Update
parent
684f97d8c2
commit
4ff50e0f3b
@ -16,7 +16,7 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
|
|||
|
||||
* US
|
||||
* CN
|
||||
* TR
|
||||
* RU
|
||||
* ...
|
||||
|
||||
There are 7 more country items available. Please use our online service to access the data.
|
||||
|
@ -27,26 +27,28 @@ These indicators of compromise indicate associated network ressources which are
|
|||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 43.255.191.255 | - | High
|
||||
2 | 45.76.6.149 | 45.76.6.149.vultr.com | Medium
|
||||
3 | 45.76.75.219 | 45.76.75.219.vultr.com | Medium
|
||||
4 | 45.138.157.78 | vpnru07.12.21.example.com | High
|
||||
5 | 61.78.62.21 | - | High
|
||||
6 | 61.195.98.245 | h61-195-98-245.ablenetvps.ne.jp | High
|
||||
7 | 66.42.48.186 | 66.42.48.186.vultr.com | Medium
|
||||
8 | 66.42.98.220 | 66.42.98.220.vultr.com | Medium
|
||||
9 | 66.42.103.222 | 66.42.103.222.vultr.com | Medium
|
||||
10 | 66.42.107.133 | 66.42.107.133.vultr.com | Medium
|
||||
11 | 66.98.126.203 | 66.98.126.203.16clouds.com | High
|
||||
12 | 67.198.161.250 | 67.198.161.250.CUSTOMER.KRYPT.COM | High
|
||||
13 | 67.198.161.251 | 67.198.161.251.CUSTOMER.KRYPT.COM | High
|
||||
14 | 67.198.161.252 | 67.198.161.252.CUSTOMER.KRYPT.COM | High
|
||||
15 | 74.82.201.8 | 74.82.201.8.16clouds.com | High
|
||||
16 | 91.208.184.78 | wk-azure.biz | High
|
||||
17 | 103.19.3.21 | - | High
|
||||
18 | ... | ... | ...
|
||||
1 | 23.67.95.153 | a23-67-95-153.deploy.static.akamaitechnologies.com | High
|
||||
2 | 43.255.191.255 | - | High
|
||||
3 | 45.76.6.149 | 45.76.6.149.vultr.com | Medium
|
||||
4 | 45.76.75.219 | 45.76.75.219.vultr.com | Medium
|
||||
5 | 45.138.157.78 | vpnru07.12.21.example.com | High
|
||||
6 | 61.78.62.21 | - | High
|
||||
7 | 61.195.98.245 | h61-195-98-245.ablenetvps.ne.jp | High
|
||||
8 | 66.42.48.186 | 66.42.48.186.vultr.com | Medium
|
||||
9 | 66.42.98.220 | 66.42.98.220.vultr.com | Medium
|
||||
10 | 66.42.103.222 | 66.42.103.222.vultr.com | Medium
|
||||
11 | 66.42.107.133 | 66.42.107.133.vultr.com | Medium
|
||||
12 | 66.98.126.203 | 66.98.126.203.16clouds.com | High
|
||||
13 | 67.198.161.250 | 67.198.161.250.CUSTOMER.KRYPT.COM | High
|
||||
14 | 67.198.161.251 | 67.198.161.251.CUSTOMER.KRYPT.COM | High
|
||||
15 | 67.198.161.252 | 67.198.161.252.CUSTOMER.KRYPT.COM | High
|
||||
16 | 74.82.201.8 | 74.82.201.8.16clouds.com | High
|
||||
17 | 91.208.184.78 | wk-azure.biz | High
|
||||
18 | 103.19.3.21 | - | High
|
||||
19 | 103.19.3.109 | - | High
|
||||
20 | ... | ... | ...
|
||||
|
||||
There are 34 more IOC items available. Please use our online service to access the data.
|
||||
There are 38 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
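Review bot: the new row 1 (23.67.95.153, a23-67-95-153.deploy.static.akamaitechnologies.com) is rated High although its reverse name identifies a shared Akamai CDN edge that any Akamai-fronted site can resolve to; the same table rates Vultr hosts Medium, so either lower this row to Medium or state why a CDN edge earns High. A smaller point: inserting one row at the top renumbered every following ID, so the diff shows 17 changed rows for two real additions (23.67.95.153 and 103.19.3.109); dropping the ID column, or keying rows on the address, would make future reviews of these tables tractable.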
@ -79,13 +81,14 @@ ID | Type | Indicator | Confidence
|
|||
10 | File | `addentry.php` | Medium
|
||||
11 | ... | ... | ...
|
||||
|
||||
There are 98 more IOA items available. Please use our online service to access the data.
|
||||
There are 109 more IOA items available. Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
|
||||
* https://app.box.com/s/qtqlwejty7xz8wj8osz98webycgo5j9x
|
||||
* https://github.com/blackberry/threat-research-and-intelligence/blob/main/APT41.csv
|
||||
* https://github.com/eset/malware-ioc/tree/master/winnti_group
|
||||
* https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf
|
||||
* https://vxug.fakedoma.in/archive/APTs/2021/2021.01.14/APT%2041.pdf
|
||||
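Review bot: two of the references in this region are not durable citations. The Box share link (app.box.com/s/...) can be revoked or replaced by its owner with no history, and the vxug.fakedoma.in link is an archive mirror rather than the original report. Please add the original publisher URL, or at least a title and date, beside each so the source stays attributable if the link dies.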
|
|
|
@ -21,29 +21,29 @@ These indicators of compromise indicate associated network ressources which are
|
|||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 23.152.0.36 | tcts-000036.techtrapes.com | High
|
||||
2 | 34.199.22.139 | ec2-34-199-22-139.compute-1.amazonaws.com | Medium
|
||||
3 | 45.56.79.23 | li929-23.members.linode.com | High
|
||||
4 | 52.2.101.52 | ec2-52-2-101-52.compute-1.amazonaws.com | Medium
|
||||
5 | 52.21.132.24 | ec2-52-21-132-24.compute-1.amazonaws.com | Medium
|
||||
6 | 54.84.252.139 | ec2-54-84-252-139.compute-1.amazonaws.com | Medium
|
||||
7 | 54.87.5.88 | ec2-54-87-5-88.compute-1.amazonaws.com | Medium
|
||||
8 | 54.88.175.149 | ec2-54-88-175-149.compute-1.amazonaws.com | Medium
|
||||
9 | 54.152.181.87 | ec2-54-152-181-87.compute-1.amazonaws.com | Medium
|
||||
10 | 78.128.92.96 | - | High
|
||||
11 | 85.93.0.0 | - | High
|
||||
12 | 87.96.148.0 | h87-96-148-0.cust.a3fiber.se | High
|
||||
13 | 87.97.148.0 | - | High
|
||||
14 | 87.98.148.0 | sbg5-mail-137.bouncer.cloud | High
|
||||
15 | 87.106.18.141 | - | High
|
||||
16 | 91.119.56.0 | 91-119-56-0.dsl.dynamic.surfer.at | High
|
||||
17 | 91.119.216.0 | 91-119-216-0.dsl.dynamic.surfer.at | High
|
||||
18 | 91.120.56.0 | - | High
|
||||
19 | 91.120.216.0 | - | High
|
||||
20 | 91.121.56.0 | - | High
|
||||
1 | 5.196.159.173 | - | High
|
||||
2 | 23.152.0.36 | tcts-000036.techtrapes.com | High
|
||||
3 | 34.199.22.139 | ec2-34-199-22-139.compute-1.amazonaws.com | Medium
|
||||
4 | 45.56.79.23 | li929-23.members.linode.com | High
|
||||
5 | 52.2.101.52 | ec2-52-2-101-52.compute-1.amazonaws.com | Medium
|
||||
6 | 52.21.132.24 | ec2-52-21-132-24.compute-1.amazonaws.com | Medium
|
||||
7 | 54.84.252.139 | ec2-54-84-252-139.compute-1.amazonaws.com | Medium
|
||||
8 | 54.87.5.88 | ec2-54-87-5-88.compute-1.amazonaws.com | Medium
|
||||
9 | 54.88.175.149 | ec2-54-88-175-149.compute-1.amazonaws.com | Medium
|
||||
10 | 54.152.181.87 | ec2-54-152-181-87.compute-1.amazonaws.com | Medium
|
||||
11 | 78.128.92.96 | - | High
|
||||
12 | 85.93.0.0 | - | High
|
||||
13 | 87.96.148.0 | h87-96-148-0.cust.a3fiber.se | High
|
||||
14 | 87.97.148.0 | - | High
|
||||
15 | 87.98.148.0 | sbg5-mail-137.bouncer.cloud | High
|
||||
16 | 87.106.18.141 | - | High
|
||||
17 | 91.119.56.0 | 91-119-56-0.dsl.dynamic.surfer.at | High
|
||||
18 | 91.119.216.0 | 91-119-216-0.dsl.dynamic.surfer.at | High
|
||||
19 | 91.120.56.0 | - | High
|
||||
20 | 91.120.216.0 | - | High
|
||||
21 | ... | ... | ...
|
||||
|
||||
There are 40 more IOC items available. Please use our online service to access the data.
|
||||
There are 41 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
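Review bot: nine of the High-confidence rows are addresses with a trailing .0 octet in an arithmetic pattern (85.93.0.0; 87.96.148.0, 87.97.148.0, 87.98.148.0; 91.119.56.0, 91.119.216.0, 91.120.56.0, 91.120.216.0, 91.121.56.0). That looks like a prefix list or a broken range expansion rather than individual hosts, and the reverse names on two of them (h87-96-148-0.cust.a3fiber.se, 91-119-56-0.dsl.dynamic.surfer.at) point at consumer access networks. Please check the upstream feed and, if these are ranges, record them as CIDR prefixes instead of single-host IOCs at High confidence.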
@ -77,7 +77,7 @@ ID | Type | Indicator | Confidence
|
|||
10 | File | `/shell?cmd` | Medium
|
||||
11 | ... | ... | ...
|
||||
|
||||
There are 519 more IOA items available. Please use our online service to access the data.
|
||||
There are 521 more IOA items available. Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
@ -90,6 +90,7 @@ The following list contains external sources which discuss the actor and the ass
|
|||
* https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
|
||||
* https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
|
||||
* https://blog.talosintelligence.com/2021/09/threat-roundup-0917-0924.html
|
||||
* https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
|
||||
|
||||
## Literature
|
||||
|
||||
|
|
|
@ -9,8 +9,8 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
|
|||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Dridex:
|
||||
|
||||
* DE
|
||||
* NO
|
||||
* US
|
||||
* NO
|
||||
* ...
|
||||
|
||||
There are 28 more country items available. Please use our online service to access the data.
|
||||
|
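Review bot: this hunk appears to do nothing but move NO below US, and nothing on the page says what the country list is ordered by (observation volume, confidence, first seen). Without that key a reorder is unreviewable; a short sentence under the Countries heading, or a count next to each country, would make a change like this one meaningful.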
@ -26,24 +26,24 @@ ID | IP address | Hostname | Confidence
|
|||
3 | 2.58.16.87 | - | High
|
||||
4 | 2.138.111.86 | 86.red-2-138-111.dynamicip.rima-tde.net | High
|
||||
5 | 3.223.115.185 | ec2-3-223-115-185.compute-1.amazonaws.com | Medium
|
||||
6 | 5.9.44.37 | static.37.44.9.5.clients.your-server.de | High
|
||||
7 | 5.9.188.148 | static.148.188.9.5.clients.your-server.de | High
|
||||
8 | 8.210.53.215 | - | High
|
||||
9 | 8.248.159.254 | - | High
|
||||
10 | 8.249.217.254 | - | High
|
||||
11 | 8.249.233.254 | - | High
|
||||
12 | 8.253.45.214 | - | High
|
||||
13 | 8.253.45.249 | - | High
|
||||
14 | 8.253.131.120 | - | High
|
||||
15 | 8.253.131.121 | - | High
|
||||
16 | 8.253.132.120 | - | High
|
||||
17 | 14.98.183.4 | static-4.183.98.14-tataidc.co.in | High
|
||||
18 | 18.195.23.231 | ec2-18-195-23-231.eu-central-1.compute.amazonaws.com | Medium
|
||||
19 | 23.3.13.88 | a23-3-13-88.deploy.static.akamaitechnologies.com | High
|
||||
20 | 23.3.13.153 | a23-3-13-153.deploy.static.akamaitechnologies.com | High
|
||||
6 | 5.2.70.173 | - | High
|
||||
7 | 5.9.44.37 | static.37.44.9.5.clients.your-server.de | High
|
||||
8 | 5.9.188.148 | mta5.offerteora.com | High
|
||||
9 | 5.39.222.84 | - | High
|
||||
10 | 5.39.222.87 | - | High
|
||||
11 | 5.39.222.102 | insideappple.com | High
|
||||
12 | 5.181.158.4 | no-rdns.mivocloud.com | High
|
||||
13 | 5.181.158.185 | no-rdns.mivocloud.com | High
|
||||
14 | 5.181.158.186 | no-rdns.mivocloud.com | High
|
||||
15 | 5.181.158.187 | no-rdns.mivocloud.com | High
|
||||
16 | 8.210.53.215 | - | High
|
||||
17 | 8.248.159.254 | - | High
|
||||
18 | 8.249.217.254 | - | High
|
||||
19 | 8.249.233.254 | - | High
|
||||
20 | 8.253.45.214 | - | High
|
||||
21 | ... | ... | ...
|
||||
|
||||
There are 324 more IOC items available. Please use our online service to access the data.
|
||||
There are 390 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
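Review bot: the hostname for 5.9.188.148 changed from static.148.188.9.5.clients.your-server.de to mta5.offerteora.com between the two versions, which shows the Hostname column is whatever reverse DNS returned at crawl time; treat it as informative only and record an observation date, otherwise consumers will match on a name that no longer resolves. The four new 5.181.158.x rows all carry the placeholder no-rdns.mivocloud.com, which adds nothing. In the same table, 2.138.111.86 (86.red-2-138-111.dynamicip.rima-tde.net) is a dynamically assigned consumer address rated High; a dynamic-pool address is reassigned frequently and should not carry High confidence as a long-lived indicator.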
@ -55,9 +55,10 @@ ID | Technique | Description | Confidence
|
|||
2 | T1068 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | T1211 | 7PK Security Features | High
|
||||
5 | ... | ... | ...
|
||||
5 | T1222 | Permission Issues | High
|
||||
6 | ... | ... | ...
|
||||
|
||||
There are 7 more TTP items available. Please use our online service to access the data.
|
||||
There are 8 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
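Review bot: the Description column does not contain ATT&CK technique names, although the header and the section text say ATT&CK. T1068 is "Exploitation for Privilege Escalation", T1110.001 is "Brute Force: Password Guessing", T1211 is "Exploitation for Defense Evasion" and the newly added T1222 is "File and Directory Permissions Modification"; the strings shown ("Execution with Unnecessary Privileges", "7PK Security Features", "Improper Restriction of Excessive Authentication Attempts", "Permission Issues") are CWE titles (CWE-250, CWE-254, CWE-307, CWE-275). Either rename the column to something like "Mapped CWE" or show the ATT&CK name, otherwise readers will take the wrong meaning from each row.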
@ -67,17 +68,17 @@ ID | Type | Indicator | Confidence
|
|||
-- | ---- | --------- | ----------
|
||||
1 | File | `.DS_Store` | Medium
|
||||
2 | File | `.htaccess` | Medium
|
||||
3 | File | `/.htpasswd` | Medium
|
||||
4 | File | `/admin.php/Foodcat/editsave` | High
|
||||
5 | File | `/admin.php?s=/admin/config/groupsave.html` | High
|
||||
6 | File | `/admin/?req=modules&action=add` | High
|
||||
7 | File | `/admin/api-cms-nav/create-page` | High
|
||||
8 | File | `/admin/index.html` | High
|
||||
9 | File | `/admin/index.php?c=database` | High
|
||||
10 | File | `/admin/index/index.html#listarticle` | High
|
||||
3 | File | `/+CSCOE+/logon.html` | High
|
||||
4 | File | `/.htpasswd` | Medium
|
||||
5 | File | `/admin.php/Foodcat/editsave` | High
|
||||
6 | File | `/admin.php?s=/admin/config/groupsave.html` | High
|
||||
7 | File | `/admin/?req=modules&action=add` | High
|
||||
8 | File | `/admin/api-cms-nav/create-page` | High
|
||||
9 | File | `/admin/index.html` | High
|
||||
10 | File | `/admin/index.php?c=database` | High
|
||||
11 | ... | ... | ...
|
||||
|
||||
There are 1212 more IOA items available. Please use our online service to access the data.
|
||||
There are 1351 more IOA items available. Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
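Review bot: the added row 3, `/+CSCOE+/logon.html` at High confidence, is the clientless SSL VPN login page path on Cisco ASA, so every legitimate WebVPN user requests it; on its own it carries no attack signal and only becomes one in combination (unexpected source ranges, request volume, credential failures). Please qualify the row, or rate it Medium as the generic `.htaccess` and `.DS_Store` rows above it are.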
@ -100,8 +101,10 @@ The following list contains external sources which discuss the actor and the ass
|
|||
* https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html
|
||||
* https://blog.talosintelligence.com/2021/09/threat-roundup-0827-0903.html
|
||||
* https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
|
||||
* https://blog.talosintelligence.com/2021/10/threat-roundup-1001-1008.html
|
||||
* https://feodotracker.abuse.ch/downloads/ipblocklist.csv
|
||||
* https://gist.githubusercontent.com/BBcan177/bf29d47ea04391cb3eb0/raw/
|
||||
* https://github.com/blackberry/threat-research-and-intelligence/blob/main/TA575-Dridex.csv
|
||||
* https://github.com/fl0x2208/IOCs-in-CSV-format/blob/6297513d672bd69f1bf488018035892e599e7a9c/Dridex_banking_trojan.xlsx
|
||||
* https://us-cert.cisa.gov/ncas/alerts/aa19-339a
|
||||
* https://vxug.fakedoma.in/archive/APTs/2021/2021.01.04(2)/Dridex.pdf
|
||||
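Review bot: two of the listed sources are mutable. The gist raw URL (gist.githubusercontent.com/BBcan177/.../raw/) has no revision in the path, so the cited content can change silently, and feodotracker.abuse.ch/downloads/ipblocklist.csv is a live blocklist that is regenerated continuously. The fl0x2208 entry is pinned to a commit, which is the right pattern; please pin the gist to a revision and note the retrieval date for the Feodo Tracker feed.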
|
|
|
@ -0,0 +1,76 @@
|
|||
# FIN12 - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [FIN12](https://vuldb.com/?actor.fin12). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.fin12](https://vuldb.com/?actor.fin12)
|
||||
|
||||
## Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FIN12:
|
||||
|
||||
* US
|
||||
* CN
|
||||
* GB
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of FIN12.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 5.2.72.202 | pieterb.com | High
|
||||
2 | 23.81.246.17 | - | High
|
||||
3 | 95.179.165.239 | 95.179.165.239.vultr.com | Medium
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 2 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by FIN12. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1059.007 | Cross Site Scripting | High
|
||||
2 | T1068 | Execution with Unnecessary Privileges | High
|
||||
3 | T1499 | Resource Consumption | High
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 1 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by FIN12. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/backups/` | Medium
|
||||
2 | File | `/config/getuser` | High
|
||||
3 | File | `/forum/away.php` | High
|
||||
4 | File | `/includes/session.php` | High
|
||||
5 | File | `/modules/admin/vw_usr_roles.php` | High
|
||||
6 | File | `/modules/projects/vw_files.php` | High
|
||||
7 | File | `/modules/public/calendar.php` | High
|
||||
8 | File | `/services/details.asp` | High
|
||||
9 | File | `/_core/profile/` | High
|
||||
10 | File | `adclick.php` | Medium
|
||||
11 | ... | ... | ...
|
||||
|
||||
There are 112 more IOA items available. Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
|
||||
* https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
|
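Review bot: the TTP descriptions in this new file do not match their technique IDs. T1059.007 is "Command and Scripting Interpreter: JavaScript", not "Cross Site Scripting" (that is CWE-79), and T1499 is "Endpoint Denial of Service" while "Resource Consumption" is a shortened CWE-400 title; with only three rows the mismatch is hard to miss. Two smaller points: the Countries list has no trailing "..." or "more items" line, so it is unclear whether US, CN and GB is the complete set; and the IOC intro carries the "ressources" misspelling ("resources").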
|
@ -0,0 +1,70 @@
|
|||
# FontOnLake - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [FontOnLake](https://vuldb.com/?actor.fontonlake). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.fontonlake](https://vuldb.com/?actor.fontonlake)
|
||||
|
||||
## Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FontOnLake:
|
||||
|
||||
* CN
|
||||
* US
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of FontOnLake.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 27.102.130.63 | - | High
|
||||
2 | 47.107.60.212 | - | High
|
||||
3 | 47.112.197.119 | - | High
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 2 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by FontOnLake. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1068 | Execution with Unnecessary Privileges | High
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by FontOnLake. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/s/` | Low
|
||||
2 | File | `AdminbaseController.class.php` | High
|
||||
3 | File | `application\User\Controller\ProfileController.class.php` | High
|
||||
4 | File | `exif.c` | Low
|
||||
5 | File | `htimage.exe` | Medium
|
||||
6 | File | `libbfd.c` | Medium
|
||||
7 | File | `opncls.c` | Medium
|
||||
8 | Library | `gdrv.sys` | Medium
|
||||
9 | Argument | `-m/-c` | Low
|
||||
10 | Argument | `imgurl` | Low
|
||||
11 | ... | ... | ...
|
||||
|
||||
There are 5 more IOA items available. Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
|
||||
* https://www.welivesecurity.com/2021/10/07/fontonlake-previously-unknown-malware-family-targeting-linux/
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
|
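Review bot: most of the IOA rows are source-file names rather than request fragments. `exif.c`, `libbfd.c`, `opncls.c`, `AdminbaseController.class.php` and `application\User\Controller\ProfileController.class.php` are paths taken from vulnerability records of the affected software, and `gdrv.sys` is a kernel driver listed under Library. The intro says these are "fragments used for technical activities like reconnaissance, exploitation", but a source-file name does not show up in request logs or on a victim host, so a detection engineer cannot act on it. Please separate "affected component" data from detectable indicators, and treat the Argument rows (`-m/-c`, `imgurl`) the same way. The IOC intro also carries the "ressources" misspelling.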
|
@ -10,10 +10,10 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
|
|||
|
||||
* US
|
||||
* CN
|
||||
* IT
|
||||
* DE
|
||||
* ...
|
||||
|
||||
There are 3 more country items available. Please use our online service to access the data.
|
||||
There are 5 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -25,25 +25,25 @@ ID | IP address | Hostname | Confidence
|
|||
2 | 3.223.115.185 | ec2-3-223-115-185.compute-1.amazonaws.com | Medium
|
||||
3 | 5.134.13.72 | i51.gds.guru.net.uk | High
|
||||
4 | 13.59.53.244 | ec2-13-59-53-244.us-east-2.compute.amazonaws.com | Medium
|
||||
5 | 20.36.253.92 | - | High
|
||||
6 | 23.6.69.99 | a23-6-69-99.deploy.static.akamaitechnologies.com | High
|
||||
7 | 23.227.38.74 | - | High
|
||||
8 | 34.102.136.180 | 180.136.102.34.bc.googleusercontent.com | Medium
|
||||
9 | 34.214.40.214 | ec2-34-214-40-214.us-west-2.compute.amazonaws.com | Medium
|
||||
10 | 34.216.47.14 | ec2-34-216-47-14.us-west-2.compute.amazonaws.com | Medium
|
||||
11 | 34.242.63.192 | ec2-34-242-63-192.eu-west-1.compute.amazonaws.com | Medium
|
||||
12 | 34.243.160.251 | ec2-34-243-160-251.eu-west-1.compute.amazonaws.com | Medium
|
||||
13 | 34.255.61.59 | ec2-34-255-61-59.eu-west-1.compute.amazonaws.com | Medium
|
||||
14 | 35.178.125.63 | ec2-35-178-125-63.eu-west-2.compute.amazonaws.com | Medium
|
||||
15 | 40.77.18.167 | - | High
|
||||
16 | 44.230.27.49 | ec2-44-230-27-49.us-west-2.compute.amazonaws.com | Medium
|
||||
17 | 45.135.229.212 | iad.scarletshark.net | High
|
||||
18 | 47.75.37.155 | - | High
|
||||
19 | 47.111.101.108 | - | High
|
||||
20 | 50.116.94.41 | almanagalleria.com.qa | High
|
||||
5 | 13.107.42.12 | 1drv.ms | High
|
||||
6 | 20.36.253.92 | - | High
|
||||
7 | 23.6.69.99 | a23-6-69-99.deploy.static.akamaitechnologies.com | High
|
||||
8 | 23.227.38.74 | - | High
|
||||
9 | 34.102.136.180 | 180.136.102.34.bc.googleusercontent.com | Medium
|
||||
10 | 34.214.40.214 | ec2-34-214-40-214.us-west-2.compute.amazonaws.com | Medium
|
||||
11 | 34.216.47.14 | ec2-34-216-47-14.us-west-2.compute.amazonaws.com | Medium
|
||||
12 | 34.242.63.192 | ec2-34-242-63-192.eu-west-1.compute.amazonaws.com | Medium
|
||||
13 | 34.243.160.251 | ec2-34-243-160-251.eu-west-1.compute.amazonaws.com | Medium
|
||||
14 | 34.255.61.59 | ec2-34-255-61-59.eu-west-1.compute.amazonaws.com | Medium
|
||||
15 | 35.178.125.63 | ec2-35-178-125-63.eu-west-2.compute.amazonaws.com | Medium
|
||||
16 | 40.77.18.167 | - | High
|
||||
17 | 40.126.26.134 | - | High
|
||||
18 | 44.230.27.49 | ec2-44-230-27-49.us-west-2.compute.amazonaws.com | Medium
|
||||
19 | 45.135.229.212 | iad.scarletshark.net | High
|
||||
20 | 47.75.37.155 | - | High
|
||||
21 | ... | ... | ...
|
||||
|
||||
There are 51 more IOC items available. Please use our online service to access the data.
|
||||
There are 73 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
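Review bot: the added row 5 (13.107.42.12, 1drv.ms) is the Microsoft OneDrive short-link service, rated High; every OneDrive share link resolves to it, so as a blocklist entry it will hit normal traffic and as a detection it only says "something used OneDrive". The confidence scheme in this commit rates shared cloud hosts (EC2, googleusercontent) Medium; this row and 23.6.69.99 (Akamai) should follow the same rule, or carry a note that the value lies in the specific path requested, not the address.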
@ -78,7 +78,7 @@ ID | Type | Indicator | Confidence
|
|||
10 | File | `/admin/admintools/tool.php` | High
|
||||
11 | ... | ... | ...
|
||||
|
||||
There are 2005 more IOA items available. Please use our online service to access the data.
|
||||
There are 2013 more IOA items available. Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
@ -88,6 +88,7 @@ The following list contains external sources which discuss the actor and the ass
|
|||
* https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html
|
||||
* https://blog.talosintelligence.com/2021/07/threat-roundup-0723-0730.html
|
||||
* https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html
|
||||
* https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
|
||||
|
||||
## Literature
|
||||
|
||||
|
|
|
@ -1,64 +1,77 @@
|
|||
# GandCrab - Cyber Threat Intelligence
|
||||
# Gandcrab - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [GandCrab](https://vuldb.com/?actor.gandcrab). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Gandcrab](https://vuldb.com/?actor.gandcrab). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.gandcrab](https://vuldb.com/?actor.gandcrab)
|
||||
|
||||
## Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with GandCrab:
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Gandcrab:
|
||||
|
||||
* CA
|
||||
* US
|
||||
* CA
|
||||
* CN
|
||||
* ...
|
||||
|
||||
There are 3 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of GandCrab.
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Gandcrab.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 5.39.221.60 | - | High
|
||||
2 | 13.76.158.123 | - | High
|
||||
3 | 66.171.248.178 | api1.whatismyipaddress.com | High
|
||||
4 | ... | ... | ...
|
||||
3 | 20.50.64.11 | - | High
|
||||
4 | 34.102.136.180 | 180.136.102.34.bc.googleusercontent.com | Medium
|
||||
5 | 35.205.61.67 | 67.61.205.35.bc.googleusercontent.com | Medium
|
||||
6 | 39.107.34.197 | - | High
|
||||
7 | 45.118.145.96 | - | High
|
||||
8 | 52.116.175.70 | hs20.name.tools | High
|
||||
9 | 54.36.194.90 | ip90.ip-54-36-194.eu | High
|
||||
10 | 66.96.147.103 | 103.147.96.66.static.eigbox.net | High
|
||||
11 | 66.171.248.178 | api1.whatismyipaddress.com | High
|
||||
12 | ... | ... | ...
|
||||
|
||||
There are 5 more IOC items available. Please use our online service to access the data.
|
||||
There are 22 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by GandCrab. This data is unique as it uses our predictive model for actor profiling.
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Gandcrab. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1068 | Execution with Unnecessary Privileges | High
|
||||
2 | T1600 | Cryptographic Issues | High
|
||||
2 | T1587.003 | Improper Certificate Validation | High
|
||||
3 | T1600 | Cryptographic Issues | High
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by GandCrab. This data is unique as it uses our predictive model for actor profiling.
|
||||
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Gandcrab. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/cgi-bin/editBookmark` | High
|
||||
2 | File | `/getcfg.php` | Medium
|
||||
3 | File | `AccessPoint.aspx` | High
|
||||
4 | File | `archive.php` | Medium
|
||||
5 | File | `cgi-bin/mainfunction.cgi` | High
|
||||
6 | File | `my.activation.php3` | High
|
||||
7 | File | `shop.php` | Medium
|
||||
8 | Library | `cgi-bin/libagent.cgi` | High
|
||||
9 | Library | `ppctl.dll` | Medium
|
||||
10 | Library | `tmnciesc.sys` | Medium
|
||||
4 | File | `announcement.php` | High
|
||||
5 | File | `archive.php` | Medium
|
||||
6 | File | `cgi-bin/mainfunction.cgi` | High
|
||||
7 | File | `data/gbconfiguration.dat` | High
|
||||
8 | File | `fciv.exe` | Medium
|
||||
9 | File | `fs/inode.c` | Medium
|
||||
10 | File | `my.activation.php3` | High
|
||||
11 | ... | ... | ...
|
||||
|
||||
There are 6 more IOA items available. Please use our online service to access the data.
|
||||
There are 17 more IOA items available. Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
|
||||
* https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
|
||||
* https://blog.talosintelligence.com/2021/10/threat-roundup-1001-1008.html
|
||||
* https://community.blueliv.com/#!/s/5afd59bd82df413e376682f2
|
||||
* https://precisionsec.com/threat-intelligence-feeds/gandcrab/
|
||||
|
||||
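Review bot: the new TTP row 2 maps "Improper Certificate Validation" to T1587.003. T1587.003 is "Develop Capabilities: Digital Certificates", an adversary obtaining certificates for their own infrastructure, whereas Improper Certificate Validation is CWE-295, a flaw in the victim's client; the two describe opposite ends of a connection, and the mapping will mislead anyone building detections from it. Two further points: the rename from "GandCrab" to "Gandcrab" in the title and body departs from the capitalization used in vendor reporting and looks like automated title-casing of the actor slug; and 34.102.136.180 (180.136.102.34.bc.googleusercontent.com) now appears both here and in another actor's table in this same commit, which is what a shared or parked hosting address looks like, so Medium is the right ceiling for it.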
|
|
|
@ -21,29 +21,29 @@ These indicators of compromise indicate associated network ressources which are
|
|||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 36.43.74.215 | - | High
|
||||
2 | 36.46.114.54 | - | High
|
||||
3 | 39.109.1.246 | - | High
|
||||
4 | 42.51.192.3 | - | High
|
||||
5 | 43.226.152.12 | - | High
|
||||
6 | 43.226.159.201 | - | High
|
||||
7 | 45.119.125.223 | - | High
|
||||
8 | 45.195.203.97 | - | High
|
||||
9 | 45.253.67.78 | - | High
|
||||
10 | 47.93.52.188 | - | High
|
||||
11 | 47.93.245.163 | - | High
|
||||
12 | 47.95.233.18 | - | High
|
||||
13 | 47.111.82.157 | - | High
|
||||
14 | 47.112.30.91 | - | High
|
||||
15 | 58.218.66.21 | - | High
|
||||
16 | 58.218.67.245 | - | High
|
||||
17 | 58.218.199.225 | - | High
|
||||
18 | 58.221.47.41 | - | High
|
||||
19 | 58.221.47.47 | - | High
|
||||
20 | 59.46.12.8 | - | High
|
||||
1 | 13.249.38.69 | server-13-249-38-69.iad89.r.cloudfront.net | High
|
||||
2 | 36.43.74.215 | - | High
|
||||
3 | 36.46.114.54 | - | High
|
||||
4 | 39.109.1.246 | - | High
|
||||
5 | 42.51.192.3 | - | High
|
||||
6 | 43.226.152.12 | - | High
|
||||
7 | 43.226.159.201 | - | High
|
||||
8 | 45.119.125.223 | - | High
|
||||
9 | 45.195.203.97 | - | High
|
||||
10 | 45.253.67.78 | - | High
|
||||
11 | 47.93.52.188 | - | High
|
||||
12 | 47.93.245.163 | - | High
|
||||
13 | 47.95.233.18 | - | High
|
||||
14 | 47.111.82.157 | - | High
|
||||
15 | 47.112.30.91 | - | High
|
||||
16 | 58.218.66.21 | - | High
|
||||
17 | 58.218.67.245 | - | High
|
||||
18 | 58.218.199.225 | - | High
|
||||
19 | 58.221.47.41 | - | High
|
||||
20 | 58.221.47.47 | - | High
|
||||
21 | ... | ... | ...
|
||||
|
||||
There are 72 more IOC items available. Please use our online service to access the data.
|
||||
There are 77 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
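Review bot: row 1 of the rebuilt IOC table (13.249.38.69, server-13-249-38-69.iad89.r.cloudfront.net) is rated High, but that reverse name identifies a shared CloudFront edge node, the same class of multi-tenant cloud address that this commit rates Medium for *.compute-1.amazonaws.com and *.bc.googleusercontent.com hosts in other actor files. Consider Medium, or an explicit note that the address is only meaningful together with a hostname or URL, since a consumer who feeds a High-rated address into a blocklist will also cut off unrelated CloudFront-served content.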
|
||||
|
||||
|
@ -93,6 +93,8 @@ The following list contains external sources which discuss the actor and the ass
|
|||
* https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html
|
||||
* https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
|
||||
* https://blog.talosintelligence.com/2021/09/threat-roundup-0917-0924.html
|
||||
* https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
|
||||
* https://blog.talosintelligence.com/2021/10/threat-roundup-1001-1008.html
|
||||
|
||||
## Literature
|
||||
|
||||
|
|
|
@ -8,8 +8,8 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
|
|||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Kuluoz:
|
||||
|
||||
* IL
|
||||
* US
|
||||
* IL
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -17,12 +17,23 @@ These indicators of compromise indicate associated network ressources which are
|
|||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 37.59.24.98 | ns3043472.ip-37-59-24.eu | High
|
||||
2 | 69.64.32.247 | dragon324.dedicatedpanel.com | High
|
||||
3 | 74.221.221.58 | 58.221.221.74.opticip.com | High
|
||||
4 | ... | ... | ...
|
||||
1 | 13.32.208.34 | server-13-32-208-34.iad66.r.cloudfront.net | High
|
||||
2 | 37.59.24.98 | ns3043472.ip-37-59-24.eu | High
|
||||
3 | 69.64.32.247 | dragon324.dedicatedpanel.com | High
|
||||
4 | 74.221.221.58 | 58.221.221.74.opticip.com | High
|
||||
5 | 82.165.155.77 | mail850785786.mywebspace.zone | High
|
||||
6 | 85.12.29.254 | - | High
|
||||
7 | ... | ... | ...
|
||||
|
||||
There are 5 more IOC items available. Please use our online service to access the data.
|
||||
There are 10 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Kuluoz. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1059.007 | Cross Site Scripting | High
|
||||
|
||||
## IOA - Indicator of Attack
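Review bot: the new TTP section pairs T1059.007 with the description "Cross Site Scripting", but in ATT&CK T1059.007 is "Command and Scripting Interpreter: JavaScript"; "Cross Site Scripting" is the title of CWE-79. If the Description column is meant to carry the weakness the technique was derived from, say so in the header (for example `ID | Technique | Derived CWE | Confidence`) or in the section intro; otherwise use the ATT&CK technique names so that consumers mapping these rows into ATT&CK Navigator are not misled. Row 1 of the IOC table (13.32.208.34, server-13-32-208-34.iad66.r.cloudfront.net, High) raises the same shared-CDN-edge concern as the other CloudFront entry in this commit.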
|
||||
|
||||
|
@ -31,13 +42,15 @@ These indicators of attack list the potential fragments used for technical activ
|
|||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `data/gbconfiguration.dat` | High
|
||||
2 | Argument | `Password` | Medium
|
||||
2 | File | `wp-includes/kses.php` | High
|
||||
3 | Argument | `Password` | Medium
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
|
||||
* https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
|
||||
* https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
|
||||
|
||||
## Literature
|
||||
|
||||
|
|
|
@ -27,21 +27,23 @@ ID | IP address | Hostname | Confidence
|
|||
4 | 35.247.234.230 | 230.234.247.35.bc.googleusercontent.com | Medium
|
||||
5 | 37.235.1.174 | resolver1.freedns.zone.powered.by.virtexxa.com | High
|
||||
6 | 37.235.1.177 | resolver2.freedns.zone.powered.by.virtexxa.com | High
|
||||
7 | 45.147.229.85 | - | High
|
||||
8 | 50.16.216.118 | ec2-50-16-216-118.compute-1.amazonaws.com | Medium
|
||||
9 | 50.19.92.227 | ec2-50-19-92-227.compute-1.amazonaws.com | Medium
|
||||
10 | 54.225.78.40 | ec2-54-225-78-40.compute-1.amazonaws.com | Medium
|
||||
11 | 54.225.165.85 | ec2-54-225-165-85.compute-1.amazonaws.com | Medium
|
||||
12 | 54.225.245.108 | ec2-54-225-245-108.compute-1.amazonaws.com | Medium
|
||||
13 | 54.235.88.121 | ec2-54-235-88-121.compute-1.amazonaws.com | Medium
|
||||
14 | 63.251.106.25 | - | High
|
||||
15 | 70.32.1.32 | ip-70.32.1.32.hosted.by.gigenet.com | High
|
||||
16 | 79.134.225.70 | - | High
|
||||
17 | 91.195.240.46 | - | High
|
||||
18 | 102.186.213.112 | - | High
|
||||
19 | ... | ... | ...
|
||||
7 | 45.33.83.75 | li1029-75.members.linode.com | High
|
||||
8 | 45.147.229.85 | - | High
|
||||
9 | 50.16.216.118 | ec2-50-16-216-118.compute-1.amazonaws.com | Medium
|
||||
10 | 50.19.92.227 | ec2-50-19-92-227.compute-1.amazonaws.com | Medium
|
||||
11 | 54.225.78.40 | ec2-54-225-78-40.compute-1.amazonaws.com | Medium
|
||||
12 | 54.225.165.85 | ec2-54-225-165-85.compute-1.amazonaws.com | Medium
|
||||
13 | 54.225.245.108 | ec2-54-225-245-108.compute-1.amazonaws.com | Medium
|
||||
14 | 54.235.88.121 | ec2-54-235-88-121.compute-1.amazonaws.com | Medium
|
||||
15 | 63.251.106.25 | - | High
|
||||
16 | 65.254.254.55 | mail.yourhostingaccount.com | High
|
||||
17 | 70.32.1.32 | ip-70.32.1.32.hosted.by.gigenet.com | High
|
||||
18 | 78.128.92.142 | venom8.steeldns.com | High
|
||||
19 | 79.134.225.70 | - | High
|
||||
20 | 91.195.240.46 | - | High
|
||||
21 | ... | ... | ...
|
||||
|
||||
There are 36 more IOC items available. Please use our online service to access the data.
|
||||
There are 40 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
@ -75,7 +77,7 @@ ID | Type | Indicator | Confidence
|
|||
10 | File | `/admin/loginc.php` | High
|
||||
11 | ... | ... | ...
|
||||
|
||||
There are 1119 more IOA items available. Please use our online service to access the data.
|
||||
There are 1121 more IOA items available. Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
@ -87,6 +89,7 @@ The following list contains external sources which discuss the actor and the ass
|
|||
* https://blog.talosintelligence.com/2021/08/threat-roundup-0820-0827.html
|
||||
* https://blog.talosintelligence.com/2021/09/threat-roundup-0827-0903.html
|
||||
* https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
|
||||
* https://blog.talosintelligence.com/2021/10/threat-roundup-1001-1008.html
|
||||
* https://vxug.fakedoma.in/archive/APTs/2021/2021.01.06(1)/LokiBot%20Infection%20Chain.pdf
|
||||
|
||||
## Literature
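Review bot: the new reference (vxug.fakedoma.in/.../LokiBot%20Infection%20Chain.pdf) points to a mirrored copy rather than the original publication. Prefer the original publisher's URL, keeping the mirror as a secondary link only where the original is no longer available, since archive mirrors rotate domains and the citation will otherwise go stale.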
|
||||
|
|
|
@ -0,0 +1,72 @@
|
|||
# MalKamak - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [MalKamak](https://vuldb.com/?actor.malkamak). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.malkamak](https://vuldb.com/?actor.malkamak)
|
||||
|
||||
## Campaigns
|
||||
|
||||
The following campaigns are known and can be associated with MalKamak:
|
||||
|
||||
* GhostShell
|
||||
|
||||
## Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with MalKamak:
|
||||
|
||||
* CN
|
||||
* US
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of MalKamak.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 50.116.17.41 | li601-41.members.linode.com | High
|
||||
2 | 139.162.120.150 | li1604-150.members.linode.com | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by MalKamak. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1059.007 | Cross Site Scripting | High
|
||||
2 | T1068 | Execution with Unnecessary Privileges | High
|
||||
3 | T1499 | Resource Consumption | High
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 1 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by MalKamak. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/domains/list` | High
|
||||
2 | File | `/run/spice-vdagentd/spice-vdagent-sock` | High
|
||||
3 | File | `/tmp` | Low
|
||||
4 | File | `English/pages_MacUS/cgi_lan.cgi` | High
|
||||
5 | File | `ping.cgi` | Medium
|
||||
6 | Argument | `DIA_IPADDRESS` | High
|
||||
7 | Argument | `LAN_TXT24` | Medium
|
||||
8 | Argument | `Product` | Low
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
|
||||
* https://www.cybereason.com/blog/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
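Review bot: "There are 1 more TTP items available" needs singular agreement; the sentence is clearly templated, so pluralize on the count in the generator ("There is 1 more TTP item available") rather than in this file. In the IOA table, row 3 (`/tmp`, Low) is a path present on every Unix host and carries no actor-specific signal; consider dropping Low-confidence generic paths from the published table, since they only add false positives for anyone matching these indicators against logs.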
|
|
@ -43,7 +43,7 @@ ID | IP address | Hostname | Confidence
|
|||
20 | 35.224.11.86 | 86.11.224.35.bc.googleusercontent.com | Medium
|
||||
21 | ... | ... | ...
|
||||
|
||||
There are 132 more IOC items available. Please use our online service to access the data.
|
||||
There are 134 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
@ -88,6 +88,7 @@ The following list contains external sources which discuss the actor and the ass
|
|||
* https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html
|
||||
* https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
|
||||
* https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
|
||||
* https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
|
||||
* https://github.com/firehol/blocklist-ipsets/blob/master/bambenek_ramnit.ipset
|
||||
|
||||
## Literature
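Review bot: the new reference (firehol/blocklist-ipsets/blob/master/bambenek_ramnit.ipset) is a continuously regenerated blocklist on the master branch, not a source that "discusses the actor" as the section intro says. If it is used as an IOC source, link a pinned commit so the cited content is reproducible, and consider listing such feeds under a separate data-sources heading.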
|
||||
|
|
|
@ -13,7 +13,7 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
|
|||
* SE
|
||||
* ...
|
||||
|
||||
There are 11 more country items available. Please use our online service to access the data.
|
||||
There are 12 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -38,12 +38,12 @@ ID | IP address | Hostname | Confidence
|
|||
15 | 23.227.38.74 | - | High
|
||||
16 | 34.102.136.180 | 180.136.102.34.bc.googleusercontent.com | Medium
|
||||
17 | 35.214.144.124 | 124.144.214.35.bc.googleusercontent.com | Medium
|
||||
18 | 37.139.64.106 | - | High
|
||||
19 | 37.230.130.153 | - | High
|
||||
20 | 40.126.28.22 | - | High
|
||||
18 | 37.1.206.16 | free.ispiria.net | High
|
||||
19 | 37.139.64.106 | - | High
|
||||
20 | 37.230.130.153 | - | High
|
||||
21 | ... | ... | ...
|
||||
|
||||
There are 60 more IOC items available. Please use our online service to access the data.
|
||||
There are 64 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
@ -76,7 +76,7 @@ ID | Type | Indicator | Confidence
|
|||
10 | File | `/tmp` | Low
|
||||
11 | ... | ... | ...
|
||||
|
||||
There are 163 more IOA items available. Please use our online service to access the data.
|
||||
There are 170 more IOA items available. Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
@ -90,6 +90,7 @@ The following list contains external sources which discuss the actor and the ass
|
|||
* https://blog.talosintelligence.com/2021/09/threat-roundup-0827-0903.html
|
||||
* https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
|
||||
* https://blog.talosintelligence.com/2021/09/threat-roundup-0917-0924.html
|
||||
* https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
|
||||
|
||||
## Literature
|
||||
|
||||
|
|
|
@ -0,0 +1,38 @@
|
|||
# Sarwent - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Sarwent](https://vuldb.com/?actor.sarwent). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.sarwent](https://vuldb.com/?actor.sarwent)
|
||||
|
||||
## Campaigns
|
||||
|
||||
The following campaigns are known and can be associated with Sarwent:
|
||||
|
||||
* Amnesty International and Pegasus
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Sarwent.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 87.249.53.124 | 677515-co39933.tmweb.ru | High
|
||||
2 | 185.215.113.67 | - | High
|
||||
3 | 194.9.71.129 | free.gmhost.hosting | High
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
|
||||
* https://blog.talosintelligence.com/2021/09/fakeantipegasusamnesty.html
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
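Review bot: `ressources` in the IOC intro ("These indicators of compromise indicate associated network ressources ...") should be `resources`; the same template sentence appears in every actor file touched by this commit, so fix it in the generator rather than per file. This file also has no Countries, TTP or IOA sections while the other new file (MalKamak) has all of them; if sections are dropped when empty, a one-line "no data" placeholder would make that explicit to anyone parsing these files.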
|
|
@ -9,11 +9,11 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
|
|||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with TeslaCrypt:
|
||||
|
||||
* US
|
||||
* DE
|
||||
* CN
|
||||
* TR
|
||||
* ...
|
||||
|
||||
There are 2 more country items available. Please use our online service to access the data.
|
||||
There are 7 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -24,10 +24,17 @@ ID | IP address | Hostname | Confidence
|
|||
1 | 2.57.138.47 | s27.zenbox.pl | High
|
||||
2 | 5.79.68.109 | - | High
|
||||
3 | 5.79.68.110 | - | High
|
||||
4 | 35.205.61.67 | 67.61.205.35.bc.googleusercontent.com | Medium
|
||||
5 | ... | ... | ...
|
||||
4 | 23.63.245.19 | a23-63-245-19.deploy.static.akamaitechnologies.com | High
|
||||
5 | 23.63.245.50 | a23-63-245-50.deploy.static.akamaitechnologies.com | High
|
||||
6 | 23.196.73.160 | a23-196-73-160.deploy.static.akamaitechnologies.com | High
|
||||
7 | 35.205.61.67 | 67.61.205.35.bc.googleusercontent.com | Medium
|
||||
8 | 35.209.43.160 | 160.43.209.35.bc.googleusercontent.com | Medium
|
||||
9 | 52.216.22.34 | s3-website-us-east-1.amazonaws.com | Medium
|
||||
10 | 52.216.128.178 | s3-website-us-east-1.amazonaws.com | Medium
|
||||
11 | 52.216.142.11 | s3-website-us-east-1.amazonaws.com | Medium
|
||||
12 | ... | ... | ...
|
||||
|
||||
There are 8 more IOC items available. Please use our online service to access the data.
|
||||
There are 22 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
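Review bot: rows 4-6 (23.63.245.19, 23.63.245.50, 23.196.73.160, all a23-*.deploy.static.akamaitechnologies.com) are Akamai edge addresses rated High, while the shared Google (rows 7-8) and S3 (rows 9-11) addresses in the same table are Medium; a CDN edge is at least as multi-tenant as those, so either lower the Akamai rows to Medium or state what distinguishes them. Rows 9-11 additionally all resolve to the same s3-website-us-east-1.amazonaws.com endpoint, so the IP addresses identify the regional S3 website service rather than a specific bucket; the bucket name or URL would be the actionable indicator, and without it these rows mostly produce false positives for defenders who load the table into a blocklist.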
|
||||
|
||||
|
@ -37,10 +44,10 @@ ID | Technique | Description | Confidence
|
|||
-- | --------- | ----------- | ----------
|
||||
1 | T1059.007 | Cross Site Scripting | High
|
||||
2 | T1068 | Execution with Unnecessary Privileges | High
|
||||
3 | T1211 | 7PK Security Features | High
|
||||
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 2 more TTP items available. Please use our online service to access the data.
|
||||
There are 4 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
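Review bot: the replacement row `3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High` attaches a CWE title (CWE-307) to an ATT&CK ID whose actual name is "Brute Force: Password Guessing". Row 2 has the same mismatch (T1068 is "Exploitation for Privilege Escalation"; "Execution with Unnecessary Privileges" is CWE-250), as does the removed row (T1211 is "Exploitation for Defense Evasion"). Either add a separate CWE column or use the ATT&CK names, so that the Technique and Description columns agree.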
|
||||
|
||||
|
@ -52,21 +59,22 @@ ID | Type | Indicator | Confidence
|
|||
2 | File | `/admin/views/freepbx_reload.php` | High
|
||||
3 | File | `/cimom` | Low
|
||||
4 | File | `/dhtml/index.php` | High
|
||||
5 | File | `/drivers/vhost/net.c` | High
|
||||
6 | File | `/flash/mypage.php` | High
|
||||
7 | File | `/forum/away.php` | High
|
||||
8 | File | `/index_amp.php` | High
|
||||
9 | File | `/principals` | Medium
|
||||
10 | File | `/recordings/index.php` | High
|
||||
5 | File | `/downloadmaster/dm_apply.cgi?action_mode=initial&download_type=General&special_cgi=get_language` | High
|
||||
6 | File | `/drivers/vhost/net.c` | High
|
||||
7 | File | `/flash/mypage.php` | High
|
||||
8 | File | `/forum/away.php` | High
|
||||
9 | File | `/index_amp.php` | High
|
||||
10 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
|
||||
11 | ... | ... | ...
|
||||
|
||||
There are 138 more IOA items available. Please use our online service to access the data.
|
||||
There are 155 more IOA items available. Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
|
||||
* https://blog.talosintelligence.com/2021/03/threat-roundup-0226-0305.html
|
||||
* https://blog.talosintelligence.com/2021/10/threat-roundup-1001-1008.html
|
||||
|
||||
## Literature
|
||||
|
||||
|
|
|
@ -13,7 +13,7 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
|
|||
* RU
|
||||
* ...
|
||||
|
||||
There are 12 more country items available. Please use our online service to access the data.
|
||||
There are 14 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -43,7 +43,7 @@ ID | IP address | Hostname | Confidence
|
|||
20 | 40.76.4.15 | - | High
|
||||
21 | ... | ... | ...
|
||||
|
||||
There are 177 more IOC items available. Please use our online service to access the data.
|
||||
There are 187 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
@ -67,17 +67,17 @@ ID | Type | Indicator | Confidence
|
|||
-- | ---- | --------- | ----------
|
||||
1 | File | `/+CSCOE+/logon.html` | High
|
||||
2 | File | `/admin/blocks/blocks/edit/8` | High
|
||||
3 | File | `/admin/menus/menus/edit/3` | High
|
||||
4 | File | `/admin/nodes/nodes/add/blog` | High
|
||||
5 | File | `/admin/taxonomy/vocabularies` | High
|
||||
6 | File | `/cgi/networkDiag.cgi` | High
|
||||
7 | File | `/exponent_constants.php` | High
|
||||
8 | File | `/forum/away.php` | High
|
||||
9 | File | `/mods/_core/users/admins/my_edit.php` | High
|
||||
10 | File | `/plain` | Low
|
||||
3 | File | `/admin/login/login_check.php` | High
|
||||
4 | File | `/admin/menus/menus/edit/3` | High
|
||||
5 | File | `/admin/nodes/nodes/add/blog` | High
|
||||
6 | File | `/admin/taxonomy/vocabularies` | High
|
||||
7 | File | `/bin/goahead` | Medium
|
||||
8 | File | `/cgi/networkDiag.cgi` | High
|
||||
9 | File | `/exponent_constants.php` | High
|
||||
10 | File | `/forum/away.php` | High
|
||||
11 | ... | ... | ...
|
||||
|
||||
There are 172 more IOA items available. Please use our online service to access the data.
|
||||
There are 189 more IOA items available. Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
@ -107,6 +107,7 @@ The following list contains external sources which discuss the actor and the ass
|
|||
* https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
|
||||
* https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
|
||||
* https://blog.talosintelligence.com/2021/09/threat-roundup-0917-0924.html
|
||||
* https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
|
||||
|
||||
## Literature
|
||||
|
||||
|
|
|
@ -20,7 +20,7 @@ ID | IP address | Hostname | Confidence
|
|||
-- | ---------- | -------- | ----------
|
||||
1 | 51.195.68.217 | time1.lyhuao.com | High
|
||||
2 | 185.193.126.172 | b9c17eac.host.njalla.net | High
|
||||
3 | 185.193.127.92 | host-185-193-127-92.njalla.net | High
|
||||
3 | 185.193.127.92 | arbf.io | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
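Review bot: row 3 keeps the address 185.193.127.92 but replaces the reverse-DNS name host-185-193-127-92.njalla.net with arbf.io, and nothing in the table shows which resolution the Hostname column records (PTR at observation time, or a forward name seen in traffic) or when it was observed. Hostnames on rented VPS addresses change hands, so consider an observed-on date, or keep the PTR and put the associated domain in its own column, so consumers can tell a re-resolution from a new finding. The same applies to the 5.39.47.22 change (mail.newsbit.fun to mail.dmgs.site) in the next file.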
|
||||
|
||||
|
|
|
@ -24,7 +24,7 @@ ID | IP address | Hostname | Confidence
|
|||
1 | 5.1.81.68 | mx4.tarifvergleichbhv.net | High
|
||||
2 | 5.2.75.93 | - | High
|
||||
3 | 5.2.75.167 | coms.a9v34.com.cn | High
|
||||
4 | 5.39.47.22 | mail.newsbit.fun | High
|
||||
4 | 5.39.47.22 | mail.dmgs.site | High
|
||||
5 | 5.59.205.32 | dhcp-32-205-59-5.metro86.ru | High
|
||||
6 | 5.133.179.108 | 5-133-179-108.freeucouponsnow.ru | High
|
||||
7 | 5.182.210.132 | - | High
|
||||
|
@ -36,14 +36,14 @@ ID | IP address | Hostname | Confidence
|
|||
13 | 18.233.90.151 | ec2-18-233-90-151.compute-1.amazonaws.com | Medium
|
||||
14 | 23.3.13.88 | a23-3-13-88.deploy.static.akamaitechnologies.com | High
|
||||
15 | 23.3.13.154 | a23-3-13-154.deploy.static.akamaitechnologies.com | High
|
||||
16 | 23.21.27.29 | ec2-23-21-27-29.compute-1.amazonaws.com | Medium
|
||||
17 | 23.21.48.44 | ec2-23-21-48-44.compute-1.amazonaws.com | Medium
|
||||
18 | 23.21.252.4 | ec2-23-21-252-4.compute-1.amazonaws.com | Medium
|
||||
19 | 23.96.30.229 | - | High
|
||||
20 | 23.160.192.125 | unknown.ip-xfer.net | High
|
||||
16 | 23.3.125.111 | a23-3-125-111.deploy.static.akamaitechnologies.com | High
|
||||
17 | 23.21.27.29 | ec2-23-21-27-29.compute-1.amazonaws.com | Medium
|
||||
18 | 23.21.48.44 | ec2-23-21-48-44.compute-1.amazonaws.com | Medium
|
||||
19 | 23.21.252.4 | ec2-23-21-252-4.compute-1.amazonaws.com | Medium
|
||||
20 | 23.96.30.229 | - | High
|
||||
21 | ... | ... | ...
|
||||
|
||||
There are 235 more IOC items available. Please use our online service to access the data.
|
||||
There are 257 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
@ -78,7 +78,7 @@ ID | Type | Indicator | Confidence
|
|||
10 | File | `/admin/config.php?display=backup` | High
|
||||
11 | ... | ... | ...
|
||||
|
||||
There are 966 more IOA items available. Please use our online service to access the data.
|
||||
There are 987 more IOA items available. Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
@ -92,6 +92,7 @@ The following list contains external sources which discuss the actor and the ass
|
|||
* https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
|
||||
* https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html
|
||||
* https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html
|
||||
* https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
|
||||
* https://feodotracker.abuse.ch/downloads/ipblocklist.csv
|
||||
|
||||
## Literature
|
||||
|
|