Update
parent b6a892236d
commit 5594bbe8c6
@ -1,33 +1,33 @@
|
|||
# 1937CN - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [1937CN](https://vuldb.com/?actor.1937cn). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [1937CN](https://vuldb.com/?actor.1937cn). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.1937cn](https://vuldb.com/?actor.1937cn)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.1937cn](https://vuldb.com/?actor.1937cn)
|
||||
|
||||
## Campaigns
|
||||
|
||||
The following campaigns are known and can be associated with 1937CN:
|
||||
The following _campaigns_ are known and can be associated with 1937CN:
|
||||
|
||||
* Rehashed RAT
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of 1937CN.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of 1937CN.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 1.3.30.3 | - | High
|
||||
2 | 1.3.33.5 | - | High
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 1.3.30.3 | - | Rehashed RAT | High
|
||||
2 | 1.3.33.5 | - | Rehashed RAT | High
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://www.threatminer.org/report.php?q=RehashedRATUsedinAPTCampaignAgainstVietnameseOrganizations_FortinetBlog.pdf&y=2017
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
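Review bot: the IOC table in this hunk adds the Campaign column but leaves the IP address cells as plain text, whereas the APT-C-01 hunk in the same commit links each address to its `https://vuldb.com/?ip.<address>` page; pick one convention and apply it to every README touched by this commit. Both rows are attributed to Rehashed RAT, which matches the only campaign listed above, so the attribution is internally consistent. A smaller style point: wrapping ordinary nouns in underscores (`_indicators_`, `_activity monitoring_`, `_predictive model_`) in the intro paragraph adds emphasis without adding information; the ressources to resources typo fix in the IOC intro is fine.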
@ -1,45 +1,45 @@
|
|||
# APT-C-01 - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT-C-01](https://vuldb.com/?actor.apt-c-01). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT-C-01](https://vuldb.com/?actor.apt-c-01). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt-c-01](https://vuldb.com/?actor.apt-c-01)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.apt-c-01](https://vuldb.com/?actor.apt-c-01)
|
||||
|
||||
## Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT-C-01:
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT-C-01:
|
||||
|
||||
* US
|
||||
* CN
|
||||
* RU
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* [RU](https://vuldb.com/?country.ru)
|
||||
* ...
|
||||
|
||||
There are 3 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT-C-01.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of APT-C-01.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 45.32.8.137 | 45.32.8.137.vultr.com | Medium
|
||||
2 | 45.76.125.176 | 45.76.125.176.vultr.com | Medium
|
||||
3 | 45.76.228.61 | - | High
|
||||
4 | ... | ... | ...
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [45.32.8.137](https://vuldb.com/?ip.45.32.8.137) | 45.32.8.137.vultr.com | - | Medium
|
||||
2 | [45.76.125.176](https://vuldb.com/?ip.45.76.125.176) | 45.76.125.176.vultr.com | - | Medium
|
||||
3 | [45.76.228.61](https://vuldb.com/?ip.45.76.228.61) | 45.76.228.61.vultr.com | - | Medium
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 4 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by APT-C-01. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by APT-C-01. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1059.007 | Cross Site Scripting | High
|
||||
2 | T1068 | Execution with Unnecessary Privileges | High
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT-C-01. This data is unique as it uses our predictive model for actor profiling.
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT-C-01. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
|
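Review bot: row 3 of the IOC table changes 45.76.228.61 from hostname `-` and confidence High to hostname `45.76.228.61.vultr.com` and confidence Medium, and the commit message ("Update") gives no reason for the downgrade; a data change like this should be explained, or at least committed separately from the markup changes. In the TTP table the new Weakness column does not line up with the Technique column: T1059.007 is the ATT&CK sub-technique "Command and Scripting Interpreter: JavaScript" and T1068 is "Exploitation for Privilege Escalation", while the Description cells ("Cross Site Scripting", "Execution with Unnecessary Privileges") are CWE titles (CWE-79 and CWE-250), and CWE-264 is a retired category rather than a weakness. Either describe the ATT&CK technique in the Description column or rename the column so it is clear it describes the weakness.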
@ -49,17 +49,17 @@ ID | Type | Indicator | Confidence
|
|||
4 | File | `2020\Messages\SDNotify.exe` | High
|
||||
5 | ... | ... | ...
|
||||
|
||||
There are 33 more IOA items available. Please use our online service to access the data.
|
||||
There are 33 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://www.threatminer.org/report.php?q=APT-C-01-360.pdf&y=2018
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
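Review bot: the parenthetical added to the "There are 33 more IOA items available" line (file, library, argument, input value, pattern, network port) lists six indicator types, but every visible row in this table, including row 4 `2020\Messages\SDNotify.exe`, is of type File, so the reader cannot tell whether the list describes this actor's hidden items or is a fixed template string; if it is the template, phrase it as "types can include" rather than implying those types occur here. The rest of the hunk is emphasis-only markup and needs no change.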
@ -1,64 +1,126 @@
|
|||
# APT-C-36 - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT-C-36](https://vuldb.com/?actor.apt-c-36). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT-C-36](https://vuldb.com/?actor.apt-c-36). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt-c-36](https://vuldb.com/?actor.apt-c-36)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.apt-c-36](https://vuldb.com/?actor.apt-c-36)
|
||||
|
||||
## Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT-C-36:
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT-C-36:
|
||||
|
||||
* US
|
||||
* BR
|
||||
* FR
|
||||
* CN
|
||||
* DE
|
||||
* ...
|
||||
|
||||
There are 3 more country items available. Please use our online service to access the data.
|
||||
There are 20 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT-C-36.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of APT-C-36.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 128.90.106.22 | undefined.hostname.localhost | High
|
||||
2 | 128.90.107.21 | undefined.hostname.localhost | High
|
||||
3 | 128.90.107.189 | undefined.hostname.localhost | High
|
||||
4 | ... | ... | ...
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 128.90.106.22 | undefined.hostname.localhost | - | High
|
||||
2 | 128.90.107.21 | undefined.hostname.localhost | - | High
|
||||
3 | 128.90.107.189 | undefined.hostname.localhost | - | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 5 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by APT-C-36. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by APT-C-36. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1499 | Resource Consumption | High
|
||||
2 | T1600 | Cryptographic Issues | High
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 8 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT-C-36. This data is unique as it uses our predictive model for actor profiling.
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT-C-36. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `.htaccess` | Medium
|
||||
2 | File | `FileSeek.cgi` | Medium
|
||||
3 | File | `includes/dbal.php` | High
|
||||
4 | ... | ... | ...
|
||||
1 | File | `$SPLUNK_HOME/etc/splunk-launch.conf` | High
|
||||
2 | File | `/+CSCOE+/logon.html` | High
|
||||
3 | File | `/admin/model/database.class.php` | High
|
||||
4 | File | `/assets/ctx` | Medium
|
||||
5 | File | `/concat?/%2557EB-INF/web.xml` | High
|
||||
6 | File | `/config/getuser` | High
|
||||
7 | File | `/ext/phar/phar_object.c` | High
|
||||
8 | File | `/filemanager/php/connector.php` | High
|
||||
9 | File | `/get_getnetworkconf.cgi` | High
|
||||
10 | File | `/HNAP1` | Low
|
||||
11 | File | `/index.php?controller=calendar&format=raw&cat[0]=SQLi&task=events` | High
|
||||
12 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
|
||||
13 | File | `/modx/manager/index.php` | High
|
||||
14 | File | `/osm/REGISTER.cmd` | High
|
||||
15 | File | `/product_list.php` | High
|
||||
16 | File | `/replication` | Medium
|
||||
17 | File | `/see_more_details.php` | High
|
||||
18 | File | `/siteminderagent/pwcgi/smpwservicescgi.exe` | High
|
||||
19 | File | `/supervisor/procesa_carga.php` | High
|
||||
20 | File | `/type.php` | Medium
|
||||
21 | File | `/uncpath/` | Medium
|
||||
22 | File | `/usr/bin/pkexec` | High
|
||||
23 | File | `/zm/index.php` | High
|
||||
24 | File | `4.2.0.CP09` | Medium
|
||||
25 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
26 | File | `802dot1xclientcert.cgi` | High
|
||||
27 | File | `add.exe` | Low
|
||||
28 | File | `addentry.php` | Medium
|
||||
29 | File | `add_edit_user.asp` | High
|
||||
30 | File | `admin-ajax.php` | High
|
||||
31 | File | `admin.color.php` | High
|
||||
32 | File | `admin.cropcanvas.php` | High
|
||||
33 | File | `admin.joomlaradiov5.php` | High
|
||||
34 | File | `admin.php` | Medium
|
||||
35 | File | `admin.php?m=Food&a=addsave` | High
|
||||
36 | File | `admin/category.inc.php` | High
|
||||
37 | File | `admin/conf_users_edit.php` | High
|
||||
38 | File | `admin/index.php` | High
|
||||
39 | File | `admin/user.php` | High
|
||||
40 | File | `admin/write-post.php` | High
|
||||
41 | File | `administrator/components/com_media/helpers/media.php` | High
|
||||
42 | File | `admin_events.php` | High
|
||||
43 | File | `ajax_new_account.php` | High
|
||||
44 | File | `akocomments.php` | High
|
||||
45 | File | `allopass-error.php` | High
|
||||
46 | File | `announcement.php` | High
|
||||
47 | File | `api_poller.php` | High
|
||||
48 | File | `apply.cgi` | Medium
|
||||
49 | File | `archiver\index.php` | High
|
||||
50 | File | `artlinks.dispnew.php` | High
|
||||
51 | File | `auth.inc.php` | Medium
|
||||
52 | File | `authorization.do` | High
|
||||
53 | File | `awstats.pl` | Medium
|
||||
54 | File | `backoffice/login.asp` | High
|
||||
55 | File | `bb_usage_stats.php` | High
|
||||
56 | File | `binder.c` | Medium
|
||||
57 | File | `bl-kernel/ajax/upload-images.php` | High
|
||||
58 | File | `books.php` | Medium
|
||||
59 | File | `C:\Python27` | Medium
|
||||
60 | File | `C:\Windows\System32\config\SAM` | High
|
||||
61 | File | `categorie.php3` | High
|
||||
62 | ... | ... | ...
|
||||
|
||||
There are 17 more IOA items available. Please use our online service to access the data.
|
||||
There are 541 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
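Review bot: this hunk replaces the actor profile wholesale rather than updating it, and the commit message does not say so: the Countries footer goes from 3 to 20 more items, the TTP table drops T1499 and T1600 and now lists T1059.007, T1068 and T1110.001 plus 8 more, and the IOA table's three previous entries (`.htaccess`, `FileSeek.cgi`, `includes/dbal.php`) are replaced by 61 different ones with 541 more hidden instead of 17. A regeneration of this size needs a commit message stating the data source and date, since anyone diffing this file downstream will see every indicator as new. Within the new IOA rows the Type column is not reliable: row 24 `4.2.0.CP09` is a version string, not a file; rows 11 and 12 are full request URIs with query parameters (`cat[0]=SQLi`, `productname=RT-AC88U`); rows 59 and 60 (`C:\Python27`, `C:\Windows\System32\config\SAM`) are local host paths; and row 22 `/usr/bin/pkexec` is a system binary. Some of these belong in the "pattern" or "argument" types the footer mentions, and entries such as `admin.php` (row 34) and `admin/index.php` (row 38) will match essentially any PHP deployment, so the confidence values need to carry that caveat before this is used as detection content. In the TTP table, T1110.001 (Brute Force: Password Guessing) is mapped to CWE-798, Use of Hard-coded Credentials, while the description "Improper Restriction of Excessive Authentication Attempts" is the title of CWE-307; one of the two is wrong.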
125
APT10/README.md
|
@ -1,19 +1,19 @@
|
|||
# APT10 - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT10](https://vuldb.com/?actor.apt10). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT10](https://vuldb.com/?actor.apt10). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt10](https://vuldb.com/?actor.apt10)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.apt10](https://vuldb.com/?actor.apt10)
|
||||
|
||||
## Campaigns
|
||||
|
||||
The following campaigns are known and can be associated with APT10:
|
||||
The following _campaigns_ are known and can be associated with APT10:
|
||||
|
||||
* A41APT
|
||||
* Cloud Hopper
|
||||
|
||||
## Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT10:
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT10:
|
||||
|
||||
* US
|
||||
* RU
|
||||
|
@ -24,53 +24,53 @@ There are 8 more country items available. Please use our online service to acces
|
|||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT10.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of APT10.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 23.89.193.34 | - | High
|
||||
2 | 23.110.64.147 | - | High
|
||||
3 | 23.252.105.137 | 23.252.105.137.16clouds.com | High
|
||||
4 | 27.102.66.67 | - | High
|
||||
5 | 27.102.115.249 | - | High
|
||||
6 | 27.102.127.75 | - | High
|
||||
7 | 27.102.127.80 | - | High
|
||||
8 | 27.102.128.157 | - | High
|
||||
9 | 31.184.197.215 | 31-184-197-215.static.x5x-noc.ru | High
|
||||
10 | 31.184.197.227 | 31-184-197-227.static.x5x-noc.ru | High
|
||||
11 | 31.184.198.23 | - | High
|
||||
12 | 31.184.198.38 | - | High
|
||||
13 | 37.187.7.74 | ns3372567.ip-37-187-7.eu | High
|
||||
14 | 37.235.52.18 | 18.52.235.37.in-addr.arpa | High
|
||||
15 | 38.72.112.45 | - | High
|
||||
16 | 38.72.114.16 | - | High
|
||||
17 | 38.72.115.9 | - | High
|
||||
18 | 45.62.112.161 | 45.62.112.161.16clouds.com | High
|
||||
19 | 45.138.157.83 | vm339806.pq.hosting | High
|
||||
20 | 46.108.39.134 | - | High
|
||||
21 | 50.2.160.104 | - | High
|
||||
22 | 52.74.71.131 | ec2-52-74-71-131.ap-southeast-1.compute.amazonaws.com | Medium
|
||||
23 | 52.74.213.16 | ec2-52-74-213-16.ap-southeast-1.compute.amazonaws.com | Medium
|
||||
24 | ... | ... | ...
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 23.89.193.34 | - | Cloud Hopper | High
|
||||
2 | 23.110.64.147 | - | Cloud Hopper | High
|
||||
3 | 23.252.105.137 | 23.252.105.137.16clouds.com | Cloud Hopper | High
|
||||
4 | 27.102.66.67 | - | - | High
|
||||
5 | 27.102.115.249 | - | - | High
|
||||
6 | 27.102.127.75 | - | - | High
|
||||
7 | 27.102.127.80 | - | - | High
|
||||
8 | 27.102.128.157 | - | - | High
|
||||
9 | 31.184.197.215 | 31-184-197-215.static.x5x-noc.ru | Cloud Hopper | High
|
||||
10 | 31.184.197.227 | 31-184-197-227.static.x5x-noc.ru | Cloud Hopper | High
|
||||
11 | 31.184.198.23 | - | Cloud Hopper | High
|
||||
12 | 31.184.198.38 | - | Cloud Hopper | High
|
||||
13 | 37.187.7.74 | ns3372567.ip-37-187-7.eu | Cloud Hopper | High
|
||||
14 | 37.235.52.18 | 18.52.235.37.in-addr.arpa | Cloud Hopper | High
|
||||
15 | 38.72.112.45 | - | Cloud Hopper | High
|
||||
16 | 38.72.114.16 | - | Cloud Hopper | High
|
||||
17 | 38.72.115.9 | - | Cloud Hopper | High
|
||||
18 | 45.62.112.161 | 45.62.112.161.16clouds.com | Cloud Hopper | High
|
||||
19 | 45.138.157.83 | google.com.tm | A41APT | High
|
||||
20 | 46.108.39.134 | - | Cloud Hopper | High
|
||||
21 | 50.2.160.104 | - | Cloud Hopper | High
|
||||
22 | 52.74.71.131 | ec2-52-74-71-131.ap-southeast-1.compute.amazonaws.com | Cloud Hopper | Medium
|
||||
23 | 52.74.213.16 | ec2-52-74-213-16.ap-southeast-1.compute.amazonaws.com | Cloud Hopper | Medium
|
||||
24 | ... | ... | ... | ...
|
||||
|
||||
There are 91 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by APT10. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by APT10. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1059.007 | Cross Site Scripting | High
|
||||
2 | T1068 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ...
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 4 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT10. This data is unique as it uses our predictive model for actor profiling.
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT10. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
|
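Review bot: row 19 of the IOC table changes the hostname for 45.138.157.83 from `vm339806.pq.hosting` (the hosting provider's reverse-DNS name) to `google.com.tm` and attributes it to A41APT, which changes what the Hostname column means: every other row holds the PTR record (`ec2-...compute.amazonaws.com`, `...16clouds.com`, `...static.x5x-noc.ru`), whereas `google.com.tm` reads as a lookalike domain the actor pointed at that address. Either add a column for actor-controlled domains or document that Hostname can hold either. Row 14 still lists `18.52.235.37.in-addr.arpa` as the hostname for 37.235.52.18, which is the reverse-lookup query name itself rather than a resolved name and should be `-`. Rows 4 to 8 (27.102.x.x) have Campaign `-` while the surrounding rows are all Cloud Hopper; if they come from a different source, the References section should carry it. The TTP Description column has the same problem as in the APT-C-01 hunk: T1068 is "Exploitation for Privilege Escalation" in ATT&CK, while "Execution with Unnecessary Privileges" is the title of CWE-250.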
@ -86,33 +86,32 @@ ID | Type | Indicator | Confidence
|
|||
10 | File | `/modules/profile/index.php` | High
|
||||
11 | File | `/out.php` | Medium
|
||||
12 | File | `/public/plugins/` | High
|
||||
13 | File | `/SSOPOST/metaAlias/%realm%/idpv2` | High
|
||||
14 | File | `/system/proxy` | High
|
||||
15 | File | `/tmp/phpglibccheck` | High
|
||||
16 | File | `/uncpath/` | Medium
|
||||
17 | File | `adclick.php` | Medium
|
||||
18 | File | `add.php` | Low
|
||||
19 | File | `addentry.php` | Medium
|
||||
20 | File | `addressbookprovider.php` | High
|
||||
21 | File | `admin/htaccess/bpsunlock.php` | High
|
||||
22 | File | `ajax_udf.php` | Medium
|
||||
23 | File | `application.js.php` | High
|
||||
24 | File | `apply.cgi` | Medium
|
||||
25 | File | `arm/lithium-codegen-arm.cc` | High
|
||||
26 | File | `authenticate.c` | High
|
||||
27 | File | `Authenticate.class.php` | High
|
||||
28 | File | `base_maintenance.php` | High
|
||||
29 | File | `booking_details.php` | High
|
||||
30 | File | `browse.php` | Medium
|
||||
31 | File | `browser/thumbnails/render_widget_snapshot_taker.cc` | High
|
||||
32 | File | `bufferobject.c` | High
|
||||
33 | ... | ... | ...
|
||||
13 | File | `/secure/admin/ViewInstrumentation.jspa` | High
|
||||
14 | File | `/SSOPOST/metaAlias/%realm%/idpv2` | High
|
||||
15 | File | `/system/proxy` | High
|
||||
16 | File | `/tmp/phpglibccheck` | High
|
||||
17 | File | `/uncpath/` | Medium
|
||||
18 | File | `adclick.php` | Medium
|
||||
19 | File | `add.php` | Low
|
||||
20 | File | `addentry.php` | Medium
|
||||
21 | File | `addressbookprovider.php` | High
|
||||
22 | File | `admin/htaccess/bpsunlock.php` | High
|
||||
23 | File | `admin/pageUploadCSV.php` | High
|
||||
24 | File | `ajax_udf.php` | Medium
|
||||
25 | File | `application.js.php` | High
|
||||
26 | File | `apply.cgi` | Medium
|
||||
27 | File | `arm/lithium-codegen-arm.cc` | High
|
||||
28 | File | `authenticate.c` | High
|
||||
29 | File | `Authenticate.class.php` | High
|
||||
30 | File | `base_maintenance.php` | High
|
||||
31 | File | `booking_details.php` | High
|
||||
32 | ... | ... | ...
|
||||
|
||||
There are 280 more IOA items available. Please use our online service to access the data.
|
||||
There are 277 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://github.com/janhenrikdotcom/iocs/blob/master/APT10/Operation%20Cloud%20Hopper%20-%20Indicators%20of%20Compromise%20v3.csv
|
||||
* https://github.com/PwCUK-CTO/OperationCloudHopper/blob/master/cloud-hopper-indicators-of-compromise-v3.csv
|
||||
|
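Review bot: the IOA table silently changes its totals: before the change 32 visible rows plus "280 more" gives 312 indicators, after it 31 visible rows plus "277 more" gives 308, so four indicators were dropped while two new ones (`/secure/admin/ViewInstrumentation.jspa` at row 13, `admin/pageUploadCSV.php` at row 23) were inserted, and the three entries that fell below the cut-off (`browse.php`, `browser/thumbnails/render_widget_snapshot_taker.cc`, `bufferobject.c`) may or may not still be in the hidden part. Removals should be called out in the commit message, because consumers who ingested the earlier list cannot tell retired indicators from ones that merely moved out of the visible window. The renumbering also shows that row IDs are not stable across revisions (old row 13 `/SSOPOST/metaAlias/%realm%/idpv2` is now row 14), so the ID column must not be used as a key.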
@ -124,7 +123,7 @@ The following list contains external sources which discuss the actor and the ass
|
|||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
@ -1,18 +1,18 @@
|
|||
# APT12 - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT12](https://vuldb.com/?actor.apt12). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT12](https://vuldb.com/?actor.apt12). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt12](https://vuldb.com/?actor.apt12)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.apt12](https://vuldb.com/?actor.apt12)
|
||||
|
||||
## Campaigns
|
||||
|
||||
The following campaigns are known and can be associated with APT12:
|
||||
The following _campaigns_ are known and can be associated with APT12:
|
||||
|
||||
* Etumbot
|
||||
|
||||
## Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT12:
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT12:
|
||||
|
||||
* ES
|
||||
* AR
|
||||
|
@ -20,29 +20,29 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
|
|||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT12.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of APT12.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 32.114.251.129 | - | High
|
||||
2 | 59.0.249.11 | - | High
|
||||
3 | 92.54.232.142 | - | High
|
||||
4 | ... | ... | ...
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 32.114.251.129 | - | Etumbot | High
|
||||
2 | 59.0.249.11 | - | Etumbot | High
|
||||
3 | 92.54.232.142 | - | Etumbot | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 14 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by APT12. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by APT12. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1059.007 | Cross Site Scripting | High
|
||||
2 | T1499 | Resource Consumption | High
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
2 | T1499 | CWE-404 | Resource Consumption | High
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT12. This data is unique as it uses our predictive model for actor profiling.
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT12. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
|
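Review bot: the new Weakness column makes the Description column of the TTP table ambiguous (rows 1 and 2 of `ID | Technique | Weakness | Description | Confidence`): the values "Cross Site Scripting" and "Resource Consumption" sit beside the CWE IDs and read as weakness descriptions, not as names of the ATT&CK techniques in the Technique column, yet the intro line still says the table summarizes ATT&CK techniques. Consider heading that column "Weakness name" or adding a sentence that Description refers to the CWE entry, so readers do not take it for the technique name.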
@ -52,14 +52,14 @@ ID | Type | Indicator | Confidence
|
|||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html
|
||||
* https://www.threatminer.org/report.php?q=ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf&y=2014
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
@ -1,33 +1,33 @@
|
|||
# APT15 - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT15](https://vuldb.com/?actor.apt15). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT15](https://vuldb.com/?actor.apt15). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt15](https://vuldb.com/?actor.apt15)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.apt15](https://vuldb.com/?actor.apt15)
|
||||
|
||||
## Campaigns
|
||||
|
||||
The following campaigns are known and can be associated with APT15:
|
||||
The following _campaigns_ are known and can be associated with APT15:
|
||||
|
||||
* Ke3chang
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT15.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of APT15.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 61.128.110.38 | - | High
|
||||
2 | 180.149.252.181 | - | High
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [61.128.110.38](https://vuldb.com/?ip.61.128.110.38) | - | Ke3chang | High
|
||||
2 | [180.149.252.181](https://vuldb.com/?ip.180.149.252.181) | - | Ke3chang | High
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://www.threatminer.org/report.php?q=XSLCmd_OSX.pdf&y=2014
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
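Review bot: the IOC rows in this file wrap the IP address in a link to `https://vuldb.com/?ip.<address>` (rows 1 and 2), while the same commit leaves the IP cells in the other README files (APT12, APT16, APT17, APT27, APT28) as bare text. If the links are intended, the generator should apply them in every file; if not, this file should match the others, otherwise anyone parsing the IP column has to handle two formats.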
@ -1,36 +1,36 @@
|
|||
# APT16 - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT16](https://vuldb.com/?actor.apt16). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT16](https://vuldb.com/?actor.apt16). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt16](https://vuldb.com/?actor.apt16)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.apt16](https://vuldb.com/?actor.apt16)
|
||||
|
||||
## Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT16:
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT16:
|
||||
|
||||
* US
|
||||
* CN
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT16.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of APT16.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 121.127.249.74 | - | High
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 121.127.249.74 | - | - | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by APT16. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by APT16. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1059.007 | Cross Site Scripting | High
|
||||
2 | T1068 | Execution with Unnecessary Privileges | High
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT16. This data is unique as it uses our predictive model for actor profiling.
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT16. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
|
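Review bot: T1059.007 / Cross Site Scripting is mapped to CWE-80 in row 1 of this TTP table, but the same technique and description map to CWE-79 in the APT12 file and to "CWE-79, CWE-80" in the APT27 and APT28 files of this commit. If the mapping is derived per actor from the underlying vulnerability records, that should be stated in the TTP intro; if it is meant to be a fixed technique-to-CWE mapping, the files disagree and one of them is wrong.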
@ -39,17 +39,17 @@ ID | Type | Indicator | Confidence
|
|||
3 | File | `data/gbconfiguration.dat` | High
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 11 more IOA items available. Please use our online service to access the data.
|
||||
There are 11 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
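Review bot: the added parenthetical in "There are 11 more IOA items available (file, library, argument, input value, pattern, network port)" reads as if it enumerated the types of those 11 hidden items, but the same list appears verbatim in the APT17, APT27 and APT28 files with different counts, so it is evidently the fixed set of IOA types. Phrasing it as "IOA types: file, library, ..." or moving it into the IOA intro sentence would remove the ambiguity.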
@ -1,18 +1,18 @@
|
|||
# APT17 - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT17](https://vuldb.com/?actor.apt17). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT17](https://vuldb.com/?actor.apt17). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt17](https://vuldb.com/?actor.apt17)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.apt17](https://vuldb.com/?actor.apt17)
|
||||
|
||||
## Campaigns
|
||||
|
||||
The following campaigns are known and can be associated with APT17:
|
||||
The following _campaigns_ are known and can be associated with APT17:
|
||||
|
||||
* CCleaner
|
||||
|
||||
## Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT17:
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT17:
|
||||
|
||||
* DE
|
||||
* US
|
||||
|
@ -23,33 +23,33 @@ There are 2 more country items available. Please use our online service to acces
|
|||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT17.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of APT17.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 1.234.52.111 | - | High
|
||||
2 | 69.80.72.165 | - | High
|
||||
3 | 103.250.72.39 | sv01growth.bulks.jp | High
|
||||
4 | ... | ... | ...
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 1.234.52.111 | - | - | High
|
||||
2 | 69.80.72.165 | - | - | High
|
||||
3 | 103.250.72.39 | sv01growth.bulks.jp | - | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 9 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by APT17. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by APT17. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1059.007 | Cross Site Scripting | High
|
||||
2 | T1068 | Execution with Unnecessary Privileges | High
|
||||
3 | T1211 | 7PK Security Features | High
|
||||
4 | ... | ... | ...
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
|
||||
3 | T1211 | CWE-254 | 7PK Security Features | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 1 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT17. This data is unique as it uses our predictive model for actor profiling.
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT17. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
|
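Review bot: the context line "There are 1 more TTP items available" is ungrammatical and comes from the generator's truncation template; since this commit already reworks the neighbouring truncation sentence for IOA items, the template could emit "There is 1 more TTP item available" for a count of one. Not introduced by this change, but worth fixing in the same generator pass.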
@ -58,18 +58,18 @@ ID | Type | Indicator | Confidence
|
|||
3 | File | `data/gbconfiguration.dat` | High
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 10 more IOA items available. Please use our online service to access the data.
|
||||
There are 10 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://github.com/fireeye/iocs/blob/master/APT17/7b9e87c5-b619-4a13-b862-0145614d359a.ioc
|
||||
* https://www.threatminer.org/report.php?q=EvidenceAuroraOperationStillActive_SupplyChainAttackThroughCCleaner-Intezer.pdf&y=2017
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
@ -1,18 +1,18 @@
|
|||
# APT27 - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT27](https://vuldb.com/?actor.apt27). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT27](https://vuldb.com/?actor.apt27). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt27](https://vuldb.com/?actor.apt27)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.apt27](https://vuldb.com/?actor.apt27)
|
||||
|
||||
## Campaigns
|
||||
|
||||
The following campaigns are known and can be associated with APT27:
|
||||
The following _campaigns_ are known and can be associated with APT27:
|
||||
|
||||
* SysUpdate
|
||||
|
||||
## Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT27:
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT27:
|
||||
|
||||
* US
|
||||
* CN
|
||||
|
@ -23,33 +23,33 @@ There are 5 more country items available. Please use our online service to acces
|
|||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT27.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of APT27.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 34.90.207.23 | 23.207.90.34.bc.googleusercontent.com | Medium
|
||||
2 | 34.93.247.126 | 126.247.93.34.bc.googleusercontent.com | Medium
|
||||
3 | 35.187.148.253 | 253.148.187.35.bc.googleusercontent.com | Medium
|
||||
4 | ... | ... | ...
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 34.90.207.23 | 23.207.90.34.bc.googleusercontent.com | - | Medium
|
||||
2 | 34.93.247.126 | 126.247.93.34.bc.googleusercontent.com | SysUpdate | Medium
|
||||
3 | 35.187.148.253 | 253.148.187.35.bc.googleusercontent.com | SysUpdate | Medium
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 10 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by APT27. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by APT27. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1008 | Algorithm Downgrade | High
|
||||
2 | T1040 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1059.007 | Cross Site Scripting | High
|
||||
4 | ... | ... | ...
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1008 | CWE-757 | Algorithm Downgrade | High
|
||||
2 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 9 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT27. This data is unique as it uses our predictive model for actor profiling.
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT27. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
|
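Review bot: row 3 of the TTP table now carries two identifiers in one cell ("CWE-79, CWE-80"), so the Weakness column is multi-valued while the TTP intro and the column header give no hint of that. Consumers importing these tables into a SIEM or spreadsheet will split on the comma only if they know to; a short note in the TTP intro that a technique may map to several CWE entries would cover it.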
@ -76,11 +76,11 @@ ID | Type | Indicator | Confidence
|
|||
21 | File | `al_initialize.php` | High
|
||||
22 | ... | ... | ...
|
||||
|
||||
There are 179 more IOA items available. Please use our online service to access the data.
|
||||
There are 179 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/
|
||||
* https://vxug.fakedoma.in/archive/APTs/2021/2021.04.09/Iron%20Tiger.pdf
|
||||
|
@ -88,7 +88,7 @@ The following list contains external sources which discuss the actor and the ass
|
|||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
133
APT28/README.md
|
@ -1,12 +1,12 @@
|
|||
# APT28 - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT28](https://vuldb.com/?actor.apt28). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT28](https://vuldb.com/?actor.apt28). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt28](https://vuldb.com/?actor.apt28)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.apt28](https://vuldb.com/?actor.apt28)
|
||||
|
||||
## Campaigns
|
||||
|
||||
The following campaigns are known and can be associated with APT28:
|
||||
The following _campaigns_ are known and can be associated with APT28:
|
||||
|
||||
* Carberp
|
||||
* Fysbis
|
||||
|
@ -17,7 +17,7 @@ There are 3 more campaign items available. Please use our online service to acce
|
|||
|
||||
## Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT28:
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT28:
|
||||
|
||||
* NL
|
||||
* RO
|
||||
|
@ -28,76 +28,76 @@ There are 3 more country items available. Please use our online service to acces
|
|||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT28.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of APT28.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 5.63.153.177 | 5-63-153-177.ovz.vps.regruhosting.ru | High
|
||||
2 | 5.100.155.82 | 5.100.155-82.publicdomainregistry.com | High
|
||||
3 | 5.100.155.91 | 5.100.155-91.publicdomainregistry.com | High
|
||||
4 | 5.135.183.154 | ns3290077.ip-5-135-183.eu | High
|
||||
5 | 5.199.171.58 | - | High
|
||||
6 | 23.163.0.59 | - | High
|
||||
7 | 23.227.196.21 | 23-227-196-21.static.hvvc.us | High
|
||||
8 | 23.227.196.215 | 23-227-196-215.static.hvvc.us | High
|
||||
9 | 23.227.196.217 | 23-227-196-217.static.hvvc.us | High
|
||||
10 | 31.184.198.23 | - | High
|
||||
11 | 31.184.198.38 | - | High
|
||||
12 | 31.220.43.99 | - | High
|
||||
13 | 31.220.61.251 | - | High
|
||||
14 | 37.235.52.18 | 18.52.235.37.in-addr.arpa | High
|
||||
15 | 45.32.129.185 | 45.32.129.185.vultr.com | Medium
|
||||
16 | 45.32.227.21 | 45.32.227.21.mobiltel.mx | High
|
||||
17 | 45.64.105.23 | - | High
|
||||
18 | 45.124.132.127 | - | High
|
||||
19 | 46.19.138.66 | ab2.alchibasystems.in.net | High
|
||||
20 | 46.21.147.55 | 46-21-147-55.static.hvvc.us | High
|
||||
21 | 46.21.147.71 | 46-21-147-71.static.hvvc.us | High
|
||||
22 | 46.21.147.76 | 46-21-147-76.static.hvvc.us | High
|
||||
23 | 46.148.17.227 | - | High
|
||||
24 | 46.166.162.90 | - | High
|
||||
25 | 46.183.217.74 | ip-217-74.dataclub.info | High
|
||||
26 | 51.38.128.110 | vps-b7b05fc8.vps.ovh.net | High
|
||||
27 | 51.254.76.54 | - | High
|
||||
28 | 51.254.158.57 | - | High
|
||||
29 | 54.37.104.106 | piber.connectedlists.com | High
|
||||
30 | 58.49.58.58 | - | High
|
||||
31 | 62.113.232.197 | - | High
|
||||
32 | 66.172.11.207 | ip-66-172-11-207.chunkhost.com | High
|
||||
33 | 66.172.12.133 | ip-66-172-12-133.chunkhost.com | High
|
||||
34 | 69.12.73.174 | - | High
|
||||
35 | 70.85.221.10 | server002.nilsson-it.dk | High
|
||||
36 | 70.85.221.20 | 14.dd.5546.static.theplanet.com | High
|
||||
37 | 76.74.177.251 | ip-76-74-177-251.chunkhost.com | High
|
||||
38 | 77.81.98.122 | no-rdns.clues.ro | High
|
||||
39 | 77.83.247.81 | - | High
|
||||
40 | 78.153.151.222 | smtp33.pristavka-fr.ru | High
|
||||
41 | 80.83.115.187 | host3.smtpnoida.biz | High
|
||||
42 | 80.255.3.93 | - | High
|
||||
43 | 80.255.3.94 | set121.com | High
|
||||
44 | 80.255.6.15 | - | High
|
||||
45 | 80.255.10.236 | - | High
|
||||
46 | 81.17.30.29 | - | High
|
||||
47 | ... | ... | ...
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 5.63.153.177 | 5-63-153-177.ovz.vps.regruhosting.ru | - | High
|
||||
2 | 5.100.155.82 | 5.100.155-82.publicdomainregistry.com | - | High
|
||||
3 | 5.100.155.91 | 5.100.155-91.publicdomainregistry.com | - | High
|
||||
4 | 5.135.183.154 | ns3290077.ip-5-135-183.eu | Sednit | High
|
||||
5 | 5.199.171.58 | - | - | High
|
||||
6 | 23.163.0.59 | naomi.rem2d.com | - | High
|
||||
7 | 23.227.196.21 | 23-227-196-21.static.hvvc.us | - | High
|
||||
8 | 23.227.196.215 | 23-227-196-215.static.hvvc.us | - | High
|
||||
9 | 23.227.196.217 | 23-227-196-217.static.hvvc.us | - | High
|
||||
10 | 31.184.198.23 | - | - | High
|
||||
11 | 31.184.198.38 | - | - | High
|
||||
12 | 31.220.43.99 | - | Sednit | High
|
||||
13 | 31.220.61.251 | - | - | High
|
||||
14 | 37.235.52.18 | 18.52.235.37.in-addr.arpa | - | High
|
||||
15 | 45.32.129.185 | 45.32.129.185.vultr.com | - | Medium
|
||||
16 | 45.32.227.21 | 45.32.227.21.mobiltel.mx | - | High
|
||||
17 | 45.64.105.23 | - | - | High
|
||||
18 | 45.124.132.127 | - | - | High
|
||||
19 | 46.19.138.66 | ab2.alchibasystems.in.net | - | High
|
||||
20 | 46.21.147.55 | 46-21-147-55.static.hvvc.us | - | High
|
||||
21 | 46.21.147.71 | 46-21-147-71.static.hvvc.us | - | High
|
||||
22 | 46.21.147.76 | 46-21-147-76.static.hvvc.us | - | High
|
||||
23 | 46.148.17.227 | - | - | High
|
||||
24 | 46.166.162.90 | - | Pawn Storm | High
|
||||
25 | 46.183.217.74 | ip-217-74.dataclub.info | Pawn Storm | High
|
||||
26 | 51.38.128.110 | vps-0a3489af.vps.ovh.net | - | High
|
||||
27 | 51.254.76.54 | - | - | High
|
||||
28 | 51.254.158.57 | - | - | High
|
||||
29 | 54.37.104.106 | piber.connectedlists.com | - | High
|
||||
30 | 58.49.58.58 | - | - | High
|
||||
31 | 62.113.232.197 | - | - | High
|
||||
32 | 66.172.11.207 | ip-66-172-11-207.chunkhost.com | Carberp | High
|
||||
33 | 66.172.12.133 | - | - | High
|
||||
34 | 69.12.73.174 | 69.12.73.174.static.quadranet.com | Sednit | High
|
||||
35 | 70.85.221.10 | server002.nilsson-it.dk | - | High
|
||||
36 | 70.85.221.20 | 14.dd.5546.static.theplanet.com | Pawn Storm | High
|
||||
37 | 76.74.177.251 | ip-76-74-177-251.chunkhost.com | - | High
|
||||
38 | 77.81.98.122 | no-rdns.clues.ro | - | High
|
||||
39 | 77.83.247.81 | - | Global Brute Force | High
|
||||
40 | 78.153.151.222 | smtp33.pristavka-fr.ru | - | High
|
||||
41 | 80.83.115.187 | host3.smtpnoida.biz | - | High
|
||||
42 | 80.255.3.93 | - | - | High
|
||||
43 | 80.255.3.94 | set121.com | - | High
|
||||
44 | 80.255.6.15 | - | - | High
|
||||
45 | 80.255.10.236 | - | - | High
|
||||
46 | 81.17.30.29 | - | - | High
|
||||
47 | ... | ... | ... | ...
|
||||
|
||||
There are 184 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by APT28. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by APT28. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1059.007 | Cross Site Scripting | High
|
||||
2 | T1068 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ...
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 7 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT28. This data is unique as it uses our predictive model for actor profiling.
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT28. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
|
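Review bot: besides adding the Campaign column, this hunk silently changes IOC data: row 6 gains the hostname naomi.rem2d.com, row 26 changes from vps-b7b05fc8.vps.ovh.net to vps-0a3489af.vps.ovh.net, row 33 loses ip-66-172-12-133.chunkhost.com, and row 34 gains 69.12.73.174.static.quadranet.com. Reverse-DNS drift on shared hosting is expected, but a commit titled "Update" that mixes a schema change with data corrections is hard to audit for anyone consuming these indicators; separate the refresh from the column addition or list the changed rows in the commit message.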
@ -134,14 +134,13 @@ ID | Type | Indicator | Confidence
|
|||
31 | File | `api/v1/alarms` | High
|
||||
32 | File | `application/controller/InstallerController.php` | High
|
||||
33 | File | `arch/powerpc/kvm/book3s_rtas.c` | High
|
||||
34 | File | `arformcontroller.php` | High
|
||||
35 | ... | ... | ...
|
||||
34 | ... | ... | ...
|
||||
|
||||
There are 297 more IOA items available. Please use our online service to access the data.
|
||||
There are 291 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://documents.trendmicro.com/assets/wp/wp-two-years-of-pawn-storm.pdf
|
||||
* https://github.com/blackorbird/APT_REPORT/blob/master/APT28/IOC/2019-04-05-ioc-mark.txt
|
||||
|
@ -178,7 +177,7 @@ The following list contains external sources which discuss the actor and the ass
|
|||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
157
APT29/README.md
|
@ -1,123 +1,138 @@
|
|||
# APT29 - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT29](https://vuldb.com/?actor.apt29). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT29](https://vuldb.com/?actor.apt29). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt29](https://vuldb.com/?actor.apt29)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.apt29](https://vuldb.com/?actor.apt29)
|
||||
|
||||
## Campaigns
|
||||
|
||||
The following campaigns are known and can be associated with APT29:
|
||||
The following _campaigns_ are known and can be associated with APT29:
|
||||
|
||||
* COVID-19
|
||||
* PowerDuke
|
||||
* Wellmail
|
||||
* StellarParticle
|
||||
* ...
|
||||
|
||||
There are 1 more campaign items available. Please use our online service to access the data.
|
||||
|
||||
## Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT29:
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT29:
|
||||
|
||||
* US
|
||||
* CN
|
||||
* RU
|
||||
* ES
|
||||
* ...
|
||||
|
||||
There are 18 more country items available. Please use our online service to access the data.
|
||||
There are 26 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT29.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of APT29.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 5.45.66.134 | - | High
|
||||
2 | 5.199.174.164 | - | High
|
||||
3 | 27.102.130.115 | - | High
|
||||
4 | 31.7.63.141 | game.bignamegamereviewz.com | High
|
||||
5 | 31.170.107.186 | ohra.supplrald.com | High
|
||||
6 | 45.120.156.69 | - | High
|
||||
7 | 45.123.190.167 | - | High
|
||||
8 | 45.123.190.168 | - | High
|
||||
9 | 45.129.229.48 | - | High
|
||||
10 | 45.152.84.57 | - | High
|
||||
11 | 46.19.143.69 | - | High
|
||||
12 | 46.246.120.178 | - | High
|
||||
13 | 50.7.192.146 | - | High
|
||||
14 | 64.18.143.66 | - | High
|
||||
15 | 65.15.88.243 | adsl-065-015-088-243.sip.asm.bellsouth.net | High
|
||||
16 | 66.29.115.55 | 647807.ds.nac.net | High
|
||||
17 | 66.70.247.215 | ip215.ip-66-70-247.net | High
|
||||
18 | 69.59.28.57 | - | High
|
||||
19 | 79.141.168.109 | - | High
|
||||
20 | ... | ... | ...
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 5.45.66.134 | - | - | High
|
||||
2 | 5.199.174.164 | - | - | High
|
||||
3 | 23.29.115.180 | 23-29-115-180.static.hvvc.us | StellarParticle | High
|
||||
4 | 23.82.128.144 | - | StellarParticle | High
|
||||
5 | 27.102.130.115 | - | - | High
|
||||
6 | 31.7.63.141 | game.bignamegamereviewz.com | - | High
|
||||
7 | 31.170.107.186 | ohra.supplrald.com | - | High
|
||||
8 | 45.120.156.69 | - | - | High
|
||||
9 | 45.123.190.167 | - | COVID-19 | High
|
||||
10 | 45.123.190.168 | - | - | High
|
||||
11 | 45.129.229.48 | - | COVID-19 | High
|
||||
12 | 45.152.84.57 | - | - | High
|
||||
13 | 46.19.143.69 | - | - | High
|
||||
14 | 46.246.120.178 | - | - | High
|
||||
15 | 50.7.192.146 | - | - | High
|
||||
16 | 64.18.143.66 | - | - | High
|
||||
17 | 65.15.88.243 | adsl-065-015-088-243.sip.asm.bellsouth.net | PowerDuke | High
|
||||
18 | 66.29.115.55 | 647807.ds.nac.net | - | High
|
||||
19 | 66.70.247.215 | ip215.ip-66-70-247.net | - | High
|
||||
20 | 69.59.28.57 | - | - | High
|
||||
21 | 79.141.168.109 | - | - | High
|
||||
22 | ... | ... | ... | ...
|
||||
|
||||
There are 78 more IOC items available. Please use our online service to access the data.
|
||||
There are 83 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by APT29. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by APT29. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1059.007 | Cross Site Scripting | High
|
||||
2 | T1068 | Execution with Unnecessary Privileges | High
|
||||
3 | T1211 | 7PK Security Features | High
|
||||
4 | ... | ... | ...
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 7 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT29. This data is unique as it uses our predictive model for actor profiling.
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT29. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `.procmailrc` | Medium
|
||||
2 | File | `/+CSCOE+/logon.html` | High
|
||||
3 | File | `/../../conf/template/uhttpd.json` | High
|
||||
4 | File | `/cgi-bin/portal` | High
|
||||
5 | File | `/CMD_ACCOUNT_ADMIN` | High
|
||||
6 | File | `/etc/shadow` | Medium
|
||||
7 | File | `/etc/sudoers` | Medium
|
||||
8 | File | `/firewall/policy/` | High
|
||||
9 | File | `/icingaweb2/navigation/add` | High
|
||||
10 | File | `/includes/plugins/mobile/scripts/login.php` | High
|
||||
11 | File | `/notice-edit.php` | High
|
||||
12 | File | `/pages/systemcall.php?command={COMMAND}` | High
|
||||
13 | File | `/phppath/php` | Medium
|
||||
14 | File | `/plain` | Low
|
||||
15 | File | `/rest/project-templates/1.0/createshared` | High
|
||||
16 | File | `/rpc/setvmdrive.asp` | High
|
||||
17 | File | `/s/` | Low
|
||||
18 | File | `/secure/admin/ConfigureBatching!default.jspa` | High
|
||||
19 | File | `/server-status` | High
|
||||
20 | File | `/setSystemAdmin` | High
|
||||
21 | File | `/setup.cgi` | Medium
|
||||
22 | File | `/tmp/csman/0` | Medium
|
||||
23 | File | `/uncpath/` | Medium
|
||||
24 | File | `/usr/bin/pkexec` | High
|
||||
25 | File | `/usr/local/psa/admin/sbin/wrapper` | High
|
||||
26 | File | `/usr/local/WowzaStreamingEngine/bin/` | High
|
||||
27 | File | `/var/log/monkeyd/master.log` | High
|
||||
28 | File | `/var/log/salt/minion` | High
|
||||
29 | ... | ... | ...
|
||||
1 | File | `/?module=users§ion=cpanel&page=list` | High
|
||||
2 | File | `/admin/powerline` | High
|
||||
3 | File | `/admin/produts/controller.php` | High
|
||||
4 | File | `/admin/syslog` | High
|
||||
5 | File | `/admin/user/team` | High
|
||||
6 | File | `/api/upload` | Medium
|
||||
7 | File | `/cgi-bin` | Medium
|
||||
8 | File | `/cgi-bin/kerbynet` | High
|
||||
9 | File | `/cgi-bin/system_mgr.cgi` | High
|
||||
10 | File | `/common/logViewer/logViewer.jsf` | High
|
||||
11 | File | `/context/%2e/WEB-INF/web.xml` | High
|
||||
12 | File | `/crmeb/app/admin/controller/store/CopyTaobao.php` | High
|
||||
13 | File | `/dcim/sites/add/` | High
|
||||
14 | File | `/EXCU_SHELL` | Medium
|
||||
15 | File | `/forum/away.php` | High
|
||||
16 | File | `/fudforum/adm/hlplist.php` | High
|
||||
17 | File | `/login` | Low
|
||||
18 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
|
||||
19 | File | `/monitoring` | Medium
|
||||
20 | File | `/ms/cms/content/list.do` | High
|
||||
21 | File | `/new` | Low
|
||||
22 | File | `/orms/` | Low
|
||||
23 | File | `/proc/<pid>/status` | High
|
||||
24 | File | `/public/plugins/` | High
|
||||
25 | File | `/rom` | Low
|
||||
26 | File | `/scripts/killpvhost` | High
|
||||
27 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
28 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
|
||||
29 | File | `/tmp` | Low
|
||||
30 | File | `/tmp/redis.ds` | High
|
||||
31 | File | `/uncpath/` | Medium
|
||||
32 | File | `/ViewUserHover.jspa` | High
|
||||
33 | File | `/wp-admin` | Medium
|
||||
34 | File | `/wp-json/wc/v3/webhooks` | High
|
||||
35 | File | `ABuffer.cpp` | Medium
|
||||
36 | File | `AccountManagerService.java` | High
|
||||
37 | File | `actions/CompanyDetailsSave.php` | High
|
||||
38 | ... | ... | ...
|
||||
|
||||
There are 249 more IOA items available. Please use our online service to access the data.
|
||||
There are 329 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf
|
||||
* https://github.com/blackorbird/APT_REPORT/blob/master/International%20Strategic/Russia/Advisory-APT29-targets-COVID-19-vaccine-development.pdf
|
||||
* https://us-cert.cisa.gov/ncas/alerts/aa21-148a
|
||||
* https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c
|
||||
* https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/
|
||||
* https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
|
||||
* https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf
|
||||
* https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
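Review bot: new IOA row 1 contains an HTML-entity decoding artefact: `/?module=users§ion=cpanel&page=list` has `&sect` collapsed into `§`, so the indicator should read `/?module=users&section=cpanel&page=list`; as stored it will never match the real request path. Two smaller points in the same hunk: "There are 1 more campaign items available" should be "There is 1 more campaign item available" (the generator needs a singular form), and the country count jumps from 18 to 26 while the IOC count moves from 78 to 83 with only two StellarParticle and one PowerDuke address visibly attributed, so a short note in the commit message on where the new attributions come from would help reviewers.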
@ -1,12 +1,12 @@
|
|||
# APT3 - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT3](https://vuldb.com/?actor.apt3). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT3](https://vuldb.com/?actor.apt3). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt3](https://vuldb.com/?actor.apt3)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.apt3](https://vuldb.com/?actor.apt3)
|
||||
|
||||
## Campaigns
|
||||
|
||||
The following campaigns are known and can be associated with APT3:
|
||||
The following _campaigns_ are known and can be associated with APT3:
|
||||
|
||||
* CVE-2015-5119
|
||||
* Doubletap
|
||||
|
@ -14,34 +14,100 @@ The following campaigns are known and can be associated with APT3:
|
|||
|
||||
## Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT3:
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT3:
|
||||
|
||||
* US
|
||||
* CN
|
||||
* RU
|
||||
* ...
|
||||
|
||||
There are 24 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT3.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of APT3.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 23.99.20.198 | - | High
|
||||
2 | 54.169.89.240 | ec2-54-169-89-240.ap-southeast-1.compute.amazonaws.com | Medium
|
||||
3 | 104.151.248.173 | 173.248-151-104.rdns.scalabledns.com | High
|
||||
4 | ... | ... | ...
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 23.99.20.198 | - | - | High
|
||||
2 | 54.169.89.240 | ec2-54-169-89-240.ap-southeast-1.compute.amazonaws.com | - | Medium
|
||||
3 | 104.151.248.173 | 173.248-151-104.rdns.scalabledns.com | Doubletap | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 8 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by APT3. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-250, CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 8 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT3. This data is unique as it uses our predictive model for actor profiling.
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT3. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/forum/away.php` | High
|
||||
1 | File | `/+CSCOE+/logon.html` | High
|
||||
2 | File | `/.env` | Low
|
||||
3 | File | `/.ssh/authorized_keys` | High
|
||||
4 | File | `/admin/default.asp` | High
|
||||
5 | File | `/ajax/networking/get_netcfg.php` | High
|
||||
6 | File | `/assets/ctx` | Medium
|
||||
7 | File | `/cgi-bin/login_action.cgi` | High
|
||||
8 | File | `/cgi-bin/supervisor/PwdGrp.cgi` | High
|
||||
9 | File | `/checkLogin.cgi` | High
|
||||
10 | File | `/cms/print.php` | High
|
||||
11 | File | `/concat?/%2557EB-INF/web.xml` | High
|
||||
12 | File | `/data/remove` | Medium
|
||||
13 | File | `/etc/passwd` | Medium
|
||||
14 | File | `/forum/away.php` | High
|
||||
15 | File | `/login` | Low
|
||||
16 | File | `/navigate/navigate_download.php` | High
|
||||
17 | File | `/out.php` | Medium
|
||||
18 | File | `/owa/auth/logon.aspx` | High
|
||||
19 | File | `/p` | Low
|
||||
20 | File | `/password.html` | High
|
||||
21 | File | `/proc/ioports` | High
|
||||
22 | File | `/property-list/property_view.php` | High
|
||||
23 | File | `/rest` | Low
|
||||
24 | File | `/rest/api/2/search` | High
|
||||
25 | File | `/s/` | Low
|
||||
26 | File | `/scripts/cpan_config` | High
|
||||
27 | File | `/services/system/setup.json` | High
|
||||
28 | File | `/uncpath/` | Medium
|
||||
29 | File | `/webconsole/APIController` | High
|
||||
30 | File | `/websocket/exec` | High
|
||||
31 | File | `/wp-admin/admin-ajax.php` | High
|
||||
32 | File | `/wp-json/oembed/1.0/embed?url` | High
|
||||
33 | File | `/_next` | Low
|
||||
34 | File | `4.edu.php\conn\function.php` | High
|
||||
35 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
36 | File | `adclick.php` | Medium
|
||||
37 | File | `addentry.php` | Medium
|
||||
38 | File | `addressbook.php` | High
|
||||
39 | File | `add_comment.php` | High
|
||||
40 | File | `admin/category.inc.php` | High
|
||||
41 | File | `admin/conf_users_edit.php` | High
|
||||
42 | File | `admin/dl_sendmail.php` | High
|
||||
43 | File | `admin/index.php` | High
|
||||
44 | File | `admin/languages.php` | High
|
||||
45 | File | `admin/password_forgotten.php` | High
|
||||
46 | File | `admin/versions.html` | High
|
||||
47 | ... | ... | ...
|
||||
|
||||
There are 410 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://github.com/fireeye/iocs/blob/master/APT3/62f65dae-9475-44b0-a9eb-c1baebbd9885.ioc
|
||||
* https://github.com/fireeye/iocs/blob/master/APT3/db0b6ac6-874a-498e-892b-ac7c2020e061.ioc
|
||||
|
@ -54,7 +120,7 @@ The following list contains external sources which discuss the actor and the ass
|
|||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
@ -1,40 +1,40 @@
|
|||
# APT31 - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT31](https://vuldb.com/?actor.apt31). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT31](https://vuldb.com/?actor.apt31). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt31](https://vuldb.com/?actor.apt31)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.apt31](https://vuldb.com/?actor.apt31)
|
||||
|
||||
## Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT31:
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT31:
|
||||
|
||||
* FR
|
||||
* US
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT31.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of APT31.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 105.154.12.165 | - | High
|
||||
2 | 105.157.234.0 | - | High
|
||||
3 | 105.159.122.85 | - | High
|
||||
4 | ... | ... | ...
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 105.154.12.165 | - | - | High
|
||||
2 | 105.157.234.0 | - | - | High
|
||||
3 | 105.159.122.85 | - | - | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 13 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by APT31. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by APT31. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1222 | Permission Issues | High
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1222 | CWE-275 | Permission Issues | High
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT31. This data is unique as it uses our predictive model for actor profiling.
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT31. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
|
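Review bot: row 2 of the rewritten IOC table keeps `105.157.234.0` at High confidence; a last octet of .0 is frequently a network address rather than a host, so please confirm against the source (the Infoblox advisory in the References section) that this is an individual address and not a truncated /24 before it ships with the new Campaign column.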
@ -43,17 +43,17 @@ ID | Type | Indicator | Confidence
|
|||
3 | File | `administrator/components/com_media/helpers/media.php` | High
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 19 more IOA items available. Please use our online service to access the data.
|
||||
There are 19 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://blogs.infoblox.com/cyber-threat-intelligence/cyber-threat-advisory-apt31-targeting-france/
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
@ -1,19 +1,19 @@
|
|||
# APT32 - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT32](https://vuldb.com/?actor.apt32). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT32](https://vuldb.com/?actor.apt32). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt32](https://vuldb.com/?actor.apt32)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.apt32](https://vuldb.com/?actor.apt32)
|
||||
|
||||
## Campaigns
|
||||
|
||||
The following campaigns are known and can be associated with APT32:
|
||||
The following _campaigns_ are known and can be associated with APT32:
|
||||
|
||||
* Cobalt Kitty
|
||||
* OceanLotus
|
||||
|
||||
## Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT32:
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT32:
|
||||
|
||||
* US
|
||||
* CN
|
||||
|
@ -24,42 +24,42 @@ There are 11 more country items available. Please use our online service to acce
|
|||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT32.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of APT32.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 23.227.196.126 | 23-227-196-126.static.hvvc.us | High
|
||||
2 | 23.227.196.210 | 23-227-196-210.static.hvvc.us | High
|
||||
3 | 23.227.199.121 | 23-227-199-121.static.hvvc.us | High
|
||||
4 | 27.102.70.211 | - | High
|
||||
5 | 37.59.198.130 | - | High
|
||||
6 | 37.59.198.131 | - | High
|
||||
7 | 45.32.100.179 | 45.32.100.179.vultr.com | Medium
|
||||
8 | 45.32.105.45 | - | High
|
||||
9 | 45.32.114.49 | 45.32.114.49.vultr.com | Medium
|
||||
10 | 45.76.147.201 | 45.76.147.201.vultr.com | Medium
|
||||
11 | 45.76.179.28 | 45.76.179.28.vultr.com | Medium
|
||||
12 | 45.76.179.151 | 45.76.179.151.vultr.com | Medium
|
||||
13 | ... | ... | ...
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 23.227.196.126 | 23-227-196-126.static.hvvc.us | Cobalt Kitty | High
|
||||
2 | 23.227.196.210 | 23-227-196-210.static.hvvc.us | - | High
|
||||
3 | 23.227.199.121 | 23-227-199-121.static.hvvc.us | Cobalt Kitty | High
|
||||
4 | 27.102.70.211 | - | Cobalt Kitty | High
|
||||
5 | 37.59.198.130 | - | OceanLotus | High
|
||||
6 | 37.59.198.131 | - | OceanLotus | High
|
||||
7 | 45.32.100.179 | 45.32.100.179.vultr.com | OceanLotus | Medium
|
||||
8 | 45.32.105.45 | - | OceanLotus | High
|
||||
9 | 45.32.114.49 | 45.32.114.49.vultr.com | OceanLotus | Medium
|
||||
10 | 45.76.147.201 | 45.76.147.201.vultr.com | OceanLotus | Medium
|
||||
11 | 45.76.179.28 | 45.76.179.28.vultr.com | OceanLotus | Medium
|
||||
12 | 45.76.179.151 | 45.76.179.151.vultr.com | OceanLotus | Medium
|
||||
13 | ... | ... | ... | ...
|
||||
|
||||
There are 48 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by APT32. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by APT32. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1059.007 | Cross Site Scripting | High
|
||||
2 | T1068 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ...
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 7 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT32. This data is unique as it uses our predictive model for actor profiling.
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT32. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
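Review bot: the T1110.001 row pairs the description "Improper Restriction of Excessive Authentication Attempts" with CWE-798 only; that description is the title of CWE-307, while CWE-798 is "Use of Hard-coded Credentials", so either add CWE-307 to the Weakness cell (as the APT34 table in this same commit does) or change the description to match the listed weakness. More generally the Description column carries CWE titles ("Cross Site Scripting", "Execution with Unnecessary Privileges") rather than ATT&CK technique names, so a reader cannot tell the technique from its weakness mapping; one column per vocabulary would fix that. The TTP and IOA paragraphs in this hunk name APT32 as the actor; confirm that is the actor this README describes, since the other READMEs in the commit name their own actor in those sentences.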
@ -83,13 +83,14 @@ ID | Type | Indicator | Confidence
18 | File | `arch/x86/include/asm/fpu/internal.h` | High
19 | File | `asm/float.c` | Medium
20 | File | `asm/nasm.c` | Medium
21 | ... | ... | ...
21 | File | `auth.php` | Medium
22 | ... | ... | ...
There are 178 more IOA items available. Please use our online service to access the data.
There are 180 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf
* https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
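Review bot: the File rows in this hunk are source-tree paths (`arch/x86/include/asm/fpu/internal.h`, `asm/float.c`, `asm/nasm.c`) rather than artifacts a defender would expect to find on a compromised host, so the README should say what a "File" IOA is and how it is meant to be consumed. The new count sentence at least names the IOA types (file, library, argument, input value, pattern, network port), but the table itself gives no hint that these entries are not meant for file-presence matching, and a consumer who loads them into an EDR or file-integrity match list would get only false positives.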
@ -97,7 +98,7 @@ The following list contains external sources which discuss the actor and the ass
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
127
APT33/README.md
@ -1,12 +1,12 @@
# APT33 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT33](https://vuldb.com/?actor.apt33). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT33](https://vuldb.com/?actor.apt33). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt33](https://vuldb.com/?actor.apt33)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.apt33](https://vuldb.com/?actor.apt33)
## Campaigns
The following campaigns are known and can be associated with APT33:
The following _campaigns_ are known and can be associated with APT33:
* Elfin
* PoshC2
@ -14,90 +14,91 @@ The following campaigns are known and can be associated with APT33:
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT33:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT33:
* FR
* SV
* PL
* DE
* FR
* ...
There are 4 more country items available. Please use our online service to access the data.
There are 5 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT33.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of APT33.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 5.79.66.241 | - | High
2 | 5.79.127.177 | - | High
3 | 5.135.120.57 | - | High
4 | 5.135.199.25 | - | High
5 | 5.187.21.70 | - | High
6 | 5.187.21.71 | - | High
7 | 8.26.21.117 | 117.21.26.8.serverpronto.com | High
8 | 8.26.21.119 | ns1.glasscitysoftware.net | High
9 | 8.26.21.120 | ns2.glasscitysoftware.net | High
10 | 8.26.21.220 | mail2.boldinbox.com | High
11 | 8.26.21.221 | mail3.boldinbox.com | High
12 | 8.26.21.222 | mail9.servidorz.com | High
13 | 8.26.21.223 | mail5.boldinbox.com | High
14 | 31.7.62.48 | - | High
15 | 37.48.105.178 | - | High
16 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 5.79.66.241 | - | Powerton | High
2 | 5.79.127.177 | - | Elfin | High
3 | 5.135.120.57 | - | - | High
4 | 5.135.199.25 | - | - | High
5 | 5.187.21.70 | - | Elfin | High
6 | 5.187.21.71 | - | Elfin | High
7 | 8.26.21.117 | 117.21.26.8.serverpronto.com | Elfin | High
8 | 8.26.21.119 | ns1.glasscitysoftware.net | Elfin | High
9 | 8.26.21.120 | ns2.glasscitysoftware.net | Elfin | High
10 | 8.26.21.220 | mail2.boldinbox.com | Elfin | High
11 | 8.26.21.221 | mail3.boldinbox.com | Elfin | High
12 | 8.26.21.222 | mail9.servidorz.com | Elfin | High
13 | 8.26.21.223 | mail5.boldinbox.com | Elfin | High
14 | 31.7.62.48 | - | - | High
15 | 37.48.105.178 | - | Elfin | High
16 | ... | ... | ... | ...
There are 60 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by APT33. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by APT33. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
There are 8 more TTP items available. Please use our online service to access the data.
There are 9 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT33. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT33. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/admin/admin.php?module=admin_access_group_edit&aagID` | High
2 | File | `/admin/customers.php?page=1&cID` | High
3 | File | `/administrator/components/menu/` | High
4 | File | `/administrator/components/table_manager/` | High
5 | File | `/api/ZRMesh/set_ZRMesh` | High
6 | File | `/damicms-master/admin.php?s=/Article/doedit` | High
7 | File | `/etc/quagga` | Medium
8 | File | `/fw/index2.do` | High
9 | File | `/Hospital-Management-System-master/func.php` | High
10 | File | `/jerry-core/ecma/base/ecma-lcache.c` | High
11 | File | `/jerry-core/ecma/base/ecma-literal-storage.c` | High
12 | File | `/jerry-core/jmem/jmem-heap.c` | High
13 | File | `/moddable/xs/sources/xsScript.c` | High
14 | File | `/parser/js/js-parser-expr.c` | High
15 | File | `/preferences/tags` | High
16 | File | `/thruk/#cgi-bin/extinfo.cgi?type=2` | High
17 | File | `/transmission/web/` | High
18 | File | `/uploads/exam_question/` | High
19 | File | `/usr/bin/pkexec` | High
20 | File | `/usr/local/bin/mjs` | High
21 | File | `1.2.2.pl4` | Medium
22 | File | `AccessPoint.java` | High
23 | File | `account_sponsor_page.php` | High
24 | File | `acknow.php` | Medium
25 | ... | ... | ...
1 | File | `/admin.add` | Medium
2 | File | `/admin/admin.php?module=admin_access_group_edit&aagID` | High
3 | File | `/admin/customers.php?page=1&cID` | High
4 | File | `/admin/edit_user.php` | High
5 | File | `/administrator/components/menu/` | High
6 | File | `/administrator/components/table_manager/` | High
7 | File | `/api/ZRMesh/set_ZRMesh` | High
8 | File | `/damicms-master/admin.php?s=/Article/doedit` | High
9 | File | `/fw/index2.do` | High
10 | File | `/Hospital-Management-System-master/contact.php` | High
11 | File | `/Hospital-Management-System-master/func.php` | High
12 | File | `/jerry-core/ecma/base/ecma-lcache.c` | High
13 | File | `/jerry-core/ecma/base/ecma-literal-storage.c` | High
14 | File | `/jerry-core/jmem/jmem-heap.c` | High
15 | File | `/ms/cms/content/list.do` | High
16 | File | `/orms/` | Low
17 | File | `/parser/js/js-parser-expr.c` | High
18 | File | `/thruk/#cgi-bin/extinfo.cgi?type=2` | High
19 | File | `/transmission/web/` | High
20 | File | `/uploads/exam_question/` | High
21 | File | `/usr/bin/pkexec` | High
22 | File | `/usr/local/bin/mjs` | High
23 | File | `1.2.2.pl4` | Medium
24 | File | `AccessPoint.java` | High
25 | File | `account_sponsor_page.php` | High
26 | ... | ... | ...
There are 214 more IOA items available. Please use our online service to access the data.
There are 214 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/poshc2_apt_33.md
* https://securelist.com/twas-the-night-before/91599/
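Review bot: the new Campaign column attributes row 1 (5.79.66.241) to "Powerton", but the Campaigns section of this README lists only Elfin and PoshC2, so either add Powerton to that list or explain why it is not a campaign in the sense that section uses. The country list is also reshuffled in the same hunk (FR, SV, PL become DE, FR while the remainder count goes from 4 to 5), which a reader of the rendered README cannot see; a snapshot date on the data, or a one-line changelog, would make such silent reorderings reviewable.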
@ -108,7 +109,7 @@ The following list contains external sources which discuss the actor and the ass
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
142
APT34/README.md
@ -1,104 +1,102 @@
# APT34 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT34](https://vuldb.com/?actor.apt34). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT34](https://vuldb.com/?actor.apt34). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt34](https://vuldb.com/?actor.apt34)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.apt34](https://vuldb.com/?actor.apt34)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT34:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT34:
* US
* IR
* CN
* [NL](https://vuldb.com/?country.nl)
* [US](https://vuldb.com/?country.us)
* [IR](https://vuldb.com/?country.ir)
* ...
There are 17 more country items available. Please use our online service to access the data.
There are 11 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT34.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of APT34.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 23.19.226.69 | - | High
2 | 23.106.215.76 | - | High
3 | 23.227.201.6 | 23-227-201-6.static.hvvc.us | High
4 | 38.132.124.153 | - | High
5 | 46.4.69.52 | static.52.69.4.46.clients.your-server.de | High
6 | 46.105.221.247 | - | High
7 | 46.105.251.42 | ip42.ip-46-105-251.eu | High
8 | 46.165.246.196 | - | High
9 | 70.36.107.34 | - | High
10 | 74.91.19.108 | - | High
11 | 74.91.19.122 | - | High
12 | 80.82.79.221 | - | High
13 | 80.82.79.240 | - | High
14 | 81.17.56.249 | - | High
15 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [23.19.226.69](https://vuldb.com/?ip.23.19.226.69) | - | - | High
2 | [23.106.215.76](https://vuldb.com/?ip.23.106.215.76) | - | - | High
3 | [23.227.201.6](https://vuldb.com/?ip.23.227.201.6) | 23-227-201-6.static.hvvc.us | - | High
4 | [38.132.124.153](https://vuldb.com/?ip.38.132.124.153) | - | - | High
5 | [46.4.69.52](https://vuldb.com/?ip.46.4.69.52) | static.52.69.4.46.clients.your-server.de | - | High
6 | [46.105.221.247](https://vuldb.com/?ip.46.105.221.247) | - | - | High
7 | [46.105.251.42](https://vuldb.com/?ip.46.105.251.42) | ip42.ip-46-105-251.eu | - | High
8 | [46.165.246.196](https://vuldb.com/?ip.46.165.246.196) | - | - | High
9 | [70.36.107.34](https://vuldb.com/?ip.70.36.107.34) | - | - | High
10 | [74.91.19.108](https://vuldb.com/?ip.74.91.19.108) | - | - | High
11 | [74.91.19.122](https://vuldb.com/?ip.74.91.19.122) | - | - | High
12 | [80.82.79.221](https://vuldb.com/?ip.80.82.79.221) | - | - | High
13 | [80.82.79.240](https://vuldb.com/?ip.80.82.79.240) | - | - | High
14 | [81.17.56.249](https://vuldb.com/?ip.81.17.56.249) | - | - | High
15 | ... | ... | ... | ...
There are 58 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by APT34. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by APT34. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
There are 7 more TTP items available. Please use our online service to access the data.
There are 8 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT34. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT34. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/admin/index.php` | High
2 | File | `/bdswebui/assignusers/` | High
3 | File | `/bin/goahead` | Medium
4 | File | `/cgi-bin/luci` | High
5 | File | `/cgi-bin/supervisor/PwdGrp.cgi` | High
6 | File | `/dev/dri/card1` | High
7 | File | `/etc/fstab` | Medium
8 | File | `/forum/away.php` | High
9 | File | `/getcfg.php` | Medium
10 | File | `/GetCSSashx/?CP=%2fwebconfig` | High
11 | File | `/HNAP1` | Low
12 | File | `/horde/util/go.php` | High
13 | File | `/includes/rrdtool.inc.php` | High
14 | File | `/irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.UserMapping` | High
15 | File | `/login` | Low
16 | File | `/monitoring` | Medium
17 | File | `/opt/vyatta/share/vyatta-cfg/templates/system/static-host-mapping/host-name/node.def` | High
18 | File | `/proc/#####/fd/3` | High
19 | File | `/proc/ioports` | High
20 | File | `/rom-0` | Low
21 | File | `/squashfs-root/www/HNAP1/control/SetWizardConfig.php` | High
22 | File | `/uncpath/` | Medium
23 | File | `/wp-content/plugins/updraftplus/admin.php` | High
24 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
25 | File | `adclick.php` | Medium
26 | File | `addentry.php` | Medium
27 | File | `add_edit_user.asp` | High
28 | File | `add_to_cart.php` | High
29 | File | `admin.php` | Medium
30 | File | `admin/class-bulk-editor-list-table.php` | High
31 | File | `admin/dl_data.php` | High
32 | File | `admin/index.php` | High
33 | File | `admin/index.php?n=ui_set&m=admin&c=index&a=doget_text_content&table=lang&field=1` | High
34 | File | `admin/system_manage/save.html` | High
35 | ... | ... | ...
1 | File | `.travis.yml` | Medium
2 | File | `/.env` | Low
3 | File | `/admin.php` | Medium
4 | File | `/bdswebui/assignusers/` | High
5 | File | `/etc/fstab` | Medium
6 | File | `/includes/rrdtool.inc.php` | High
7 | File | `/irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.UserMapping` | High
8 | File | `/medical/inventories.php` | High
9 | File | `/monitoring` | Medium
10 | File | `/NAGErrors` | Medium
11 | File | `/plugins/servlet/audit/resource` | High
12 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
13 | File | `/replication` | Medium
14 | File | `/RestAPI` | Medium
15 | File | `/SASWebReportStudio/logonAndRender.do` | High
16 | File | `/tmp` | Low
17 | File | `/tmp/speedtest_urls.xml` | High
18 | File | `/uncpath/` | Medium
19 | File | `/var/log/nginx` | High
20 | File | `/wp-content/plugins/updraftplus/admin.php` | High
21 | File | `actions.hsp` | Medium
22 | File | `addentry.php` | Medium
23 | File | `add_edit_user.asp` | High
24 | File | `add_to_cart.php` | High
25 | File | `admin-ajax.php?action=get_wdtable order[0][dir]` | High
26 | File | `admin/config/confmgr.php` | High
27 | File | `admin/system_manage/save.html` | High
28 | File | `admin\model\catalog\download.php` | High
29 | File | `ajax.php` | Medium
30 | File | `apcupsd.pid` | Medium
31 | File | `api/sms/send-sms` | High
32 | File | `api/v1/alarms` | High
33 | ... | ... | ...
There are 303 more IOA items available. Please use our online service to access the data.
There are 279 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://github.com/blackorbird/APT_REPORT/tree/master/APT34
* https://unit42.paloaltonetworks.com/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/
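Review bot: the Campaign column added to the IOC table is "-" in every visible row and this README has no Campaigns section, so the column carries no information here; either leave it out until a campaign is attributed or document that "-" means "no campaign attributed" rather than "unknown". This is also the only file in the commit whose IP cells are wrapped in links to vuldb.com/?ip.…; the APT33, APT41 and Abcbot tables keep plain addresses, so the format should be made consistent across the actor READMEs (the linked form is the more useful one, since a reader can pivot from an address to its record).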
@ -111,7 +109,7 @@ The following list contains external sources which discuss the actor and the ass
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
@ -1,19 +1,19 @@
# APT41 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT41](https://vuldb.com/?actor.apt41). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT41](https://vuldb.com/?actor.apt41). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt41](https://vuldb.com/?actor.apt41)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.apt41](https://vuldb.com/?actor.apt41)
## Campaigns
The following campaigns are known and can be associated with APT41:
The following _campaigns_ are known and can be associated with APT41:
* CVE-2019-19781
* MoonBounce
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT41:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT41:
* US
* CN
@ -24,45 +24,45 @@ There are 13 more country items available. Please use our online service to acce
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT41.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of APT41.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 5.183.101.21 | bestofgy.co.uk | High
2 | 5.183.101.114 | - | High
3 | 5.183.103.122 | - | High
4 | 5.188.93.132 | gcorelabs.paris.vpn015 | High
5 | 5.188.108.22 | pol1.htjsq.com | High
6 | 5.188.108.228 | keyvpn.warsawa | High
7 | 5.189.222.33 | spain466.es | High
8 | 23.67.95.153 | a23-67-95-153.deploy.static.akamaitechnologies.com | High
9 | 43.255.191.255 | - | High
10 | 45.76.6.149 | 45.76.6.149.vultr.com | Medium
11 | 45.76.75.219 | 45.76.75.219.vultr.com | Medium
12 | 45.128.132.6 | - | High
13 | 45.128.135.15 | - | High
14 | 45.138.157.78 | srv1.fincantleri.co | High
15 | 61.78.62.21 | - | High
16 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 5.183.101.21 | bestofgy.co.uk | MoonBounce | High
2 | 5.183.101.114 | - | MoonBounce | High
3 | 5.183.103.122 | - | MoonBounce | High
4 | 5.188.93.132 | gcorelabs.paris.vpn015 | MoonBounce | High
5 | 5.188.108.22 | pol1.htjsq.com | MoonBounce | High
6 | 5.188.108.228 | xc5.exclusivacondominios.com | MoonBounce | High
7 | 5.189.222.33 | spain466.es | MoonBounce | High
8 | 23.67.95.153 | a23-67-95-153.deploy.static.akamaitechnologies.com | - | High
9 | 43.255.191.255 | - | - | High
10 | 45.76.6.149 | 45.76.6.149.vultr.com | - | Medium
11 | 45.76.75.219 | 45.76.75.219.vultr.com | - | Medium
12 | 45.128.132.6 | - | MoonBounce | High
13 | 45.128.135.15 | - | MoonBounce | High
14 | 45.138.157.78 | srv1.fincantleri.co | - | High
15 | 61.78.62.21 | - | - | High
16 | ... | ... | ... | ...
There are 60 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by APT41. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by APT41. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
There are 7 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT41. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT41. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
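Review bot: row 6 keeps the address 5.188.108.228 but replaces its hostname `keyvpn.warsawa` with `xc5.exclusivacondominios.com`, and neither the table nor the README says when either resolution was observed; on shared or rotating hosting a hostname attached to an IP is only meaningful together with a date, so a first-seen/last-seen or resolution-date column (or at least a data snapshot date at the top of the README) should accompany the Hostname column. The same applies to the vultr.com rows 10 and 11 that sit at Medium confidence: a reader cannot tell whether the lower confidence reflects the cloud-provider origin or the age of the resolution.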
@ -79,24 +79,24 @@ ID | Type | Indicator | Confidence
11 | File | `/public/login.htm` | High
12 | File | `/public/plugins/` | High
13 | File | `/replication` | Medium
14 | File | `/start-stop` | Medium
15 | File | `/tmp/app/.env` | High
16 | File | `/uncpath/` | Medium
17 | File | `/usr/bin/pkexec` | High
18 | File | `/WEB-INF/web.xml` | High
19 | File | `/wp-admin/admin-ajax.php` | High
20 | File | `/_next` | Low
21 | File | `adclick.php` | Medium
22 | File | `addentry.php` | Medium
23 | File | `addrating.php` | High
24 | File | `admin/conf_users_edit.php` | High
14 | File | `/SASWebReportStudio/logonAndRender.do` | High
15 | File | `/secure/admin/ViewInstrumentation.jspa` | High
16 | File | `/start-stop` | Medium
17 | File | `/tmp/app/.env` | High
18 | File | `/uncpath/` | Medium
19 | File | `/upload` | Low
20 | File | `/usr/bin/pkexec` | High
21 | File | `/WEB-INF/web.xml` | High
22 | File | `/wp-admin/admin-ajax.php` | High
23 | File | `/_next` | Low
24 | File | `adclick.php` | Medium
25 | ... | ... | ...
There are 205 more IOA items available. Please use our online service to access the data.
There are 211 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://app.box.com/s/qtqlwejty7xz8wj8osz98webycgo5j9x
* https://github.com/blackberry/threat-research-and-intelligence/blob/main/APT41.csv
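Review bot: `/usr/bin/pkexec` (row 17 on the old side, row 20 on the new) is the standard path of a setuid binary shipped by most Linux distributions, yet it is listed as a High-confidence File indicator of attack; anyone who loads this table into a file-presence match list will alert on every host. The README should make explicit that IOA File entries are paths the predictive model associates with the actor's activities and are not meant for presence-based detection, and rows that name ubiquitous system files should either say so or sit at Low confidence like `/upload` and `/_next` in the same table.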
@ -113,7 +113,7 @@ The following list contains external sources which discuss the actor and the ass
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
@ -0,0 +1,52 @@
# Abcbot - Cyber Threat Intelligence
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Abcbot](https://vuldb.com/?actor.abcbot). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.abcbot](https://vuldb.com/?actor.abcbot)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Abcbot:
* CN
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Abcbot.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 103.209.103.16 | - | - | High
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Abcbot. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1211 | CWE-254 | 7PK Security Features | High
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Abcbot. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | Library | `See.sys` | Low
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://blog.netlab.360.com/abcbot_an_evolving_botnet_en/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
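Review bot: the single IOC `103.209.103.16` and the country `CN` are plain text in this new file while the ActionRAT and Allakore files in the same commit link them to `https://vuldb.com/?ip.…` and `https://vuldb.com/?country.…`; generate the new file in the same form. In the TTP row, the Description column text ("7PK Security Features") is the name of the CWE-254 category, not of ATT&CK technique T1211 (Exploitation for Defense Evasion), so readers will take it for the technique name; either rename the column to "Weakness description" or add the ATT&CK technique name beside it.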
@ -1,46 +1,46 @@
# ActionRAT - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [ActionRAT](https://vuldb.com/?actor.actionrat). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [ActionRAT](https://vuldb.com/?actor.actionrat). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.actionrat](https://vuldb.com/?actor.actionrat)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.actionrat](https://vuldb.com/?actor.actionrat)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with ActionRAT:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with ActionRAT:
* US
* DE
* CA
* [US](https://vuldb.com/?country.us)
* [DE](https://vuldb.com/?country.de)
* [CA](https://vuldb.com/?country.ca)
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of ActionRAT.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of ActionRAT.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 144.91.65.100 | vmi652772.contaboserver.net | High
2 | 144.91.91.236 | vmi512038.contaboserver.net | High
3 | 149.248.52.61 | 149.248.52.61.vultr.com | Medium
4 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [144.91.65.100](https://vuldb.com/?ip.144.91.65.100) | vmi652772.contaboserver.net | - | High
2 | [144.91.91.236](https://vuldb.com/?ip.144.91.91.236) | vmi512038.contaboserver.net | - | High
3 | [149.248.52.61](https://vuldb.com/?ip.149.248.52.61) | 149.248.52.61.vultr.com | - | Medium
4 | ... | ... | ... | ...
There are 1 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by ActionRAT. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by ActionRAT. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1499 | Resource Consumption | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1499 | CWE-400, CWE-404, CWE-770 | Resource Consumption | High
4 | ... | ... | ... | ...
There are 2 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by ActionRAT. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by ActionRAT. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
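Review bot: the generated sentence "There are 1 more IOC items available" is a pluralisation bug in the template that produces these files (it should read "There is 1 more IOC item"); fix it in the generator rather than per file. Separately, the visible IOC rows for `144.91.65.100` and `144.91.91.236` (contaboserver.net) appear verbatim in the Allakore file in this same commit, and both files cite the same Talos IOC list, so the two actor profiles are indistinguishable on network indicators; a cross-reference or a note that the list is shared would keep readers from attributing a hit on one of these addresses to the wrong actor.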
@ -50,17 +50,17 @@ ID | Type | Indicator | Confidence
4 | File | `data/gbconfiguration.dat` | High
5 | ... | ... | ...
There are 29 more IOA items available. Please use our online service to access the data.
There are 29 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
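Review bot: the only external reference is a raw S3 object URL carrying a cache-busting query string (`?1625657479`), which is fragile as a citation; link the Talos publication that hosts this IOC list (or an archived copy) next to it so the source survives a bucket reorganisation.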
@ -1,31 +1,31 @@
# Adrozek - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Adrozek](https://vuldb.com/?actor.adrozek). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Adrozek](https://vuldb.com/?actor.adrozek). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.adrozek](https://vuldb.com/?actor.adrozek)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.adrozek](https://vuldb.com/?actor.adrozek)
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Adrozek.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Adrozek.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 104.21.70.96 | - | High
2 | 172.67.222.123 | - | High
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 104.21.70.96 | - | - | High
2 | 172.67.222.123 | - | - | High
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
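Review bot: both IOC addresses (`104.21.70.96`, `172.67.222.123`) fall in ranges announced by Cloudflare (104.21.0.0/16 and 172.67.0.0/16), which is also why neither has a hostname; they are shared CDN front-ends serving many unrelated sites, so a "High" confidence rating invites over-blocking by anyone consuming the table. Add a note that these are proxy addresses and, if the fronted domain is known, list that instead. The `?doc.` to `?kb.` link updates and the copyright year change look correct.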
@ -1,74 +1,75 @@
# Agrius - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Agrius](https://vuldb.com/?actor.agrius). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Agrius](https://vuldb.com/?actor.agrius). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.agrius](https://vuldb.com/?actor.agrius)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.agrius](https://vuldb.com/?actor.agrius)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Agrius:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Agrius:
* US
* RU
* NL
* IR
* ...
There are 9 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Agrius.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Agrius.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 5.2.67.85 | mail.astrilll.com | High
2 | 5.2.73.67 | brokendip.cfd | High
3 | 37.59.236.232 | 37.59.236.232.rdns.hasaserver.com | High
4 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 5.2.67.85 | mail.astrilll.com | - | High
2 | 5.2.73.67 | - | - | High
3 | 37.59.236.232 | 37.59.236.232.rdns.hasaserver.com | - | High
4 | ... | ... | ... | ...
There are 9 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Agrius. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Agrius. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1211 | 7PK Security Features | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1211 | CWE-254 | 7PK Security Features | High
4 | ... | ... | ... | ...
There are 4 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Agrius. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Agrius. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/cgi-bin/kerbynet` | High
2 | File | `/damicms-master/admin.php?s=/Article/doedit` | High
3 | File | `/etc/quagga` | Medium
4 | File | `/opt/IBM/es/lib/libffq.cryptionjni.so` | High
5 | File | `/plugins/Dashboard/Controller.php` | High
6 | File | `/storage/app/media/evil.svg` | High
7 | File | `/uncpath/` | Medium
8 | File | `admin.asp` | Medium
9 | File | `admin.php` | Medium
10 | ... | ... | ...
4 | File | `/main?cmd=invalid_browser` | High
5 | File | `/opt/IBM/es/lib/libffq.cryptionjni.so` | High
6 | File | `/plugins/Dashboard/Controller.php` | High
7 | File | `/storage/app/media/evil.svg` | High
8 | File | `/uncpath/` | Medium
9 | File | `/usr/lpp/mmfs/bin/` | High
10 | File | `admin.asp` | Medium
11 | ... | ... | ...
There are 75 more IOA items available. Please use our online service to access the data.
There are 83 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://github.com/blackorbird/APT_REPORT/blob/master/Agrius/evol-agrius.pdf
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
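Review bot: IOC row 2 silently loses its hostname (`5.2.73.67` goes from `brokendip.cfd` to `-`) and nothing in the commit says why; if the reverse record simply went stale, the fact that the domain was associated with the address at some point is itself useful to defenders and should be kept with a last-seen date rather than dropped. In the IOA table the renumbering after removing `/etc/quagga` and adding `/main?cmd=invalid_browser` and `/usr/lpp/mmfs/bin/` is consistent, but the remainder count jumping from 75 to 83 while only two visible rows were added deserves a one-line explanation in the commit message.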
@ -1,46 +1,46 @@
# Allakore - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Allakore](https://vuldb.com/?actor.allakore). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Allakore](https://vuldb.com/?actor.allakore). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.allakore](https://vuldb.com/?actor.allakore)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.allakore](https://vuldb.com/?actor.allakore)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Allakore:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Allakore:
* US
* DE
* CA
* [US](https://vuldb.com/?country.us)
* [DE](https://vuldb.com/?country.de)
* [CA](https://vuldb.com/?country.ca)
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Allakore.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Allakore.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 144.91.65.100 | vmi652772.contaboserver.net | High
2 | 144.91.91.236 | vmi512038.contaboserver.net | High
3 | 161.97.142.96 | vmi745943.contaboserver.net | High
4 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [144.91.65.100](https://vuldb.com/?ip.144.91.65.100) | vmi652772.contaboserver.net | - | High
2 | [144.91.91.236](https://vuldb.com/?ip.144.91.91.236) | vmi512038.contaboserver.net | - | High
3 | [161.97.142.96](https://vuldb.com/?ip.161.97.142.96) | vmi745943.contaboserver.net | - | High
4 | ... | ... | ... | ...
There are 4 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Allakore. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Allakore. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1499 | Resource Consumption | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1499 | CWE-400, CWE-404, CWE-770 | Resource Consumption | High
4 | ... | ... | ... | ...
There are 2 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Allakore. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Allakore. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
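Review bot: the three IOC hostnames (`vmi652772.contaboserver.net`, `vmi512038.contaboserver.net`, `vmi745943.contaboserver.net`) identify rented VPS instances whose addresses are recycled between customers, so a "High" confidence value without any first-seen/last-seen date tells a consumer nothing about whether the indicator is still valid; now that the table gained a Campaign column, a validity date column would be the more useful addition. The new `?country.` and `?ip.` links are a good change and should be applied to the other actor files in this commit that still carry plain text.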
@ -50,17 +50,17 @@ ID | Type | Indicator | Confidence
4 | File | `filter.php` | Medium
5 | ... | ... | ...
There are 26 more IOA items available. Please use our online service to access the data.
There are 26 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
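Review bot: `filter.php` at Medium confidence is a bare filename with no path, product or parameter, which cannot be matched against web logs without flooding a SOC with false positives; if the underlying record carries a full path (as `data/gbconfiguration.dat` in the ActionRAT file does), emit that instead. The reference is the same timestamped S3 URL used in the ActionRAT file, so the same durability concern applies here.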
@ -0,0 +1,49 @@
# Anatsa - Cyber Threat Intelligence
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Anatsa](https://vuldb.com/?actor.anatsa). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.anatsa](https://vuldb.com/?actor.anatsa)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Anatsa:
* [US](https://vuldb.com/?country.us)
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Anatsa.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [91.242.229.85](https://vuldb.com/?ip.91.242.229.85) | vm289569.pq.hosting | - | High
2 | [178.63.27.179](https://vuldb.com/?ip.178.63.27.179) | hosted.by.majorcore.com | - | High
3 | [195.201.70.88](https://vuldb.com/?ip.195.201.70.88) | static.88.70.201.195.clients.your-server.de | - | High
4 | ... | ... | ... | ...
There are 1 more IOC items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Anatsa. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | Library | `FARFLT.SYS` | Medium
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
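Review bot: the only IOA is a Windows kernel driver name (`FARFLT.SYS`, type Library), but Anatsa is an Android banking trojan, which is also how the ThreatFabric post referenced here documents it, so this row looks like a predictive-model artefact rather than observed tradecraft; verify it against the source before publishing or rate it Low. The file also inherits the template's "There are 1 more IOC items available" pluralisation bug.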
@ -0,0 +1,36 @@
# ApoMacroSploit - Cyber Threat Intelligence
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [ApoMacroSploit](https://vuldb.com/?actor.apomacrosploit). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.apomacrosploit](https://vuldb.com/?actor.apomacrosploit)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with ApoMacroSploit:
* US
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of ApoMacroSploit.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 185.157.161.109 | 185-157-161-109.pool.ovpn.com | - | High
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://research.checkpoint.com/2021/apomacrosploit-apocalyptical-fud-race/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
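Review bot: the single IOC's hostname, `185-157-161-109.pool.ovpn.com`, identifies a shared exit node of the commercial OVPN service, so the address is used by many unrelated customers and "High" confidence is hard to justify; mark it as VPN egress (useful for correlating sessions, not for blocking) or lower the confidence. The country entry `US` is also plain text, unlike the `?country.` links used in the ActionRAT and Allakore files of this commit.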
@ -1,12 +1,12 @@
# Arid Viper - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Arid Viper](https://vuldb.com/?actor.arid_viper). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Arid Viper](https://vuldb.com/?actor.arid_viper). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.arid_viper](https://vuldb.com/?actor.arid_viper)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.arid_viper](https://vuldb.com/?actor.arid_viper)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Arid Viper:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Arid Viper:
* US
* DE
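Review bot: the country list (`US`, `DE`) stays plain text here while the ActionRAT and Allakore files in the same commit switch to `[US](https://vuldb.com/?country.us)` style links; apply the same form so the generator output is uniform across actor files.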
@ -17,29 +17,29 @@ There are 1 more country items available. Please use our online service to acces
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Arid Viper.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Arid Viper.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 54.255.143.112 | ec2-54-255-143-112.ap-southeast-1.compute.amazonaws.com | Medium
|
||||
2 | 173.236.89.19 | 19.89.236.173.unassigned.ord.singlehop.net | High
|
||||
3 | 188.40.75.132 | static.132.75.40.188.clients.your-server.de | High
|
||||
4 | ... | ... | ...
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 54.255.143.112 | ec2-54-255-143-112.ap-southeast-1.compute.amazonaws.com | - | Medium
|
||||
2 | 173.236.89.19 | 19.89.236.173.unassigned.ord.singlehop.net | - | High
|
||||
3 | 188.40.75.132 | static.132.75.40.188.clients.your-server.de | - | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 4 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Arid Viper. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Arid Viper. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1059.007 | Cross Site Scripting | High
|
||||
2 | T1068 | Execution with Unnecessary Privileges | High
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Arid Viper. This data is unique as it uses our predictive model for actor profiling.
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Arid Viper. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
|
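Review bot: in the new TTP table the `Description` column carries the weakness title, not the ATT&CK technique name: row 1 pairs `T1059.007` with `Cross Site Scripting`, but T1059.007 in ATT&CK is Command and Scripting Interpreter: JavaScript, and "Cross Site Scripting" is the title of the CWE-79 entry now listed in the `Weakness` column. Either rename the column to make clear it describes the weakness or add the technique name, so readers do not map the CWE title onto the technique ID. The new `Campaign` column is `-` in every visible IOC row; if no campaign is attributed, say so in the paragraph above the table rather than shipping an empty column.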
@ -49,18 +49,18 @@ ID | Type | Indicator | Confidence
4 | File | `data/gbconfiguration.dat` | High
5 | ... | ... | ...

There are 25 more IOA items available. Please use our online service to access the data.
There are 25 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:

* https://www.threatminer.org/report.php?q=operation-arid-viper-whitepaper-en.pdf&y=2015
* https://www.threatminer.org/report.php?q=OperationAridViperSlithersBackintoView_Proofpoint.pdf&y=2015

## Literature

The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

@ -0,0 +1,66 @@
# Arkei - Cyber Threat Intelligence

These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Arkei](https://vuldb.com/?actor.arkei). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.arkei](https://vuldb.com/?actor.arkei)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Arkei:

* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [FR](https://vuldb.com/?country.fr)
* ...

There are 4 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Arkei.

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [37.252.15.126](https://vuldb.com/?ip.37.252.15.126) | google.com | - | High
2 | [85.208.185.13](https://vuldb.com/?ip.85.208.185.13) | vm3155616.1nvme.had.wf | - | High
3 | [185.7.214.239](https://vuldb.com/?ip.185.7.214.239) | - | - | High

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Arkei. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Arkei. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/getcfg.php` | Medium
2 | File | `act.php` | Low
3 | File | `admin.php` | Medium
4 | File | `data/gbconfiguration.dat` | High
5 | ... | ... | ...

There are 29 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://blogs.blackberry.com/en/2022/02/threat-thursday-arkei-infostealer

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

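Review bot: IOC row 1 lists `37.252.15.126` with hostname `google.com` at High confidence. A hostname column populated from reverse DNS reflects whatever PTR record the holder of the address block chose to publish, so it must not be read as identifying the owner; either mark the hostname as unverified or drop it, otherwise consumers who key alerts or blocklists on the hostname column will act on `google.com`. The same check (does the hostname forward-resolve to the listed IP?) should gate every entry in this column.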
@ -1,12 +1,12 @@
# Autoit - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Autoit](https://vuldb.com/?actor.autoit). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Autoit](https://vuldb.com/?actor.autoit). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.autoit](https://vuldb.com/?actor.autoit)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.autoit](https://vuldb.com/?actor.autoit)

## Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Autoit:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Autoit:

* DE
* US
@ -14,36 +14,36 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access

## IOC - Indicator of Compromise

These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Autoit.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Autoit.

ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 8.248.165.254 | - | High
2 | 8.249.217.254 | - | High
3 | 8.253.131.121 | - | High
4 | 13.56.128.67 | screenconnect.medsphere.com | High
5 | 23.3.13.88 | a23-3-13-88.deploy.static.akamaitechnologies.com | High
6 | 23.3.13.154 | a23-3-13-154.deploy.static.akamaitechnologies.com | High
7 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 8.248.165.254 | - | - | High
2 | 8.249.217.254 | - | - | High
3 | 8.253.131.121 | - | - | High
4 | 13.56.128.67 | screenconnect.medsphere.com | - | High
5 | 23.3.13.88 | a23-3-13-88.deploy.static.akamaitechnologies.com | - | High
6 | 23.3.13.154 | a23-3-13-154.deploy.static.akamaitechnologies.com | - | High
7 | ... | ... | ... | ...

There are 24 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Autoit. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Autoit. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 7 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Autoit. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Autoit. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
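Review bot: TTP row 3 pairs `T1110.001` with `CWE-798` and the description `Improper Restriction of Excessive Authentication Attempts`; that description is the title of CWE-307, while CWE-798 is Use of Hard-coded Credentials, so the Weakness and Description columns disagree on this row (the Baldr file in this commit lists `CWE-307, CWE-798` for the same technique, which is at least consistent). Separately, IOC rows 5 and 6 are Akamai edge nodes (`a23-3-13-88.deploy.static.akamaitechnologies.com`, `a23-3-13-154.deploy.static.akamaitechnologies.com`) at High confidence; shared CDN addresses serve many unrelated customers, so anyone blocking on them gets collateral damage and the confidence should reflect that.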
@ -60,11 +60,11 @@ ID | Type | Indicator | Confidence
11 | File | `auth.php` | Medium
12 | ... | ... | ...

There are 90 more IOA items available. Please use our online service to access the data.
There are 90 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:

* https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html
* https://blog.talosintelligence.com/2021/09/threat-roundup-0827-0903.html
@ -72,7 +72,7 @@ The following list contains external sources which discuss the actor and the ass

## Literature

The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

@ -0,0 +1,30 @@
# Babuk - Cyber Threat Intelligence

These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Babuk](https://vuldb.com/?actor.babuk). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.babuk](https://vuldb.com/?actor.babuk)

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Babuk.

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [168.119.93.163](https://vuldb.com/?ip.168.119.93.163) | dupa.tk | - | High

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://blogs.blackberry.com/en/2021/12/threat-thursday-babuk-ransomware-shifts-attack-methods-to-double-extortion

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -1,68 +1,111 @@
# BackdoorDiplomacy - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [BackdoorDiplomacy](https://vuldb.com/?actor.backdoordiplomacy). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [BackdoorDiplomacy](https://vuldb.com/?actor.backdoordiplomacy). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.backdoordiplomacy](https://vuldb.com/?actor.backdoordiplomacy)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.backdoordiplomacy](https://vuldb.com/?actor.backdoordiplomacy)

## Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with BackdoorDiplomacy:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with BackdoorDiplomacy:

* CN
* US
* GB
* CN
* RU
* ...

There are 1 more country items available. Please use our online service to access the data.
There are 24 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of BackdoorDiplomacy.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of BackdoorDiplomacy.

ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 23.83.224.178 | 23.83.224.178.16clouds.com | High
2 | 23.106.140.207 | 23.106.140.207.16clouds.com | High
3 | 23.228.203.130 | unassigned.psychz.net | High
4 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 23.83.224.178 | 23.83.224.178.16clouds.com | - | High
2 | 23.106.140.207 | 23.106.140.207.16clouds.com | - | High
3 | 23.228.203.130 | unassigned.psychz.net | - | High
4 | ... | ... | ... | ...

There are 14 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by BackdoorDiplomacy. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by BackdoorDiplomacy. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1499 | Resource Consumption | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-250, CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 1 more TTP items available. Please use our online service to access the data.
There are 8 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by BackdoorDiplomacy. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by BackdoorDiplomacy. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/clientes/visualizar` | High
2 | File | `/oputilsServlet` | High
3 | File | `admin/conf_users_edit.php` | High
4 | ... | ... | ...
1 | File | `/+CSCOE+/logon.html` | High
2 | File | `/.env` | Low
3 | File | `/.ssh/authorized_keys` | High
4 | File | `/admin/default.asp` | High
5 | File | `/ajax/networking/get_netcfg.php` | High
6 | File | `/assets/ctx` | Medium
7 | File | `/cgi-bin/login_action.cgi` | High
8 | File | `/cgi-bin/supervisor/PwdGrp.cgi` | High
9 | File | `/checkLogin.cgi` | High
10 | File | `/clientes/visualizar` | High
11 | File | `/cms/print.php` | High
12 | File | `/concat?/%2557EB-INF/web.xml` | High
13 | File | `/data/remove` | Medium
14 | File | `/etc/passwd` | Medium
15 | File | `/forum/away.php` | High
16 | File | `/login` | Low
17 | File | `/navigate/navigate_download.php` | High
18 | File | `/oputilsServlet` | High
19 | File | `/out.php` | Medium
20 | File | `/owa/auth/logon.aspx` | High
21 | File | `/p` | Low
22 | File | `/password.html` | High
23 | File | `/proc/ioports` | High
24 | File | `/property-list/property_view.php` | High
25 | File | `/rest` | Low
26 | File | `/rest/api/2/search` | High
27 | File | `/s/` | Low
28 | File | `/scripts/cpan_config` | High
29 | File | `/services/system/setup.json` | High
30 | File | `/uncpath/` | Medium
31 | File | `/webconsole/APIController` | High
32 | File | `/websocket/exec` | High
33 | File | `/wp-admin/admin-ajax.php` | High
34 | File | `/wp-json/oembed/1.0/embed?url` | High
35 | File | `/_next` | Low
36 | File | `4.edu.php\conn\function.php` | High
37 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
38 | File | `adclick.php` | Medium
39 | File | `addentry.php` | Medium
40 | File | `addressbook.php` | High
41 | File | `add_comment.php` | High
42 | File | `admin/category.inc.php` | High
43 | File | `admin/conf_users_edit.php` | High
44 | File | `admin/dl_sendmail.php` | High
45 | File | `admin/index.php` | High
46 | File | `admin/password_forgotten.php` | High
47 | ... | ... | ...

There are 18 more IOA items available. Please use our online service to access the data.
There are 411 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:

* https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/

## Literature

The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

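Review bot: TTP row 3 changes from `3 | T1499 | Resource Consumption | High` to `3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High` while the trailer goes from 1 to 8 more items; if T1499 now sits among the hidden items, the change should say so, otherwise a previously listed technique disappears without explanation. The new row also has the CWE-798 (Use of Hard-coded Credentials) versus CWE-307-titled description mismatch seen in the Autoit file. In the expanded IOA table, generic paths such as `/etc/passwd` (Medium), `/.ssh/authorized_keys` (High), `/login` and `/.env` (Low) are not specific to this actor and sit in every web scanner's wordlist; anyone turning this table into detection rules will get noise from them, so the confidence column should discount such entries or the table should state that confidence measures association strength, not specificity.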
Baldr/README.md

@ -1,65 +1,66 @@
# Baldr - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Baldr](https://vuldb.com/?actor.baldr). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Baldr](https://vuldb.com/?actor.baldr). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.baldr](https://vuldb.com/?actor.baldr)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.baldr](https://vuldb.com/?actor.baldr)

## Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Baldr:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Baldr:

* NL
* US

## IOC - Indicator of Compromise

These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Baldr.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Baldr.

ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 5.8.88.198 | - | High
2 | 5.45.73.87 | - | High
3 | 5.188.60.7 | - | High
4 | 5.188.60.18 | - | High
5 | 5.188.60.24 | - | High
6 | 5.188.60.30 | - | High
7 | 5.188.60.54 | - | High
8 | 5.188.60.68 | - | High
9 | 5.188.60.74 | - | High
10 | 5.188.60.101 | - | High
11 | 5.188.60.115 | - | High
12 | 5.188.60.206 | - | High
13 | 5.188.231.96 | - | High
14 | 5.188.231.210 | - | High
15 | 18.207.217.146 | ec2-18-207-217-146.compute-1.amazonaws.com | Medium
16 | 18.221.49.166 | ec2-18-221-49-166.us-east-2.compute.amazonaws.com | Medium
17 | 23.19.58.101 | - | High
18 | 23.95.95.61 | 23-95-95-61-host.colocrossing.com | High
19 | 23.254.217.112 | hwsrv-930282.hostwindsdns.com | High
20 | 23.254.225.240 | sha29.phpautomailer.com | High
21 | 45.64.186.10 | 45-64-186-10.static.bangmod-idc.com | High
22 | 45.77.252.143 | 45.77.252.143.vultr.com | Medium
23 | 46.30.42.130 | assetshub.com | High
24 | 46.249.62.196 | - | High
25 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 5.8.88.198 | - | - | High
2 | 5.45.73.87 | - | - | High
3 | 5.188.60.7 | - | - | High
4 | 5.188.60.18 | - | - | High
5 | 5.188.60.24 | - | - | High
6 | 5.188.60.30 | - | - | High
7 | 5.188.60.54 | - | - | High
8 | 5.188.60.68 | - | - | High
9 | 5.188.60.74 | - | - | High
10 | 5.188.60.101 | - | - | High
11 | 5.188.60.115 | - | - | High
12 | 5.188.60.206 | - | - | High
13 | 5.188.231.96 | - | - | High
14 | 5.188.231.210 | - | - | High
15 | 18.207.217.146 | ec2-18-207-217-146.compute-1.amazonaws.com | - | Medium
16 | 18.221.49.166 | ec2-18-221-49-166.us-east-2.compute.amazonaws.com | - | Medium
17 | 23.19.58.101 | - | - | High
18 | 23.95.95.61 | 23-95-95-61-host.colocrossing.com | - | High
19 | 23.254.217.112 | hwsrv-930282.hostwindsdns.com | - | High
20 | 23.254.225.240 | sha29.phpautomailer.com | - | High
21 | 45.64.186.10 | 45-64-186-10.static.bangmod-idc.com | - | High
22 | 45.77.252.143 | 45.77.252.143.vultr.com | - | Medium
23 | 46.30.42.130 | assetshub.com | - | High
24 | 46.249.62.196 | - | - | High
25 | ... | ... | ... | ...

There are 97 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Baldr. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Baldr. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 8 more TTP items available. Please use our online service to access the data.
There are 7 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Baldr. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Baldr. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
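Review bot: the TTP trailer changes from `There are 8 more TTP items available` to `There are 7 more TTP items available` while the visible rows 1-3 keep the same technique IDs and only gain the Weakness column, so a technique was dropped from the hidden part of the list with no visible trace; the removal should be documented. On the IOC side, rows 3-12 are ten addresses in `5.188.60.0/24` and rows 13-14 two in `5.188.231.0/24`, all High confidence with no hostname; a short note that these form contiguous blocks would help consumers decide between per-host and per-prefix handling.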
@ -67,52 +68,50 @@ ID | Type | Indicator | Confidence
2 | File | `/.env` | Low
3 | File | `/admin.php` | Medium
4 | File | `/admin/config.php?display=disa&view=form` | High
5 | File | `/BRS_netgear_success.html` | High
6 | File | `/category_view.php` | High
7 | File | `/dev/kmem` | Medium
8 | File | `/dev/shm` | Medium
9 | File | `/medical/inventories.php` | High
10 | File | `/monitoring` | Medium
11 | File | `/NAGErrors` | Medium
12 | File | `/plugins/servlet/audit/resource` | High
13 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
14 | File | `/proc/ioports` | High
15 | File | `/replication` | Medium
16 | File | `/rest/api/2/user/picker` | High
17 | File | `/RestAPI` | Medium
18 | File | `/rom-0` | Low
19 | File | `/tmp` | Low
20 | File | `/tmp/speedtest_urls.xml` | High
21 | File | `/uncpath/` | Medium
22 | File | `/var/log/nginx` | High
23 | File | `/wp-admin/admin.php` | High
24 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
25 | File | `abook_database.php` | High
26 | File | `account.asp` | Medium
27 | File | `admin-ajax.php?action=get_wdtable order[0][dir]` | High
28 | File | `admin/index.php` | High
29 | File | `admin/login.php` | High
30 | File | `admincp.php` | Medium
31 | File | `admincp.php?app=apps&do=save` | High
32 | File | `admincp.php?app=files` | High
33 | File | `admin\model\catalog\download.php` | High
34 | File | `ajax/render/widget_php` | High
35 | File | `apcupsd.pid` | Medium
36 | File | `api/sms/send-sms` | High
37 | File | `api/v1/alarms` | High
38 | ... | ... | ...
5 | File | `/category_view.php` | High
6 | File | `/dev/kmem` | Medium
7 | File | `/dev/shm` | Medium
8 | File | `/medical/inventories.php` | High
9 | File | `/monitoring` | Medium
10 | File | `/NAGErrors` | Medium
11 | File | `/plugins/servlet/audit/resource` | High
12 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
13 | File | `/proc/ioports` | High
14 | File | `/replication` | Medium
15 | File | `/RestAPI` | Medium
16 | File | `/rom-0` | Low
17 | File | `/tmp` | Low
18 | File | `/tmp/speedtest_urls.xml` | High
19 | File | `/uncpath/` | Medium
20 | File | `/var/log/nginx` | High
21 | File | `/wp-admin/admin.php` | High
|
||||
22 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
23 | File | `abook_database.php` | High
|
||||
24 | File | `account.asp` | Medium
|
||||
25 | File | `addentry.php` | Medium
|
||||
26 | File | `admin-ajax.php?action=get_wdtable order[0][dir]` | High
|
||||
27 | File | `admin/index.php` | High
|
||||
28 | File | `admin/login.php` | High
|
||||
29 | File | `admincp.php?app=files` | High
|
||||
30 | File | `admin\model\catalog\download.php` | High
|
||||
31 | File | `ajax/render/widget_php` | High
|
||||
32 | File | `apcupsd.pid` | Medium
|
||||
33 | File | `api/sms/send-sms` | High
|
||||
34 | File | `api/v1/alarms` | High
|
||||
35 | File | `application/controller/InstallerController.php` | High
|
||||
36 | ... | ... | ...
|
||||
|
||||
There are 323 more IOA items available. Please use our online service to access the data.
|
||||
There are 305 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://github.com/sophoslabs/IoCs/blob/master/Stealer-Baldr
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
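Review bot: the Confidence column of the IOA table is never defined, and the visible rows suggest it scales with the length of the indicator string rather than with evidential strength: every Low row is a short generic path (`2 | File | `/.env` | Low`, `/rom-0`, `/tmp`) and every High row is a long path. Paths such as `/tmp`, `/dev/shm`, `/proc/ioports` and `/var/log/nginx` exist on any Linux host and will match benign activity if fed into detection as-is, so add a sentence under the IOA heading that states what the scale measures and flags generic filesystem paths as enrichment rather than standalone alerts. The footer also moved from 37 shown + 323 more to 35 shown + 305 more with no indication that the dataset was regenerated; a generation date or dataset version in the intro would let readers distinguish a refresh from a correction.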
@ -1,48 +1,48 @@
|
|||
# Barys - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Barys](https://vuldb.com/?actor.barys). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Barys](https://vuldb.com/?actor.barys). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.barys](https://vuldb.com/?actor.barys)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.barys](https://vuldb.com/?actor.barys)
|
||||
|
||||
## Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Barys:
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Barys:
|
||||
|
||||
* US
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Barys.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Barys.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 13.107.21.200 | - | High
|
||||
2 | 13.107.22.200 | - | High
|
||||
3 | 23.225.145.234 | - | High
|
||||
4 | 47.246.136.160 | - | High
|
||||
5 | 52.137.90.34 | - | High
|
||||
6 | 52.185.71.28 | - | High
|
||||
7 | 58.215.145.95 | - | High
|
||||
8 | ... | ... | ...
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 13.107.21.200 | - | - | High
|
||||
2 | 13.107.22.200 | - | - | High
|
||||
3 | 23.225.145.234 | - | - | High
|
||||
4 | 47.246.136.160 | - | - | High
|
||||
5 | 52.137.90.34 | - | - | High
|
||||
6 | 52.185.71.28 | - | - | High
|
||||
7 | 58.215.145.95 | - | - | High
|
||||
8 | ... | ... | ... | ...
|
||||
|
||||
There are 30 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Barys. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Barys. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1059.007 | Cross Site Scripting | High
|
||||
2 | T1068 | Execution with Unnecessary Privileges | High
|
||||
3 | T1211 | 7PK Security Features | High
|
||||
4 | ... | ... | ...
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1211 | CWE-254, CWE-358 | 7PK Security Features | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 2 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Barys. This data is unique as it uses our predictive model for actor profiling.
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Barys. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
|
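Review bot: the Campaign column added to the IOC table (`ID | IP address | Hostname | Campaign | Confidence`) is `-` in all seven visible rows and this file has no "## Campaigns" section, so the column conveys nothing here; either omit it when no campaign is attributed or state in the IOC intro that `-` means unattributed. The Hostname column is also `-` for every row, which leaves entries such as `1 | 13.107.21.200 | - | - | High` hard to act on: without reverse DNS or an ASN the reader cannot tell a dedicated command-and-control host from shared cloud or CDN infrastructure whose blocking would cause collateral damage. An owner or ASN column would be more useful than an always-empty Campaign column.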
@ -99,11 +99,11 @@ ID | Type | Indicator | Confidence
|
|||
51 | File | `compte.php` | Medium
|
||||
52 | ... | ... | ...
|
||||
|
||||
There are 448 more IOA items available. Please use our online service to access the data.
|
||||
There are 448 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://blog.talosintelligence.com/2021/06/threat-roundup-0604-0611.html
|
||||
* https://blog.talosintelligence.com/2021/08/threat-roundup-0820-0827.html
|
||||
|
@ -112,7 +112,7 @@ The following list contains external sources which discuss the actor and the ass
|
|||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
@ -1,102 +1,102 @@
|
|||
# BazarLoader - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [BazarLoader](https://vuldb.com/?actor.bazarloader). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [BazarLoader](https://vuldb.com/?actor.bazarloader). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.bazarloader](https://vuldb.com/?actor.bazarloader)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.bazarloader](https://vuldb.com/?actor.bazarloader)
|
||||
|
||||
## Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with BazarLoader:
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with BazarLoader:
|
||||
|
||||
* US
|
||||
* DK
|
||||
* DE
|
||||
* DK
|
||||
* ...
|
||||
|
||||
There are 11 more country items available. Please use our online service to access the data.
|
||||
There are 12 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of BazarLoader.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of BazarLoader.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 31.171.251.118 | ch.ns.mon0.li | High
|
||||
2 | 31.214.240.203 | - | High
|
||||
3 | 34.209.40.84 | ec2-34-209-40-84.us-west-2.compute.amazonaws.com | Medium
|
||||
4 | 34.221.188.35 | ec2-34-221-188-35.us-west-2.compute.amazonaws.com | Medium
|
||||
5 | 45.71.112.70 | host-45-71-112-70.nedetel.net | High
|
||||
6 | ... | ... | ...
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 31.171.251.118 | ch.ns.mon0.li | - | High
|
||||
2 | 31.214.240.203 | - | - | High
|
||||
3 | 34.209.40.84 | ec2-34-209-40-84.us-west-2.compute.amazonaws.com | - | Medium
|
||||
4 | 34.221.188.35 | ec2-34-221-188-35.us-west-2.compute.amazonaws.com | - | Medium
|
||||
5 | 45.71.112.70 | host-45-71-112-70.nedetel.net | - | High
|
||||
6 | ... | ... | ... | ...
|
||||
|
||||
There are 22 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by BazarLoader. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by BazarLoader. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1059.007 | Cross Site Scripting | High
|
||||
2 | T1068 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ...
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 7 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by BazarLoader. This data is unique as it uses our predictive model for actor profiling.
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by BazarLoader. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `.user` | Low
|
||||
2 | File | `/cgi-bin/system_mgr.cgi` | High
|
||||
3 | File | `/Content/Template/root/reverse-shell.aspx` | High
|
||||
4 | File | `/debug/pprof` | Medium
|
||||
5 | File | `/inc/parser/xhtml.php` | High
|
||||
6 | File | `/includes/db_adodb.php` | High
|
||||
7 | File | `/PluXml/core/admin/parametres_edittpl.php` | High
|
||||
8 | File | `/register.do` | Medium
|
||||
9 | File | `/rest/project-templates/1.0/createshared` | High
|
||||
10 | File | `/restoreinfo.cgi` | High
|
||||
11 | File | `/services` | Medium
|
||||
12 | File | `/var/passwd` | Medium
|
||||
13 | File | `/var/run/storage_account_root` | High
|
||||
14 | File | `/webconsole/APIController` | High
|
||||
15 | File | `802dot1xclientcert.cgi` | High
|
||||
16 | File | `account.asp` | Medium
|
||||
17 | File | `Account.aspx` | Medium
|
||||
18 | File | `ActionsAndOperations` | High
|
||||
19 | File | `adclick.php` | Medium
|
||||
20 | File | `admin/db-backup-security/db-backup-security.php` | High
|
||||
21 | File | `admin/membersearch.php` | High
|
||||
22 | File | `agent_links.pl` | High
|
||||
23 | File | `Ap4StssAtom.cpp` | High
|
||||
24 | File | `Ap4StszAtom.cpp` | High
|
||||
25 | File | `apetag.c` | Medium
|
||||
26 | File | `apply_sec.cgi` | High
|
||||
27 | File | `article.php` | Medium
|
||||
28 | File | `asp` | Low
|
||||
29 | File | `attrs.c` | Low
|
||||
30 | File | `auth-gss2.c` | Medium
|
||||
31 | File | `auth.inc.php` | Medium
|
||||
32 | File | `authuser.php` | Medium
|
||||
33 | File | `bkr/server/widgets.py` | High
|
||||
34 | File | `bson-iter.c` | Medium
|
||||
2 | File | `/.dbus-keyrings` | High
|
||||
3 | File | `/cgi-bin/system_mgr.cgi` | High
|
||||
4 | File | `/Content/Template/root/reverse-shell.aspx` | High
|
||||
5 | File | `/debug/pprof` | Medium
|
||||
6 | File | `/inc/parser/xhtml.php` | High
|
||||
7 | File | `/includes/db_adodb.php` | High
|
||||
8 | File | `/PluXml/core/admin/parametres_edittpl.php` | High
|
||||
9 | File | `/register.do` | Medium
|
||||
10 | File | `/rest/project-templates/1.0/createshared` | High
|
||||
11 | File | `/restoreinfo.cgi` | High
|
||||
12 | File | `/services` | Medium
|
||||
13 | File | `/var/passwd` | Medium
|
||||
14 | File | `/var/run/storage_account_root` | High
|
||||
15 | File | `/webconsole/APIController` | High
|
||||
16 | File | `802dot1xclientcert.cgi` | High
|
||||
17 | File | `account.asp` | Medium
|
||||
18 | File | `Account.aspx` | Medium
|
||||
19 | File | `ActionsAndOperations` | High
|
||||
20 | File | `adclick.php` | Medium
|
||||
21 | File | `admin/db-backup-security/db-backup-security.php` | High
|
||||
22 | File | `admin/membersearch.php` | High
|
||||
23 | File | `agent_links.pl` | High
|
||||
24 | File | `Ap4StssAtom.cpp` | High
|
||||
25 | File | `Ap4StszAtom.cpp` | High
|
||||
26 | File | `apetag.c` | Medium
|
||||
27 | File | `apply_sec.cgi` | High
|
||||
28 | File | `article.php` | Medium
|
||||
29 | File | `asp` | Low
|
||||
30 | File | `attrs.c` | Low
|
||||
31 | File | `auth-gss2.c` | Medium
|
||||
32 | File | `auth.inc.php` | Medium
|
||||
33 | File | `authuser.php` | Medium
|
||||
34 | File | `bkr/server/widgets.py` | High
|
||||
35 | ... | ... | ...
|
||||
|
||||
There are 295 more IOA items available. Please use our online service to access the data.
|
||||
There are 299 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
|
||||
* https://twitter.com/_pr4gma/status/1347617681197961225
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
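Review bot: row `3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High` uses the title of CWE-307 as its description but omits CWE-307 from the Weakness cell, while the same technique row in the Baldr file in this commit reads `CWE-307, CWE-798`; CWE-798 (Use of Hard-coded Credentials) is not a restriction-of-authentication-attempts weakness, so the description and the Weakness cell contradict each other. Either include CWE-307 or derive the description from the CWE that is actually listed. The Countries list also moved DK below DE and the footer went from 11 to 12 more items, which reads as a data refresh rather than a correction; a generation date on the page would make that distinction visible.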
@ -0,0 +1,37 @@
|
|||
# Bigviktor - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Bigviktor](https://vuldb.com/?actor.bigviktor). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.bigviktor](https://vuldb.com/?actor.bigviktor)
|
||||
|
||||
## Campaigns
|
||||
|
||||
The following _campaigns_ are known and can be associated with Bigviktor:
|
||||
|
||||
* CVE-2020-8515
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Bigviktor.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 91.219.75.87 | - | CVE-2020-8515 | High
|
||||
2 | 151.80.235.228 | 228.ip-151-80-235.eu | CVE-2020-8515 | High
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://blog.netlab.360.com/bigviktor-dga-botnet/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
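Review bot: the only campaign on this new page is named `CVE-2020-8515`, a vulnerability identifier rather than a campaign name, and it labels both IOC rows (`1 | 91.219.75.87 | - | CVE-2020-8515 | High`), yet the page has no TTP section, so the one concrete technique the data supports, exploitation of that CVE, is stated nowhere and the identifier is not linked. Add the TTP table, or at least link the campaign label to the vulnerability entry the way the actor name is linked in the intro, and say in the Campaigns intro that a campaign may be named after the vulnerability it exploited.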
@ -1,90 +1,90 @@
|
|||
# Black KingDom - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Black KingDom](https://vuldb.com/?actor.black_kingdom). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Black KingDom](https://vuldb.com/?actor.black_kingdom). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.black_kingdom](https://vuldb.com/?actor.black_kingdom)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.black_kingdom](https://vuldb.com/?actor.black_kingdom)
|
||||
|
||||
## Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Black KingDom:
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Black KingDom:
|
||||
|
||||
* US
|
||||
* FR
|
||||
* RU
|
||||
* SV
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Black KingDom.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Black KingDom.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 104.21.89.10 | - | High
|
||||
2 | 172.64.80.0 | - | High
|
||||
3 | 185.220.101.204 | tor-exit-204.relayon.org | High
|
||||
4 | ... | ... | ...
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 104.21.89.10 | - | - | High
|
||||
2 | 172.64.80.0 | - | - | High
|
||||
3 | 185.220.101.204 | tor-exit-204.relayon.org | - | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 1 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Black KingDom. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Black KingDom. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1040 | Authentication Bypass by Capture-replay | High
|
||||
2 | T1059.007 | Cross Site Scripting | High
|
||||
3 | T1068 | Execution with Unnecessary Privileges | High
|
||||
4 | ... | ... | ...
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1008 | CWE-757 | Algorithm Downgrade | High
|
||||
2 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 9 more TTP items available. Please use our online service to access the data.
|
||||
There are 10 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Black KingDom. This data is unique as it uses our predictive model for actor profiling.
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Black KingDom. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/admin/admin_manage/delete` | High
|
||||
2 | File | `/admin/login.php` | High
|
||||
3 | File | `/administrator/components/table_manager/` | High
|
||||
4 | File | `/ajax_crud` | Medium
|
||||
5 | File | `/api/ZRMacClone/mac_addr_clone` | High
|
||||
6 | File | `/application/common.php#action_log` | High
|
||||
7 | File | `/base/ecma-helpers-string.c` | High
|
||||
8 | File | `/cms/ajax.php` | High
|
||||
9 | File | `/core/table/query` | High
|
||||
10 | File | `/debug/pprof` | Medium
|
||||
11 | File | `/dev/ion` | Medium
|
||||
12 | File | `/ecma/operations/ecma-objects.c` | High
|
||||
13 | File | `/GetCopiedFile` | High
|
||||
14 | File | `/hdf5/src/H5Dchunk.c` | High
|
||||
15 | File | `/hdf5/src/H5Fint.c` | High
|
||||
16 | File | `/jerry-core/ecma/base/ecma-literal-storage.c` | High
|
||||
17 | File | `/jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c` | High
|
||||
18 | File | `/jerry-core/parser/js/js-parser-expr.c` | High
|
||||
4 | File | `/adminzone/index.php?page=admin-commandr` | High
|
||||
5 | File | `/ajax_crud` | Medium
|
||||
6 | File | `/anony/mjpg.cgi` | High
|
||||
7 | File | `/application/common.php#action_log` | High
|
||||
8 | File | `/base/ecma-helpers-string.c` | High
|
||||
9 | File | `/cms/ajax.php` | High
|
||||
10 | File | `/core/table/query` | High
|
||||
11 | File | `/data-service/users/` | High
|
||||
12 | File | `/dev/ion` | Medium
|
||||
13 | File | `/ecma/operations/ecma-objects.c` | High
|
||||
14 | File | `/GetCopiedFile` | High
|
||||
15 | File | `/jerry-core/ecma/base/ecma-literal-storage.c` | High
|
||||
16 | File | `/jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c` | High
|
||||
17 | File | `/jerry-core/parser/js/js-parser-expr.c` | High
|
||||
18 | File | `/js/app.js` | Medium
|
||||
19 | File | `/leave_system/classes/Login.php` | High
|
||||
20 | File | `/message-bus/_diagnostics` | High
|
||||
21 | File | `/mobile/SelectUsers.jsp` | High
|
||||
22 | File | `/music/ajax.php` | High
|
||||
23 | File | `/orms/` | Low
|
||||
24 | File | `/parser/js/js-parser-mem.c` | High
|
||||
25 | File | `/rest/collectors/1.0/template/custom` | High
|
||||
26 | File | `/RPC2` | Low
|
||||
27 | File | `/UserSelfServiceSettings.jsp` | High
|
||||
28 | File | `/usr/bin/pkexec` | High
|
||||
20 | File | `/music/ajax.php` | High
|
||||
21 | File | `/orms/` | Low
|
||||
22 | File | `/parser/js/js-parser-mem.c` | High
|
||||
23 | File | `/uncpath/` | Medium
|
||||
24 | File | `/user/login/oauth` | High
|
||||
25 | File | `/userRpm/PingIframeRpm.htm` | High
|
||||
26 | File | `/usr/bin/pkexec` | High
|
||||
27 | File | `/usr/local/bin/mjs` | High
|
||||
28 | File | `/usr/local/www/pkg.php` | High
|
||||
29 | ... | ... | ...
|
||||
|
||||
There are 246 more IOA items available. Please use our online service to access the data.
|
||||
There are 250 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://github.com/sophoslabs/IoCs/blob/master/Ransomware_BlackKingDom.csv
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
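Review bot: the TTP preview shows only the three lowest technique IDs before `4 | ... | ... | ... | ...`, so adding `1 | T1008 | CWE-757 | Algorithm Downgrade | High` pushed T1068 (Execution with Unnecessary Privileges) out of the visible rows while the footer merely changed from 9 to 10 more items; because the preview is sorted by technique ID and truncated, a refresh silently hides techniques and the ordering carries no relevance information. Sort the preview by Confidence or show the full list for files this short. The same truncation affects the IOA table, where the footer moved from 246 to 250 more items and rows 4 to 28 were renumbered with no indication of which indicators were added or dropped.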
@ -0,0 +1,65 @@
|
|||
# BlackByte - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [BlackByte](https://vuldb.com/?actor.blackbyte). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.blackbyte](https://vuldb.com/?actor.blackbyte)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with BlackByte:

* US
* ES

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of BlackByte.

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 45.9.148.114 | - | - | High

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by BlackByte. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1211 | CWE-254 | 7PK Security Features | High
4 | ... | ... | ... | ...

There are 5 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by BlackByte. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/goform/SetNetControlList` | High
2 | File | `admin/categories_industry.php` | High
3 | File | `admin/content/postcategory` | High
4 | File | `Adminstrator/Users/Edit/` | High
5 | File | `agent.cfg` | Medium
6 | ... | ... | ...

There are 35 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
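
Review bot: the TTP table's Description column carries CWE titles that do not match the IDs in the Weakness column: `2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High` uses the title of CWE-250 while listing CWE-264 and CWE-284, and `1 | T1059.007 | CWE-79 | Cross Site Scripting | High` labels a technique whose ATT&CK name is Command and Scripting Interpreter: JavaScript with a weakness name instead. Decide what the column describes, either the ATT&CK technique name (with CWE IDs only in Weakness) or the title of the CWE listed beside it, and have the generator emit it consistently.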
@ -0,0 +1,68 @@
# Bondnet - Cyber Threat Intelligence

These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Bondnet](https://vuldb.com/?actor.bondnet). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.bondnet](https://vuldb.com/?actor.bondnet)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Bondnet:

* CN
* US
* FR

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Bondnet.

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 47.90.206.226 | - | - | High
2 | 50.207.71.22 | 50-207-71-22-static.hfc.comcastbusiness.net | - | High
3 | 59.3.127.132 | - | - | High
4 | 69.90.114.185 | - | - | High
5 | 72.167.201.140 | ip-72-167-201-140.ip.secureserver.net | - | High
6 | ... | ... | ... | ...

There are 22 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Bondnet. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Bondnet. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `awstats.pl` | Medium
2 | File | `class.showtime2_image.php` | High
3 | File | `data/gbconfiguration.dat` | High
4 | ... | ... | ...

There are 7 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://github.com/guardicore/labs_campaigns/tree/master/Bondnet

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
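
Review bot: the IOC table has no first-seen or last-seen date, so rows such as `2 | 50.207.71.22 | 50-207-71-22-static.hfc.comcastbusiness.net | - | High` (a business ISP static address) and `5 | 72.167.201.140 | ip-72-167-201-140.ip.secureserver.net | - | High` (a shared hosting address) cannot be aged out by anyone who loads this list into a blocklist, and a High confidence with no time bound will keep matching whoever holds that address next. Add a date column, or state the observation window in the IOC section text.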
@ -1,12 +1,12 @@
# Bouncing Golf - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Bouncing Golf](https://vuldb.com/?actor.bouncing_golf). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Bouncing Golf](https://vuldb.com/?actor.bouncing_golf). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.bouncing_golf](https://vuldb.com/?actor.bouncing_golf)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.bouncing_golf](https://vuldb.com/?actor.bouncing_golf)

## Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Bouncing Golf:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Bouncing Golf:

* US
* FR
@ -17,33 +17,33 @@ There are 21 more country items available. Please use our online service to acce

## IOC - Indicator of Compromise

These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Bouncing Golf.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Bouncing Golf.

ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 54.38.51.159 | - | High
2 | 82.211.31.181 | - | High
3 | 84.234.96.167 | eronn.erivermle.com | High
4 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 54.38.51.159 | - | - | High
2 | 82.211.31.181 | - | - | High
3 | 84.234.96.167 | eronn.erivermle.com | - | High
4 | ... | ... | ... | ...

There are 4 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Bouncing Golf. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Bouncing Golf. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 5 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Bouncing Golf. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Bouncing Golf. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
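
Review bot: the new row `3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High` pairs the title of CWE-307 with the ID of CWE-798 (Use of Hard-coded Credentials); password guessing (T1110.001) is the CWE-307 case, so either change the Weakness cell to CWE-307 or change the Description to the title of CWE-798. The same check should run over the other rows the Weakness column was added to.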
@ -62,26 +62,27 @@ ID | Type | Indicator | Confidence
13 | File | `/userRpm/MediaServerFoldersCfgRpm.htm` | High
14 | File | `/ViewUserHover.jspa` | High
15 | File | `AccountStatus.jsp` | High
16 | File | `add.php` | Low
17 | File | `admin/systemOutOfBand.do` | High
18 | File | `app/application.cpp` | High
19 | File | `auth-gss2.c` | Medium
20 | File | `authent.php4` | Medium
21 | File | `base_maintenance.php` | High
22 | File | `boardrule.php` | High
23 | ... | ... | ...
16 | File | `adclick.php` | Medium
17 | File | `add.php` | Low
18 | File | `admin/systemOutOfBand.do` | High
19 | File | `app/application.cpp` | High
20 | File | `auth-gss2.c` | Medium
21 | File | `authent.php4` | Medium
22 | File | `base_maintenance.php` | High
23 | File | `boardrule.php` | High
24 | ... | ... | ...

There are 195 more IOA items available. Please use our online service to access the data.
There are 198 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:

* https://documents.trendmicro.com/assets/appendix-mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east.pdf

## Literature

The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
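
Review bot: inserting `16 | File | `adclick.php` | Medium` in sorted position renumbers every later row (`add.php` moves from 16 to 17, `boardrule.php` from 22 to 23), so the ID column is a row position, not a stable identifier, and a consumer who diffs successive versions of this file cannot key on it. Either append new rows at the end so existing IDs stay fixed, or say in the IOA section text that the Indicator cell is the key and the ID is only a display ordinal.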
@ -1,12 +1,12 @@
# Bronze Butler - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Bronze Butler](https://vuldb.com/?actor.bronze_butler). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Bronze Butler](https://vuldb.com/?actor.bronze_butler). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.bronze_butler](https://vuldb.com/?actor.bronze_butler)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.bronze_butler](https://vuldb.com/?actor.bronze_butler)

## Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Bronze Butler:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Bronze Butler:

* US
* CN
@ -17,33 +17,33 @@ There are 1 more country items available. Please use our online service to acces

## IOC - Indicator of Compromise

These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Bronze Butler.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Bronze Butler.

ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 27.255.69.209 | - | High
2 | 27.255.91.238 | - | High
3 | 106.184.5.30 | - | High
4 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 27.255.69.209 | - | - | High
2 | 27.255.91.238 | - | - | High
3 | 106.184.5.30 | - | - | High
4 | ... | ... | ... | ...

There are 3 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Bronze Butler. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Bronze Butler. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1222 | Permission Issues | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
3 | T1222 | CWE-275 | Permission Issues | High
4 | ... | ... | ... | ...

There are 1 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Bronze Butler. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Bronze Butler. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
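
Review bot: the unchanged context line `There are 1 more TTP items available. Please use our online service to access the data.` is ungrammatical for a count of one, and the hunk header shows the same template producing `There are 1 more country items available`; since this text is generated, make the template count-neutral (for example `Additional TTP items available: 1`) or branch on the count so a single item reads `There is 1 more TTP item available.`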
@ -52,17 +52,17 @@ ID | Type | Indicator | Confidence
3 | File | `wp-login.php` | Medium
4 | ... | ... | ...

There are 6 more IOA items available. Please use our online service to access the data.
There are 6 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:

* https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses

## Literature

The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
@ -1,12 +1,12 @@
# Brunhilda - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Brunhilda](https://vuldb.com/?actor.brunhilda). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Brunhilda](https://vuldb.com/?actor.brunhilda). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.brunhilda](https://vuldb.com/?actor.brunhilda)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.brunhilda](https://vuldb.com/?actor.brunhilda)

## Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Brunhilda:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Brunhilda:

* FR
* US
@ -14,33 +14,33 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access

## IOC - Indicator of Compromise

These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Brunhilda.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Brunhilda.

ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 45.142.212.216 | vm324137.pq.hosting | High
2 | 95.142.40.68 | vm482228.eurodir.ru | High
3 | 185.177.92.213 | ip-185-177-92-213.ah-server.com | High
4 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 45.142.212.216 | vm324137.pq.hosting | - | High
2 | 95.142.40.68 | vm482228.eurodir.ru | - | High
3 | 185.177.92.213 | ip-185-177-92-213.ah-server.com | - | High
4 | ... | ... | ... | ...

There are 10 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Brunhilda. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Brunhilda. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1211 | 7PK Security Features | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1211 | CWE-254 | 7PK Security Features | High
4 | ... | ... | ... | ...

There are 1 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Brunhilda. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Brunhilda. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
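
Review bot: the new Campaign column holds `-` in every row here, the same placeholder the Hostname column uses when no reverse DNS name was recorded, so a reader cannot tell "no campaign attributed" from "not yet checked" (compare `1 | 45.142.212.216 | vm324137.pq.hosting | - | High`). State in the IOC section text what `-` means, or use distinct values for unknown and none.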
@ -49,13 +49,13 @@ ID | Type | Indicator | Confidence

## References

The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:

* https://vxug.fakedoma.in/archive/APTs/2021/2021.01.07/BrunHilda.pdf

## Literature

The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
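
Review bot: the only reference, `https://vxug.fakedoma.in/archive/APTs/2021/2021.01.07/BrunHilda.pdf`, is an archive mirror of a third-party report rather than the original publisher's page; cite the primary publication alongside the mirror so the attribution survives if the archive moves.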
@ -1,34 +1,34 @@
# Bunse - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Bunse](https://vuldb.com/?actor.bunse). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Bunse](https://vuldb.com/?actor.bunse). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.bunse](https://vuldb.com/?actor.bunse)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.bunse](https://vuldb.com/?actor.bunse)

## Campaigns

The following campaigns are known and can be associated with Bunse:
The following _campaigns_ are known and can be associated with Bunse:

* Afghanistan and India

## Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Bunse:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Bunse:

* ES
* US

## IOC - Indicator of Compromise

These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Bunse.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Bunse.

ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 62.171.157.185 | vmi479022.contaboserver.net | High
2 | 95.111.241.233 | vmi698587.contaboserver.net | High
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 62.171.157.185 | vmi479022.contaboserver.net | Afghanistan and India | High
2 | 95.111.241.233 | vmi698587.contaboserver.net | Afghanistan and India | High

## IOA - Indicator of Attack

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Bunse. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Bunse. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
@ -38,13 +38,13 @@ ID | Type | Indicator | Confidence

## References

The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:

* https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html

## Literature

The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
@ -0,0 +1,64 @@
# Butter - Cyber Threat Intelligence

These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Butter](https://vuldb.com/?actor.butter). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.butter](https://vuldb.com/?actor.butter)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Butter:

* CN
* US

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Butter.

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 37.187.154.79 | ns320600.ip-37-187-154.eu | - | High
2 | 46.105.103.169 | ns383264.ip-46-105-103.eu | - | High
3 | 103.51.109.217 | - | - | High
4 | ... | ... | ... | ...

There are 7 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Butter. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Butter. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/etc/shadow` | Medium
2 | File | `awstats.pl` | Medium
3 | File | `cjson.c` | Low
4 | ... | ... | ...

There are 9 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://github.com/guardicore/labs_campaigns/tree/master/Butter

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
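
Review bot: `1 | File | `/etc/shadow` | Medium` lists a path present on every Unix host, so as a file indicator it has no specificity for Butter and will match any credential-dumping activity; either drop the row, rate it Low, or state in the IOA section text that File entries are paths the actor reads or targets rather than artefacts the actor leaves behind, so consumers do not turn them into file-name alerts.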
@ -1,19 +1,19 @@
# Carbanak - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Carbanak](https://vuldb.com/?actor.carbanak). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Carbanak](https://vuldb.com/?actor.carbanak). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.carbanak](https://vuldb.com/?actor.carbanak)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.carbanak](https://vuldb.com/?actor.carbanak)

## Campaigns

The following campaigns are known and can be associated with Carbanak:
The following _campaigns_ are known and can be associated with Carbanak:

* Anunak
* Grand Mars

## Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Carbanak:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Carbanak:

* US
* RU
@ -24,65 +24,65 @@ There are 29 more country items available. Please use our online service to acce
|
|||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Carbanak.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Carbanak.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 5.1.83.133 | mail.printonrug.com | High
|
||||
2 | 5.45.179.173 | mail.kincoss.info | High
|
||||
3 | 5.45.179.185 | - | High
|
||||
4 | 5.45.192.117 | - | High
|
||||
5 | 5.61.32.118 | - | High
|
||||
6 | 5.61.38.52 | - | High
|
||||
7 | 5.101.146.184 | 3928081.securefastserver.com | High
|
||||
8 | 5.135.111.89 | - | High
|
||||
9 | 5.199.169.188 | - | High
|
||||
10 | 10.74.5.100 | - | High
|
||||
11 | 23.227.196.99 | 23-227-196-99.static.hvvc.us | High
|
||||
12 | 31.3.155.123 | swe-net-ip.as51430.net | High
|
||||
13 | 31.131.17.79 | - | High
|
||||
14 | 31.131.17.81 | - | High
|
||||
15 | 31.131.17.125 | - | High
|
||||
16 | 31.131.17.128 | - | High
|
||||
17 | 37.46.114.148 | bg.as51430.net | High
|
||||
18 | 37.59.202.124 | ip124.ip-37-59-202.eu | High
|
||||
19 | 37.235.54.48 | 48.54.235.37.in-addr.arpa | High
|
||||
20 | 45.63.23.135 | 45.63.23.135.vultr.com | Medium
|
||||
21 | 45.63.96.216 | 45.63.96.216.vultr.com | Medium
|
||||
22 | 50.62.171.62 | ip-50-62-171-62.ip.secureserver.net | High
|
||||
23 | 50.115.127.36 | 50.115.127.36.static.westdc.net | High
|
||||
24 | 50.115.127.37 | mail.ingrampartners.com | High
|
||||
25 | 51.254.95.99 | ip99.ip-51-254-95.eu | High
|
||||
26 | 51.254.95.100 | ip100.ip-51-254-95.eu | High
|
||||
27 | 55.198.6.56 | - | High
|
||||
28 | 59.55.142.171 | - | High
|
||||
29 | 60.228.38.213 | cpe-60-228-38-213.bpe6-r-962.pie.wa.bigpond.net.au | High
|
||||
30 | 61.7.219.61 | - | High
|
||||
31 | 62.75.224.229 | prag178.startdedicated.de | High
|
||||
32 | 62.210.25.121 | svgit.festivalscope.com | High
|
||||
33 | 65.19.141.199 | - | High
|
||||
34 | 66.55.133.86 | 66-55-133-86.choopa.net | High
|
||||
35 | 66.232.124.175 | customer.hivelocity.net | High
|
||||
36 | ... | ... | ...
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 5.1.83.133 | mail.printonrug.com | - | High
|
||||
2 | 5.45.179.173 | mail.kincoss.info | - | High
|
||||
3 | 5.45.179.185 | - | - | High
|
||||
4 | 5.45.192.117 | - | - | High
|
||||
5 | 5.61.32.118 | - | - | High
|
||||
6 | 5.61.38.52 | - | - | High
|
||||
7 | 5.101.146.184 | 3928081.securefastserver.com | - | High
|
||||
8 | 5.135.111.89 | - | - | High
|
||||
9 | 5.199.169.188 | - | - | High
|
||||
10 | 10.74.5.100 | - | - | High
|
||||
11 | 23.227.196.99 | 23-227-196-99.static.hvvc.us | - | High
|
||||
12 | 31.3.155.123 | swe-net-ip.as51430.net | - | High
|
||||
13 | 31.131.17.79 | - | - | High
|
||||
14 | 31.131.17.81 | - | - | High
|
||||
15 | 31.131.17.125 | - | - | High
|
||||
16 | 31.131.17.128 | - | - | High
|
||||
17 | 37.46.114.148 | bg.as51430.net | - | High
|
||||
18 | 37.59.202.124 | ip124.ip-37-59-202.eu | - | High
|
||||
19 | 37.235.54.48 | 48.54.235.37.in-addr.arpa | - | High
|
||||
20 | 45.63.23.135 | 45.63.23.135.vultr.com | - | Medium
|
||||
21 | 45.63.96.216 | 45.63.96.216.vultr.com | - | Medium
|
||||
22 | 50.62.171.62 | ip-50-62-171-62.ip.secureserver.net | - | High
|
||||
23 | 50.115.127.36 | 50.115.127.36.static.westdc.net | - | High
|
||||
24 | 50.115.127.37 | mail.ingrampartners.com | - | High
|
||||
25 | 51.254.95.99 | ip99.ip-51-254-95.eu | - | High
|
||||
26 | 51.254.95.100 | ip100.ip-51-254-95.eu | - | High
|
||||
27 | 55.198.6.56 | - | - | High
|
||||
28 | 59.55.142.171 | - | - | High
|
||||
29 | 60.228.38.213 | cpe-60-228-38-213.bpe6-r-962.pie.wa.bigpond.net.au | - | High
|
||||
30 | 61.7.219.61 | - | - | High
|
||||
31 | 62.75.224.229 | prag178.startdedicated.de | - | High
|
||||
32 | 62.210.25.121 | svgit.festivalscope.com | Grand Mars | High
|
||||
33 | 65.19.141.199 | - | - | High
|
||||
34 | 66.55.133.86 | 66-55-133-86.choopa.net | - | High
|
||||
35 | 66.232.124.175 | customer.hivelocity.net | - | High
|
||||
36 | ... | ... | ... | ...
|
||||
|
||||
There are 140 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Carbanak. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Carbanak. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1059.007 | Cross Site Scripting | High
|
||||
2 | T1068 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ...
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-250, CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 7 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Carbanak. This data is unique as it uses our predictive model for actor profiling.
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Carbanak. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
|
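Review bot: row 10 of the IOC table (`10 | 10.74.5.100 | - | - | High`) is an RFC 1918 private address; it cannot identify Carbanak infrastructure on the public internet and, fed into a blocklist or detection rule at High confidence, will match ordinary internal traffic in any 10.0.0.0/8 network. Drop it from the network IOC table or move it to the IOA list with the context in which it was observed. Two smaller points in the same hunk: row 19 puts `48.54.235.37.in-addr.arpa` in the Hostname column, which is the reverse-lookup zone name rather than a hostname and should be `-`; and in the new TTP table the Description column describes the CWE, not the ATT&CK technique (T1059.007 is Command and Scripting Interpreter: JavaScript, T1068 is Exploitation for Privilege Escalation, T1110.001 is Brute Force: Password Guessing), so either label that column "Weakness description" or add the technique name so `1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High` is not read as an ATT&CK definition.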
@ -123,11 +123,11 @@ ID | Type | Indicator | Confidence
|
|||
35 | File | `admin/index.php?n=ui_set&m=admin&c=index&a=doget_text_content&table=lang&field=1` | High
|
||||
36 | ... | ... | ...
|
||||
|
||||
There are 306 more IOA items available. Please use our online service to access the data.
|
||||
There are 306 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf
|
||||
* https://www.forcepoint.com/blog/x-labs/carbanak-group-uses-google-malware-command-and-control
|
||||
|
@ -141,7 +141,7 @@ The following list contains external sources which discuss the actor and the ass
|
|||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
@ -0,0 +1,45 @@
|
|||
# CeidPageLock - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [CeidPageLock](https://vuldb.com/?actor.ceidpagelock). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.ceidpagelock](https://vuldb.com/?actor.ceidpagelock)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with CeidPageLock:
|
||||
|
||||
* CN
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of CeidPageLock.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 42.51.223.86 | - | - | High
|
||||
2 | 118.193.211.11 | - | - | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by CeidPageLock. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://research.checkpoint.com/2018/ceidpagelock-a-chinese-rootkit/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
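Review bot: in the TTP table, `1 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High` pairs a description that is the title of CWE-250 with a Weakness column that lists only CWE-264 (the broader Permissions, Privileges, and Access Controls category); the Carbanak page in this same commit lists `CWE-250, CWE-264, CWE-284` for the identical description. Either add CWE-250 here or change the description to match CWE-264, so the Weakness and Description cells agree.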
@ -0,0 +1,30 @@
|
|||
# Cerberus - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Cerberus](https://vuldb.com/?actor.cerberus). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.cerberus](https://vuldb.com/?actor.cerberus)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Cerberus.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 91.210.169.114 | 490023-cc75354.tmweb.ru | - | High
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://research.checkpoint.com/2020/mobile-as-attack-vector-using-mdm/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
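Review bot: the single IOC `1 | 91.210.169.114 | 490023-cc75354.tmweb.ru | - | High` has a hostname of the auto-generated form that shared hosting providers assign to customer accounts, so the IP is very likely shared with unrelated tenants; High confidence on a lone shared-hosting address invites collateral blocking. Either lower the confidence, note the hosting context, or add the hostname or URL path that was actually observed so consumers can match more narrowly than by IP.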
@ -1,12 +1,12 @@
|
|||
# Chafer - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Chafer](https://vuldb.com/?actor.chafer). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Chafer](https://vuldb.com/?actor.chafer). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.chafer](https://vuldb.com/?actor.chafer)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.chafer](https://vuldb.com/?actor.chafer)
|
||||
|
||||
## Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Chafer:
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Chafer:
|
||||
|
||||
* US
|
||||
* RU
|
||||
|
@ -17,33 +17,33 @@ There are 18 more country items available. Please use our online service to acce
|
|||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Chafer.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Chafer.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 83.142.230.113 | - | High
|
||||
2 | 89.38.97.112 | 89-38-97-112.hosted-by-worldstream.net | High
|
||||
3 | 89.38.97.115 | 89-38-97-115.hosted-by-worldstream.net | High
|
||||
4 | ... | ... | ...
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 83.142.230.113 | - | - | High
|
||||
2 | 89.38.97.112 | 89-38-97-112.hosted-by-worldstream.net | - | High
|
||||
3 | 89.38.97.115 | 89-38-97-115.hosted-by-worldstream.net | - | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 7 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Chafer. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Chafer. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1059.007 | Cross Site Scripting | High
|
||||
2 | T1068 | Execution with Unnecessary Privileges | High
|
||||
3 | T1211 | 7PK Security Features | High
|
||||
4 | ... | ... | ...
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1211 | CWE-254 | 7PK Security Features | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 3 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Chafer. This data is unique as it uses our predictive model for actor profiling.
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Chafer. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
|
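Review bot: `3 | T1211 | CWE-254 | 7PK Security Features | High` in the new TTP table maps an ATT&CK technique (T1211, Exploitation for Defense Evasion) to CWE-254, which is the Seven Pernicious Kingdoms "Security Features" category rather than a concrete weakness, and the Description column then repeats that category title. A category gives a consumer nothing to check; map to a specific CWE where the model has one, and otherwise mark the Weakness cell as a category (or `-`) rather than presenting it alongside real weaknesses such as CWE-79. As on the other actor pages, the Description column documents the CWE, not the ATT&CK technique, and should be labelled accordingly.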
@ -55,18 +55,18 @@ ID | Type | Indicator | Confidence
|
|||
6 | File | `/uncpath/` | Medium
|
||||
7 | ... | ... | ...
|
||||
|
||||
There are 49 more IOA items available. Please use our online service to access the data.
|
||||
There are 49 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://www.threatminer.org/report.php?q=Chafer_LatestAttacksRevealHeightenedAmbitions_SymantecBlogs.pdf&y=2018
|
||||
* https://www.threatminer.org/_reports/2019/NewPython-BasedPayloadMechaFlounderUsedbyChafer.pdf#viewer.action=download
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
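Review bot: the second reference URL (`https://www.threatminer.org/_reports/2019/NewPython-BasedPayloadMechaFlounderUsedbyChafer.pdf#viewer.action=download`) carries a `#viewer.action=download` fragment that is interpreted client-side by the PDF viewer and is not part of the resource; strip it so the reference is a stable document URL. Since both references point at a mirror, consider adding the original publisher URLs alongside, as the Carbanak page does.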
@ -1,12 +1,18 @@
|
|||
# Charming Kitten - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Charming Kitten](https://vuldb.com/?actor.charming_kitten). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Charming Kitten](https://vuldb.com/?actor.charming_kitten). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.charming_kitten](https://vuldb.com/?actor.charming_kitten)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.charming_kitten](https://vuldb.com/?actor.charming_kitten)
|
||||
|
||||
## Campaigns
|
||||
|
||||
The following _campaigns_ are known and can be associated with Charming Kitten:
|
||||
|
||||
* Log4Shell
|
||||
|
||||
## Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Charming Kitten:
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Charming Kitten:
|
||||
|
||||
* NL
|
||||
* CN
|
||||
|
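Review bot: the campaign added under `## Campaigns` is named `Log4Shell`, which is the public nickname of the exploited vulnerability rather than of this actor's operation; any actor that exploited Log4j would receive the same label, so the tag will not distinguish campaigns across actor pages, and a consumer filtering the IOC table by campaign gets vulnerability nicknames and operation names (`Anunak`, `Grand Mars` on the Carbanak page) mixed in one column. Prefer a name tied to the actor's activity, or prefix such entries consistently (e.g. `Log4Shell exploitation`) so the convention is recognisable.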
@ -17,99 +23,100 @@ There are 23 more country items available. Please use our online service to acce
|
|||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Charming Kitten.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Charming Kitten.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 5.79.69.198 | - | High
|
||||
2 | 5.79.69.206 | - | High
|
||||
3 | 5.79.105.153 | - | High
|
||||
4 | 5.79.105.156 | - | High
|
||||
5 | 5.79.105.161 | - | High
|
||||
6 | 5.79.105.165 | - | High
|
||||
7 | 5.152.202.51 | h5-152-202-51.host.redstation.co.uk | High
|
||||
8 | 5.152.202.52 | h5-152-202-52.host.redstation.co.uk | High
|
||||
9 | 31.3.236.90 | h31-3-236-90.host.redstation.co.uk | High
|
||||
10 | 31.3.236.91 | h31-3-236-91.host.redstation.co.uk | High
|
||||
11 | 31.3.236.92 | h31-3-236-92.host.redstation.co.uk | High
|
||||
12 | 37.220.8.13 | h37-220-8-13.host.redstation.co.uk | High
|
||||
13 | 46.17.97.37 | - | High
|
||||
14 | 46.17.97.40 | - | High
|
||||
15 | 46.17.97.240 | - | High
|
||||
16 | 46.17.97.243 | - | High
|
||||
17 | 51.254.254.217 | me14.mecide.com | High
|
||||
18 | 51.255.28.57 | - | High
|
||||
19 | 54.36.217.8 | ip8.ip-54-36-217.eu | High
|
||||
20 | 54.37.164.254 | - | High
|
||||
21 | 69.30.221.126 | - | High
|
||||
22 | ... | ... | ...
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 5.79.69.198 | - | - | High
|
||||
2 | 5.79.69.206 | - | - | High
|
||||
3 | 5.79.105.153 | - | - | High
|
||||
4 | 5.79.105.156 | - | - | High
|
||||
5 | 5.79.105.161 | - | - | High
|
||||
6 | 5.79.105.165 | - | - | High
|
||||
7 | 5.152.202.51 | h5-152-202-51.host.redstation.co.uk | - | High
|
||||
8 | 5.152.202.52 | h5-152-202-52.host.redstation.co.uk | - | High
|
||||
9 | 31.3.236.90 | h31-3-236-90.host.redstation.co.uk | - | High
|
||||
10 | 31.3.236.91 | h31-3-236-91.host.redstation.co.uk | - | High
|
||||
11 | 31.3.236.92 | h31-3-236-92.host.redstation.co.uk | - | High
|
||||
12 | 37.220.8.13 | h37-220-8-13.host.redstation.co.uk | - | High
|
||||
13 | 46.17.97.37 | - | - | High
|
||||
14 | 46.17.97.40 | - | - | High
|
||||
15 | 46.17.97.240 | - | - | High
|
||||
16 | 46.17.97.243 | - | - | High
|
||||
17 | 51.254.254.217 | me14.mecide.com | - | High
|
||||
18 | 51.255.28.57 | - | - | High
|
||||
19 | 54.36.217.8 | ip8.ip-54-36-217.eu | - | High
|
||||
20 | 54.37.164.254 | - | - | High
|
||||
21 | 54.38.49.6 | ip6.ip-54-38-49.eu | Log4Shell | High
|
||||
22 | 69.30.221.126 | - | - | High
|
||||
23 | ... | ... | ... | ...
|
||||
|
||||
There are 86 more IOC items available. Please use our online service to access the data.
|
||||
There are 88 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Charming Kitten. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Charming Kitten. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1059.007 | Cross Site Scripting | High
|
||||
2 | T1068 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ...
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 7 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Charming Kitten. This data is unique as it uses our predictive model for actor profiling.
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Charming Kitten. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `.travis.yml` | Medium
|
||||
2 | File | `/.env` | Low
|
||||
3 | File | `/?module=users§ion=cpanel&page=list` | High
|
||||
4 | File | `/admin.php` | Medium
|
||||
5 | File | `/admin/powerline` | High
|
||||
6 | File | `/admin/syslog` | High
|
||||
7 | File | `/api/upload` | Medium
|
||||
8 | File | `/cgi-bin` | Medium
|
||||
9 | File | `/context/%2e/WEB-INF/web.xml` | High
|
||||
10 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
|
||||
11 | File | `/medical/inventories.php` | High
|
||||
12 | File | `/monitoring` | Medium
|
||||
13 | File | `/new` | Low
|
||||
14 | File | `/plugins/servlet/audit/resource` | High
|
||||
15 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
|
||||
16 | File | `/proc/<pid>/status` | High
|
||||
17 | File | `/public/plugins/` | High
|
||||
18 | File | `/replication` | Medium
|
||||
19 | File | `/RestAPI` | Medium
|
||||
20 | File | `/scripts/killpvhost` | High
|
||||
21 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
22 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
|
||||
23 | File | `/tmp` | Low
|
||||
24 | File | `/tmp/redis.ds` | High
|
||||
25 | File | `/uncpath/` | Medium
|
||||
26 | File | `/var/log/nginx` | High
|
||||
27 | File | `/wp-admin` | Medium
|
||||
28 | File | `/wp-json/wc/v3/webhooks` | High
|
||||
29 | File | `actions/CompanyDetailsSave.php` | High
|
||||
30 | File | `ActiveServices.java` | High
|
||||
31 | ... | ... | ...
|
||||
4 | File | `/admin/powerline` | High
|
||||
5 | File | `/admin/syslog` | High
|
||||
6 | File | `/api/upload` | Medium
|
||||
7 | File | `/cgi-bin` | Medium
|
||||
8 | File | `/context/%2e/WEB-INF/web.xml` | High
|
||||
9 | File | `/medical/inventories.php` | High
|
||||
10 | File | `/monitoring` | Medium
|
||||
11 | File | `/new` | Low
|
||||
12 | File | `/plugins/servlet/audit/resource` | High
|
||||
13 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
|
||||
14 | File | `/proc/<pid>/status` | High
|
||||
15 | File | `/public/plugins/` | High
|
||||
16 | File | `/replication` | Medium
|
||||
17 | File | `/RestAPI` | Medium
|
||||
18 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
19 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
|
||||
20 | File | `/tmp` | Low
|
||||
21 | File | `/uncpath/` | Medium
|
||||
22 | File | `/var/log/nginx` | High
|
||||
23 | File | `/wp-json/wc/v3/webhooks` | High
|
||||
24 | File | `AccountManagerService.java` | High
|
||||
25 | File | `actions/CompanyDetailsSave.php` | High
|
||||
26 | File | `ActiveServices.java` | High
|
||||
27 | File | `admin.php` | Medium
|
||||
28 | File | `admin/?n=user&c=admin_user&a=doGetUserInfo` | High
|
||||
29 | File | `admin/add-glossary.php` | High
|
||||
30 | ... | ... | ...
|
||||
|
||||
There are 262 more IOA items available. Please use our online service to access the data.
|
||||
There are 258 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://github.com/blackorbird/APT_REPORT/tree/master/Charming%20Kitten
|
||||
* https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/
|
||||
* https://vxug.fakedoma.in/archive/APTs/2021/2021.01.08/Charming%20Kitten.pdf
|
||||
* https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
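Review bot: row 3 of the IOA table, `/?module=users§ion=cpanel&page=list`, contains a `§` where the query string almost certainly read `&section=`: the `&sect` prefix of `&section` has been decoded as the HTML entity `&sect;`. The row is unchanged context in this hunk, but IOA strings are matched literally, so the corrupted form will never match a real request; re-export it from the raw value and check the other IOA rows for the same entity decoding (`&copy`, `&para` and `&reg` prefixes are the usual victims). Also worth a look: `/admin.php` (old row 4) disappears while `admin.php` (new row 27) appears, and `/wp-admin` is dropped; if this reflects a change in path normalisation rather than in the data, say so in the commit message, because consumers doing exact matching will see these as different indicators.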
@ -1,75 +1,83 @@
|
|||
# Cobalt Group - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Cobalt Group](https://vuldb.com/?actor.cobalt_group). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Cobalt Group](https://vuldb.com/?actor.cobalt_group). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.cobalt_group](https://vuldb.com/?actor.cobalt_group)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.cobalt_group](https://vuldb.com/?actor.cobalt_group)
|
||||
|
||||
## Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Cobalt Group:
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Cobalt Group:
* DE
|
||||
* PL
|
||||
* IT
|
||||
* DE
|
||||
* SV
|
||||
* ...
There are 8 more country items available. Please use our online service to access the data.
|
||||
There are 5 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Cobalt Group.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Cobalt Group.
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 5.45.66.161 | - | High
|
||||
2 | 5.135.237.216 | - | High
|
||||
3 | 23.152.0.210 | nordns.crowncloud.net | High
|
||||
4 | 23.249.164.26 | - | High
|
||||
5 | 37.1.207.202 | free.ispiria.net | High
|
||||
6 | 46.21.147.61 | 61.147.21.46.in-addr.arpa | High
|
||||
7 | 46.102.152.157 | - | High
|
||||
8 | ... | ... | ...
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 5.45.66.161 | - | - | High
|
||||
2 | 5.135.237.216 | - | - | High
|
||||
3 | 23.152.0.210 | nordns.crowncloud.net | - | High
|
||||
4 | 23.249.164.26 | - | - | High
|
||||
5 | ... | ... | ... | ...
There are 13 more IOC items available. Please use our online service to access the data.
|
||||
There are 16 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Cobalt Group. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Cobalt Group. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1040 | Authentication Bypass by Capture-replay | High
|
||||
2 | T1059.007 | Cross Site Scripting | High
|
||||
3 | T1068 | Execution with Unnecessary Privileges | High
|
||||
4 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
5 | T1211 | 7PK Security Features | High
|
||||
6 | ... | ... | ...
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
|
||||
2 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
3 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
4 | ... | ... | ... | ...
There are 10 more TTP items available. Please use our online service to access the data.
|
||||
There are 8 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Cobalt Group. This data is unique as it uses our predictive model for actor profiling.
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Cobalt Group. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `%PROGRAMDATA%\WrData\PKG` | High
|
||||
2 | File | `%PROGRAMFILES%\Cylance\Desktop\log` | High
|
||||
3 | File | `.gitolite.rc` | Medium
|
||||
4 | File | `.xserverrc` | Medium
|
||||
5 | File | `/+CSCOE+/logon.html` | High
|
||||
6 | File | `/.vnc/sesman_${username}_passwd` | High
|
||||
7 | File | `/32` | Low
|
||||
8 | File | `/?/admin/page/edit/3` | High
|
||||
9 | File | `/?/admin/snippet/add` | High
|
||||
10 | File | `/?mobile=1` | Medium
|
||||
11 | ... | ... | ...
|
||||
1 | File | `/account/login` | High
|
||||
2 | File | `/admin.back` | Medium
|
||||
3 | File | `/admin.html?do=user&act=add` | High
|
||||
4 | File | `/admin/index.php/template/edit` | High
|
||||
5 | File | `/administrator/components/menu/` | High
|
||||
6 | File | `/controller/CommentAdminController.java` | High
|
||||
7 | File | `/event-management/index.php` | High
|
||||
8 | File | `/goform/change_password_process` | High
|
||||
9 | File | `/goform/edit_opt` | High
|
||||
10 | File | `/hdf5/src/H5Fint.c` | High
|
||||
11 | File | `/jeecg-boot/sys/user/queryUserByDepId` | High
|
||||
12 | File | `/jerry-core/ecma/base/ecma-literal-storage.c` | High
|
||||
13 | File | `/jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c` | High
|
||||
14 | File | `/jerry-core/ecma/operations/ecma-objects.c` | High
|
||||
15 | File | `/secure/admin/ImporterFinishedPage.jspa` | High
|
||||
16 | File | `/src/njs_object.c` | High
|
||||
17 | File | `/template/unzip.do` | High
|
||||
18 | File | `/wp-json/wc/v3/webhooks` | High
|
||||
19 | File | `AccountManagerService.java` | High
|
||||
20 | File | `account_sponsor_page.php` | High
|
||||
21 | File | `act.php` | Low
|
||||
22 | File | `adduser.do` | Medium
|
||||
23 | File | `admin.php` | Medium
|
||||
24 | ... | ... | ...
There are 2399 more IOA items available. Please use our online service to access the data.
|
||||
There are 196 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html
|
||||
* https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-integrates-cve-2017-0199-utilized-cobalt-group-target
|
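Review bot: in the new TTP table (`ID | Technique | Weakness | Description | Confidence`) the Description column still holds a CWE title, not the ATT&CK technique name, and it does not always match the Weakness column either: `1 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High` describes CWE-294 while T1040 in ATT&CK is Network Sniffing, and `3 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High` gives the title of CWE-250, which is not one of the two IDs listed. Now that Weakness is its own column, either rename Description to the weakness title it carries and make it agree with the IDs, or add the technique name so a reader can check the mapping. Two smaller points: the country list gains `* SV`, which is El Salvador in ISO 3166-1, so confirm that is intended rather than a slip for SE; and the IOA footer drops from `There are 2399 more IOA items available` to `There are 196 more IOA items available (file, library, argument, input value, pattern, network port)`, a ten-fold cut that the commit message "Update" does not explain, so a reader comparing snapshots cannot tell whether the data was regenerated or filtered.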
@ -80,11 +88,11 @@ The following list contains external sources which discuss the actor and the ass
## Literature
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
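Review bot: the `?doc.*` to `?kb.*` link change is applied to the Literature entry and the three License links here, and the intro paragraph of this page made the same move in the hunk above, but the commit message "Update" does not record that the VulDB documentation paths moved. The other actor pages in this commit already use `?kb.cti`, so a repository-wide search for `vuldb.com/?doc.` would confirm no stale links remain; the copyright range bump to `1997-2022` alongside it suggests these pages are regenerated rather than hand-edited, in which case the generator template is where any leftover `?doc.` reference should be fixed.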
@ -1,12 +1,12 @@
# CoinMiner - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [CoinMiner](https://vuldb.com/?actor.coinminer). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [CoinMiner](https://vuldb.com/?actor.coinminer). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.coinminer](https://vuldb.com/?actor.coinminer)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.coinminer](https://vuldb.com/?actor.coinminer)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with CoinMiner:
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with CoinMiner:
* DE
|
||||
* US
@ -17,41 +17,41 @@ There are 3 more country items available. Please use our online service to acces
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of CoinMiner.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of CoinMiner.
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 5.196.13.29 | 29.ip-5-196-13.eu | High
|
||||
2 | 5.196.23.240 | 240.ip-5-196-23.eu | High
|
||||
3 | 13.107.21.200 | - | High
|
||||
4 | 18.210.126.40 | ec2-18-210-126-40.compute-1.amazonaws.com | Medium
|
||||
5 | 23.21.48.44 | ec2-23-21-48-44.compute-1.amazonaws.com | Medium
|
||||
6 | 23.21.76.253 | ec2-23-21-76-253.compute-1.amazonaws.com | Medium
|
||||
7 | 23.21.126.66 | ec2-23-21-126-66.compute-1.amazonaws.com | Medium
|
||||
8 | 23.21.140.41 | ec2-23-21-140-41.compute-1.amazonaws.com | Medium
|
||||
9 | 23.21.252.4 | ec2-23-21-252-4.compute-1.amazonaws.com | Medium
|
||||
10 | 49.12.80.38 | static.38.80.12.49.clients.your-server.de | High
|
||||
11 | 49.12.80.40 | static.40.80.12.49.clients.your-server.de | High
|
||||
12 | ... | ... | ...
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 5.196.13.29 | 29.ip-5-196-13.eu | - | High
|
||||
2 | 5.196.23.240 | 240.ip-5-196-23.eu | - | High
|
||||
3 | 13.107.21.200 | - | - | High
|
||||
4 | 18.210.126.40 | ec2-18-210-126-40.compute-1.amazonaws.com | - | Medium
|
||||
5 | 23.21.48.44 | ec2-23-21-48-44.compute-1.amazonaws.com | - | Medium
|
||||
6 | 23.21.76.253 | ec2-23-21-76-253.compute-1.amazonaws.com | - | Medium
|
||||
7 | 23.21.126.66 | ec2-23-21-126-66.compute-1.amazonaws.com | - | Medium
|
||||
8 | 23.21.140.41 | ec2-23-21-140-41.compute-1.amazonaws.com | - | Medium
|
||||
9 | 23.21.252.4 | ec2-23-21-252-4.compute-1.amazonaws.com | - | Medium
|
||||
10 | 49.12.80.38 | static.38.80.12.49.clients.your-server.de | - | High
|
||||
11 | 49.12.80.40 | static.40.80.12.49.clients.your-server.de | - | High
|
||||
12 | ... | ... | ... | ...
There are 46 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by CoinMiner. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by CoinMiner. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1059.007 | Cross Site Scripting | High
|
||||
2 | T1068 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ...
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
There are 6 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by CoinMiner. This data is unique as it uses our predictive model for actor profiling.
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by CoinMiner. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
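Review bot: row `3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High` pairs a CWE identifier with the wrong title: CWE-798 is Use of Hard-coded Credentials, and "Improper Restriction of Excessive Authentication Attempts" is the title of CWE-307. Either the Weakness column or the Description column is wrong, and the same row appears verbatim in the Conficker and Confucius tables later in this commit, so the fix belongs in the mapping the pages are generated from rather than in this file. On the IOC table, `3 | 13.107.21.200 | - | - | High` has no hostname and no campaign yet carries High confidence; that address sits in a Microsoft-operated range and is commonly seen as a bing.com front end, so it is worth checking that it is attacker infrastructure rather than a destination the miner samples merely contacted, because anyone feeding this table into a blocklist will otherwise block legitimate traffic.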
@ -94,17 +94,16 @@ ID | Type | Indicator | Confidence
37 | File | `bios.php` | Medium
|
||||
38 | File | `cadastro_usuario.php` | High
|
||||
39 | File | `cartman.php` | Medium
|
||||
40 | File | `cgi-bin/module/sysmanager/admin/SYSAdminUserDialog` | High
|
||||
41 | File | `cgi-bin/NETGEAR_wpn824v3.cfg` | High
|
||||
40 | File | `cdf.c` | Low
|
||||
41 | File | `cgi-bin/module/sysmanager/admin/SYSAdminUserDialog` | High
|
||||
42 | File | `cgi/actions.py` | High
|
||||
43 | File | `cgiproc` | Low
|
||||
44 | ... | ... | ...
|
||||
43 | ... | ... | ...
There are 376 more IOA items available. Please use our online service to access the data.
|
||||
There are 376 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html
|
||||
* https://blog.talosintelligence.com/2021/02/threat-roundup-0219-0226.html
|
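Review bot: this hunk shows that the ID column is a display index, not a stable key. Inserting `40 | File | cdf.c | Low` and dropping `cgi-bin/NETGEAR_wpn824v3.cfg` and `cgiproc` renumbers every following row (old 42 and 43 become new 41 and 42, and the trailing `44 | ...` becomes `43 | ...`), so anyone diffing these pages between commits must key on the Indicator string, not on the ID. It would also help to say why `cgi-bin/NETGEAR_wpn824v3.cfg` was removed; "Update" does not tell a reader whether it was a false positive or simply aged out, and that distinction matters to whoever already deployed it as a detection.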
@ -117,7 +116,7 @@ The following list contains external sources which discuss the actor and the ass
## Literature
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
@ -0,0 +1,81 @@
# Conficker - Cyber Threat Intelligence
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Conficker](https://vuldb.com/?actor.conficker). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.conficker](https://vuldb.com/?actor.conficker)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Conficker:
* US
|
||||
* NL
|
||||
* FR
|
||||
* ...
There are 10 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Conficker.
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 5.79.74.75 | nl1.zoogvpn.com | - | High
|
||||
2 | 50.57.203.17 | - | - | High
|
||||
3 | 64.71.74.227 | 64.71.74.227.hosted.at.cloudsouth.com | - | High
|
||||
4 | ... | ... | ... | ...
There are 8 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Conficker. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
There are 2 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Conficker. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `.DS_Store` | Medium
|
||||
2 | File | `/api/addusers` | High
|
||||
3 | File | `/ndxzstudio/install.php?p=2` | High
|
||||
4 | File | `/public/login.htm` | High
|
||||
5 | File | `/rom-0` | Low
|
||||
6 | File | `/tmp/csman/0` | Medium
|
||||
7 | File | `/tmp/phpglibccheck` | High
|
||||
8 | File | `/uncpath/` | Medium
|
||||
9 | File | `/websocket/exec` | High
|
||||
10 | File | `add.php` | Low
|
||||
11 | File | `add_comment.php` | High
|
||||
12 | File | `admin/adminsignin.html` | High
|
||||
13 | ... | ... | ...
There are 97 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://blog.netlab.360.com/conficker-domain-abuse/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
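Review bot: the IOA rows in this new file are bare path fragments with no product attached (`1 | File | .DS_Store | Medium`, `5 | File | /rom-0 | Low`, `6 | File | /tmp/csman/0 | Medium`, `8 | File | /uncpath/ | Medium`), and the intro states they come from the actor-profiling model rather than from observed activity. A defender cannot turn `/rom-0` into a detection without knowing which product the path belongs to, and at Low and Medium confidence such a rule would mostly fire on unrelated scanning; adding the vulnerability entry each row was derived from, or at least the product, would make the table usable. The TTP row `3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High` carries the same CWE-798/CWE-307 title mismatch flagged on the CoinMiner table above.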
@ -1,88 +1,133 @@
# Confucius - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Confucius](https://vuldb.com/?actor.confucius). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Confucius](https://vuldb.com/?actor.confucius). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.confucius](https://vuldb.com/?actor.confucius)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.confucius](https://vuldb.com/?actor.confucius)
## Campaigns
The following campaigns are known and can be associated with Confucius:
|
||||
The following _campaigns_ are known and can be associated with Confucius:
* Tibbar
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Confucius:
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Confucius:
* US
|
||||
* LU
|
||||
* DE
|
||||
* CN
|
||||
* GB
|
||||
* ...
There are 5 more country items available. Please use our online service to access the data.
|
||||
There are 21 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Confucius.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Confucius.
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 5.39.23.192 | ip192.ip-5-39-23.eu | High
|
||||
2 | 5.135.85.16 | flotweb-o20.bestonthenet.fr | High
|
||||
3 | 46.165.207.98 | - | High
|
||||
4 | 46.165.207.99 | - | High
|
||||
5 | 46.165.207.108 | - | High
|
||||
6 | 46.165.207.109 | - | High
|
||||
7 | 46.165.207.112 | - | High
|
||||
8 | 46.165.207.113 | - | High
|
||||
9 | ... | ... | ...
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 5.39.23.192 | ip192.ip-5-39-23.eu | - | High
|
||||
2 | 5.135.85.16 | flotweb-o20.bestonthenet.fr | - | High
|
||||
3 | 46.165.207.98 | - | - | High
|
||||
4 | 46.165.207.99 | - | - | High
|
||||
5 | 46.165.207.108 | - | - | High
|
||||
6 | 46.165.207.109 | - | - | High
|
||||
7 | 46.165.207.112 | - | - | High
|
||||
8 | 46.165.207.113 | - | - | High
|
||||
9 | ... | ... | ... | ...
There are 33 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Confucius. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Confucius. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1059.007 | Cross Site Scripting | High
|
||||
2 | T1068 | Execution with Unnecessary Privileges | High
|
||||
3 | T1211 | 7PK Security Features | High
|
||||
4 | ... | ... | ...
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
There are 1 more TTP items available. Please use our online service to access the data.
|
||||
There are 7 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Confucius. This data is unique as it uses our predictive model for actor profiling.
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Confucius. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `.rediscli_history` | High
|
||||
2 | File | `/admin/index.php` | High
|
||||
3 | File | `/core/vb/vurl.php` | High
|
||||
4 | File | `/forum/away.php` | High
|
||||
5 | File | `/out.php` | Medium
|
||||
6 | File | `/uncpath/` | Medium
|
||||
7 | File | `adclick.php` | Medium
|
||||
8 | File | `admin-ajax.php` | High
|
||||
9 | File | `admin/index.php` | High
|
||||
10 | File | `administrator/components/com_media/helpers/media.php` | High
|
||||
11 | File | `adv_pwd_cgi` | Medium
|
||||
12 | ... | ... | ...
|
||||
1 | File | `$SPLUNK_HOME/etc/splunk-launch.conf` | High
|
||||
2 | File | `/+CSCOE+/logon.html` | High
|
||||
3 | File | `/admin/index.php` | High
|
||||
4 | File | `/admin/model/database.class.php` | High
|
||||
5 | File | `/ajax/ImportCertificate` | High
|
||||
6 | File | `/assets/ctx` | Medium
|
||||
7 | File | `/concat?/%2557EB-INF/web.xml` | High
|
||||
8 | File | `/config/getuser` | High
|
||||
9 | File | `/contact/update.php` | High
|
||||
10 | File | `/ext/phar/phar_object.c` | High
|
||||
11 | File | `/get_getnetworkconf.cgi` | High
|
||||
12 | File | `/HNAP1` | Low
|
||||
13 | File | `/index.php?controller=calendar&format=raw&cat[0]=SQLi&task=events` | High
|
||||
14 | File | `/login` | Low
|
||||
15 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
|
||||
16 | File | `/osm/REGISTER.cmd` | High
|
||||
17 | File | `/product_list.php` | High
|
||||
18 | File | `/replication` | Medium
|
||||
19 | File | `/see_more_details.php` | High
|
||||
20 | File | `/supervisor/procesa_carga.php` | High
|
||||
21 | File | `/type.php` | Medium
|
||||
22 | File | `/uncpath/` | Medium
|
||||
23 | File | `/usr/bin/pkexec` | High
|
||||
24 | File | `/usr/local/WowzaStreamingEngine/bin/` | High
|
||||
25 | File | `/zm/index.php` | High
|
||||
26 | File | `4.2.0.CP09` | Medium
|
||||
27 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
28 | File | `802dot1xclientcert.cgi` | High
|
||||
29 | File | `addentry.php` | Medium
|
||||
30 | File | `add_edit_user.asp` | High
|
||||
31 | File | `admin-ajax.php` | High
|
||||
32 | File | `admin.color.php` | High
|
||||
33 | File | `admin.cropcanvas.php` | High
|
||||
34 | File | `admin.joomlaradiov5.php` | High
|
||||
35 | File | `admin.php` | Medium
|
||||
36 | File | `admin/category.inc.php` | High
|
||||
37 | File | `admin/conf_users_edit.php` | High
|
||||
38 | File | `admin/user.php` | High
|
||||
39 | File | `admin/write-post.php` | High
|
||||
40 | File | `administrator/components/com_media/helpers/media.php` | High
|
||||
41 | File | `admin_events.php` | High
|
||||
42 | File | `ajax_new_account.php` | High
|
||||
43 | File | `akocomments.php` | High
|
||||
44 | File | `allopass-error.php` | High
|
||||
45 | File | `announcement.php` | High
|
||||
46 | File | `api_poller.php` | High
|
||||
47 | File | `app.php` | Low
|
||||
48 | File | `apply.cgi` | Medium
|
||||
49 | File | `archiver\index.php` | High
|
||||
50 | File | `artlinks.dispnew.php` | High
|
||||
51 | File | `authorization.do` | High
|
||||
52 | File | `awstats.pl` | Medium
|
||||
53 | File | `backoffice/login.asp` | High
|
||||
54 | File | `bb_usage_stats.php` | High
|
||||
55 | File | `binder.c` | Medium
|
||||
56 | File | `bl-kernel/ajax/upload-images.php` | High
|
||||
57 | ... | ... | ...
There are 88 more IOA items available. Please use our online service to access the data.
|
||||
There are 502 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://github.com/blackorbird/APT_REPORT/blob/master/Confucius/OperationTibbar-A-retaliatory-targeted-attack-from-SouthAsian-APT-Group-Confucius.pdf
|
||||
* https://www.threatminer.org/report.php?q=Confucius%C2%A0Says%E2%80%A6Malware%C2%A0Families%C2%A0Get%C2%A0Further-PaloAltoNetworks.pdf&y=2016
## Literature
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
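Review bot: several new IOA rows are typed `File` but are not file paths. `13 | File | /index.php?controller=calendar&format=raw&cat[0]=SQLi&task=events | High` and `15 | File | /Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp | High` are full request URIs with query strings (row 13 even carries a literal `SQLi` placeholder where the payload would go), and `26 | File | 4.2.0.CP09 | Medium` is a version string. The closing sentence lists the other types the data set supports (argument, input value, pattern, network port), so these rows should use the matching type; a consumer that treats `File` rows as paths to watch will match nothing on them. Also unexplained by the commit message: the country footer moves from `There are 5 more country items` to `There are 21 more country items`, the IOA footer from 88 more to 502 more, and the TTP table swaps `3 | T1211 | 7PK Security Features` for `3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts`, which carries the CWE title mismatch noted on the CoinMiner table.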
@ -1,18 +1,18 @@
# Conti - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Conti](https://vuldb.com/?actor.conti). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Conti](https://vuldb.com/?actor.conti). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.conti](https://vuldb.com/?actor.conti)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.conti](https://vuldb.com/?actor.conti)
## Campaigns
The following campaigns are known and can be associated with Conti:
|
||||
The following _campaigns_ are known and can be associated with Conti:
* Cobalt Strike
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Conti:
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Conti:
* DE
|
||||
* US
|
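Review bot: `* Cobalt Strike` under Campaigns names a tool, not a campaign. Cobalt Strike is a commercial post-exploitation framework, and the next hunk uses the same string as the Campaign value of the IOC row for `82.118.21.1`, so the field now mixes two different pivots: which operation an indicator belongs to versus which framework it served. Move the framework into a tools or malware attribute, or replace the entry with the name of the actual operation, so that a query for "all indicators of campaign X" does not return every beacon host the actor ever used.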
@ -23,33 +23,33 @@ There are 4 more country items available. Please use our online service to acces
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Conti.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Conti.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 23.82.140.137 | - | High
2 | 23.106.160.174 | - | High
3 | 82.118.21.1 | 77626-46583.hyperdomen.com | High
4 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 23.82.140.137 | - | - | High
2 | 23.106.160.174 | - | - | High
3 | 82.118.21.1 | 77626-46583.hyperdomen.com | Cobalt Strike | High
4 | ... | ... | ... | ...
There are 4 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Conti. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Conti. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1211 | 7PK Security Features | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1211 | CWE-254, CWE-358 | 7PK Security Features | High
4 | ... | ... | ... | ...
There are 2 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Conti. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Conti. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
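Review bot: in the TTP table of this hunk the Description column does not describe the Technique column. T1059.007 is ATT&CK "Command and Scripting Interpreter: JavaScript", T1068 is "Exploitation for Privilege Escalation" and T1211 is "Exploitation for Defense Evasion", while the rows read "Cross Site Scripting", "Execution with Unnecessary Privileges" and "7PK Security Features", which are CWE entry names (CWE-79, CWE-250, CWE-254) and belong with the Weakness column this hunk adds. Either rename the column to something like "Weakness description" or fill it with the ATT&CK technique names, otherwise a reader will take "T1059.007 = Cross Site Scripting" as the mapping. Separately, the new Campaign column tags `82.118.21.1 | 77626-46583.hyperdomen.com` with "Cobalt Strike", which is tooling rather than a campaign; if the Campaigns section is meant to hold tool names as well, the sentence introducing it ("The following _campaigns_ are known") should say so.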
@ -84,11 +84,11 @@ ID | Type | Indicator | Confidence
29 | File | `dapur/index.php` | High
30 | ... | ... | ...
There are 256 more IOA items available. Please use our online service to access the data.
There are 256 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://github.com/sophoslabs/IoCs/blob/master/Ransomware-Conti.csv
* https://therecord.media/disgruntled-ransomware-affiliate-leaks-the-conti-gangs-technical-manuals/
@ -96,7 +96,7 @@ The following list contains external sources which discuss the actor and the ass
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
@ -1,18 +1,18 @@
# CopyKittens - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [CopyKittens](https://vuldb.com/?actor.copykittens). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [CopyKittens](https://vuldb.com/?actor.copykittens). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.copykittens](https://vuldb.com/?actor.copykittens)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.copykittens](https://vuldb.com/?actor.copykittens)
## Campaigns
The following campaigns are known and can be associated with CopyKittens:
The following _campaigns_ are known and can be associated with CopyKittens:
* Wilted Tulip
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with CopyKittens:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with CopyKittens:
* PL
* FR
@ -23,47 +23,47 @@ There are 5 more country items available. Please use our online service to acces
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of CopyKittens.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of CopyKittens.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 5.34.180.252 | vds-uuallex-113169.hosted-by-itldc.com | High
2 | 5.34.181.13 | backups231.com | High
3 | 31.192.105.16 | down-it-niscat.cosmeticdentistwellesley.com | High
4 | 31.192.105.17 | most.muatypecast.com | High
5 | 31.192.105.28 | - | High
6 | 38.130.75.20 | h20-us75.fcsrv.net | High
7 | 51.254.76.54 | - | High
8 | 62.109.2.52 | ns.leangroup.ru | High
9 | 62.109.2.109 | l2pvp.life | High
10 | 66.55.152.164 | 66-55-152-164.choopa.net | High
11 | 68.232.180.122 | 68-232-180-122.choopa.net | High
12 | 80.179.42.37 | 80.179.42.37.forward.012.net.il | High
13 | 80.179.42.44 | lnkrten-dazling.linegrace.com | High
14 | 86.105.18.5 | - | High
15 | 93.190.138.137 | 93-190-138-137.hosted-by-worldstream.net | High
16 | 104.200.128.48 | - | High
17 | 104.200.128.58 | - | High
18 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 5.34.180.252 | vds-uuallex-113169.hosted-by-itldc.com | Wilted Tulip | High
2 | 5.34.181.13 | backups231.com | Wilted Tulip | High
3 | 31.192.105.16 | down-it-niscat.cosmeticdentistwellesley.com | Wilted Tulip | High
4 | 31.192.105.17 | - | Wilted Tulip | High
5 | 31.192.105.28 | - | Wilted Tulip | High
6 | 38.130.75.20 | h20-us75.fcsrv.net | Wilted Tulip | High
7 | 51.254.76.54 | - | Wilted Tulip | High
8 | 62.109.2.52 | ns.leangroup.ru | Wilted Tulip | High
9 | 62.109.2.109 | mediclick.ru | - | High
10 | 66.55.152.164 | 66-55-152-164.choopa.net | Wilted Tulip | High
11 | 68.232.180.122 | 68-232-180-122.choopa.net | Wilted Tulip | High
12 | 80.179.42.37 | 80.179.42.37.forward.012.net.il | Wilted Tulip | High
13 | 80.179.42.44 | lnkrten-dazling.linegrace.com | - | High
14 | 86.105.18.5 | - | - | High
15 | 93.190.138.137 | 93-190-138-137.hosted-by-worldstream.net | Wilted Tulip | High
16 | 104.200.128.48 | - | Wilted Tulip | High
17 | 104.200.128.58 | - | Wilted Tulip | High
18 | ... | ... | ... | ...
There are 67 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by CopyKittens. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by CopyKittens. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1040 | Authentication Bypass by Capture-replay | High
2 | T1059.007 | Cross Site Scripting | High
3 | T1068 | Execution with Unnecessary Privileges | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1008 | CWE-757 | Algorithm Downgrade | High
2 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
3 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
4 | ... | ... | ... | ...
There are 9 more TTP items available. Please use our online service to access the data.
There are 10 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by CopyKittens. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by CopyKittens. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
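Review bot: two existing IOC rows in this hunk change their data rather than only gaining the Campaign column, and the commit message ("Update") does not say why: row 4 (`31.192.105.17`) loses its hostname `most.muatypecast.com` and row 9 (`62.109.2.109`) changes from `l2pvp.life` to `mediclick.ru`. Reverse DNS for attacker infrastructure drifts over time, so either keep the earlier hostname alongside the new one or record when the lookup was made; silently overwriting it removes exactly the value an analyst needs to match the indicator against older logs. The TTP change in the same hunk (new row `T1008 | CWE-757 | Algorithm Downgrade`, trailer moving from 9 to 10 more items) is internally consistent, but as in the Conti file the Description column carries the CWE-757 name rather than the ATT&CK name for T1008 ("Fallback Channels").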
@ -73,34 +73,32 @@ ID | Type | Indicator | Confidence
4 | File | `/admin/configure.php` | High
5 | File | `/admin/index.php?lfj=member&action=editmember` | High
6 | File | `/admin/login.php` | High
7 | File | `/admin/media/upload` | High
8 | File | `/api/notify.php` | High
9 | File | `/auth/v1/sso/config/` | High
10 | File | `/EXCU_SHELL` | Medium
11 | File | `/forgetpassword.php` | High
12 | File | `/formAdvFirewall` | High
13 | File | `/function/booksave.php` | High
14 | File | `/home/user/dir` | High
15 | File | `/jerry-core/ecma/base/ecma-helpers-conversion.c` | High
16 | File | `/moddable/xs/sources/xsDataView.c` | High
17 | File | `abc2ps.c` | Medium
18 | File | `acknow.php` | Medium
19 | File | `adminlogin.php` | High
20 | File | `AdminUpdateController.class.php` | High
21 | File | `admin_home.php` | High
22 | File | `allocator.cc` | Medium
23 | File | `AndroidManifest.xml` | High
24 | File | `archeryscores.php` | High
25 | File | `archive_read_support_format_iso9660.c` | High
26 | File | `AscoServer.exe` | High
27 | File | `AudioOutputSpeech.cpp` | High
28 | ... | ... | ...
7 | File | `/api/notify.php` | High
8 | File | `/box_code_base.c` | High
9 | File | `/EXCU_SHELL` | Medium
10 | File | `/forgetpassword.php` | High
11 | File | `/formAdvFirewall` | High
12 | File | `/function/booksave.php` | High
13 | File | `/home/user/dir` | High
14 | File | `/jerry-core/ecma/base/ecma-helpers-conversion.c` | High
15 | File | `/moddable/xs/sources/xsDataView.c` | High
16 | File | `abc2ps.c` | Medium
17 | File | `acknow.php` | Medium
18 | File | `adminlogin.php` | High
19 | File | `admin_home.php` | High
20 | File | `allocator.cc` | Medium
21 | File | `AndroidManifest.xml` | High
22 | File | `archive_read_support_format_iso9660.c` | High
23 | File | `AscoServer.exe` | High
24 | File | `AudioOutputSpeech.cpp` | High
25 | File | `box_code_base.c` | High
26 | ... | ... | ...
There are 239 more IOA items available. Please use our online service to access the data.
There are 216 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf
* https://www.clearskysec.com/copykitten-jpost/
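Review bot: the new IOA rows 8 and 25 are the same indicator written twice, `/box_code_base.c` and `box_code_base.c`; the generator should normalise the leading slash before de-duplicating, otherwise the trailer count (216 more) and any matching keyed on the list are inflated by entries that differ only in form. The hunk also removes `/admin/media/upload`, `/auth/v1/sso/config/`, `AdminUpdateController.class.php` and `archeryscores.php` and shrinks the total from 27 + 239 = 266 to 25 + 216 = 241 entries; a one-line reason for dropping indicators belongs in the commit message, since consumers may already have alerting keyed on the removed paths and cannot tell a retraction from a regression in the export.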
@ -109,7 +107,7 @@ The following list contains external sources which discuss the actor and the ass
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
@ -1,31 +1,31 @@
# Cridex - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Cridex](https://vuldb.com/?actor.cridex). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Cridex](https://vuldb.com/?actor.cridex). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.cridex](https://vuldb.com/?actor.cridex)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.cridex](https://vuldb.com/?actor.cridex)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Cridex:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Cridex:
* US
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Cridex.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Cridex.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 5.135.28.118 | - | High
2 | 37.187.156.123 | ns323845.ip-37-187-156.eu | High
3 | 46.165.241.0 | - | High
4 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 5.135.28.118 | - | - | High
2 | 37.187.156.123 | ns323845.ip-37-187-156.eu | - | High
3 | 46.165.241.0 | - | - | High
4 | ... | ... | ... | ...
There are 10 more IOC items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Cridex. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Cridex. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
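Review bot: the Campaign column added to the Cridex IOC table is `-` in every row, and this file has no Campaigns section at all, so the column carries no information here. If the intent is one schema across every actor file, say so once in the sentence introducing the table ("These _indicators of compromise_ (IOC) indicate ...") so a reader knows `-` means "none recorded" rather than "looked for and not found"; otherwise omit the column for actors without a known campaign.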
@ -33,13 +33,13 @@ ID | Type | Indicator | Confidence
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://gist.githubusercontent.com/BBcan177/bf29d47ea04391cb3eb0/raw/
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
@ -1,52 +1,52 @@
# DEV-0322 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [DEV-0322](https://vuldb.com/?actor.dev-0322). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [DEV-0322](https://vuldb.com/?actor.dev-0322). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.dev-0322](https://vuldb.com/?actor.dev-0322)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.dev-0322](https://vuldb.com/?actor.dev-0322)
## Campaigns
The following campaigns are known and can be associated with DEV-0322:
The following _campaigns_ are known and can be associated with DEV-0322:
* CVE-2021-35211
* ManageEngine ADSelfService Plus
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with DEV-0322:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with DEV-0322:
* US
* CN
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of DEV-0322.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of DEV-0322.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 24.64.36.238 | mail.target-realty.com | High
2 | 45.63.62.109 | 45.63.62.109.vultr.com | Medium
3 | 45.76.173.103 | 45.76.173.103.vultr.com | Medium
4 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 24.64.36.238 | mail.target-realty.com | ManageEngine ADSelfService Plus | High
2 | 45.63.62.109 | 45.63.62.109.vultr.com | ManageEngine ADSelfService Plus | Medium
3 | 45.76.173.103 | 45.76.173.103.vultr.com | ManageEngine ADSelfService Plus | Medium
4 | ... | ... | ... | ...
There are 11 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by DEV-0322. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by DEV-0322. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1499 | Resource Consumption | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1499 | CWE-400, CWE-404 | Resource Consumption | High
4 | ... | ... | ... | ...
There are 2 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by DEV-0322. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by DEV-0322. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
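Review bot: the Campaigns list in this hunk mixes a CVE identifier (`CVE-2021-35211`) with a product name (`ManageEngine ADSelfService Plus`) as campaign names, and the three IOC rows are tagged only with the product one, so the CVE entry has no indicator attached and the Campaign column cannot be filtered consistently. Pick one convention (product, vendor-assigned campaign name, or CVE) and apply it to both entries. Also, rows 2 and 3 (`45.63.62.109.vultr.com`, `45.76.173.103.vultr.com`) are rented VPS addresses rated Medium; a short note on why they rate lower than row 1 (likely the recycling of cloud IPs) would help a reader decide whether to block or only alert on them. The TTP Description column again holds CWE names ("Resource Consumption" is the CWE-400 wording, not the ATT&CK name of T1499, "Endpoint Denial of Service").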
@ -56,18 +56,18 @@ ID | Type | Indicator | Confidence
4 | File | `goform/setUsbUnload` | High
5 | ... | ... | ...
There are 27 more IOA items available. Please use our online service to access the data.
There are 27 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/
* https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
@ -1,45 +1,45 @@
# DNSBirthday - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [DNSBirthday](https://vuldb.com/?actor.dnsbirthday). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [DNSBirthday](https://vuldb.com/?actor.dnsbirthday). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.dnsbirthday](https://vuldb.com/?actor.dnsbirthday)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.dnsbirthday](https://vuldb.com/?actor.dnsbirthday)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with DNSBirthday:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with DNSBirthday:
* US
* RU
* FR
* [US](https://vuldb.com/?country.us)
* [RU](https://vuldb.com/?country.ru)
* [FR](https://vuldb.com/?country.fr)
* ...
There are 1 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of DNSBirthday.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of DNSBirthday.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 176.31.106.50 | ns392559.ip-176-31-106.eu | High
2 | 188.165.205.99 | sys-rbx3-esxi01.ixocloud.com | High
3 | 188.214.30.97 | - | High
4 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [176.31.106.50](https://vuldb.com/?ip.176.31.106.50) | ns392559.ip-176-31-106.eu | - | High
2 | [188.165.205.99](https://vuldb.com/?ip.188.165.205.99) | sys-rbx3-esxi01.ixocloud.com | - | High
3 | [188.214.30.97](https://vuldb.com/?ip.188.214.30.97) | - | - | High
4 | ... | ... | ... | ...
There are 1 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by DNSBirthday. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by DNSBirthday. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by DNSBirthday. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by DNSBirthday. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
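Review bot: this is the only file in the commit whose country codes and IP addresses become links (`[US](https://vuldb.com/?country.us)`, `[176.31.106.50](https://vuldb.com/?ip.176.31.106.50)`); the Conti, CopyKittens, Cridex and DEV-0322 files in the same commit keep plain `* US` and bare addresses. Apply the linked form to every actor file in one change or leave it out of this one, so the export stays uniform and anything parsing the IP column does not have to accept both a bare address and a markdown link. Minor: the generated trailer "There are 1 more country items available" should read "There is 1 more country item available" if the template can handle the singular.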
@ -48,17 +48,17 @@ ID | Type | Indicator | Confidence
3 | File | `data/gbconfiguration.dat` | High
4 | ... | ... | ...
There are 19 more IOA items available. Please use our online service to access the data.
There are 19 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://github.com/eset/malware-ioc/tree/master/dnsbirthday
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
@ -1,75 +1,79 @@
# DanaBot - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [DanaBot](https://vuldb.com/?actor.danabot). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [DanaBot](https://vuldb.com/?actor.danabot). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.danabot](https://vuldb.com/?actor.danabot)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.danabot](https://vuldb.com/?actor.danabot)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with DanaBot:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with DanaBot:
* US
* CN
* AT
* ...
There are 2 more country items available. Please use our online service to access the data.
There are 5 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of DanaBot.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of DanaBot.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 5.8.55.205 | carpbaboon.com | High
|
||||
2 | 31.214.157.12 | mail.private-mail.nl | High
|
||||
3 | 47.74.130.165 | - | High
|
||||
4 | ... | ... | ...
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 5.8.55.205 | carpbaboon.com | - | High
|
||||
2 | 31.214.157.12 | mail.private-mail.nl | - | High
|
||||
3 | 47.74.130.165 | - | - | High
|
||||
4 | 84.54.37.102 | - | - | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 9 more IOC items available. Please use our online service to access the data.
|
||||
There are 18 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by DanaBot. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by DanaBot. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1059.007 | Cross Site Scripting | High
|
||||
2 | T1068 | Execution with Unnecessary Privileges | High
|
||||
3 | T1211 | 7PK Security Features | High
|
||||
4 | ... | ... | ...
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1211 | CWE-358 | 7PK Security Features | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 3 more TTP items available. Please use our online service to access the data.
|
||||
There are 4 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by DanaBot. This data is unique as it uses our predictive model for actor profiling.
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by DanaBot. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `.htaccess` | Medium
|
||||
2 | File | `/addnews.html` | High
|
||||
3 | File | `/cm/delete` | Medium
|
||||
4 | File | `/redpass.cgi` | Medium
|
||||
5 | File | `/uncpath/` | Medium
|
||||
6 | File | `add-category.php` | High
|
||||
7 | File | `add_comment.php` | High
|
||||
8 | File | `admin.php` | Medium
|
||||
9 | File | `admin/admin.shtml` | High
|
||||
10 | File | `admin/user.php?form=update_f&user_name` | High
|
||||
11 | ... | ... | ...
|
||||
2 | File | `/account/ResetPassword` | High
|
||||
3 | File | `/addnews.html` | High
|
||||
4 | File | `/cm/delete` | Medium
|
||||
5 | File | `/download` | Medium
|
||||
6 | File | `/redpass.cgi` | Medium
|
||||
7 | File | `/uncpath/` | Medium
|
||||
8 | File | `add-category.php` | High
|
||||
9 | File | `add_comment.php` | High
|
||||
10 | File | `admin.php` | Medium
|
||||
11 | File | `admin/admin.shtml` | High
|
||||
12 | File | `admin/user.php?form=update_f&user_name` | High
|
||||
13 | ... | ... | ...
|
||||
|
||||
There are 81 more IOA items available. Please use our online service to access the data.
|
||||
There are 102 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://github.com/eset/malware-ioc/tree/master/danabot
|
||||
* https://research.checkpoint.com/2019/danabot-demands-a-ransom-payment/
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
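Review bot: in the new TTP table the Description column still carries CWE titles rather than ATT&CK technique names, so `1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting` reads as if T1059.007 were XSS, when in ATT&CK it is Command and Scripting Interpreter: JavaScript, and `3 | T1211 | CWE-358 | 7PK Security Features` names the CWE-254 category, not Exploitation for Defense Evasion (CWE-358 is Improperly Implemented Security Check for Standard). Now that the weakness IDs have their own Weakness column, either rename Description to something like "Weakness" or add the technique title beside the ID, so the CWE-to-technique mapping is explicit and a reader does not take the CWE name as the technique. The new Campaign column in the IOC table is `-` on all four rows, which is consistent with this README having no Campaigns section, but the generator should leave the column out, or fill it, rather than emit a column that is always empty.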
@ -1,50 +1,72 @@
|
|||
# Darkode - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Darkode](https://vuldb.com/?actor.darkode). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Darkode](https://vuldb.com/?actor.darkode). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.darkode](https://vuldb.com/?actor.darkode)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.darkode](https://vuldb.com/?actor.darkode)
|
||||
|
||||
## Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Darkode:
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Darkode:
|
||||
|
||||
* DE
|
||||
* US
|
||||
* RU
|
||||
* IR
|
||||
* ...
|
||||
|
||||
There are 8 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Darkode.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Darkode.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 80.82.66.204 | no-reverse-dns-configured.com | High
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 80.82.66.204 | no-reverse-dns-configured.com | - | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Darkode. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Darkode. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1059.007 | Cross Site Scripting | High
|
||||
2 | T1068 | Execution with Unnecessary Privileges | High
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-250, CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 5 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Darkode. This data is unique as it uses our predictive model for actor profiling.
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Darkode. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `data/gbconfiguration.dat` | High
|
||||
1 | File | `/cgi-bin/user/Config.cgi` | High
|
||||
2 | File | `/htdocs/cgibin` | High
|
||||
3 | File | `/uncpath/` | Medium
|
||||
4 | File | `/videotalk` | Medium
|
||||
5 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
6 | File | `activity_log.php` | High
|
||||
7 | File | `adm/systools.asp` | High
|
||||
8 | File | `admin/getparam.cgi` | High
|
||||
9 | File | `adminCons.php` | High
|
||||
10 | File | `ajax_list_accounts.php` | High
|
||||
11 | File | `auth-options.c` | High
|
||||
12 | File | `cdf.c` | Low
|
||||
13 | ... | ... | ...
|
||||
|
||||
There are 104 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://ddanchev.blogspot.com/2021/10/exposing-darkode-forum-bust-and.html
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
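Review bot: `2 | T1068 | CWE-250, CWE-264, CWE-284 | Execution with Unnecessary Privileges` lists three weaknesses here while the other actor tables in this commit (DanaBot, Deep Panda, DetaRAT, Dofoil) list only `CWE-264, CWE-284` for the identical technique and description; since CWE-250 is the CWE whose title is "Execution with Unnecessary Privileges", the two-CWE rows look like the incomplete ones. The generator should emit one fixed mapping per technique so the Weakness column is comparable across actors, or the per-actor difference should be explained in the TTP intro. Separately, the IOA rows `auth-options.c` (OpenSSH) and `cdf.c` (file/libmagic) are source file names identifying a vulnerable component, not paths an attacker requests; Low for `cdf.c` fits, but High for `auth-options.c` is generous for a token that never appears on the wire.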
@ -1,41 +1,41 @@
|
|||
# Deep Panda - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Deep Panda](https://vuldb.com/?actor.deep_panda). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Deep Panda](https://vuldb.com/?actor.deep_panda). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.deep_panda](https://vuldb.com/?actor.deep_panda)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.deep_panda](https://vuldb.com/?actor.deep_panda)
|
||||
|
||||
## Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Deep Panda:
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Deep Panda:
|
||||
|
||||
* CA
|
||||
* US
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Deep Panda.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Deep Panda.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 1.9.5.38 | - | High
|
||||
2 | 142.91.76.134 | mx3.29v.info | High
|
||||
3 | 184.71.210.4 | - | High
|
||||
4 | ... | ... | ...
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 1.9.5.38 | - | - | High
|
||||
2 | 142.91.76.134 | mx3.29v.info | - | High
|
||||
3 | 184.71.210.4 | - | - | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 3 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Deep Panda. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Deep Panda. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1068 | Execution with Unnecessary Privileges | High
|
||||
2 | T1222 | Permission Issues | High
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
2 | T1222 | CWE-275 | Permission Issues | High
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Deep Panda. This data is unique as it uses our predictive model for actor profiling.
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Deep Panda. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
|
@ -44,11 +44,11 @@ ID | Type | Indicator | Confidence
|
|||
3 | File | `pkg/tool/path.go` | High
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 4 more IOA items available. Please use our online service to access the data.
|
||||
There are 4 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://threatconnect.com/blog/the-anthem-hack-all-roads-lead-to-china/
|
||||
* https://www.rsa.com/content/dam/en/white-paper/rsa-incident-response-emerging-threat-profile-shell-crew.pdf
|
||||
|
@ -57,7 +57,7 @@ The following list contains external sources which discuss the actor and the ass
|
|||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
@ -1,12 +1,12 @@
|
|||
# DetaRAT - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [DetaRAT](https://vuldb.com/?actor.detarat). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [DetaRAT](https://vuldb.com/?actor.detarat). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.detarat](https://vuldb.com/?actor.detarat)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.detarat](https://vuldb.com/?actor.detarat)
|
||||
|
||||
## Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with DetaRAT:
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with DetaRAT:
|
||||
|
||||
* US
|
||||
* DE
|
||||
|
@ -14,29 +14,29 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
|
|||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of DetaRAT.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of DetaRAT.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 173.212.224.110 | vmi587275.contaboserver.net | High
|
||||
2 | 173.249.50.230 | vmi626137.contaboserver.net | High
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 173.212.224.110 | vmi587275.contaboserver.net | - | High
|
||||
2 | 173.249.50.230 | vmi626137.contaboserver.net | - | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by DetaRAT. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by DetaRAT. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1059.007 | Cross Site Scripting | High
|
||||
2 | T1068 | Execution with Unnecessary Privileges | High
|
||||
3 | T1499 | Resource Consumption | High
|
||||
4 | ... | ... | ...
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1499 | CWE-400, CWE-404, CWE-770 | Resource Consumption | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 2 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by DetaRAT. This data is unique as it uses our predictive model for actor profiling.
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by DetaRAT. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
|
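Review bot: both IOC rows carry hostnames of the form `vmiNNNNNN.contaboserver.net`, which are the hosting provider's default reverse-DNS records for Contabo VPS instances rather than attacker-chosen names; the IPs are usable indicators, but the Hostname column should not be consumed as a domain IOC for this actor, and the provider is the more useful pivot. Consider flagging provider PTR records (here and for the `hosted-by-worldstream.net` and `akamaitechnologies.com` names elsewhere in this commit) so downstream blocklists do not ingest them as malicious domains.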
@ -45,17 +45,17 @@ ID | Type | Indicator | Confidence
|
|||
3 | File | `data/gbconfiguration.dat` | High
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 23 more IOA items available. Please use our online service to access the data.
|
||||
There are 23 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
@ -1,12 +1,12 @@
|
|||
# Dofoil - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Dofoil](https://vuldb.com/?actor.dofoil). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Dofoil](https://vuldb.com/?actor.dofoil). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.dofoil](https://vuldb.com/?actor.dofoil)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.dofoil](https://vuldb.com/?actor.dofoil)
|
||||
|
||||
## Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Dofoil:
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Dofoil:
|
||||
|
||||
* US
|
||||
* DE
|
||||
|
@ -17,32 +17,32 @@ There are 5 more country items available. Please use our online service to acces
|
|||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Dofoil.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Dofoil.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 13.107.21.200 | - | High
|
||||
2 | 23.3.13.137 | a23-3-13-137.deploy.static.akamaitechnologies.com | High
|
||||
3 | 23.6.24.15 | a23-6-24-15.deploy.static.akamaitechnologies.com | High
|
||||
4 | 23.6.65.194 | a23-6-65-194.deploy.static.akamaitechnologies.com | High
|
||||
5 | 23.209.185.159 | a23-209-185-159.deploy.static.akamaitechnologies.com | High
|
||||
6 | ... | ... | ...
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 13.107.21.200 | - | - | High
|
||||
2 | 23.3.13.137 | a23-3-13-137.deploy.static.akamaitechnologies.com | - | High
|
||||
3 | 23.6.24.15 | a23-6-24-15.deploy.static.akamaitechnologies.com | - | High
|
||||
4 | 23.6.65.194 | a23-6-65-194.deploy.static.akamaitechnologies.com | - | High
|
||||
5 | 23.209.185.159 | a23-209-185-159.deploy.static.akamaitechnologies.com | - | High
|
||||
6 | ... | ... | ... | ...
|
||||
|
||||
There are 20 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Dofoil. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Dofoil. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1059.007 | Cross Site Scripting | High
|
||||
2 | T1068 | Execution with Unnecessary Privileges | High
|
||||
3 | T1600 | Cryptographic Issues | High
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1600 | CWE-310 | Cryptographic Issues | High
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Dofoil. This data is unique as it uses our predictive model for actor profiling.
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Dofoil. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
|
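Review bot: IOC rows 2 to 5 resolve to `*.deploy.static.akamaitechnologies.com`, i.e. Akamai CDN edge nodes shared by a very large number of legitimate sites, and row 1 (13.107.21.200) should be checked against Microsoft's published ranges before use; listing these at High confidence with an empty Campaign column will generate false positives for anyone who blocks or alerts on this table. Suggest tagging shared infrastructure explicitly, lowering its confidence, and recording the URL or path that was observed on the CDN rather than the resolved edge IP, since the IP is not attributable to Dofoil.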
@ -57,17 +57,17 @@ ID | Type | Indicator | Confidence
|
|||
9 | File | `data/gbconfiguration.dat` | High
|
||||
10 | ... | ... | ...
|
||||
|
||||
There are 79 more IOA items available. Please use our online service to access the data.
|
||||
There are 79 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://blog.talosintelligence.com/2021/04/threat-roundup-0326-0402.html
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
@ -0,0 +1,76 @@
|
|||
# Domestic Kitten - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Domestic Kitten](https://vuldb.com/?actor.domestic_kitten). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.domestic_kitten](https://vuldb.com/?actor.domestic_kitten)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Domestic Kitten:
|
||||
|
||||
* NL
|
||||
* US
|
||||
* ME
|
||||
* ...
|
||||
|
||||
There are 1 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Domestic Kitten.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 89.38.98.49 | 89-38-98-49.hosted-by-worldstream.net | - | High
|
||||
2 | 162.248.247.172 | - | - | High
|
||||
3 | 190.2.144.140 | 190-2-144-140.hosted-by-worldstream.net | - | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 1 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Domestic Kitten. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 2 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Domestic Kitten. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/hub/api/user` | High
|
||||
2 | File | `/uncpath/` | Medium
|
||||
3 | File | `/wp-content/plugins/forum-server/feed.php` | High
|
||||
4 | File | `app/controllers/application_controller.rb` | High
|
||||
5 | File | `BKFSim_vhfd.exe` | High
|
||||
6 | File | `Cgi/private.py` | High
|
||||
7 | File | `cmd.php` | Low
|
||||
8 | ... | ... | ...
|
||||
|
||||
There are 59 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://research.checkpoint.com/2018/domestic-kitten-an-iranian-surveillance-operation/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

Donot/README.md

@ -1,100 +1,112 @@
# Donot - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Donot](https://vuldb.com/?actor.donot). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Donot](https://vuldb.com/?actor.donot). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.donot](https://vuldb.com/?actor.donot)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.donot](https://vuldb.com/?actor.donot)
## Campaigns
The following campaigns are known and can be associated with Donot:
The following _campaigns_ are known and can be associated with Donot:
* DarkMusical
* Gedit
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Donot:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Donot:
* US
* TR
* GB
* TR
* ...
There are 18 more country items available. Please use our online service to access the data.
There are 24 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Donot.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Donot.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 5.135.19.26 | - | High
2 | 5.135.199.0 | - | High
3 | 37.48.122.145 | - | High
4 | 37.120.140.211 | - | High
5 | 37.120.198.208 | - | High
6 | 37.139.3.130 | - | High
7 | 37.139.28.208 | - | High
8 | 45.33.29.133 | li1046-133.members.linode.com | High
9 | 46.101.204.168 | - | High
10 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 5.135.19.26 | - | - | High
2 | 5.135.199.0 | - | - | High
3 | 37.48.122.145 | - | Gedit | High
4 | 37.120.140.211 | - | - | High
5 | 37.120.198.208 | - | DarkMusical | High
6 | 37.139.3.130 | - | - | High
7 | 37.139.28.208 | - | - | High
8 | 45.33.29.133 | li1046-133.members.linode.com | - | High
9 | 46.101.204.168 | - | - | High
10 | ... | ... | ... | ...
There are 38 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Donot. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Donot. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
There are 6 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Donot. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Donot. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/+CSCOE+/logon.html` | High
2 | File | `/bin/login.php` | High
3 | File | `/Category` | Medium
4 | File | `/de/cgi/dfs_guest/` | High
5 | File | `/event/runquery.do` | High
6 | File | `/htmlcode/html/indexdefault.asp` | High
7 | File | `/out.php` | Medium
8 | File | `/products/details.asp` | High
9 | File | `/system/ws/v11/ss/email` | High
10 | File | `/uncpath/` | Medium
11 | File | `/var/www/xms/application/config/config.php` | High
12 | File | `/var/www/xms/application/controllers/gatherLogs.php` | High
13 | File | `/var/www/xms/application/controllers/verifyLogin.php` | High
14 | File | `/var/www/xms/cleanzip.sh` | High
15 | File | `/wp-admin/admin-ajax.php` | High
16 | File | `adclick.php` | Medium
17 | File | `addentry.php` | Medium
18 | File | `admin/user.php` | High
19 | File | `agent.cfg` | Medium
20 | File | `api/admin/role/save` | High
21 | File | `app/controllers/application_controller.rb` | High
22 | ... | ... | ...
1 | File | `.htaccess` | Medium
2 | File | `/+CSCOE+/logon.html` | High
3 | File | `/.htpasswd` | Medium
4 | File | `/admin/index.php` | High
5 | File | `/bin/login.php` | High
6 | File | `/Category` | Medium
7 | File | `/de/cgi/dfs_guest/` | High
8 | File | `/event/runquery.do` | High
9 | File | `/filemanager/ajax_calls.php` | High
10 | File | `/htmlcode/html/indexdefault.asp` | High
11 | File | `/out.php` | Medium
12 | File | `/products/details.asp` | High
13 | File | `/system/ws/v11/ss/email` | High
14 | File | `/uncpath/` | Medium
15 | File | `/var/www/xms/application/config/config.php` | High
16 | File | `/var/www/xms/application/controllers/gatherLogs.php` | High
17 | File | `/var/www/xms/application/controllers/verifyLogin.php` | High
18 | File | `/var/www/xms/cleanzip.sh` | High
19 | File | `/web/jquery/uploader/multi_uploadify.php` | High
20 | File | `/wp-admin/admin-ajax.php` | High
21 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
22 | File | `about.php` | Medium
23 | File | `adclick.php` | Medium
24 | File | `addentry.php` | Medium
25 | File | `add_vhost.php` | High
26 | File | `admin/default.asp` | High
27 | File | `admin/media/rename.php` | High
28 | File | `admin/user.php` | High
29 | File | `advanced_component_system/index.php` | High
30 | File | `agent.cfg` | Medium
31 | File | `ajax/render/widget_php` | High
32 | File | `ampie.swf` | Medium
33 | File | `announcements.php` | High
34 | ... | ... | ...
There are 181 more IOA items available. Please use our online service to access the data.
There are 293 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://github.com/faisalusuf/ThreatIntelligence/blob/main/APT%20DONOT%20TEAM/Tracking-DONOT-IOCs.csv
* https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
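Review bot: the new Weakness column contradicts the Description column in the TTP rows `2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High` and `3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High`. "Execution with Unnecessary Privileges" is the name of CWE-250, and "Improper Restriction of Excessive Authentication Attempts" is the name of CWE-307, whereas CWE-798 is "Use of Hard-coded Credentials". Either cite the CWE that the description actually names, or keep the listed CWEs and replace the description with the ATT&CK technique name the Technique column refers to (T1068 is Exploitation for Privilege Escalation, T1110.001 is Brute Force: Password Guessing), so that weakness and technique are not mixed in one cell.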
@ -1,12 +1,12 @@
# Downeks - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Downeks](https://vuldb.com/?actor.downeks). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Downeks](https://vuldb.com/?actor.downeks). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.downeks](https://vuldb.com/?actor.downeks)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.downeks](https://vuldb.com/?actor.downeks)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Downeks:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Downeks:
* US
* RU
@ -17,50 +17,48 @@ There are 1 more country items available. Please use our online service to acces
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Downeks.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Downeks.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 185.141.25.68 | - | High
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 185.141.25.68 | - | - | High
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Downeks. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Downeks. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Downeks. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Downeks. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/etc/config/rpcd` | High
2 | File | `cgi-bin/` | Medium
3 | File | `import.php` | Medium
4 | File | `php-fpm.conf.in` | High
5 | File | `profile.php` | Medium
6 | Library | `libraries/server_privileges.lib.php` | High
7 | Argument | `Configuration` | High
8 | Argument | `id` | Low
4 | ... | ... | ...
There are 5 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://www.threatminer.org/report.php?q=DowneksandQuasarRATUsedinRecentTargetedAttacksAgainstGovernments-PaloAltoNetworksBlog.pdf&y=2017
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
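Review bot: the trailing placeholder row `4 | ... | ... | ...` in the IOA table is stale. The rows above it now run 1 through 8 (`6 | Library`, `7 | Argument` and `8 | Argument` are the newly listed entries), and every other table on these pages numbers the ellipsis row as last shown ID plus one, so this row should read `9 | ... | ... | ...`; the summary line "There are 5 more IOA items available" should be re-checked against the same count. The TTP row `3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High` also pairs the description with the wrong CWE: CWE-798 is "Use of Hard-coded Credentials", while the description is the name of CWE-307.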
@ -1,28 +1,28 @@
# Dragonfly 2.0 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Dragonfly 2.0](https://vuldb.com/?actor.dragonfly_2.0). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Dragonfly 2.0](https://vuldb.com/?actor.dragonfly_2.0). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.dragonfly_2.0](https://vuldb.com/?actor.dragonfly_2.0)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.dragonfly_2.0](https://vuldb.com/?actor.dragonfly_2.0)
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Dragonfly 2.0.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Dragonfly 2.0.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 5.153.58.45 | 2d.3a.9905.ip4.static.sl-reverse.com | High
2 | 62.8.193.206 | - | High
3 | 184.154.150.66 | 66.150.154.184.unassigned.ord.singlehop.net | High
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 5.153.58.45 | 2d.3a.9905.ip4.static.sl-reverse.com | - | High
2 | 62.8.193.206 | - | - | High
3 | 184.154.150.66 | 66.150.154.184.unassigned.ord.singlehop.net | - | High
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://us-cert.cisa.gov/ncas/alerts/TA17-293A
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
@ -1,57 +1,57 @@
# Dragonfly - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Dragonfly](https://vuldb.com/?actor.dragonfly). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Dragonfly](https://vuldb.com/?actor.dragonfly). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.dragonfly](https://vuldb.com/?actor.dragonfly)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.dragonfly](https://vuldb.com/?actor.dragonfly)
## Campaigns
The following campaigns are known and can be associated with Dragonfly:
The following _campaigns_ are known and can be associated with Dragonfly:
* Karagany
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Dragonfly:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Dragonfly:
* US
* GB
* RU
* GB
* ...
There are 6 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Dragonfly.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Dragonfly.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 5.45.119.124 | - | High
2 | 5.135.104.77 | - | High
3 | 5.196.167.184 | ip184.ip-5-196-167.eu | High
4 | 37.139.7.16 | - | High
5 | 51.159.28.101 | 51-159-28-101.rev.poneytelecom.eu | High
6 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 5.45.119.124 | - | - | High
2 | 5.135.104.77 | - | Karagany | High
3 | 5.196.167.184 | ip184.ip-5-196-167.eu | - | High
4 | 37.139.7.16 | - | - | High
5 | 51.159.28.101 | 51-159-28-101.rev.poneytelecom.eu | - | High
6 | ... | ... | ... | ...
There are 18 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Dragonfly. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Dragonfly. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
There are 3 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Dragonfly. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Dragonfly. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
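Review bot: now that the Weakness column carries the CWE ids, the Description column in the TTP rows `1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High` through `3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High` still shows CWE weakness names rather than the ATT&CK technique names the Technique column points to: T1059.007 is Command and Scripting Interpreter: JavaScript, T1068 is Exploitation for Privilege Escalation and T1110.001 is Brute Force: Password Guessing. Either rename the column so it is clearly the weakness description, or fill it with the ATT&CK names, so a reader can tell the adversary technique from the weakness it is mapped to.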
@ -64,13 +64,14 @@ ID | Type | Indicator | Confidence
7 | File | `ajax/comments.php` | High
8 | File | `architext.conf` | High
9 | File | `attachment_send.php` | High
10 | ... | ... | ...
10 | File | `bull/javamelody/PayloadNameRequestWrapper.java` | High
11 | ... | ... | ...
There are 79 more IOA items available. Please use our online service to access the data.
There are 81 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://us-cert.cisa.gov/ncas/alerts/aa20-296a
* https://us-cert.cisa.gov/ncas/alerts/TA18-074A
@ -80,7 +81,7 @@ The following list contains external sources which discuss the actor and the ass
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
@ -1,12 +1,12 @@
# Dukes - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Dukes](https://vuldb.com/?actor.dukes). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Dukes](https://vuldb.com/?actor.dukes). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.dukes](https://vuldb.com/?actor.dukes)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.dukes](https://vuldb.com/?actor.dukes)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Dukes:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Dukes:
* US
* RU
@ -17,35 +17,35 @@ There are 9 more country items available. Please use our online service to acces
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Dukes.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Dukes.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 5.45.66.134 | - | High
2 | 46.246.120.178 | - | High
3 | 50.7.192.146 | - | High
4 | 64.18.143.66 | - | High
5 | 66.29.115.55 | 647807.ds.nac.net | High
6 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 5.45.66.134 | - | - | High
2 | 46.246.120.178 | - | - | High
3 | 50.7.192.146 | - | - | High
4 | 64.18.143.66 | - | - | High
5 | 66.29.115.55 | 647807.ds.nac.net | - | High
6 | ... | ... | ... | ...
There are 22 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Dukes. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Dukes. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1211 | 7PK Security Features | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1211 | CWE-254 | 7PK Security Features | High
4 | ... | ... | ... | ...
There are 2 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Dukes. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Dukes. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
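Review bot: the TTP row `3 | T1211 | CWE-254 | 7PK Security Features | High` cites a CWE category rather than a weakness. CWE-254 ("7PK - Security Features") is a grouping node with no concrete weakness behind it, and it has no evident relation to T1211 (Exploitation for Defense Evasion), so the Weakness column adds no information for this row. Either cite the specific CWE the profiling actually matched, or leave the cell as `-`, the way the IOC table marks a missing campaign.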
@ -58,18 +58,18 @@ ID | Type | Indicator | Confidence
7 | File | `bbcode.php` | Medium
8 | ... | ... | ...
There are 55 more IOA items available. Please use our online service to access the data.
There are 55 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://www.threatminer.org/report.php?q=dukes_whitepaper-f-secure.pdf&y=2015
* https://www.threatminer.org/report.php?q=Duke_cloud_Linux.pdf&y=2015
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
@ -1,12 +1,12 @@
# Dyre - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Dyre](https://vuldb.com/?actor.dyre). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Dyre](https://vuldb.com/?actor.dyre). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.dyre](https://vuldb.com/?actor.dyre)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.dyre](https://vuldb.com/?actor.dyre)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Dyre:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Dyre:
* RU
* US
@ -17,36 +17,36 @@ There are 5 more country items available. Please use our online service to acces
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Dyre.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Dyre.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 37.59.2.42 | ns399064.ip-37-59-2.eu | High
2 | 64.70.19.202 | mailrelay.202.website.ws | High
3 | 69.195.129.75 | - | High
4 | 80.248.224.75 | - | High
5 | 85.25.134.53 | delta526.dedicatedpanel.com | High
6 | 85.25.138.12 | echo389.startdedicated.de | High
7 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 37.59.2.42 | ns399064.ip-37-59-2.eu | - | High
2 | 64.70.19.202 | mailrelay.202.website.ws | - | High
3 | 69.195.129.75 | - | - | High
4 | 80.248.224.75 | - | - | High
5 | 85.25.134.53 | delta526.dedicatedpanel.com | - | High
6 | 85.25.138.12 | echo389.startdedicated.de | - | High
7 | ... | ... | ... | ...
There are 24 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Dyre. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Dyre. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1211 | 7PK Security Features | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1211 | CWE-254 | 7PK Security Features | High
4 | ... | ... | ... | ...
There are 3 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Dyre. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Dyre. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
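Review bot: the Description column of the TTP table names weaknesses rather than ATT&CK techniques, and the new Weakness column makes the mismatch visible. `2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High` pairs T1068 (ATT&CK "Exploitation for Privilege Escalation") with the title of CWE-250, a CWE the Weakness column does not list, and `3 | T1211 | CWE-254 | 7PK Security Features | High` carries the CWE-254 title where T1211 is "Exploitation for Defense Evasion". Either put the ATT&CK technique name in Description and keep each weakness title beside its CWE ID, or rename the column, so a reader does not take the CWE title for the technique.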
@ -60,18 +60,18 @@ ID | Type | Indicator | Confidence
8 | File | `addentry.php` | Medium
9 | ... | ... | ...
There are 64 more IOA items available. Please use our online service to access the data.
There are 64 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://github.com/fl0x2208/IOCs-in-CSV-format/blob/6297513d672bd69f1bf488018035892e599e7a9c/Dyre_Banking_Trojan_IOCs.csv
* https://unit42.paloaltonetworks.com/analysis-cryptowall-3-0-dyre-i2p/
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
@ -0,0 +1,57 @@
# ERMAC - Cyber Threat Intelligence
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [ERMAC](https://vuldb.com/?actor.ermac). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.ermac](https://vuldb.com/?actor.ermac)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with ERMAC:
* [NL](https://vuldb.com/?country.nl)
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of ERMAC.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [178.132.6.150](https://vuldb.com/?ip.178.132.6.150) | 178-132-6-150.hosted-by-worldstream.net | - | High
2 | [185.215.113.42](https://vuldb.com/?ip.185.215.113.42) | - | - | High
3 | [185.215.113.81](https://vuldb.com/?ip.185.215.113.81) | - | - | High
4 | ... | ... | ... | ...
There are 1 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by ERMAC. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by ERMAC. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `tftpserver.c` | Medium
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://www.threatfabric.com/blogs/ermac-another-cerberus-reborn.html
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
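Review bot: `There are 1 more IOC items available` does not agree in number; the count sentence is generated, so the template needs a singular branch ("1 more IOC item is available"). In the same file the IP addresses and the country code are rendered as links (`[178.132.6.150](https://vuldb.com/?ip.178.132.6.150)`, `[NL](https://vuldb.com/?country.nl)`), while the Dyre, Edwind, Elknot and Emotet pages touched by this commit keep plain text in those columns; one format should be used across the set so downstream parsers of these tables see a single shape.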
@ -1,28 +1,28 @@
# Edwind - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Edwind](https://vuldb.com/?actor.edwind). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Edwind](https://vuldb.com/?actor.edwind). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.edwind](https://vuldb.com/?actor.edwind)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.edwind](https://vuldb.com/?actor.edwind)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Edwind:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Edwind:
* RU
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Edwind.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Edwind.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 88.99.71.89 | static.89.71.99.88.clients.your-server.de | High
2 | 88.99.112.168 | static.168.112.99.88.clients.your-server.de | High
3 | 88.99.112.169 | static.169.112.99.88.clients.your-server.de | High
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 88.99.71.89 | static.89.71.99.88.clients.your-server.de | - | High
2 | 88.99.112.168 | static.168.112.99.88.clients.your-server.de | - | High
3 | 88.99.112.169 | static.169.112.99.88.clients.your-server.de | - | High
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Edwind. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Edwind. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
@ -31,13 +31,13 @@ ID | Type | Indicator | Confidence
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://unit42.paloaltonetworks.com/unit42-ewind-adware-applications-clothing/
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
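Review bot: the only external reference on this page is `https://unit42.paloaltonetworks.com/unit42-ewind-adware-applications-clothing/`, whose slug spells the family "Ewind", while the title, the intro and the link `https://vuldb.com/?actor.edwind` use "Edwind"; confirm which spelling the actor profile uses so the reference and the page are about the same family and the actor link resolves to the intended profile.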
@ -0,0 +1,47 @@
# Elknot - Cyber Threat Intelligence
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Elknot](https://vuldb.com/?actor.elknot). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.elknot](https://vuldb.com/?actor.elknot)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Elknot:
* CN
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Elknot.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 115.231.218.64 | - | - | High
2 | 154.82.110.5 | - | - | High
3 | 155.94.154.170 | 155.94.154.170.static.quadranet.com | - | High
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Elknot. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://blog.netlab.360.com/new-elknot-billgates-variant-with-xor-like-c2-configuration-encryption-scheme/
* https://blog.netlab.360.com/yi-jing-you-xxxge-jia-zu-de-botnetli-yong-log4shelllou-dong-chuan-bo-wei-da-bu-ding-de-gan-jin-liao/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
372
Emotet/README.md
@ -1,218 +1,220 @@
# Emotet - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Emotet](https://vuldb.com/?actor.emotet). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Emotet](https://vuldb.com/?actor.emotet). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.emotet](https://vuldb.com/?actor.emotet)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.emotet](https://vuldb.com/?actor.emotet)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Emotet:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Emotet:
* VN
* CN
* US
* ...
There are 2 more country items available. Please use our online service to access the data.
There are 1 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Emotet.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Emotet.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 1.186.249.82 | 1.186.249.82.dvois.com | High
2 | 1.226.84.243 | - | High
3 | 2.58.16.86 | - | High
4 | 2.58.16.89 | - | High
5 | 2.82.75.215 | bl21-75-215.dsl.telepac.pt | High
6 | 5.2.84.232 | momos.alastyr.com | High
7 | 5.2.136.90 | static-5-2-136-90.rdsnet.ro | High
8 | 5.2.182.7 | static-5-2-182-7.rdsnet.ro | High
9 | 5.2.212.254 | static-5-2-212-254.rdsnet.ro | High
10 | 5.9.189.24 | static.24.189.9.5.clients.your-server.de | High
11 | 5.12.246.155 | 5-12-246-155.residential.rdsnet.ro | High
12 | 5.35.249.46 | rs250366.rs.hosteurope.de | High
13 | 5.39.91.110 | ns3278366.ip-5-39-91.eu | High
14 | 5.79.70.250 | - | High
15 | 5.89.33.136 | net-5-89-33-136.cust.vodafonedsl.it | High
16 | 5.159.57.195 | www-riedle.transfermarkt.de | High
17 | 5.196.35.138 | vps10.open-techno.net | High
18 | 5.230.193.41 | casagarcia-web.sys.netzfabrik.eu | High
19 | 8.4.9.137 | onlinehorizons.net | High
20 | 8.247.6.134 | - | High
21 | 12.32.68.154 | mail.sealscoinc.com | High
22 | 12.149.72.170 | - | High
23 | 12.162.84.2 | - | High
24 | 12.163.208.58 | - | High
25 | 12.182.146.226 | - | High
26 | 12.184.217.101 | - | High
27 | 23.6.65.194 | a23-6-65-194.deploy.static.akamaitechnologies.com | High
28 | 23.36.85.183 | a23-36-85-183.deploy.static.akamaitechnologies.com | High
29 | 23.199.63.11 | a23-199-63-11.deploy.static.akamaitechnologies.com | High
30 | 23.199.71.185 | a23-199-71-185.deploy.static.akamaitechnologies.com | High
31 | 23.239.2.11 | li683-11.members.linode.com | High
32 | 24.43.99.75 | rrcs-24-43-99-75.west.biz.rr.com | High
33 | 24.101.229.82 | dynamic-acs-24-101-229-82.zoominternet.net | High
34 | 24.119.116.230 | 24-119-116-230.cpe.sparklight.net | High
35 | 24.121.176.48 | 24-121-176-48.prkrcmtc01.com.sta.suddenlink.net | High
36 | 24.137.76.62 | host-24-137-76-62.public.eastlink.ca | High
37 | 24.178.90.49 | 024-178-090-049.res.spectrum.com | High
38 | 24.179.13.119 | 024-179-013-119.res.spectrum.com | High
39 | 24.217.117.217 | 024-217-117-217.res.spectrum.com | High
40 | 24.232.228.233 | OL233-228.fibertel.com.ar | High
41 | 24.244.177.40 | - | High
42 | 27.78.27.110 | localhost | High
43 | 27.82.13.10 | KD027082013010.ppp-bb.dion.ne.jp | High
44 | 27.109.24.214 | - | High
45 | 27.114.9.93 | i27-114-9-93.s41.a011.ap.plala.or.jp | High
46 | 36.91.44.183 | - | High
47 | 37.46.129.215 | we-too.ru | High
48 | 37.97.135.82 | 37-97-135-82.colo.transip.net | High
49 | 37.139.21.175 | 37.139.21.175-e2-8080-keep-up | High
50 | 37.179.204.33 | - | High
51 | 37.187.4.178 | ks2.kku.io | High
52 | 37.187.57.57 | ns3357940.ovh.net | High
53 | 37.187.72.193 | ns3362285.ip-37-187-72.eu | High
54 | 37.187.161.206 | toolbox.alabs.io | High
55 | 37.205.9.252 | s1.ithelp24.eu | High
56 | 37.221.70.250 | b2b-customer.inftele.net | High
57 | 41.76.108.46 | - | High
58 | 41.169.36.237 | - | High
59 | 41.185.28.84 | brf01-nix01.wadns.net | High
60 | 41.185.29.128 | exchange.imali-group.co.za | High
61 | 41.231.225.139 | - | High
62 | 42.62.40.103 | - | High
63 | 45.16.226.117 | 45-16-226-117.lightspeed.sndgca.sbcglobal.net | High
64 | 45.33.77.42 | li1023-42.members.linode.com | High
65 | 45.46.37.97 | cpe-45-46-37-97.maine.res.rr.com | High
66 | 45.55.36.51 | - | High
67 | 45.55.219.163 | - | High
68 | 45.79.95.107 | li1194-107.members.linode.com | High
69 | 45.80.148.200 | - | High
70 | 45.118.135.203 | 45-118-135-203.ip.linodeusercontent.com | High
71 | 45.142.114.231 | mail.dounutmail.de | High
72 | 45.230.45.171 | - | High
73 | 46.4.100.178 | support.wizard-shopservice.de | High
74 | 46.4.192.185 | static.185.192.4.46.clients.your-server.de | High
75 | 46.28.111.142 | enkindu.jsuchy.net | High
76 | 46.32.229.152 | 094882.vps-10.com | High
77 | 46.32.233.226 | yetitoolusa.com | High
78 | 46.38.238.8 | v2202109122001163131.happysrv.de | High
79 | 46.43.2.95 | chris.default.cjenkinson.uk0.bigv.io | High
80 | 46.101.58.37 | 46.101.58.37-e1-8080 | High
81 | 46.105.81.76 | myu0.cylipo.sbs | High
82 | 46.105.114.137 | ns3188253.ip-46-105-114.eu | High
83 | 46.105.131.68 | http.adven.fr | High
84 | 46.105.131.79 | relay.adven.fr | High
85 | 46.105.131.87 | pop.adven.fr | High
86 | 46.105.236.18 | - | High
87 | 46.165.254.206 | - | High
88 | 46.214.107.142 | 46-214-107-142.next-gen.ro | High
89 | 47.36.140.164 | 047-036-140-164.res.spectrum.com | High
90 | 47.146.39.147 | - | High
91 | 47.188.131.94 | - | High
92 | 49.12.121.47 | filezilla-project.org | High
93 | 49.50.209.131 | 131.host-49-50-209.euba.megatel.co.nz | High
94 | 49.212.135.76 | os3-321-50322.vs.sakura.ne.jp | High
95 | 49.212.155.94 | os3-325-52340.vs.sakura.ne.jp | High
96 | 50.28.51.143 | - | High
97 | 50.31.146.101 | mail.brillinjurylaw.com | High
98 | 50.56.135.44 | - | High
99 | 50.91.114.38 | 050-091-114-038.res.spectrum.com | High
100 | 50.116.78.109 | intersearchmedia.com | High
101 | 50.245.107.73 | 50-245-107-73-static.hfc.comcastbusiness.net | High
102 | 51.15.7.145 | 51-15-7-145.rev.poneytelecom.eu | High
103 | 51.75.33.127 | ip127.ip-51-75-33.eu | High
104 | 51.89.36.180 | ip180.ip-51-89-36.eu | High
105 | 51.89.199.141 | ip141.ip-51-89-199.eu | High
106 | 51.255.165.160 | 160.ip-51-255-165.eu | High
107 | 54.38.143.245 | tools.inovato.me | High
108 | 58.27.215.3 | 58-27-215-3.wateen.net | High
109 | 58.94.58.13 | i58-94-58-13.s41.a014.ap.plala.or.jp | High
110 | 58.227.42.236 | - | High
111 | 59.148.253.194 | 059148253194.ctinets.com | High
112 | 60.93.23.51 | softbank060093023051.bbtec.net | High
113 | 60.108.128.186 | softbank060108128186.bbtec.net | High
114 | 60.125.114.64 | softbank060125114064.bbtec.net | High
115 | 60.249.78.226 | 60-249-78-226.hinet-ip.hinet.net | High
116 | 61.19.246.238 | - | High
117 | 62.30.7.67 | 67.7-30-62.static.virginmediabusiness.co.uk | High
118 | 62.75.141.82 | static-ip-62-75-141-82.inaddr.ip-pool.com | High
119 | 62.84.75.50 | mail.saadegrp.com.lb | High
120 | 62.171.142.179 | vmi499457.contaboserver.net | High
121 | 62.212.34.102 | - | High
122 | 64.207.182.168 | - | High
123 | 66.54.51.172 | - | High
124 | 66.76.26.33 | 66-76-26-33.hdsncmta01.com.sta.suddenlink.net | High
125 | 66.228.61.248 | li318-248.members.linode.com | High
126 | 67.19.105.107 | ns2.datatrust.com.br | High
127 | 67.170.250.203 | c-67-170-250-203.hsd1.ca.comcast.net | High
128 | 68.2.97.91 | ip68-2-97-91.ph.ph.cox.net | High
129 | 68.183.170.114 | 68.183.170.114-e1-8080-keep-up | High
130 | 68.183.190.199 | 68.183.190.199-e1-8080-keep-up | High
131 | 69.17.170.58 | unallocated-static.rogers.com | High
132 | 69.43.168.200 | ns0.imunplugged.com | High
133 | 69.45.19.251 | coastinet.com | High
134 | 69.167.152.111 | - | High
135 | 70.32.84.74 | - | High
136 | 70.32.89.105 | parties-at-sea.com | High
137 | 70.32.92.133 | popdesigngroup.com | High
138 | 70.32.115.157 | harpotripofalifetime.com | High
139 | 70.168.7.6 | wsip-70-168-7-6.ri.ri.cox.net | High
140 | 70.182.77.184 | wsip-70-182-77-184.ok.ok.cox.net | High
141 | 70.184.125.132 | wsip-70-184-125-132.ph.ph.cox.net | High
142 | 71.15.245.148 | 071-015-245-148.res.spectrum.com | High
143 | 71.197.211.156 | c-71-197-211-156.hsd1.wa.comcast.net | High
144 | 71.244.60.231 | static-71-244-60-231.dllstx.fios.frontiernet.net | High
145 | 72.10.49.117 | rtw7-rfpn.accessdomain.com | High
146 | 72.18.204.17 | lasvegas-nv-datacenter.com | High
147 | 72.45.212.62 | nyinstituteofmassage.com | High
148 | 72.186.136.247 | 072-186-136-247.biz.spectrum.com | High
149 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 1.186.249.82 | 1.186.249.82.dvois.com | - | High
2 | 1.226.84.243 | - | - | High
3 | 2.58.16.86 | - | - | High
4 | 2.58.16.89 | - | - | High
5 | 2.82.75.215 | bl21-75-215.dsl.telepac.pt | - | High
6 | 5.2.84.232 | momos.alastyr.com | - | High
7 | 5.2.136.90 | static-5-2-136-90.rdsnet.ro | - | High
8 | 5.2.182.7 | static-5-2-182-7.rdsnet.ro | - | High
9 | 5.2.212.254 | static-5-2-212-254.rdsnet.ro | - | High
10 | 5.9.189.24 | static.24.189.9.5.clients.your-server.de | - | High
11 | 5.12.246.155 | 5-12-246-155.residential.rdsnet.ro | - | High
12 | 5.35.249.46 | rs250366.rs.hosteurope.de | - | High
13 | 5.39.91.110 | ns3278366.ip-5-39-91.eu | - | High
14 | 5.79.70.250 | - | - | High
15 | 5.89.33.136 | net-5-89-33-136.cust.vodafonedsl.it | - | High
16 | 5.159.57.195 | www-riedle.transfermarkt.de | - | High
17 | 5.196.35.138 | vps10.open-techno.net | - | High
18 | 5.230.193.41 | casagarcia-web.sys.netzfabrik.eu | - | High
19 | 8.4.9.137 | onlinehorizons.net | - | High
20 | 8.247.6.134 | - | - | High
21 | 12.32.68.154 | mail.sealscoinc.com | - | High
22 | 12.149.72.170 | - | - | High
23 | 12.162.84.2 | - | - | High
24 | 12.163.208.58 | - | - | High
25 | 12.182.146.226 | - | - | High
26 | 12.184.217.101 | - | - | High
27 | 23.6.65.194 | a23-6-65-194.deploy.static.akamaitechnologies.com | - | High
28 | 23.36.85.183 | a23-36-85-183.deploy.static.akamaitechnologies.com | - | High
29 | 23.199.63.11 | a23-199-63-11.deploy.static.akamaitechnologies.com | - | High
30 | 23.199.71.185 | a23-199-71-185.deploy.static.akamaitechnologies.com | - | High
31 | 23.239.2.11 | li683-11.members.linode.com | - | High
32 | 24.43.99.75 | rrcs-24-43-99-75.west.biz.rr.com | - | High
33 | 24.101.229.82 | dynamic-acs-24-101-229-82.zoominternet.net | - | High
34 | 24.119.116.230 | 24-119-116-230.cpe.sparklight.net | - | High
35 | 24.121.176.48 | 24-121-176-48.prkrcmtc01.com.sta.suddenlink.net | - | High
36 | 24.137.76.62 | host-24-137-76-62.public.eastlink.ca | - | High
37 | 24.178.90.49 | 024-178-090-049.res.spectrum.com | - | High
38 | 24.179.13.119 | 024-179-013-119.res.spectrum.com | - | High
39 | 24.217.117.217 | 024-217-117-217.res.spectrum.com | - | High
40 | 24.232.228.233 | OL233-228.fibertel.com.ar | - | High
41 | 24.244.177.40 | - | - | High
42 | 27.78.27.110 | localhost | - | High
43 | 27.82.13.10 | KD027082013010.ppp-bb.dion.ne.jp | - | High
44 | 27.109.24.214 | - | - | High
45 | 27.114.9.93 | i27-114-9-93.s41.a011.ap.plala.or.jp | - | High
46 | 36.91.44.183 | - | - | High
47 | 37.46.129.215 | we-too.ru | - | High
48 | 37.97.135.82 | 37-97-135-82.colo.transip.net | - | High
49 | 37.139.21.175 | 37.139.21.175-e2-8080-keep-up | - | High
50 | 37.179.204.33 | - | - | High
51 | 37.187.4.178 | ks2.kku.io | - | High
52 | 37.187.57.57 | ns3357940.ovh.net | - | High
53 | 37.187.72.193 | ns3362285.ip-37-187-72.eu | - | High
54 | 37.187.161.206 | toolbox.alabs.io | - | High
55 | 37.205.9.252 | s1.ithelp24.eu | - | High
56 | 37.221.70.250 | b2b-customer.inftele.net | - | High
57 | 41.76.108.46 | - | - | High
58 | 41.169.36.237 | - | - | High
59 | 41.185.28.84 | brf01-nix01.wadns.net | - | High
60 | 41.185.29.128 | abp79-nix01.wadns.net | - | High
61 | 41.231.225.139 | - | - | High
62 | 42.62.40.103 | - | - | High
63 | 45.16.226.117 | 45-16-226-117.lightspeed.sndgca.sbcglobal.net | - | High
64 | 45.33.77.42 | li1023-42.members.linode.com | - | High
65 | 45.46.37.97 | cpe-45-46-37-97.maine.res.rr.com | - | High
66 | 45.55.36.51 | - | - | High
67 | 45.55.219.163 | - | - | High
68 | 45.79.95.107 | li1194-107.members.linode.com | - | High
69 | 45.80.148.200 | - | - | High
70 | 45.118.115.99 | - | - | High
71 | 45.118.135.203 | 45-118-135-203.ip.linodeusercontent.com | - | High
72 | 45.142.114.231 | mail.dounutmail.de | - | High
73 | 45.230.45.171 | - | - | High
74 | 46.4.100.178 | support.wizard-shopservice.de | - | High
75 | 46.4.192.185 | static.185.192.4.46.clients.your-server.de | - | High
76 | 46.28.111.142 | enkindu.jsuchy.net | - | High
77 | 46.32.229.152 | 094882.vps-10.com | - | High
78 | 46.32.233.226 | yetitoolusa.com | - | High
79 | 46.38.238.8 | v2202109122001163131.happysrv.de | - | High
80 | 46.43.2.95 | chris.default.cjenkinson.uk0.bigv.io | - | High
81 | 46.55.222.11 | - | - | High
82 | 46.101.58.37 | 46.101.58.37-e1-8080 | - | High
83 | 46.105.81.76 | myu0.cylipo.sbs | - | High
84 | 46.105.114.137 | ns3188253.ip-46-105-114.eu | - | High
85 | 46.105.131.68 | http.adven.fr | - | High
86 | 46.105.131.79 | relay.adven.fr | - | High
87 | 46.105.131.87 | pop.adven.fr | - | High
88 | 46.105.236.18 | - | - | High
89 | 46.165.254.206 | - | - | High
90 | 46.214.107.142 | 46-214-107-142.next-gen.ro | - | High
91 | 47.36.140.164 | 047-036-140-164.res.spectrum.com | - | High
92 | 47.146.39.147 | - | - | High
93 | 47.188.131.94 | - | - | High
94 | 49.12.121.47 | filezilla-project.org | - | High
|
||||
95 | 49.50.209.131 | 131.host-49-50-209.euba.megatel.co.nz | - | High
|
||||
96 | 49.212.135.76 | os3-321-50322.vs.sakura.ne.jp | - | High
|
||||
97 | 49.212.155.94 | os3-325-52340.vs.sakura.ne.jp | - | High
|
||||
98 | 50.28.51.143 | - | - | High
|
||||
99 | 50.31.146.101 | mail.brillinjurylaw.com | - | High
|
||||
100 | 50.56.135.44 | - | - | High
|
||||
101 | 50.91.114.38 | 050-091-114-038.res.spectrum.com | - | High
|
||||
102 | 50.116.78.109 | intersearchmedia.com | - | High
|
||||
103 | 50.245.107.73 | 50-245-107-73-static.hfc.comcastbusiness.net | - | High
|
||||
104 | 51.15.4.22 | 51-15-4-22.rev.poneytelecom.eu | - | High
|
||||
105 | 51.15.7.145 | 51-15-7-145.rev.poneytelecom.eu | - | High
|
||||
106 | 51.75.33.127 | ip127.ip-51-75-33.eu | - | High
|
||||
107 | 51.89.36.180 | ip180.ip-51-89-36.eu | - | High
|
||||
108 | 51.89.199.141 | ip141.ip-51-89-199.eu | - | High
|
||||
109 | 51.255.165.160 | 160.ip-51-255-165.eu | - | High
|
||||
110 | 54.38.143.245 | tools.inovato.me | - | High
|
||||
111 | 58.27.215.3 | 58-27-215-3.wateen.net | - | High
|
||||
112 | 58.94.58.13 | i58-94-58-13.s41.a014.ap.plala.or.jp | - | High
|
||||
113 | 58.227.42.236 | - | - | High
|
||||
114 | 59.148.253.194 | 059148253194.ctinets.com | - | High
|
||||
115 | 60.93.23.51 | softbank060093023051.bbtec.net | - | High
|
||||
116 | 60.108.128.186 | softbank060108128186.bbtec.net | - | High
|
||||
117 | 60.125.114.64 | softbank060125114064.bbtec.net | - | High
|
||||
118 | 60.249.78.226 | 60-249-78-226.hinet-ip.hinet.net | - | High
|
||||
119 | 61.19.246.238 | - | - | High
|
||||
120 | 62.30.7.67 | 67.7-30-62.static.virginmediabusiness.co.uk | - | High
|
||||
121 | 62.75.141.82 | static-ip-62-75-141-82.inaddr.ip-pool.com | - | High
|
||||
122 | 62.84.75.50 | mail.saadegrp.com.lb | - | High
|
||||
123 | 62.171.142.179 | vmi499457.contaboserver.net | - | High
|
||||
124 | 62.212.34.102 | - | - | High
|
||||
125 | 64.207.182.168 | - | - | High
|
||||
126 | 66.54.51.172 | - | - | High
|
||||
127 | 66.76.26.33 | 66-76-26-33.hdsncmta01.com.sta.suddenlink.net | - | High
|
||||
128 | 66.228.61.248 | li318-248.members.linode.com | - | High
|
||||
129 | 67.19.105.107 | ns2.datatrust.com.br | - | High
|
||||
130 | 67.170.250.203 | c-67-170-250-203.hsd1.ca.comcast.net | - | High
|
||||
131 | 68.2.97.91 | ip68-2-97-91.ph.ph.cox.net | - | High
|
||||
132 | 68.183.170.114 | 68.183.170.114-e1-8080-keep-up | - | High
|
||||
133 | 68.183.190.199 | 68.183.190.199-e1-8080-keep-up | - | High
|
||||
134 | 69.17.170.58 | unallocated-static.rogers.com | - | High
|
||||
135 | 69.43.168.200 | ns0.imunplugged.com | - | High
|
||||
136 | 69.45.19.251 | coastinet.com | - | High
|
||||
137 | 69.167.152.111 | - | - | High
|
||||
138 | 70.32.84.74 | - | - | High
|
||||
139 | 70.32.89.105 | parties-at-sea.com | - | High
|
||||
140 | 70.32.92.133 | popdesigngroup.com | - | High
|
||||
141 | 70.32.115.157 | harpotripofalifetime.com | - | High
|
||||
142 | 70.168.7.6 | wsip-70-168-7-6.ri.ri.cox.net | - | High
|
||||
143 | 70.182.77.184 | wsip-70-182-77-184.ok.ok.cox.net | - | High
|
||||
144 | 70.184.125.132 | wsip-70-184-125-132.ph.ph.cox.net | - | High
|
||||
145 | 71.15.245.148 | 071-015-245-148.res.spectrum.com | - | High
|
||||
146 | 71.197.211.156 | c-71-197-211-156.hsd1.wa.comcast.net | - | High
|
||||
147 | 71.244.60.231 | static-71-244-60-231.dllstx.fios.frontiernet.net | - | High
|
||||
148 | 72.10.49.117 | rtw7-rfpn.accessdomain.com | - | High
|
||||
149 | 72.18.204.17 | lasvegas-nv-datacenter.com | - | High
|
||||
150 | 72.45.212.62 | nyinstituteofmassage.com | - | High
|
||||
151 | 72.186.136.247 | 072-186-136-247.biz.spectrum.com | - | High
|
||||
152 | 73.8.195.237 | c-73-8-195-237.hsd1.il.comcast.net | - | High
|
||||
153 | ... | ... | ... | ...
|
||||
|
||||
There are 594 more IOC items available. Please use our online service to access the data.
|
||||
There are 606 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Emotet. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Emotet. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1059.007 | Cross Site Scripting | High
|
||||
2 | T1068 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ...
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 2 more TTP items available. Please use our online service to access the data.
|
||||
There are 7 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Emotet. This data is unique as it uses our predictive model for actor profiling.
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Emotet. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/admin/admin_manage/delete` | High
|
||||
2 | File | `/admin/configure.php` | High
|
||||
3 | File | `/administrator/components/table_manager/` | High
|
||||
4 | File | `/application/common.php#action_log` | High
|
||||
5 | File | `/cgi-bin/luci` | High
|
||||
6 | File | `/Hospital-Management-System-master/func.php` | High
|
||||
7 | File | `/rest/api/1.0/render` | High
|
||||
8 | File | `/usr/bin/pkexec` | High
|
||||
9 | File | `/yzmcms/comment/index/init.html` | High
|
||||
10 | File | `admin/posts.php?source=add_post` | High
|
||||
11 | File | `admin/users.php?source=add_user` | High
|
||||
12 | File | `cgiserver.cgi` | High
|
||||
13 | File | `Controller.php` | High
|
||||
14 | File | `cszcms/controllers/Member.php#viewUser` | High
|
||||
15 | ... | ... | ...
|
||||
1 | File | `/appliance/users?action=edit` | High
|
||||
2 | File | `/CMD_ACCOUNT_ADMIN` | High
|
||||
3 | File | `/context/%2e/WEB-INF/web.xml` | High
|
||||
4 | File | `/horde/util/go.php` | High
|
||||
5 | File | `/jeecg-boot/sys/user/queryUserByDepId` | High
|
||||
6 | File | `/js/js-parser.c` | High
|
||||
7 | File | `/MobiPlusWeb/Handlers/MainHandler.ashx?MethodName=GridData&GridName=Users` | High
|
||||
8 | File | `/ms/cms/content/list.do` | High
|
||||
9 | File | `/ms/file/uploadTemplate.do` | High
|
||||
10 | File | `/ping.html` | Medium
|
||||
11 | File | `/SASWebReportStudio/logonAndRender.do` | High
|
||||
12 | File | `/sys/user/queryUserComponentData` | High
|
||||
13 | ... | ... | ...
|
||||
|
||||
There are 123 more IOA items available. Please use our online service to access the data.
|
||||
There are 104 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
|
||||
* https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html
|
||||
|
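Review bot: the new Weakness column in the TTP table does not agree with the Description column. Row 3 pairs T1110.001 with CWE-798, whose CWE title is "Use of Hard-coded Credentials", while the description given, "Improper Restriction of Excessive Authentication Attempts", is the title of CWE-307; row 2 pairs CWE-264 and CWE-284 with "Execution with Unnecessary Privileges", which is the title of CWE-250. Either the CWE ids or the descriptions should be corrected so each row is internally consistent. Separately, the Description text names the weakness rather than the ATT&CK technique (T1059.007 is "Command and Scripting Interpreter: JavaScript", not "Cross Site Scripting"), so the column header should make clear that it describes the CWE, not the technique.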
@ -224,6 +226,8 @@ The following list contains external sources which discuss the actor and the ass
* https://blog.talosintelligence.com/2021/10/threat-roundup-1022-1029.html
* https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
* https://blog.talosintelligence.com/2022/01/threat-roundup-0121-0128.html
* https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
* https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html
* https://community.blueliv.com/#!/s/5fb2ee2482df413eaf344b29
* https://ddanchev.blogspot.com/2022/01/profiling-emotet-botnet-c.html
* https://pastebin.com/uPn1zM6b
@ -232,7 +236,7 @@ The following list contains external sources which discuss the actor and the ass

## Literature

The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
@ -1,26 +1,26 @@
# EpicenterRAT - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [EpicenterRAT](https://vuldb.com/?actor.epicenterrat). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [EpicenterRAT](https://vuldb.com/?actor.epicenterrat). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.epicenterrat](https://vuldb.com/?actor.epicenterrat)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.epicenterrat](https://vuldb.com/?actor.epicenterrat)

## IOC - Indicator of Compromise

These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of EpicenterRAT.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of EpicenterRAT.

ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 173.249.50.230 | vmi626137.contaboserver.net | High
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 173.249.50.230 | vmi626137.contaboserver.net | - | High

## References

The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:

* https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479

## Literature

The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
@ -1,12 +1,12 @@
# EvilBunny - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [EvilBunny](https://vuldb.com/?actor.evilbunny). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [EvilBunny](https://vuldb.com/?actor.evilbunny). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.evilbunny](https://vuldb.com/?actor.evilbunny)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.evilbunny](https://vuldb.com/?actor.evilbunny)

## Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with EvilBunny:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with EvilBunny:

* US
* CN
@ -17,34 +17,34 @@ There are 6 more country items available. Please use our online service to acces

## IOC - Indicator of Compromise

These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of EvilBunny.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of EvilBunny.

ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 1.9.32.11 | - | High
2 | 8.5.1.34 | - | High
3 | 64.15.136.137 | - | High
4 | 66.45.225.11 | - | High
5 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 1.9.32.11 | - | - | High
2 | 8.5.1.34 | - | - | High
3 | 64.15.136.137 | - | - | High
4 | 66.45.225.11 | - | - | High
5 | ... | ... | ... | ...

There are 16 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by EvilBunny. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by EvilBunny. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1555 | Cleartext Storage of Sensitive Information | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1555 | CWE-312 | Cleartext Storage of Sensitive Information | High
4 | ... | ... | ... | ...

There are 2 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by EvilBunny. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by EvilBunny. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
@ -55,17 +55,17 @@ ID | Type | Indicator | Confidence
5 | File | `forumrunner/includes/moderation.php` | High
6 | ... | ... | ...

There are 38 more IOA items available. Please use our online service to access the data.
There are 38 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:

* https://www.threatminer.org/report.php?q=EvilBunny_Suspect4_v1.0.pdf&y=2014

## Literature

The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
@ -0,0 +1,72 @@
# EwDoor - Cyber Threat Intelligence

These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [EwDoor](https://vuldb.com/?actor.ewdoor). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.ewdoor](https://vuldb.com/?actor.ewdoor)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with EwDoor:

* SC
* LI
* US
* ...

There are 3 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of EwDoor.

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 45.141.157.217 | ip-157-217.CN-Global | - | High
2 | 185.10.68.20 | 20.68.10.185.ro.ovo.sc | - | High
3 | 212.193.30.209 | - | - | High

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by EwDoor. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1222 | CWE-275 | Permission Issues | High
4 | ... | ... | ... | ...

There are 6 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by EwDoor. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/admin/sysmon.php` | High
2 | File | `/api/content/posts/comments` | High
3 | File | `/Home/GetAttachment` | High
4 | File | `/modules/projects/vw_files.php` | High
5 | File | `admin/limits.php` | High
6 | File | `cgi-bin/ddns_enc.cgi` | High
7 | ... | ... | ...

There are 51 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://blog.netlab.360.com/warning-ewdoor-botnet-is-attacking-att-customers/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
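Review bot: row 3 of the TTP table in this new file pairs T1222 with CWE-275 and the description "Permission Issues". CWE-275 is a category entry in CWE rather than an individual weakness, and the description repeats that category title instead of naming the ATT&CK technique (T1222 is "File and Directory Permissions Modification"). Consider citing a concrete weakness id for this row, or documenting in the column header that Description carries the CWE title and not the technique name.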
@ -0,0 +1,56 @@
# FBot - Cyber Threat Intelligence

These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [FBot](https://vuldb.com/?actor.fbot). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.fbot](https://vuldb.com/?actor.fbot)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FBot:

* US
* IO
* AT
* ...

There are 1 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of FBot.

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 89.248.174.219 | - | - | High
2 | 185.61.138.13 | em.emmmof.live | - | High

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by FBot. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `goform/formSetDiagnosticToolsFmPing` | High
2 | File | `MSCOMCTL.OCX` | Medium
3 | File | `wp-admin/includes/class-wp-press-this.php` | High
4 | ... | ... | ...

There are 2 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://blog.netlab.360.com/the-botnet-cluster-on-185-244-25-0-24-en/
* https://blog.netlab.360.com/the-new-developments-of-the-fbot-en/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
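Review bot: the sentence after the Countries list, "There are 1 more country items available", has a number agreement error; for a count of 1 it should read "There is 1 more country item available". The same template sentence appears with plural counts in the other files, so the generator that fills in the count should choose the singular or plural form from the value rather than emitting the plural unconditionally.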
@ -1,46 +1,46 @@
# FIN12 - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [FIN12](https://vuldb.com/?actor.fin12). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [FIN12](https://vuldb.com/?actor.fin12). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.fin12](https://vuldb.com/?actor.fin12)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.fin12](https://vuldb.com/?actor.fin12)

## Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FIN12:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FIN12:

* US
* CN
* GB
* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [GB](https://vuldb.com/?country.gb)

## IOC - Indicator of Compromise

These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of FIN12.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of FIN12.

ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 5.2.72.202 | pieterb.com | High
2 | 23.81.246.17 | - | High
3 | 95.179.165.239 | 95.179.165.239.vultr.com | Medium
4 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [5.2.72.202](https://vuldb.com/?ip.5.2.72.202) | pieterb.com | - | High
2 | [23.81.246.17](https://vuldb.com/?ip.23.81.246.17) | - | - | High
3 | [95.179.165.239](https://vuldb.com/?ip.95.179.165.239) | 95.179.165.239.vultr.com | - | Medium
4 | ... | ... | ... | ...

There are 2 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by FIN12. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by FIN12. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 5 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by FIN12. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by FIN12. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
@ -61,17 +61,17 @@ ID | Type | Indicator | Confidence
15 | File | `AdvancedBluetoothDetailsHeaderController.java` | High
16 | ... | ... | ...

There are 125 more IOA items available. Please use our online service to access the data.
There are 130 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:

* https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets

## Literature

The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
FIN6/README.md
@ -1,64 +1,64 @@
|
|||
# FIN6 - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [FIN6](https://vuldb.com/?actor.fin6). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [FIN6](https://vuldb.com/?actor.fin6). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.fin6](https://vuldb.com/?actor.fin6)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.fin6](https://vuldb.com/?actor.fin6)

## Campaigns

The following campaigns are known and can be associated with FIN6:
The following _campaigns_ are known and can be associated with FIN6:

* MAZE

## Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FIN6:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FIN6:

* DE
* US
* ES
* RU
* ...

There are 12 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of FIN6.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of FIN6.

ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 5.199.167.188 | - | High
2 | 31.220.45.151 | - | High
3 | 37.1.213.9 | - | High
4 | 37.1.221.212 | adspect.net | High
5 | 37.252.7.142 | - | High
6 | 46.4.113.237 | static.237.113.4.46.clients.your-server.de | High
7 | 46.166.173.109 | - | High
8 | 54.39.233.188 | mail.ov120.slpmt.net | High
9 | 62.210.136.65 | 62-210-136-65.rev.poneytelecom.eu | High
10 | 89.105.194.236 | - | High
11 | 91.208.184.174 | sell.mybeststore.club | High
12 | 91.218.114.4 | - | High
13 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 5.199.167.188 | - | MAZE | High
2 | 31.220.45.151 | - | - | High
3 | 37.1.213.9 | - | MAZE | High
4 | 37.1.221.212 | adspect.net | - | High
5 | 37.252.7.142 | - | MAZE | High
6 | 46.4.113.237 | static.237.113.4.46.clients.your-server.de | - | High
7 | 46.166.173.109 | - | - | High
8 | 54.39.233.188 | mail.ov120.slpmt.net | MAZE | High
9 | 62.210.136.65 | 62-210-136-65.rev.poneytelecom.eu | - | High
10 | 89.105.194.236 | - | - | High
11 | 91.208.184.174 | sell.mybeststore.club | MAZE | High
12 | 91.218.114.4 | - | MAZE | High
13 | ... | ... | ... | ...

There are 48 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by FIN6. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by FIN6. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 6 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by FIN6. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by FIN6. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
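Review bot: the new Weakness column of the TTP table gives T1110.001 / Improper Restriction of Excessive Authentication Attempts only `CWE-798` here, while the FIN7 hunk further down lists `CWE-307, CWE-798` for the same technique and description, and T1068 gets `CWE-264, CWE-284` here, `CWE-264` in the FIN8 hunk and `CWE-284` in the FakeAlert hunk. If the CWE set is derived per actor from the vulnerabilities correlated with that actor, the sentence introducing the table should say so; if it is a fixed technique-to-weakness mapping, the rows should agree across files, and CWE-307 (whose title is exactly the Description text of row 3) would be expected wherever that row appears. The same applies to the new Campaign column of the IOC table: one sentence on how an address is tied to MAZE (a cited report, infrastructure overlap, a time window) would let readers weigh a `MAZE` tag against a `-`.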

@ -93,33 +93,34 @@ ID | Type | Indicator | Confidence
29 | File | `/mnt/skyeye/mode_switch.sh` | High
30 | File | `/mybb_1806/Upload/admin/index.php` | High
31 | File | `/oauth/token` | Medium
32 | File | `/romfile.cfg` | Medium
33 | File | `/scp/directory.php` | High
34 | File | `/setSystemAdmin` | High
35 | File | `/system/WCore/WHelper.php` | High
36 | File | `/tmp/connlicj.bin` | High
37 | File | `/uncpath/` | Medium
38 | File | `/upload` | Low
39 | File | `/userfs/bin/tcapi` | High
40 | File | `/var/www/xms/application/config/config.php` | High
41 | File | `/var/www/xms/application/controllers/gatherLogs.php` | High
42 | File | `/var/www/xms/application/controllers/verifyLogin.php` | High
43 | File | `/var/www/xms/cleanzip.sh` | High
44 | File | `/vendor/phpdocumentor/reflection-docblock/tests/phpDocumentor/Reflection/DocBlock/Tag/LinkTagTeet.php` | High
45 | File | `/websocket/exec` | High
46 | File | `/workspaceCleanup` | High
47 | File | `/wp-admin/admin-ajax.php?action=get_wdtable&table_id=1` | High
48 | File | `account/gallery.php` | High
49 | File | `add_edit_cat.asp` | High
50 | File | `admin.htm` | Medium
51 | File | `admin.php` | Medium
52 | ... | ... | ...
32 | File | `/plain` | Low
33 | File | `/romfile.cfg` | Medium
34 | File | `/scp/directory.php` | High
35 | File | `/setSystemAdmin` | High
36 | File | `/system/WCore/WHelper.php` | High
37 | File | `/tmp/connlicj.bin` | High
38 | File | `/uncpath/` | Medium
39 | File | `/upload` | Low
40 | File | `/userfs/bin/tcapi` | High
41 | File | `/var/www/xms/application/config/config.php` | High
42 | File | `/var/www/xms/application/controllers/gatherLogs.php` | High
43 | File | `/var/www/xms/application/controllers/verifyLogin.php` | High
44 | File | `/var/www/xms/cleanzip.sh` | High
45 | File | `/vendor/phpdocumentor/reflection-docblock/tests/phpDocumentor/Reflection/DocBlock/Tag/LinkTagTeet.php` | High
46 | File | `/websocket/exec` | High
47 | File | `/workspaceCleanup` | High
48 | File | `/wp-admin/admin-ajax.php?action=get_wdtable&table_id=1` | High
49 | File | `account/gallery.php` | High
50 | File | `add_edit_cat.asp` | High
51 | File | `admin.htm` | Medium
52 | File | `admin.php` | Medium
53 | ... | ... | ...

There are 450 more IOA items available. Please use our online service to access the data.
There are 462 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:

* https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/
* https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf
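Review bot: the renumbering that makes room for the new row 32 (`/plain`, Low) carries over row 45, `/vendor/phpdocumentor/reflection-docblock/tests/phpDocumentor/Reflection/DocBlock/Tag/LinkTagTeet.php`, whose basename reads like a typo for a `...TagTest.php` test fixture; verify it against the source the indicator was extracted from before publishing it at High confidence. `/plain` also joins `/upload` as a Low-confidence one-word path fragment that will match on almost any web server, so either set a confidence floor for rows in the public table or add a sentence to the IOA introduction explaining what a Low row is meant to tell a reader.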

@ -128,7 +129,7 @@ The following list contains external sources which discuss the actor and the ass

## Literature

The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

201
FIN7/README.md

@ -1,113 +1,113 @@
# FIN7 - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [FIN7](https://vuldb.com/?actor.fin7). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [FIN7](https://vuldb.com/?actor.fin7). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.fin7](https://vuldb.com/?actor.fin7)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.fin7](https://vuldb.com/?actor.fin7)

## Campaigns

The following campaigns are known and can be associated with FIN7:
The following _campaigns_ are known and can be associated with FIN7:

* AveMaria
* OpBlueRaven

## Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FIN7:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FIN7:

* US
* CN
* FR
* DE
* ...

There are 29 more country items available. Please use our online service to access the data.
There are 26 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of FIN7.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of FIN7.

ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 1.3.6.1 | - | High
2 | 2.16.840.1 | - | High
3 | 4.1.311.10 | - | High
4 | 5.8.88.64 | - | High
5 | 5.9.189.40 | static.40.189.9.5.clients.your-server.de | High
6 | 5.10.40.54 | dsl-5-10-40-54.pool.bitel.net | High
7 | 5.61.32.118 | - | High
8 | 5.61.38.52 | - | High
9 | 5.135.73.113 | - | High
10 | 5.149.250.235 | quoll.tellfex.com | High
11 | 5.149.250.241 | flipveranda.co.uk | High
12 | 5.149.252.144 | - | High
13 | 5.149.253.126 | - | High
14 | 5.188.10.102 | - | High
15 | 5.188.10.248 | - | High
16 | 5.199.169.188 | - | High
17 | 5.252.177.23 | 5-252-177-23.mivocloud.com | High
18 | 5.252.177.37 | no-rdns.mivocloud.com | High
19 | 8.28.175.68 | phoenixartisanacoutrements.com | High
20 | 23.83.133.119 | - | High
21 | 23.249.162.161 | - | High
22 | 31.7.61.136 | hosted-by.securefastserver.com | High
23 | 31.18.219.133 | ip1f12db85.dynamic.kabel-deutschland.de | High
24 | 31.131.17.125 | - | High
25 | 31.131.17.127 | automarinetechnology.com | High
26 | 31.131.17.128 | - | High
27 | 31.148.219.18 | - | High
28 | 31.148.219.44 | - | High
29 | 31.148.219.126 | - | High
30 | 31.148.219.141 | - | High
31 | 31.148.220.107 | - | High
32 | 31.148.220.215 | - | High
33 | 31.184.234.66 | - | High
34 | 31.184.234.71 | - | High
35 | 37.1.211.239 | ourdrops.org | High
36 | 37.1.215.4 | - | High
37 | 37.1.215.72 | - | High
38 | 37.235.54.48 | 48.54.235.37.in-addr.arpa | High
39 | 37.252.4.131 | - | High
40 | 45.77.60.230 | 45.77.60.230.vultr.com | Medium
41 | 45.77.204.130 | 45.77.204.130.vultr.com | Medium
42 | 45.87.152.64 | free.pq.hosting | High
43 | 45.133.216.25 | lisulisimp.example.com | High
44 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 1.3.6.1 | - | - | High
2 | 2.16.840.1 | - | - | High
3 | 4.1.311.10 | - | - | High
4 | 5.8.88.64 | - | - | High
5 | 5.9.189.40 | static.40.189.9.5.clients.your-server.de | - | High
6 | 5.10.40.54 | dsl-5-10-40-54.pool.bitel.net | - | High
7 | 5.61.32.118 | - | - | High
8 | 5.61.38.52 | - | - | High
9 | 5.135.73.113 | - | - | High
10 | 5.149.250.235 | snigist.co.uk | - | High
11 | 5.149.250.241 | flipveranda.co.uk | - | High
12 | 5.149.252.144 | - | - | High
13 | 5.149.253.126 | - | - | High
14 | 5.188.10.102 | - | - | High
15 | 5.188.10.248 | - | - | High
16 | 5.199.169.188 | - | - | High
17 | 5.252.177.23 | 5-252-177-23.mivocloud.com | OpBlueRaven | High
18 | 5.252.177.37 | no-rdns.mivocloud.com | OpBlueRaven | High
19 | 8.28.175.68 | phoenixartisanacoutrements.com | - | High
20 | 23.83.133.119 | - | OpBlueRaven | High
21 | 23.249.162.161 | - | - | High
22 | 31.7.61.136 | hosted-by.securefastserver.com | - | High
23 | 31.18.219.133 | ip1f12db85.dynamic.kabel-deutschland.de | - | High
24 | 31.131.17.125 | - | - | High
25 | 31.131.17.127 | automarinetechnology.com | - | High
26 | 31.131.17.128 | - | - | High
27 | 31.148.219.18 | - | - | High
28 | 31.148.219.44 | - | - | High
29 | 31.148.219.126 | - | - | High
30 | 31.148.219.141 | - | - | High
31 | 31.148.220.107 | - | - | High
32 | 31.148.220.215 | - | - | High
33 | 31.184.234.66 | - | - | High
34 | 31.184.234.71 | - | - | High
35 | 37.1.211.239 | ourdrops.org | OpBlueRaven | High
36 | 37.1.215.4 | - | OpBlueRaven | High
37 | 37.1.215.72 | - | OpBlueRaven | High
38 | 37.235.54.48 | 48.54.235.37.in-addr.arpa | - | High
39 | 37.252.4.131 | - | OpBlueRaven | High
40 | 45.77.60.230 | 45.77.60.230.vultr.com | OpBlueRaven | Medium
41 | 45.77.204.130 | 45.77.204.130.vultr.com | OpBlueRaven | Medium
42 | 45.87.152.64 | free.pq.hosting | OpBlueRaven | High
43 | 45.133.216.25 | lisulisimp.example.com | OpBlueRaven | High
44 | ... | ... | ... | ...

There are 172 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by FIN7. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by FIN7. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 8 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by FIN7. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by FIN7. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/+CSCOE+/logon.html` | High
2 | File | `/?module=users§ion=cpanel&page=list` | High
3 | File | `/concat?/%2557EB-INF/web.xml` | High
4 | File | `/context/%2e/WEB-INF/web.xml` | High
2 | File | `/context/%2e/WEB-INF/web.xml` | High
3 | File | `/ext/phar/phar_object.c` | High
4 | File | `/filemanager/php/connector.php` | High
5 | File | `/get_getnetworkconf.cgi` | High
6 | File | `/HNAP1` | Low
7 | File | `/index.php?controller=calendar&format=raw&cat[0]=SQLi&task=events` | High
7 | File | `/modx/manager/index.php` | High
8 | File | `/monitoring` | Medium
9 | File | `/new` | Low
10 | File | `/osm/REGISTER.cmd` | High
11 | File | `/proc/<pid>/status` | High
12 | File | `/public/plugins/` | High
13 | File | `/replication` | Medium
14 | File | `/secure/QueryComponent!Default.jspa` | High
10 | File | `/proc/<pid>/status` | High
11 | File | `/public/plugins/` | High
12 | File | `/replication` | Medium
13 | File | `/secure/QueryComponent!Default.jspa` | High
14 | File | `/siteminderagent/pwcgi/smpwservicescgi.exe` | High
15 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
16 | File | `/tmp` | Low
17 | File | `/type.php` | Medium
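Review bot: rows 1 to 3 of the IOC table (`1.3.6.1`, `2.16.840.1`, `4.1.311.10`) are carried into the new table at High confidence and without a campaign, but they are not network resources: 1.3.6.1 and 2.16.840.1 are the OID arcs that open practically every X.509 certificate and SNMP MIB, and 4.1.311.10 is a fragment of Microsoft's 1.3.6.1.4.1.311 enterprise OID. They look like the output of a dotted-number extractor matching ASN.1 object identifiers, and a reader who loads this table into a blocklist will block 1.3.6.1 for no reason; drop them or move them to a non-IP indicator type. Row 43 pairs `45.133.216.25` with `lisulisimp.example.com`, a name in the reserved example.com documentation domain, so it cannot be a resolved reverse name and should be checked before it is tagged `OpBlueRaven`. Row 10 silently changes its hostname from `quoll.tellfex.com` to `snigist.co.uk`; since the address is the indicator and its PTR name drifts, a first-seen/last-seen column would tell readers which name applied when. In the IOA rows, `/HNAP1`, `/new` and `/tmp` sit at Low confidence beside High rows; a confidence floor for the published table, or a sentence explaining what Low means, would help.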

@ -116,36 +116,43 @@ ID | Type | Indicator | Confidence
20 | File | `/wp-json/wc/v3/webhooks` | High
21 | File | `4.2.0.CP09` | Medium
22 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
23 | File | `actions/CompanyDetailsSave.php` | High
24 | File | `ActiveServices.java` | High
25 | File | `admin.color.php` | High
26 | File | `admin.cropcanvas.php` | High
27 | File | `admin.joomlaradiov5.php` | High
28 | File | `admin.php` | Medium
29 | File | `admin/?n=user&c=admin_user&a=doGetUserInfo` | High
30 | File | `admin/add-glossary.php` | High
31 | File | `admin/conf_users_edit.php` | High
32 | File | `admin/edit-comments.php` | High
33 | File | `admin/src/containers/InputModalStepperProvider/index.js` | High
34 | File | `admin/write-post.php` | High
35 | File | `administrator/components/com_media/helpers/media.php` | High
36 | File | `admin_events.php` | High
37 | File | `AjaxApplication.java` | High
38 | File | `akocomments.php` | High
39 | File | `allopass-error.php` | High
40 | File | `AllowBindAppWidgetActivity.java` | High
41 | File | `AndroidManifest.xml` | High
42 | File | `AnnotateActivity.java` | High
43 | File | `announcement.php` | High
44 | File | `api/settings/values` | High
45 | File | `apply.cgi` | Medium
46 | ... | ... | ...
23 | File | `802dot1xclientcert.cgi` | High
24 | File | `AccountManagerService.java` | High
25 | File | `actions/CompanyDetailsSave.php` | High
26 | File | `add.exe` | Low
27 | File | `admin.color.php` | High
28 | File | `admin.cropcanvas.php` | High
29 | File | `admin.joomlaradiov5.php` | High
30 | File | `admin.php` | Medium
31 | File | `admin.php?m=Food&a=addsave` | High
32 | File | `admin/add-glossary.php` | High
33 | File | `admin/conf_users_edit.php` | High
34 | File | `admin/edit-comments.php` | High
35 | File | `admin/index.php` | High
36 | File | `admin/src/containers/InputModalStepperProvider/index.js` | High
37 | File | `admin/write-post.php` | High
38 | File | `administrator/components/com_media/helpers/media.php` | High
39 | File | `admin_events.php` | High
40 | File | `AjaxApplication.java` | High
41 | File | `akocomments.php` | High
42 | File | `allopass-error.php` | High
43 | File | `AllowBindAppWidgetActivity.java` | High
44 | File | `android/webkit/SearchBoxImpl.java` | High
45 | File | `AndroidManifest.xml` | High
46 | File | `announcement.php` | High
47 | File | `api/settings/values` | High
48 | File | `app/topic/action/admin/topic.php` | High
49 | File | `apply.cgi` | Medium
50 | File | `artlinks.dispnew.php` | High
51 | File | `auth.inc.php` | Medium
52 | File | `awstats.pl` | Medium
53 | ... | ... | ...

There are 400 more IOA items available. Please use our online service to access the data.
There are 458 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:

* https://github.com/prodaft/malware-ioc/tree/master/OpBlueRaven
* https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/
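Review bot: the new row 26 `add.exe` (Low) and the new row 35 `admin/index.php` (High) are filenames present on countless unrelated systems; the first cannot support a detection on its own, and the second will produce false positives wherever it is matched as a path fragment rather than as a full URL with a vulnerable parameter. Either state in the IOA introduction how the confidence level is derived and how the fragment is meant to be matched, or leave Low rows out of the public table. The removed row `admin/?n=user&c=admin_user&a=doGetUserInfo` is the kind of specific request path that actually carries signal, so it is worth noting in the commit why it was dropped while the generic rows were kept.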

@ -157,7 +164,7 @@ The following list contains external sources which discuss the actor and the ass

## Literature

The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

@ -1,18 +1,18 @@
# FIN8 - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [FIN8](https://vuldb.com/?actor.fin8). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [FIN8](https://vuldb.com/?actor.fin8). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.fin8](https://vuldb.com/?actor.fin8)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.fin8](https://vuldb.com/?actor.fin8)

## Campaigns

The following campaigns are known and can be associated with FIN8:
The following _campaigns_ are known and can be associated with FIN8:

* Badhatch

## Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FIN8:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FIN8:

* US
* CN

@ -23,29 +23,29 @@ There are 1 more country items available. Please use our online service to acces

## IOC - Indicator of Compromise

These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of FIN8.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of FIN8.

ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 104.168.145.204 | hwsrv-836597.hostwindsdns.com | High
2 | 104.168.237.21 | hwsrv-850035.hostwindsdns.com | High
3 | 192.52.167.199 | mx312.punkchaine.net | High
4 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 104.168.145.204 | hwsrv-836597.hostwindsdns.com | Badhatch | High
2 | 104.168.237.21 | hwsrv-850035.hostwindsdns.com | - | High
3 | 192.52.167.199 | mx312.punkchaine.net | Badhatch | High
4 | ... | ... | ... | ...

There are 2 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by FIN8. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by FIN8. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High

## IOA - Indicator of Attack

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by FIN8. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by FIN8. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------

@ -54,18 +54,18 @@ ID | Type | Indicator | Confidence
3 | File | `admin/index.php` | High
4 | ... | ... | ...

There are 20 more IOA items available. Please use our online service to access the data.
There are 20 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:

* https://businessinsights.bitdefender.com/deep-dive-into-a-fin8-attack-a-forensic-investigation
* https://vxug.fakedoma.in/archive/APTs/2021/2021.03.10/BADHATCH.pdf

## Literature

The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

@ -1,12 +1,12 @@
# FakeAlert - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [FakeAlert](https://vuldb.com/?actor.fakealert). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [FakeAlert](https://vuldb.com/?actor.fakealert). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.fakealert](https://vuldb.com/?actor.fakealert)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.fakealert](https://vuldb.com/?actor.fakealert)

## Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FakeAlert:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FakeAlert:

* US
* PT

@ -17,30 +17,30 @@ There are 4 more country items available. Please use our online service to acces

## IOC - Indicator of Compromise

These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of FakeAlert.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of FakeAlert.

ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 3.8.23.195 | ec2-3-8-23-195.eu-west-2.compute.amazonaws.com | Medium
2 | 3.8.191.167 | ec2-3-8-191-167.eu-west-2.compute.amazonaws.com | Medium
3 | 18.130.240.77 | ec2-18-130-240-77.eu-west-2.compute.amazonaws.com | Medium
4 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 3.8.23.195 | ec2-3-8-23-195.eu-west-2.compute.amazonaws.com | - | Medium
2 | 3.8.191.167 | ec2-3-8-191-167.eu-west-2.compute.amazonaws.com | - | Medium
3 | 18.130.240.77 | ec2-18-130-240-77.eu-west-2.compute.amazonaws.com | - | Medium
4 | ... | ... | ... | ...

There are 10 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by FakeAlert. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by FakeAlert. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1211 | 7PK Security Features | High
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-284 | Execution with Unnecessary Privileges | High
3 | T1211 | CWE-254 | 7PK Security Features | High

## IOA - Indicator of Attack

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by FakeAlert. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by FakeAlert. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
|
||||
|
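Review bot: the Description column of the new TTP table still holds a weakness title rather than a description of the ATT&CK technique in the first column, so row 3, `3 | T1211 | CWE-254 | 7PK Security Features | High`, now places a CWE identifier next to a CWE-style title while nothing on the row says what T1211 is; either state in the TTP intro sentence that Description names the weakness attached to the technique, or add the technique name, so downstream consumers do not read the column as an ATT&CK label. The Campaign column added to the IOC table holds `-` in all three visible rows, and the same `-` is used elsewhere in this commit for an unknown hostname; an explicit "none" marker, or a note on what a populated value looks like, would make the column unambiguous.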
@ -50,17 +50,17 @@ ID | Type | Indicator | Confidence
4 | File | `content.php` | Medium
5 | ... | ... | ...

There are 29 more IOA items available. Please use our online service to access the data.
There are 29 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:

* https://github.com/sophoslabs/IoCs/blob/master/mal-fakealert.csv

## Literature

The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

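Review bot: the References list keeps a bare URL (`* https://github.com/sophoslabs/IoCs/blob/master/mal-fakealert.csv`) while the Literature list directly below uses `[title](url)` links; using the same link form in both lists, with the source's title, renders consistently and survives a URL change better. The reworded count line now enumerates the IOA types (file, library, argument, input value, pattern, network port), which is useful; consider naming those types in the IOA intro sentence as well, since the Type column of the visible rows only ever shows `File`.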
@ -1,41 +1,41 @@

# FamousSparrow - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [FamousSparrow](https://vuldb.com/?actor.famoussparrow). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [FamousSparrow](https://vuldb.com/?actor.famoussparrow). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.famoussparrow](https://vuldb.com/?actor.famoussparrow)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.famoussparrow](https://vuldb.com/?actor.famoussparrow)

## Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FamousSparrow:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FamousSparrow:

* US
* CN

## IOC - Indicator of Compromise

These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of FamousSparrow.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of FamousSparrow.

ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 27.102.113.240 | power.playtimeins.net | High
2 | 45.192.178.206 | - | High
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 27.102.113.240 | power.playtimeins.net | - | High
2 | 45.192.178.206 | - | - | High

## TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by FamousSparrow. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by FamousSparrow. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 2 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by FamousSparrow. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by FamousSparrow. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------

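Review bot: the Weakness column gives different CWE sets for the same technique across the files in this commit: T1068 is `CWE-264, CWE-284` here (row 2) but `CWE-284` alone in the FakeAlert table above and `CWE-264` alone in the Finteam table further down, and T1059.007 is `CWE-79, CWE-80` here while the Five Poisons table lists only `CWE-80`. If the column is a fixed technique-to-CWE mapping the files should agree; if it reflects per-actor evidence, the TTP intro sentence should say so, otherwise readers will take the divergence for an error.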
@ -44,17 +44,17 @@ ID | Type | Indicator | Confidence
3 | File | `/system?action=ServiceAdmin` | High
4 | ... | ... | ...

There are 25 more IOA items available. Please use our online service to access the data.
There are 25 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:

* https://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/

## Literature

The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

@ -0,0 +1,112 @@

# Fanel - Cyber Threat Intelligence

These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Fanel](https://vuldb.com/?actor.fanel). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.fanel](https://vuldb.com/?actor.fanel)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Fanel:

* RO
* US
* ES
* ...

There are 5 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Fanel.

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 34.67.140.147 | 147.140.67.34.bc.googleusercontent.com | - | Medium
2 | 34.87.185.57 | 57.185.87.34.bc.googleusercontent.com | - | Medium
3 | 34.93.240.37 | 37.240.93.34.bc.googleusercontent.com | - | Medium
4 | 41.234.66.22 | host-41.234.66.22.tedata.net | - | High
5 | 51.89.99.60 | ns31180559.ip-51-89-99.eu | - | High
6 | 51.91.140.218 | - | - | High
7 | ... | ... | ... | ...

There are 24 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Fanel. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 7 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Fanel. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/admin/editer.php` | High
2 | File | `/admin/index/index.html#listarticle` | High
3 | File | `/bin/goahead` | Medium
4 | File | `/cgi-bin/kerbynet` | High
5 | File | `/cgi-bin/supervisor/PwdGrp.cgi` | High
6 | File | `/etc/postfix/sender_login` | High
7 | File | `/framework/core/models/expRecord.php` | High
8 | File | `/HNAP1` | Low
9 | File | `/htdocs/webinc/js/bsc_sms_inbox.php` | High
10 | File | `/manager?action=getlogcat` | High
11 | File | `/medicines` | Medium
12 | File | `/plugins/servlet/branchreview` | High
13 | File | `/proc` | Low
14 | File | `/Pwrchute` | Medium
15 | File | `/tmp` | Low
16 | File | `/tmp/.deepin-clone.log` | High
17 | File | `/users/{id}` | Medium
18 | File | `/usr/bin/pkexec` | High
19 | File | `/var/www/xms/application/controllers/verifyLogin.php` | High
20 | File | `actions.cpp` | Medium
21 | File | `adm1n/admin_config.php` | High
22 | File | `admin-ajax.php` | High
23 | File | `admin.php` | Medium
24 | File | `admin/addpage.php` | High
25 | File | `admin/admin_process.php` | High
26 | File | `admin/editusertag.php` | High
27 | File | `admin/eventlist.php` | High
28 | File | `admin/reklam_detay.asp` | High
29 | File | `admin/settings.php` | High
30 | File | `admin/snacks_edit.php` | High
31 | File | `admin/userview.php` | High
32 | File | `all_calendars.asp` | High
33 | File | `anniv.php` | Medium
34 | File | `api.php` | Low
35 | File | `app/search/search.app.php` | High
36 | File | `appGet.cgi` | Medium
37 | File | `apply.cgi` | Medium
38 | File | `arch/arm/kernel/perf_event.c` | High
39 | File | `ArticleType.php` | High
40 | File | `attachment.php` | High
41 | ... | ... | ...

There are 358 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://github.com/guardicore/labs_campaigns/tree/master/Fanel

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

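Review bot: the Countries list in this new file ends with an `* ...` marker before the "There are 5 more country items available" line, whereas the existing files in the same commit (FakeAlert above, whose next hunk's context reads "There are 4 more country items available", and FamousSparrow) print the visible entries without the marker; pick one convention for truncated lists, as the tables already do with their `... | ... | ...` row. Also, the IOA table mixes very generic paths at Low confidence (`/tmp`, `/proc`, `api.php`, `/HNAP1`) with specific ones at High; anyone feeding this table into detection has to filter on the Confidence column to avoid matching on every host, and a sentence saying so in the IOA intro would prevent noisy rules.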
@ -1,12 +1,12 @@

# Farseer - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Farseer](https://vuldb.com/?actor.farseer). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Farseer](https://vuldb.com/?actor.farseer). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.farseer](https://vuldb.com/?actor.farseer)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.farseer](https://vuldb.com/?actor.farseer)

## Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Farseer:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Farseer:

* US
* CN

@ -17,33 +17,33 @@ There are 6 more country items available. Please use our online service to acces

## IOC - Indicator of Compromise

These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Farseer.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Farseer.

ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 43.224.33.130 | 43.224.33.130.vultr.com | Medium
2 | 45.32.24.39 | 45.32.24.39.vultr.com | Medium
3 | 45.32.25.107 | 45.32.25.107.vultr.com | Medium
4 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 43.224.33.130 | 43.224.33.130.vultr.com | - | Medium
2 | 45.32.24.39 | 45.32.24.39.vultr.com | - | Medium
3 | 45.32.25.107 | 45.32.25.107.vultr.com | - | Medium
4 | ... | ... | ... | ...

There are 14 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Farseer. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Farseer. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 4 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Farseer. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Farseer. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------

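Review bot: the three visible IOC rows are shared cloud hosts with reverse-DNS names on vultr.com (`43.224.33.130.vultr.com`, `45.32.24.39.vultr.com`, `45.32.25.107.vultr.com`) at Medium confidence, and the new Campaign column is `-` for every one of them; addresses on such infrastructure are reassigned quickly, so a first-seen/last-seen date per row, or at least a generation date for the file, would let consumers age the indicators out instead of blocking a recycled address.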
@ -58,18 +58,18 @@ ID | Type | Indicator | Confidence
9 | File | `abook_database.php` | High
10 | ... | ... | ...

There are 74 more IOA items available. Please use our online service to access the data.
There are 74 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:

* https://unit42.paloaltonetworks.com/farseer-previously-unknown-malware-family-bolsters-the-chinese-armoury/
* https://www.threatminer.org/_reports/2019/Farseer_PreviouslyUnknownMalwareFamilybolsterstheChinesearmoury.pdf#viewer.action=download

## Literature

The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

@ -1,35 +1,39 @@

# Finteam - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Finteam](https://vuldb.com/?actor.finteam). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Finteam](https://vuldb.com/?actor.finteam). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.finteam](https://vuldb.com/?actor.finteam)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.finteam](https://vuldb.com/?actor.finteam)

## Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Finteam:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Finteam:

* US
* CN
* GB

## IOC - Indicator of Compromise

These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Finteam.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Finteam.

ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 146.0.72.180 | - | High
2 | 185.70.186.145 | - | High
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 146.0.72.180 | - | - | High
2 | 185.70.186.145 | - | - | High
3 | 193.109.69.5 | - | - | High

## TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Finteam. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Finteam. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High

## IOA - Indicator of Attack

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Finteam. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Finteam. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------

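Review bot: this hunk (`-1,35 +1,39`) mixes the schema change applied to every file in the commit (Campaign and Weakness columns, italicised terms) with new data that has no counterpart in the old tables: IOC row 3 `193.109.69.5` and TTP row 2 `2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High`, and the IOA count in the next hunk rises from 65 to 67. Splitting the data additions from the formatting pass, or at least naming them in the commit message, makes the new indicators reviewable on their own.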
@ -43,17 +47,18 @@ ID | Type | Indicator | Confidence
8 | File | `category.php` | Medium
9 | ... | ... | ...

There are 65 more IOA items available. Please use our online service to access the data.
There are 67 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:

* https://research.checkpoint.com/2019/finteam-trojanized-teamviewer-against-government-targets/
* https://www.threatminer.org/_reports/2019/FINTEAM_TrojanizedTeamViewerAgainstGovernmentTargets-CheckPointResearch.pdf#viewer.action=download

## Literature

The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

@ -1,41 +1,41 @@

# Five Poisons - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Five Poisons](https://vuldb.com/?actor.five_poisons). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Five Poisons](https://vuldb.com/?actor.five_poisons). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.five_poisons](https://vuldb.com/?actor.five_poisons)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.five_poisons](https://vuldb.com/?actor.five_poisons)

## Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Five Poisons:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Five Poisons:

* US
* CN

## IOC - Indicator of Compromise

These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Five Poisons.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Five Poisons.

ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 59.188.12.123 | - | High
2 | 118.193.240.195 | - | High
3 | 122.10.9.121 | - | High
4 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 59.188.12.123 | - | - | High
2 | 118.193.240.195 | - | - | High
3 | 122.10.9.121 | - | - | High
4 | ... | ... | ... | ...

There are 3 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Five Poisons. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Five Poisons. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-80 | Cross Site Scripting | High
2 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High

## IOA - Indicator of Attack

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Five Poisons. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Five Poisons. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------

@ -44,17 +44,17 @@ ID | Type | Indicator | Confidence
3 | File | `inc/config.php` | High
4 | ... | ... | ...

There are 4 more IOA items available. Please use our online service to access the data.
There are 4 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:

* https://www.threatminer.org/report.php?q=ASERT-Threat-Intelligence-Report-2016-03-The-Four-Element-Sword-Engagement.pdf&y=2016

## Literature

The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

@ -1,40 +1,40 @@

# FontOnLake - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [FontOnLake](https://vuldb.com/?actor.fontonlake). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [FontOnLake](https://vuldb.com/?actor.fontonlake). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.fontonlake](https://vuldb.com/?actor.fontonlake)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.fontonlake](https://vuldb.com/?actor.fontonlake)

## Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FontOnLake:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FontOnLake:

* CN
* US

## IOC - Indicator of Compromise

These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of FontOnLake.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of FontOnLake.

ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 27.102.130.63 | - | High
2 | 47.107.60.212 | - | High
3 | 47.112.197.119 | - | High
4 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 27.102.130.63 | - | - | High
2 | 47.107.60.212 | - | - | High
3 | 47.112.197.119 | - | - | High
4 | ... | ... | ... | ...

There are 2 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by FontOnLake. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by FontOnLake. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1068 | Execution with Unnecessary Privileges | High
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1068 | CWE-284 | Execution with Unnecessary Privileges | High
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by FontOnLake. This data is unique as it uses our predictive model for actor profiling.
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by FontOnLake. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
|
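Review bot: in the TTP table of this hunk the new Weakness column lists only CWE-284 for T1068, but the Description column still reads "Execution with Unnecessary Privileges", which is the title of CWE-250 (not listed here) rather than the ATT&CK name of T1068 (Exploitation for Privilege Escalation); either include the weakness the description names or rename the column so it is not read as a description of the listed CWEs. The new Campaign column in the IOC table is "-" in every row and this file has no Campaigns section, so the export should document that "-" means no campaign attribution rather than an unknown value.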
@ -43,17 +43,17 @@ ID | Type | Indicator | Confidence
|
|||
3 | File | `application\User\Controller\ProfileController.class.php` | High
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 12 more IOA items available. Please use our online service to access the data.
|
||||
There are 12 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://www.welivesecurity.com/2021/10/07/fontonlake-previously-unknown-malware-family-targeting-linux/
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
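Review bot: the reworded count line "There are 12 more IOA items available (file, library, argument, input value, pattern, network port)" is ambiguous: it can be read as the types found among the 12 withheld items or as the full vocabulary of IOA types, and the visible rows only ever show "File". Suggest "of type file, library, ..." if it describes the withheld items, or "IOA types: ..." if it is the type vocabulary.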
@ -1,43 +1,89 @@
|
|||
# Formbook - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Formbook](https://vuldb.com/?actor.formbook). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Formbook](https://vuldb.com/?actor.formbook). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.formbook](https://vuldb.com/?actor.formbook)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.formbook](https://vuldb.com/?actor.formbook)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Formbook:
|
||||
|
||||
* US
|
||||
* CN
|
||||
* FR
|
||||
* ...
|
||||
|
||||
There are 8 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Formbook.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Formbook.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 3.143.65.214 | ec2-3-143-65-214.us-east-2.compute.amazonaws.com | Medium
|
||||
2 | 3.223.115.185 | ec2-3-223-115-185.compute-1.amazonaws.com | Medium
|
||||
3 | 5.134.13.72 | i51.gds.guru.net.uk | High
|
||||
4 | 13.59.53.244 | ec2-13-59-53-244.us-east-2.compute.amazonaws.com | Medium
|
||||
5 | 13.107.42.12 | 1drv.ms | High
|
||||
6 | 13.248.216.40 | afdda383cf24ec8c3.awsglobalaccelerator.com | High
|
||||
7 | 20.36.253.92 | - | High
|
||||
8 | 23.6.69.99 | a23-6-69-99.deploy.static.akamaitechnologies.com | High
|
||||
9 | 23.227.38.74 | - | High
|
||||
10 | 34.98.99.30 | 30.99.98.34.bc.googleusercontent.com | Medium
|
||||
11 | 34.102.136.180 | 180.136.102.34.bc.googleusercontent.com | Medium
|
||||
12 | 34.214.40.214 | ec2-34-214-40-214.us-west-2.compute.amazonaws.com | Medium
|
||||
13 | 34.216.47.14 | ec2-34-216-47-14.us-west-2.compute.amazonaws.com | Medium
|
||||
14 | 34.242.63.192 | ec2-34-242-63-192.eu-west-1.compute.amazonaws.com | Medium
|
||||
15 | 34.243.160.251 | ec2-34-243-160-251.eu-west-1.compute.amazonaws.com | Medium
|
||||
16 | 34.255.61.59 | ec2-34-255-61-59.eu-west-1.compute.amazonaws.com | Medium
|
||||
17 | 35.178.125.63 | ec2-35-178-125-63.eu-west-2.compute.amazonaws.com | Medium
|
||||
18 | 40.77.18.167 | - | High
|
||||
19 | 40.126.26.134 | - | High
|
||||
20 | 44.227.65.245 | ec2-44-227-65-245.us-west-2.compute.amazonaws.com | Medium
|
||||
21 | 44.230.27.49 | ec2-44-230-27-49.us-west-2.compute.amazonaws.com | Medium
|
||||
22 | ... | ... | ...
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 3.143.65.214 | ec2-3-143-65-214.us-east-2.compute.amazonaws.com | - | Medium
|
||||
2 | 3.223.115.185 | ec2-3-223-115-185.compute-1.amazonaws.com | - | Medium
|
||||
3 | 5.134.13.72 | i51.gds.guru.net.uk | - | High
|
||||
4 | 13.59.53.244 | ec2-13-59-53-244.us-east-2.compute.amazonaws.com | - | Medium
|
||||
5 | 13.107.42.12 | 1drv.ms | - | High
|
||||
6 | 13.248.216.40 | afdda383cf24ec8c3.awsglobalaccelerator.com | - | High
|
||||
7 | 20.36.253.92 | - | - | High
|
||||
8 | 23.6.69.99 | a23-6-69-99.deploy.static.akamaitechnologies.com | - | High
|
||||
9 | 23.227.38.74 | - | - | High
|
||||
10 | 34.98.99.30 | 30.99.98.34.bc.googleusercontent.com | - | Medium
|
||||
11 | 34.102.136.180 | 180.136.102.34.bc.googleusercontent.com | - | Medium
|
||||
12 | 34.214.40.214 | ec2-34-214-40-214.us-west-2.compute.amazonaws.com | - | Medium
|
||||
13 | 34.216.47.14 | ec2-34-216-47-14.us-west-2.compute.amazonaws.com | - | Medium
|
||||
14 | 34.242.63.192 | ec2-34-242-63-192.eu-west-1.compute.amazonaws.com | - | Medium
|
||||
15 | 34.243.160.251 | ec2-34-243-160-251.eu-west-1.compute.amazonaws.com | - | Medium
|
||||
16 | 34.255.61.59 | ec2-34-255-61-59.eu-west-1.compute.amazonaws.com | - | Medium
|
||||
17 | 35.178.125.63 | ec2-35-178-125-63.eu-west-2.compute.amazonaws.com | - | Medium
|
||||
18 | 40.77.18.167 | - | - | High
|
||||
19 | 40.126.26.134 | - | - | High
|
||||
20 | 44.227.65.245 | ec2-44-227-65-245.us-west-2.compute.amazonaws.com | - | Medium
|
||||
21 | 44.230.27.49 | ec2-44-230-27-49.us-west-2.compute.amazonaws.com | - | Medium
|
||||
22 | ... | ... | ... | ...
|
||||
|
||||
There are 86 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Formbook. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1211 | CWE-254 | 7PK Security Features | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 4 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Formbook. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/bin/boa` | Medium
|
||||
2 | File | `/dev/urandom` | Medium
|
||||
3 | File | `/etc/quantum/quantum.conf` | High
|
||||
4 | File | `/exec/` | Low
|
||||
5 | File | `/getcfg.php` | Medium
|
||||
6 | File | `/HNAP1` | Low
|
||||
7 | File | `/modules/projects/vw_files.php` | High
|
||||
8 | File | `/plain` | Low
|
||||
9 | File | `/uncpath/` | Medium
|
||||
10 | File | `/_next` | Low
|
||||
11 | File | `actionHandler/ajax_managed_services.php` | High
|
||||
12 | File | `admin/admin.shtml` | High
|
||||
13 | ... | ... | ...
|
||||
|
||||
There are 104 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html
|
||||
* https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html
|
||||
|
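Review bot: the IOC table in this hunk rates shared infrastructure as actionable at High confidence, e.g. `5 | 13.107.42.12 | 1drv.ms | - | High` and `8 | 23.6.69.99 | a23-6-69-99.deploy.static.akamaitechnologies.com | - | High`, alongside many generic EC2 and Google Cloud hosts at Medium; a defender feeding this table into a blocklist would break OneDrive and Akamai-hosted services for the whole organisation. Either flag shared or CDN hosts separately or state in the IOC preamble that these rows are for correlation and hunting, not for blocking. The new TTP row `3 | T1211 | CWE-254 | 7PK Security Features` has the same column problem as the other files: CWE-254 is a category name, not a technique description, and T1211 is Exploitation for Defense Evasion in ATT&CK.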
@ -48,7 +94,7 @@ The following list contains external sources which discuss the actor and the ass
|
|||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
@ -0,0 +1,402 @@
|
|||
# FritzFrog - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [FritzFrog](https://vuldb.com/?actor.fritzfrog). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.fritzfrog](https://vuldb.com/?actor.fritzfrog)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FritzFrog:
|
||||
|
||||
* US
|
||||
* CN
|
||||
* ES
|
||||
* ...
|
||||
|
||||
There are 5 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of FritzFrog.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 1.6.80.1 | - | - | High
|
||||
2 | 1.12.223.203 | - | - | High
|
||||
3 | 1.12.243.168 | - | - | High
|
||||
4 | 1.14.95.58 | - | - | High
|
||||
5 | 1.14.166.163 | - | - | High
|
||||
6 | 1.14.226.88 | - | - | High
|
||||
7 | 1.14.253.207 | - | - | High
|
||||
8 | 1.116.55.237 | - | - | High
|
||||
9 | 1.116.206.188 | - | - | High
|
||||
10 | 1.117.3.72 | - | - | High
|
||||
11 | 1.117.16.119 | - | - | High
|
||||
12 | 1.117.58.108 | - | - | High
|
||||
13 | 1.117.160.142 | - | - | High
|
||||
14 | 1.117.229.94 | - | - | High
|
||||
15 | 1.165.115.76 | 1-165-115-76.dynamic-ip.hinet.net | - | High
|
||||
16 | 1.165.118.93 | 1-165-118-93.dynamic-ip.hinet.net | - | High
|
||||
17 | 1.165.143.43 | 1-165-143-43.dynamic-ip.hinet.net | - | High
|
||||
18 | 1.165.211.196 | 1-165-211-196.dynamic-ip.hinet.net | - | High
|
||||
19 | 1.192.94.61 | - | - | High
|
||||
20 | 1.220.98.197 | - | - | High
|
||||
21 | 2.58.113.123 | tube-hosting.de | - | High
|
||||
22 | 2.59.92.14 | - | - | High
|
||||
23 | 2.78.61.194 | 2-78-61-194.kcell.kz | - | High
|
||||
24 | 2.80.12.140 | bl19-12-140.dsl.telepac.pt | - | High
|
||||
25 | 2.227.254.144 | - | - | High
|
||||
26 | 3.0.206.162 | ec2-3-0-206-162.ap-southeast-1.compute.amazonaws.com | - | Medium
|
||||
27 | 3.6.71.245 | ec2-3-6-71-245.ap-south-1.compute.amazonaws.com | - | Medium
|
||||
28 | 3.9.188.69 | ec2-3-9-188-69.eu-west-2.compute.amazonaws.com | - | Medium
|
||||
29 | 3.14.13.27 | ec2-3-14-13-27.us-east-2.compute.amazonaws.com | - | Medium
|
||||
30 | 3.14.153.3 | ec2-3-14-153-3.us-east-2.compute.amazonaws.com | - | Medium
|
||||
31 | 3.17.11.48 | ec2-3-17-11-48.us-east-2.compute.amazonaws.com | - | Medium
|
||||
32 | 3.17.152.26 | ec2-3-17-152-26.us-east-2.compute.amazonaws.com | - | Medium
|
||||
33 | 3.17.188.16 | ec2-3-17-188-16.us-east-2.compute.amazonaws.com | - | Medium
|
||||
34 | 3.35.185.49 | ec2-3-35-185-49.ap-northeast-2.compute.amazonaws.com | - | Medium
|
||||
35 | 3.38.209.200 | ec2-3-38-209-200.ap-northeast-2.compute.amazonaws.com | - | Medium
|
||||
36 | 3.70.67.35 | ec2-3-70-67-35.eu-central-1.compute.amazonaws.com | - | Medium
|
||||
37 | 3.82.227.46 | ec2-3-82-227-46.compute-1.amazonaws.com | - | Medium
|
||||
38 | 3.86.230.210 | ec2-3-86-230-210.compute-1.amazonaws.com | - | Medium
|
||||
39 | 3.88.203.1 | ec2-3-88-203-1.compute-1.amazonaws.com | - | Medium
|
||||
40 | 3.91.21.110 | ec2-3-91-21-110.compute-1.amazonaws.com | - | Medium
|
||||
41 | 3.112.16.145 | ec2-3-112-16-145.ap-northeast-1.compute.amazonaws.com | - | Medium
|
||||
42 | 3.112.27.236 | ec2-3-112-27-236.ap-northeast-1.compute.amazonaws.com | - | Medium
|
||||
43 | 3.112.52.252 | ec2-3-112-52-252.ap-northeast-1.compute.amazonaws.com | - | Medium
|
||||
44 | 3.113.28.245 | ec2-3-113-28-245.ap-northeast-1.compute.amazonaws.com | - | Medium
|
||||
45 | 3.115.18.133 | ec2-3-115-18-133.ap-northeast-1.compute.amazonaws.com | - | Medium
|
||||
46 | 3.122.60.196 | ec2-3-122-60-196.eu-central-1.compute.amazonaws.com | - | Medium
|
||||
47 | 3.127.114.41 | ec2-3-127-114-41.eu-central-1.compute.amazonaws.com | - | Medium
|
||||
48 | 3.127.255.82 | ec2-3-127-255-82.eu-central-1.compute.amazonaws.com | - | Medium
|
||||
49 | 3.133.59.250 | ec2-3-133-59-250.us-east-2.compute.amazonaws.com | - | Medium
|
||||
50 | 3.138.162.152 | ec2-3-138-162-152.us-east-2.compute.amazonaws.com | - | Medium
|
||||
51 | 3.219.216.198 | ec2-3-219-216-198.compute-1.amazonaws.com | - | Medium
|
||||
52 | 3.236.39.46 | ec2-3-236-39-46.compute-1.amazonaws.com | - | Medium
|
||||
53 | 3.236.44.195 | ec2-3-236-44-195.compute-1.amazonaws.com | - | Medium
|
||||
54 | 5.25.247.205 | - | - | High
|
||||
55 | 5.26.221.186 | - | - | High
|
||||
56 | 5.26.250.165 | - | - | High
|
||||
57 | 5.26.251.165 | - | - | High
|
||||
58 | 5.26.254.49 | - | - | High
|
||||
59 | 5.26.254.72 | - | - | High
|
||||
60 | 5.26.254.73 | - | - | High
|
||||
61 | 5.28.139.161 | - | - | High
|
||||
62 | 5.34.181.108 | unallocated.layer6.net | - | High
|
||||
63 | 5.34.181.109 | unallocated.layer6.net | - | High
|
||||
64 | 5.35.10.81 | - | - | High
|
||||
65 | 5.39.113.106 | ip106.ip-5-39-113.eu | - | High
|
||||
66 | 5.42.158.38 | - | - | High
|
||||
67 | 5.42.158.71 | - | - | High
|
||||
68 | 5.61.57.196 | - | - | High
|
||||
69 | 5.182.17.252 | vmi726193.contaboserver.net | - | High
|
||||
70 | 5.231.205.137 | certo-237-205-231-5.efeitocerto.com.br | - | High
|
||||
71 | 5.253.86.211 | - | - | High
|
||||
72 | 8.17.89.11 | 8-17-89-11.paxio.net | - | High
|
||||
73 | 8.208.89.230 | - | - | High
|
||||
74 | 8.215.31.94 | - | - | High
|
||||
75 | 8.218.100.52 | - | - | High
|
||||
76 | 12.36.229.193 | - | - | High
|
||||
77 | 12.160.25.98 | - | - | High
|
||||
78 | 12.173.254.230 | - | - | High
|
||||
79 | 12.176.121.170 | - | - | High
|
||||
80 | 12.222.12.26 | - | - | High
|
||||
81 | 12.234.91.165 | - | - | High
|
||||
82 | 13.37.158.253 | ec2-13-37-158-253.eu-west-3.compute.amazonaws.com | - | Medium
|
||||
83 | 13.52.74.242 | ec2-13-52-74-242.us-west-1.compute.amazonaws.com | - | Medium
|
||||
84 | 13.53.127.223 | ec2-13-53-127-223.eu-north-1.compute.amazonaws.com | - | Medium
|
||||
85 | 13.53.149.216 | ec2-13-53-149-216.eu-north-1.compute.amazonaws.com | - | Medium
|
||||
86 | 13.57.226.95 | ec2-13-57-226-95.us-west-1.compute.amazonaws.com | - | Medium
|
||||
87 | 13.59.13.98 | ec2-13-59-13-98.us-east-2.compute.amazonaws.com | - | Medium
|
||||
88 | 13.59.67.195 | ec2-13-59-67-195.us-east-2.compute.amazonaws.com | - | Medium
|
||||
89 | 13.72.247.133 | - | - | High
|
||||
90 | 13.77.163.87 | - | - | High
|
||||
91 | 13.78.143.45 | - | - | High
|
||||
92 | 13.79.246.35 | - | - | High
|
||||
93 | 13.80.144.47 | - | - | High
|
||||
94 | 13.80.148.182 | - | - | High
|
||||
95 | 13.90.45.216 | - | - | High
|
||||
96 | 13.92.247.241 | - | - | High
|
||||
97 | 13.113.129.210 | ec2-13-113-129-210.ap-northeast-1.compute.amazonaws.com | - | Medium
|
||||
98 | 13.114.10.152 | ec2-13-114-10-152.ap-northeast-1.compute.amazonaws.com | - | Medium
|
||||
99 | 13.124.214.6 | ec2-13-124-214-6.ap-northeast-2.compute.amazonaws.com | - | Medium
|
||||
100 | 13.124.217.127 | ec2-13-124-217-127.ap-northeast-2.compute.amazonaws.com | - | Medium
|
||||
101 | 13.126.18.196 | ec2-13-126-18-196.ap-south-1.compute.amazonaws.com | - | Medium
|
||||
102 | 13.126.244.38 | ec2-13-126-244-38.ap-south-1.compute.amazonaws.com | - | Medium
|
||||
103 | 13.209.39.176 | ec2-13-209-39-176.ap-northeast-2.compute.amazonaws.com | - | Medium
|
||||
104 | 13.211.180.165 | ec2-13-211-180-165.ap-southeast-2.compute.amazonaws.com | - | Medium
|
||||
105 | 13.211.234.149 | ec2-13-211-234-149.ap-southeast-2.compute.amazonaws.com | - | Medium
|
||||
106 | 13.232.213.134 | ec2-13-232-213-134.ap-south-1.compute.amazonaws.com | - | Medium
|
||||
107 | 13.233.60.246 | ec2-13-233-60-246.ap-south-1.compute.amazonaws.com | - | Medium
|
||||
108 | 13.233.98.125 | ec2-13-233-98-125.ap-south-1.compute.amazonaws.com | - | Medium
|
||||
109 | 13.234.76.179 | ec2-13-234-76-179.ap-south-1.compute.amazonaws.com | - | Medium
|
||||
110 | 13.235.82.69 | ec2-13-235-82-69.ap-south-1.compute.amazonaws.com | - | Medium
|
||||
111 | 13.235.253.205 | ec2-13-235-253-205.ap-south-1.compute.amazonaws.com | - | Medium
|
||||
112 | 13.238.218.177 | ec2-13-238-218-177.ap-southeast-2.compute.amazonaws.com | - | Medium
|
||||
113 | 13.251.26.201 | ec2-13-251-26-201.ap-southeast-1.compute.amazonaws.com | - | Medium
|
||||
114 | 13.251.89.210 | ec2-13-251-89-210.ap-southeast-1.compute.amazonaws.com | - | Medium
|
||||
115 | 13.251.166.37 | ec2-13-251-166-37.ap-southeast-1.compute.amazonaws.com | - | Medium
|
||||
116 | 14.37.111.114 | - | - | High
|
||||
117 | 14.43.135.243 | - | - | High
|
||||
118 | 14.46.100.84 | - | - | High
|
||||
119 | 14.54.245.109 | - | - | High
|
||||
120 | 14.54.245.220 | - | - | High
|
||||
121 | 14.118.208.75 | - | - | High
|
||||
122 | 14.118.208.86 | - | - | High
|
||||
123 | 14.118.211.158 | - | - | High
|
||||
124 | 14.139.122.146 | - | - | High
|
||||
125 | 15.206.70.23 | ec2-15-206-70-23.ap-south-1.compute.amazonaws.com | - | Medium
|
||||
126 | 15.235.13.210 | ns5009092.ip-15-235-13.net | - | High
|
||||
127 | 15.235.13.211 | ns5009085.ip-15-235-13.net | - | High
|
||||
128 | 15.235.30.194 | ip194.ip-15-235-30.net | - | High
|
||||
129 | 18.27.197.252 | - | - | High
|
||||
130 | 18.130.29.105 | ec2-18-130-29-105.eu-west-2.compute.amazonaws.com | - | Medium
|
||||
131 | 18.136.203.250 | ec2-18-136-203-250.ap-southeast-1.compute.amazonaws.com | - | Medium
|
||||
132 | 18.138.238.88 | ec2-18-138-238-88.ap-southeast-1.compute.amazonaws.com | - | Medium
|
||||
133 | 18.141.93.110 | ec2-18-141-93-110.ap-southeast-1.compute.amazonaws.com | - | Medium
|
||||
134 | 18.142.77.220 | ec2-18-142-77-220.ap-southeast-1.compute.amazonaws.com | - | Medium
|
||||
135 | 18.162.109.213 | ec2-18-162-109-213.ap-east-1.compute.amazonaws.com | - | Medium
|
||||
136 | 18.162.120.237 | ec2-18-162-120-237.ap-east-1.compute.amazonaws.com | - | Medium
|
||||
137 | 18.162.123.240 | ec2-18-162-123-240.ap-east-1.compute.amazonaws.com | - | Medium
|
||||
138 | 18.162.200.166 | ec2-18-162-200-166.ap-east-1.compute.amazonaws.com | - | Medium
|
||||
139 | 18.182.6.172 | ec2-18-182-6-172.ap-northeast-1.compute.amazonaws.com | - | Medium
|
||||
140 | 18.191.113.196 | ec2-18-191-113-196.us-east-2.compute.amazonaws.com | - | Medium
|
||||
141 | 18.202.242.7 | ec2-18-202-242-7.eu-west-1.compute.amazonaws.com | - | Medium
|
||||
142 | 18.204.247.146 | ec2-18-204-247-146.compute-1.amazonaws.com | - | Medium
|
||||
143 | 18.208.7.231 | ec2-18-208-7-231.compute-1.amazonaws.com | - | Medium
|
||||
144 | 18.212.26.134 | ec2-18-212-26-134.compute-1.amazonaws.com | - | Medium
|
||||
145 | 18.218.135.210 | ec2-18-218-135-210.us-east-2.compute.amazonaws.com | - | Medium
|
||||
146 | 18.219.191.219 | ec2-18-219-191-219.us-east-2.compute.amazonaws.com | - | Medium
|
||||
147 | 18.220.148.98 | ec2-18-220-148-98.us-east-2.compute.amazonaws.com | - | Medium
|
||||
148 | 18.222.214.151 | ec2-18-222-214-151.us-east-2.compute.amazonaws.com | - | Medium
|
||||
149 | 18.228.44.254 | ec2-18-228-44-254.sa-east-1.compute.amazonaws.com | - | Medium
|
||||
150 | 18.231.36.105 | ec2-18-231-36-105.sa-east-1.compute.amazonaws.com | - | Medium
|
||||
151 | 18.231.122.117 | ec2-18-231-122-117.sa-east-1.compute.amazonaws.com | - | Medium
|
||||
152 | 18.231.178.172 | ec2-18-231-178-172.sa-east-1.compute.amazonaws.com | - | Medium
|
||||
153 | 20.39.226.165 | - | - | High
|
||||
154 | 20.39.240.101 | - | - | High
|
||||
155 | 20.49.51.59 | - | - | High
|
||||
156 | 20.69.176.137 | - | - | High
|
||||
157 | 20.126.58.208 | - | - | High
|
||||
158 | 20.127.105.82 | - | - | High
|
||||
159 | 20.141.185.205 | - | - | High
|
||||
160 | 20.195.193.241 | - | - | High
|
||||
161 | 20.205.0.49 | - | - | High
|
||||
162 | 23.92.25.109 | 23-92-25-109.ip.linodeusercontent.com | - | High
|
||||
163 | 23.94.56.185 | 23-94-56-185-host.colocrossing.com | - | High
|
||||
164 | 23.100.81.44 | - | - | High
|
||||
165 | 23.148.146.118 | - | - | High
|
||||
166 | 23.148.146.122 | - | - | High
|
||||
167 | 23.234.197.173 | 173-197-234-23-dedicated.multacom.com | - | High
|
||||
168 | 23.234.209.234 | host-23-234-209-234-by.multacom.com | - | High
|
||||
169 | 23.237.228.74 | - | - | High
|
||||
170 | 23.237.228.90 | - | - | High
|
||||
171 | 23.254.217.214 | hwsrv-905596.hostwindsdns.com | - | High
|
||||
172 | 24.8.141.118 | c-24-8-141-118.hsd1.co.comcast.net | - | High
|
||||
173 | 24.65.42.248 | - | - | High
|
||||
174 | 24.152.38.22 | - | - | High
|
||||
175 | 24.152.38.152 | - | - | High
|
||||
176 | 24.158.63.182 | 024-158-063-182.biz.spectrum.com | - | High
|
||||
177 | 24.213.210.198 | rrcs-24-213-210-198.nys.biz.rr.com | - | High
|
||||
178 | 27.16.238.184 | - | - | High
|
||||
179 | 27.54.170.52 | - | - | High
|
||||
180 | 27.129.128.235 | - | - | High
|
||||
181 | 27.158.196.219 | 219.196.158.27.broad.zz.fj.dynamic.163data.com.cn | - | High
|
||||
182 | 27.191.107.92 | - | - | High
|
||||
183 | 31.15.241.181 | cpe-31-15-241-181.cable.telemach.net | - | High
|
||||
184 | 31.19.126.157 | ip1f137e9d.dynamic.kabel-deutschland.de | - | High
|
||||
185 | 31.19.237.46 | ip1f13ed2e.dynamic.kabel-deutschland.de | - | High
|
||||
186 | 31.19.237.170 | ip1f13edaa.dynamic.kabel-deutschland.de | - | High
|
||||
187 | 31.169.25.190 | - | - | High
|
||||
188 | 31.206.240.54 | - | - | High
|
||||
189 | 34.80.27.207 | 207.27.80.34.bc.googleusercontent.com | - | Medium
|
||||
190 | 34.80.39.155 | 155.39.80.34.bc.googleusercontent.com | - | Medium
|
||||
191 | 34.84.213.136 | 136.213.84.34.bc.googleusercontent.com | - | Medium
|
||||
192 | 34.92.90.235 | 235.90.92.34.bc.googleusercontent.com | - | Medium
|
||||
193 | 34.125.101.168 | 168.101.125.34.bc.googleusercontent.com | - | Medium
|
||||
194 | 34.130.214.198 | 198.214.130.34.bc.googleusercontent.com | - | Medium
|
||||
195 | 34.209.193.171 | ec2-34-209-193-171.us-west-2.compute.amazonaws.com | - | Medium
|
||||
196 | 34.218.227.40 | ec2-34-218-227-40.us-west-2.compute.amazonaws.com | - | Medium
|
||||
197 | 34.220.197.12 | ec2-34-220-197-12.us-west-2.compute.amazonaws.com | - | Medium
|
||||
198 | 34.228.43.200 | ec2-34-228-43-200.compute-1.amazonaws.com | - | Medium
|
||||
199 | 34.238.28.208 | ec2-34-238-28-208.compute-1.amazonaws.com | - | Medium
|
||||
200 | 34.239.121.245 | ec2-34-239-121-245.compute-1.amazonaws.com | - | Medium
|
||||
201 | 35.84.195.246 | ec2-35-84-195-246.us-west-2.compute.amazonaws.com | - | Medium
|
||||
202 | 35.154.250.210 | ec2-35-154-250-210.ap-south-1.compute.amazonaws.com | - | Medium
|
||||
203 | 35.176.154.160 | ec2-35-176-154-160.eu-west-2.compute.amazonaws.com | - | Medium
|
||||
204 | 35.178.109.174 | ec2-35-178-109-174.eu-west-2.compute.amazonaws.com | - | Medium
|
||||
205 | 35.181.9.94 | ec2-35-181-9-94.eu-west-3.compute.amazonaws.com | - | Medium
|
||||
206 | 35.182.238.155 | ec2-35-182-238-155.ca-central-1.compute.amazonaws.com | - | Medium
|
||||
207 | 35.183.109.60 | ec2-35-183-109-60.ca-central-1.compute.amazonaws.com | - | Medium
|
||||
208 | 35.192.122.245 | 245.122.192.35.bc.googleusercontent.com | - | Medium
|
||||
209 | 35.194.155.97 | 97.155.194.35.bc.googleusercontent.com | - | Medium
|
||||
210 | 35.229.239.179 | 179.239.229.35.bc.googleusercontent.com | - | Medium
|
||||
211 | 36.22.249.39 | - | - | High
|
||||
212 | 36.92.125.163 | - | - | High
|
||||
213 | 36.137.217.5 | - | - | High
|
||||
214 | 37.25.54.162 | - | - | High
|
||||
215 | 37.44.244.231 | - | - | High
|
||||
216 | 37.97.206.223 | 37-97-206-223.colo.transip.net | - | High
|
||||
217 | 37.156.28.213 | 213.mobinnet.net | - | High
|
||||
218 | 37.182.153.172 | - | - | High
|
||||
219 | 37.186.217.20 | 37-186-217-20.ip270.fastwebnet.it | - | High
|
||||
220 | 37.187.148.130 | ns345129.ip-37-187-148.eu | - | High
|
||||
221 | 37.230.137.180 | ds1-client.elegacy.ru | - | High
|
||||
222 | 39.86.114.252 | - | - | High
|
||||
223 | 39.105.123.135 | - | - | High
|
||||
224 | 39.106.111.11 | - | - | High
|
||||
225 | 40.77.57.4 | - | - | High
|
||||
226 | 41.193.68.46 | mail.udwc.co.za | - | High
|
||||
227 | 41.226.18.128 | - | - | High
|
||||
228 | 41.231.127.5 | - | - | High
|
||||
229 | 42.192.82.25 | - | - | High
|
||||
230 | 42.192.141.133 | - | - | High
|
||||
231 | 42.192.155.41 | - | - | High
|
||||
232 | 42.192.157.181 | - | - | High
|
||||
233 | 42.193.55.4 | - | - | High
|
||||
234 | 42.193.252.69 | - | - | High
|
||||
235 | 42.194.187.28 | - | - | High
|
||||
236 | 43.129.181.67 | - | - | High
|
||||
237 | 43.129.253.181 | - | - | High
|
||||
238 | 43.132.208.88 | - | - | High
|
||||
239 | 43.136.128.67 | - | - | High
|
||||
240 | 43.154.20.234 | - | - | High
|
||||
241 | 43.242.247.139 | - | - | High
|
||||
242 | 43.249.206.97 | - | - | High
|
||||
243 | 44.201.98.58 | ec2-44-201-98-58.compute-1.amazonaws.com | - | Medium
|
||||
244 | 45.6.96.34 | - | - | High
|
||||
245 | 45.22.199.195 | 45-22-199-195.lightspeed.sndgca.sbcglobal.net | - | High
|
||||
246 | 45.32.122.40 | 45.32.122.40.vultr.com | - | Medium
|
||||
247 | 45.32.128.117 | 45.32.128.117.vultr.com | - | Medium
|
||||
248 | 45.84.196.108 | - | - | High
|
||||
249 | 45.87.207.8 | - | - | High
|
||||
250 | 45.119.86.214 | - | - | High
|
||||
251 | 45.131.1.72 | ip.serverscity.net | - | High
|
||||
252 | 45.137.181.238 | - | - | High
|
||||
253 | 45.138.157.66 | vm326778.pq.hosting | - | High
|
||||
254 | 45.140.164.177 | - | - | High
|
||||
255 | 45.142.122.107 | merry-coach.aeza.network | - | High
|
||||
256 | 45.142.122.169 | dirty-magic.aeza.network | - | High
|
||||
257 | 45.143.136.213 | andreybaksalyar.example.com | - | High
|
||||
258 | 45.153.229.238 | vm346100.pq.hosting | - | High
|
||||
259 | 45.154.215.172 | - | - | High
|
||||
260 | 45.182.118.100 | - | - | High
|
||||
261 | 45.222.204.98 | - | - | High
|
||||
262 | 45.229.34.30 | - | - | High
|
||||
263 | 45.231.132.133 | generated-loan.cursorspec.com | - | High
|
||||
264 | 45.238.23.157 | - | - | High
|
||||
265 | 45.249.92.58 | - | - | High
|
||||
266 | 46.3.142.226 | - | - | High
|
||||
267 | 46.3.197.32 | - | - | High
|
||||
268 | 46.3.199.4 | - | - | High
|
||||
269 | 46.3.199.5 | - | - | High
|
||||
270 | 46.37.77.214 | 214.red.77.37.46.procono.es | - | High
|
||||
271 | 46.80.25.30 | p2e50191e.dip0.t-ipconnect.de | - | High
|
||||
272 | 46.97.44.18 | - | - | High
|
||||
273 | 46.101.2.179 | - | - | High
|
||||
274 | 46.101.18.240 | - | - | High
|
||||
275 | 46.109.34.247 | - | - | High
|
||||
276 | 46.148.227.125 | cd16.micsotmaster.art | - | High
|
||||
277 | 46.210.111.163 | - | - | High
|
||||
278 | 46.217.167.96 | - | - | High
|
||||
279 | 46.219.116.22 | - | - | High
|
||||
280 | 46.223.163.220 | ip-046-223-163-220.um13.pools.vodafone-ip.de | - | High
|
||||
281 | 47.16.155.222 | ool-2f109bde.dyn.optonline.net | - | High
|
||||
282 | 47.19.20.130 | - | - | High
|
||||
283 | 47.37.138.79 | 047-037-138-079.res.spectrum.com | - | High
|
||||
284 | 47.74.65.36 | - | - | High
|
||||
285 | 47.88.244.157 | - | - | High
|
||||
286 | 47.91.87.67 | - | - | High
|
||||
287 | 47.100.108.185 | - | - | High
|
||||
288 | 47.100.139.58 | - | - | High
|
||||
289 | 47.106.180.166 | - | - | High
|
||||
290 | 47.240.81.242 | - | - | High
|
||||
291 | 47.243.181.71 | - | - | High
|
||||
292 | 47.243.181.238 | - | - | High
|
||||
293 | 47.245.14.45 | - | - | High
|
||||
294 | 49.7.132.22 | - | - | High
|
||||
295 | 49.50.106.73 | - | - | High
296 | 49.69.36.214 | - | - | High
297 | 49.204.124.253 | broadband.actcorp.in | - | High
298 | 49.232.80.64 | - | - | High
299 | 49.232.104.199 | - | - | High
300 | 49.232.122.130 | - | - | High
301 | ... | ... | ... | ...
There are 1200 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by FritzFrog. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-250, CWE-264, CWE-266, CWE-274, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
There are 9 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by FritzFrog. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `.well-known` | Medium
2 | File | `/administration/settings_registration.php` | High
3 | File | `/bin/false` | Medium
4 | File | `/cgi-bin/` | Medium
5 | File | `/coreframe/app/order/admin/index.php` | High
6 | File | `/if.cgi` | Low
7 | File | `/info.asp` | Medium
8 | File | `/messages/messages_listing.asp` | High
9 | File | `/moddable/xs/sources/xsDebug.c` | High
10 | File | `/Monitoring-History.php` | High
11 | File | `/Nodes-Traffic.php` | High
12 | File | `/PluXml/core/admin/parametres_edittpl.php` | High
13 | File | `/public/admin.php` | High
14 | File | `/public/login.htm` | High
15 | File | `/tools/network-trace` | High
16 | File | `/trigger` | Medium
17 | File | `/uncpath/` | Medium
18 | File | `/usr/sbin/DM` | Medium
19 | File | `/var/WEB-GUI/cgi-bin/telnet.cgi` | High
20 | File | `/web/entry/en/address/adrsSetUserWizard.cgi` | High
21 | File | `/weibo/comment` | High
22 | File | `/ws.php` | Low
23 | File | `/_up` | Low
24 | File | `AccountManager.java` | High
25 | File | `action=main:search:simpleSearch` | High
26 | File | `add_cars.php` | Medium
27 | File | `add_headers.php` | High
28 | File | `add_ons.php` | Medium
29 | File | `admin.cgi?action=config_save` | High
30 | File | `admin.php` | Medium
31 | File | `admin.php?action=files` | High
32 | File | `admin/admin/dump/` | High
33 | File | `admin/backupstart.php` | High
34 | File | `admin/list_user` | High
35 | File | `admin/themes` | Medium
36 | File | `admin/view:modules/load_module:users#edit-user=1` | High
37 | ... | ... | ...
There are 316 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://github.com/guardicore/labs_campaigns/tree/master/FritzFrog
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
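Review bot: The Weakness column in the TTP rows pairs ATT&CK ids with CWEs that describe something else: T1059.007 is Command and Scripting Interpreter: JavaScript, not Cross Site Scripting (CWE-79/CWE-80); T1068 is Exploitation for Privilege Escalation, not the CWE-250 design flaw it is mapped to; and CWE-798 (hard-coded credentials) is not a brute-force weakness for T1110.001. Keep the CWE name in Description if that is what the column holds, but add the actual ATT&CK technique name so readers do not take `1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High` as an ATT&CK mapping. The Hostname column also needs a caveat: row 257 lists `andreybaksalyar.example.com` for 45.143.136.213, and example.com is an IANA-reserved domain, so this is an operator-set PTR record rather than a forward-confirmed name and should not sit at High confidence without saying so.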
@ -0,0 +1,79 @@
# GRU - Cyber Threat Intelligence
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [GRU](https://vuldb.com/?actor.gru). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.gru](https://vuldb.com/?actor.gru)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with GRU:
* US
* RO
* FR
* ...
There are 11 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of GRU.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 77.83.247.81 | - | - | High
2 | 93.115.28.161 | - | - | High
3 | 95.141.36.180 | seflow9.neopoly.de | - | High
4 | ... | ... | ... | ...
There are 7 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by GRU. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1211 | CWE-254 | 7PK Security Features | High
4 | ... | ... | ... | ...
There are 3 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by GRU. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `.htaccess` | Medium
2 | File | `/loginLess/../../etc/passwd` | High
3 | File | `/see_more_details.php` | High
4 | File | `/system/proxy` | High
5 | File | `/uncpath/` | Medium
6 | File | `accountancy/customer/card.php` | High
7 | File | `addentry.php` | Medium
8 | File | `add_comment.php` | High
9 | File | `admin.php` | Medium
10 | File | `admin/create-package.php` | High
11 | ... | ... | ...
There are 84 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
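Review bot: The only reference on this new page is the NSA advisory on the GRU global brute-force campaign (the CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN PDF), yet none of the three visible TTP rows is a brute-force technique: T1059.007 is JavaScript execution, T1068 is privilege escalation, and T1211 is defense evasion, the last paired with CWE-254, a 7PK category rather than a concrete weakness. If T1110 is among the three hidden rows it should be shown first so the table matches the cited source; otherwise the High confidence on these rows is hard to justify from a single reference. The three IOC rows also omit the `https://vuldb.com/?ip.` links that the Gafgyt and Gamaredon tables in this same commit add.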
@ -1,53 +1,53 @@
# Gafgyt - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Gafgyt](https://vuldb.com/?actor.gafgyt). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Gafgyt](https://vuldb.com/?actor.gafgyt). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.gafgyt](https://vuldb.com/?actor.gafgyt)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.gafgyt](https://vuldb.com/?actor.gafgyt)
## Campaigns
The following campaigns are known and can be associated with Gafgyt:
The following _campaigns_ are known and can be associated with Gafgyt:
* CVE-2014-8361 / CVE-2017-17215 / CVE-2017-18368
* CVE-2017-5638 / CVE-2018-9866
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Gafgyt:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Gafgyt:
* SC
* LI
* US
* [SC](https://vuldb.com/?country.sc)
* [LI](https://vuldb.com/?country.li)
* [US](https://vuldb.com/?country.us)
* ...
There are 2 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Gafgyt.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Gafgyt.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 185.10.68.127 | 127.68.10.185.ro.ovo.sc | High
2 | 185.10.68.213 | 213.68.10.185.ro.ovo.sc | High
3 | 185.172.110.224 | - | High
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [185.10.68.127](https://vuldb.com/?ip.185.10.68.127) | 127.68.10.185.ro.ovo.sc | CVE-2017-5638 / CVE-2018-9866 | High
2 | [185.10.68.213](https://vuldb.com/?ip.185.10.68.213) | 213.68.10.185.ro.ovo.sc | CVE-2017-5638 / CVE-2018-9866 | High
3 | [185.172.110.224](https://vuldb.com/?ip.185.172.110.224) | - | CVE-2014-8361 / CVE-2017-17215 / CVE-2017-18368 | High
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Gafgyt. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Gafgyt. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1222 | Permission Issues | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1222 | CWE-275 | Permission Issues | High
4 | ... | ... | ... | ...
There are 5 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Gafgyt. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Gafgyt. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
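Review bot: The new Campaign column assigns each IP to a specific CVE campaign (rows 1 and 2 to `CVE-2017-5638 / CVE-2018-9866`, row 3 to `CVE-2014-8361 / CVE-2017-17215 / CVE-2017-18368`) without a source for the per-IP attribution; the two Unit 42 posts in References describe the campaigns but not which address served which exploit, and the commit message is just "Update". Add the source or lower the confidence on rows where the link is inferred. The new Weakness column also pairs T1068 with CWE-264 and T1222 with CWE-275, both CWE categories rather than weaknesses (CWE-264 is a deprecated one); the FritzFrog page in this same commit uses CWE-250 alongside CWE-284 for T1068, which is the more specific choice.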
@ -59,18 +59,18 @@ ID | Type | Indicator | Confidence
6 | File | `AjaxFileUploadHandler.axd` | High
7 | ... | ... | ...
There are 49 more IOA items available. Please use our online service to access the data.
There are 49 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://unit42.paloaltonetworks.com/home-small-office-wireless-routers-exploited-to-attack-gaming-servers/
* https://unit42.paloaltonetworks.com/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
@ -1,68 +1,102 @@
# Gamaredon - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Gamaredon](https://vuldb.com/?actor.gamaredon). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Gamaredon](https://vuldb.com/?actor.gamaredon). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.gamaredon](https://vuldb.com/?actor.gamaredon)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.gamaredon](https://vuldb.com/?actor.gamaredon)
## Campaigns
The following _campaigns_ are known and can be associated with Gamaredon:
* Ukraine
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Gamaredon:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Gamaredon:
* RU
* CN
* LY
* ...
There are 2 more country items available. Please use our online service to access the data.
* [RU](https://vuldb.com/?country.ru)
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Gamaredon.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Gamaredon.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 2.59.41.5 | vds-sizaus.timeweb.ru | High
2 | 141.8.195.60 | ullir.from.sh | High
3 | 142.93.110.250 | - | High
4 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [2.59.41.5](https://vuldb.com/?ip.2.59.41.5) | vds-sizaus.timeweb.ru | - | High
2 | [5.63.152.233](https://vuldb.com/?ip.5.63.152.233) | 5-63-152-233.cloudvps.regruhosting.ru | - | High
3 | [5.63.154.19](https://vuldb.com/?ip.5.63.154.19) | 5-63-154-19.cloudvps.regruhosting.ru | - | High
4 | [5.63.154.128](https://vuldb.com/?ip.5.63.154.128) | 5-63-154-128.cloudvps.regruhosting.ru | - | High
5 | [5.63.158.179](https://vuldb.com/?ip.5.63.158.179) | 5-63-158-179.cloudvps.regruhosting.ru | - | High
6 | [5.63.158.233](https://vuldb.com/?ip.5.63.158.233) | 5-63-158-233.cloudvps.regruhosting.ru | - | High
7 | [5.63.158.238](https://vuldb.com/?ip.5.63.158.238) | 5-63-158-238.cloudvps.regruhosting.ru | - | High
8 | [31.31.203.17](https://vuldb.com/?ip.31.31.203.17) | 31-31-203-17.cloudvps.regruhosting.ru | - | High
9 | [31.31.203.71](https://vuldb.com/?ip.31.31.203.71) | 31-31-203-71.cloudvps.regruhosting.ru | - | High
10 | [31.31.203.219](https://vuldb.com/?ip.31.31.203.219) | 31-31-203-219.cloudvps.regruhosting.ru | - | High
11 | [31.40.251.145](https://vuldb.com/?ip.31.40.251.145) | - | - | High
12 | [31.40.251.171](https://vuldb.com/?ip.31.40.251.171) | - | - | High
13 | [37.77.105.102](https://vuldb.com/?ip.37.77.105.102) | 701115-cm83897.tmweb.ru | Ukraine | High
14 | [37.140.195.137](https://vuldb.com/?ip.37.140.195.137) | 37-140-195-137.cloudvps.regruhosting.ru | - | High
15 | [37.140.197.55](https://vuldb.com/?ip.37.140.197.55) | 37-140-197-55.cloudvps.regruhosting.ru | - | High
16 | [37.140.197.206](https://vuldb.com/?ip.37.140.197.206) | 37-140-197-206.cloudvps.regruhosting.ru | - | High
17 | [37.140.199.20](https://vuldb.com/?ip.37.140.199.20) | 37-140-199-20.cloudvps.regruhosting.ru | - | High
18 | [37.140.199.224](https://vuldb.com/?ip.37.140.199.224) | nedvizhimostdoma.ru | - | High
19 | [45.32.149.8](https://vuldb.com/?ip.45.32.149.8) | 45.32.149.8.vultr.com | - | Medium
20 | [45.134.255.131](https://vuldb.com/?ip.45.134.255.131) | - | - | High
21 | [70.34.194.31](https://vuldb.com/?ip.70.34.194.31) | 70.34.194.31.vultr.com | - | Medium
22 | [70.34.194.123](https://vuldb.com/?ip.70.34.194.123) | 70.34.194.123.vultr.com | - | Medium
23 | [70.34.195.75](https://vuldb.com/?ip.70.34.195.75) | 70.34.195.75.vultr.com | - | Medium
24 | [70.34.197.185](https://vuldb.com/?ip.70.34.197.185) | 70.34.197.185.vultr.com | - | Medium
25 | [70.34.198.226](https://vuldb.com/?ip.70.34.198.226) | 70.34.198.226.vultr.com | - | Medium
26 | [70.34.199.214](https://vuldb.com/?ip.70.34.199.214) | 70.34.199.214.vultr.com | - | Medium
27 | [70.34.202.55](https://vuldb.com/?ip.70.34.202.55) | 70.34.202.55.vultr.com | - | Medium
28 | [70.34.204.74](https://vuldb.com/?ip.70.34.204.74) | 70.34.204.74.vultr.com | - | Medium
29 | [70.34.204.141](https://vuldb.com/?ip.70.34.204.141) | 70.34.204.141.vultr.com | - | Medium
30 | [70.34.208.32](https://vuldb.com/?ip.70.34.208.32) | 70.34.208.32.vultr.com | - | Medium
31 | [78.40.219.12](https://vuldb.com/?ip.78.40.219.12) | 628153-cn06191.tmweb.ru | Ukraine | High
32 | [80.78.240.210](https://vuldb.com/?ip.80.78.240.210) | 80-78-240-210.cloudvps.regruhosting.ru | - | High
33 | [80.78.241.88](https://vuldb.com/?ip.80.78.241.88) | 80-78-241-88.cloudvps.regruhosting.ru | - | High
34 | [80.78.241.253](https://vuldb.com/?ip.80.78.241.253) | 80-78-241-253.cloudvps.regruhosting.ru | - | High
35 | [80.78.244.124](https://vuldb.com/?ip.80.78.244.124) | 80-78-244-124.cloudvps.regruhosting.ru | - | High
36 | [80.78.244.199](https://vuldb.com/?ip.80.78.244.199) | 80-78-244-199.cloudvps.regruhosting.ru | - | High
37 | [80.78.245.89](https://vuldb.com/?ip.80.78.245.89) | mail-open-3.nascom.nasa.gov | - | High
38 | [80.78.245.223](https://vuldb.com/?ip.80.78.245.223) | 80-78-245-223.cloudvps.regruhosting.ru | - | High
39 | [80.78.245.254](https://vuldb.com/?ip.80.78.245.254) | scraper.betty.network | - | High
40 | [80.78.248.22](https://vuldb.com/?ip.80.78.248.22) | - | - | High
41 | [80.78.248.167](https://vuldb.com/?ip.80.78.248.167) | hadassah.moscow | - | High
42 | [80.78.248.222](https://vuldb.com/?ip.80.78.248.222) | 80-78-248-222.cloudvps.regruhosting.ru | - | High
43 | [80.78.251.4](https://vuldb.com/?ip.80.78.251.4) | 80-78-251-4.cloudvps.regruhosting.ru | - | High
44 | [80.78.251.191](https://vuldb.com/?ip.80.78.251.191) | 80-78-251-191.cloudvps.regruhosting.ru | - | High
45 | [80.78.251.231](https://vuldb.com/?ip.80.78.251.231) | 80-78-251-231.cloudvps.regruhosting.ru | - | High
46 | [80.78.253.26](https://vuldb.com/?ip.80.78.253.26) | 80-78-253-26.cloudvps.regruhosting.ru | - | High
47 | [80.78.253.86](https://vuldb.com/?ip.80.78.253.86) | 80-78-253-86.cloudvps.regruhosting.ru | - | High
48 | [80.78.253.196](https://vuldb.com/?ip.80.78.253.196) | 80-78-253-196.cloudvps.regruhosting.ru | - | High
49 | [80.78.254.238](https://vuldb.com/?ip.80.78.254.238) | 80-78-254-238.cloudvps.regruhosting.ru | - | High
50 | ... | ... | ... | ...
There are 5 more IOC items available. Please use our online service to access the data.
There are 198 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Gamaredon. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Gamaredon. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1499 | Resource Consumption | High
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Gamaredon. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/manager?action=getlogcat` | High
2 | File | `/var/log/nginx` | High
3 | File | `index.php` | Medium
4 | ... | ... | ...
There are 7 more IOA items available. Please use our online service to access the data.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/
* https://github.com/blackorbird/APT_REPORT/blob/master/Gamaredon/Gamaredon202102_ioc1000%2B.csv
* https://github.com/SentineLabs/Gamaredon-APT/blob/master/2020-02-04-gamaredon-blog-iocs-vk.misp.csv
* https://pastebin.com/Vhb4KF5L
* https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine
* https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
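Review bot: Profile data is retracted here without explanation: the whole IOA section (`/manager?action=getlogcat`, `/var/log/nginx`, `index.php` and the 7 hidden items) is removed, the TTP table drops from three techniques (T1059.007, T1068, T1499) to one, and the country list loses CN, LY and its two hidden entries, while the IOC table grows from 8 to 247 entries. A commit titled "Update" should say why data was dropped, or keep it with lowered confidence. Row 37 also needs attention: 80.78.245.89 sits between rows 36 and 38, both of which resolve into regruhosting.ru's cloudvps range, yet its hostname is `mail-open-3.nascom.nasa.gov`; that is an unverified PTR record and should be forward-confirmed or flagged before being listed at High confidence.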
@ -1,12 +1,12 @@
# Gamarue - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Gamarue](https://vuldb.com/?actor.gamarue). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Gamarue](https://vuldb.com/?actor.gamarue). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.gamarue](https://vuldb.com/?actor.gamarue)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.gamarue](https://vuldb.com/?actor.gamarue)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Gamarue:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Gamarue:
* US
* RU
@ -17,39 +17,39 @@ There are 9 more country items available. Please use our online service to acces
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Gamarue.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Gamarue.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 5.154.191.57 | - | High
2 | 37.187.0.40 | ns3108067.ip-37-187-0.eu | High
3 | 45.8.124.25 | ouyr.secvolax.store | High
4 | 45.128.204.36 | - | High
5 | 45.128.207.237 | - | High
6 | 46.45.169.106 | 46-45-169-106.turkrdns.com | High
7 | 46.254.21.69 | h13.ihc.ru | High
8 | 50.116.23.211 | www.eqnic.net | High
9 | 51.195.53.221 | ip221.ip-51-195-53.eu | High
10 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 5.154.191.57 | - | - | High
2 | 37.187.0.40 | ns3108067.ip-37-187-0.eu | - | High
3 | 45.8.124.25 | free.gbnhost.com | - | High
4 | 45.128.204.36 | - | - | High
5 | 45.128.207.237 | - | - | High
6 | 46.45.169.106 | 46-45-169-106.turkrdns.com | - | High
7 | 46.254.21.69 | h13.ihc.ru | - | High
8 | 50.116.23.211 | www.eqnic.net | - | High
9 | 51.195.53.221 | ip221.ip-51-195-53.eu | - | High
10 | ... | ... | ... | ...
There are 35 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Gamarue. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Gamarue. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
There are 8 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Gamarue. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Gamarue. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
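Review bot: Row 3 silently changes the hostname for 45.8.124.25 from `ouyr.secvolax.store` to `free.gbnhost.com`, while every other row only gains the new Campaign column. A PTR change like this usually means the address was reassigned, so keep the old name as a historical indicator or record when it changed rather than overwriting it. The IPs in this table also stay unlinked, whereas the Gafgyt and Gamaredon tables in the same commit wrap each IP in a `https://vuldb.com/?ip.` link.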
@ -92,11 +92,11 @@ ID | Type | Indicator | Confidence
37 | File | `arch/powerpc/kernel/idle_book3s.S` | High
38 | ... | ... | ...
There are 326 more IOA items available. Please use our online service to access the data.
There are 326 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html
|
||||
* https://blog.talosintelligence.com/2021/04/threat-roundup-0326-0402.html
|
||||
|
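Review bot: `37 | File | `arch/powerpc/kernel/idle_book3s.S` | High` is a Linux kernel source-tree path, i.e. the location of a fixed vulnerability, not an artifact an attack leaves behind; listing it as a High-confidence indicator of attack next to request paths mixes two different kinds of data. Consider a separate type for source-file locations, or say in the IOA intro sentence that File entries include vulnerable-source paths, so nobody turns these into file-path detection rules.
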
@ -105,7 +105,7 @@ The following list contains external sources which discuss the actor and the ass

## Literature

The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)


@ -1,97 +1,96 @@

# Gandcrab - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Gandcrab](https://vuldb.com/?actor.gandcrab). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Gandcrab](https://vuldb.com/?actor.gandcrab). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.gandcrab](https://vuldb.com/?actor.gandcrab)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.gandcrab](https://vuldb.com/?actor.gandcrab)

## Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Gandcrab:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Gandcrab:

* US
* ES
* FR
* ...

There are 5 more country items available. Please use our online service to access the data.
There are 7 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Gandcrab.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Gandcrab.

ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 3.64.163.50 | ec2-3-64-163-50.eu-central-1.compute.amazonaws.com | Medium
2 | 5.39.221.60 | - | High
3 | 5.135.183.146 | freya.stelas.de | High
4 | 13.76.158.123 | - | High
5 | 20.50.64.11 | - | High
6 | 34.102.136.180 | 180.136.102.34.bc.googleusercontent.com | Medium
7 | 35.205.61.67 | 67.61.205.35.bc.googleusercontent.com | Medium
8 | 39.107.34.197 | - | High
9 | 45.118.145.96 | - | High
10 | 51.254.25.115 | ip115.ip-51-254-25.eu | High
11 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 3.64.163.50 | ec2-3-64-163-50.eu-central-1.compute.amazonaws.com | - | Medium
2 | 5.39.221.60 | - | - | High
3 | 5.135.183.146 | freya.stelas.de | - | High
4 | 13.76.158.123 | - | - | High
5 | 20.50.64.11 | - | - | High
6 | 34.102.136.180 | 180.136.102.34.bc.googleusercontent.com | - | Medium
7 | 35.205.61.67 | 67.61.205.35.bc.googleusercontent.com | - | Medium
8 | 39.107.34.197 | - | - | High
9 | 45.118.145.96 | - | - | High
10 | 51.254.25.115 | ip115.ip-51-254-25.eu | - | High
11 | ... | ... | ... | ...

There are 40 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Gandcrab. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Gandcrab. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1040 | Authentication Bypass by Capture-replay | High
2 | T1059.007 | Cross Site Scripting | High
3 | T1068 | Execution with Unnecessary Privileges | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
2 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
3 | T1068 | CWE-250, CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
4 | ... | ... | ... | ...

There are 11 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Gandcrab. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Gandcrab. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `%PROGRAMDATA%\checkmk\agent\local` | High
2 | File | `/admin/comment.php` | High
3 | File | `/agenttrayicon` | High
4 | File | `/api/version` | Medium
5 | File | `/app1/admin#foo` | High
6 | File | `/appsuite` | Medium
7 | File | `/article/add` | Medium
8 | File | `/Controller/ChinaCityController.class.php` | High
9 | File | `/coreframe/app/guestbook/myissue.php` | High
10 | File | `/hub/api/user` | High
11 | File | `/ics?tool=search` | High
12 | File | `/info.xml` | Medium
13 | File | `/it-IT/splunkd/__raw/services/get_snapshot` | High
14 | File | `/knowage/restful-services/documentnotes/saveNote` | High
15 | File | `/netact/sct` | Medium
16 | File | `/nova/bin/bfd` | High
17 | File | `/php/passport/index.php` | High
18 | File | `/run/courier/authdaemon` | High
19 | File | `/run/spice-vdagentd/spice-vdagent-sock` | High
20 | File | `/service/v1/createUser` | High
21 | File | `/settings/profile` | High
22 | File | `/status.js` | Medium
23 | File | `/suggest` | Medium
24 | File | `/thruk/#cgi-bin/status.cgi?style=combined` | High
25 | File | `/usr/local/bin/mjs` | High
26 | File | `Access/DownloadFeed_Mnt/FileUpload_Upd.cfm` | High
27 | File | `action.setdefaulttemplate.php` | High
28 | File | `ActiveServices.java` | High
29 | File | `Addons/file/mod.file.php` | High
30 | File | `admin.php` | Medium
31 | File | `admin/dashboard.php` | High
32 | ... | ... | ...
3 | File | `/api/version` | Medium
4 | File | `/app1/admin#foo` | High
5 | File | `/appsuite` | Medium
6 | File | `/article/add` | Medium
7 | File | `/Controller/ChinaCityController.class.php` | High
8 | File | `/coreframe/app/guestbook/myissue.php` | High
9 | File | `/hub/api/user` | High
10 | File | `/ics?tool=search` | High
11 | File | `/info.xml` | Medium
12 | File | `/it-IT/splunkd/__raw/services/get_snapshot` | High
13 | File | `/knowage/restful-services/documentnotes/saveNote` | High
14 | File | `/netact/sct` | Medium
15 | File | `/nova/bin/bfd` | High
16 | File | `/php/passport/index.php` | High
17 | File | `/run/courier/authdaemon` | High
18 | File | `/run/spice-vdagentd/spice-vdagent-sock` | High
19 | File | `/service/v1/createUser` | High
20 | File | `/settings/profile` | High
21 | File | `/status.js` | Medium
22 | File | `/thruk/#cgi-bin/status.cgi?style=combined` | High
23 | File | `/usr/local/bin/mjs` | High
24 | File | `Access/DownloadFeed_Mnt/FileUpload_Upd.cfm` | High
25 | File | `action.setdefaulttemplate.php` | High
26 | File | `ActiveServices.java` | High
27 | File | `Addons/file/mod.file.php` | High
28 | File | `admin/dashboard.php` | High
29 | File | `admin/edit.php` | High
30 | File | `admin/pages/delete/` | High
31 | ... | ... | ...

There are 272 more IOA items available. Please use our online service to access the data.
There are 262 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:

* https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
* https://blog.talosintelligence.com/2021/10/threat-roundup-1001-1008.html

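Review bot: the new Campaign column of the IOC table is `-` in every visible row (`1 | 3.64.163.50 | ec2-3-64-163-50.eu-central-1.compute.amazonaws.com | - | Medium` through `10 | 51.254.25.115 | ip115.ip-51-254-25.eu | - | High`) and this file has no Campaigns section the values could refer to; state in the IOC intro sentence what `-` means (no campaign attributed versus not yet processed), or leave the column out of files where nothing is attributed, so consumers parsing the table do not treat the placeholder as data.
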
@ -101,7 +100,7 @@ The following list contains external sources which discuss the actor and the ass

## Literature

The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)


@ -1,12 +1,12 @@

# Gh0stRAT - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Gh0stRAT](https://vuldb.com/?actor.gh0strat). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Gh0stRAT](https://vuldb.com/?actor.gh0strat). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.gh0strat](https://vuldb.com/?actor.gh0strat)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.gh0strat](https://vuldb.com/?actor.gh0strat)

## Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Gh0stRAT:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Gh0stRAT:

* US
* VN

@ -17,52 +17,53 @@ There are 16 more country items available. Please use our online service to acce


## IOC - Indicator of Compromise

These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Gh0stRAT.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Gh0stRAT.

ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 13.249.38.69 | server-13-249-38-69.iad89.r.cloudfront.net | High
2 | 20.42.65.92 | - | High
3 | 20.189.173.22 | - | High
4 | 36.43.74.215 | - | High
5 | 36.46.114.54 | - | High
6 | 39.109.1.246 | - | High
7 | 42.51.192.3 | - | High
8 | 43.226.152.12 | - | High
9 | 43.226.159.201 | - | High
10 | 45.119.125.223 | - | High
11 | 45.195.203.97 | - | High
12 | 45.253.67.78 | - | High
13 | 47.93.52.188 | - | High
14 | 47.93.245.163 | - | High
15 | 47.95.233.18 | - | High
16 | 47.111.82.157 | - | High
17 | 47.112.30.91 | - | High
18 | 52.168.117.173 | - | High
19 | 52.182.143.212 | - | High
20 | 58.218.66.21 | - | High
21 | 58.218.67.245 | - | High
22 | 58.218.199.225 | - | High
23 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 13.249.38.69 | server-13-249-38-69.iad89.r.cloudfront.net | - | High
2 | 20.42.65.92 | - | - | High
3 | 20.189.173.22 | - | - | High
4 | 36.43.74.215 | - | - | High
5 | 36.46.114.54 | - | - | High
6 | 39.109.1.246 | - | - | High
7 | 42.51.192.3 | - | - | High
8 | 43.226.152.12 | - | - | High
9 | 43.226.159.201 | - | - | High
10 | 45.119.125.223 | - | - | High
11 | 45.195.203.97 | - | - | High
12 | 45.253.67.78 | - | - | High
13 | 47.93.52.188 | - | - | High
14 | 47.93.245.163 | - | - | High
15 | 47.95.233.18 | - | - | High
16 | 47.111.82.157 | - | - | High
17 | 47.112.30.91 | - | - | High
18 | 52.168.117.173 | - | - | High
19 | 52.182.143.212 | - | - | High
20 | 58.218.66.21 | - | - | High
21 | 58.218.67.245 | - | - | High
22 | 58.218.199.225 | - | - | High
23 | 58.221.47.41 | - | - | High
24 | ... | ... | ... | ...

There are 90 more IOC items available. Please use our online service to access the data.
There are 93 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Gh0stRAT. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Gh0stRAT. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-250, CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 8 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Gh0stRAT. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Gh0stRAT. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------

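Review bot: `2 | T1068 | CWE-250, CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High` maps T1068 to four CWEs here, while the Gamarue TTP table in this same commit maps the same technique to `CWE-264, CWE-284`; if the Weakness column is derived per actor from the vulnerabilities observed, the TTP intro sentence should say so, otherwise the technique-to-CWE mapping should be identical in every file.
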
@ -72,43 +73,43 @@ ID | Type | Indicator | Confidence

4 | File | `/admin.php?&m=Public&a=login` | High
5 | File | `/ajax/networking/get_netcfg.php` | High
6 | File | `/car.php` | Medium
7 | File | `/concat?/%2557EB-INF/web.xml` | High
8 | File | `/config/getuser` | High
9 | File | `/dashboards/#` | High
10 | File | `/data/remove` | Medium
11 | File | `/etc/controller-agent/agent.conf` | High
12 | File | `/etc/postfix/sender_login` | High
13 | File | `/etc/sudoers` | Medium
14 | File | `/etc/tomcat8/Catalina/attack` | High
15 | File | `/filemanager/php/connector.php` | High
16 | File | `/forum/away.php` | High
17 | File | `/fudforum/adm/hlplist.php` | High
18 | File | `/GponForm/fsetup_Form` | High
19 | File | `/log_download.cgi` | High
20 | File | `/modules/profile/index.php` | High
21 | File | `/navigate/navigate_download.php` | High
22 | File | `/out.php` | Medium
23 | File | `/password.html` | High
24 | File | `/property-list/property_view.php` | High
25 | File | `/public/plugins/` | High
26 | File | `/rest/api/2/search` | High
27 | File | `/s/` | Low
28 | File | `/scripts/cpan_config` | High
29 | File | `/secure/QueryComponent!Default.jspa` | High
30 | File | `/server-info` | Medium
31 | File | `/tmp` | Low
32 | File | `/tmp/app/.env` | High
33 | File | `/tmp/kamailio_ctl` | High
34 | File | `/tmp/kamailio_fifo` | High
35 | File | `/ucms/index.php?do=list_edit` | High
36 | File | `/uncpath/` | Medium
7 | File | `/CMD_ACCOUNT_ADMIN` | High
8 | File | `/concat?/%2557EB-INF/web.xml` | High
9 | File | `/config/getuser` | High
10 | File | `/core/admin/categories.php` | High
11 | File | `/dashboards/#` | High
12 | File | `/data/remove` | Medium
13 | File | `/etc/controller-agent/agent.conf` | High
14 | File | `/etc/postfix/sender_login` | High
15 | File | `/etc/sudoers` | Medium
16 | File | `/etc/tomcat8/Catalina/attack` | High
17 | File | `/filemanager/php/connector.php` | High
18 | File | `/forum/away.php` | High
19 | File | `/fudforum/adm/hlplist.php` | High
20 | File | `/GponForm/fsetup_Form` | High
21 | File | `/log_download.cgi` | High
22 | File | `/modules/profile/index.php` | High
23 | File | `/navigate/navigate_download.php` | High
24 | File | `/out.php` | Medium
25 | File | `/password.html` | High
26 | File | `/property-list/property_view.php` | High
27 | File | `/public/plugins/` | High
28 | File | `/rest/api/2/search` | High
29 | File | `/s/` | Low
30 | File | `/scripts/cpan_config` | High
31 | File | `/secure/QueryComponent!Default.jspa` | High
32 | File | `/server-info` | Medium
33 | File | `/tmp` | Low
34 | File | `/tmp/app/.env` | High
35 | File | `/tmp/kamailio_ctl` | High
36 | File | `/tmp/kamailio_fifo` | High
37 | ... | ... | ...

There are 317 more IOA items available. Please use our online service to access the data.
There are 321 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:

* https://blog.talosintelligence.com/2021/01/threat-roundup-0122.html
* https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html

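Review bot: the ID column is sequential and regenerated on every update, so inserting `/CMD_ACCOUNT_ADMIN` and `/core/admin/categories.php` shifts every later row (`/concat?/%2557EB-INF/web.xml` moves from 7 to 8, `/tmp/kamailio_fifo` from 34 to 36) and about thirty unchanged indicators show up as changed lines in this hunk; a stable sort without a sequential ID, or IDs assigned once and kept, would limit the diff to the rows that actually changed and make additions and removals reviewable.
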
@ -125,10 +126,12 @@ The following list contains external sources which discuss the actor and the ass

* https://blog.talosintelligence.com/2022/01/threat-roundup-0107-0114.html
* https://blog.talosintelligence.com/2022/01/threat-roundup-0121-0128.html
* https://blog.talosintelligence.com/2022/01/threat-roundup-1231-0107.html
* https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
* https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html

## Literature

The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)


@ -1,92 +1,103 @@

# GreyEnergy - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [GreyEnergy](https://vuldb.com/?actor.greyenergy). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [GreyEnergy](https://vuldb.com/?actor.greyenergy). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.greyenergy](https://vuldb.com/?actor.greyenergy)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.greyenergy](https://vuldb.com/?actor.greyenergy)

## Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with GreyEnergy:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with GreyEnergy:

* US
* CN
* RO
* GB
* ...

There are 13 more country items available. Please use our online service to access the data.
There are 28 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of GreyEnergy.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of GreyEnergy.

ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 5.149.248.77 | - | High
2 | 31.148.220.112 | - | High
3 | 37.59.14.94 | ns3317178.ip-37-59-14.eu | High
4 | 46.249.49.231 | - | High
5 | 62.210.77.169 | 62-210-77-169.rev.poneytelecom.eu | High
6 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 5.149.248.77 | - | - | High
2 | 31.148.220.112 | - | - | High
3 | 37.59.14.94 | ns3317178.ip-37-59-14.eu | - | High
4 | 46.249.49.231 | - | - | High
5 | 62.210.77.169 | 62-210-77-169.rev.poneytelecom.eu | - | High
6 | ... | ... | ... | ...

There are 21 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by GreyEnergy. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by GreyEnergy. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 7 more TTP items available. Please use our online service to access the data.
There are 8 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by GreyEnergy. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by GreyEnergy. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/anony/mjpg.cgi` | High
2 | File | `/cgi-bin/admin/downloadMedias.cgi` | High
3 | File | `/cgi-bin/kerbynet` | High
4 | File | `/cvms-hub/privado/seccionesmib/secciones.xhtml` | High
5 | File | `/etc/ajenti/config.yml` | High
6 | File | `/ext/phar/phar_object.c` | High
7 | File | `/obihai-xml` | Medium
8 | File | `/reports/temp` | High
9 | File | `/rom-0` | Low
10 | File | `/settings/avatar` | High
11 | File | `/uncpath/` | Medium
12 | File | `/webman/info.cgi` | High
13 | File | `/~user_handler` | High
14 | File | `ad.php` | Low
15 | File | `addentry.php` | Medium
16 | File | `admin.php` | Medium
17 | File | `admin/about.php` | High
18 | File | `admin/scripts/FileUploader/php.php` | High
19 | File | `admin/stats_products_viewed.php` | High
20 | File | `ajax/render/widget_php` | High
21 | File | `app/admin/controller/themecontroller.php` | High
22 | File | `arch/arm/kernel/process.c` | High
23 | File | `asm/parser.c` | Medium
24 | File | `backend/Login/load/` | High
25 | File | `bl-kernel/ajax/upload-images.php` | High
26 | ... | ... | ...
1 | File | `/?module=users§ion=cpanel&page=list` | High
2 | File | `/admin/powerline` | High
3 | File | `/admin/syslog` | High
4 | File | `/api/upload` | Medium
5 | File | `/cgi-bin` | Medium
6 | File | `/cgi-bin/kerbynet` | High
7 | File | `/context/%2e/WEB-INF/web.xml` | High
8 | File | `/dcim/sites/add/` | High
9 | File | `/EXCU_SHELL` | Medium
10 | File | `/forum/away.php` | High
11 | File | `/fudforum/adm/hlplist.php` | High
12 | File | `/login` | Low
13 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
14 | File | `/monitoring` | Medium
15 | File | `/new` | Low
16 | File | `/proc/<pid>/status` | High
17 | File | `/public/plugins/` | High
18 | File | `/rom` | Low
19 | File | `/scripts/killpvhost` | High
20 | File | `/secure/QueryComponent!Default.jspa` | High
21 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
22 | File | `/tmp` | Low
23 | File | `/tmp/redis.ds` | High
24 | File | `/uncpath/` | Medium
25 | File | `/ViewUserHover.jspa` | High
26 | File | `/wp-admin` | Medium
27 | File | `/wp-json/wc/v3/webhooks` | High
28 | File | `actions/CompanyDetailsSave.php` | High
29 | File | `ActiveServices.java` | High
30 | File | `addlink.php` | Medium
31 | File | `addtocart.asp` | High
32 | File | `admin.php` | Medium
33 | File | `admin/?n=user&c=admin_user&a=doGetUserInfo` | High
34 | File | `admin/add-glossary.php` | High
35 | File | `admin/conf_users_edit.php` | High
36 | File | `admin/dashboard.php` | High
37 | ... | ... | ...

There are 214 more IOA items available. Please use our online service to access the data.
There are 320 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:

* https://github.com/eset/malware-ioc/tree/master/greyenergy

## Literature

The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)


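Review bot: `1 | File | `/?module=users§ion=cpanel&page=list` | High` in the new IOA table looks like `&section=cpanel` after an HTML entity decode turned `&sect` into `§`; the indicator should be stored as the literal request path (`/?module=users&section=cpanel&page=list`) or with the ampersands escaped, otherwise it will never match a real request. `16 | File | `/proc/<pid>/status` | High` likewise carries a placeholder (`<pid>`) that needs a pattern type rather than an exact File match.
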
@ -1,170 +1,170 @@

# Grizzly Steppe - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Grizzly Steppe](https://vuldb.com/?actor.grizzly_steppe). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Grizzly Steppe](https://vuldb.com/?actor.grizzly_steppe). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.grizzly_steppe](https://vuldb.com/?actor.grizzly_steppe)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.grizzly_steppe](https://vuldb.com/?actor.grizzly_steppe)

## Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Grizzly Steppe:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Grizzly Steppe:

* CN
* RU
* US
* CN
* GB
* ...

There are 18 more country items available. Please use our online service to access the data.
There are 19 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Grizzly Steppe.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Grizzly Steppe.

ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 1.112.1.1 | softbank001112001001.bbtec.net | High
2 | 1.212.1.1 | - | High
3 | 2.189.142.80 | - | High
4 | 4.0.6.2 | p8-0-0.nchicago2-core0.bbnplanet.net | High
5 | 5.1.82.130 | - | High
6 | 5.1.82.140 | - | High
7 | 5.2.64.10 | - | High
8 | 5.9.32.230 | static.230.32.9.5.clients.your-server.de | High
9 | 5.9.98.43 | static.43.98.9.5.clients.your-server.de | High
10 | 5.28.62.85 | clfc.default.thewinduppirate.uk0.bigv.io | High
11 | 5.34.150.2 | 5.34.150.2.static.user.wimaxonline.es | High
12 | 5.34.183.55 | vds-807745.hosted-by-itldc.com | High
13 | 5.40.21.27 | 5.40.21.27.static.user.ono.com | High
14 | 5.45.183.194 | - | High
15 | 5.56.133.19 | 5-56-133-19.static.karizanta.com | High
16 | 5.56.133.23 | 5-56-133-23.static.karizanta.com | High
17 | 5.56.133.125 | 5-56-133-125.static.karizanta.com | High
||||
18 | 5.77.47.142 | - | High
|
||||
19 | 5.133.8.152 | vendorcool.com | High
|
||||
20 | 5.133.8.162 | d8162.artnet.gda.pl | High
|
||||
21 | 5.133.179.243 | better-support4u.com | High
|
||||
22 | 5.134.1.250 | 5.134.1.250.hosted.by.stone-is.net | High
|
||||
23 | 5.135.65.145 | - | High
|
||||
24 | 5.135.65.146 | - | High
|
||||
25 | 5.135.186.35 | ns3291871.ip-5-135-186.eu | High
|
||||
26 | 5.135.199.28 | - | High
|
||||
27 | 5.149.249.172 | - | High
|
||||
28 | 5.149.254.114 | mail1.auditoriavanzada.info | High
|
||||
29 | 5.153.233.58 | - | High
|
||||
30 | 5.153.234.90 | - | High
|
||||
31 | 5.157.38.34 | - | High
|
||||
32 | 5.189.188.111 | vmd78384.contaboserver.net | High
|
||||
33 | 5.196.1.129 | vps-3d93b08b.vps.ovh.net | High
|
||||
34 | 5.196.58.96 | ip96.ip-5-196-58.eu | High
|
||||
35 | 5.199.171.58 | - | High
|
||||
36 | 5.199.172.147 | hst-172-147.cloudlix.com | High
|
||||
37 | 5.212.1.1 | - | High
|
||||
38 | 5.249.145.164 | host164-145-249-5.serverdedicati.aruba.it | High
|
||||
39 | 5.255.80.27 | srv23.mylady8.com | High
|
||||
40 | 8.39.147.120 | - | High
|
||||
41 | 23.239.10.144 | tor.shamm.as | High
|
||||
42 | 23.254.211.232 | hwsrv-930953.hostwindsdns.com | High
|
||||
43 | 27.24.190.240 | - | High
|
||||
44 | 27.50.94.251 | - | High
|
||||
45 | 31.16.91.237 | ip1f105bed.dynamic.kabel-deutschland.de | High
|
||||
46 | 31.31.72.43 | - | High
|
||||
47 | 31.132.0.11 | no.rdns.ukservers.com | High
|
||||
48 | 31.132.0.12 | no.rdns.ukservers.com | High
|
||||
49 | 31.148.219.50 | - | High
|
||||
50 | 31.148.219.166 | - | High
|
||||
51 | 31.148.219.168 | - | High
|
||||
52 | 31.148.219.176 | - | High
|
||||
53 | 31.168.172.147 | 31-168-172-147.telavivwifi.com | High
|
||||
54 | 31.186.96.19 | diburo.ru | High
|
||||
55 | 31.186.96.20 | test.diburo.ru | High
|
||||
56 | 31.192.228.185 | 31-192-228-185-static.glesys.net | High
|
||||
57 | 31.210.111.154 | . | High
|
||||
58 | 31.210.117.131 | . | High
|
||||
59 | 31.210.118.89 | . | High
|
||||
60 | 31.210.123.213 | . | High
|
||||
61 | 31.210.123.214 | . | High
|
||||
62 | 31.210.125.99 | . | High
|
||||
63 | 31.210.125.100 | . | High
|
||||
64 | 31.220.43.99 | - | High
|
||||
65 | 35.0.127.52 | tor-exit.eecs.umich.edu | High
|
||||
66 | 37.0.127.44 | bidder-quail.fellnear.net | High
|
||||
67 | 37.48.93.246 | 3906-others.noaaonline.com | High
|
||||
68 | 37.59.42.55 | dev.upyourbizz.com | High
|
||||
69 | 37.59.63.190 | ns3100645.ip-37-59-63.eu | High
|
||||
70 | 37.59.123.142 | 142.ip-37-59-123.eu | High
|
||||
71 | 37.123.130.176 | h-37-123-130-176.A183.corp.bahnhof.se | High
|
||||
72 | 37.123.130.186 | h-37-123-130-186.A183.corp.bahnhof.se | High
|
||||
73 | 37.139.52.47 | coachrobbo.com | High
|
||||
74 | 37.146.14.44 | 37-146-14-44.broadband.corbina.ru | High
|
||||
75 | 37.187.7.74 | ns3372567.ip-37-187-7.eu | High
|
||||
76 | 37.187.239.8 | 8.ip-37-187-239.eu | High
|
||||
77 | 37.187.247.3 | 3.ip-37-187-247.eu | High
|
||||
78 | 37.220.35.36 | - | High
|
||||
79 | 37.233.99.157 | - | High
|
||||
80 | 37.235.53.237 | 237.53.235.37.in-addr.arpa | High
|
||||
81 | 37.247.54.157 | - | High
|
||||
82 | 38.110.220.169 | - | High
|
||||
83 | 41.77.136.250 | - | High
|
||||
84 | 41.212.1.1 | po-0-0-0.edge1.uk-ln-TH-E.wananchi.com | High
|
||||
85 | 41.215.241.147 | - | High
|
||||
86 | 42.1.1.1 | - | High
|
||||
87 | 42.51.11.66 | - | High
|
||||
88 | 42.112.33.43 | - | High
|
||||
89 | 43.1.1.1 | - | High
|
||||
90 | 45.32.239.246 | 45.32.239.246.vultr.com | Medium
|
||||
91 | 45.55.178.34 | - | High
|
||||
92 | 45.56.90.85 | 45-56-90-85.ip.linodeusercontent.com | High
|
||||
93 | 45.62.255.94 | notassigned.cloudatcost.com | High
|
||||
94 | 45.79.85.112 | li1184-112.members.linode.com | High
|
||||
95 | 46.4.193.146 | server.netica.pl | High
|
||||
96 | 46.17.100.14 | - | High
|
||||
97 | 46.28.68.158 | a.prohoster.info | High
|
||||
98 | 46.28.110.136 | - | High
|
||||
99 | 46.28.111.122 | - | High
|
||||
100 | 46.29.248.238 | - | High
|
||||
101 | 46.73.164.160 | ip-46-73-164-160.bb.netbynet.ru | High
|
||||
102 | 46.148.17.98 | - | High
|
||||
103 | 46.148.17.99 | - | High
|
||||
104 | 46.148.17.100 | - | High
|
||||
105 | 46.148.17.210 | - | High
|
||||
106 | 46.148.26.78 | stb.fox-tv.info | High
|
||||
107 | 46.165.196.229 | - | High
|
||||
108 | 46.165.197.1 | - | High
|
||||
109 | 46.165.223.217 | - | High
|
||||
110 | 46.165.228.119 | - | High
|
||||
111 | 46.165.230.5 | tor-exit.dhalgren.org | High
|
||||
112 | 46.166.137.224 | - | High
|
||||
113 | 46.166.137.240 | - | High
|
||||
114 | 46.166.137.245 | - | High
|
||||
115 | 46.166.138.129 | - | High
|
||||
116 | 46.166.138.141 | - | High
|
||||
117 | 46.166.138.142 | - | High
|
||||
118 | 46.166.138.147 | - | High
|
||||
119 | 46.166.186.243 | tsn46-166-168-243.dyn.nltelcom.net | High
|
||||
120 | 46.166.188.228 | - | High
|
||||
121 | 46.166.190.182 | - | High
|
||||
122 | 46.166.190.192 | - | High
|
||||
123 | 46.166.190.223 | - | High
|
||||
124 | 46.242.66.240 | broadband-46-242-66-240.ip.moscow.rt.ru | High
|
||||
125 | ... | ... | ...
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 1.112.1.1 | softbank001112001001.bbtec.net | - | High
|
||||
2 | 1.212.1.1 | - | - | High
|
||||
3 | 2.189.142.80 | - | - | High
|
||||
4 | 4.0.6.2 | p8-0-0.nchicago2-core0.bbnplanet.net | - | High
|
||||
5 | 5.1.82.130 | - | - | High
|
||||
6 | 5.1.82.140 | - | - | High
|
||||
7 | 5.2.64.10 | - | - | High
|
||||
8 | 5.9.32.230 | static.230.32.9.5.clients.your-server.de | - | High
|
||||
9 | 5.9.98.43 | static.43.98.9.5.clients.your-server.de | - | High
|
||||
10 | 5.28.62.85 | clfc.default.thewinduppirate.uk0.bigv.io | - | High
|
||||
11 | 5.34.150.2 | 5.34.150.2.static.user.wimaxonline.es | - | High
|
||||
12 | 5.34.183.55 | vds-807745.hosted-by-itldc.com | - | High
|
||||
13 | 5.40.21.27 | 5.40.21.27.static.user.ono.com | - | High
|
||||
14 | 5.45.183.194 | - | - | High
|
||||
15 | 5.56.133.19 | 5-56-133-19.static.karizanta.com | - | High
|
||||
16 | 5.56.133.23 | 5-56-133-23.static.karizanta.com | - | High
|
||||
17 | 5.56.133.125 | 5-56-133-125.static.karizanta.com | - | High
|
||||
18 | 5.77.47.142 | - | - | High
|
||||
19 | 5.133.8.152 | vendorcool.com | - | High
|
||||
20 | 5.133.8.162 | d8162.artnet.gda.pl | - | High
|
||||
21 | 5.133.179.243 | better-support4u.com | - | High
|
||||
22 | 5.134.1.250 | 5.134.1.250.hosted.by.stone-is.net | - | High
|
||||
23 | 5.135.65.145 | - | - | High
|
||||
24 | 5.135.65.146 | - | - | High
|
||||
25 | 5.135.186.35 | ns3291871.ip-5-135-186.eu | - | High
|
||||
26 | 5.135.199.28 | - | - | High
|
||||
27 | 5.149.249.172 | - | - | High
|
||||
28 | 5.149.254.114 | mail1.auditoriavanzada.info | - | High
|
||||
29 | 5.153.233.58 | - | - | High
|
||||
30 | 5.153.234.90 | - | - | High
|
||||
31 | 5.157.38.34 | - | - | High
|
||||
32 | 5.189.188.111 | vmd78384.contaboserver.net | - | High
|
||||
33 | 5.196.1.129 | vps-b8a4260c.vps.ovh.net | - | High
|
||||
34 | 5.196.58.96 | ip96.ip-5-196-58.eu | - | High
|
||||
35 | 5.199.171.58 | - | - | High
|
||||
36 | 5.199.172.147 | hst-172-147.cloudlix.com | - | High
|
||||
37 | 5.212.1.1 | - | - | High
|
||||
38 | 5.249.145.164 | host164-145-249-5.serverdedicati.aruba.it | - | High
|
||||
39 | 5.255.80.27 | srv23.mylady8.com | - | High
|
||||
40 | 8.39.147.120 | - | - | High
|
||||
41 | 23.239.10.144 | tor.shamm.as | - | High
|
||||
42 | 23.254.211.232 | hwsrv-930953.hostwindsdns.com | - | High
|
||||
43 | 27.24.190.240 | - | - | High
|
||||
44 | 27.50.94.251 | - | - | High
|
||||
45 | 31.16.91.237 | ip1f105bed.dynamic.kabel-deutschland.de | - | High
|
||||
46 | 31.31.72.43 | - | - | High
|
||||
47 | 31.132.0.11 | no.rdns.ukservers.com | - | High
|
||||
48 | 31.132.0.12 | no.rdns.ukservers.com | - | High
|
||||
49 | 31.148.219.50 | - | - | High
|
||||
50 | 31.148.219.166 | - | - | High
|
||||
51 | 31.148.219.168 | - | - | High
|
||||
52 | 31.148.219.176 | - | - | High
|
||||
53 | 31.168.172.147 | 31-168-172-147.telavivwifi.com | - | High
|
||||
54 | 31.186.96.19 | diburo.ru | - | High
|
||||
55 | 31.186.96.20 | test.diburo.ru | - | High
|
||||
56 | 31.192.228.185 | 31-192-228-185-static.glesys.net | - | High
|
||||
57 | 31.210.111.154 | . | - | High
|
||||
58 | 31.210.117.131 | . | - | High
|
||||
59 | 31.210.118.89 | . | - | High
|
||||
60 | 31.210.123.213 | . | - | High
|
||||
61 | 31.210.123.214 | . | - | High
|
||||
62 | 31.210.125.99 | . | - | High
|
||||
63 | 31.210.125.100 | . | - | High
|
||||
64 | 31.220.43.99 | - | - | High
|
||||
65 | 35.0.127.52 | tor-exit.eecs.umich.edu | - | High
|
||||
66 | 37.0.127.44 | bidder-quail.fellnear.net | - | High
|
||||
67 | 37.48.93.246 | 3906-others.noaaonline.com | - | High
|
||||
68 | 37.59.42.55 | dev.upyourbizz.com | - | High
|
||||
69 | 37.59.63.190 | ns3100645.ip-37-59-63.eu | - | High
|
||||
70 | 37.59.123.142 | 142.ip-37-59-123.eu | - | High
|
||||
71 | 37.123.130.176 | h-37-123-130-176.A183.corp.bahnhof.se | - | High
|
||||
72 | 37.123.130.186 | h-37-123-130-186.A183.corp.bahnhof.se | - | High
|
||||
73 | 37.139.52.47 | coachrobbo.com | - | High
|
||||
74 | 37.146.14.44 | 37-146-14-44.broadband.corbina.ru | - | High
|
||||
75 | 37.187.7.74 | ns3372567.ip-37-187-7.eu | - | High
|
||||
76 | 37.187.239.8 | 8.ip-37-187-239.eu | - | High
|
||||
77 | 37.187.247.3 | 3.ip-37-187-247.eu | - | High
|
||||
78 | 37.220.35.36 | - | - | High
|
||||
79 | 37.233.99.157 | - | - | High
|
||||
80 | 37.235.53.237 | 237.53.235.37.in-addr.arpa | - | High
|
||||
81 | 37.247.54.157 | - | - | High
|
||||
82 | 38.110.220.169 | - | - | High
|
||||
83 | 41.77.136.250 | - | - | High
|
||||
84 | 41.212.1.1 | po-0-0-0.edge1.uk-ln-TH-E.wananchi.com | - | High
|
||||
85 | 41.215.241.147 | - | - | High
|
||||
86 | 42.1.1.1 | - | - | High
|
||||
87 | 42.51.11.66 | - | - | High
|
||||
88 | 42.112.33.43 | - | - | High
|
||||
89 | 43.1.1.1 | - | - | High
|
||||
90 | 45.32.239.246 | 45.32.239.246.vultr.com | - | Medium
|
||||
91 | 45.55.178.34 | - | - | High
|
||||
92 | 45.56.90.85 | 45-56-90-85.ip.linodeusercontent.com | - | High
|
||||
93 | 45.62.255.94 | notassigned.cloudatcost.com | - | High
|
||||
94 | 45.79.85.112 | li1184-112.members.linode.com | - | High
|
||||
95 | 46.4.193.146 | server.netica.pl | - | High
|
||||
96 | 46.17.100.14 | - | - | High
|
||||
97 | 46.28.68.158 | a.prohoster.info | - | High
|
||||
98 | 46.28.110.136 | - | - | High
|
||||
99 | 46.28.111.122 | - | - | High
|
||||
100 | 46.29.248.238 | - | - | High
|
||||
101 | 46.73.164.160 | ip-46-73-164-160.bb.netbynet.ru | - | High
|
||||
102 | 46.148.17.98 | - | - | High
|
||||
103 | 46.148.17.99 | - | - | High
|
||||
104 | 46.148.17.100 | - | - | High
|
||||
105 | 46.148.17.210 | - | - | High
|
||||
106 | 46.148.26.78 | stb.fox-tv.info | - | High
|
||||
107 | 46.165.196.229 | - | - | High
|
||||
108 | 46.165.197.1 | - | - | High
|
||||
109 | 46.165.223.217 | - | - | High
|
||||
110 | 46.165.228.119 | - | - | High
|
||||
111 | 46.165.230.5 | tor-exit.dhalgren.org | - | High
|
||||
112 | 46.166.137.224 | - | - | High
|
||||
113 | 46.166.137.240 | - | - | High
|
||||
114 | 46.166.137.245 | - | - | High
|
||||
115 | 46.166.138.129 | - | - | High
|
||||
116 | 46.166.138.141 | - | - | High
|
||||
117 | 46.166.138.142 | - | - | High
|
||||
118 | 46.166.138.147 | - | - | High
|
||||
119 | 46.166.186.243 | tsn46-166-168-243.dyn.nltelcom.net | - | High
|
||||
120 | 46.166.188.228 | - | - | High
|
||||
121 | 46.166.190.182 | - | - | High
|
||||
122 | 46.166.190.192 | - | - | High
|
||||
123 | 46.166.190.223 | - | - | High
|
||||
124 | 46.242.66.240 | broadband-46-242-66-240.ip.moscow.rt.ru | - | High
|
||||
125 | ... | ... | ... | ...
|
||||
|
||||
There are 496 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Grizzly Steppe. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Grizzly Steppe. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1040 | Authentication Bypass by Capture-replay | High
|
||||
2 | T1059.007 | Cross Site Scripting | High
|
||||
3 | T1068 | Execution with Unnecessary Privileges | High
|
||||
4 | ... | ... | ...
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
|
||||
2 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
3 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 9 more TTP items available. Please use our online service to access the data.
|
||||
There are 8 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Grizzly Steppe. This data is unique as it uses our predictive model for actor profiling.
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Grizzly Steppe. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
|
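Review bot: the IOC table keeps `High` confidence on rows that are visibly not actor-controlled infrastructure, and the new `Campaign` column (every one of the 124 listed cells is `-`) does nothing to qualify them. Rows 41, 65 and 111 are Tor exit nodes by their own hostnames (`tor.shamm.as`, `tor-exit.eecs.umich.edu`, `tor-exit.dhalgren.org`), row 4 is a backbone router (`p8-0-0.nchicago2-core0.bbnplanet.net`), and rows 1, 2, 37, 84, 86 and 89 are `x.y.1.1`-style gateway addresses that look like extraction noise from the source reports rather than observed C2; Tor exits in particular should be tagged as such and rated Low, since alerting on them fires for every Tor user. Two rows need a data check: row 33's hostname changes from `vps-3d93b08b.vps.ovh.net` to `vps-b8a4260c.vps.ovh.net` between the two versions, which shows the column is a live reverse lookup and ought to carry a resolution date, and row 119 pairs `46.166.186.243` with `tsn46-166-168-243.dyn.nltelcom.net`, whose embedded octets (`.168.`) do not match the IP (`.186.`). The `.` hostnames in rows 57 to 63 and the `237.53.235.37.in-addr.arpa` value in row 80 are lookup artifacts that should render as `-`. In the TTP table, now that the `Weakness` column lists the CWE IDs, the `Description` column duplicates them by repeating the CWE title (`Authentication Bypass by Capture-replay` for T1040, `Cross Site Scripting` for T1059.007); putting the ATT&CK names there instead (T1040 is Network Sniffing, T1059.007 is Command and Scripting Interpreter: JavaScript, T1068 is Exploitation for Privilege Escalation) would make the CWE-to-technique mapping reviewable. Lastly, RU drops out of the listed top country entries (`CN`, `RU` removed; `CN`, `GB` added after `US`) while the referenced JAR-16-20296A and AR-17-20045 reports attribute this actor to Russian services; if the ranking reflects infrastructure location rather than attribution, a sentence saying so would prevent readers misreading the list.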
@ -174,43 +174,45 @@ ID | Type | Indicator | Confidence
|
|||
4 | File | `/cgi-bin/luci/rc` | High
|
||||
5 | File | `/cms/ajax.php` | High
|
||||
6 | File | `/context/%2e/WEB-INF/web.xml` | High
|
||||
7 | File | `/domain/service/.ewell-known/caldav` | High
|
||||
8 | File | `/download` | Medium
|
||||
9 | File | `/etc/hosts` | Medium
|
||||
10 | File | `/formWlanSetup` | High
|
||||
11 | File | `/include/chart_generator.php` | High
|
||||
12 | File | `/modules/profile/index.php` | High
|
||||
13 | File | `/monitoring` | Medium
|
||||
14 | File | `/music/ajax.php` | High
|
||||
15 | File | `/new` | Low
|
||||
16 | File | `/pandora_console/ajax.php` | High
|
||||
17 | File | `/plugins/servlet/audit/resource` | High
|
||||
18 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
|
||||
19 | File | `/proc/<pid>/status` | High
|
||||
20 | File | `/public/plugins/` | High
|
||||
21 | File | `/rest/api/1.0/render` | High
|
||||
22 | File | `/RestAPI` | Medium
|
||||
23 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
24 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
|
||||
25 | File | `/tmp` | Low
|
||||
26 | File | `/uncpath/` | Medium
|
||||
27 | File | `/var/log/nginx` | High
|
||||
28 | File | `account.php` | Medium
|
||||
29 | File | `actions/CompanyDetailsSave.php` | High
|
||||
30 | ... | ... | ...
|
||||
7 | File | `/dev/dri/card1` | High
|
||||
8 | File | `/domain/service/.ewell-known/caldav` | High
|
||||
9 | File | `/download` | Medium
|
||||
10 | File | `/etc/hosts` | Medium
|
||||
11 | File | `/formWlanSetup` | High
|
||||
12 | File | `/goform/setIPv6Status` | High
|
||||
13 | File | `/include/chart_generator.php` | High
|
||||
14 | File | `/InternalPages/ExecuteTask.aspx` | High
|
||||
15 | File | `/modules/profile/index.php` | High
|
||||
16 | File | `/monitoring` | Medium
|
||||
17 | File | `/music/ajax.php` | High
|
||||
18 | File | `/pandora_console/ajax.php` | High
|
||||
19 | File | `/plugins/servlet/audit/resource` | High
|
||||
20 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
|
||||
21 | File | `/proc/<pid>/status` | High
|
||||
22 | File | `/public/plugins/` | High
|
||||
23 | File | `/rest/api/1.0/render` | High
|
||||
24 | File | `/RestAPI` | Medium
|
||||
25 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
26 | File | `/tmp` | Low
|
||||
27 | File | `/uncpath/` | Medium
|
||||
28 | File | `/var/log/nginx` | High
|
||||
29 | File | `account.php` | Medium
|
||||
30 | File | `AccountManagerService.java` | High
|
||||
31 | File | `actions/CompanyDetailsSave.php` | High
|
||||
32 | ... | ... | ...
|
||||
|
||||
There are 250 more IOA items available. Please use our online service to access the data.
|
||||
There are 274 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://www.threatminer.org/report.php?q=AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf&y=2017
|
||||
* https://www.threatminer.org/report.php?q=JAR-16-20296A-IOCs.pdf&y=2016
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
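Review bot: the `File` type in the IOA table conflates three kinds of indicator that are observed in different places, and the new rows make it worse: `/cgi-bin/luci/rc`, `/rest/api/1.0/render` and the added `/goform/setIPv6Status` and `/InternalPages/ExecuteTask.aspx` are request paths seen in web server logs; `/etc/hosts`, `/tmp`, `/var/log/nginx` and the added `/dev/dri/card1` are local filesystem paths seen only by host telemetry; and the added `AccountManagerService.java` is a source-file path from a vulnerability write-up that never appears on a victim system at all. Either split the type (the new count line already names `file, library, argument, input value, pattern, network port`) or document that `File` here means the affected component named by the advisory, not an artifact to hunt for. `/proc/<pid>/status` contains a `<pid>` placeholder and belongs under `pattern`, not `File`. Entries such as `/tmp`, `/new` and `/download`, even at `Low` or `Medium` confidence, match essentially all traffic and add noise to any feed built from this list. The count going from 250 to 274 more items also changes row numbering for every entry after row 6 (`/domain/service/.ewell-known/caldav` moves from 7 to 8), so anything citing these IDs externally will drift; a stable indicator ID would avoid that.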
@ -1,70 +1,137 @@
|
|||
# Groundhog - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Groundhog](https://vuldb.com/?actor.groundhog). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Groundhog](https://vuldb.com/?actor.groundhog). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.groundhog](https://vuldb.com/?actor.groundhog)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.groundhog](https://vuldb.com/?actor.groundhog)
|
||||
|
||||
## Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Groundhog:
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Groundhog:
|
||||
|
||||
* US
|
||||
* CN
|
||||
* RU
|
||||
* ...
|
||||
|
||||
There are 24 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Groundhog.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Groundhog.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 1.93.16.186 | - | High
|
||||
2 | 1.93.18.99 | - | High
|
||||
3 | 1.93.60.81 | - | High
|
||||
4 | 1.93.62.132 | - | High
|
||||
5 | 8.8.4.4 | dns.google | High
|
||||
6 | 8.23.224.120 | dynupdate.no-ip.com | High
|
||||
7 | 14.17.93.147 | - | High
|
||||
8 | 14.19.222.76 | - | High
|
||||
9 | 23.234.28.5 | - | High
|
||||
10 | 23.234.41.199 | - | High
|
||||
11 | 23.234.41.219 | - | High
|
||||
12 | 23.234.43.134 | - | High
|
||||
13 | 23.234.60.140 | - | High
|
||||
14 | 23.252.162.178 | - | High
|
||||
15 | 23.252.164.225 | - | High
|
||||
16 | 27.152.183.116 | - | High
|
||||
17 | 36.251.136.189 | - | High
|
||||
18 | 37.59.210.99 | - | High
|
||||
19 | 43.225.59.7 | - | High
|
||||
20 | 43.240.51.113 | - | High
|
||||
21 | 46.229.169.89 | - | High
|
||||
22 | 58.64.187.29 | - | High
|
||||
23 | 58.218.213.237 | - | High
|
||||
24 | 58.221.35.5 | - | High
|
||||
25 | 58.221.45.242 | - | High
|
||||
26 | 59.56.64.169 | - | High
|
||||
27 | 59.188.86.215 | - | High
|
||||
28 | 59.188.86.222 | - | High
|
||||
29 | ... | ... | ...
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 1.93.16.186 | - | - | High
|
||||
2 | 1.93.18.99 | - | - | High
|
||||
3 | 1.93.60.81 | - | - | High
|
||||
4 | 1.93.62.132 | - | - | High
|
||||
5 | 8.8.4.4 | dns.google | - | High
|
||||
6 | 8.23.224.120 | dynupdate.no-ip.com | - | High
|
||||
7 | 14.17.93.147 | - | - | High
|
||||
8 | 14.19.222.76 | - | - | High
|
||||
9 | 23.234.28.5 | - | - | High
|
||||
10 | 23.234.41.199 | - | - | High
|
||||
11 | 23.234.41.219 | - | - | High
|
||||
12 | 23.234.43.134 | - | - | High
|
||||
13 | 23.234.60.140 | - | - | High
|
||||
14 | 23.252.162.178 | - | - | High
|
||||
15 | 23.252.164.225 | - | - | High
|
||||
16 | 27.152.183.116 | - | - | High
|
||||
17 | 36.251.136.189 | - | - | High
|
||||
18 | 37.59.210.99 | - | - | High
|
||||
19 | 43.225.59.7 | - | - | High
|
||||
20 | 43.240.51.113 | - | - | High
|
||||
21 | 46.229.169.89 | - | - | High
|
||||
22 | 58.64.187.29 | - | - | High
|
||||
23 | 58.218.213.237 | - | - | High
|
||||
24 | 58.221.35.5 | - | - | High
|
||||
25 | 58.221.45.242 | - | - | High
|
||||
26 | 59.56.64.169 | - | - | High
|
||||
27 | 59.188.86.215 | - | - | High
|
||||
28 | 59.188.86.222 | - | - | High
|
||||
29 | ... | ... | ... | ...
|
||||
|
||||
There are 113 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Groundhog. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-250, CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 8 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Groundhog. This data is unique as it uses our predictive model for actor profiling.
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Groundhog. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `http-domino-enum-passwords.nse` | High
|
||||
1 | File | `/+CSCOE+/logon.html` | High
|
||||
2 | File | `/.env` | Low
|
||||
3 | File | `/.ssh/authorized_keys` | High
|
||||
4 | File | `/admin.php?&m=Public&a=login` | High
|
||||
5 | File | `/admin/default.asp` | High
|
||||
6 | File | `/ajax/networking/get_netcfg.php` | High
|
||||
7 | File | `/assets/ctx` | Medium
|
||||
8 | File | `/cgi-bin/login_action.cgi` | High
|
||||
9 | File | `/cgi-bin/supervisor/PwdGrp.cgi` | High
|
||||
10 | File | `/checkLogin.cgi` | High
|
||||
11 | File | `/cms/print.php` | High
|
||||
12 | File | `/concat?/%2557EB-INF/web.xml` | High
|
||||
13 | File | `/config/getuser` | High
|
||||
14 | File | `/data/remove` | Medium
|
||||
15 | File | `/etc/ajenti/config.yml` | High
|
||||
16 | File | `/etc/passwd` | Medium
|
||||
17 | File | `/goform/telnet` | High
|
||||
18 | File | `/login` | Low
|
||||
19 | File | `/modules/profile/index.php` | High
|
||||
20 | File | `/navigate/navigate_download.php` | High
|
||||
21 | File | `/out.php` | Medium
|
||||
22 | File | `/owa/auth/logon.aspx` | High
|
||||
23 | File | `/p` | Low
|
||||
24 | File | `/password.html` | High
|
||||
25 | File | `/proc/ioports` | High
|
||||
26 | File | `/property-list/property_view.php` | High
|
||||
27 | File | `/rest` | Low
|
||||
28 | File | `/rest/api/2/search` | High
|
||||
29 | File | `/rom-0` | Low
|
||||
30 | File | `/s/` | Low
|
||||
31 | File | `/scripts/cpan_config` | High
|
||||
32 | File | `/services/system/setup.json` | High
|
||||
33 | File | `/setSystemAdmin` | High
|
||||
34 | File | `/ucms/index.php?do=list_edit` | High
|
||||
35 | File | `/uncpath/` | Medium
|
||||
36 | File | `/webconsole/APIController` | High
|
||||
37 | File | `/websocket/exec` | High
|
||||
38 | File | `/wp-admin/admin-ajax.php` | High
|
||||
39 | File | `/wp-json/oembed/1.0/embed?url` | High
|
||||
40 | File | `/_next` | Low
|
||||
41 | File | `4.edu.php\conn\function.php` | High
|
||||
42 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
43 | File | `actions/beats_uploader.php` | High
|
||||
44 | File | `adclick.php` | Medium
|
||||
45 | File | `addentry.php` | Medium
|
||||
46 | File | `admin/admin.php` | High
|
||||
47 | File | `admin/category.inc.php` | High
|
||||
48 | ... | ... | ...
|
||||
|
||||
There are 420 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://www.threatminer.org/report.php?q=sb-report-threat-intelligence-groundhog.pdf&y=2015
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
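Review bot: rows 5 and 6 of the IOC table list `8.8.4.4` (`dns.google`) and `8.23.224.120` (`dynupdate.no-ip.com`) at `High` confidence; both are shared public services (Google Public DNS and No-IP's dynamic DNS update endpoint) that malware and legitimate software alike contact, so they identify nothing about the actor and should be rated Low or dropped, as should any row whose only evidence is a DDNS provider rather than the actor's own DDNS name. In the TTP table, row 3 lists `CWE-798` under `Weakness` but the `Description` reads `Improper Restriction of Excessive Authentication Attempts`, which is the title of CWE-307; CWE-798 is Use of Hard-coded Credentials, so one of the two columns is wrong for T1110.001. The IOA list grows from a single entry (`http-domino-enum-passwords.nse`, an Nmap script name, now removed) to 47 rows plus 420 more in one change (`@ -1,70 +1,137 @@`), with no indication of what produced the jump; two of the new values are malformed as paths, `4.edu.php\conn\function.php` (backslashes) and `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` (four file names joined by `/`), and `/login`, `/p`, `/s/` and `/rest` are too generic to be actionable even at `Low`.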
@ -1,12 +1,12 @@
|
|||
# Guccifer 2.0 - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Guccifer 2.0](https://vuldb.com/?actor.guccifer_2.0). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Guccifer 2.0](https://vuldb.com/?actor.guccifer_2.0). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.guccifer_2.0](https://vuldb.com/?actor.guccifer_2.0)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.guccifer_2.0](https://vuldb.com/?actor.guccifer_2.0)
|
||||
|
||||
## Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Guccifer 2.0:
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Guccifer 2.0:
|
||||
|
||||
* US
|
||||
* FR
|
||||
|
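Review bot: the intro link moves from `https://vuldb.com/?doc.cti` to `https://vuldb.com/?kb.cti`, which is the substantive fix in this hunk and brings the file in line with the other actor files in this change, all of which already use `?kb.cti`; since this one was evidently missed by whatever earlier rename introduced `?kb.cti`, it is worth grepping the repository for any remaining `?doc.cti` links rather than fixing them one commit at a time.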
@ -14,63 +14,56 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
|
|||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Guccifer 2.0.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Guccifer 2.0.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 95.130.9.198 | - | High
|
||||
2 | 95.130.15.34 | - | High
|
||||
3 | 95.130.15.36 | - | High
|
||||
4 | ... | ... | ...
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 95.130.9.198 | - | - | High
|
||||
2 | 95.130.15.34 | - | - | High
|
||||
3 | 95.130.15.36 | - | - | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 4 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Guccifer 2.0. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Guccifer 2.0. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1499 | Resource Consumption | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1499 | CWE-400 | Resource Consumption | High
4 | ... | ... | ... | ...
There are 1 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Guccifer 2.0. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Guccifer 2.0. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/Forms/` | Low
2 | File | `/see_more_details.php` | High
3 | File | `ajax.cgi` | Medium
4 | File | `exprcalc.cfm` | Medium
5 | File | `generate.php` | Medium
6 | File | `io/channel-websock.c` | High
7 | File | `net/xdp/xdp_umem.c` | High
8 | File | `wp-admin/admin.php?page=monetize-zones-new` | High
9 | File | `wp-admin/options-general.php?page=wp-social-bookmarking-light%2Fmodules%2Fadmin.php` | High
10 | File | `wsecure-config.php` | High
11 | ... | ... | ...
4 | ... | ... | ...
There are 6 more IOA items available. Please use our online service to access the data.
There are 13 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://www.threatminer.org/report.php?q=ThreatConnectfollowsGuccifer2-ThreatConnect.pdf&y=2016
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
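Review bot: the count sentence "There are 1 more TTP items available. Please use our online service to access the data." in this hunk pairs plural wording with a remainder of one; the template should switch to the singular form ("There is 1 more TTP item available.") when the count is 1, as the same sentence pattern also appears for the IOC and IOA sections. The collapsed IOA table is otherwise consistent with its new count: 10 listed rows plus "6 more" and 3 listed rows plus "13 more" both give 16 items.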
@ -1,48 +1,48 @@
# Hafnium - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Hafnium](https://vuldb.com/?actor.hafnium). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Hafnium](https://vuldb.com/?actor.hafnium). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.hafnium](https://vuldb.com/?actor.hafnium)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.hafnium](https://vuldb.com/?actor.hafnium)
## Campaigns
The following campaigns are known and can be associated with Hafnium:
The following _campaigns_ are known and can be associated with Hafnium:
* Hafnium
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Hafnium:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Hafnium:
* CN
* US
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Hafnium.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Hafnium.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 172.105.174.117 | 172-105-174-117.ip.linodeusercontent.com | High
2 | 182.239.123.241 | 182.239.123.241.hk.chinamobile.com | High
3 | 182.239.124.180 | 182.239.124.180.hk.chinamobile.com | High
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 172.105.174.117 | 172-105-174-117.ip.linodeusercontent.com | Hafnium | High
2 | 182.239.123.241 | 182.239.123.241.hk.chinamobile.com | Hafnium | High
3 | 182.239.124.180 | 182.239.124.180.hk.chinamobile.com | Hafnium | High
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Hafnium. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Hafnium. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1211 | 7PK Security Features | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1211 | CWE-254 | 7PK Security Features | High
4 | ... | ... | ... | ...
There are 1 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Hafnium. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Hafnium. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
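Review bot: in the TTP table of this hunk the Description cell for T1211 reads "7PK Security Features", which is a weakness-category label of the same kind as the CWE-254 value now carried in the new Weakness column, not a description of the technique; with the Weakness column added, the Description column should describe the ATT&CK technique itself so that the two columns do not repeat each other. The same "There are 1 more TTP items available." wording as in the other files should use the singular form when the remainder is 1.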
@ -51,18 +51,18 @@ ID | Type | Indicator | Confidence
3 | File | `/auth/session` | High
4 | ... | ... | ...
There are 22 more IOA items available. Please use our online service to access the data.
There are 22 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://twitter.com/KyleHanslovan/status/1370077442984001537
* https://twitter.com/TheDFIRReport/status/1370079472033136640
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
@ -0,0 +1,67 @@
# Handymanny - Cyber Threat Intelligence
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Handymanny](https://vuldb.com/?actor.handymanny). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.handymanny](https://vuldb.com/?actor.handymanny)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Handymanny:
* US
* RU
* PL
* ...
There are 5 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Handymanny.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 185.112.82.89 | server-185-112-82-89.creanova.org | - | High
2 | 185.244.25.200 | - | - | High
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Handymanny. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1211 | CWE-254 | 7PK Security Features | High
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Handymanny. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/cfg` | Low
2 | File | `/etc/quantum/quantum.conf` | High
3 | File | `/index.php` | Medium
4 | File | `/iwguestbook/admin/badwords_edit.asp` | High
5 | File | `/iwguestbook/admin/messages_edit.asp` | High
6 | ... | ... | ...
There are 38 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://blog.netlab.360.com/the-botnet-cluster-on-185-244-25-0-24-en/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
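Review bot: the Countries list in this new file closes with a literal "* ..." bullet immediately followed by "There are 5 more country items available. Please use our online service to access the data.", so the truncation is signalled twice; the other actor pages in this diff carry only the count sentence for truncated lists, and "country items" would read better as "countries". The IOC table keeps a Campaign column filled with "-" for both rows although the file has no Campaigns section, which is consistent but could be noted in the generator as the expected output for actors without a known campaign.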