Update
This commit is contained in:
parent
bf64d7c421
commit
00d973b85b
|
@ -17,9 +17,11 @@ There are 3 more country items available. Please use our online service to acces
|
|||
|
||||
## Actors
|
||||
|
||||
These _actors_ are associated with A41APT:
|
||||
These _actors_ are associated with A41APT or other actors linked to the campaign.
|
||||
|
||||
* [APT10](https://vuldb.com/?actor.apt10)
|
||||
ID | Actor | Confidence
|
||||
-- | ----- | ----------
|
||||
1 | [APT10](https://vuldb.com/?actor.apt10) | High
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -27,9 +29,9 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
|
|||
|
||||
ID | IP address | Hostname | Actor | Confidence
|
||||
-- | ---------- | -------- | ----- | ----------
|
||||
1 | [45.138.157.83](https://vuldb.com/?ip.45.138.157.83) | google.com.tm | APT10 | High
|
||||
2 | [88.198.101.58](https://vuldb.com/?ip.88.198.101.58) | static.88.198.101.58.clients.your-server.de | APT10 | High
|
||||
3 | [151.236.30.223](https://vuldb.com/?ip.151.236.30.223) | 223.30.236.151.in-addr.arpa | APT10 | High
|
||||
1 | [45.138.157.83](https://vuldb.com/?ip.45.138.157.83) | google.com.tm | [APT10](https://vuldb.com/?actor.apt10) | High
|
||||
2 | [88.198.101.58](https://vuldb.com/?ip.88.198.101.58) | static.88.198.101.58.clients.your-server.de | [APT10](https://vuldb.com/?actor.apt10) | High
|
||||
3 | [151.236.30.223](https://vuldb.com/?ip.151.236.30.223) | 223.30.236.151.in-addr.arpa | [APT10](https://vuldb.com/?actor.apt10) | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 1 more IOC items available. Please use our online service to access the data.
|
||||
|
|
|
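Review bot: the trailing context line `There are 1 more IOC items available.` is ungrammatical for a count of 1; since this footer is emitted per section from a template, make it count-aware (`There is 1 more IOC item available.` for one, the plural form otherwise) instead of hard-coding the plural. The same template text recurs in the other files touched by this commit (country, TTP and IOA footers), so fix it once in the generator.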
@ -17,9 +17,11 @@ There are 20 more country items available. Please use our online service to acce
|
|||
|
||||
## Actors
|
||||
|
||||
These _actors_ are associated with Accellion FTA Webshell:
|
||||
These _actors_ are associated with Accellion FTA Webshell or other actors linked to the campaign.
|
||||
|
||||
* [Unknown](https://vuldb.com/?actor.unknown)
|
||||
ID | Actor | Confidence
|
||||
-- | ----- | ----------
|
||||
1 | [Unknown](https://vuldb.com/?actor.unknown) | High
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -27,9 +29,9 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
|
|||
|
||||
ID | IP address | Hostname | Actor | Confidence
|
||||
-- | ---------- | -------- | ----- | ----------
|
||||
1 | [45.135.229.179](https://vuldb.com/?ip.45.135.229.179) | ipcore3.example.com | Unknown | High
|
||||
2 | [79.141.162.82](https://vuldb.com/?ip.79.141.162.82) | - | Unknown | High
|
||||
3 | [92.38.135.29](https://vuldb.com/?ip.92.38.135.29) | camerotn1.com | Unknown | High
|
||||
1 | [45.135.229.179](https://vuldb.com/?ip.45.135.229.179) | ipcore3.example.com | [Unknown](https://vuldb.com/?actor.unknown) | High
|
||||
2 | [79.141.162.82](https://vuldb.com/?ip.79.141.162.82) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
|
||||
3 | [92.38.135.29](https://vuldb.com/?ip.92.38.135.29) | camerotn1.com | [Unknown](https://vuldb.com/?actor.unknown) | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 6 more IOC items available. Please use our online service to access the data.
|
||||
|
|
|
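Review bot: rows 1 to 3 now link the actor `Unknown` with confidence `High`; a High-confidence attribution to an unknown actor is contradictory, so either lower the confidence or leave the Actor cell as an unlinked placeholder until an actor is identified. Row 1's hostname `ipcore3.example.com` also looks like placeholder data: `example.com` is a reserved documentation domain, so that reverse-DNS value should be re-checked or replaced with `-` as in row 2.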
@ -13,9 +13,11 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
|
||||
## Actors
|
||||
|
||||
These _actors_ are associated with Afghanistan and India:
|
||||
These _actors_ are associated with Afghanistan and India or other actors linked to the campaign.
|
||||
|
||||
* [Bunse](https://vuldb.com/?actor.bunse)
|
||||
ID | Actor | Confidence
|
||||
-- | ----- | ----------
|
||||
1 | [Bunse](https://vuldb.com/?actor.bunse) | High
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
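Review bot: the campaign is named `Afghanistan and India` throughout this hunk, which reads as a pair of target countries rather than a campaign name; if the source report gives the operation a name, use that and keep the countries in the Countries section, otherwise state in the intro sentence that the entry is keyed by target region.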
@ -23,8 +25,8 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
|
|||
|
||||
ID | IP address | Hostname | Actor | Confidence
|
||||
-- | ---------- | -------- | ----- | ----------
|
||||
1 | [62.171.157.185](https://vuldb.com/?ip.62.171.157.185) | vmi479022.contaboserver.net | Bunse | High
|
||||
2 | [95.111.241.233](https://vuldb.com/?ip.95.111.241.233) | vmi698587.contaboserver.net | Bunse | High
|
||||
1 | [62.171.157.185](https://vuldb.com/?ip.62.171.157.185) | vmi479022.contaboserver.net | [Bunse](https://vuldb.com/?actor.bunse) | High
|
||||
2 | [95.111.241.233](https://vuldb.com/?ip.95.111.241.233) | vmi698587.contaboserver.net | [Bunse](https://vuldb.com/?actor.bunse) | High
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
|
|
@ -14,9 +14,11 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
|
||||
## Actors
|
||||
|
||||
These _actors_ are associated with Ammyy:
|
||||
These _actors_ are associated with Ammyy or other actors linked to the campaign.
|
||||
|
||||
* [TA505](https://vuldb.com/?actor.ta505)
|
||||
ID | Actor | Confidence
|
||||
-- | ----- | ----------
|
||||
1 | [TA505](https://vuldb.com/?actor.ta505) | High
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -24,8 +26,8 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
|
|||
|
||||
ID | IP address | Hostname | Actor | Confidence
|
||||
-- | ---------- | -------- | ----- | ----------
|
||||
1 | [179.60.146.3](https://vuldb.com/?ip.179.60.146.3) | hostby.data-solutions.net | TA505 | High
|
||||
2 | [194.165.16.11](https://vuldb.com/?ip.194.165.16.11) | - | TA505 | High
|
||||
1 | [179.60.146.3](https://vuldb.com/?ip.179.60.146.3) | hostby.data-solutions.net | [TA505](https://vuldb.com/?actor.ta505) | High
|
||||
2 | [194.165.16.11](https://vuldb.com/?ip.194.165.16.11) | - | [TA505](https://vuldb.com/?actor.ta505) | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
|
|
@ -0,0 +1,69 @@
|
|||
# Amnesty International Attacks - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Amnesty International Attacks_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Amnesty International Attacks:
|
||||
|
||||
* [CH](https://vuldb.com/?country.ch)
|
||||
* [GB](https://vuldb.com/?country.gb)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
|
||||
## Actors
|
||||
|
||||
These _actors_ are associated with Amnesty International Attacks or other actors linked to the campaign.
|
||||
|
||||
ID | Actor | Confidence
|
||||
-- | ----- | ----------
|
||||
1 | [NSO Group](https://vuldb.com/?actor.nso_group) | High
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Amnesty International Attacks.
|
||||
|
||||
ID | IP address | Hostname | Actor | Confidence
|
||||
-- | ---------- | -------- | ----- | ----------
|
||||
1 | [95.183.51.199](https://vuldb.com/?ip.95.183.51.199) | hosted-by.solarcom.ch | [NSO Group](https://vuldb.com/?actor.nso_group) | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Amnesty International Attacks. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1211 | CWE-254 | 7PK Security Features | High
|
||||
2 | T1222 | CWE-275 | Permission Issues | High
|
||||
3 | T1495 | CWE-494 | Download of Code Without Integrity Check | High
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Amnesty International Attacks. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `dwrcs.exe` | Medium
|
||||
2 | File | `save.php` | Medium
|
||||
3 | File | `Util/PHP/eval-stdin.php` | High
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 3 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the campaign and the associated activities:
|
||||
|
||||
* https://citizenlab.ca/2018/07/nso-spyware-targeting-amnesty-international/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
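Review bot: the References entry is a bare URL (`* https://citizenlab.ca/2018/07/nso-spyware-targeting-amnesty-international/`) while the Literature list directly below uses titled markdown links; for consistent rendering, emit references as titled links as well (source name as link text). This applies to the References section of every new file in this commit.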
@ -0,0 +1,46 @@
|
|||
# Amnesty International and Pegasus - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Amnesty International and Pegasus_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Amnesty International and Pegasus:
|
||||
|
||||
* [UA](https://vuldb.com/?country.ua)
|
||||
|
||||
## Actors
|
||||
|
||||
These _actors_ are associated with Amnesty International and Pegasus or other actors linked to the campaign.
|
||||
|
||||
ID | Actor | Confidence
|
||||
-- | ----- | ----------
|
||||
1 | [Sarwent](https://vuldb.com/?actor.sarwent) | High
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Amnesty International and Pegasus.
|
||||
|
||||
ID | IP address | Hostname | Actor | Confidence
|
||||
-- | ---------- | -------- | ----- | ----------
|
||||
1 | [87.249.53.124](https://vuldb.com/?ip.87.249.53.124) | 713697-cj66716.tmweb.ru | [Sarwent](https://vuldb.com/?actor.sarwent) | High
|
||||
2 | [185.215.113.67](https://vuldb.com/?ip.185.215.113.67) | - | [Sarwent](https://vuldb.com/?actor.sarwent) | High
|
||||
3 | [194.9.71.129](https://vuldb.com/?ip.194.9.71.129) | free.gmhost.hosting | [Sarwent](https://vuldb.com/?actor.sarwent) | High
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the campaign and the associated activities:
|
||||
|
||||
* https://blog.talosintelligence.com/2021/09/fakeantipegasusamnesty.html
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
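Review bot: the Actors table lists `Sarwent` with High confidence, but Sarwent is the remote-access malware family dropped by the fake anti-Pegasus tool that the referenced Talos post (`fakeantipegasusamnesty.html`) describes, not a threat group; either name the operating group if the source attributes one, or mark the entry as a malware family standing in for the actor so consumers do not treat it as attribution.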
@ -0,0 +1,71 @@
|
|||
# AnchorMail - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _AnchorMail_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with AnchorMail:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
|
||||
## Actors
|
||||
|
||||
These _actors_ are associated with AnchorMail or other actors linked to the campaign.
|
||||
|
||||
ID | Actor | Confidence
|
||||
-- | ----- | ----------
|
||||
1 | [TrickBot](https://vuldb.com/?actor.trickbot) | High
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of AnchorMail.
|
||||
|
||||
ID | IP address | Hostname | Actor | Confidence
|
||||
-- | ---------- | -------- | ----- | ----------
|
||||
1 | [213.252.247.230](https://vuldb.com/?ip.213.252.247.230) | 15906-28547.bacloud.info | [TrickBot](https://vuldb.com/?actor.trickbot) | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within AnchorMail. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
|
||||
3 | T1211 | CWE-254 | 7PK Security Features | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 2 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during AnchorMail. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/+CSCOE+/logon.html` | High
|
||||
2 | File | `inc.login.php` | High
|
||||
3 | File | `mod_tls.c` | Medium
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 1 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the campaign and the associated activities:
|
||||
|
||||
* https://securityintelligence.com/posts/new-malware-trickbot-anchordns-backdoor-upgrades-anchormail/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -0,0 +1,39 @@
|
|||
# Anthem - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Anthem_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)
|
||||
|
||||
## Actors
|
||||
|
||||
These _actors_ are associated with Anthem or other actors linked to the campaign.
|
||||
|
||||
ID | Actor | Confidence
|
||||
-- | ----- | ----------
|
||||
1 | [TopSec](https://vuldb.com/?actor.topsec) | High
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Anthem.
|
||||
|
||||
ID | IP address | Hostname | Actor | Confidence
|
||||
-- | ---------- | -------- | ----- | ----------
|
||||
1 | [142.91.76.134](https://vuldb.com/?ip.142.91.76.134) | mx3.29v.info | [TopSec](https://vuldb.com/?actor.topsec) | High
|
||||
2 | [192.199.254.126](https://vuldb.com/?ip.192.199.254.126) | - | [TopSec](https://vuldb.com/?actor.topsec) | High
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the campaign and the associated activities:
|
||||
|
||||
* https://www.threatminer.org/report.php?q=Anthem_hack_all_roads_lead_to_China.pdf&y=2015
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -0,0 +1,76 @@
|
|||
# Anunak - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Anunak_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Anunak:
|
||||
|
||||
* [SE](https://vuldb.com/?country.se)
|
||||
* [RU](https://vuldb.com/?country.ru)
|
||||
* [SL](https://vuldb.com/?country.sl)
|
||||
* ...
|
||||
|
||||
There are 8 more country items available. Please use our online service to access the data.
|
||||
|
||||
## Actors
|
||||
|
||||
These _actors_ are associated with Anunak or other actors linked to the campaign.
|
||||
|
||||
ID | Actor | Confidence
|
||||
-- | ----- | ----------
|
||||
1 | [Carbanak](https://vuldb.com/?actor.carbanak) | High
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Anunak.
|
||||
|
||||
ID | IP address | Hostname | Actor | Confidence
|
||||
-- | ---------- | -------- | ----- | ----------
|
||||
1 | [95.215.45.94](https://vuldb.com/?ip.95.215.45.94) | 94.electric.215.codezion.nl | [Carbanak](https://vuldb.com/?actor.carbanak) | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Anunak. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1211 | CWE-254 | 7PK Security Features | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 4 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Anunak. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/api/addusers` | High
|
||||
2 | File | `/public/login.htm` | High
|
||||
3 | File | `ajax_rulesuggest.php` | High
|
||||
4 | File | `block/bfq-iosched.c` | High
|
||||
5 | ... | ... | ...
|
||||
|
||||
There are 29 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the campaign and the associated activities:
|
||||
|
||||
* https://www.threatminer.org/report.php?q=NewCarbanak-Trustwave.pdf&y=2016
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -0,0 +1,87 @@
|
|||
# AppleJeus - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _AppleJeus_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with AppleJeus:
|
||||
|
||||
* [DE](https://vuldb.com/?country.de)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [ES](https://vuldb.com/?country.es)
|
||||
* ...
|
||||
|
||||
There are 3 more country items available. Please use our online service to access the data.
|
||||
|
||||
## Actors
|
||||
|
||||
These _actors_ are associated with AppleJeus or other actors linked to the campaign.
|
||||
|
||||
ID | Actor | Confidence
|
||||
-- | ----- | ----------
|
||||
1 | [Lazarus](https://vuldb.com/?actor.lazarus) | High
|
||||
2 | [DPRK](https://vuldb.com/?actor.dprk) | High
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of AppleJeus.
|
||||
|
||||
ID | IP address | Hostname | Actor | Confidence
|
||||
-- | ---------- | -------- | ----- | ----------
|
||||
1 | [45.33.2.79](https://vuldb.com/?ip.45.33.2.79) | li956-79.members.linode.com | [DPRK](https://vuldb.com/?actor.dprk) | High
|
||||
2 | [45.33.23.183](https://vuldb.com/?ip.45.33.23.183) | li977-183.members.linode.com | [DPRK](https://vuldb.com/?actor.dprk) | High
|
||||
3 | [45.56.79.23](https://vuldb.com/?ip.45.56.79.23) | li929-23.members.linode.com | [DPRK](https://vuldb.com/?actor.dprk) | High
|
||||
4 | [45.79.19.196](https://vuldb.com/?ip.45.79.19.196) | li1118-196.members.linode.com | [DPRK](https://vuldb.com/?actor.dprk) | High
|
||||
5 | [45.199.63.220](https://vuldb.com/?ip.45.199.63.220) | - | [DPRK](https://vuldb.com/?actor.dprk) | High
|
||||
6 | ... | ... | ... | ...
|
||||
|
||||
There are 20 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within AppleJeus. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1211 | CWE-358 | 7PK Security Features | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 2 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during AppleJeus. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/index.php/weblinks-categories` | High
|
||||
2 | File | `admin/mail.php` | High
|
||||
3 | File | `admin_edit_room.php` | High
|
||||
4 | File | `ajax/actions.php` | High
|
||||
5 | File | `AutoUpdater.cs` | High
|
||||
6 | File | `body2.ghp` | Medium
|
||||
7 | ... | ... | ...
|
||||
|
||||
There are 46 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the campaign and the associated activities:
|
||||
|
||||
* https://us-cert.cisa.gov/ncas/alerts/aa21-048a
|
||||
* https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
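Review bot: TTP row 3 (`T1211 | CWE-358 | 7PK Security Features`) has a Weakness and Description that disagree: `7PK Security Features` is the description the other files in this commit pair with `CWE-254` (see the AnchorMail and Anunak rows `T1211 | CWE-254 | 7PK Security Features`), whereas CWE-358 is "Improperly Implemented Security Check for Standard". Either change the Weakness cell to CWE-254 or update the Description to match CWE-358.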
@ -0,0 +1,83 @@
|
|||
# AppleSeed - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _AppleSeed_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with AppleSeed:
|
||||
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [JP](https://vuldb.com/?country.jp)
|
||||
* ...
|
||||
|
||||
There are 1 more country items available. Please use our online service to access the data.
|
||||
|
||||
## Actors
|
||||
|
||||
These _actors_ are associated with AppleSeed or other actors linked to the campaign.
|
||||
|
||||
ID | Actor | Confidence
-- | ----- | ----------
1 | [Kimsuky](https://vuldb.com/?actor.kimsuky) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of AppleSeed.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [27.102.107.63](https://vuldb.com/?ip.27.102.107.63) | - | [Kimsuky](https://vuldb.com/?actor.kimsuky) | High
2 | [27.102.114.89](https://vuldb.com/?ip.27.102.114.89) | - | [Kimsuky](https://vuldb.com/?actor.kimsuky) | High
3 | [45.13.135.103](https://vuldb.com/?ip.45.13.135.103) | - | [Kimsuky](https://vuldb.com/?actor.kimsuky) | High
4 | ... | ... | ... | ...

There are 5 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within AppleSeed. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 4 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during AppleSeed. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/.env` | Low
2 | File | `/cgi-bin/webproc` | High
3 | File | `/expert_wizard.php` | High
4 | File | `/mc` | Low
5 | File | `/tlogin.cgi` | Medium
6 | File | `/upload` | Low
7 | ... | ... | ...

There are 51 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -13,9 +13,11 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
## Actors

These _actors_ are associated with Asylum Ambuscade:
These _actors_ are associated with Asylum Ambuscade or other actors linked to the campaign.

* [Unknown](https://vuldb.com/?actor.unknown)
ID | Actor | Confidence
-- | ----- | ----------
1 | [Unknown](https://vuldb.com/?actor.unknown) | High

## IOC - Indicator of Compromise

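Review bot: in the new Actors table the placeholder `Unknown` is rendered as a linked actor with confidence `High`, which reads as a confident attribution to an entity called Unknown rather than as an open attribution; consider leaving the Actor cell unlinked for the placeholder or marking the Confidence cell as not applicable, so the table does not suggest a confirmed actor where none has been identified.
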
@ -23,9 +25,9 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [45.61.137.231](https://vuldb.com/?ip.45.61.137.231) | - | Unknown | High
2 | [84.32.188.96](https://vuldb.com/?ip.84.32.188.96) | - | Unknown | High
3 | [157.230.104.79](https://vuldb.com/?ip.157.230.104.79) | - | Unknown | High
1 | [45.61.137.231](https://vuldb.com/?ip.45.61.137.231) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
2 | [84.32.188.96](https://vuldb.com/?ip.84.32.188.96) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
3 | [157.230.104.79](https://vuldb.com/?ip.157.230.104.79) | - | [Unknown](https://vuldb.com/?actor.unknown) | High

## TTP - Tactics, Techniques, Procedures

@ -0,0 +1,87 @@
# AveMaria - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _AveMaria_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with AveMaria:

* [US](https://vuldb.com/?country.us)
* [IO](https://vuldb.com/?country.io)
* [RU](https://vuldb.com/?country.ru)
* ...

There are 5 more country items available. Please use our online service to access the data.

## Actors

These _actors_ are associated with AveMaria or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [FIN7](https://vuldb.com/?actor.fin7) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of AveMaria.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [91.192.100.62](https://vuldb.com/?ip.91.192.100.62) | 91-192-100-62.gerber.non-logging.vpn | [FIN7](https://vuldb.com/?actor.fin7) | High
2 | [168.167.45.162](https://vuldb.com/?ip.168.167.45.162) | gbe-msu2-2-bnkabc.btc.net.bw | [FIN7](https://vuldb.com/?actor.fin7) | High
3 | [185.61.138.249](https://vuldb.com/?ip.185.61.138.249) | hosted-by.blazingfast.io | [FIN7](https://vuldb.com/?actor.fin7) | High
4 | ... | ... | ... | ...

There are 2 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within AveMaria. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 2 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during AveMaria. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/anony/mjpg.cgi` | High
2 | File | `/etc/shadow` | Medium
3 | File | `/plain` | Low
4 | File | `/public/login.htm` | High
5 | File | `/service/upload` | High
6 | File | `/uncpath/` | Medium
7 | File | `/upload/catalog/controller/account/password.php` | High
8 | File | `admin/record_company.php` | High
9 | File | `auth-gss2.c` | Medium
10 | File | `awstats.pl` | Medium
11 | ... | ... | ...

There are 81 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

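Review bot: in the TTP table of this new file the Weakness and Description columns do not agree: row 2 pairs `CWE-264, CWE-284` with "Execution with Unnecessary Privileges", which is the title of CWE-250, and row 3 pairs `CWE-798` (Use of Hard-coded Credentials) with "Improper Restriction of Excessive Authentication Attempts", which is the title of CWE-307. Either the CWE ids or the descriptions should be corrected so the ATT&CK-to-CWE mapping is self-consistent; the same two rows recur in the other campaign files added by this commit.
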
@ -17,10 +17,12 @@ There are 3 more country items available. Please use our online service to acces
## Actors

These _actors_ are associated with Azorult:
These _actors_ are associated with Azorult or other actors linked to the campaign.

* [Ramnit](https://vuldb.com/?actor.ramnit)
* [Amadey Bot](https://vuldb.com/?actor.amadey bot)
ID | Actor | Confidence
-- | ----- | ----------
1 | [Ramnit](https://vuldb.com/?actor.ramnit) | High
2 | [Amadey Bot](https://vuldb.com/?actor.amadey_bot) | High

## IOC - Indicator of Compromise

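Review bot: the removed bullet linked to `https://vuldb.com/?actor.amadey bot` with an unencoded space, so the old link was malformed; the replacement table row corrects the slug to `actor.amadey_bot`, and any other file or generator that derives actor links from the display name should apply the same space-to-underscore substitution so the links stay consistent across the repository.
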
@ -28,9 +30,9 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [2.59.42.63](https://vuldb.com/?ip.2.59.42.63) | vds-cw08597.timeweb.ru | Amadey Bot | High
2 | [80.87.197.238](https://vuldb.com/?ip.80.87.197.238) | profiapp21.fvds.ru | Ramnit | High
3 | [93.189.44.143](https://vuldb.com/?ip.93.189.44.143) | - | Ramnit | High
1 | [2.59.42.63](https://vuldb.com/?ip.2.59.42.63) | vds-cw08597.timeweb.ru | [Amadey Bot](https://vuldb.com/?actor.amadey_bot) | High
2 | [80.87.197.238](https://vuldb.com/?ip.80.87.197.238) | profiapp21.fvds.ru | [Ramnit](https://vuldb.com/?actor.ramnit) | High
3 | [93.189.44.143](https://vuldb.com/?ip.93.189.44.143) | - | [Ramnit](https://vuldb.com/?actor.ramnit) | High
4 | ... | ... | ... | ...

There are 3 more IOC items available. Please use our online service to access the data.

@ -0,0 +1,86 @@
# BLINDINGCAN - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _BLINDINGCAN_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with BLINDINGCAN:

* [US](https://vuldb.com/?country.us)
* [ES](https://vuldb.com/?country.es)
* [GR](https://vuldb.com/?country.gr)
* ...

There are 10 more country items available. Please use our online service to access the data.

## Actors

These _actors_ are associated with BLINDINGCAN or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [DPRK](https://vuldb.com/?actor.dprk) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of BLINDINGCAN.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [51.68.152.96](https://vuldb.com/?ip.51.68.152.96) | ns3122934.ip-51-68-152.eu | [DPRK](https://vuldb.com/?actor.dprk) | High
2 | [54.241.91.49](https://vuldb.com/?ip.54.241.91.49) | ec2-54-241-91-49.us-west-1.compute.amazonaws.com | [DPRK](https://vuldb.com/?actor.dprk) | Medium
3 | [192.99.20.39](https://vuldb.com/?ip.192.99.20.39) | ns559193.ip-192-99-20.net | [DPRK](https://vuldb.com/?actor.dprk) | High
4 | ... | ... | ... | ...

There are 1 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within BLINDINGCAN. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1211 | CWE-254 | 7PK Security Features | High
4 | ... | ... | ... | ...

There are 2 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during BLINDINGCAN. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `.htaccess` | Medium
2 | File | `/admin/config.php?display=backup` | High
3 | File | `/search.php` | Medium
4 | File | `/sources/folders.queries.php` | High
5 | File | `/uncpath/` | Medium
6 | File | `/var/log/nginx` | High
7 | File | `addentry.php` | Medium
8 | File | `admin.php` | Medium
9 | File | `admin/google_search_console/class-gsc-table.php` | High
10 | ... | ... | ...

There are 71 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -0,0 +1,120 @@
# BOUNDLESS INFORMANT - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _BOUNDLESS INFORMANT_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with BOUNDLESS INFORMANT:

* [US](https://vuldb.com/?country.us)
* [GB](https://vuldb.com/?country.gb)
* [CN](https://vuldb.com/?country.cn)
* ...

There are 25 more country items available. Please use our online service to access the data.

## Actors

These _actors_ are associated with BOUNDLESS INFORMANT or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [NSA](https://vuldb.com/?actor.nsa) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of BOUNDLESS INFORMANT.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [31.6.17.94](https://vuldb.com/?ip.31.6.17.94) | - | [NSA](https://vuldb.com/?actor.nsa) | High
2 | [37.72.168.84](https://vuldb.com/?ip.37.72.168.84) | 84.168.72.37.static.swiftway.net | [NSA](https://vuldb.com/?actor.nsa) | High
3 | [37.130.229.100](https://vuldb.com/?ip.37.130.229.100) | uk.server | [NSA](https://vuldb.com/?actor.nsa) | High
4 | [37.130.229.101](https://vuldb.com/?ip.37.130.229.101) | uk.server | [NSA](https://vuldb.com/?actor.nsa) | High
5 | [37.220.10.28](https://vuldb.com/?ip.37.220.10.28) | h37-220-10-28.host.redstation.co.uk | [NSA](https://vuldb.com/?actor.nsa) | High
6 | [50.115.118.140](https://vuldb.com/?ip.50.115.118.140) | sfaaa.net | [NSA](https://vuldb.com/?actor.nsa) | High
7 | ... | ... | ... | ...

There are 25 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within BOUNDLESS INFORMANT. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 4 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during BOUNDLESS INFORMANT. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `.procmailrc` | Medium
2 | File | `/.ssh/authorized_keys2` | High
3 | File | `/admin-ajax.php?action=eps_redirect_save` | High
4 | File | `/anony/mjpg.cgi` | High
5 | File | `/auth` | Low
6 | File | `/dashboard/view-chair-list.php` | High
7 | File | `/etc/hosts` | Medium
8 | File | `/filemanager/upload.php` | High
9 | File | `/GponForm/device_Form?script/` | High
10 | File | `/GponForm/fsetup_Form` | High
11 | File | `/GponForm/usb_restore_Form?script/` | High
12 | File | `/html/device-id` | High
13 | File | `/includes/decorators/global-translations.jsp` | High
14 | File | `/index.php` | Medium
15 | File | `/product_list.php` | High
16 | File | `/secure/QueryComponent!Default.jspa` | High
17 | File | `/see_more_details.php` | High
18 | File | `/server-status` | High
19 | File | `/setSystemAdmin` | High
20 | File | `/uncpath/` | Medium
21 | File | `/usr/local/WowzaStreamingEngine/bin/` | High
22 | File | `/WEB-INF/web.xml` | High
23 | File | `actbar3.ocx` | Medium
24 | File | `adclick.php` | Medium
25 | File | `addentry.php` | Medium
26 | File | `admin.php` | Medium
27 | File | `admin/executar_login.php` | High
28 | File | `admin/mcart_xls_import.php` | High
29 | File | `admin/setting.php` | High
30 | File | `admin/src/containers/InputModalStepperProvider/index.js` | High
31 | File | `admin/users/add` | High
32 | File | `administrator/components/com_media/helpers/media.php` | High
33 | File | `admin_ranks.php` | High
34 | File | `ajax-actions.php` | High
35 | File | `ajaxRequest/methodCall.do` | High
36 | File | `alipay/alipayapi.php` | High
37 | File | `apcupsd.exe` | Medium
38 | File | `apply.cgi` | Medium
39 | File | `auth.inc.php` | Medium
40 | File | `auth.py` | Low
41 | ... | ... | ...

There are 357 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://medium.com/@danchodanchev/how-the-nsa-utilized-iranian-cyber-proxies-to-participate-in-the-boundless-informant-program-e82045d44848

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -0,0 +1,38 @@
# BabyShark - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _BabyShark_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Actors

These _actors_ are associated with BabyShark or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [BabyShark](https://vuldb.com/?actor.babyshark) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of BabyShark.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [173.248.170.149](https://vuldb.com/?ip.173.248.170.149) | - | [BabyShark](https://vuldb.com/?actor.babyshark) | High

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://www.threatminer.org/_reports/2019/BabySharkMalwarePartTwo%E2%80%93AttacksContinueUsingKimJongRATandPCRat.pdf#viewer.action=download

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

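Review bot: the Actors table of this new file lists `BabyShark`, the campaign's own name, as its only associated actor with confidence `High`, so the attribution is circular and carries no information beyond the file title; if no distinct actor is known for this campaign, the row should say so in the same way the other files in this commit handle unattributed campaigns, rather than presenting the campaign as its own actor.
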
@ -0,0 +1,76 @@
# Badhatch - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Badhatch_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Badhatch:

* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [IT](https://vuldb.com/?country.it)
* ...

There are 1 more country items available. Please use our online service to access the data.

## Actors

These _actors_ are associated with Badhatch or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [FIN8](https://vuldb.com/?actor.fin8) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Badhatch.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [104.168.145.204](https://vuldb.com/?ip.104.168.145.204) | hwsrv-836597.hostwindsdns.com | [FIN8](https://vuldb.com/?actor.fin8) | High
2 | [192.52.167.199](https://vuldb.com/?ip.192.52.167.199) | mx312.punkchaine.net | [FIN8](https://vuldb.com/?actor.fin8) | High
3 | [192.129.189.73](https://vuldb.com/?ip.192.129.189.73) | hwsrv-830717.hostwindsdns.com | [FIN8](https://vuldb.com/?actor.fin8) | High
4 | ... | ... | ... | ...

There are 1 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Badhatch. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Badhatch. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `addentry.php` | Medium
2 | File | `add_comment.php` | High
3 | File | `admin/index.php` | High
4 | ... | ... | ...

There are 20 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://vxug.fakedoma.in/archive/APTs/2021/2021.03.10/BADHATCH.pdf

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -0,0 +1,83 @@
# Badnews - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Badnews_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Badnews:

* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [DE](https://vuldb.com/?country.de)
* ...

There are 11 more country items available. Please use our online service to access the data.

## Actors

These _actors_ are associated with Badnews or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [Patchwork](https://vuldb.com/?actor.patchwork) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Badnews.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [5.254.98.68](https://vuldb.com/?ip.5.254.98.68) | - | [Patchwork](https://vuldb.com/?actor.patchwork) | High
2 | [43.249.37.173](https://vuldb.com/?ip.43.249.37.173) | - | [Patchwork](https://vuldb.com/?actor.patchwork) | High
3 | [85.25.79.230](https://vuldb.com/?ip.85.25.79.230) | mail.sendwithyou.co.uk | [Patchwork](https://vuldb.com/?actor.patchwork) | High

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Badnews. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
3 | T1211 | CWE-254 | 7PK Security Features | High
4 | ... | ... | ... | ...

There are 1 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Badnews. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/adfs/ls` | Medium
2 | File | `/admin/config.php?display=disa&view=form` | High
3 | File | `/admin/user/add` | High
4 | File | `/context/%2e/WEB-INF/web.xml` | High
5 | File | `/webconsole/APIController` | High
6 | File | `admin/help.php` | High
7 | File | `ajax_ftp_manager.php` | High
8 | File | `ashop/basket.php` | High
9 | File | `coders/gif.c` | Medium
10 | ... | ... | ...

There are 70 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -0,0 +1,40 @@
# Bergard - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Bergard_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Actors

These _actors_ are associated with Bergard or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [C0d0so](https://vuldb.com/?actor.c0d0so) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Bergard.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [42.200.18.194](https://vuldb.com/?ip.42.200.18.194) | - | [C0d0so](https://vuldb.com/?actor.c0d0so) | High
2 | [210.181.184.64](https://vuldb.com/?ip.210.181.184.64) | - | [C0d0so](https://vuldb.com/?actor.c0d0so) | High
3 | [218.54.139.20](https://vuldb.com/?ip.218.54.139.20) | - | [C0d0so](https://vuldb.com/?actor.c0d0so) | High

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://www.threatminer.org/report.php?q=ExploringBergard_OldMalwarewithNewTricks_Proofpoint.pdf&y=2016

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -0,0 +1,85 @@
# Bitterbug - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Bitterbug_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Bitterbug:

* [US](https://vuldb.com/?country.us)
* [ES](https://vuldb.com/?country.es)
* [RU](https://vuldb.com/?country.ru)
* ...

There are 5 more country items available. Please use our online service to access the data.

## Actors

These _actors_ are associated with Bitterbug or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [Tranchulas](https://vuldb.com/?actor.tranchulas) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Bitterbug.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [46.4.139.224](https://vuldb.com/?ip.46.4.139.224) | static.224.139.4.46.clients.your-server.de | [Tranchulas](https://vuldb.com/?actor.tranchulas) | High
2 | [46.4.139.225](https://vuldb.com/?ip.46.4.139.225) | static.225.139.4.46.clients.your-server.de | [Tranchulas](https://vuldb.com/?actor.tranchulas) | High
3 | [184.75.214.10](https://vuldb.com/?ip.184.75.214.10) | - | [Tranchulas](https://vuldb.com/?actor.tranchulas) | High
4 | ... | ... | ... | ...

There are 4 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Bitterbug. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 4 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Bitterbug. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/cgi/loginDefaultUser` | High
2 | File | `/contentshare/image/data/user/0/com.sony.dtv.photosharingplus/files/_BRAVPSS.TMP/LJYT0010.JPG` | High
3 | File | `/etc/shadow` | Medium
4 | File | `/proc/ioports` | High
5 | File | `/uncpath/` | Medium
6 | File | `/webconsole/APIController` | High
7 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
8 | File | `AccountStatus.jsp` | High
9 | ... | ... | ...

There are 62 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://www.threatminer.org/report.php?q=ThreatConnect_Operation_Arachnophobia_Report.pdf&y=2014

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -0,0 +1,116 @@
# BlackEnergy - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _BlackEnergy_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with BlackEnergy:

* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [RU](https://vuldb.com/?country.ru)
* ...

There are 26 more country items available. Please use our online service to access the data.

## Actors

These _actors_ are associated with BlackEnergy or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [Sandworm Team](https://vuldb.com/?actor.sandworm_team) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of BlackEnergy.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [5.9.32.230](https://vuldb.com/?ip.5.9.32.230) | static.230.32.9.5.clients.your-server.de | [Sandworm Team](https://vuldb.com/?actor.sandworm_team) | High
2 | [5.61.38.31](https://vuldb.com/?ip.5.61.38.31) | - | [Sandworm Team](https://vuldb.com/?actor.sandworm_team) | High
3 | [5.79.80.166](https://vuldb.com/?ip.5.79.80.166) | - | [Sandworm Team](https://vuldb.com/?actor.sandworm_team) | High
4 | [5.149.254.114](https://vuldb.com/?ip.5.149.254.114) | mail1.auditoriavanzada.info | [Sandworm Team](https://vuldb.com/?actor.sandworm_team) | High
5 | [5.255.87.39](https://vuldb.com/?ip.5.255.87.39) | - | [Sandworm Team](https://vuldb.com/?actor.sandworm_team) | High
6 | ... | ... | ... | ...

There are 20 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within BlackEnergy. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 5 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during BlackEnergy. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/?module=users§ion=cpanel&page=list` | High
2 | File | `/admin/powerline` | High
3 | File | `/admin/syslog` | High
4 | File | `/api/upload` | Medium
5 | File | `/cgi-bin` | Medium
6 | File | `/cgi-bin/kerbynet` | High
7 | File | `/context/%2e/WEB-INF/web.xml` | High
8 | File | `/dcim/sites/add/` | High
9 | File | `/EXCU_SHELL` | Medium
10 | File | `/forum/away.php` | High
11 | File | `/fudforum/adm/hlplist.php` | High
12 | File | `/login` | Low
13 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
14 | File | `/monitoring` | Medium
15 | File | `/new` | Low
16 | File | `/proc/<pid>/status` | High
17 | File | `/public/plugins/` | High
18 | File | `/rom` | Low
19 | File | `/scripts/killpvhost` | High
20 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
21 | File | `/secure/QueryComponent!Default.jspa` | High
22 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
23 | File | `/tmp` | Low
24 | File | `/tmp/redis.ds` | High
25 | File | `/uncpath/` | Medium
26 | File | `/usr/bin/pkexec` | High
27 | File | `/ViewUserHover.jspa` | High
28 | File | `/wp-admin` | Medium
29 | File | `/wp-json/wc/v3/webhooks` | High
30 | File | `AccountManagerService.java` | High
31 | File | `actions/CompanyDetailsSave.php` | High
32 | File | `ActiveServices.java` | High
33 | File | `ActivityManagerService.java` | High
34 | File | `addlink.php` | Medium
35 | File | `addtocart.asp` | High
36 | File | `admin.php` | Medium
37 | ... | ... | ...

There are 315 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://www.threatminer.org/report.php?q=BlackEnergy2_Plugins_Router.pdf&y=2014
* https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
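Review bot: row 1 of the BlackEnergy IOA table, `/?module=users§ion=cpanel&page=list`, looks like an HTML-entity decoding error rather than a real indicator: a query string of the form `module=users&section=cpanel&page=list` has had its `&sect` prefix decoded to `§`, leaving `§ion=`. The generator should emit the raw query string or escape the ampersand before rendering; the other indicators in the same table keep their `&` intact (for example row 13, `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp`), so this row is the one that will not match anything in a web access log.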
@ -0,0 +1,81 @@
# BlackWater - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _BlackWater_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with BlackWater:

* [US](https://vuldb.com/?country.us)
* [GB](https://vuldb.com/?country.gb)
* [CA](https://vuldb.com/?country.ca)
* ...

There are 2 more country items available. Please use our online service to access the data.

## Actors

These _actors_ are associated with BlackWater or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [MuddyWater](https://vuldb.com/?actor.muddywater) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of BlackWater.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [38.132.99.167](https://vuldb.com/?ip.38.132.99.167) | - | [MuddyWater](https://vuldb.com/?actor.muddywater) | High
2 | [82.102.8.101](https://vuldb.com/?ip.82.102.8.101) | h82-102-8-101.host.redstation.co.uk | [MuddyWater](https://vuldb.com/?actor.muddywater) | High
3 | [94.23.148.194](https://vuldb.com/?ip.94.23.148.194) | ip194.ip-94-23-148.eu | [MuddyWater](https://vuldb.com/?actor.muddywater) | High
4 | ... | ... | ... | ...

There are 1 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within BlackWater. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1555 | CWE-312 | Cleartext Storage of Sensitive Information | High
4 | ... | ... | ... | ...

There are 2 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during BlackWater. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `%PROGRAMFILES%\MyQ\PHP\Sessions\` | High
2 | File | `/.flatpak-info` | High
3 | File | `/nagiosxi/admin/graphtemplates.php` | High
4 | File | `/usr/bin/pkexec` | High
5 | ... | ... | ...

There are 33 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -0,0 +1,46 @@
# Boleto Mestre - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Boleto Mestre_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Boleto Mestre:

* [US](https://vuldb.com/?country.us)
* [NP](https://vuldb.com/?country.np)

## Actors

These _actors_ are associated with Boleto Mestre or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [Brazil Unknown](https://vuldb.com/?actor.brazil_unknown) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Boleto Mestre.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [65.181.113.87](https://vuldb.com/?ip.65.181.113.87) | mx1.lifestylefundings.com | [Brazil Unknown](https://vuldb.com/?actor.brazil_unknown) | High
2 | [65.181.127.152](https://vuldb.com/?ip.65.181.127.152) | portal2.brewmyidea.com | [Brazil Unknown](https://vuldb.com/?actor.brazil_unknown) | High

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://unit42.paloaltonetworks.com/unit42-master-channel-the-boleto-mestre-campaign-targets-brazil/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -0,0 +1,75 @@
# Bronze Union - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Bronze Union_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Bronze Union:

* [CN](https://vuldb.com/?country.cn)
* [US](https://vuldb.com/?country.us)

## Actors

These _actors_ are associated with Bronze Union or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [TG-3390](https://vuldb.com/?actor.tg-3390) | High
2 | [Bronze Union](https://vuldb.com/?actor.bronze_union) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Bronze Union.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [45.114.9.174](https://vuldb.com/?ip.45.114.9.174) | - | [Bronze Union](https://vuldb.com/?actor.bronze_union) | High
2 | [96.90.63.57](https://vuldb.com/?ip.96.90.63.57) | nleq.com | [Bronze Union](https://vuldb.com/?actor.bronze_union) | High
3 | [104.130.244.126](https://vuldb.com/?ip.104.130.244.126) | - | [TG-3390](https://vuldb.com/?actor.tg-3390) | High
4 | ... | ... | ... | ...

There are 10 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Bronze Union. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-284 | Execution with Unnecessary Privileges | High
3 | T1548.002 | CWE-285 | Improper Authorization | High

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Bronze Union. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/getcfg.php` | Medium
2 | File | `http_auth.c` | Medium
3 | File | `public/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]` | High
4 | ... | ... | ...

There are 5 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://www.secureworks.com/research/bronze-union
* https://www.threatminer.org/report.php?q=BRONZEUNIONCyberespionagePersistsDespiteDisclosures_SecureWorks.pdf&y=2017

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -0,0 +1,126 @@
# BumbleBee - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _BumbleBee_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with BumbleBee:

* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [NL](https://vuldb.com/?country.nl)
* ...

There are 35 more country items available. Please use our online service to access the data.

## Actors

These _actors_ are associated with BumbleBee or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [xHunt](https://vuldb.com/?actor.xhunt) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of BumbleBee.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [23.92.127.18](https://vuldb.com/?ip.23.92.127.18) | - | [xHunt](https://vuldb.com/?actor.xhunt) | High
2 | [46.246.3.253](https://vuldb.com/?ip.46.246.3.253) | - | [xHunt](https://vuldb.com/?actor.xhunt) | High
3 | [46.246.3.254](https://vuldb.com/?ip.46.246.3.254) | - | [xHunt](https://vuldb.com/?actor.xhunt) | High
4 | [77.243.191.20](https://vuldb.com/?ip.77.243.191.20) | - | [xHunt](https://vuldb.com/?actor.xhunt) | High
5 | [82.102.21.219](https://vuldb.com/?ip.82.102.21.219) | - | [xHunt](https://vuldb.com/?actor.xhunt) | High
6 | [84.17.55.68](https://vuldb.com/?ip.84.17.55.68) | unn-84-17-55-68.cdn77.com | [xHunt](https://vuldb.com/?actor.xhunt) | High
7 | ... | ... | ... | ...

There are 26 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within BumbleBee. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
2 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
3 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
4 | ... | ... | ... | ...

There are 9 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during BumbleBee. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/+CSCOE+/logon.html` | High
2 | File | `/../../conf/template/uhttpd.json` | High
3 | File | `/about.php` | Medium
4 | File | `/account/register` | High
5 | File | `/app1/admin#foo` | High
6 | File | `/articles/welcome-to-your-site#comments-head` | High
7 | File | `/assets/ctx` | Medium
8 | File | `/bin/boa` | Medium
9 | File | `/cgi?1&5` | Medium
10 | File | `/config/getuser` | High
11 | File | `/configs/application.ini` | High
12 | File | `/debug/pprof` | Medium
13 | File | `/etc/sudoers` | Medium
14 | File | `/export` | Low
15 | File | `/forum/away.php` | High
16 | File | `/gracemedia-media-player/templates/files/ajax_controller.php` | High
17 | File | `/iissamples` | Medium
18 | File | `/login` | Low
19 | File | `/plugin/file_manager/` | High
20 | File | `/public/plugins/` | High
21 | File | `/sbin/gs_config` | High
22 | File | `/settings` | Medium
23 | File | `/Storage/Emulated/0/Telegram/Telegram` | High
24 | File | `/uncpath/` | Medium
25 | File | `/Upload/admin/index.php?module=forum-management&action=add` | High
26 | File | `/uploads/dede` | High
27 | File | `/usr/bin/pkexec` | High
28 | File | `/WEB-INF/web.xml` | High
29 | File | `/webman/info.cgi` | High
30 | File | `/wp-json/oembed/1.0/embed?url` | High
31 | File | `/wp-json/wc/v3/webhooks` | High
32 | File | `/_next` | Low
33 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
34 | File | `adclick.php` | Medium
35 | File | `admin.php?m=admin&c=site&a=save` | High
36 | File | `admin.php?page=languages` | High
37 | File | `admin/backupdb.php` | High
38 | File | `admin/bitrix.mpbuilder_step2.php` | High
39 | File | `admin/bitrix.xscan_worker.php` | High
40 | File | `admin/conf_users_edit.php` | High
41 | File | `admin/gb-dashboard-widget.php` | High
42 | File | `admin/mcart_xls_import.php` | High
43 | File | `admin/modules/tools/ip_history_logs.php` | High
44 | File | `admin/ops/reports/ops/news.php` | High
|
||||
45 | File | `admin/orion.extfeedbackform_efbf_forms.php` | High
|
||||
46 | File | `adminer.php` | Medium
|
||||
47 | ... | ... | ...
|
||||
|
||||
There are 411 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the campaign and the associated activities:
|
||||
|
||||
* https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
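Review bot: the IOA table mixes very generic paths such as `/login`, `/settings` and `/export` (rows 14, 18, 22, 32, rated Low or Medium) with specific ones; anyone feeding this file into blocklists or detection rules should be told that those rows come from the predictive model rather than observed activity, or the Low-confidence rows should be filtered before export. Also, IOC row 6 (`84.17.55.68`) resolves to `unn-84-17-55-68.cdn77.com`, a shared CDN node, so that row deserves a note that blocking the IP or hostname affects unrelated traffic.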
@ -0,0 +1,83 @@

# C-Major - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _C-Major_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with C-Major:

* [US](https://vuldb.com/?country.us)
* [CA](https://vuldb.com/?country.ca)
* [SE](https://vuldb.com/?country.se)
* ...

There are 5 more country items available. Please use our online service to access the data.

## Actors

These _actors_ are associated with C-Major or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [APT36](https://vuldb.com/?actor.apt36) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of C-Major.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [5.189.137.8](https://vuldb.com/?ip.5.189.137.8) | vending.softjourn.if.ua | [APT36](https://vuldb.com/?actor.apt36) | High
2 | [5.189.143.225](https://vuldb.com/?ip.5.189.143.225) | - | [APT36](https://vuldb.com/?actor.apt36) | High
3 | [5.189.152.147](https://vuldb.com/?ip.5.189.152.147) | ccloud.armax.de | [APT36](https://vuldb.com/?actor.apt36) | High
4 | [5.189.167.23](https://vuldb.com/?ip.5.189.167.23) | mltx.de | [APT36](https://vuldb.com/?actor.apt36) | High
5 | ... | ... | ... | ...

There are 16 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within C-Major. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
3 | T1211 | CWE-254 | 7PK Security Features | High
4 | ... | ... | ... | ...

There are 3 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during C-Major. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/etc/sudoers` | Medium
2 | File | `/forum/away.php` | High
3 | File | `/out.php` | Medium
4 | File | `/products/details.asp` | High
5 | File | `/uncpath/` | Medium
6 | ... | ... | ...

There are 37 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://www.threatminer.org/report.php?q=indian-military-personnel-targeted-by-information-theft-campaign-cmajor.pdf&y=2016

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -0,0 +1,57 @@

# CCleaner - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _CCleaner_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with CCleaner:

* [US](https://vuldb.com/?country.us)

## Actors

These _actors_ are associated with CCleaner or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [APT17](https://vuldb.com/?actor.apt17) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of CCleaner.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [216.126.225.148](https://vuldb.com/?ip.216.126.225.148) | - | [APT17](https://vuldb.com/?actor.apt17) | High

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during CCleaner. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/wbg/core/_includes/authorization.inc.php` | High
2 | File | `inc/filebrowser/browser.php` | High
3 | File | `wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php` | High
4 | ... | ... | ...

There are 2 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://www.threatminer.org/report.php?q=EvidenceAuroraOperationStillActive_SupplyChainAttackThroughCCleaner-Intezer.pdf&y=2017

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -0,0 +1,83 @@

# COVID-19 - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _COVID-19_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with COVID-19:

* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [VN](https://vuldb.com/?country.vn)
* ...

There are 2 more country items available. Please use our online service to access the data.

## Actors

These _actors_ are associated with COVID-19 or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [APT29](https://vuldb.com/?actor.apt29) | High
2 | [Unknown](https://vuldb.com/?actor.unknown) | High
3 | [Vicious Panda](https://vuldb.com/?actor.vicious_panda) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of COVID-19.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [45.123.190.167](https://vuldb.com/?ip.45.123.190.167) | - | [APT29](https://vuldb.com/?actor.apt29) | High
2 | [45.129.229.48](https://vuldb.com/?ip.45.129.229.48) | - | [APT29](https://vuldb.com/?actor.apt29) | High
3 | [95.179.156.97](https://vuldb.com/?ip.95.179.156.97) | 95.179.156.97.vultr.com | [Vicious Panda](https://vuldb.com/?actor.vicious_panda) | Medium
4 | ... | ... | ... | ...

There are 7 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within COVID-19. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during COVID-19. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/pages/systemcall.php?command={COMMAND}` | High
2 | File | `/phppath/php` | Medium
3 | File | `/uncpath/` | Medium
4 | File | `/WEB-INF/web.xml` | High
5 | File | `abook_database.php` | High
6 | File | `adclick.php` | Medium
7 | ... | ... | ...

There are 50 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://github.com/blackorbird/APT_REPORT/blob/master/International%20Strategic/Russia/Advisory-APT29-targets-COVID-19-vaccine-development.pdf
* https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/
* https://us-cert.cisa.gov/ncas/alerts/aa20-225a

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

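Review bot: row 2 of the Actors table lists `Unknown` with confidence High, which is contradictory: an unattributed actor cannot be a high-confidence association. Either drop that row or give it the confidence its attribution actually carries, and state which IOC rows belong to it, since the visible IOC rows are attributed only to APT29 and Vicious Panda.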
@ -0,0 +1,76 @@

# CTB-Locker - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _CTB-Locker_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with CTB-Locker:

* [FR](https://vuldb.com/?country.fr)
* [US](https://vuldb.com/?country.us)
* [IT](https://vuldb.com/?country.it)
* ...

There are 1 more country items available. Please use our online service to access the data.

## Actors

These _actors_ are associated with CTB-Locker or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [Crimeware](https://vuldb.com/?actor.crimeware) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of CTB-Locker.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [5.134.122.150](https://vuldb.com/?ip.5.134.122.150) | hpt01.web.l1.armada.it | [Crimeware](https://vuldb.com/?actor.crimeware) | High
2 | [64.71.33.177](https://vuldb.com/?ip.64.71.33.177) | - | [Crimeware](https://vuldb.com/?actor.crimeware) | High
3 | [188.93.8.7](https://vuldb.com/?ip.188.93.8.7) | - | [Crimeware](https://vuldb.com/?actor.crimeware) | High
4 | ... | ... | ... | ...

There are 4 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within CTB-Locker. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
2 | T1587.003 | CWE-295 | Improper Certificate Validation | High

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during CTB-Locker. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `admin_store_form` | High
2 | File | `cscopf.ocx` | Medium
3 | File | `fs/inode.c` | Medium
4 | ... | ... | ...

There are 4 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://unit42.paloaltonetworks.com/newest-ctb-locker-campaign-bypasses-legacy-security-products/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

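Review bot: row 2 of the TTP table pairs T1587.003 (Develop Capabilities: Digital Certificates, an adversary obtaining certificates for its own infrastructure) with CWE-295 (Improper Certificate Validation, a flaw in the victim's certificate checking); the two describe different things, so the mapping should be re-checked or the Weakness cell left empty. Minor, in the generator template rather than this file: "There are 1 more country items available" should read "There is 1 more country item available".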
@ -0,0 +1,38 @@

# CVE-2015-5119 - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _CVE-2015-5119_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Actors

These _actors_ are associated with CVE-2015-5119 or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [APT3](https://vuldb.com/?actor.apt3) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of CVE-2015-5119.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [137.175.4.132](https://vuldb.com/?ip.137.175.4.132) | - | [APT3](https://vuldb.com/?actor.apt3) | High

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -0,0 +1,39 @@

# CVE-2017-1000353 - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _CVE-2017-1000353_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Actors

These _actors_ are associated with CVE-2017-1000353 or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [JenkinsMiner](https://vuldb.com/?actor.jenkinsminer) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of CVE-2017-1000353.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [183.136.202.244](https://vuldb.com/?ip.183.136.202.244) | - | [JenkinsMiner](https://vuldb.com/?actor.jenkinsminer) | High
2 | [222.184.79.11](https://vuldb.com/?ip.222.184.79.11) | - | [JenkinsMiner](https://vuldb.com/?actor.jenkinsminer) | High

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://research.checkpoint.com/2018/jenkins-miner-one-biggest-mining-operations-ever-discovered/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -0,0 +1,73 @@

# CVE-2017-17215 - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _CVE-2017-17215_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with CVE-2017-17215:

* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)

## Actors

These _actors_ are associated with CVE-2017-17215 or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [Gafgyt](https://vuldb.com/?actor.gafgyt) | High
2 | [Nexus Zeta](https://vuldb.com/?actor.nexus_zeta) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of CVE-2017-17215.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [7.59.177.0](https://vuldb.com/?ip.7.59.177.0) | - | [Nexus Zeta](https://vuldb.com/?actor.nexus_zeta) | High
2 | [93.97.219.0](https://vuldb.com/?ip.93.97.219.0) | 93-97-219-0.zone5.bethere.co.uk | [Nexus Zeta](https://vuldb.com/?actor.nexus_zeta) | High
3 | [106.110.90.0](https://vuldb.com/?ip.106.110.90.0) | - | [Nexus Zeta](https://vuldb.com/?actor.nexus_zeta) | High
4 | ... | ... | ... | ...

There are 2 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within CVE-2017-17215. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during CVE-2017-17215. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `AjaxFileUploadHandler.axd` | High
2 | File | `fs/ext4/xattr.c` | High
3 | File | `wp-admin/media-upload.php` | High
4 | ... | ... | ...

There are 2 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://research.checkpoint.com/2017/good-zero-day-skiddie/
* https://unit42.paloaltonetworks.com/home-small-office-wireless-routers-exploited-to-attack-gaming-servers/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

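Review bot: all three visible IOC rows (`7.59.177.0`, `93.97.219.0`, `106.110.90.0`) end in `.0`, which usually denotes a /24 network rather than a single host; verify them against the two referenced reports before publishing them as High-confidence host indicators, and if they are in fact ranges, record them in CIDR form so that consumers do not block one address and miss the rest.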
@ -0,0 +1,77 @@
# CVE-2018-2893 - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _CVE-2018-2893_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with CVE-2018-2893:

* [CN](https://vuldb.com/?country.cn)
* [US](https://vuldb.com/?country.us)

## Actors

These _actors_ are associated with CVE-2018-2893 or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [Luoxk](https://vuldb.com/?actor.luoxk) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of CVE-2018-2893.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [27.148.157.89](https://vuldb.com/?ip.27.148.157.89) | - | [Luoxk](https://vuldb.com/?actor.luoxk) | High
2 | [43.226.16.26](https://vuldb.com/?ip.43.226.16.26) | - | [Luoxk](https://vuldb.com/?actor.luoxk) | High
3 | [103.85.24.97](https://vuldb.com/?ip.103.85.24.97) | - | [Luoxk](https://vuldb.com/?actor.luoxk) | High
4 | ... | ... | ... | ...

There are 4 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within CVE-2018-2893. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 3 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during CVE-2018-2893. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/cgi-bin/portal` | High
2 | File | `/forum/away.php` | High
3 | File | `/service/upload` | High
4 | File | `/tmp` | Low
5 | ... | ... | ...

There are 28 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://blog.netlab.360.com/malicious-campaign-luoxk-is-actively-exploiting-cve-2018-2893/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

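Review bot: the IOA table presents bare, generic paths (`/cgi-bin/portal`, `/service/upload`, `/tmp`) as indicators with no observation source, and the section's own wording ("potential fragments", "predictive model") says they are model output rather than observed artefacts; add a sentence after the table stating that these rows are low-fidelity hunting hints that must be validated before they go into blocking or alerting rules, since `/tmp` on its own will match almost every host.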
@ -0,0 +1,52 @@
# CVE-2019-19781 - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _CVE-2019-19781_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with CVE-2019-19781:

* [CN](https://vuldb.com/?country.cn)

## Actors

These _actors_ are associated with CVE-2019-19781 or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [APT41](https://vuldb.com/?actor.apt41) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of CVE-2019-19781.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [66.42.98.220](https://vuldb.com/?ip.66.42.98.220) | 66.42.98.220.vultr.com | [APT41](https://vuldb.com/?actor.apt41) | Medium

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within CVE-2019-19781. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

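Review bot: the IOC table has a single row, `66.42.98.220` with a vultr.com hostname at Medium confidence, while the Actors table attributes APT41 at High; the file should say what each confidence value scores (the address's tie to the campaign versus the attribution) and give the row a first-seen/last-seen date, because a hosting-provider address gets reassigned and a dated indicator is the only kind a consumer can expire.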
@ -0,0 +1,73 @@
# CVE-2019-2725 - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _CVE-2019-2725_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with CVE-2019-2725:

* [US](https://vuldb.com/?country.us)

## Actors

These _actors_ are associated with CVE-2019-2725 or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [REvil](https://vuldb.com/?actor.revil) | High
2 | [Muhstik](https://vuldb.com/?actor.muhstik) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of CVE-2019-2725.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [45.55.211.79](https://vuldb.com/?ip.45.55.211.79) | - | [REvil](https://vuldb.com/?actor.revil) | High
2 | [130.61.54.136](https://vuldb.com/?ip.130.61.54.136) | - | [REvil](https://vuldb.com/?actor.revil) | High
3 | [165.227.78.159](https://vuldb.com/?ip.165.227.78.159) | - | [Muhstik](https://vuldb.com/?actor.muhstik) | High
4 | ... | ... | ... | ...

There are 1 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within CVE-2019-2725. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1222 | CWE-275 | Permission Issues | High

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during CVE-2019-2725. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `ActivityManagerService.java` | High
2 | File | `admin/settings.php` | High
3 | File | `index.php/holidaygroups/add` | High
4 | ... | ... | ...

There are 2 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html
* https://unit42.paloaltonetworks.com/muhstik-botnet-exploits-the-latest-weblogic-vulnerability-for-cryptomining-and-ddos-attacks/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

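Review bot: "There are 1 more IOC items available" is ungrammatical; the generator's template does not handle a count of one, and the same sentence recurs in this commit as "There are 1 more IOA items" in the CVE-2021-35211 file and "There are 1 more TTP items" in the CVE-2021-40539 file. Suggest "There is 1 more IOC item available." here and a pluralization branch in the template.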
@ -0,0 +1,39 @@
# CVE-2020-17496 - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _CVE-2020-17496_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Actors

These _actors_ are associated with CVE-2020-17496 or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [Shellbot](https://vuldb.com/?actor.shellbot) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of CVE-2020-17496.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [66.7.149.161](https://vuldb.com/?ip.66.7.149.161) | mail.skillscertkart.com | [Shellbot](https://vuldb.com/?actor.shellbot) | High
2 | [178.170.117.50](https://vuldb.com/?ip.178.170.117.50) | mail.tkgeo.com | [Shellbot](https://vuldb.com/?actor.shellbot) | High

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://unit42.paloaltonetworks.com/cve-2020-17496/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

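Review bot: both IOC hostnames carry a `mail.` label (`mail.skillscertkart.com`, `mail.tkgeo.com`), which reads as third-party mail servers rather than infrastructure the listed Shellbot actor owns; the table should say whether these are believed to be compromised hosts, because a defender who blocks them outright may cut legitimate mail flow, whereas alerting on contact with them is safe either way.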
@ -0,0 +1,39 @@
# CVE-2020-8515 - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _CVE-2020-8515_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Actors

These _actors_ are associated with CVE-2020-8515 or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [Bigviktor](https://vuldb.com/?actor.bigviktor) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of CVE-2020-8515.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [91.219.75.87](https://vuldb.com/?ip.91.219.75.87) | - | [Bigviktor](https://vuldb.com/?actor.bigviktor) | High
2 | [151.80.235.228](https://vuldb.com/?ip.151.80.235.228) | 228.ip-151-80-235.eu | [Bigviktor](https://vuldb.com/?actor.bigviktor) | High

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://blog.netlab.360.com/bigviktor-dga-botnet/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -0,0 +1,76 @@
# CVE-2021-26855 - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _CVE-2021-26855_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with CVE-2021-26855:

* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [AE](https://vuldb.com/?country.ae)
* ...

There are 3 more country items available. Please use our online service to access the data.

## Actors

These _actors_ are associated with CVE-2021-26855 or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [Unknown](https://vuldb.com/?actor.unknown) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of CVE-2021-26855.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [41.237.156.15](https://vuldb.com/?ip.41.237.156.15) | host-41.237.156.15.tedata.net | [Unknown](https://vuldb.com/?actor.unknown) | High
2 | [45.77.140.214](https://vuldb.com/?ip.45.77.140.214) | 45.77.140.214.vultr.com | [Unknown](https://vuldb.com/?actor.unknown) | Medium
3 | [63.76.255.110](https://vuldb.com/?ip.63.76.255.110) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
4 | ... | ... | ... | ...

There are 10 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within CVE-2021-26855. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-284 | Execution with Unnecessary Privileges | High

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during CVE-2021-26855. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/var/log/nginx` | High
2 | File | `catalog/productinfo/imageupload` | High
3 | File | `core/admin/modules/developer/modules/views/add.php` | High
4 | ... | ... | ...

There are 8 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://unit42.paloaltonetworks.com/exchange-server-credential-harvesting/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

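Review bot: the Actors table lists `Unknown` at High confidence and every IOC row repeats `[Unknown] | High`, which reads as a high-confidence attribution to nobody; either state in the Actors lead-in that the Confidence column scores the indicator's tie to the campaign rather than the attribution, or leave the confidence blank for the Unknown actor. The same pattern appears in the CVE-2021-40539 and CVE-2021-42237 files of this commit.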
@ -0,0 +1,63 @@
# CVE-2021-35211 - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _CVE-2021-35211_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with CVE-2021-35211:

* [CN](https://vuldb.com/?country.cn)
* [US](https://vuldb.com/?country.us)

## Actors

These _actors_ are associated with CVE-2021-35211 or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [DEV-0322](https://vuldb.com/?actor.dev-0322) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of CVE-2021-35211.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [68.235.178.32](https://vuldb.com/?ip.68.235.178.32) | huntres-cgo-cm1-68-235-178-32.vianet.ca | [DEV-0322](https://vuldb.com/?actor.dev-0322) | High
2 | [97.77.97.58](https://vuldb.com/?ip.97.77.97.58) | rrcs-97-77-97-58.sw.biz.rr.com | [DEV-0322](https://vuldb.com/?actor.dev-0322) | High
3 | [98.176.196.89](https://vuldb.com/?ip.98.176.196.89) | ip98-176-196-89.sd.sd.cox.net | [DEV-0322](https://vuldb.com/?actor.dev-0322) | High
4 | ... | ... | ... | ...

There are 2 more IOC items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during CVE-2021-35211. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `flow.php` | Medium
2 | File | `options.cpp` | Medium
3 | Argument | `--config/--debugger` | High
4 | ... | ... | ...

There are 1 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

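Review bot: IOA row 3 packs two values into one Indicator cell (`--config/--debugger`), which breaks any consumer that matches indicator strings verbatim; split it into two Argument rows. Separately, all three IOC hostnames resolve into consumer ISP space (vianet.ca, sw.biz.rr.com, sd.sd.cox.net), so the table should say whether these are the actor's egress points or victim hosts before anyone turns them into block-list entries.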
@ -0,0 +1,76 @@
# CVE-2021-40539 - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _CVE-2021-40539_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with CVE-2021-40539:

* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)

## Actors

These _actors_ are associated with CVE-2021-40539 or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [Unknown](https://vuldb.com/?actor.unknown) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of CVE-2021-40539.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [24.64.36.238](https://vuldb.com/?ip.24.64.36.238) | mail.target-realty.com | [Unknown](https://vuldb.com/?actor.unknown) | High
2 | [45.63.62.109](https://vuldb.com/?ip.45.63.62.109) | 45.63.62.109.vultr.com | [Unknown](https://vuldb.com/?actor.unknown) | Medium
3 | [45.76.173.103](https://vuldb.com/?ip.45.76.173.103) | 45.76.173.103.vultr.com | [Unknown](https://vuldb.com/?actor.unknown) | Medium
4 | ... | ... | ... | ...

There are 6 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within CVE-2021-40539. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1548.002 | CWE-285 | Improper Authorization | High
4 | ... | ... | ... | ...

There are 1 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during CVE-2021-40539. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `admin/conf_users_edit.php` | High
2 | File | `data/gbconfiguration.dat` | High
3 | File | `goform/setUsbUnload` | High
4 | ... | ... | ...

There are 24 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

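Review bot: in the TTP table the Description column names the CWE rather than the ATT&CK technique: row 1 pairs T1059.007 with "Cross Site Scripting" (the CWE-79 title) and row 3 pairs T1548.002 with "Improper Authorization" (the CWE-285 title), so a reader cannot tell from the row what the technique ID denotes. Rename the column to "Weakness description" or add a column with the technique names; every TTP table in this commit uses the same layout.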
@ -0,0 +1,90 @@
# CVE-2021-42237 - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _CVE-2021-42237_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with CVE-2021-42237:

* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [RU](https://vuldb.com/?country.ru)
* ...

There are 10 more country items available. Please use our online service to access the data.

## Actors

These _actors_ are associated with CVE-2021-42237 or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [Unknown](https://vuldb.com/?actor.unknown) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of CVE-2021-42237.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [45.133.181.252](https://vuldb.com/?ip.45.133.181.252) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
2 | [139.180.147.174](https://vuldb.com/?ip.139.180.147.174) | 139.180.147.174.vultr.com | [Unknown](https://vuldb.com/?actor.unknown) | Medium
3 | [139.180.153.145](https://vuldb.com/?ip.139.180.153.145) | 139.180.153.145.vultr.com | [Unknown](https://vuldb.com/?actor.unknown) | Medium
4 | ... | ... | ... | ...

There are 3 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within CVE-2021-42237. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 6 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during CVE-2021-42237. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/bin/login` | Medium
2 | File | `/etc/ajenti/config.yml` | High
3 | File | `/rest/api/latest/groupuserpicker` | High
4 | File | `/romfile.cfg` | Medium
5 | File | `/TeamMate/Upload/DomainObjectDocumentUpload.ashx` | High
6 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
7 | File | `ActivityManagerService.java` | High
8 | File | `admin/admin_users.php` | High
9 | File | `admin/index.php` | High
10 | File | `ajaxp_backend.php` | High
11 | File | `article_coonepage_rule.php` | High
12 | File | `books.php` | Medium
13 | File | `cgi-bin/` | Medium
14 | ... | ... | ...

There are 113 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://github.com/hvs-consulting/ioc_signatures/blob/main/SiteCore_CVE-2021-42237/HvS_SiteCoreCVE-2021-42237_2021_11_IOCs.csv

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -0,0 +1,107 @@
# CVE-2021-44228 - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _CVE-2021-44228_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with CVE-2021-44228:

* [US](https://vuldb.com/?country.us)
* [FR](https://vuldb.com/?country.fr)
* [CA](https://vuldb.com/?country.ca)
* ...

There are 4 more country items available. Please use our online service to access the data.

## Actors

These _actors_ are associated with CVE-2021-44228 or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [Unknown](https://vuldb.com/?actor.unknown) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of CVE-2021-44228.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [5.254.101.167](https://vuldb.com/?ip.5.254.101.167) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
2 | [37.120.189.247](https://vuldb.com/?ip.37.120.189.247) | support.lgtron.de | [Unknown](https://vuldb.com/?actor.unknown) | High
3 | [45.83.64.1](https://vuldb.com/?ip.45.83.64.1) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
4 | [45.83.64.62](https://vuldb.com/?ip.45.83.64.62) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
5 | [45.83.64.103](https://vuldb.com/?ip.45.83.64.103) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
6 | [45.83.64.253](https://vuldb.com/?ip.45.83.64.253) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
7 | ... | ... | ... | ...

There are 23 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within CVE-2021-44228. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1008 | CWE-757 | Algorithm Downgrade | High
2 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
3 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
4 | ... | ... | ... | ...

There are 11 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during CVE-2021-44228. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/admin/index.php?lfj=member&action=editmember` | High
2 | File | `/admin/login.php` | High
3 | File | `/admin/produts/controller.php` | High
4 | File | `/administrator/components/menu/` | High
5 | File | `/admin_page/all-files-update-ajax.php` | High
6 | File | `/api/trackedEntityInstances` | High
7 | File | `/application/common.php#action_log` | High
8 | File | `/category_view.php` | High
9 | File | `/damicms-master/admin.php?s=/Article/doedit` | High
10 | File | `/etc/cobbler` | Medium
11 | File | `/export.html` | Medium
12 | File | `/formSetPortTr` | High
13 | File | `/formStaticDHCP` | High
14 | File | `/jerry-core/ecma/base/ecma-lcache.c` | High
15 | File | `/jerry-core/ecma/operations/ecma-objects.c` | High
16 | File | `/jerry-core/parser/js/js-scanner-util.c` | High
17 | File | `/languages/index.php` | High
18 | File | `/leave_system/classes/Login.php` | High
19 | File | `/login` | Low
20 | File | `/members/view_member.php` | High
21 | File | `/music/ajax.php` | High
22 | File | `/opensis/functions/GetStuListFnc.php` | High
23 | File | `/orms/` | Low
24 | File | `/parser/js/js-parser-expr.c` | High
25 | File | `/ping.html` | Medium
26 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
27 | File | `/principals` | Medium
28 | ... | ... | ...

There are 232 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://pastebin.com/PhnaB0ac

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

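Review bot: the References section of this file cites only a Pastebin paste (https://pastebin.com/PhnaB0ac) as the external source for CVE-2021-44228; a paste can be edited or deleted at any time and carries no attribution, so the 29 IOC rows and 14 TTP rows above have no durable, verifiable provenance. Suggest citing the vendor or CERT advisory the indicators were taken from, or at least an archived copy of the paste, before this file is merged.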
@ -0,0 +1,72 @@
# Cache Panda - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Cache Panda_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Cache Panda:

* [CN](https://vuldb.com/?country.cn)
* [US](https://vuldb.com/?country.us)

## Actors

These _actors_ are associated with Cache Panda or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [APT10](https://vuldb.com/?actor.apt10) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Cache Panda.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [23.224.75.91](https://vuldb.com/?ip.23.224.75.91) | - | [APT10](https://vuldb.com/?actor.apt10) | High
2 | [23.224.75.93](https://vuldb.com/?ip.23.224.75.93) | - | [APT10](https://vuldb.com/?actor.apt10) | High
3 | [43.245.196.120](https://vuldb.com/?ip.43.245.196.120) | - | [APT10](https://vuldb.com/?actor.apt10) | High
4 | ... | ... | ... | ...

There are 5 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Cache Panda. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Cache Panda. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/debug/pprof` | Medium
2 | File | `/index.php?/manage/channel/addchannel` | High
3 | File | `/public/plugins/` | High
4 | ... | ... | ...

There are 11 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://medium.com/cycraft/supply-chain-attack-targeting-taiwan-financial-sector-bae2f0962934

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -0,0 +1,80 @@
# Cambodia Attacks - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Cambodia Attacks_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Cambodia Attacks:

* [US](https://vuldb.com/?country.us)
* [RU](https://vuldb.com/?country.ru)
* [CN](https://vuldb.com/?country.cn)
* ...

There are 2 more country items available. Please use our online service to access the data.

## Actors

These _actors_ are associated with Cambodia Attacks or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [KHRAT](https://vuldb.com/?actor.khrat) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Cambodia Attacks.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [194.87.94.61](https://vuldb.com/?ip.194.87.94.61) | ptr.ruvds.com | [KHRAT](https://vuldb.com/?actor.khrat) | High

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Cambodia Attacks. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1555 | CWE-312 | Cleartext Storage of Sensitive Information | High
4 | ... | ... | ... | ...

There are 1 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Cambodia Attacks. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/app/Http/Controllers/Admin/NEditorController.php` | High
2 | File | `/mifs/c/i/reg/reg.html` | High
3 | File | `/xAdmin/html/cm_doclist_view_uc.jsp` | High
4 | File | `adclick.php` | Medium
5 | File | `add_comment.php` | High
6 | File | `checkout.cfm` | Medium
7 | File | `Config/SaveUploadedHotspotLogoFile` | High
8 | File | `data/gbconfiguration.dat` | High
9 | ... | ... | ...

There are 64 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://unit42.paloaltonetworks.com/unit42-updated-khrat-malware-used-in-cambodia-attacks/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

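Review bot: the count sentence after the TTP table reads "There are 1 more TTP items available", which mis-pluralises for a count of one; the same template sentence is emitted for the country, IOC and IOA sections of every file in this commit, so the generator should switch to "There is 1 more ... item available" when the remaining count equals 1 rather than patching this file by hand.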
@ -0,0 +1,83 @@
# Camerashy - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Camerashy_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Camerashy:

* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)

## Actors

These _actors_ are associated with Camerashy or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [Naikon](https://vuldb.com/?actor.naikon) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Camerashy.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [50.117.115.89](https://vuldb.com/?ip.50.117.115.89) | - | [Naikon](https://vuldb.com/?actor.naikon) | High
2 | [50.117.115.90](https://vuldb.com/?ip.50.117.115.90) | - | [Naikon](https://vuldb.com/?actor.naikon) | High
3 | [65.19.141.203](https://vuldb.com/?ip.65.19.141.203) | shibakov.org | [Naikon](https://vuldb.com/?actor.naikon) | High
4 | ... | ... | ... | ...

There are 9 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Camerashy. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 4 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Camerashy. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `%windir%\Internet Logs\` | High
2 | File | `/crypto_keyfile.bin` | High
3 | File | `/show_news.php` | High
4 | File | `/siteminderagent/pwcgi/smpwservicescgi.exe` | High
5 | File | `/squashfs-root/www/HNAP1/control/SetWizardConfig.php` | High
6 | File | `500page.jsp` | Medium
7 | File | `admin/admin_process.php` | High
8 | File | `admin/user_activate_submit.php` | High
9 | File | `browse-scategory.php` | High
10 | File | `classes/Visualizer/Gutenberg/Block.php` | High
11 | ... | ... | ...

There are 83 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* http://cdn2.hubspot.net/hubfs/454298/Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -0,0 +1,77 @@
# Canadian Banks - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Canadian Banks_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Canadian Banks:

* [LA](https://vuldb.com/?country.la)
* [CN](https://vuldb.com/?country.cn)
* [US](https://vuldb.com/?country.us)

## Actors

These _actors_ are associated with Canadian Banks or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [Unknown](https://vuldb.com/?actor.unknown) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Canadian Banks.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [111.90.151.82](https://vuldb.com/?ip.111.90.151.82) | server1.kamon.la | [Unknown](https://vuldb.com/?actor.unknown) | High
2 | [111.90.151.83](https://vuldb.com/?ip.111.90.151.83) | server1.kamon.la | [Unknown](https://vuldb.com/?actor.unknown) | High
3 | [111.90.151.84](https://vuldb.com/?ip.111.90.151.84) | server1.kamon.la | [Unknown](https://vuldb.com/?actor.unknown) | High
4 | [111.90.151.112](https://vuldb.com/?ip.111.90.151.112) | server1.kamon.la | [Unknown](https://vuldb.com/?actor.unknown) | High
5 | [176.119.1.76](https://vuldb.com/?ip.176.119.1.76) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
6 | [176.119.1.77](https://vuldb.com/?ip.176.119.1.77) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
7 | ... | ... | ... | ...

There are 26 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Canadian Banks. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
3 | T1548.002 | CWE-285 | Improper Authorization | High

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Canadian Banks. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `app/Model/Event.php` | High
2 | File | `application/modules/admin/views/ecommerce/products.php` | High
3 | File | `blog.php` | Medium
4 | ... | ... | ...

There are 13 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://research.checkpoint.com/2019/canadian-banks-targeted-in-a-massive-phishing-campaign/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -0,0 +1,74 @@
# Carberp - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Carberp_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Carberp:

* [FR](https://vuldb.com/?country.fr)
* [US](https://vuldb.com/?country.us)
* [GB](https://vuldb.com/?country.gb)
* ...

There are 4 more country items available. Please use our online service to access the data.

## Actors

These _actors_ are associated with Carberp or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [APT28](https://vuldb.com/?actor.apt28) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Carberp.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [66.172.11.207](https://vuldb.com/?ip.66.172.11.207) | ip-66-172-11-207.chunkhost.com | [APT28](https://vuldb.com/?actor.apt28) | High
2 | [191.101.31.6](https://vuldb.com/?ip.191.101.31.6) | - | [APT28](https://vuldb.com/?actor.apt28) | High

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Carberp. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Carberp. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/admin/access` | High
2 | File | `/admin/index.html` | High
3 | File | `/usr/bin/pkexec` | High
4 | File | `/wp-admin/admin-ajax.php` | High
5 | ... | ... | ...

There are 29 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://unit42.paloaltonetworks.com/unit42-new-sofacy-attacks-against-us-government-agency/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -0,0 +1,87 @@
# Cardinal RAT - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Cardinal RAT_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Cardinal RAT:

* [US](https://vuldb.com/?country.us)
* [CR](https://vuldb.com/?country.cr)
* [AR](https://vuldb.com/?country.ar)
* ...

There are 5 more country items available. Please use our online service to access the data.

## Actors

These _actors_ are associated with Cardinal RAT or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [Cardinal RAT](https://vuldb.com/?actor.cardinal_rat) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Cardinal RAT.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [127.194.73.243](https://vuldb.com/?ip.127.194.73.243) | - | [Cardinal RAT](https://vuldb.com/?actor.cardinal_rat) | High
2 | [127.194.87.192](https://vuldb.com/?ip.127.194.87.192) | - | [Cardinal RAT](https://vuldb.com/?actor.cardinal_rat) | High
3 | [185.20.187.4](https://vuldb.com/?ip.185.20.187.4) | 185.20.187.4.deltahost-ptr | [Cardinal RAT](https://vuldb.com/?actor.cardinal_rat) | High
4 | ... | ... | ... | ...

There are 5 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Cardinal RAT. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 1 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Cardinal RAT. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/admin/?/plugin/comment/settings` | High
|
||||
2 | File | `/filemanager/upload.php` | High
|
||||
3 | File | `/forum/away.php` | High
|
||||
4 | File | `/inc/parser/xhtml.php` | High
|
||||
5 | File | `/uncpath/` | Medium
|
||||
6 | File | `/webconsole/APIController` | High
|
||||
7 | File | `/webmail/` | Medium
|
||||
8 | File | `adclick.php` | Medium
|
||||
9 | File | `admin.php?s=/Admin/doedit` | High
|
||||
10 | File | `admin/web_config.php` | High
|
||||
11 | ... | ... | ...
|
||||
|
||||
There are 85 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the campaign and the associated activities:
|
||||
|
||||
* https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
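Review bot: IOC rows 1 and 2 of the Cardinal RAT table publish `127.194.73.243` and `127.194.87.192` as High-confidence network indicators, but the entire 127.0.0.0/8 block is loopback (RFC 1122) and can never be a routable source or C2 address; these are almost certainly a parsing or redaction artifact from the Unit 42 source and will only produce noise or self-matches in any blocklist built from this feed. Drop the two rows or downgrade them to Low with an "unverified" marker, and add a bogon/reserved-range filter to the IOC import step so loopback, RFC 1918 and other non-routable ranges cannot reach a published table again.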
@ -0,0 +1,86 @@
|
|||
# Chafer - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Chafer_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Chafer:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [RU](https://vuldb.com/?country.ru)
|
||||
* [GB](https://vuldb.com/?country.gb)
|
||||
* ...
|
||||
|
||||
There are 18 more country items available. Please use our online service to access the data.
|
||||
|
||||
## Actors
|
||||
|
||||
These _actors_ are associated with Chafer or other actors linked to the campaign.
|
||||
|
||||
ID | Actor | Confidence
|
||||
-- | ----- | ----------
|
||||
1 | [APT39](https://vuldb.com/?actor.apt39) | High
|
||||
2 | [Chafer](https://vuldb.com/?actor.chafer) | High
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Chafer.
|
||||
|
||||
ID | IP address | Hostname | Actor | Confidence
|
||||
-- | ---------- | -------- | ----- | ----------
|
||||
1 | [83.142.230.113](https://vuldb.com/?ip.83.142.230.113) | - | [Chafer](https://vuldb.com/?actor.chafer) | High
|
||||
2 | [89.38.97.112](https://vuldb.com/?ip.89.38.97.112) | 89-38-97-112.hosted-by-worldstream.net | [Chafer](https://vuldb.com/?actor.chafer) | High
|
||||
3 | [89.38.97.115](https://vuldb.com/?ip.89.38.97.115) | 89-38-97-115.hosted-by-worldstream.net | [Chafer](https://vuldb.com/?actor.chafer) | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 7 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Chafer. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1211 | CWE-254 | 7PK Security Features | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 2 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Chafer. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `//etc/RT2870STA.dat` | High
|
||||
2 | File | `/admin/index.php?id=themes&action=edit_template&filename=blog` | High
|
||||
3 | File | `/cwp_{SESSION_HASH}/admin/loader_ajax.php` | High
|
||||
4 | File | `/magnoliaPublic/travel/members/login.html` | High
|
||||
5 | File | `/Main_AdmStatus_Content.asp` | High
|
||||
6 | File | `/uncpath/` | Medium
|
||||
7 | ... | ... | ...
|
||||
|
||||
There are 49 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the campaign and the associated activities:
|
||||
|
||||
* https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/
|
||||
* https://www.threatminer.org/report.php?q=Chafer_LatestAttacksRevealHeightenedAmbitions_SymantecBlogs.pdf&y=2018
|
||||
* https://www.threatminer.org/_reports/2019/NewPython-BasedPayloadMechaFlounderUsedbyChafer.pdf#viewer.action=download
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
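Review bot: the Actors table lists APT39 (row 1) and Chafer (row 2) as two distinct High-confidence actors, yet every IOC row below attributes only to Chafer, and APT39 is the FireEye name for the group that Symantec (the second reference on this page) tracks as Chafer. Record one name as an alias of the other instead of two independent entries, otherwise downstream consumers that count actors per campaign will double-count the same group.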
@ -0,0 +1,83 @@
|
|||
# Cleaver - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Cleaver_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Cleaver:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [CA](https://vuldb.com/?country.ca)
|
||||
* [NL](https://vuldb.com/?country.nl)
|
||||
* ...
|
||||
|
||||
There are 6 more country items available. Please use our online service to access the data.
|
||||
|
||||
## Actors
|
||||
|
||||
These _actors_ are associated with Cleaver or other actors linked to the campaign.
|
||||
|
||||
ID | Actor | Confidence
|
||||
-- | ----- | ----------
|
||||
1 | [Cleaver](https://vuldb.com/?actor.cleaver) | High
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Cleaver.
|
||||
|
||||
ID | IP address | Hostname | Actor | Confidence
|
||||
-- | ---------- | -------- | ----- | ----------
|
||||
1 | [23.238.17.181](https://vuldb.com/?ip.23.238.17.181) | s1.regulatorfix.com | [Cleaver](https://vuldb.com/?actor.cleaver) | High
|
||||
2 | [50.23.164.161](https://vuldb.com/?ip.50.23.164.161) | a1.a4.1732.ip4.static.sl-reverse.com | [Cleaver](https://vuldb.com/?actor.cleaver) | High
|
||||
3 | [64.120.128.154](https://vuldb.com/?ip.64.120.128.154) | - | [Cleaver](https://vuldb.com/?actor.cleaver) | High
|
||||
4 | [64.120.208.74](https://vuldb.com/?ip.64.120.208.74) | - | [Cleaver](https://vuldb.com/?actor.cleaver) | High
|
||||
5 | [64.120.208.75](https://vuldb.com/?ip.64.120.208.75) | - | [Cleaver](https://vuldb.com/?actor.cleaver) | High
|
||||
6 | [64.120.208.76](https://vuldb.com/?ip.64.120.208.76) | - | [Cleaver](https://vuldb.com/?actor.cleaver) | High
|
||||
7 | [64.120.208.78](https://vuldb.com/?ip.64.120.208.78) | - | [Cleaver](https://vuldb.com/?actor.cleaver) | High
|
||||
8 | [66.96.252.198](https://vuldb.com/?ip.66.96.252.198) | host-66-96-252-198.myrepublic.co.id | [Cleaver](https://vuldb.com/?actor.cleaver) | High
|
||||
9 | ... | ... | ... | ...
|
||||
|
||||
There are 32 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Cleaver. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1587.003 | CWE-295 | Improper Certificate Validation | High
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Cleaver. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/forum/away.php` | High
|
||||
2 | File | `/home/httpd/cgi-bin/cgi.cgi` | High
|
||||
3 | File | `adclick.php` | Medium
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 25 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the campaign and the associated activities:
|
||||
|
||||
* https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf
|
||||
* https://www.threatminer.org/report.php?q=Cylance_Operation_Cleaver_Report.pdf&y=2014
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
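Review bot: TTP row 3 pairs `T1587.003` with `CWE-295 | Improper Certificate Validation`, but T1587.003 is Develop Capabilities: Digital Certificates, which is the adversary obtaining or forging certificates for its own infrastructure, whereas CWE-295 describes the victim side failing to validate a certificate it is presented with; the technique and the weakness describe different parties and the row reads as if one explained the other. Either give the row a weakness the technique actually exploits or leave the Weakness cell empty; the same mismatch will recur wherever the mapping table emits this pair.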
@ -0,0 +1,129 @@
|
|||
# Cloud Hopper - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Cloud Hopper_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Cloud Hopper:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [RU](https://vuldb.com/?country.ru)
|
||||
* [CH](https://vuldb.com/?country.ch)
|
||||
* ...
|
||||
|
||||
There are 8 more country items available. Please use our online service to access the data.
|
||||
|
||||
## Actors
|
||||
|
||||
These _actors_ are associated with Cloud Hopper or other actors linked to the campaign.
|
||||
|
||||
ID | Actor | Confidence
|
||||
-- | ----- | ----------
|
||||
1 | [menuPass](https://vuldb.com/?actor.menupass) | High
|
||||
2 | [APT10](https://vuldb.com/?actor.apt10) | High
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Cloud Hopper.
|
||||
|
||||
ID | IP address | Hostname | Actor | Confidence
|
||||
-- | ---------- | -------- | ----- | ----------
|
||||
1 | [23.89.193.34](https://vuldb.com/?ip.23.89.193.34) | - | [APT10](https://vuldb.com/?actor.apt10) | High
|
||||
2 | [23.110.64.147](https://vuldb.com/?ip.23.110.64.147) | - | [APT10](https://vuldb.com/?actor.apt10) | High
|
||||
3 | [23.252.105.137](https://vuldb.com/?ip.23.252.105.137) | 23.252.105.137.16clouds.com | [APT10](https://vuldb.com/?actor.apt10) | High
|
||||
4 | [31.184.197.215](https://vuldb.com/?ip.31.184.197.215) | 31-184-197-215.static.x5x-noc.ru | [APT10](https://vuldb.com/?actor.apt10) | High
|
||||
5 | [31.184.197.227](https://vuldb.com/?ip.31.184.197.227) | 31-184-197-227.static.x5x-noc.ru | [APT10](https://vuldb.com/?actor.apt10) | High
|
||||
6 | [31.184.198.23](https://vuldb.com/?ip.31.184.198.23) | - | [APT10](https://vuldb.com/?actor.apt10) | High
|
||||
7 | [31.184.198.38](https://vuldb.com/?ip.31.184.198.38) | - | [APT10](https://vuldb.com/?actor.apt10) | High
|
||||
8 | [37.187.7.74](https://vuldb.com/?ip.37.187.7.74) | ns3372567.ip-37-187-7.eu | [APT10](https://vuldb.com/?actor.apt10) | High
|
||||
9 | [37.235.52.18](https://vuldb.com/?ip.37.235.52.18) | 18.52.235.37.in-addr.arpa | [APT10](https://vuldb.com/?actor.apt10) | High
|
||||
10 | [38.72.112.45](https://vuldb.com/?ip.38.72.112.45) | - | [APT10](https://vuldb.com/?actor.apt10) | High
|
||||
11 | [38.72.114.16](https://vuldb.com/?ip.38.72.114.16) | - | [APT10](https://vuldb.com/?actor.apt10) | High
|
||||
12 | [38.72.115.9](https://vuldb.com/?ip.38.72.115.9) | - | [APT10](https://vuldb.com/?actor.apt10) | High
|
||||
13 | [45.62.112.161](https://vuldb.com/?ip.45.62.112.161) | 45.62.112.161.16clouds.com | [APT10](https://vuldb.com/?actor.apt10) | High
|
||||
14 | [46.108.39.134](https://vuldb.com/?ip.46.108.39.134) | - | [APT10](https://vuldb.com/?actor.apt10) | High
|
||||
15 | [50.2.160.104](https://vuldb.com/?ip.50.2.160.104) | - | [APT10](https://vuldb.com/?actor.apt10) | High
|
||||
16 | [52.74.71.131](https://vuldb.com/?ip.52.74.71.131) | ec2-52-74-71-131.ap-southeast-1.compute.amazonaws.com | [APT10](https://vuldb.com/?actor.apt10) | Medium
|
||||
17 | [52.74.213.16](https://vuldb.com/?ip.52.74.213.16) | ec2-52-74-213-16.ap-southeast-1.compute.amazonaws.com | [APT10](https://vuldb.com/?actor.apt10) | Medium
|
||||
18 | [52.76.51.54](https://vuldb.com/?ip.52.76.51.54) | ec2-52-76-51-54.ap-southeast-1.compute.amazonaws.com | [APT10](https://vuldb.com/?actor.apt10) | Medium
|
||||
19 | [54.67.66.177](https://vuldb.com/?ip.54.67.66.177) | ec2-54-67-66-177.us-west-1.compute.amazonaws.com | [APT10](https://vuldb.com/?actor.apt10) | Medium
|
||||
20 | [54.68.71.43](https://vuldb.com/?ip.54.68.71.43) | ec2-54-68-71-43.us-west-2.compute.amazonaws.com | [APT10](https://vuldb.com/?actor.apt10) | Medium
|
||||
21 | ... | ... | ... | ...
|
||||
|
||||
There are 80 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Cloud Hopper. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 3 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Cloud Hopper. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `.htpasswd` | Medium
|
||||
2 | File | `/../conf/config.properties` | High
|
||||
3 | File | `/drivers/infiniband/core/cm.c` | High
|
||||
4 | File | `/forum/away.php` | High
|
||||
5 | File | `/horde/util/go.php` | High
|
||||
6 | File | `/images/` | Medium
|
||||
7 | File | `/inc/parser/xhtml.php` | High
|
||||
8 | File | `/login` | Low
|
||||
9 | File | `/mgmt/shared/authz/users/` | High
|
||||
10 | File | `/modules/profile/index.php` | High
|
||||
11 | File | `/out.php` | Medium
|
||||
12 | File | `/public/plugins/` | High
|
||||
13 | File | `/SASWebReportStudio/logonAndRender.do` | High
|
||||
14 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
15 | File | `/secure/admin/ViewInstrumentation.jspa` | High
|
||||
16 | File | `/SSOPOST/metaAlias/%realm%/idpv2` | High
|
||||
17 | File | `/system/proxy` | High
|
||||
18 | File | `/tmp/phpglibccheck` | High
|
||||
19 | File | `/uncpath/` | Medium
|
||||
20 | File | `adclick.php` | Medium
|
||||
21 | File | `add.php` | Low
|
||||
22 | File | `addentry.php` | Medium
|
||||
23 | File | `addressbookprovider.php` | High
|
||||
24 | File | `admin/pageUploadCSV.php` | High
|
||||
25 | File | `ajax_udf.php` | Medium
|
||||
26 | File | `AppCompatCache.exe` | High
|
||||
27 | File | `application.js.php` | High
|
||||
28 | File | `apply.cgi` | Medium
|
||||
29 | File | `arm/lithium-codegen-arm.cc` | High
|
||||
30 | File | `authenticate.c` | High
|
||||
31 | File | `Authenticate.class.php` | High
|
||||
32 | ... | ... | ...
|
||||
|
||||
There are 273 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the campaign and the associated activities:
|
||||
|
||||
* https://github.com/janhenrikdotcom/iocs/blob/master/APT10/Operation%20Cloud%20Hopper%20-%20Indicators%20of%20Compromise%20v3.csv
|
||||
* https://github.com/PwCUK-CTO/OperationCloudHopper/blob/master/cloud-hopper-indicators-of-compromise-v3.csv
|
||||
* https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
|
||||
* https://www.threatminer.org/report.php?q=cloud-hopper-indicators-of-compromise-v3-PwC.pdf&y=2017
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
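Review bot: IOC rows 16 to 20 are Amazon EC2 addresses (`ec2-*.compute.amazonaws.com`) and rows 3 and 13 are `16clouds.com` VPS hosts, all sourced from the 2017 PwC CSVs listed under References; cloud addresses like these are released and reassigned to unrelated tenants, so publishing them without a date will block innocent customers rather than APT10. Add a last-seen or source-date column (or at least state the 2017 provenance next to the table) so consumers can age the entries out. Separately, TTP row 3 has `T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts`: that description is the name of CWE-307, while CWE-798 is Use of Hard-coded Credentials, so either the ID or the description is wrong and should be corrected in the mapping table.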
@ -17,9 +17,11 @@ There are 2 more country items available. Please use our online service to acces
|
|||
|
||||
## Actors
|
||||
|
||||
These _actors_ are associated with Cobalt Kitty:
|
||||
These _actors_ are associated with Cobalt Kitty or other actors linked to the campaign.
|
||||
|
||||
* [APT32](https://vuldb.com/?actor.apt32)
|
||||
ID | Actor | Confidence
|
||||
-- | ----- | ----------
|
||||
1 | [APT32](https://vuldb.com/?actor.apt32) | High
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
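Review bot: the replacement sentence `These _actors_ are associated with Cobalt Kitty or other actors linked to the campaign.` reads as if actors are associated with other actors, and it drops the colon that introduced the table in the line it replaces; the same sentence is pasted verbatim into every campaign file in this commit. Suggest `These _actors_ are associated with Cobalt Kitty, or with other actors linked to the campaign:` and fix it once in the generating template rather than per page.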
@ -27,10 +29,10 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
|
|||
|
||||
ID | IP address | Hostname | Actor | Confidence
|
||||
-- | ---------- | -------- | ----- | ----------
|
||||
1 | [23.227.196.126](https://vuldb.com/?ip.23.227.196.126) | 23-227-196-126.static.hvvc.us | APT32 | High
|
||||
2 | [23.227.199.121](https://vuldb.com/?ip.23.227.199.121) | 23-227-199-121.static.hvvc.us | APT32 | High
|
||||
3 | [27.102.70.211](https://vuldb.com/?ip.27.102.70.211) | - | APT32 | High
|
||||
4 | [45.114.117.137](https://vuldb.com/?ip.45.114.117.137) | - | APT32 | High
|
||||
1 | [23.227.196.126](https://vuldb.com/?ip.23.227.196.126) | 23-227-196-126.static.hvvc.us | [APT32](https://vuldb.com/?actor.apt32) | High
|
||||
2 | [23.227.199.121](https://vuldb.com/?ip.23.227.199.121) | 23-227-199-121.static.hvvc.us | [APT32](https://vuldb.com/?actor.apt32) | High
|
||||
3 | [27.102.70.211](https://vuldb.com/?ip.27.102.70.211) | - | [APT32](https://vuldb.com/?actor.apt32) | High
|
||||
4 | [45.114.117.137](https://vuldb.com/?ip.45.114.117.137) | - | [APT32](https://vuldb.com/?actor.apt32) | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 15 more IOC items available. Please use our online service to access the data.
|
||||
|
|
|
@ -0,0 +1,117 @@
|
|||
# Cobalt Strike - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Cobalt Strike_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Cobalt Strike:
|
||||
|
||||
* [DE](https://vuldb.com/?country.de)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* ...
|
||||
|
||||
There are 10 more country items available. Please use our online service to access the data.
|
||||
|
||||
## Actors
|
||||
|
||||
These _actors_ are associated with Cobalt Strike or other actors linked to the campaign.
|
||||
|
||||
ID | Actor | Confidence
|
||||
-- | ----- | ----------
|
||||
1 | [Cobalt Strike](https://vuldb.com/?actor.cobalt_strike) | High
|
||||
2 | [Conti](https://vuldb.com/?actor.conti) | High
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Cobalt Strike.
|
||||
|
||||
ID | IP address | Hostname | Actor | Confidence
|
||||
-- | ---------- | -------- | ----- | ----------
|
||||
1 | [23.108.57.108](https://vuldb.com/?ip.23.108.57.108) | - | [Cobalt Strike](https://vuldb.com/?actor.cobalt_strike) | High
|
||||
2 | [62.128.111.176](https://vuldb.com/?ip.62.128.111.176) | - | [Cobalt Strike](https://vuldb.com/?actor.cobalt_strike) | High
|
||||
3 | [82.118.21.1](https://vuldb.com/?ip.82.118.21.1) | 77626-46583.hyperdomen.com | [Conti](https://vuldb.com/?actor.conti) | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 10 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Cobalt Strike. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1211 | CWE-254, CWE-358 | 7PK Security Features | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 1 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Cobalt Strike. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/.ssh/authorized_keys` | High
|
||||
2 | File | `/admin/success_story.php` | High
|
||||
3 | File | `/bin/bw` | Low
|
||||
4 | File | `/etc/tomcat8/Catalina/attack` | High
|
||||
5 | File | `/movie-portal-script/movie.php` | High
|
||||
6 | File | `/notice-edit.php` | High
|
||||
7 | File | `/servlet/webacc` | High
|
||||
8 | File | `/tmp` | Low
|
||||
9 | File | `/uncpath/` | Medium
|
||||
10 | File | `/wp-content/plugins/updraftplus/admin.php` | High
|
||||
11 | File | `abook_database.php` | High
|
||||
12 | File | `add_comment.php` | High
|
||||
13 | File | `admin/images.php` | High
|
||||
14 | File | `admin/index.php/template/upload` | High
|
||||
15 | File | `admin/preview.php` | High
|
||||
16 | File | `agent/Core/Controller/SendRequest.cpp` | High
|
||||
17 | File | `AjaxResponse.jsp` | High
|
||||
18 | File | `apl_42.c` | Medium
|
||||
19 | File | `app/code/core/Mage/Rss/Helper/Order.php` | High
|
||||
20 | File | `archive_read_support_format_rar5.c` | High
|
||||
21 | File | `blanko.preview.php` | High
|
||||
22 | File | `blueprints/sections/edit/1` | High
|
||||
23 | File | `boardData103.php/boardDataJP.php/boardDataNA.php/boardDataWW.php` | High
|
||||
24 | File | `breadcrumbs_create.php` | High
|
||||
25 | File | `burl.c` | Low
|
||||
26 | File | `cachemgr.cgi` | Medium
|
||||
27 | File | `CFM File Handler` | High
|
||||
28 | File | `cgi-bin/awstats.pl` | High
|
||||
29 | File | `cgi-bin/webproc` | High
|
||||
30 | File | `Change-password.php` | High
|
||||
31 | File | `class.t3lib_formmail.php` | High
|
||||
32 | File | `content/common/cursors/webcursor.cc` | High
|
||||
33 | File | `content/content.systempreferences.php` | High
|
||||
34 | ... | ... | ...
|
||||
|
||||
There are 288 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the campaign and the associated activities:
|
||||
|
||||
* https://research.checkpoint.com/2019/cobalt-group-returns-to-kazakhstan/
|
||||
* https://therecord.media/disgruntled-ransomware-affiliate-leaks-the-conti-gangs-technical-manuals/
|
||||
* https://twitter.com/malware_traffic/status/1400876426497253379
|
||||
* https://twitter.com/malware_traffic/status/1415740795622248452
|
||||
* https://twitter.com/Unit42_Intel/status/1392174941181812737
|
||||
* https://us-cert.cisa.gov/ncas/alerts/aa21-148a
|
||||
* https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
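Review bot: "Cobalt Strike" is both the campaign name of this page and a High-confidence actor in Actors row 1, but it is a commercial post-exploitation framework used by many groups, including Conti in row 2, so IOC rows 1 and 2 (generic team servers) and row 3 (Conti's `hyperdomen.com` host) carry attributions a consumer cannot act on. Type the entry as a tool or malware family and keep the operating group (Conti, or unknown) in the Actor column. Also check the first reference, `research.checkpoint.com/2019/cobalt-group-returns-to-kazakhstan/`: Cobalt Group is a separate financially motivated actor whose name merely shares the word, and the entry looks mis-filed unless that article specifically documents Cobalt Strike infrastructure.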
@ -17,9 +17,11 @@ There are 1 more country items available. Please use our online service to acces

## Actors

These _actors_ are associated with CostaRicto:
These _actors_ are associated with CostaRicto or other actors linked to the campaign.

* [Hackers-for-Hire](https://vuldb.com/?actor.hackers-for-hire)
ID | Actor | Confidence
-- | ----- | ----------
1 | [Hackers-for-Hire](https://vuldb.com/?actor.hackers-for-hire) | High

## IOC - Indicator of Compromise

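Review bot: the replacement intro sentence "These _actors_ are associated with CostaRicto or other actors linked to the campaign." reads as if the actors are associated with other actors, and it now ends with a period although a table follows it; suggest "These _actors_ are associated with CostaRicto or with other actors linked to the campaign:". The same template sentence recurs in every other page touched by this commit, so the fix belongs in the generator rather than in each file.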
@ -27,9 +29,9 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [45.89.175.206](https://vuldb.com/?ip.45.89.175.206) | - | Hackers-for-Hire | High
2 | [45.138.172.54](https://vuldb.com/?ip.45.138.172.54) | - | Hackers-for-Hire | High
3 | [144.217.53.146](https://vuldb.com/?ip.144.217.53.146) | ip146.ip-144-217-53.net | Hackers-for-Hire | High
1 | [45.89.175.206](https://vuldb.com/?ip.45.89.175.206) | - | [Hackers-for-Hire](https://vuldb.com/?actor.hackers-for-hire) | High
2 | [45.138.172.54](https://vuldb.com/?ip.45.138.172.54) | - | [Hackers-for-Hire](https://vuldb.com/?actor.hackers-for-hire) | High
3 | [144.217.53.146](https://vuldb.com/?ip.144.217.53.146) | ip146.ip-144-217-53.net | [Hackers-for-Hire](https://vuldb.com/?actor.hackers-for-hire) | High
4 | ... | ... | ... | ...

There are 3 more IOC items available. Please use our online service to access the data.
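Review bot: the Hostname column uses a bare "-" for rows 1 and 2 while row 3 carries a generic provider reverse name (ip146.ip-144-217-53.net); nothing on the page says whether "-" means no PTR record existed at collection time or the lookup was not attempted. The intro sentence above the table should define it, and since reverse names are set by the address owner they should be presented as context, not as an indicator in their own right.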
@ -0,0 +1,81 @@
# Cryptomining - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Cryptomining_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Cryptomining:

* [CN](https://vuldb.com/?country.cn)
* [US](https://vuldb.com/?country.us)
* [ES](https://vuldb.com/?country.es)

## Actors

These _actors_ are associated with Cryptomining or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [Unknown](https://vuldb.com/?actor.unknown) | High
2 | [TeamTNT](https://vuldb.com/?actor.teamtnt) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Cryptomining.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [45.9.148.182](https://vuldb.com/?ip.45.9.148.182) | - | [TeamTNT](https://vuldb.com/?actor.teamtnt) | High
2 | [129.226.180.53](https://vuldb.com/?ip.129.226.180.53) | - | [Unknown](https://vuldb.com/?actor.unknown) | High
3 | [164.52.212.196](https://vuldb.com/?ip.164.52.212.196) | e2e-81-196.ssdcloudindia.net | [Unknown](https://vuldb.com/?actor.unknown) | High
4 | ... | ... | ... | ...

There are 1 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Cryptomining. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1211 | CWE-254 | 7PK Security Features | High
4 | ... | ... | ... | ...

There are 5 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Cryptomining. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/goform/SetNetControlList` | High
2 | File | `/rest/api/2/user/picker` | High
3 | File | `admin/categories_industry.php` | High
4 | File | `admin/content/postcategory` | High
5 | File | `Adminstrator/Users/Edit/` | High
6 | ... | ... | ...

There are 36 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://blogs.infoblox.com/cyber-threat-intelligence/cyber-campaign-briefs/log4j-indicators-of-compromise-to-date/
* https://www.trendmicro.com/en_us/research/21/k/compromised-docker-hub-accounts-abused-for-cryptomining-linked-t.html

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
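Review bot: the Description column of the TTP table names the CWE from the Weakness column, not the ATT&CK technique from the Technique column ("Cross Site Scripting" beside T1059.007, "7PK Security Features" beside T1211), so the rows read as mislabeled; rename the column to "Weakness name" or add the technique name beside it. Separately, "Unknown" is listed as an actor with Confidence "High" (Actors row 1, IOC rows 2 and 3); that is only coherent if Confidence refers to the indicator rather than to the attribution, and the intro sentence should say which.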
@ -0,0 +1,77 @@
# Cyber Jihad - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Cyber Jihad_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Cyber Jihad:

* [LA](https://vuldb.com/?country.la)
* [CN](https://vuldb.com/?country.cn)
* [US](https://vuldb.com/?country.us)
* ...

There are 1 more country items available. Please use our online service to access the data.

## Actors

These _actors_ are associated with Cyber Jihad or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [GIMF](https://vuldb.com/?actor.gimf) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Cyber Jihad.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [111.90.148.5](https://vuldb.com/?ip.111.90.148.5) | server1.kamon.la | [GIMF](https://vuldb.com/?actor.gimf) | High
2 | [151.80.200.124](https://vuldb.com/?ip.151.80.200.124) | ip124.ip-151-80-200.eu | [GIMF](https://vuldb.com/?actor.gimf) | High
3 | [159.100.176.171](https://vuldb.com/?ip.159.100.176.171) | - | [GIMF](https://vuldb.com/?actor.gimf) | High
4 | ... | ... | ... | ...

There are 2 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Cyber Jihad. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-284 | Execution with Unnecessary Privileges | High
3 | T1548.002 | CWE-285 | Improper Authorization | High

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Cyber Jihad. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `application/modules/admin/views/ecommerce/products.php` | High
2 | File | `blog.php` | Medium
3 | File | `cgi-bin/iptest.cgi` | High
4 | ... | ... | ...

There are 17 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://ddanchev.blogspot.com/2021/06/exposing-currently-active-portfolio-of.html

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
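Review bot: the generated count sentence does not agree in number ("There are 1 more country items available."); the template should emit "There is 1 more country item available." when the count is 1. The same defect shows in "There are 1 more IOC items" and "There are 1 more IOA items" on the other pages in this commit, so it is a generator fix, not a per-page edit.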
@ -0,0 +1,57 @@
# Cybersquatting - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Cybersquatting_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Cybersquatting:

* [RU](https://vuldb.com/?country.ru)

## Actors

These _actors_ are associated with Cybersquatting or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [Unknown](https://vuldb.com/?actor.unknown) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Cybersquatting.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [217.182.227.117](https://vuldb.com/?ip.217.182.227.117) | ip117.ip-217-182-227.eu | [Unknown](https://vuldb.com/?actor.unknown) | High

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Cybersquatting. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `data/gbconfiguration.dat` | High
2 | File | `inc/config.php` | High
3 | Argument | `basePath` | Medium
4 | ... | ... | ...

There are 1 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://unit42.paloaltonetworks.com/cybersquatting/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
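Review bot: this page has no "## TTP - Tactics, Techniques, Procedures" section between IOC and IOA, unlike every other new page in this commit; if there is no TTP data for Cybersquatting the section should still appear with an explicit "no data" line, otherwise a reader cannot distinguish a missing section from an empty one. The single IOC row is also attributed to "Unknown" at Confidence "High", which needs the same clarification of what the column measures.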
@ -14,12 +14,14 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce

## Actors

These _actors_ are associated with DDoS Ukraine:
These _actors_ are associated with DDoS Ukraine or other actors linked to the campaign.

* [Ripprbot](https://vuldb.com/?actor.ripprbot)
* [Moobot](https://vuldb.com/?actor.moobot)
* [Mirai](https://vuldb.com/?actor.mirai)
* ...
ID | Actor | Confidence
-- | ----- | ----------
1 | [Mirai](https://vuldb.com/?actor.mirai) | High
2 | [Gafgyt](https://vuldb.com/?actor.gafgyt) | High
3 | [Moobot](https://vuldb.com/?actor.moobot) | High
4 | ... | ...

There are 1 more actor items available. Please use our online service to access the data.

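Review bot: the table that replaces the bullet list changes the visible actor set, not just its format: Ripprbot, first in the old list, is absent from the three rows shown, and Gafgyt is new, while the unchanged context line still reports only 1 more actor item. If Ripprbot is now the hidden fourth row that is fine, but the commit message "Update" does not say so, and a reviewer cannot tell from the hunk whether an actor was dropped, re-ranked, or replaced; the change description should state it.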
@ -29,9 +31,9 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [45.61.136.130](https://vuldb.com/?ip.45.61.136.130) | - | Mirai | High
2 | [45.61.186.13](https://vuldb.com/?ip.45.61.186.13) | - | Mirai | High
3 | [46.29.166.105](https://vuldb.com/?ip.46.29.166.105) | - | Mirai | High
1 | [45.61.136.130](https://vuldb.com/?ip.45.61.136.130) | - | [Mirai](https://vuldb.com/?actor.mirai) | High
2 | [45.61.186.13](https://vuldb.com/?ip.45.61.186.13) | - | [Mirai](https://vuldb.com/?actor.mirai) | High
3 | [46.29.166.105](https://vuldb.com/?ip.46.29.166.105) | - | [Mirai](https://vuldb.com/?actor.mirai) | High
4 | ... | ... | ... | ...

There are 14 more IOC items available. Please use our online service to access the data.
@ -0,0 +1,77 @@
# DarkHydrus - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _DarkHydrus_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with DarkHydrus:

* [US](https://vuldb.com/?country.us)

## Actors

These _actors_ are associated with DarkHydrus or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [DarkHydrus](https://vuldb.com/?actor.darkhydrus) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of DarkHydrus.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [94.130.88.9](https://vuldb.com/?ip.94.130.88.9) | cm16.debounce.io | [DarkHydrus](https://vuldb.com/?actor.darkhydrus) | High
2 | [107.175.75.123](https://vuldb.com/?ip.107.175.75.123) | 107-175-75-123-host.colocrossing.com | [DarkHydrus](https://vuldb.com/?actor.darkhydrus) | High
3 | [107.175.150.113](https://vuldb.com/?ip.107.175.150.113) | 107-175-150-113-host.colocrossing.com | [DarkHydrus](https://vuldb.com/?actor.darkhydrus) | High
4 | ... | ... | ... | ...

There are 2 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within DarkHydrus. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during DarkHydrus. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/etc/sudoers` | Medium
2 | File | `/opt/IBM/es/lib/libffq.cryptionjni.so` | High
3 | File | `/register.do` | Medium
4 | File | `4.3.0.CP04` | Medium
5 | File | `addentry.php` | Medium
6 | File | `add_comment.php` | High
7 | ... | ... | ...

There are 46 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/
* https://unit42.paloaltonetworks.com/unit42-darkhydrus-uses-phishery-harvest-credentials-middle-east/
* https://www.threatminer.org/report.php?q=NewThreatActorGroupDarkHydrusTargetsMiddleEastGovernment-PaloAltoNetworksBlog.pdf&y=2018
* https://www.threatminer.org/_reports/2019/DarkHydrusdeliversnewTrojanthatcanuseGoogleDriveforC2communications.pdf#viewer.action=download

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
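Review bot: IOA row 4 lists `4.3.0.CP04` under Type "File", but that is a version string, not a path; it should be reclassified or dropped, since a defender who loads the File indicators into a path-matching rule will never hit it. Minor: the last reference URL carries a viewer fragment (`#viewer.action=download`) that belongs to the browser, not the citation, and should be stripped.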
@ -0,0 +1,72 @@
# DarkMusical - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _DarkMusical_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with DarkMusical:

* [US](https://vuldb.com/?country.us)
* [GB](https://vuldb.com/?country.gb)
* [ES](https://vuldb.com/?country.es)
* ...

There are 3 more country items available. Please use our online service to access the data.

## Actors

These _actors_ are associated with DarkMusical or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [Donot](https://vuldb.com/?actor.donot) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of DarkMusical.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [37.120.198.208](https://vuldb.com/?ip.37.120.198.208) | - | [Donot](https://vuldb.com/?actor.donot) | High
2 | [51.38.85.227](https://vuldb.com/?ip.51.38.85.227) | ip227.ip-51-38-85.eu | [Donot](https://vuldb.com/?actor.donot) | High

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within DarkMusical. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during DarkMusical. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/Category` | Medium
2 | File | `advanced_component_system/index.php` | High
3 | File | `apply.cgi` | Medium
4 | ... | ... | ...

There are 16 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
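Review bot: IOA row 1 `/Category` (Medium) is a single generic path segment that will match on a large share of ordinary web applications; an indicator this short generates noise rather than detections when loaded into a rule, so it should either be qualified with the product or path prefix it belongs to, as rows 2 and 3 are, or be dropped.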
@ -0,0 +1,73 @@
# Darkside - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Darkside_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Darkside:

* [US](https://vuldb.com/?country.us)

## Actors

These _actors_ are associated with Darkside or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [DarkSide](https://vuldb.com/?actor.darkside) | High
2 | [UNC2465](https://vuldb.com/?actor.unc2465) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Darkside.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [81.91.177.54](https://vuldb.com/?ip.81.91.177.54) | free.example.com | [UNC2465](https://vuldb.com/?actor.unc2465) | High
2 | [99.83.154.118](https://vuldb.com/?ip.99.83.154.118) | a51062ecadbb5a26e.awsglobalaccelerator.com | [DarkSide](https://vuldb.com/?actor.darkside) | High
3 | [176.103.62.217](https://vuldb.com/?ip.176.103.62.217) | - | [DarkSide](https://vuldb.com/?actor.darkside) | High
4 | ... | ... | ... | ...

There are 3 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Darkside. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Darkside. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `addentry.php` | Medium
2 | File | `data/gbconfiguration.dat` | High
3 | File | `inc/config.php` | High
4 | ... | ... | ...

There are 4 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://us-cert.cisa.gov/ncas/analysis-reports/ar21-189a
* https://us-cert.cisa.gov/sites/default/files/publications/AA21-131A.stix.xml
* https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
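Review bot: IOC row 1 gives `free.example.com` as the hostname for 81.91.177.54; example.com is a reserved documentation domain (RFC 2606) and cannot be the real reverse record of a routed address, so this row looks like placeholder or test data that reached the export and should be verified before publication. Minor: the campaign is spelled "Darkside" in the title and intro while the actor in the tables is "DarkSide"; if they denote the same group the spelling should agree.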
@ -0,0 +1,72 @@
# Daybreak - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Daybreak_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Daybreak:

* [US](https://vuldb.com/?country.us)
* [PL](https://vuldb.com/?country.pl)
* [RU](https://vuldb.com/?country.ru)
* ...

There are 1 more country items available. Please use our online service to access the data.

## Actors

These _actors_ are associated with Daybreak or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [APT37](https://vuldb.com/?actor.apt37) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Daybreak.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [212.7.217.10](https://vuldb.com/?ip.212.7.217.10) | 212-7-217-10.lukman.pl | [APT37](https://vuldb.com/?actor.apt37) | High

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Daybreak. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
3 | T1600 | CWE-310 | Cryptographic Issues | High

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Daybreak. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `examples/openid.php` | High
2 | File | `FormDisplay.php` | High
3 | File | `includes/startup.php` | High
4 | ... | ... | ...

There are 5 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://securelist.com/operation-daybreak/75100/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
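Review bot: the generated count sentence in the Countries section, `There are 1 more country items available.`, does not agree in number. Suggest the generator pluralize on the count (`There is 1 more country item available.` for a count of 1); the same template sentence recurs in the IOC, TTP and IOA sections of the other files added in this commit, so fixing the template fixes all of them.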
@ -0,0 +1,66 @@

# DealersChoice - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _DealersChoice_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with DealersChoice:

* [CH](https://vuldb.com/?country.ch)

## Actors

These _actors_ are associated with DealersChoice or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [Sofacy](https://vuldb.com/?actor.sofacy) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of DealersChoice.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [95.183.50.23](https://vuldb.com/?ip.95.183.50.23) | hosted-by.solarcom.ch | [Sofacy](https://vuldb.com/?actor.sofacy) | High

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within DealersChoice. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1211 | CWE-254 | 7PK Security Features | High
2 | T1495 | CWE-494 | Download of Code Without Integrity Check | High

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during DealersChoice. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `dwrcs.exe` | Medium
2 | File | `save.php` | Medium
3 | File | `Util/PHP/eval-stdin.php` | High
4 | ... | ... | ...

There are 1 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://www.threatminer.org/report.php?q=%E2%80%98DealersChoice%E2%80%99isSofacy%E2%80%99sFlashPlayerExploitPlatform-PaloAltoNetworksBlog.pdf&y=2016

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -0,0 +1,38 @@

# DeathClick - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _DeathClick_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Actors

These _actors_ are associated with DeathClick or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [DeathClick](https://vuldb.com/?actor.deathclick) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of DeathClick.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [24.234.123.133](https://vuldb.com/?ip.24.234.123.133) | wsip-24-234-123-133.lv.lv.cox.net | [DeathClick](https://vuldb.com/?actor.deathclick) | High

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://www.threatminer.org/report.php?q=Micro-Targeted-Malvertising-WP-10-27-14-1.pdf&y=2014

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -0,0 +1,38 @@

# Diànxùn - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Diànxùn_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Actors

These _actors_ are associated with Diànxùn or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [Mustang Panda](https://vuldb.com/?actor.mustang_panda) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Diànxùn.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [159.138.84.217](https://vuldb.com/?ip.159.138.84.217) | ecs-159-138-84-217.compute.hwclouds-dns.com | [Mustang Panda](https://vuldb.com/?actor.mustang_panda) | High

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -0,0 +1,124 @@

# Double Tap - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Double Tap_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Double Tap:

* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [RU](https://vuldb.com/?country.ru)
* ...

There are 24 more country items available. Please use our online service to access the data.

## Actors

These _actors_ are associated with Double Tap or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [APT3](https://vuldb.com/?actor.apt3) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Double Tap.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [104.151.248.173](https://vuldb.com/?ip.104.151.248.173) | 173.248-151-104.rdns.scalabledns.com | [APT3](https://vuldb.com/?actor.apt3) | High
2 | [192.184.60.229](https://vuldb.com/?ip.192.184.60.229) | unassigned.psychz.net | [APT3](https://vuldb.com/?actor.apt3) | High
3 | [198.55.115.71](https://vuldb.com/?ip.198.55.115.71) | hosted-by.securefastserver.com | [APT3](https://vuldb.com/?actor.apt3) | High
4 | ... | ... | ... | ...

There are 1 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Double Tap. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-250, CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 7 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Double Tap. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/+CSCOE+/logon.html` | High
2 | File | `/.env` | Low
3 | File | `/.ssh/authorized_keys` | High
4 | File | `/admin/default.asp` | High
5 | File | `/ajax/networking/get_netcfg.php` | High
6 | File | `/assets/ctx` | Medium
7 | File | `/cgi-bin/login_action.cgi` | High
8 | File | `/cgi-bin/supervisor/PwdGrp.cgi` | High
9 | File | `/checkLogin.cgi` | High
10 | File | `/cms/print.php` | High
11 | File | `/concat?/%2557EB-INF/web.xml` | High
12 | File | `/data/remove` | Medium
13 | File | `/etc/passwd` | Medium
14 | File | `/forum/away.php` | High
15 | File | `/login` | Low
16 | File | `/navigate/navigate_download.php` | High
17 | File | `/out.php` | Medium
18 | File | `/owa/auth/logon.aspx` | High
19 | File | `/p` | Low
20 | File | `/password.html` | High
21 | File | `/proc/ioports` | High
22 | File | `/property-list/property_view.php` | High
23 | File | `/rest` | Low
24 | File | `/rest/api/2/search` | High
25 | File | `/s/` | Low
26 | File | `/scripts/cpan_config` | High
27 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
28 | File | `/services/system/setup.json` | High
29 | File | `/uncpath/` | Medium
30 | File | `/webconsole/APIController` | High
31 | File | `/websocket/exec` | High
32 | File | `/wp-admin/admin-ajax.php` | High
33 | File | `/wp-json/oembed/1.0/embed?url` | High
34 | File | `/_next` | Low
35 | File | `4.edu.php\conn\function.php` | High
36 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
37 | File | `adclick.php` | Medium
38 | File | `addentry.php` | Medium
39 | File | `addressbook.php` | High
40 | File | `add_comment.php` | High
41 | File | `admin/category.inc.php` | High
42 | File | `admin/conf_users_edit.php` | High
43 | File | `admin/dl_sendmail.php` | High
44 | File | `admin/index.php` | High
45 | File | `admin/languages.php` | High
46 | File | `admin/password_forgotten.php` | High
47 | ... | ... | ...

There are 411 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html
* https://www.threatminer.org/report.php?q=OperationDoubleTap.pdf&y=2014

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -0,0 +1,44 @@

# DrillMalware - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _DrillMalware_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Actors

These _actors_ are associated with DrillMalware or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [DPRK](https://vuldb.com/?actor.dprk) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of DrillMalware.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [210.127.188.240](https://vuldb.com/?ip.210.127.188.240) | - | [DPRK](https://vuldb.com/?actor.dprk) | High
2 | [210.127.188.242](https://vuldb.com/?ip.210.127.188.242) | - | [DPRK](https://vuldb.com/?actor.dprk) | High
3 | [210.127.188.243](https://vuldb.com/?ip.210.127.188.243) | - | [DPRK](https://vuldb.com/?actor.dprk) | High
4 | [210.127.188.244](https://vuldb.com/?ip.210.127.188.244) | - | [DPRK](https://vuldb.com/?actor.dprk) | High
5 | ... | ... | ... | ...

There are 17 more IOC items available. Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://github.com/blackorbird/APT_REPORT/tree/master/International%20Strategic/Korea

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -0,0 +1,38 @@

# DriveGuard - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _DriveGuard_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Actors

These _actors_ are associated with DriveGuard or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [Moses Staff](https://vuldb.com/?actor.moses_staff) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of DriveGuard.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [87.120.8.210](https://vuldb.com/?ip.87.120.8.210) | - | [Moses Staff](https://vuldb.com/?actor.moses_staff) | High

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://www.fortinet.com/blog/threat-research/guard-your-drive-from-driveguard

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -0,0 +1,38 @@

# Dropping Elephant - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Dropping Elephant_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Actors

These _actors_ are associated with Dropping Elephant or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [Patchwork](https://vuldb.com/?actor.patchwork) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Dropping Elephant.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [10.30.4.112](https://vuldb.com/?ip.10.30.4.112) | - | [Patchwork](https://vuldb.com/?actor.patchwork) | High

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://securelist.com/the-dropping-elephant-actor/75328/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

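Review bot: the only IOC row in this file lists 10.30.4.112 with High confidence, but that address lies in the RFC 1918 private range 10.0.0.0/8 and cannot identify an external network resource; anyone who loads this table into a blocklist or SIEM watchlist would match their own internal hosts. Suggest dropping the row, or labelling it as an internal artefact taken from the source report rather than as a network IOC.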
@ -0,0 +1,118 @@

# Dust Storm - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Dust Storm_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Dust Storm:

* [CN](https://vuldb.com/?country.cn)
* [US](https://vuldb.com/?country.us)
* [MS](https://vuldb.com/?country.ms)
* ...

There are 1 more country items available. Please use our online service to access the data.

## Actors

These _actors_ are associated with Dust Storm or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [Dust Storm](https://vuldb.com/?actor.dust_storm) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Dust Storm.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [6.9.2.1](https://vuldb.com/?ip.6.9.2.1) | - | [Dust Storm](https://vuldb.com/?actor.dust_storm) | High
2 | [23.238.229.128](https://vuldb.com/?ip.23.238.229.128) | - | [Dust Storm](https://vuldb.com/?actor.dust_storm) | High
3 | [27.255.72.68](https://vuldb.com/?ip.27.255.72.68) | - | [Dust Storm](https://vuldb.com/?actor.dust_storm) | High
4 | [27.255.72.69](https://vuldb.com/?ip.27.255.72.69) | - | [Dust Storm](https://vuldb.com/?actor.dust_storm) | High
5 | [27.255.72.78](https://vuldb.com/?ip.27.255.72.78) | - | [Dust Storm](https://vuldb.com/?actor.dust_storm) | High
6 | [59.120.59.2](https://vuldb.com/?ip.59.120.59.2) | 59-120-59-2.hinet-ip.hinet.net | [Dust Storm](https://vuldb.com/?actor.dust_storm) | High
7 | [59.188.13.133](https://vuldb.com/?ip.59.188.13.133) | - | [Dust Storm](https://vuldb.com/?actor.dust_storm) | High
8 | ... | ... | ... | ...

There are 27 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Dust Storm. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 7 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Dust Storm. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/admin/access` | High
2 | File | `/admin/index.php?id=themes&action=edit_template&filename=blog` | High
3 | File | `/apply_noauth.cgi` | High
4 | File | `/article/comment` | High
5 | File | `/backup/lispbx-CONF-YYYY-MM-DD.tar` | High
6 | File | `/cgi/sshcheck.cgi` | High
7 | File | `/crmeb/crmeb/services/UploadService.php` | High
8 | File | `/etc/shadow` | Medium
9 | File | `/IISADMPWD` | Medium
10 | File | `/inc/session.php` | High
11 | File | `/mcms/view.do` | High
12 | File | `/modules/projects/list.php` | High
13 | File | `/password.html` | High
14 | File | `/post/editing` | High
15 | File | `/public/plugins/` | High
16 | File | `/restful-services/publish` | High
17 | File | `/search.php` | Medium
18 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
19 | File | `/sys/net/gnrc/routing/rpl/gnrc_rpl_control_messages.c` | High
20 | File | `/tmp` | Low
21 | File | `/upload` | Low
22 | File | `/usr/bin/lua` | Medium
23 | File | `/usr/sbin/mini_httpd` | High
24 | File | `/v1/continue` | Medium
25 | File | `/vendor/phpdocumentor/reflection-docblock/tests/phpDocumentor/Reflection/DocBlock/Tag/LinkTagTeet.php` | High
26 | File | `3f.jsp` | Low
27 | File | `?location=search` | High
28 | File | `add.asp` | Low
29 | File | `admin.home.php` | High
30 | File | `admin/ajax.config.php` | High
31 | File | `admin/categories_industry.php` | High
32 | File | `admin/conf_users_edit.php` | High
33 | File | `admin/mailIdsConfig.do` | High
34 | File | `admin/modul/users/aksi_users.php?act=update` | High
35 | File | `admin/viewtheatre.php` | High
36 | File | `adsense-deluxe.php` | High
37 | File | `album.html` | Medium
38 | ... | ... | ...

There are 328 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://www.threatminer.org/report.php?q=Op_Dust_Storm_Report.pdf&y=2016

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -0,0 +1,76 @@
# DustySky - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _DustySky_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with DustySky:

* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [FR](https://vuldb.com/?country.fr)
* ...

There are 1 more country items available. Please use our online service to access the data.

## Actors

These _actors_ are associated with DustySky or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [Molerats](https://vuldb.com/?actor.molerats) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of DustySky.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [23.229.3.70](https://vuldb.com/?ip.23.229.3.70) | ebonyha.club | [Molerats](https://vuldb.com/?actor.molerats) | High
2 | [84.200.68.163](https://vuldb.com/?ip.84.200.68.163) | - | [Molerats](https://vuldb.com/?actor.molerats) | High
3 | [167.160.36.101](https://vuldb.com/?ip.167.160.36.101) | tearzero.net | [Molerats](https://vuldb.com/?actor.molerats) | High
4 | ... | ... | ... | ...

There are 3 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within DustySky. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during DustySky. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/adminlogin.asp` | High
2 | File | `/uncpath/` | Medium
3 | File | `cart.php` | Medium
4 | ... | ... | ...

There are 21 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

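Review bot: the TTP row `2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High` pairs the description with the wrong weakness ID: "Execution with Unnecessary Privileges" is the name of CWE-250, while CWE-264 is the category "Permissions, Privileges, and Access Controls". Either change the ID to CWE-250 or render the name that belongs to CWE-264. Minor, in the Countries section: "There are 1 more country items available" should read "There is 1 more country item available"; the count is substituted into a fixed plural string, so the template needs a singular form.
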
@ -0,0 +1,73 @@
# Electric Powder - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Electric Powder_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Electric Powder:

* [GB](https://vuldb.com/?country.gb)
* [DE](https://vuldb.com/?country.de)
* [US](https://vuldb.com/?country.us)

## Actors

These _actors_ are associated with Electric Powder or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [Gaza Cybergang](https://vuldb.com/?actor.gaza_cybergang) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Electric Powder.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [82.211.30.186](https://vuldb.com/?ip.82.211.30.186) | - | [Gaza Cybergang](https://vuldb.com/?actor.gaza_cybergang) | High
2 | [82.211.30.192](https://vuldb.com/?ip.82.211.30.192) | - | [Gaza Cybergang](https://vuldb.com/?actor.gaza_cybergang) | High
3 | [82.211.30.212](https://vuldb.com/?ip.82.211.30.212) | - | [Gaza Cybergang](https://vuldb.com/?actor.gaza_cybergang) | High
4 | ... | ... | ... | ...

There are 4 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Electric Powder. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-284 | Execution with Unnecessary Privileges | High

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Electric Powder. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/index.php/newsletter/subscriber/new/` | High
2 | File | `crossdomain.xml` | High
3 | File | `rzpnk.sys` | Medium
4 | ... | ... | ...

There are 2 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://www.threatminer.org/report.php?q=OperationElectricPowder%E2%80%93WhoistargetingIsraelElectricCompany__ClearSkyCybersecurity.pdf&y=2017

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

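Review bot: the TTP row `2 | T1068 | CWE-284 | Execution with Unnecessary Privileges | High` mislabels the weakness: CWE-284 is "Improper Access Control", and "Execution with Unnecessary Privileges" is the name of CWE-250. The same T1068 row carries CWE-264 with the identical description in the DustySky file of this commit, which suggests the Description column is derived from the technique rather than looked up from the CWE ID; rendering the CWE's own name, or fixing the ID, would remove the contradiction.
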
@ -0,0 +1,109 @@
# Elfin - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Elfin_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Elfin:

* [US](https://vuldb.com/?country.us)
* [RU](https://vuldb.com/?country.ru)
* [DE](https://vuldb.com/?country.de)
* ...

There are 15 more country items available. Please use our online service to access the data.

## Actors

These _actors_ are associated with Elfin or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [APT33](https://vuldb.com/?actor.apt33) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Elfin.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [5.79.127.177](https://vuldb.com/?ip.5.79.127.177) | - | [APT33](https://vuldb.com/?actor.apt33) | High
2 | [5.187.21.70](https://vuldb.com/?ip.5.187.21.70) | - | [APT33](https://vuldb.com/?actor.apt33) | High
3 | [5.187.21.71](https://vuldb.com/?ip.5.187.21.71) | - | [APT33](https://vuldb.com/?actor.apt33) | High
4 | [8.26.21.117](https://vuldb.com/?ip.8.26.21.117) | 117.21.26.8.serverpronto.com | [APT33](https://vuldb.com/?actor.apt33) | High
5 | [8.26.21.119](https://vuldb.com/?ip.8.26.21.119) | ns1.glasscitysoftware.net | [APT33](https://vuldb.com/?actor.apt33) | High
6 | [8.26.21.120](https://vuldb.com/?ip.8.26.21.120) | ns2.glasscitysoftware.net | [APT33](https://vuldb.com/?actor.apt33) | High
7 | [8.26.21.220](https://vuldb.com/?ip.8.26.21.220) | mail2.boldinbox.com | [APT33](https://vuldb.com/?actor.apt33) | High
8 | [8.26.21.221](https://vuldb.com/?ip.8.26.21.221) | mail3.boldinbox.com | [APT33](https://vuldb.com/?actor.apt33) | High
9 | ... | ... | ... | ...

There are 32 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Elfin. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
2 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
3 | T1068 | CWE-250, CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
4 | ... | ... | ... | ...

There are 9 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Elfin. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/+CSCOE+/logon.html` | High
2 | File | `/admin/produts/controller.php` | High
3 | File | `/admin/user/team` | High
4 | File | `/backupsettings.conf` | High
5 | File | `/cgi-bin/supervisor/PwdGrp.cgi` | High
6 | File | `/cgi-bin/system_mgr.cgi` | High
7 | File | `/common/logViewer/logViewer.jsf` | High
8 | File | `/crmeb/app/admin/controller/store/CopyTaobao.php` | High
9 | File | `/export` | Low
10 | File | `/forum/away.php` | High
11 | File | `/horde/util/go.php` | High
12 | File | `/index.php` | Medium
13 | File | `/mifs/c/i/reg/reg.html` | High
14 | File | `/ms/cms/content/list.do` | High
15 | File | `/orms/` | Low
16 | File | `/public/login.htm` | High
17 | File | `/show_news.php` | High
18 | File | `/style/` | Low
19 | File | `/uncpath/` | Medium
20 | File | `ABuffer.cpp` | Medium
21 | File | `account.asp` | Medium
22 | File | `adclick.php` | Medium
23 | File | `admin.php` | Medium
24 | File | `admin/changedata.php` | High
25 | File | `admin/dashboard.php` | High
26 | File | `admin/edit-news.php` | High
27 | ... | ... | ...

There are 228 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/elfin-apt33-espionage
* https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

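Review bot: the two References entries are the same Symantec post, `/blogs/threat-intelligence/elfin-apt33-espionage`, once on symantec-enterprise-blogs.security.com and once on www.symantec.com; keep one of them so a moved URL is not counted as a second independent source. In the TTP table, row 3 lists three weakness IDs (CWE-250, CWE-264, CWE-284) under the single description "Execution with Unnecessary Privileges", which is the name of CWE-250 only; one description per ID, or a description that covers the set, would be clearer.
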
@ -0,0 +1,73 @@
# EmailThief - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _EmailThief_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with EmailThief:

* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [GB](https://vuldb.com/?country.gb)

## Actors

These _actors_ are associated with EmailThief or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [TEMP.Heretic](https://vuldb.com/?actor.temp.heretic) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of EmailThief.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [108.160.133.32](https://vuldb.com/?ip.108.160.133.32) | 108.160.133.32.vultr.com | [TEMP.Heretic](https://vuldb.com/?actor.temp.heretic) | Medium
2 | [172.86.75.158](https://vuldb.com/?ip.172.86.75.158) | - | [TEMP.Heretic](https://vuldb.com/?actor.temp.heretic) | High
3 | [206.166.251.141](https://vuldb.com/?ip.206.166.251.141) | - | [TEMP.Heretic](https://vuldb.com/?actor.temp.heretic) | High
4 | ... | ... | ... | ...

There are 1 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within EmailThief. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1222 | CWE-275 | Permission Issues | High

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during EmailThief. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/tmp/csman/0` | Medium
2 | File | `/WebMstr7/servlet/mstrWeb` | High
3 | File | `inc/config.php` | High
4 | ... | ... | ...

There are 9 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

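Review bot: "There are 1 more IOC items available" in the IOC section needs a singular form ("There is 1 more IOC item available"); the same fixed plural string is used for every count. In the IOC table, row 1 is rated Medium while rows 2 and 3 are High, and nothing in the section text explains what the confidence levels are based on, so a reader cannot tell whether the Medium reflects the generic hosting-provider reverse DNS name (108.160.133.32.vultr.com) or something else; a one-line definition of the confidence scale would settle that.
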
@ -0,0 +1,45 @@
# Embassy Greece Beijing - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Embassy Greece Beijing_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Embassy Greece Beijing:

* [US](https://vuldb.com/?country.us)
* [ES](https://vuldb.com/?country.es)

## Actors

These _actors_ are associated with Embassy Greece Beijing or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [Unknown](https://vuldb.com/?actor.unknown) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Embassy Greece Beijing.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [74.121.191.33](https://vuldb.com/?ip.74.121.191.33) | - | [Unknown](https://vuldb.com/?actor.unknown) | High

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://www.threatminer.org/report.php?q=Compromise_Greece_Beijing.pdf&y=2014

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

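Review bot: the Actors table attributes the campaign to `Unknown` with confidence High, and the single IOC row repeats that pairing; High confidence in an unknown actor is contradictory and will mislead anyone who filters these files on the Confidence column. Suggest leaving the actor column empty for unattributed campaigns, or giving the `Unknown` row no confidence value. This file also has no TTP and IOA sections, unlike the other files in this commit; if that is because no data exists, a one-line statement to that effect would make the omission clearly deliberate.
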
@ -0,0 +1,89 @@
# Emissary Panda - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Emissary Panda_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Emissary Panda:

* [US](https://vuldb.com/?country.us)
* [ES](https://vuldb.com/?country.es)
* [IT](https://vuldb.com/?country.it)
* ...

There are 2 more country items available. Please use our online service to access the data.

## Actors

These _actors_ are associated with Emissary Panda or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [TG-3390](https://vuldb.com/?actor.tg-3390) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Emissary Panda.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [103.59.144.183](https://vuldb.com/?ip.103.59.144.183) | - | [TG-3390](https://vuldb.com/?actor.tg-3390) | High
2 | [159.65.80.157](https://vuldb.com/?ip.159.65.80.157) | - | [TG-3390](https://vuldb.com/?actor.tg-3390) | High
3 | [185.12.45.134](https://vuldb.com/?ip.185.12.45.134) | server5.cygda.info | [TG-3390](https://vuldb.com/?actor.tg-3390) | High

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Emissary Panda. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1008 | CWE-757 | Algorithm Downgrade | High
2 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
3 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
4 | ... | ... | ... | ...

There are 8 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Emissary Panda. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/cgi-bin/live_api.cgi` | High
2 | File | `/etc/shadow` | Medium
3 | File | `/infusions/shoutbox_panel/shoutbox_admin.php` | High
4 | File | `/oscommerce/admin/currencies.php` | High
5 | File | `/proc/pid/syscall` | High
6 | File | `/session/list/allActiveSession` | High
7 | File | `/syslog_rules` | High
8 | File | `/upload` | Low
9 | File | `/users/{id}` | Medium
10 | File | `/video` | Low
11 | File | `ActivityManagerService.java` | High
12 | File | `adaptmap_reg.c` | High
13 | File | `admin.cgi` | Medium
14 | File | `admin.php?action=files` | High
15 | ... | ... | ...

There are 124 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/
* https://www.nccgroup.com/uk/about-us/newsroom-and-events/blogs/2018/may/emissary-panda-a-potential-new-malicious-tool/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

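Review bot: the TTP table gives only ATT&CK IDs (T1008, T1040, T1059.007) and the Description column describes the CWE, not the technique, so a reader has to look up each ID to learn that T1008 is Fallback Channels and T1040 is Network Sniffing; adding the technique name next to the ID, or a Technique name column, would make the table self-explanatory. The weakness text "Algorithm Downgrade" for CWE-757 is the parenthetical alias of that entry ("Selection of Less-Secure Algorithm During Negotiation"), which is fine, but it should be used consistently with the other rows that carry the full CWE name.
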
@ -0,0 +1,98 @@
# Emissary - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Emissary_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Emissary:

* [US](https://vuldb.com/?country.us)
* [ES](https://vuldb.com/?country.es)
* [IT](https://vuldb.com/?country.it)
* ...

There are 3 more country items available. Please use our online service to access the data.

## Actors

These _actors_ are associated with Emissary or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [Lotus Blossom](https://vuldb.com/?actor.lotus_blossom) | High
2 | [TG-3390](https://vuldb.com/?actor.tg-3390) | High
3 | [Emissary](https://vuldb.com/?actor.emissary) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Emissary.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [101.55.33.92](https://vuldb.com/?ip.101.55.33.92) | - | [Emissary](https://vuldb.com/?actor.emissary) | High
2 | [101.55.33.95](https://vuldb.com/?ip.101.55.33.95) | - | [Emissary](https://vuldb.com/?actor.emissary) | High
3 | [101.55.121.79](https://vuldb.com/?ip.101.55.121.79) | - | [Emissary](https://vuldb.com/?actor.emissary) | High
4 | [103.59.144.183](https://vuldb.com/?ip.103.59.144.183) | - | [TG-3390](https://vuldb.com/?actor.tg-3390) | High
5 | ... | ... | ... | ...

There are 14 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Emissary. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1008 | CWE-757 | Algorithm Downgrade | High
2 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
3 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
4 | ... | ... | ... | ...

There are 8 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Emissary. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/cgi-bin/live_api.cgi` | High
2 | File | `/etc/shadow` | Medium
3 | File | `/infusions/shoutbox_panel/shoutbox_admin.php` | High
4 | File | `/oscommerce/admin/currencies.php` | High
5 | File | `/proc/pid/syscall` | High
6 | File | `/session/list/allActiveSession` | High
7 | File | `/syslog_rules` | High
8 | File | `/upload` | Low
9 | File | `/users/{id}` | Medium
10 | File | `/video` | Low
11 | File | `ActivityManagerService.java` | High
12 | File | `adaptmap_reg.c` | High
13 | File | `admin.cgi` | Medium
14 | File | `admin.php?action=files` | High
15 | File | `app/dialplans/dialplan_detail_edit.php` | High
16 | ... | ... | ...

There are 124 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/
* https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/
* https://www.nccgroup.com/uk/about-us/newsroom-and-events/blogs/2018/may/emissary-panda-a-potential-new-malicious-tool/
* https://www.threatminer.org/report.php?q=EmissaryTrojanChangelog_DidOperationLotusBlossomCauseIttoEvolve_-PaloAltoNetworksBlogPaloAltoNetworksBlog.pdf&y=2016

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -0,0 +1,69 @@
# Etumbot - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Etumbot_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Etumbot:

* [ES](https://vuldb.com/?country.es)
* [AR](https://vuldb.com/?country.ar)
* [US](https://vuldb.com/?country.us)

## Actors

These _actors_ are associated with Etumbot or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [APT12](https://vuldb.com/?actor.apt12) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Etumbot.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [32.114.251.129](https://vuldb.com/?ip.32.114.251.129) | - | [APT12](https://vuldb.com/?actor.apt12) | High
2 | [59.0.249.11](https://vuldb.com/?ip.59.0.249.11) | - | [APT12](https://vuldb.com/?actor.apt12) | High
3 | [92.54.232.142](https://vuldb.com/?ip.92.54.232.142) | - | [APT12](https://vuldb.com/?actor.apt12) | High
4 | ... | ... | ... | ...

There are 13 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Etumbot. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Etumbot. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/wp-admin/admin-ajax.php` | High
2 | Argument | `repeater` | Medium
3 | Network Port | `tcp/264` | Low

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://www.threatminer.org/report.php?q=ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf&y=2014

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -0,0 +1,83 @@
# Exchange Marauder - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Exchange Marauder_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Exchange Marauder:

* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [KR](https://vuldb.com/?country.kr)
* ...

There are 3 more country items available. Please use our online service to access the data.

## Actors

These _actors_ are associated with Exchange Marauder or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [Exchange Marauder](https://vuldb.com/?actor.exchange_marauder) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Exchange Marauder.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [5.254.43.18](https://vuldb.com/?ip.5.254.43.18) | - | [Exchange Marauder](https://vuldb.com/?actor.exchange_marauder) | High
2 | [80.92.205.81](https://vuldb.com/?ip.80.92.205.81) | vm302679.pq.hosting | [Exchange Marauder](https://vuldb.com/?actor.exchange_marauder) | High
3 | [103.77.192.219](https://vuldb.com/?ip.103.77.192.219) | - | [Exchange Marauder](https://vuldb.com/?actor.exchange_marauder) | High
4 | ... | ... | ... | ...

There are 10 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Exchange Marauder. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 1 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Exchange Marauder. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/filemanager/upload.php` | High
2 | File | `/usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php` | High
3 | File | `/usr/local/WowzaStreamingEngine/bin/` | High
4 | File | `api_poller.php` | High
5 | File | `application/controllers/admin/dataentry.php` | High
6 | File | `cmd.php?cmd=login_form` | High
7 | ... | ... | ...

There are 46 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://vxug.fakedoma.in/archive/APTs/2021/2021.03.02(1)/Operation%20Exchange%20Marauder.pdf

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

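Review bot: in the TTP table of this file, rows 2 and 3 pair CWE identifiers with descriptions that are the titles of different CWEs. Row 2 lists "CWE-264, CWE-284" next to "Execution with Unnecessary Privileges", which is the title of CWE-250 (CWE-264 is the category "Permissions, Privileges, and Access Controls" and CWE-284 is "Improper Access Control"); row 3 lists "CWE-798" next to "Improper Restriction of Excessive Authentication Attempts", which is the title of CWE-307 (CWE-798 is "Use of Hard-coded Credentials"). Either make the Description column match the Weakness column, or state in the TTP introduction that Description is a label for the ATT&CK technique rather than the CWE title. The same two rows appear unchanged in the Fallchill, Fractured Block and FriarFox Browser Extension files added by this commit.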
@ -0,0 +1,100 @@
# Fallchill - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Fallchill_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Fallchill:

* [VN](https://vuldb.com/?country.vn)

## Actors

These _actors_ are associated with Fallchill or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [Lazarus](https://vuldb.com/?actor.lazarus) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Fallchill.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [5.79.99.169](https://vuldb.com/?ip.5.79.99.169) | nsg037-19.divide.nl | [Lazarus](https://vuldb.com/?actor.lazarus) | High
2 | [27.123.221.66](https://vuldb.com/?ip.27.123.221.66) | 66-221.fiber.net.id | [Lazarus](https://vuldb.com/?actor.lazarus) | High
3 | [36.71.90.4](https://vuldb.com/?ip.36.71.90.4) | - | [Lazarus](https://vuldb.com/?actor.lazarus) | High
4 | [41.92.208.194](https://vuldb.com/?ip.41.92.208.194) | - | [Lazarus](https://vuldb.com/?actor.lazarus) | High
5 | [41.92.208.196](https://vuldb.com/?ip.41.92.208.196) | - | [Lazarus](https://vuldb.com/?actor.lazarus) | High
6 | [41.92.208.197](https://vuldb.com/?ip.41.92.208.197) | - | [Lazarus](https://vuldb.com/?actor.lazarus) | High
7 | [50.62.168.157](https://vuldb.com/?ip.50.62.168.157) | p3nwvpweb145.shr.prod.phx3.secureserver.net | [Lazarus](https://vuldb.com/?actor.lazarus) | High
8 | [59.90.93.138](https://vuldb.com/?ip.59.90.93.138) | static.bb.knl.59.90.93.138.bsnl.in | [Lazarus](https://vuldb.com/?actor.lazarus) | High
9 | [62.243.45.227](https://vuldb.com/?ip.62.243.45.227) | - | [Lazarus](https://vuldb.com/?actor.lazarus) | High
10 | [64.29.144.201](https://vuldb.com/?ip.64.29.144.201) | ntfw1c25.carrierzone.com | [Lazarus](https://vuldb.com/?actor.lazarus) | High
11 | [66.175.41.191](https://vuldb.com/?ip.66.175.41.191) | winVIPnatfl.hostopia.com | [Lazarus](https://vuldb.com/?actor.lazarus) | High
12 | [66.232.121.65](https://vuldb.com/?ip.66.232.121.65) | 66-232-121-65.static.hvvc.us | [Lazarus](https://vuldb.com/?actor.lazarus) | High
13 | [66.242.128.11](https://vuldb.com/?ip.66.242.128.11) | hdflns11.fl.hostdepot.net | [Lazarus](https://vuldb.com/?actor.lazarus) | High
14 | [66.242.128.12](https://vuldb.com/?ip.66.242.128.12) | hdflns12.fl.hostdepot.net | [Lazarus](https://vuldb.com/?actor.lazarus) | High
15 | [66.242.128.13](https://vuldb.com/?ip.66.242.128.13) | hdflns13.fl.hostdepot.net | [Lazarus](https://vuldb.com/?actor.lazarus) | High
16 | [66.242.128.134](https://vuldb.com/?ip.66.242.128.134) | hdflsf03.fl.hostdepot.net | [Lazarus](https://vuldb.com/?actor.lazarus) | High
17 | [66.242.128.140](https://vuldb.com/?ip.66.242.128.140) | hdflsf01.fl.hostdepot.net | [Lazarus](https://vuldb.com/?actor.lazarus) | High
18 | ... | ... | ... | ...

There are 69 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Fallchill. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 4 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Fallchill. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/admin-panel1.php` | High
2 | File | `/admin/?page=members/view_member` | High
3 | File | `/admin/?page=user/manage_user` | High
4 | File | `/admin/files` | Medium
5 | File | `/admin/options` | High
6 | File | `/admin/page_edit/3` | High
7 | File | `/admin_page/all-files-update-ajax.php` | High
8 | File | `/api/servers` | Medium
9 | File | `/aya/module/admin/ust_tab_e.inc.php` | High
10 | File | `/cbpos/` | Low
11 | File | `/etc/passwd` | Medium
12 | File | `/goform/SetPptpServerCfg` | High
13 | File | `/mdiy/dict/listExcludeApp` | High
14 | File | `/members/view_member.php` | High
15 | ... | ... | ...

There are 118 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://us-cert.cisa.gov/ncas/alerts/TA17-318A

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -0,0 +1,67 @@
# Fractured Block - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Fractured Block_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Fractured Block:

* [CN](https://vuldb.com/?country.cn)
* [US](https://vuldb.com/?country.us)

## Actors

These _actors_ are associated with Fractured Block or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [Carrotbat](https://vuldb.com/?actor.carrotbat) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Fractured Block.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [61.14.210.72](https://vuldb.com/?ip.61.14.210.72) | former-enews-out.businessinsider.org.uk | [Carrotbat](https://vuldb.com/?actor.carrotbat) | High

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Fractured Block. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
2 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Fractured Block. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/phppath/php` | Medium
2 | File | `anonymous/authenticated` | High
3 | File | `auth-gss2.c` | Medium
4 | ... | ... | ...

There are 11 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://www.threatminer.org/report.php?q=TheFracturedBlockCampaign_CARROTBATUsedtoDeliverMalwareTargetingSoutheastAsia-PaloAltoNetworksBlog.pdf&y=2018

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -0,0 +1,71 @@
# FriarFox Browser Extension - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _FriarFox Browser Extension_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FriarFox Browser Extension:

* [CN](https://vuldb.com/?country.cn)
* [US](https://vuldb.com/?country.us)
* [GB](https://vuldb.com/?country.gb)

## Actors

These _actors_ are associated with FriarFox Browser Extension or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [TA413](https://vuldb.com/?actor.ta413) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of FriarFox Browser Extension.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [115.126.6.47](https://vuldb.com/?ip.115.126.6.47) | - | [TA413](https://vuldb.com/?actor.ta413) | High
2 | [118.99.9.47](https://vuldb.com/?ip.118.99.9.47) | - | [TA413](https://vuldb.com/?actor.ta413) | High
3 | [167.179.99.136](https://vuldb.com/?ip.167.179.99.136) | 167.179.99.136.vultr.com | [TA413](https://vuldb.com/?actor.ta413) | Medium

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within FriarFox Browser Extension. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during FriarFox Browser Extension. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/public/login.htm` | High
2 | File | `/usr/bin/sonia` | High
3 | File | `index.php` | Medium
4 | ... | ... | ...

There are 11 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://vxug.fakedoma.in/archive/APTs/2021/2021.02.25(2)/FriarFox.pdf

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -0,0 +1,66 @@
# Fysbis - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Fysbis_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Fysbis:

* [US](https://vuldb.com/?country.us)

## Actors

These _actors_ are associated with Fysbis or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [APT28](https://vuldb.com/?actor.apt28) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Fysbis.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [198.105.125.74](https://vuldb.com/?ip.198.105.125.74) | power74.powerupyourknowledge.com | [APT28](https://vuldb.com/?actor.apt28) | High

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Fysbis. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1211 | CWE-254 | 7PK Security Features | High

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Fysbis. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/icingaweb2/navigation/add` | High
2 | File | `/inc/parser/xhtml.php` | High
3 | File | `/opt/IBM/es/lib/libffq.cryptionjni.so` | High
4 | ... | ... | ...

There are 18 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://unit42.paloaltonetworks.com/a-look-into-fysbis-sofacys-linux-backdoor/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

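Review bot: in the TTP table of this file, row 2 maps T1211 to "CWE-254" with the description "7PK Security Features". CWE-254 is a category entry from the Seven Pernicious Kingdoms view, not a base weakness, so the row tells the reader nothing concrete about which weakness the predictive model associated with technique T1211. Consider replacing it with the specific CWE entries that were matched, or marking category-level mappings as such in the Weakness column so they are not read as equivalent to the CWE-79 style entries in row 1.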
@ -0,0 +1,43 @@
|
|||
# Gauss - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Gauss_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)
|
||||
|
||||
## Actors
|
||||
|
||||
These _actors_ are associated with Gauss or other actors linked to the campaign.
|
||||
|
||||
ID | Actor | Confidence
|
||||
-- | ----- | ----------
|
||||
1 | [Equation](https://vuldb.com/?actor.equation) | High
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Gauss.
|
||||
|
||||
ID | IP address | Hostname | Actor | Confidence
|
||||
-- | ---------- | -------- | ----- | ----------
|
||||
1 | [109.71.45.115](https://vuldb.com/?ip.109.71.45.115) | smtp-out.wisdomgroup.pt | [Equation](https://vuldb.com/?actor.equation) | High
|
||||
2 | [173.204.235.196](https://vuldb.com/?ip.173.204.235.196) | - | [Equation](https://vuldb.com/?actor.equation) | High
|
||||
3 | [173.204.235.201](https://vuldb.com/?ip.173.204.235.201) | - | [Equation](https://vuldb.com/?actor.equation) | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 2 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the campaign and the associated activities:
|
||||
|
||||
* https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134940/kaspersky-lab-gauss.pdf
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -0,0 +1,77 @@
# Gedit - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Gedit_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Gedit:

* [US](https://vuldb.com/?country.us)
* [TR](https://vuldb.com/?country.tr)
* [DE](https://vuldb.com/?country.de)
* ...

There are 1 more country items available. Please use our online service to access the data.

## Actors

These _actors_ are associated with Gedit or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [Donot](https://vuldb.com/?actor.donot) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Gedit.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [37.48.122.145](https://vuldb.com/?ip.37.48.122.145) | - | [Donot](https://vuldb.com/?actor.donot) | High
2 | [80.255.3.67](https://vuldb.com/?ip.80.255.3.67) | - | [Donot](https://vuldb.com/?actor.donot) | High

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Gedit. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1211 | CWE-254 | 7PK Security Features | High
4 | ... | ... | ... | ...

There are 2 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Gedit. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/event/runquery.do` | High
2 | File | `/system/ws/v11/ss/email` | High
3 | File | `agent.cfg` | Medium
4 | File | `arch/x86/include/asm/fpu/internal.h` | High
5 | ... | ... | ...

There are 34 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
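Review bot: the count sentence in the Countries section of this file, "There are 1 more country items available. Please use our online service to access the data.", pairs a singular count with plural wording; the generator should choose singular or plural from the count (for a count of 1: "There is 1 more country item available.") so the generated pages read cleanly.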
@ -0,0 +1,64 @@
# Gh0st RAT - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Gh0st RAT_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Gh0st RAT:

* [CN](https://vuldb.com/?country.cn)

## Actors

These _actors_ are associated with Gh0st RAT or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [TG-3390](https://vuldb.com/?actor.tg-3390) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Gh0st RAT.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [43.242.35.13](https://vuldb.com/?ip.43.242.35.13) | - | [TG-3390](https://vuldb.com/?actor.tg-3390) | High
2 | [43.242.35.16](https://vuldb.com/?ip.43.242.35.16) | - | [TG-3390](https://vuldb.com/?actor.tg-3390) | High
3 | [103.85.27.78](https://vuldb.com/?ip.103.85.27.78) | - | [TG-3390](https://vuldb.com/?actor.tg-3390) | High

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Gh0st RAT. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1068 | CWE-284 | Execution with Unnecessary Privileges | High

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Gh0st RAT. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/usr/bin/pkexec` | High
2 | Library | `ssl/t1_lib.c` | Medium
3 | Argument | `length` | Low

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -0,0 +1,69 @@
# GhostShell - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _GhostShell_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with GhostShell:

* [CN](https://vuldb.com/?country.cn)
* [US](https://vuldb.com/?country.us)

## Actors

These _actors_ are associated with GhostShell or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [MalKamak](https://vuldb.com/?actor.malkamak) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of GhostShell.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [50.116.17.41](https://vuldb.com/?ip.50.116.17.41) | li601-41.members.linode.com | [MalKamak](https://vuldb.com/?actor.malkamak) | High
2 | [139.162.120.150](https://vuldb.com/?ip.139.162.120.150) | li1604-150.members.linode.com | [MalKamak](https://vuldb.com/?actor.malkamak) | High

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within GhostShell. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-284 | Execution with Unnecessary Privileges | High
3 | T1555 | CWE-312 | Cleartext Storage of Sensitive Information | High

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during GhostShell. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/domains/list` | High
2 | File | `/run/spice-vdagentd/spice-vdagent-sock` | High
3 | File | `/tmp` | Low
4 | ... | ... | ...

There are 6 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://www.cybereason.com/blog/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -0,0 +1,38 @@
# Ghostwriter - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Ghostwriter_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Actors

These _actors_ are associated with Ghostwriter or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [UNC1151](https://vuldb.com/?actor.unc1151) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Ghostwriter.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [88.99.104.179](https://vuldb.com/?ip.88.99.104.179) | static.179.104.99.88.clients.your-server.de | [UNC1151](https://vuldb.com/?actor.unc1151) | High

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://github.com/blackorbird/APT_REPORT/blob/master/Ghostwriter/unc1151-ghostwriter-update-report.pdf

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -0,0 +1,40 @@
# Ghoul - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Ghoul_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Actors

These _actors_ are associated with Ghoul or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [Ghoul](https://vuldb.com/?actor.ghoul) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Ghoul.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [37.230.110.53](https://vuldb.com/?ip.37.230.110.53) | srvc52.trwww.com | [Ghoul](https://vuldb.com/?actor.ghoul) | High
2 | [192.169.82.86](https://vuldb.com/?ip.192.169.82.86) | host.sdserver144.com.br | [Ghoul](https://vuldb.com/?actor.ghoul) | High
3 | [192.185.140.232](https://vuldb.com/?ip.192.185.140.232) | 192-185-140-232.unifiedlayer.com | [Ghoul](https://vuldb.com/?actor.ghoul) | High

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://securelist.com/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/75718/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -0,0 +1,87 @@
# Global Brute Force - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Global Brute Force_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Global Brute Force:

* [US](https://vuldb.com/?country.us)
* [RO](https://vuldb.com/?country.ro)
* [RU](https://vuldb.com/?country.ru)
* ...

There are 11 more country items available. Please use our online service to access the data.

## Actors

These _actors_ are associated with Global Brute Force or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [APT28](https://vuldb.com/?actor.apt28) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Global Brute Force.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [77.83.247.81](https://vuldb.com/?ip.77.83.247.81) | - | [APT28](https://vuldb.com/?actor.apt28) | High
2 | [93.115.28.161](https://vuldb.com/?ip.93.115.28.161) | - | [APT28](https://vuldb.com/?actor.apt28) | High
3 | [95.141.36.180](https://vuldb.com/?ip.95.141.36.180) | seflow9.neopoly.de | [APT28](https://vuldb.com/?actor.apt28) | High
4 | ... | ... | ... | ...

There are 7 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Global Brute Force. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1211 | CWE-254 | 7PK Security Features | High
4 | ... | ... | ... | ...

There are 2 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Global Brute Force. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `.htaccess` | Medium
2 | File | `/loginLess/../../etc/passwd` | High
3 | File | `/see_more_details.php` | High
4 | File | `/system/proxy` | High
5 | File | `/uncpath/` | Medium
6 | File | `accountancy/customer/card.php` | High
7 | File | `addentry.php` | Medium
8 | File | `add_comment.php` | High
9 | File | `admin.php` | Medium
10 | File | `admin/create-package.php` | High
11 | ... | ... | ...

There are 84 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -0,0 +1,92 @@
# Grand Mars - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Grand Mars_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Grand Mars:

* [DE](https://vuldb.com/?country.de)
* [US](https://vuldb.com/?country.us)
* [GB](https://vuldb.com/?country.gb)
* ...

There are 8 more country items available. Please use our online service to access the data.

## Actors

These _actors_ are associated with Grand Mars or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [Carbanak](https://vuldb.com/?actor.carbanak) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Grand Mars.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [62.210.25.121](https://vuldb.com/?ip.62.210.25.121) | svgit.festivalscope.com | [Carbanak](https://vuldb.com/?actor.carbanak) | High
2 | [80.84.49.61](https://vuldb.com/?ip.80.84.49.61) | 61-49-84-80.rackcentre.redstation.net.uk | [Carbanak](https://vuldb.com/?actor.carbanak) | High
3 | [80.84.49.66](https://vuldb.com/?ip.80.84.49.66) | 66-49-84-80.rackcentre.redstation.net.uk | [Carbanak](https://vuldb.com/?actor.carbanak) | High
4 | ... | ... | ... | ...

There are 14 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Grand Mars. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 3 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Grand Mars. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `$HOME/.cdrdao` | High
2 | File | `/cgi-bin/kerbynet` | High
3 | File | `/redbin/rpwebutilities.exe/text` | High
4 | File | `/uncpath/` | Medium
5 | File | `add_comment.php` | High
6 | File | `admin-ajax.php` | High
7 | File | `advertiser.php` | High
8 | File | `ajax/render/widget_php` | High
9 | File | `ardeaCore/lib/core/ardeaInit.php` | High
10 | File | `at/create_job.cgi` | High
11 | File | `aviso.php` | Medium
12 | File | `awstats.pl` | Medium
13 | File | `bar.phtml` | Medium
14 | File | `channeledit.php` | High
15 | File | `chat.php` | Medium
16 | ... | ... | ...

There are 129 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://www.threatminer.org/_reports/2017/OperationGrandMars-Trustwave.pdf#viewer.action=download

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -0,0 +1,74 @@
# Hafnium - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Hafnium_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Hafnium:

* [CN](https://vuldb.com/?country.cn)
* [US](https://vuldb.com/?country.us)

## Actors

These _actors_ are associated with Hafnium or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [Hafnium](https://vuldb.com/?actor.hafnium) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Hafnium.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [172.105.174.117](https://vuldb.com/?ip.172.105.174.117) | 172-105-174-117.ip.linodeusercontent.com | [Hafnium](https://vuldb.com/?actor.hafnium) | High
2 | [182.239.123.241](https://vuldb.com/?ip.182.239.123.241) | 182.239.123.241.hk.chinamobile.com | [Hafnium](https://vuldb.com/?actor.hafnium) | High
3 | [182.239.124.180](https://vuldb.com/?ip.182.239.124.180) | 182.239.124.180.hk.chinamobile.com | [Hafnium](https://vuldb.com/?actor.hafnium) | High

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Hafnium. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1211 | CWE-254 | 7PK Security Features | High
4 | ... | ... | ... | ...

There are 1 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Hafnium. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/.env` | Low
2 | File | `/ajax/networking/get_netcfg.php` | High
3 | File | `/auth/session` | High
4 | ... | ... | ...

There are 22 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://twitter.com/KyleHanslovan/status/1370077442984001537
* https://twitter.com/TheDFIRReport/status/1370079472033136640

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
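Review bot: the TTP section of this file ends with "There are 1 more TTP items available.", a singular count with plural wording that the generator should handle ("There is 1 more TTP item available."). The References section also consists only of two Twitter status permalinks; tweet URLs are not durable, so a report or advisory URL alongside them would make the entry easier to verify later.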
|
|
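Review bot: the generated "more items" sentence in this hunk ("There are 1 more TTP items available.") has a number/verb agreement problem when the remaining count is 1; the template that emits these lines should switch to the singular form for a count of one, e.g. "There is 1 more TTP item available.", since the same wording recurs in every file of this commit.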
@ -0,0 +1,78 @@

# Hancitor - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Hancitor_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Hancitor:

* [US](https://vuldb.com/?country.us)
* [FR](https://vuldb.com/?country.fr)
* [CN](https://vuldb.com/?country.cn)
* ...

There are 1 more country items available. Please use our online service to access the data.

## Actors

These _actors_ are associated with Hancitor or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [TA551](https://vuldb.com/?actor.ta551) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Hancitor.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [8.209.76.110](https://vuldb.com/?ip.8.209.76.110) | - | [TA551](https://vuldb.com/?actor.ta551) | High
2 | [43.128.225.230](https://vuldb.com/?ip.43.128.225.230) | - | [TA551](https://vuldb.com/?actor.ta551) | High
3 | [43.128.229.136](https://vuldb.com/?ip.43.128.229.136) | - | [TA551](https://vuldb.com/?actor.ta551) | High
4 | [43.128.232.152](https://vuldb.com/?ip.43.128.232.152) | - | [TA551](https://vuldb.com/?actor.ta551) | High
5 | [43.129.239.78](https://vuldb.com/?ip.43.129.239.78) | - | [TA551](https://vuldb.com/?actor.ta551) | High
6 | ... | ... | ... | ...

There are 18 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Hancitor. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Hancitor. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/find_v2/_click` | High
2 | File | `/forum/away.php` | High
3 | File | `adclick.php` | Medium
4 | ... | ... | ...

There are 13 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://www.malware-traffic-analysis.net/2021/09/14/index.html

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -0,0 +1,222 @@

# Hidden Cobra - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Hidden Cobra_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Hidden Cobra:

* [FR](https://vuldb.com/?country.fr)
* [US](https://vuldb.com/?country.us)
* [IR](https://vuldb.com/?country.ir)
* ...

There are 6 more country items available. Please use our online service to access the data.

## Actors

These _actors_ are associated with Hidden Cobra or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [Lazarus](https://vuldb.com/?actor.lazarus) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Hidden Cobra.

There are 502 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Hidden Cobra. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 7 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Hidden Cobra. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/catcompany.php` | High
2 | File | `/config/netconf.cmd` | High
3 | File | `/export` | Low
4 | File | `/forgetpassword.php` | High
5 | File | `/forum/away.php` | High
6 | File | `/graphStatus/displayServiceStatus.php` | High
7 | File | `/inc/HTTPClient.php` | High
8 | File | `/index.php?controller=calendar&format=raw&cat[0]=SQLi&task=events` | High
9 | File | `/modules/profile/index.php` | High
10 | File | `/osm/REGISTER.cmd` | High
11 | File | `/out.php` | Medium
12 | File | `/pages/items` | Medium
13 | File | `/proc/pid/syscall` | High
14 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
15 | File | `/secure/admin/ViewInstrumentation.jspa` | High
16 | File | `/servlet.gupld` | High
17 | File | `/status` | Low
18 | File | `/tools/developerConsoleOperations.jsp` | High
19 | File | `/uncpath/` | Medium
20 | File | `/usr/bin/pkexec` | High
21 | File | `/WEB-INF/web.xml` | High
22 | File | `adclick.php` | Medium
23 | File | `addentry.php` | Medium
24 | ... | ... | ...

There are 201 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://us-cert.cisa.gov/ncas/alerts/TA17-164A

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -0,0 +1,79 @@

# Hildegard - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Hildegard_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Hildegard:

* [US](https://vuldb.com/?country.us)
* [ES](https://vuldb.com/?country.es)

## Actors

These _actors_ are associated with Hildegard or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [TeamTNT](https://vuldb.com/?actor.teamtnt) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Hildegard.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [13.245.9.147](https://vuldb.com/?ip.13.245.9.147) | ec2-13-245-9-147.af-south-1.compute.amazonaws.com | [TeamTNT](https://vuldb.com/?actor.teamtnt) | Medium
2 | [45.9.148.108](https://vuldb.com/?ip.45.9.148.108) | mx1.dendrite.network | [TeamTNT](https://vuldb.com/?actor.teamtnt) | High
3 | [45.9.150.36](https://vuldb.com/?ip.45.9.150.36) | - | [TeamTNT](https://vuldb.com/?actor.teamtnt) | High
4 | ... | ... | ... | ...

There are 6 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Hildegard. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1211 | CWE-254 | 7PK Security Features | High
4 | ... | ... | ... | ...

There are 4 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Hildegard. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/goform/SetNetControlList` | High
2 | File | `admin/categories_industry.php` | High
3 | File | `admin/content/postcategory` | High
4 | File | `Adminstrator/Users/Edit/` | High
5 | File | `agent.cfg` | Medium
6 | ... | ... | ...

There are 38 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
* https://vxug.fakedoma.in/archive/APTs/2021/2021.02.03/Hildegard.pdf

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -0,0 +1,72 @@
# Hogfish - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Hogfish_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Hogfish:

* [US](https://vuldb.com/?country.us)
* [GB](https://vuldb.com/?country.gb)
* [FR](https://vuldb.com/?country.fr)
* ...

There are 1 more country items available. Please use our online service to access the data.

## Actors

These _actors_ are associated with Hogfish or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [menuPass](https://vuldb.com/?actor.menupass) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Hogfish.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [83.136.106.108](https://vuldb.com/?ip.83.136.106.108) | b108k.mailsensei.uno | [menuPass](https://vuldb.com/?actor.menupass) | High
2 | [149.36.63.65](https://vuldb.com/?ip.149.36.63.65) | - | [menuPass](https://vuldb.com/?actor.menupass) | High

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Hogfish. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1222 | CWE-275 | Permission Issues | High

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Hogfish. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/anony/mjpg.cgi` | High
2 | File | `/uncpath/` | Medium
3 | File | `com.PhonePe.app` | High
4 | ... | ... | ...

There are 7 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
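Review bot: the truncation footer under Countries reads "There are 1 more country items available", so the template does not inflect number when exactly one item is held back; have the generator emit "There is 1 more country item available" for a count of 1. The same footer template is reused for the IOC, TTP and IOA sections in these files, so fixing it once in the generator covers all of them.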
@ -0,0 +1,69 @@
# Hoplight - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Hoplight_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Hoplight:

* [US](https://vuldb.com/?country.us)
* [ZW](https://vuldb.com/?country.zw)

## Actors

These _actors_ are associated with Hoplight or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [Lazarus](https://vuldb.com/?actor.lazarus) | High
2 | [DPRK](https://vuldb.com/?actor.dprk) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Hoplight.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [21.252.107.198](https://vuldb.com/?ip.21.252.107.198) | - | [DPRK](https://vuldb.com/?actor.dprk) | High
2 | [26.165.218.44](https://vuldb.com/?ip.26.165.218.44) | - | [DPRK](https://vuldb.com/?actor.dprk) | High
3 | [47.206.4.145](https://vuldb.com/?ip.47.206.4.145) | static-47-206-4-145.srst.fl.frontiernet.net | [DPRK](https://vuldb.com/?actor.dprk) | High
4 | ... | ... | ... | ...

There are 12 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Hoplight. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Hoplight. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `countedit.cgi` | High
2 | File | `p.php` | Low

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://us-cert.cisa.gov/ncas/analysis-reports/AR19-100A

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
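Review bot: the Actors intro "These _actors_ are associated with Hoplight or other actors linked to the campaign." reads as if the listed actors were associated with other actors, and unlike the Countries intro ("associated with Hoplight:") it ends in a period although a table follows; suggest "These _actors_ are associated with Hoplight, or with other actors linked to the campaign:" in the generator template so every campaign file picks the wording up.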
@ -0,0 +1,68 @@
# Hotcroissant - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Hotcroissant_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Hotcroissant:

* [US](https://vuldb.com/?country.us)
* [RU](https://vuldb.com/?country.ru)
* [CN](https://vuldb.com/?country.cn)

## Actors

These _actors_ are associated with Hotcroissant or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [Lazarus](https://vuldb.com/?actor.lazarus) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Hotcroissant.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [94.177.123.138](https://vuldb.com/?ip.94.177.123.138) | - | [Lazarus](https://vuldb.com/?actor.lazarus) | High

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Hotcroissant. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-284 | Execution with Unnecessary Privileges | High

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Hotcroissant. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/MIME/INBOX-MM-1/` | High
2 | File | `coders/dpx.c` | Medium
3 | File | `data/gbconfiguration.dat` | High
4 | ... | ... | ...

There are 6 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://us-cert.cisa.gov/ncas/analysis-reports/ar20-045d

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -0,0 +1,102 @@
# Inception - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Inception_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Inception:

* [SV](https://vuldb.com/?country.sv)
* [ES](https://vuldb.com/?country.es)
* [PL](https://vuldb.com/?country.pl)
* ...

There are 4 more country items available. Please use our online service to access the data.

## Actors

These _actors_ are associated with Inception or other actors linked to the campaign.

ID | Actor | Confidence
-- | ----- | ----------
1 | [Inception](https://vuldb.com/?actor.inception) | High

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Inception.

ID | IP address | Hostname | Actor | Confidence
-- | ---------- | -------- | ----- | ----------
1 | [51.255.139.194](https://vuldb.com/?ip.51.255.139.194) | ip194.ip-51-255-139.eu | [Inception](https://vuldb.com/?actor.inception) | High
2 | [82.221.100.55](https://vuldb.com/?ip.82.221.100.55) | web.a1yola.com | [Inception](https://vuldb.com/?actor.inception) | High
3 | [82.221.100.60](https://vuldb.com/?ip.82.221.100.60) | - | [Inception](https://vuldb.com/?actor.inception) | High
4 | ... | ... | ... | ...

There are 7 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Inception. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-250, CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 8 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Inception. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/admin/page_edit/3` | High
2 | File | `/api/notify.php` | High
3 | File | `/domain/service/.ewell-known/caldav` | High
4 | File | `/formAdvFirewall` | High
5 | File | `/mobile/SelectUsers.jsp` | High
6 | File | `/ProteinArraySignificanceTest.json` | High
7 | File | `/usr/local/bin/mjs` | High
8 | File | `/web` | Low
9 | File | `admin/bad.php` | High
10 | File | `admin/dl_sendmail.php` | High
11 | File | `admin/pages/useredit.php` | High
12 | File | `AdminBaseController.class.php` | High
13 | File | `AlertReceiver.java` | High
14 | File | `alfresco/s/admin/admin-nodebrowser` | High
15 | File | `AndroidFuture.java` | High
16 | File | `AndroidManifest.xml` | High
17 | File | `api/info.php` | Medium
18 | File | `attach.c` | Medium
19 | File | `box_code_apple.c` | High
20 | File | `bugs.aspx` | Medium
21 | File | `bug_actiongroup.php` | High
22 | File | `bug_report_page.php` | High
23 | ... | ... | ...

There are 196 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the campaign and the associated activities:

* https://github.com/eset/malware-ioc/tree/master/interception
* https://securelist.com/recent-cloud-atlas-activity/92016/
* https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/
* https://www.threatminer.org/report.php?q=bcs_wp_InceptionReport_EN_v12914.pdf&y=2014

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
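Review bot: in the TTP table, row 2 lists three weaknesses (CWE-250, CWE-264, CWE-284) against the single text "Execution with Unnecessary Privileges", and row 1 lists CWE-79 and CWE-80 against "Cross Site Scripting", so the Description column describes the ATT&CK technique rather than the named CWE; rename the header (e.g. "Technique description") or add a per-CWE name column so readers do not take the text as the CWE title.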