Update
parent 256a28ff44
commit 0c11dcfc85
@ -1,6 +1,6 @@
|
|||
# 1937CN - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [1937CN](https://vuldb.com/?actor.1937cn). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [1937CN](https://vuldb.com/?actor.1937cn). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.1937cn](https://vuldb.com/?actor.1937cn)
|
||||
|
||||
|
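Review bot: the only change in this hunk is the link target `?doc.cti` → `?kb.cti`, and the same `doc` → `kb` rename recurs in every file of the patch (the intro paragraph, the documentation bullet under References, and `?doc.changelog`, `?doc.about`, `?doc.faq` and `?doc` in the License footer). Please confirm that the `?kb.` paths resolve and that the old `?doc.` paths redirect, since forks of these READMEs and external references will keep the old links. A commit message more specific than "Update", naming the link migration, the year bump and the indicator refresh, would make this change easier to find later.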
@ -29,9 +29,9 @@ The following list contains external sources which discuss the actor and the ass
|
|||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# APT-C-07 - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT-C-07](https://vuldb.com/?actor.apt-c-07). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT-C-07](https://vuldb.com/?actor.apt-c-07). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt-c-07](https://vuldb.com/?actor.apt-c-07)
|
||||
|
||||
|
@ -42,9 +42,9 @@ The following list contains external sources which discuss the actor and the ass
|
|||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# APT16 - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT16](https://vuldb.com/?actor.apt16). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT16](https://vuldb.com/?actor.apt16). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt16](https://vuldb.com/?actor.apt16)
|
||||
|
||||
|
@ -37,16 +37,9 @@ ID | Type | Indicator | Confidence
|
|||
1 | File | `/download` | Medium
|
||||
2 | File | `comment_add.asp` | High
|
||||
3 | File | `data/gbconfiguration.dat` | High
|
||||
4 | File | `email.php` | Medium
|
||||
5 | File | `inc/config.php` | High
|
||||
6 | File | `inc/filebrowser/browser.php` | High
|
||||
7 | File | `ogp_show.php` | Medium
|
||||
8 | File | `register.php` | Medium
|
||||
9 | Argument | `basePath` | Medium
|
||||
10 | Argument | `display` | Low
|
||||
11 | ... | ... | ...
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 4 more IOA items available. Please use our online service to access the data.
|
||||
There are 11 more IOA items available. Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
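Review bot: the visible-row limit of this IOA table drops from 10 to 3 (rows 4-10 and the `11 | ...` marker removed, `4 | ...` added) while the total stays at 14 (10 + 4 more before, 3 + 11 more after), so this changes how much is published, not the data. The same cut to 3 rows appears in APT31's IOC table (6 + 10 → 3 + 13) and IOA table (10 + 12 → 3 + 19) and in APT34's IOC table (rows 12-20 → 12-14, 52 → 58 more), yet APT28's IOC table goes the other way and grows from 20 to 46 visible rows. Confirm that the per-file display limit is meant to differ, or fix the generator so that one threshold applies across the repository.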
@ -58,9 +51,9 @@ The following list contains external sources which discuss the actor and the ass
|
|||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# APT18 - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT18](https://vuldb.com/?actor.apt18). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT18](https://vuldb.com/?actor.apt18). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt18](https://vuldb.com/?actor.apt18)
|
||||
|
||||
|
@ -34,9 +34,9 @@ The following list contains external sources which discuss the actor and the ass
|
|||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
||||
|
|
104 APT28/README.md
|
@ -1,6 +1,6 @@
|
|||
# APT28 - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT28](https://vuldb.com/?actor.apt28). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT28](https://vuldb.com/?actor.apt28). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt28](https://vuldb.com/?actor.apt28)
|
||||
|
||||
|
@ -19,12 +19,12 @@ There are 3 more campaign items available. Please use our online service to acce
|
|||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT28:
|
||||
|
||||
* NL
|
||||
* RO
|
||||
* US
|
||||
* DE
|
||||
* ES
|
||||
* ...
|
||||
|
||||
There are 52 more country items available. Please use our online service to access the data.
|
||||
There are 3 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
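Review bot: the remainder line goes from 52 to 3 more countries, so the associated-country total falls from 57 to 8 while the five listed entries (NL, RO, US, DE, ES) are unchanged. A drop of that size with no visible change in the list looks like an export or filter regression rather than a data correction; check it against the live actor record before merging.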
@ -51,10 +51,36 @@ ID | IP address | Hostname | Confidence
|
|||
17 | 45.64.105.23 | - | High
|
||||
18 | 45.124.132.127 | - | High
|
||||
19 | 46.19.138.66 | ab2.alchibasystems.in.net | High
|
||||
20 | 46.21.147.55 | 55.147.21.46.in-addr.arpa | High
|
||||
21 | ... | ... | ...
|
||||
20 | 46.21.147.55 | 46-21-147-55.static.hvvc.us | High
|
||||
21 | 46.21.147.71 | 46-21-147-71.static.hvvc.us | High
|
||||
22 | 46.21.147.76 | 46-21-147-76.static.hvvc.us | High
|
||||
23 | 46.148.17.227 | - | High
|
||||
24 | 46.166.162.90 | - | High
|
||||
25 | 46.183.217.74 | ip-217-74.dataclub.info | High
|
||||
26 | 51.38.128.110 | - | High
|
||||
27 | 51.254.76.54 | - | High
|
||||
28 | 51.254.158.57 | - | High
|
||||
29 | 54.37.104.106 | piber.connectedlists.com | High
|
||||
30 | 58.49.58.58 | - | High
|
||||
31 | 62.113.232.197 | - | High
|
||||
32 | 66.172.11.207 | ip-66-172-11-207.chunkhost.com | High
|
||||
33 | 66.172.12.133 | - | High
|
||||
34 | 69.12.73.174 | 69.12.73.174.static.quadranet.com | High
|
||||
35 | 70.85.221.10 | server002.nilsson-it.dk | High
|
||||
36 | 70.85.221.20 | 14.dd.5546.static.theplanet.com | High
|
||||
37 | 76.74.177.251 | ip-76-74-177-251.chunkhost.com | High
|
||||
38 | 77.81.98.122 | no-rdns.clues.ro | High
|
||||
39 | 77.83.247.81 | - | High
|
||||
40 | 78.153.151.222 | smtp33.pristavka-fr.ru | High
|
||||
41 | 80.83.115.187 | host3.smtpnoida.biz | High
|
||||
42 | 80.255.3.93 | - | High
|
||||
43 | 80.255.3.94 | set121.com | High
|
||||
44 | 80.255.6.15 | - | High
|
||||
45 | 80.255.10.236 | - | High
|
||||
46 | 81.17.30.29 | - | High
|
||||
47 | ... | ... | ...
|
||||
|
||||
There are 211 more IOC items available. Please use our online service to access the data.
|
||||
There are 185 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
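Review bot: row 20 replaces `55.147.21.46.in-addr.arpa` with `46-21-147-55.static.hvvc.us`; the old value is the reverse-lookup query name itself, not a resolved hostname, so it should never have been emitted. Consider having the generator treat any `*.in-addr.arpa` (and `*.ip6.arpa`) result as "no PTR" and print `-`, as rows 23, 24 and 26-28 already do, so the same artefact does not reappear on the next refresh. The totals in this hunk are consistent (20 + 211 = 46 + 185 = 231).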
@ -62,14 +88,12 @@ Tactics, techniques, and procedures summarize the suspected ATT&CK techniques us
|
|||
|
||||
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1040 | Authentication Bypass by Capture-replay | High
|
||||
2 | T1059.007 | Cross Site Scripting | High
|
||||
3 | T1068 | Execution with Unnecessary Privileges | High
|
||||
4 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
5 | T1211 | 7PK Security Features | High
|
||||
6 | ... | ... | ...
|
||||
1 | T1059.007 | Cross Site Scripting | High
|
||||
2 | T1068 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 10 more TTP items available. Please use our online service to access the data.
|
||||
There are 7 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
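Review bot: the removed rows are T1040 and T1211 and the remainder goes from 10 to 7, so the TTP total falls from 15 (5 + 10) to 10 (3 + 7); nothing in the patch says why two High-confidence techniques were dropped, so the commit message or a changelog entry should. Separately, the Description column pairs ATT&CK technique IDs with CWE weakness names ("Authentication Bypass by Capture-replay", "7PK Security Features", "Improper Restriction of Excessive Authentication Attempts") rather than the ATT&CK technique names; renaming the column to something like "Mapped weakness", or adding the technique name, would keep readers from taking `T1040 | Authentication Bypass by Capture-replay` as the ATT&CK definition.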
@ -77,19 +101,43 @@ These indicators of attack list the potential fragments used for technical activ
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `.htaccess` | Medium
|
||||
2 | File | `.procmailrc` | Medium
|
||||
3 | File | `/$({curl` | Medium
|
||||
4 | File | `/+CSCOE+/logon.html` | High
|
||||
5 | File | `/.env` | Low
|
||||
6 | File | `/.ssh/authorized_keys` | High
|
||||
7 | File | `/.vnc/sesman_${username}_passwd` | High
|
||||
8 | File | `/account/details.php` | High
|
||||
9 | File | `/admin.php` | Medium
|
||||
10 | File | `/admin/adclass.php` | High
|
||||
11 | ... | ... | ...
|
||||
1 | File | `.travis.yml` | Medium
|
||||
2 | File | `/.env` | Low
|
||||
3 | File | `/admin.php` | Medium
|
||||
4 | File | `/admin/config.php?display=disa&view=form` | High
|
||||
5 | File | `/category_view.php` | High
|
||||
6 | File | `/dev/kmem` | Medium
|
||||
7 | File | `/filemanager/upload.php` | High
|
||||
8 | File | `/medical/inventories.php` | High
|
||||
9 | File | `/monitoring` | Medium
|
||||
10 | File | `/NAGErrors` | Medium
|
||||
11 | File | `/plugins/servlet/audit/resource` | High
|
||||
12 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
|
||||
13 | File | `/proc/ioports` | High
|
||||
14 | File | `/replication` | Medium
|
||||
15 | File | `/reports/rwservlet` | High
|
||||
16 | File | `/RestAPI` | Medium
|
||||
17 | File | `/tmp` | Low
|
||||
18 | File | `/tmp/speedtest_urls.xml` | High
|
||||
19 | File | `/uncpath/` | Medium
|
||||
20 | File | `/var/log/nginx` | High
|
||||
21 | File | `/wp-admin/admin.php` | High
|
||||
22 | File | `admin-ajax.php?action=get_wdtable order[0][dir]` | High
|
||||
23 | File | `admin/app/mediamanager` | High
|
||||
24 | File | `admin/index.php` | High
|
||||
25 | File | `admin\model\catalog\download.php` | High
|
||||
26 | File | `afr.php` | Low
|
||||
27 | File | `apcupsd.pid` | Medium
|
||||
28 | File | `api/it-recht-kanzlei/api-it-recht-kanzlei.php` | High
|
||||
29 | File | `api/sms/send-sms` | High
|
||||
30 | File | `api/v1/alarms` | High
|
||||
31 | File | `application/controller/InstallerController.php` | High
|
||||
32 | File | `arch/powerpc/kvm/book3s_rtas.c` | High
|
||||
33 | File | `arformcontroller.php` | High
|
||||
34 | File | `auth-gss2.c` | Medium
|
||||
35 | ... | ... | ...
|
||||
|
||||
There are 2654 more IOA items available. Please use our online service to access the data.
|
||||
There are 300 more IOA items available. Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
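Review bot: the remainder line drops from 2654 to 300, so the IOA total goes from 2664 (10 + 2654) to 334 (34 + 300), an order-of-magnitude reduction that the patch does not explain; confirm this is deliberate pruning rather than a truncated export. Also, several new entries are typed `File` but are really URL paths with query strings or parameter names (row 4 `/admin/config.php?display=disa&view=form`, row 22 `admin-ajax.php?action=get_wdtable order[0][dir]`); since the repository already uses an `Argument` type (APT16 rows 9 and 10), splitting these into a path indicator and an argument indicator would make them usable as detection patterns without manual cleanup.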
@ -132,9 +180,9 @@ The following list contains external sources which discuss the actor and the ass
|
|||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# APT30 - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT30](https://vuldb.com/?actor.apt30). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT30](https://vuldb.com/?actor.apt30). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt30](https://vuldb.com/?actor.apt30)
|
||||
|
||||
|
@ -24,9 +24,9 @@ The following list contains external sources which discuss the actor and the ass
|
|||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# APT31 - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT31](https://vuldb.com/?actor.apt31). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT31](https://vuldb.com/?actor.apt31). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt31](https://vuldb.com/?actor.apt31)
|
||||
|
||||
|
@ -20,12 +20,9 @@ ID | IP address | Hostname | Confidence
|
|||
1 | 105.154.12.165 | - | High
|
||||
2 | 105.157.234.0 | - | High
|
||||
3 | 105.159.122.85 | - | High
|
||||
4 | 110.36.231.150 | WGPON-36231-150.wateen.net | High
|
||||
5 | 115.31.133.26 | - | High
|
||||
6 | 115.133.136.29 | - | High
|
||||
7 | ... | ... | ...
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 10 more IOC items available. Please use our online service to access the data.
|
||||
There are 13 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
@ -44,16 +41,9 @@ ID | Type | Indicator | Confidence
|
|||
1 | File | `/get_getnetworkconf.cgi` | High
|
||||
2 | File | `/horde/util/go.php` | High
|
||||
3 | File | `administrator/components/com_media/helpers/media.php` | High
|
||||
4 | File | `comments.php` | Medium
|
||||
5 | File | `data/gbconfiguration.dat` | High
|
||||
6 | File | `inc/config.php` | High
|
||||
7 | File | `item_details.php` | High
|
||||
8 | File | `KeyHelp.ocx` | Medium
|
||||
9 | File | `phpinfo.php` | Medium
|
||||
10 | File | `picture.php` | Medium
|
||||
11 | ... | ... | ...
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 12 more IOA items available. Please use our online service to access the data.
|
||||
There are 19 more IOA items available. Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
@ -65,9 +55,9 @@ The following list contains external sources which discuss the actor and the ass
|
|||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# APT32 - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT32](https://vuldb.com/?actor.apt32). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT32](https://vuldb.com/?actor.apt32). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt32](https://vuldb.com/?actor.apt32)
|
||||
|
||||
|
@ -17,10 +17,10 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
|
|||
|
||||
* US
|
||||
* CN
|
||||
* TR
|
||||
* VN
|
||||
* ...
|
||||
|
||||
There are 10 more country items available. Please use our online service to access the data.
|
||||
There are 11 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -35,22 +35,14 @@ ID | IP address | Hostname | Confidence
|
|||
5 | 37.59.198.130 | - | High
|
||||
6 | 37.59.198.131 | - | High
|
||||
7 | 45.32.100.179 | 45.32.100.179.vultr.com | Medium
|
||||
8 | 45.32.105.45 | 45.32.105.45.vultr.com | Medium
|
||||
8 | 45.32.105.45 | - | High
|
||||
9 | 45.32.114.49 | 45.32.114.49.vultr.com | Medium
|
||||
10 | 45.76.147.201 | 45.76.147.201.vultr.com | Medium
|
||||
11 | 45.76.179.28 | 45.76.179.28.vultr.com | Medium
|
||||
12 | 45.76.179.151 | 45.76.179.151.vultr.com | Medium
|
||||
13 | 45.77.39.101 | 45.77.39.101.vultr.com | Medium
|
||||
14 | 45.114.117.137 | - | High
|
||||
15 | 45.114.117.164 | folien.reisnart.com | High
|
||||
16 | 64.62.174.9 | unassigned9.net2.fc.aoindustries.com | High
|
||||
17 | 64.62.174.16 | unassigned16.net2.fc.aoindustries.com | High
|
||||
18 | 64.62.174.17 | unassigned17.net2.fc.aoindustries.com | High
|
||||
19 | 64.62.174.21 | unassigned21.net2.fc.aoindustries.com | High
|
||||
20 | 64.62.174.41 | unassigned41.net2.fc.aoindustries.com | High
|
||||
21 | ... | ... | ...
|
||||
13 | ... | ... | ...
|
||||
|
||||
There are 40 more IOC items available. Please use our online service to access the data.
|
||||
There are 48 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
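Review bot: row 8 loses its hostname (`45.32.105.45.vultr.com` → `-`) and at the same time rises from Medium to High confidence, while the other vultr rows in the hunk (7 and 9-12) keep their hostnames and stay Medium. If confidence is derived from the resolution result, the direction of this change needs an explanation; if it was hand-edited, cite the source in the commit. The totals are consistent (20 + 40 = 12 + 48 = 60).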
@ -61,10 +53,9 @@ ID | Technique | Description | Confidence
|
|||
1 | T1059.007 | Cross Site Scripting | High
|
||||
2 | T1068 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | T1211 | 7PK Security Features | High
|
||||
5 | ... | ... | ...
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 6 more TTP items available. Please use our online service to access the data.
|
||||
There are 7 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -74,15 +65,25 @@ ID | Type | Indicator | Confidence
|
|||
-- | ---- | --------- | ----------
|
||||
1 | File | `/cgi-bin/cgiServer.exx` | High
|
||||
2 | File | `/cgi-bin/login_action.cgi` | High
|
||||
3 | File | `/dev/sg0` | Medium
|
||||
4 | File | `/event/runquery.do` | High
|
||||
5 | File | `/forum/away.php` | High
|
||||
6 | File | `/manager?action=getlogcat` | High
|
||||
7 | File | `/password.html` | High
|
||||
8 | File | `/system/ws/v11/ss/email)` | High
|
||||
9 | File | `/uncpath/` | Medium
|
||||
10 | File | `add_vhost.php` | High
|
||||
11 | ... | ... | ...
|
||||
3 | File | `/cgi-bin/webviewer_login_page` | High
|
||||
4 | File | `/dev/sg0` | Medium
|
||||
5 | File | `/event/runquery.do` | High
|
||||
6 | File | `/filemanager/php/connector.php` | High
|
||||
7 | File | `/forum/away.php` | High
|
||||
8 | File | `/goform/setmac` | High
|
||||
9 | File | `/manager?action=getlogcat` | High
|
||||
10 | File | `/password.html` | High
|
||||
11 | File | `/system/ws/v11/ss/email` | High
|
||||
12 | File | `/uncpath/` | Medium
|
||||
13 | File | `add_vhost.php` | High
|
||||
14 | File | `admin/images.aspx` | High
|
||||
15 | File | `admin/index.php` | High
|
||||
16 | File | `adv2.php?action=modify` | High
|
||||
17 | File | `agent.cfg` | Medium
|
||||
18 | File | `arch/x86/include/asm/fpu/internal.h` | High
|
||||
19 | File | `asm/float.c` | Medium
|
||||
20 | File | `asm/nasm.c` | Medium
|
||||
21 | ... | ... | ...
|
||||
|
||||
There are 178 more IOA items available. Please use our online service to access the data.
|
||||
|
||||
|
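Review bot: the `There are 178 more IOA items available` line is unchanged although the visible rows grow from 10 to 20, which implies the total moved from 188 to 198 at exactly the moment the display limit changed. Elsewhere in this patch the remainder is regenerated together with the visible rows (APT28 IOC: 20 + 211 → 46 + 185), so this looks like a stale count; rerun the export, or correct the line to 168 if the total is in fact unchanged. The removal of the stray parenthesis in `/system/ws/v11/ss/email)` (old row 8, new row 11) is correct.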
@ -98,9 +99,9 @@ The following list contains external sources which discuss the actor and the ass
|
|||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -1,6 +1,6 @@
# APT34 - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT34](https://vuldb.com/?actor.apt34). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT34](https://vuldb.com/?actor.apt34). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt34](https://vuldb.com/?actor.apt34)

@ -10,10 +10,10 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access

* US
* IR
* DE
* CN
* ...

There are 19 more country items available. Please use our online service to access the data.
There are 18 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -35,15 +35,9 @@ ID | IP address | Hostname | Confidence
12 | 80.82.79.221 | - | High
13 | 80.82.79.240 | - | High
14 | 81.17.56.249 | - | High
15 | 82.102.14.216 | h82-102-14-216.host.redstation.co.uk | High
16 | 82.102.14.219 | h82-102-14-219.host.redstation.co.uk | High
17 | 82.102.14.222 | h82-102-14-222.host.redstation.co.uk | High
18 | 82.102.14.246 | h82-102-14-246.host.redstation.co.uk | High
19 | 83.142.230.138 | - | High
20 | 88.99.246.174 | static.174.246.99.88.clients.your-server.de | High
21 | ... | ... | ...
15 | ... | ... | ...

There are 52 more IOC items available. Please use our online service to access the data.
There are 58 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures
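Review bot: this hunk changes what is displayed, not the data: rows 15 through 20 leave the table and `21 | ... | ... | ...` becomes `15 | ... | ... | ...`, while the overflow count rises from 52 to 58, so the total is 72 either way (20 + 52 before, 14 + 58 after). If the truncation limit was lowered on purpose, state that somewhere, because anyone parsing the visible rows of this README silently loses six IP indicators (the four `82.102.14.x` redstation hosts, `83.142.230.138` and `88.99.246.174`) that are still part of the data set.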

@ -54,10 +48,9 @@ ID | Technique | Description | Confidence
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | T1211 | 7PK Security Features | High
5 | ... | ... | ...
4 | ... | ... | ...

There are 6 more TTP items available. Please use our online service to access the data.
There are 7 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack
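Review bot: the same display-only shift happens here: row 4 `T1211 | 7PK Security Features` drops out of view, `5 | ... | ... | ...` becomes `4 | ... | ... | ...`, and the overflow goes from 6 to 7, so the total stays at 10. Separately, the Description column pairs ATT&CK technique IDs with weakness-class names (`T1059.007` with `Cross Site Scripting`, `T1110.001` with `Improper Restriction of Excessive Authentication Attempts`) rather than the ATT&CK technique names for those IDs; a sentence in the README on how that mapping is derived, or a column header that says so, would stop readers from taking the text as the ATT&CK name.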

@ -75,9 +68,33 @@ ID | Type | Indicator | Confidence
8 | File | `/forum/away.php` | High
9 | File | `/getcfg.php` | Medium
10 | File | `/GetCSSashx/?CP=%2fwebconfig` | High
11 | ... | ... | ...
11 | File | `/HNAP1` | Low
12 | File | `/horde/util/go.php` | High
13 | File | `/includes/rrdtool.inc.php` | High
14 | File | `/irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.UserMapping` | High
15 | File | `/login` | Low
16 | File | `/monitoring` | Medium
17 | File | `/opt/vyatta/share/vyatta-cfg/templates/system/static-host-mapping/host-name/node.def` | High
18 | File | `/proc/#####/fd/3` | High
19 | File | `/proc/ioports` | High
20 | File | `/rom-0` | Low
21 | File | `/squashfs-root/www/HNAP1/control/SetWizardConfig.php` | High
22 | File | `/uncpath/` | Medium
23 | File | `/wp-content/plugins/updraftplus/admin.php` | High
24 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
25 | File | `adclick.php` | Medium
26 | File | `addentry.php` | Medium
27 | File | `add_edit_user.asp` | High
28 | File | `add_to_cart.php` | High
29 | File | `admin.php` | Medium
30 | File | `admin/class-bulk-editor-list-table.php` | High
31 | File | `admin/dl_data.php` | High
32 | File | `admin/index.php` | High
33 | File | `admin/index.php?n=ui_set&m=admin&c=index&a=doget_text_content&table=lang&field=1` | High
34 | File | `admin/system_manage/save.html` | High
35 | ... | ... | ...

There are 376 more IOA items available. Please use our online service to access the data.
There are 304 more IOA items available. Please use our online service to access the data.

## References
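Review bot: the truncation is inconsistent within this one commit: this table now lists 34 rows before `35 | ... | ... | ...`, while the IOC table two hunks up was cut to 14. Pick one limit, or document the rule, so a reader can tell a shorter table from a smaller data set (here the total actually falls from 386 to 338 while the visible part grows). Also worth flagging for defenders: the new rows put HTTP request paths (`/HNAP1`, `/login`, `/monitoring`) and local filesystem paths (`/proc/#####/fd/3`, `/proc/ioports`) under the single type `File`; web-server log matching and host file monitoring are different detections, so a type that separates the two would make the list directly usable.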

@ -96,9 +113,9 @@ The following list contains external sources which discuss the actor and the ass

The following articles explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -1,6 +1,6 @@
# APT38 - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT38](https://vuldb.com/?actor.apt38). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT38](https://vuldb.com/?actor.apt38). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt38](https://vuldb.com/?actor.apt38)

@ -45,16 +45,9 @@ ID | Type | Indicator | Confidence
1 | File | `json-stringifier.h` | High
2 | File | `mm/memory.c` | Medium
3 | File | `\\.\pipe\WPSCloudSvr\WpsCloudSvr` | High
4 | Library | `DNSAPI.dll` | Medium
5 | Library | `kso.dll` | Low
6 | Library | `mshtml.dll` | Medium
7 | Library | `system/libraries/Email.php` | High
8 | Argument | `content` | Low
9 | Argument | `email->from` | Medium
10 | Argument | `location.href` | High
11 | ... | ... | ...
4 | ... | ... | ...

There are 5 more IOA items available. Please use our online service to access the data.
There are 12 more IOA items available. Please use our online service to access the data.

## References

@ -66,9 +59,9 @@ The following list contains external sources which discuss the actor and the ass

The following articles explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -9,6 +9,7 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
The following campaigns are known and can be associated with APT41:

* CVE-2019-19781
* MoonBounce

## Countries
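Review bot: the new `* MoonBounce` entry is a campaign name while the existing `* CVE-2019-19781` entry is a vulnerability identifier; the list is introduced as "campaigns", so either name the campaign that the CVE entry stands for or note in the README that exploitation of a tracked CVE is listed as a campaign. Good to see the securelist.com MoonBounce write-up added to the references further down in this same commit, so the new entry is sourced.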

@ -19,7 +20,7 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
* RU
* ...

There are 7 more country items available. Please use our online service to access the data.
There are 13 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -27,28 +28,24 @@ These indicators of compromise indicate associated network ressources which are

ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 23.67.95.153 | a23-67-95-153.deploy.static.akamaitechnologies.com | High
2 | 43.255.191.255 | - | High
3 | 45.76.6.149 | 45.76.6.149.vultr.com | Medium
4 | 45.76.75.219 | 45.76.75.219.vultr.com | Medium
5 | 45.138.157.78 | vm303301.pq.hosting | High
6 | 61.78.62.21 | - | High
7 | 61.195.98.245 | h61-195-98-245.ablenetvps.ne.jp | High
8 | 66.42.48.186 | 66.42.48.186.vultr.com | Medium
9 | 66.42.98.220 | 66.42.98.220.vultr.com | Medium
10 | 66.42.103.222 | 66.42.103.222.vultr.com | Medium
11 | 66.42.107.133 | 66.42.107.133.vultr.com | Medium
12 | 66.98.126.203 | 66.98.126.203.16clouds.com | High
13 | 67.198.161.250 | 67.198.161.250.CUSTOMER.KRYPT.COM | High
14 | 67.198.161.251 | 67.198.161.251.CUSTOMER.KRYPT.COM | High
15 | 67.198.161.252 | 67.198.161.252.CUSTOMER.KRYPT.COM | High
16 | 74.82.201.8 | 74.82.201.8.16clouds.com | High
17 | 91.208.184.78 | wk-azure.biz | High
18 | 103.19.3.21 | 103.19.3.21.static.xtom.com | High
19 | 103.19.3.109 | 103.19.3.109.static.xtom.com | High
20 | ... | ... | ...
1 | 5.183.101.21 | bestofgy.co.uk | High
2 | 5.183.101.114 | - | High
3 | 5.183.103.122 | - | High
4 | 5.188.93.132 | gcorelabs.paris.vpn015 | High
5 | 5.188.108.22 | pol1.htjsq.com | High
6 | 5.188.108.228 | xc5.exclusivacondominios.com | High
7 | 5.189.222.33 | spain466.es | High
8 | 23.67.95.153 | a23-67-95-153.deploy.static.akamaitechnologies.com | High
9 | 43.255.191.255 | - | High
10 | 45.76.6.149 | 45.76.6.149.vultr.com | Medium
11 | 45.76.75.219 | 45.76.75.219.vultr.com | Medium
12 | 45.128.132.6 | - | High
13 | 45.128.135.15 | - | High
14 | 45.138.157.78 | srv1.fincantleri.co | High
15 | 61.78.62.21 | - | High
16 | ... | ... | ...

There are 38 more IOC items available. Please use our online service to access the data.
There are 60 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures
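Review bot: `45.138.157.78` stays in the table but its hostname changes from `vm303301.pq.hosting` to `srv1.fincantleri.co`, the whole leading block (`5.183.101.21` through `5.189.222.33`) is new, and the vultr, 16clouds, KRYPT and xtom rows fall below the `16 | ... | ... | ...` cut. Reverse DNS on hosting-provider address space changes hands, so a hostname observed at one point in time is weak evidence on its own; a first-seen/last-seen column, or at least a date on the file, would let a defender decide whether to alert on the IP, the hostname, or neither. The totals change as well (19 + 38 = 57 before, 15 + 60 = 75 after), so unlike the APT34 hunks this is a data update and not only a display change.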

@ -58,10 +55,10 @@ ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1211 | 7PK Security Features | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...

There are 6 more TTP items available. Please use our online service to access the data.
There are 7 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

@ -78,10 +75,23 @@ ID | Type | Indicator | Confidence
7 | File | `/get_getnetworkconf.cgi` | High
8 | File | `/lists/admin/` | High
9 | File | `/login.cgi?logout=1` | High
10 | File | `/public/login.htm` | High
11 | ... | ... | ...
10 | File | `/module/admin_logs` | High
11 | File | `/public/login.htm` | High
12 | File | `/public/plugins/` | High
13 | File | `/replication` | Medium
14 | File | `/start-stop` | Medium
15 | File | `/tmp/app/.env` | High
16 | File | `/uncpath/` | Medium
17 | File | `/WEB-INF/web.xml` | High
18 | File | `/wp-admin/admin-ajax.php` | High
19 | File | `/_next` | Low
20 | File | `adclick.php` | Medium
21 | File | `addentry.php` | Medium
22 | File | `addrating.php` | High
23 | File | `admin/conf_users_edit.php` | High
24 | ... | ... | ...

There are 126 more IOA items available. Please use our online service to access the data.
There are 202 more IOA items available. Please use our online service to access the data.

## References
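Review bot: the ID column is positional: inserting `/module/admin_logs` at 10 pushes `/public/login.htm` from 10 to 11, so the same indicator carries a different ID before and after this change. Either state in the README that IDs are row numbers with no meaning across revisions, or add a stable key; otherwise anything that references "APT41 IOA 10" points at a different path after this commit. The total here grows from 136 (10 + 126) to 225 (23 + 202), so this is a genuine data update as well.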

@ -91,6 +101,7 @@ The following list contains external sources which discuss the actor and the ass
* https://github.com/blackberry/threat-research-and-intelligence/blob/main/APT41.csv
* https://github.com/eset/malware-ioc/tree/master/winnti_group
* https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf
* https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/
* https://vxug.fakedoma.in/archive/APTs/2021/2021.01.14/APT%2041.pdf
* https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
* https://www.threatminer.org/report.php?q=OfPigsandMalwareExaminingaPossibleMemberoftheWinntiGroup-TrendMicro.pdf&y=2017

@ -108,4 +119,4 @@ The following articles explain our unique predictive cyber threat intelligence:

## License

(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -1,6 +1,6 @@
# ActionRAT - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [ActionRAT](https://vuldb.com/?actor.actionrat). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [ActionRAT](https://vuldb.com/?actor.actionrat). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.actionrat](https://vuldb.com/?actor.actionrat)

@ -48,15 +48,9 @@ ID | Type | Indicator | Confidence
2 | File | `admin/index.php` | High
3 | File | `books.php` | Medium
4 | File | `data/gbconfiguration.dat` | High
5 | File | `filter.php` | Medium
6 | File | `guestbook.cgi` | High
7 | File | `inc/config.php` | High
8 | File | `lib/krb5/asn.1/asn1_encode.c` | High
9 | File | `login.php` | Medium
10 | File | `mdeploy.php` | Medium
11 | ... | ... | ...
5 | ... | ... | ...

There are 23 more IOA items available. Please use our online service to access the data.
There are 29 more IOA items available. Please use our online service to access the data.

## References

@ -68,9 +62,9 @@ The following list contains external sources which discuss the actor and the ass

The following articles explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -1,6 +1,6 @@
# Adwind - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Adwind](https://vuldb.com/?actor.adwind). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Adwind](https://vuldb.com/?actor.adwind). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.adwind](https://vuldb.com/?actor.adwind)

@ -9,11 +9,11 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Adwind:

* US
* CO
* RU
* FR
* ...

There are 13 more country items available. Please use our online service to access the data.
There are 16 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -36,14 +36,19 @@ ID | IP address | Hostname | Confidence
13 | 23.227.199.72 | 23-227-199-72.static.hvvc.us | High
14 | 23.227.199.118 | 23-227-199-118.static.hvvc.us | High
15 | 23.227.199.121 | 23-227-199-121.static.hvvc.us | High
16 | 23.231.23.182 | - | High
16 | 23.231.23.182 | mx6.touringul.com | High
17 | 31.31.196.31 | server31.hosting.reg.ru | High
18 | 31.171.155.72 | - | High
19 | 37.61.235.30 | - | High
20 | 46.20.33.76 | - | High
21 | ... | ... | ...
21 | 50.7.199.164 | - | High
22 | 51.254.21.25 | ip25.ip-51-254-21.eu | High
23 | 65.99.225.111 | hv36svg168.neubox.net | High
24 | 67.215.4.74 | - | High
25 | 67.215.4.75 | - | High
26 | ... | ... | ...

There are 106 more IOC items available. Please use our online service to access the data.
There are 101 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

@ -54,10 +59,9 @@ ID | Technique | Description | Confidence
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | T1211 | 7PK Security Features | High
5 | ... | ... | ...
4 | ... | ... | ...

There are 8 more TTP items available. Please use our online service to access the data.
There are 3 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

@ -65,19 +69,15 @@ These indicators of attack list the potential fragments used for technical activ

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `%windir%\Internet Logs\` | High
2 | File | `/admin/link.php?action=addlink` | High
3 | File | `/ajax/GetInheritedProperties` | High
4 | File | `/anony/mjpg.cgi` | High
5 | File | `/browse.PROJECTKEY` | High
6 | File | `/data/admin/#/app/config/` | High
7 | File | `/etc/group` | Medium
8 | File | `/forum/away.php` | High
9 | File | `/info.xml` | Medium
10 | File | `/knowage/restful-services/signup/update` | High
11 | ... | ... | ...
1 | File | `/irj/portal/` | Medium
2 | File | `/phppath/php` | Medium
3 | File | `/uncpath/` | Medium
4 | File | `acl.c` | Low
5 | File | `admin/index.php?n=ui_set&m=admin&c=index&a=doget_text_content&table=lang&field=1` | High
6 | File | `administrator/components/com_media/helpers/media.php` | High
7 | ... | ... | ...

There are 247 more IOA items available. Please use our online service to access the data.
There are 48 more IOA items available. Please use our online service to access the data.

## References
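Review bot: the Adwind IOA total drops from 257 (10 listed + 247 more) to 54 (6 listed + 48 more), and none of the ten previously visible paths (`/admin/link.php?action=addlink`, `/anony/mjpg.cgi`, `/knowage/restful-services/signup/update` and the rest) appear among the six new visible rows; the TTP table in the hunk above shrinks the same way, from 12 to 6. Nothing in either hunk says whether indicators were retired, re-attributed to another actor or filtered by a new confidence threshold, so a detection rule built from the earlier list loses coverage it cannot account for. A changelog line, or a sentence in the README on how the indicator set is pruned, would make a reduction of this size reviewable.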
|
||||
|
||||
|
@ -89,9 +89,9 @@ The following list contains external sources which discuss the actor and the ass
|
|||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# Arid Viper - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Arid Viper](https://vuldb.com/?actor.arid_viper). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Arid Viper](https://vuldb.com/?actor.arid_viper). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.arid_viper](https://vuldb.com/?actor.arid_viper)
|
||||
|
||||
|
@ -47,15 +47,9 @@ ID | Type | Indicator | Confidence
|
|||
2 | File | `add_comment.php` | High
|
||||
3 | File | `admin/index.php` | High
|
||||
4 | File | `data/gbconfiguration.dat` | High
|
||||
5 | File | `e2_header.inc.php` | High
|
||||
6 | File | `email.php` | Medium
|
||||
7 | File | `Forms/tools_admin_1` | High
|
||||
8 | File | `ftpcmd.c` | Medium
|
||||
9 | File | `gb.cgi` | Low
|
||||
10 | File | `inc/config.php` | High
|
||||
11 | ... | ... | ...
|
||||
5 | ... | ... | ...
|
||||
|
||||
There are 19 more IOA items available. Please use our online service to access the data.
|
||||
There are 25 more IOA items available. Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
@ -68,9 +62,9 @@ The following list contains external sources which discuss the actor and the ass
|
|||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# BEAR - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [BEAR](https://vuldb.com/?actor.bear). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [BEAR](https://vuldb.com/?actor.bear). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.bear](https://vuldb.com/?actor.bear)
|
||||
|
||||
|
@ -13,7 +13,7 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
|
|||
* UA
|
||||
* ...
|
||||
|
||||
There are 3 more country items available. Please use our online service to access the data.
|
||||
There are 4 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -50,16 +50,9 @@ ID | Type | Indicator | Confidence
|
|||
1 | File | `/index.php` | Medium
|
||||
2 | File | `/uncpath/` | Medium
|
||||
3 | File | `add_comment.php` | High
|
||||
4 | File | `data/gbconfiguration.dat` | High
|
||||
5 | File | `FlexCell.ocx` | Medium
|
||||
6 | File | `forums.aspx` | Medium
|
||||
7 | File | `forums.php` | Medium
|
||||
8 | File | `index.php` | Medium
|
||||
9 | File | `install.php` | Medium
|
||||
10 | File | `photo-gallery.php` | High
|
||||
11 | ... | ... | ...
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 16 more IOA items available. Please use our online service to access the data.
|
||||
There are 24 more IOA items available. Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
@ -72,9 +65,9 @@ The following list contains external sources which discuss the actor and the ass
|
|||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# Baldr - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Baldr](https://vuldb.com/?actor.baldr). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Baldr](https://vuldb.com/?actor.baldr). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.baldr](https://vuldb.com/?actor.baldr)
|
||||
|
||||
|
@ -8,12 +8,7 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
|
|||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Baldr:
|
||||
|
||||
* US
|
||||
* CN
|
||||
* RU
|
||||
* ...
|
||||
|
||||
There are 16 more country items available. Please use our online service to access the data.
* NL
## IOC - Indicator of Compromise
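Review bot: the country list shrinks from US, CN, RU plus 16 further items to a single NL entry, which is a change in the actor's attribution data rather than a formatting update and should be called out in the commit; consumers that key on country associations need to know that the earlier entries were withdrawn, not merely hidden below the truncation line.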
@ -39,11 +34,15 @@ ID | IP address | Hostname | Confidence
16 | 18.221.49.166 | ec2-18-221-49-166.us-east-2.compute.amazonaws.com | Medium
17 | 23.19.58.101 | - | High
18 | 23.95.95.61 | 23-95-95-61-host.colocrossing.com | High
19 | 23.254.217.112 | hwsrv-901988.hostwindsdns.com | High
20 | 23.254.225.240 | hwsrv-907360.hostwindsdns.com | High
21 | ... | ... | ...
19 | 23.254.217.112 | hwsrv-930282.hostwindsdns.com | High
20 | 23.254.225.240 | sha29.phpautomailer.com | High
21 | 45.64.186.10 | 45-64-186-10.static.bangmod-idc.com | High
22 | 45.77.252.143 | 45.77.252.143.vultr.com | Medium
23 | 46.30.42.130 | assetshub.com | High
24 | 46.249.62.196 | - | High
25 | ... | ... | ...
There are 101 more IOC items available. Please use our online service to access the data.
There are 97 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
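Review bot: rows 19 and 20 keep their IP addresses (23.254.217.112, 23.254.225.240) but the hostname column changes (hwsrv-901988.hostwindsdns.com to hwsrv-930282.hostwindsdns.com, hwsrv-907360.hostwindsdns.com to sha29.phpautomailer.com) while confidence stays High; these are reverse-DNS snapshots on shared hosting and will keep drifting, so detection content should key on the IP and the table should record the lookup date. The counter reconciles: rows 21 to 24 become visible and the remaining count drops from 101 to 97.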
@ -56,7 +55,7 @@ ID | Technique | Description | Confidence
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
There are 6 more TTP items available. Please use our online service to access the data.
There are 8 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -64,19 +63,46 @@ These indicators of attack list the potential fragments used for technical activ
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/+CSCOE+/logon.html` | High
2 | File | `/admin/functions.php` | High
3 | File | `/auth/login` | Medium
4 | File | `/download` | Medium
5 | File | `/forum/away.php` | High
6 | File | `/goform/saveParentControlInfo` | High
7 | File | `/inc/lists/edit-list.php` | High
8 | File | `/Interface/DevManage/EC.php?cmd=upload` | High
9 | File | `/MicroStrategyWS/happyaxis.jsp` | High
10 | File | `/modules/projects/vw_files.php` | High
11 | ... | ... | ...
1 | File | `.travis.yml` | Medium
2 | File | `/.env` | Low
3 | File | `/admin.php` | Medium
4 | File | `/admin/config.php?display=disa&view=form` | High
5 | File | `/BRS_netgear_success.html` | High
6 | File | `/category_view.php` | High
7 | File | `/dev/kmem` | Medium
8 | File | `/dev/shm` | Medium
9 | File | `/medical/inventories.php` | High
10 | File | `/monitoring` | Medium
11 | File | `/NAGErrors` | Medium
12 | File | `/plugins/servlet/audit/resource` | High
13 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
14 | File | `/proc/ioports` | High
15 | File | `/replication` | Medium
16 | File | `/rest/api/2/user/picker` | High
17 | File | `/RestAPI` | Medium
18 | File | `/rom-0` | Low
19 | File | `/tmp` | Low
20 | File | `/tmp/speedtest_urls.xml` | High
21 | File | `/uncpath/` | Medium
22 | File | `/var/log/nginx` | High
23 | File | `/wp-admin/admin.php` | High
24 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
25 | File | `abook_database.php` | High
26 | File | `account.asp` | Medium
27 | File | `admin-ajax.php?action=get_wdtable order[0][dir]` | High
28 | File | `admin/index.php` | High
29 | File | `admin/login.php` | High
30 | File | `admincp.php` | Medium
31 | File | `admincp.php?app=apps&do=save` | High
32 | File | `admincp.php?app=files` | High
33 | File | `admin\model\catalog\download.php` | High
34 | File | `ajax/render/widget_php` | High
35 | File | `apcupsd.pid` | Medium
36 | File | `api/sms/send-sms` | High
37 | File | `api/v1/alarms` | High
38 | ... | ... | ...
There are 248 more IOA items available. Please use our online service to access the data.
There are 323 more IOA items available. Please use our online service to access the data.
## References
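Review bot: several of the new File indicators are generic paths carried at Low or Medium confidence (`/.env`, `/tmp`, `/dev/shm`, `/rom-0`, `/monitoring`, `.travis.yml`); loaded wholesale into a log-matching or WAF rule they will fire on routine traffic, so the IOA paragraph should state that such entries are exploit-path fragments shared across many actors and recommend filtering on confidence. The total also grows from 258 (10 shown plus 248) to 360 (37 shown plus 323) without explanation.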
@ -88,9 +114,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -1,6 +1,6 @@
# Bitter - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Bitter](https://vuldb.com/?actor.bitter). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Bitter](https://vuldb.com/?actor.bitter). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.bitter](https://vuldb.com/?actor.bitter)
@ -43,9 +43,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -1,6 +1,6 @@
# Bublik - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Bublik](https://vuldb.com/?actor.bublik). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Bublik](https://vuldb.com/?actor.bublik). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.bublik](https://vuldb.com/?actor.bublik)
@ -27,9 +27,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -51,4 +51,4 @@ The following articles explain our unique predictive cyber threat intelligence:
## License
(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -0,0 +1,45 @@
# Chalubo - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Chalubo](https://vuldb.com/?actor.chalubo). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.chalubo](https://vuldb.com/?actor.chalubo)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Chalubo:
* CN
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Chalubo.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 103.27.185.139 | - | High
2 | 103.82.143.51 | - | High
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Chalubo. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://twitter.com/zom3y3/status/1229258375189262336
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
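Review bot: "ressources" in the IOC paragraph should be "resources"; the sentence comes from the shared template, so fix it in the generator rather than in this file alone. The References section rests on a single tweet (https://twitter.com/zom3y3/status/1229258375189262336), which can vanish at any time; an archived copy or a second source would keep the attribution of the two High-confidence IPs verifiable.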
@ -1,6 +1,6 @@
# Charming Kitten - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Charming Kitten](https://vuldb.com/?actor.charming_kitten). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Charming Kitten](https://vuldb.com/?actor.charming_kitten). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.charming_kitten](https://vuldb.com/?actor.charming_kitten)
@ -8,12 +8,12 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Charming Kitten:
* US
* NL
* ES
* CN
* US
* ...
There are 17 more country items available. Please use our online service to access the data.
There are 23 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
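Review bot: the visible sample drops from four entries (US, NL, ES, CN) to one (US) while the remaining-items counter rises from 17 to 23, so the total moves from 21 to 24; because the number of rows shown varies between regenerations, the hunk reads as if NL, ES and CN were removed when they may only have slipped below the cut-off. Fix the visible-row count in the generator so that only real data changes produce diffs.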
@ -40,10 +40,11 @@ ID | IP address | Hostname | Confidence
17 | 51.254.254.217 | me14.mecide.com | High
18 | 51.255.28.57 | - | High
19 | 54.36.217.8 | ip8.ip-54-36-217.eu | High
20 | 54.37.164.254 | ip254.ip-54-37-164.eu | High
21 | ... | ... | ...
20 | 54.37.164.254 | - | High
21 | 69.30.221.126 | - | High
22 | ... | ... | ...
There are 87 more IOC items available. Please use our online service to access the data.
There are 86 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
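Review bot: row 20 keeps 54.37.164.254 at High confidence but its hostname changes from ip254.ip-54-37-164.eu to "-", which means the PTR record was absent at regeneration time; document that "-" means "no reverse record at lookup time" so readers do not take it for a changed indicator. The counts reconcile (20 shown plus 87 and 21 shown plus 86 both total 107), so the only real change is the new row 21, 69.30.221.126.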
@ -51,11 +52,10 @@ Tactics, techniques, and procedures summarize the suspected ATT&CK techniques us
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1040 | Authentication Bypass by Capture-replay | High
2 | T1059.007 | Cross Site Scripting | High
3 | T1068 | Execution with Unnecessary Privileges | High
4 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
5 | ... | ... | ...
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
There are 7 more TTP items available. Please use our online service to access the data.
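Review bot: the T1040 row ("Authentication Bypass by Capture-replay") is dropped and the remaining rows renumbered while the counter stays at 7, so the technique count falls from 11 to 10 with no explanation; since the ID column is renumbered on every regeneration it is not a stable key, and consumers should join on the technique ID instead. Separately, the Description column carries CWE weakness titles rather than ATT&CK technique names: in ATT&CK, T1040 is Network Sniffing, T1059.007 is Command and Scripting Interpreter: JavaScript, T1068 is Exploitation for Privilege Escalation and T1110.001 is Brute Force: Password Guessing, whereas "Authentication Bypass by Capture-replay", "Cross Site Scripting", "Execution with Unnecessary Privileges" and "Improper Restriction of Excessive Authentication Attempts" are the titles of CWE-294, CWE-79, CWE-250 and CWE-307. Add a CWE column or relabel Description as the mapped weakness.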
@ -65,19 +65,39 @@ These indicators of attack list the potential fragments used for technical activ
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `'phpshell.php` | High
2 | File | `..\WWWRoot\CustomPages\aspshell.asp` | High
3 | File | `/about-us/locations/index` | High
4 | File | `/admin/` | Low
5 | File | `/admin/account/changepassword` | High
6 | File | `/admin/index.php` | High
7 | File | `/admin/pin/websitepin` | High
8 | File | `/admin_giant/add_gallery.php` | High
9 | File | `/admin_giant/add_team_member.php` | High
10 | File | `/api/addusers` | High
11 | ... | ... | ...
1 | File | `.travis.yml` | Medium
2 | File | `/.env` | Low
3 | File | `/?module=users§ion=cpanel&page=list` | High
4 | File | `/admin.php` | Medium
5 | File | `/admin/powerline` | High
6 | File | `/admin/syslog` | High
7 | File | `/api/upload` | Medium
8 | File | `/cgi-bin` | Medium
9 | File | `/context/%2e/WEB-INF/web.xml` | High
10 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
11 | File | `/medical/inventories.php` | High
12 | File | `/monitoring` | Medium
13 | File | `/new` | Low
14 | File | `/plugins/servlet/audit/resource` | High
15 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
16 | File | `/proc/<pid>/status` | High
17 | File | `/public/plugins/` | High
18 | File | `/replication` | Medium
19 | File | `/RestAPI` | Medium
20 | File | `/scripts/killpvhost` | High
21 | File | `/secure/QueryComponent!Default.jspa` | High
22 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
23 | File | `/tmp` | Low
24 | File | `/tmp/redis.ds` | High
25 | File | `/uncpath/` | Medium
26 | File | `/var/log/nginx` | High
27 | File | `/wp-admin` | Medium
28 | File | `/wp-json/wc/v3/webhooks` | High
29 | File | `actions/CompanyDetailsSave.php` | High
30 | File | `ActiveServices.java` | High
31 | ... | ... | ...
There are 1236 more IOA items available. Please use our online service to access the data.
There are 260 more IOA items available. Please use our online service to access the data.
## References
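Review bot: the indicator total falls from 1246 (10 shown plus 1236) to 290 (30 shown plus 260), a removal of roughly three quarters of this actor's IOAs that the commit does not explain. The new rows also include pattern-like entries such as `/proc/<pid>/status` (and presumably `/plugins/servlet/project-config/PROJECT/roles`) whose placeholder tokens will never match literally, so the table should mark which indicators are patterns rather than literal strings; the old row `'phpshell.php` with its stray leading quote shows the same need for input normalisation.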
@ -91,9 +111,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -1,6 +1,6 @@
# Chimera - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Chimera](https://vuldb.com/?actor.chimera). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Chimera](https://vuldb.com/?actor.chimera). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.chimera](https://vuldb.com/?actor.chimera)
@ -25,12 +25,9 @@ ID | IP address | Hostname | Confidence
2 | 5.254.64.234 | - | High
3 | 5.254.112.226 | - | High
4 | 14.229.140.66 | static.vnpt.vn | High
5 | 23.236.77.94 | - | High
6 | 39.109.5.135 | - | High
7 | 43.250.200.106 | - | High
8 | ... | ... | ...
5 | ... | ... | ...
There are 13 more IOC items available. Please use our online service to access the data.
There are 16 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
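Review bot: no indicator changed here: 7 shown plus 13 remaining and 4 shown plus 16 remaining both total 20, so rows 4 to 7 (14.229.140.66, 23.236.77.94, 39.109.5.135, 43.250.200.106) have only dropped below the visible cut-off and the hunk is noise from the variable row count.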
@ -61,9 +58,12 @@ ID | Type | Indicator | Confidence
8 | File | `admin/index.php?n=ui_set&m=admin&c=index&a=doget_text_content&table=lang&field=1` | High
9 | File | `administrator/components/com_media/helpers/media.php` | High
10 | File | `APPFLT.SYS` | Medium
11 | ... | ... | ...
11 | File | `auth-gss2.c` | Medium
12 | File | `authors.pwd` | Medium
13 | File | `CFIDE/componentutils/cfcexplorer.cfc` | High
14 | ... | ... | ...
There are 115 more IOA items available. Please use our online service to access the data.
There are 113 more IOA items available. Please use our online service to access the data.
## References
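Review bot: the added row `auth-gss2.c`, like `APPFLT.SYS` just above it, is an affected-component name taken from a vulnerability record (a C source file, a driver) rather than a request path a defender would match in web logs; a consumer that treats every File indicator as an observable artifact will build rules that can never match, so the Type column should distinguish request paths from component names. The counter moves from 115 to 113 while three rows are added, a net change of one (125 to 126), which is worth confirming against the data.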
@ -76,9 +76,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -27,11 +27,9 @@ ID | IP address | Hostname | Confidence
1 | 24.64.36.238 | mail.target-realty.com | High
2 | 45.63.62.109 | 45.63.62.109.vultr.com | Medium
3 | 45.76.173.103 | 45.76.173.103.vultr.com | Medium
4 | 45.77.121.232 | 45.77.121.232.vultr.com | Medium
5 | 66.42.98.156 | 66.42.98.156.vultr.com | Medium
6 | ... | ... | ...
4 | ... | ... | ...
There are 9 more IOC items available. Please use our online service to access the data.
There are 11 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -56,15 +54,9 @@ ID | Type | Indicator | Confidence
2 | File | `data/gbconfiguration.dat` | High
3 | File | `flow.php` | Medium
4 | File | `goform/setUsbUnload` | High
5 | File | `HTTPServerILServlet.java` | High
6 | File | `login_meeting.cgi` | High
7 | File | `manager.c` | Medium
8 | File | `options.cpp` | Medium
9 | File | `redir.php` | Medium
10 | File | `register.php` | Medium
11 | ... | ... | ...
5 | ... | ... | ...
There are 21 more IOA items available. Please use our online service to access the data.
There are 27 more IOA items available. Please use our online service to access the data.
## References
@ -82,4 +74,4 @@ The following articles explain our unique predictive cyber threat intelligence:
## License
(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -1,6 +1,6 @@
# DanaBot - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [DanaBot](https://vuldb.com/?actor.danabot). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [DanaBot](https://vuldb.com/?actor.danabot). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.danabot](https://vuldb.com/?actor.danabot)
@ -24,10 +24,9 @@ ID | IP address | Hostname | Confidence
1 | 5.8.55.205 | carpbaboon.com | High
2 | 31.214.157.12 | mail.private-mail.nl | High
3 | 47.74.130.165 | - | High
4 | 149.154.157.106 | 106.157.154.149.in-addr.arpa | High
5 | ... | ... | ...
4 | ... | ... | ...
There are 8 more IOC items available. Please use our online service to access the data.
There are 9 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
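Review bot: the row leaving the visible table, `149.154.157.106 | 106.157.154.149.in-addr.arpa`, exposes a generator bug worth its own fix: the hostname column holds the reverse-lookup query name (the octets reversed under in-addr.arpa), which is the name that was queried, not an answer; it shows up when the code falls back to the query name on a missing PTR record, and such cases should render as "-" like row 3. The counter reconciles (4 shown plus 8 and 3 shown plus 9 both total 12), so no indicator was removed.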
@ -60,7 +59,7 @@ ID | Type | Indicator | Confidence
10 | File | `admin/user.php?form=update_f&user_name` | High
11 | ... | ... | ...
There are 80 more IOA items available. Please use our online service to access the data.
There are 81 more IOA items available. Please use our online service to access the data.
## References
@ -72,9 +71,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -1,6 +1,6 @@
# Dark Caracal - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Dark Caracal](https://vuldb.com/?actor.dark_caracal). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Dark Caracal](https://vuldb.com/?actor.dark_caracal). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.dark_caracal](https://vuldb.com/?actor.dark_caracal)
@ -10,10 +10,10 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
* CZ
* US
* FR
* CN
* ...
There are 3 more country items available. Please use our online service to access the data.
There are 5 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -47,16 +47,9 @@ ID | Type | Indicator | Confidence
1 | File | `/apply.cgi` | Medium
2 | File | `apply.cgi` | Medium
3 | File | `data/gbconfiguration.dat` | High
4 | File | `inc/config.php` | High
5 | File | `ipp.c` | Low
6 | File | `product_desc.php` | High
7 | File | `software-description.php` | High
8 | File | `system/admin/dash_additem.php` | High
9 | File | `wp-admin/post.php` | High
|
||||
10 | Argument | `basePath` | Medium
|
||||
11 | ... | ... | ...
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 11 more IOA items available. Please use our online service to access the data.
|
||||
There are 22 more IOA items available. Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
@ -68,9 +61,9 @@ The following list contains external sources which discuss the actor and the ass

The following articles explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -1,6 +1,6 @@
# DarkHydrus - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [DarkHydrus](https://vuldb.com/?actor.darkhydrus). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [DarkHydrus](https://vuldb.com/?actor.darkhydrus). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.darkhydrus](https://vuldb.com/?actor.darkhydrus)

@ -51,13 +51,9 @@ ID | Type | Indicator | Confidence
4 | File | `4.3.0.CP04` | Medium
5 | File | `addentry.php` | Medium
6 | File | `add_comment.php` | High
7 | File | `comment_add.asp` | High
8 | File | `data/gbconfiguration.dat` | High
9 | File | `download.php` | Medium
10 | File | `goto.php` | Medium
11 | ... | ... | ...
7 | ... | ... | ...

There are 36 more IOA items available. Please use our online service to access the data.
There are 46 more IOA items available. Please use our online service to access the data.

## References

@ -72,9 +68,9 @@ The following list contains external sources which discuss the actor and the ass

The following articles explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -51,4 +51,4 @@ The following articles explain our unique predictive cyber threat intelligence:

## License

(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -1,6 +1,6 @@
# Dofoil - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Dofoil](https://vuldb.com/?actor.dofoil). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Dofoil](https://vuldb.com/?actor.dofoil). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.dofoil](https://vuldb.com/?actor.dofoil)

@ -26,13 +26,9 @@ ID | IP address | Hostname | Confidence
3 | 23.6.24.15 | a23-6-24-15.deploy.static.akamaitechnologies.com | High
4 | 23.6.65.194 | a23-6-65-194.deploy.static.akamaitechnologies.com | High
5 | 23.209.185.159 | a23-209-185-159.deploy.static.akamaitechnologies.com | High
6 | 27.100.36.191 | - | High
7 | 45.63.25.55 | 45.63.25.55.vultr.com | Medium
8 | 50.3.75.246 | web.netkolik.org | High
9 | 50.21.183.63 | - | High
10 | ... | ... | ...
6 | ... | ... | ...

There are 16 more IOC items available. Please use our online service to access the data.
There are 20 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

@ -59,10 +55,9 @@ ID | Type | Indicator | Confidence
7 | File | `catalog.asp` | Medium
8 | File | `dapur/index.php` | High
9 | File | `data/gbconfiguration.dat` | High
10 | File | `dc_categorieslist.asp` | High
11 | ... | ... | ...
10 | ... | ... | ...

There are 69 more IOA items available. Please use our online service to access the data.
There are 79 more IOA items available. Please use our online service to access the data.

## References

@ -74,9 +69,9 @@ The following list contains external sources which discuss the actor and the ass

The following articles explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -1,6 +1,6 @@
# Dokkaebi - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Dokkaebi](https://vuldb.com/?actor.dokkaebi). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Dokkaebi](https://vuldb.com/?actor.dokkaebi). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.dokkaebi](https://vuldb.com/?actor.dokkaebi)

@ -22,9 +22,9 @@ The following list contains external sources which discuss the actor and the ass

The following articles explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -1,19 +1,26 @@
# Donot - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Donot](https://vuldb.com/?actor.donot). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Donot](https://vuldb.com/?actor.donot). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.donot](https://vuldb.com/?actor.donot)

## Campaigns

The following campaigns are known and can be associated with Donot:

* DarkMusical
* Gedit

## Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Donot:

* US
* DE
* CA
* TR
* GB
* ...

There are 17 more country items available. Please use our online service to access the data.
There are 18 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -23,22 +30,16 @@ ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 5.135.19.26 | - | High
2 | 5.135.199.0 | - | High
3 | 37.120.140.211 | - | High
4 | 37.139.3.130 | - | High
5 | 37.139.28.208 | - | High
6 | 45.33.29.133 | li1046-133.members.linode.com | High
7 | 46.101.204.168 | - | High
8 | 46.105.40.12 | ip12.ip-46-105-40.eu | High
9 | 66.42.75.101 | 66.42.75.101.vultr.com | Medium
10 | 72.14.188.71 | li54-71.members.linode.com | High
11 | 77.244.211.55 | www21.wricko.net | High
12 | 82.196.7.221 | - | High
13 | 85.204.74.117 | - | High
14 | 89.33.246.99 | - | High
15 | 95.85.15.131 | - | High
16 | ... | ... | ...
3 | 37.48.122.145 | - | High
4 | 37.120.140.211 | - | High
5 | 37.120.198.208 | - | High
6 | 37.139.3.130 | - | High
7 | 37.139.28.208 | - | High
8 | 45.33.29.133 | li1046-133.members.linode.com | High
9 | 46.101.204.168 | - | High
10 | ... | ... | ...

There are 28 more IOC items available. Please use our online service to access the data.
There are 38 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

@ -51,7 +52,7 @@ ID | Technique | Description | Confidence
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...

There are 5 more TTP items available. Please use our online service to access the data.
There are 6 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

@ -61,31 +62,43 @@ ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/+CSCOE+/logon.html` | High
2 | File | `/bin/login.php` | High
3 | File | `/de/cgi/dfs_guest/` | High
4 | File | `/htmlcode/html/indexdefault.asp` | High
5 | File | `/out.php` | Medium
6 | File | `/products/details.asp` | High
7 | File | `/uncpath/` | Medium
8 | File | `/var/www/xms/application/config/config.php` | High
9 | File | `/var/www/xms/application/controllers/gatherLogs.php` | High
10 | File | `/var/www/xms/application/controllers/verifyLogin.php` | High
11 | ... | ... | ...
3 | File | `/Category` | Medium
4 | File | `/de/cgi/dfs_guest/` | High
5 | File | `/event/runquery.do` | High
6 | File | `/htmlcode/html/indexdefault.asp` | High
7 | File | `/out.php` | Medium
8 | File | `/products/details.asp` | High
9 | File | `/system/ws/v11/ss/email` | High
10 | File | `/uncpath/` | Medium
11 | File | `/var/www/xms/application/config/config.php` | High
12 | File | `/var/www/xms/application/controllers/gatherLogs.php` | High
13 | File | `/var/www/xms/application/controllers/verifyLogin.php` | High
14 | File | `/var/www/xms/cleanzip.sh` | High
15 | File | `/wp-admin/admin-ajax.php` | High
16 | File | `adclick.php` | Medium
17 | File | `addentry.php` | Medium
18 | File | `admin/user.php` | High
19 | File | `agent.cfg` | Medium
20 | File | `api/admin/role/save` | High
21 | File | `app/controllers/application_controller.rb` | High
22 | ... | ... | ...

There are 132 more IOA items available. Please use our online service to access the data.
There are 181 more IOA items available. Please use our online service to access the data.

## References

The following list contains external sources which discuss the actor and the associated activities:

* https://github.com/faisalusuf/ThreatIntelligence/blob/main/APT%20DONOT%20TEAM/Tracking-DONOT-IOCs.csv
* https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/

## Literature

The following articles explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -1,6 +1,6 @@
# Dragonfly 2.0 - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Dragonfly 2.0](https://vuldb.com/?actor.dragonfly_2.0). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Dragonfly 2.0](https://vuldb.com/?actor.dragonfly_2.0). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.dragonfly_2.0](https://vuldb.com/?actor.dragonfly_2.0)

@ -24,9 +24,9 @@ The following list contains external sources which discuss the actor and the ass

The following articles explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -1,6 +1,6 @@
# Dragonfly - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Dragonfly](https://vuldb.com/?actor.dragonfly). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Dragonfly](https://vuldb.com/?actor.dragonfly). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.dragonfly](https://vuldb.com/?actor.dragonfly)

@ -15,8 +15,8 @@ The following campaigns are known and can be associated with Dragonfly:
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Dragonfly:

* US
* RU
* GB
* RU
* ...

There are 6 more country items available. Please use our online service to access the data.

@ -32,12 +32,9 @@ ID | IP address | Hostname | Confidence
3 | 5.196.167.184 | ip184.ip-5-196-167.eu | High
4 | 37.139.7.16 | - | High
5 | 51.159.28.101 | 51-159-28-101.rev.poneytelecom.eu | High
6 | 61.78.34.179 | - | High
7 | 91.183.104.150 | remote.degeest-audit.be | High
8 | 91.227.68.97 | www.socenter.ru | High
9 | ... | ... | ...
6 | ... | ... | ...

There are 15 more IOC items available. Please use our online service to access the data.
There are 18 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

@ -59,18 +56,17 @@ These indicators of attack list the potential fragments used for technical activ
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/cgi-bin/system_mgr.cgi` | High
2 | File | `/inc/HTTPClient.php` | High
3 | File | `/s/` | Low
4 | File | `/uncpath/` | Medium
5 | File | `/wbg/core/_includes/authorization.inc.php` | High
6 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
7 | File | `admin/import/class-import-settings.php` | High
8 | File | `ajax/comments.php` | High
9 | File | `architext.conf` | High
10 | File | `attachment_send.php` | High
11 | ... | ... | ...
2 | File | `/s/` | Low
3 | File | `/uncpath/` | Medium
4 | File | `/wbg/core/_includes/authorization.inc.php` | High
5 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
6 | File | `admin/import/class-import-settings.php` | High
7 | File | `ajax/comments.php` | High
8 | File | `architext.conf` | High
9 | File | `attachment_send.php` | High
10 | ... | ... | ...

There are 85 more IOA items available. Please use our online service to access the data.
There are 79 more IOA items available. Please use our online service to access the data.

## References

@ -86,9 +82,9 @@ The following list contains external sources which discuss the actor and the ass

The following articles explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

176
Emotet/README.md

@ -8,12 +8,12 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Emotet:

* US
* VN
* CN
* ES
* US
* ...

There are 40 more country items available. Please use our online service to access the data.
There are 5 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

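Review bot: the Emotet country count line drops from "40 more country items" to "5 more country items" in this hunk, while the next hunk of the same file (`@ -21,29 +21,114 @@`) grows the IOC table from 29 to 114 lines. A country list shrinking by 35 entries in the same regeneration that adds roughly 85 IOC rows looks like the country aggregation step lost data rather than the actor's footprint actually contracting; worth re-running the generator for this README and comparing against the live actor page before merging.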
@ -21,29 +21,114 @@ These indicators of compromise indicate associated network ressources which are

ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
|
||||
There are 425 more IOC items available. Please use our online service to access the data.
|
||||
There are 419 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
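Review bot: row 82 maps 49.12.121.47 to `filezilla-project.org` with High confidence, but that hostname is the public website of the FileZilla open-source project, and several other High-confidence rows (`support.wizard-shopservice.de`, `mail.brillinjurylaw.com`, `toolbox.alabs.io`) name ordinary business hosts rather than infrastructure an actor would register. If this table is consumed as a blocklist those entries will cause collateral blocking, so either lower their confidence or add a column that separates actor-controlled infrastructure from abused third-party hosts.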
@ -54,9 +139,7 @@ ID | Technique | Description | Confidence
|
|||
1 | T1059.007 | Cross Site Scripting | High
|
||||
2 | T1068 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | T1211 | 7PK Security Features | High
|
||||
5 | T1222 | Permission Issues | High
|
||||
6 | ... | ... | ...
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 9 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
|
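Review bot: the Description column pairs ATT&CK technique IDs with CWE-style weakness names instead of the ATT&CK technique names (T1059.007 is "Command and Scripting Interpreter: JavaScript", not "Cross Site Scripting"; T1068 is "Exploitation for Privilege Escalation"; T1110.001 is "Brute Force: Password Guessing"; T1211 is "Exploitation for Defense Evasion"; T1222 is "File and Directory Permissions Modification"). Rename the column to make clear it holds the mapped weakness class, or add the ATT&CK name beside it, so readers who cross-reference the IDs are not misled.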
@ -66,19 +149,28 @@ These indicators of attack list the potential fragments used for technical activ
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `..\WWWRoot\CustomPages\aspshell.asp` | High
|
||||
2 | File | `/.env` | Low
|
||||
3 | File | `/.ssh/authorized_keys` | High
|
||||
4 | File | `/accounts/password_change/` | High
|
||||
5 | File | `/admin/` | Low
|
||||
6 | File | `/admin/account/changepassword` | High
|
||||
7 | File | `/admin/account/changeprofileimage` | High
|
||||
8 | File | `/admin/account/clearcache` | High
|
||||
9 | File | `/admin/cms.php` | High
|
||||
10 | File | `/admin/communitymanagement.php` | High
|
||||
11 | ... | ... | ...
|
||||
1 | File | `./clients/client` | High
|
||||
2 | File | `/?ajax-request=jnews` | High
|
||||
3 | File | `/assets/ctx` | Medium
|
||||
4 | File | `/config/getuser` | High
|
||||
5 | File | `/core/table/query` | High
|
||||
6 | File | `/dev/ion` | Medium
|
||||
7 | File | `/ecma/operations/ecma-objects.c` | High
|
||||
8 | File | `/enduserreg` | Medium
|
||||
9 | File | `/forum/away.php` | High
|
||||
10 | File | `/GetCopiedFile` | High
|
||||
11 | File | `/goform/activate_process` | High
|
||||
12 | File | `/hdf5/src/H5T.c` | High
|
||||
13 | File | `/jerry-core/ecma/base/ecma-gc.c` | High
|
||||
14 | File | `/jerry-core/ecma/base/ecma-helpers-conversion.c` | High
|
||||
15 | File | `/jerry-core/ecma/base/ecma-lcache.c` | High
|
||||
16 | File | `/jerry-core/ecma/operations/ecma-objects.c` | High
|
||||
17 | File | `/jerry-core/vm/vm.c` | High
|
||||
18 | File | `/mobile/SelectUsers.jsp` | High
|
||||
19 | File | `/ms/mdiy/model/importJson.do` | High
|
||||
20 | ... | ... | ...
|
||||
|
||||
There are 736 more IOA items available. Please use our online service to access the data.
|
||||
There are 166 more IOA items available. Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
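Review bot: the trailer drops from "There are 736 more IOA items" to "There are 166 more IOA items" while the visible rows only grow from 10 to 19, so the total IOA count falls from 746 to 185 in a single update. Confirm that this is a deliberate pruning of the data set rather than a truncated export before merging, and if it is deliberate, say so in the commit message, which currently reads only "Update".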
@ -94,7 +186,9 @@ The following list contains external sources which discuss the actor and the ass
|
|||
* https://blog.talosintelligence.com/2021/10/threat-roundup-1022-1029.html
|
||||
* https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
|
||||
* https://community.blueliv.com/#!/s/5fb2ee2482df413eaf344b29
|
||||
* https://pastebin.com/uPn1zM6b
|
||||
* https://unit42.paloaltonetworks.com/emotet-command-and-control/
|
||||
* https://www.trendmicro.com/en_us/research/22/a/emotet-spam-abuses-unconventional-ip-address-formats-spread-malware.html
|
||||
|
||||
## Literature
|
||||
|
||||
|
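Review bot: the reference `https://pastebin.com/uPn1zM6b` points to an unarchived paste that its uploader can delete at any time, unlike the vendor blog posts in the same list. Record the retrieval date or an archived copy next to it so the attribution stays verifiable after the paste disappears.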
@ -105,4 +199,4 @@ The following articles explain our unique predictive cyber threat intelligence:
|
|||
|
||||
## License
|
||||
|
||||
(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# Exchange Marauder - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Exchange Marauder](https://vuldb.com/?actor.exchange_marauder). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Exchange Marauder](https://vuldb.com/?actor.exchange_marauder). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.exchange_marauder](https://vuldb.com/?actor.exchange_marauder)
|
||||
|
||||
|
@ -28,13 +28,11 @@ These indicators of compromise indicate associated network ressources which are
|
|||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 5.254.43.18 | - | High
|
||||
2 | 80.92.205.81 | vm224534.pq.hosting | High
|
||||
2 | 80.92.205.81 | vm302679.pq.hosting | High
|
||||
3 | 103.77.192.219 | - | High
|
||||
4 | 104.140.114.110 | reflect59.kelptrade.com | High
|
||||
5 | 104.250.191.110 | - | High
|
||||
6 | ... | ... | ...
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 8 more IOC items available. Please use our online service to access the data.
|
||||
There are 10 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
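Review bot: the section intro quoted in the hunk header still reads "associated network ressources"; the correct spelling is "resources". Since this intro is template text shared by every actor README in the repository, fix it in the generator rather than in this one file.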
@ -55,19 +53,15 @@ These indicators of attack list the potential fragments used for technical activ
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php` | High
|
||||
2 | File | `api_poller.php` | High
|
||||
3 | File | `application/controllers/admin/dataentry.php` | High
|
||||
4 | File | `cmd.php?cmd=login_form` | High
|
||||
5 | File | `cng.sys` | Low
|
||||
6 | File | `data/gbconfiguration.dat` | High
|
||||
7 | File | `diag_command.php` | High
|
||||
8 | File | `framework/db/ActiveRecord.php` | High
|
||||
9 | File | `guestbook.cgi` | High
|
||||
10 | File | `inc/config.php` | High
|
||||
11 | ... | ... | ...
|
||||
1 | File | `/filemanager/upload.php` | High
|
||||
2 | File | `/usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php` | High
|
||||
3 | File | `/usr/local/WowzaStreamingEngine/bin/` | High
|
||||
4 | File | `api_poller.php` | High
|
||||
5 | File | `application/controllers/admin/dataentry.php` | High
|
||||
6 | File | `cmd.php?cmd=login_form` | High
|
||||
7 | ... | ... | ...
|
||||
|
||||
There are 38 more IOA items available. Please use our online service to access the data.
|
||||
There are 45 more IOA items available. Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
@ -79,9 +73,9 @@ The following list contains external sources which discuss the actor and the ass
|
|||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
||||
|
|
|
@ -33,10 +33,10 @@ ID | Technique | Description | Confidence
|
|||
-- | --------- | ----------- | ----------
|
||||
1 | T1059.007 | Cross Site Scripting | High
|
||||
2 | T1068 | Execution with Unnecessary Privileges | High
|
||||
3 | T1222 | Permission Issues | High
|
||||
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 2 more TTP items available. Please use our online service to access the data.
|
||||
There are 5 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -54,9 +54,14 @@ ID | Type | Indicator | Confidence
|
|||
8 | File | `/services/details.asp` | High
|
||||
9 | File | `/thruk/#cgi-bin/extinfo.cgi?type=2` | High
|
||||
10 | File | `/_core/profile/` | High
|
||||
11 | ... | ... | ...
|
||||
11 | File | `adclick.php` | Medium
|
||||
12 | File | `additem.asp` | Medium
|
||||
13 | File | `addsite.php` | Medium
|
||||
14 | File | `admin/review.php` | High
|
||||
15 | File | `AdvancedBluetoothDetailsHeaderController.java` | High
|
||||
16 | ... | ... | ...
|
||||
|
||||
There are 122 more IOA items available. Please use our online service to access the data.
|
||||
There are 124 more IOA items available. Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
@ -73,4 +78,4 @@ The following articles explain our unique predictive cyber threat intelligence:
|
|||
|
||||
## License
|
||||
|
||||
(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
||||
|
|
117
FIN7/README.md
|
@ -1,6 +1,6 @@
|
|||
# FIN7 - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [FIN7](https://vuldb.com/?actor.fin7). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [FIN7](https://vuldb.com/?actor.fin7). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.fin7](https://vuldb.com/?actor.fin7)
|
||||
|
||||
|
@ -16,11 +16,11 @@ The following campaigns are known and can be associated with FIN7:
|
|||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FIN7:
|
||||
|
||||
* US
|
||||
* RU
|
||||
* SE
|
||||
* CN
|
||||
* FR
|
||||
* ...
|
||||
|
||||
There are 40 more country items available. Please use our online service to access the data.
|
||||
There are 27 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -37,20 +37,43 @@ ID | IP address | Hostname | Confidence
|
|||
7 | 5.61.32.118 | - | High
|
||||
8 | 5.61.38.52 | - | High
|
||||
9 | 5.135.73.113 | - | High
|
||||
10 | 5.149.250.235 | mapleridge.org.uk | High
|
||||
11 | 5.149.250.241 | - | High
|
||||
10 | 5.149.250.235 | snigist.co.uk | High
|
||||
11 | 5.149.250.241 | flipveranda.co.uk | High
|
||||
12 | 5.149.252.144 | - | High
|
||||
13 | 5.149.253.126 | - | High
|
||||
14 | 5.188.10.102 | - | High
|
||||
15 | 5.188.10.248 | - | High
|
||||
16 | 5.199.169.188 | - | High
|
||||
17 | 5.252.177.23 | 5-252-177-23.mivocloud.com | High
|
||||
18 | 5.252.177.37 | 5-252-177-37.mivocloud.com | High
|
||||
18 | 5.252.177.37 | no-rdns.mivocloud.com | High
|
||||
19 | 8.28.175.68 | phoenixartisanacoutrements.com | High
|
||||
20 | 23.83.133.119 | - | High
|
||||
21 | ... | ... | ...
|
||||
21 | 23.249.162.161 | - | High
|
||||
22 | 31.7.61.136 | hosted-by.securefastserver.com | High
|
||||
23 | 31.18.219.133 | ip1f12db85.dynamic.kabel-deutschland.de | High
|
||||
24 | 31.131.17.125 | - | High
|
||||
25 | 31.131.17.127 | automarinetechnology.com | High
|
||||
26 | 31.131.17.128 | - | High
|
||||
27 | 31.148.219.18 | - | High
|
||||
28 | 31.148.219.44 | - | High
|
||||
29 | 31.148.219.126 | - | High
|
||||
30 | 31.148.219.141 | - | High
|
||||
31 | 31.148.220.107 | - | High
|
||||
32 | 31.148.220.215 | - | High
|
||||
33 | 31.184.234.66 | - | High
|
||||
34 | 31.184.234.71 | - | High
|
||||
35 | 37.1.211.239 | ourdrops.org | High
|
||||
36 | 37.1.215.4 | - | High
|
||||
37 | 37.1.215.72 | - | High
|
||||
38 | 37.235.54.48 | 48.54.235.37.in-addr.arpa | High
|
||||
39 | 37.252.4.131 | - | High
|
||||
40 | 45.77.60.230 | 45.77.60.230.vultr.com | Medium
|
||||
41 | 45.77.204.130 | 45.77.204.130.vultr.com | Medium
|
||||
42 | 45.87.152.64 | free.pq.hosting | High
|
||||
43 | 45.133.216.25 | lisulisimp.example.com | High
|
||||
44 | ... | ... | ...
|
||||
|
||||
There are 195 more IOC items available. Please use our online service to access the data.
|
||||
There are 172 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
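Review bot: two hostname values in this hunk are resolver artifacts rather than usable names. Row 38 gives `48.54.235.37.in-addr.arpa` for 37.235.54.48, which is the reverse-lookup zone name itself, not a PTR target; row 43 gives `lisulisimp.example.com` for 45.133.216.25, and `example.com` is an IANA-reserved documentation domain, so that PTR is bogus and should not be treated as an attributable hostname. Re-resolve both or record `-` as the other rows without a hostname do.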
@ -58,14 +81,12 @@ Tactics, techniques, and procedures summarize the suspected ATT&CK techniques us
|
|||
|
||||
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1040 | Authentication Bypass by Capture-replay | High
|
||||
2 | T1059.007 | Cross Site Scripting | High
|
||||
3 | T1068 | Execution with Unnecessary Privileges | High
|
||||
4 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
5 | T1211 | 7PK Security Features | High
|
||||
6 | ... | ... | ...
|
||||
1 | T1059.007 | Cross Site Scripting | High
|
||||
2 | T1068 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 10 more TTP items available. Please use our online service to access the data.
|
||||
There are 8 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -73,19 +94,55 @@ These indicators of attack list the potential fragments used for technical activ
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/$({curl` | Medium
|
||||
2 | File | `/+CSCOE+/logon.html` | High
|
||||
3 | File | `/anony/mjpg.cgi` | High
|
||||
4 | File | `/api/addusers` | High
|
||||
5 | File | `/backupsettings.conf` | High
|
||||
6 | File | `/bfd/pef.c` | Medium
|
||||
7 | File | `/bin/boa` | Medium
|
||||
8 | File | `/category.php` | High
|
||||
9 | File | `/category_view.php` | High
|
||||
10 | File | `/cms/print.php` | High
|
||||
11 | ... | ... | ...
|
||||
1 | File | `/+CSCOE+/logon.html` | High
|
||||
2 | File | `/?module=users§ion=cpanel&page=list` | High
|
||||
3 | File | `/admin/powerline` | High
|
||||
4 | File | `/admin/syslog` | High
|
||||
5 | File | `/api/upload` | Medium
|
||||
6 | File | `/assets/ctx` | Medium
|
||||
7 | File | `/concat?/%2557EB-INF/web.xml` | High
|
||||
8 | File | `/context/%2e/WEB-INF/web.xml` | High
|
||||
9 | File | `/get_getnetworkconf.cgi` | High
|
||||
10 | File | `/HNAP1` | Low
|
||||
11 | File | `/index.php?controller=calendar&format=raw&cat[0]=SQLi&task=events` | High
|
||||
12 | File | `/monitoring` | Medium
|
||||
13 | File | `/new` | Low
|
||||
14 | File | `/osm/REGISTER.cmd` | High
|
||||
15 | File | `/proc/<pid>/status` | High
|
||||
16 | File | `/public/plugins/` | High
|
||||
17 | File | `/replication` | Medium
|
||||
18 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
19 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
|
||||
20 | File | `/tmp` | Low
|
||||
21 | File | `/type.php` | Medium
|
||||
22 | File | `/uncpath/` | Medium
|
||||
23 | File | `/wp-json/wc/v3/webhooks` | High
|
||||
24 | File | `4.2.0.CP09` | Medium
|
||||
25 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
26 | File | `actions/CompanyDetailsSave.php` | High
|
||||
27 | File | `ActiveServices.java` | High
|
||||
28 | File | `admin.color.php` | High
|
||||
29 | File | `admin.cropcanvas.php` | High
|
||||
30 | File | `admin.joomlaradiov5.php` | High
|
||||
31 | File | `admin.php` | Medium
|
||||
32 | File | `admin/?n=user&c=admin_user&a=doGetUserInfo` | High
|
||||
33 | File | `admin/add-glossary.php` | High
|
||||
34 | File | `admin/conf_users_edit.php` | High
|
||||
35 | File | `admin/edit-comments.php` | High
|
||||
36 | File | `admin/src/containers/InputModalStepperProvider/index.js` | High
|
||||
37 | File | `admin/write-post.php` | High
|
||||
38 | File | `administrator/components/com_media/helpers/media.php` | High
|
||||
39 | File | `admin_events.php` | High
|
||||
40 | File | `AjaxApplication.java` | High
|
||||
41 | File | `akocomments.php` | High
|
||||
42 | File | `allopass-error.php` | High
|
||||
43 | File | `AllowBindAppWidgetActivity.java` | High
|
||||
44 | File | `AndroidManifest.xml` | High
|
||||
45 | File | `AnnotateActivity.java` | High
|
||||
46 | File | `announcement.php` | High
|
||||
47 | ... | ... | ...
|
||||
|
||||
There are 614 more IOA items available. Please use our online service to access the data.
|
||||
There are 404 more IOA items available. Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
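Review bot: row 24 lists `4.2.0.CP09` with type File, but that value is a product version string, not a file path, so a file-based detection built from this table would never match it. Give it a Type that reflects what it is (a version or product marker) or drop the row.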
@ -103,9 +160,9 @@ The following list contains external sources which discuss the actor and the ass
|
|||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# FIN8 - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [FIN8](https://vuldb.com/?actor.fin8). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [FIN8](https://vuldb.com/?actor.fin8). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.fin8](https://vuldb.com/?actor.fin8)
|
||||
|
||||
|
@ -29,7 +29,7 @@ ID | IP address | Hostname | Confidence
|
|||
-- | ---------- | -------- | ----------
|
||||
1 | 104.168.145.204 | hwsrv-836597.hostwindsdns.com | High
|
||||
2 | 104.168.237.21 | hwsrv-850035.hostwindsdns.com | High
|
||||
3 | 192.52.167.199 | mx312.linespree.net | High
|
||||
3 | 192.52.167.199 | mx312.punkchaine.net | High
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 2 more IOC items available. Please use our online service to access the data.
|
||||
|
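Review bot: row 3 overwrites the hostname for 192.52.167.199 in place (`mx312.linespree.net` becomes `mx312.punkchaine.net`), so the superseded name disappears from the record even though the IP is unchanged and the old PTR may still appear in historical logs. Consider keeping the previous hostname (a second row or a "previous hostname" column) instead of replacing it; the same in-place overwrite happens for 80.92.205.81 and 5.149.250.235 elsewhere in this commit.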
@ -52,16 +52,9 @@ ID | Type | Indicator | Confidence
|
|||
1 | File | `addentry.php` | Medium
|
||||
2 | File | `add_comment.php` | High
|
||||
3 | File | `admin/index.php` | High
|
||||
4 | File | `comment_add.asp` | High
|
||||
5 | File | `data/gbconfiguration.dat` | High
|
||||
6 | File | `email.php` | Medium
|
||||
7 | File | `import.php` | Medium
|
||||
8 | File | `inc/config.php` | High
|
||||
9 | File | `register.asp` | Medium
|
||||
10 | File | `register.php` | Medium
|
||||
11 | ... | ... | ...
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 13 more IOA items available. Please use our online service to access the data.
|
||||
There are 20 more IOA items available. Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
@ -74,9 +67,9 @@ The following list contains external sources which discuss the actor and the ass
|
|||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
||||
|
|
|
@ -41,16 +41,9 @@ ID | Type | Indicator | Confidence
|
|||
1 | File | `/s/` | Low
|
||||
2 | File | `AdminbaseController.class.php` | High
|
||||
3 | File | `application\User\Controller\ProfileController.class.php` | High
|
||||
4 | File | `exif.c` | Low
|
||||
5 | File | `htimage.exe` | Medium
|
||||
6 | File | `libbfd.c` | Medium
|
||||
7 | File | `opncls.c` | Medium
|
||||
8 | Library | `gdrv.sys` | Medium
|
||||
9 | Argument | `-m/-c` | Low
|
||||
10 | Argument | `imgurl` | Low
|
||||
11 | ... | ... | ...
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 5 more IOA items available. Please use our online service to access the data.
|
||||
There are 12 more IOA items available. Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
@ -67,4 +60,4 @@ The following articles explain our unique predictive cyber threat intelligence:
|
|||
|
||||
## License
|
||||
|
||||
(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# Foudre - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Foudre](https://vuldb.com/?actor.foudre). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Foudre](https://vuldb.com/?actor.foudre). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.foudre](https://vuldb.com/?actor.foudre)
|
||||
|
||||
|
@ -22,9 +22,9 @@ The following list contains external sources which discuss the actor and the ass
|
|||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
||||
|
|
|
@ -28,4 +28,4 @@ The following articles explain our unique predictive cyber threat intelligence:
|
|||
|
||||
## License
|
||||
|
||||
(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# GMERA - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [GMERA](https://vuldb.com/?actor.gmera). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [GMERA](https://vuldb.com/?actor.gmera). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.gmera](https://vuldb.com/?actor.gmera)
|
||||
|
||||
|
@ -46,7 +46,9 @@ ID | Type | Indicator | Confidence
|
|||
1 | File | `view/file/index.php` | High
|
||||
2 | Argument | `$_REQUEST['path']` | High
|
||||
3 | Argument | `__CSRFTOKEN` | Medium
4 | Input Value | `12345678` | Medium
4 | ... | ... | ...
There are 1 more IOA items available. Please use our online service to access the data.
## References
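Review bot: the IOA table in this hunk ends with two rows numbered 4 (`4 | Input Value | \`12345678\` | Medium` followed by `4 | ... | ... | ...`); if both lines are part of the new version, the truncation row should be renumbered to 5 so that it lines up with the `There are 1 more IOA items` count (which should also read `1 more IOA item`). Separately, a generic numeric string like `12345678` matches credential-stuffing noise from any source, so Medium confidence is generous for attribution to this actor.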
@ -58,9 +60,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -1,6 +1,6 @@
# Gamaredon - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Gamaredon](https://vuldb.com/?actor.gamaredon). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Gamaredon](https://vuldb.com/?actor.gamaredon). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.gamaredon](https://vuldb.com/?actor.gamaredon)
@ -9,8 +9,8 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Gamaredon:
* RU
* CN
* LY
* US
* ...
There are 2 more country items available. Please use our online service to access the data.
@ -21,12 +21,12 @@ These indicators of compromise indicate associated network ressources which are
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 141.8.195.60 | ullir.from.sh | High
2 | 142.93.110.250 | - | High
3 | 176.57.215.115 | 296606-cl92049.tmweb.ru | High
1 | 2.59.41.5 | vds-sizaus.timeweb.ru | High
2 | 141.8.195.60 | ullir.from.sh | High
3 | 142.93.110.250 | - | High
4 | ... | ... | ...
There are 4 more IOC items available. Please use our online service to access the data.
There are 5 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
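Review bot: the section intro carried in the hunk header reads `network ressources`; it should be `resources` (the same typo recurs in the Gh0stRAT and Hafnium IOC sections of this commit). On the data, the hidden-count line moves from 4 to 5 while the preview swaps old row 3 (`176.57.215.115` / `296606-cl92049.tmweb.ru`) for the new row 1 (`2.59.41.5` / `vds-sizaus.timeweb.ru`), so the old entry appears to have been pushed below the preview cut rather than retired; the commit message should state whether any indicator was actually removed.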
@ -47,13 +47,9 @@ ID | Type | Indicator | Confidence
1 | File | `/manager?action=getlogcat` | High
2 | File | `/var/log/nginx` | High
3 | File | `index.php` | Medium
4 | File | `namazu.cgi` | Medium
5 | File | `wp-login.php` | Medium
6 | Library | `vpnapi.dll` | Medium
7 | Argument | `HOST` | Low
8 | Argument | `priority` | Medium
9 | Argument | `Referer` | Low
10 | Input Value | `1" onmouseover=prompt(947671) bad="` | High
4 | ... | ... | ...
There are 7 more IOA items available. Please use our online service to access the data.
## References
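Review bot: the row numbering in this hunk is inconsistent: the visible rows run 1 to 10 and are then followed by a truncation row `4 | ... | ... | ...` and a count line of `7 more IOA items`; either the table was regenerated with a three-row preview and all ten listed rows are deletions, or the truncation row was left stale. Please confirm which, and if the preview really shrank, say so in the commit message. Several of the dropped rows (`index.php`, `wp-login.php`, `HOST`, `Referer`) would match almost any web traffic, so losing them from the preview is an improvement rather than a loss.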
@ -62,14 +58,15 @@ The following list contains external sources which discuss the actor and the ass
* https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/
* https://github.com/blackorbird/APT_REPORT/blob/master/Gamaredon/Gamaredon202102_ioc1000%2B.csv
* https://github.com/SentineLabs/Gamaredon-APT/blob/master/2020-02-04-gamaredon-blog-iocs-vk.misp.csv
* https://pastebin.com/Vhb4KF5L
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
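Review bot: the reference list in this hunk keeps `https://pastebin.com/Vhb4KF5L` as a source; pastebin entries are routinely deleted or edited, so an archived copy or at least the retrieval date should be recorded next to it. The two GitHub links point at `master` branch paths rather than a pinned commit, which has the same drift problem.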
@ -9,11 +9,11 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Gh0stRAT:
* US
* ES
* FR
* VN
* CN
* ...
There are 5 more country items available. Please use our online service to access the data.
There are 16 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -22,28 +22,30 @@ These indicators of compromise indicate associated network ressources which are
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 13.249.38.69 | server-13-249-38-69.iad89.r.cloudfront.net | High
2 | 36.43.74.215 | - | High
3 | 36.46.114.54 | - | High
4 | 39.109.1.246 | - | High
5 | 42.51.192.3 | - | High
6 | 43.226.152.12 | - | High
7 | 43.226.159.201 | - | High
8 | 45.119.125.223 | - | High
9 | 45.195.203.97 | - | High
10 | 45.253.67.78 | - | High
11 | 47.93.52.188 | - | High
12 | 47.93.245.163 | - | High
13 | 47.95.233.18 | - | High
14 | 47.111.82.157 | - | High
15 | 47.112.30.91 | - | High
16 | 58.218.66.21 | - | High
17 | 58.218.67.245 | - | High
18 | 58.218.199.225 | - | High
19 | 58.221.47.41 | - | High
20 | 58.221.47.47 | - | High
21 | ... | ... | ...
2 | 20.42.65.92 | - | High
3 | 20.189.173.22 | - | High
4 | 36.43.74.215 | - | High
5 | 36.46.114.54 | - | High
6 | 39.109.1.246 | - | High
7 | 42.51.192.3 | - | High
8 | 43.226.152.12 | - | High
9 | 43.226.159.201 | - | High
10 | 45.119.125.223 | - | High
11 | 45.195.203.97 | - | High
12 | 45.253.67.78 | - | High
13 | 47.93.52.188 | - | High
14 | 47.93.245.163 | - | High
15 | 47.95.233.18 | - | High
16 | 47.111.82.157 | - | High
17 | 47.112.30.91 | - | High
18 | 52.168.117.173 | - | High
19 | 52.182.143.212 | - | High
20 | 58.218.66.21 | - | High
21 | 58.218.67.245 | - | High
22 | 58.218.199.225 | - | High
23 | ... | ... | ...
There are 77 more IOC items available. Please use our online service to access the data.
There are 87 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
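Review bot: row 1 of the IOC table (`13.249.38.69`, `server-13-249-38-69.iad89.r.cloudfront.net`) is a CloudFront edge node kept at High confidence; a shared CDN address serves many unrelated tenants, so a block or alert on that IP produces collateral matches. Shared-infrastructure entries should be tagged explicitly or given lower confidence. The hidden count rising from 77 to 87 while the preview grows from 20 to 22 rows means this hunk adds twelve addresses in total; a note on their source would help reviewers.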
@ -53,11 +55,10 @@ ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1222 | Permission Issues | High
4 | T1499 | Resource Consumption | High
5 | ... | ... | ...
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
There are 6 more TTP items available. Please use our online service to access the data.
There are 8 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
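Review bot: the Description column in this TTP table does not carry the ATT&CK technique names: in ATT&CK, T1059.007 is "Command and Scripting Interpreter: JavaScript", T1068 is "Exploitation for Privilege Escalation" and T1110.001 is "Brute Force: Password Guessing", while the rows label them with vulnerability-class names (`Cross Site Scripting`, `Execution with Unnecessary Privileges`, `Improper Restriction of Excessive Authentication Attempts`). The section intro should say these are VulDB's own mapping labels so that readers do not cite them as ATT&CK names.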
@ -65,19 +66,45 @@ These indicators of attack list the potential fragments used for technical activ
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/opt/IBM/es/lib/libffq.cryptionjni.so` | High
2 | File | `/router_info.xml` | High
3 | File | `add_comment.php` | High
4 | File | `admin/viewtheatre.php` | High
5 | File | `ajax_crons.php` | High
6 | File | `ajax_migration_cpanel.php` | High
7 | File | `banner_add_edit.asp` | High
8 | File | `cff/cffparse.c` | High
9 | File | `cfgexpand.c` | Medium
10 | File | `cng.sys` | Low
11 | ... | ... | ...
1 | File | `/+CSCOE+/logon.html` | High
2 | File | `/.env` | Low
3 | File | `/.ssh/authorized_keys` | High
4 | File | `/admin.php?&m=Public&a=login` | High
5 | File | `/ajax/networking/get_netcfg.php` | High
6 | File | `/car.php` | Medium
7 | File | `/concat?/%2557EB-INF/web.xml` | High
8 | File | `/config/getuser` | High
9 | File | `/dashboards/#` | High
10 | File | `/data/remove` | Medium
11 | File | `/etc/controller-agent/agent.conf` | High
12 | File | `/etc/postfix/sender_login` | High
13 | File | `/etc/sudoers` | Medium
14 | File | `/etc/tomcat8/Catalina/attack` | High
15 | File | `/filemanager/php/connector.php` | High
16 | File | `/forum/away.php` | High
17 | File | `/fudforum/adm/hlplist.php` | High
18 | File | `/GponForm/fsetup_Form` | High
19 | File | `/log_download.cgi` | High
20 | File | `/modules/profile/index.php` | High
21 | File | `/navigate/navigate_download.php` | High
22 | File | `/out.php` | Medium
23 | File | `/password.html` | High
24 | File | `/property-list/property_view.php` | High
25 | File | `/public/plugins/` | High
26 | File | `/rest/api/2/search` | High
27 | File | `/s/` | Low
28 | File | `/scripts/cpan_config` | High
29 | File | `/secure/QueryComponent!Default.jspa` | High
30 | File | `/server-info` | Medium
31 | File | `/tmp` | Low
32 | File | `/tmp/app/.env` | High
33 | File | `/tmp/kamailio_ctl` | High
34 | File | `/tmp/kamailio_fifo` | High
35 | File | `/ucms/index.php?do=list_edit` | High
36 | File | `/uncpath/` | Medium
37 | ... | ... | ...
There are 75 more IOA items available. Please use our online service to access the data.
There are 321 more IOA items available. Please use our online service to access the data.
## References
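Review bot: the Type column labels local filesystem paths (`/.ssh/authorized_keys`, `/etc/sudoers`, `/etc/postfix/sender_login`, `/tmp`) and HTTP request paths (`/+CSCOE+/logon.html`, `/rest/api/2/search`, `/concat?/%2557EB-INF/web.xml`) both as `File`; a web-facing detection can only ever observe the second kind, so a subtype or a sentence in the intro would stop consumers from loading host paths into URL matchers. Rows 27 (`/s/`) and 31 (`/tmp`) are too short to be useful even at Low confidence. The preview also grows from 10 to 36 rows here while other files in this commit preview three or four, so the generator's preview limit looks inconsistent.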
@ -95,6 +122,8 @@ The following list contains external sources which discuss the actor and the ass
* https://blog.talosintelligence.com/2021/09/threat-roundup-0917-0924.html
* https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
* https://blog.talosintelligence.com/2021/10/threat-roundup-1001-1008.html
* https://blog.talosintelligence.com/2022/01/threat-roundup-0107-0114.html
* https://blog.talosintelligence.com/2022/01/threat-roundup-1231-0107.html
## Literature
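Review bot: the two added Talos links are ordered by URL string, so `threat-roundup-0107-0114` sits above `threat-roundup-1231-0107` even though the latter covers the earlier week (31 December to 7 January); sorting the reference list by publication date rather than lexically would keep it chronological.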
@ -105,4 +134,4 @@ The following articles explain our unique predictive cyber threat intelligence:
## License
(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -1,6 +1,6 @@
# Hafnium - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Hafnium](https://vuldb.com/?actor.hafnium). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Hafnium](https://vuldb.com/?actor.hafnium). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.hafnium](https://vuldb.com/?actor.hafnium)
@ -15,6 +15,7 @@ The following campaigns are known and can be associated with Hafnium:
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Hafnium:
* CN
* US
## IOC - Indicator of Compromise
@ -22,7 +23,7 @@ These indicators of compromise indicate associated network ressources which are
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 172.105.174.117 | li2083-117.members.linode.com | High
1 | 172.105.174.117 | 172-105-174-117.ip.linodeusercontent.com | High
2 | 182.239.123.241 | 182.239.123.241.hk.chinamobile.com | High
3 | 182.239.124.180 | 182.239.124.180.hk.chinamobile.com | High
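Review bot: row 1 keeps the same ID and IP (`172.105.174.117`) but its hostname changes from `li2083-117.members.linode.com` to `172-105-174-117.ip.linodeusercontent.com`; that is a reverse-DNS refresh rather than a new indicator, and the generic Linode PTR carries no attribution value on its own. Recording when the lookup was made, and whether the address is still considered active, would make later diffs of this column meaningful.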
@ -45,19 +46,12 @@ These indicators of attack list the potential fragments used for technical activ
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `adclick.php` | Medium
2 | File | `add.php` | Low
3 | File | `admin/_cmdstat.jsp` | High
4 | File | `CFIDE/componentutils/cfcexplorer.cfc` | High
5 | File | `index.php` | Medium
6 | File | `index.php?m=home&c=message&a=add` | High
7 | File | `svcstatus.c` | Medium
8 | Argument | `dest` | Low
9 | Argument | `destination` | Medium
10 | Argument | `path` | Low
11 | ... | ... | ...
1 | File | `/.env` | Low
2 | File | `/ajax/networking/get_netcfg.php` | High
3 | File | `/auth/session` | High
4 | ... | ... | ...
There are 5 more IOA items available. Please use our online service to access the data.
There are 22 more IOA items available. Please use our online service to access the data.
## References
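Review bot: the IOA preview shrinks from 10 rows to 3 while the hidden count rises from 5 to 22 (15 to 25 items overall); the rows that leave the preview include generic names (`index.php`, `add.php`, `path`, `dest`), which is fine, but the commit message should explain the preview change so that it is not read as a loss of data. New row 1 `/.env` at Low confidence is a mass-scanning probe seen from countless unrelated sources and is a weak attribution signal for this actor.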
@ -70,9 +64,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -1,6 +1,6 @@
# Hupigon - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Hupigon](https://vuldb.com/?actor.hupigon). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Hupigon](https://vuldb.com/?actor.hupigon). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.hupigon](https://vuldb.com/?actor.hupigon)
@ -15,13 +15,9 @@ ID | IP address | Hostname | Confidence
3 | 23.3.13.33 | a23-3-13-33.deploy.static.akamaitechnologies.com | High
4 | 23.3.13.40 | a23-3-13-40.deploy.static.akamaitechnologies.com | High
5 | 65.55.252.93 | - | High
6 | 72.21.81.200 | - | High
7 | 72.22.185.199 | - | High
8 | 72.22.185.207 | - | High
9 | 91.199.212.52 | crt.sectigo.com | High
10 | ... | ... | ...
6 | ... | ... | ...
There are 17 more IOC items available. Please use our online service to access the data.
There are 21 more IOC items available. Please use our online service to access the data.
## References
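Review bot: the rows that leave the preview include two Akamai edge hosts (`a23-3-13-33.deploy.static.akamaitechnologies.com`, `a23-3-13-40.deploy.static.akamaitechnologies.com`) and `crt.sectigo.com` (`91.199.212.52`), a certificate-authority host that any client validating a Sectigo-issued certificate will contact. Taking them out of the visible list is good, but the hidden count rises from 17 to 21 (26 items overall, unchanged), so they appear to have been moved down rather than retired; shared CA and CDN infrastructure should be dropped from the IOC set, not merely hidden below the preview cut.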
@ -34,9 +30,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -1,6 +1,6 @@
# Inception - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Inception](https://vuldb.com/?actor.inception). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Inception](https://vuldb.com/?actor.inception). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.inception](https://vuldb.com/?actor.inception)
@ -14,12 +14,12 @@ The following campaigns are known and can be associated with Inception:
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Inception:
* DE
* FR
* SV
* IT
* FR
* ...
There are 8 more country items available. Please use our online service to access the data.
There are 4 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
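Review bot: `FR` appears twice in the country list of this hunk (directly after `DE` and again after `IT`); if both lines belong to the new version the list contains a duplicate, and if one of them is the removed line the reorder is invisible in this rendering. Since the hidden count drops from 8 to 4, a de-duplication pass seems to have run; please confirm the visible list was de-duplicated as well.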
@ -30,10 +30,9 @@ ID | IP address | Hostname | Confidence
1 | 51.255.139.194 | ip194.ip-51-255-139.eu | High
2 | 82.221.100.55 | web.a1yola.com | High
3 | 82.221.100.60 | - | High
4 | 83.53.147.144 | 144.red-83-53-147.dynamicip.rima-tde.net | High
5 | ... | ... | ...
4 | ... | ... | ...
There are 6 more IOC items available. Please use our online service to access the data.
There are 7 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
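Review bot: row 4, `83.53.147.144` (`144.red-83-53-147.dynamicip.rima-tde.net`), leaves the preview while the total stays at 10 (4 visible plus 6 hidden before, 3 plus 7 after), so it remains in the set; a dynamically assigned consumer address, as its PTR indicates, is reassigned frequently and should carry a first-seen/last-seen window or an expiry rather than open-ended High confidence.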
@ -41,14 +40,12 @@ Tactics, techniques, and procedures summarize the suspected ATT&CK techniques us
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1008 | Algorithm Downgrade | High
2 | T1040 | Authentication Bypass by Capture-replay | High
3 | T1059.007 | Cross Site Scripting | High
4 | T1068 | Execution with Unnecessary Privileges | High
5 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
6 | ... | ... | ...
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
There are 11 more TTP items available. Please use our online service to access the data.
There are 8 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -56,19 +53,33 @@ These indicators of attack list the potential fragments used for technical activ
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `%PROGRAMDATA%\3CXPhone for Windows\PhoneApp` | High
2 | File | `%PROGRAMDATA%\WrData\PKG` | High
3 | File | `%SYSTEMDRIVE%\totalcmd\TOTALCMD64.EXE` | High
4 | File | `.gitolite.rc` | Medium
5 | File | `.travis.yml` | Medium
6 | File | `.well-known` | Medium
7 | File | `/#/CampaignManager/users` | High
8 | File | `/#/page` | Low
9 | File | `/.htpasswd` | Medium
10 | File | `/1.com.php` | Medium
11 | ... | ... | ...
1 | File | `.travis.yml` | Medium
2 | File | `/account/register` | High
3 | File | `/api/notify.php` | High
4 | File | `/backups/` | Medium
5 | File | `/cgi-bin/New_GUI/Igmp.asp` | High
6 | File | `/domain/service/.ewell-known/caldav` | High
7 | File | `/etc/passwd` | Medium
8 | File | `/formAdvFirewall` | High
9 | File | `/goods/getGoodsListByConditions/` | High
10 | File | `/home/user/dir` | High
11 | File | `/master/article.php` | High
12 | File | `/mobile/SelectUsers.jsp` | High
13 | File | `/ProteinArraySignificanceTest.json` | High
14 | File | `/Videos/Id/hls/PlaylistId/SegmentId.SegmentContainer` | High
15 | File | `/web` | Low
16 | File | `4.edu.php\conn\function.php` | High
17 | File | `abc.c` | Low
18 | File | `admin/bad.php` | High
19 | File | `admin/dl_sendmail.php` | High
20 | File | `admin/edit.php` | High
21 | File | `admin/pages/useredit.php` | High
22 | File | `AdminBaseController.class.php` | High
23 | File | `AlertReceiver.java` | High
24 | File | `AndroidManifest.xml` | High
25 | ... | ... | ...
There are 2413 more IOA items available. Please use our online service to access the data.
There are 213 more IOA items available. Please use our online service to access the data.
## References
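Review bot: the hidden count drops from 2413 to 213 IOA items, an order-of-magnitude change that may be a genuine cleanup or a dropped digit; please confirm it in the commit message. Rows such as `/etc/passwd`, `/web`, `abc.c`, `/home/user/dir` and `AndroidManifest.xml` are generic file names rather than actor-specific artifacts, and `4.edu.php\conn\function.php` mixes path separators; these look like extraction noise, so their Medium and High confidence ratings deserve a second look.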
@ -83,9 +94,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -1,6 +1,6 @@
# InvisiMole - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [InvisiMole](https://vuldb.com/?actor.invisimole). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [InvisiMole](https://vuldb.com/?actor.invisimole). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.invisimole](https://vuldb.com/?actor.invisimole)
@ -13,7 +13,7 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
* ES
* ...
There are 21 more country items available. Please use our online service to access the data.
There are 18 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -24,10 +24,9 @@ ID | IP address | Hostname | Confidence
1 | 46.165.230.241 | - | High
2 | 46.165.231.85 | - | High
3 | 46.165.241.129 | - | High
4 | 46.165.241.153 | - | High
5 | ... | ... | ...
4 | ... | ... | ...
There are 7 more IOC items available. Please use our online service to access the data.
There are 8 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -38,10 +37,9 @@ ID | Technique | Description | Confidence
1 | T1040 | Authentication Bypass by Capture-replay | High
2 | T1059.007 | Cross Site Scripting | High
3 | T1068 | Execution with Unnecessary Privileges | High
4 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
5 | ... | ... | ...
4 | ... | ... | ...
There are 8 more TTP items available. Please use our online service to access the data.
There are 9 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -57,11 +55,56 @@ ID | Type | Indicator | Confidence
6 | File | `/cgi-bin/bcm_password` | High
7 | File | `/cgi-bin/nobody` | High
8 | File | `/cgi-bin/nobody/Search.cgi` | High
9 | File | `/cgi-bin/supervisor/CloudSetup.cgi` | High
10 | File | `/cgi-bin/webproc` | High
11 | ... | ... | ...
9 | File | `/cgi-bin/webproc` | High
10 | File | `/config/netconf.cmd` | High
11 | File | `/etc/passwd` | Medium
12 | File | `/etc/services/INET/inet_ipv4.php` | High
13 | File | `/forum/away.php` | High
14 | File | `/get_getnetworkconf.cgi` | High
15 | File | `/goform/saveParentControlInfo` | High
16 | File | `/home.jsp` | Medium
17 | File | `/horde/util/go.php` | High
18 | File | `/include/stat/stat.php` | High
19 | File | `/login` | Low
20 | File | `/login.cgi?logout=1` | High
21 | File | `/Login.do` | Medium
22 | File | `/mifs/c/i/reg/reg.html` | High
23 | File | `/pages.php` | Medium
24 | File | `/pages/items` | Medium
25 | File | `/proc/iomem` | Medium
26 | File | `/profile/deleteWatch.do` | High
27 | File | `/show_news.php` | High
28 | File | `/status.js` | Medium
29 | File | `/tmp` | Low
30 | File | `/uncpath/` | Medium
31 | File | `/userRpm/MediaServerFoldersCfgRpm.htm` | High
32 | File | `/usr/local/ssl/openssl.cnf` | High
33 | File | `/var/log/nginx` | High
34 | File | `/wp-admin` | Medium
35 | File | `/xampp/guestbook-en.pl` | High
36 | File | `abook_database.php` | High
37 | File | `AccountStatus.jsp` | High
38 | File | `action/usermanager.htm` | High
39 | File | `add.php` | Low
40 | File | `add_comment.php` | High
|
||||
41 | File | `admin.cgi?action=config_restore` | High
|
||||
42 | File | `admin.php3` | Medium
|
||||
43 | File | `admin/add-news.php` | High
|
||||
44 | File | `admin/ajax/op_kandidat.php` | High
|
||||
45 | File | `admin/gv_mail.php` | High
|
||||
46 | File | `admin/manage-articles.php` | High
|
||||
47 | File | `admin/manage-departments.php` | High
|
||||
48 | File | `admin/systemOutOfBand.do` | High
|
||||
49 | File | `ajax.php` | Medium
|
||||
50 | File | `and/or` | Low
|
||||
51 | File | `Annot.cc` | Medium
|
||||
52 | File | `aoutx.h` | Low
|
||||
53 | File | `app/application.cpp` | High
|
||||
54 | File | `apply.cgi` | Medium
|
||||
55 | File | `apps/app_article/controller/rating.php` | High
|
||||
56 | ... | ... | ...
|
||||
|
||||
There are 614 more IOA items available. Please use our online service to access the data.
|
||||
There are 485 more IOA items available. Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
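Review bot: row 50 `and/or` (Low) is not a file path but a conjunction that slipped through from prose, and rows 19 `/login` and 29 `/tmp` (both Low) will match almost any web or host log; the export should drop Low-confidence File indicators that are not plausible paths rather than publish them. The hunk also changes the size of the set, not just the visible window: 10 shown + 614 more becomes 55 shown + 485 more, so the total falls from 624 to 540 indicators, and a one-line explanation in the commit message (the message is just "Update") would help consumers who diff these tables between releases.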
@ -73,9 +116,9 @@ The following list contains external sources which discuss the actor and the ass

The following articles explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
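Review bot: the link text of the Literature item and of the footer is unchanged while every query switches from `?doc.*` to `?kb.*` (`?doc.cti`, `?doc.changelog`, `?doc.about`, `?doc.faq` and bare `?doc`), and the footer year moves to 2022 in the same line. Nothing in the hunk or in the one-word commit message shows whether the old `?doc.*` addresses still redirect; a sentence in the commit message about the documentation move, or a link check on both schemes before merging, would make this reviewable. The identical rewrite recurs in every actor file of this commit, so this comment applies to all of them.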

@ -1,6 +1,6 @@
# KRBanker - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [KRBanker](https://vuldb.com/?actor.krbanker). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [KRBanker](https://vuldb.com/?actor.krbanker). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.krbanker](https://vuldb.com/?actor.krbanker)

@ -28,9 +28,9 @@ The following list contains external sources which discuss the actor and the ass

The following articles explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -1,6 +1,6 @@
# KilllSomeOne - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [KilllSomeOne](https://vuldb.com/?actor.killlsomeone). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [KilllSomeOne](https://vuldb.com/?actor.killlsomeone). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.killlsomeone](https://vuldb.com/?actor.killlsomeone)

@ -37,16 +37,9 @@ ID | Type | Indicator | Confidence
1 | File | `addentry.php` | Medium
2 | File | `admin_add.php` | High
3 | File | `assets/add/registrar-accounts.php` | High
4 | File | `data/gbconfiguration.dat` | High
5 | File | `email.php` | Medium
6 | File | `guestbook.cgi` | High
7 | File | `guestserver.cgi` | High
8 | File | `inc/config.php` | High
9 | File | `inc/filebrowser/browser.php` | High
10 | File | `index.php` | Medium
11 | ... | ... | ...
4 | ... | ... | ...

There are 16 more IOA items available. Please use our online service to access the data.
There are 23 more IOA items available. Please use our online service to access the data.

## References

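Review bot: rows 4-10 disappear without any change to the underlying set: 10 shown + 16 more and 3 shown + 23 more both total 26 indicators, so the hunk only lowers the public truncation threshold. If that is intentional it deserves a line in the commit message (which says only "Update"); if not, the generator's row limit may have regressed. Of the rows that stay, `index.php` at Medium exists on practically every PHP deployment and adds little as an indicator, so a confidence-ranked cut-off would serve readers better than a positional one.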
@ -58,9 +51,9 @@ The following list contains external sources which discuss the actor and the ass

The following articles explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -0,0 +1,88 @@
# Kinsing - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Kinsing](https://vuldb.com/?actor.kinsing). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.kinsing](https://vuldb.com/?actor.kinsing)

## Campaigns

The following campaigns are known and can be associated with Kinsing:

* Log4Shell

## Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Kinsing:

* US
* RU
* CN
* ...

There are 4 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Kinsing.

ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 3.215.110.66 | ec2-3-215-110-66.compute-1.amazonaws.com | Medium
2 | 31.210.20.181 | - | High
3 | 34.81.218.76 | 76.218.81.34.bc.googleusercontent.com | Medium
4 | 42.112.28.216 | midp.highlatrol.com | High
5 | 45.129.2.107 | - | High
6 | 45.137.151.106 | - | High
7 | ... | ... | ...

There are 26 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Kinsing. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...

There are 4 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Kinsing. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/filemanager/upload.php` | High
2 | File | `/includes/event-management/index.php` | High
3 | File | `/Main_AdmStatus_Content.asp` | High
4 | File | `/member/picture/album` | High
5 | File | `/var/WEB-GUI/cgi-bin/telnet.cgi` | High
6 | File | `actions.php` | Medium
7 | File | `admin.php` | Medium
8 | File | `admin\controller\uploadfile.php` | High
9 | File | `album_portal.php` | High
10 | ... | ... | ...

There are 75 more IOA items available. Please use our online service to access the data.

## References

The following list contains external sources which discuss the actor and the associated activities:

* https://gist.github.com/Iansus/050e121170a864c37b13f979c1883ad4
* https://twitter.com/iansus/status/1472867647410819073

## Literature

The following articles explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
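Review bot: the Description column of the TTP table carries CWE weakness names, not ATT&CK technique names: T1059.007 is Command and Scripting Interpreter: JavaScript (the text "Cross Site Scripting" is CWE-79), T1068 is Exploitation for Privilege Escalation ("Execution with Unnecessary Privileges" is CWE-250) and T1110.001 is Brute Force: Password Guessing ("Improper Restriction of Excessive Authentication Attempts" is CWE-307). Either label the column as the mapped CWE or print the ATT&CK name, so that consumers do not tag detections with the wrong technique; the same table layout is used in every actor file, so one fix in the generator covers them all. Smaller points in the same file: "network ressources" in the IOC intro should read "resources" (template text, recurs in every file); IOC rows 1 and 3 are EC2 and Google Cloud addresses whose tenant changes often, so a first/last-seen date would make the Medium confidence actionable; and IOA row 8 `admin\controller\uploadfile.php` uses backslashes where rows 1-5 use forward slashes, which a path matcher will not normalise on its own.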

@ -1,6 +1,6 @@
# Kobalos - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Kobalos](https://vuldb.com/?actor.kobalos). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Kobalos](https://vuldb.com/?actor.kobalos). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.kobalos](https://vuldb.com/?actor.kobalos)

@ -28,9 +28,9 @@ The following list contains external sources which discuss the actor and the ass

The following articles explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -1,6 +1,6 @@
# Konni - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Konni](https://vuldb.com/?actor.konni). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Konni](https://vuldb.com/?actor.konni). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.konni](https://vuldb.com/?actor.konni)

@ -18,7 +18,7 @@ These indicators of compromise indicate associated network ressources which are
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 31.170.160.129 | - | High
2 | 31.170.162.63 | - | High
2 | 31.170.162.63 | cpl04.main-hosting.eu | High
3 | 31.170.163.30 | cpl07.main-hosting.eu | High
4 | ... | ... | ...

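Review bot: row 2 gains the PTR name `cpl04.main-hosting.eu` and row 3 adds `31.170.163.30` with `cpl07.main-hosting.eu`; both names follow the pattern of cPanel nodes on a shared web-hosting platform, where one address serves many unrelated customer sites. High confidence on the bare address is fine for attribution, but the row should also carry the hostname or URL path actually observed (or a first/last-seen window), so that a consumer who blocks on IP alone does not cut off co-tenants after the actor's site has been taken down.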
@ -41,11 +41,9 @@ ID | Type | Indicator | Confidence
1 | File | `application\User\Controller\ProfileController.class.php` | High
2 | File | `banner-edit.php` | High
3 | File | `tmUnblock.cgi` | High
4 | File | `wallet.dat` | Medium
5 | Argument | `imgurl` | Low
6 | Argument | `ttcp_ip` | Low
7 | Input Value | `..\` | Low
8 | Network Port | `tcp/8080` | Medium
4 | ... | ... | ...

There are 5 more IOA items available. Please use our online service to access the data.

## References

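Review bot: same threshold change as in the KilllSomeOne file: rows 4-8 move behind the placeholder while the set stays at 8 indicators (3 shown + 5 more). Of the rows that leave the public view, `tcp/8080` (Network Port, Medium) and `..\` (Input Value, Low) are generic fragments that match plenty of benign traffic, so little is lost; the commit message should still record that the public row limit was reduced, because downstream consumers of these tables will otherwise read it as data removal.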
@ -58,9 +56,9 @@ The following list contains external sources which discuss the actor and the ass

The following articles explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -1,6 +1,6 @@
# Lazarus - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Lazarus](https://vuldb.com/?actor.lazarus). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Lazarus](https://vuldb.com/?actor.lazarus). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.lazarus](https://vuldb.com/?actor.lazarus)

@ -19,12 +19,12 @@ There are 5 more campaign items available. Please use our online service to acce

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Lazarus:

* US
* ZA
* RU
* VN
* FR
* IN
* ...

There are 43 more country items available. Please use our online service to access the data.
There are 1 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

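Review bot: the country list drops from 6 shown + 43 more to 6 shown + 1 more, that is from 49 to 7 countries, while the six visible entries are unchanged; for an actor with this much history that is a large shift in the profile and deserves a sentence in the commit message (model rerun, narrower data window, or a new filter). The generated sentence "There are 1 more country items available" also needs a singular form in the template ("There is 1 more country item available").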
@ -52,9 +52,169 @@ ID | IP address | Hostname | Confidence
18 | 2.93.86.251 | - | High
19 | 2.93.86.253 | - | High
20 | 2.93.131.116 | - | High
21 | ... | ... | ...
21 | 2.93.131.179 | - | High
22 | 2.93.238.2 | - | High
23 | 2.93.238.12 | - | High
24 | 2.93.238.20 | - | High
25 | 2.93.238.26 | - | High
26 | 2.93.238.35 | - | High
27 | 2.93.238.93 | - | High
28 | 2.93.238.146 | - | High
29 | 2.93.238.167 | - | High
30 | 2.93.238.176 | - | High
31 | 2.93.238.183 | - | High
32 | 2.93.238.199 | - | High
33 | 2.93.238.213 | - | High
34 | 2.93.238.215 | - | High
35 | 2.93.238.222 | - | High
36 | 2.93.238.252 | - | High
37 | 2.93.238.253 | - | High
38 | 2.93.248.5 | - | High
39 | 2.93.248.46 | - | High
40 | 2.94.53.139 | - | High
41 | 2.94.65.211 | - | High
42 | 2.94.65.246 | - | High
43 | 2.94.82.42 | - | High
44 | 2.94.117.30 | - | High
45 | 2.94.117.46 | - | High
46 | 2.94.117.47 | - | High
47 | 2.94.117.56 | - | High
48 | 2.94.209.30 | - | High
49 | 2.187.99.180 | - | High
50 | 5.22.137.178 | mail.bpdl.co.uk | High
51 | 5.22.140.93 | 5-22-140-93.host.as51043.net | High
52 | 5.41.88.137 | - | High
53 | 5.41.89.32 | - | High
54 | 5.41.94.221 | - | High
55 | 5.41.190.7 | - | High
56 | 5.41.201.151 | - | High
57 | 5.41.237.214 | - | High
58 | 5.79.99.169 | nsg037-19.divide.nl | High
59 | 5.98.91.76 | host-5-98-91-76.business.telecomitalia.it | High
60 | 5.141.87.156 | 5-141-97-156.static-adsl.isurgut.ru | High
61 | 5.189.190.67 | m2767.contaboserver.net | High
62 | 5.200.154.208 | - | High
63 | 5.200.177.218 | - | High
64 | 5.200.191.104 | - | High
65 | 5.200.198.10 | - | High
66 | 5.200.202.99 | - | High
67 | 14.102.46.3 | - | High
68 | 14.139.125.214 | - | High
69 | 14.140.123.179 | 14.140.123.179.static-pune-vsnl.net.in | High
70 | 14.141.27.100 | 14.141.26.100.static-Mumbai.vsnl.net.in | High
71 | 14.141.129.116 | 14.141.129.116.static-Delhi.vsnl.net.in | High
72 | 14.149.149.211 | - | High
73 | 21.252.107.198 | - | High
74 | 23.152.0.232 | betrp-basisto.seemband.com | High
75 | 26.165.218.44 | - | High
76 | 27.96.110.130 | 130.110.96.27.static.m1net.com.sg | High
77 | 27.114.187.37 | - | High
78 | 27.123.221.66 | 66-221.fiber.net.id | High
79 | 27.125.35.229 | - | High
80 | 31.47.47.130 | - | High
81 | 31.54.73.156 | host31-54-73-156.range31-54.btcentralplus.com | High
82 | 31.54.74.176 | host31-54-74-176.range31-54.btcentralplus.com | High
83 | 31.146.82.22 | 31-146-82-22.dsl.utg.ge | High
84 | 31.146.136.6 | 31-146-136-6.dsl.utg.ge | High
85 | 31.168.203.44 | bzq-203-168-31-44.red.bezeqint.net | High
86 | 36.71.90.4 | - | High
87 | 37.34.240.177 | - | High
88 | 37.48.106.69 | high-convey.blockother.com | High
89 | 37.71.50.2 | 2.50.71.37.rev.sfr.net | High
90 | 37.75.0.98 | - | High
91 | 37.75.2.203 | - | High
92 | 37.75.10.194 | mail.kplus.com.tr | High
93 | 37.75.11.162 | 37-75-11-162.rdns.saglayici.net | High
94 | 37.98.114.90 | 90.mobinnet.net | High
95 | 37.104.24.220 | - | High
96 | 37.104.50.144 | - | High
97 | 37.104.67.33 | - | High
98 | 37.105.234.200 | - | High
99 | 37.106.115.3 | - | High
100 | 37.143.29.10 | - | High
101 | 37.148.209.156 | 37-148-209-156.cizgi.net.tr | High
102 | 37.216.67.155 | - | High
103 | 37.216.213.70 | - | High
104 | 37.235.21.166 | - | High
105 | 41.57.108.68 | - | High
106 | 41.67.136.38 | netcomafrica.com | High
107 | 41.67.136.39 | netcomafrica.com | High
108 | 41.72.99.5 | - | High
109 | 41.72.101.138 | - | High
110 | 41.74.166.253 | - | High
111 | 41.92.208.194 | - | High
112 | 41.92.208.196 | - | High
113 | 41.92.208.197 | - | High
114 | 41.110.179.197 | - | High
115 | 41.128.226.60 | - | High
116 | 41.131.49.228 | host-41-131-49-228.static.link.com.eg | High
117 | 41.131.164.156 | - | High
118 | 41.134.208.234 | 41-134-208-234.dsl.mweb.co.za | High
119 | 41.182.252.56 | ADSL-41-182-252-56.ipb.na | High
120 | 41.205.139.34 | ADSL-41-205-139-34.ipb.na | High
121 | 41.208.106.68 | owa.altaqnya.com.ly | High
122 | 41.208.106.70 | dc1.Mail.dsmhlc.ly | High
123 | 41.215.250.40 | - | High
124 | 41.223.30.20 | host30-20.creolink.com | High
125 | 41.224.254.90 | - | High
126 | 43.249.216.6 | - | High
127 | 45.33.2.79 | li956-79.members.linode.com | High
128 | 45.33.23.183 | li977-183.members.linode.com | High
129 | 45.56.79.23 | li929-23.members.linode.com | High
130 | 45.79.19.196 | li1118-196.members.linode.com | High
131 | 45.118.34.215 | - | High
132 | 45.120.61.145 | - | High
133 | 45.124.169.36 | - | High
134 | 45.199.63.220 | - | High
135 | 46.19.101.186 | ip-46-19-101-186.gnc.net | High
136 | 46.21.147.161 | 46-21-147-161.static.hvvc.us | High
137 | 46.52.131.102 | - | High
138 | 46.121.242.180 | 46-121-242-180.static.012.net.il | High
139 | 46.174.116.60 | - | High
140 | 46.174.116.87 | - | High
141 | 46.174.116.90 | - | High
142 | 46.174.116.99 | - | High
143 | 46.174.116.221 | - | High
144 | 46.174.116.231 | - | High
145 | 46.174.116.234 | - | High
146 | 46.174.117.15 | - | High
147 | 46.174.117.32 | - | High
148 | 46.174.117.36 | - | High
149 | 46.174.117.42 | - | High
150 | 46.174.117.44 | - | High
151 | 46.174.117.50 | - | High
152 | 46.174.117.61 | - | High
153 | 46.174.117.77 | - | High
154 | 46.174.117.80 | - | High
155 | 46.174.117.97 | - | High
156 | 46.174.117.98 | - | High
157 | 46.174.117.103 | - | High
158 | 46.174.117.116 | - | High
159 | 46.174.117.121 | - | High
160 | 46.174.117.129 | - | High
161 | 46.174.117.134 | - | High
162 | 46.174.117.153 | - | High
163 | 46.174.117.164 | - | High
164 | 46.218.127.110 | reverse.completel.fr | High
165 | 47.206.4.145 | static-47-206-4-145.srst.fl.frontiernet.net | High
166 | 49.206.1.61 | 49.206.1.61.actcorp.in | High
167 | 50.62.168.157 | p3nwvpweb145.shr.prod.phx3.secureserver.net | High
168 | 50.87.144.227 | somethingaboutmarketing.com | High
169 | 51.235.1.216 | - | High
170 | 51.235.13.162 | - | High
171 | 51.235.17.133 | - | High
172 | 51.235.19.202 | - | High
173 | 51.235.33.226 | - | High
174 | 51.235.49.202 | - | High
175 | 54.64.30.175 | vega.mh-tec.co.jp | High
176 | 58.82.155.98 | 98.155.82.58.static-corp.jastel.co.th | High
177 | 58.185.197.210 | - | High
178 | 59.90.93.97 | static.bb.knl.59.90.93.97.bsnl.in | High
179 | 59.90.93.138 | static.bb.knl.59.90.93.138.bsnl.in | High
180 | 59.90.93.248 | static.bb.knl.59.90.93.248.bsnl.in | High
181 | ... | ... | ...

There are 878 more IOC items available. Please use our online service to access the data.
There are 718 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

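Review bot: this hunk only widens the public window: 20 shown + 878 more and 180 shown + 718 more both total 898 entries, so no indicator was added or removed. Among the newly visible rows a few records need a data-quality check before they are consumed as High-confidence IOCs: rows 73 (`21.252.107.198`) and 75 (`26.165.218.44`) fall in 21/8 and 26/8, blocks allocated to the US Department of Defense that practically never show up as publicly routed attack sources, which points to a parsing or transcription error in the upstream source; rows 60 and 70 carry PTR names that encode a different address than the IP column (`5.141.87.156` against `5-141-97-156...`, `14.141.27.100` against `14.141.26.100...`), so one of the two fields is stale or mistyped; and rows 21-48 are dense runs of neighbouring addresses in 2.93.x and 2.94.x with no PTR record, a pattern more typical of end-user ISP pools (the "access by proxy" case from the Countries section) than of actor-owned infrastructure, which the single Confidence column cannot express on its own.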
@ -62,14 +222,12 @@ Tactics, techniques, and procedures summarize the suspected ATT&CK techniques us

ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1040 | Authentication Bypass by Capture-replay | High
2 | T1059.007 | Cross Site Scripting | High
3 | T1068 | Execution with Unnecessary Privileges | High
4 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
5 | T1211 | 7PK Security Features | High
6 | ... | ... | ...
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...

There are 10 more TTP items available. Please use our online service to access the data.
There are 7 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

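Review bot: the TTP set shrinks from 15 (5 shown + 10 more) to 10 (3 shown + 7 more), and the two rows that vanish from view, T1040 and T1211, are the ones whose descriptions fit their technique IDs least: T1040 is Network Sniffing, while "Authentication Bypass by Capture-replay" is CWE-294, and T1211 is Exploitation for Defense Evasion, while "7PK Security Features" is the CWE-254 category name. The three surviving rows have the same CWE-name-for-ATT&CK-ID mismatch (T1059.007 is Command and Scripting Interpreter: JavaScript, T1068 is Exploitation for Privilege Escalation, T1110.001 is Brute Force: Password Guessing), so the fix belongs in the generator's lookup or in the column label, not in this file.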
@ -77,19 +235,19 @@ These indicators of attack list the potential fragments used for technical activ

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `#!/system` | Medium
2 | File | `$SPLUNK_HOME/etc/splunk-launch.conf` | High
3 | File | `%APPDATA%\Securepoint SSL VPN` | High
4 | File | `%PROGRAMFILES%\MyQ\PHP\Sessions\` | High
5 | File | `.htaccess` | Medium
6 | File | `.htpasswd` | Medium
7 | File | `.procmailrc` | Medium
8 | File | `.travis.yml` | Medium
9 | File | `/+CSCOE+/logon.html` | High
10 | File | `/.gitolite.rc` | High
1 | File | `/admin/login.php` | High
2 | File | `/ajax_crud` | Medium
3 | File | `/core/table/query` | High
4 | File | `/dev/ion` | Medium
5 | File | `/ecma/operations/ecma-objects.c` | High
6 | File | `/GetCopiedFile` | High
7 | File | `/hdf5/src/H5T.c` | High
8 | File | `/leave_system/classes/Login.php` | High
9 | File | `/risque/administration/referentiel/json/create/categorie` | High
10 | File | `/rsms/` | Low
11 | ... | ... | ...

There are 3731 more IOA items available. Please use our online service to access the data.
There are 80 more IOA items available. Please use our online service to access the data.

## References

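Review bot: the IOA set collapses from 3,741 entries (10 shown + 3,731 more) to 90 (10 shown + 80 more), and none of the previously visible rows survives, so this is a regeneration rather than an update; a change of this size needs an explanation in the commit (new model run, deduplication, or a defect in the previous export) so that consumers know whether the old 3,741 entries should be retired. One side effect worth keeping is that the removed rows included generic dotfiles such as `.htaccess`, `.htpasswd` and `.travis.yml` at Medium confidence, names that occur on far too many systems to be useful as attack indicators.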
@ -117,9 +275,9 @@ The following list contains external sources which discuss the actor and the ass

The following articles explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
|
@ -1,6 +1,6 @@
|
|||
# Leviathan - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Leviathan](https://vuldb.com/?actor.leviathan). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Leviathan](https://vuldb.com/?actor.leviathan). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.leviathan](https://vuldb.com/?actor.leviathan)
@ -47,16 +47,9 @@ ID | Type | Indicator | Confidence
1 | File | `encrypt.c` | Medium
2 | File | `ept.c` | Low
3 | File | `index.php` | Medium
4 | File | `PGSQL:SubmitQuery.do` | High
5 | File | `qemu-dos.com` | Medium
6 | File | `wallacepos-master/myaccount/resetpassword.php` | High
7 | Argument | `Referer` | Low
8 | Argument | `session_id` | Medium
9 | Argument | `src` | Low
10 | Argument | `token` | Low
11 | ... | ... | ...
4 | ... | ... | ...

There are 2 more IOA items available. Please use our online service to access the data.
There are 9 more IOA items available. Please use our online service to access the data.

## References
@ -69,9 +62,9 @@ The following list contains external sources which discuss the actor and the ass

The following articles explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -46,16 +46,9 @@ ID | Type | Indicator | Confidence
1 | File | `/DbXmlInfo.xml` | High
2 | File | `/deviceIP` | Medium
3 | File | `/inc/HTTPClient.php` | High
4 | File | `BACnOPCServer.exe` | High
5 | File | `base/ErrorHandler.php` | High
6 | File | `bvlc.c` | Low
7 | File | `csv` | Low
8 | File | `data/gbconfiguration.dat` | High
9 | File | `get/vcs.go` | Medium
10 | File | `Illuminate/Encryption/Encrypter.php` | High
11 | ... | ... | ...
4 | ... | ... | ...

There are 8 more IOA items available. Please use our online service to access the data.
There are 15 more IOA items available. Please use our online service to access the data.

## References
@ -72,4 +65,4 @@ The following articles explain our unique predictive cyber threat intelligence:

## License

(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -1,12 +1,12 @@
# LokiBot - Cyber Threat Intelligence
# Lokibot - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [LokiBot](https://vuldb.com/?actor.lokibot). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Lokibot](https://vuldb.com/?actor.lokibot). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.lokibot](https://vuldb.com/?actor.lokibot)

## Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with LokiBot:
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Lokibot:

* ES
* US
@ -17,7 +17,7 @@ There are 12 more country items available. Please use our online service to acce

## IOC - Indicator of Compromise

These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of LokiBot.
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Lokibot.

ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
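Review bot: the rewritten sentence still carries the misspelling "ressources" ("associated network ressources"); since this line is being touched anyway for the LokiBot/Lokibot rename, change it to "resources". The same wording shows up in the LuminousMoth hunk header further down, so the fix belongs in the template that generates these files rather than in this one file.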
@ -47,7 +47,7 @@ There are 65 more IOC items available. Please use our online service to access t

## TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by LokiBot. This data is unique as it uses our predictive model for actor profiling.
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Lokibot. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
@ -61,7 +61,7 @@ There are 8 more TTP items available. Please use our online service to access th

## IOA - Indicator of Attack

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by LokiBot. This data is unique as it uses our predictive model for actor profiling.
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Lokibot. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
@ -1,6 +1,6 @@
# LuminousMoth - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [LuminousMoth](https://vuldb.com/?actor.luminousmoth). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [LuminousMoth](https://vuldb.com/?actor.luminousmoth). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.luminousmoth](https://vuldb.com/?actor.luminousmoth)
@ -19,8 +19,8 @@ These indicators of compromise indicate associated network ressources which are
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 45.204.9.70 | - | High
2 | 103.15.28.195 | - | High
3 | 202.59.10.253 | begin-user.sizecalm.com | High
2 | 103.15.28.195 | gld5.linkadminister.club | High
3 | 202.59.10.253 | begin-user.proscarce.org | High

## TTP - Tactics, Techniques, Procedures
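Review bot: rows 2 and 3 overwrite the hostname of an unchanged IP address (103.15.28.195 goes from "-" to gld5.linkadminister.club, 202.59.10.253 from begin-user.sizecalm.com to begin-user.proscarce.org) while Confidence stays at High. Reverse-DNS names on shared hosting change independently of who controls the address, so a consumer that matches on hostname silently loses the earlier value with this update; consider keeping the previous hostname alongside the new one, or adding a last-seen date, instead of replacing it in place.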
@ -39,7 +39,9 @@ ID | Type | Indicator | Confidence
1 | File | `Config/SaveUploadedHotspotLogoFile` | High
2 | File | `dede\co_do.php` | High
3 | Library | `MOVEit.DMZ.WebApi.dll` | High
4 | Argument | `ids` | Low
4 | ... | ... | ...

There are 1 more IOA items available. Please use our online service to access the data.

## References
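Review bot: the added sentence "There are 1 more IOA items available" is ungrammatical; the generator should special-case a count of one ("There is 1 more IOA item available"). The same wording appears in the MsAttacker hunk below, which confirms it is a template issue. Note also that the change hides exactly one row (4 | Argument | `ids` | Low) behind the ellipsis row, so the truncation saves nothing on this page.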
@ -51,9 +53,9 @@ The following list contains external sources which discuss the actor and the ass

The following articles explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -1,6 +1,6 @@
# Manul - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Manul](https://vuldb.com/?actor.manul). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Manul](https://vuldb.com/?actor.manul). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.manul](https://vuldb.com/?actor.manul)
@ -28,9 +28,9 @@ The following list contains external sources which discuss the actor and the ass

The following articles explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -1,6 +1,6 @@
# MsAttacker - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [MsAttacker](https://vuldb.com/?actor.msattacker). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [MsAttacker](https://vuldb.com/?actor.msattacker). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.msattacker](https://vuldb.com/?actor.msattacker)
@ -42,16 +42,9 @@ ID | Type | Indicator | Confidence
1 | File | `/get_getnetworkconf.cgi` | High
2 | File | `controllers/Weixin.php` | High
3 | File | `functions/functions_filters.asp` | High
4 | File | `inc/config.php` | High
5 | Library | `system/libraries/Email.php` | High
6 | Argument | `basePath` | Medium
7 | Argument | `email->from` | Medium
8 | Argument | `First Name/Last Name/Address field` | High
9 | Argument | `name` | Low
10 | Argument | `url` | Low
11 | ... | ... | ...
4 | ... | ... | ...

There are 1 more IOA items available. Please use our online service to access the data.
There are 8 more IOA items available. Please use our online service to access the data.

## References
@ -63,9 +56,9 @@ The following list contains external sources which discuss the actor and the ass

The following articles explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -1,6 +1,6 @@
# Mustang Panda - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Mustang Panda](https://vuldb.com/?actor.mustang_panda). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Mustang Panda](https://vuldb.com/?actor.mustang_panda). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.mustang_panda](https://vuldb.com/?actor.mustang_panda)
@ -29,13 +29,9 @@ ID | IP address | Hostname | Confidence
3 | 45.77.184.12 | comm.phiu.pw | High
4 | 45.248.87.14 | - | High
5 | 91.195.240.117 | - | High
6 | 95.217.1.81 | static.81.1.217.95.clients.your-server.de | High
7 | 149.28.74.41 | 149.28.74.41.vultr.com | Medium
8 | 149.28.74.149 | 149.28.74.149.vultr.com | Medium
9 | 154.221.24.47 | - | High
10 | ... | ... | ...
6 | ... | ... | ...

There are 17 more IOC items available. Please use our online service to access the data.
There are 21 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures
@ -46,10 +42,9 @@ ID | Technique | Description | Confidence
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | T1222 | Permission Issues | High
5 | ... | ... | ...
4 | ... | ... | ...

There are 6 more TTP items available. Please use our online service to access the data.
There are 8 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack
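Review bot: the Description column does not carry the ATT&CK technique names but CWE weakness titles: T1059.007 is "Command and Scripting Interpreter: JavaScript" in ATT&CK, not "Cross Site Scripting"; T1068 is "Exploitation for Privilege Escalation", while "Execution with Unnecessary Privileges" is CWE-250; T1110.001 is "Brute Force: Password Guessing", while "Improper Restriction of Excessive Authentication Attempts" is CWE-307; T1222 is "File and Directory Permissions Modification", while "Permission Issues" is CWE-275. A reader cross-referencing ATT&CK will not find these strings; rename the column (for example "Weakness") or add the CWE id so the mapping is explicit.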
@ -66,8 +61,9 @@ ID | Type | Indicator | Confidence
7 | File | `/settings` | Medium
8 | File | `/updater.php` | Medium
9 | File | `/uploads/dede` | High
10 | File | `/webtools/control/httpService` | High
11 | ... | ... | ...
10 | File | `/way4acs/enroll` | High
11 | File | `/webtools/control/httpService` | High
12 | ... | ... | ...

There are 89 more IOA items available. Please use our online service to access the data.
@ -83,9 +79,9 @@ The following list contains external sources which discuss the actor and the ass

The following articles explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -1,6 +1,6 @@
# MyKings - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [MyKings](https://vuldb.com/?actor.mykings). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [MyKings](https://vuldb.com/?actor.mykings). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.mykings](https://vuldb.com/?actor.mykings)
@ -38,18 +38,14 @@ ID | IP address | Hostname | Confidence
9 | 45.58.133.10 | depending-tcped.landweeks.com | High
10 | 45.58.135.106 | - | High
11 | 45.58.140.194 | vm194.ebouravi.com | High
12 | 45.116.13.219 | - | High
12 | 45.116.13.219 | 45.116.13.219.static.xtom.hk | High
13 | 54.255.141.50 | ec2-54-255-141-50.ap-southeast-1.compute.amazonaws.com | Medium
14 | 60.250.76.52 | 60-250-76-52.hinet-ip.hinet.net | High
15 | 64.32.3.186 | - | High
16 | 66.117.2.182 | crownwine.net | High
17 | 66.117.6.174 | menu-btob.etherraw.com | High
18 | 67.21.90.226 | saas-mx0226.profirstin.com | High
19 | 67.229.99.82 | kumrye.manibal.co.uk | High
20 | 69.30.200.178 | - | High
21 | ... | ... | ...
17 | ... | ... | ...

There are 61 more IOC items available. Please use our online service to access the data.
There are 65 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures
@ -62,7 +58,7 @@ ID | Technique | Description | Confidence
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...

There are 4 more TTP items available. Please use our online service to access the data.
There are 5 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack
@ -80,9 +76,18 @@ ID | Type | Indicator | Confidence
8 | File | `/mysql/api/drobo.php` | High
9 | File | `/rating.php` | Medium
10 | File | `/rom-0` | Low
11 | ... | ... | ...
11 | File | `/secure/admin/ConfigureBatching!default.jspa` | High
12 | File | `/uncpath/` | Medium
13 | File | `/usr/local/WowzaStreamingEngine/bin/` | High
14 | File | `/var/log/nginx` | High
15 | File | `/wordpress/wp-admin/admin.php` | High
16 | File | `/_next` | Low
17 | File | `actions.hsp` | Medium
18 | File | `addtocart.asp` | High
19 | File | `ajax/api/hook/decodeArguments` | High
20 | ... | ... | ...

There are 162 more IOA items available. Please use our online service to access the data.
There are 164 more IOA items available. Please use our online service to access the data.

## References
@ -95,9 +100,9 @@ The following list contains external sources which discuss the actor and the ass

The following articles explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -1,6 +1,6 @@
# NSO Group - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [NSO Group](https://vuldb.com/?actor.nso_group). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [NSO Group](https://vuldb.com/?actor.nso_group). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.nso_group](https://vuldb.com/?actor.nso_group)
@ -16,8 +16,8 @@ The following campaigns are known and can be associated with NSO Group:

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with NSO Group:

* US
* DE
* US
* CN
* ...
@ -37,14 +37,9 @@ ID | IP address | Hostname | Confidence
6 | 18.217.13.50 | ec2-18-217-13-50.us-east-2.compute.amazonaws.com | Medium
7 | 18.225.12.72 | ec2-18-225-12-72.us-east-2.compute.amazonaws.com | Medium
8 | 23.239.16.143 | li685-143.members.linode.com | High
9 | 45.60.241.11 | - | High
10 | 45.60.251.11 | - | High
11 | 45.79.190.38 | li1289-38.members.linode.com | High
12 | 52.8.52.166 | ec2-52-8-52-166.us-west-1.compute.amazonaws.com | Medium
13 | 52.8.153.44 | ec2-52-8-153-44.us-west-1.compute.amazonaws.com | Medium
14 | ... | ... | ...
9 | ... | ... | ...

There are 26 more IOC items available. Please use our online service to access the data.
There are 31 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures
@ -52,12 +47,12 @@ Tactics, techniques, and procedures summarize the suspected ATT&CK techniques us

ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
1 | T1040 | Authentication Bypass by Capture-replay | High
2 | T1059.007 | Cross Site Scripting | High
3 | T1068 | Execution with Unnecessary Privileges | High
4 | ... | ... | ...

There are 6 more TTP items available. Please use our online service to access the data.
There are 7 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack
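Review bot: the new first row pairs T1040 with "Authentication Bypass by Capture-replay". In ATT&CK, T1040 is "Network Sniffing"; the description is the title of CWE-294, so the row combines a weakness with the technique that would exploit it without saying so, and a reader looking T1040 up in ATT&CK will not find that text. The insertion also renumbers the existing rows (the T1059.007 and T1068 entries move from 1 and 2 to 2 and 3), so the ID column is positional rather than a stable key; anything downstream that keys on it should use the technique id instead.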
@ -70,14 +65,21 @@ ID | Type | Indicator | Confidence
3 | File | `/etc/controller-agent/agent.conf` | High
4 | File | `/forms/web_importTFTP` | High
5 | File | `/forum/away.php` | High
6 | File | `/localhost/u` | Medium
7 | File | `/out.php` | Medium
8 | File | `/PluXml/core/admin/parametres_edittpl.php` | High
9 | File | `/rom-0` | Low
10 | File | `/root/run/adm.php?admin-ediy&part=exdiy` | High
11 | ... | ... | ...
6 | File | `/graphql` | Medium
7 | File | `/localhost/u` | Medium
8 | File | `/out.php` | Medium
9 | File | `/PluXml/core/admin/parametres_edittpl.php` | High
10 | File | `/public_html/admin/plugins/bad_behavior2/blacklist.php` | High
11 | File | `/rom-0` | Low
12 | File | `/root/run/adm.php?admin-ediy&part=exdiy` | High
13 | File | `/v2/devices/add` | High
14 | File | `/var/ipfire/backup/bin/backup.pl` | High
15 | File | `/wp-json/wc/v3/webhooks` | High
16 | File | `adclick.php` | Medium
17 | File | `AddEvent.php` | Medium
18 | ... | ... | ...

There are 140 more IOA items available. Please use our online service to access the data.
There are 147 more IOA items available. Please use our online service to access the data.

## References
@ -93,9 +95,9 @@ The following list contains external sources which discuss the actor and the ass

The following articles explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -30,12 +30,9 @@ ID | IP address | Hostname | Confidence
1 | 8.8.8.8 | dns.google | High
2 | 20.42.65.92 | - | High
3 | 23.235.221.158 | vps53141.inmotionhosting.com | High
4 | 79.134.225.101 | - | High
5 | 87.120.37.96 | - | High
6 | 104.208.16.94 | - | High
7 | ... | ... | ...
4 | ... | ... | ...

There are 11 more IOC items available. Please use our online service to access the data.
There are 14 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures
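Review bot: row 1 keeps 8.8.8.8 (dns.google, Google's public resolver) as a High-confidence IOC. That address is shared by practically every network, so anyone feeding this table into a blocklist or an alert rule gets constant false positives and no attribution value from it; either drop the row, mark it as shared infrastructure, or lower its confidence. The trimming itself is consistent: 6 + 11 and 3 + 14 both give 17 items.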
|
||||
|
||||
|
@ -61,14 +58,9 @@ ID | Type | Indicator | Confidence
|
|||
3 | File | `browser.php` | Medium
|
||||
4 | File | `cat.php` | Low
|
||||
5 | File | `CompanionDeviceManagerService.java` | High
|
||||
6 | File | `config.xml` | Medium
|
||||
7 | File | `dede\co_do.php` | High
|
||||
8 | File | `detail.php` | Medium
|
||||
9 | File | `Dynamiccontenttags.php` | High
10 | File | `filemanager/model.php` | High
11 | ... | ... | ...
6 | ... | ... | ...
There are 37 more IOA items available. Please use our online service to access the data.
There are 42 more IOA items available. Please use our online service to access the data.
## References
@ -87,4 +79,4 @@ The following articles explain our unique predictive cyber threat intelligence:
## License
(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -1,6 +1,6 @@
# Necurs - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Necurs](https://vuldb.com/?actor.necurs). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Necurs](https://vuldb.com/?actor.necurs). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.necurs](https://vuldb.com/?actor.necurs)
@ -19,11 +19,9 @@ ID | IP address | Hostname | Confidence
1 | 40.121.206.97 | - | High
2 | 64.47.209.23 | - | High
3 | 64.63.188.85 | - | High
4 | 64.231.250.149 | bas3-toronto12-64-231-250-149.dsl.bell.ca | High
5 | 65.79.10.48 | freshman-events.nl.edu | High
6 | ... | ... | ...
4 | ... | ... | ...
There are 8 more IOC items available. Please use our online service to access the data.
There are 10 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
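Review bot: The two rows this hunk hides behind `4 | ...` (`bas3-toronto12-64-231-250-149.dsl.bell.ca` and `freshman-events.nl.edu`) were the only ones whose hostnames tell a defender what kind of infrastructure is involved, a residential DSL line and a university host, both typical of compromised or dynamically assigned third-party systems rather than actor-owned servers; with them gone the README shows three bare IPs at High confidence and no hint that the addresses may have moved on, so consider keeping rows that carry a hostname visible, or noting the observation date next to the confidence.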
@ -52,9 +50,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -1,6 +1,6 @@
# Needles - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Needles](https://vuldb.com/?actor.needles). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Needles](https://vuldb.com/?actor.needles). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.needles](https://vuldb.com/?actor.needles)
@ -31,9 +31,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -27,14 +27,9 @@ ID | IP address | Hostname | Confidence
4 | 45.144.225.219 | - | High
5 | 89.249.74.213 | - | High
6 | 94.103.80.254 | v702647.hosted-by-vdsina.ru | High
7 | 103.150.8.54 | - | High
8 | 104.21.70.22 | - | High
9 | 142.44.252.19 | ip19.ip-142-44-252.net | High
10 | 155.94.198.169 | 155.94.198.169.static.quadranet.com | High
11 | 162.159.129.233 | - | High
12 | ... | ... | ...
7 | ... | ... | ...
There are 20 more IOC items available. Please use our online service to access the data.
There are 25 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -47,7 +42,7 @@ ID | Technique | Description | Confidence
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
There are 6 more TTP items available. Please use our online service to access the data.
There are 7 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -65,9 +60,19 @@ ID | Type | Indicator | Confidence
8 | File | `/netflow/jspui/linkdownalertConfig.jsp` | High
9 | File | `/product.php` | Medium
10 | File | `/products/details.asp` | High
11 | ... | ... | ...
11 | File | `/uncpath/` | Medium
12 | File | `123flashchat.php` | High
13 | File | `ActionsAndOperations` | High
14 | File | `adclick.php` | Medium
15 | File | `admin.php` | Medium
16 | File | `adminlogin.asp` | High
17 | File | `Adminstrator/Users/Edit/` | High
18 | File | `binder.c` | Medium
19 | File | `books.php` | Medium
20 | File | `buy.php` | Low
21 | ... | ... | ...
There are 183 more IOA items available. Please use our online service to access the data.
There are 174 more IOA items available. Please use our online service to access the data.
## References
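Review bot: This hunk raises the number of visible IOA rows from 10 to 20 (`21 | ...` with 174 more), while the other tables in the same commit are cut down to three visible rows, so the truncation rule is not the same across files and the README never states what it is; if the limit is derived from the total (20 of 194 here), say so in the intro sentence, otherwise apply one fixed limit everywhere. The totals are consistent either way: 10 + 183 before and 20 + 174 after, i.e. one new indicator.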
@ -91,4 +96,4 @@ The following articles explain our unique predictive cyber threat intelligence:
## License
(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -1,6 +1,6 @@
# Neuron - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Neuron](https://vuldb.com/?actor.neuron). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Neuron](https://vuldb.com/?actor.neuron). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.neuron](https://vuldb.com/?actor.neuron)
@ -39,9 +39,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -1,6 +1,6 @@
# Nobelium - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Nobelium](https://vuldb.com/?actor.nobelium). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Nobelium](https://vuldb.com/?actor.nobelium). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.nobelium](https://vuldb.com/?actor.nobelium)
@ -10,6 +10,7 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
* CN
* US
* DE
## IOC - Indicator of Compromise
@ -35,13 +36,11 @@ These indicators of attack list the potential fragments used for technical activ
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/notice-edit.php` | High
2 | File | `burl.c` | Low
3 | File | `http_auth.c` | Medium
4 | File | `ViewLog.asp` | Medium
5 | Argument | `aid` | Low
6 | Argument | `remote_host` | Medium
7 | Input Value | `%3bping+-c+3+10.0.99.102%3b%23` | High
8 | Input Value | `/%2F` | Low
2 | File | `/wp-content/plugins/updraftplus/admin.php` | High
3 | File | `burl.c` | Low
4 | ... | ... | ...
There are 8 more IOA items available. Please use our online service to access the data.
## References
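Review bot: After this hunk every visible IOA row is of type File, and the rows now hidden behind `4 | ...` include the Argument entries (`aid`, `remote_host`) and the Input Value entries that showed the set mixes indicator types; a reader can no longer tell that from the README, so keep at least one row per type visible or mention in the intro that the 8 hidden items span other types. The new row 2 (`/wp-content/plugins/updraftplus/admin.php`, High) pushing `burl.c` from 2 to 3 is expected.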
@ -53,9 +52,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -1,6 +1,6 @@
# Oto Gonderici - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Oto Gonderici](https://vuldb.com/?actor.oto_gonderici). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Oto Gonderici](https://vuldb.com/?actor.oto_gonderici). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.oto_gonderici](https://vuldb.com/?actor.oto_gonderici)
@ -50,16 +50,9 @@ ID | Type | Indicator | Confidence
1 | File | `/usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php` | High
2 | File | `audiohd.exe` | Medium
3 | File | `C:\Windupdt` | Medium
4 | File | `C:\z_Drivers` | Medium
5 | File | `cgi-bin/webproc` | High
6 | File | `cheaters.php/confirm_resend.php` | High
7 | File | `data/gbconfiguration.dat` | High
8 | File | `ext/standard/link_win32.c` | High
9 | File | `getfile.asp` | Medium
10 | File | `mypage` | Low
11 | ... | ... | ...
4 | ... | ... | ...
There are 13 more IOA items available. Please use our online service to access the data.
There are 21 more IOA items available. Please use our online service to access the data.
## References
@ -71,9 +64,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -0,0 +1,98 @@
# PlugX - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [PlugX](https://vuldb.com/?actor.plugx). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.plugx](https://vuldb.com/?actor.plugx)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with PlugX:
* CN
* US
* DE
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of PlugX.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 34.92.30.54 | 54.30.92.34.bc.googleusercontent.com | Medium
2 | 35.220.176.90 | 90.176.220.35.bc.googleusercontent.com | Medium
3 | 95.179.128.208 | 95.179.128.208.vultr.com | Medium
4 | ... | ... | ...
There are 8 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by PlugX. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
There are 6 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by PlugX. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `$JENKINS_HOME/jenkins.security.RekeySecretAdminMonitor/backups` | High
2 | File | `/admin/` | Low
3 | File | `/admin/?/plugin/comment/settings` | High
4 | File | `/admin/ajax/file-browser/upload/` | High
5 | File | `/admin/index.php` | High
6 | File | `/api/filemanager` | High
7 | File | `/api/request/?OPERATION_NAME` | High
8 | File | `/apparel--accessories` | High
9 | File | `/apply_noauth.cgi` | High
10 | File | `/catalog/admin/categories.php?cPath=&action=new_product` | High
11 | File | `/domains/index.fts` | High
12 | File | `/DroboAccess/delete_user` | High
13 | File | `/foundry/modules/news/newscolumns.php` | High
14 | File | `/GponForm/device_Form?script/` | High
15 | File | `/media/api` | Medium
16 | File | `/member/test/points` | High
17 | File | `/Mum.Geo.Services/DataAccessService.svc` | High
18 | File | `/port_3480` | Medium
19 | File | `/q` | Low
20 | File | `/service-list` | High
21 | File | `/smstest.html` | High
22 | File | `/tmp` | Low
23 | File | `/tmp/kamailio_fifo` | High
24 | File | `/tmp/scfgdndf` | High
25 | File | `/view/friend_profile.php` | High
26 | File | `AccessManagerCoreService.exe` | High
27 | File | `actions/doreport.php` | High
28 | File | `addlyricsform.php` | High
29 | File | `addmerchpicform.php` | High
30 | File | `addresses_export.php` | High
31 | File | `adherents/cartes/carte.php` | High
32 | File | `admin.php?m=Member&a=adminaddsave` | High
33 | ... | ... | ...
There are 280 more IOA items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://twitter.com/0xrb/status/1482976719300890629
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
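Review bot: In the new TTP table the Description column does not name the ATT&CK techniques the ID column references: T1059.007 is Command and Scripting Interpreter: JavaScript, T1068 is Exploitation for Privilege Escalation and T1110.001 is Brute Force: Password Guessing, whereas `Cross Site Scripting`, `Execution with Unnecessary Privileges` and `Improper Restriction of Excessive Authentication Attempts` are CWE-style weakness names; either head the column `Weakness` or add the ATT&CK name so the mapping is explicit. Two smaller points: the IOC intro reads `network ressources` (resources), and all three IOC hostnames are shared hosting (`bc.googleusercontent.com`, `vultr.com`) where addresses get reassigned, so the Medium confidence should be paired with an observation date.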
@ -1,6 +1,6 @@
# ProLock - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [ProLock](https://vuldb.com/?actor.prolock). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [ProLock](https://vuldb.com/?actor.prolock). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.prolock](https://vuldb.com/?actor.prolock)
@ -16,7 +16,7 @@ These indicators of compromise indicate associated network ressources which are
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 185.212.128.8 | alpha.casino | High
1 | 185.212.128.8 | alinac4r1.ptr1.ru | High
## TTP - Tactics, Techniques, Procedures
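Review bot: Row 1 keeps the same IP `185.212.128.8` at High confidence but swaps the hostname from `alpha.casino` to `alinac4r1.ptr1.ru`; that is a change in the reverse DNS record, which the address holder controls and can change at will, not new evidence about the actor, so either keep both observed names with their dates or make clear that the hostname does not feed the confidence. Overwriting it in place also loses the earlier observation for anyone who reads only the current file.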
@ -35,11 +35,9 @@ ID | Type | Indicator | Confidence
1 | File | `category.php` | Medium
2 | File | `Unlock.exe` | Medium
3 | File | `wp-admin/media-upload.php` | High
4 | File | `wp-content/uploads` | High
5 | File | `wp-content/uploads/tmm_db_migrate/wp_users.dat` | High
6 | Argument | `post_id` | Low
7 | Argument | `site` | Low
8 | Argument | `user_login/user_pass/user_email` | High
4 | ... | ... | ...
There are 5 more IOA items available. Please use our online service to access the data.
## References
@ -51,9 +49,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -1,6 +1,6 @@
# Pzchao - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Pzchao](https://vuldb.com/?actor.pzchao). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Pzchao](https://vuldb.com/?actor.pzchao). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.pzchao](https://vuldb.com/?actor.pzchao)
@ -22,9 +22,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -1,6 +1,6 @@
# Qealler - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Qealler](https://vuldb.com/?actor.qealler). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Qealler](https://vuldb.com/?actor.qealler). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.qealler](https://vuldb.com/?actor.qealler)
@ -8,8 +8,8 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Qealler:
* RU
* US
* RU
## IOC - Indicator of Compromise
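Review bot: This hunk only reorders the country list (`RU` moves from before `US` to after it) without adding or removing an entry; if the list is generated, emit it in a stable order (alphabetical, or by whatever ranking the intro implies) so that regenerations do not produce churn that hides real changes, and if the order carries meaning, say what it means in the intro sentence.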
@ -20,6 +20,14 @@ ID | IP address | Hostname | Confidence
1 | 139.59.76.44 | server1.agorimtech.com | High
2 | 146.185.139.123 | - | High
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Qealler. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1068 | Execution with Unnecessary Privileges | High
## References
The following list contains external sources which discuss the actor and the associated activities:
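Review bot: The new TTP section labels T1068 as `Execution with Unnecessary Privileges`, which is the CWE-250 weakness name, while T1068 in ATT&CK is Exploitation for Privilege Escalation; state in the intro sentence or the column header that the description is the mapped weakness rather than the technique name, otherwise readers who look the ID up will see a different title than the table shows.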
@ -30,9 +38,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
||||
|
|
|
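Review bot: the link scheme change from `?doc.*` to `?kb.*` and the year bump to 1997-2022 are applied line by line in each actor file, and the Ramnit license hunk later in this commit shows that file was already on `?kb.*` while its year was still 2021, so the files have drifted from each other. Generating the Literature and License sections from a single template would keep every actor page on the same links and the same year.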
@ -1,6 +1,6 @@
# REvil - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [REvil](https://vuldb.com/?actor.revil). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [REvil](https://vuldb.com/?actor.revil). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.revil](https://vuldb.com/?actor.revil)

@ -16,7 +16,10 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access

* US
* DE
* CN
* RU
* ...

There are 7 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -26,10 +29,16 @@ ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 5.230.195.226 | - | High
2 | 18.223.199.234 | ec2-18-223-199-234.us-east-2.compute.amazonaws.com | Medium
3 | 45.55.211.79 | - | High
4 | ... | ... | ...
3 | 45.9.148.108 | mx1.dendrite.network | High
4 | 45.33.2.79 | li956-79.members.linode.com | High
5 | 45.33.18.44 | li972-44.members.linode.com | High
6 | 45.33.20.235 | li974-235.members.linode.com | High
7 | 45.33.23.183 | li977-183.members.linode.com | High
8 | 45.33.30.197 | li1047-197.members.linode.com | High
9 | 45.55.211.79 | - | High
10 | ... | ... | ...

There are 6 more IOC items available. Please use our online service to access the data.
There are 34 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

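Review bot: the IOC table has no first-seen/last-seen column, so a consumer cannot age entries out; that matters most for the rows added here on shared cloud infrastructure (`ec2-18-223-199-234.us-east-2.compute.amazonaws.com`, the `li*.members.linode.com` hosts), whose addresses get reassigned to other tenants. A date column, or at least a snapshot date in the section intro, would let a blocklist built from this table expire safely.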
@ -39,7 +48,10 @@ ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1222 | Permission Issues | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...

There are 8 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

@ -47,25 +59,32 @@ These indicators of attack list the potential fragments used for technical activ

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/category_view.php` | High
2 | File | `/cms/process.php` | High
3 | File | `/etc/shadow` | Medium
4 | File | `/movie.php` | Medium
5 | File | `admin/settings.php` | High
6 | File | `data/gbconfiguration.dat` | High
7 | File | `instant_service.cc` | High
8 | File | `item_show.php` | High
9 | File | `language/lang_english/lang_main_album.php` | High
10 | File | `maketemp.pl` | Medium
11 | ... | ... | ...
1 | File | `/.htpasswd` | Medium
2 | File | `/category_view.php` | High
3 | File | `/cgi-bin/nasset.cgi` | High
4 | File | `/cgi-bin/webadminget.cgi` | High
5 | File | `/cms/process.php` | High
6 | File | `/etc/shadow` | Medium
7 | File | `/forum/away.php` | High
8 | File | `/goform/SetNetControlList` | High
9 | File | `/index.php/weblinks-categories` | High
10 | File | `/modules/profile/index.php` | High
11 | File | `/movie.php` | Medium
12 | File | `/public/login.htm` | High
13 | File | `/show_news.php` | High
14 | File | `/uncpath/` | Medium
15 | File | `adclick.php` | Medium
16 | File | `admin.asp` | Medium
17 | ... | ... | ...

There are 13 more IOA items available. Please use our online service to access the data.
There are 135 more IOA items available. Please use our online service to access the data.

## References

The following list contains external sources which discuss the actor and the associated activities:

* https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html
* https://ddanchev.blogspot.com/2022/01/exposing-internet-connected_24.html
* https://www.darktrace.com/en/blog/darktraces-cyber-ai-analyst-investigates-sodinokibi-r-evil-ransomware/
* https://www.varonis.com/blog/revil-msp-supply-chain-attack/

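Review bot: every indicator in this table is typed `File` although the rows mix host filesystem paths (`/etc/shadow`, `/.htpasswd`), web request paths (`/goform/SetNetControlList`, `/index.php/weblinks-categories`) and source file names (`instant_service.cc`). A consumer matching host file-integrity events needs the first group and one matching web server logs needs the second, so a finer Type value, or a sentence in the section intro on how the fragments are meant to be matched, would make the table usable as written.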
@ -73,9 +92,9 @@ The following list contains external sources which discuss the actor and the ass

The following articles explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -8,12 +8,12 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Ramnit:

* DE
* ES
* US
* ES
* RU
* ...

There are 16 more country items available. Please use our online service to access the data.
There are 13 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

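Review bot: one side of this hunk lists `* ES` twice. The visible entries read `* DE`, `* ES`, `* US`, `* ES`, `* RU` and the hunk header says one line was replaced, so whichever adjacent pair is the removed/added line, either the old or the new list contains a duplicate; the generator should deduplicate the country list before writing it.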
@ -41,9 +41,25 @@ ID | IP address | Hostname | Confidence
18 | 23.64.109.30 | a23-64-109-30.deploy.static.akamaitechnologies.com | High
19 | 23.196.65.196 | a23-196-65-196.deploy.static.akamaitechnologies.com | High
20 | 23.218.130.41 | a23-218-130-41.deploy.static.akamaitechnologies.com | High
21 | ... | ... | ...
21 | 31.44.184.117 | - | High
22 | 34.98.99.30 | 30.99.98.34.bc.googleusercontent.com | Medium
23 | 34.102.136.180 | 180.136.102.34.bc.googleusercontent.com | Medium
24 | 34.197.76.50 | ec2-34-197-76-50.compute-1.amazonaws.com | Medium
25 | 34.225.182.233 | ec2-34-225-182-233.compute-1.amazonaws.com | Medium
26 | 35.188.161.42 | 42.161.188.35.bc.googleusercontent.com | Medium
27 | 35.224.11.86 | 86.11.224.35.bc.googleusercontent.com | Medium
28 | 39.107.34.197 | - | High
29 | 45.118.145.96 | - | High
30 | 46.17.47.67 | fxchfjhtftfr.net | High
31 | 46.165.220.141 | - | High
32 | 46.165.220.142 | - | High
33 | 46.165.220.143 | - | High
34 | 46.165.220.144 | - | High
35 | 46.165.220.145 | - | High
36 | 46.165.220.146 | - | High
37 | ... | ... | ...

There are 158 more IOC items available. Please use our online service to access the data.
There are 143 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

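Review bot: rows 31 to 36 are six consecutive addresses, `46.165.220.141` through `46.165.220.146`, listed one per row with no hostname. Recording the allocation they belong to, or stating whether the whole block is assessed as actor-controlled, would tell a consumer whether neighbouring addresses in the same block deserve the same treatment instead of leaving that to guesswork.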
@ -51,14 +67,12 @@ Tactics, techniques, and procedures summarize the suspected ATT&CK techniques us

ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1040 | Authentication Bypass by Capture-replay | High
2 | T1059.007 | Cross Site Scripting | High
3 | T1068 | Execution with Unnecessary Privileges | High
4 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
5 | T1211 | 7PK Security Features | High
6 | ... | ... | ...
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...

There are 9 more TTP items available. Please use our online service to access the data.
There are 6 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

@ -66,19 +80,26 @@ These indicators of attack list the potential fragments used for technical activ

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `-X/path/to/wwwroot/file.php.` | High
2 | File | `.dbshell` | Medium
3 | File | `.gemspec` | Medium
4 | File | `.git/hooks/post-update` | High
5 | File | `.gitmodules` | Medium
6 | File | `.htaccess` | Medium
7 | File | `/.kedpm/history` | High
8 | File | `/.vnc/sesman_${username}_passwd` | High
9 | File | `//etc/RT2870STA.dat` | High
10 | File | `/about-us/locations/index` | High
11 | ... | ... | ...
1 | File | `/admin/admin.php` | High
2 | File | `/admin/imageslider/file.php` | High
3 | File | `/cgi-bin/luci` | High
4 | File | `/core/vb/vurl.php` | High
5 | File | `/etc/ldap.conf` | High
6 | File | `/importTool/preview` | High
7 | File | `/mods/_core/courses/users/create_course.php` | High
8 | File | `/phppath/php` | Medium
9 | File | `/plugins/Dashboard/Controller.php` | High
10 | File | `/server-status` | High
11 | File | `/uncpath/` | Medium
12 | File | `adclick.php` | Medium
13 | File | `addentry.php` | Medium
14 | File | `add_comment.php` | High
15 | File | `admin-ajax.php` | High
16 | File | `admin.php` | Medium
17 | File | `admin/class-bulk-editor-list-table.php` | High
18 | ... | ... | ...

There are 3581 more IOA items available. Please use our online service to access the data.
There are 149 more IOA items available. Please use our online service to access the data.

## References

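Review bot: the hidden IOA count falls from 3581 to 149 in the same hunk that rewrites the visible rows, so roughly 96% of this actor's IOA entries disappear without the commit explaining why. If the set was deliberately pruned (the removed rows carried strings that are not paths at all, such as `-X/path/to/wwwroot/file.php.` and the unexpanded template `/.vnc/sesman_${username}_passwd`), say so in the commit message, and consider having the generator reject such fragments before they reach the table.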
@ -92,6 +113,7 @@ The following list contains external sources which discuss the actor and the ass
* https://blog.talosintelligence.com/2021/10/threat-roundup-1015-1022.html
* https://blog.talosintelligence.com/2021/10/threat-roundup-1022-1029.html
* https://github.com/firehol/blocklist-ipsets/blob/master/bambenek_ramnit.ipset
* https://twitter.com/bit_dam/status/1280975679354556429

## Literature

@ -102,4 +124,4 @@ The following articles explain our unique predictive cyber threat intelligence:

## License

(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -1,6 +1,6 @@
# Royal Road - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Royal Road](https://vuldb.com/?actor.royal_road). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Royal Road](https://vuldb.com/?actor.royal_road). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.royal_road](https://vuldb.com/?actor.royal_road)

@ -62,10 +62,9 @@ ID | Type | Indicator | Confidence
7 | File | `admin/index.php` | High
8 | File | `assets/add/registrar.php` | High
9 | File | `books.php` | Medium
10 | File | `cart.php` | Medium
11 | ... | ... | ...
10 | ... | ... | ...

There are 78 more IOA items available. Please use our online service to access the data.
There are 79 more IOA items available. Please use our online service to access the data.

## References

@ -77,9 +76,9 @@ The following list contains external sources which discuss the actor and the ass

The following articles explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -1,6 +1,6 @@
# Sandworm Team - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Sandworm Team](https://vuldb.com/?actor.sandworm_team). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Sandworm Team](https://vuldb.com/?actor.sandworm_team). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.sandworm_team](https://vuldb.com/?actor.sandworm_team)

@ -34,13 +34,9 @@ ID | IP address | Hostname | Confidence
5 | 5.149.254.114 | mail1.auditoriavanzada.info | High
6 | 5.255.87.39 | - | High
7 | 31.210.111.154 | . | High
8 | 37.220.34.56 | - | High
9 | 46.4.28.218 | static.218.28.4.46.clients.your-server.de | High
10 | 46.165.222.6 | - | High
11 | 46.165.222.28 | root.server-ke412.com | High
12 | ... | ... | ...
8 | ... | ... | ...

There are 22 more IOC items available. Please use our online service to access the data.
There are 26 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

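Review bot: row 7 (`31.210.111.154`) has `.` in the Hostname column where every other row without a reverse lookup uses `-`. That looks like an empty PTR answer (the DNS root label) leaking through the generator; normalise it to `-` so a consumer parsing the column does not treat `.` as a hostname.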
@ -51,11 +47,9 @@ ID | Technique | Description | Confidence
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | T1211 | 7PK Security Features | High
5 | T1222 | Permission Issues | High
6 | ... | ... | ...
4 | ... | ... | ...

There are 8 more TTP items available. Please use our online service to access the data.
There are 10 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

@ -71,11 +65,36 @@ ID | Type | Indicator | Confidence
6 | File | `/cgi-bin/portal` | High
7 | File | `/common/vam_editXml.php` | High
8 | File | `/configs/application.ini` | High
9 | File | `/Monitoring-History.php` | High
10 | File | `/nova/bin/diskd` | High
11 | ... | ... | ...
9 | File | `/dl/dl_print.php` | High
10 | File | `/moddable/xs/sources/xsDebug.c` | High
11 | File | `/Monitoring-History.php` | High
12 | File | `/nova/bin/diskd` | High
13 | File | `/phppath/php` | Medium
14 | File | `/portal/api/style/edit-theme-set/template-sources` | High
15 | File | `/rpc/api` | Medium
16 | File | `/rup` | Low
17 | File | `/StdC/Ap4StdCFileByteStream.cpp` | High
18 | File | `/uncpath/` | Medium
19 | File | `/user-utils/users/md5.json` | High
20 | File | `/var/log/nginx` | High
21 | File | `/webapps/blogs-journals/execute/editBlogEntry` | High
22 | File | `/wordpress/wp-admin/admin.php` | High
23 | File | `/wp-json` | Medium
24 | File | `adclick.php` | Medium
25 | File | `add.php` | Low
26 | File | `add.php/del.php` | High
27 | File | `add_comment.php` | High
28 | File | `admin-ajax.php` | High
29 | File | `admin.php` | Medium
30 | File | `admin/adminsignin.html` | High
31 | File | `admin/forums.php` | High
32 | File | `admin/google_search_console/class-gsc-table.php` | High
33 | File | `admin/infoclass_update.php` | High
34 | File | `admin/menus/edit.php` | High
35 | File | `admin/system/admin/certificates/delete` | High
36 | ... | ... | ...

There are 319 more IOA items available. Please use our online service to access the data.
There are 305 more IOA items available. Please use our online service to access the data.

## References

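Review bot: several of the added rows are source-tree paths rather than anything observable on a host or on the wire: `/moddable/xs/sources/xsDebug.c` and `/StdC/Ap4StdCFileByteStream.cpp` are files inside software projects, and `/var/log/nginx` is a log directory. These read like the affected-file field of vulnerability records, so the section intro should say that the fragments are the affected files of vulnerabilities the actor is associated with; otherwise a reader will search web logs for paths that never appear there.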
@ -91,9 +110,9 @@ The following list contains external sources which discuss the actor and the ass

The following articles explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -1,6 +1,6 @@
# Silence - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Silence](https://vuldb.com/?actor.silence). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Silence](https://vuldb.com/?actor.silence). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.silence](https://vuldb.com/?actor.silence)

@ -9,11 +9,11 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Silence:

* US
* DE
* IT
* CN
* GB
* ...

There are 19 more country items available. Please use our online service to access the data.
There are 25 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -28,7 +28,7 @@ ID | IP address | Hostname | Confidence
5 | 5.39.218.210 | mail.qbmail.biz | High
6 | 5.39.221.46 | - | High
7 | 5.39.221.60 | - | High
8 | 5.154.191.105 | out-nc-weeknum.quotawise.com | High
8 | 5.154.191.105 | - | High
9 | 5.188.231.47 | - | High
10 | 5.188.231.89 | - | High
11 | 5.200.55.198 | - | High
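Review bot: row 8 drops the hostname `out-nc-weeknum.quotawise.com` for `5.154.191.105` and replaces it with `-`. Losing the earlier reverse-DNS name removes a pivot that is useful when hunting through older logs; keeping the last observed hostname, or noting that the PTR record changed, would preserve it.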
@ -41,9 +41,14 @@ ID | IP address | Hostname | Confidence
18 | 46.183.221.37 | ip-221-37.dataclub.info | High
19 | 46.183.221.89 | ip-221-89.dataclub.info | High
20 | 51.255.200.161 | 161.ip-51-255-200.eu | High
21 | ... | ... | ...
21 | 54.36.191.97 | vps-58b2e5b8.vps.ovh.net | High
22 | 62.57.131.114 | 62.57.131.114.dyn.user.ono.com | High
23 | 74.220.215.239 | host239.hostmonster.com | High
24 | 77.246.145.82 | skoderyaru2.e-vds.ru | High
25 | 77.246.145.86 | znatokfinansov.ru | High
26 | ... | ... | ...

There are 106 more IOC items available. Please use our online service to access the data.
There are 101 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

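Review bot: row 22, `62.57.131.114.dyn.user.ono.com`, is a dynamic residential address (the `dyn.user` PTR label) rated High confidence. Such addresses rotate between subscribers, so a block built on it is likely to hit an unrelated user within days; the rating should account for that, or the row should carry the observation date so consumers can expire it.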
@ -51,14 +56,12 @@ Tactics, techniques, and procedures summarize the suspected ATT&CK techniques us

ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1040 | Authentication Bypass by Capture-replay | High
2 | T1059.007 | Cross Site Scripting | High
3 | T1068 | Execution with Unnecessary Privileges | High
4 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
5 | T1211 | 7PK Security Features | High
6 | ... | ... | ...
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...

There are 10 more TTP items available. Please use our online service to access the data.
There are 7 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

@ -66,19 +69,44 @@ These indicators of attack list the potential fragments used for technical activ

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `%PROGRAMDATA%\checkmk\agent\local` | High
2 | File | `%SYSTEMDRIVE%\ProgramData\exclusions.dat` | High
3 | File | `..\WWWRoot\CustomPages\aspshell.asp` | High
4 | File | `.git/hooks/post-update` | High
5 | File | `.htaccess` | Medium
6 | File | `/.env` | Low
7 | File | `/.ssh/authorized_keys` | High
8 | File | `/1/?type=productinfo&S_id=140` | High
9 | File | `/?/admin/page/edit/3` | High
10 | File | `/?/admin/plugin/file_manager/browse/` | High
11 | ... | ... | ...
1 | File | `/?module=users§ion=cpanel&page=list` | High
2 | File | `/admin/powerline` | High
3 | File | `/admin/syslog` | High
4 | File | `/api/upload` | Medium
5 | File | `/cgi-bin` | Medium
6 | File | `/cgi-bin/kerbynet` | High
7 | File | `/context/%2e/WEB-INF/web.xml` | High
8 | File | `/dcim/sites/add/` | High
9 | File | `/download` | Medium
10 | File | `/EXCU_SHELL` | Medium
11 | File | `/forum/away.php` | High
12 | File | `/fudforum/adm/hlplist.php` | High
13 | File | `/inc/extensions.php` | High
14 | File | `/login` | Low
15 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
16 | File | `/monitoring` | Medium
17 | File | `/new` | Low
18 | File | `/proc/<pid>/status` | High
19 | File | `/public/plugins/` | High
20 | File | `/req_password_user.php` | High
21 | File | `/rom` | Low
22 | File | `/scripts/killpvhost` | High
23 | File | `/secure/QueryComponent!Default.jspa` | High
24 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
25 | File | `/tmp` | Low
26 | File | `/tmp/redis.ds` | High
27 | File | `/uncpath/` | Medium
28 | File | `/ViewUserHover.jspa` | High
29 | File | `/WEB-INF/web.xml` | High
30 | File | `/wp-admin` | Medium
31 | File | `/wp-json/wc/v3/webhooks` | High
32 | File | `actions/CompanyDetailsSave.php` | High
33 | File | `ActiveServices.java` | High
34 | File | `addlink.php` | Medium
35 | File | `addtocart.asp` | High
36 | ... | ... | ...

There are 3749 more IOA items available. Please use our online service to access the data.
There are 308 more IOA items available. Please use our online service to access the data.

## References

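Review bot: row 1 of the new table, `/?module=users§ion=cpanel&page=list`, has been damaged by HTML entity decoding: the query string `&section=cpanel` became `§ion=cpanel` because the legacy entity `&sect` (valid without a trailing semicolon) was decoded to `§`. The generator should HTML-escape indicator strings, or keep them raw, before rendering, and the same check is worth running over the other IOA tables for `&` sequences that happen to spell an entity name.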
@ -93,9 +121,9 @@ The following list contains external sources which discuss the actor and the ass

The following articles explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -1,6 +1,6 @@
# Snake - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Snake](https://vuldb.com/?actor.snake). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Snake](https://vuldb.com/?actor.snake). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.snake](https://vuldb.com/?actor.snake)

@ -56,16 +56,9 @@ ID | Type | Indicator | Confidence
1 | File | `/lists/admin/` | High
2 | File | `convert.c` | Medium
3 | File | `inc/autoload.function.php` | High
4 | File | `kernel/trace/ring_buffer.c` | High
5 | File | `libr/config/config.c` | High
6 | File | `page.php` | Medium
7 | File | `register.php` | Medium
8 | File | `simpleupload.py` | High
9 | File | `syscheck/seechanges.c` | High
10 | File | `wp-admin/user-new.php` | High
11 | ... | ... | ...
4 | ... | ... | ...

There are 7 more IOA items available. Please use our online service to access the data.
There are 14 more IOA items available. Please use our online service to access the data.

## References

@ -77,9 +70,9 @@ The following list contains external sources which discuss the actor and the ass

The following articles explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@@ -1,6 +1,6 @@
# StealthyTrident - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [StealthyTrident](https://vuldb.com/?actor.stealthytrident). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [StealthyTrident](https://vuldb.com/?actor.stealthytrident). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.stealthytrident](https://vuldb.com/?actor.stealthytrident)

@@ -38,7 +38,7 @@ ID | Technique | Description | Confidence
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...

There are 4 more TTP items available. Please use our online service to access the data.
There are 3 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

@@ -46,19 +46,66 @@ These indicators of attack list the potential fragments used for technical activ

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `!pwds.txt/!nicks.txt` | High
2 | File | `%00` | Low
3 | File | `%windir%\Internet Logs\` | High
4 | File | `.asppp.fifo` | Medium
5 | File | `.folder` | Low
6 | File | `.ldaprc` | Low
7 | File | `.php` | Low
8 | File | `.php.rar` | Medium
9 | File | `.user` | Low
10 | File | `/*` | Low
11 | ... | ... | ...
1 | File | `.user` | Low
2 | File | `/.perf` | Low
3 | File | `/admin/` | Low
4 | File | `/caucho-status` | High
5 | File | `/cgi-bin/readfile.tcl` | High
6 | File | `/etc/password` | High
7 | File | `/php/` | Low
8 | File | `/Pwrchute` | Medium
9 | File | `/status` | Low
10 | File | `/var/yp` | Low
11 | File | `/_vti_pvt/access.cnf` | High
12 | File | `1.TEXT` | Low
13 | File | `14all.cgi` | Medium
14 | File | `500error.jsp` | Medium
15 | File | `ab.c` | Low
16 | File | `account_update.php` | High
17 | File | `add.php` | Low
18 | File | `addentry.cgi` | Medium
19 | File | `addressbook.php/options.php/search.php/help.php` | High
20 | File | `admin.html` | Medium
21 | File | `admin.php` | Medium
22 | File | `admin/auth/checksession.php` | High
23 | File | `administrator/phpinfo.php` | High
24 | File | `AdminViewError/AdminAddadmin` | High
25 | File | `admin_ug_auth.php` | High
26 | File | `admin_user.db` | High
27 | File | `advserver.exe` | High
28 | File | `ad_member.php` | High
29 | File | `agentadmin.php` | High
30 | File | `aolsecurityprivate.class` | High
31 | File | `article.php` | Medium
32 | File | `artlist.php` | Medium
33 | File | `astrocam.cgi` | Medium
34 | File | `as_web.exe/as_web4.exe` | High
35 | File | `athcgi.exe` | Medium
36 | File | `auction.cgi` | Medium
37 | File | `auth.inc.php` | Medium
38 | File | `axspawn.c` | Medium
39 | File | `backend.php/screen.php/comment.php` | High
40 | File | `badmin.c` | Medium
41 | File | `books.php` | Medium
42 | File | `bttv-driver.c` | High
43 | File | `bugzilla_email_append.pl` | High
44 | File | `bug_update_advanced_page.php/bug_update_page.php/view_bug_advanced_page.php/view_bug_page.php` | High
45 | File | `calendar.php` | Medium
46 | File | `category.cfm` | Medium
47 | File | `cgi-bin` | Low
48 | File | `cgi-bin/` | Medium
49 | File | `cgicso.c` | Medium
50 | File | `cgitest.exe` | Medium
51 | File | `charities.cron` | High
52 | File | `check_me.mod.php` | High
53 | File | `chetcpasswd.cgi` | High
54 | File | `cio_main.c` | Medium
55 | File | `clear_cookies.php` | High
56 | File | `CodeBrws.asp` | Medium
57 | File | `colegal.htm` | Medium
58 | ... | ... | ...

There are 6570 more IOA items available. Please use our online service to access the data.
There are 507 more IOA items available. Please use our online service to access the data.

## References

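Review bot: the IOA total for this actor falls from 6580 (10 listed + 6570 more) to 564 (57 listed + 507 more) in this hunk; a drop of that size in a regenerated export is worth confirming as intentional (for example deduplication or a changed confidence cutoff), since a truncated export would look exactly the same in the diff.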
@@ -70,9 +117,9 @@ The following list contains external sources which discuss the actor and the ass

The following articles explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@@ -1,6 +1,6 @@
# Strider - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Strider](https://vuldb.com/?actor.strider). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Strider](https://vuldb.com/?actor.strider). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.strider](https://vuldb.com/?actor.strider)

@@ -19,7 +19,7 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
* DE
* ...

There are 4 more country items available. Please use our online service to access the data.
There are 5 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@@ -30,10 +30,9 @@ ID | IP address | Hostname | Confidence
1 | 37.252.125.88 | - | High
2 | 54.209.129.218 | ec2-54-209-129-218.compute-1.amazonaws.com | Medium
3 | 66.228.52.133 | li294-133.members.linode.com | High
4 | 81.4.108.168 | darkhshadow.co.uk | High
5 | ... | ... | ...
4 | ... | ... | ...

There are 7 more IOC items available. Please use our online service to access the data.
There are 8 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

@@ -55,18 +54,11 @@ These indicators of attack list the potential fragments used for technical activ
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `.procmailrc` | Medium
2 | File | `BC_Logon.swf` | Medium
3 | File | `C:\Windows\SysWOW64\webcenter\web.exe` | High
4 | File | `index.php` | Medium
5 | File | `libfaad/bits.c` | High
6 | File | `modules/mappers/mod_rewrite.c` | High
7 | File | `wp-includes/pluggable.php` | High
8 | Library | `C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_4592475aca2acf83\Amd64\printconfig.dll` | High
9 | Library | `lib/user/sfBasicSecurityUser.class.php` | High
10 | Library | `nvwgf2um/x.dll` | High
11 | ... | ... | ...
2 | File | `article.php` | Medium
3 | File | `BC_Logon.swf` | Medium
4 | ... | ... | ...

There are 4 more IOA items available. Please use our online service to access the data.
There are 22 more IOA items available. Please use our online service to access the data.

## References

@@ -78,9 +70,9 @@ The following list contains external sources which discuss the actor and the ass

The following articles explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@@ -1,6 +1,6 @@
# Suckfly - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Suckfly](https://vuldb.com/?actor.suckfly). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Suckfly](https://vuldb.com/?actor.suckfly). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.suckfly](https://vuldb.com/?actor.suckfly)

@@ -40,9 +40,9 @@ The following list contains external sources which discuss the actor and the ass

The following articles explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@@ -1,6 +1,6 @@
# TA505 - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [TA505](https://vuldb.com/?actor.ta505). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [TA505](https://vuldb.com/?actor.ta505). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.ta505](https://vuldb.com/?actor.ta505)

@@ -24,7 +24,7 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
* RU
* ...

There are 21 more country items available. Please use our online service to access the data.
There are 16 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@@ -36,22 +36,15 @@ ID | IP address | Hostname | Confidence
2 | 5.149.254.25 | bmc.srv60.swdc.ams1.nl.fortunix.net | High
3 | 27.102.118.143 | - | High
4 | 37.59.52.229 | bemta-05.srv.sopeople.net | High
5 | 45.8.126.7 | eltopasla.example.com | High
5 | 45.8.126.7 | mail01.bivoic.com | High
6 | 45.63.101.210 | 45.63.101.210.vultr.com | Medium
7 | 45.76.206.149 | 45.76.206.149.vultr.com | Medium
8 | 45.76.223.177 | 45.76.223.177.vultr.com | Medium
9 | 45.77.16.211 | 45.77.16.211.vultr.com | Medium
10 | 46.161.27.241 | - | High
11 | 66.42.45.55 | 66.42.45.55.vultr.com | Medium
12 | 79.141.171.160 | mouse.panjiva.org.uk | High
13 | 91.214.124.20 | - | High
14 | 91.214.124.25 | - | High
15 | 92.38.135.88 | kingjohn2.com | High
16 | 92.38.135.134 | henrykxyealy.com | High
17 | 94.44.166.189 | apn-94-44-166-189.vodafone.hu | High
18 | ... | ... | ...
11 | ... | ... | ...

There are 34 more IOC items available. Please use our online service to access the data.
There are 41 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

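Review bot: the row with ID 5 keeps the IP 45.8.126.7 but its hostname changes from eltopasla.example.com to mail01.bivoic.com with the confidence left at High; since example.com is a reserved documentation domain, the old value reads like a placeholder, so the commit message should say whether the new hostname comes from a fresh reverse lookup or a manual correction. The item totals in this hunk remain consistent (17 + 34 and 10 + 41 both give 51).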
@@ -62,10 +55,9 @@ ID | Technique | Description | Confidence
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | T1211 | 7PK Security Features | High
5 | ... | ... | ...
4 | ... | ... | ...

There are 6 more TTP items available. Please use our online service to access the data.
There are 7 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

@@ -75,17 +67,48 @@ ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/+CSCOE+/logon.html` | High
2 | File | `/admin/config.php?display=disa&view=form` | High
3 | File | `/api/addusers` | High
4 | File | `/cgi-bin/webproc` | High
3 | File | `/cgi-bin/webproc` | High
4 | File | `/common/ticket_associated_tickets.php` | High
5 | File | `/dus/shopliste/index.php` | High
6 | File | `/etc/path` | Medium
7 | File | `/etc/shadow` | Medium
8 | File | `/inc/parser/xhtml.php` | High
9 | File | `/modules/tasks/summary.inc.php` | High
10 | File | `/nagiosql/admin/checkcommands.php` | High
11 | ... | ... | ...
9 | File | `/include/chart_generator.php` | High
10 | File | `/modules/tasks/summary.inc.php` | High
11 | File | `/nagiosql/admin/checkcommands.php` | High
12 | File | `/rest/api/2/user/picker` | High
13 | File | `/secure/QueryComponent!Default.jspa` | High
14 | File | `/sendKey` | Medium
15 | File | `/tmp` | Low
16 | File | `/ui/artifactimport/upload` | High
17 | File | `/uncpath/` | Medium
18 | File | `/usr/5bin/su` | Medium
19 | File | `/usr/bin/mail` | High
20 | File | `/var/dt/` | Medium
21 | File | `/var/WEB-GUI/cgi-bin/telnet.cgi` | High
22 | File | `00.jsp` | Low
23 | File | `account_activations/edit` | High
24 | File | `adclick.php` | Medium
25 | File | `AddResolution.jspa` | High
26 | File | `admin.asp` | Medium
27 | File | `admin.php` | Medium
28 | File | `admin/` | Low
29 | File | `admin/manage-comments.php` | High
30 | File | `administration/comments.php` | High
31 | File | `AdminViewError/AdminAddadmin` | High
32 | File | `agentdisplay.php` | High
33 | File | `ajax.php` | Medium
34 | File | `ajaxhelper.php` | High
35 | File | `app/call_centers/cmd.php` | High
36 | File | `arch/x86/kvm/hyperv.c` | High
37 | File | `ashnews.php/ashheadlines.php` | High
38 | File | `auction.cgi` | Medium
39 | File | `autologin.jsp` | High
40 | File | `axspawn.c` | Medium
41 | File | `backup.php` | Medium
42 | ... | ... | ...

There are 423 more IOA items available. Please use our online service to access the data.
There are 361 more IOA items available. Please use our online service to access the data.

## References

@@ -104,9 +127,9 @@ The following list contains external sources which discuss the actor and the ass

The following articles explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@@ -1,6 +1,6 @@
# TA544 - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [TA544](https://vuldb.com/?actor.ta544). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [TA544](https://vuldb.com/?actor.ta544). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.ta544](https://vuldb.com/?actor.ta544)

@@ -30,10 +30,9 @@ ID | IP address | Hostname | Confidence
1 | 62.109.29.101 | imlejnnn.fvds.ru | High
2 | 69.55.49.159 | - | High
3 | 69.162.82.26 | 26-82-162-69.static.reverse.lstn.net | High
4 | 69.194.192.229 | - | High
5 | ... | ... | ...
4 | ... | ... | ...

There are 6 more IOC items available. Please use our online service to access the data.
There are 7 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

@@ -78,9 +77,9 @@ The following list contains external sources which discuss the actor and the ass

The following articles explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@@ -1,6 +1,6 @@
# Tinba - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Tinba](https://vuldb.com/?actor.tinba). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Tinba](https://vuldb.com/?actor.tinba). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.tinba](https://vuldb.com/?actor.tinba)

@@ -27,9 +27,9 @@ The following list contains external sources which discuss the actor and the ass

The following articles explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@@ -1,6 +1,6 @@
# Tonto Team - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Tonto Team](https://vuldb.com/?actor.tonto_team). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Tonto Team](https://vuldb.com/?actor.tonto_team). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.tonto_team](https://vuldb.com/?actor.tonto_team)

@@ -36,8 +36,9 @@ ID | Type | Indicator | Confidence
1 | File | `/webmail/` | Medium
2 | File | `scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS` | High
3 | File | `wap/index.php` | High
4 | Argument | `creditsformula` | High
5 | Argument | `username` | Medium
4 | ... | ... | ...

There are 2 more IOA items available. Please use our online service to access the data.

## References

@@ -49,9 +50,9 @@ The following list contains external sources which discuss the actor and the ass

The following articles explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@@ -8,12 +8,8 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with TrickBot:

* US
* RU
* ES
* ...

There are 38 more country items available. Please use our online service to access the data.
* VN
* CN

## IOC - Indicator of Compromise

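Review bot: the truncation marker `* ...` and the line "There are 38 more country items available" appear to be dropped from the country list while only VN and CN are added, so the rendered list now reads as complete with five entries; if the full country list for this actor is still longer than what is shown, the truncation note should be kept alongside the new entries.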
@ -41,9 +37,50 @@ ID | IP address | Hostname | Confidence
|
|||
18 | 23.21.48.44 | ec2-23-21-48-44.compute-1.amazonaws.com | Medium
|
||||
19 | 23.21.252.4 | ec2-23-21-252-4.compute-1.amazonaws.com | Medium
|
||||
20 | 23.94.233.210 | 23-94-233-210-host.colocrossing.com | High
|
||||
21 | ... | ... | ...
|
||||
21 | 23.96.30.229 | - | High
|
||||
22 | 23.160.192.125 | unknown.ip-xfer.net | High
|
||||
23 | 23.160.193.106 | unknown.ip-xfer.net | High
|
||||
24 | 27.72.107.215 | dynamic-ip-adsl.viettel.vn | High
|
||||
25 | 34.117.59.81 | 81.59.117.34.bc.googleusercontent.com | Medium
|
||||
26 | 36.89.191.119 | - | High
|
||||
27 | 36.89.193.181 | - | High
|
||||
28 | 36.89.193.235 | - | High
|
||||
29 | 36.94.27.124 | - | High
|
||||
30 | 36.94.100.202 | - | High
|
||||
31 | 37.228.70.134 | - | High
|
||||
32 | 37.230.114.93 | admin1.fvds.ru | High
|
||||
33 | 37.230.114.248 | kosmolot.com | High
|
||||
34 | 37.230.115.133 | wdai.io | High
|
||||
35 | 37.230.115.138 | i2.com | High
|
||||
36 | 37.230.115.184 | 21922vdscom.com | High
|
||||
37 | 43.245.216.116 | - | High
|
||||
38 | 45.6.16.68 | - | High
|
||||
39 | 45.167.249.126 | - | High
|
||||
40 | 45.178.142.14 | - | High
|
||||
41 | 45.201.134.202 | - | High
|
||||
42 | 45.229.71.211 | static-45-229-71-211.extrememt.com.br | High
|
||||
43 | 45.234.248.154 | 45.-234.248-154.rev.voanet.br | High
|
||||
44 | 46.8.21.10 | 53980.web.hosting-russia.ru | High
|
||||
45 | 46.8.21.113 | 64403.web.hosting-russia.ru | High
|
||||
46 | 46.209.140.220 | - | High
|
||||
47 | 46.254.128.174 | 46.254.128.174.lanultra.net | High
|
||||
48 | 49.156.34.134 | - | High
|
||||
49 | 51.38.101.194 | - | High
|
||||
50 | 51.77.92.215 | - | High
|
||||
51 | 51.81.112.144 | - | High
|
||||
52 | 51.89.115.116 | tombe.nationfox.net | High
|
||||
53 | 52.0.197.231 | ec2-52-0-197-231.compute-1.amazonaws.com | Medium
|
||||
54 | 52.20.197.7 | ec2-52-20-197-7.compute-1.amazonaws.com | Medium
|
||||
55 | 52.204.109.97 | ec2-52-204-109-97.compute-1.amazonaws.com | Medium
|
||||
56 | 54.39.106.25 | ns560342.ip-54-39-106.net | High
|
||||
57 | 54.221.253.252 | ec2-54-221-253-252.compute-1.amazonaws.com | Medium
|
||||
58 | 62.64.9.237 | clients-62.64.9.237.misp.ru | High
|
||||
59 | 62.109.2.172 | megamart24.ru | High
|
||||
60 | 62.109.6.188 | velomarket31.ru | High
|
||||
61 | 62.109.14.24 | btc-manager1.ru | High
|
||||
62 | ... | ... | ...
|
||||
|
||||
There are 286 more IOC items available. Please use our online service to access the data.
|
||||
There are 245 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
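Review bot: row 43 of the new IOC rows, `45.234.248.154 | 45.-234.248-154.rev.voanet.br`, carries a hostname whose second label starts with a hyphen, which RFC 1123 does not allow; verify it against a live PTR lookup before shipping it, since it reads like a transcription slip rather than a real reverse record. The row counts themselves reconcile: the 41 newly listed rows (21 to 61) match the drop in the trailer from 286 to 245 "more IOC items", so the total stays at 306. It would also help consumers to state somewhere that the Hostname column is a point-in-time reverse lookup, because several of the added rows are reassignable cloud or shared-hosting addresses (`ec2-*.compute-1.amazonaws.com`, `*.bc.googleusercontent.com`, `*.web.hosting-russia.ru`) whose hostname will not stay attached to the IP.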
@ -54,11 +91,9 @@ ID | Technique | Description | Confidence
|
|||
1 | T1059.007 | Cross Site Scripting | High
|
||||
2 | T1068 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | T1211 | 7PK Security Features | High
|
||||
5 | T1222 | Permission Issues | High
|
||||
6 | ... | ... | ...
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 8 more TTP items available. Please use our online service to access the data.
|
||||
There are 6 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
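Review bot: the Description column in this TTP table does not contain the ATT&CK technique names for the IDs beside it, and nothing in the README says what it does contain. T1059.007 is "Command and Scripting Interpreter: JavaScript", T1068 is "Exploitation for Privilege Escalation", T1110.001 is "Brute Force: Password Guessing", T1211 is "Exploitation for Defense Evasion" and T1222 is "File and Directory Permissions Modification", whereas "Execution with Unnecessary Privileges", "Improper Restriction of Excessive Authentication Attempts", "7PK Security Features" and "Permission Issues" are CWE titles (CWE-250, CWE-307, CWE-254, CWE-275). Either add a column with the technique name or rename the header to make clear it is the mapped weakness; the same applies to the Turla and Wocao TTP tables further down. Separately, this hunk drops the table from 5 visible rows plus 8 to 3 rows plus 6, so two of the removed techniques (T1211, T1222) are visible and two are not; a one-line reason in the commit message would help.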
@ -66,19 +101,20 @@ These indicators of attack list the potential fragments used for technical activ
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `.htaccess` | Medium
|
||||
2 | File | `.user` | Low
|
||||
3 | File | `/$({curl` | Medium
|
||||
4 | File | `/+CSCOE+/logon.html` | High
|
||||
5 | File | `/.env` | Low
|
||||
6 | File | `/accounts/password_change/` | High
|
||||
7 | File | `/addWhiteListDomain.imss` | High
|
||||
8 | File | `/adfs/ls` | Medium
|
||||
9 | File | `/admin/ajax/upload-logo` | High
|
||||
10 | File | `/admin/config.php?display=backup` | High
|
||||
11 | ... | ... | ...
|
||||
1 | File | `/admin/login.php` | High
|
||||
2 | File | `/ajax_crud` | Medium
|
||||
3 | File | `/core/table/query` | High
|
||||
4 | File | `/dev/ion` | Medium
|
||||
5 | File | `/ecma/operations/ecma-objects.c` | High
|
||||
6 | File | `/GetCopiedFile` | High
|
||||
7 | File | `/hdf5/src/H5T.c` | High
|
||||
8 | File | `/leave_system/classes/Login.php` | High
|
||||
9 | File | `/risque/administration/referentiel/json/create/categorie` | High
|
||||
10 | File | `/rsms/` | Low
|
||||
11 | File | `/uncpath/` | Medium
|
||||
12 | ... | ... | ...
|
||||
|
||||
There are 1043 more IOA items available. Please use our online service to access the data.
|
||||
There are 90 more IOA items available. Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
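Review bot: the IOA total for this file falls from 1053 (10 rows plus 1043) to 101 (11 rows plus 90), and none of the ten previously visible indicators (`.htaccess`, `/.env`, `/adfs/ls`, ...) survives in the new list; a commit titled "Update" should say whether this is a data correction or a new generation of the feed. Several of the replacement rows are source-file locations from the affected project rather than fragments an attacker sends, for example `/ecma/operations/ecma-objects.c`, `/hdf5/src/H5T.c` and `/dev/ion`; a detection engineer matching these against request logs will never see them, so consider a distinct Type for vulnerability-location entries or a note in the section intro.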
@ -107,4 +143,4 @@ The following articles explain our unique predictive cyber threat intelligence:
|
|||
|
||||
## License
|
||||
|
||||
(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# Triton - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Triton](https://vuldb.com/?actor.triton). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Triton](https://vuldb.com/?actor.triton). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.triton](https://vuldb.com/?actor.triton)
|
||||
|
||||
|
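Review bot: this is the first `?doc.cti` to `?kb.cti` rename in this part of the diff, but the file above was already on `?kb.changelog` / `?kb.about` / `?kb.faq` in its old license line, so the migration was only partly done before this commit. Check that no `?doc.` reference is left anywhere in the repository (a plain `grep -rn '?doc\.'` across the tree will do), and confirm on the vuldb.com side that the old `?doc.*` paths still redirect, since forks and cached copies of these READMEs keep pointing at them.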
@ -37,11 +37,9 @@ ID | Type | Indicator | Confidence
|
|||
1 | File | `/+CSCOE+/logon.html` | High
|
||||
2 | File | `cgi-bin/MANGA/admin.cgi` | High
|
||||
3 | File | `index.php` | Medium
|
||||
4 | File | `webmail.php` | Medium
|
||||
5 | Argument | `bauth` | Low
|
||||
6 | Argument | `tag` | Low
|
||||
7 | Input Value | `::$Index_Allocation` | High
|
||||
8 | Network Port | `Web Server Port` | High
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 5 more IOA items available. Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
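Review bot: the total is unchanged here (8 indicators before and after), so this hunk only moves five rows out of the repository and behind "Please use our online service"; since these files are published under CC BY-NC-SA 4.0 and people parse the tables, the reduction of freely shared rows is worth stating explicitly in the commit message rather than "Update". The same preview truncation is applied to the Windigo and XDSpy IOA tables below.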
@ -53,9 +51,9 @@ The following list contains external sources which discuss the actor and the ass
|
|||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# Turla - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Turla](https://vuldb.com/?actor.turla). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Turla](https://vuldb.com/?actor.turla). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.turla](https://vuldb.com/?actor.turla)
|
||||
|
||||
|
@ -17,10 +17,10 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
|
|||
|
||||
* FR
|
||||
* US
|
||||
* AT
|
||||
* RO
|
||||
* ...
|
||||
|
||||
There are 1 more country items available. Please use our online service to access the data.
|
||||
There are 2 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -37,15 +37,9 @@ ID | IP address | Hostname | Confidence
|
|||
7 | 72.232.222.58 | HOST.MJSHOSTING.COM | High
|
||||
8 | 77.232.99.77 | - | High
|
||||
9 | 80.74.145.80 | volta.ch-meta.net | High
|
||||
10 | 80.88.134.172 | - | High
|
||||
11 | 80.248.65.183 | - | High
|
||||
12 | 81.223.14.100 | 81-223-14-100.static.upcbusiness.at | High
|
||||
13 | 82.77.184.252 | static.82.77.184.252.constanta.rdsnet.ro | High
|
||||
14 | 82.113.19.72 | 72.19.113.82.monaco-telecom.net | High
|
||||
15 | 82.113.19.75 | 75.19.113.82.monaco-telecom.net | High
|
||||
16 | ... | ... | ...
|
||||
10 | ... | ... | ...
|
||||
|
||||
There are 28 more IOC items available. Please use our online service to access the data.
|
||||
There are 34 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
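Review bot: `HOST.MJSHOSTING.COM` in row 7 is the only upper-case hostname in these tables; DNS names are case-insensitive, so normalise hostnames to lower case when the file is generated, otherwise anyone deduplicating or matching on the Hostname column gets a spurious miss. The row arithmetic reconciles (15 rows plus 28 before, 9 rows plus 34 after, 43 in both cases), so this hunk changes only how much of the list is shown.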
@ -58,7 +52,7 @@ ID | Technique | Description | Confidence
|
|||
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 6 more TTP items available. Please use our online service to access the data.
|
||||
There are 8 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -76,9 +70,14 @@ ID | Type | Indicator | Confidence
|
|||
8 | File | `/jsonrpc` | Medium
|
||||
9 | File | `/product.php` | Medium
|
||||
10 | File | `/ram/pckg/advanced-tools/nova/bin/netwatch` | High
|
||||
11 | ... | ... | ...
|
||||
11 | File | `/registerCpe` | Medium
|
||||
12 | File | `/rest/collectors/1.0/template/custom` | High
|
||||
13 | File | `/system?action=ServiceAdmin` | High
|
||||
14 | File | `/uncpath/` | Medium
|
||||
15 | File | `/Uploads` | Medium
|
||||
16 | ... | ... | ...
|
||||
|
||||
There are 132 more IOA items available. Please use our online service to access the data.
|
||||
There are 130 more IOA items available. Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
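Review bot: `/uncpath/` (row 14, Medium) also appears in the first file's IOA table, in Vobfus row 2 and in Windigo row 1 in this same diff, each time at Medium confidence. A fragment shared by that many unrelated actors has very little specificity for attribution; either lower its confidence or document that generic path fragments are expected to recur across actors. The new rows otherwise look actor-plausible, e.g. `/ram/pckg/advanced-tools/nova/bin/netwatch` is a RouterOS package path, but the hunk raises the total from 142 to 145 without the commit message saying what was added.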
@ -98,9 +97,9 @@ The following list contains external sources which discuss the actor and the ass
|
|||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# UP007 - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [UP007](https://vuldb.com/?actor.up007). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [UP007](https://vuldb.com/?actor.up007). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.up007](https://vuldb.com/?actor.up007)
|
||||
|
||||
|
@ -9,6 +9,7 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
|
|||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with UP007:
|
||||
|
||||
* CN
|
||||
* KR
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -42,9 +43,9 @@ The following list contains external sources which discuss the actor and the ass
|
|||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# Vobfus - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Vobfus](https://vuldb.com/?actor.vobfus). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Vobfus](https://vuldb.com/?actor.vobfus). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.vobfus](https://vuldb.com/?actor.vobfus)
|
||||
|
||||
|
@ -51,15 +51,10 @@ ID | Type | Indicator | Confidence
|
|||
2 | File | `/uncpath/` | Medium
|
||||
3 | File | `/webpages/data` | High
|
||||
4 | File | `account.asp` | Medium
|
||||
5 | File | `ajax/api/hook/getHookList` | High
|
||||
6 | File | `burl.c` | Low
|
||||
7 | File | `cgi-bin/` | Medium
|
||||
8 | File | `comersus_optreviewreadexec.asp` | High
|
||||
9 | File | `crontab/run_billing.php` | High
|
||||
10 | File | `daemon.c` | Medium
|
||||
11 | ... | ... | ...
|
||||
5 | File | `admin\model\catalog\download.php` | High
|
||||
6 | ... | ... | ...
|
||||
|
||||
There are 35 more IOA items available. Please use our online service to access the data.
|
||||
There are 43 more IOA items available. Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
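Review bot: the new row 5, `admin\model\catalog\download.php`, uses backslashes while every neighbouring File entry uses forward slashes (`/webpages/data`, `account.asp`); pick one separator convention for generated File indicators, or consumers who normalise paths before matching will miss this one. The hunk also raises the total from 45 to 48 while cutting the preview from 10 rows to 5, which again deserves a line in the commit message.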
@ -71,9 +66,9 @@ The following list contains external sources which discuss the actor and the ass
|
|||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# Windigo - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Windigo](https://vuldb.com/?actor.windigo). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Windigo](https://vuldb.com/?actor.windigo). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.windigo](https://vuldb.com/?actor.windigo)
|
||||
|
||||
|
@ -45,11 +45,9 @@ ID | Type | Indicator | Confidence
|
|||
1 | File | `/uncpath/` | Medium
|
||||
2 | File | `/var/log/restjavad.0.log` | High
|
||||
3 | File | `init.php` | Medium
|
||||
4 | File | `products.php` | Medium
|
||||
5 | File | `virtualinput.cgi` | High
|
||||
6 | Argument | `id` | Low
|
||||
7 | Argument | `IEM_CookieLogin` | High
|
||||
8 | Input Value | `[\w]*` | Low
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 5 more IOA items available. Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
@ -61,9 +59,9 @@ The following list contains external sources which discuss the actor and the ass
|
|||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# Wiper - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Wiper](https://vuldb.com/?actor.wiper). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Wiper](https://vuldb.com/?actor.wiper). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.wiper](https://vuldb.com/?actor.wiper)
|
||||
|
||||
|
@ -27,9 +27,9 @@ The following list contains external sources which discuss the actor and the ass
|
|||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# Wirte - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Wirte](https://vuldb.com/?actor.wirte). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Wirte](https://vuldb.com/?actor.wirte). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.wirte](https://vuldb.com/?actor.wirte)
|
||||
|
||||
|
@ -47,9 +47,9 @@ The following list contains external sources which discuss the actor and the ass
|
|||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# Wocao - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Wocao](https://vuldb.com/?actor.wocao). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Wocao](https://vuldb.com/?actor.wocao). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.wocao](https://vuldb.com/?actor.wocao)
|
||||
|
||||
|
@ -15,11 +15,11 @@ The following campaigns are known and can be associated with Wocao:
|
|||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Wocao:
|
||||
|
||||
* US
|
||||
* ES
|
||||
* NZ
|
||||
* RU
|
||||
* DE
|
||||
* ...
|
||||
|
||||
There are 28 more country items available. Please use our online service to access the data.
|
||||
There are 1 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
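Review bot: the visible country list (US, ES, NZ, RU, DE) is untouched, but the trailer goes from "28 more" to "1 more", so the associated countries for Wocao drop from 33 to 6. That is a substantive change to the attribution data with no explanation in a commit called "Update"; say whether the earlier count was an error or whether the association model was tightened.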
@ -30,12 +30,9 @@ ID | IP address | Hostname | Confidence
|
|||
1 | 23.254.211.108 | hwsrv-871243.hostwindsdns.com | High
|
||||
2 | 31.222.185.215 | 31-222-185-215.static.cloud-ips.co.uk | High
|
||||
3 | 45.77.229.10 | 45.77.229.10.vultr.com | Medium
|
||||
4 | 46.101.153.58 | - | High
|
||||
5 | 46.182.106.190 | tor-exit.critical.cat | High
|
||||
6 | 62.141.37.236 | vps2185324.fastwebserver.de | High
|
||||
7 | ... | ... | ...
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 10 more IOC items available. Please use our online service to access the data.
|
||||
There are 13 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
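Review bot: row 5, `46.182.106.190 | tor-exit.critical.cat | High`, is a Tor exit node, which is shared by every Tor client and tells you nothing about who was behind it; a High confidence on it is hard to justify and anyone who turns this table into a blocklist will block all Tor traffic through that relay. Consider a lower confidence or a flag for anonymising infrastructure, and the same reasoning applies to the Vultr address in row 3. The totals are unchanged (16 before and after); the hunk just hides three more rows.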
@ -43,14 +40,12 @@ Tactics, techniques, and procedures summarize the suspected ATT&CK techniques us
|
|||
|
||||
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1008 | Algorithm Downgrade | High
|
||||
2 | T1040 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1059.007 | Cross Site Scripting | High
|
||||
4 | T1068 | Execution with Unnecessary Privileges | High
|
||||
5 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
6 | ... | ... | ...
|
||||
1 | T1040 | Authentication Bypass by Capture-replay | High
|
||||
2 | T1059.007 | Cross Site Scripting | High
|
||||
3 | T1068 | Execution with Unnecessary Privileges | High
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 11 more TTP items available. Please use our online service to access the data.
|
||||
There are 10 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
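Review bot: removing T1008 from the top of the table renumbers every remaining row (T1040 goes from 2 to 1, T1059.007 from 3 to 2, T1068 from 4 to 3), so the ID column is not a stable key and anyone diffing these files by ID will see every row as changed. Either key on the Technique column in the documentation or keep IDs stable across regenerations. The totals also move from 16 to 13, so two techniques disappear from the hidden part of the list in addition to the visible T1008.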
@ -58,19 +53,30 @@ These indicators of attack list the potential fragments used for technical activ
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `%LOCALAPPDATA%\SaferVPN\Log` | High
|
||||
2 | File | `%PROGRAMDATA%\ASUS\GamingCenterLib` | High
|
||||
3 | File | `%PROGRAMDATA%\OpenVPN Connect\drivers\tap\amd64\win10` | High
|
||||
4 | File | `%PROGRAMDATA%\Razer Chroma\SDK\Apps` | High
|
||||
5 | File | `%PROGRAMFILES(X86)%/Aternity Information Systems/Assistant/plugins` | High
|
||||
6 | File | `%PROGRAMFILES(X86)%\Teradici\PCoIP.exe` | High
|
||||
7 | File | `%SYSTEMDRIVE%\Course Software Material 18.0.1.9\cmd.exe` | High
|
||||
8 | File | `%SYSTEMDRIVE%\node_modules\.bin\wmic.exe` | High
|
||||
9 | File | `.authlie` | Medium
|
||||
10 | File | `.config/Yubico` | High
|
||||
11 | ... | ... | ...
|
||||
1 | File | `/admin/index.php?lfj=friendlink&action=add` | High
|
||||
2 | File | `/admin/login.php` | High
|
||||
3 | File | `/ajax_crud` | Medium
|
||||
4 | File | `/api/ZRMacClone/mac_addr_clone` | High
|
||||
5 | File | `/base/ecma-helpers-string.c` | High
|
||||
6 | File | `/cms/ajax.php` | High
|
||||
7 | File | `/core/table/query` | High
|
||||
8 | File | `/debug/pprof` | Medium
|
||||
9 | File | `/dev/ion` | Medium
|
||||
10 | File | `/ecma/operations/ecma-objects.c` | High
|
||||
11 | File | `/GetCopiedFile` | High
|
||||
12 | File | `/hdf5/src/H5Dchunk.c` | High
|
||||
13 | File | `/hdf5/src/H5Fint.c` | High
|
||||
14 | File | `/include/web_check.php` | High
|
||||
15 | File | `/jerry-core/ecma/base/ecma-literal-storage.c` | High
|
||||
16 | File | `/jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c` | High
|
||||
17 | File | `/jerry-core/parser/js/js-parser-expr.c` | High
|
||||
18 | File | `/leave_system/classes/Login.php` | High
|
||||
19 | File | `/member/post.php?job=postnew&step=post` | High
|
||||
20 | File | `/message-bus/_diagnostics` | High
|
||||
21 | File | `/mobile/SelectUsers.jsp` | High
|
||||
22 | ... | ... | ...
|
||||
|
||||
There are 6479 more IOA items available. Please use our online service to access the data.
|
||||
There are 182 more IOA items available. Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
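Review bot: the Wocao IOA total goes from 6489 (10 rows plus 6479) to 203 (21 rows plus 182), every previously visible Windows-path indicator (`%LOCALAPPDATA%\SaferVPN\Log`, `.config/Yubico`, ...) is gone, and seven of the new rows (`/admin/login.php`, `/ajax_crud`, `/core/table/query`, `/dev/ion`, `/ecma/operations/ecma-objects.c`, `/GetCopiedFile`, `/leave_system/classes/Login.php`) are identical to the new IOA rows of the first file in this diff. Two unrelated actors sharing the same indicators suggests the IOA tables are drawn from a common vulnerability-file pool rather than from actor-specific observation; that should be stated in the section intro, and the scale of the change belongs in the commit message.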
@ -82,9 +88,9 @@ The following list contains external sources which discuss the actor and the ass
|
|||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# XDSpy - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [XDSpy](https://vuldb.com/?actor.xdspy). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [XDSpy](https://vuldb.com/?actor.xdspy). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.xdspy](https://vuldb.com/?actor.xdspy)
@ -40,12 +40,9 @@ ID | Type | Indicator | Confidence
1 | File | `data/gbconfiguration.dat` | High
2 | File | `functions.inc.php` | High
3 | File | `inc/config.php` | High
4 | File | `text.ctrl.php` | High
5 | Argument | `basePath` | Medium
6 | Argument | `Content-Length` | High
7 | Argument | `level` | Low
8 | Argument | `show_alias` | Medium
9 | Pattern | `Content-Length|3A|` | High
4 | ... | ... | ...
There are 6 more IOA items available. Please use our online service to access the data.
## References
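Review bot: row 9's indicator `Content-Length|3A|` carries unescaped pipes inside a table cell; in GitHub-flavored Markdown a `|` splits the cell even inside a code span, so this row renders with extra columns. Wherever the generator emits this indicator it should write the pipes as `\|` (i.e. `Content-Length\|3A\|`), and the same escaping should be applied to any other Pattern-type indicator that contains a pipe.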
@ -57,9 +54,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -1,6 +1,6 @@
# Xcnfe - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Xcnfe](https://vuldb.com/?actor.xcnfe). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Xcnfe](https://vuldb.com/?actor.xcnfe). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.xcnfe](https://vuldb.com/?actor.xcnfe)
@ -13,11 +13,9 @@ ID | IP address | Hostname | Confidence
1 | 8.249.221.254 | - | High
2 | 8.249.225.254 | - | High
3 | 72.21.81.240 | - | High
4 | 104.23.98.190 | - | High
5 | 104.23.99.190 | - | High
6 | ... | ... | ...
4 | ... | ... | ...
There are 9 more IOC items available. Please use our online service to access the data.
There are 11 more IOC items available. Please use our online service to access the data.
## References
@ -29,9 +27,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -9,11 +9,11 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Zbot:
* US
* GR
* IT
* ES
* RU
* ...
There are 15 more country items available. Please use our online service to access the data.
There are 16 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -41,9 +41,30 @@ ID | IP address | Hostname | Confidence
18 | 45.60.77.201 | - | High
19 | 49.212.235.209 | www3469.sakura.ne.jp | High
20 | 50.72.177.24 | S01069050ca30b943.wp.shawcable.net | High
21 | ... | ... | ...
21 | 50.116.43.143 | li480-143.members.linode.com | High
22 | 51.178.156.9 | ip9.ip-51-178-156.eu | High
23 | 52.85.132.44 | server-52-85-132-44.iad50.r.cloudfront.net | High
24 | 52.137.90.34 | - | High
25 | 52.185.71.28 | - | High
26 | 58.1.158.10 | ntaich204010.aich.nt.ngn.ppp.infoweb.ne.jp | High
27 | 58.68.2.214 | - | High
28 | 58.185.131.158 | - | High
29 | 59.90.221.6 | static.bb.hyd.59.90.221.6.bsnl.in | High
30 | 60.244.81.6 | 60-244-81-6.apol.com.tw | High
31 | 61.7.235.35 | - | High
32 | 61.32.242.131 | - | High
33 | 62.49.180.189 | - | High
34 | 64.219.121.189 | - | High
35 | 65.55.50.189 | - | High
36 | 66.34.208.39 | - | High
37 | 66.117.77.134 | 66-117-77-134.gohighspeed.com | High
38 | 66.151.138.85 | c-66-151-138-85.inap-sj.nfoservers.com | High
39 | 66.214.95.108 | 066-214-095-108.res.spectrum.com | High
40 | 68.13.34.171 | ip68-13-34-171.om.om.cox.net | High
41 | 69.39.74.6 | mail.marrsterry.com | High
42 | ... | ... | ...
There are 186 more IOC items available. Please use our online service to access the data.
There are 165 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -56,7 +77,7 @@ ID | Technique | Description | Confidence
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
There are 3 more TTP items available. Please use our online service to access the data.
There are 7 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -64,19 +85,27 @@ These indicators of attack list the potential fragments used for technical activ
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/cartstore/cartstoreadmin/orders.php` | High
2 | File | `/dev/kvm` | Medium
3 | File | `/forum/away.php` | High
4 | File | `/mnt/mtd/app/config/ProductConfig.xml` | High
5 | File | `/principals` | Medium
6 | File | `/uncpath/` | Medium
7 | File | `/var/log/nginx` | High
8 | File | `/wp-admin/admin-ajax.php` | High
9 | File | `4.2.0.CP03` | Medium
10 | File | `CGIProxy.fcgi?cmd=setTelnetSwitch` | High
11 | ... | ... | ...
1 | File | `/?ajax-request=jnews` | High
2 | File | `/admin/admin.php` | High
3 | File | `/admin/imageslider/file.php` | High
4 | File | `/cgi-bin/luci` | High
5 | File | `/core/vb/vurl.php` | High
6 | File | `/etc/ldap.conf` | High
7 | File | `/importTool/preview` | High
8 | File | `/mods/_core/courses/users/create_course.php` | High
9 | File | `/phppath/php` | Medium
10 | File | `/plugins/Dashboard/Controller.php` | High
11 | File | `/server-status` | High
12 | File | `/uncpath/` | Medium
13 | File | `adclick.php` | Medium
14 | File | `add_comment.php` | High
15 | File | `admin-ajax.php` | High
16 | File | `admin.php` | Medium
17 | File | `admin/class-bulk-editor-list-table.php` | High
18 | File | `ajax/render/widget_php` | High
19 | ... | ... | ...
There are 89 more IOA items available. Please use our online service to access the data.
There are 152 more IOA items available. Please use our online service to access the data.
## References
@ -108,4 +137,4 @@ The following articles explain our unique predictive cyber threat intelligence:
## License
(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -1,6 +1,6 @@
# Zeus - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Zeus](https://vuldb.com/?actor.zeus). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Zeus](https://vuldb.com/?actor.zeus). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.zeus](https://vuldb.com/?actor.zeus)
@ -8,12 +8,12 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Zeus:
* DE
* ES
* US
* RU
* FR
* ...
There are 24 more country items available. Please use our online service to access the data.
There are 7 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -41,9 +41,31 @@ ID | IP address | Hostname | Confidence
18 | 60.13.186.5 | - | High
19 | 60.241.184.209 | 60-241-184-209.static.tpgi.com.au | High
20 | 62.14.215.109 | 109.215.14.62.static.jazztel.es | High
21 | ... | ... | ...
21 | 63.249.131.74 | - | High
22 | 63.249.133.74 | - | High
23 | 63.249.138.74 | - | High
24 | 63.249.141.74 | - | High
25 | 63.249.142.74 | - | High
26 | 63.249.143.70 | - | High
27 | 63.249.143.74 | - | High
28 | 63.249.146.74 | - | High
29 | 63.249.147.74 | - | High
30 | 63.249.148.74 | - | High
31 | 64.70.19.202 | mailrelay.202.website.ws | High
32 | 64.74.223.48 | - | High
33 | 64.85.233.8 | astound-64-85-233-8.ca.astound.net | High
34 | 64.90.187.131 | 64.90.187.131.static.nyinternet.net | High
35 | 64.127.71.73 | vcg2-4.slc1.tnltd.net | High
36 | 64.182.0.64 | - | High
37 | 64.182.1.64 | - | High
38 | 64.182.6.64 | - | High
39 | 64.182.10.64 | - | High
40 | 64.182.12.64 | hobart2.dal01.corespace.com | High
41 | 64.182.13.64 | - | High
42 | 64.182.16.64 | - | High
43 | ... | ... | ...
There are 189 more IOC items available. Please use our online service to access the data.
There are 167 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -54,10 +76,9 @@ ID | Technique | Description | Confidence
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | T1211 | 7PK Security Features | High
5 | ... | ... | ...
4 | ... | ... | ...
There are 7 more TTP items available. Please use our online service to access the data.
There are 5 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -65,19 +86,27 @@ These indicators of attack list the potential fragments used for technical activ
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `%2a` | Low
2 | File | `%SYSTEMDRIVE%` | High
3 | File | `.asp` | Low
4 | File | `.htaccess` | Medium
5 | File | `.imwheelrc` | Medium
6 | File | `.joerc` | Low
7 | File | `.jpilot` | Low
8 | File | `.php` | Low
9 | File | `.plan` | Low
10 | File | `.procmailrc` | Medium
11 | ... | ... | ...
1 | File | `/cgi-bin/user/Config.cgi` | High
2 | File | `/htdocs/cgibin` | High
3 | File | `/payu/icpcheckout/` | High
4 | File | `/uncpath/` | Medium
5 | File | `/videotalk` | Medium
6 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
7 | File | `activity_log.php` | High
8 | File | `adm/systools.asp` | High
9 | File | `admin.php` | Medium
10 | File | `admin/getparam.cgi` | High
11 | File | `adminCons.php` | High
12 | File | `ajax_list_accounts.php` | High
13 | File | `asn1fix_retrieve.c` | High
14 | File | `auth-options.c` | High
15 | File | `bigsam_guestbook.php` | High
16 | File | `books.php` | Medium
17 | File | `card/pay/.../amount` | High
18 | File | `category.cfm` | Medium
19 | ... | ... | ...
There are 2494 more IOA items available. Please use our online service to access the data.
There are 152 more IOA items available. Please use our online service to access the data.
## References
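Review bot: the trailing count for this table drops from "2494 more IOA items" to "152 more IOA items", which is the exact figure the Zbot file in this same commit receives for its IOA table. A fall of this size for a single actor is plausible only if the underlying data set was rebuilt, so please confirm the generator wrote the Zeus total here and did not carry over the neighbouring actor's value.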
@ -89,9 +118,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -1,6 +1,6 @@
# xHunt - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [xHunt](https://vuldb.com/?actor.xhunt). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [xHunt](https://vuldb.com/?actor.xhunt). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.xhunt](https://vuldb.com/?actor.xhunt)
@ -15,11 +15,11 @@ The following campaigns are known and can be associated with xHunt:
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with xHunt:
* US
* GB
* CN
* NL
* ...
There are 49 more country items available. Please use our online service to access the data.
There are 31 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -34,13 +34,9 @@ ID | IP address | Hostname | Confidence
5 | 82.102.21.219 | - | High
6 | 84.17.55.68 | unn-84-17-55-68.cdn77.com | High
7 | 85.203.46.99 | - | High
8 | 89.26.241.70 | 70.serverhs.org | High
9 | 89.238.137.37 | no-mans-land.m247.com | High
10 | 89.238.139.52 | no-mans-land.m247.com | High
11 | 91.92.109.59 | - | High
12 | ... | ... | ...
8 | ... | ... | ...
There are 22 more IOC items available. Please use our online service to access the data.
There are 26 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -51,11 +47,9 @@ ID | Technique | Description | Confidence
1 | T1040 | Authentication Bypass by Capture-replay | High
2 | T1059.007 | Cross Site Scripting | High
3 | T1068 | Execution with Unnecessary Privileges | High
4 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
5 | T1211 | 7PK Security Features | High
6 | ... | ... | ...
4 | ... | ... | ...
There are 8 more TTP items available. Please use our online service to access the data.
There are 9 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -63,19 +57,61 @@ These indicators of attack list the potential fragments used for technical activ
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `.htaccess` | Medium
2 | File | `.procmailrc` | Medium
3 | File | `/.dbus-keyrings` | High
4 | File | `/.env` | Low
5 | File | `//etc/RT2870STA.dat` | High
6 | File | `/account/register` | High
7 | File | `/adfs/ls` | Medium
8 | File | `/admin/conferences/list/` | High
9 | File | `/admin/login.php` | High
10 | File | `/ajax-files/postComment.php` | High
11 | ... | ... | ...
1 | File | `.procmailrc` | Medium
2 | File | `/account/register` | High
3 | File | `/app1/admin#foo` | High
4 | File | `/articles/welcome-to-your-site#comments-head` | High
5 | File | `/assets/ctx` | Medium
6 | File | `/cgi-mod/lookup.cgi` | High
7 | File | `/cgi?` | Low
8 | File | `/cgi?1&5` | Medium
9 | File | `/ClickAndBanexDemo/admin/admin.asp` | High
10 | File | `/config/getuser` | High
11 | File | `/configs/application.ini` | High
12 | File | `/debug/pprof` | Medium
13 | File | `/forum/away.php` | High
14 | File | `/getcfg.php` | Medium
15 | File | `/gracemedia-media-player/templates/files/ajax_controller.php` | High
16 | File | `/iissamples/sdk/asp/interaction/Form_JScript.asp` | High
17 | File | `/index.php?controller=calendar&format=raw&cat[0]=SQLi&task=events` | High
18 | File | `/index.pl` | Medium
19 | File | `/iwgallery/admin/pictures_edit.asp` | High
20 | File | `/osm/REGISTER.cmd` | High
21 | File | `/plugin/file_manager/` | High
22 | File | `/public/plugins/` | High
23 | File | `/replication` | Medium
24 | File | `/restapi/v1/certificates/FFM-SSLInspect` | High
25 | File | `/sbin/gs_config` | High
26 | File | `/settings` | Medium
27 | File | `/Storage/Emulated/0/Telegram/Telegram` | High
28 | File | `/uncpath/` | Medium
29 | File | `/Upload/admin/index.php?module=forum-management&action=add` | High
30 | File | `/uploads/dede` | High
31 | File | `/var/log/messages` | High
32 | File | `/WEB-INF/web.xml` | High
33 | File | `/webman/info.cgi` | High
34 | File | `/wp-json/wc/v3/webhooks` | High
35 | File | `/_next` | Low
36 | File | `AccessPoint.aspx` | High
37 | File | `actions.hsp` | Medium
38 | File | `activateuser.aspx` | High
39 | File | `AdHocQuery_Processor.aspx` | High
40 | File | `admin.asp` | Medium
41 | File | `admin.php?m=admin&c=site&a=save` | High
42 | File | `admin/admin.asp` | High
43 | File | `admin/backupdb.php` | High
44 | File | `admin/bitrix.mpbuilder_step2.php` | High
45 | File | `admin/bitrix.xscan_worker.php` | High
46 | File | `admin/gb-dashboard-widget.php` | High
47 | File | `admin/images.aspx` | High
48 | File | `admin/login.asp` | High
49 | File | `admin/mcart_xls_import.php` | High
50 | File | `admin/modules/tools/ip_history_logs.php` | High
51 | File | `admin/orion.extfeedbackform_efbf_forms.php` | High
52 | File | `admin/ueditor/uploadFile` | High
53 | ... | ... | ...
There are 1788 more IOA items available. Please use our online service to access the data.
There are 458 more IOA items available. Please use our online service to access the data.
## References
@ -88,9 +124,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!