Update
This commit is contained in:
parent
5dbba81936
commit
5304286881
|
@ -29,9 +29,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
|
||||
3 | T1211 | CWE-254 | 7PK Security Features | High
|
||||
1 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
2 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
3 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 2 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
|
|
@ -30,9 +30,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1555 | CWE-312 | Cleartext Storage of Sensitive Information | High
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1055 | CWE-74 | Injection | High
|
||||
3 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 5 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
|
|
@ -34,8 +34,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1055 | CWE-74 | Injection | High
|
||||
3 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 6 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
|
|
@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
* [DE](https://vuldb.com/?country.de)
|
||||
* ...
|
||||
|
||||
There are 23 more country items available. Please use our online service to access the data.
|
||||
There are 20 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -51,66 +51,65 @@ ID | Type | Indicator | Confidence
|
|||
-- | ---- | --------- | ----------
|
||||
1 | File | `.htaccess` | Medium
|
||||
2 | File | `/+CSCOE+/logon.html` | High
|
||||
3 | File | `/admin/edit_admin_details.php?id=admin` | High
|
||||
4 | File | `/admin/generalsettings.php` | High
|
||||
5 | File | `/admin/payment.php` | High
|
||||
6 | File | `/admin/reports.php` | High
|
||||
7 | File | `/admin_page/all-files-update-ajax.php` | High
|
||||
8 | File | `/assets/ctx` | Medium
|
||||
3 | File | `/admin/conferences/list/` | High
|
||||
4 | File | `/admin/edit_admin_details.php?id=admin` | High
|
||||
5 | File | `/admin/generalsettings.php` | High
|
||||
6 | File | `/admin/payment.php` | High
|
||||
7 | File | `/admin/reports.php` | High
|
||||
8 | File | `/admin_page/all-files-update-ajax.php` | High
|
||||
9 | File | `/bsms/?page=products` | High
|
||||
10 | File | `/cgi-bin/kerbynet` | High
|
||||
11 | File | `/cgi-bin/system_mgr.cgi` | High
|
||||
12 | File | `/cloud_config/router_post/check_reg_verify_code` | High
|
||||
13 | File | `/concat?/%2557EB-INF/web.xml` | High
|
||||
14 | File | `/config/getuser` | High
|
||||
15 | File | `/debug/pprof` | Medium
|
||||
16 | File | `/dms/admin/reports/daily_collection_report.php` | High
|
||||
17 | File | `/ext/phar/phar_object.c` | High
|
||||
18 | File | `/filemanager/php/connector.php` | High
|
||||
19 | File | `/forum/away.php` | High
|
||||
20 | File | `/get_getnetworkconf.cgi` | High
|
||||
21 | File | `/HNAP1` | Low
|
||||
22 | File | `/include/chart_generator.php` | High
|
||||
23 | File | `/index.php?controller=calendar&format=raw&cat[0]=SQLi&task=events` | High
|
||||
24 | File | `/info.cgi` | Medium
|
||||
25 | File | `/Items/*/RemoteImages/Download` | High
|
||||
26 | File | `/lists/admin/` | High
|
||||
27 | File | `/MagickCore/image.c` | High
|
||||
28 | File | `/mgmt/tm/util/bash` | High
|
||||
29 | File | `/modx/manager/index.php` | High
|
||||
30 | File | `/osm/REGISTER.cmd` | High
|
||||
31 | File | `/replication` | Medium
|
||||
32 | File | `/siteminderagent/pwcgi/smpwservicescgi.exe` | High
|
||||
33 | File | `/spip.php` | Medium
|
||||
34 | File | `/TeleoptiWFM/Administration/GetOneTenant` | High
|
||||
35 | File | `/type.php` | Medium
|
||||
36 | File | `/uncpath/` | Medium
|
||||
37 | File | `/usr/bin/pkexec` | High
|
||||
38 | File | `/Wedding-Management/package_detail.php` | High
|
||||
39 | File | `4.2.0.CP09` | Medium
|
||||
40 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
41 | File | `802dot1xclientcert.cgi` | High
|
||||
42 | File | `a2billing/customer/iridium_threed.php` | High
|
||||
43 | File | `AdClass.php` | Medium
|
||||
44 | File | `add.exe` | Low
|
||||
45 | File | `admin-ajax.php` | High
|
||||
46 | File | `admin.color.php` | High
|
||||
47 | File | `admin.cropcanvas.php` | High
|
||||
48 | File | `admin.joomlaradiov5.php` | High
|
||||
49 | File | `admin.php` | Medium
|
||||
50 | File | `admin.php?m=Food&a=addsave` | High
|
||||
51 | File | `admin/conf_users_edit.php` | High
|
||||
52 | File | `admin/index.php` | High
|
||||
53 | File | `admin/limits.php` | High
|
||||
54 | File | `admin/user.php` | High
|
||||
55 | File | `admin/write-post.php` | High
|
||||
56 | File | `administrator/components/com_media/helpers/media.php` | High
|
||||
57 | File | `admin_events.php` | High
|
||||
58 | File | `akocomments.php` | High
|
||||
59 | File | `allopass-error.php` | High
|
||||
60 | ... | ... | ...
|
||||
13 | File | `/debug/pprof` | Medium
|
||||
14 | File | `/dms/admin/reports/daily_collection_report.php` | High
|
||||
15 | File | `/ext/phar/phar_object.c` | High
|
||||
16 | File | `/filemanager/php/connector.php` | High
|
||||
17 | File | `/forum/away.php` | High
|
||||
18 | File | `/get_getnetworkconf.cgi` | High
|
||||
19 | File | `/HNAP1` | Low
|
||||
20 | File | `/include/chart_generator.php` | High
|
||||
21 | File | `/info.cgi` | Medium
|
||||
22 | File | `/Items/*/RemoteImages/Download` | High
|
||||
23 | File | `/lists/admin/` | High
|
||||
24 | File | `/MagickCore/image.c` | High
|
||||
25 | File | `/mgmt/tm/util/bash` | High
|
||||
26 | File | `/modx/manager/index.php` | High
|
||||
27 | File | `/public/launchNewWindow.jsp` | High
|
||||
28 | File | `/replication` | Medium
|
||||
29 | File | `/siteminderagent/pwcgi/smpwservicescgi.exe` | High
|
||||
30 | File | `/spip.php` | Medium
|
||||
31 | File | `/TeleoptiWFM/Administration/GetOneTenant` | High
|
||||
32 | File | `/type.php` | Medium
|
||||
33 | File | `/usr/bin/pkexec` | High
|
||||
34 | File | `/WEB-INF/web.xml` | High
|
||||
35 | File | `/Wedding-Management/package_detail.php` | High
|
||||
36 | File | `/wp-content/plugins/woocommerce/templates/emails/plain/` | High
|
||||
37 | File | `4.2.0.CP09` | Medium
|
||||
38 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
39 | File | `802dot1xclientcert.cgi` | High
|
||||
40 | File | `a2billing/customer/iridium_threed.php` | High
|
||||
41 | File | `AdClass.php` | Medium
|
||||
42 | File | `add.exe` | Low
|
||||
43 | File | `admin.color.php` | High
|
||||
44 | File | `admin.cropcanvas.php` | High
|
||||
45 | File | `admin.joomlaradiov5.php` | High
|
||||
46 | File | `admin.php` | Medium
|
||||
47 | File | `admin.php?m=Food&a=addsave` | High
|
||||
48 | File | `admin/conf_users_edit.php` | High
|
||||
49 | File | `admin/index.php` | High
|
||||
50 | File | `admin/limits.php` | High
|
||||
51 | File | `admin/write-post.php` | High
|
||||
52 | File | `administrator/components/com_media/helpers/media.php` | High
|
||||
53 | File | `admin_events.php` | High
|
||||
54 | File | `akocomments.php` | High
|
||||
55 | File | `allopass-error.php` | High
|
||||
56 | File | `announcement.php` | High
|
||||
57 | File | `apply.cgi` | Medium
|
||||
58 | File | `appointment.php` | High
|
||||
59 | ... | ... | ...
|
||||
|
||||
There are 522 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 515 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -82,36 +82,36 @@ ID | Type | Indicator | Confidence
|
|||
2 | File | `/admin/?page=system_info/contact_info` | High
|
||||
3 | File | `/admin/dl_sendmail.php` | High
|
||||
4 | File | `/admin/login.php` | High
|
||||
5 | File | `/admin/produts/controller.php` | High
|
||||
6 | File | `/Ap4RtpAtom.cpp` | High
|
||||
7 | File | `/app/options.py` | High
|
||||
8 | File | `/bcms/admin/?page=user/list` | High
|
||||
9 | File | `/bsms/?page=manage_account` | High
|
||||
10 | File | `/cgi-bin/login.cgi` | High
|
||||
11 | File | `/ci_hms/massage_room/edit/1` | High
|
||||
12 | File | `/context/%2e/WEB-INF/web.xml` | High
|
||||
13 | File | `/dashboard/reports/logs/view` | High
|
||||
14 | File | `/debug/pprof` | Medium
|
||||
15 | File | `/etc/hosts` | Medium
|
||||
16 | File | `/fuel/index.php/fuel/logs/items` | High
|
||||
17 | File | `/fuel/sitevariables/delete/4` | High
|
||||
18 | File | `/goform/aspForm` | High
|
||||
19 | File | `/hocms/classes/Master.php?f=delete_collection` | High
|
||||
20 | File | `/hprms/admin/doctors/manage_doctor.php` | High
|
||||
21 | File | `/index/jobfairol/show/` | High
|
||||
22 | File | `/librarian/bookdetails.php` | High
|
||||
23 | File | `/mgmt/tm/util/bash` | High
|
||||
24 | File | `/ms/cms/content/list.do` | High
|
||||
25 | File | `/new` | Low
|
||||
26 | File | `/orms/` | Low
|
||||
27 | File | `/plesk-site-preview/` | High
|
||||
28 | File | `/proc/<PID>/mem` | High
|
||||
29 | File | `/proc/<pid>/status` | High
|
||||
30 | File | `/public/plugins/` | High
|
||||
31 | File | `/school/model/get_admin_profile.php` | High
|
||||
5 | File | `/Ap4RtpAtom.cpp` | High
|
||||
6 | File | `/app/options.py` | High
|
||||
7 | File | `/bcms/admin/?page=user/list` | High
|
||||
8 | File | `/bsms/?page=manage_account` | High
|
||||
9 | File | `/cgi-bin/login.cgi` | High
|
||||
10 | File | `/ci_hms/massage_room/edit/1` | High
|
||||
11 | File | `/context/%2e/WEB-INF/web.xml` | High
|
||||
12 | File | `/dashboard/reports/logs/view` | High
|
||||
13 | File | `/debug/pprof` | Medium
|
||||
14 | File | `/etc/hosts` | Medium
|
||||
15 | File | `/fuel/index.php/fuel/logs/items` | High
|
||||
16 | File | `/fuel/sitevariables/delete/4` | High
|
||||
17 | File | `/goform/aspForm` | High
|
||||
18 | File | `/hocms/classes/Master.php?f=delete_collection` | High
|
||||
19 | File | `/hprms/admin/doctors/manage_doctor.php` | High
|
||||
20 | File | `/index/jobfairol/show/` | High
|
||||
21 | File | `/librarian/bookdetails.php` | High
|
||||
22 | File | `/mgmt/tm/util/bash` | High
|
||||
23 | File | `/ms/cms/content/list.do` | High
|
||||
24 | File | `/new` | Low
|
||||
25 | File | `/orms/` | Low
|
||||
26 | File | `/plesk-site-preview/` | High
|
||||
27 | File | `/proc/<PID>/mem` | High
|
||||
28 | File | `/proc/<pid>/status` | High
|
||||
29 | File | `/public/plugins/` | High
|
||||
30 | File | `/school/model/get_admin_profile.php` | High
|
||||
31 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
32 | ... | ... | ...
|
||||
|
||||
There are 273 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 272 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -18,10 +18,10 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
|
||||
* [PT](https://vuldb.com/?country.pt)
|
||||
* [SV](https://vuldb.com/?country.sv)
|
||||
* [DE](https://vuldb.com/?country.de)
|
||||
* [FR](https://vuldb.com/?country.fr)
|
||||
* ...
|
||||
|
||||
There are 7 more country items available. Please use our online service to access the data.
|
||||
There are 6 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -76,28 +76,28 @@ ID | Type | Indicator | Confidence
|
|||
6 | File | `/admin/general/change-lang` | High
|
||||
7 | File | `/admin/renewaldue.php` | High
|
||||
8 | File | `/admin/showbad.php` | High
|
||||
9 | File | `/admin/ztliuyan_sendmail.php` | High
|
||||
10 | File | `/ajax/config_rollback/` | High
|
||||
11 | File | `/ajax/remove_sniffer_raw_log/` | High
|
||||
12 | File | `/bsms/?page=manage_account` | High
|
||||
13 | File | `/category.php` | High
|
||||
14 | File | `/ci_hms/massage_room/edit/1` | High
|
||||
15 | File | `/ci_spms/admin/category` | High
|
||||
16 | File | `/classes/Master.php?f=delete_schedule` | High
|
||||
17 | File | `/dashboard/blocks/stacks/view_details/` | High
|
||||
18 | File | `/dashboard/menu-list.php` | High
|
||||
19 | File | `/dev/pts/` | Medium
|
||||
20 | File | `/ffos/classes/Master.php?f=save_category` | High
|
||||
21 | File | `/film-rating.php` | High
|
||||
22 | File | `/jfinal_cms/system/dict/list` | High
|
||||
23 | File | `/list` | Low
|
||||
24 | File | `/mnotice.php?id=2` | High
|
||||
25 | File | `/orrs/admin/reservations/view_details.php` | High
|
||||
26 | File | `/pms/admin/actions/manage_action.php` | High
|
||||
27 | File | `/pms/admin/inmates/view_inmate.php` | High
|
||||
9 | File | `/admin/vca/bia/addacph.cgi` | High
|
||||
10 | File | `/admin/ztliuyan_sendmail.php` | High
|
||||
11 | File | `/ajax/config_rollback/` | High
|
||||
12 | File | `/ajax/remove_sniffer_raw_log/` | High
|
||||
13 | File | `/bsms/?page=manage_account` | High
|
||||
14 | File | `/category.php` | High
|
||||
15 | File | `/ci_hms/massage_room/edit/1` | High
|
||||
16 | File | `/ci_spms/admin/category` | High
|
||||
17 | File | `/classes/Master.php?f=delete_schedule` | High
|
||||
18 | File | `/dashboard/blocks/stacks/view_details/` | High
|
||||
19 | File | `/dashboard/menu-list.php` | High
|
||||
20 | File | `/dev/pts/` | Medium
|
||||
21 | File | `/ffos/classes/Master.php?f=save_category` | High
|
||||
22 | File | `/film-rating.php` | High
|
||||
23 | File | `/index.php` | Medium
|
||||
24 | File | `/jfinal_cms/system/dict/list` | High
|
||||
25 | File | `/list` | Low
|
||||
26 | File | `/orrs/admin/reservations/view_details.php` | High
|
||||
27 | File | `/pms/admin/actions/manage_action.php` | High
|
||||
28 | ... | ... | ...
|
||||
|
||||
There are 240 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 233 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
* [IR](https://vuldb.com/?country.ir)
|
||||
* ...
|
||||
|
||||
There are 9 more country items available. Please use our online service to access the data.
|
||||
There are 8 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -45,12 +45,13 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 6 more TTP items available. Please use our online service to access the data.
|
||||
There are 16 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -65,14 +66,14 @@ ID | Type | Indicator | Confidence
|
|||
5 | File | `/admin/generalsettings.php` | High
|
||||
6 | File | `/admin/newsletter1.php` | High
|
||||
7 | File | `/admin/payment.php` | High
|
||||
8 | File | `/bdswebui/assignusers/` | High
|
||||
9 | File | `/etc/fstab` | Medium
|
||||
10 | File | `/file?action=download&file` | High
|
||||
11 | File | `/filemanager/upload/drop` | High
|
||||
12 | File | `/irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.UserMapping` | High
|
||||
13 | File | `/medical/inventories.php` | High
|
||||
14 | File | `/mgmt/tm/util/bash` | High
|
||||
15 | File | `/monitoring` | Medium
|
||||
8 | File | `/core/conditions/AbstractWrapper.java` | High
|
||||
9 | File | `/file?action=download&file` | High
|
||||
10 | File | `/filemanager/upload/drop` | High
|
||||
11 | File | `/irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.UserMapping` | High
|
||||
12 | File | `/medical/inventories.php` | High
|
||||
13 | File | `/mgmt/tm/util/bash` | High
|
||||
14 | File | `/monitoring` | Medium
|
||||
15 | File | `/plugin/LiveChat/getChat.json.php` | High
|
||||
16 | File | `/plugins/servlet/audit/resource` | High
|
||||
17 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
|
||||
18 | File | `/replication` | Medium
|
||||
|
@ -84,9 +85,10 @@ ID | Type | Indicator | Confidence
|
|||
24 | File | `/uncpath/` | Medium
|
||||
25 | File | `/upload` | Low
|
||||
26 | File | `/var/log/nginx` | High
|
||||
27 | ... | ... | ...
|
||||
27 | File | `/var/run/watchman.pid` | High
|
||||
28 | ... | ... | ...
|
||||
|
||||
There are 232 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 233 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -26,7 +26,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
1 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
2 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
3 | T1505 | CWE-89 | SQL Injection | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 2 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
|
|
@ -49,12 +49,13 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
|
||||
2 | T1055 | CWE-74 | Injection | High
|
||||
3 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
4 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 7 more TTP items available. Please use our online service to access the data.
|
||||
There are 15 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -66,43 +67,44 @@ ID | Type | Indicator | Confidence
|
|||
2 | File | `/.env` | Low
|
||||
3 | File | `/admin.php` | Medium
|
||||
4 | File | `/anony/mjpg.cgi` | High
|
||||
5 | File | `/file?action=download&file` | High
|
||||
6 | File | `/html/Solar_Ftp.php` | High
|
||||
7 | File | `/layout/class.xblogcomment.php` | High
|
||||
8 | File | `/manager/jsp/test.jsp` | High
|
||||
9 | File | `/medical/inventories.php` | High
|
||||
10 | File | `/monitoring` | Medium
|
||||
11 | File | `/plugins/servlet/audit/resource` | High
|
||||
12 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
|
||||
13 | File | `/public/login.htm` | High
|
||||
14 | File | `/replication` | Medium
|
||||
15 | File | `/RestAPI` | Medium
|
||||
16 | File | `/tmp/speedtest_urls.xml` | High
|
||||
17 | File | `/tmp/zarafa-vacation-*` | High
|
||||
18 | File | `/uncpath/` | Medium
|
||||
19 | File | `/upload` | Low
|
||||
20 | File | `/usr/bin/at` | Medium
|
||||
21 | File | `/var/log/nginx` | High
|
||||
22 | File | `/_vti_pvt/access.cnf` | High
|
||||
23 | File | `admin-ajax.php?action=get_wdtable order[0][dir]` | High
|
||||
24 | File | `admin/e_mesaj_yaz.asp` | High
|
||||
25 | File | `admin/profile.php` | High
|
||||
26 | File | `admin/salesadmin.php` | High
|
||||
27 | File | `admin/systemWebAdminConfig.do` | High
|
||||
28 | File | `admin11.cgi` | Medium
|
||||
29 | File | `admincp/auth/checklogin.php` | High
|
||||
30 | File | `agenda2.php3` | Medium
|
||||
31 | File | `ajax-actions.php` | High
|
||||
32 | File | `ajax/deletePage.php` | High
|
||||
33 | File | `ajouter_tva.php` | High
|
||||
34 | File | `apcupsd.pid` | Medium
|
||||
35 | File | `api/sms/send-sms` | High
|
||||
36 | File | `api/v1/alarms` | High
|
||||
37 | File | `application/controller/InstallerController.php` | High
|
||||
38 | File | `arch/powerpc/kvm/book3s_rtas.c` | High
|
||||
39 | ... | ... | ...
|
||||
5 | File | `/core/conditions/AbstractWrapper.java` | High
|
||||
6 | File | `/file?action=download&file` | High
|
||||
7 | File | `/html/Solar_Ftp.php` | High
|
||||
8 | File | `/layout/class.xblogcomment.php` | High
|
||||
9 | File | `/manager/jsp/test.jsp` | High
|
||||
10 | File | `/medical/inventories.php` | High
|
||||
11 | File | `/monitoring` | Medium
|
||||
12 | File | `/plugin/LiveChat/getChat.json.php` | High
|
||||
13 | File | `/plugins/servlet/audit/resource` | High
|
||||
14 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
|
||||
15 | File | `/public/login.htm` | High
|
||||
16 | File | `/replication` | Medium
|
||||
17 | File | `/RestAPI` | Medium
|
||||
18 | File | `/tmp/speedtest_urls.xml` | High
|
||||
19 | File | `/tmp/zarafa-vacation-*` | High
|
||||
20 | File | `/uncpath/` | Medium
|
||||
21 | File | `/upload` | Low
|
||||
22 | File | `/usr/bin/at` | Medium
|
||||
23 | File | `/var/log/nginx` | High
|
||||
24 | File | `/var/run/watchman.pid` | High
|
||||
25 | File | `/_vti_pvt/access.cnf` | High
|
||||
26 | File | `admin-ajax.php?action=get_wdtable order[0][dir]` | High
|
||||
27 | File | `admin/e_mesaj_yaz.asp` | High
|
||||
28 | File | `admin/profile.php` | High
|
||||
29 | File | `admin/salesadmin.php` | High
|
||||
30 | File | `admin/systemWebAdminConfig.do` | High
|
||||
31 | File | `admin11.cgi` | Medium
|
||||
32 | File | `admincp/auth/checklogin.php` | High
|
||||
33 | File | `AdxDSrv.exe` | Medium
|
||||
34 | File | `agenda2.php3` | Medium
|
||||
35 | File | `ajax-actions.php` | High
|
||||
36 | File | `ajax/deletePage.php` | High
|
||||
37 | File | `ajouter_tva.php` | High
|
||||
38 | File | `apcupsd.pid` | Medium
|
||||
39 | File | `api/sms/send-sms` | High
|
||||
40 | ... | ... | ...
|
||||
|
||||
There are 332 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 342 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -36,12 +36,14 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-250, CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-24 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
|
||||
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
6 | ... | ... | ... | ...
|
||||
|
||||
There are 10 more TTP items available. Please use our online service to access the data.
|
||||
There are 20 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -55,51 +57,53 @@ ID | Type | Indicator | Confidence
|
|||
4 | File | `/accountancy/admin/accountmodel.php` | High
|
||||
5 | File | `/admin/default.asp` | High
|
||||
6 | File | `/ajax/networking/get_netcfg.php` | High
|
||||
7 | File | `/assets/ctx` | Medium
|
||||
8 | File | `/cgi-bin/login_action.cgi` | High
|
||||
9 | File | `/cgi-bin/supervisor/PwdGrp.cgi` | High
|
||||
10 | File | `/checkLogin.cgi` | High
|
||||
11 | File | `/cms/print.php` | High
|
||||
12 | File | `/concat?/%2557EB-INF/web.xml` | High
|
||||
13 | File | `/Content/Template/root/reverse-shell.aspx` | High
|
||||
14 | File | `/data/remove` | Medium
|
||||
15 | File | `/DbXmlInfo.xml` | High
|
||||
16 | File | `/download` | Medium
|
||||
17 | File | `/etc/passwd` | Medium
|
||||
18 | File | `/goforms/rlminfo` | High
|
||||
19 | File | `/login` | Low
|
||||
20 | File | `/navigate/navigate_download.php` | High
|
||||
21 | File | `/owa/auth/logon.aspx` | High
|
||||
22 | File | `/p` | Low
|
||||
23 | File | `/password.html` | High
|
||||
24 | File | `/proc/ioports` | High
|
||||
25 | File | `/property-list/property_view.php` | High
|
||||
26 | File | `/ptms/classes/Users.php` | High
|
||||
27 | File | `/rest` | Low
|
||||
28 | File | `/rest/api/2/search` | High
|
||||
29 | File | `/s/` | Low
|
||||
30 | File | `/scripts/cpan_config` | High
|
||||
31 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
32 | File | `/services/system/setup.json` | High
|
||||
33 | File | `/uncpath/` | Medium
|
||||
34 | File | `/vloggers_merch/?p=view_product` | High
|
||||
35 | File | `/webconsole/APIController` | High
|
||||
36 | File | `/websocket/exec` | High
|
||||
37 | File | `/wp-admin/admin-ajax.php` | High
|
||||
38 | File | `/wp-json` | Medium
|
||||
39 | File | `/wp-json/oembed/1.0/embed?url` | High
|
||||
40 | File | `/_next` | Low
|
||||
41 | File | `4.edu.php\conn\function.php` | High
|
||||
42 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
43 | File | `adclick.php` | Medium
|
||||
44 | File | `addentry.php` | Medium
|
||||
45 | File | `admin.php?reqGadget=Components&reqAction=InstallGadget&comp=FileBrowser` | High
|
||||
46 | File | `admin/category.inc.php` | High
|
||||
47 | File | `admin/conf_users_edit.php` | High
|
||||
48 | File | `admin/dl_sendmail.php` | High
|
||||
49 | ... | ... | ...
|
||||
7 | File | `/app/options.py` | High
|
||||
8 | File | `/assets/ctx` | Medium
|
||||
9 | File | `/checkLogin.cgi` | High
|
||||
10 | File | `/ci_spms/admin/category` | High
|
||||
11 | File | `/ci_spms/admin/search/searching/` | High
|
||||
12 | File | `/classes/Master.php?f=delete_train` | High
|
||||
13 | File | `/cms/print.php` | High
|
||||
14 | File | `/concat?/%2557EB-INF/web.xml` | High
|
||||
15 | File | `/Content/Template/root/reverse-shell.aspx` | High
|
||||
16 | File | `/data/remove` | Medium
|
||||
17 | File | `/download` | Medium
|
||||
18 | File | `/etc/passwd` | Medium
|
||||
19 | File | `/goforms/rlminfo` | High
|
||||
20 | File | `/login` | Low
|
||||
21 | File | `/navigate/navigate_download.php` | High
|
||||
22 | File | `/ocwbs/admin/?page=user/manage_user` | High
|
||||
23 | File | `/ofrs/admin/?page=user/manage_user` | High
|
||||
24 | File | `/owa/auth/logon.aspx` | High
|
||||
25 | File | `/p` | Low
|
||||
26 | File | `/password.html` | High
|
||||
27 | File | `/proc/ioports` | High
|
||||
28 | File | `/property-list/property_view.php` | High
|
||||
29 | File | `/ptms/classes/Users.php` | High
|
||||
30 | File | `/rest` | Low
|
||||
31 | File | `/rest/api/2/search` | High
|
||||
32 | File | `/s/` | Low
|
||||
33 | File | `/scripts/cpan_config` | High
|
||||
34 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
35 | File | `/services/system/setup.json` | High
|
||||
36 | File | `/spip.php` | Medium
|
||||
37 | File | `/uncpath/` | Medium
|
||||
38 | File | `/vloggers_merch/?p=view_product` | High
|
||||
39 | File | `/webconsole/APIController` | High
|
||||
40 | File | `/websocket/exec` | High
|
||||
41 | File | `/wp-admin/admin-ajax.php` | High
|
||||
42 | File | `/wp-json` | Medium
|
||||
43 | File | `/wp-json/oembed/1.0/embed?url` | High
|
||||
44 | File | `/_next` | Low
|
||||
45 | File | `4.edu.php\conn\function.php` | High
|
||||
46 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
47 | File | `adclick.php` | Medium
|
||||
48 | File | `addentry.php` | Medium
|
||||
49 | File | `admin.php?reqGadget=Components&reqAction=InstallGadget&comp=FileBrowser` | High
|
||||
50 | File | `admin/category.inc.php` | High
|
||||
51 | ... | ... | ...
|
||||
|
||||
There are 429 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 444 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -0,0 +1,30 @@
|
|||
# Aggah - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Aggah](https://vuldb.com/?actor.aggah). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.aggah](https://vuldb.com/?actor.aggah)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Aggah.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [103.125.190.248](https://vuldb.com/?ip.103.125.190.248) | - | - | High
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://github.com/executemalware/Malware-IOCs/blob/main/2021-10-18%20Aggah%20IOCs
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -8,7 +8,12 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
|
|||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with AsyncRAT:
|
||||
|
||||
* [DE](https://vuldb.com/?country.de)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [GB](https://vuldb.com/?country.gb)
|
||||
* [FR](https://vuldb.com/?country.fr)
|
||||
* ...
|
||||
|
||||
There are 3 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -16,8 +21,12 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
|
|||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [94.130.207.164](https://vuldb.com/?ip.94.130.207.164) | static.164.207.130.94.clients.your-server.de | - | High
|
||||
2 | [141.95.89.79](https://vuldb.com/?ip.141.95.89.79) | ip79.ip-141-95-89.eu | - | High
|
||||
1 | [23.102.1.5](https://vuldb.com/?ip.23.102.1.5) | - | - | High
|
||||
2 | [62.197.136.69](https://vuldb.com/?ip.62.197.136.69) | - | - | High
|
||||
3 | [79.134.225.35](https://vuldb.com/?ip.79.134.225.35) | - | - | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 6 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
@ -25,7 +34,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1592 | CWE-200 | Configuration | High
|
||||
1 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
2 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
3 | T1068 | CWE-264, CWE-269, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 9 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -33,15 +47,28 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `data/gbconfiguration.dat` | High
|
||||
2 | File | `redirect.php` | Medium
|
||||
3 | Argument | `goto` | Low
|
||||
1 | File | `/cgi-bin/supervisor/PwdGrp.cgi` | High
|
||||
2 | File | `/debug/pprof` | Medium
|
||||
3 | File | `/etc/sudoers` | Medium
|
||||
4 | File | `/info.asp` | Medium
|
||||
5 | File | `/ucms/chk.php` | High
|
||||
6 | File | `/uncpath/` | Medium
|
||||
7 | File | `5.2.9\syscrb.exe` | High
|
||||
8 | ... | ... | ...
|
||||
|
||||
There are 59 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service
|
||||
* https://blog.talosintelligence.com/2022/04/asyncrat-3losh-update.html
|
||||
* https://github.com/executemalware/Malware-IOCs/blob/main/2021-10-20%20AsyncRAT%20IOCs
|
||||
* https://github.com/executemalware/Malware-IOCs/blob/main/2021-10-29%20Various%20RAT%20IOCs
|
||||
* https://github.com/executemalware/Malware-IOCs/blob/main/2022-04-05%20AsyncRAT%20IOCs
|
||||
* https://github.com/executemalware/Malware-IOCs/blob/main/2022-05-25%20Likely%20AsyncRAT%20IOCs
|
||||
* https://github.com/executemalware/Malware-IOCs/blob/main/2022-06-28%20AsyncRAT%20IOCs
|
||||
|
||||
## Literature
|
||||
|
||||
|
|
|
@ -9,11 +9,11 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
|
|||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with B1txor20:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [ES](https://vuldb.com/?country.es)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* [PT](https://vuldb.com/?country.pt)
|
||||
* ...
|
||||
|
||||
There are 8 more country items available. Please use our online service to access the data.
|
||||
There are 13 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -46,13 +46,13 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-294, CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
2 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
|
||||
4 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
6 | ... | ... | ... | ...
|
||||
|
||||
There are 19 more TTP items available. Please use our online service to access the data.
|
||||
There are 20 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -60,35 +60,30 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/action/import_https_cert_file/` | High
|
||||
2 | File | `/action/remove/` | High
|
||||
3 | File | `/admin/featured.php` | High
|
||||
4 | File | `/admin/inquiries/view_details.php` | High
|
||||
5 | File | `/ajax/config_rollback/` | High
|
||||
6 | File | `/alarm_pi/alarmService.php` | High
|
||||
7 | File | `/api/admin/attachments/upload` | High
|
||||
8 | File | `/bsms/?page=manage_account` | High
|
||||
9 | File | `/cgi-bin/login.cgi` | High
|
||||
10 | File | `/ci_hms/massage_room/edit/1` | High
|
||||
11 | File | `/ci_hms/search` | High
|
||||
12 | File | `/classes/Master.php?f=delete_reservation` | High
|
||||
13 | File | `/classes/Master.php?f=delete_schedule` | High
|
||||
14 | File | `/classes/Master.php?f=delete_train` | High
|
||||
15 | File | `/College/admin/teacher.php` | High
|
||||
16 | File | `/company` | Medium
|
||||
17 | File | `/company/down_resume/total/nature` | High
|
||||
18 | File | `/company/service/increment/add/im` | High
|
||||
19 | File | `/dashboard/blocks/stacks/view_details/` | High
|
||||
20 | File | `/dashboard/reports/logs/view` | High
|
||||
21 | File | `/dashboard/system/express/entities/forms/save_control/[GUID]` | High
|
||||
22 | File | `/forum/away.php` | High
|
||||
23 | File | `/home/campus/campus_job` | High
|
||||
24 | File | `/home/job/index` | High
|
||||
25 | File | `/home/job/map` | High
|
||||
26 | File | `/hprms/admin/doctors/manage_doctor.php` | High
|
||||
27 | ... | ... | ...
|
||||
1 | File | `.encfs6.xml` | Medium
|
||||
2 | File | `.forward` | Medium
|
||||
3 | File | `.python-version` | High
|
||||
4 | File | `/ajax/remove_sniffer_raw_log/` | High
|
||||
5 | File | `/api/sys_username_passwd.cmd` | High
|
||||
6 | File | `/auth/callback` | High
|
||||
7 | File | `/bin/posix/src/ports/POSIX/OpENer` | High
|
||||
8 | File | `/bmis/pages/resident/resident.php` | High
|
||||
9 | File | `/cgi-bin/mesh.cgi?page=upgrade` | High
|
||||
10 | File | `/cgi-bin/nightled.cgi` | High
|
||||
11 | File | `/cgi-bin/nobody` | High
|
||||
12 | File | `/ci_spms/admin/category` | High
|
||||
13 | File | `/conf/` | Low
|
||||
14 | File | `/dashboard/menu-list.php` | High
|
||||
15 | File | `/dashboard/profile.php` | High
|
||||
16 | File | `/dashboard/reports/logs/view` | High
|
||||
17 | File | `/dashboard/table-list.php` | High
|
||||
18 | File | `/dev/pts/` | Medium
|
||||
19 | File | `/editbrand.php` | High
|
||||
20 | File | `/etc/hosts` | Medium
|
||||
21 | File | `/etc/lighttpd.d/ca.pem` | High
|
||||
22 | ... | ... | ...
|
||||
|
||||
There are 230 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 179 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
* [RU](https://vuldb.com/?country.ru)
|
||||
* ...
|
||||
|
||||
There are 27 more country items available. Please use our online service to access the data.
|
||||
There are 28 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -56,49 +56,49 @@ ID | Type | Indicator | Confidence
|
|||
5 | File | `/ajax/networking/get_netcfg.php` | High
|
||||
6 | File | `/app/options.py` | High
|
||||
7 | File | `/assets/ctx` | Medium
|
||||
8 | File | `/cgi-bin/login_action.cgi` | High
|
||||
9 | File | `/cgi-bin/supervisor/PwdGrp.cgi` | High
|
||||
10 | File | `/checkLogin.cgi` | High
|
||||
11 | File | `/ci_spms/admin/category` | High
|
||||
12 | File | `/ci_spms/admin/search/searching/` | High
|
||||
13 | File | `/classes/Master.php?f=delete_train` | High
|
||||
14 | File | `/cms/print.php` | High
|
||||
15 | File | `/concat?/%2557EB-INF/web.xml` | High
|
||||
16 | File | `/Content/Template/root/reverse-shell.aspx` | High
|
||||
8 | File | `/cgi-bin/supervisor/PwdGrp.cgi` | High
|
||||
9 | File | `/checkLogin.cgi` | High
|
||||
10 | File | `/ci_spms/admin/category` | High
|
||||
11 | File | `/ci_spms/admin/search/searching/` | High
|
||||
12 | File | `/classes/Master.php?f=delete_train` | High
|
||||
13 | File | `/cms/print.php` | High
|
||||
14 | File | `/concat?/%2557EB-INF/web.xml` | High
|
||||
15 | File | `/Content/Template/root/reverse-shell.aspx` | High
|
||||
16 | File | `/dashboard/menu-list.php` | High
|
||||
17 | File | `/data/remove` | Medium
|
||||
18 | File | `/etc/passwd` | Medium
|
||||
19 | File | `/goforms/rlminfo` | High
|
||||
20 | File | `/login` | Low
|
||||
21 | File | `/navigate/navigate_download.php` | High
|
||||
22 | File | `/ocwbs/admin/?page=user/manage_user` | High
|
||||
23 | File | `/ofrs/admin/?page=user/manage_user` | High
|
||||
24 | File | `/oputilsServlet` | High
|
||||
25 | File | `/owa/auth/logon.aspx` | High
|
||||
26 | File | `/p` | Low
|
||||
27 | File | `/password.html` | High
|
||||
28 | File | `/proc/ioports` | High
|
||||
29 | File | `/property-list/property_view.php` | High
|
||||
30 | File | `/ptms/classes/Users.php` | High
|
||||
31 | File | `/rest` | Low
|
||||
32 | File | `/rest/api/2/search` | High
|
||||
33 | File | `/s/` | Low
|
||||
34 | File | `/scripts/cpan_config` | High
|
||||
35 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
36 | File | `/services/system/setup.json` | High
|
||||
37 | File | `/spip.php` | Medium
|
||||
38 | File | `/uncpath/` | Medium
|
||||
39 | File | `/vloggers_merch/?p=view_product` | High
|
||||
40 | File | `/webconsole/APIController` | High
|
||||
41 | File | `/websocket/exec` | High
|
||||
42 | File | `/wp-admin/admin-ajax.php` | High
|
||||
43 | File | `/wp-json` | Medium
|
||||
44 | File | `/wp-json/oembed/1.0/embed?url` | High
|
||||
45 | File | `/_next` | Low
|
||||
46 | File | `4.edu.php\conn\function.php` | High
|
||||
47 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
19 | File | `/ffos/classes/Master.php?f=save_category` | High
|
||||
20 | File | `/goforms/rlminfo` | High
|
||||
21 | File | `/login` | Low
|
||||
22 | File | `/navigate/navigate_download.php` | High
|
||||
23 | File | `/ocwbs/admin/?page=user/manage_user` | High
|
||||
24 | File | `/ofrs/admin/?page=user/manage_user` | High
|
||||
25 | File | `/oputilsServlet` | High
|
||||
26 | File | `/owa/auth/logon.aspx` | High
|
||||
27 | File | `/p` | Low
|
||||
28 | File | `/password.html` | High
|
||||
29 | File | `/proc/ioports` | High
|
||||
30 | File | `/property-list/property_view.php` | High
|
||||
31 | File | `/ptms/classes/Users.php` | High
|
||||
32 | File | `/rest` | Low
|
||||
33 | File | `/rest/api/2/search` | High
|
||||
34 | File | `/s/` | Low
|
||||
35 | File | `/scripts/cpan_config` | High
|
||||
36 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
37 | File | `/services/system/setup.json` | High
|
||||
38 | File | `/spip.php` | Medium
|
||||
39 | File | `/uncpath/` | Medium
|
||||
40 | File | `/vloggers_merch/?p=view_product` | High
|
||||
41 | File | `/webconsole/APIController` | High
|
||||
42 | File | `/websocket/exec` | High
|
||||
43 | File | `/wp-admin/admin-ajax.php` | High
|
||||
44 | File | `/wp-json` | Medium
|
||||
45 | File | `/wp-json/oembed/1.0/embed?url` | High
|
||||
46 | File | `/_next` | Low
|
||||
47 | File | `4.edu.php\conn\function.php` | High
|
||||
48 | ... | ... | ...
|
||||
|
||||
There are 412 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 419 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -0,0 +1,96 @@
|
|||
# BitRAT - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [BitRAT](https://vuldb.com/?actor.bitrat). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.bitrat](https://vuldb.com/?actor.bitrat)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with BitRAT:
|
||||
|
||||
* [DE](https://vuldb.com/?country.de)
|
||||
* [RU](https://vuldb.com/?country.ru)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of BitRAT.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [135.181.6.215](https://vuldb.com/?ip.135.181.6.215) | static.215.6.181.135.clients.your-server.de | - | High
|
||||
2 | [135.181.140.153](https://vuldb.com/?ip.135.181.140.153) | static.153.140.181.135.clients.your-server.de | - | High
|
||||
3 | [135.181.140.182](https://vuldb.com/?ip.135.181.140.182) | static.182.140.181.135.clients.your-server.de | - | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _BitRAT_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
3 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 4 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by BitRAT. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/includes/db_adodb.php` | High
|
||||
2 | File | `/includes/db_connect.php` | High
|
||||
3 | File | `/includes/session.php` | High
|
||||
4 | File | `/modules/admin/vw_usr_roles.php` | High
|
||||
5 | File | `/modules/projects/gantt2.php` | High
|
||||
6 | File | `/modules/projects/vw_files.php` | High
|
||||
7 | File | `/modules/public/date_format.php` | High
|
||||
8 | File | `/modules/tasks/gantt.php` | High
|
||||
9 | File | `/var/WEB-GUI/cgi-bin/telnet.cgi` | High
|
||||
10 | File | `actions/del.php` | High
|
||||
11 | File | `addsite.php` | Medium
|
||||
12 | File | `Admin.PHP` | Medium
|
||||
13 | File | `admin.php` | Medium
|
||||
14 | File | `admin/define.inc.php` | High
|
||||
15 | File | `admin/general.php` | High
|
||||
16 | File | `admin/review.php` | High
|
||||
17 | File | `admincp/auth/secure.php` | High
|
||||
18 | File | `affich.php` | Medium
|
||||
19 | File | `agenda.php3` | Medium
|
||||
20 | File | `agenda2.php3` | Medium
|
||||
21 | File | `akocomments.php` | High
|
||||
22 | File | `album_portal.php` | High
|
||||
23 | File | `al_initialize.php` | High
|
||||
24 | File | `announcements.php` | High
|
||||
25 | File | `apa_phpinclude.inc.php` | High
|
||||
26 | File | `application.php` | High
|
||||
27 | File | `ashnews.php/ashheadlines.php` | High
|
||||
28 | File | `auction\auction_common.php` | High
|
||||
29 | File | `auktion.cgi` | Medium
|
||||
30 | File | `auth.inc.php` | Medium
|
||||
31 | File | `auth.php` | Medium
|
||||
32 | File | `authform.inc.php` | High
|
||||
33 | File | `bad_link.php` | Medium
|
||||
34 | File | `bb_usage_stats.php` | High
|
||||
35 | ... | ... | ...
|
||||
|
||||
There are 299 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -10,7 +10,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [DE](https://vuldb.com/?country.de)
|
||||
* [RU](https://vuldb.com/?country.ru)
|
||||
* [FR](https://vuldb.com/?country.fr)
|
||||
* ...
|
||||
|
||||
There are 5 more country items available. Please use our online service to access the data.
|
||||
|
@ -34,12 +34,15 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
|
||||
2 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
3 | T1068 | CWE-250, CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
4 | ... | ... | ... | ...
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-425 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-294, CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
|
||||
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
6 | T1068 | CWE-250, CWE-264, CWE-269, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
7 | ... | ... | ... | ...
|
||||
|
||||
There are 11 more TTP items available. Please use our online service to access the data.
|
||||
There are 24 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -62,30 +65,31 @@ ID | Type | Indicator | Confidence
|
|||
13 | File | `/admin/siteoptions.php&action=displaygoal&value=1&roleid=1` | High
|
||||
14 | File | `/admin/uesrs.php&&action=delete&userid=4` | High
|
||||
15 | File | `/admin/uesrs.php&action=type&userrole=Admin&userid=3` | High
|
||||
16 | File | `/api/programs/orgUnits?programs` | High
|
||||
17 | File | `/application/controllers/Users.php` | High
|
||||
18 | File | `/bcms/admin/?page=reports/daily_court_rental_report` | High
|
||||
19 | File | `/bcms/admin/?page=service_transactions/manage_service_transaction` | High
|
||||
20 | File | `/bcms/classes/Master.php?f=delete_court_rental` | High
|
||||
21 | File | `/blog/blog.php` | High
|
||||
22 | File | `/cdsms/classes/Master.php?f=delete_enrollment` | High
|
||||
23 | File | `/cgi-bin/kerbynet` | High
|
||||
24 | File | `/cgi/get_param.cgi` | High
|
||||
25 | File | `/checklogin.jsp` | High
|
||||
26 | File | `/cms/classes/Master.php?f=delete_service` | High
|
||||
27 | File | `/company/account/safety/trade` | High
|
||||
28 | File | `/ctpms/admin/?page=individuals/view_individual` | High
|
||||
29 | File | `/ctpms/classes/Master.php?f=delete_img` | High
|
||||
30 | File | `/dashboard/reports/logs/view` | High
|
||||
31 | File | `/dashboard/snapshot/*?orgId=0` | High
|
||||
32 | File | `/etc/ajenti/config.yml` | High
|
||||
33 | File | `/fuel/sitevariables/delete/4` | High
|
||||
34 | File | `/goform/AdvSetLanIp` | High
|
||||
35 | File | `/goform/aspForm` | High
|
||||
36 | File | `/goform/SetNetControlList` | High
|
||||
37 | ... | ... | ...
|
||||
16 | File | `/ajax/set_sys_time/` | High
|
||||
17 | File | `/api/programs/orgUnits?programs` | High
|
||||
18 | File | `/application/controllers/Users.php` | High
|
||||
19 | File | `/bcms/admin/?page=reports/daily_court_rental_report` | High
|
||||
20 | File | `/bcms/admin/?page=service_transactions/manage_service_transaction` | High
|
||||
21 | File | `/bcms/classes/Master.php?f=delete_court_rental` | High
|
||||
22 | File | `/blog/blog.php` | High
|
||||
23 | File | `/cdsms/classes/Master.php?f=delete_enrollment` | High
|
||||
24 | File | `/cgi-bin/kerbynet` | High
|
||||
25 | File | `/cgi/get_param.cgi` | High
|
||||
26 | File | `/checklogin.jsp` | High
|
||||
27 | File | `/ci_hms/search` | High
|
||||
28 | File | `/classes/Master.php?f=delete_schedule` | High
|
||||
29 | File | `/cms/classes/Master.php?f=delete_service` | High
|
||||
30 | File | `/company/account/safety/trade` | High
|
||||
31 | File | `/ctpms/admin/?page=individuals/view_individual` | High
|
||||
32 | File | `/ctpms/classes/Master.php?f=delete_img` | High
|
||||
33 | File | `/dashboard/reports/logs/view` | High
|
||||
34 | File | `/dashboard/snapshot/*?orgId=0` | High
|
||||
35 | File | `/etc/ajenti/config.yml` | High
|
||||
36 | File | `/fuel/sitevariables/delete/4` | High
|
||||
37 | File | `/goform/AdvSetLanIp` | High
|
||||
38 | ... | ... | ...
|
||||
|
||||
There are 317 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 327 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -9,11 +9,11 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
|
|||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with BlackEnergy:
|
||||
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [ES](https://vuldb.com/?country.es)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* ...
|
||||
|
||||
There are 23 more country items available. Please use our online service to access the data.
|
||||
There are 21 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -37,12 +37,13 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 4 more TTP items available. Please use our online service to access the data.
|
||||
There are 17 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -51,26 +52,26 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `//proc/kcore` | Medium
|
||||
2 | File | `/?module=users§ion=cpanel&page=list` | High
|
||||
3 | File | `/admin/dl_sendmail.php` | High
|
||||
4 | File | `/admin/powerline` | High
|
||||
5 | File | `/admin/syslog` | High
|
||||
6 | File | `/Ap4RtpAtom.cpp` | High
|
||||
7 | File | `/api/upload` | Medium
|
||||
8 | File | `/bcms/admin/?page=user/list` | High
|
||||
9 | File | `/bsms/?page=manage_account` | High
|
||||
10 | File | `/cgi-bin/login.cgi` | High
|
||||
11 | File | `/context/%2e/WEB-INF/web.xml` | High
|
||||
12 | File | `/dashboard/reports/logs/view` | High
|
||||
13 | File | `/debug/pprof` | Medium
|
||||
14 | File | `/fuel/index.php/fuel/logs/items` | High
|
||||
15 | File | `/fuel/sitevariables/delete/4` | High
|
||||
16 | File | `/hprms/admin/doctors/manage_doctor.php` | High
|
||||
17 | File | `/index/jobfairol/show/` | High
|
||||
18 | File | `/librarian/bookdetails.php` | High
|
||||
19 | File | `/mgmt/tm/util/bash` | High
|
||||
20 | File | `/monitoring` | Medium
|
||||
21 | File | `/new` | Low
|
||||
2 | File | `/admin/dl_sendmail.php` | High
|
||||
3 | File | `/Ap4RtpAtom.cpp` | High
|
||||
4 | File | `/app/options.py` | High
|
||||
5 | File | `/bcms/admin/?page=user/list` | High
|
||||
6 | File | `/bsms/?page=manage_account` | High
|
||||
7 | File | `/cgi-bin/login.cgi` | High
|
||||
8 | File | `/ci_hms/massage_room/edit/1` | High
|
||||
9 | File | `/context/%2e/WEB-INF/web.xml` | High
|
||||
10 | File | `/dashboard/reports/logs/view` | High
|
||||
11 | File | `/debug/pprof` | Medium
|
||||
12 | File | `/etc/hosts` | Medium
|
||||
13 | File | `/fuel/index.php/fuel/logs/items` | High
|
||||
14 | File | `/fuel/sitevariables/delete/4` | High
|
||||
15 | File | `/hprms/admin/doctors/manage_doctor.php` | High
|
||||
16 | File | `/index/jobfairol/show/` | High
|
||||
17 | File | `/librarian/bookdetails.php` | High
|
||||
18 | File | `/mgmt/tm/util/bash` | High
|
||||
19 | File | `/monitoring` | Medium
|
||||
20 | File | `/new` | Low
|
||||
21 | File | `/proc/<PID>/mem` | High
|
||||
22 | File | `/proc/<pid>/status` | High
|
||||
23 | File | `/public/plugins/` | High
|
||||
24 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
|
@ -79,15 +80,9 @@ ID | Type | Indicator | Confidence
|
|||
27 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
|
||||
28 | File | `/tmp` | Low
|
||||
29 | File | `/uncpath/` | Medium
|
||||
30 | File | `/usr/bin/pkexec` | High
|
||||
31 | File | `/views/directive/sys/SysConfigDataDirective.java` | High
|
||||
32 | File | `/wp-json/wc/v3/webhooks` | High
|
||||
33 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
34 | File | `AccountManagerService.java` | High
|
||||
35 | File | `actions/CompanyDetailsSave.php` | High
|
||||
36 | ... | ... | ...
|
||||
30 | ... | ... | ...
|
||||
|
||||
There are 305 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 252 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -64,17 +64,18 @@ ID | Type | Indicator | Confidence
|
|||
14 | File | `/tmp` | Low
|
||||
15 | File | `/uncpath/` | Medium
|
||||
16 | File | `/userRpm/MediaServerFoldersCfgRpm.htm` | High
|
||||
17 | File | `/ViewUserHover.jspa` | High
|
||||
18 | File | `AccountStatus.jsp` | High
|
||||
19 | File | `adclick.php` | Medium
|
||||
20 | File | `add.php` | Low
|
||||
21 | File | `admin/systemOutOfBand.do` | High
|
||||
22 | File | `app/application.cpp` | High
|
||||
23 | File | `auth-gss2.c` | Medium
|
||||
24 | File | `authent.php4` | Medium
|
||||
25 | ... | ... | ...
|
||||
17 | File | `/vicidial/AST_agent_time_sheet.php` | High
|
||||
18 | File | `/ViewUserHover.jspa` | High
|
||||
19 | File | `AccountStatus.jsp` | High
|
||||
20 | File | `adclick.php` | Medium
|
||||
21 | File | `add.php` | Low
|
||||
22 | File | `admin/systemOutOfBand.do` | High
|
||||
23 | File | `app/application.cpp` | High
|
||||
24 | File | `auth-gss2.c` | Medium
|
||||
25 | File | `authent.php4` | Medium
|
||||
26 | ... | ... | ...
|
||||
|
||||
There are 213 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 216 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -37,9 +37,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1548.002 | CWE-285 | Improper Authorization | High
|
||||
1 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
2 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
3 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 5 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
|
|
@ -9,8 +9,8 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
|
|||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Bumblebee:
|
||||
|
||||
* [VN](https://vuldb.com/?country.vn)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [NL](https://vuldb.com/?country.nl)
|
||||
* [IT](https://vuldb.com/?country.it)
|
||||
* [PL](https://vuldb.com/?country.pl)
|
||||
* ...
|
||||
|
||||
There are 2 more country items available. Please use our online service to access the data.
|
||||
|
@ -126,13 +126,13 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-21, CWE-22 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-294, CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
4 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 14 more TTP items available. Please use our online service to access the data.
|
||||
There are 15 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -140,18 +140,19 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/ci_hms/massage_room/edit/1` | High
|
||||
2 | File | `/ci_hms/search` | High
|
||||
3 | File | `/ci_ssms/index.php/orders/create` | High
|
||||
4 | File | `/College/admin/teacher.php` | High
|
||||
5 | File | `/pdfalto/src/pdfalto.cc` | High
|
||||
6 | File | `/pms/index.php` | High
|
||||
7 | File | `/pms/update_user.php?user_id=1` | High
|
||||
8 | File | `/resources//../` | High
|
||||
9 | File | `/storage/innobase/handler/handler0alter.cc` | High
|
||||
10 | ... | ... | ...
|
||||
1 | File | `/app/options.py` | High
|
||||
2 | File | `/auth/callback` | High
|
||||
3 | File | `/bin/posix/src/ports/POSIX/OpENer` | High
|
||||
4 | File | `/dashboard/menu-list.php` | High
|
||||
5 | File | `/dashboard/profile.php` | High
|
||||
6 | File | `/dashboard/table-list.php` | High
|
||||
7 | File | `/data/vendor/tcl` | High
|
||||
8 | File | `/etc/lighttpd.d/ca.pem` | High
|
||||
9 | File | `/ffos/classes/Master.php?f=save_category` | High
|
||||
10 | File | `/home/iojs/build/ws/out/Release/obj.target/deps/openssl/openssl.cnf` | High
|
||||
11 | ... | ... | ...
|
||||
|
||||
There are 77 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 87 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -48,7 +48,7 @@ ID | Technique | Weakness | Description | Confidence
|
|||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
|
||||
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
6 | T1068 | CWE-264, CWE-266, CWE-269, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
6 | T1068 | CWE-264, CWE-266, CWE-269, CWE-273, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
7 | ... | ... | ... | ...
|
||||
|
||||
There are 22 more TTP items available. Please use our online service to access the data.
|
||||
|
@ -69,35 +69,35 @@ ID | Type | Indicator | Confidence
|
|||
8 | File | `/Admin/Views/FileEditor/` | High
|
||||
9 | File | `/api/user/{ID}` | High
|
||||
10 | File | `/article/add` | Medium
|
||||
11 | File | `/cgi-bin/editBookmark` | High
|
||||
12 | File | `/cgi-bin/uploadWeiXinPic` | High
|
||||
13 | File | `/controller/pay.class.php` | High
|
||||
14 | File | `/ctpms/admin/?page=applications/view_application` | High
|
||||
15 | File | `/dev/block/mmcblk0rpmb` | High
|
||||
16 | File | `/dev/kmem` | Medium
|
||||
17 | File | `/dev/shm` | Medium
|
||||
18 | File | `/dev/snd/seq` | Medium
|
||||
19 | File | `/device/device=140/tab=wifi/view` | High
|
||||
20 | File | `/dl/dl_print.php` | High
|
||||
21 | File | `/getcfg.php` | Medium
|
||||
22 | File | `/goform/addressNat` | High
|
||||
23 | File | `/goform/SetClientState` | High
|
||||
24 | File | `/htdocs/admin/dict.php?id=3` | High
|
||||
25 | File | `/include/menu_v.inc.php` | High
|
||||
26 | File | `/irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.UserMapping` | High
|
||||
27 | File | `/jerry-core/ecma/base/ecma-gc.c` | High
|
||||
28 | File | `/jerry-core/ecma/base/ecma-helpers-conversion.c` | High
|
||||
29 | File | `/librarian/bookdetails.php` | High
|
||||
30 | File | `/login` | Low
|
||||
31 | File | `/mngset/authset` | High
|
||||
32 | File | `/module/module_frame/index.php` | High
|
||||
33 | File | `/nova/bin/sniffer` | High
|
||||
34 | File | `/ofcms/company-c-47` | High
|
||||
35 | File | `/proc/*/cmdline"` | High
|
||||
36 | File | `/proc/pid/syscall` | High
|
||||
11 | File | `/cgi-bin/uploadWeiXinPic` | High
|
||||
12 | File | `/controller/pay.class.php` | High
|
||||
13 | File | `/ctpms/admin/?page=applications/view_application` | High
|
||||
14 | File | `/dev/block/mmcblk0rpmb` | High
|
||||
15 | File | `/dev/kmem` | Medium
|
||||
16 | File | `/dev/shm` | Medium
|
||||
17 | File | `/dev/snd/seq` | Medium
|
||||
18 | File | `/device/device=140/tab=wifi/view` | High
|
||||
19 | File | `/dl/dl_print.php` | High
|
||||
20 | File | `/getcfg.php` | Medium
|
||||
21 | File | `/goform/addressNat` | High
|
||||
22 | File | `/goform/SetClientState` | High
|
||||
23 | File | `/htdocs/admin/dict.php?id=3` | High
|
||||
24 | File | `/include/menu_v.inc.php` | High
|
||||
25 | File | `/irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.UserMapping` | High
|
||||
26 | File | `/jerry-core/ecma/base/ecma-gc.c` | High
|
||||
27 | File | `/jerry-core/ecma/base/ecma-helpers-conversion.c` | High
|
||||
28 | File | `/librarian/bookdetails.php` | High
|
||||
29 | File | `/login` | Low
|
||||
30 | File | `/mngset/authset` | High
|
||||
31 | File | `/module/module_frame/index.php` | High
|
||||
32 | File | `/nova/bin/sniffer` | High
|
||||
33 | File | `/ofcms/company-c-47` | High
|
||||
34 | File | `/proc/*/cmdline"` | High
|
||||
35 | File | `/proc/pid/syscall` | High
|
||||
36 | File | `/product_list.php` | High
|
||||
37 | ... | ... | ...
|
||||
|
||||
There are 318 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 313 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -81,9 +81,10 @@ ID | Type | Indicator | Confidence
|
|||
27 | File | `addentry.php` | Medium
|
||||
28 | File | `admin.htm` | Medium
|
||||
29 | File | `admin.php` | Medium
|
||||
30 | ... | ... | ...
|
||||
30 | File | `admin/article_category.php?rec=update` | High
|
||||
31 | ... | ... | ...
|
||||
|
||||
There are 259 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 260 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -15,12 +15,12 @@ The following _campaigns_ are known and can be associated with Charming Kitten:
|
|||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Charming Kitten:
|
||||
|
||||
* [ES](https://vuldb.com/?country.es)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* [NL](https://vuldb.com/?country.nl)
|
||||
* [ES](https://vuldb.com/?country.es)
|
||||
* ...
|
||||
|
||||
There are 17 more country items available. Please use our online service to access the data.
|
||||
There are 13 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -66,7 +66,7 @@ ID | Technique | Weakness | Description | Confidence
|
|||
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 16 more TTP items available. Please use our online service to access the data.
|
||||
There are 18 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -76,38 +76,33 @@ ID | Type | Indicator | Confidence
|
|||
-- | ---- | --------- | ----------
|
||||
1 | File | `//proc/kcore` | Medium
|
||||
2 | File | `/Ap4RtpAtom.cpp` | High
|
||||
3 | File | `/bcms/admin/?page=user/list` | High
|
||||
4 | File | `/bsms/?page=manage_account` | High
|
||||
5 | File | `/cgi-bin/login.cgi` | High
|
||||
6 | File | `/ci_hms/massage_room/edit/1` | High
|
||||
7 | File | `/context/%2e/WEB-INF/web.xml` | High
|
||||
8 | File | `/core/conditions/AbstractWrapper.java` | High
|
||||
9 | File | `/dashboard/reports/logs/view` | High
|
||||
10 | File | `/debug/pprof` | Medium
|
||||
11 | File | `/file?action=download&file` | High
|
||||
12 | File | `/fuel/index.php/fuel/logs/items` | High
|
||||
13 | File | `/fuel/sitevariables/delete/4` | High
|
||||
14 | File | `/hprms/admin/doctors/manage_doctor.php` | High
|
||||
15 | File | `/index/jobfairol/show/` | High
|
||||
16 | File | `/librarian/bookdetails.php` | High
|
||||
17 | File | `/mgmt/tm/util/bash` | High
|
||||
18 | File | `/monitoring` | Medium
|
||||
19 | File | `/new` | Low
|
||||
3 | File | `/app/options.py` | High
|
||||
4 | File | `/bcms/admin/?page=user/list` | High
|
||||
5 | File | `/bsms/?page=manage_account` | High
|
||||
6 | File | `/cgi-bin/login.cgi` | High
|
||||
7 | File | `/ci_hms/massage_room/edit/1` | High
|
||||
8 | File | `/context/%2e/WEB-INF/web.xml` | High
|
||||
9 | File | `/core/conditions/AbstractWrapper.java` | High
|
||||
10 | File | `/dashboard/reports/logs/view` | High
|
||||
11 | File | `/debug/pprof` | Medium
|
||||
12 | File | `/etc/hosts` | Medium
|
||||
13 | File | `/file?action=download&file` | High
|
||||
14 | File | `/fuel/index.php/fuel/logs/items` | High
|
||||
15 | File | `/fuel/sitevariables/delete/4` | High
|
||||
16 | File | `/hprms/admin/doctors/manage_doctor.php` | High
|
||||
17 | File | `/index/jobfairol/show/` | High
|
||||
18 | File | `/librarian/bookdetails.php` | High
|
||||
19 | File | `/mgmt/tm/util/bash` | High
|
||||
20 | File | `/plugin/LiveChat/getChat.json.php` | High
|
||||
21 | File | `/plugins/servlet/audit/resource` | High
|
||||
22 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
|
||||
23 | File | `/proc/<pid>/status` | High
|
||||
24 | File | `/public/plugins/` | High
|
||||
25 | File | `/RestAPI` | Medium
|
||||
26 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
27 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
28 | File | `/simple_chat_bot/admin/?page=user/manage_user` | High
|
||||
29 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
|
||||
30 | File | `/tmp` | Low
|
||||
31 | File | `/tmp/zarafa-vacation-*` | High
|
||||
32 | ... | ... | ...
|
||||
21 | File | `/proc/<PID>/mem` | High
|
||||
22 | File | `/public/plugins/` | High
|
||||
23 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
24 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
25 | File | `/simple_chat_bot/admin/?page=user/manage_user` | High
|
||||
26 | File | `/tmp` | Low
|
||||
27 | ... | ... | ...
|
||||
|
||||
There are 270 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 230 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -9,8 +9,8 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
|
|||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Cobalt Group:
|
||||
|
||||
* [ES](https://vuldb.com/?country.es)
|
||||
* [SV](https://vuldb.com/?country.sv)
|
||||
* [AR](https://vuldb.com/?country.ar)
|
||||
* [SV](https://vuldb.com/?country.sv)
|
||||
* ...
|
||||
|
||||
There are 8 more country items available. Please use our online service to access the data.
|
||||
|
@ -42,7 +42,7 @@ ID | Technique | Weakness | Description | Confidence
|
|||
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
6 | ... | ... | ... | ...
|
||||
|
||||
There are 18 more TTP items available. Please use our online service to access the data.
|
||||
There are 19 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -85,10 +85,9 @@ ID | Type | Indicator | Confidence
|
|||
33 | File | `/ocwbs/admin/services/manage_service.php` | High
|
||||
34 | File | `/ocwbs/classes/Master.php?f=delete_booking` | High
|
||||
35 | File | `/ocwbs/classes/Master.php?f=delete_vehicle` | High
|
||||
36 | File | `/odfs/classes/Master.php?f=save_category` | High
|
||||
37 | ... | ... | ...
|
||||
36 | ... | ... | ...
|
||||
|
||||
There are 318 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 312 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
* [ES](https://vuldb.com/?country.es)
|
||||
* ...
|
||||
|
||||
There are 15 more country items available. Please use our online service to access the data.
|
||||
There are 16 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -37,16 +37,21 @@ ID | IP address | Hostname | Campaign | Confidence
|
|||
14 | [37.120.198.225](https://vuldb.com/?ip.37.120.198.225) | - | - | High
|
||||
15 | [45.15.131.96](https://vuldb.com/?ip.45.15.131.96) | - | - | High
|
||||
16 | [45.66.158.14](https://vuldb.com/?ip.45.66.158.14) | 14.158-66-45.rdns.scalabledns.com | - | High
|
||||
17 | [45.134.26.174](https://vuldb.com/?ip.45.134.26.174) | - | - | High
|
||||
18 | [45.144.29.185](https://vuldb.com/?ip.45.144.29.185) | master.pisyandriy.com | - | High
|
||||
19 | [45.197.132.72](https://vuldb.com/?ip.45.197.132.72) | - | - | High
|
||||
20 | [46.165.254.166](https://vuldb.com/?ip.46.165.254.166) | - | - | High
|
||||
21 | [51.15.76.60](https://vuldb.com/?ip.51.15.76.60) | 60-76-15-51.instances.scw.cloud | - | High
|
||||
22 | [51.68.91.152](https://vuldb.com/?ip.51.68.91.152) | - | - | High
|
||||
23 | [51.68.93.185](https://vuldb.com/?ip.51.68.93.185) | - | - | High
|
||||
24 | ... | ... | ... | ...
|
||||
17 | [45.84.0.116](https://vuldb.com/?ip.45.84.0.116) | n5336.md | - | High
|
||||
18 | [45.134.26.174](https://vuldb.com/?ip.45.134.26.174) | - | - | High
|
||||
19 | [45.144.29.185](https://vuldb.com/?ip.45.144.29.185) | master.pisyandriy.com | - | High
|
||||
20 | [45.197.132.72](https://vuldb.com/?ip.45.197.132.72) | - | - | High
|
||||
21 | [46.165.254.166](https://vuldb.com/?ip.46.165.254.166) | - | - | High
|
||||
22 | [51.15.76.60](https://vuldb.com/?ip.51.15.76.60) | 60-76-15-51.instances.scw.cloud | - | High
|
||||
23 | [51.68.91.152](https://vuldb.com/?ip.51.68.91.152) | - | - | High
|
||||
24 | [51.68.93.185](https://vuldb.com/?ip.51.68.93.185) | - | - | High
|
||||
25 | [51.81.13.141](https://vuldb.com/?ip.51.81.13.141) | ip141.ip-51-81-13.us | - | High
|
||||
26 | [51.83.15.56](https://vuldb.com/?ip.51.83.15.56) | - | - | High
|
||||
27 | [52.18.235.51](https://vuldb.com/?ip.52.18.235.51) | ec2-52-18-235-51.eu-west-1.compute.amazonaws.com | - | Medium
|
||||
28 | [62.102.148.68](https://vuldb.com/?ip.62.102.148.68) | - | - | High
|
||||
29 | ... | ... | ... | ...
|
||||
|
||||
There are 94 more IOC items available. Please use our online service to access the data.
|
||||
There are 114 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
@ -54,10 +59,10 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-24, CWE-36, CWE-425 | Pathname Traversal | High
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-24, CWE-36 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
|
||||
4 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
6 | ... | ... | ... | ...
|
||||
|
||||
|
@ -74,13 +79,13 @@ ID | Type | Indicator | Confidence
|
|||
3 | File | `/.dbus-keyrings` | High
|
||||
4 | File | `//proc/kcore` | Medium
|
||||
5 | File | `/admin/conferences/list/` | High
|
||||
6 | File | `/admin/dl_sendmail.php` | High
|
||||
7 | File | `/admin/edit_admin_details.php?id=admin` | High
|
||||
8 | File | `/admin/generalsettings.php` | High
|
||||
9 | File | `/admin/payment.php` | High
|
||||
10 | File | `/admin/reports.php` | High
|
||||
11 | File | `/AgilePointServer/Extension/FetchUsingEncodedData` | High
|
||||
12 | File | `/api/part_categories` | High
|
||||
6 | File | `/admin/curltest.cgi` | High
|
||||
7 | File | `/admin/dl_sendmail.php` | High
|
||||
8 | File | `/admin/edit_admin_details.php?id=admin` | High
|
||||
9 | File | `/admin/generalsettings.php` | High
|
||||
10 | File | `/admin/payment.php` | High
|
||||
11 | File | `/admin/reports.php` | High
|
||||
12 | File | `/AgilePointServer/Extension/FetchUsingEncodedData` | High
|
||||
13 | File | `/api/user/userData?userCode=admin` | High
|
||||
14 | File | `/app/options.py` | High
|
||||
15 | File | `/bsms/?page=manage_account` | High
|
||||
|
@ -103,7 +108,7 @@ ID | Type | Indicator | Confidence
|
|||
32 | File | `/index/notice/show` | High
|
||||
33 | ... | ... | ...
|
||||
|
||||
There are 279 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 283 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
@ -115,6 +120,10 @@ The following list contains _external sources_ which discuss the actor and the a
|
|||
* https://blog.morphisec.com/log4j-exploit-targets-vulnerable-unifi-network-applications
|
||||
* https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html
|
||||
* https://blogs.infoblox.com/cyber-threat-intelligence/nobelium-campaigns-and-malware/
|
||||
* https://cert.gov.ua/article/37704
|
||||
* https://cert.gov.ua/article/39708
|
||||
* https://cert.gov.ua/article/40559
|
||||
* https://cert.gov.ua/article/703548
|
||||
* https://github.com/executemalware/Malware-IOCs/blob/main/2021-08-17%20Hancitor%20IOCs
|
||||
* https://github.com/executemalware/Malware-IOCs/blob/main/2021-08-18%20Hancitor%20IOCs
|
||||
* https://github.com/executemalware/Malware-IOCs/blob/main/2021-08-26%20Hancitor%20IOCs
|
||||
|
|
|
@ -544,31 +544,31 @@ ID | Type | Indicator | Confidence
|
|||
4 | File | `/admin/extended` | High
|
||||
5 | File | `/admin/featured.php` | High
|
||||
6 | File | `/admin/generalsettings.php` | High
|
||||
7 | File | `/admin/newsletter1.php` | High
|
||||
8 | File | `/admin/payment.php` | High
|
||||
9 | File | `/admin/usermanagement.php` | High
|
||||
10 | File | `/Ap4RtpAtom.cpp` | High
|
||||
11 | File | `/api/addusers` | High
|
||||
12 | File | `/app/options.py` | High
|
||||
13 | File | `/application/common.php#action_log` | High
|
||||
14 | File | `/bcms/admin/?page=user/list` | High
|
||||
15 | File | `/bsms/?page=manage_account` | High
|
||||
16 | File | `/cgi-bin/login.cgi` | High
|
||||
17 | File | `/ci_hms/massage_room/edit/1` | High
|
||||
18 | File | `/core/conditions/AbstractWrapper.java` | High
|
||||
19 | File | `/dashboard/reports/logs/view` | High
|
||||
20 | File | `/debug/pprof` | Medium
|
||||
21 | File | `/designer/add/layout` | High
|
||||
22 | File | `/etc/hosts` | Medium
|
||||
23 | File | `/filemanager/upload/drop` | High
|
||||
24 | File | `/fuel/index.php/fuel/logs/items` | High
|
||||
25 | File | `/fuel/sitevariables/delete/4` | High
|
||||
26 | File | `/hprms/admin/doctors/manage_doctor.php` | High
|
||||
27 | File | `/index/jobfairol/show/` | High
|
||||
28 | File | `/librarian/bookdetails.php` | High
|
||||
7 | File | `/admin/inquiries/view_details.php` | High
|
||||
8 | File | `/admin/newsletter1.php` | High
|
||||
9 | File | `/admin/payment.php` | High
|
||||
10 | File | `/admin/usermanagement.php` | High
|
||||
11 | File | `/Ap4RtpAtom.cpp` | High
|
||||
12 | File | `/api/addusers` | High
|
||||
13 | File | `/app/options.py` | High
|
||||
14 | File | `/application/common.php#action_log` | High
|
||||
15 | File | `/bcms/admin/?page=user/list` | High
|
||||
16 | File | `/bsms/?page=manage_account` | High
|
||||
17 | File | `/cgi-bin/login.cgi` | High
|
||||
18 | File | `/ci_hms/massage_room/edit/1` | High
|
||||
19 | File | `/core/conditions/AbstractWrapper.java` | High
|
||||
20 | File | `/dashboard/reports/logs/view` | High
|
||||
21 | File | `/debug/pprof` | Medium
|
||||
22 | File | `/designer/add/layout` | High
|
||||
23 | File | `/etc/hosts` | Medium
|
||||
24 | File | `/filemanager/upload/drop` | High
|
||||
25 | File | `/fuel/index.php/fuel/logs/items` | High
|
||||
26 | File | `/fuel/sitevariables/delete/4` | High
|
||||
27 | File | `/hprms/admin/doctors/manage_doctor.php` | High
|
||||
28 | File | `/index/jobfairol/show/` | High
|
||||
29 | ... | ... | ...
|
||||
|
||||
There are 244 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 248 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -15,8 +15,8 @@ The following _campaigns_ are known and can be associated with CopyKittens:
|
|||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with CopyKittens:
|
||||
|
||||
* [ES](https://vuldb.com/?country.es)
|
||||
* [SV](https://vuldb.com/?country.sv)
|
||||
* [PT](https://vuldb.com/?country.pt)
|
||||
* [SV](https://vuldb.com/?country.sv)
|
||||
* ...
|
||||
|
||||
There are 8 more country items available. Please use our online service to access the data.
|
||||
|
@ -61,7 +61,7 @@ ID | Technique | Weakness | Description | Confidence
|
|||
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
6 | ... | ... | ... | ...
|
||||
|
||||
There are 21 more TTP items available. Please use our online service to access the data.
|
||||
There are 22 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -77,34 +77,34 @@ ID | Type | Indicator | Confidence
|
|||
6 | File | `/admin/deluser.php` | High
|
||||
7 | File | `/admin/edit_admin_details.php?id=admin` | High
|
||||
8 | File | `/admin/googleads.php` | High
|
||||
9 | File | `/admin/new-content` | High
|
||||
10 | File | `/admin/operations/tax.php` | High
|
||||
11 | File | `/admin/payment.php` | High
|
||||
12 | File | `/admin/scheprofile.cgi` | High
|
||||
13 | File | `/base/SysEveMenuAuthPointMapper.xml` | High
|
||||
14 | File | `/bcms/admin/courts/manage_court.php` | High
|
||||
15 | File | `/bcms/classes/Master.php?f=save_court_rental` | High
|
||||
16 | File | `/car-rental-management-system/admin/manage_booking.php` | High
|
||||
17 | File | `/catcompany.php` | High
|
||||
18 | File | `/cgi-bin/kerbynet` | High
|
||||
19 | File | `/cgi-bin/readfile.tcl` | High
|
||||
20 | File | `/classes/Users.php?f=save` | High
|
||||
21 | File | `/cms/classes/Master.php?f=delete_client` | High
|
||||
22 | File | `/config` | Low
|
||||
23 | File | `/defaultui/player/modern.html` | High
|
||||
24 | File | `/ffos/admin/categories/manage_category.php` | High
|
||||
25 | File | `/ffos/admin/menus/view_menu.php` | High
|
||||
26 | File | `/gaia-job-admin/user/add` | High
|
||||
27 | File | `/goform/aspForm` | High
|
||||
28 | File | `/goform/setNetworkLan` | High
|
||||
29 | File | `/goform/SetSysTimeCfg` | High
|
||||
30 | File | `/html/Solar_Ftp.php` | High
|
||||
31 | File | `/isms/admin/stocks/view_stock.php` | High
|
||||
32 | File | `/lists/admin/` | High
|
||||
9 | File | `/admin/operations/tax.php` | High
|
||||
10 | File | `/admin/payment.php` | High
|
||||
11 | File | `/admin/scheprofile.cgi` | High
|
||||
12 | File | `/base/SysEveMenuAuthPointMapper.xml` | High
|
||||
13 | File | `/bcms/admin/courts/manage_court.php` | High
|
||||
14 | File | `/bcms/classes/Master.php?f=save_court_rental` | High
|
||||
15 | File | `/car-rental-management-system/admin/manage_booking.php` | High
|
||||
16 | File | `/catcompany.php` | High
|
||||
17 | File | `/cgi-bin/kerbynet` | High
|
||||
18 | File | `/cgi-bin/readfile.tcl` | High
|
||||
19 | File | `/classes/Users.php?f=save` | High
|
||||
20 | File | `/cms/classes/Master.php?f=delete_client` | High
|
||||
21 | File | `/config` | Low
|
||||
22 | File | `/defaultui/player/modern.html` | High
|
||||
23 | File | `/ffos/admin/categories/manage_category.php` | High
|
||||
24 | File | `/ffos/admin/menus/view_menu.php` | High
|
||||
25 | File | `/gaia-job-admin/user/add` | High
|
||||
26 | File | `/goform/aspForm` | High
|
||||
27 | File | `/goform/setNetworkLan` | High
|
||||
28 | File | `/goform/SetSysTimeCfg` | High
|
||||
29 | File | `/html/Solar_Ftp.php` | High
|
||||
30 | File | `/isms/admin/stocks/view_stock.php` | High
|
||||
31 | File | `/lists/admin/` | High
|
||||
32 | File | `/login.php` | Medium
|
||||
33 | File | `/mtms/admin/?page=transaction/send` | High
|
||||
34 | ... | ... | ...
|
||||
|
||||
There are 287 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 288 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -34,8 +34,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1055 | CWE-74 | Injection | High
|
||||
3 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 8 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
|
|
@ -0,0 +1,74 @@
|
|||
# DEV-0530 - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [DEV-0530](https://vuldb.com/?actor.dev-0530). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.dev-0530](https://vuldb.com/?actor.dev-0530)
|
||||
|
||||
## Campaigns
|
||||
|
||||
The following _campaigns_ are known and can be associated with DEV-0530:
|
||||
|
||||
* H0lyGh0st
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with DEV-0530:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of DEV-0530.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [193.56.29.123](https://vuldb.com/?ip.193.56.29.123) | - | H0lyGh0st | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _DEV-0530_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 14 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by DEV-0530. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/admin.php?page=batch_manager&mode=unit` | High
|
||||
2 | File | `/goform/aspForm` | High
|
||||
3 | File | `/omps/seller` | Medium
|
||||
4 | File | `/php/passport/index.php` | High
|
||||
5 | File | `/replication` | Medium
|
||||
6 | File | `/settings` | Medium
|
||||
7 | File | `/staff/tools/custom-fields` | High
|
||||
8 | File | `/strings/ctype-latin1.c` | High
|
||||
9 | ... | ... | ...
|
||||
|
||||
There are 65 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -17,31 +17,38 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
|
|||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [2.181.21.179](https://vuldb.com/?ip.2.181.21.179) | - | - | High
|
||||
2 | [3.223.115.185](https://vuldb.com/?ip.3.223.115.185) | ec2-3-223-115-185.compute-1.amazonaws.com | - | Medium
|
||||
3 | [13.107.21.200](https://vuldb.com/?ip.13.107.21.200) | - | - | High
|
||||
4 | [13.107.22.200](https://vuldb.com/?ip.13.107.22.200) | - | - | High
|
||||
5 | [13.107.213.40](https://vuldb.com/?ip.13.107.213.40) | - | - | High
|
||||
6 | [13.107.246.13](https://vuldb.com/?ip.13.107.246.13) | - | - | High
|
||||
7 | [13.107.246.18](https://vuldb.com/?ip.13.107.246.18) | - | - | High
|
||||
8 | [13.107.246.40](https://vuldb.com/?ip.13.107.246.40) | - | - | High
|
||||
9 | [13.107.246.70](https://vuldb.com/?ip.13.107.246.70) | - | - | High
|
||||
10 | [23.5.230.228](https://vuldb.com/?ip.23.5.230.228) | a23-5-230-228.deploy.static.akamaitechnologies.com | - | High
|
||||
11 | [23.6.69.99](https://vuldb.com/?ip.23.6.69.99) | a23-6-69-99.deploy.static.akamaitechnologies.com | - | High
|
||||
12 | [23.10.88.237](https://vuldb.com/?ip.23.10.88.237) | a23-10-88-237.deploy.static.akamaitechnologies.com | - | High
|
||||
13 | [23.36.85.183](https://vuldb.com/?ip.23.36.85.183) | a23-36-85-183.deploy.static.akamaitechnologies.com | - | High
|
||||
14 | [23.38.131.139](https://vuldb.com/?ip.23.38.131.139) | a23-38-131-139.deploy.static.akamaitechnologies.com | - | High
|
||||
15 | [23.64.110.64](https://vuldb.com/?ip.23.64.110.64) | a23-64-110-64.deploy.static.akamaitechnologies.com | - | High
|
||||
16 | [23.67.200.172](https://vuldb.com/?ip.23.67.200.172) | a23-67-200-172.deploy.static.akamaitechnologies.com | - | High
|
||||
17 | [23.78.173.83](https://vuldb.com/?ip.23.78.173.83) | a23-78-173-83.deploy.static.akamaitechnologies.com | - | High
|
||||
18 | [25.109.69.178](https://vuldb.com/?ip.25.109.69.178) | - | - | High
|
||||
19 | [31.170.166.110](https://vuldb.com/?ip.31.170.166.110) | - | - | High
|
||||
20 | [31.193.90.60](https://vuldb.com/?ip.31.193.90.60) | - | - | High
|
||||
21 | [31.202.203.58](https://vuldb.com/?ip.31.202.203.58) | 31.202.203.58.format-tv.net | - | High
|
||||
22 | [34.107.221.82](https://vuldb.com/?ip.34.107.221.82) | 82.221.107.34.bc.googleusercontent.com | - | Medium
|
||||
23 | ... | ... | ... | ...
|
||||
1 | [1.1.1.1](https://vuldb.com/?ip.1.1.1.1) | one.one.one.one | - | High
|
||||
2 | [2.181.21.179](https://vuldb.com/?ip.2.181.21.179) | - | - | High
|
||||
3 | [3.223.115.185](https://vuldb.com/?ip.3.223.115.185) | ec2-3-223-115-185.compute-1.amazonaws.com | - | Medium
|
||||
4 | [13.107.21.200](https://vuldb.com/?ip.13.107.21.200) | - | - | High
|
||||
5 | [13.107.22.200](https://vuldb.com/?ip.13.107.22.200) | - | - | High
|
||||
6 | [13.107.213.40](https://vuldb.com/?ip.13.107.213.40) | - | - | High
|
||||
7 | [13.107.246.13](https://vuldb.com/?ip.13.107.246.13) | - | - | High
|
||||
8 | [13.107.246.18](https://vuldb.com/?ip.13.107.246.18) | - | - | High
|
||||
9 | [13.107.246.40](https://vuldb.com/?ip.13.107.246.40) | - | - | High
|
||||
10 | [13.107.246.70](https://vuldb.com/?ip.13.107.246.70) | - | - | High
|
||||
11 | [20.36.253.92](https://vuldb.com/?ip.20.36.253.92) | - | - | High
|
||||
12 | [23.5.230.228](https://vuldb.com/?ip.23.5.230.228) | a23-5-230-228.deploy.static.akamaitechnologies.com | - | High
|
||||
13 | [23.5.234.11](https://vuldb.com/?ip.23.5.234.11) | a23-5-234-11.deploy.static.akamaitechnologies.com | - | High
|
||||
14 | [23.6.69.99](https://vuldb.com/?ip.23.6.69.99) | a23-6-69-99.deploy.static.akamaitechnologies.com | - | High
|
||||
15 | [23.10.88.237](https://vuldb.com/?ip.23.10.88.237) | a23-10-88-237.deploy.static.akamaitechnologies.com | - | High
|
||||
16 | [23.36.85.183](https://vuldb.com/?ip.23.36.85.183) | a23-36-85-183.deploy.static.akamaitechnologies.com | - | High
|
||||
17 | [23.38.131.139](https://vuldb.com/?ip.23.38.131.139) | a23-38-131-139.deploy.static.akamaitechnologies.com | - | High
|
||||
18 | [23.51.186.146](https://vuldb.com/?ip.23.51.186.146) | a23-51-186-146.deploy.static.akamaitechnologies.com | - | High
|
||||
19 | [23.59.221.43](https://vuldb.com/?ip.23.59.221.43) | a23-59-221-43.deploy.static.akamaitechnologies.com | - | High
|
||||
20 | [23.64.110.64](https://vuldb.com/?ip.23.64.110.64) | a23-64-110-64.deploy.static.akamaitechnologies.com | - | High
|
||||
21 | [23.67.200.172](https://vuldb.com/?ip.23.67.200.172) | a23-67-200-172.deploy.static.akamaitechnologies.com | - | High
|
||||
22 | [23.78.173.83](https://vuldb.com/?ip.23.78.173.83) | a23-78-173-83.deploy.static.akamaitechnologies.com | - | High
|
||||
23 | [23.218.140.208](https://vuldb.com/?ip.23.218.140.208) | a23-218-140-208.deploy.static.akamaitechnologies.com | - | High
|
||||
24 | [25.109.69.178](https://vuldb.com/?ip.25.109.69.178) | - | - | High
|
||||
25 | [31.170.166.110](https://vuldb.com/?ip.31.170.166.110) | - | - | High
|
||||
26 | [31.193.90.60](https://vuldb.com/?ip.31.193.90.60) | - | - | High
|
||||
27 | [31.202.203.58](https://vuldb.com/?ip.31.202.203.58) | 31.202.203.58.format-tv.net | - | High
|
||||
28 | [34.107.221.82](https://vuldb.com/?ip.34.107.221.82) | 82.221.107.34.bc.googleusercontent.com | - | Medium
|
||||
29 | [34.213.158.239](https://vuldb.com/?ip.34.213.158.239) | ec2-34-213-158-239.us-west-2.compute.amazonaws.com | - | Medium
|
||||
30 | ... | ... | ... | ...
|
||||
|
||||
There are 87 more IOC items available. Please use our online service to access the data.
|
||||
There are 115 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
@ -49,7 +56,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
|
||||
1 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
|
||||
3 | T1505 | CWE-89 | SQL Injection | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 1 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -72,6 +84,12 @@ The following list contains _external sources_ which discuss the actor and the a
|
|||
* https://blog.talosintelligence.com/2019/09/threat-roundup-0906-0913.html
|
||||
* https://blog.talosintelligence.com/2019/11/threat-roundup-1101-1108.html
|
||||
* https://blog.talosintelligence.com/2019/12/threat-roundup-1206-1213.html
|
||||
* https://blog.talosintelligence.com/2020/05/threat-roundup-0424-0501.html
|
||||
* https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
|
||||
* https://blog.talosintelligence.com/2020/07/threat-roundup-0724-0731.html
|
||||
* https://blog.talosintelligence.com/2020/08/tru-0731-0807.html
|
||||
* https://blog.talosintelligence.com/2020/10/threat-roundup-1023-1030.html
|
||||
* https://blog.talosintelligence.com/2020/12/threat-roundup-1211-1218.html
|
||||
* https://blog.talosintelligence.com/2021/01/threat-roundup-0122.html
|
||||
* https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html
|
||||
* https://blog.talosintelligence.com/2021/03/threat-roundup-0226-0305.html
|
||||
|
|
|
@ -9,11 +9,11 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
|
|||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Dridex:
|
||||
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [ES](https://vuldb.com/?country.es)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* ...
|
||||
|
||||
There are 25 more country items available. Please use our online service to access the data.
|
||||
There are 23 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -69,63 +69,66 @@ ID | IP address | Hostname | Campaign | Confidence
|
|||
46 | [23.227.202.174](https://vuldb.com/?ip.23.227.202.174) | 23-227-202-174.static.hvvc.us | - | High
|
||||
47 | [23.227.203.228](https://vuldb.com/?ip.23.227.203.228) | 23-227-203-228.static.hvvc.us | - | High
|
||||
48 | [23.227.203.229](https://vuldb.com/?ip.23.227.203.229) | 23-227-203-229.static.hvvc.us | - | High
|
||||
49 | [23.254.211.213](https://vuldb.com/?ip.23.254.211.213) | client-23-254-211-213.hostwindsdns.com | - | High
|
||||
50 | [23.254.215.238](https://vuldb.com/?ip.23.254.215.238) | hwsrv-900801.hostwindsdns.com | - | High
|
||||
51 | [23.254.217.168](https://vuldb.com/?ip.23.254.217.168) | client-23-254-217-168.hostwindsdns.com | - | High
|
||||
52 | [23.254.247.5](https://vuldb.com/?ip.23.254.247.5) | hwsrv-936430.hostwindsdns.com | - | High
|
||||
53 | [23.254.247.55](https://vuldb.com/?ip.23.254.247.55) | client-23-254-247-55.hostwindsdns.com | - | High
|
||||
54 | [24.40.243.66](https://vuldb.com/?ip.24.40.243.66) | 24-40-243-66.fidnet.com | - | High
|
||||
55 | [27.60.164.164](https://vuldb.com/?ip.27.60.164.164) | - | - | High
|
||||
56 | [31.14.41.212](https://vuldb.com/?ip.31.14.41.212) | a856-motor.variouloco.com | - | High
|
||||
57 | [31.14.41.213](https://vuldb.com/?ip.31.14.41.213) | gain-compress.variouloco.com | - | High
|
||||
58 | [31.14.41.214](https://vuldb.com/?ip.31.14.41.214) | a277-exist.variouloco.com | - | High
|
||||
59 | [31.14.41.215](https://vuldb.com/?ip.31.14.41.215) | dubaibuildings.com | - | High
|
||||
60 | [31.24.30.65](https://vuldb.com/?ip.31.24.30.65) | - | - | High
|
||||
61 | [31.41.45.197](https://vuldb.com/?ip.31.41.45.197) | andrewhrenov.example.com | - | High
|
||||
62 | [31.42.177.51](https://vuldb.com/?ip.31.42.177.51) | antiques.managerpray.uk | - | High
|
||||
63 | [31.42.177.52](https://vuldb.com/?ip.31.42.177.52) | touch.managerpray.uk | - | High
|
||||
64 | [37.1.208.21](https://vuldb.com/?ip.37.1.208.21) | - | - | High
|
||||
65 | [37.1.215.144](https://vuldb.com/?ip.37.1.215.144) | - | - | High
|
||||
66 | [37.34.58.210](https://vuldb.com/?ip.37.34.58.210) | 37-34-58-210.colo.transip.net | - | High
|
||||
67 | [37.49.230.49](https://vuldb.com/?ip.37.49.230.49) | - | - | High
|
||||
68 | [37.59.52.64](https://vuldb.com/?ip.37.59.52.64) | ns3265174.ip-37-59-52.eu | - | High
|
||||
69 | [37.120.222.56](https://vuldb.com/?ip.37.120.222.56) | - | - | High
|
||||
70 | [37.120.239.185](https://vuldb.com/?ip.37.120.239.185) | - | - | High
|
||||
71 | [37.187.115.122](https://vuldb.com/?ip.37.187.115.122) | ns328855.ip-37-187-115.eu | - | High
|
||||
72 | [37.247.35.130](https://vuldb.com/?ip.37.247.35.130) | earthquake.kenic.nl | - | High
|
||||
73 | [40.122.160.14](https://vuldb.com/?ip.40.122.160.14) | - | - | High
|
||||
74 | [43.229.206.212](https://vuldb.com/?ip.43.229.206.212) | 212.subnet43-229-206.static.inet.net.id | - | High
|
||||
75 | [43.229.206.244](https://vuldb.com/?ip.43.229.206.244) | 244.subnet43-229-206.static.inet.net.id | - | High
|
||||
76 | [45.33.94.33](https://vuldb.com/?ip.45.33.94.33) | 45-33-94-33.ip.linodeusercontent.com | - | High
|
||||
77 | [45.55.134.126](https://vuldb.com/?ip.45.55.134.126) | - | - | High
|
||||
78 | [45.55.154.235](https://vuldb.com/?ip.45.55.154.235) | - | - | High
|
||||
79 | [45.58.56.12](https://vuldb.com/?ip.45.58.56.12) | - | - | High
|
||||
80 | [45.79.8.25](https://vuldb.com/?ip.45.79.8.25) | li1107-25.members.linode.com | - | High
|
||||
81 | [45.79.33.48](https://vuldb.com/?ip.45.79.33.48) | li1132-48.members.linode.com | - | High
|
||||
82 | [45.123.40.54](https://vuldb.com/?ip.45.123.40.54) | - | - | High
|
||||
83 | [45.153.241.113](https://vuldb.com/?ip.45.153.241.113) | - | - | High
|
||||
84 | [45.177.120.36](https://vuldb.com/?ip.45.177.120.36) | mail.netlimit.net.br | - | High
|
||||
85 | [46.4.232.200](https://vuldb.com/?ip.46.4.232.200) | static.200.232.4.46.clients.your-server.de | - | High
|
||||
86 | [46.36.217.227](https://vuldb.com/?ip.46.36.217.227) | - | - | High
|
||||
87 | [46.55.222.10](https://vuldb.com/?ip.46.55.222.10) | - | - | High
|
||||
88 | [46.101.90.205](https://vuldb.com/?ip.46.101.90.205) | - | - | High
|
||||
89 | [50.28.35.36](https://vuldb.com/?ip.50.28.35.36) | lprod03.ilsols.com | - | High
|
||||
90 | [51.38.124.206](https://vuldb.com/?ip.51.38.124.206) | 206.ip-51-38-124.eu | - | High
|
||||
91 | [51.77.82.110](https://vuldb.com/?ip.51.77.82.110) | web001.xwebsrv.de | - | High
|
||||
92 | [51.81.254.89](https://vuldb.com/?ip.51.81.254.89) | - | - | High
|
||||
93 | [51.91.76.89](https://vuldb.com/?ip.51.91.76.89) | 89.ip-51-91-76.eu | - | High
|
||||
94 | [51.91.156.39](https://vuldb.com/?ip.51.91.156.39) | 39.ip-51-91-156.eu | - | High
|
||||
95 | [51.178.161.32](https://vuldb.com/?ip.51.178.161.32) | srv-web.ffconsulting.com | - | High
|
||||
96 | [52.73.70.149](https://vuldb.com/?ip.52.73.70.149) | ec2-52-73-70-149.compute-1.amazonaws.com | - | Medium
|
||||
97 | [52.114.132.73](https://vuldb.com/?ip.52.114.132.73) | - | - | High
|
||||
98 | [54.38.143.246](https://vuldb.com/?ip.54.38.143.246) | ip246.ip-54-38-143.eu | - | High
|
||||
99 | [54.39.34.24](https://vuldb.com/?ip.54.39.34.24) | ip24.ip-54-39-34.net | - | High
|
||||
100 | [54.39.34.26](https://vuldb.com/?ip.54.39.34.26) | ip26.ip-54-39-34.net | - | High
|
||||
101 | [54.84.136.229](https://vuldb.com/?ip.54.84.136.229) | ec2-54-84-136-229.compute-1.amazonaws.com | - | Medium
|
||||
102 | [54.191.98.150](https://vuldb.com/?ip.54.191.98.150) | ec2-54-191-98-150.us-west-2.compute.amazonaws.com | - | Medium
|
||||
103 | ... | ... | ... | ...
|
||||
49 | [23.246.204.126](https://vuldb.com/?ip.23.246.204.126) | 7e.cc.f617.ip4.static.sl-reverse.com | - | High
|
||||
50 | [23.254.211.213](https://vuldb.com/?ip.23.254.211.213) | client-23-254-211-213.hostwindsdns.com | - | High
|
||||
51 | [23.254.215.238](https://vuldb.com/?ip.23.254.215.238) | hwsrv-900801.hostwindsdns.com | - | High
|
||||
52 | [23.254.217.168](https://vuldb.com/?ip.23.254.217.168) | client-23-254-217-168.hostwindsdns.com | - | High
|
||||
53 | [23.254.247.5](https://vuldb.com/?ip.23.254.247.5) | hwsrv-936430.hostwindsdns.com | - | High
|
||||
54 | [23.254.247.55](https://vuldb.com/?ip.23.254.247.55) | client-23-254-247-55.hostwindsdns.com | - | High
|
||||
55 | [24.40.243.66](https://vuldb.com/?ip.24.40.243.66) | 24-40-243-66.fidnet.com | - | High
|
||||
56 | [27.60.164.164](https://vuldb.com/?ip.27.60.164.164) | - | - | High
|
||||
57 | [31.14.41.212](https://vuldb.com/?ip.31.14.41.212) | a856-motor.variouloco.com | - | High
|
||||
58 | [31.14.41.213](https://vuldb.com/?ip.31.14.41.213) | gain-compress.variouloco.com | - | High
|
||||
59 | [31.14.41.214](https://vuldb.com/?ip.31.14.41.214) | a277-exist.variouloco.com | - | High
|
||||
60 | [31.14.41.215](https://vuldb.com/?ip.31.14.41.215) | dubaibuildings.com | - | High
|
||||
61 | [31.24.30.65](https://vuldb.com/?ip.31.24.30.65) | - | - | High
|
||||
62 | [31.41.45.197](https://vuldb.com/?ip.31.41.45.197) | andrewhrenov.example.com | - | High
|
||||
63 | [31.42.177.51](https://vuldb.com/?ip.31.42.177.51) | antiques.managerpray.uk | - | High
|
||||
64 | [31.42.177.52](https://vuldb.com/?ip.31.42.177.52) | touch.managerpray.uk | - | High
|
||||
65 | [37.1.208.21](https://vuldb.com/?ip.37.1.208.21) | - | - | High
|
||||
66 | [37.1.215.144](https://vuldb.com/?ip.37.1.215.144) | - | - | High
|
||||
67 | [37.34.58.210](https://vuldb.com/?ip.37.34.58.210) | 37-34-58-210.colo.transip.net | - | High
|
||||
68 | [37.49.230.49](https://vuldb.com/?ip.37.49.230.49) | - | - | High
|
||||
69 | [37.59.52.64](https://vuldb.com/?ip.37.59.52.64) | ns3265174.ip-37-59-52.eu | - | High
|
||||
70 | [37.120.222.56](https://vuldb.com/?ip.37.120.222.56) | - | - | High
|
||||
71 | [37.120.239.185](https://vuldb.com/?ip.37.120.239.185) | - | - | High
|
||||
72 | [37.187.115.122](https://vuldb.com/?ip.37.187.115.122) | ns328855.ip-37-187-115.eu | - | High
|
||||
73 | [37.247.35.130](https://vuldb.com/?ip.37.247.35.130) | earthquake.kenic.nl | - | High
|
||||
74 | [40.122.160.14](https://vuldb.com/?ip.40.122.160.14) | - | - | High
|
||||
75 | [43.229.206.212](https://vuldb.com/?ip.43.229.206.212) | 212.subnet43-229-206.static.inet.net.id | - | High
|
||||
76 | [43.229.206.244](https://vuldb.com/?ip.43.229.206.244) | 244.subnet43-229-206.static.inet.net.id | - | High
|
||||
77 | [45.33.94.33](https://vuldb.com/?ip.45.33.94.33) | 45-33-94-33.ip.linodeusercontent.com | - | High
|
||||
78 | [45.55.134.126](https://vuldb.com/?ip.45.55.134.126) | - | - | High
|
||||
79 | [45.55.154.235](https://vuldb.com/?ip.45.55.154.235) | - | - | High
|
||||
80 | [45.58.56.12](https://vuldb.com/?ip.45.58.56.12) | - | - | High
|
||||
81 | [45.77.0.96](https://vuldb.com/?ip.45.77.0.96) | 45.77.0.96.vultrusercontent.com | - | High
|
||||
82 | [45.79.8.25](https://vuldb.com/?ip.45.79.8.25) | li1107-25.members.linode.com | - | High
|
||||
83 | [45.79.33.48](https://vuldb.com/?ip.45.79.33.48) | li1132-48.members.linode.com | - | High
|
||||
84 | [45.123.40.54](https://vuldb.com/?ip.45.123.40.54) | - | - | High
|
||||
85 | [45.153.241.113](https://vuldb.com/?ip.45.153.241.113) | - | - | High
|
||||
86 | [45.177.120.36](https://vuldb.com/?ip.45.177.120.36) | mail.netlimit.net.br | - | High
|
||||
87 | [46.4.232.200](https://vuldb.com/?ip.46.4.232.200) | static.200.232.4.46.clients.your-server.de | - | High
|
||||
88 | [46.36.217.227](https://vuldb.com/?ip.46.36.217.227) | - | - | High
|
||||
89 | [46.55.222.10](https://vuldb.com/?ip.46.55.222.10) | - | - | High
|
||||
90 | [46.101.90.205](https://vuldb.com/?ip.46.101.90.205) | - | - | High
|
||||
91 | [50.28.35.36](https://vuldb.com/?ip.50.28.35.36) | lprod03.ilsols.com | - | High
|
||||
92 | [51.38.124.206](https://vuldb.com/?ip.51.38.124.206) | 206.ip-51-38-124.eu | - | High
|
||||
93 | [51.77.82.110](https://vuldb.com/?ip.51.77.82.110) | web001.xwebsrv.de | - | High
|
||||
94 | [51.81.254.89](https://vuldb.com/?ip.51.81.254.89) | - | - | High
|
||||
95 | [51.83.3.52](https://vuldb.com/?ip.51.83.3.52) | shde-2c579.serverlet.com | - | High
|
||||
96 | [51.91.76.89](https://vuldb.com/?ip.51.91.76.89) | 89.ip-51-91-76.eu | - | High
|
||||
97 | [51.91.156.39](https://vuldb.com/?ip.51.91.156.39) | 39.ip-51-91-156.eu | - | High
|
||||
98 | [51.178.161.32](https://vuldb.com/?ip.51.178.161.32) | srv-web.ffconsulting.com | - | High
|
||||
99 | [52.73.70.149](https://vuldb.com/?ip.52.73.70.149) | ec2-52-73-70-149.compute-1.amazonaws.com | - | Medium
|
||||
100 | [52.114.132.73](https://vuldb.com/?ip.52.114.132.73) | - | - | High
|
||||
101 | [54.38.143.246](https://vuldb.com/?ip.54.38.143.246) | ip246.ip-54-38-143.eu | - | High
|
||||
102 | [54.39.34.24](https://vuldb.com/?ip.54.39.34.24) | ip24.ip-54-39-34.net | - | High
|
||||
103 | [54.39.34.26](https://vuldb.com/?ip.54.39.34.26) | ip26.ip-54-39-34.net | - | High
|
||||
104 | [54.84.136.229](https://vuldb.com/?ip.54.84.136.229) | ec2-54-84-136-229.compute-1.amazonaws.com | - | Medium
|
||||
105 | [54.191.98.150](https://vuldb.com/?ip.54.191.98.150) | ec2-54-191-98-150.us-west-2.compute.amazonaws.com | - | Medium
|
||||
106 | ... | ... | ... | ...
|
||||
|
||||
There are 409 more IOC items available. Please use our online service to access the data.
|
||||
There are 421 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
@ -133,12 +136,13 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 5 more TTP items available. Please use our online service to access the data.
|
||||
There are 17 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -147,43 +151,36 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `//proc/kcore` | Medium
|
||||
2 | File | `/?module=users§ion=cpanel&page=list` | High
|
||||
3 | File | `/admin/powerline` | High
|
||||
4 | File | `/admin/syslog` | High
|
||||
5 | File | `/Ap4RtpAtom.cpp` | High
|
||||
6 | File | `/api` | Low
|
||||
7 | File | `/api/upload` | Medium
|
||||
8 | File | `/bcms/admin/?page=user/list` | High
|
||||
9 | File | `/cgi-bin` | Medium
|
||||
10 | File | `/context/%2e/WEB-INF/web.xml` | High
|
||||
11 | File | `/debug/pprof` | Medium
|
||||
2 | File | `/Ap4RtpAtom.cpp` | High
|
||||
3 | File | `/app/options.py` | High
|
||||
4 | File | `/bcms/admin/?page=user/list` | High
|
||||
5 | File | `/bsms/?page=manage_account` | High
|
||||
6 | File | `/cgi-bin/login.cgi` | High
|
||||
7 | File | `/ci_hms/massage_room/edit/1` | High
|
||||
8 | File | `/context/%2e/WEB-INF/web.xml` | High
|
||||
9 | File | `/dashboard/reports/logs/view` | High
|
||||
10 | File | `/debug/pprof` | Medium
|
||||
11 | File | `/etc/hosts` | Medium
|
||||
12 | File | `/fuel/index.php/fuel/logs/items` | High
|
||||
13 | File | `/fuel/sitevariables/delete/4` | High
|
||||
14 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
|
||||
15 | File | `/mgmt/tm/util/bash` | High
|
||||
16 | File | `/monitoring` | Medium
|
||||
17 | File | `/new` | Low
|
||||
18 | File | `/proc/<pid>/status` | High
|
||||
19 | File | `/public/plugins/` | High
|
||||
20 | File | `/scripts/killpvhost` | High
|
||||
21 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
22 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
23 | File | `/simple_chat_bot/admin/?page=user/manage_user` | High
|
||||
24 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
|
||||
25 | File | `/SSOPOST/metaAlias/%realm%/idpv2` | High
|
||||
26 | File | `/tmp` | Low
|
||||
27 | File | `/tmp/redis.ds` | High
|
||||
28 | File | `/uncpath/` | Medium
|
||||
29 | File | `/views/directive/sys/SysConfigDataDirective.java` | High
|
||||
30 | File | `/wp-admin` | Medium
|
||||
31 | File | `/wp-json/wc/v3/webhooks` | High
|
||||
32 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
33 | File | `AccountManagerService.java` | High
|
||||
34 | File | `actions/CompanyDetailsSave.php` | High
|
||||
35 | File | `ActiveServices.java` | High
|
||||
36 | ... | ... | ...
|
||||
14 | File | `/hprms/admin/doctors/manage_doctor.php` | High
|
||||
15 | File | `/index/jobfairol/show/` | High
|
||||
16 | File | `/librarian/bookdetails.php` | High
|
||||
17 | File | `/mgmt/tm/util/bash` | High
|
||||
18 | File | `/monitoring` | Medium
|
||||
19 | File | `/new` | Low
|
||||
20 | File | `/owa/auth/logon.aspx` | High
|
||||
21 | File | `/proc/<PID>/mem` | High
|
||||
22 | File | `/proc/<pid>/status` | High
|
||||
23 | File | `/public/plugins/` | High
|
||||
24 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
25 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
26 | File | `/simple_chat_bot/admin/?page=user/manage_user` | High
|
||||
27 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
|
||||
28 | File | `/tmp` | Low
|
||||
29 | ... | ... | ...
|
||||
|
||||
There are 309 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 248 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
@ -224,6 +221,11 @@ The following list contains _external sources_ which discuss the actor and the a
|
|||
* https://feodotracker.abuse.ch/downloads/ipblocklist.csv
|
||||
* https://gist.githubusercontent.com/BBcan177/bf29d47ea04391cb3eb0/raw/
|
||||
* https://github.com/blackberry/threat-research-and-intelligence/blob/main/TA575-Dridex.csv
|
||||
* https://github.com/executemalware/Malware-IOCs/blob/main/2021-10-13%20Dridex%20IOCs
|
||||
* https://github.com/executemalware/Malware-IOCs/blob/main/2021-10-27%20Dridex%20IOCs
|
||||
* https://github.com/executemalware/Malware-IOCs/blob/main/2021-11-22%20Dridex%20IOCs
|
||||
* https://github.com/executemalware/Malware-IOCs/blob/main/2021-11-24%20Dridex%20IOCs
|
||||
* https://github.com/executemalware/Malware-IOCs/blob/main/2021-12-06%20Dridex2%20IOCs
|
||||
* https://github.com/fl0x2208/IOCs-in-CSV-format/blob/6297513d672bd69f1bf488018035892e599e7a9c/Dridex_banking_trojan.xlsx
|
||||
* https://isc.sans.edu/forums/diary/Dridex+malspam+seen+on+Monday+20170410/22280/
|
||||
* https://isc.sans.edu/forums/diary/Malspam+with+links+to+zip+archives+pushes+Dridex+malware/26116/
|
||||
|
|
|
@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
* [US](https://vuldb.com/?country.us)
|
||||
* ...
|
||||
|
||||
There are 3 more country items available. Please use our online service to access the data.
|
||||
There are 5 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -441,10 +441,10 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-425 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
|
||||
4 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 17 more TTP items available. Please use our online service to access the data.
|
||||
|
@ -456,20 +456,21 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `.python-version` | High
|
||||
2 | File | `/api/sys_username_passwd.cmd` | High
|
||||
3 | File | `/app/controller/Books.php` | High
|
||||
4 | File | `/app/options.py` | High
|
||||
5 | File | `/bin/posix/src/ports/POSIX/OpENer` | High
|
||||
6 | File | `/conf/` | Low
|
||||
7 | File | `/dashboard/menu-list.php` | High
|
||||
8 | File | `/dashboard/profile.php` | High
|
||||
9 | File | `/dashboard/table-list.php` | High
|
||||
10 | File | `/etc/lighttpd.d/ca.pem` | High
|
||||
11 | File | `/ffos/classes/Master.php?f=save_category` | High
|
||||
12 | File | `/home/iojs/build/ws/out/Release/obj.target/deps/openssl/openssl.cnf` | High
|
||||
13 | ... | ... | ...
|
||||
2 | File | `/admin/curltest.cgi` | High
|
||||
3 | File | `/admin/vca/bia/addacph.cgi` | High
|
||||
4 | File | `/admin/vca/license/license_tok.cgi` | High
|
||||
5 | File | `/blog/blog.php` | High
|
||||
6 | File | `/bmis/pages/resident/resident.php` | High
|
||||
7 | File | `/cgi-bin/luci/api/auth` | High
|
||||
8 | File | `/cgi-bin/mesh.cgi?page=upgrade` | High
|
||||
9 | File | `/cgi-bin/nightled.cgi` | High
|
||||
10 | File | `/cgi-bin/touchlist_sync.cgi` | High
|
||||
11 | File | `/dashboard/profile.php` | High
|
||||
12 | File | `/donor-wall` | Medium
|
||||
13 | File | `/editbrand.php` | High
|
||||
14 | ... | ... | ...
|
||||
|
||||
There are 104 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 113 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -28,9 +28,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1222 | CWE-275 | Permission Issues | High
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1055 | CWE-74 | Injection | High
|
||||
3 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 8 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
|
|
@ -64,7 +64,7 @@ ID | Type | Indicator | Confidence
|
|||
17 | File | `AdvancedBluetoothDetailsHeaderController.java` | High
|
||||
18 | ... | ... | ...
|
||||
|
||||
There are 145 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 147 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -15,12 +15,12 @@ The following _campaigns_ are known and can be associated with FIN7:
|
|||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FIN7:
|
||||
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [ES](https://vuldb.com/?country.es)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* ...
|
||||
|
||||
There are 22 more country items available. Please use our online service to access the data.
|
||||
There are 18 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -81,12 +81,13 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-250, CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 7 more TTP items available. Please use our online service to access the data.
|
||||
There are 18 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -96,51 +97,41 @@ ID | Type | Indicator | Confidence
|
|||
-- | ---- | --------- | ----------
|
||||
1 | File | `.htaccess` | Medium
|
||||
2 | File | `//proc/kcore` | Medium
|
||||
3 | File | `/admin_page/all-files-update-ajax.php` | High
|
||||
4 | File | `/Ap4RtpAtom.cpp` | High
|
||||
5 | File | `/bcms/admin/?page=user/list` | High
|
||||
6 | File | `/bsms/?page=manage_account` | High
|
||||
7 | File | `/bsms/?page=products` | High
|
||||
8 | File | `/cgi-bin/kerbynet` | High
|
||||
9 | File | `/cgi-bin/system_mgr.cgi` | High
|
||||
10 | File | `/cloud_config/router_post/check_reg_verify_code` | High
|
||||
11 | File | `/context/%2e/WEB-INF/web.xml` | High
|
||||
12 | File | `/debug/pprof` | Medium
|
||||
13 | File | `/dms/admin/reports/daily_collection_report.php` | High
|
||||
14 | File | `/ext/phar/phar_object.c` | High
|
||||
15 | File | `/filemanager/php/connector.php` | High
|
||||
16 | File | `/fuel/index.php/fuel/logs/items` | High
|
||||
17 | File | `/fuel/sitevariables/delete/4` | High
|
||||
18 | File | `/include/chart_generator.php` | High
|
||||
19 | File | `/info.cgi` | Medium
|
||||
20 | File | `/lists/admin/` | High
|
||||
21 | File | `/MagickCore/image.c` | High
|
||||
22 | File | `/mgmt/tm/util/bash` | High
|
||||
23 | File | `/modx/manager/index.php` | High
|
||||
24 | File | `/proc/<pid>/status` | High
|
||||
25 | File | `/public/login.htm` | High
|
||||
26 | File | `/public/plugins/` | High
|
||||
27 | File | `/replication` | Medium
|
||||
28 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
29 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
30 | File | `/simple_chat_bot/admin/?page=user/manage_user` | High
|
||||
31 | File | `/siteminderagent/pwcgi/smpwservicescgi.exe` | High
|
||||
32 | File | `/spip.php` | Medium
|
||||
33 | File | `/tmp` | Low
|
||||
34 | File | `/uncpath/` | Medium
|
||||
35 | File | `/usr/bin/pkexec` | High
|
||||
36 | File | `/views/directive/sys/SysConfigDataDirective.java` | High
|
||||
37 | File | `/Wedding-Management/package_detail.php` | High
|
||||
38 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
39 | File | `802dot1xclientcert.cgi` | High
|
||||
40 | File | `a2billing/customer/iridium_threed.php` | High
|
||||
41 | File | `AccountManagerService.java` | High
|
||||
42 | File | `actions/CompanyDetailsSave.php` | High
|
||||
43 | File | `ActiveServices.java` | High
|
||||
44 | File | `ActivityManagerService.java` | High
|
||||
45 | ... | ... | ...
|
||||
3 | File | `/admin/conferences/list/` | High
|
||||
4 | File | `/admin/edit_admin_details.php?id=admin` | High
|
||||
5 | File | `/admin/generalsettings.php` | High
|
||||
6 | File | `/admin/payment.php` | High
|
||||
7 | File | `/admin/reports.php` | High
|
||||
8 | File | `/admin_page/all-files-update-ajax.php` | High
|
||||
9 | File | `/Ap4RtpAtom.cpp` | High
|
||||
10 | File | `/app/options.py` | High
|
||||
11 | File | `/bcms/admin/?page=user/list` | High
|
||||
12 | File | `/bsms/?page=manage_account` | High
|
||||
13 | File | `/bsms/?page=products` | High
|
||||
14 | File | `/cgi-bin/kerbynet` | High
|
||||
15 | File | `/cgi-bin/login.cgi` | High
|
||||
16 | File | `/cgi-bin/system_mgr.cgi` | High
|
||||
17 | File | `/ci_hms/massage_room/edit/1` | High
|
||||
18 | File | `/dashboard/reports/logs/view` | High
|
||||
19 | File | `/debug/pprof` | Medium
|
||||
20 | File | `/dms/admin/reports/daily_collection_report.php` | High
|
||||
21 | File | `/etc/hosts` | Medium
|
||||
22 | File | `/forum/away.php` | High
|
||||
23 | File | `/fuel/index.php/fuel/logs/items` | High
|
||||
24 | File | `/fuel/sitevariables/delete/4` | High
|
||||
25 | File | `/hprms/admin/doctors/manage_doctor.php` | High
|
||||
26 | File | `/include/chart_generator.php` | High
|
||||
27 | File | `/index/jobfairol/show/` | High
|
||||
28 | File | `/info.cgi` | Medium
|
||||
29 | File | `/Items/*/RemoteImages/Download` | High
|
||||
30 | File | `/librarian/bookdetails.php` | High
|
||||
31 | File | `/lists/admin/` | High
|
||||
32 | File | `/MagickCore/image.c` | High
|
||||
33 | File | `/mgmt/tm/util/bash` | High
|
||||
34 | File | `/proc/<PID>/mem` | High
|
||||
35 | ... | ... | ...
|
||||
|
||||
There are 389 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 304 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -36,12 +36,13 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 4 more TTP items available. Please use our online service to access the data.
|
||||
There are 14 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -63,7 +64,7 @@ ID | Type | Indicator | Confidence
|
|||
12 | File | `/NAGErrors` | Medium
|
||||
13 | ... | ... | ...
|
||||
|
||||
There are 98 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 99 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -30,7 +30,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1068 | CWE-284 | Execution with Unnecessary Privileges | High
|
||||
1 | T1006 | CWE-21, CWE-22 | Pathname Traversal | High
|
||||
2 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
3 | T1068 | CWE-269, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 4 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
|
|
@ -62,9 +62,10 @@ ID | IP address | Hostname | Campaign | Confidence
|
|||
33 | [44.194.24.167](https://vuldb.com/?ip.44.194.24.167) | ec2-44-194-24-167.compute-1.amazonaws.com | - | Medium
|
||||
34 | [44.227.65.245](https://vuldb.com/?ip.44.227.65.245) | ec2-44-227-65-245.us-west-2.compute.amazonaws.com | - | Medium
|
||||
35 | [44.230.27.49](https://vuldb.com/?ip.44.230.27.49) | ec2-44-230-27-49.us-west-2.compute.amazonaws.com | - | Medium
|
||||
36 | ... | ... | ... | ...
|
||||
36 | [45.135.229.212](https://vuldb.com/?ip.45.135.229.212) | iad.scarletshark.net | - | High
|
||||
37 | ... | ... | ... | ...
|
||||
|
||||
There are 142 more IOC items available. Please use our online service to access the data.
|
||||
There are 144 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
@ -72,12 +73,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1211 | CWE-254 | 7PK Security Features | High
|
||||
1 | T1006 | CWE-22, CWE-23 | Pathname Traversal | High
|
||||
2 | T1055 | CWE-74 | Injection | High
|
||||
3 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 3 more TTP items available. Please use our online service to access the data.
|
||||
There are 12 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -94,13 +95,13 @@ ID | Type | Indicator | Confidence
|
|||
7 | File | `/mgmt/tm/util/bash` | High
|
||||
8 | File | `/modules/projects/vw_files.php` | High
|
||||
9 | File | `/plain` | Low
|
||||
10 | File | `/uncpath/` | Medium
|
||||
11 | File | `/xyhai.php?s=/Auth/editUser` | High
|
||||
12 | File | `/_next` | Low
|
||||
13 | File | `actionHandler/ajax_managed_services.php` | High
|
||||
10 | File | `/staff/tools/custom-fields` | High
|
||||
11 | File | `/uncpath/` | Medium
|
||||
12 | File | `/xyhai.php?s=/Auth/editUser` | High
|
||||
13 | File | `/_next` | Low
|
||||
14 | ... | ... | ...
|
||||
|
||||
There are 111 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 115 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
@ -116,7 +117,10 @@ The following list contains _external sources_ which discuss the actor and the a
|
|||
* https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
|
||||
* https://blog.talosintelligence.com/2021/11/threat-roundup-1029-1105.html
|
||||
* https://blog.talosintelligence.com/2022/04/threat-roundup-0415-0422.html
|
||||
* https://cert.gov.ua/article/37688
|
||||
* https://github.com/executemalware/Malware-IOCs/blob/main/2021-09-07%20Formbook%20IOCs
|
||||
* https://github.com/executemalware/Malware-IOCs/blob/main/2022-04-13%20Formbook%20IOCs
|
||||
* https://github.com/executemalware/Malware-IOCs/blob/main/2022-06-20%20Formbook%20IOCs
|
||||
* https://isc.sans.edu/forums/diary/Excel+spreasheet+macro+kicks+off+Formbook+infection/26332/
|
||||
|
||||
## Literature
|
||||
|
|
|
@ -72,9 +72,11 @@ ID | IP address | Hostname | Campaign | Confidence
|
|||
48 | [80.78.253.26](https://vuldb.com/?ip.80.78.253.26) | 80-78-253-26.cloudvps.regruhosting.ru | - | High
|
||||
49 | [80.78.253.86](https://vuldb.com/?ip.80.78.253.86) | 80-78-253-86.cloudvps.regruhosting.ru | - | High
|
||||
50 | [80.78.253.196](https://vuldb.com/?ip.80.78.253.196) | 80-78-253-196.cloudvps.regruhosting.ru | - | High
|
||||
51 | ... | ... | ... | ...
|
||||
51 | [80.78.254.238](https://vuldb.com/?ip.80.78.254.238) | 80-78-254-238.cloudvps.regruhosting.ru | - | High
|
||||
52 | [83.166.242.108](https://vuldb.com/?ip.83.166.242.108) | - | - | High
|
||||
53 | ... | ... | ... | ...
|
||||
|
||||
There are 200 more IOC items available. Please use our online service to access the data.
|
||||
There are 206 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
@ -89,6 +91,7 @@ ID | Technique | Weakness | Description | Confidence
|
|||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/
|
||||
* https://cert.gov.ua/article/10702
|
||||
* https://github.com/blackorbird/APT_REPORT/blob/master/Gamaredon/Gamaredon202102_ioc1000%2B.csv
|
||||
* https://github.com/pan-unit42/iocs/blob/master/Gamaredon/Gamaredon_IoCs_JAN2022.txt
|
||||
* https://github.com/SentineLabs/Gamaredon-APT/blob/master/2020-02-04-gamaredon-blog-iocs-vk.misp.csv
|
||||
|
|
|
@ -31,12 +31,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
1 | T1006 | CWE-21, CWE-22 | Pathname Traversal | High
|
||||
2 | T1055 | CWE-74 | Injection | High
|
||||
3 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 4 more TTP items available. Please use our online service to access the data.
|
||||
There are 13 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
|
|
@ -0,0 +1,71 @@
|
|||
# GoMet - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [GoMet](https://vuldb.com/?actor.gomet). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.gomet](https://vuldb.com/?actor.gomet)
|
||||
|
||||
## Campaigns
|
||||
|
||||
The following _campaigns_ are known and can be associated with GoMet:
|
||||
|
||||
* Ukraine
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with GoMet:
|
||||
|
||||
* [LA](https://vuldb.com/?country.la)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [GB](https://vuldb.com/?country.gb)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of GoMet.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [111.90.139.122](https://vuldb.com/?ip.111.90.139.122) | server1.kamon.la | Ukraine | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _GoMet_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1055 | CWE-74 | Injection | High
|
||||
3 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 9 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by GoMet. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/admin/dl_sendmail.php` | High
|
||||
2 | File | `application/modules/admin/views/ecommerce/products.php` | High
|
||||
3 | File | `base/ErrorHandler.php` | High
|
||||
4 | File | `blog.php` | Medium
|
||||
5 | ... | ... | ...
|
||||
|
||||
There are 34 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://blog.talosintelligence.com/2022/07/attackers-target-ukraine-using-gomet.html
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -8,12 +8,12 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
|
|||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with GreyEnergy:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* [RO](https://vuldb.com/?country.ro)
|
||||
* [ES](https://vuldb.com/?country.es)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* ...
|
||||
|
||||
There are 25 more country items available. Please use our online service to access the data.
|
||||
There are 18 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -36,12 +36,14 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
|
||||
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
6 | ... | ... | ... | ...
|
||||
|
||||
There are 6 more TTP items available. Please use our online service to access the data.
|
||||
There are 18 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -50,43 +52,38 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `//` | Low
|
||||
2 | File | `/?module=users§ion=cpanel&page=list` | High
|
||||
3 | File | `/admin/powerline` | High
|
||||
4 | File | `/admin/syslog` | High
|
||||
5 | File | `/api/upload` | Medium
|
||||
2 | File | `//proc/kcore` | Medium
|
||||
3 | File | `/admin/dl_sendmail.php` | High
|
||||
4 | File | `/Ap4RtpAtom.cpp` | High
|
||||
5 | File | `/app/options.py` | High
|
||||
6 | File | `/bcms/admin/?page=user/list` | High
|
||||
7 | File | `/cgi-bin` | Medium
|
||||
8 | File | `/cgi-bin/kerbynet` | High
|
||||
9 | File | `/context/%2e/WEB-INF/web.xml` | High
|
||||
10 | File | `/fuel/index.php/fuel/logs/items` | High
|
||||
11 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
|
||||
12 | File | `/mgmt/tm/util/bash` | High
|
||||
13 | File | `/monitoring` | Medium
|
||||
14 | File | `/new` | Low
|
||||
15 | File | `/php_action/editProductImage.php` | High
|
||||
16 | File | `/proc/<pid>/status` | High
|
||||
17 | File | `/public/plugins/` | High
|
||||
18 | File | `/REBOOTSYSTEM` | High
|
||||
19 | File | `/scripts/killpvhost` | High
|
||||
20 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
21 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
22 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
|
||||
23 | File | `/tmp` | Low
|
||||
24 | File | `/tmp/redis.ds` | High
|
||||
25 | File | `/uncpath/` | Medium
|
||||
26 | File | `/wp-admin` | Medium
|
||||
27 | File | `/wp-json/wc/v3/webhooks` | High
|
||||
28 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
29 | File | `AccountManagerService.java` | High
|
||||
30 | File | `actions/CompanyDetailsSave.php` | High
|
||||
31 | File | `ActiveServices.java` | High
|
||||
32 | File | `ActivityManagerService.java` | High
|
||||
33 | File | `admin.php` | Medium
|
||||
34 | File | `admin/?n=user&c=admin_user&a=doGetUserInfo` | High
|
||||
35 | File | `admin/add-glossary.php` | High
|
||||
36 | ... | ... | ...
|
||||
7 | File | `/bsms/?page=manage_account` | High
|
||||
8 | File | `/cgi-bin/login.cgi` | High
|
||||
9 | File | `/ci_hms/massage_room/edit/1` | High
|
||||
10 | File | `/context/%2e/WEB-INF/web.xml` | High
|
||||
11 | File | `/dashboard/reports/logs/view` | High
|
||||
12 | File | `/debug/pprof` | Medium
|
||||
13 | File | `/etc/hosts` | Medium
|
||||
14 | File | `/fuel/index.php/fuel/logs/items` | High
|
||||
15 | File | `/fuel/sitevariables/delete/4` | High
|
||||
16 | File | `/hprms/admin/doctors/manage_doctor.php` | High
|
||||
17 | File | `/index/jobfairol/show/` | High
|
||||
18 | File | `/librarian/bookdetails.php` | High
|
||||
19 | File | `/mgmt/tm/util/bash` | High
|
||||
20 | File | `/new` | Low
|
||||
21 | File | `/php_action/editProductImage.php` | High
|
||||
22 | File | `/proc/<PID>/mem` | High
|
||||
23 | File | `/proc/<pid>/status` | High
|
||||
24 | File | `/public/plugins/` | High
|
||||
25 | File | `/REBOOTSYSTEM` | High
|
||||
26 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
27 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
28 | File | `/simple_chat_bot/admin/?page=user/manage_user` | High
|
||||
29 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
|
||||
30 | File | `/tmp` | Low
|
||||
31 | ... | ... | ...
|
||||
|
||||
There are 311 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 266 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -155,11 +155,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-425 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
4 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
6 | ... | ... | ... | ...
|
||||
|
||||
There are 18 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
|
@ -178,7 +179,7 @@ ID | Type | Indicator | Confidence
|
|||
7 | File | `/Ap4RtpAtom.cpp` | High
|
||||
8 | File | `/app/options.py` | High
|
||||
9 | File | `/bsms/?page=manage_account` | High
|
||||
10 | File | `/car-rental-management-system/admin/manage_user.php` | High
|
||||
10 | File | `/catcompany.php` | High
|
||||
11 | File | `/cgi-bin/kerbynet` | High
|
||||
12 | File | `/cgi-bin/login.cgi` | High
|
||||
13 | File | `/ci_hms/massage_room/edit/1` | High
|
||||
|
@ -189,16 +190,16 @@ ID | Type | Indicator | Confidence
|
|||
18 | File | `/core/conditions/AbstractWrapper.java` | High
|
||||
19 | File | `/dashboard/reports/logs/view` | High
|
||||
20 | File | `/dashboard/snapshot/*?orgId=0` | High
|
||||
21 | File | `/debug/pprof` | Medium
|
||||
22 | File | `/etc/hosts` | Medium
|
||||
23 | File | `/forum/away.php` | High
|
||||
24 | File | `/fuel/sitevariables/delete/4` | High
|
||||
25 | File | `/getcfg.php` | Medium
|
||||
26 | File | `/goform/SetFirewallCfg` | High
|
||||
27 | File | `/hprms/admin/doctors/manage_doctor.php` | High
|
||||
21 | File | `/etc/hosts` | Medium
|
||||
22 | File | `/forum/away.php` | High
|
||||
23 | File | `/fuel/sitevariables/delete/4` | High
|
||||
24 | File | `/goform/SetFirewallCfg` | High
|
||||
25 | File | `/hprms/admin/doctors/manage_doctor.php` | High
|
||||
26 | File | `/index/jobfairol/show/` | High
|
||||
27 | File | `/itop/webservices/export-v2.php` | High
|
||||
28 | ... | ... | ...
|
||||
|
||||
There are 236 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 238 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -15,11 +15,11 @@ The following _campaigns_ are known and can be associated with Hancitor:
|
|||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Hancitor:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [CA](https://vuldb.com/?country.ca)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* [CA](https://vuldb.com/?country.ca)
|
||||
* ...
|
||||
|
||||
There are 13 more country items available. Please use our online service to access the data.
|
||||
There are 14 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -78,38 +78,37 @@ ID | Type | Indicator | Confidence
|
|||
4 | File | `/download` | Medium
|
||||
5 | File | `/files.md5` | Medium
|
||||
6 | File | `/forum/away.php` | High
|
||||
7 | File | `/horde/util/go.php` | High
|
||||
8 | File | `/images/` | Medium
|
||||
9 | File | `/inc/extensions.php` | High
|
||||
10 | File | `/inc/parser/xhtml.php` | High
|
||||
11 | File | `/lists/index.php` | High
|
||||
12 | File | `/login` | Low
|
||||
13 | File | `/modules/profile/index.php` | High
|
||||
14 | File | `/nova/bin/console` | High
|
||||
15 | File | `/objects/getImageMP4.php` | High
|
||||
16 | File | `/one_church/userregister.php` | High
|
||||
17 | File | `/out.php` | Medium
|
||||
18 | File | `/owa/auth/logon.aspx` | High
|
||||
19 | File | `/public/plugins/` | High
|
||||
20 | File | `/replication` | Medium
|
||||
21 | File | `/req_password_user.php` | High
|
||||
22 | File | `/SAP_Information_System/controllers/add_admin.php` | High
|
||||
23 | File | `/SASWebReportStudio/logonAndRender.do` | High
|
||||
24 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
25 | File | `/secure/admin/ViewInstrumentation.jspa` | High
|
||||
26 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
27 | File | `/SSOPOST/metaAlias/%realm%/idpv2` | High
|
||||
28 | File | `/tmp` | Low
|
||||
29 | File | `/uncpath/` | Medium
|
||||
30 | File | `/usr/syno/etc/mount.conf` | High
|
||||
31 | File | `/v2/quantum/save-data-upload-big-file` | High
|
||||
32 | File | `/WEB-INF/web.xml` | High
|
||||
33 | File | `/web/entry/en/address/adrsSetUserWizard.cgi` | High
|
||||
34 | File | `/wp-json/oembed/1.0/embed?url` | High
|
||||
35 | File | `4.edu.php` | Medium
|
||||
36 | ... | ... | ...
|
||||
7 | File | `/images/` | Medium
|
||||
8 | File | `/inc/extensions.php` | High
|
||||
9 | File | `/inc/parser/xhtml.php` | High
|
||||
10 | File | `/lists/index.php` | High
|
||||
11 | File | `/login` | Low
|
||||
12 | File | `/modules/profile/index.php` | High
|
||||
13 | File | `/nova/bin/console` | High
|
||||
14 | File | `/objects/getImageMP4.php` | High
|
||||
15 | File | `/one_church/userregister.php` | High
|
||||
16 | File | `/out.php` | Medium
|
||||
17 | File | `/owa/auth/logon.aspx` | High
|
||||
18 | File | `/public/plugins/` | High
|
||||
19 | File | `/replication` | Medium
|
||||
20 | File | `/req_password_user.php` | High
|
||||
21 | File | `/SAP_Information_System/controllers/add_admin.php` | High
|
||||
22 | File | `/SASWebReportStudio/logonAndRender.do` | High
|
||||
23 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
24 | File | `/secure/admin/ViewInstrumentation.jspa` | High
|
||||
25 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
26 | File | `/SSOPOST/metaAlias/%realm%/idpv2` | High
|
||||
27 | File | `/trx_addons/v2/get/sc_layout` | High
|
||||
28 | File | `/uncpath/` | Medium
|
||||
29 | File | `/usr/syno/etc/mount.conf` | High
|
||||
30 | File | `/v2/quantum/save-data-upload-big-file` | High
|
||||
31 | File | `/WEB-INF/web.xml` | High
|
||||
32 | File | `/web/entry/en/address/adrsSetUserWizard.cgi` | High
|
||||
33 | File | `/wp-json/oembed/1.0/embed?url` | High
|
||||
34 | File | `4.edu.php` | Medium
|
||||
35 | ... | ... | ...
|
||||
|
||||
There are 305 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 301 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -30,9 +30,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1211 | CWE-254 | 7PK Security Features | High
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1055 | CWE-74 | Injection | High
|
||||
3 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 6 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -47,7 +50,7 @@ ID | Type | Indicator | Confidence
|
|||
5 | File | `/iwguestbook/admin/messages_edit.asp` | High
|
||||
6 | ... | ... | ...
|
||||
|
||||
There are 39 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 40 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -24,6 +24,16 @@ ID | IP address | Hostname | Campaign | Confidence
|
|||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [94.158.244.27](https://vuldb.com/?ip.94.158.244.27) | 94-158-244-27.mivocloud.com | Ukraine | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _HermeticWiper_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1068 | CWE-269 | Execution with Unnecessary Privileges | High
|
||||
2 | T1505 | CWE-89 | SQL Injection | High
|
||||
3 | T1592 | CWE-200 | Configuration | High
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by HermeticWiper. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
|
|
@ -30,7 +30,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
1 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
2 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
3 | T1202 | CWE-77, CWE-78 | Command Injection | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 1 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -39,11 +44,11 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/uncpath/` | Medium
|
||||
2 | File | `ajax_admin_apis.php` | High
|
||||
3 | File | `ajax_php_pecl.php` | High
|
||||
2 | File | `adminer.php` | Medium
|
||||
3 | File | `ajax_admin_apis.php` | High
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 6 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 7 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -63,32 +63,32 @@ ID | Type | Indicator | Confidence
|
|||
6 | File | `/admin/featured.php` | High
|
||||
7 | File | `/admin/general.cgi` | High
|
||||
8 | File | `/admin/usermanagement.php` | High
|
||||
9 | File | `/ajax/clear_tools_log/` | High
|
||||
10 | File | `/api/part_categories` | High
|
||||
11 | File | `/api/programs/orgUnits?programs` | High
|
||||
12 | File | `/api/students/me/courses/` | High
|
||||
13 | File | `/base/SysEveMenuAuthPointMapper.xml` | High
|
||||
14 | File | `/bcms/admin/?page=service_transactions/view_details` | High
|
||||
15 | File | `/bcms/classes/Master.php?f=delete_court_rental` | High
|
||||
16 | File | `/bin/posix/src/ports/POSIX/OpENer` | High
|
||||
17 | File | `/cgi-bin/luci/api/diagnose` | High
|
||||
18 | File | `/cgi-mod/lookup.cgi` | High
|
||||
19 | File | `/cgi/ansi` | Medium
|
||||
20 | File | `/classes/Master.php?f=delete_train` | High
|
||||
21 | File | `/cms/classes/Master.php?f=delete_designation` | High
|
||||
22 | File | `/createnewaccount` | High
|
||||
23 | File | `/dashboard/blocks/stacks/view_details/` | High
|
||||
24 | File | `/dev/urandom` | Medium
|
||||
25 | File | `/dl/dl_sendmail.php` | High
|
||||
26 | File | `/ecrire` | Low
|
||||
27 | File | `/etc/fstab` | Medium
|
||||
28 | File | `/etc/sudoers` | Medium
|
||||
29 | File | `/food/admin/all_users.php` | High
|
||||
30 | File | `/genericreport` | High
|
||||
31 | File | `/goform/aspForm` | High
|
||||
9 | File | `/AJAX/ajaxget` | High
|
||||
10 | File | `/ajax/clear_tools_log/` | High
|
||||
11 | File | `/api/part_categories` | High
|
||||
12 | File | `/api/programs/orgUnits?programs` | High
|
||||
13 | File | `/api/students/me/courses/` | High
|
||||
14 | File | `/base/SysEveMenuAuthPointMapper.xml` | High
|
||||
15 | File | `/bcms/admin/?page=service_transactions/view_details` | High
|
||||
16 | File | `/bcms/classes/Master.php?f=delete_court_rental` | High
|
||||
17 | File | `/bin/posix/src/ports/POSIX/OpENer` | High
|
||||
18 | File | `/cgi-bin/luci/api/diagnose` | High
|
||||
19 | File | `/cgi-mod/lookup.cgi` | High
|
||||
20 | File | `/cgi/ansi` | Medium
|
||||
21 | File | `/classes/Master.php?f=delete_train` | High
|
||||
22 | File | `/cms/classes/Master.php?f=delete_designation` | High
|
||||
23 | File | `/createnewaccount` | High
|
||||
24 | File | `/dashboard/blocks/stacks/view_details/` | High
|
||||
25 | File | `/dev/urandom` | Medium
|
||||
26 | File | `/dl/dl_sendmail.php` | High
|
||||
27 | File | `/dotrace.asp` | Medium
|
||||
28 | File | `/ecrire` | Low
|
||||
29 | File | `/etc/fstab` | Medium
|
||||
30 | File | `/etc/sudoers` | Medium
|
||||
31 | File | `/food/admin/all_users.php` | High
|
||||
32 | ... | ... | ...
|
||||
|
||||
There are 269 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 271 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -46,12 +46,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1055 | CWE-74 | Injection | High
|
||||
3 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 1 more TTP items available. Please use our online service to access the data.
|
||||
There are 12 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -65,13 +65,13 @@ ID | Type | Indicator | Confidence
|
|||
4 | File | `/mgmt/tm/util/bash` | High
|
||||
5 | File | `/recordings/index.php` | High
|
||||
6 | File | `/uncpath/` | Medium
|
||||
7 | File | `add_vhost.php` | High
|
||||
8 | File | `admin-ajax.php` | High
|
||||
9 | File | `and/or` | Low
|
||||
10 | File | `arsys/servlet/AttachServlet` | High
|
||||
7 | File | `/webssh` | Low
|
||||
8 | File | `add_vhost.php` | High
|
||||
9 | File | `admin-ajax.php` | High
|
||||
10 | File | `and/or` | Low
|
||||
11 | ... | ... | ...
|
||||
|
||||
There are 87 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 88 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -0,0 +1,89 @@
|
|||
# Koobface - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Koobface](https://vuldb.com/?actor.koobface). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.koobface](https://vuldb.com/?actor.koobface)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Koobface:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [IL](https://vuldb.com/?country.il)
|
||||
* [GR](https://vuldb.com/?country.gr)
|
||||
* ...
|
||||
|
||||
There are 11 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Koobface.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [41.214.183.130](https://vuldb.com/?ip.41.214.183.130) | - | - | High
|
||||
2 | [58.241.255.37](https://vuldb.com/?ip.58.241.255.37) | - | - | High
|
||||
3 | [62.0.134.79](https://vuldb.com/?ip.62.0.134.79) | HFA62-0-134-79.bb.netvision.net.il | - | High
|
||||
4 | [67.225.102.105](https://vuldb.com/?ip.67.225.102.105) | 67-225-102-105.prna.hsdb.sasknet.sk.ca | - | High
|
||||
5 | [77.70.108.163](https://vuldb.com/?ip.77.70.108.163) | - | - | High
|
||||
6 | [77.78.197.176](https://vuldb.com/?ip.77.78.197.176) | cable-77-78-197-176.static.telemach.ba | - | High
|
||||
7 | [77.127.81.103](https://vuldb.com/?ip.77.127.81.103) | - | - | High
|
||||
8 | [77.239.21.34](https://vuldb.com/?ip.77.239.21.34) | cable-77-239-0-34.dynamic.telemach.ba | - | High
|
||||
9 | [78.1.251.26](https://vuldb.com/?ip.78.1.251.26) | 78-1-251-26.adsl.net.t-com.hr | - | High
|
||||
10 | [78.3.42.99](https://vuldb.com/?ip.78.3.42.99) | 78-3-42-99.adsl.net.t-com.hr | - | High
|
||||
11 | [78.90.85.7](https://vuldb.com/?ip.78.90.85.7) | - | - | High
|
||||
12 | [78.183.143.188](https://vuldb.com/?ip.78.183.143.188) | 78.183.143.188.dynamic.ttnet.com.tr | - | High
|
||||
13 | [79.113.8.107](https://vuldb.com/?ip.79.113.8.107) | 79-113-8-107.rdsnet.ro | - | High
|
||||
14 | [79.130.252.204](https://vuldb.com/?ip.79.130.252.204) | athedsl-4426972.home.otenet.gr | - | High
|
||||
15 | [79.131.26.192](https://vuldb.com/?ip.79.131.26.192) | athedsl-377538.home.otenet.gr | - | High
|
||||
16 | [79.138.184.253](https://vuldb.com/?ip.79.138.184.253) | 79.138.184.253.bredband.tre.se | - | High
|
||||
17 | [79.173.242.224](https://vuldb.com/?ip.79.173.242.224) | 79.173.x.224.go.com.jo | - | High
|
||||
18 | ... | ... | ... | ...
|
||||
|
||||
There are 69 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Koobface_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 9 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Koobface. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `.htaccess` | Medium
|
||||
2 | File | `/tmp` | Low
|
||||
3 | File | `/uncpath/` | Medium
|
||||
4 | File | `/var/log/nginx` | High
|
||||
5 | File | `auth-gss2.c` | Medium
|
||||
6 | File | `class.cs_phpmailer.php` | High
|
||||
7 | ... | ... | ...
|
||||
|
||||
There are 44 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://ddanchev.blogspot.com/2018/01/dissecting-koobface-worms-december.html
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -31,12 +31,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1211 | CWE-254, CWE-358 | 7PK Security Features | High
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1055 | CWE-74 | Injection | High
|
||||
3 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 3 more TTP items available. Please use our online service to access the data.
|
||||
There are 13 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -45,21 +45,21 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/.env` | Low
|
||||
2 | File | `/cbpos/` | Low
|
||||
3 | File | `/context/%2e/WEB-INF/web.xml` | High
|
||||
4 | File | `/forum/away.php` | High
|
||||
5 | File | `/horde/util/go.php` | High
|
||||
6 | File | `/plain` | Low
|
||||
7 | File | `/secure/admin/ImporterFinishedPage.jspa` | High
|
||||
8 | File | `/uncpath/` | Medium
|
||||
9 | File | `admin/admin.shtml` | High
|
||||
10 | File | `admin/import/class-import-settings.php` | High
|
||||
11 | File | `Administration/Controllers/ImportController.cs` | High
|
||||
12 | File | `administrator/components/com_media/helpers/media.php` | High
|
||||
13 | File | `base/PdfString.cpp` | High
|
||||
2 | File | `/admin/generalsettings.php` | High
|
||||
3 | File | `/cbpos/` | Low
|
||||
4 | File | `/context/%2e/WEB-INF/web.xml` | High
|
||||
5 | File | `/forum/away.php` | High
|
||||
6 | File | `/horde/util/go.php` | High
|
||||
7 | File | `/plain` | Low
|
||||
8 | File | `/secure/admin/ImporterFinishedPage.jspa` | High
|
||||
9 | File | `/uncpath/` | Medium
|
||||
10 | File | `admin/admin.shtml` | High
|
||||
11 | File | `admin/import/class-import-settings.php` | High
|
||||
12 | File | `Administration/Controllers/ImportController.cs` | High
|
||||
13 | File | `administrator/components/com_media/helpers/media.php` | High
|
||||
14 | ... | ... | ...
|
||||
|
||||
There are 106 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 107 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -21,11 +21,11 @@ There are 8 more campaign items available. Please use our online service to acce
|
|||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Lazarus:
|
||||
|
||||
* [VN](https://vuldb.com/?country.vn)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [IN](https://vuldb.com/?country.in)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* ...
|
||||
|
||||
There are 1 more country items available. Please use our online service to access the data.
|
||||
There are 3 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -228,8 +228,8 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-425 | Pathname Traversal | High
|
||||
2 | T1055 | CWE-74 | Injection | High
|
||||
3 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
4 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
@ -242,18 +242,21 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/app/options.py` | High
|
||||
2 | File | `/bin/posix/src/ports/POSIX/OpENer` | High
|
||||
3 | File | `/dashboard/menu-list.php` | High
|
||||
4 | File | `/dashboard/profile.php` | High
|
||||
5 | File | `/dashboard/table-list.php` | High
|
||||
6 | File | `/etc/lighttpd.d/ca.pem` | High
|
||||
7 | File | `/ffos/classes/Master.php?f=save_category` | High
|
||||
8 | File | `/home/iojs/build/ws/out/Release/obj.target/deps/openssl/openssl.cnf` | High
|
||||
9 | File | `/pkg/util` | Medium
|
||||
10 | ... | ... | ...
|
||||
1 | File | `.python-version` | High
|
||||
2 | File | `/admin/curltest.cgi` | High
|
||||
3 | File | `/admin/vca/bia/addacph.cgi` | High
|
||||
4 | File | `/admin/vca/license/license_tok.cgi` | High
|
||||
5 | File | `/api/sys_username_passwd.cmd` | High
|
||||
6 | File | `/bin/posix/src/ports/POSIX/OpENer` | High
|
||||
7 | File | `/bmis/pages/resident/resident.php` | High
|
||||
8 | File | `/cgi-bin/luci/api/auth` | High
|
||||
9 | File | `/cgi-bin/mesh.cgi?page=upgrade` | High
|
||||
10 | File | `/cgi-bin/nightled.cgi` | High
|
||||
11 | File | `/cgi-bin/touchlist_sync.cgi` | High
|
||||
12 | File | `/conf/` | Low
|
||||
13 | ... | ... | ...
|
||||
|
||||
There are 74 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 97 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -10,10 +10,10 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
|
||||
* [VN](https://vuldb.com/?country.vn)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [FR](https://vuldb.com/?country.fr)
|
||||
* ...
|
||||
|
||||
There are 2 more country items available. Please use our online service to access the data.
|
||||
There are 1 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -39,9 +39,11 @@ ID | IP address | Hostname | Campaign | Confidence
|
|||
16 | [59.111.181.116](https://vuldb.com/?ip.59.111.181.116) | - | - | High
|
||||
17 | [59.175.154.97](https://vuldb.com/?ip.59.175.154.97) | - | - | High
|
||||
18 | [60.10.56.169](https://vuldb.com/?ip.60.10.56.169) | hebei.10.60.in-addr.arpa | - | High
|
||||
19 | ... | ... | ... | ...
|
||||
19 | [60.10.134.93](https://vuldb.com/?ip.60.10.134.93) | hebei.10.60.in-addr.arpa | - | High
|
||||
20 | [60.19.236.50](https://vuldb.com/?ip.60.19.236.50) | - | - | High
|
||||
21 | ... | ... | ... | ...
|
||||
|
||||
There are 71 more IOC items available. Please use our online service to access the data.
|
||||
There are 78 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
@ -49,12 +51,14 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-294, CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
|
||||
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
6 | ... | ... | ... | ...
|
||||
|
||||
There are 5 more TTP items available. Please use our online service to access the data.
|
||||
There are 22 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -62,49 +66,45 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `//` | Low
|
||||
2 | File | `/cgi-bin/luci` | High
|
||||
3 | File | `/config/getuser` | High
|
||||
4 | File | `/form/index.php?module=getjson` | High
|
||||
5 | File | `/forum/away.php` | High
|
||||
6 | File | `/horde/util/go.php` | High
|
||||
7 | File | `/hostapd` | Medium
|
||||
8 | File | `/include/chart_generator.php` | High
|
||||
9 | File | `/MTFWU` | Low
|
||||
10 | File | `/my_photo_gallery/image.php` | High
|
||||
11 | File | `/ptms/classes/Users.php` | High
|
||||
12 | File | `/public/admin.php` | High
|
||||
13 | File | `/public/login.htm` | High
|
||||
14 | File | `/public/login.htm?errormsg=&loginurl=%22%3E%3Csvg%20onload=prompt%28/XSS/%29%3E` | High
|
||||
15 | File | `/public/plugins/` | High
|
||||
16 | File | `/rest/api/1.0/render` | High
|
||||
17 | File | `/s/` | Low
|
||||
18 | File | `/SAP_Information_System/controllers/add_admin.php` | High
|
||||
19 | File | `/scripts/unlock_tasks.php` | High
|
||||
20 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
21 | File | `/sm/api/v1/firewall/zone/services` | High
|
||||
22 | File | `/sys/attachment/uploaderServlet` | High
|
||||
23 | File | `/uncpath/` | Medium
|
||||
24 | File | `/user-utils/users/md5.json` | High
|
||||
25 | File | `/userfs/bin/tcapi` | High
|
||||
26 | File | `/userRpm/popupSiteSurveyRpm.html` | High
|
||||
27 | File | `/usr/bin/pkexec` | High
|
||||
28 | File | `/wp-admin/admin-ajax.php` | High
|
||||
29 | File | `/wp-json` | Medium
|
||||
30 | File | `102/tcp` | Low
|
||||
31 | File | `accountrecoveryendpoint/recoverpassword.do` | High
|
||||
32 | File | `admin.php` | Medium
|
||||
33 | File | `admin.remository.php` | High
|
||||
34 | File | `admin/conf_users_edit.php` | High
|
||||
35 | File | `adminpanel/modules/pro/inc/ajax.php` | High
|
||||
36 | ... | ... | ...
|
||||
1 | File | `.python-version` | High
|
||||
2 | File | `/admin.php/news/admin/topic/save` | High
|
||||
3 | File | `/advance_push/public/login` | High
|
||||
4 | File | `/api/crontab` | Medium
|
||||
5 | File | `/api/RecordingList/DownloadRecord?file=` | High
|
||||
6 | File | `/app/controller/Books.php` | High
|
||||
7 | File | `/ATL/VQ23` | Medium
|
||||
8 | File | `/bin/protest` | Medium
|
||||
9 | File | `/cgi-bin/supervisor/adcommand.cgi` | High
|
||||
10 | File | `/current_action.php?action=reboot` | High
|
||||
11 | File | `/debug/pprof` | Medium
|
||||
12 | File | `/etc/config/image_sign` | High
|
||||
13 | File | `/etc/hosts` | Medium
|
||||
14 | File | `/etc/quagga` | Medium
|
||||
15 | File | `/filemanager/php/connector.php` | High
|
||||
16 | File | `/forum/away.php` | High
|
||||
17 | File | `/index.php?p=admin/actions/users/send-password-reset-email` | High
|
||||
18 | File | `/language/lang` | High
|
||||
19 | File | `/loginsave.php` | High
|
||||
20 | File | `/menu.html` | Medium
|
||||
21 | File | `/mgmt/tm/util/bash` | High
|
||||
22 | File | `/owa/auth/logon.aspx` | High
|
||||
23 | File | `/public/plugins/` | High
|
||||
24 | File | `/recreate.php` | High
|
||||
25 | File | `/rest/api/latest/user/avatar/temporary` | High
|
||||
26 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
27 | File | `/sql/sql_string.h` | High
|
||||
28 | File | `/sql/sql_type.cc` | High
|
||||
29 | File | `/strings/ctype-latin1.c` | High
|
||||
30 | File | `/strings/ctype-simple.c` | High
|
||||
31 | ... | ... | ...
|
||||
|
||||
There are 304 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 266 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://blog.talosintelligence.com/2020/10/lemon-duck-brings-cryptocurrency-miners.html
|
||||
* https://github.com/guardicore/labs_campaigns/tree/master/Lemon_Duck
|
||||
|
||||
## Literature
|
||||
|
|
|
@ -34,8 +34,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
3 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 4 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
|
|
@ -8,12 +8,12 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
|
|||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with LinuxMoose:
|
||||
|
||||
* [ES](https://vuldb.com/?country.es)
|
||||
* [NL](https://vuldb.com/?country.nl)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* ...
|
||||
|
||||
There are 21 more country items available. Please use our online service to access the data.
|
||||
There are 14 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -44,12 +44,13 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 6 more TTP items available. Please use our online service to access the data.
|
||||
There are 17 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -57,37 +58,35 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `.travis.yml` | Medium
|
||||
2 | File | `/context/%2e/WEB-INF/web.xml` | High
|
||||
3 | File | `/file?action=download&file` | High
|
||||
4 | File | `/include/chart_generator.php` | High
|
||||
5 | File | `/monitoring` | Medium
|
||||
6 | File | `/new` | Low
|
||||
7 | File | `/plugins/servlet/audit/resource` | High
|
||||
8 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
|
||||
9 | File | `/proc/<pid>/status` | High
|
||||
10 | File | `/public/plugins/` | High
|
||||
11 | File | `/replication` | Medium
|
||||
12 | File | `/rest/api/1.0/render` | High
|
||||
13 | File | `/RestAPI` | Medium
|
||||
14 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
15 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
16 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
|
||||
17 | File | `/tmp` | Low
|
||||
18 | File | `/trx_addons/v2/get/sc_layout` | High
|
||||
19 | File | `/uncpath/` | Medium
|
||||
20 | File | `/var/log/nginx` | High
|
||||
21 | File | `/wp-json/wc/v3/webhooks` | High
|
||||
22 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
23 | File | `AccountManagerService.java` | High
|
||||
24 | File | `actions/CompanyDetailsSave.php` | High
|
||||
25 | File | `ActivityManagerService.java` | High
|
||||
26 | File | `admin.php` | Medium
|
||||
27 | File | `admin/add-glossary.php` | High
|
||||
28 | File | `admin/conf_users_edit.php` | High
|
||||
29 | ... | ... | ...
|
||||
1 | File | `//proc/kcore` | Medium
|
||||
2 | File | `/Ap4RtpAtom.cpp` | High
|
||||
3 | File | `/app/options.py` | High
|
||||
4 | File | `/bcms/admin/?page=user/list` | High
|
||||
5 | File | `/bsms/?page=manage_account` | High
|
||||
6 | File | `/cgi-bin/login.cgi` | High
|
||||
7 | File | `/ci_hms/massage_room/edit/1` | High
|
||||
8 | File | `/context/%2e/WEB-INF/web.xml` | High
|
||||
9 | File | `/core/conditions/AbstractWrapper.java` | High
|
||||
10 | File | `/dashboard/reports/logs/view` | High
|
||||
11 | File | `/debug/pprof` | Medium
|
||||
12 | File | `/etc/hosts` | Medium
|
||||
13 | File | `/file?action=download&file` | High
|
||||
14 | File | `/fuel/index.php/fuel/logs/items` | High
|
||||
15 | File | `/fuel/sitevariables/delete/4` | High
|
||||
16 | File | `/hprms/admin/doctors/manage_doctor.php` | High
|
||||
17 | File | `/include/chart_generator.php` | High
|
||||
18 | File | `/index/jobfairol/show/` | High
|
||||
19 | File | `/librarian/bookdetails.php` | High
|
||||
20 | File | `/mgmt/tm/util/bash` | High
|
||||
21 | File | `/plugin/LiveChat/getChat.json.php` | High
|
||||
22 | File | `/proc/<PID>/mem` | High
|
||||
23 | File | `/public/plugins/` | High
|
||||
24 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
25 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
26 | File | `/simple_chat_bot/admin/?page=user/manage_user` | High
|
||||
27 | ... | ... | ...
|
||||
|
||||
There are 246 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 230 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -59,7 +59,7 @@ ID | Type | Indicator | Confidence
|
|||
9 | File | `chan_skinny.c` | High
|
||||
10 | ... | ... | ...
|
||||
|
||||
There are 73 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 75 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -22,11 +22,11 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
|
|||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [45.67.231.169](https://vuldb.com/?ip.45.67.231.169) | vm377031.pq.hosting | - | High
|
||||
2 | [103.27.184.27](https://vuldb.com/?ip.103.27.184.27) | - | - | High
|
||||
3 | [103.140.187.183](https://vuldb.com/?ip.103.140.187.183) | - | - | High
|
||||
2 | [45.76.216.40](https://vuldb.com/?ip.45.76.216.40) | 45.76.216.40.vultrusercontent.com | - | High
|
||||
3 | [103.27.184.27](https://vuldb.com/?ip.103.27.184.27) | - | - | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 8 more IOC items available. Please use our online service to access the data.
|
||||
There are 13 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
@ -49,17 +49,19 @@ ID | Type | Indicator | Confidence
|
|||
-- | ---- | --------- | ----------
|
||||
1 | File | `.htaccess` | Medium
|
||||
2 | File | `/admin/index.php` | High
|
||||
3 | File | `/uncpath/` | Medium
|
||||
4 | File | `/upload` | Low
|
||||
5 | File | `color.php` | Medium
|
||||
6 | ... | ... | ...
|
||||
3 | File | `/app/Http/Controllers/Admin/NEditorController.php` | High
|
||||
4 | File | `/config/getuser` | High
|
||||
5 | File | `/uncpath/` | Medium
|
||||
6 | File | `/upload` | Low
|
||||
7 | ... | ... | ...
|
||||
|
||||
There are 41 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 49 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html
|
||||
* https://blogs.jpcert.or.jp/ja/2020/06/LODEINFO-2.html
|
||||
* https://files.macnica.co.jp/mnc/mpressioncss_ta_report_2019_2.pdf
|
||||
|
||||
|
|
|
@ -1,118 +1,171 @@
|
|||
# LokiBot - Cyber Threat Intelligence
|
||||
# Lokibot - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [LokiBot](https://vuldb.com/?actor.lokibot). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Lokibot](https://vuldb.com/?actor.lokibot). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.lokibot](https://vuldb.com/?actor.lokibot)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with LokiBot:
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Lokibot:
|
||||
|
||||
* [ES](https://vuldb.com/?country.es)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [VN](https://vuldb.com/?country.vn)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* ...
|
||||
|
||||
There are 11 more country items available. Please use our online service to access the data.
|
||||
There are 15 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of LokiBot.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Lokibot.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [2.57.186.170](https://vuldb.com/?ip.2.57.186.170) | - | - | High
|
||||
2 | [3.220.57.224](https://vuldb.com/?ip.3.220.57.224) | ec2-3-220-57-224.compute-1.amazonaws.com | - | Medium
|
||||
3 | [3.232.242.170](https://vuldb.com/?ip.3.232.242.170) | ec2-3-232-242-170.compute-1.amazonaws.com | - | Medium
|
||||
4 | [13.107.21.200](https://vuldb.com/?ip.13.107.21.200) | - | - | High
|
||||
5 | [15.197.142.173](https://vuldb.com/?ip.15.197.142.173) | a4ec4c6ea1c92e2e6.awsglobalaccelerator.com | - | High
|
||||
6 | [18.116.152.12](https://vuldb.com/?ip.18.116.152.12) | ec2-18-116-152-12.us-east-2.compute.amazonaws.com | - | Medium
|
||||
7 | [18.188.18.34](https://vuldb.com/?ip.18.188.18.34) | ec2-18-188-18-34.us-east-2.compute.amazonaws.com | - | Medium
|
||||
8 | [20.189.173.20](https://vuldb.com/?ip.20.189.173.20) | - | - | High
|
||||
9 | [23.21.173.155](https://vuldb.com/?ip.23.21.173.155) | ec2-23-21-173-155.compute-1.amazonaws.com | - | Medium
|
||||
10 | [23.21.211.162](https://vuldb.com/?ip.23.21.211.162) | ec2-23-21-211-162.compute-1.amazonaws.com | - | Medium
|
||||
11 | [23.95.132.48](https://vuldb.com/?ip.23.95.132.48) | 23-95-132-48-host.colocrossing.com | - | High
|
||||
12 | [23.205.105.153](https://vuldb.com/?ip.23.205.105.153) | a23-205-105-153.deploy.static.akamaitechnologies.com | - | High
|
||||
13 | [23.205.105.157](https://vuldb.com/?ip.23.205.105.157) | a23-205-105-157.deploy.static.akamaitechnologies.com | - | High
|
||||
14 | [23.222.5.37](https://vuldb.com/?ip.23.222.5.37) | a23-222-5-37.deploy.static.akamaitechnologies.com | - | High
|
||||
15 | [31.41.46.120](https://vuldb.com/?ip.31.41.46.120) | maldova873.example.com | - | High
|
||||
16 | [31.220.52.219](https://vuldb.com/?ip.31.220.52.219) | workshop.piguno.com | - | High
|
||||
17 | [34.98.99.30](https://vuldb.com/?ip.34.98.99.30) | 30.99.98.34.bc.googleusercontent.com | - | Medium
|
||||
18 | [34.102.136.180](https://vuldb.com/?ip.34.102.136.180) | 180.136.102.34.bc.googleusercontent.com | - | Medium
|
||||
19 | [34.117.168.233](https://vuldb.com/?ip.34.117.168.233) | 233.168.117.34.bc.googleusercontent.com | - | Medium
|
||||
20 | [35.186.238.101](https://vuldb.com/?ip.35.186.238.101) | 101.238.186.35.bc.googleusercontent.com | - | Medium
|
||||
21 | [35.247.234.230](https://vuldb.com/?ip.35.247.234.230) | 230.234.247.35.bc.googleusercontent.com | - | Medium
|
||||
22 | [37.235.1.174](https://vuldb.com/?ip.37.235.1.174) | resolver1.freedns.zone.powered.by.virtexxa.com | - | High
|
||||
23 | [37.235.1.177](https://vuldb.com/?ip.37.235.1.177) | resolver2.freedns.zone.powered.by.virtexxa.com | - | High
|
||||
24 | [45.33.83.75](https://vuldb.com/?ip.45.33.83.75) | li1029-75.members.linode.com | - | High
|
||||
25 | [45.122.138.6](https://vuldb.com/?ip.45.122.138.6) | - | - | High
|
||||
26 | [45.128.184.132](https://vuldb.com/?ip.45.128.184.132) | vds107519.mgn-host.ru | - | High
|
||||
27 | [45.147.229.85](https://vuldb.com/?ip.45.147.229.85) | - | - | High
|
||||
28 | [45.154.253.150](https://vuldb.com/?ip.45.154.253.150) | shared04.cust05.proxy.is | - | High
|
||||
29 | ... | ... | ... | ...
|
||||
1 | [1.2.4.8](https://vuldb.com/?ip.1.2.4.8) | public1.sdns.cn | - | High
|
||||
2 | [2.57.186.170](https://vuldb.com/?ip.2.57.186.170) | - | - | High
|
||||
3 | [3.64.163.50](https://vuldb.com/?ip.3.64.163.50) | ec2-3-64-163-50.eu-central-1.compute.amazonaws.com | - | Medium
|
||||
4 | [3.130.204.160](https://vuldb.com/?ip.3.130.204.160) | ec2-3-130-204-160.us-east-2.compute.amazonaws.com | - | Medium
|
||||
5 | [3.220.57.224](https://vuldb.com/?ip.3.220.57.224) | ec2-3-220-57-224.compute-1.amazonaws.com | - | Medium
|
||||
6 | [3.232.242.170](https://vuldb.com/?ip.3.232.242.170) | ec2-3-232-242-170.compute-1.amazonaws.com | - | Medium
|
||||
7 | [5.160.218.88](https://vuldb.com/?ip.5.160.218.88) | ircpanel4.novinhost.org | - | High
|
||||
8 | [5.253.62.214](https://vuldb.com/?ip.5.253.62.214) | - | - | High
|
||||
9 | [5.255.255.80](https://vuldb.com/?ip.5.255.255.80) | yandex.ru | - | High
|
||||
10 | [8.208.76.80](https://vuldb.com/?ip.8.208.76.80) | - | - | High
|
||||
11 | [8.249.245.254](https://vuldb.com/?ip.8.249.245.254) | - | - | High
|
||||
12 | [13.107.21.200](https://vuldb.com/?ip.13.107.21.200) | - | - | High
|
||||
13 | [13.250.255.10](https://vuldb.com/?ip.13.250.255.10) | ec2-13-250-255-10.ap-southeast-1.compute.amazonaws.com | - | Medium
|
||||
14 | [15.197.142.173](https://vuldb.com/?ip.15.197.142.173) | a4ec4c6ea1c92e2e6.awsglobalaccelerator.com | - | High
|
||||
15 | [18.116.152.12](https://vuldb.com/?ip.18.116.152.12) | ec2-18-116-152-12.us-east-2.compute.amazonaws.com | - | Medium
|
||||
16 | [18.118.182.0](https://vuldb.com/?ip.18.118.182.0) | ec2-18-118-182-0.us-east-2.compute.amazonaws.com | - | Medium
|
||||
17 | [18.188.18.34](https://vuldb.com/?ip.18.188.18.34) | ec2-18-188-18-34.us-east-2.compute.amazonaws.com | - | Medium
|
||||
18 | [20.42.65.92](https://vuldb.com/?ip.20.42.65.92) | - | - | High
|
||||
19 | [20.72.235.82](https://vuldb.com/?ip.20.72.235.82) | - | - | High
|
||||
20 | [20.112.52.29](https://vuldb.com/?ip.20.112.52.29) | - | - | High
|
||||
21 | [20.189.173.20](https://vuldb.com/?ip.20.189.173.20) | - | - | High
|
||||
22 | [23.20.239.12](https://vuldb.com/?ip.23.20.239.12) | ec2-23-20-239-12.compute-1.amazonaws.com | - | Medium
|
||||
23 | [23.21.126.66](https://vuldb.com/?ip.23.21.126.66) | ec2-23-21-126-66.compute-1.amazonaws.com | - | Medium
|
||||
24 | [23.21.173.155](https://vuldb.com/?ip.23.21.173.155) | ec2-23-21-173-155.compute-1.amazonaws.com | - | Medium
|
||||
25 | [23.21.211.162](https://vuldb.com/?ip.23.21.211.162) | ec2-23-21-211-162.compute-1.amazonaws.com | - | Medium
|
||||
26 | [23.21.252.4](https://vuldb.com/?ip.23.21.252.4) | ec2-23-21-252-4.compute-1.amazonaws.com | - | Medium
|
||||
27 | [23.95.132.48](https://vuldb.com/?ip.23.95.132.48) | 23-95-132-48-host.colocrossing.com | - | High
|
||||
28 | [23.105.131.228](https://vuldb.com/?ip.23.105.131.228) | - | - | High
|
||||
29 | [23.111.168.182](https://vuldb.com/?ip.23.111.168.182) | netbserverdns02.com | - | High
|
||||
30 | [23.205.105.153](https://vuldb.com/?ip.23.205.105.153) | a23-205-105-153.deploy.static.akamaitechnologies.com | - | High
|
||||
31 | [23.205.105.157](https://vuldb.com/?ip.23.205.105.157) | a23-205-105-157.deploy.static.akamaitechnologies.com | - | High
|
||||
32 | [23.222.5.37](https://vuldb.com/?ip.23.222.5.37) | a23-222-5-37.deploy.static.akamaitechnologies.com | - | High
|
||||
33 | [27.121.64.133](https://vuldb.com/?ip.27.121.64.133) | cp133.ezyreg.com | - | High
|
||||
34 | [31.13.65.174](https://vuldb.com/?ip.31.13.65.174) | instagram-p42-shv-01-atl3.fbcdn.net | - | High
|
||||
35 | [31.41.46.120](https://vuldb.com/?ip.31.41.46.120) | maldova873.example.com | - | High
|
||||
36 | [31.220.52.219](https://vuldb.com/?ip.31.220.52.219) | workshop.piguno.com | - | High
|
||||
37 | [34.77.10.20](https://vuldb.com/?ip.34.77.10.20) | 20.10.77.34.bc.googleusercontent.com | - | Medium
|
||||
38 | [34.98.99.30](https://vuldb.com/?ip.34.98.99.30) | 30.99.98.34.bc.googleusercontent.com | - | Medium
|
||||
39 | [34.102.136.180](https://vuldb.com/?ip.34.102.136.180) | 180.136.102.34.bc.googleusercontent.com | - | Medium
|
||||
40 | [34.117.168.233](https://vuldb.com/?ip.34.117.168.233) | 233.168.117.34.bc.googleusercontent.com | - | Medium
|
||||
41 | [34.205.248.193](https://vuldb.com/?ip.34.205.248.193) | ec2-34-205-248-193.compute-1.amazonaws.com | - | Medium
|
||||
42 | [35.186.238.101](https://vuldb.com/?ip.35.186.238.101) | 101.238.186.35.bc.googleusercontent.com | - | Medium
|
||||
43 | [35.238.161.88](https://vuldb.com/?ip.35.238.161.88) | 88.161.238.35.bc.googleusercontent.com | - | Medium
|
||||
44 | [35.247.234.230](https://vuldb.com/?ip.35.247.234.230) | 230.234.247.35.bc.googleusercontent.com | - | Medium
|
||||
45 | [37.49.224.146](https://vuldb.com/?ip.37.49.224.146) | - | - | High
|
||||
46 | [37.49.224.209](https://vuldb.com/?ip.37.49.224.209) | - | - | High
|
||||
47 | [37.49.225.195](https://vuldb.com/?ip.37.49.225.195) | - | - | High
|
||||
48 | [37.49.225.217](https://vuldb.com/?ip.37.49.225.217) | - | - | High
|
||||
49 | [37.120.146.122](https://vuldb.com/?ip.37.120.146.122) | - | - | High
|
||||
50 | [37.120.146.124](https://vuldb.com/?ip.37.120.146.124) | - | - | High
|
||||
51 | [37.235.1.174](https://vuldb.com/?ip.37.235.1.174) | resolver1.freedns.zone.powered.by.virtexxa.com | - | High
|
||||
52 | [37.235.1.177](https://vuldb.com/?ip.37.235.1.177) | resolver2.freedns.zone.powered.by.virtexxa.com | - | High
|
||||
53 | [40.70.224.146](https://vuldb.com/?ip.40.70.224.146) | - | - | High
|
||||
54 | [40.76.4.15](https://vuldb.com/?ip.40.76.4.15) | - | - | High
|
||||
55 | [43.254.17.15](https://vuldb.com/?ip.43.254.17.15) | 43-254-17-15.static.ip.net.tw | - | High
|
||||
56 | [43.255.154.37](https://vuldb.com/?ip.43.255.154.37) | ip-43-255-154-37.ip.secureserver.net | - | High
|
||||
57 | [45.33.83.75](https://vuldb.com/?ip.45.33.83.75) | li1029-75.members.linode.com | - | High
|
||||
58 | [45.43.35.96](https://vuldb.com/?ip.45.43.35.96) | - | - | High
|
||||
59 | [45.67.14.182](https://vuldb.com/?ip.45.67.14.182) | - | - | High
|
||||
60 | [45.80.132.70](https://vuldb.com/?ip.45.80.132.70) | host-45-80-132-70.superhosting.rs | - | High
|
||||
61 | [45.122.138.6](https://vuldb.com/?ip.45.122.138.6) | - | - | High
|
||||
62 | [45.128.184.132](https://vuldb.com/?ip.45.128.184.132) | vds107519.mgn-host.ru | - | High
|
||||
63 | [45.147.229.85](https://vuldb.com/?ip.45.147.229.85) | - | - | High
|
||||
64 | [45.154.253.150](https://vuldb.com/?ip.45.154.253.150) | shared04.cust05.proxy.is | - | High
|
||||
65 | [45.154.253.152](https://vuldb.com/?ip.45.154.253.152) | shared06.cust05.proxy.is | - | High
|
||||
66 | [46.17.98.105](https://vuldb.com/?ip.46.17.98.105) | - | - | High
|
||||
67 | [46.101.46.83](https://vuldb.com/?ip.46.101.46.83) | - | - | High
|
||||
68 | [47.52.60.150](https://vuldb.com/?ip.47.52.60.150) | - | - | High
|
||||
69 | [47.91.169.15](https://vuldb.com/?ip.47.91.169.15) | - | - | High
|
||||
70 | [47.254.177.155](https://vuldb.com/?ip.47.254.177.155) | - | - | High
|
||||
71 | ... | ... | ... | ...
|
||||
|
||||
There are 112 more IOC items available. Please use our online service to access the data.
|
||||
There are 280 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _LokiBot_. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Lokibot_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
|
||||
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
6 | ... | ... | ... | ...
|
||||
|
||||
There are 6 more TTP items available. Please use our online service to access the data.
|
||||
There are 20 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by LokiBot. This data is unique as it uses our predictive model for actor profiling.
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Lokibot. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/.env` | Low
|
||||
2 | File | `/.ssh/authorized_keys` | High
|
||||
3 | File | `/car.php` | Medium
|
||||
4 | File | `/CMD_ACCOUNT_ADMIN` | High
|
||||
5 | File | `/config/getuser` | High
|
||||
6 | File | `/core/admin/categories.php` | High
|
||||
7 | File | `/dashboards/#` | High
|
||||
8 | File | `/etc/controller-agent/agent.conf` | High
|
||||
9 | File | `/etc/postfix/sender_login` | High
|
||||
10 | File | `/etc/sudoers` | Medium
|
||||
11 | File | `/etc/tomcat8/Catalina/attack` | High
|
||||
12 | File | `/filemanager/php/connector.php` | High
|
||||
13 | File | `/forum/away.php` | High
|
||||
14 | File | `/fudforum/adm/hlplist.php` | High
|
||||
15 | File | `/GponForm/fsetup_Form` | High
|
||||
16 | File | `/log_download.cgi` | High
|
||||
17 | File | `/modules/profile/index.php` | High
|
||||
18 | File | `/MTFWU` | Low
|
||||
19 | File | `/out.php` | Medium
|
||||
20 | File | `/public/plugins/` | High
|
||||
21 | File | `/s/` | Low
|
||||
22 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
23 | File | `/server-info` | Medium
|
||||
24 | File | `/tmp` | Low
|
||||
25 | File | `/tmp/app/.env` | High
|
||||
26 | File | `/tmp/kamailio_ctl` | High
|
||||
27 | File | `/tmp/kamailio_fifo` | High
|
||||
28 | File | `/uncpath/` | Medium
|
||||
29 | File | `/updown/upload.cgi` | High
|
||||
30 | File | `/usr/bin/pkexec` | High
|
||||
31 | File | `/way4acs/enroll` | High
|
||||
32 | File | `/WEB-INF/web.xml` | High
|
||||
33 | File | `/wp-json/wc/v3/webhooks` | High
|
||||
34 | ... | ... | ...
|
||||
1 | File | `//proc/kcore` | Medium
|
||||
2 | File | `/Ap4RtpAtom.cpp` | High
|
||||
3 | File | `/app/options.py` | High
|
||||
4 | File | `/bcms/admin/?page=user/list` | High
|
||||
5 | File | `/bsms/?page=manage_account` | High
|
||||
6 | File | `/cgi-bin/login.cgi` | High
|
||||
7 | File | `/cgi-bin/luci/api/auth` | High
|
||||
8 | File | `/cgi-bin/luci/api/diagnose` | High
|
||||
9 | File | `/ci_hms/massage_room/edit/1` | High
|
||||
10 | File | `/dashboard/reports/logs/view` | High
|
||||
11 | File | `/debug/pprof` | Medium
|
||||
12 | File | `/etc/config/image_sign` | High
|
||||
13 | File | `/etc/groups` | Medium
|
||||
14 | File | `/etc/hosts` | Medium
|
||||
15 | File | `/forum/away.php` | High
|
||||
16 | File | `/fuel/index.php/fuel/logs/items` | High
|
||||
17 | File | `/fuel/sitevariables/delete/4` | High
|
||||
18 | File | `/ghost/preview` | High
|
||||
19 | File | `/hprms/admin/doctors/manage_doctor.php` | High
|
||||
20 | File | `/index/jobfairol/show/` | High
|
||||
21 | File | `/librarian/bookdetails.php` | High
|
||||
22 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
|
||||
23 | File | `/mgmt/tm/util/bash` | High
|
||||
24 | File | `/MTFWU` | Low
|
||||
25 | File | `/php/passport/index.php` | High
|
||||
26 | File | `/proc/<PID>/mem` | High
|
||||
27 | ... | ... | ...
|
||||
|
||||
There are 290 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 230 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://blog.talosintelligence.com/2019/04/threat-source-april-18-new-attacks.html
|
||||
* https://blog.talosintelligence.com/2019/05/threat-roundup-0524-0531.html
|
||||
* https://blog.talosintelligence.com/2019/06/threat-roundup-0531-0607.html
|
||||
* https://blog.talosintelligence.com/2019/06/threat-roundup-0621-0628.html
|
||||
* https://blog.talosintelligence.com/2019/07/threat-roundup-0719-0726.html
|
||||
* https://blog.talosintelligence.com/2019/10/threat-roundup-1011-1018.html
|
||||
* https://blog.talosintelligence.com/2019/11/threat-roundup-1025-1101.html
|
||||
* https://blog.talosintelligence.com/2019/12/threat-roundup-1129-1206.html
|
||||
* https://blog.talosintelligence.com/2020/04/threat-roundup-0410-0417.html
|
||||
* https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
|
||||
* https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
|
||||
* https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html
|
||||
* https://blog.talosintelligence.com/2020/08/tru-0731-0807.html
|
||||
* https://blog.talosintelligence.com/2020/10/threat-roundup-1016-1023.html
|
||||
* https://blog.talosintelligence.com/2020/10/threat-roundup-1023-1030.html
|
||||
* https://blog.talosintelligence.com/2020/11/threat-roundup-1113-1120.html
|
||||
* https://blog.talosintelligence.com/2021/04/threat-roundup-0423-0430.html
|
||||
* https://blog.talosintelligence.com/2021/06/threat-roundup-0604-0611.html
|
||||
* https://blog.talosintelligence.com/2021/07/threat-roundup-0716-0723.html
|
||||
|
@ -126,6 +179,15 @@ The following list contains _external sources_ which discuss the actor and the a
|
|||
* https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
|
||||
* https://blog.talosintelligence.com/2022/03/threat-roundup-0304-0311.html
|
||||
* https://blog.talosintelligence.com/2022/03/threat-roundup-0311-0318.html
|
||||
* https://blog.talosintelligence.com/2022/04/threat-roundup-0401-0408.html
|
||||
* https://blog.talosintelligence.com/2022/04/threat-roundup-0408-0415.html
|
||||
* https://blog.talosintelligence.com/2022/05/threat-roundup-0429-0506.html
|
||||
* https://blog.talosintelligence.com/2022/05/threat-roundup-0506-0513.html
|
||||
* https://github.com/executemalware/Malware-IOCs/blob/main/2021-10-20%20Lokibot%20IOCs
|
||||
* https://github.com/executemalware/Malware-IOCs/blob/main/2021-11-17%20Lokibot%20IOCs
|
||||
* https://github.com/executemalware/Malware-IOCs/blob/main/2022-05-16%20Lokibot%20IOCs
|
||||
* https://isc.sans.edu/forums/diary/3+examples+of+malspam+pushing+LokiBot+malware/23317/
|
||||
* https://isc.sans.edu/forums/diary/HSBCthemed+malspam+uses+ISO+attachments+to+push+Loki+Bot+malware/22942/
|
||||
* https://isc.sans.edu/forums/diary/Malspam+pushing+Lokibot+malware/24372/
|
||||
* https://isc.sans.edu/forums/diary/More+malspam+pushing+Lokibot/23754/
|
||||
* https://vxug.fakedoma.in/archive/APTs/2021/2021.01.06(1)/LokiBot%20Infection%20Chain.pdf
|
||||
|
|
|
@ -0,0 +1,109 @@
|
|||
# Luna Moth - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Luna Moth](https://vuldb.com/?actor.luna_moth). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.luna_moth](https://vuldb.com/?actor.luna_moth)
|
||||
|
||||
## Campaigns
|
||||
|
||||
The following _campaigns_ are known and can be associated with Luna Moth:
|
||||
|
||||
* Subscription Scam
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Luna Moth:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* [RU](https://vuldb.com/?country.ru)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Luna Moth.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [23.238.40.28](https://vuldb.com/?ip.23.238.40.28) | hwsrv-979679.hostwindsdns.com | Subscription Scam | High
|
||||
2 | [23.238.40.29](https://vuldb.com/?ip.23.238.40.29) | hwsrv-979677.hostwindsdns.com | Subscription Scam | High
|
||||
3 | [23.238.40.30](https://vuldb.com/?ip.23.238.40.30) | hwsrv-979678.hostwindsdns.com | Subscription Scam | High
|
||||
4 | [23.238.40.31](https://vuldb.com/?ip.23.238.40.31) | hwsrv-979680.hostwindsdns.com | Subscription Scam | High
|
||||
5 | [23.238.40.32](https://vuldb.com/?ip.23.238.40.32) | hwsrv-979681.hostwindsdns.com | Subscription Scam | High
|
||||
6 | [23.254.227.79](https://vuldb.com/?ip.23.254.227.79) | client-23-254-227-79.hostwindsdns.com | Subscription Scam | High
|
||||
7 | [23.254.228.211](https://vuldb.com/?ip.23.254.228.211) | hwsrv-981934.hostwindsdns.com | Subscription Scam | High
|
||||
8 | [23.254.229.90](https://vuldb.com/?ip.23.254.229.90) | client-23-254-229-90.hostwindsdns.com | Subscription Scam | High
|
||||
9 | [104.168.135.71](https://vuldb.com/?ip.104.168.135.71) | hwsrv-975503.hostwindsdns.com | Subscription Scam | High
|
||||
10 | [104.168.164.244](https://vuldb.com/?ip.104.168.164.244) | client-104-168-164-244.hostwindsdns.com | Subscription Scam | High
|
||||
11 | [104.168.171.104](https://vuldb.com/?ip.104.168.171.104) | hwsrv-979189.hostwindsdns.com | Subscription Scam | High
|
||||
12 | [104.168.171.231](https://vuldb.com/?ip.104.168.171.231) | hwsrv-979190.hostwindsdns.com | Subscription Scam | High
|
||||
13 | [104.168.201.87](https://vuldb.com/?ip.104.168.201.87) | client-104-168-201-87.hostwindsdns.com | Subscription Scam | High
|
||||
14 | [104.168.201.100](https://vuldb.com/?ip.104.168.201.100) | client-104-168-201-100.hostwindsdns.com | Subscription Scam | High
|
||||
15 | [104.168.201.121](https://vuldb.com/?ip.104.168.201.121) | client-104-168-201-121.hostwindsdns.com | Subscription Scam | High
|
||||
16 | [104.168.201.129](https://vuldb.com/?ip.104.168.201.129) | client-104-168-201-129.hostwindsdns.com | Subscription Scam | High
|
||||
17 | [104.168.204.231](https://vuldb.com/?ip.104.168.204.231) | client-104-168-204-231.hostwindsdns.com | Subscription Scam | High
|
||||
18 | [104.168.218.242](https://vuldb.com/?ip.104.168.218.242) | hwsrv-975504.hostwindsdns.com | Subscription Scam | High
|
||||
19 | ... | ... | ... | ...
|
||||
|
||||
There are 70 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Luna Moth_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1055 | CWE-74 | Injection | High
|
||||
3 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 8 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Luna Moth. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/ajax-files/followBoard.php` | High
|
||||
2 | File | `/includes/lib/detail.php` | High
|
||||
3 | File | `/modules/projects/vw_files.php` | High
|
||||
4 | File | `/see_more_details.php` | High
|
||||
5 | File | `/server-status` | High
|
||||
6 | File | `add-services.php` | High
|
||||
7 | File | `admin.php` | Medium
|
||||
8 | File | `admin/models/Galleries.php` | High
|
||||
9 | File | `affich.php` | Medium
|
||||
10 | File | `affiliate-preview.php` | High
|
||||
11 | File | `akocomments.php` | High
|
||||
12 | File | `album_portal.php` | High
|
||||
13 | File | `application/modules/admin/views/ecommerce/products.php` | High
|
||||
14 | File | `apps/app_article/controller/rating.php` | High
|
||||
15 | File | `app\Http\Controllers\Backend\ProfileController.php` | High
|
||||
16 | File | `auktion.cgi` | Medium
|
||||
17 | File | `basket.php` | Medium
|
||||
18 | File | `big.php` | Low
|
||||
19 | File | `category_list.php` | High
|
||||
20 | File | `closeup.php` | Medium
|
||||
21 | File | `cng.sys` | Low
|
||||
22 | File | `comersus_optreviewreadexec.asp` | High
|
||||
23 | ... | ... | ...
|
||||
|
||||
There are 187 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://blog.sygnia.co/luna-moth-false-subscription-scams
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -19,7 +19,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
* [RU](https://vuldb.com/?country.ru)
|
||||
* ...
|
||||
|
||||
There are 28 more country items available. Please use our online service to access the data.
|
||||
There are 29 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -40,12 +40,14 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-250, CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-24 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
|
||||
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
6 | ... | ... | ... | ...
|
||||
|
||||
There are 9 more TTP items available. Please use our online service to access the data.
|
||||
There are 19 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -58,49 +60,49 @@ ID | Type | Indicator | Confidence
|
|||
3 | File | `/.ssh/authorized_keys` | High
|
||||
4 | File | `/admin/default.asp` | High
|
||||
5 | File | `/ajax/networking/get_netcfg.php` | High
|
||||
6 | File | `/assets/ctx` | Medium
|
||||
7 | File | `/checkLogin.cgi` | High
|
||||
8 | File | `/cms/print.php` | High
|
||||
9 | File | `/concat?/%2557EB-INF/web.xml` | High
|
||||
10 | File | `/Content/Template/root/reverse-shell.aspx` | High
|
||||
11 | File | `/course/api/upload/pic` | High
|
||||
12 | File | `/data/remove` | Medium
|
||||
13 | File | `/etc/passwd` | Medium
|
||||
14 | File | `/goforms/rlminfo` | High
|
||||
15 | File | `/login` | Low
|
||||
16 | File | `/navigate/navigate_download.php` | High
|
||||
17 | File | `/ocwbs/admin/?page=user/manage_user` | High
|
||||
18 | File | `/ofrs/admin/?page=user/manage_user` | High
|
||||
19 | File | `/owa/auth/logon.aspx` | High
|
||||
20 | File | `/p` | Low
|
||||
21 | File | `/password.html` | High
|
||||
22 | File | `/proc/ioports` | High
|
||||
23 | File | `/property-list/property_view.php` | High
|
||||
24 | File | `/ptms/classes/Users.php` | High
|
||||
25 | File | `/rest` | Low
|
||||
26 | File | `/rest/api/2/search` | High
|
||||
27 | File | `/s/` | Low
|
||||
28 | File | `/scripts/cpan_config` | High
|
||||
29 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
30 | File | `/services/system/setup.json` | High
|
||||
31 | File | `/uncpath/` | Medium
|
||||
32 | File | `/vloggers_merch/?p=view_product` | High
|
||||
33 | File | `/webconsole/APIController` | High
|
||||
34 | File | `/websocket/exec` | High
|
||||
35 | File | `/wp-admin/admin-ajax.php` | High
|
||||
36 | File | `/wp-content/plugins/updraftplus/admin.php` | High
|
||||
37 | File | `/wp-json` | Medium
|
||||
38 | File | `/wp-json/oembed/1.0/embed?url` | High
|
||||
39 | File | `/_next` | Low
|
||||
40 | File | `4.edu.php\conn\function.php` | High
|
||||
41 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
42 | File | `adclick.php` | Medium
|
||||
43 | File | `addentry.php` | Medium
|
||||
44 | File | `admin/category.inc.php` | High
|
||||
45 | File | `admin/conf_users_edit.php` | High
|
||||
6 | File | `/app/options.py` | High
|
||||
7 | File | `/assets/ctx` | Medium
|
||||
8 | File | `/ci_spms/admin/category` | High
|
||||
9 | File | `/ci_spms/admin/search/searching/` | High
|
||||
10 | File | `/classes/Master.php?f=delete_train` | High
|
||||
11 | File | `/cms/print.php` | High
|
||||
12 | File | `/concat?/%2557EB-INF/web.xml` | High
|
||||
13 | File | `/Content/Template/root/reverse-shell.aspx` | High
|
||||
14 | File | `/course/api/upload/pic` | High
|
||||
15 | File | `/dashboard/menu-list.php` | High
|
||||
16 | File | `/data/remove` | Medium
|
||||
17 | File | `/etc/passwd` | Medium
|
||||
18 | File | `/ffos/classes/Master.php?f=save_category` | High
|
||||
19 | File | `/goforms/rlminfo` | High
|
||||
20 | File | `/login` | Low
|
||||
21 | File | `/navigate/navigate_download.php` | High
|
||||
22 | File | `/ocwbs/admin/?page=user/manage_user` | High
|
||||
23 | File | `/ofrs/admin/?page=user/manage_user` | High
|
||||
24 | File | `/owa/auth/logon.aspx` | High
|
||||
25 | File | `/p` | Low
|
||||
26 | File | `/password.html` | High
|
||||
27 | File | `/pms/index.php` | High
|
||||
28 | File | `/proc/ioports` | High
|
||||
29 | File | `/property-list/property_view.php` | High
|
||||
30 | File | `/ptms/classes/Users.php` | High
|
||||
31 | File | `/rest` | Low
|
||||
32 | File | `/rest/api/2/search` | High
|
||||
33 | File | `/s/` | Low
|
||||
34 | File | `/scripts/cpan_config` | High
|
||||
35 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
36 | File | `/services/system/setup.json` | High
|
||||
37 | File | `/spip.php` | Medium
|
||||
38 | File | `/uncpath/` | Medium
|
||||
39 | File | `/vloggers_merch/?p=view_product` | High
|
||||
40 | File | `/webconsole/APIController` | High
|
||||
41 | File | `/websocket/exec` | High
|
||||
42 | File | `/wp-admin/admin-ajax.php` | High
|
||||
43 | File | `/wp-content/plugins/updraftplus/admin.php` | High
|
||||
44 | File | `/wp-json` | Medium
|
||||
45 | File | `/wp-json/oembed/1.0/embed?url` | High
|
||||
46 | ... | ... | ...
|
||||
|
||||
There are 394 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 399 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -8,8 +8,8 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
|
|||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with MATA:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [LA](https://vuldb.com/?country.la)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* ...
|
||||
|
||||
|
@ -35,12 +35,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1211 | CWE-254 | 7PK Security Features | High
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1055 | CWE-74 | Injection | High
|
||||
3 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 2 more TTP items available. Please use our online service to access the data.
|
||||
There are 11 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -48,17 +48,19 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/forum/away.php` | High
|
||||
2 | File | `/out.php` | Medium
|
||||
3 | File | `/phppath/php` | Medium
|
||||
4 | File | `/systemrw/` | Medium
|
||||
5 | File | `adclick.php` | Medium
|
||||
6 | File | `application/modules/admin/views/ecommerce/products.php` | High
|
||||
7 | File | `base/ErrorHandler.php` | High
|
||||
8 | File | `blog.php` | Medium
|
||||
9 | ... | ... | ...
|
||||
1 | File | `/admin/dl_sendmail.php` | High
|
||||
2 | File | `/forum/away.php` | High
|
||||
3 | File | `/out.php` | Medium
|
||||
4 | File | `/phppath/php` | Medium
|
||||
5 | File | `/systemrw/` | Medium
|
||||
6 | File | `adclick.php` | Medium
|
||||
7 | File | `application/modules/admin/views/ecommerce/products.php` | High
|
||||
8 | File | `base/ErrorHandler.php` | High
|
||||
9 | File | `blog.php` | Medium
|
||||
10 | File | `category.php` | Medium
|
||||
11 | ... | ... | ...
|
||||
|
||||
There are 70 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 80 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -34,9 +34,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1211 | CWE-254 | 7PK Security Features | High
|
||||
1 | T1055 | CWE-74 | Injection | High
|
||||
2 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
3 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 4 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
|
|
@ -89,16 +89,16 @@ ID | Type | Indicator | Confidence
|
|||
14 | File | `/goforms/rlminfo` | High
|
||||
15 | File | `/newsDia.php` | Medium
|
||||
16 | File | `/plugin` | Low
|
||||
17 | File | `/rating.php` | Medium
|
||||
18 | File | `/scas/admin/` | Medium
|
||||
19 | File | `/scas/classes/Users.php?f=save_user` | High
|
||||
20 | File | `/services/prefs.php` | High
|
||||
21 | File | `/src/njs_object.c` | High
|
||||
22 | File | `/uncpath/` | Medium
|
||||
23 | File | `/wordpress-gallery-transformation/gallery.php` | High
|
||||
17 | File | `/pms/index.php` | High
|
||||
18 | File | `/rating.php` | Medium
|
||||
19 | File | `/scas/admin/` | Medium
|
||||
20 | File | `/scas/classes/Users.php?f=save_user` | High
|
||||
21 | File | `/services/prefs.php` | High
|
||||
22 | File | `/src/njs_object.c` | High
|
||||
23 | File | `/uncpath/` | Medium
|
||||
24 | ... | ... | ...
|
||||
|
||||
There are 201 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 204 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -0,0 +1,60 @@
|
|||
# Matanbuchus - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Matanbuchus](https://vuldb.com/?actor.matanbuchus). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.matanbuchus](https://vuldb.com/?actor.matanbuchus)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Matanbuchus:
|
||||
|
||||
* [TT](https://vuldb.com/?country.tt)
|
||||
* [CO](https://vuldb.com/?country.co)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Matanbuchus.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [213.226.114.15](https://vuldb.com/?ip.213.226.114.15) | - | - | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Matanbuchus_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
|
||||
3 | T1548.002 | CWE-285 | Improper Authorization | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 1 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Matanbuchus. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `AdminBaseController.class.php` | High
|
||||
2 | File | `include/ajax.draft.php` | High
|
||||
3 | Argument | `request` | Low
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://github.com/executemalware/Malware-IOCs/blob/main/2022-06-16%20Matanbuchus%20IOCs
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -47,14 +47,14 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
|
||||
1 | T1006 | CWE-22, CWE-23 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-294, CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
|
||||
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
6 | ... | ... | ... | ...
|
||||
|
||||
There are 20 more TTP items available. Please use our online service to access the data.
|
||||
There are 22 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -68,21 +68,21 @@ ID | Type | Indicator | Confidence
|
|||
4 | File | `/admin.php/vod/admin/topic/del` | High
|
||||
5 | File | `/admin/conferences/list/` | High
|
||||
6 | File | `/admin/deluser.php` | High
|
||||
7 | File | `/admin/edit.php` | High
|
||||
8 | File | `/admin/edit_admin_details.php?id=admin` | High
|
||||
9 | File | `/admin/googleads.php` | High
|
||||
10 | File | `/admin/new-content` | High
|
||||
11 | File | `/admin/operations/tax.php` | High
|
||||
12 | File | `/admin/payment.php` | High
|
||||
13 | File | `/admin/scheprofile.cgi` | High
|
||||
14 | File | `/admin/weixin.php` | High
|
||||
15 | File | `/apps/acs-commons/content/page-compare.html` | High
|
||||
16 | File | `/base/SysEveMenuAuthPointMapper.xml` | High
|
||||
17 | File | `/bcms/admin/courts/manage_court.php` | High
|
||||
18 | File | `/bcms/classes/Master.php?f=save_court_rental` | High
|
||||
19 | File | `/car-rental-management-system/admin/manage_booking.php` | High
|
||||
20 | File | `/catcompany.php` | High
|
||||
21 | File | `/cgi-bin/kerbynet` | High
|
||||
7 | File | `/admin/edit_admin_details.php?id=admin` | High
|
||||
8 | File | `/admin/googleads.php` | High
|
||||
9 | File | `/admin/operations/tax.php` | High
|
||||
10 | File | `/admin/payment.php` | High
|
||||
11 | File | `/admin/scheprofile.cgi` | High
|
||||
12 | File | `/admin/vca/license/license_tok.cgi` | High
|
||||
13 | File | `/AJAX/ajaxget` | High
|
||||
14 | File | `/base/SysEveMenuAuthPointMapper.xml` | High
|
||||
15 | File | `/bcms/admin/courts/manage_court.php` | High
|
||||
16 | File | `/bcms/classes/Master.php?f=save_court_rental` | High
|
||||
17 | File | `/car-rental-management-system/admin/manage_booking.php` | High
|
||||
18 | File | `/catcompany.php` | High
|
||||
19 | File | `/cgi-bin/kerbynet` | High
|
||||
20 | File | `/cgi-bin/readfile.tcl` | High
|
||||
21 | File | `/cgi-bin/touchlist_sync.cgi` | High
|
||||
22 | File | `/classes/Users.php?f=save` | High
|
||||
23 | File | `/cms/classes/Master.php?f=delete_client` | High
|
||||
24 | File | `/config` | Low
|
||||
|
@ -94,10 +94,10 @@ ID | Type | Indicator | Confidence
|
|||
30 | File | `/goform/setNetworkLan` | High
|
||||
31 | File | `/goform/SetSysTimeCfg` | High
|
||||
32 | File | `/html/Solar_Ftp.php` | High
|
||||
33 | File | `/lists/admin/` | High
|
||||
33 | File | `/isms/admin/stocks/view_stock.php` | High
|
||||
34 | ... | ... | ...
|
||||
|
||||
There are 287 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 286 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -29,7 +29,7 @@ ID | IP address | Hostname | Campaign | Confidence
|
|||
6 | [23.6.70.227](https://vuldb.com/?ip.23.6.70.227) | a23-6-70-227.deploy.static.akamaitechnologies.com | - | High
|
||||
7 | ... | ... | ... | ...
|
||||
|
||||
There are 22 more IOC items available. Please use our online service to access the data.
|
||||
There are 23 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
@ -37,12 +37,13 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
1 | T1006 | CWE-22, CWE-23 | Pathname Traversal | High
|
||||
2 | T1055 | CWE-74 | Injection | High
|
||||
3 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
4 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 5 more TTP items available. Please use our online service to access the data.
|
||||
There are 15 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -50,17 +51,21 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/admin/sysmon.php` | High
|
||||
2 | File | `/api/content/posts/comments` | High
|
||||
3 | File | `/example/editor` | High
|
||||
4 | File | `/Home/GetAttachment` | High
|
||||
5 | File | `/members/view_member.php` | High
|
||||
6 | File | `/modules/projects/vw_files.php` | High
|
||||
7 | File | `/var/log/demisto/` | High
|
||||
8 | File | `admin/limits.php` | High
|
||||
9 | ... | ... | ...
|
||||
1 | File | `/admin.php/pic/admin/type/pl_save` | High
|
||||
2 | File | `/admin/sysmon.php` | High
|
||||
3 | File | `/api/content/posts/comments` | High
|
||||
4 | File | `/churchcrm/WhyCameEditor.php` | High
|
||||
5 | File | `/example/editor` | High
|
||||
6 | File | `/goform/aspForm` | High
|
||||
7 | File | `/Home/GetAttachment` | High
|
||||
8 | File | `/index.php?page=search/rentals` | High
|
||||
9 | File | `/members/view_member.php` | High
|
||||
10 | File | `/mgmt/tm/util/bash` | High
|
||||
11 | File | `/modules/projects/vw_files.php` | High
|
||||
12 | File | `/spip.php` | Medium
|
||||
13 | ... | ... | ...
|
||||
|
||||
There are 62 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 97 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
@ -68,6 +73,7 @@ The following list contains _external sources_ which discuss the actor and the a
|
|||
|
||||
* https://blog.talosintelligence.com/2019/08/threat-roundup-0726-0802.html
|
||||
* https://blog.talosintelligence.com/2022/03/threat-roundup-0304-0311.html
|
||||
* https://blog.talosintelligence.com/2022/07/threat-roundup-0701-0708.html
|
||||
|
||||
## Literature
|
||||
|
||||
|
|
|
@ -8,9 +8,12 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
|
|||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Miori:
|
||||
|
||||
* [DE](https://vuldb.com/?country.de)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [KR](https://vuldb.com/?country.kr)
|
||||
* [DE](https://vuldb.com/?country.de)
|
||||
* [RU](https://vuldb.com/?country.ru)
|
||||
* ...
|
||||
|
||||
There are 6 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -20,6 +23,7 @@ ID | IP address | Hostname | Campaign | Confidence
|
|||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [94.177.226.227](https://vuldb.com/?ip.94.177.226.227) | host227-226-177-94.static.arubacloud.de | - | High
|
||||
2 | [144.202.49.126](https://vuldb.com/?ip.144.202.49.126) | 144.202.49.126.vultrusercontent.com | - | High
|
||||
3 | [179.43.156.214](https://vuldb.com/?ip.179.43.156.214) | xoc.ch | - | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
@ -27,8 +31,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-284 | Execution with Unnecessary Privileges | High
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
3 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 6 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -36,14 +44,19 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `Advanced_ASUSDDNS_Content.asp` | High
|
||||
2 | File | `data/gbconfiguration.dat` | High
|
||||
1 | File | `.procmailrc` | Medium
|
||||
2 | File | `/debian/patches/load_ppp_generic_if_needed` | High
|
||||
3 | File | `/etc/fstab` | Medium
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 17 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://blog.trendmicro.com/trendlabs-security-intelligence/with-mirai-comes-miori-iot-botnet-delivered-via-thinkphp-remote-code-execution-exploit/
|
||||
* https://twitter.com/albooboo_ioc/status/1548226322219945984
|
||||
|
||||
## Literature
|
||||
|
||||
|
|
|
@ -0,0 +1,65 @@
|
|||
# Mushtik - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Mushtik](https://vuldb.com/?actor.mushtik). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.mushtik](https://vuldb.com/?actor.mushtik)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Mushtik:
|
||||
|
||||
* [TT](https://vuldb.com/?country.tt)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Mushtik.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [18.228.7.109](https://vuldb.com/?ip.18.228.7.109) | ec2-18-228-7-109.sa-east-1.compute.amazonaws.com | - | Medium
|
||||
2 | [138.197.206.223](https://vuldb.com/?ip.138.197.206.223) | - | - | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Mushtik_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
|
||||
2 | T1202 | CWE-78 | Command Injection | High
|
||||
3 | T1222 | CWE-275 | Permission Issues | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 2 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Mushtik. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `admin-ajax.php` | High
|
||||
2 | File | `launchd` | Low
|
||||
3 | Argument | `cookie` | Low
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 1 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://blogs.infoblox.com/cyber-threat-intelligence/cyber-campaign-briefs/log4j-indicators-of-compromise-to-date/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -90,7 +90,7 @@ ID | Type | Indicator | Confidence
|
|||
17 | File | `/uploads/dede` | High
|
||||
18 | ... | ... | ...
|
||||
|
||||
There are 148 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 149 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -35,12 +35,14 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
|
||||
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
6 | ... | ... | ... | ...
|
||||
|
||||
There are 6 more TTP items available. Please use our online service to access the data.
|
||||
There are 19 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -89,9 +91,10 @@ ID | Type | Indicator | Confidence
|
|||
39 | File | `admin/change-password.php` | High
|
||||
40 | File | `admin/index.php` | High
|
||||
41 | File | `admin/killsource` | High
|
||||
42 | ... | ... | ...
|
||||
42 | File | `admin/scripts/FileUploader/php.php` | High
|
||||
43 | ... | ... | ...
|
||||
|
||||
There are 367 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 370 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -21,7 +21,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
* [CN](https://vuldb.com/?country.cn)
|
||||
* ...
|
||||
|
||||
There are 11 more country items available. Please use our online service to access the data.
|
||||
There are 16 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -37,9 +37,11 @@ ID | IP address | Hostname | Campaign | Confidence
|
|||
6 | [18.217.13.50](https://vuldb.com/?ip.18.217.13.50) | ec2-18-217-13-50.us-east-2.compute.amazonaws.com | Pegasus | Medium
|
||||
7 | [18.225.12.72](https://vuldb.com/?ip.18.225.12.72) | ec2-18-225-12-72.us-east-2.compute.amazonaws.com | Pegasus | Medium
|
||||
8 | [23.239.16.143](https://vuldb.com/?ip.23.239.16.143) | li685-143.members.linode.com | Pegasus | High
|
||||
9 | ... | ... | ... | ...
|
||||
9 | [45.32.105.249](https://vuldb.com/?ip.45.32.105.249) | 45.32.105.249.vultrusercontent.com | Pegasus | High
|
||||
10 | [45.60.241.11](https://vuldb.com/?ip.45.60.241.11) | - | - | High
|
||||
11 | ... | ... | ... | ...
|
||||
|
||||
There are 31 more IOC items available. Please use our online service to access the data.
|
||||
There are 42 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
@ -47,12 +49,14 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
|
||||
2 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
3 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
4 | ... | ... | ... | ...
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
|
||||
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
6 | ... | ... | ... | ...
|
||||
|
||||
There are 8 more TTP items available. Please use our online service to access the data.
|
||||
There are 20 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -60,29 +64,41 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/admin/info.php` | High
|
||||
2 | File | `/cgi?` | Low
|
||||
3 | File | `/etc/controller-agent/agent.conf` | High
|
||||
4 | File | `/forms/web_importTFTP` | High
|
||||
5 | File | `/forum/away.php` | High
|
||||
6 | File | `/graphql` | Medium
|
||||
7 | File | `/jeecg-boot/jmreport/view` | High
|
||||
8 | File | `/localhost/u` | Medium
|
||||
9 | File | `/out.php` | Medium
|
||||
10 | File | `/PluXml/core/admin/parametres_edittpl.php` | High
|
||||
11 | File | `/public_html/admin/plugins/bad_behavior2/blacklist.php` | High
|
||||
12 | File | `/rom-0` | Low
|
||||
13 | File | `/root/run/adm.php?admin-ediy&part=exdiy` | High
|
||||
14 | File | `/v2/devices/add` | High
|
||||
15 | File | `/var/ipfire/backup/bin/backup.pl` | High
|
||||
16 | File | `/wp-json/wc/v3/webhooks` | High
|
||||
17 | File | `accounts/view_details.php` | High
|
||||
18 | File | `adclick.php` | Medium
|
||||
19 | File | `AddEvent.php` | Medium
|
||||
20 | File | `admin.php` | Medium
|
||||
21 | ... | ... | ...
|
||||
1 | File | `/admin.php` | Medium
|
||||
2 | File | `/admin/info.php` | High
|
||||
3 | File | `/cfg` | Low
|
||||
4 | File | `/cgi?` | Low
|
||||
5 | File | `/etc/controller-agent/agent.conf` | High
|
||||
6 | File | `/forms/web_importTFTP` | High
|
||||
7 | File | `/forum/away.php` | High
|
||||
8 | File | `/graphql` | Medium
|
||||
9 | File | `/jeecg-boot/jmreport/view` | High
|
||||
10 | File | `/localhost/u` | Medium
|
||||
11 | File | `/net` | Low
|
||||
12 | File | `/opt/bin/cli` | Medium
|
||||
13 | File | `/out.php` | Medium
|
||||
14 | File | `/PluXml/core/admin/parametres_edittpl.php` | High
|
||||
15 | File | `/public/plugins/` | High
|
||||
16 | File | `/public_html/admin/plugins/bad_behavior2/blacklist.php` | High
|
||||
17 | File | `/rom-0` | Low
|
||||
18 | File | `/root/run/adm.php?admin-ediy&part=exdiy` | High
|
||||
19 | File | `/uncpath/` | Medium
|
||||
20 | File | `/v2/devices/add` | High
|
||||
21 | File | `/var/ipfire/backup/bin/backup.pl` | High
|
||||
22 | File | `/wp-json/wc/v3/webhooks` | High
|
||||
23 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
24 | File | `accounts/view_details.php` | High
|
||||
25 | File | `adclick.php` | Medium
|
||||
26 | File | `AddEvent.php` | Medium
|
||||
27 | File | `admin.jcomments.php` | High
|
||||
28 | File | `admin.php` | Medium
|
||||
29 | File | `admin/admin_process.php` | High
|
||||
30 | File | `admin/conf_users_edit.php` | High
|
||||
31 | File | `admin/index.php` | High
|
||||
32 | File | `admin/scripts/FileUploader/php.php` | High
|
||||
33 | ... | ... | ...
|
||||
|
||||
There are 176 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 282 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
@ -91,6 +107,7 @@ The following list contains _external sources_ which discuss the actor and the a
|
|||
* https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
|
||||
* https://citizenlab.ca/2018/07/nso-spyware-targeting-amnesty-international/
|
||||
* https://citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/
|
||||
* https://citizenlab.ca/2022/07/geckospy-pegasus-spyware-used-against-thailands-pro-democracy-movement/
|
||||
* https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/
|
||||
* https://www.nsogroup.com
|
||||
|
||||
|
|
|
@ -50,7 +50,7 @@ ID | Technique | Weakness | Description | Confidence
|
|||
3 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 12 more TTP items available. Please use our online service to access the data.
|
||||
There are 13 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
|
|
@ -12,15 +12,16 @@ ID | IP address | Hostname | Campaign | Confidence
|
|||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [41.77.114.188](https://vuldb.com/?ip.41.77.114.188) | - | - | High
|
||||
2 | [67.212.169.38](https://vuldb.com/?ip.67.212.169.38) | 38.169.212.67.unassigned.ord.singlehop.net | - | High
|
||||
3 | [96.127.159.150](https://vuldb.com/?ip.96.127.159.150) | 190203 | - | High
|
||||
3 | [87.107.133.83](https://vuldb.com/?ip.87.107.133.83) | - | - | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 7 more IOC items available. Please use our online service to access the data.
|
||||
There are 8 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://blog.malwarebytes.com/threat-analysis/2015/04/a-history-lesson-brought-to-you-by-the-nuclear-exploit-kit/
|
||||
* https://blog.talosintelligence.com/2015/06/domain-shadowing-goes-nuclear-story-in.html
|
||||
* https://isc.sans.edu/forums/diary/Nuclear+EK+traffic+patterns+in+August+2015/20001/
|
||||
|
||||
|
|
|
@ -35,12 +35,13 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 5 more TTP items available. Please use our online service to access the data.
|
||||
There are 14 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -65,7 +66,7 @@ ID | Type | Indicator | Confidence
|
|||
15 | File | `/uncpath/` | Medium
|
||||
16 | ... | ... | ...
|
||||
|
||||
There are 128 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 131 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -34,12 +34,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1495 | CWE-494 | Download of Code Without Integrity Check | High
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1055 | CWE-74 | Injection | High
|
||||
3 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 2 more TTP items available. Please use our online service to access the data.
|
||||
There are 11 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -55,7 +55,7 @@ ID | Type | Indicator | Confidence
|
|||
6 | File | `customoid.inc.php` | High
|
||||
7 | ... | ... | ...
|
||||
|
||||
There are 48 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 49 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -16,7 +16,16 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
|
|||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [194.5.98.139](https://vuldb.com/?ip.194.5.98.139) | - | - | High
|
||||
1 | [85.202.169.178](https://vuldb.com/?ip.85.202.169.178) | - | - | High
|
||||
2 | [194.5.98.139](https://vuldb.com/?ip.194.5.98.139) | - | - | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _OrcusRAT_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1505 | CWE-89 | SQL Injection | High
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -26,16 +35,17 @@ ID | Type | Indicator | Confidence
|
|||
-- | ---- | --------- | ----------
|
||||
1 | File | `dede\co_do.php` | High
|
||||
2 | File | `Dynamiccontenttags.php` | High
|
||||
3 | Argument | `ids` | Low
|
||||
3 | File | `index.php` | Medium
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 2 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 4 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://blog.morphisec.com/new-campaign-delivering-orcus-rat
|
||||
* https://github.com/executemalware/Malware-IOCs/blob/main/2022-02-22%20Orcus%20RAT%20IOCs
|
||||
|
||||
## Literature
|
||||
|
||||
|
|
|
@ -4,6 +4,12 @@ These _indicators_ were reported, collected, and generated during the [VulDB CTI
|
|||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.oski](https://vuldb.com/?actor.oski)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Oski:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Oski.
|
||||
|
@ -12,6 +18,15 @@ ID | IP address | Hostname | Campaign | Confidence
|
|||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [2.56.57.108](https://vuldb.com/?ip.2.56.57.108) | - | - | High
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Oski. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | Argument | `command` | Low
|
||||
2 | Network Port | `3097` | Low
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
|
|
@ -9,8 +9,11 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
|
|||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with PYSA:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [DE](https://vuldb.com/?country.de)
|
||||
* [JP](https://vuldb.com/?country.jp)
|
||||
* [PT](https://vuldb.com/?country.pt)
|
||||
* [FR](https://vuldb.com/?country.fr)
|
||||
* ...
|
||||
|
||||
There are 8 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -38,7 +41,7 @@ ID | Technique | Weakness | Description | Confidence
|
|||
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
6 | ... | ... | ... | ...
|
||||
|
||||
There are 22 more TTP items available. Please use our online service to access the data.
|
||||
There are 21 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -47,43 +50,40 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `//proc/kcore` | Medium
|
||||
2 | File | `/acms/admin/cargo_types/view_cargo_type.php` | High
|
||||
3 | File | `/acms/classes/Master.php?f=delete_img` | High
|
||||
4 | File | `/admin/?page=system_info/contact_info` | High
|
||||
5 | File | `/admin/featured.php` | High
|
||||
6 | File | `/ajax/config_rollback/` | High
|
||||
7 | File | `/Ap4RtpAtom.cpp` | High
|
||||
8 | File | `/api/part_categories` | High
|
||||
9 | File | `/auditLogAction.do` | High
|
||||
10 | File | `/base/SysEveMenuAuthPointMapper.xml` | High
|
||||
11 | File | `/cgi-bin` | Medium
|
||||
12 | File | `/cgi-bin/webproc` | High
|
||||
13 | File | `/churchcrm/WhyCameEditor.php` | High
|
||||
14 | File | `/cms/admin/?page=client/view_client` | High
|
||||
15 | File | `/cms/admin/?page=invoice/view_invoice` | High
|
||||
16 | File | `/College_Management_System/admin/display-teacher.php` | High
|
||||
17 | File | `/ctpms/admin/?page=individuals/view_individual` | High
|
||||
18 | File | `/ctpms/admin/applications/update_status.php` | High
|
||||
19 | File | `/ctpms/admin/individuals/update_status.php` | High
|
||||
20 | File | `/ctpms/classes/Master.php?f=delete_img` | High
|
||||
21 | File | `/dms/admin/reports/daily_collection_report.php` | High
|
||||
22 | File | `/etc/cron.daily/upstart` | High
|
||||
23 | File | `/fuel/sitevariables/delete/4` | High
|
||||
24 | File | `/goform/aspForm` | High
|
||||
25 | File | `/IISADMPWD` | Medium
|
||||
26 | File | `/index.php?page=reserve` | High
|
||||
27 | File | `/Items/*/RemoteImages/Download` | High
|
||||
28 | File | `/job` | Low
|
||||
29 | File | `/linkedcontent/editfolder.php` | High
|
||||
30 | File | `/mdiy/dict/listExcludeApp` | High
|
||||
31 | File | `/mgmt/tm/util/bash` | High
|
||||
32 | File | `/ofrs/admin/?page=reports` | High
|
||||
33 | File | `/PC/WebService.asmx` | High
|
||||
34 | File | `/pms/admin/actions/view_action.php` | High
|
||||
35 | File | `/pms/admin/cells/manage_cell.php` | High
|
||||
36 | ... | ... | ...
|
||||
2 | File | `/admin/?page=system_info/contact_info` | High
|
||||
3 | File | `/admin/featured.php` | High
|
||||
4 | File | `/ajax/config_rollback/` | High
|
||||
5 | File | `/Ap4RtpAtom.cpp` | High
|
||||
6 | File | `/api/part_categories` | High
|
||||
7 | File | `/auditLogAction.do` | High
|
||||
8 | File | `/cgi-bin` | Medium
|
||||
9 | File | `/cgi-bin/webproc` | High
|
||||
10 | File | `/churchcrm/WhyCameEditor.php` | High
|
||||
11 | File | `/ci_spms/admin/category` | High
|
||||
12 | File | `/dashboard/menu-list.php` | High
|
||||
13 | File | `/dms/admin/reports/daily_collection_report.php` | High
|
||||
14 | File | `/editbrand.php` | High
|
||||
15 | File | `/etc/cron.daily/upstart` | High
|
||||
16 | File | `/etc/lighttpd.d/ca.pem` | High
|
||||
17 | File | `/fuel/sitevariables/delete/4` | High
|
||||
18 | File | `/goform/aspForm` | High
|
||||
19 | File | `/goform/WanParameterSetting` | High
|
||||
20 | File | `/IISADMPWD` | Medium
|
||||
21 | File | `/index.php?page=search/rentals` | High
|
||||
22 | File | `/Items/*/RemoteImages/Download` | High
|
||||
23 | File | `/job` | Low
|
||||
24 | File | `/linkedcontent/editfolder.php` | High
|
||||
25 | File | `/mgmt/tm/util/bash` | High
|
||||
26 | File | `/mhds/clinic/view_details.php` | High
|
||||
27 | File | `/officials/officials.php` | High
|
||||
28 | File | `/ofrs/admin/?page=reports` | High
|
||||
29 | File | `/PC/WebService.asmx` | High
|
||||
30 | File | `/pms/admin/actions/view_action.php` | High
|
||||
31 | File | `/pms/admin/cells/manage_cell.php` | High
|
||||
32 | File | `/pms/admin/inmates/manage_inmate.php` | High
|
||||
33 | ... | ... | ...
|
||||
|
||||
There are 309 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 284 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -20,7 +20,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
* [RU](https://vuldb.com/?country.ru)
|
||||
* ...
|
||||
|
||||
There are 32 more country items available. Please use our online service to access the data.
|
||||
There are 33 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -107,12 +107,14 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-250, CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-24 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
|
||||
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
6 | ... | ... | ... | ...
|
||||
|
||||
There are 9 more TTP items available. Please use our online service to access the data.
|
||||
There are 21 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -125,52 +127,51 @@ ID | Type | Indicator | Confidence
|
|||
3 | File | `/admin/default.asp` | High
|
||||
4 | File | `/admin/index.php` | High
|
||||
5 | File | `/ajax/networking/get_netcfg.php` | High
|
||||
6 | File | `/apply_noauth.cgi` | High
|
||||
7 | File | `/cgi-bin/wapopen` | High
|
||||
8 | File | `/cms/print.php` | High
|
||||
9 | File | `/concat?/%2557EB-INF/web.xml` | High
|
||||
10 | File | `/Content/Template/root/reverse-shell.aspx` | High
|
||||
11 | File | `/data/remove` | Medium
|
||||
12 | File | `/goforms/rlminfo` | High
|
||||
13 | File | `/htdocs/cgibin` | High
|
||||
14 | File | `/login` | Low
|
||||
15 | File | `/navigate/navigate_download.php` | High
|
||||
16 | File | `/ocwbs/admin/?page=user/manage_user` | High
|
||||
17 | File | `/ofrs/admin/?page=user/manage_user` | High
|
||||
18 | File | `/owa/auth/logon.aspx` | High
|
||||
19 | File | `/password.html` | High
|
||||
20 | File | `/proc/ioports` | High
|
||||
21 | File | `/property-list/property_view.php` | High
|
||||
22 | File | `/ptms/classes/Users.php` | High
|
||||
23 | File | `/rest/api/2/search` | High
|
||||
24 | File | `/s/` | Low
|
||||
25 | File | `/scripts/cpan_config` | High
|
||||
26 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
27 | File | `/services/system/setup.json` | High
|
||||
28 | File | `/uncpath/` | Medium
|
||||
29 | File | `/videotalk` | Medium
|
||||
30 | File | `/vloggers_merch/?p=view_product` | High
|
||||
31 | File | `/web/MCmsAction.java` | High
|
||||
32 | File | `/webconsole/APIController` | High
|
||||
33 | File | `/websocket/exec` | High
|
||||
34 | File | `/wp-admin/admin-ajax.php` | High
|
||||
35 | File | `/wp-content/plugins/woocommerce/templates/emails/plain/` | High
|
||||
36 | File | `/wp-json` | Medium
|
||||
37 | File | `/wp-json/oembed/1.0/embed?url` | High
|
||||
38 | File | `/_next` | Low
|
||||
39 | File | `4.edu.php\conn\function.php` | High
|
||||
40 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
41 | File | `about.php` | Medium
|
||||
42 | File | `acl.c` | Low
|
||||
43 | File | `activity_log.php` | High
|
||||
44 | File | `addentry.php` | Medium
|
||||
45 | File | `add_vhost.php` | High
|
||||
46 | File | `admin/admin_admin.php?nav=list_admin_user&admin_p_nav=user` | High
|
||||
47 | File | `admin/category.inc.php` | High
|
||||
48 | File | `admin/conf_users_edit.php` | High
|
||||
49 | ... | ... | ...
|
||||
6 | File | `/app/options.py` | High
|
||||
7 | File | `/apply_noauth.cgi` | High
|
||||
8 | File | `/cgi-bin/wapopen` | High
|
||||
9 | File | `/ci_spms/admin/category` | High
|
||||
10 | File | `/ci_spms/admin/search/searching/` | High
|
||||
11 | File | `/classes/Master.php?f=delete_train` | High
|
||||
12 | File | `/cms/print.php` | High
|
||||
13 | File | `/concat?/%2557EB-INF/web.xml` | High
|
||||
14 | File | `/Content/Template/root/reverse-shell.aspx` | High
|
||||
15 | File | `/dashboard/menu-list.php` | High
|
||||
16 | File | `/data/remove` | Medium
|
||||
17 | File | `/ffos/classes/Master.php?f=save_category` | High
|
||||
18 | File | `/goforms/rlminfo` | High
|
||||
19 | File | `/htdocs/cgibin` | High
|
||||
20 | File | `/login` | Low
|
||||
21 | File | `/navigate/navigate_download.php` | High
|
||||
22 | File | `/ocwbs/admin/?page=user/manage_user` | High
|
||||
23 | File | `/ofrs/admin/?page=user/manage_user` | High
|
||||
24 | File | `/owa/auth/logon.aspx` | High
|
||||
25 | File | `/password.html` | High
|
||||
26 | File | `/proc/ioports` | High
|
||||
27 | File | `/property-list/property_view.php` | High
|
||||
28 | File | `/ptms/classes/Users.php` | High
|
||||
29 | File | `/rest/api/2/search` | High
|
||||
30 | File | `/s/` | Low
|
||||
31 | File | `/scripts/cpan_config` | High
|
||||
32 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
33 | File | `/services/system/setup.json` | High
|
||||
34 | File | `/spip.php` | Medium
|
||||
35 | File | `/uncpath/` | Medium
|
||||
36 | File | `/vloggers_merch/?p=view_product` | High
|
||||
37 | File | `/web/MCmsAction.java` | High
|
||||
38 | File | `/webconsole/APIController` | High
|
||||
39 | File | `/websocket/exec` | High
|
||||
40 | File | `/wp-admin/admin-ajax.php` | High
|
||||
41 | File | `/wp-content/plugins/woocommerce/templates/emails/plain/` | High
|
||||
42 | File | `/wp-json` | Medium
|
||||
43 | File | `/wp-json/oembed/1.0/embed?url` | High
|
||||
44 | File | `/_next` | Low
|
||||
45 | File | `4.edu.php\conn\function.php` | High
|
||||
46 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
47 | File | `about.php` | Medium
|
||||
48 | ... | ... | ...
|
||||
|
||||
There are 422 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 420 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -92,7 +92,7 @@ ID | Type | Indicator | Confidence
|
|||
9 | File | `admin/conf_users_edit.php` | High
|
||||
10 | ... | ... | ...
|
||||
|
||||
There are 77 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 78 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -37,12 +37,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
2 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
3 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 2 more TTP items available. Please use our online service to access the data.
|
||||
There are 6 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
|
|
@ -30,8 +30,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
|
||||
1 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
2 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
3 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 2 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
|
|
@ -19,7 +19,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
* [RU](https://vuldb.com/?country.ru)
|
||||
* ...
|
||||
|
||||
There are 9 more country items available. Please use our online service to access the data.
|
||||
There are 11 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -46,7 +46,7 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-24 | Pathname Traversal | High
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
|
@ -61,27 +61,30 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/.ssh/authorized_keys2` | High
|
||||
2 | File | `/AgilePointServer/Extension/FetchUsingEncodedData` | High
|
||||
1 | File | `.encfs6.xml` | Medium
|
||||
2 | File | `.python-version` | High
|
||||
3 | File | `/ajax/remove_sniffer_raw_log/` | High
|
||||
4 | File | `/api/sys_username_passwd.cmd` | High
|
||||
5 | File | `/app/options.py` | High
|
||||
6 | File | `/auth/callback` | High
|
||||
7 | File | `/bin/posix/src/ports/POSIX/OpENer` | High
|
||||
8 | File | `/cgi-bin/nobody` | High
|
||||
9 | File | `/ci_spms/admin/category` | High
|
||||
10 | File | `/ci_spms/admin/search/searching/` | High
|
||||
11 | File | `/conf/` | Low
|
||||
12 | File | `/dashboard/menu-list.php` | High
|
||||
13 | File | `/dashboard/profile.php` | High
|
||||
14 | File | `/dashboard/table-list.php` | High
|
||||
15 | File | `/dev/pts/` | Medium
|
||||
16 | File | `/etc/lighttpd.d/ca.pem` | High
|
||||
17 | File | `/etc/passwd` | Medium
|
||||
18 | File | `/etc/shadow` | Medium
|
||||
19 | ... | ... | ...
|
||||
5 | File | `/auth/callback` | High
|
||||
6 | File | `/bin/posix/src/ports/POSIX/OpENer` | High
|
||||
7 | File | `/bmis/pages/resident/resident.php` | High
|
||||
8 | File | `/cgi-bin/mesh.cgi?page=upgrade` | High
|
||||
9 | File | `/cgi-bin/nightled.cgi` | High
|
||||
10 | File | `/cgi-bin/nobody` | High
|
||||
11 | File | `/ci_spms/admin/category` | High
|
||||
12 | File | `/ci_spms/admin/search/searching/` | High
|
||||
13 | File | `/conf/` | Low
|
||||
14 | File | `/dashboard/menu-list.php` | High
|
||||
15 | File | `/dashboard/profile.php` | High
|
||||
16 | File | `/dashboard/table-list.php` | High
|
||||
17 | File | `/dev/pts/` | Medium
|
||||
18 | File | `/doping.asp` | Medium
|
||||
19 | File | `/dotrace.asp` | Medium
|
||||
20 | File | `/editbrand.php` | High
|
||||
21 | File | `/etc/lighttpd.d/ca.pem` | High
|
||||
22 | ... | ... | ...
|
||||
|
||||
There are 153 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 180 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
* [ES](https://vuldb.com/?country.es)
|
||||
* ...
|
||||
|
||||
There are 20 more country items available. Please use our online service to access the data.
|
||||
There are 21 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -45,12 +45,14 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
|
||||
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
6 | ... | ... | ... | ...
|
||||
|
||||
There are 7 more TTP items available. Please use our online service to access the data.
|
||||
There are 20 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -80,42 +82,41 @@ ID | Type | Indicator | Confidence
|
|||
20 | File | `/modules/tasks/summary.inc.php` | High
|
||||
21 | File | `/monitoring` | Medium
|
||||
22 | File | `/nova/bin/console` | High
|
||||
23 | File | `/payu/icpcheckout/` | High
|
||||
24 | File | `/property-list/property_view.php` | High
|
||||
25 | File | `/public/login.htm` | High
|
||||
26 | File | `/req_password_user.php` | High
|
||||
27 | File | `/resourceNode/jdbcResourceEdit.jsf` | High
|
||||
28 | File | `/resourceNode/resources.jsf` | High
|
||||
29 | File | `/rest/project-templates/1.0/createshared` | High
|
||||
30 | File | `/rom-0` | Low
|
||||
31 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
32 | File | `/trx_addons/v2/get/sc_layout` | High
|
||||
33 | File | `/uncpath/` | Medium
|
||||
34 | File | `/usr/local/WowzaStreamingEngine/bin/` | High
|
||||
35 | File | `/usr/syno/etc/mount.conf` | High
|
||||
36 | File | `/var/log/nginx` | High
|
||||
23 | File | `/out.php` | Medium
|
||||
24 | File | `/payu/icpcheckout/` | High
|
||||
25 | File | `/property-list/property_view.php` | High
|
||||
26 | File | `/public/login.htm` | High
|
||||
27 | File | `/req_password_user.php` | High
|
||||
28 | File | `/resourceNode/jdbcResourceEdit.jsf` | High
|
||||
29 | File | `/resourceNode/resources.jsf` | High
|
||||
30 | File | `/rest/project-templates/1.0/createshared` | High
|
||||
31 | File | `/rom-0` | Low
|
||||
32 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
33 | File | `/trx_addons/v2/get/sc_layout` | High
|
||||
34 | File | `/uncpath/` | Medium
|
||||
35 | File | `/usr/local/WowzaStreamingEngine/bin/` | High
|
||||
36 | File | `/usr/syno/etc/mount.conf` | High
|
||||
37 | File | `/var/WEB-GUI/cgi-bin/telnet.cgi` | High
|
||||
38 | File | `/WEB-INF/web.xml` | High
|
||||
39 | File | `/_next` | Low
|
||||
40 | File | `3.6.cpj` | Low
|
||||
41 | File | `404.php` | Low
|
||||
42 | File | `a-b-membres.php` | High
|
||||
43 | File | `ActionsAndOperations` | High
|
||||
44 | File | `adclick.php` | Medium
|
||||
45 | File | `add_2_basket.asp` | High
|
||||
46 | File | `admin.asp` | Medium
|
||||
47 | File | `admin.aspx` | Medium
|
||||
48 | File | `admin.php` | Medium
|
||||
49 | File | `admin/aboutus.php` | High
|
||||
50 | File | `admin/member_details.php` | High
|
||||
51 | File | `admin_chatconfig.php` | High
|
||||
52 | File | `ajaxp.php` | Medium
|
||||
53 | File | `ajax_calls.php` | High
|
||||
54 | File | `alphabet.php` | Medium
|
||||
55 | File | `article2/comments.inc.php` | High
|
||||
56 | ... | ... | ...
|
||||
43 | File | `acropora/crypto/asn1_common.c` | High
|
||||
44 | File | `ActionsAndOperations` | High
|
||||
45 | File | `adclick.php` | Medium
|
||||
46 | File | `add_2_basket.asp` | High
|
||||
47 | File | `admin.asp` | Medium
|
||||
48 | File | `admin.aspx` | Medium
|
||||
49 | File | `admin.php` | Medium
|
||||
50 | File | `admin/aboutus.php` | High
|
||||
51 | File | `admin/member_details.php` | High
|
||||
52 | File | `admin_chatconfig.php` | High
|
||||
53 | File | `ajaxp.php` | Medium
|
||||
54 | File | `ajax_calls.php` | High
|
||||
55 | ... | ... | ...
|
||||
|
||||
There are 491 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 476 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -1092,12 +1092,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-24 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
2 | T1055 | CWE-74 | Injection | High
|
||||
3 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
4 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 18 more TTP items available. Please use our online service to access the data.
|
||||
There are 17 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -1106,51 +1106,50 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `.htaccess` | Medium
|
||||
2 | File | `/#/CampaignManager/users` | High
|
||||
3 | File | `/admin/conferences/list/` | High
|
||||
4 | File | `/admin/dl_sendmail.php` | High
|
||||
5 | File | `/admin/edit_admin_details.php?id=admin` | High
|
||||
6 | File | `/admin/generalsettings.php` | High
|
||||
7 | File | `/admin/payment.php` | High
|
||||
8 | File | `/admin/reports.php` | High
|
||||
9 | File | `/admin_page/all-files-update-ajax.php` | High
|
||||
10 | File | `/cgi-bin/kerbynet` | High
|
||||
11 | File | `/componetns/user/class.user.php` | High
|
||||
12 | File | `/debug/pprof` | Medium
|
||||
13 | File | `/dms/admin/reports/daily_collection_report.php` | High
|
||||
14 | File | `/forum/away.php` | High
|
||||
15 | File | `/gaia-job-admin/user/add` | High
|
||||
16 | File | `/HNAP1` | Low
|
||||
17 | File | `/info.cgi` | Medium
|
||||
18 | File | `/Items/*/RemoteImages/Download` | High
|
||||
19 | File | `/lists/admin/` | High
|
||||
20 | File | `/lists/index.php` | High
|
||||
21 | File | `/MagickCore/image.c` | High
|
||||
22 | File | `/mgmt/tm/util/bash` | High
|
||||
23 | File | `/owa/auth/logon.aspx` | High
|
||||
24 | File | `/p1/p2/:name` | Medium
|
||||
25 | File | `/public/launchNewWindow.jsp` | High
|
||||
26 | File | `/rdms/admin/?page=user/manage_user` | High
|
||||
27 | File | `/requests.php` | High
|
||||
28 | File | `/rest/api/latest/projectvalidate/key` | High
|
||||
29 | File | `/saml/login` | Medium
|
||||
30 | File | `/ScadaBR/login.htm` | High
|
||||
31 | File | `/ServletAPI/accounts/login` | High
|
||||
32 | File | `/spip.php` | Medium
|
||||
33 | File | `/TeleoptiWFM/Administration/GetOneTenant` | High
|
||||
34 | File | `/trx_addons/v2/get/sc_layout` | High
|
||||
35 | File | `/uncpath/` | Medium
|
||||
36 | File | `/upload` | Low
|
||||
37 | File | `/var/adm/btmp` | High
|
||||
38 | File | `/WEB-INF/web.xml` | High
|
||||
39 | File | `/Wedding-Management/package_detail.php` | High
|
||||
40 | File | `/wp-admin/admin-ajax.php` | High
|
||||
41 | File | `/wp-content/plugins/woocommerce/templates/emails/plain/` | High
|
||||
42 | File | `a2billing/customer/iridium_threed.php` | High
|
||||
43 | File | `account/login.php` | High
|
||||
44 | ... | ... | ...
|
||||
2 | File | `/admin/conferences/list/` | High
|
||||
3 | File | `/admin/dl_sendmail.php` | High
|
||||
4 | File | `/admin/edit_admin_details.php?id=admin` | High
|
||||
5 | File | `/admin/generalsettings.php` | High
|
||||
6 | File | `/admin/payment.php` | High
|
||||
7 | File | `/admin/reports.php` | High
|
||||
8 | File | `/admin_page/all-files-update-ajax.php` | High
|
||||
9 | File | `/cgi-bin/kerbynet` | High
|
||||
10 | File | `/componetns/user/class.user.php` | High
|
||||
11 | File | `/debug/pprof` | Medium
|
||||
12 | File | `/dms/admin/reports/daily_collection_report.php` | High
|
||||
13 | File | `/forum/away.php` | High
|
||||
14 | File | `/gaia-job-admin/user/add` | High
|
||||
15 | File | `/HNAP1` | Low
|
||||
16 | File | `/info.cgi` | Medium
|
||||
17 | File | `/Items/*/RemoteImages/Download` | High
|
||||
18 | File | `/lists/admin/` | High
|
||||
19 | File | `/lists/index.php` | High
|
||||
20 | File | `/MagickCore/image.c` | High
|
||||
21 | File | `/mgmt/tm/util/bash` | High
|
||||
22 | File | `/owa/auth/logon.aspx` | High
|
||||
23 | File | `/p1/p2/:name` | Medium
|
||||
24 | File | `/public/launchNewWindow.jsp` | High
|
||||
25 | File | `/rdms/admin/?page=user/manage_user` | High
|
||||
26 | File | `/requests.php` | High
|
||||
27 | File | `/rest/api/latest/projectvalidate/key` | High
|
||||
28 | File | `/saml/login` | Medium
|
||||
29 | File | `/ScadaBR/login.htm` | High
|
||||
30 | File | `/ServletAPI/accounts/login` | High
|
||||
31 | File | `/spip.php` | Medium
|
||||
32 | File | `/TeleoptiWFM/Administration/GetOneTenant` | High
|
||||
33 | File | `/trx_addons/v2/get/sc_layout` | High
|
||||
34 | File | `/uncpath/` | Medium
|
||||
35 | File | `/upload` | Low
|
||||
36 | File | `/var/adm/btmp` | High
|
||||
37 | File | `/WEB-INF/web.xml` | High
|
||||
38 | File | `/Wedding-Management/package_detail.php` | High
|
||||
39 | File | `/wp-admin/admin-ajax.php` | High
|
||||
40 | File | `/wp-content/plugins/woocommerce/templates/emails/plain/` | High
|
||||
41 | File | `a2billing/customer/iridium_threed.php` | High
|
||||
42 | File | `account/login.php` | High
|
||||
43 | ... | ... | ...
|
||||
|
||||
There are 385 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 374 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -19,7 +19,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
* [RU](https://vuldb.com/?country.ru)
|
||||
* ...
|
||||
|
||||
There are 8 more country items available. Please use our online service to access the data.
|
||||
There are 9 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -82,7 +82,7 @@ ID | Type | Indicator | Confidence
|
|||
19 | File | `admin.asp` | Medium
|
||||
20 | ... | ... | ...
|
||||
|
||||
There are 161 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 164 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -9,8 +9,8 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
|
|||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Raccoon Stealer:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [ES](https://vuldb.com/?country.es)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* [ES](https://vuldb.com/?country.es)
|
||||
* ...
|
||||
|
||||
There are 1 more country items available. Please use our online service to access the data.
|
||||
|
@ -54,26 +54,27 @@ ID | Type | Indicator | Confidence
|
|||
3 | File | `/admin/deluser.php` | High
|
||||
4 | File | `/admin/sign/out` | High
|
||||
5 | File | `/admin/web_config.php&` | High
|
||||
6 | File | `/apps/` | Low
|
||||
7 | File | `/bsms/?page=manage_account` | High
|
||||
8 | File | `/cmscp/ext/collect/fetch_url.do` | High
|
||||
9 | File | `/controllers/MgrDiagnosticTools.php` | High
|
||||
10 | File | `/convert/html` | High
|
||||
11 | File | `/course/api/upload/pic` | High
|
||||
12 | File | `/etc/init.d/S50dropbear.sh` | High
|
||||
13 | File | `/goform/rlmswitchr_process` | High
|
||||
14 | File | `/hocms/classes/Master.php?f=delete_phase` | High
|
||||
15 | File | `/hub/api/user` | High
|
||||
16 | File | `/modules/mindmap/index.php` | High
|
||||
17 | File | `/modules/tasks/summary.inc.php` | High
|
||||
18 | File | `/password.html` | High
|
||||
19 | File | `/pms/admin/inmates/manage_record.php` | High
|
||||
20 | File | `/pms/admin/prisons/manage_prison.php` | High
|
||||
21 | File | `/root/.keeper/` | High
|
||||
22 | File | `/rss.xml` | Medium
|
||||
23 | ... | ... | ...
|
||||
6 | File | `/app/options.py` | High
|
||||
7 | File | `/apps/` | Low
|
||||
8 | File | `/bsms/?page=manage_account` | High
|
||||
9 | File | `/cmscp/ext/collect/fetch_url.do` | High
|
||||
10 | File | `/controllers/MgrDiagnosticTools.php` | High
|
||||
11 | File | `/convert/html` | High
|
||||
12 | File | `/course/api/upload/pic` | High
|
||||
13 | File | `/etc/init.d/S50dropbear.sh` | High
|
||||
14 | File | `/goform/rlmswitchr_process` | High
|
||||
15 | File | `/hocms/classes/Master.php?f=delete_phase` | High
|
||||
16 | File | `/hub/api/user` | High
|
||||
17 | File | `/modules/mindmap/index.php` | High
|
||||
18 | File | `/modules/tasks/summary.inc.php` | High
|
||||
19 | File | `/password.html` | High
|
||||
20 | File | `/pms/admin/inmates/manage_record.php` | High
|
||||
21 | File | `/pms/admin/prisons/manage_prison.php` | High
|
||||
22 | File | `/root/.keeper/` | High
|
||||
23 | File | `/rss.xml` | Medium
|
||||
24 | ... | ... | ...
|
||||
|
||||
There are 194 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 198 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -72,7 +72,7 @@ ID | Type | Indicator | Confidence
|
|||
20 | File | `ajax/autocompletion.php` | High
|
||||
21 | ... | ... | ...
|
||||
|
||||
There are 170 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 172 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -66,7 +66,7 @@ ID | IP address | Hostname | Campaign | Confidence
|
|||
43 | [45.156.24.97](https://vuldb.com/?ip.45.156.24.97) | palmaresk.co.uk | - | High
|
||||
44 | ... | ... | ... | ...
|
||||
|
||||
There are 170 more IOC items available. Please use our online service to access the data.
|
||||
There are 173 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
@ -74,12 +74,13 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1055 | CWE-74 | Injection | High
|
||||
3 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
4 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 3 more TTP items available. Please use our online service to access the data.
|
||||
There are 16 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -103,16 +104,16 @@ ID | Type | Indicator | Confidence
|
|||
14 | File | `/includes/rrdtool.inc.php` | High
|
||||
15 | File | `/Main_AdmStatus_Content.asp` | High
|
||||
16 | File | `/NAGErrors` | Medium
|
||||
17 | File | `/public` | Low
|
||||
18 | File | `/sgms/TreeControl` | High
|
||||
19 | File | `/SSOPOST/metaAlias/%realm%/idpv2` | High
|
||||
20 | File | `/tmp` | Low
|
||||
21 | File | `/uncpath/` | Medium
|
||||
22 | File | `/updown/upload.cgi` | High
|
||||
23 | File | `/var/log/nginx` | High
|
||||
17 | File | `/owa/auth/logon.aspx` | High
|
||||
18 | File | `/public` | Low
|
||||
19 | File | `/sgms/TreeControl` | High
|
||||
20 | File | `/SSOPOST/metaAlias/%realm%/idpv2` | High
|
||||
21 | File | `/tmp` | Low
|
||||
22 | File | `/uncpath/` | Medium
|
||||
23 | File | `/updown/upload.cgi` | High
|
||||
24 | ... | ... | ...
|
||||
|
||||
There are 197 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 199 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
@ -139,6 +140,7 @@ The following list contains _external sources_ which discuss the actor and the a
|
|||
* https://asec.ahnlab.com/en/33569/
|
||||
* https://asec.ahnlab.com/en/33679/
|
||||
* https://asec.ahnlab.com/en/33763/
|
||||
* https://blog.morphisec.com/google-ppc-ads-deliver-redline-taurus-and-mini-redline-infostealers
|
||||
* https://blog.talosintelligence.com/2021/01/threat-roundup-0108-0115.html
|
||||
* https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html
|
||||
* https://blog.talosintelligence.com/2021/06/threat-roundup-0528-0604.html
|
||||
|
@ -147,6 +149,8 @@ The following list contains _external sources_ which discuss the actor and the a
|
|||
* https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html
|
||||
* https://blogs.blackberry.com/en/2021/07/threat-thursday-redline-infostealer
|
||||
* https://blogs.blackberry.com/en/2021/10/threat-thursday-redline-infostealer-update
|
||||
* https://github.com/executemalware/Malware-IOCs/blob/main/2022-04-21%20Redline%20IOCs
|
||||
* https://github.com/executemalware/Malware-IOCs/blob/main/2022-05-09%20Redline%20IOCs
|
||||
* https://isc.sans.edu/forums/diary/RedLine+Stealer+Delivered+Through+FTP/28258/
|
||||
|
||||
## Literature
|
||||
|
|
|
@ -4,6 +4,17 @@ These _indicators_ were reported, collected, and generated during the [VulDB CTI
|
|||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.rocket_kitten](https://vuldb.com/?actor.rocket_kitten)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Rocket Kitten:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [IR](https://vuldb.com/?country.ir)
|
||||
* [ES](https://vuldb.com/?country.es)
|
||||
* ...
|
||||
|
||||
There are 7 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Rocket Kitten.
|
||||
|
@ -17,6 +28,55 @@ ID | IP address | Hostname | Campaign | Confidence
|
|||
|
||||
There are 2 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Rocket Kitten_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 18 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Rocket Kitten. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `.htaccess` | Medium
|
||||
2 | File | `/admin.php` | Medium
|
||||
3 | File | `/admin/book/create/` | High
|
||||
4 | File | `/admin/loginc.php` | High
|
||||
5 | File | `/auditLogAction.do` | High
|
||||
6 | File | `/cgi-bin/wapopen` | High
|
||||
7 | File | `/devices/acurite.c` | High
|
||||
8 | File | `/etc/ajenti/config.yml` | High
|
||||
9 | File | `/etc/sudoers` | Medium
|
||||
10 | File | `/example/editor` | High
|
||||
11 | File | `/getcfg.php` | Medium
|
||||
12 | File | `/GetCSSashx/?CP=%2fwebconfig` | High
|
||||
13 | File | `/goform/login_process` | High
|
||||
14 | File | `/goform/rlmswitchr_process` | High
|
||||
15 | File | `/goforms/rlminfo` | High
|
||||
16 | File | `/newsDia.php` | Medium
|
||||
17 | File | `/plugin` | Low
|
||||
18 | File | `/rating.php` | Medium
|
||||
19 | File | `/scas/admin/` | Medium
|
||||
20 | File | `/scas/classes/Users.php?f=save_user` | High
|
||||
21 | File | `/services/prefs.php` | High
|
||||
22 | File | `/src/njs_object.c` | High
|
||||
23 | File | `/uncpath/` | Medium
|
||||
24 | File | `/wordpress-gallery-transformation/gallery.php` | High
|
||||
25 | File | `adclick.php` | Medium
|
||||
26 | ... | ... | ...
|
||||
|
||||
There are 214 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
|
|
@ -52,7 +52,7 @@ ID | Technique | Weakness | Description | Confidence
|
|||
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 16 more TTP items available. Please use our online service to access the data.
|
||||
There are 17 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -71,27 +71,27 @@ ID | Type | Indicator | Confidence
|
|||
9 | File | `/context/%2e/WEB-INF/web.xml` | High
|
||||
10 | File | `/dashboard/reports/logs/view` | High
|
||||
11 | File | `/debug/pprof` | Medium
|
||||
12 | File | `/dl/dl_print.php` | High
|
||||
13 | File | `/etc/hosts` | Medium
|
||||
14 | File | `/fuel/index.php/fuel/logs/items` | High
|
||||
15 | File | `/fuel/sitevariables/delete/4` | High
|
||||
16 | File | `/hprms/admin/doctors/manage_doctor.php` | High
|
||||
17 | File | `/index/jobfairol/show/` | High
|
||||
18 | File | `/librarian/bookdetails.php` | High
|
||||
19 | File | `/mgmt/tm/util/bash` | High
|
||||
20 | File | `/moddable/xs/sources/xsDebug.c` | High
|
||||
21 | File | `/new` | Low
|
||||
22 | File | `/odfs/classes/Master.php?f=save_category` | High
|
||||
23 | File | `/proc/<PID>/mem` | High
|
||||
24 | File | `/proc/<pid>/status` | High
|
||||
25 | File | `/public/plugins/` | High
|
||||
26 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
27 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
28 | File | `/simple_chat_bot/admin/?page=user/manage_user` | High
|
||||
29 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
|
||||
12 | File | `/etc/hosts` | Medium
|
||||
13 | File | `/fuel/index.php/fuel/logs/items` | High
|
||||
14 | File | `/fuel/sitevariables/delete/4` | High
|
||||
15 | File | `/hprms/admin/doctors/manage_doctor.php` | High
|
||||
16 | File | `/index/jobfairol/show/` | High
|
||||
17 | File | `/librarian/bookdetails.php` | High
|
||||
18 | File | `/mgmt/tm/util/bash` | High
|
||||
19 | File | `/moddable/xs/sources/xsDebug.c` | High
|
||||
20 | File | `/new` | Low
|
||||
21 | File | `/odfs/classes/Master.php?f=save_category` | High
|
||||
22 | File | `/proc/<PID>/mem` | High
|
||||
23 | File | `/proc/<pid>/status` | High
|
||||
24 | File | `/public/plugins/` | High
|
||||
25 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
26 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
27 | File | `/simple_chat_bot/admin/?page=user/manage_user` | High
|
||||
28 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
|
||||
29 | File | `/tmp` | Low
|
||||
30 | ... | ... | ...
|
||||
|
||||
There are 257 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 256 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -43,7 +43,7 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-22, CWE-23 | Pathname Traversal | High
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
|
||||
2 | T1055 | CWE-74 | Injection | High
|
||||
3 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
@ -65,9 +65,10 @@ ID | Type | Indicator | Confidence
|
|||
7 | File | `/rapi/read_url` | High
|
||||
8 | File | `/sec/content/sec_asa_users_local_db_add.html` | High
|
||||
9 | File | `/see_more_details.php` | High
|
||||
10 | ... | ... | ...
|
||||
10 | File | `/vicidial/user_stats.php` | High
|
||||
11 | ... | ... | ...
|
||||
|
||||
There are 78 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 87 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -48,12 +48,14 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
|
||||
2 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
3 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
4 | ... | ... | ... | ...
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-294, CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
|
||||
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
6 | ... | ... | ... | ...
|
||||
|
||||
There are 9 more TTP items available. Please use our online service to access the data.
|
||||
There are 22 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -61,46 +63,49 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/admin/admin_login.php` | High
|
||||
2 | File | `/backups/` | Medium
|
||||
3 | File | `/cgi-bin/wapopen` | High
|
||||
4 | File | `/config/getuser` | High
|
||||
5 | File | `/controllers/MgrDiagnosticTools.php` | High
|
||||
6 | File | `/dev/cuse` | Medium
|
||||
7 | File | `/download` | Medium
|
||||
8 | File | `/etc/config/rpcd` | High
|
||||
9 | File | `/EXCU_SHELL` | Medium
|
||||
10 | File | `/export` | Low
|
||||
11 | File | `/forum/away.php` | High
|
||||
12 | File | `/gena.cgi` | Medium
|
||||
13 | File | `/goform/webSettingProfileSecurity` | High
|
||||
14 | File | `/login` | Low
|
||||
15 | File | `/mgmt/tm/util/bash` | High
|
||||
16 | File | `/MIME/INBOX-MM-1/` | High
|
||||
17 | File | `/ms/file/uploadTemplate.do` | High
|
||||
18 | File | `/netflow/jspui/editProfile.jsp` | High
|
||||
19 | File | `/novel-admin/src/main/java/com/java2nb/common/controller/FileController.java` | High
|
||||
20 | File | `/opt/IBM/es/lib/libffq.cryptionjni.so` | High
|
||||
21 | File | `/out.php` | Medium
|
||||
22 | File | `/php/ajax.php` | High
|
||||
23 | File | `/public/login.htm` | High
|
||||
24 | File | `/rapi/read_url` | High
|
||||
25 | File | `/sec/content/sec_asa_users_local_db_add.html` | High
|
||||
26 | File | `/see_more_details.php` | High
|
||||
27 | File | `/service/v1/createUser` | High
|
||||
28 | File | `/setSystemAdmin` | High
|
||||
29 | File | `/Storage/Emulated/0/Telegram/Telegram` | High
|
||||
30 | File | `/thruk/#cgi-bin/extinfo.cgi?type=2` | High
|
||||
31 | File | `/uncpath/` | Medium
|
||||
32 | File | `/vloggers_merch/admin/?page=orders/view_order` | High
|
||||
33 | File | `/wp-admin/admin-ajax.php` | High
|
||||
34 | File | `/wp-admin/admin-post.php?es_skip=1&option_name` | High
|
||||
35 | File | `/wp-content/plugins/updraftplus/admin.php` | High
|
||||
36 | File | `/_core/profile/` | High
|
||||
37 | File | `adclick.php` | Medium
|
||||
38 | ... | ... | ...
|
||||
1 | File | `/admin/?page=system_info/contact_info` | High
|
||||
2 | File | `/admin/admin_login.php` | High
|
||||
3 | File | `/backups/` | Medium
|
||||
4 | File | `/cgi-bin/wapopen` | High
|
||||
5 | File | `/config/getuser` | High
|
||||
6 | File | `/controllers/MgrDiagnosticTools.php` | High
|
||||
7 | File | `/dashboard/reports/logs/view` | High
|
||||
8 | File | `/dashboard/system/express/entities/forms/save_control/[GUID]` | High
|
||||
9 | File | `/dev/cuse` | Medium
|
||||
10 | File | `/download` | Medium
|
||||
11 | File | `/etc/config/rpcd` | High
|
||||
12 | File | `/EXCU_SHELL` | Medium
|
||||
13 | File | `/export` | Low
|
||||
14 | File | `/forum/away.php` | High
|
||||
15 | File | `/gena.cgi` | Medium
|
||||
16 | File | `/goform/webSettingProfileSecurity` | High
|
||||
17 | File | `/login` | Low
|
||||
18 | File | `/mgmt/tm/util/bash` | High
|
||||
19 | File | `/MIME/INBOX-MM-1/` | High
|
||||
20 | File | `/ms/file/uploadTemplate.do` | High
|
||||
21 | File | `/netflow/jspui/editProfile.jsp` | High
|
||||
22 | File | `/novel-admin/src/main/java/com/java2nb/common/controller/FileController.java` | High
|
||||
23 | File | `/ofrs/admin/?page=requests/view_request` | High
|
||||
24 | File | `/opt/IBM/es/lib/libffq.cryptionjni.so` | High
|
||||
25 | File | `/out.php` | Medium
|
||||
26 | File | `/php/ajax.php` | High
|
||||
27 | File | `/public/login.htm` | High
|
||||
28 | File | `/rapi/read_url` | High
|
||||
29 | File | `/sec/content/sec_asa_users_local_db_add.html` | High
|
||||
30 | File | `/see_more_details.php` | High
|
||||
31 | File | `/service/v1/createUser` | High
|
||||
32 | File | `/setSystemAdmin` | High
|
||||
33 | File | `/Storage/Emulated/0/Telegram/Telegram` | High
|
||||
34 | File | `/thruk/#cgi-bin/extinfo.cgi?type=2` | High
|
||||
35 | File | `/uncpath/` | Medium
|
||||
36 | File | `/user/dls_download.php` | High
|
||||
37 | File | `/vicidial/user_stats.php` | High
|
||||
38 | File | `/vloggers_merch/admin/?page=orders/view_order` | High
|
||||
39 | File | `/wp-admin/admin-ajax.php` | High
|
||||
40 | File | `/wp-admin/admin-post.php?es_skip=1&option_name` | High
|
||||
41 | ... | ... | ...
|
||||
|
||||
There are 330 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 358 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -0,0 +1,46 @@
|
|||
# Sliver - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Sliver](https://vuldb.com/?actor.sliver). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.sliver](https://vuldb.com/?actor.sliver)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Sliver:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [GB](https://vuldb.com/?country.gb)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Sliver.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [23.81.246.193](https://vuldb.com/?ip.23.81.246.193) | - | - | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Sliver_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
2 | T1505 | CWE-89 | SQL Injection | High
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://github.com/executemalware/Malware-IOCs/blob/main/2021-10-21%20Sliver%20IOCs
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -34,12 +34,13 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1211 | CWE-254 | 7PK Security Features | High
|
||||
4 | ... | ... | ... | ...
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 7 more TTP items available. Please use our online service to access the data.
|
||||
There are 18 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -64,10 +65,10 @@ ID | Type | Indicator | Confidence
|
|||
15 | File | `/transmission/web/` | High
|
||||
16 | File | `/uncpath/` | Medium
|
||||
17 | File | `/usr/local` | Medium
|
||||
18 | File | `/weibo/publishdata` | High
|
||||
18 | File | `/usr/sbin/sendmail` | High
|
||||
19 | ... | ... | ...
|
||||
|
||||
There are 156 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 157 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -0,0 +1,98 @@
|
|||
# SolarWinds - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [SolarWinds](https://vuldb.com/?actor.solarwinds). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.solarwinds](https://vuldb.com/?actor.solarwinds)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with SolarWinds:
|
||||
|
||||
* [GB](https://vuldb.com/?country.gb)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* ...
|
||||
|
||||
There are 6 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of SolarWinds.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [185.225.69.69](https://vuldb.com/?ip.185.225.69.69) | node-69-04-02.xetmail.com | - | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _SolarWinds_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-21, CWE-22 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 18 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by SolarWinds. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `.htaccess` | Medium
|
||||
2 | File | `/.asp` | Low
|
||||
3 | File | `/admin/admin_login.php` | High
|
||||
4 | File | `/advanced/adv_dns.xgi` | High
|
||||
5 | File | `/CFIDE/probe.cfm` | High
|
||||
6 | File | `/etc/config/rpcd` | High
|
||||
7 | File | `/MicroStrategyWS/happyaxis.jsp` | High
|
||||
8 | File | `/nidp/app/login` | High
|
||||
9 | File | `/proc` | Low
|
||||
10 | File | `/rapi/read_url` | High
|
||||
11 | File | `/sbin/conf.d/SuSEconfig.javarunt` | High
|
||||
12 | File | `/setSystemAdmin` | High
|
||||
13 | File | `/start_apply.htm` | High
|
||||
14 | File | `/tmp` | Low
|
||||
15 | File | `/uncpath/` | Medium
|
||||
16 | File | `/upload` | Low
|
||||
17 | File | `/usr/lib/utmp_update` | High
|
||||
18 | File | `/wp-admin/admin-post.php?es_skip=1&option_name` | High
|
||||
19 | File | `admin.php` | Medium
|
||||
20 | File | `admin/graph_trend.php` | High
|
||||
21 | File | `admin/Login.php` | High
|
||||
22 | File | `admin/plugin-index.php` | High
|
||||
23 | File | `administration` | High
|
||||
24 | File | `administrative` | High
|
||||
25 | File | `aolfix.exe` | Medium
|
||||
26 | File | `Ap4DecoderConfigDescriptor.cpp` | High
|
||||
27 | File | `awhost32.exe` | Medium
|
||||
28 | File | `bidhistory.php` | High
|
||||
29 | File | `browser/notifications/notification_ui_manager_impl.cc` | High
|
||||
30 | File | `buffer.c` | Medium
|
||||
31 | File | `c:\aux` | Low
|
||||
32 | File | `cgi-bin/` | Medium
|
||||
33 | File | `cluster.asp` | Medium
|
||||
34 | ... | ... | ...
|
||||
|
||||
There are 289 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://blogs.infoblox.com/cyber-threat-intelligence/cyber-threat-advisory/solarwinds-third-update/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -9,11 +9,11 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
|
|||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with SquirtDanger:
|
||||
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [ES](https://vuldb.com/?country.es)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* ...
|
||||
|
||||
There are 22 more country items available. Please use our online service to access the data.
|
||||
There are 20 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -55,12 +55,13 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 4 more TTP items available. Please use our online service to access the data.
|
||||
There are 18 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -69,42 +70,36 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `//proc/kcore` | Medium
|
||||
2 | File | `/?module=users§ion=cpanel&page=list` | High
|
||||
3 | File | `/admin/powerline` | High
|
||||
4 | File | `/admin/syslog` | High
|
||||
5 | File | `/Ap4RtpAtom.cpp` | High
|
||||
6 | File | `/api/upload` | Medium
|
||||
7 | File | `/app/Http/Controllers/Admin/NEditorController.php` | High
|
||||
8 | File | `/bcms/admin/?page=user/list` | High
|
||||
9 | File | `/bsms/?page=manage_account` | High
|
||||
10 | File | `/context/%2e/WEB-INF/web.xml` | High
|
||||
11 | File | `/dashboard/reports/logs/view` | High
|
||||
12 | File | `/debug/pprof` | Medium
|
||||
13 | File | `/fuel/index.php/fuel/logs/items` | High
|
||||
14 | File | `/fuel/sitevariables/delete/4` | High
|
||||
15 | File | `/librarian/bookdetails.php` | High
|
||||
16 | File | `/mgmt/tm/util/bash` | High
|
||||
17 | File | `/monitoring` | Medium
|
||||
18 | File | `/new` | Low
|
||||
19 | File | `/proc/<pid>/status` | High
|
||||
20 | File | `/public/plugins/` | High
|
||||
21 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
22 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
23 | File | `/simple_chat_bot/admin/?page=user/manage_user` | High
|
||||
24 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
|
||||
25 | File | `/tmp` | Low
|
||||
26 | File | `/uncpath/` | Medium
|
||||
27 | File | `/views/directive/sys/SysConfigDataDirective.java` | High
|
||||
28 | File | `/wp-admin/admin.php?page=wp_file_manager_properties` | High
|
||||
29 | File | `/wp-json/wc/v3/webhooks` | High
|
||||
30 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
31 | File | `AccountManagerService.java` | High
|
||||
32 | File | `actions/CompanyDetailsSave.php` | High
|
||||
33 | File | `ActiveServices.java` | High
|
||||
34 | File | `ActivityManagerService.java` | High
|
||||
35 | ... | ... | ...
|
||||
2 | File | `/Ap4RtpAtom.cpp` | High
|
||||
3 | File | `/app/options.py` | High
|
||||
4 | File | `/bcms/admin/?page=user/list` | High
|
||||
5 | File | `/bsms/?page=manage_account` | High
|
||||
6 | File | `/cgi-bin/login.cgi` | High
|
||||
7 | File | `/ci_hms/massage_room/edit/1` | High
|
||||
8 | File | `/context/%2e/WEB-INF/web.xml` | High
|
||||
9 | File | `/dashboard/reports/logs/view` | High
|
||||
10 | File | `/debug/pprof` | Medium
|
||||
11 | File | `/etc/hosts` | Medium
|
||||
12 | File | `/fuel/index.php/fuel/logs/items` | High
|
||||
13 | File | `/fuel/sitevariables/delete/4` | High
|
||||
14 | File | `/hprms/admin/doctors/manage_doctor.php` | High
|
||||
15 | File | `/index/jobfairol/show/` | High
|
||||
16 | File | `/librarian/bookdetails.php` | High
|
||||
17 | File | `/mgmt/tm/util/bash` | High
|
||||
18 | File | `/monitoring` | Medium
|
||||
19 | File | `/new` | Low
|
||||
20 | File | `/proc/<PID>/mem` | High
|
||||
21 | File | `/proc/<pid>/status` | High
|
||||
22 | File | `/public/plugins/` | High
|
||||
23 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
24 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
25 | File | `/simple_chat_bot/admin/?page=user/manage_user` | High
|
||||
26 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
|
||||
27 | File | `/tmp` | Low
|
||||
28 | File | `/uncpath/` | Medium
|
||||
29 | ... | ... | ...
|
||||
|
||||
There are 302 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 247 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -0,0 +1,99 @@
|
|||
# Swisyn - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Swisyn](https://vuldb.com/?actor.swisyn). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.swisyn](https://vuldb.com/?actor.swisyn)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Swisyn:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [FR](https://vuldb.com/?country.fr)
|
||||
* [RS](https://vuldb.com/?country.rs)
|
||||
* ...
|
||||
|
||||
There are 10 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Swisyn.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [5.39.72.2](https://vuldb.com/?ip.5.39.72.2) | ns3065363.ip-5-39-72.eu | - | High
|
||||
2 | [13.107.21.200](https://vuldb.com/?ip.13.107.21.200) | - | - | High
|
||||
3 | [20.42.65.92](https://vuldb.com/?ip.20.42.65.92) | - | - | High
|
||||
4 | [51.91.73.194](https://vuldb.com/?ip.51.91.73.194) | ns3164589.ip-51-91-73.eu | - | High
|
||||
5 | [51.254.45.43](https://vuldb.com/?ip.51.254.45.43) | ip-51-254-45-43.ddhosts.net | - | High
|
||||
6 | [58.221.32.3](https://vuldb.com/?ip.58.221.32.3) | - | - | High
|
||||
7 | [58.221.33.111](https://vuldb.com/?ip.58.221.33.111) | - | - | High
|
||||
8 | [58.221.35.121](https://vuldb.com/?ip.58.221.35.121) | - | - | High
|
||||
9 | [59.42.71.178](https://vuldb.com/?ip.59.42.71.178) | - | - | High
|
||||
10 | [59.188.239.165](https://vuldb.com/?ip.59.188.239.165) | - | - | High
|
||||
11 | [61.60.12.164](https://vuldb.com/?ip.61.60.12.164) | 61-60-12-164.GSN-IP.hinet.net | - | High
|
||||
12 | ... | ... | ... | ...
|
||||
|
||||
There are 45 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Swisyn_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-21, CWE-22 | Pathname Traversal | High
|
||||
2 | T1055 | CWE-74 | Injection | High
|
||||
3 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
4 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 18 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Swisyn. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/admin.php/vod/admin/topic/del` | High
|
||||
2 | File | `/admin.php?action=themeinstall` | High
|
||||
3 | File | `/admin/admapi.php` | High
|
||||
4 | File | `/admin/config.php?display=disa&view=form` | High
|
||||
5 | File | `/admin/login.php` | High
|
||||
6 | File | `/admin/posts.php&action=edit` | High
|
||||
7 | File | `/admin/sysmon.php` | High
|
||||
8 | File | `/base/ecma-helpers-string.c` | High
|
||||
9 | File | `/cimom` | Low
|
||||
10 | File | `/ci_spms/admin/search/searching/` | High
|
||||
11 | File | `/EPOAGENTMETA/DisplayMSAPropsDetail.do` | High
|
||||
12 | File | `/etc/sysconfig/tomcat` | High
|
||||
13 | File | `/fantasticblog/single.php` | High
|
||||
14 | File | `/goform/aspForm` | High
|
||||
15 | File | `/jpg/image.jpg` | High
|
||||
16 | ... | ... | ...
|
||||
|
||||
There are 125 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://blog.talosintelligence.com/2019/03/threat-roundup-for-mar-01-to-mar-08.html
|
||||
* https://blog.talosintelligence.com/2019/05/threat-roundup-0517-0524.html
|
||||
* https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
|
||||
* https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
|
||||
* https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
|
||||
* https://blog.talosintelligence.com/2022/01/threat-roundup-0121-0128.html
|
||||
* https://blog.talosintelligence.com/2022/04/threat-roundup-0422-0429.html
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -53,12 +53,13 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
1 | T1006 | CWE-21, CWE-22 | Pathname Traversal | High
|
||||
2 | T1055 | CWE-74 | Injection | High
|
||||
3 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
4 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 6 more TTP items available. Please use our online service to access the data.
|
||||
There are 18 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -104,9 +105,9 @@ ID | Type | Indicator | Confidence
|
|||
36 | File | `album_portal.php` | High
|
||||
37 | File | `al_initialize.php` | High
|
||||
38 | File | `app/call_centers/cmd.php` | High
|
||||
39 | File | `arch/x86/kvm/hyperv.c` | High
|
||||
40 | File | `auction.cgi` | Medium
|
||||
41 | File | `autologin.jsp` | High
|
||||
39 | File | `apply.cgi` | Medium
|
||||
40 | File | `appointment.php` | High
|
||||
41 | File | `arch/x86/kvm/hyperv.c` | High
|
||||
42 | ... | ... | ...
|
||||
|
||||
There are 358 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
|
|
@ -48,12 +48,13 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
|
||||
2 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
3 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
4 | ... | ... | ... | ...
|
||||
1 | T1006 | CWE-21, CWE-22 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-294, CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 7 more TTP items available. Please use our online service to access the data.
|
||||
There are 16 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -77,7 +78,7 @@ ID | Type | Indicator | Confidence
|
|||
14 | File | `admin/getparam.cgi` | High
|
||||
15 | ... | ... | ...
|
||||
|
||||
There are 115 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 117 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue