb.com/?actor.bazarloader) | Medium
4 | ... | ... | ... | ...

There are 6 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used within Anchor. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
3 | T1211 | CWE-254 | 7PK Security Features | High
4 | ... | ... | ... | ...

There are 2 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Anchor. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/+CSCOE+/logon.html` | High
2 | File | `/forum/away.php` | High
3 | File | `add_comment.php` | High
4 | File | `comment_add.asp` | High
5 | ... | ... | ...

There are 28 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://securityintelligence.com/posts/new-malware-trickbot-anchordns-backdoor-upgrades-anchormail/
* https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
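Review bot: the live-data sentence in this new Anchor file links to the generic index `[https://vuldb.com/?actor](https://vuldb.com/?actor)`, so a reader following it lands on the actor list rather than on the Anchor data; the actor files elsewhere in this repository link to a specific `?actor.<name>` page. Point this at a campaign-specific page if one exists, or drop the sentence for campaign files (the BazarLoader file added in the same commit carries the same generic link). Minor style point in the same hunk: the generated line `There are 1 more country items available` does not agree in number; worth a singular form in the template.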

@ -69,7 +69,7 @@ ID | Type | Indicator | Confidence
12 | File | `/SASWebReportStudio/logonAndRender.do` | High
13 | ... | ... | ...

There are 99 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 103 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References


@ -66,7 +66,7 @@ ID | Type | Indicator | Confidence
9 | File | `admin/google_search_console/class-gsc-table.php` | High
10 | ... | ... | ...

There are 73 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 74 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References


@ -0,0 +1,117 @@
# BazarLoader - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _BazarLoader_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with BazarLoader:

* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [RU](https://vuldb.com/?country.ru)
* ...

There are 1 more country items available. Please use our online service to access the data.

## Actors

These _actors_ are associated with BazarLoader or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High
2 | [Conti](https://vuldb.com/?actor.conti) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of BazarLoader.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [3.101.57.185](https://vuldb.com/?ip.3.101.57.185) | ec2-3-101-57-185.us-west-1.compute.amazonaws.com | [BazarLoader](https://vuldb.com/?actor.bazarloader) | Medium
2 | [13.56.161.214](https://vuldb.com/?ip.13.56.161.214) | ec2-13-56-161-214.us-west-1.compute.amazonaws.com | [Conti](https://vuldb.com/?actor.conti) | Medium
3 | [13.225.230.232](https://vuldb.com/?ip.13.225.230.232) | server-13-225-230-232.jfk51.r.cloudfront.net | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High
4 | [13.226.32.216](https://vuldb.com/?ip.13.226.32.216) | server-13-226-32-216.ewr53.r.cloudfront.net | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High
5 | [18.67.60.164](https://vuldb.com/?ip.18.67.60.164) | server-18-67-60-164.iad89.r.cloudfront.net | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High
6 | [23.56.10.219](https://vuldb.com/?ip.23.56.10.219) | a23-56-10-219.deploy.static.akamaitechnologies.com | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High
7 | [23.62.25.178](https://vuldb.com/?ip.23.62.25.178) | a23-62-25-178.deploy.static.akamaitechnologies.com | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High
8 | [23.82.19.173](https://vuldb.com/?ip.23.82.19.173) | - | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High
9 | [23.94.51.80](https://vuldb.com/?ip.23.94.51.80) | 23-94-51-80-host.colocrossing.com | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High
10 | [23.95.238.122](https://vuldb.com/?ip.23.95.238.122) | 23-95-238-122-host.colocrossing.com | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High
11 | [23.106.160.77](https://vuldb.com/?ip.23.106.160.77) | - | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High
12 | [23.106.215.61](https://vuldb.com/?ip.23.106.215.61) | - | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High
13 | [23.106.223.174](https://vuldb.com/?ip.23.106.223.174) | - | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High
14 | [23.152.0.22](https://vuldb.com/?ip.23.152.0.22) | anahiem.net | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High
15 | [23.160.193.217](https://vuldb.com/?ip.23.160.193.217) | unknown.ip-xfer.net | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High
16 | [23.193.217.119](https://vuldb.com/?ip.23.193.217.119) | a23-193-217-119.deploy.static.akamaitechnologies.com | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High
17 | [31.14.40.160](https://vuldb.com/?ip.31.14.40.160) | perico.cavepanel.com | [Conti](https://vuldb.com/?actor.conti) | High
18 | [31.171.251.118](https://vuldb.com/?ip.31.171.251.118) | ch.ns.mon0.li | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High
|
||||
19 | [31.214.240.203](https://vuldb.com/?ip.31.214.240.203) | - | [BazarLoader](https://vuldb.com/?actor.bazarloader) | High
|
||||
20 | [34.209.40.84](https://vuldb.com/?ip.34.209.40.84) | ec2-34-209-40-84.us-west-2.compute.amazonaws.com | [BazarLoader](https://vuldb.com/?actor.bazarloader) | Medium
|
||||
21 | [34.210.71.206](https://vuldb.com/?ip.34.210.71.206) | ec2-34-210-71-206.us-west-2.compute.amazonaws.com | [BazarLoader](https://vuldb.com/?actor.bazarloader) | Medium
|
||||
22 | [34.219.130.241](https://vuldb.com/?ip.34.219.130.241) | ec2-34-219-130-241.us-west-2.compute.amazonaws.com | [Conti](https://vuldb.com/?actor.conti) | Medium
|
||||
23 | [34.221.188.35](https://vuldb.com/?ip.34.221.188.35) | ec2-34-221-188-35.us-west-2.compute.amazonaws.com | [BazarLoader](https://vuldb.com/?actor.bazarloader) | Medium
|
||||
24 | ... | ... | ... | ...
|
||||
|
||||
There are 91 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used within BazarLoader. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1552 | CWE-319, CWE-522 | Unprotected Storage of Credentials | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 1 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during BazarLoader. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/api` | Low
|
||||
2 | File | `/include/makecvs.php` | High
|
||||
3 | File | `/PluXml/core/admin/parametres_edittpl.php` | High
|
||||
4 | File | `/usr/local/psa/admin/sbin/wrapper` | High
|
||||
5 | File | `add.php` | Low
|
||||
6 | File | `admin/admin.shtml` | High
|
||||
7 | File | `cat.asp` | Low
|
||||
8 | File | `class.phpmailer.php` | High
|
||||
9 | ... | ... | ...
|
||||
|
||||
There are 66 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the campaign and the associated activities:
|
||||
|
||||
* https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
|
||||
* https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html
|
||||
* https://blog.talosintelligence.com/2022/03/threat-roundup-0311-0318.html
|
||||
* https://isc.sans.edu/forums/diary/April+2021+Forensic+Quiz+Answers+and+Analysis/27308/
|
||||
* https://isc.sans.edu/forums/diary/Stolen+Images+Evidence+Campaign+Continues+Pushing+BazarLoader+Malware/27816/
|
||||
* https://isc.sans.edu/forums/diary/TA551+Shathak+continues+pushing+BazarLoader+infections+lead+to+Cobalt+Strike/27738/
|
||||
* https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/
|
||||
* https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/
|
||||
* https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
|
||||
* https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/
|
||||
* https://thedfirreport.com/2021/12/13/diavol-ransomware/
|
||||
* https://twitter.com/_pr4gma/status/1347617681197961225
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
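Review bot: the `_Live data_` line of this new file links to the generic `https://vuldb.com/?actor` index instead of the campaign's own entry; the Actors table further down already links `https://vuldb.com/?actor.bazarloader`, so the live-data link should be at least that specific. Two smaller points in the same file: in the TTP table the Description column does not match the Weakness column (`Execution with Unnecessary Privileges` is the title of CWE-250, not of CWE-264 or CWE-284, and `Unprotected Storage of Credentials` is the former title of CWE-256, while CWE-319 is cleartext transmission and CWE-522 is insufficiently protected credentials), so one of the two columns should be corrected per row; and IOC rows 3-7 and 16 are CloudFront and Akamai edge nodes (`*.r.cloudfront.net`, `*.deploy.static.akamaitechnologies.com`) rated High while the dedicated EC2 instances in rows 1, 2 and 20-23 are rated Medium; shared CDN addresses should not carry the higher confidence, and blocking them outright will break unrelated sites.
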
@ -70,43 +70,43 @@ ID | Type | Indicator | Confidence
8 | File | `/admin/modules/system/custom_field.php` | High
9 | File | `/api/crontab` | Medium
10 | File | `/app1/admin#foo` | High
11 | File | `/articles/welcome-to-your-site#comments-head` | High
12 | File | `/assets/ctx` | Medium
13 | File | `/bin/boa` | Medium
14 | File | `/cgi-bin/wapopen` | High
15 | File | `/cgi-mod/lookup.cgi` | High
16 | File | `/cgi?1&5` | Medium
17 | File | `/config/getuser` | High
18 | File | `/debug/pprof` | Medium
19 | File | `/export` | Low
20 | File | `/forum/away.php` | High
21 | File | `/gracemedia-media-player/templates/files/ajax_controller.php` | High
22 | File | `/iissamples` | Medium
23 | File | `/interface/main/backup.php` | High
24 | File | `/new` | Low
25 | File | `/public/plugins/` | High
26 | File | `/sbin/gs_config` | High
27 | File | `/Storage/Emulated/0/Telegram/Telegram` | High
28 | File | `/uncpath/` | Medium
29 | File | `/Upload/admin/index.php?module=forum-management&action=add` | High
30 | File | `/uploads/dede` | High
31 | File | `/usr/bin/pkexec` | High
32 | File | `/usr/sbin/nagios` | High
33 | File | `/usr/sbin/suexec` | High
34 | File | `/WEB-INF/web.xml` | High
35 | File | `/webman/info.cgi` | High
36 | File | `/wp-admin/admin-ajax.php` | High
37 | File | `/wp-json/oembed/1.0/embed?url` | High
38 | File | `/wp-json/wc/v3/webhooks` | High
39 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
40 | File | `admin.php?m=admin&c=site&a=save` | High
41 | File | `admin.php?page=languages` | High
42 | File | `admin/admin_users.php` | High
43 | File | `admin/bitrix.mpbuilder_step2.php` | High
44 | File | `admin/bitrix.xscan_worker.php` | High
11 | File | `/bin/boa` | Medium
12 | File | `/cgi-bin/wapopen` | High
13 | File | `/cgi-mod/lookup.cgi` | High
14 | File | `/cgi?1&5` | Medium
15 | File | `/config/getuser` | High
16 | File | `/debug/pprof` | Medium
17 | File | `/export` | Low
18 | File | `/forum/away.php` | High
19 | File | `/gracemedia-media-player/templates/files/ajax_controller.php` | High
20 | File | `/iissamples` | Medium
21 | File | `/interface/main/backup.php` | High
22 | File | `/new` | Low
23 | File | `/public/plugins/` | High
24 | File | `/sbin/gs_config` | High
25 | File | `/secure/QueryComponent!Default.jspa` | High
26 | File | `/Storage/Emulated/0/Telegram/Telegram` | High
27 | File | `/uncpath/` | Medium
28 | File | `/uploads/dede` | High
29 | File | `/usr/bin/pkexec` | High
30 | File | `/usr/sbin/nagios` | High
31 | File | `/usr/sbin/suexec` | High
32 | File | `/WEB-INF/web.xml` | High
33 | File | `/webman/info.cgi` | High
34 | File | `/wp-admin/admin-ajax.php` | High
35 | File | `/wp-json/oembed/1.0/embed?url` | High
36 | File | `/wp-json/wc/v3/webhooks` | High
37 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
38 | File | `admin.php?m=admin&c=site&a=save` | High
39 | File | `admin.php?page=languages` | High
40 | File | `admin/admin_users.php` | High
41 | File | `admin/bitrix.mpbuilder_step2.php` | High
42 | File | `admin/bitrix.xscan_worker.php` | High
43 | File | `admin/conf_users_edit.php` | High
44 | File | `admin/mcart_xls_import.php` | High
45 | ... | ... | ...

There are 391 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 388 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

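Review bot: the IDs in this table are positional, so the hunk renumbers every surviving row (old 13 `/bin/boa` becomes new 11) and the whole block shows up as removed and re-added; anyone consuming the file must key on the Indicator column, not the ID. The actual change is small: `/admin/modules/system/custom_field.php`, `/api/crontab`, `/app1/admin#foo`, `/articles/welcome-to-your-site#comments-head`, `/assets/ctx` and `/Upload/admin/index.php?module=forum-management&action=add` appear only in the old numbering, and `/secure/QueryComponent!Default.jspa`, `admin/conf_users_edit.php` and `admin/mcart_xls_import.php` only in the new, which is consistent with the summary line going from 391 to 388 more items. Separately, generic system and framework paths such as `/usr/bin/pkexec`, `/usr/sbin/suexec`, `/WEB-INF/web.xml` and `/wp-admin/admin-ajax.php` are rated High like the product-specific ones; since those paths exist on almost every host or WordPress install, either document that Confidence measures the association rather than detection value, or flag such entries as low-specificity.
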
@ -8,9 +8,9 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with COVID-19:

* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [VN](https://vuldb.com/?country.vn)
* [CN](https://vuldb.com/?country.cn)
* [LA](https://vuldb.com/?country.la)
* ...

There are 4 more country items available. Please use our online service to access the data.

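Review bot: `[CN]` appears twice in this hunk (second and fourth list entries) although old and new sides have the same length, so the change is either a reorder or a duplicated country; confirm that the resulting Countries list contains CN once and that the `There are 4 more country items` count still matches the deduplicated list.
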
@ -34,12 +34,116 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [45.123.190.167](https://vuldb.com/?ip.45.123.190.167) | - | [APT29](https://vuldb.com/?actor.apt29) | High
2 | [45.129.229.48](https://vuldb.com/?ip.45.129.229.48) | - | [APT29](https://vuldb.com/?actor.apt29) | High
3 | [46.101.202.66](https://vuldb.com/?ip.46.101.202.66) | grafana.jagu.dev | [Transparent Tribe](https://vuldb.com/?actor.transparent_tribe) | High
4 | ... | ... | ... | ...
1 | [2.47.112.152](https://vuldb.com/?ip.2.47.112.152) | net-2-47-112-152.cust.vodafonedsl.it | [Unknown](https://vuldb.com/?actor.unknown) | High
2 | [2.56.214.178](https://vuldb.com/?ip.2.56.214.178) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
3 | [5.75.75.75](https://vuldb.com/?ip.5.75.75.75) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
4 | [5.101.0.209](https://vuldb.com/?ip.5.101.0.209) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
5 | [5.157.87.204](https://vuldb.com/?ip.5.157.87.204) | redirect.yourhosting.nl | [Unknown](https://vuldb.com/?actor.unknown) | High
6 | [5.181.156.14](https://vuldb.com/?ip.5.181.156.14) | no-rdns.mivocloud.com | [Unknown](https://vuldb.com/?actor.unknown) | High
7 | [5.182.210.2](https://vuldb.com/?ip.5.182.210.2) | server30.flaunt7.com | [Unknown](https://vuldb.com/?actor.unknown) | High
8 | [5.182.210.84](https://vuldb.com/?ip.5.182.210.84) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
9 | [5.188.60.131](https://vuldb.com/?ip.5.188.60.131) | sk.s5.ans1.ns148.ztomy.com | [Unknown](https://vuldb.com/?actor.unknown) | High
10 | [5.189.132.254](https://vuldb.com/?ip.5.189.132.254) | vmi429632.contaboserver.net | [Unknown](https://vuldb.com/?actor.unknown) | High
11 | [5.255.96.187](https://vuldb.com/?ip.5.255.96.187) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
12 | [8.208.15.85](https://vuldb.com/?ip.8.208.15.85) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
13 | [8.208.78.192](https://vuldb.com/?ip.8.208.78.192) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
14 | [8.209.69.101](https://vuldb.com/?ip.8.209.69.101) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
15 | [8.209.70.110](https://vuldb.com/?ip.8.209.70.110) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
16 | [8.250.169.254](https://vuldb.com/?ip.8.250.169.254) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
17 | [8.250.183.254](https://vuldb.com/?ip.8.250.183.254) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
18 | [8.251.5.254](https://vuldb.com/?ip.8.251.5.254) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
19 | [8.251.15.254](https://vuldb.com/?ip.8.251.15.254) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
20 | [8.251.31.254](https://vuldb.com/?ip.8.251.31.254) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
21 | [12.162.84.2](https://vuldb.com/?ip.12.162.84.2) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
22 | [14.161.6.60](https://vuldb.com/?ip.14.161.6.60) | static.vnpt.vn | [Unknown](https://vuldb.com/?actor.unknown) | High
23 | [23.19.227.235](https://vuldb.com/?ip.23.19.227.235) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
24 | [23.227.38.64](https://vuldb.com/?ip.23.227.38.64) | shops.myshopify.com | [Unknown](https://vuldb.com/?actor.unknown) | High
25 | [23.254.215.229](https://vuldb.com/?ip.23.254.215.229) | hwsrv-869108.hostwindsdns.com | [Unknown](https://vuldb.com/?actor.unknown) | High
26 | [24.94.237.248](https://vuldb.com/?ip.24.94.237.248) | cpe-24-94-237-248.sw.res.rr.com | [Unknown](https://vuldb.com/?actor.unknown) | High
27 | [24.196.13.216](https://vuldb.com/?ip.24.196.13.216) | 024-196-013-216.res.spectrum.com | [Unknown](https://vuldb.com/?actor.unknown) | High
28 | [24.247.182.167](https://vuldb.com/?ip.24.247.182.167) | 024-247-182-167.res.spectrum.com | [Unknown](https://vuldb.com/?actor.unknown) | High
29 | [24.247.182.240](https://vuldb.com/?ip.24.247.182.240) | 024-247-182-240.res.spectrum.com | [Unknown](https://vuldb.com/?actor.unknown) | High
30 | [31.31.77.83](https://vuldb.com/?ip.31.31.77.83) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
31 | [31.146.61.34](https://vuldb.com/?ip.31.146.61.34) | 31-146-61-34.dsl.utg.ge | [Unknown](https://vuldb.com/?actor.unknown) | High
32 | [31.202.128.80](https://vuldb.com/?ip.31.202.128.80) | 31-202-128-80-kh.maxnet.ua | [Unknown](https://vuldb.com/?actor.unknown) | High
33 | [35.242.251.130](https://vuldb.com/?ip.35.242.251.130) | 130.251.242.35.bc.googleusercontent.com | [Unknown](https://vuldb.com/?actor.unknown) | Medium
34 | [37.1.209.51](https://vuldb.com/?ip.37.1.209.51) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
35 | [37.1.212.70](https://vuldb.com/?ip.37.1.212.70) | surprisefoun.reveltip.com | [Unknown](https://vuldb.com/?actor.unknown) | High
36 | [37.1.221.65](https://vuldb.com/?ip.37.1.221.65) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
37 | [37.49.226.13](https://vuldb.com/?ip.37.49.226.13) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
38 | [37.49.226.21](https://vuldb.com/?ip.37.49.226.21) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
39 | [37.49.226.142](https://vuldb.com/?ip.37.49.226.142) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
40 | [37.49.226.182](https://vuldb.com/?ip.37.49.226.182) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
41 | [37.70.131.107](https://vuldb.com/?ip.37.70.131.107) | 107.131.70.37.rev.sfr.net | [Unknown](https://vuldb.com/?actor.unknown) | High
42 | [37.152.88.55](https://vuldb.com/?ip.37.152.88.55) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
43 | [37.208.106.146](https://vuldb.com/?ip.37.208.106.146) | mail.joerrens.com | [Unknown](https://vuldb.com/?actor.unknown) | High
44 | [38.132.124.233](https://vuldb.com/?ip.38.132.124.233) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
45 | [41.60.200.34](https://vuldb.com/?ip.41.60.200.34) | 41.60.200.34.liquidtelecom.net | [Unknown](https://vuldb.com/?actor.unknown) | High
46 | [41.185.29.128](https://vuldb.com/?ip.41.185.29.128) | abp79-nix01.wadns.net | [Unknown](https://vuldb.com/?actor.unknown) | High
47 | [41.221.164.77](https://vuldb.com/?ip.41.221.164.77) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
48 | [42.51.192.231](https://vuldb.com/?ip.42.51.192.231) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
49 | [45.55.49.33](https://vuldb.com/?ip.45.55.49.33) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
50 | [45.55.179.121](https://vuldb.com/?ip.45.55.179.121) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
51 | [45.56.64.36](https://vuldb.com/?ip.45.56.64.36) | li914-36.members.linode.com | [Unknown](https://vuldb.com/?actor.unknown) | High
52 | [45.76.218.232](https://vuldb.com/?ip.45.76.218.232) | 45.76.218.232.vultrusercontent.com | [Unknown](https://vuldb.com/?actor.unknown) | High
53 | [45.81.226.17](https://vuldb.com/?ip.45.81.226.17) | vm3471381.43ssd.had.wf | [Unknown](https://vuldb.com/?actor.unknown) | High
54 | [45.95.168.85](https://vuldb.com/?ip.45.95.168.85) | maxko-hosting.com | [Unknown](https://vuldb.com/?actor.unknown) | High
55 | [45.95.168.98](https://vuldb.com/?ip.45.95.168.98) | maxko-hosting.com | [Unknown](https://vuldb.com/?actor.unknown) | High
56 | [45.118.136.92](https://vuldb.com/?ip.45.118.136.92) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
57 | [45.123.190.167](https://vuldb.com/?ip.45.123.190.167) | - | [APT29](https://vuldb.com/?actor.apt29) | High
58 | [45.128.132.55](https://vuldb.com/?ip.45.128.132.55) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
59 | [45.128.134.14](https://vuldb.com/?ip.45.128.134.14) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
60 | [45.128.134.20](https://vuldb.com/?ip.45.128.134.20) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
61 | [45.129.229.48](https://vuldb.com/?ip.45.129.229.48) | - | [APT29](https://vuldb.com/?actor.apt29) | High
62 | [45.138.72.143](https://vuldb.com/?ip.45.138.72.143) | uziel.example.com | [Unknown](https://vuldb.com/?actor.unknown) | High
63 | [45.138.72.155](https://vuldb.com/?ip.45.138.72.155) | sp200177.example.com | [Unknown](https://vuldb.com/?actor.unknown) | High
64 | [45.142.212.126](https://vuldb.com/?ip.45.142.212.126) | ivan.temporary | [Unknown](https://vuldb.com/?actor.unknown) | High
65 | [45.142.212.192](https://vuldb.com/?ip.45.142.212.192) | blackswan95.example1.com | [Unknown](https://vuldb.com/?actor.unknown) | High
66 | [45.142.212.209](https://vuldb.com/?ip.45.142.212.209) | augenweide.com | [Unknown](https://vuldb.com/?actor.unknown) | High
67 | [45.142.213.59](https://vuldb.com/?ip.45.142.213.59) | vm423520.stark-industries.solutions | [Unknown](https://vuldb.com/?actor.unknown) | High
68 | [45.143.138.47](https://vuldb.com/?ip.45.143.138.47) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
69 | [45.148.120.13](https://vuldb.com/?ip.45.148.120.13) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
70 | [45.148.120.153](https://vuldb.com/?ip.45.148.120.153) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
71 | [45.153.40.105](https://vuldb.com/?ip.45.153.40.105) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
72 | [45.153.184.67](https://vuldb.com/?ip.45.153.184.67) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
73 | [45.161.242.102](https://vuldb.com/?ip.45.161.242.102) | 45-161-242-102.megalink.com.br | [Unknown](https://vuldb.com/?actor.unknown) | High
74 | [46.4.157.37](https://vuldb.com/?ip.46.4.157.37) | static.37.157.4.46.clients.your-server.de | [Unknown](https://vuldb.com/?actor.unknown) | High
75 | [46.17.6.116](https://vuldb.com/?ip.46.17.6.116) | 116-6-17-46.static.fxw.nl | [Unknown](https://vuldb.com/?actor.unknown) | High
76 | [46.17.107.65](https://vuldb.com/?ip.46.17.107.65) | ulasiuk21.example.com | [Unknown](https://vuldb.com/?actor.unknown) | High
77 | [46.19.143.155](https://vuldb.com/?ip.46.19.143.155) | growthinside.net | [Unknown](https://vuldb.com/?actor.unknown) | High
78 | [46.20.1.226](https://vuldb.com/?ip.46.20.1.226) | ns1.ceyhunsezer.com | [Unknown](https://vuldb.com/?actor.unknown) | High
79 | [46.28.111.142](https://vuldb.com/?ip.46.28.111.142) | enkindu.jsuchy.net | [Unknown](https://vuldb.com/?actor.unknown) | High
80 | [46.101.202.66](https://vuldb.com/?ip.46.101.202.66) | grafana.jagu.dev | [Transparent Tribe](https://vuldb.com/?actor.transparent_tribe) | High
81 | [46.105.131.87](https://vuldb.com/?ip.46.105.131.87) | pop.adven.fr | [Unknown](https://vuldb.com/?actor.unknown) | High
82 | [46.166.187.223](https://vuldb.com/?ip.46.166.187.223) | . | [Unknown](https://vuldb.com/?actor.unknown) | High
83 | [46.214.11.172](https://vuldb.com/?ip.46.214.11.172) | 46-214-11-172.next-gen.ro | [Unknown](https://vuldb.com/?actor.unknown) | High
84 | [47.150.248.161](https://vuldb.com/?ip.47.150.248.161) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
85 | [50.28.51.143](https://vuldb.com/?ip.50.28.51.143) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
86 | [50.87.253.50](https://vuldb.com/?ip.50.87.253.50) | box2161.bluehost.com | [Unknown](https://vuldb.com/?actor.unknown) | High
87 | [50.116.78.109](https://vuldb.com/?ip.50.116.78.109) | intersearchmedia.com | [Unknown](https://vuldb.com/?actor.unknown) | High
88 | [51.38.93.190](https://vuldb.com/?ip.51.38.93.190) | ip190.ip-51-38-93.eu | [Unknown](https://vuldb.com/?actor.unknown) | High
89 | [51.79.129.4](https://vuldb.com/?ip.51.79.129.4) | ip4.ip-51-79-129.net | [Unknown](https://vuldb.com/?actor.unknown) | High
90 | [51.89.73.158](https://vuldb.com/?ip.51.89.73.158) | ip158.ip-51-89-73.eu | [Unknown](https://vuldb.com/?actor.unknown) | High
91 | [51.159.23.217](https://vuldb.com/?ip.51.159.23.217) | jambold.co.uk | [Unknown](https://vuldb.com/?actor.unknown) | High
92 | [51.254.164.244](https://vuldb.com/?ip.51.254.164.244) | y9gs.gaurented.com | [Unknown](https://vuldb.com/?actor.unknown) | High
93 | [51.254.164.245](https://vuldb.com/?ip.51.254.164.245) | ip245.ip-51-254-164.eu | [Unknown](https://vuldb.com/?actor.unknown) | High
94 | [54.39.139.67](https://vuldb.com/?ip.54.39.139.67) | ip67.ip-54-39-139.net | [Unknown](https://vuldb.com/?actor.unknown) | High
95 | [58.171.38.26](https://vuldb.com/?ip.58.171.38.26) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
96 | [58.177.172.160](https://vuldb.com/?ip.58.177.172.160) | 058177172160.ctinets.com | [Unknown](https://vuldb.com/?actor.unknown) | High
97 | [59.20.65.102](https://vuldb.com/?ip.59.20.65.102) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
98 | [59.120.5.154](https://vuldb.com/?ip.59.120.5.154) | 59-120-5-154.hinet-ip.hinet.net | [Unknown](https://vuldb.com/?actor.unknown) | High
99 | [60.130.173.117](https://vuldb.com/?ip.60.130.173.117) | softbank060130173117.bbtec.net | [Unknown](https://vuldb.com/?actor.unknown) | High
100 | [60.250.78.22](https://vuldb.com/?ip.60.250.78.22) | 60-250-78-22.hinet-ip.hinet.net | [Unknown](https://vuldb.com/?actor.unknown) | High
101 | [61.92.159.208](https://vuldb.com/?ip.61.92.159.208) | 061092159208.ctinets.com | [Unknown](https://vuldb.com/?actor.unknown) | High
102 | [63.142.252.21](https://vuldb.com/?ip.63.142.252.21) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
103 | [63.250.38.195](https://vuldb.com/?ip.63.250.38.195) | business61-5.web-hosting.com | [Unknown](https://vuldb.com/?actor.unknown) | High
104 | [63.250.38.240](https://vuldb.com/?ip.63.250.38.240) | anakmas.org | [Unknown](https://vuldb.com/?actor.unknown) | High
105 | [63.250.47.83](https://vuldb.com/?ip.63.250.47.83) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
106 | [64.44.51.113](https://vuldb.com/?ip.64.44.51.113) | srv44.pahlmeyer.life | [Unknown](https://vuldb.com/?actor.unknown) | High
107 | [64.188.25.205](https://vuldb.com/?ip.64.188.25.205) | 64.188.25.205.static.quadranet.com | [Unknown](https://vuldb.com/?actor.unknown) | High
108 | ... | ... | ... | ...

There are 9 more IOC items available. Please use our online service to access the data.
There are 426 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

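Review bot: the Hostname column in the added rows breaks the table's own convention of `-` for no reverse DNS: row 82 (`46.166.187.223`) carries a bare `.`, and rows 62, 63, 65 and 76 (`uziel.example.com`, `sp200177.example.com`, `blackswan95.example1.com`, `ulasiuk21.example.com`) plus row 64 (`ivan.temporary`) are operator-set PTR strings rather than resolvable names, so they should be normalised to `-` or marked unverified instead of being offered as pivots. Rows 57, 61 and 80 are the three rows that already existed (the two APT29 addresses and the Transparent Tribe `grafana.jagu.dev` host) and are only renumbered; nearly everything else is attributed to `Unknown` at High confidence (row 33 is the only Medium), which for residential reverse names (`*.res.spectrum.com`, `*.sw.res.rr.com`, `*.rev.sfr.net`, `*.cust.vodafonedsl.it`, `*.dsl.utg.ge`, `*.hinet-ip.hinet.net`, `*.bbtec.net`) and shared hosting or CDN endpoints (`shops.myshopify.com`, `box2161.bluehost.com`, `business61-5.web-hosting.com`, `130.251.242.35.bc.googleusercontent.com`) overstates how durable the indicator is; a dynamic/shared flag would keep consumers from blocking these outright.
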
@ -47,8 +151,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 8 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

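Review bot: in the added row 3 the three columns name three different weaknesses: T1110.001 is Brute Force: Password Guessing, the listed CWE-798 is Use of Hard-coded Credentials, and the description `Improper Restriction of Excessive Authentication Attempts` is the title of CWE-307. CWE-307 is the one that fits the technique, so either replace CWE-798 with CWE-307 or change the description to match CWE-798. Row 2 has the same mismatch after this change: `Execution with Unnecessary Privileges` is the title of CWE-250, while the row now lists CWE-264, CWE-266 and CWE-284.
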
@ -56,16 +164,38 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/pages/systemcall.php?command={COMMAND}` | High
2 | File | `/phppath/php` | Medium
3 | File | `/uncpath/` | Medium
4 | File | `/WEB-INF/web.xml` | High
5 | File | `abook_database.php` | High
6 | File | `adclick.php` | Medium
7 | File | `admin/conf_users_edit.php` | High
8 | ... | ... | ...
1 | File | `//` | Low
2 | File | `/admin/index.php?slides` | High
3 | File | `/apply.cgi` | Medium
4 | File | `/config/getuser` | High
5 | File | `/domains/list` | High
6 | File | `/form/index.php?module=getjson` | High
7 | File | `/ghost/preview` | High
8 | File | `/include/chart_generator.php` | High
9 | File | `/nova/bin/detnet` | High
10 | File | `/ptms/classes/Users.php` | High
11 | File | `/public/admin.php` | High
12 | File | `/public/login.htm` | High
13 | File | `/public/login.htm?errormsg=&loginurl=%22%3E%3Csvg%20onload=prompt%28/XSS/%29%3E` | High
14 | File | `/rest/api/latest/user/avatar/temporary` | High
15 | File | `/s/` | Low
16 | File | `/SAP_Information_System/controllers/add_admin.php` | High
17 | File | `/scripts/unlock_tasks.php` | High
18 | File | `/tmp/app/.env` | High
19 | File | `/uncpath/` | Medium
20 | File | `/user-utils/users/md5.json` | High
21 | File | `/userfs/bin/tcapi` | High
22 | File | `/usr/bin/pkexec` | High
23 | File | `/wp-admin/admin-ajax.php` | High
24 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
25 | File | `500page.jsp` | Medium
26 | File | `accountrecoveryendpoint/recoverpassword.do` | High
27 | File | `admin.php` | Medium
28 | File | `admin/conf_users_edit.php` | High
29 | File | `afr.php` | Low

30 | ... | ... | ...

There are 52 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 253 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

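Review bot: new row 1 `//` (Low) is a two-character prefix that matches any URL with a doubled slash and adds noise rather than signal; drop it or move it to the pattern type. New row 13 `/public/login.htm?errormsg=&loginurl=%22%3E%3Csvg%20onload=prompt%28/XSS/%29%3E` is a complete XSS payload URL stored as a File indicator and duplicates row 12 `/public/login.htm`; the summary line lists `argument`, `input value` and `pattern` as separate types, so the path belongs in row 12 and the payload in an input-value entry. `/uncpath/` (old 3, new 19) and `admin/conf_users_edit.php` (old 7, new 28) are unchanged entries that only appear in the hunk because of renumbering.
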
@ -73,6 +203,7 @@ The following list contains _external sources_ which discuss the campaign and th

* https://github.com/blackorbird/APT_REPORT/blob/master/International%20Strategic/Russia/Advisory-APT29-targets-COVID-19-vaccine-development.pdf
* https://lab52.io/blog/new-transparentribe-operation-targeting-india-with-weaponized-covid-19-lure-documents/
* https://loreto.ccn-cert.cni.es/index.php/s/oDcNr5Jqqpd5cjn#editor
* https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/
* https://us-cert.cisa.gov/ncas/alerts/aa20-225a

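Review bot: one reference is added in this hunk but the rendering does not mark which; two of the listed URLs are weak citations regardless: `https://loreto.ccn-cert.cni.es/index.php/s/oDcNr5Jqqpd5cjn#editor` is a file-share link with an `#editor` fragment rather than a published document URL, and the `blackorbird/APT_REPORT` GitHub entry is a third-party mirror of the APT29 vaccine-development advisory PDF, where the publisher's own URL should be cited instead.
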
@ -8,8 +8,8 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with CVE-2021-44207:

* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [US](https://vuldb.com/?country.us)
* [RU](https://vuldb.com/?country.ru)
* ...

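Review bot: `[US]` appears twice in this equal-length hunk (first and third list entries), so the change is either a reorder that moves US below CN while adding RU, or a duplicated entry; confirm the resulting list has US once. Also, this file is keyed by a vulnerability identifier (CVE-2021-44207) yet reuses the campaign sentence `associated with CVE-2021-44207`; the template text should distinguish vulnerability pages from actor and campaign pages.
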
@ -47,7 +47,7 @@ ID | Technique | Weakness | Description | Confidence
3 | T1211 | CWE-254 | 7PK Security Features | High
4 | ... | ... | ... | ...

There are 1 more TTP items available. Please use our online service to access the data.
There are 2 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

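Review bot: only the summary line changes here (1 to 2 more TTP items) while the visible rows stay the same, so the added technique sits entirely behind the `...` row and cannot be reviewed from the file; the hunk also leaves row 3 pairing T1211 with CWE-254, which is a category (7PK - Security Features) rather than a specific weakness and is a weak mapping to publish at High confidence.
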
@ -61,7 +61,7 @@ ID | Type | Indicator | Confidence
4 | File | `admin.php` | Medium
5 | ... | ... | ...

There are 33 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 34 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

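Review bot: same pattern as the TTP hunk above: the count moves from 33 to 34 more IOA items while the four visible rows are untouched, so the new indicator never reaches the file and the commit is not reviewable from it; if the table is truncated this aggressively, the added indicator should be included or the count line dropped.
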
@ -64,35 +64,36 @@ ID | Type | Indicator | Confidence
2 | File | `/admin.php/admin/plog/index.html` | High
3 | File | `/admin.php/admin/ulog/index.html` | High
4 | File | `/admin.php/admin/website/data.html` | High
5 | File | `/admin/login.php` | High
6 | File | `/administrator/components/menu/` | High
7 | File | `/admin_page/all-files-update-ajax.php` | High
8 | File | `/api/crontab` | Medium
9 | File | `/application/common.php#action_log` | High
10 | File | `/category_view.php` | High
11 | File | `/cgi-bin/kerbynet` | High
12 | File | `/cloud_config/router_post/register` | High
13 | File | `/config/list` | Medium
14 | File | `/download/` | Medium
15 | File | `/etc/ajenti/config.yml` | High
16 | File | `/etc/cobbler` | Medium
17 | File | `/etc/passwd` | Medium
18 | File | `/goform/delAd` | High
19 | File | `/goform/form2Reboot.cgi` | High
20 | File | `/home.asp` | Medium
21 | File | `/index.php?act=api&tag=8` | High
22 | File | `/jerry-core/ecma/base/ecma-lcache.c` | High
23 | File | `/jerry-core/ecma/operations/ecma-objects.c` | High
24 | File | `/jerry-core/parser/js/js-scanner-util.c` | High
25 | File | `/languages/index.php` | High
26 | File | `/leave_system/classes/Login.php` | High
27 | File | `/members/view_member.php` | High
28 | File | `/mims/app/addcustomerHandler.php` | High
29 | File | `/music/ajax.php` | High
30 | File | `/orms/` | Low
31 | ... | ... | ...
5 | File | `/admin.php?id=siteoptions&social=display&value=0&sid=2` | High
6 | File | `/admin/inbox.php&action=read` | High
7 | File | `/admin/login.php` | High
8 | File | `/admin/posts.php&action=delete` | High
9 | File | `/admin/siteoptions.php&action=displaygoal&value=1&roleid=1` | High
10 | File | `/admin/uesrs.php&&action=delete&userid=4` | High
11 | File | `/admin/uesrs.php&action=type&userrole=Admin&userid=3` | High
12 | File | `/administrator/components/menu/` | High
13 | File | `/admin_page/all-files-update-ajax.php` | High
14 | File | `/api/crontab` | Medium
15 | File | `/application/common.php#action_log` | High
16 | File | `/category_view.php` | High
17 | File | `/cdsms/classes/Master.php?f=delete_enrollment` | High
18 | File | `/cgi-bin/kerbynet` | High
19 | File | `/cloud_config/router_post/register` | High
20 | File | `/config/list` | Medium
21 | File | `/download/` | Medium
22 | File | `/etc/ajenti/config.yml` | High
23 | File | `/etc/cobbler` | Medium
24 | File | `/etc/passwd` | Medium
25 | File | `/goform/delAd` | High
26 | File | `/goform/form2Reboot.cgi` | High
27 | File | `/home.asp` | Medium
28 | File | `/index.php?act=api&tag=8` | High
29 | File | `/jerry-core/ecma/base/ecma-lcache.c` | High
30 | File | `/jerry-core/ecma/operations/ecma-objects.c` | High
31 | File | `/jerry-core/parser/js/js-scanner-util.c` | High
32 | ... | ... | ...

There are 263 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 274 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

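Review bot: because the ID column is a running index, inserting the new rows 5 to 11 and 17 renumbers every later row and turns more than twenty unchanged indicators (from `/administrator/components/menu/` down to `/jerry-core/parser/js/js-scanner-util.c`) into changed lines, so the real additions are hard to pick out; keying rows by indicator, or emitting the number only at render time, would keep the diff to the inserted lines. Separately, row 10 `/admin/uesrs.php&&action=delete&userid=4` has a doubled `&&` where row 11 `/admin/uesrs.php&action=type&userrole=Admin&userid=3` has a single `&`; worth confirming the indicator is intended verbatim rather than a paste error.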
@ -0,0 +1,67 @@
# CatalanGate - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _CatalanGate_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with CatalanGate:

* [US](https://vuldb.com/?country.us)

## Actors

These _actors_ are associated with CatalanGate or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [Candiru](https://vuldb.com/?actor.candiru) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of CatalanGate.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [185.181.8.155](https://vuldb.com/?ip.185.181.8.155) | - | [Candiru](https://vuldb.com/?actor.candiru) | High
2 | [185.193.38.113](https://vuldb.com/?ip.185.193.38.113) | - | [Candiru](https://vuldb.com/?actor.candiru) | High

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used within CatalanGate. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1600 | CWE-327 | Cryptographic Issues | High

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during CatalanGate. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `arch/x86/platform/efi/efi.c` | High
2 | File | `cp-demangle.c` | High
3 | File | `jumpin.php` | Medium
4 | ... | ... | ...

There are 1 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
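Review bot: the IOA table ships `arch/x86/platform/efi/efi.c` and `cp-demangle.c` at High confidence for a mercenary-spyware campaign, yet both are source-file paths (a Linux kernel file and the libiberty C++ demangler) rather than web paths or dropped artifacts, so they read like residue from generic vulnerability records the model correlated rather than anything observed in CatalanGate; worth checking the mapping before publishing them at High. Also, the live-data link goes to the generic `https://vuldb.com/?actor` page; if a campaign-specific view exists, link that so readers land on this campaign's data.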
@ -65,7 +65,7 @@ ID | Type | Indicator | Confidence
7 | File | `/uncpath/` | Medium
8 | ... | ... | ...

There are 57 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 58 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -10,7 +10,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce

* [US](https://vuldb.com/?country.us)
* [RU](https://vuldb.com/?country.ru)
* [CH](https://vuldb.com/?country.ch)
* [CN](https://vuldb.com/?country.cn)
* ...

There are 9 more country items available. Please use our online service to access the data.
@ -106,7 +106,7 @@ ID | Type | Indicator | Confidence
31 | File | `authenticate.c` | High
32 | ... | ... | ...

There are 271 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 270 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

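Review bot: the only change here is the counter falling from `271` to `270` while the listed rows are untouched, so one IOA item below the cutoff was removed, and nothing in the hunk records which indicator went or why (false positive, deduplication, retraction). A one-line rationale in the commit would let anyone consuming this feed decide whether to retire the matching rule on their side.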
@ -10,10 +10,10 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce

* [US](https://vuldb.com/?country.us)
* [DE](https://vuldb.com/?country.de)
* [SV](https://vuldb.com/?country.sv)
* [GB](https://vuldb.com/?country.gb)
* ...

There are 10 more country items available. Please use our online service to access the data.
There are 21 more country items available. Please use our online service to access the data.

## Actors

@ -23,6 +23,10 @@ ID | Actor | Confidence
-- | ----- | ----------
1 | [Cobalt Strike](https://vuldb.com/?actor.cobalt_strike) | High
2 | [Conti](https://vuldb.com/?actor.conti) | High
3 | [Hancitor](https://vuldb.com/?actor.hancitor) | High
4 | ... | ...

There are 1 more actor items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

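Review bot: the actor table is cut to three rows plus `4 | ... | ...`, and the new sentence `There are 1 more actor items available.` says exactly one entry was hidden; truncating a four-row table to hide a single row costs the reader a click and saves nothing. Consider raising the cutoff so small tables print in full, and keeping the truncation for the long IOA lists where it pays off.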
@ -30,14 +34,20 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [23.82.140.91](https://vuldb.com/?ip.23.82.140.91) | - | [Cobalt Strike](https://vuldb.com/?actor.cobalt_strike) | High
2 | [23.108.57.108](https://vuldb.com/?ip.23.108.57.108) | - | [Cobalt Strike](https://vuldb.com/?actor.cobalt_strike) | High
3 | [45.134.26.174](https://vuldb.com/?ip.45.134.26.174) | - | [Cobalt Strike](https://vuldb.com/?actor.cobalt_strike) | High
4 | [45.144.29.185](https://vuldb.com/?ip.45.144.29.185) | master.pisyandriy.com | [Cobalt Strike](https://vuldb.com/?actor.cobalt_strike) | High
5 | [62.128.111.176](https://vuldb.com/?ip.62.128.111.176) | - | [Cobalt Strike](https://vuldb.com/?actor.cobalt_strike) | High
6 | ... | ... | ... | ...
1 | [5.255.98.144](https://vuldb.com/?ip.5.255.98.144) | - | [Cobalt Strike](https://vuldb.com/?actor.cobalt_strike) | High
2 | [23.19.227.147](https://vuldb.com/?ip.23.19.227.147) | - | [Cobalt Strike](https://vuldb.com/?actor.cobalt_strike) | High
3 | [23.81.246.32](https://vuldb.com/?ip.23.81.246.32) | - | [Cobalt Strike](https://vuldb.com/?actor.cobalt_strike) | High
4 | [23.82.140.91](https://vuldb.com/?ip.23.82.140.91) | - | [Cobalt Strike](https://vuldb.com/?actor.cobalt_strike) | High
5 | [23.108.57.39](https://vuldb.com/?ip.23.108.57.39) | - | [Cobalt Strike](https://vuldb.com/?actor.cobalt_strike) | High
6 | [23.108.57.108](https://vuldb.com/?ip.23.108.57.108) | - | [Cobalt Strike](https://vuldb.com/?actor.cobalt_strike) | High
7 | [23.227.199.10](https://vuldb.com/?ip.23.227.199.10) | 23-227-199-10.static.hvvc.us | [Cobalt Strike](https://vuldb.com/?actor.cobalt_strike) | High
8 | [45.134.26.174](https://vuldb.com/?ip.45.134.26.174) | - | [Cobalt Strike](https://vuldb.com/?actor.cobalt_strike) | High
9 | [45.144.29.185](https://vuldb.com/?ip.45.144.29.185) | master.pisyandriy.com | [Cobalt Strike](https://vuldb.com/?actor.cobalt_strike) | High
10 | [62.128.111.176](https://vuldb.com/?ip.62.128.111.176) | - | [Cobalt Strike](https://vuldb.com/?actor.cobalt_strike) | High
11 | [65.60.35.141](https://vuldb.com/?ip.65.60.35.141) | duwaer.presembling.vip | [Cobalt Strike](https://vuldb.com/?actor.cobalt_strike) | High
12 | ... | ... | ... | ...

There are 18 more IOC items available. Please use our online service to access the data.
There are 43 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

@ -58,65 +68,61 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/?admin/user.html` | High
2 | File | `/admin/success_story.php` | High
3 | File | `/configuration/httpListenerEdit.jsf` | High
1 | File | `/admin/success_story.php` | High
2 | File | `/category.php` | High
3 | File | `/cgi-bin/supervisor/PwdGrp.cgi` | High
4 | File | `/etc/tomcat8/Catalina/attack` | High
5 | File | `/movie-portal-script/movie.php` | High
6 | File | `/notice-edit.php` | High
7 | File | `/resourceNode/jdbcResourceEdit.jsf` | High
7 | File | `/objects/getSpiritsFromVideo.php` | High
8 | File | `/servlet/webacc` | High
9 | File | `/tmp` | Low
10 | File | `/wp-content/plugins/updraftplus/admin.php` | High
11 | File | `4.2.0.CP08` | Medium
12 | File | `account.asp` | Medium
13 | File | `acerctrl.ocx` | Medium
14 | File | `activate.php` | Medium
15 | File | `add.php` | Low
16 | File | `admin.php` | Medium
17 | File | `admin/admin.php` | High
18 | File | `admin/adminaddeditdetails.php` | High
19 | File | `admin/auth.php` | High
20 | File | `admin/images.php` | High
21 | File | `admin/import/class-import-settings.php` | High
22 | File | `admin/member_details.php` | High
23 | File | `admin/preview.php` | High
24 | File | `ajax/addComment.php` | High
25 | File | `and/or` | Low
26 | File | `app/code/core/Mage/Rss/Helper/Order.php` | High
27 | File | `arch/powerpc/kernel/entry_64.S` | High
28 | File | `archive_read_support_format_rar5.c` | High
29 | File | `article.php` | Medium
30 | File | `asp:.jpg` | Medium
31 | File | `auth2-gss.c` | Medium
32 | File | `backup.php` | Medium
33 | File | `bios.php` | Medium
34 | File | `blanko.preview.php` | High
35 | File | `block/bfq-iosched.c` | High
36 | File | `browse_ladies.php` | High
37 | File | `burl.c` | Low
38 | File | `cadena_ofertas_ext.php` | High
39 | File | `cal_popup.php` | High
40 | File | `category-delete.php` | High
41 | File | `category.php` | Medium
42 | File | `CFM File Handler` | High
43 | File | `cgi-bin/awstats.pl` | High
44 | File | `Change-password.php` | High
45 | File | `charts.php` | Medium
46 | File | `chat.php` | Medium
47 | File | `class.t3lib_formmail.php` | High
48 | File | `comments.php` | Medium
49 | File | `config.php` | Medium
50 | File | `core/stack/l2cap/l2cap_sm.c` | High
51 | File | `country_escorts.php` | High
52 | File | `cource.php` | Medium
53 | File | `Crypt32.dll` | Medium
54 | File | `dapur/index.php` | High
55 | File | `default.asp` | Medium
56 | File | `detail.php` | Medium
57 | ... | ... | ...
9 | File | `/TeamMate/Upload/DomainObjectDocumentUpload.ashx` | High
10 | File | `/tmp` | Low
11 | File | `/uncpath/` | Medium
12 | File | `/wp-admin/admin-ajax.php` | High
13 | File | `/wp-content/plugins/updraftplus/admin.php` | High
14 | File | `4.2.0.CP08` | Medium
15 | File | `account.asp` | Medium
16 | File | `acerctrl.ocx` | Medium
17 | File | `activate.php` | Medium
18 | File | `add.php` | Low
19 | File | `admin.php` | Medium
20 | File | `admin/admin.php` | High
21 | File | `admin/adminaddeditdetails.php` | High
22 | File | `admin/class-jtrt-responsive-tables-admin.php` | High
23 | File | `admin/images.php` | High
24 | File | `admin/import/class-import-settings.php` | High
25 | File | `admin/infoclass_update.php` | High
26 | File | `admin/member_details.php` | High
27 | File | `admin/preview.php` | High
28 | File | `ajax/addComment.php` | High
29 | File | `allocate_block.cpp` | High
30 | File | `and/or` | Low
31 | File | `app/code/core/Mage/Rss/Helper/Order.php` | High
32 | File | `arch/powerpc/kernel/entry_64.S` | High
33 | File | `archive_read_support_format_rar5.c` | High
34 | File | `article.php` | Medium
35 | File | `asmjs/asmangle.cpp` | High
36 | File | `asp:.jpg` | Medium
37 | File | `auth2-gss.c` | Medium
38 | File | `backup.php` | Medium
39 | File | `bios.php` | Medium
40 | File | `blanko.preview.php` | High
41 | File | `block/bfq-iosched.c` | High
42 | File | `books.php` | Medium
43 | File | `browse_ladies.php` | High
44 | File | `burl.c` | Low
45 | File | `cadena_ofertas_ext.php` | High
46 | File | `category-delete.php` | High
47 | File | `category.php` | Medium
48 | File | `CFM File Handler` | High
49 | File | `cgi-bin/awstats.pl` | High
50 | File | `cgi-bin/write.cgi` | High
51 | File | `Change-password.php` | High
52 | File | `chat.php` | Medium
53 | ... | ... | ...

There are 498 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 460 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

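Review bot: the total shrinks from 554 (56 listed plus 498) to 512 (52 listed plus 460), and several indicators whose alphabetical neighbours are still in the table have vanished from it (`/?admin/user.html`, `/configuration/httpListenerEdit.jsf`, `/resourceNode/jdbcResourceEdit.jsf`, `admin/auth.php`, `charts.php`); nothing in the hunk says whether these were retracted as false positives or merely reshuffled, and consumers who alerted on them need to know which. Also, several rows typed `File` are not file names: `and/or` (Low), `4.2.0.CP08` (Medium, a version string) and `CFM File Handler` (High, a component description) look like fragments lifted from vulnerability titles and would be better dropped or retyped before they end up in someone's file-path watchlist.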
@ -131,9 +137,22 @@ The following list contains _external sources_ which discuss the campaign and th
* https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike/27158/
* https://research.checkpoint.com/2019/cobalt-group-returns-to-kazakhstan/
* https://securelist.com/owowa-credential-stealer-and-remote-access/105219/
* https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
* https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/
* https://thedfirreport.com/2021/05/12/conti-ransomware/
* https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/
* https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/
* https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/
* https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/
* https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/
* https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
* https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/
* https://thedfirreport.com/2021/12/13/diavol-ransomware/
* https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
* https://therecord.media/disgruntled-ransomware-affiliate-leaks-the-conti-gangs-technical-manuals/
* https://twitter.com/malware_traffic/status/1400876426497253379
* https://twitter.com/malware_traffic/status/1415740795622248452
* https://twitter.com/TheDFIRReport/status/1508451341844168706
* https://twitter.com/Unit42_Intel/status/1392174941181812737
* https://us-cert.cisa.gov/ncas/alerts/aa21-148a
* https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
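Review bot: `https://research.checkpoint.com/2019/cobalt-group-returns-to-kazakhstan/` is about the Cobalt Group, a financially motivated actor whose name is easily confused with the Cobalt Strike tooling this file attributes its IOCs to; worth confirming the report was cited for this campaign's activity rather than matched on the shared word. Also, the four bare `twitter.com/.../status/` links are the most fragile citations in the list; recording the author and date alongside them, or an archived copy, would keep the reference usable if the posts disappear.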
@ -9,8 +9,11 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Cryptomining:

* [US](https://vuldb.com/?country.us)
* [HU](https://vuldb.com/?country.hu)
* [CN](https://vuldb.com/?country.cn)
* [ES](https://vuldb.com/?country.es)
* ...

There are 6 more country items available. Please use our online service to access the data.

## Actors

@ -27,12 +30,12 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [45.9.148.182](https://vuldb.com/?ip.45.9.148.182) | - | [TeamTNT](https://vuldb.com/?actor.teamtnt) | High
2 | [129.226.180.53](https://vuldb.com/?ip.129.226.180.53) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
3 | [132.162.107.97](https://vuldb.com/?ip.132.162.107.97) | ip-107-97.wireless.oberlin.edu | [Unknown](https://vuldb.com/?actor.unknown) | High
1 | [5.122.15.138](https://vuldb.com/?ip.5.122.15.138) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
2 | [45.9.148.182](https://vuldb.com/?ip.45.9.148.182) | - | [TeamTNT](https://vuldb.com/?actor.teamtnt) | High
3 | [45.136.244.146](https://vuldb.com/?ip.45.136.244.146) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
4 | ... | ... | ... | ...

There are 2 more IOC items available. Please use our online service to access the data.
There are 7 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

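Review bot: `132.162.107.97` carries the hostname `ip-107-97.wireless.oberlin.edu`, which names a campus wireless client, yet it is listed at High confidence under actor `Unknown`; an address like that is far more likely a compromised or scanning endpoint than cryptomining infrastructure, and anyone blocking on this feed would be blocking a university's Wi-Fi pool. Suggest lowering the confidence or recording why it is attributable, and applying the same check to the other `Unknown` rows (`129.226.180.53`, `5.122.15.138`, `45.136.244.146`), which also ship at High with no actor behind them.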
@ -40,12 +43,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1211 | CWE-254 | 7PK Security Features | High
4 | ... | ... | ... | ...

There are 5 more TTP items available. Please use our online service to access the data.
There are 6 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

@ -54,13 +57,19 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/goform/SetNetControlList` | High
2 | File | `/rest/api/2/user/picker` | High
3 | File | `admin/categories_industry.php` | High
4 | File | `admin/content/postcategory` | High
5 | File | `Adminstrator/Users/Edit/` | High
6 | ... | ... | ...
2 | File | `/modules/tasks/summary.inc.php` | High
3 | File | `/rest/api/2/user/picker` | High
4 | File | `/uncpath/` | Medium
5 | File | `admin/categories_industry.php` | High
6 | File | `admin/category.inc.php` | High
7 | File | `admin/content/postcategory` | High
8 | File | `Adminstrator/Users/Edit/` | High
9 | File | `agent.cfg` | Medium
10 | File | `ALL_IN_THE_BOX.OCX` | High
11 | File | `bmp.c` | Low
12 | ... | ... | ...

There are 36 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 97 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -68,6 +77,8 @@ The following list contains _external sources_ which discuss the campaign and th

* https://blog.trendmicro.co.jp/archives/20418
* https://blogs.infoblox.com/cyber-threat-intelligence/cyber-campaign-briefs/log4j-indicators-of-compromise-to-date/
* https://thedfirreport.com/2020/11/12/cryptominers-exploiting-weblogic-rce-cve-2020-14882/
* https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/
* https://www.trendmicro.com/en_us/research/21/k/compromised-docker-hub-accounts-abused-for-cryptomining-linked-t.html

## Literature
@ -74,83 +74,84 @@ ID | Type | Indicator | Confidence
|
|||
15 | File | `/master/article.php` | High
|
||||
16 | File | `/members/profiles.php` | High
|
||||
17 | File | `/members/view_member.php` | High
|
||||
18 | File | `/servlet/webacc` | High
|
||||
19 | File | `/sitemagic/upgrade.php` | High
|
||||
20 | File | `/tmp` | Low
|
||||
21 | File | `/userman/inbox.php` | High
|
||||
22 | File | `/userui/ticket_list.php` | High
|
||||
23 | File | `/wp-admin/options-general.php` | High
|
||||
24 | File | `/zm/index.php` | High
|
||||
25 | File | `adaptive-images-script.php` | High
|
||||
26 | File | `additem.asp` | Medium
|
||||
27 | File | `addtocart.asp` | High
|
||||
28 | File | `adherents/subscription/info.php` | High
|
||||
29 | File | `admin.asp` | Medium
|
||||
30 | File | `admin.php` | Medium
|
||||
31 | File | `admin/admin.php` | High
|
||||
32 | File | `admin/general.php` | High
|
||||
33 | File | `admin/header.php` | High
|
||||
34 | File | `admin/inc/change_action.php` | High
|
||||
35 | File | `admin/index.php` | High
|
||||
36 | File | `admin/index.php?id=users/action=edit/user_id=1` | High
|
||||
37 | File | `admin/info.php` | High
|
||||
38 | File | `admin/login.asp` | High
|
||||
39 | File | `admin/manage-comments.php` | High
|
||||
40 | File | `admin/manage-news.php` | High
|
||||
41 | File | `admin/plugin-settings.php` | High
|
||||
42 | File | `admin/specials.php` | High
|
||||
43 | File | `admin:de` | Medium
|
||||
44 | File | `admincp/auth/checklogin.php` | High
|
||||
45 | File | `admincp/auth/secure.php` | High
|
||||
46 | File | `administrator/index.php` | High
|
||||
47 | File | `admin_login.asp` | High
|
||||
48 | File | `adv_search.asp` | High
|
||||
49 | File | `ajax.php` | Medium
|
||||
50 | File | `ajax_url.php` | Medium
|
||||
51 | File | `album_portal.php` | High
|
||||
52 | File | `al_initialize.php` | High
|
||||
53 | File | `anjel.index.php` | High
|
||||
54 | File | `annonces-p-f.php` | High
|
||||
55 | File | `announce.php` | Medium
|
||||
56 | File | `announcement.php` | High
|
||||
57 | File | `announcements.php` | High
|
||||
58 | File | `app/admin/routing/edit-bgp-mapping-search.php` | High
|
||||
59 | File | `apply.cgi` | Medium
|
||||
60 | File | `apps/app_article/controller/rating.php` | High
|
||||
61 | File | `article.php` | Medium
|
||||
62 | File | `articles.php` | Medium
|
||||
63 | File | `artikel_anzeige.php` | High
|
||||
64 | File | `auktion.cgi` | Medium
|
||||
65 | File | `auth.php` | Medium
|
||||
66 | File | `basket.php` | Medium
|
||||
67 | File | `boardData103.php/boardDataJP.php/boardDataNA.php/boardDataWW.php` | High
|
||||
68 | File | `books.php` | Medium
|
||||
69 | File | `browse-category.php` | High
|
||||
70 | File | `browse.php` | Medium
|
||||
71 | File | `browse_videos.php` | High
|
||||
72 | File | `BrudaNews/BrudaGB` | High
|
||||
73 | File | `bwlist_inc.html` | High
|
||||
74 | File | `calendar.php` | Medium
|
||||
75 | File | `cart.php` | Medium
|
||||
76 | File | `cart_add.php` | Medium
|
||||
77 | File | `case.filemanager.php` | High
|
||||
78 | File | `catalog.php` | Medium
|
||||
79 | File | `catalogshop.php` | High
|
||||
80 | File | `catalogue.asp` | High
|
||||
81 | File | `category.cfm` | Medium
|
||||
82 | File | `category.php` | Medium
|
||||
83 | File | `category_list.php` | High
|
||||
84 | File | `cgi-bin/awstats.pl` | High
|
||||
85 | File | `channel.asp` | Medium
|
||||
86 | File | `ChooseCpSearch.php` | High
|
||||
87 | File | `comentarii.php` | High
|
||||
88 | File | `comments.php` | Medium
|
||||
89 | File | `config.inc.php` | High
|
||||
90 | File | `config.php` | Medium
|
||||
91 | File | `contact.php` | Medium
|
||||
92 | ... | ... | ...
|
||||
18 | File | `/scas/admin/` | Medium
|
||||
19 | File | `/servlet/webacc` | High
|
||||
20 | File | `/sitemagic/upgrade.php` | High
|
||||
21 | File | `/tmp` | Low
|
||||
22 | File | `/userman/inbox.php` | High
|
||||
23 | File | `/userui/ticket_list.php` | High
|
||||
24 | File | `/wp-admin/options-general.php` | High
|
||||
25 | File | `/zm/index.php` | High
|
||||
26 | File | `adaptive-images-script.php` | High
|
||||
27 | File | `additem.asp` | Medium
|
||||
28 | File | `addtocart.asp` | High
|
||||
29 | File | `adherents/subscription/info.php` | High
|
||||
30 | File | `admin.asp` | Medium
|
||||
31 | File | `admin.php` | Medium
|
||||
32 | File | `admin/admin.php` | High
|
||||
33 | File | `admin/general.php` | High
|
||||
34 | File | `admin/header.php` | High
|
||||
35 | File | `admin/inc/change_action.php` | High
|
||||
36 | File | `admin/index.php` | High
|
||||
37 | File | `admin/index.php?id=users/action=edit/user_id=1` | High
|
||||
38 | File | `admin/info.php` | High
|
||||
39 | File | `admin/login.asp` | High
|
||||
40 | File | `admin/manage-comments.php` | High
|
||||
41 | File | `admin/manage-news.php` | High
|
||||
42 | File | `admin/plugin-settings.php` | High
|
||||
43 | File | `admin/specials.php` | High
|
||||
44 | File | `admin:de` | Medium
|
||||
45 | File | `admincp/auth/checklogin.php` | High
|
||||
46 | File | `admincp/auth/secure.php` | High
|
||||
47 | File | `administrator/index.php` | High
|
||||
48 | File | `admin_login.asp` | High
|
||||
49 | File | `adv_search.asp` | High
|
||||
50 | File | `ajax.php` | Medium
|
||||
51 | File | `ajax_url.php` | Medium
|
||||
52 | File | `album_portal.php` | High
|
||||
53 | File | `al_initialize.php` | High
54 | File | `anjel.index.php` | High
55 | File | `annonces-p-f.php` | High
56 | File | `announce.php` | Medium
57 | File | `announcement.php` | High
58 | File | `announcements.php` | High
59 | File | `app/admin/routing/edit-bgp-mapping-search.php` | High
60 | File | `apply.cgi` | Medium
61 | File | `apps/app_article/controller/rating.php` | High
62 | File | `article.php` | Medium
63 | File | `articles.php` | Medium
64 | File | `artikel_anzeige.php` | High
65 | File | `auktion.cgi` | Medium
66 | File | `auth.php` | Medium
67 | File | `basket.php` | Medium
68 | File | `boardData103.php/boardDataJP.php/boardDataNA.php/boardDataWW.php` | High
69 | File | `books.php` | Medium
70 | File | `browse-category.php` | High
71 | File | `browse.php` | Medium
72 | File | `browse_videos.php` | High
73 | File | `BrudaNews/BrudaGB` | High
74 | File | `bwlist_inc.html` | High
75 | File | `calendar.php` | Medium
76 | File | `cart.php` | Medium
77 | File | `cart_add.php` | Medium
78 | File | `case.filemanager.php` | High
79 | File | `catalog.php` | Medium
80 | File | `catalogshop.php` | High
81 | File | `catalogue.asp` | High
82 | File | `category.cfm` | Medium
83 | File | `category.php` | Medium
84 | File | `category_list.php` | High
85 | File | `cgi-bin/awstats.pl` | High
86 | File | `channel.asp` | Medium
87 | File | `ChooseCpSearch.php` | High
88 | File | `comentarii.php` | High
89 | File | `comments.php` | Medium
90 | File | `config.inc.php` | High
91 | File | `config.php` | Medium
92 | File | `contact.php` | Medium
93 | ... | ... | ...

There are 813 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

There are 819 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

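Review bot: the two summary lines after the IOA table disagree on the remaining count (813 vs. 819 more IOA items); one of them is stale and only the line whose count matches the online data set should remain. The `## References` heading that follows is, in the visible part of this diff, not followed by any entries; either populate it or drop the empty section.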
@ -0,0 +1,41 @@
# DarkWatchman - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _DarkWatchman_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Actors

These _actors_ are associated with DarkWatchman or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [DarkWatchman](https://vuldb.com/?actor.darkwatchman) | High
2 | [Hive0117](https://vuldb.com/?actor.hive0117) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of DarkWatchman.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [45.156.27.245](https://vuldb.com/?ip.45.156.27.245) | dasee-1.net7.dns.cloudbackbone.net | [DarkWatchman](https://vuldb.com/?actor.darkwatchman) | High
2 | [103.153.157.33](https://vuldb.com/?ip.103.153.157.33) | 103-153-157-33.ip.fulltimehosting.net | [Hive0117](https://vuldb.com/?actor.hive0117) | High

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://securityintelligence.com/posts/hive00117-fileless-malware-delivery-eastern-europe/
* https://www.prevailion.com/darkwatchman-new-fileless-techniques/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
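Review bot: the _Live data_ pointer in this file links to the generic https://vuldb.com/?actor index rather than to a page for this campaign, while the Actors table already links the actor-specific page https://vuldb.com/?actor.darkwatchman; if that is where the live data for DarkWatchman lives, the pointer should use it so readers land on the campaign's own entry instead of the actor list.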
Some files were not shown because too many files have changed in this diff.