CTI Update
parent 72cd3bd4eb
commit 5a9687a59f
@ -0,0 +1,32 @@
= 1937CN - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.1937cn[1937CN]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.1937cn

== Campaigns

The following campaigns are known and can be associated with the actor.

- Rehashed RAT

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|1.3.30.3|-|High
|2|1.3.33.5|-|High
|========================================

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://www.threatminer.org/report.php?q=RehashedRATUsedinAPTCampaignAgainstVietnameseOrganizations_FortinetBlog.pdf&y=2017

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
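Review bot: "ressources" in the IOC introduction ("The indicators of compromise indicate associated network ressources ...") should read "resources"; the same template sentence appears in every file added by this commit, so fix it once in the generator rather than per file. The IOC table also carries no date or source per address: the only reference is a ThreatMiner mirror dated 2017 (`&y=2017` in the URL), so a first-seen/last-seen column would tell a reader whether 1.3.30.3 and 1.3.33.5 are still worth alerting on.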
@ -0,0 +1,32 @@
= 9002 - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.9002[9002]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.9002

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. CN

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|222.239.91.30|-|High
|2|222.239.91.152|-|High
|========================================

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://www.threatminer.org/report.php?q=AttackDelivers%E2%80%989002%E2%80%99TrojanThroughGoogleDrive-PaloAltoNetworksBlogPaloAltoNetworksBlog.pdf&y=2016

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
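Review bot: the Countries section is written as `. CN`, which is AsciiDoc's ordered-list marker, so it renders as a numbered list ("1. CN") and implies a ranking, while the Campaigns sections in the sibling files use the unordered `-` marker. Use `-` (or `*`) for countries too, unless the order is meaningful, in which case the lead sentence should say what it is ordered by. The intro sentence has the same "ressources" typo as the other files.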
@ -0,0 +1,75 @@
= APT-C-01 - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt-c-01[APT-C-01]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt-c-01

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. US
. CN
. RU
. ...

There are 3 more country items available. Please use our online service to access the data.

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|45.32.8.137|45.32.8.137.vultr.com|Medium
|2|45.76.125.176|45.76.125.176.vultr.com|Medium
|3|45.76.228.61|45.76.228.61.vultr.com|Medium
|4|131.213.66.10|p83d5420a.tocgnt01.ap.so-net.ne.jp|High
|5|146.0.32.168|al039.albit.dedi.server-hosting.expert|High
|6|165.227.220.223|musyfy.staging.collaborators.us|High
|7|188.166.67.36|-|High
|========================================

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|========================================

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/forum/away.php|High
|2|File|/goform/saveParentControlInfo|High
|3|File|/uncpath/|Medium
|4|File|2020\Messages\SDNotify.exe|High
|5|File|admin/admin_disallow.php|High
|6|File|email.php|Medium
|7|File|entry.cgi|Medium
|8|File|ext/date/lib/parse_date.c|High
|9|File|goto.php|Medium
|10|File|index.php?tg=delegat&idx=mem|High
|11|...|...|...
|========================================

There are 25 more IOA items available. Please use our online service to access the data.

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://www.threatminer.org/report.php?q=APT-C-01-360.pdf&y=2018

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
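Review bot: the TTP table's "Access Vector" column does not contain ATT&CK technique names. In ATT&CK, T1059.007 is "Command and Scripting Interpreter: JavaScript" and T1068 is "Exploitation for Privilege Escalation", whereas the rows say "Cross Site Scripting" and "Execution with Unnecessary Privileges", which are CWE-style weakness names. Either rename the column to say what it holds (the vulnerability class the prediction was derived from) or add the real technique name beside the ID; as written, anyone importing these rows into an ATT&CK navigator layer will mislabel them. In the IOC table, the hostnames of the form `45.32.8.137.vultr.com` are the hosting provider's generic reverse-DNS names and add nothing beyond the IP, which fits the Medium confidence on those rows; a sentence in the IOC intro saying that resolved names are raw PTR data would save readers from treating them as actor-registered domains.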
@ -0,0 +1,47 @@
= APT-C-07 - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt-c-07[APT-C-07]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt-c-07

== Campaigns

The following campaigns are known and can be associated with the actor.

- Mermaid

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. US

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|69.195.129.72|-|High
|========================================

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|Argument|widget_template|High
|========================================

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://www.threatminer.org/report.php?q=Operation_Mermaid_360cn.pdf&y=2016

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
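Review bot: the single IOA row, Class "Argument" with value `widget_template` at High confidence, is not actionable on its own: a bare parameter name says nothing about the request path or product it belongs to, and cannot be turned into a detection rule without that context. Pair it with the File/URL it is passed to (the other files in this commit have File rows that could anchor it) or leave it out of the rendered summary. The one IOC and the single 2016 ThreatMiner reference also make the "High" rating on 69.195.129.72 hard to justify without a date of last observed activity.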
@ -0,0 +1,76 @@
= APT-C-36 - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt-c-36[APT-C-36]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt-c-36

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. US
. BR
. FR
. ...

There are 3 more country items available. Please use our online service to access the data.

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|128.90.106.22|undefined.hostname.localhost|High
|2|128.90.107.21|undefined.hostname.localhost|High
|3|128.90.107.189|undefined.hostname.localhost|High
|4|128.90.107.236|undefined.hostname.localhost|High
|5|128.90.108.126|undefined.hostname.localhost|High
|6|128.90.114.5|undefined.hostname.localhost|High
|7|128.90.115.28|undefined.hostname.localhost|High
|8|128.90.115.179|undefined.hostname.localhost|High
|========================================

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1499|Resource Consumption|High
|2|T1600|Cryptographic Issues|High
|========================================

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|.htaccess|Medium
|2|File|FileSeek.cgi|Medium
|3|File|includes/dbal.php|High
|4|File|index.php|Medium
|5|File|modules/mappers/mod_rewrite.c|High
|6|File|personalData/resumeDetail.cfm|High
|7|File|prod.php|Medium
|8|File|products.php|Medium
|9|File|shop.pl|Low
|10|File|software-description.php|High
|11|...|...|...
|========================================

There are 10 more IOA items available. Please use our online service to access the data.

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
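Review bot: all eight IOC rows carry the hostname `undefined.hostname.localhost`, which is a placeholder PTR record set by the hosting provider, not a name belonging to the actor; render it as `-` like the unresolved rows in the other files, otherwise it will be ingested downstream as a "hostname" indicator and never match anything. The TTP column has the same labelling problem as elsewhere in this commit: in ATT&CK, T1499 is "Endpoint Denial of Service" and T1600 is "Weaken Encryption", not "Resource Consumption" and "Cryptographic Issues", so either rename the column or add the technique name. Under IOA, `.htaccess` and `index.php` at Medium confidence will match virtually every web server on the internet and should be rated Low or dropped from the summary.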
@ -0,0 +1,97 @@
= APT1 - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt1[APT1]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt1

== Campaigns

The following campaigns are known and can be associated with the actor.

- Mandiant
- Oceansalt

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. CN
. US
. FR
. ...

There are 1 more country items available. Please use our online service to access the data.

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|23.236.62.147|147.62.236.23.bc.googleusercontent.com|Medium
|2|27.102.112.179|-|High
|3|58.246.|-|High
|4|58.247.|-|High
|5|67.222.16.131|host.dnsweb.org|High
|6|100.42.216.230|tfs2480.sipnav.in|High
|7|103.42.182.241|-|High
|8|104.31.82.32|-|High
|9|158.69.131.78|ip78.ip-158-69-131.net|High
|10|172.81.132.62|ip-172-81-132-62.host.datawagon.net|High
|11|211.104.160.196|-|High
|12|223.166.|-|High
|13|223.167.|-|High
|========================================

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1211|7PK Security Features|High
|5|T1222|Permission Issues|High
|6|...|...|...
|========================================

There are 7 more TTP items available. Please use our online service to access the data.

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|$HOME/.nylas-mail|High
|2|File|$JENKINS_HOME/jenkins.security.RekeySecretAdminMonitor/backups|High
|3|File|$SPLUNK_HOME/etc/splunk-launch.conf|High
|4|File|%ProgramData%\CTES|High
|5|File|%PROGRAMFILES%\Cylance\Desktop\log|High
|6|File|%SYSTEMDRIVE%\ProgramData\exclusions.dat|High
|7|File|'phpshell.php|High
|8|File|*-sub-menu.php|High
|9|File|-X/path/to/wwwroot/file.php.|High
|10|File|.../gogo/|Medium
|11|...|...|...
|========================================

There are 10537 more IOA items available. Please use our online service to access the data.

== References

The following list contains external sources which discuss the actor and the associated activities.

* http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf
* https://www.circleid.com/posts/20201215-revisiting-apt1-iocs-with-dns-and-subdomain-intelligence/
* https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdfa
* https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
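Review bot: IOC rows 3, 4, 12 and 13 put bare prefixes (`58.246.`, `58.247.`, `223.166.`, `223.167.`) in the "IP address" column; these are not addresses, and a consumer that parses the column as IPv4 will either reject the row or, worse, pad it into a wrong address. If they denote network ranges, write them in CIDR notation (for example `58.246.0.0/16`, assuming that is the intended size) and say so in the intro, or give them their own "Netblock" row type. The third reference URL ends in `mandiant-apt1-report.pdfa`; the trailing `a` looks like a typo and the link will 404. "Mandiant" under Campaigns is the vendor that published the APT1 report, not a campaign name, and should be replaced by the report title or removed. The IOA rows `'phpshell.php`, `-X/path/to/wwwroot/file.php.` and `*-sub-menu.php` carry a stray leading quote, a leading `-X` and a trailing period that read as tokenizer residue from advisory text, and "There are 10537 more IOA items available" for a single actor suggests the model is attaching nearly every tracked file path to APT1; both point at the IOA extraction needing a sanity filter before it is rendered. Minor: "There are 1 more country items available" should pluralize on the count.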
@ -0,0 +1,110 @@
= APT10 - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt10[APT10]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt10

== Campaigns

The following campaigns are known and can be associated with the actor.

- A41APT
- Cloud Hopper

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. US
. CN
. DE
. ...

There are 18 more country items available. Please use our online service to access the data.

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|23.89.193.34|-|High
|2|23.110.64.147|-|High
|3|23.252.105.137|23.252.105.137.16clouds.com|High
|4|27.102.66.67|-|High
|5|27.102.115.249|-|High
|6|27.102.127.75|-|High
|7|27.102.127.80|-|High
|8|27.102.128.157|-|High
|9|31.184.197.215|31-184-197-215.static.x5x-noc.ru|High
|10|31.184.197.227|31-184-197-227.static.x5x-noc.ru|High
|11|31.184.198.23|-|High
|12|31.184.198.38|-|High
|13|37.187.7.74|ns3372567.ip-37-187-7.eu|High
|14|37.235.52.18|18.52.235.37.in-addr.arpa|High
|15|38.72.112.45|-|High
|16|38.72.114.16|-|High
|17|38.72.115.9|-|High
|18|45.62.112.161|45.62.112.161.16clouds.com|High
|19|45.138.157.83|lilanews.serveexchange.com|High
|20|46.108.39.134|-|High
|21|...|...|...
|========================================

There are 94 more IOC items available. Please use our online service to access the data.

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1211|7PK Security Features|High
|5|T1222|Permission Issues|High
|6|...|...|...
|========================================

There are 4 more TTP items available. Please use our online service to access the data.

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/+CSCOE+/logon.html|High
|2|File|/.env|Low
|3|File|/addnews.html|High
|4|File|/admin/index.php|High
|5|File|/assets/something/services/AppModule.class|High
|6|File|/cgi-bin/admin/testserver.cgi|High
|7|File|/cgi-bin/go|Medium
|8|File|/dev/kvm|Medium
|9|File|/etc/config/rpcd|High
|10|File|/etc/gsissh/sshd_config|High
|11|...|...|...
|========================================

There are 481 more IOA items available. Please use our online service to access the data.

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://github.com/janhenrikdotcom/iocs/blob/master/APT10/Operation%20Cloud%20Hopper%20-%20Indicators%20of%20Compromise%20v3.csv
* https://github.com/PwCUK-CTO/OperationCloudHopper/blob/master/cloud-hopper-indicators-of-compromise-v3.csv
* https://github.com/riduangan/APT10/blob/master/IOC
* https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/
* https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html
* https://www.threatminer.org/report.php?q=Accenture-Hogfish-Threat-Analysis.pdf&y=2018
* https://www.threatminer.org/report.php?q=cloud-hopper-indicators-of-compromise-v3-PwC.pdf&y=2017

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
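Review bot: IOC row 14 gives `18.52.235.37.in-addr.arpa` as the hostname of 37.235.52.18; that is the reverse-zone name of the address itself, meaning the PTR lookup returned nothing usable, so the cell should be `-` like the other unresolved rows rather than a string that looks like a domain. Rows 3 and 18 (`*.16clouds.com`) and rows 9 and 10 (`*.static.x5x-noc.ru`) look like hosting-provider generic reverse names with the IP embedded and tell the reader nothing beyond the address. Under IOA, `/dev/kvm` and `/etc/gsissh/sshd_config` are local host paths taken from vulnerability records, not something a network or web sensor can observe, while `/+CSCOE+/logon.html` and `/admin/index.php` are URL paths; the single "File" class mixes the two, so split them or document in the intro sentence what "File" covers. The References list links three copies of the same Cloud Hopper IOC CSV v3 (the PwC GitHub original, the janhenrikdotcom mirror and the ThreatMiner PDF); the PwC GitHub link alone would do.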
@ -0,0 +1,76 @@
= APT12 - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt12[APT12]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt12

== Campaigns

The following campaigns are known and can be associated with the actor.

- Etumbot

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. ES
. US

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|32.114.251.129|-|High
|2|59.0.249.11|-|High
|3|92.54.232.142|-|High
|4|98.188.111.244|-|High
|5|133.87.242.63|turonian.cris.hokudai.ac.jp|High
|6|133.87.242.631|-|High
|7|141.108.2.157|fabernext.roma1.infn.it|High
|8|143.89.47.132|eea132.ee.ust.hk|High
|9|143.89.145.156|dy145-156.ust.hk|High
|10|190.16.246.129|129-246-16-190.fibertel.com.ar|High
|11|190.193.44.138|138-44-193-190.cab.prima.net.ar|High
|12|196.1.99.15|-|High
|13|196.1.99.154|-|High
|14|200.27.173.58|-|High
|15|200.42.69.140|mail1.argus.com.ar|High
|16|211.53.164.152|recruit.dhc.co.kr|High
|17|217.119.240.118|-|High
|========================================

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1499|Resource Consumption|High
|========================================

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|Network Port|tcp/264|Low
|========================================

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html
* https://www.threatminer.org/report.php?q=ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf&y=2014

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
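Review bot: IOC row 6, `133.87.242.631`, is not a valid IPv4 address (the last octet, 631, exceeds 255); since row 5 is `133.87.242.63` with a resolved hostname, this looks like a digit appended during extraction and should be dropped or corrected against the ASERT Etumbot source. Row 13 (`196.1.99.154`) next to row 12 (`196.1.99.15`) shows the same trailing-digit pattern; it is a valid address but deserves a check against the source too. Several resolved hosts are university and research systems (`hokudai.ac.jp`, `roma1.infn.it`, `ust.hk`), which are far more likely to be compromised relays than actor-owned infrastructure; a column or note separating compromised third-party hosts from attacker-registered ones would make a uniform "High" confidence easier to act on. The only IOA, Network Port `tcp/264` at Low confidence, is too generic to carry on its own.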
@ -0,0 +1,32 @@
= APT15 - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt15[APT15]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt15

== Campaigns

The following campaigns are known and can be associated with the actor.

- Ke3chang

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|61.128.110.38|-|High
|2|180.149.252.181|-|High
|========================================

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://www.threatminer.org/report.php?q=XSLCmd_OSX.pdf&y=2014

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
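Review bot: the only reference is a 2014 report named `XSLCmd_OSX.pdf`, whose title says nothing about Ke3chang, yet Ke3chang is the one campaign listed and the two IOC addresses are rated High; add the source that ties the campaign and the addresses 61.128.110.38 and 180.149.252.181 to APT15, or lower the confidence. Unlike the sibling files this one has no Countries section, which is fine when there is no data, but a consistent section with an explicit "none" would make the files easier to diff and parse.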
@ -0,0 +1,65 @@
|
|||
= APT16 - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt16[APT16]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt16
|
||||
|
||||
== Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
|
||||
|
||||
. US
|
||||
. CN
|
||||
|
||||
== IOC - Indicator of Compromise
|
||||
|
||||
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
|
||||
|
||||
[options="header"]
|
||||
|========================================
|
||||
|ID|IP address|Hostname|Confidence
|
||||
|1|121.127.249.74|-|High
|
||||
|========================================
|
||||
|
||||
== TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
[options="header"]
|
||||
|========================================
|
||||
|ID|Technique|Access Vector|Confidence
|
||||
|1|T1059.007|Cross Site Scripting|High
|
||||
|2|T1068|Execution with Unnecessary Privileges|High
|
||||
|========================================
|
||||
|
||||
== IOA - Indicator of Attack
|
||||
|
||||
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
[options="header"]
|
||||
|========================================
|
||||
|ID|Class|Indicator|Confidence
|
||||
|1|File|/download|Medium
|
||||
|2|File|comment_add.asp|High
|
||||
|3|File|data/gbconfiguration.dat|High
|
||||
|4|File|email.php|Medium
|
||||
|5|File|inc/config.php|High
|6|File|inc/filebrowser/browser.php|High
|7|File|ogp_show.php|Medium
|8|File|register.php|Medium
|9|Argument|basePath|Medium
|10|Argument|display|Low
|11|...|...|...
|========================================
There are 4 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
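Review bot: the TTP table's "Access Vector" column (rows 1 and 2) pairs ATT&CK IDs with weakness-style names (Cross Site Scripting, Execution with Unnecessary Privileges) whose ATT&CK names differ (T1059.007 is Command and Scripting Interpreter: JavaScript, T1068 is Exploitation for Privilege Escalation), so a reader cannot tell from the table which taxonomy the mapping was derived from; add the ATT&CK technique name as its own column or rename "Access Vector" to say what it holds. Also, "ressources" in the IOC intro paragraph should be "resources"; the same sentence recurs in every file in this commit, so it belongs fixed in the generator template rather than per file.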
@ -0,0 +1,89 @@
= APT17 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt17[APT17]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt17
== Campaigns
The following campaigns are known and can be associated with the actor.
- CCleaner
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. DE
. US
. JP
. ...
There are 2 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|1.234.52.111|-|High
|2|69.80.72.165|-|High
|3|103.250.72.39|sv01growth.bulks.jp|High
|4|103.250.72.254|103x250x72x254.bulks.jp|High
|5|110.45.151.43|-|High
|6|121.101.73.231|p6549e7.fkokff01.ap.so-net.ne.jp|High
|7|130.184.156.62|-|High
|8|148.251.71.75|hotspot.nwwc.de|High
|9|175.126.104.175|-|High
|10|178.62.20.110|-|High
|11|216.126.225.148|-|High
|12|217.198.143.40|-|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1211|7PK Security Features|High
|4|T1587.003|Improper Certificate Validation|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|.htaccess|Medium
|2|File|/wbg/core/_includes/authorization.inc.php|High
|3|File|data/gbconfiguration.dat|High
|4|File|inc/config.php|High
|5|File|inc/filebrowser/browser.php|High
|6|File|register/check/username?username|High
|7|File|wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php|High
|8|File|wp-login.php|Medium
|9|Argument|basePath|Medium
|10|Argument|file|Low
|11|...|...|...
|========================================
There are 2 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://github.com/fireeye/iocs/blob/master/APT17/7b9e87c5-b619-4a13-b862-0145614d359a.ioc
* https://www.threatminer.org/report.php?q=EvidenceAuroraOperationStillActive_SupplyChainAttackThroughCCleaner-Intezer.pdf&y=2017
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
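Review bot: IOA row 6 (`register/check/username?username`) stores a query string inside a File indicator; rows 9 and 10 already split path and parameter into separate File and Argument rows, and this entry should follow the same convention, otherwise a consumer that matches on the file name alone will never hit it and one that matches the literal string will miss the same endpoint with a different parameter order.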
@ -0,0 +1,36 @@
= APT18 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt18[APT18]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt18
== Campaigns
The following campaigns are known and can be associated with the actor.
- Wekby
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|23.252.166.89|-|High
|2|23.252.166.99|-|High
|3|107.180.58.70|ip-107-180-58-70.ip.secureserver.net|High
|4|137.175.4.132|-|High
|5|223.25.233.248|-|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://github.com/fireeye/iocs/blob/master/APT18/0ae061d7-c624-4a84-8adf-00281b97797b.ioc
* https://unit42.paloaltonetworks.com/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
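Review bot: IOC row 3 (`107.180.58.70`, rDNS `ip-107-180-58-70.ip.secureserver.net`) carries a hosting-provider reverse name, which suggests a shared or rented host rather than dedicated actor infrastructure, yet it is listed at High confidence with no qualifier; anyone turning this table into a blocklist will block every tenant behind that address, so either record the specific domain the actor used or lower the confidence and note that the IP is shared.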
@ -0,0 +1,44 @@
= APT19 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt19[APT19]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt19
== Campaigns
The following campaigns are known and can be associated with the actor.
- c0d0s0
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. CN
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|42.200.18.194|-|High
|2|104.236.77.169|-|High
|3|121.54.168.230|-|High
|4|138.68.45.9|openpubsource.com|High
|5|162.243.143.145|-|High
|6|210.181.184.64|-|High
|7|218.54.139.20|-|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://unit42.paloaltonetworks.com/new-attacks-linked-to-c0d0s0-group/
* https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
@ -0,0 +1,83 @@
= APT2 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt2[APT2]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt2
== Campaigns
The following campaigns are known and can be associated with the actor.
- Putter Panda
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. KR
. US
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|31.170.110.163|io.uu3.net|High
|2|58.196.156.15|-|High
|3|59.120.168.199|59-120-168-199.hinet-ip.hinet.net|High
|4|61.34.97.69|-|High
|5|61.74.190.14|-|High
|6|61.78.37.121|-|High
|7|61.78.75.96|-|High
|8|61.221.54.99|61-221-54-99.hinet-ip.hinet.net|High
|9|67.42.255.50|rory.net|High
|10|100.42.216.230|tfs2480.sipnav.in|High
|11|121.157.104.122|-|High
|12|134.129.140.212|eercvpn.eerc.und.nodak.edu|High
|13|140.112.19.195|ipserver.ee.ntu.edu.tw|High
|14|140.112.40.7|bpADServer.bp.ntu.edu.tw|High
|15|140.113.88.216|IP-88-216.cs.nctu.edu.tw|High
|16|140.113.241.33|mipserv.cs.nctu.edu.tw|High
|17|140.119.46.35|econo2008.nccu.edu.tw|High
|18|173.231.36.139|173-231-36-139.hosted.static.webnx.com|High
|19|173.252.205.56|173-252-205-56.genericreverse.com|High
|20|173.252.207.51|173-252-207-51.genericreverse.com|High
|21|...|...|...
|========================================
There are 22 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/bin/boa|Medium
|2|Argument|Authorization|High
|3|Argument|Username|Medium
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf
* https://www.threatminer.org/report.php?q=putter-panda.pdf&y=2014
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
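Review bot: the IOC table mixes address types without saying which role each plays: rows 12 to 17 are university hosts (`eercvpn.eerc.und.nodak.edu`, `ipserver.ee.ntu.edu.tw`, `mipserv.cs.nctu.edu.tw`, `econo2008.nccu.edu.tw`), rows 3 and 8 are HiNet access addresses, and all of them sit at High confidence next to hosting addresses such as rows 18 to 20. Without a role column (actor-controlled, compromised relay, victim) a consumer cannot tell a C2 node from a compromised campus VPN gateway, and a blocklist built from this table would cut off legitimate institutions; add a role or type column, or split victims out of the table.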
@ -0,0 +1,95 @@
= APT27 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt27[APT27]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt27
== Campaigns
The following campaigns are known and can be associated with the actor.
- SysUpdate
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. CN
. ES
. ...
There are 3 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|34.90.207.23|23.207.90.34.bc.googleusercontent.com|Medium
|2|34.93.247.126|126.247.93.34.bc.googleusercontent.com|Medium
|3|35.187.148.253|253.148.187.35.bc.googleusercontent.com|Medium
|4|35.220.135.85|85.135.220.35.bc.googleusercontent.com|Medium
|5|45.142.214.188|mts.ru|High
|6|47.75.49.32|-|High
|7|85.204.74.143|-|High
|8|89.35.178.105|-|High
|9|103.79.78.48|103.79.78.48.static.hostdare.com|High
|10|104.09.198.177|-|High
|11|139.59.81.253|-|High
|12|139.180.208.225|139.180.208.225.vultr.com|Medium
|13|185.12.45.134|server5.cygda.info|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1008|Algorithm Downgrade|High
|2|T1040|Authentication Bypass by Capture-replay|High
|3|T1059.007|Cross Site Scripting|High
|4|T1068|Execution with Unnecessary Privileges|High
|5|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|6|...|...|...
|========================================
There are 7 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/+CSCOE+/logon.html|High
|2|File|/cgi-bin/live_api.cgi|High
|3|File|/config/getuser|High
|4|File|/etc/shadow|Medium
|5|File|/infusions/shoutbox_panel/shoutbox_admin.php|High
|6|File|/oscommerce/admin/currencies.php|High
|7|File|/proc/pid/syscall|High
|8|File|/session/list/allActiveSession|High
|9|File|/syslog_rules|High
|10|File|/upload|Low
|11|...|...|...
|========================================
There are 186 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/
* https://vxug.fakedoma.in/archive/APTs/2021/2021.04.09/Iron%20Tiger.pdf
* https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
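Review bot: IOC row 10 (`104.09.198.177`) has a leading zero in its second octet, which is not canonical dotted-quad notation: glibc-style inet_aton parsers treat a leading 0 as octal and reject "09" outright, while more lenient parsers read it as 9, so the entry will be dropped by some consumers and matched as a different string by others. Check the source and store it as `104.9.198.177` if that is the intended address; a format check on the IP column in the generator would catch this class of error before publication.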
@ -0,0 +1,139 @@
= APT28 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt28[APT28]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt28
== Campaigns
The following campaigns are known and can be associated with the actor.
- Carberp
- Fysbis
- Global Brute Force
- ...
There are 3 more campaign items available. Please use our online service to access the data.
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. DE
. ES
. ...
There are 52 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.63.153.177|5-63-153-177.ovz.vps.regruhosting.ru|High
|2|5.100.155.82|5.100.155-82.publicdomainregistry.com|High
|3|5.100.155.91|5.100.155-91.publicdomainregistry.com|High
|4|5.135.183.154|ns3290077.ip-5-135-183.eu|High
|5|5.199.171.58|-|High
|6|23.163.0.59|naomi.rem2d.com|High
|7|23.227.196.21|23-227-196-21.static.hvvc.us|High
|8|23.227.196.215|23-227-196-215.static.hvvc.us|High
|9|23.227.196.217|23-227-196-217.static.hvvc.us|High
|10|31.184.198.23|-|High
|11|31.184.198.38|-|High
|12|31.220.43.99|-|High
|13|31.220.61.251|-|High
|14|37.235.52.18|18.52.235.37.in-addr.arpa|High
|15|45.32.129.185|45.32.129.185.vultr.com|Medium
|16|45.32.227.21|45.32.227.21.mobiltel.mx|High
|17|45.64.105.23|-|High
|18|45.124.132.127|-|High
|19|46.19.138.66|ab2.alchibasystems.in.net|High
|20|46.21.147.55|55.147.21.46.in-addr.arpa|High
|21|...|...|...
|========================================
There are 211 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1040|Authentication Bypass by Capture-replay|High
|2|T1059.007|Cross Site Scripting|High
|3|T1068|Execution with Unnecessary Privileges|High
|4|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|5|T1211|7PK Security Features|High
|6|...|...|...
|========================================
There are 10 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|.htaccess|Medium
|2|File|.procmailrc|Medium
|3|File|/$({curl|Medium
|4|File|/+CSCOE+/logon.html|High
|5|File|/.env|Low
|6|File|/.ssh/authorized_keys|High
|7|File|/.vnc/sesman_${username}_passwd|High
|8|File|/account/details.php|High
|9|File|/admin.php|Medium
|10|File|/admin/adclass.php|High
|11|...|...|...
|========================================
There are 2654 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://documents.trendmicro.com/assets/wp/wp-two-years-of-pawn-storm.pdf
* https://github.com/blackorbird/APT_REPORT/blob/master/APT28/IOC/2019-04-05-ioc-mark.txt
* https://github.com/blackorbird/APT_REPORT/blob/master/APT28/IOC/2019-04-09-ioc-mark.txt
* https://github.com/fireeye/iocs/blob/master/APT28/e1cbf7ca-4938-4d3c-a7e6-3ff966516191.ioc
* https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF
* https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF
* https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/
* https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/
* https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/2015.11.04_Evolving_Threats/cct-w08_evolving-threats-dissection-of-a-cyber-espionage-attack.pdf
* https://unit42.paloaltonetworks.com/a-look-into-fysbis-sofacys-linux-backdoor/
* https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/
* https://unit42.paloaltonetworks.com/unit42-new-sofacy-attacks-against-us-government-agency/
* https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
* https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/
* https://unit42.paloaltonetworks.com/unit42-sofacys-komplex-os-x-trojan/
* https://unit42.paloaltonetworks.com/unit42-xagentosx-sofacys-xagent-macos-tool/
* https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50
* https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
* https://www.ncsc.gov.uk/files/NCSC_APT28.pdf
* https://www.threatminer.org/report.php?q=ASongofIntelandFancy_ExploitingFancyBear%E2%80%99suseofSSLcertificate.pdf&y=2018
* https://www.threatminer.org/report.php?q=eset-sednit-part-2-ESET.pdf&y=2016
* https://www.threatminer.org/report.php?q=eset-sednit-part1-ESET.pdf&y=2016
* https://www.threatminer.org/report.php?q=FancyBearcontinuetooperatethroughphishingemailsandmuchmore_ESET.pdf&y=2017
* https://www.threatminer.org/report.php?q=OperationRussianDoll.pdf&y=2015
* https://www.threatminer.org/report.php?q=TheDeceptionProjectANewJapanese-CentricThreat-Cylance.pdf&y=2017
* https://www.threatminer.org/report.php?q=ThreatConnectandFidelisTeamUptoExploretheDCCCBreach-ThreatConnect.pdf&y=2016
* https://www.threatminer.org/report.php?q=ThreatConnectIdentifiesFANCYBEARWorldAnti-DopingAgencyBreach-ThreatConnect.pdf&y=2016
* https://www.threatminer.org/report.php?q=wp-operation-pawn-storm.pdf&y=2014
* https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/
* https://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf
* https://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf
* https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
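Review bot: IOA rows 3 and 7 (`/$({curl` and `/.vnc/sesman_${username}_passwd`) are not file paths: the first is a truncated shell command-substitution fragment and the second still contains an unexpanded `${username}` template, so neither will ever match a real filename in a File-class lookup. Both look like extractor output that was cut at a shell metacharacter; either fix the extraction so the full token survives (and reclassify it if it is a command rather than a file) or drop the rows, since a filler indicator at Medium or High confidence inflates the count without adding detection value.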
@ -0,0 +1,111 @@
= APT29 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt29[APT29]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt29
== Campaigns
The following campaigns are known and can be associated with the actor.
- COVID-19
- PowerDuke
- Wellmail
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. CN
. RU
. ...
There are 14 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.45.66.134|-|High
|2|5.199.174.164|-|High
|3|27.102.130.115|-|High
|4|31.7.63.141|game.bignamegamereviewz.com|High
|5|31.170.107.186|ohra.supplrald.com|High
|6|45.120.156.69|-|High
|7|45.123.190.167|-|High
|8|45.123.190.168|-|High
|9|45.129.229.48|-|High
|10|45.152.84.57|-|High
|11|46.19.143.69|-|High
|12|46.246.120.178|-|High
|13|50.7.192.146|-|High
|14|64.18.143.66|-|High
|15|65.15.88.243|adsl-065-015-088-243.sip.asm.bellsouth.net|High
|16|66.29.115.55|647807.ds.nac.net|High
|17|66.70.247.215|ip215.ip-66-70-247.net|High
|18|69.59.28.57|-|High
|19|79.141.168.109|-|High
|20|81.17.17.213|customer20.tamic.info|High
|21|...|...|...
|========================================
There are 77 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1211|7PK Security Features|High
|4|T1499|Resource Consumption|High
|5|T1552|Unprotected Storage of Credentials|High
|6|...|...|...
|========================================
There are 1 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|.procmailrc|Medium
|2|File|/+CSCOE+/logon.html|High
|3|File|/../../conf/template/uhttpd.json|High
|4|File|/cgi-bin/portal|High
|5|File|/CMD_ACCOUNT_ADMIN|High
|6|File|/etc/shadow|Medium
|7|File|/etc/sudoers|Medium
|8|File|/firewall/policy/|High
|9|File|/includes/plugins/mobile/scripts/login.php|High
|10|File|/notice-edit.php|High
|11|...|...|...
|========================================
There are 236 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf
* https://github.com/blackorbird/APT_REPORT/blob/master/International%20Strategic/Russia/Advisory-APT29-targets-COVID-19-vaccine-development.pdf
* https://us-cert.cisa.gov/ncas/alerts/aa21-148a
* https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c
* https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
* https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf
* https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
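Review bot: IOA row 3 (`/../../conf/template/uhttpd.json`) keeps the raw traversal prefix in a File indicator without saying whether the raw request string or the normalized path is the intended signature; a consumer that canonicalizes paths before matching will reduce it to `/conf/template/uhttpd.json` and miss the traversal, while one that matches raw strings will miss any encoded variant, so state the matching semantics for the File class or store both forms. Minor: "There are 1 more TTP items available" needs a singular branch in the generator ("There is 1 more TTP item available").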
|
|
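
Review bot: the row `|11|...|...|...` inside the IOA table is a literal data row with ID 11 and three ellipsis cells, so any consumer that parses the table will ingest it as an indicator; the sentence right below the table already states that 236 more IOA items exist online, so the placeholder row should be dropped (the same truncation row recurs in every cut-off table in this commit). Rows such as `/etc/shadow` and `/etc/sudoers` are generic system files rather than actor-specific artefacts, which the Medium confidence reflects, but a short note on how Confidence is derived would help readers weigh these against the High rows.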
@ -0,0 +1,66 @@
= APT3 - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt3[APT3]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt3

== Campaigns

The following campaigns are known and can be associated with the actor.

- CVE-2015-5119
- Doubletap
- Double Tap

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. US

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|23.99.20.198|-|High
|2|54.169.89.240|ec2-54-169-89-240.ap-southeast-1.compute.amazonaws.com|Medium
|3|104.151.248.173|173.248-151-104.rdns.scalabledns.com|High
|4|107.20.255.57|ec2-107-20-255-57.compute-1.amazonaws.com|Medium
|5|112.74.87.60|-|High
|6|137.175.4.132|-|High
|7|192.157.198.103|-|High
|8|192.184.60.229|unassigned.psychz.net|High
|9|194.44.130.179|-|High
|10|198.55.115.71|hosted-by.securefastserver.com|High
|11|210.109.99.64|-|High
|========================================

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/forum/away.php|High
|========================================

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://github.com/fireeye/iocs/blob/master/APT3/62f65dae-9475-44b0-a9eb-c1baebbd9885.ioc
* https://github.com/fireeye/iocs/blob/master/APT3/db0b6ac6-874a-498e-892b-ac7c2020e061.ioc
* https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html
* https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html
* https://www.recordedfuture.com/chinese-mss-behind-apt3/
* https://www.threatminer.org/report.php?q=APTGroupUPSTargetsUSGovernmentwithHackingTeamFlashExploit-PaloAltoNetworksBlogPaloAltoNetworksBlog.pdf&y=2015
* https://www.threatminer.org/report.php?q=OperationDoubleTap.pdf&y=2014
* https://www.threatminer.org/report.php?q=SecondAdobeFlashZero-DayCVE-2015-5122fromHackingTeamExploitedinStrategicWebCompromiseTargetingJapaneseVictims%C2%ABThreatResearchBlog_FireEyeInc.pdf&y=2015

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
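
Review bot: the Campaigns list carries both `- Doubletap` and `- Double Tap`, two spellings of the same FireEye-reported operation (the references below cite operation_doubletap.html and OperationDoubleTap.pdf), so one entry should go or the second be marked as a spelling variant, otherwise campaign counts derived from this file are off by one. The IOC introduction reads "associated network ressources"; it should be "resources", and because this sentence is the shared template it recurs in every file of this commit.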
@ -0,0 +1,27 @@
= APT30 - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt30[APT30]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt30

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.1.0.29|5-1-0-29.datagroup.ua|High
|2|112.117.9.222|-|High
|========================================

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://www.threatminer.org/report.php?q=rpt-apt30.pdf&y=2015
* https://www.threatminer.org/_reports/2015/rpt-apt30.pdf#viewer.action=download

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
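
Review bot: both references point at the same FireEye APT30 report, once through threatminer.org/report.php and once as the direct PDF under /_reports/2015/ with a `#viewer.action=download` fragment; keep one canonical link and drop the fragment, which is a viewer hint rather than part of the document's address. With only two IOC rows and no Campaigns, Countries, TTP or IOA sections, a one-line note that the profile is sparse would tell readers the omission is deliberate and not a truncated file.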
@ -0,0 +1,79 @@
= APT31 - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt31[APT31]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt31

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. FR
. US

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|105.154.12.165|-|High
|2|105.157.234.0|-|High
|3|105.159.122.85|-|High
|4|110.36.231.150|WGPON-36231-150.wateen.net|High
|5|115.31.133.26|-|High
|6|115.133.136.29|-|High
|7|119.110.222.94|static-119-110-222-94.violin.co.th|High
|8|121.121.46.10|mail.worldtech.my|High
|9|122.154.56.106|-|High
|10|125.25.204.59|node-14cb.pool-125-25.dynamic.totinternet.net|High
|11|125.31.50.150|n12531z50l150.static.ctmip.net|High
|12|141.101.253.109|-|High
|13|147.50.50.50|-|High
|14|154.181.248.88|host-154.181.88.248-static.tedata.net|High
|15|154.182.91.196|host-154.182.196.91-static.tedata.net|High
|16|156.222.101.141|host-156.222.141.101-static.tedata.net|High
|========================================

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1222|Permission Issues|High
|========================================

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/get_getnetworkconf.cgi|High
|2|File|/horde/util/go.php|High
|3|File|administrator/components/com_media/helpers/media.php|High
|4|File|comments.php|Medium
|5|File|data/gbconfiguration.dat|High
|6|File|inc/config.php|High
|7|File|item_details.php|High
|8|File|KeyHelp.ocx|Medium
|9|File|phpinfo.php|Medium
|10|File|picture.php|Medium
|11|...|...|...
|========================================

There are 12 more IOA items available. Please use our online service to access the data.

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://blogs.infoblox.com/cyber-threat-intelligence/cyber-threat-advisory-apt31-targeting-france/

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
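
Review bot: the TTP table is headed `|ID|Technique|Access Vector|Confidence` but the only row reads `|1|T1222|Permission Issues|High`, where "Permission Issues" is a weakness-class label, not an access vector and not the ATT&CK technique name behind T1222; either rename the column to what the cell actually holds or add the technique name so a reader can cross-check the ID against ATT&CK. The same header/content mismatch is present in every TTP table of this commit. Dynamic and residential reverse names in the IOC table (for example `node-14cb.pool-125-25.dynamic.totinternet.net`) are reassigned over time, so a first-seen/last-seen date would make the High confidence actionable for blocklists.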
@ -0,0 +1,106 @@
= APT32 - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt32[APT32]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt32

== Campaigns

The following campaigns are known and can be associated with the actor.

- Cobalt Kitty
- OceanLotus

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. US
. CN
. TR
. ...

There are 10 more country items available. Please use our online service to access the data.

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|23.227.196.126|23-227-196-126.static.hvvc.us|High
|2|23.227.196.210|23-227-196-210.static.hvvc.us|High
|3|23.227.199.121|23-227-199-121.static.hvvc.us|High
|4|27.102.70.211|-|High
|5|37.59.198.130|-|High
|6|37.59.198.131|-|High
|7|45.32.100.179|45.32.100.179.vultr.com|Medium
|8|45.32.105.45|45.32.105.45.vultr.com|Medium
|9|45.32.114.49|45.32.114.49.vultr.com|Medium
|10|45.76.147.201|45.76.147.201.vultr.com|Medium
|11|45.76.179.28|45.76.179.28.vultr.com|Medium
|12|45.76.179.151|45.76.179.151.vultr.com|Medium
|13|45.77.39.101|45.77.39.101.vultr.com|Medium
|14|45.114.117.137|-|High
|15|45.114.117.164|folien.reisnart.com|High
|16|64.62.174.9|unassigned9.net2.fc.aoindustries.com|High
|17|64.62.174.16|unassigned16.net2.fc.aoindustries.com|High
|18|64.62.174.17|unassigned17.net2.fc.aoindustries.com|High
|19|64.62.174.21|unassigned21.net2.fc.aoindustries.com|High
|20|64.62.174.41|unassigned41.net2.fc.aoindustries.com|High
|21|...|...|...
|========================================

There are 40 more IOC items available. Please use our online service to access the data.

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1211|7PK Security Features|High
|5|T1222|Permission Issues|High
|6|...|...|...
|========================================

There are 5 more TTP items available. Please use our online service to access the data.

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/cgi-bin/cgiServer.exx|High
|2|File|/cgi-bin/login_action.cgi|High
|3|File|/dev/sg0|Medium
|4|File|/event/runquery.do|High
|5|File|/forum/away.php|High
|6|File|/manager?action=getlogcat|High
|7|File|/password.html|High
|8|File|/system/ws/v11/ss/email)|High
|9|File|/uncpath/|Medium
|10|File|add_vhost.php|High
|11|...|...|...
|========================================

There are 177 more IOA items available. Please use our online service to access the data.

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf
* https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
* https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
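
Review bot: IOA row 8, `|8|File|/system/ws/v11/ss/email)|High`, ends in an unbalanced closing parenthesis that looks like a copy artefact from the source text; verify the indicator against its source and strip the stray character, since an exact-match rule built from this row would never fire. The Countries list ends with `. ...` as a fourth ordered-list item, which renders as a numbered entry; the "There are 10 more country items" sentence already covers the truncation, so the ellipsis item can go.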
@ -0,0 +1,110 @@
= APT33 - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt33[APT33]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt33

== Campaigns

The following campaigns are known and can be associated with the actor.

- Elfin
- PoshC2
- Powerton

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. FR
. DE
. ES
. ...

There are 18 more country items available. Please use our online service to access the data.

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.79.66.241|-|High
|2|5.79.127.177|-|High
|3|5.135.120.57|-|High
|4|5.135.199.25|-|High
|5|5.187.21.70|-|High
|6|5.187.21.71|-|High
|7|8.26.21.117|117.21.26.8.serverpronto.com|High
|8|8.26.21.119|ns1.glasscitysoftware.net|High
|9|8.26.21.120|ns2.glasscitysoftware.net|High
|10|8.26.21.220|mail2.boldinbox.com|High
|11|8.26.21.221|mail3.boldinbox.com|High
|12|8.26.21.222|mail9.servidorz.com|High
|13|8.26.21.223|mail5.boldinbox.com|High
|14|31.7.62.48|-|High
|15|37.48.105.178|-|High
|16|45.32.186.33|45.32.186.33.vultr.com|Medium
|17|45.76.32.252|45.76.32.252.vultr.com|Medium
|18|51.77.11.46|ip46.ip-51-77-11.eu|High
|19|51.254.71.223|ip223.ip-51-254-71.eu|High
|20|54.36.73.108|mail.snap-status.com|High
|21|...|...|...
|========================================

There are 55 more IOC items available. Please use our online service to access the data.

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1008|Algorithm Downgrade|High
|2|T1040|Authentication Bypass by Capture-replay|High
|3|T1059.007|Cross Site Scripting|High
|4|T1068|Execution with Unnecessary Privileges|High
|5|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|6|...|...|...
|========================================

There are 11 more TTP items available. Please use our online service to access the data.

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|$SPLUNK_HOME/etc/splunk-launch.conf|High
|2|File|%PROGRAMDATA%\1E\Client|High
|3|File|%PROGRAMDATA%\ASUS\GamingCenterLib|High
|4|File|%PROGRAMDATA%\WrData\PKG|High
|5|File|%PROGRAMFILES(X86)%/Aternity Information Systems/Assistant/plugins|High
|6|File|.folder|Low
|7|File|.forward|Medium
|8|File|.git/hooks/post-update|High
|9|File|.gitlab-ci.yml|High
|10|File|.htaccess|Medium
|11|...|...|...
|========================================

There are 4712 more IOA items available. Please use our online service to access the data.

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/poshc2_apt_33.md
* https://securelist.com/twas-the-night-before/91599/
* https://securityaffairs.co/wordpress/93845/apt/apt33-vpn-networks.html
* https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/elfin-apt33-espionage
* https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
* https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
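
Review bot: the References list contains the Symantec Elfin article twice, once under symantec-enterprise-blogs.security.com and once under www.symantec.com, with the same path `/blogs/threat-intelligence/elfin-apt33-espionage`; keep one. The IOA table mixes Windows paths (`%PROGRAMDATA%\1E\Client`), Unix dotfiles (`.forward`, `.htaccess`) and a Splunk path (`$SPLUNK_HOME/etc/splunk-launch.conf`), with 4712 more items online; a platform or product column would let a defender select the rows that apply to a given host instead of matching all of them everywhere. The IOC rows 7 to 13 are consecutive addresses in 8.26.21.0/24 with mail and DNS hostnames; if they share one provider block, a CIDR note would be more durable than the individual entries.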
@ -0,0 +1,104 @@
= APT34 - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt34[APT34]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt34

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. US
. IR
. DE
. ...

There are 19 more country items available. Please use our online service to access the data.

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|23.19.226.69|-|High
|2|23.106.215.76|-|High
|3|23.227.201.6|23-227-201-6.static.hvvc.us|High
|4|38.132.124.153|-|High
|5|46.4.69.52|static.52.69.4.46.clients.your-server.de|High
|6|46.105.221.247|-|High
|7|46.105.251.42|ip42.ip-46-105-251.eu|High
|8|46.165.246.196|-|High
|9|70.36.107.34|-|High
|10|74.91.19.108|-|High
|11|74.91.19.122|-|High
|12|80.82.79.221|-|High
|13|80.82.79.240|-|High
|14|81.17.56.249|-|High
|15|82.102.14.216|h82-102-14-216.host.redstation.co.uk|High
|16|82.102.14.219|h82-102-14-219.host.redstation.co.uk|High
|17|82.102.14.222|h82-102-14-222.host.redstation.co.uk|High
|18|82.102.14.246|h82-102-14-246.host.redstation.co.uk|High
|19|83.142.230.138|-|High
|20|88.99.246.174|static.174.246.99.88.clients.your-server.de|High
|21|...|...|...
|========================================

There are 52 more IOC items available. Please use our online service to access the data.

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1211|7PK Security Features|High
|5|T1222|Permission Issues|High
|6|...|...|...
|========================================

There are 5 more TTP items available. Please use our online service to access the data.

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/admin/index.php|High
|2|File|/bdswebui/assignusers/|High
|3|File|/bin/goahead|Medium
|4|File|/cgi-bin/luci|High
|5|File|/cgi-bin/supervisor/PwdGrp.cgi|High
|6|File|/dev/dri/card1|High
|7|File|/etc/fstab|Medium
|8|File|/forum/away.php|High
|9|File|/getcfg.php|Medium
|10|File|/GetCSSashx/?CP=%2fwebconfig|High
|11|...|...|...
|========================================

There are 374 more IOA items available. Please use our online service to access the data.

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://github.com/blackorbird/APT_REPORT/tree/master/APT34
* https://unit42.paloaltonetworks.com/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/
* https://unit42.paloaltonetworks.com/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/
* https://unit42.paloaltonetworks.com/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/
* https://unit42.paloaltonetworks.com/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/
* https://www.clearskysec.com/oilrig/
* https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html
* https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
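
Review bot: five of the eight references are titled after OilRig (the unit42 and clearskysec links) while the document body names only APT34 and has no Campaigns section, so a reader arriving from those sources cannot confirm they are on the right actor; add the alias, as the other files in this commit do through their Campaigns list. IOA row 10, `/GetCSSashx/?CP=%2fwebconfig`, keeps percent-encoding for the slash while every other row uses literal slashes; normalise to one form so that a matcher built from the table behaves consistently.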
@ -0,0 +1,104 @@
= APT36 - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt36[APT36]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt36

== Campaigns

The following campaigns are known and can be associated with the actor.

- C-Major

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. US
. NL
. RU
. ...

There are 12 more country items available. Please use our online service to access the data.

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.189.137.8|vending.softjourn.if.ua|High
|2|5.189.143.225|-|High
|3|5.189.152.147|ccloud.armax.de|High
|4|5.189.167.23|mltx.de|High
|5|5.189.167.65|vmi437585.contaboserver.net|High
|6|23.254.119.11|-|High
|7|64.188.12.126|64.188.12.126.static.quadranet.com|High
|8|64.188.25.232|64.188.25.232.static.quadranet.com|High
|9|75.98.175.79|a2s83.a2hosting.com|High
|10|75.119.139.169|server1.immacolata.com|High
|11|80.240.134.51|-|High
|12|82.196.13.94|-|High
|13|95.85.43.35|-|High
|14|95.168.176.141|-|High
|15|107.175.64.209|107-175-64-209-host.colocrossing.com|High
|16|107.175.64.251|107-175-64-251-host.colocrossing.com|High
|17|151.106.14.125|-|High
|18|151.106.19.218|-|High
|19|151.106.56.32|-|High
|20|162.218.122.126|162.218.122.126.static.quadranet.com|High
|21|...|...|...
|========================================

There are 37 more IOC items available. Please use our online service to access the data.

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1211|7PK Security Features|High
|5|T1222|Permission Issues|High
|6|...|...|...
|========================================

There are 4 more TTP items available. Please use our online service to access the data.

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/etc/sudoers|Medium
|2|File|/forum/away.php|High
|3|File|/inc/HTTPClient.php|High
|4|File|/out.php|Medium
|5|File|/service/upload|High
|6|File|/uncpath/|Medium
|7|File|adclick.php|Medium
|8|File|add_comment.php|High
|9|File|admin/system_manage/save.html|High
|10|File|admin/sysUser/save.do?callbackType=closeCurrent&navTabId=sysUser/list|High
|11|...|...|...
|========================================

There are 232 more IOA items available. Please use our online service to access the data.

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://vxug.fakedoma.in/archive/APTs/2021/2021.05.13/Transparent%20Tribe.pdf
* https://www.threatminer.org/report.php?q=indian-military-personnel-targeted-by-information-theft-campaign-cmajor.pdf&y=2016

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
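
Review bot: the first reference is a third-party mirror (vxug.fakedoma.in/archive/...) of a report on Transparent Tribe; cite the publisher's own URL where one exists, since a mirrored PDF carries no provenance and can change or vanish without notice. Transparent Tribe is the name the referenced report uses for this actor, yet it appears nowhere in the body; list it next to C-Major so the document and its sources agree. Rows 5, 7, 8, 15, 16 and 20 of the IOC table resolve to generic hosting reverse names (contaboserver.net, quadranet.com, a2hosting.com, colocrossing.com); a note that these are shared-hosting ranges would help readers avoid over-blocking.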
@ -0,0 +1,76 @@
|
|||
= APT37 - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt37[APT37]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt37
|
||||
|
||||
== Campaigns
|
||||
|
||||
The following campaigns are known and can be associated with the actor.
|
||||
|
||||
- Daybreak
|
||||
- Scarcruft
|
||||
|
||||
== Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
|
||||
|
||||
. US
|
||||
. PL
|
||||
. RU
|
||||
. ...
|
||||
|
||||
There are 1 more country items available. Please use our online service to access the data.
|
||||
|
||||
== IOC - Indicator of Compromise
|
||||
|
||||
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
|
||||
|
||||
[options="header"]
|
||||
|========================================
|ID|IP address|Hostname|Confidence
|1|34.13.42.35|-|High
|2|120.192.73.202|-|High
|3|180.182.52.76|-|High
|4|212.7.217.10|212-7-217-10.lukman.pl|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1600|Cryptographic Issues|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|examples/openid.php|High
|2|File|FormDisplay.php|High
|3|File|includes/startup.php|High
|4|File|libraries/Header.php|High
|5|File|wp-includes/class-wp-query.php|High
|6|Argument|name|Low
|7|Argument|Password|Medium
|8|Argument|STARTTLS|Medium
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://securelist.com/operation-daybreak/75100/
* https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
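Review bot: the "Access Vector" column of the TTP table pairs ATT&CK IDs with labels that are not the ATT&CK technique names: T1059.007 is Command and Scripting Interpreter: JavaScript, T1068 is Exploitation for Privilege Escalation and T1600 is Weaken Encryption, while "Cross Site Scripting", "Execution with Unnecessary Privileges" and "Cryptographic Issues" read as CWE-style weakness classes. Either rename the column to say what the mapping is (weakness class inferred by the model) or add the ATT&CK name beside it, otherwise a reader imports the wrong label into an ATT&CK layer. Minor: the IOA rows list generic web-application paths (`wp-includes/class-wp-query.php`, `libraries/Header.php`) at High confidence although the section text says they come from the predictive model, so the confidence should mark them as predicted rather than observed; and "There are 1 more country items" should read "There is 1 more country item".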
@ -0,0 +1,72 @@
= APT38 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt38[APT38]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt38
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. KR
. CN
. ...
There are 1 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|175.45.176.|-|High
|2|175.45.177.|-|High
|3|175.45.178.|-|High
|4|175.45.179.|-|High
|5|210.52.109.|-|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1068|Execution with Unnecessary Privileges|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|json-stringifier.h|High
|2|File|mm/memory.c|Medium
|3|File|\\.\pipe\WPSCloudSvr\WpsCloudSvr|High
|4|Library|DNSAPI.dll|Medium
|5|Library|kso.dll|Low
|6|Library|mshtml.dll|Medium
|7|Library|system/libraries/Email.php|High
|8|Argument|content|Low
|9|Argument|email->from|Medium
|10|Argument|location.href|High
|11|...|...|...
|========================================
There are 5 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://content.fireeye.com/apt/rpt-apt38
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
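Review bot: IOC rows 1 to 5 are not IP addresses: `175.45.176.`, `175.45.177.`, `175.45.178.`, `175.45.179.` and `210.52.109.` end in a trailing dot with the last octet missing. If these are meant as /24 networks, write them in CIDR form (`175.45.176.0/24`) or give them a network/prefix class; as written they fail any IP parser and are silently dropped by a blocklist import, and the High confidence hides that. The single TTP row maps T1068 to "Execution with Unnecessary Privileges", which is not the ATT&CK name (Exploitation for Privilege Escalation); the column is labelled "Access Vector" and should say what taxonomy it actually carries.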
@ -0,0 +1,99 @@
= APT39 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt39[APT39]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt39
== Campaigns
The following campaigns are known and can be associated with the actor.
- Chafer
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. RU
. GB
. ...
There are 15 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|83.142.230.113|-|High
|2|86.105.227.224|-|High
|3|87.117.204.113|-|High
|4|87.117.204.115|-|High
|5|89.38.97.112|-|High
|6|89.38.97.115 |-|High
|7|91.218.114.204|-|High
|8|91.218.114.225|-|High
|9|92.243.95.203|203.95.243.92.cust-fiber.enegan.it|High
|10|94.100.21.213|94-100-21-213.static.hvvc.us|High
|11|107.191.62.45|107.191.62.45.vultr.com|Medium
|12|108.61.189.174|108.61.189.174.vultr.com|Medium
|13|134.119.217.84|-|High
|14|134.119.217.87|-|High
|15|148.251.197.113|n38-05.vpsnow.ru|High
|16|185.22.172.40|mx2.privacyrequired.link|High
|17|185.177.59.70|-|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1211|7PK Security Features|High
|4|T1499|Resource Consumption|High
|5|T1552|Unprotected Storage of Credentials|High
|6|...|...|...
|========================================
There are 1 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|//etc/RT2870STA.dat|High
|2|File|/cwp_{SESSION_HASH}/admin/loader_ajax.php|High
|3|File|/magnoliaPublic/travel/members/login.html|High
|4|File|/Main_AdmStatus_Content.asp|High
|5|File|/uncpath/|Medium
|6|File|/var/log/nginx|High
|7|File|admin/index.php|High
|8|File|advertiser.php|High
|9|File|akocomments.php|High
|10|File|al_initialize.php|High
|11|...|...|...
|========================================
There are 49 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://securelist.com/chafer-used-remexi-malware/89538/
* https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions
* https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
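Review bot: IOC row 6 has trailing whitespace inside the address cell (`|6|89.38.97.115 |-|High`), so any consumer that splits the table on `|` and compares exactly will miss this indicator; trim it. Confidence is also applied inconsistently to hosting rDNS: rows 11 and 12 (`*.vultr.com`) are Medium, but row 10 (`94-100-21-213.static.hvvc.us`) and row 15 (`n38-05.vpsnow.ru`) are equally generic provider PTRs and rated High; either state the rule that lowers confidence for cloud/VPS reverse names or apply it to all of them. The TTP table uses CWE-category wording for ATT&CK IDs (T1211 is Exploitation for Defense Evasion, not "7PK Security Features"; T1552 is Unsecured Credentials), so the "Access Vector" heading misdescribes the column.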
@ -0,0 +1,112 @@
= APT41 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt41[APT41]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt41
== Campaigns
The following campaigns are known and can be associated with the actor.
- CVE-2019-19781
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. CN
. TR
. ...
There are 7 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|43.255.191.255|-|High
|2|45.76.6.149|45.76.6.149.vultr.com|Medium
|3|45.76.75.219|45.76.75.219.vultr.com|Medium
|4|45.138.157.78|vpnru07.12.21.example.com|High
|5|61.78.62.21|-|High
|6|61.195.98.245|h61-195-98-245.ablenetvps.ne.jp|High
|7|66.42.48.186|66.42.48.186.vultr.com|Medium
|8|66.42.98.220|66.42.98.220.vultr.com|Medium
|9|66.42.103.222|66.42.103.222.vultr.com|Medium
|10|66.42.107.133|66.42.107.133.vultr.com|Medium
|11|66.98.126.203|66.98.126.203.16clouds.com|High
|12|67.198.161.250|67.198.161.250.CUSTOMER.KRYPT.COM|High
|13|67.198.161.251|67.198.161.251.CUSTOMER.KRYPT.COM|High
|14|67.198.161.252|67.198.161.252.CUSTOMER.KRYPT.COM|High
|15|74.82.201.8|74.82.201.8.16clouds.com|High
|16|91.208.184.78|wk-azure.biz|High
|17|103.19.3.21|-|High
|18|103.19.3.109|-|High
|19|103.79.76.205|103.79.76.205.static.hostdare.com|High
|20|103.224.83.95|-|High
|21|...|...|...
|========================================
There are 31 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1211|7PK Security Features|High
|4|T1222|Permission Issues|High
|5|T1499|Resource Consumption|High
|6|...|...|...
|========================================
There are 3 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/etc/config/rpcd|High
|2|File|/forum/away.php|High
|3|File|/get_getnetworkconf.cgi|High
|4|File|/lists/admin/|High
|5|File|/login.cgi?logout=1|High
|6|File|/public/login.htm|High
|7|File|/tmp/app/.env|High
|8|File|/wp-admin/admin-ajax.php|High
|9|File|/_next|Low
|10|File|addentry.php|Medium
|11|...|...|...
|========================================
There are 98 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://app.box.com/s/qtqlwejty7xz8wj8osz98webycgo5j9x
* https://github.com/eset/malware-ioc/tree/master/winnti_group
* https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf
* https://vxug.fakedoma.in/archive/APTs/2021/2021.01.14/APT%2041.pdf
* https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
* https://www.threatminer.org/report.php?q=OfPigsandMalwareExaminingaPossibleMemberoftheWinntiGroup-TrendMicro.pdf&y=2017
* https://www.threatminer.org/report.php?q=WinntiAbusesGitHubforC&CCommunications-TrendMicro.pdf&y=2017
* https://www.threatminer.org/report.php?q=WinntiEvolution-GoingOpenSource-Protectwise.pdf&y=2017
* https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/
* https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
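Review bot: IOC row 4 gives the hostname `vpnru07.12.21.example.com` for 45.138.157.78; example.com is an IANA-reserved documentation domain, so this is a placeholder or bogus PTR record and should not ship as a hostname indicator (set it to `-` or flag it as an unverified reverse name). The Campaigns list names the campaign `CVE-2019-19781`; that is a vulnerability identifier, not a campaign, and the page gives no description, so label it as the exploited CVE or give the campaign a name. The reference `https://app.box.com/s/qtqlwejty7xz8wj8osz98webycgo5j9x` is an opaque file-share link with no title or publisher; add both so the citation survives if the share is removed. The TTP "Access Vector" labels again are CWE-style titles rather than ATT&CK names (T1222 is File and Directory Permissions Modification, T1499 is Endpoint Denial of Service).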
@ -0,0 +1,72 @@
= ActionRAT - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.actionrat[ActionRAT]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.actionrat
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. DE
. CA
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|144.91.65.100|vmi652772.contaboserver.net|High
|2|144.91.91.236|vmi512038.contaboserver.net|High
|3|149.248.52.61|149.248.52.61.vultr.com|Medium
|4|173.212.224.110|vmi587275.contaboserver.net|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1499|Resource Consumption|High
|4|T1587.003|Improper Certificate Validation|High
|5|T1600|Cryptographic Issues|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/wordpress/wp-admin/admin.php|High
|2|File|admin/index.php|High
|3|File|books.php|Medium
|4|File|data/gbconfiguration.dat|High
|5|File|filter.php|Medium
|6|File|guestbook.cgi|High
|7|File|inc/config.php|High
|8|File|lib/krb5/asn.1/asn1_encode.c|High
|9|File|login.php|Medium
|10|File|mdeploy.php|Medium
|11|...|...|...
|========================================
There are 23 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
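Review bot: three of the four IOC rows (144.91.65.100 `vmi652772.contaboserver.net`, 144.91.91.236 `vmi512038.contaboserver.net`, 173.212.224.110 `vmi587275.contaboserver.net`) are repeated verbatim in the Allakore page added later in this commit, the IOA lists overlap heavily (`/wordpress/wp-admin/admin.php`, `admin/index.php`, `data/gbconfiguration.dat`, `lib/krb5/asn.1/asn1_encode.c`, `mdeploy.php`), and both pages cite the same Talos `Network_IOCs_list_for_coverage.txt`. That file appears to be a combined coverage list for one report rather than a per-family list, so either attribute the shared indicators to the campaign that links the two families or deduplicate them with a cross-reference; otherwise a consumer merging the two pages double-counts them. The reference URL also carries a cache-busting query string (`?1625657479`) that can be dropped. The TTP row `T1587.003|Improper Certificate Validation` pairs Develop Capabilities: Digital Certificates with the CWE-295 title; these describe different things and should not share a row.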
@ -0,0 +1,26 @@
= Adrozek - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.adrozek[Adrozek]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.adrozek
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|104.21.70.96|-|High
|2|172.67.222.123|-|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
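Review bot: both IOCs (104.21.70.96 and 172.67.222.123) fall inside Cloudflare's anycast ranges (104.16.0.0/13 and 172.64.0.0/13) and the Hostname column is `-`, so they identify Cloudflare's edge rather than the actor's infrastructure; a large number of unrelated sites resolve to the same addresses and blocking them is disruptive. Keep the domain (or TLS SNI) that resolved to these addresses as the indicator and mark the IPs as CDN/proxy, or at least lower the confidence from High. The cited Talos threat roundup is a weekly multi-family digest, so the page should say which entry in it the indicators were taken from.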
@ -0,0 +1,97 @@
= Adwind - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.adwind[Adwind]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.adwind
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. CO
. RU
. ...
There are 13 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|2.5.29.14|-|High
|2|5.79.79.67|-|High
|3|5.79.79.70|storage205.ntesrv.com|High
|4|5.187.34.231|231.34.187.5.in-addr.arpa.dynamic.gestiondeservidor.com|High
|5|5.254.112.21|-|High
|6|5.254.112.24|-|High
|7|5.254.112.36|-|High
|8|5.254.112.56|-|High
|9|5.254.112.60|-|High
|10|8.15.0.59|-|High
|11|14.3.210.2|ae210002.dynamic.ppp.asahi-net.or.jp|High
|12|23.227.196.198|23-227-196-198.static.hvvc.us|High
|13|23.227.199.72|23-227-199-72.static.hvvc.us|High
|14|23.227.199.118|23-227-199-118.static.hvvc.us|High
|15|23.227.199.121|23-227-199-121.static.hvvc.us|High
|16|23.231.23.182|-|High
|17|31.31.196.31|server31.hosting.reg.ru|High
|18|31.171.155.72|-|High
|19|37.61.235.30|-|High
|20|46.20.33.76|-|High
|21|...|...|...
|========================================
There are 106 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1211|7PK Security Features|High
|5|T1222|Permission Issues|High
|6|...|...|...
|========================================
There are 7 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|%windir%\Internet Logs\|High
|2|File|/admin/link.php?action=addlink|High
|3|File|/ajax/GetInheritedProperties|High
|4|File|/anony/mjpg.cgi|High
|5|File|/browse.PROJECTKEY|High
|6|File|/data/admin/#/app/config/|High
|7|File|/etc/group|Medium
|8|File|/forum/away.php|High
|9|File|/info.xml|Medium
|10|File|/knowage/restful-services/signup/update|High
|11|...|...|...
|========================================
There are 247 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/report.php?q=KL_AdwindPublicReport_2016.pdf&y=2016
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
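Review bot: IOC row 1 `2.5.29.14` is not an IP address; it is the X.509 OID of the subjectKeyIdentifier extension (id-ce 14), the classic false positive produced when IPv4 addresses are regex-extracted from certificate dumps or PDF reports. Remove the row and add a sanity filter to the extractor so that dotted sequences that are OIDs or version strings are not accepted as addresses. Row 4 (`231.34.187.5.in-addr.arpa.dynamic.gestiondeservidor.com`) and row 11 (`ae210002.dynamic.ppp.asahi-net.or.jp`) are dynamic-pool PTRs that age out quickly; High confidence without a first-seen/last-seen date is hard to act on. The TTP "Access Vector" labels are CWE-style titles rather than ATT&CK names (T1110.001 is Brute Force: Password Guessing), the same column issue as the other pages in this commit.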
@ -0,0 +1,86 @@
= Agrius - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.agrius[Agrius]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.agrius
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. RU
. IR
. ...
There are 8 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.2.67.85|mail.astrilll.com|High
|2|5.2.73.67|-|High
|3|37.59.236.232|37.59.236.232.rdns.hasaserver.com|High
|4|37.120.238.15|-|High
|5|54.37.99.4|ip4.ip-54-37-99.eu|High
|6|81.177.22.16|-|High
|7|81.177.23.16|-|High
|8|95.211.140.221|-|High
|9|185.142.97.81|altvpn.mgn-host.ru|High
|10|185.142.98.32|free.mgnhost.com|High
|11|185.147.131.81|-|High
|12|195.123.208.152|unallocated.layer6.net|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1211|7PK Security Features|High
|4|T1222|Permission Issues|High
|5|T1499|Resource Consumption|High
|6|...|...|...
|========================================
There are 2 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/cgi-bin/kerbynet|High
|2|File|/opt/IBM/es/lib/libffq.cryptionjni.so|High
|3|File|/plugins/Dashboard/Controller.php|High
|4|File|/storage/app/media/evil.svg|High
|5|File|/uncpath/|Medium
|6|File|admin.asp|Medium
|7|File|admin.php|Medium
|8|File|admin/admin_users.php|High
|9|File|app/Controller/GalaxyElementsController.php|High
|10|File|Application/Common/Controller/BaseController.class.php|High
|11|...|...|...
|========================================
There are 62 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://github.com/blackorbird/APT_REPORT/blob/master/Agrius/evol-agrius.pdf
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
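Review bot: IOC row 12 carries the PTR `unallocated.layer6.net` for 195.123.208.152; that reverse name is the hoster's placeholder for an address with no customer record, not an actor artefact, so it should be `-` and the address itself should be re-verified since it may have been reassigned. Row 1 `mail.astrilll.com` (triple "l") looks like a typosquat of a legitimate brand; say so in the page, because a reader may otherwise treat the traffic as benign. In the IOA table, `/storage/app/media/evil.svg` reads as a proof-of-concept filename from a vulnerability disclosure rather than something observed in an intrusion; the section text says these rows are model-predicted, so High confidence overstates them. Same ATT&CK labelling issue in the TTP table (T1211, T1222 and T1499 are Exploitation for Defense Evasion, File and Directory Permissions Modification and Endpoint Denial of Service, not the CWE-style titles shown).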
@ -0,0 +1,75 @@
= Allakore - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.allakore[Allakore]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.allakore
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. DE
. CA
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|144.91.65.100|vmi652772.contaboserver.net|High
|2|144.91.91.236|vmi512038.contaboserver.net|High
|3|161.97.142.96|vmi661694.contaboserver.net|High
|4|164.68.104.126|vmd76303.contaboserver.net|High
|5|167.86.83.29|vmi655047.contaboserver.net|High
|6|173.212.224.110|vmi587275.contaboserver.net|High
|
||||
|7|173.249.50.230|vmi626137.contaboserver.net|High
|
||||
|========================================
|
||||
|
||||
== TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
[options="header"]
|
||||
|========================================
|
||||
|ID|Technique|Access Vector|Confidence
|
||||
|1|T1059.007|Cross Site Scripting|High
|
||||
|2|T1068|Execution with Unnecessary Privileges|High
|
||||
|3|T1499|Resource Consumption|High
|
||||
|4|T1587.003|Improper Certificate Validation|High
|
||||
|5|T1600|Cryptographic Issues|High
|
||||
|========================================
|
||||
|
||||
== IOA - Indicator of Attack
|
||||
|
||||
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
[options="header"]
|
||||
|========================================
|
||||
|ID|Class|Indicator|Confidence
|
||||
|1|File|/wordpress/wp-admin/admin.php|High
|
||||
|2|File|admin/index.php|High
|
||||
|3|File|data/gbconfiguration.dat|High
|
||||
|4|File|filter.php|Medium
|
||||
|5|File|inc/config.php|High
|
||||
|6|File|item_show.php|High
|
||||
|7|File|lib/krb5/asn.1/asn1_encode.c|High
|
||||
|8|File|login.php|Medium
|
||||
|9|File|mdeploy.php|Medium
|
||||
|10|File|multipart/form-data|High
|
||||
|11|...|...|...
|
||||
|========================================
|
||||
|
||||
There are 20 more IOA items available. Please use our online service to access the data.
|
||||
|
||||
== References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities.
|
||||
|
||||
* https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479
|
||||
|
||||
== License
|
||||
|
||||
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
|
|
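Review bot: the TTP table mislabels its ATT&CK IDs. T1059.007 is Command and Scripting Interpreter: JavaScript, not "Cross Site Scripting"; T1068 is Exploitation for Privilege Escalation, not "Execution with Unnecessary Privileges" (that is CWE-250); T1499 is Endpoint Denial of Service; T1587.003 is Develop Capabilities: Digital Certificates, not "Improper Certificate Validation" (CWE-295); T1600 is Weaken Encryption, not "Cryptographic Issues" (CWE-310). The "Access Vector" column is holding CWE category names beside ATT&CK technique IDs; either rename the column to say it carries the weakness class the model mapped from, or fill it with the real technique names, otherwise consumers will import wrong mappings. Two further points on the same file: all seven IOC hostnames are Contabo's auto-generated reverse DNS for rented VPS (vmi652772.contaboserver.net and siblings), which identifies the hosting provider and not the actor, so the rows need first-seen/last-seen dates before "High" is justified; and the IOA list mixes request paths with entries that are not web fragments at all (lib/krb5/asn.1/asn1_encode.c is a source file in MIT Kerberos, multipart/form-data is a MIME type). "ressources" in the IOC intro sentence is a typo that recurs in every file of this commit, so fix it in the generator template rather than per file.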
@ -0,0 +1,67 @@
= Amnesia - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.amnesia[Amnesia]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.amnesia

== Campaigns

The following campaigns are known and can be associated with the actor.

- TVT Digital DVR Devices

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. US
. IN
. NL
. ...

There are 3 more country items available. Please use our online service to access the data.

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|93.174.95.38|-|High
|========================================

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1068|Execution with Unnecessary Privileges|High
|========================================

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/api/addusers|High
|2|File|/home/httpd/cgi-bin/cgi.cgi|High
|3|File|/public/login.htm|High
|4|File|forumrunner/includes/moderation.php|High
|5|Argument|Password|Medium
|6|Argument|postids|Low
|========================================

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
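Review bot: the IOA table mixes indicators from unrelated software. The cited Unit 42 post is about an IoT/Linux botnet targeting DVRs, which fits /home/httpd/cgi-bin/cgi.cgi and /public/login.htm, but forumrunner/includes/moderation.php with the postids argument is a vBulletin Forumrunner path that has nothing to do with DVR firmware. If the predictive model emitted it, mark it as predicted rather than observed or drop it; as written a consumer cannot separate observed paths from inferred ones, and the intro sentence says nothing about which is which. The single IOC 93.174.95.38 has no hostname and no observation date, and half of the countries list (3 of 6) is withheld behind the online service, which is thin support for a "High" row. T1068 is Exploitation for Privilege Escalation; "Execution with Unnecessary Privileges" is the CWE-250 name, same column problem as in the Allakore file.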
@ -0,0 +1,76 @@
= Arid Viper - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.arid_viper[Arid Viper]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.arid_viper

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. US
. DE
. PL
. ...

There are 1 more country items available. Please use our online service to access the data.

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|54.255.143.112|ec2-54-255-143-112.ap-southeast-1.compute.amazonaws.com|Medium
|2|173.236.89.19|19.89.236.173.unassigned.ord.singlehop.net|High
|3|188.40.75.132|static.132.75.40.188.clients.your-server.de|High
|4|188.40.81.136|francisco.eox.at|High
|5|192.254.132.26|pst.pstcmedia.com|High
|6|195.154.133.228|195-154-133-228.rev.poneytelecom.eu|High
|7|195.154.252.2|hostd4.ahcorporation.com|High
|========================================

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|========================================

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|addguest.cgi|Medium
|2|File|add_comment.php|High
|3|File|admin/index.php|High
|4|File|data/gbconfiguration.dat|High
|5|File|e2_header.inc.php|High
|6|File|email.php|Medium
|7|File|Forms/tools_admin_1|High
|8|File|ftpcmd.c|Medium
|9|File|gb.cgi|Low
|10|File|inc/config.php|High
|11|...|...|...
|========================================

There are 19 more IOA items available. Please use our online service to access the data.

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://www.threatminer.org/report.php?q=operation-arid-viper-whitepaper-en.pdf&y=2015
* https://www.threatminer.org/report.php?q=OperationAridViperSlithersBackintoView_Proofpoint.pdf&y=2015

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
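Review bot: the IOC confidence levels contradict the hostnames. Row 2 resolves to 19.89.236.173.unassigned.ord.singlehop.net, an address the provider itself labels unassigned, yet it is rated High, while row 1 is a dynamically reassigned EC2 address (ec2-54-255-143-112.ap-southeast-1.compute.amazonaws.com). Both references are 2015 reports, so every address here is about six years old at the time of this commit; add first/last-seen dates or a historical flag, otherwise a blocklist built from this table hits whoever holds the addresses today. The countries block lists US, DE and PL, which are the hosting locations of the infrastructure above, not the actor's location, and the intro sentence should say that. The TTP table repeats the mislabelled ATT&CK names from the Allakore file (T1059.007 is JavaScript, T1068 is Exploitation for Privilege Escalation).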
@ -0,0 +1,65 @@
= Armor Piercer - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.armor_piercer[Armor Piercer]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.armor_piercer

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. US
. CN
. IT

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.252.179.221|5-252-179-221.mivocloud.com|High
|2|45.79.81.88|li1180-88.members.linode.com|High
|3|64.188.13.46|64.188.13.46.static.quadranet.com|High
|4|66.154.103.106|66.154.103.106.static.quadranet.com|High
|5|66.154.112.212|66.154.112.212.static.quadranet.com|High
|========================================

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|========================================

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|category.cfm|Medium
|2|File|itemlookup.asp|High
|3|File|mat5.c|Low
|4|File|phddns.lua|Medium
|5|File|register.php|Medium
|6|Argument|cat|Low
|7|Argument|new-interface|High
|8|Argument|PATH_INFO|Medium
|========================================

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://blog.talosintelligence.com/2021/09/operation-armor-piercer.html

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
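Review bot: the IOA list contains entries that cannot serve as the "fragments used for technical activities" the intro describes: mat5.c is a C source file name and PATH_INFO is a CGI environment variable, neither of which is a request path or parameter an IDS could match on. Either restrict the IOA class "File" to paths that appear in requests or add a class that says "source file" so consumers can filter. On the IOC side, rows 3 to 5 are QuadraNet static addresses and rows 1 and 2 are MivoCloud and Linode VPS; the hostnames are provider reverse DNS and carry no actor linkage, so record the date the referenced Talos post (September 2021) observed them. The TTP column has the same CWE-for-ATT&CK mislabelling noted on the Allakore file.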
@ -0,0 +1,57 @@
= Astro Locker - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.astro_locker[Astro Locker]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.astro_locker

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. US
. CN

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|45.134.21.8|-|High
|2|46.21.153.135|135.153.21.46.static.swiftway.net|High
|3|139.60.161.68|-|High
|4|185.38.185.87|-|High
|========================================

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/htmlcode/html/indexdefault.asp|High
|2|File|ajax_admin_apis.php|High
|3|File|ajax_php_pecl.php|High
|4|File|books.php|Medium
|5|File|category.cfm|Medium
|6|Argument|bookid|Low
|7|Argument|cat|Low
|8|Argument|employee_id|Medium
|9|Argument|line|Low
|10|Argument|phpversion|Medium
|11|...|...|...
|========================================

There are 4 more IOA items available. Please use our online service to access the data.

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://github.com/sophoslabs/IoCs/blob/master/Ransomware-AstroLocker.csv

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
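Review bot: this file has no TTP section while every other new file in the commit has one, so nothing ties the IOA entries to a technique; emit an empty table or a sentence saying no techniques were predicted, otherwise readers will assume the section was lost. The IOA arguments bookid, cat and line are rated Low and are generic parameter names found in countless applications; if this file is fed into a detection pipeline they produce nothing but noise, so consider excluding rows below Medium from the export. Three of the four IOC rows have no hostname, and nothing records whether "High" means the address came from the referenced Sophos CSV or was inferred; a source column per row would settle that.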
@ -0,0 +1,96 @@
= Autoit - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.autoit[Autoit]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.autoit

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. DE
. US
. ES

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|8.248.165.254|-|High
|2|8.249.217.254|-|High
|3|8.253.131.121|-|High
|4|13.56.128.67|ec2-13-56-128-67.us-west-1.compute.amazonaws.com|Medium
|5|23.3.13.88|a23-3-13-88.deploy.static.akamaitechnologies.com|High
|6|23.3.13.154|a23-3-13-154.deploy.static.akamaitechnologies.com|High
|7|23.63.245.19|a23-63-245-19.deploy.static.akamaitechnologies.com|High
|8|23.63.245.50|a23-63-245-50.deploy.static.akamaitechnologies.com|High
|9|23.199.71.136|a23-199-71-136.deploy.static.akamaitechnologies.com|High
|10|35.205.61.67|67.61.205.35.bc.googleusercontent.com|Medium
|11|72.21.81.240|-|High
|12|104.18.6.156|-|High
|13|104.18.7.156|-|High
|14|104.21.9.139|-|High
|15|104.21.19.200|-|High
|16|104.26.12.247|-|High
|17|104.26.13.247|-|High
|18|120.136.10.20|sv519.xserver.jp|High
|19|132.226.8.169|-|High
|20|144.76.201.136|static.136.201.76.144.clients.your-server.de|High
|21|...|...|...
|========================================

There are 10 more IOC items available. Please use our online service to access the data.

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1222|Permission Issues|High
|5|T1499|Resource Consumption|High
|6|...|...|...
|========================================

There are 5 more TTP items available. Please use our online service to access the data.

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/appLms/ajax.server.php|High
|2|File|/apps/|Low
|3|File|/onlineordering/GPST/store/initiateorder.php|High
|4|File|/rup|Low
|5|File|/var/hnap/timestamp|High
|6|File|admin.php|Medium
|7|File|admin/admin_login.php|High
|8|File|api/external.php?object=centreon_metric&action=listByService|High
|9|File|app\contacts\contact_edit.php|High
|10|File|audio_acdb.c|Medium
|11|...|...|...
|========================================

There are 91 more IOA items available. Please use our online service to access the data.

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html
* https://blog.talosintelligence.com/2021/09/threat-roundup-0827-0903.html
* https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
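Review bot: most of the "High" IOCs in this table are shared infrastructure that must not end up in a blocklist. Rows 5 to 9 are Akamai edge nodes (a23-3-13-88.deploy.static.akamaitechnologies.com and siblings), rows 12 to 17 fall in Cloudflare's 104.16.0.0/12 anycast range, and rows 4, 10, 18 and 20 are AWS, Google Cloud, Xserver and Hetzner hosts; rows 1 to 3 and 11 have no reverse DNS at all and need an ASN lookup before anyone trusts them. A sample that fetches anything from a CDN-fronted site resolves to exactly these addresses, so they say nothing about the actor and cause collateral damage in any control built from this file. Keep them only together with the domain they were observed for, or downgrade them to Low. The deeper problem is visible in the references: "Autoit" is a scripting language used by many unrelated malware families and all three sources are weekly Talos threat roundups, which is why the tables read as an aggregate (91 more IOA items, 10 more IOCs) rather than an actor profile; the file should state that this is a tooling bucket, not an actor. T1110.001 is Brute Force: Password Guessing and T1222 is File and Directory Permissions Modification; the "Access Vector" column again carries CWE names instead.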
@ -0,0 +1,45 @@
= Aveo - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.aveo[Aveo]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.aveo

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. US

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|50.63.202.38|ip-50-63-202-38.ip.secureserver.net|High
|2|104.202.173.82|104-202-173-82.dyn.grandenetworks.net|High
|3|107.180.36.179|ip-107-180-36-179.ip.secureserver.net|High
|4|172.16.95.184|-|High
|========================================

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|themes/|Low
|========================================

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://unit42.paloaltonetworks.com/unit42-aveo-malware-family-targets-japanese-speaking-users/
* https://www.threatminer.org/report.php?q=AveoMalwareFamilyTargetsJapaneseSpeakingUsers-PaloAltoNetworksBlogPaloAltoNetworksBlog.pdf&y=2016

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
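Review bot: row 4 of the IOC table is 172.16.95.184, an RFC 1918 private address. It cannot be an external network indicator and is almost certainly an artefact of the sandbox or lab network the sample was detonated in, yet it is rated High; drop it, or at minimum add a validation step to the generator that rejects private, loopback and reserved ranges before they reach the table. The two references are the same Unit 42 post, once at its primary URL and once as a ThreatMiner PDF mirror; keep the primary and label the mirror as such. Rows 1 and 3 are GoDaddy shared hosting (secureserver.net) and row 2 is a residential dynamic address (dyn.grandenetworks.net), so all three are reassigned regularly and need the 2016 observation date from the report before they are usable.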
@ -0,0 +1,78 @@
= BEAR - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.bear[BEAR]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.bear

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. EE
. US
. UA
. ...

There are 3 more country items available. Please use our online service to access the data.

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.149.248.67|mx1-mail.com|High
|2|5.149.248.193|-|High
|3|5.149.249.172|-|High
|4|5.149.254.114|mail1.auditoriavanzada.info|High
|5|95.153.32.53|mx1.servicetransfermail.com|High
|6|155.254.36.155|-|High
|========================================

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1211|7PK Security Features|High
|4|T1552|Unprotected Storage of Credentials|High
|5|T1600|Cryptographic Issues|High
|========================================

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/index.php|Medium
|2|File|/uncpath/|Medium
|3|File|add_comment.php|High
|4|File|data/gbconfiguration.dat|High
|5|File|FlexCell.ocx|Medium
|6|File|forums.aspx|Medium
|7|File|forums.php|Medium
|8|File|index.php|Medium
|9|File|install.php|Medium
|10|File|photo-gallery.php|High
|11|...|...|...
|========================================

There are 16 more IOA items available. Please use our online service to access the data.

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://www.threatminer.org/report.php?q=CanaBEARFitDownaRabbitHole_StateBoardofElectionAnalysis-ThreatConnect.pdf&y=2016
* https://www.threatminer.org/report.php?q=RussiaHacksBellingcatMH17Investigation_ThreatConnect.pdf&y=2016

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
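Review bot: the TTP table labels T1211 as "7PK Security Features", which is the name of a CWE category (CWE-254), not an ATT&CK technique; T1211 is Exploitation for Defense Evasion. In the same column T1552 is Unsecured Credentials, T1600 is Weaken Encryption, T1059.007 is JavaScript and T1068 is Exploitation for Privilege Escalation. Rename the column to say it holds CWE classes or fill it with ATT&CK names. "BEAR" as an actor label is too coarse: the two ThreatConnect references (state board of elections analysis, Bellingcat/MH17) concern activity that the industry tracks under specific Bear aliases, so the file should say which one these IOCs belong to, or the 5.149.248.0/22 rows will be attributed to whichever Bear a reader has in mind. The hostnames mx1-mail.com, mail1.auditoriavanzada.info and mx1.servicetransfermail.com point to mail-sending infrastructure; a type column distinguishing sender/phishing hosts from C2 would let consumers route them to mail filtering instead of egress blocking.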
@ -0,0 +1,78 @@
= Babar - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.babar[Babar]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.babar

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. US

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|64.20.43.107|vps238561.trouble-free.net|High
|2|69.25.212.153|-|High
|3|83.149.75.58|reserved.ps-it.nl|High
|4|104.153.45.38|cpan6.webline-servers.com|High
|5|184.172.143.188|bc.8f.acb8.ip4.static.sl-reverse.com|High
|6|192.185.113.148|192-185-113-148.unifiedlayer.com|High
|7|199.119.202.195|danish.unixbsd.info|High
|8|199.231.93.221|cpan3s.webline-services.com|High
|9|206.41.94.190|handsets.voip.novavision.ca|High
|10|207.189.104.86|ppc.snapnames.com|High
|11|207.189.104.87|parked.snapnames.com|High
|12|208.87.242.66|ant.unixbsd.info|High
|13|209.62.21.228|ev1s-209-62-21-228.theplanet.com|High
|14|212.27.35.109|oldredir.online.net|High
|15|216.152.252.55|ip-216-152-252-55.wireless.dyn.beamspeed.net|High
|========================================

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|========================================

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|addentry.php|Medium
|2|File|data/gbconfiguration.dat|High
|3|File|dc_categorieslist.asp|High
|4|File|detected_potential_files.cgi|High
|5|File|guestbook.cgi|High
|6|File|inc/config.php|High
|7|File|phpinfo.php|Medium
|8|File|reports_mta_queue_status.html|High
|9|File|template.class.php|High
|10|Argument|basePath|Medium
|11|...|...|...
|========================================

There are 4 more IOA items available. Please use our online service to access the data.

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://www.threatminer.org/report.php?q=Elephantosis.pdf&y=2015

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
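Review bot: several IOC rows are not actor infrastructure but the places expired domains resolve to today. ppc.snapnames.com and parked.snapnames.com (rows 10 and 11) belong to a domain-parking and drop-catching service, oldredir.online.net (row 14) is a hosting provider's redirect host, and reserved.ps-it.nl (row 3) is a reserved address at a provider; all are rated High. The pattern suggests the generator re-resolved the C2 domains from the 2015 Elephantosis report at build time and stored whatever came back. That is the wrong process for a six-year-old campaign: store the domain with the address it had at report time, or flag the row as "current resolution" with the lookup date, so nobody blocks a parking provider on the strength of this table. Rows 9 and 15 (handsets.voip.novavision.ca, a wireless.dyn.beamspeed.net address) look equally reassigned. The TTP column has the same CWE-for-ATT&CK labels flagged on the Allakore file.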
@ -0,0 +1,31 @@
|
|||
= BabyShark - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.babyshark[BabyShark]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.babyshark

== Campaigns

The following campaigns are known and can be associated with the actor.

- BabyShark

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|173.248.170.149|-|High
|========================================

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://www.threatminer.org/_reports/2019/BabySharkMalwarePartTwo%E2%80%93AttacksContinueUsingKimJongRATandPCRat.pdf#viewer.action=download

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
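Review bot: "associated network ressources" in the IOC intro sentence should read "network resources"; the same sentence is emitted verbatim in every file of this commit, so the fix belongs in the generating template rather than in this one file.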

@ -0,0 +1,87 @@

= BackdoorDiplomacy - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.backdoordiplomacy[BackdoorDiplomacy]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.backdoordiplomacy

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. CN
. US
. GB
. ...

There are 1 more country items available. Please use our online service to access the data.

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|23.83.224.178|23.83.224.178.16clouds.com|High
|2|23.106.140.207|23.106.140.207.16clouds.com|High
|3|23.228.203.130|unassigned.psychz.net|High
|4|23.247.47.252|-|High
|5|43.225.126.179|-|High
|6|43.251.105.139|-|High
|7|43.251.105.218|-|High
|8|43.251.105.222|-|High
|9|45.76.120.84|45.76.120.84.vultr.com|Medium
|10|45.77.215.53|45.77.215.53.vultr.com|Medium
|11|78.141.196.159|78.141.196.159.vultr.com|Medium
|12|78.141.243.45|78.141.243.45.vultr.com|Medium
|13|152.32.180.34|-|High
|14|162.209.167.154|-|High
|15|162.209.167.189|-|High
|16|199.247.9.67|199.247.9.67.vultr.com|Medium
|17|207.148.8.82|cabarruscounty.synkato.io|High
|========================================

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1499|Resource Consumption|High
|4|T1555|Cleartext Storage of Sensitive Information|High
|========================================

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/clientes/visualizar|High
|2|File|/oputilsServlet|High
|3|File|admin/conf_users_edit.php|High
|4|File|data/gbconfiguration.dat|High
|5|File|shoutbox.php|Medium
|6|File|wp-admin/post.php|High
|7|File|wp-login.php|Medium
|8|Argument|action|Low
|9|Argument|description|Medium
|10|Argument|filePath0|Medium
|11|...|...|...
|========================================

There are 6 more IOA items available. Please use our online service to access the data.

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
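Review bot: the TTP table header "Access Vector" does not describe its values; "Cleartext Storage of Sensitive Information" and "Execution with Unnecessary Privileges" are weakness names from the CWE catalogue, not access vectors, and nothing in the row shows how they relate to the ATT&CK IDs beside them. Rename the column to "Weakness" (or add the CWE identifier next to the ATT&CK technique) so a reader can follow the mapping without a lookup. Under == Countries, "There are 1 more country items available" is also a pluralisation bug in the count template and should read "1 more country item".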

@ -0,0 +1,45 @@

= BadPatch - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.badpatch[BadPatch]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.badpatch

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. DE

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|148.251.135.117|server.pogled.ba|High
|2|195.154.216.74|195-154-216-74.rev.poneytelecom.eu|High
|========================================

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|includes/pages.inc.php|High
|2|File|setup.cgi|Medium
|3|Argument|PagePrefix|Medium
|4|Argument|TimeToLive|Medium
|========================================

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://www.threatminer.org/report.php?q=BadPatch-PaloAltoNetworks.pdf&y=2017

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
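Review bot: the Countries section uses the AsciiDoc ordered-list marker (`. DE`) while the intro sentence says nothing about what the numbering means, so the rendered list implies a ranking the file never defines; either state the sort criterion in the intro sentence or use the unordered `-` marker that the Campaigns lists in this commit already use.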

@ -0,0 +1,97 @@

= Baldr - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.baldr[Baldr]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.baldr

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. US
. RU
. CN
. ...

There are 16 more country items available. Please use our online service to access the data.

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.8.88.198|-|High
|2|5.45.73.87|-|High
|3|5.188.60.7|-|High
|4|5.188.60.18|-|High
|5|5.188.60.24|-|High
|6|5.188.60.30|-|High
|7|5.188.60.54|-|High
|8|5.188.60.68|-|High
|9|5.188.60.74|-|High
|10|5.188.60.101|-|High
|11|5.188.60.115|-|High
|12|5.188.60.206|-|High
|13|5.188.231.96|-|High
|14|5.188.231.210|-|High
|15|18.207.217.146|ec2-18-207-217-146.compute-1.amazonaws.com|Medium
|16|18.221.49.166|ec2-18-221-49-166.us-east-2.compute.amazonaws.com|Medium
|17|23.19.58.101|-|High
|18|23.95.95.61|23-95-95-61-host.colocrossing.com|High
|19|23.254.217.112|hwsrv-901988.hostwindsdns.com|High
|20|23.254.225.240|hwsrv-907360.hostwindsdns.com|High
|21|...|...|...
|========================================

There are 101 more IOC items available. Please use our online service to access the data.

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1211|7PK Security Features|High
|5|T1222|Permission Issues|High
|6|...|...|...
|========================================

There are 4 more TTP items available. Please use our online service to access the data.

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/+CSCOE+/logon.html|High
|2|File|/admin/functions.php|High
|3|File|/auth/login|Medium
|4|File|/download|Medium
|5|File|/forum/away.php|High
|6|File|/goform/saveParentControlInfo|High
|7|File|/inc/lists/edit-list.php|High
|8|File|/Interface/DevManage/EC.php?cmd=upload|High
|9|File|/MicroStrategyWS/happyaxis.jsp|High
|10|File|/modules/projects/vw_files.php|High
|11|...|...|...
|========================================

There are 247 more IOA items available. Please use our online service to access the data.

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://github.com/sophoslabs/IoCs/blob/master/Stealer-Baldr

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
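Review bot: IOC rows 3 to 12 are ten addresses inside the single 5.188.60.0/24 block and rows 13 to 14 two more inside 5.188.231.0/24, which is the actual signal a defender would act on, yet the table presents them as unrelated rows and then cuts off with "There are 101 more IOC items available" before the rest of the block is visible. A netblock-level entry, or at least a sort that keeps the block together above the cut, would make the published excerpt far more useful than twenty individual addresses. In the TTP table, "7PK Security Features" against T1211 is a CWE taxonomy bucket rather than anything an analyst can act on; adding the ATT&CK technique name next to the ID would make the row readable on its own.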

@ -0,0 +1,97 @@

= Banjori - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.banjori[Banjori]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.banjori

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. JP
. DE
. US
. ...

There are 10 more country items available. Please use our online service to access the data.

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|3.216.121.17|ec2-3-216-121-17.compute-1.amazonaws.com|Medium
|2|5.79.79.212|-|High
|3|13.59.74.74|ec2-13-59-74-74.us-east-2.compute.amazonaws.com|Medium
|4|14.192.4.75|-|High
|5|18.213.250.117|ec2-18-213-250-117.compute-1.amazonaws.com|Medium
|6|18.215.128.143|ec2-18-215-128-143.compute-1.amazonaws.com|Medium
|7|23.89.20.107|-|High
|8|23.89.102.123|-|High
|9|23.107.124.53|-|High
|10|23.110.15.74|-|High
|11|23.226.53.226|-|High
|12|23.227.38.65|myshopify.com|High
|13|23.231.218.195|-|High
|14|23.236.62.147|147.62.236.23.bc.googleusercontent.com|Medium
|15|34.98.99.30|30.99.98.34.bc.googleusercontent.com|Medium
|16|34.102.136.180|180.136.102.34.bc.googleusercontent.com|Medium
|17|35.186.238.101|101.238.186.35.bc.googleusercontent.com|Medium
|18|35.226.69.129|129.69.226.35.bc.googleusercontent.com|Medium
|19|43.230.142.125|-|High
|20|43.241.196.105|-|High
|21|...|...|...
|========================================

There are 116 more IOC items available. Please use our online service to access the data.

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1211|7PK Security Features|High
|5|T1222|Permission Issues|High
|6|...|...|...
|========================================

There are 6 more TTP items available. Please use our online service to access the data.

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|"/xml/system/setAttribute.xml|High
|2|File|#!/system|Medium
|3|File|$SPLUNK_HOME/etc/splunk-launch.conf|High
|4|File|%LOCALAPPDATA%\Zemana\ZALSDK\MyRules2.ini|High
|5|File|%ProgramData%\CTES|High
|6|File|%SYSTEMDRIVE%|High
|7|File|%TEMP%\par-%username%\cache-exiftool-8.32|High
|8|File|%windir%\Internet Logs\|High
|9|File|.../gogo/|Medium
|10|File|.asp|Low
|11|...|...|...
|========================================

There are 5749 more IOA items available. Please use our online service to access the data.

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://github.com/firehol/blocklist-ipsets/blob/master/bambenek_banjori.ipset

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
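Review bot: IOA row 1 carries a stray leading double quote (`"/xml/system/setAttribute.xml`) that will be copied into any indicator extracted from this table, and rows 2, 6 and 10 (`#!/system`, `%SYSTEMDRIVE%`, `.asp`) are fragments too generic to match anything specific to this actor. Strip the quote in the extraction step and consider a minimum-length or minimum-confidence filter before publishing, since the "There are 5749 more IOA items available" line suggests the full list is dominated by such fragments.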

@ -0,0 +1,94 @@

= Banload - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.banload[Banload]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.banload

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. US

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|13.107.21.200|-|High
|2|31.13.66.19|xx-fbcdn-shv-01-iad3.fbcdn.net|High
|3|34.102.185.99|99.185.102.34.bc.googleusercontent.com|Medium
|4|34.212.89.14|ec2-34-212-89-14.us-west-2.compute.amazonaws.com|Medium
|5|52.95.165.35|s3-sa-east-1.amazonaws.com|Medium
|6|52.216.76.254|s3-1.amazonaws.com|Medium
|7|52.216.84.109|s3-1.amazonaws.com|Medium
|8|52.216.129.45|s3-1.amazonaws.com|Medium
|9|52.216.245.54|s3-1.amazonaws.com|Medium
|10|52.217.33.190|s3-1.amazonaws.com|Medium
|11|52.217.45.150|s3-1.amazonaws.com|Medium
|12|52.217.48.70|s3-1.amazonaws.com|Medium
|13|52.217.79.142|s3-1.amazonaws.com|Medium
|14|52.217.85.222|s3-1.amazonaws.com|Medium
|15|74.119.119.139|-|High
|16|74.125.192.94|qn-in-f94.1e100.net|High
|17|142.250.80.2|lga34s33-in-f2.1e100.net|High
|18|142.250.80.3|lga34s33-in-f3.1e100.net|High
|19|142.250.111.154|gb-in-f154.1e100.net|High
|20|143.204.150.172|server-143-204-150-172.ewr52.r.cloudfront.net|High
|21|...|...|...
|========================================

There are 50 more IOC items available. Please use our online service to access the data.

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1211|7PK Security Features|High
|5|T1499|Resource Consumption|High
|6|...|...|...
|========================================

There are 2 more TTP items available. Please use our online service to access the data.

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/as/authorization.oauth2|High
|2|File|/Forms/WLAN_General_1|High
|3|File|/html/portal/flash.jsp|High
|4|File|/index.php|Medium
|5|File|/lua/set-passwd.lua|High
|6|File|/oauth/authorize|High
|7|File|/uncpath/|Medium
|8|File|/user/user/edit.php|High
|9|File|backupsettings.html|High
|10|File|comment_add.asp|High
|11|...|...|...
|========================================

There are 41 more IOA items available. Please use our online service to access the data.

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html
* https://blog.talosintelligence.com/2021/03/threat-roundup-0319-0326.html
* https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
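Review bot: IOC rows 2, 16 to 19 and 20 resolve to shared Facebook CDN (`fbcdn.net`), Google front-end (`1e100.net`) and CloudFront hosts and are rated High, while rows 6 to 14 are all the multi-tenant `s3-1.amazonaws.com` endpoint; a downloader contacting these for hosting or a connectivity check says nothing about actor-owned infrastructure, and feeding them to a blocklist would break legitimate traffic. The Medium rating already applied to the EC2 and GCE rows shows the generator can downgrade cloud hosts, so extend that rule to CDN, S3 and Google front-end names or tag such rows explicitly as shared infrastructure.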

@ -0,0 +1,40 @@

= Barys - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.barys[Barys]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.barys

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|52.137.90.34|-|High
|2|52.185.71.28|-|High
|3|74.125.192.138|qn-in-f138.1e100.net|High
|4|104.18.11.39|-|High
|5|172.217.222.138|qi-in-f138.1e100.net|High
|6|173.194.204.94|qb-in-f94.1e100.net|High
|7|173.194.205.84|qm-in-f84.1e100.net|High
|8|173.194.207.132|qk-in-f132.1e100.net|High
|9|200.147.3.199|minnisinhashipi.com|High
|10|200.147.35.224|www.leitorpagseguro.com.br|High
|11|200.147.100.53|tvpanico.com|High
|12|209.85.144.106|qv-in-f106.1e100.net|High
|13|209.85.201.94|qu-in-f94.1e100.net|High
|14|216.218.208.114|216-218-208-114.sinkhole.shadowserver.org|High
|========================================

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://blog.talosintelligence.com/2021/06/threat-roundup-0604-0611.html
* https://blog.talosintelligence.com/2021/08/threat-roundup-0820-0827.html
* https://blog.talosintelligence.com/2021/09/threat-roundup-0827-0903.html

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
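Review bot: IOC row 14 (`216-218-208-114.sinkhole.shadowserver.org`) is a Shadowserver sinkhole by its own hostname, so a host talking to it is beaconing to a domain already taken away from the actor rather than to actor-controlled infrastructure; listing it as a High-confidence IOC with no annotation invites the wrong response (blocking the sinkhole instead of triaging the infected host). Tag sinkhole rows as such, and apply the same shared-infrastructure caveat to rows 3, 5 to 8, 12 and 13, which are Google front-end hosts (`1e100.net`).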

@ -0,0 +1,98 @@

= BazarLoader - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.bazarloader[BazarLoader]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.bazarloader

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. US
. DK
. IT
. ...

There are 9 more country items available. Please use our online service to access the data.

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|31.171.251.118|ch.ns.mon0.li|High
|2|31.214.240.203|-|High
|3|34.209.40.84|ec2-34-209-40-84.us-west-2.compute.amazonaws.com|Medium
|4|34.221.188.35|ec2-34-221-188-35.us-west-2.compute.amazonaws.com|Medium
|5|45.71.112.70|host-45-71-112-70.nedetel.net|High
|6|45.76.254.23|45.76.254.23.vultr.com|Medium
|7|54.184.178.68|ec2-54-184-178-68.us-west-2.compute.amazonaws.com|Medium
|8|62.108.35.215|-|High
|9|72.21.81.240|-|High
|10|78.108.216.13|sshtunnel.itbyhf.xyz|High
|11|80.82.68.132|-|High
|12|91.217.137.37|frod.subnets.ru|High
|13|92.222.97.145|ip145.ip-92-222-97.eu|High
|14|94.247.43.254|opennic1.eth-services.de|High
|15|104.37.195.178|178.195.37.104.in-addr.arpa|High
|16|116.203.98.109|static.109.98.203.116.clients.your-server.de|High
|17|163.53.248.170|vmx20170.hosting24.com.au|High
|18|163.172.185.51|51-185-172-163.instances.scw.cloud|High
|19|165.22.224.164|-|High
|20|172.98.193.42|-|High
|21|...|...|...
|========================================

There are 7 more IOC items available. Please use our online service to access the data.

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1211|7PK Security Features|High
|5|T1222|Permission Issues|High
|6|...|...|...
|========================================

There are 5 more TTP items available. Please use our online service to access the data.

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|.user|Low
|2|File|/cgi-bin/system_mgr.cgi|High
|3|File|/Content/Template/root/reverse-shell.aspx|High
|4|File|/debug/pprof|Medium
|5|File|/inc/parser/xhtml.php|High
|6|File|/includes/db_adodb.php|High
|7|File|/PluXml/core/admin/parametres_edittpl.php|High
|8|File|/register.do|Medium
|9|File|/rest/project-templates/1.0/createshared|High
|10|File|/restoreinfo.cgi|High
|11|...|...|...
|========================================

There are 302 more IOA items available. Please use our online service to access the data.

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
* https://twitter.com/_pr4gma/status/1347617681197961225

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
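Review bot: IOC row 15 records `178.195.37.104.in-addr.arpa` as the hostname for 104.37.195.178; that string is the reverse-lookup zone name itself, not a PTR target, so the enrichment step stored resolver output verbatim where a failed lookup should have produced `-` as it does in rows 2, 8, 9, 11, 19 and 20. Worth a check on the PTR-handling code, since the same artefact will recur in every feed it generates.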

@ -0,0 +1,64 @@

= BelialDemon - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.belialdemon[BelialDemon]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.belialdemon

== Campaigns

The following campaigns are known and can be associated with the actor.

- Matanbuchus

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. TT
. CO

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|34.94.151.129|129.151.94.34.bc.googleusercontent.com|Medium
|2|34.105.89.82|82.89.105.34.bc.googleusercontent.com|Medium
|3|34.106.243.174|174.243.106.34.bc.googleusercontent.com|Medium
|========================================

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1499|Resource Consumption|High
|4|T1548.002|Improper Authorization|High
|========================================

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|include/ajax.draft.php|High
|2|Argument|request|Low
|========================================

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
|
|
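Review bot: the TTP table's "Access Vector" column carries weakness names rather than the ATT&CK names of the listed techniques, so `|1|T1059.007|Cross Site Scripting|High` reads as a mismatch: T1059.007 is Command and Scripting Interpreter: JavaScript, T1068 is Exploitation for Privilege Escalation, T1499 is Endpoint Denial of Service and T1548.002 is Abuse Elevation Control Mechanism: Bypass User Account Control. Either rename the column to say it is the mapped weakness class or add a column with the technique name, so a reader does not take "Cross Site Scripting" as what T1059.007 denotes. The three IOCs are all `bc.googleusercontent.com` reverse names, i.e. Google Cloud customer VMs whose addresses get reassigned, so the IOC rows need first-seen/last-seen dates before anyone feeds them into a blocklist. "ressources" in the IOC intro is a typo for "resources"; it recurs in every file of this commit, so fix it in the generator template.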
@ -0,0 +1,44 @@
= Bifrost - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.bifrost[Bifrost]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.bifrost

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. ES

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|104.18.10.39|-|High
|2|172.105.155.183|li2071-183.members.linode.com|High
|3|173.194.5.216|lhr25s06-in-f8.1e100.net|High
|========================================

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|========================================

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
* https://blog.talosintelligence.com/2021/05/threat-roundup-0430-0507.html

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

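Review bot: two of the three High-confidence IOCs are shared infrastructure, not actor-controlled hosts: 104.18.10.39 falls in Cloudflare's 104.16.0.0/13 range and 173.194.5.216 (`lhr25s06-in-f8.1e100.net`) is a Google front end, so a blocklist built from `|1|104.18.10.39|-|High` and row 3 would cut off Cloudflare-fronted sites and Google services for everyone behind it. Keep them only if the page says what the sample did with them (a connectivity check, a download from a CDN-fronted site) and drop the High confidence. The lone TTP row `|1|T1059.007|Cross Site Scripting|High` has the same column mismatch as the other files: T1059.007 is JavaScript under Command and Scripting Interpreter, and "Cross Site Scripting" is a weakness name.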
@ -0,0 +1,26 @@
= Bisonal - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.bisonal[Bisonal]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.bisonal

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|116.193.155.38|-|High
|2|196.44.49.154|-|High
|========================================

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://www.threatminer.org/report.php?q=BisonalMalwareUsedinAttacksAgainstRussiaandSouthKorea-PaloAltoNetworksBlog.pdf&y=2018

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

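Review bot: the IOC table gives two bare addresses with no date, no role (C2, download, staging) and no hostname, and the only reference is a 2018 report, so at the time of this commit (the license line says 2021) these rows are at least three years old; without a last-seen column a consumer cannot tell a live C2 from a long-reassigned address. Add the observation dates from the source report, or mark the rows as historical rather than High confidence. "ressources" in the IOC intro is a typo for "resources".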
@ -0,0 +1,48 @@
= Bitter - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.bitter[Bitter]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.bitter

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. US

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|82.221.129.17|hengill.orangewebsite.com|High
|2|82.221.129.18|baula.orangewebsite.com|High
|3|82.221.129.19|jolnir.orangewebsite.com|High
|4|94.156.175.61|gray.warez-host.com|High
|5|162.222.215.2|-|High
|6|162.222.215.96|-|High
|========================================

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|shopreviewlist.asp|High
|2|File|test-cgi|Medium
|3|Argument|catalogid|Medium
|========================================

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://www.threatminer.org/report.php?q=SuspectedBITTERAPTContinuesTargetingGovernmentofChinaandChineseOrganizations.pdf&y=2019

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

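Review bot: the IOA rows `|1|File|shopreviewlist.asp|High`, `|2|File|test-cgi|Medium` and `|3|Argument|catalogid|Medium` are generic web-scanner targets (test-cgi is the sample CGI script that shipped with early NCSA/Apache installs), not anything specific to Bitter, and the single reference is a report on Bitter targeting Chinese organisations, which does not support a High confidence on shopreviewlist.asp. Either cite the observation that ties these paths to the actor or lower the confidence, and state in the section text whether IOA rows are observed or model-predicted. Rows 1-3 of the IOC table are three consecutive addresses on one shared host (orangewebsite.com); say whether all three were observed or the range was inferred from one hit.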
@ -0,0 +1,78 @@
= Black KingDom - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.black_kingdom[Black KingDom]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.black_kingdom

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. US
. ES
. CN
. ...

There are 25 more country items available. Please use our online service to access the data.

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|104.21.89.10|-|High
|2|172.64.80.0|-|High
|3|185.220.101.204|tor-exit-204.relayon.org|High
|4|185.220.101.216|tor-exit-216.relayon.org|High
|========================================

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1008|Algorithm Downgrade|High
|2|T1040|Authentication Bypass by Capture-replay|High
|3|T1059.007|Cross Site Scripting|High
|4|T1068|Execution with Unnecessary Privileges|High
|5|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|6|...|...|...
|========================================

There are 11 more TTP items available. Please use our online service to access the data.

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|%LOCALAPPDATA%\SaferVPN\Log|High
|2|File|%PROGRAMDATA%\ASUS\GamingCenterLib|High
|3|File|%PROGRAMDATA%\OpenVPN Connect\drivers\tap\amd64\win10|High
|4|File|%PROGRAMDATA%\Razer Chroma\SDK\Apps|High
|5|File|%PROGRAMFILES(X86)%/Aternity Information Systems/Assistant/plugins|High
|6|File|%PROGRAMFILES(X86)%\Teradici\PCoIP.exe|High
|7|File|%SYSTEMDRIVE%\Course Software Material 18.0.1.9\cmd.exe|High
|8|File|.authlie|Medium
|9|File|.config/Yubico|High
|10|File|.htaccess|Medium
|11|...|...|...
|========================================

There are 6387 more IOA items available. Please use our online service to access the data.

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://github.com/sophoslabs/IoCs/blob/master/Ransomware_BlackKingDom.csv

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

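Review bot: rows 3 and 4 of the IOC table are Tor exit nodes (`tor-exit-204.relayon.org`, `tor-exit-216.relayon.org`); an exit node is shared by every Tor user, so listing it at High confidence as actor infrastructure has no attribution value and blocking it only blocks Tor. Rows 1 and 2 (104.21.89.10, 172.64.80.0) sit in Cloudflare's 104.16.0.0/13 and 172.64.0.0/13 ranges, and 172.64.80.0 looks like a network address rather than a host; both need the context of what was fetched through them. In the TTP table the "Access Vector" names do not match the technique IDs: T1008 is Fallback Channels, T1040 is Network Sniffing, T1110.001 is Password Guessing. The IOA rows list paths of unrelated third-party software (SaferVPN, ASUS GamingCenterLib, OpenVPN Connect, Razer Chroma, Teradici) at High confidence without saying what role they play for the ransomware (dropped, encrypted, skipped), so no detection can be built from them; add that role from the source.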
@ -0,0 +1,25 @@
= Black Vine - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.black_vine[Black Vine]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.black_vine

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|192.199.254.126|-|High
|========================================

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://www.threatminer.org/report.php?q=the-black-vine-cyberespionage-group.pdf&y=2015

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

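Review bot: the page rests on a single IOC, `|1|192.199.254.126|-|High`, with no hostname, no date and no role, taken from a 2015 report; a bare address six years old at the time of this commit should not go out at High confidence without a last-seen date, since it may well have been reassigned. Add the date from the source or mark the row historical. "ressources" in the IOC intro is a typo for "resources".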
@ -0,0 +1,69 @@
= BlackNet - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.blacknet[BlackNet]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.blacknet

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. US
. NL

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|1.1.1.1|one.one.one.one|High
|2|37.221.67.91|-|High
|3|45.133.1.98|-|High
|4|137.220.53.57|137.220.53.57.vultr.com|Medium
|5|185.239.243.112|ns1.20mb.nl|High
|========================================

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1499|Resource Consumption|High
|========================================

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/about.php|Medium
|2|File|/it-IT/splunkd/__raw/services/get_snapshot|High
|3|File|/phpwcms/setup/setup.php|High
|4|File|category.cfm|Medium
|5|File|comersus_optreviewreadexec.asp|High
|6|File|data/gbconfiguration.dat|High
|7|File|index.php|Medium
|8|File|item_show.php|High
|9|File|wp-postratings.php|High
|10|Argument|cat|Low
|11|...|...|...
|========================================

There are 7 more IOA items available. Please use our online service to access the data.

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://blog.talosintelligence.com/2021/06/threat-roundup-0528-0604.html

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

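Review bot: row 1 of the IOC table, `|1|1.1.1.1|one.one.one.one|High`, is Cloudflare's public DNS resolver; a sample contacting it is almost certainly checking connectivity, and publishing it as actor infrastructure at High confidence means anyone who automates this feed into a firewall breaks name resolution for every client using that resolver. Drop the row or move it to a separate "contacted, benign" class. The IOA rows (`/it-IT/splunkd/__raw/services/get_snapshot`, `/phpwcms/setup/setup.php`, `wp-postratings.php`, `index.php`, argument `cat`) are request paths from unrelated web-application vulnerabilities; the table should say whether they were observed as probes from the listed addresses or are only predicted by the model, since the section text says the latter.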
@ -0,0 +1,83 @@
= BlackTech - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.blacktech[BlackTech]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.blacktech

== Campaigns

The following campaigns are known and can be associated with the actor.

- Taiwan Government Agencies
- TSCookie
- WaterBear

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. CN
. MS
. US

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|10.0.0.211|-|High
|2|43.240.12.81|mail.terascape.net|High
|3|45.76.102.145|45.76.102.145.vultr.com|Medium
|4|45.124.25.31|hkhdc.laws.ms|High
|5|45.124.25.226|hkhdc.laws.ms|High
|6|60.244.52.29|60-244-52-29.tinp.apol.com.tw|High
|7|103.193.149.26|-|High
|8|103.240.202.34|-|High
|9|211.72.242.120|211-72-242-120.hinet-ip.hinet.net|High
|10|220.130.216.76|220-130-216-76.hinet-ip.hinet.net|High
|========================================

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1600|Cryptographic Issues|High
|========================================

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/wp-json/oembed/1.0/embed?url|High
|2|File|base/ErrorHandler.php|High
|3|File|goto.php|Medium
|4|File|isc/get_sid_js.aspx|High
|5|File|item_show.php|High
|6|Argument|author_name|Medium
|7|Argument|code_no|Low
|8|Argument|dbg_buf|Low
|9|Argument|url|Low
|========================================

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html
* https://www.ithome.com.tw/news/139504
* https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html
* https://www.trendmicro.com/en_us/research/19/l/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection.html

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

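Review bot: row 1 of the IOC table, `|1|10.0.0.211|-|High`, is an RFC 1918 private address; it is not routable on the Internet and cannot identify actor infrastructure, so it should be removed (it is most likely an artefact of the environment a sample was analysed in). Rows 4 and 5 share the hostname `hkhdc.laws.ms` across two addresses, and the country entry `. MS` presumably comes from that .ms TLD, which says nothing about where the host sits; the country list needs a stated basis per entry. In the TTP table T1600 is Weaken Encryption, not "Cryptographic Issues", the same column mismatch as T1059.007/Cross Site Scripting and T1068/Execution with Unnecessary Privileges.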
@ -0,0 +1,78 @@
= Bookworm - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.bookworm[Bookworm]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.bookworm

== Campaigns

The following campaigns are known and can be associated with the actor.

- Thailand

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. US
. CN
. KR

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|43.248.8.249|-|High
|2|103.226.127.47|-|High
|3|104.156.239.105|104.156.239.105.vultr.com|Medium
|4|112.167.143.179|-|High
|5|115.144.107.22|-|High
|6|115.144.107.46|-|High
|7|115.144.107.52|-|High
|8|115.144.107.53|-|High
|9|115.144.107.134|-|High
|10|115.144.166.209|-|High
|11|119.205.158.70|-|High
|========================================

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1499|Resource Consumption|High
|========================================

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/install/index.php|High
|2|File|/var/WEB-GUI/cgi-bin/telnet.cgi|High
|3|File|cirrus_vga.c|Medium
|4|File|func.php|Medium
|5|File|packages/strapi-admin/controllers/Auth.js|High
|6|File|register/check/username?username|High
|7|Argument|returnPath|Medium
|8|Argument|theme/lang|Medium
|9|Argument|username|Medium
|========================================

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://unit42.paloaltonetworks.com/attack-campaign-on-the-government-of-thailand-delivers-bookworm-trojan/

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

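Review bot: the IOA "File" class mixes entries that are not request paths with ones that are: `cirrus_vga.c` is a QEMU source file and `packages/strapi-admin/controllers/Auth.js` is a Strapi source file, both names taken from vulnerability advisories rather than from anything observable on the wire, while `/install/index.php` and `/var/WEB-GUI/cgi-bin/telnet.cgi` are URL probes. Split the class or add a column that says which is which, because a detection author will otherwise search web logs for a C source file name. In the IOC table rows 5-9 are five addresses in 115.144.107.0/24 and row 10 is in the neighbouring 115.144.166.0/24; if the source observed the range, say so and publish the prefix alongside the hosts, which is also how a consumer would block it.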
@ -0,0 +1,81 @@
= Bouncing Golf - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.bouncing_golf[Bouncing Golf]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.bouncing_golf

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. US
. FR
. DE
. ...

There are 20 more country items available. Please use our online service to access the data.

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|54.38.51.159|-|High
|2|82.211.31.181|-|High
|3|84.234.96.167|eronn.erivermle.com|High
|4|185.183.99.116|otp.s0x.eu|High
|5|190.2.130.53|190-2-130-53.hosted-by-worldstream.net|High
|6|194.187.249.134|-|High
|7|212.8.248.179|212-8-248-179.hosted-by-worldstream.net|High
|========================================

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1211|7PK Security Features|High
|5|T1222|Permission Issues|High
|6|...|...|...
|========================================

There are 3 more TTP items available. Please use our online service to access the data.

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|.htaccess|Medium
|2|File|/.env|Low
|3|File|/cgi-bin/nobody|High
|4|File|/cgi-bin/nobody/Search.cgi|High
|5|File|/etc/passwd|Medium
|6|File|/forum/away.php|High
|7|File|/get_getnetworkconf.cgi|High
|8|File|/horde/util/go.php|High
|9|File|/new|Low
|10|File|/show_news.php|High
|11|...|...|...
|========================================

There are 195 more IOA items available. Please use our online service to access the data.

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://documents.trendmicro.com/assets/appendix-mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east.pdf

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

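Review bot: the TTP row `|4|T1211|7PK Security Features|High` pairs an ATT&CK ID (Exploitation for Defense Evasion) with the name of a CWE category from the Seven Pernicious Kingdoms taxonomy; that is a mapping artefact, not a technique, and should not ship as a High-confidence TTP. T1222 is File and Directory Permissions Modification, not "Permission Issues", and T1110.001 is Password Guessing. The IOA rows `/etc/passwd`, `.htaccess`, `/.env` and `/cgi-bin/nobody/Search.cgi` are generic traversal and secret-file probes seen from every mass scanner, and the only reference is a report on a mobile espionage campaign that says nothing about web scanning, so the table needs a source for attributing these probes to the actor or a note that they are model-predicted.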
@ -0,0 +1,39 @@
= Brazil Unknown - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.brazil_unknown[Brazil Unknown]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.brazil_unknown

== Campaigns

The following campaigns are known and can be associated with the actor.

- Boleto Mestre

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. US
. NP

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|65.181.113.87|mx1.lifestylefundings.com|High
|2|65.181.127.152|portal2.brewmyidea.com|High
|========================================

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://unit42.paloaltonetworks.com/unit42-master-channel-the-boleto-mestre-campaign-targets-brazil/

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

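Review bot: the country list gives `. NP` alongside `. US`, but nothing in the hunk supports it: the only data are the two IOC rows, `mx1.lifestylefundings.com` and `portal2.brewmyidea.com`, a mail host and a portal host of third-party domains that look like compromised legitimate servers rather than actor-owned infrastructure. Publishing them at High confidence without a date risks blocking a since-remediated business mail server; add the observation date from the source and mark the rows as compromised hosts if that is what the report describes. "ressources" in the IOC intro is a typo for "resources".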
@ -0,0 +1,72 @@
|
|||
= Bronze Butler - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.bronze_butler[Bronze Butler]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.bronze_butler

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. US
. CN
. KR
. ...

There are 1 more country items available. Please use our online service to access the data.

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|27.255.69.209|-|High
|2|27.255.91.238|-|High
|3|106.184.5.30|-|High
|4|115.144.166.240|-|High
|5|160.16.243.147|tk2-263-41393.vs.sakura.ne.jp|High
|6|203.111.252.40|-|High
|========================================

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1222|Permission Issues|High
|4|T1600|Cryptographic Issues|High
|========================================

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/out.php|Medium
|2|File|data/gbconfiguration.dat|High
|3|File|wp-login.php|Medium
|4|File|Xvpnd.exe|Medium
|5|Library|jscript9.dll|Medium
|6|Argument|HOST|Low
|7|Argument|id|Low
|8|Argument|reason|Low
|9|Network Port|tcp/2015|Medium
|========================================

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
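Review bot: in the TTP table the "Access Vector" column holds neither access vectors nor ATT&CK names. "Cross Site Scripting", "Execution with Unnecessary Privileges", "Permission Issues" and "Cryptographic Issues" are CWE category titles, while the IDs beside them are ATT&CK techniques (T1059.007 is Command and Scripting Interpreter: JavaScript, T1068 is Exploitation for Privilege Escalation, T1222 is File and Directory Permissions Modification, T1600 is Weaken Encryption). Either rename the column to say it is the weakness class the model mapped onto the technique, or print the ATT&CK technique name, so a reader does not take "Cross Site Scripting" for the technique itself; the same mixing recurs in every TTP table in this commit. Separately, "There are 1 more country items available" does not agree in number; the template should pluralize on the count.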
@ -0,0 +1,70 @@
= Bronze Union - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.bronze_union[Bronze Union]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.bronze_union

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. CN
. US

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|45.114.9.174|-|High
|2|96.90.63.57|nleq.com|High
|3|117.136.63.145|-|High
|4|198.56.185.179|-|High
|5|211.255.155.194|-|High
|6|211.255.155.199|-|High
|7|211.255.155.215|-|High
|8|211.255.155.218|-|High
|9|211.255.155.219|-|High
|10|211.255.155.224|-|High
|========================================

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1548.002|Improper Authorization|High
|========================================

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/getcfg.php|Medium
|2|File|http_auth.c|Medium
|3|File|public/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]|High
|4|File|ticket.php|Medium
|5|Argument|SERVICES|Medium
|6|Argument|tid|Low
|7|Input Value|curl -d SERVICES=DEVICE.ACCOUNT http://192.168.0.1/getcfg.php|High
|8|Network Port|Web Server Port|High
|========================================

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://www.threatminer.org/report.php?q=BRONZEUNIONCyberespionagePersistsDespiteDisclosures_SecureWorks.pdf&y=2017

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
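Review bot: IOA row 7 embeds a complete request, curl -d SERVICES=DEVICE.ACCOUNT http://192.168.0.1/getcfg.php, against an RFC 1918 address; an indicator that names 192.168.0.1 cannot be matched on anything outside a single LAN, and the actionable parts (the /getcfg.php path and the SERVICES argument) already appear as rows 1 and 5, so this row should be dropped or reduced to the request body. Row 8 gives "Web Server Port" under the Network Port class, whereas the Bronze Butler file in the same commit uses the tcp/2015 form; settle on one notation, since consumers will parse this column.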
@ -0,0 +1,69 @@
= Brunhilda - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.brunhilda[Brunhilda]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.brunhilda

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. FR
. US
. DE

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|45.142.212.216|holkitsor4.example.com|High
|2|95.142.40.68|vm482228.eurodir.ru|High
|3|185.177.92.213|ip-185-177-92-213.ah-server.com|High
|4|185.177.93.32|ip-185-177-93-32.ah-server.com|High
|5|185.177.93.44|ip-185-177-93-44.ah-server.com|High
|6|185.177.93.72|ip-185-177-93-72.ah-server.com|High
|7|185.177.93.73|ip-185-177-93-73.ah-server.com|High
|8|185.177.93.105|ip-185-177-93-105.ah-server.com|High
|9|185.177.93.111|ip-185-177-93-111.ah-server.com|High
|10|185.177.93.120|ip-185-177-93-120.ah-server.com|High
|11|185.177.93.145|ip-185-177-93-145.ah-server.com|High
|12|185.177.93.242|ip-185-177-93-242.ah-server.com|High
|13|198.54.125.121|premium101-3.web-hosting.com|High
|========================================

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1211|7PK Security Features|High
|4|T1600|Cryptographic Issues|High
|========================================

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|asm/preproc.c|High
|2|File|data/gbconfiguration.dat|High
|========================================

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://vxug.fakedoma.in/archive/APTs/2021/2021.01.07/BrunHilda.pdf

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
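Review bot: IOC row 1 resolves 45.142.212.216 to holkitsor4.example.com, but example.com is reserved for documentation (RFC 2606) and will never be a genuine reverse lookup; this looks like a placeholder or a sanitised value that leaked into the export. Verify the resolution and, if there is none, use "-" as in the other unresolved rows elsewhere in this commit, because a High-confidence IOC with an impossible hostname undermines trust in the rest of the table.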
@ -0,0 +1,28 @@
= Bublik - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.bublik[Bublik]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.bublik

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|66.128.53.179|-|High
|2|104.21.57.186|-|High
|3|157.240.2.35|edge-star-mini-shv-01-ort2.facebook.com|High
|4|204.11.237.59|olacs.us|High
|========================================

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://blog.talosintelligence.com/2021/05/threat-roundup-0507-0514.html

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
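Review bot: IOC row 3 lists 157.240.2.35 with hostname edge-star-mini-shv-01-ort2.facebook.com at High confidence; that is a Facebook edge node, and any blocklist built from this table will flag ordinary traffic from every workstation in the organisation. Lower the confidence or annotate that the sample contacts the platform (for a connectivity check or for C2 over a legitimate service) rather than presenting the address as attacker-controlled. The only reference is a weekly Talos threat roundup covering several families, so it is also worth confirming that all four addresses were attributed to Bublik rather than to a neighbouring entry in that post.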
@ -0,0 +1,66 @@
= Buhtrap - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.buhtrap[Buhtrap]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.buhtrap

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. RU
. US

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.63.159.32|5-63-159-32.cloudvps.regruhosting.ru|High
|2|37.140.195.165|console.teonet.cloud|High
|3|37.143.12.190|www.portnov.dev|High
|4|151.248.125.251|dbm1.dommebeli.local|High
|5|178.21.10.33|178-21-10-33.ovz.vps.regruhosting.ru|High
|6|193.124.17.223|-|High
|7|194.58.97.249|supersail.ru|High
|8|194.58.100.211|194-58-100-211.ovz.vps.regruhosting.ru|High
|9|213.159.215.119|cms.cake.ru|High
|========================================

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|========================================

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|adclick.php|Medium
|2|File|adrotate.pm|Medium
|3|File|article.php|Medium
|4|File|_debugging_center_utils___.php|High
|5|Argument|dest|Low
|6|Argument|log|Low
|7|Argument|sid|Low
|========================================

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://www.threatminer.org/report.php?q=gib-buhtrap-report-GroupIB.pdf&y=2016

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
@ -0,0 +1,78 @@
= Butterfly - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.butterfly[Butterfly]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.butterfly

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. NL
. US
. DE
. ...

There are 4 more country items available. Please use our online service to access the data.

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|46.165.237.75|-|High
|2|46.183.217.132|skalli.pereformed.com|High
|3|178.162.197.9|-|High
|4|217.23.3.112|217-23-3-112.hosted-by-worldstream.net|High
|========================================

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1211|7PK Security Features|High
|4|T1222|Permission Issues|High
|5|T1499|Resource Consumption|High
|6|...|...|...
|========================================

There are 1 more TTP items available. Please use our online service to access the data.

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/cgi-bin/webviewer_login_page|High
|2|File|/forum/away.php|High
|3|File|/getcfg.php|Medium
|4|File|/proc/ioports|High
|5|File|/services/details.asp|High
|6|File|/tmp|Low
|7|File|/uncpath/|Medium
|8|File|/Upload.ashx|Medium
|9|File|/var/tmp/sess_*|High
|10|File|14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi|High
|11|...|...|...
|========================================

There are 120 more IOA items available. Please use our online service to access the data.

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://www.threatminer.org/report.php?q=butterfly-corporate-spies-out-for-financial-gain.pdf&y=2015

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
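Review bot: IOA row 10 packs four file names into one cell as 14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi, which reads as a single path; split them into separate rows or use a separator that cannot be confused with a directory. The File class in this table also mixes generic system paths with web paths: /proc/ioports (High) and the /var/tmp/sess_* glob (High) exist on practically every Linux host, while /tmp is rated Low, so the High ratings need a statement of what about their use is specific to this actor, or they will only add noise for anyone hunting on them.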
@ -0,0 +1,41 @@
= C0d0so - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.c0d0so[C0d0so]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.c0d0so

== Campaigns

The following campaigns are known and can be associated with the actor.

- Bergard

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. CN

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|42.200.18.194|-|High
|2|121.54.168.230|-|High
|3|210.181.184.64|-|High
|4|218.54.139.20|-|High
|========================================

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://www.threatminer.org/report.php?q=ExploringBergard_OldMalwarewithNewTricks_Proofpoint.pdf&y=2016
* https://www.threatminer.org/report.php?q=NewAttacksLinkedtoC0d0so0Group-PaloAltoNetworksBlogPaloAltoNetworksBlog.pdf&y=2016

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
@ -0,0 +1,46 @@
= CDRThief - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.cdrthief[CDRThief]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.cdrthief

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. CN

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|34.94.199.142|142.199.94.34.bc.googleusercontent.com|Medium
|2|35.236.173.187|187.173.236.35.bc.googleusercontent.com|Medium
|3|119.29.173.65|-|High
|4|129.211.157.244|-|High
|5|129.226.134.180|-|High
|6|150.109.79.136|-|High
|========================================

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|========================================

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://github.com/eset/malware-ioc/tree/master/cdrthief

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
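Review bot: IOC rows 1 and 2 are Google Cloud addresses (their hostnames sit under bc.googleusercontent.com), which are released and reassigned when the VM behind them is deleted; without a first-seen or last-seen date in the table a consumer cannot tell whether the Medium confidence still holds. The ESET repository in the references is the source for these, so carry over its observation date if it records one, or at least state the observation period in the paragraph above the table.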
@ -0,0 +1,112 @@
= Carbanak - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.carbanak[Carbanak]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.carbanak

== Campaigns

The following campaigns are known and can be associated with the actor.

- Anunak
- Grand Mars

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. US
. DE
. RU
. ...

There are 28 more country items available. Please use our online service to access the data.

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.1.83.133|mail.printonrug.com|High
|2|5.45.179.173|mail.kincoss.info|High
|3|5.45.179.185|-|High
|4|5.45.192.117|-|High
|5|5.61.32.118|-|High
|6|5.61.38.52|-|High
|7|5.101.146.184|3928081.securefastserver.com|High
|8|5.135.111.89|-|High
|9|5.199.169.188|-|High
|10|10.74.5.100|-|High
|11|23.227.196.99|23-227-196-99.static.hvvc.us|High
|12|31.3.155.123|swe-net-ip.as51430.net|High
|13|31.131.17.79|-|High
|14|31.131.17.81|-|High
|15|31.131.17.125|-|High
|16|31.131.17.128|-|High
|17|37.46.114.148|bg.as51430.net|High
|18|37.59.202.124|ip124.ip-37-59-202.eu|High
|19|37.235.54.48|48.54.235.37.in-addr.arpa|High
|20|45.63.23.135|45.63.23.135.vultr.com|Medium
|21|...|...|...
|========================================

There are 155 more IOC items available. Please use our online service to access the data.

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1211|7PK Security Features|High
|5|T1222|Permission Issues|High
|6|...|...|...
|========================================

There are 8 more TTP items available. Please use our online service to access the data.

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|$HOME/.cdrdao|High
|2|File|%windir%\Internet Logs\|High
|3|File|/+CSCOE+/logon.html|High
|4|File|//etc/RT2870STA.dat|High
|5|File|/api/addusers|High
|6|File|/api/upload|Medium
|7|File|/bin/boa|Medium
|8|File|/cgi-bin/hotspot-changepw.cgi|High
|9|File|/ClickAndBanexDemo/admin/admin.asp|High
|10|File|/core/vendor/meenie/javascript-packer/example-inline.php|High
|11|...|...|...
|========================================

There are 615 more IOA items available. Please use our online service to access the data.

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf
* https://www.forcepoint.com/blog/x-labs/carbanak-group-uses-google-malware-command-and-control
* https://www.group-ib.com/resources/threat-research/Anunak_APT_against_financial_institutions.pdf
* https://www.threatminer.org/report.php?q=Carbanak-Oraclebreach-KresonSecurity.pdf&y=2016
* https://www.threatminer.org/report.php?q=Carbanakgangisbackandpackingnewguns-ESET.pdf&y=2016
* https://www.threatminer.org/report.php?q=NewCarbanak-Trustwave.pdf&y=2016
* https://www.threatminer.org/report.php?q=proofpoint-threat-insight-carbanak-group-en.pdf&y=2016
* https://www.threatminer.org/report.php?q=the-shadows-of-ghosts-carbanak-report_RSA.pdf&y=2017
* https://www.threatminer.org/_reports/2017/OperationGrandMars-Trustwave.pdf#viewer.action=download

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
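Review bot: IOC row 10 is 10.74.5.100, an RFC 1918 private address, listed at High confidence; it cannot be an internet-reachable actor resource, and as a blocklist entry it would match internal traffic at every site that uses 10.0.0.0/8. It is most likely an internal pivot host carried over from one of the incident reports in the references and should be removed or marked as a victim-side artefact. Row 19 shows 48.54.235.37.in-addr.arpa as the hostname, which is the PTR query name rather than a resolution and should be "-". The last reference carries a PDF viewer fragment, #viewer.action=download, that should be stripped from the URL.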
@ -0,0 +1,85 @@
= Cardinal RAT - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.cardinal_rat[Cardinal RAT]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.cardinal_rat

== Campaigns

The following campaigns are known and can be associated with the actor.

- Cardinal RAT

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. US
. CR
. AR
. ...

There are 4 more country items available. Please use our online service to access the data.

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|127.194.73.243|-|High
|2|127.194.87.192|-|High
|3|185.20.187.4|185.20.187.4.deltahost-ptr|High
|4|185.247.211.198|185.247.211.198.deltahost-ptr|High
|5|190.10.8.238|easyrobustads.com|High
|6|193.22.96.98|193.22.96.98.deltahost-ptr|High
|7|193.22.98.182|193.22.98.182.deltahost-ptr|High
|8|193.22.99.168|193.22.99.168.deltahost-ptr|High
|========================================

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1499|Resource Consumption|High
|5|T1600|Cryptographic Issues|High
|========================================

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/admin/?/plugin/comment/settings|High
|2|File|/filemanager/upload.php|High
|3|File|/forum/away.php|High
|4|File|/inc/parser/xhtml.php|High
|5|File|/uncpath/|Medium
|6|File|/webconsole/APIController|High
|7|File|/webmail/|Medium
|8|File|adclick.php|Medium
|9|File|admin.php?s=/Admin/doedit|High
|10|File|admin/web_config.php|High
|11|...|...|...
|========================================

There are 85 more IOA items available. Please use our online service to access the data.

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
|
|
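Review bot: IOC rows 1 and 2 (127.194.73.243 and 127.194.87.192) sit inside 127.0.0.0/8, the loopback block, yet carry High confidence; a loopback address can never be remote attacker infrastructure, so these rows are almost certainly an extraction or anonymisation artifact and should be dropped or re-verified before the table is fed to any blocklist. Two smaller points on the same hunk: the IOC intro sentence spells "ressources" for "resources" (it is the shared template line, so fix it in the generator rather than in this one file), and the TTP column headed "Access Vector" actually holds CWE-style weakness names ("Improper Restriction of Excessive Authentication Attempts", "Cryptographic Issues") rather than ATT&CK technique names, so either rename the column to "Weakness" or add the ATT&CK name next to the ID.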
@ -0,0 +1,90 @@
= Careto - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.careto[Careto]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.careto

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. DE
. US
. AU
. ...

There are 2 more country items available. Please use our online service to access the data.

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|8.28.16.254|-|High
|2|12.0.0.38|-|High
|3|23.20.44.92|ec2-23-20-44-92.compute-1.amazonaws.com|Medium
|4|37.235.63.127|127-63-235-37.static.edis.at|High
|5|62.149.227.3|host3-227-149-62.serverdedicati.aruba.it|High
|6|72.52.91.30|-|High
|7|75.126.146.114|72.92.7e4b.ip4.static.sl-reverse.com|High
|8|81.0.233.15|assigned-81-0-233-015.casablanca.cz|High
|9|174.122.254.42|2a.fe.7aae.static.theplanet.com|High
|10|187.122.176.14|bb7ab00e.virtua.com.br|High
|11|196.40.84.94|-|High
|12|200.122.160.25|-|High
|13|210.48.153.236|mercumaya.net|High
|14|213.61.149.100|tor-exit-node.7by7.de|High
|15|217.115.10.132|tor2.anonymizer.ccc.de|High
|16|223.25.232.161|fishball3.singhost.com|High
|========================================

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1211|7PK Security Features|High
|4|T1222|Permission Issues|High
|5|T1499|Resource Consumption|High
|6|...|...|...
|========================================

There are 3 more TTP items available. Please use our online service to access the data.

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/platform.cgi|High
|2|File|/Status/wan_button_action.asp|High
|3|File|/Users|Low
|4|File|Aavmker4.sys|Medium
|5|File|add_user.php|Medium
|6|File|admin/app/physical/physical.php|High
|7|File|admin/auto.def|High
|8|File|app/admin/custom-fields/filter.php|High
|9|File|auth-gss2.c|Medium
|10|File|backoffice/login.asp|High
|11|...|...|...
|========================================

There are 96 more IOA items available. Please use our online service to access the data.

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://www.threatminer.org/report.php?q=unveilingthemask_v1.0.pdf&y=2014

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
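Review bot: IOC rows 14 and 15 (213.61.149.100, tor-exit-node.7by7.de and 217.115.10.132, tor2.anonymizer.ccc.de) are Tor exit nodes by their own reverse DNS but are rated High, while row 3, a shared EC2 address, is rated Medium; an exit node is used by every Tor client, so blocking or alerting on these rows will generate false positives unrelated to the actor, and the confidence should be lowered or the rows annotated as shared infrastructure, consistent with how the cloud host in row 3 is already treated.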
@ -0,0 +1,70 @@
= Carrotbat - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.carrotbat[Carrotbat]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.carrotbat

== Campaigns

The following campaigns are known and can be associated with the actor.

- Fractured Block

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. CN
. US

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|61.14.210.72|former-enews-out.squarspace.net|High
|========================================

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|========================================

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|anonymous/authenticated|High
|2|File|count.cgi|Medium
|3|File|data/gbconfiguration.dat|High
|4|File|dede\co_do.php|High
|5|File|email.php|Medium
|6|File|index.php|Medium
|7|File|mod_mysql_vhost.c|High
|8|Argument|id|Low
|9|Argument|ids|Low
|10|Argument|skipSessionCheck|High
|11|...|...|...
|========================================

There are 2 more IOA items available. Please use our online service to access the data.

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://www.threatminer.org/report.php?q=TheFracturedBlockCampaign_CARROTBATUsedtoDeliverMalwareTargetingSoutheastAsia-PaloAltoNetworksBlog.pdf&y=2018

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
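Review bot: the TTP table attributes only T1110.001 (labelled as an excessive-authentication-attempts weakness) to this actor, but the single reference names the Fractured Block campaign as CARROTBAT being used to deliver malware, so either the model output is missing the delivery and execution techniques or the section needs a sentence explaining why only password guessing is attributed. Also, IOA rows 6, 8 and 9 (index.php, Argument id, Argument ids) will match almost any web application; the Medium and Low ratings already say as much, so the IOA intro should tell consumers to filter on confidence before turning the table into detection rules.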
@ -0,0 +1,32 @@
= Center-1 - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.center-1[Center-1]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.center-1

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. IT

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|80.211.37.240|host240-37-211-80.serverdedicati.aruba.it|High
|2|161.35.38.8|-|High
|========================================

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
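Review bot: Center-1 and the Center-2 file that follows both cite the same Citizen Lab article as their only reference, and nothing in either file says how the two actors are distinguished or why the two IOCs here belong to Center-1 rather than Center-2; a one-line description of each actor, or at least a cross-link between the two pages, would let a reader who lands on this file make sense of the split.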
@ -0,0 +1,75 @@
= Center-2 - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.center-2[Center-2]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.center-2

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. FR
. IT
. US

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|80.211.35.111|host111-35-211-80.serverdedicati.aruba.it|High
|2|89.40.115.27|host27-115-40-89.static.arubacloud.fr|High
|3|134.122.68.221|-|High
|4|209.250.230.12|209.250.230.12.vultr.com|Medium
|========================================

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1211|7PK Security Features|High
|5|T1222|Permission Issues|High
|6|...|...|...
|========================================

There are 4 more TTP items available. Please use our online service to access the data.

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/docs/captcha_(number).jpeg|High
|2|File|/etc/keystone/user-project-map.json|High
|3|File|/forum/away.php|High
|4|File|/horde/util/go.php|High
|5|File|/SM8250_Q_Master/android/vendor/oppo_charger/oppo/oppo_charger.c|High
|6|File|/webapps/Bb-sites-user-profile-BBLEARN/profile.form|High
|7|File|/wp-content/plugins/emag-marketplace-connector/templates/order/awb-meta-box.php|High
|8|File|action/addproject.php|High
|9|File|adclick.php|Medium
|10|File|admin/page/system/nav.php?del|High
|11|...|...|...
|========================================

There are 64 more IOA items available. Please use our online service to access the data.

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
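Review bot: IOA rows 2 and 5 (/etc/keystone/user-project-map.json and /SM8250_Q_Master/android/vendor/oppo_charger/oppo/oppo_charger.c) are a local configuration file and a kernel driver source path, not request fragments an attacker sends over the network, so they cannot be matched in web or proxy logs the way the URL rows (for example /forum/away.php or /horde/util/go.php) can; either split the Class column into request-path and affected-file entries, or keep source and config paths out of a table whose intro describes fragments used for reconnaissance and exploitation. Row 1 (/docs/captcha_(number).jpeg) likewise contains a placeholder, "(number)", that needs to be expressed as a wildcard before the row can be used literally.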
@ -0,0 +1,103 @@
= Cerber - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.cerber[Cerber]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.cerber

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. US
. IR
. CN
. ...

There are 3 more country items available. Please use our online service to access the data.

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|23.152.0.36|tcts-000036.techtrapes.com|High
|2|34.199.22.139|ec2-34-199-22-139.compute-1.amazonaws.com|Medium
|3|45.56.79.23|li929-23.members.linode.com|High
|4|52.2.101.52|ec2-52-2-101-52.compute-1.amazonaws.com|Medium
|5|52.21.132.24|ec2-52-21-132-24.compute-1.amazonaws.com|Medium
|6|54.84.252.139|ec2-54-84-252-139.compute-1.amazonaws.com|Medium
|7|54.87.5.88|ec2-54-87-5-88.compute-1.amazonaws.com|Medium
|8|54.88.175.149|ec2-54-88-175-149.compute-1.amazonaws.com|Medium
|9|54.152.181.87|ec2-54-152-181-87.compute-1.amazonaws.com|Medium
|10|78.128.92.96|-|High
|11|85.93.0.0|-|High
|12|87.96.148.0|h87-96-148-0.cust.a3fiber.se|High
|13|87.97.148.0|-|High
|14|87.98.148.0|sbg5-mail-137.bouncer.cloud|High
|15|87.106.18.141|-|High
|16|91.119.56.0|91-119-56-0.dsl.dynamic.surfer.at|High
|17|91.119.216.0|91-119-216-0.dsl.dynamic.surfer.at|High
|18|91.120.56.0|-|High
|19|91.120.216.0|-|High
|20|91.121.56.0|-|High
|21|...|...|...
|========================================

There are 40 more IOC items available. Please use our online service to access the data.

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1211|7PK Security Features|High
|5|T1495|Download of Code Without Integrity Check|High
|6|...|...|...
|========================================

There are 5 more TTP items available. Please use our online service to access the data.

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|+CSCO|Low
|2|File|/cgi-bin/login_action.cgi|High
|3|File|/cns/|Low
|4|File|/DbXmlInfo.xml|High
|5|File|/etc/auditlog-keeper.conf|High
|6|File|/forms/web_importTFTP|High
|7|File|/OA_HTML/cabo/jsps/a.jsp|High
|8|File|/plugin/extended-choice-parameter/js/|High
|9|File|/rest/api/1.0/render|High
|10|File|/shell?cmd|Medium
|11|...|...|...
|========================================

There are 519 more IOA items available. Please use our online service to access the data.

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://blog.talosintelligence.com/2021/01/threat-roundup-0122.html
* https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html
* https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html
* https://blog.talosintelligence.com/2021/02/threat-roundup-0219-0226.html
* https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
* https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
* https://blog.talosintelligence.com/2021/09/threat-roundup-0917-0924.html

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
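Review bot: nine of the twenty visible IOC rows (11 to 14 and 16 to 20) end in .0 and read as network base addresses rather than hosts, and they form arithmetic series (87.96.148.0, 87.97.148.0, 87.98.148.0 in rows 12 to 14; 91.119.56.0, 91.120.56.0, 91.121.56.0 in rows 16, 18 and 20; 91.119.216.0, 91.120.216.0 in rows 17 and 19), which looks like a generator stepping the second octet rather than observed infrastructure; please check these against the source data and, if they really are prefixes, publish them in CIDR form with a prefix length instead of as High-confidence host addresses. The two that do resolve (h87-96-148-0.cust.a3fiber.se, a consumer fibre line, and 91-119-56-0.dsl.dynamic.surfer.at, a dynamic DSL pool) also argue for a lower confidence than the static VPS rows.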
@ -0,0 +1,69 @@
= CetaRAT - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.cetarat[CetaRAT]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.cetarat

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. US
. NL
. SA

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|109.236.85.152|customer.worldstream.nl|High
|2|161.97.142.96|vmi661694.contaboserver.net|High
|3|164.68.104.126|vmd76303.contaboserver.net|High
|4|167.86.75.119|vmi594989.contaboserver.net|High
|5|173.249.41.175|vmi642039.contaboserver.net|High
|========================================

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1068|Execution with Unnecessary Privileges|High
|========================================

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|adclick.php|Medium
|2|File|data/gbconfiguration.dat|High
|3|File|exit.php|Medium
|4|File|goto.php|Medium
|5|File|ipsconnect.php|High
|6|File|redir.php|Medium
|7|File|register/check/username?username|High
|8|Argument|dest|Low
|9|Argument|foaf|Low
|10|Argument|id|Low
|11|...|...|...
|========================================

There are 3 more IOA items available. Please use our online service to access the data.

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
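Review bot: the only reference is a raw indicator text file on S3 (Network_IOCs_list_for_coverage.txt, with a cache-busting query string) rather than an analysis write-up, so the page offers no source that actually describes CetaRAT or explains why the five VPS addresses are attributed to it; linking the Talos post that the file accompanies would let a reader verify the attribution, and the query string can be dropped from the URL. Separately, the IOA rows (exit.php, goto.php, redir.php, and Argument dest) read as open-redirect probe patterns rather than anything a remote-access trojan would emit, which suggests the predictive IOA model is adding noise on a malware-family page; a note on the model's intended scope would help consumers decide whether to ingest that table.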
@ -0,0 +1,85 @@
= Chafer - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.chafer[Chafer]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.chafer

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. US
. RU
. GB
. ...

There are 15 more country items available. Please use our online service to access the data.

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|83.142.230.113|-|High
|2|89.38.97.112|-|High
|3|89.38.97.115|89-38-97-115.hosted-by-worldstream.net|High
|4|91.218.114.225|-|High
|5|94.100.21.213|94-100-21-213.static.hvvc.us|High
|6|134.119.217.84|-|High
|7|134.119.217.87|-|High
|8|148.251.197.113|n38-05.vpsnow.ru|High
|9|185.22.172.40|mx2.privacyrequired.link|High
|10|185.177.59.70|-|High
|========================================

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1211|7PK Security Features|High
|4|T1499|Resource Consumption|High
|5|T1552|Unprotected Storage of Credentials|High
|6|...|...|...
|========================================

There are 1 more TTP items available. Please use our online service to access the data.

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|//etc/RT2870STA.dat|High
|2|File|/cwp_{SESSION_HASH}/admin/loader_ajax.php|High
|3|File|/magnoliaPublic/travel/members/login.html|High
|4|File|/Main_AdmStatus_Content.asp|High
|5|File|/uncpath/|Medium
|6|File|/var/log/nginx|High
|7|File|advertiser.php|High
|8|File|akocomments.php|High
|9|File|al_initialize.php|High
|10|File|category.cfm|Medium
|11|...|...|...
|========================================

There are 42 more IOA items available. Please use our online service to access the data.

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://www.threatminer.org/report.php?q=Chafer_LatestAttacksRevealHeightenedAmbitions_SymantecBlogs.pdf&y=2018
* https://www.threatminer.org/_reports/2019/NewPython-BasedPayloadMechaFlounderUsedbyChafer.pdf#viewer.action=download

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
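Review bot: IOA row 2 (/cwp_{SESSION_HASH}/admin/loader_ajax.php) still contains the template token {SESSION_HASH} and row 1 (//etc/RT2870STA.dat) has a doubled leading slash, so a literal match on either row will never fire; the token needs to become a wildcard or regex and the path should be normalised before the table is published as matchable indicators. Two smaller points on the same hunk: the TTP footer reads "There are 1 more TTP items" (singular/plural mismatch in the shared template), and the second reference URL carries a #viewer.action=download fragment that is never sent to the server and can be dropped.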
@ -0,0 +1,99 @@
|
|||
= Charming Kitten - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.charming_kitten[Charming Kitten]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at https://vuldb.com/?actor.charming_kitten
|
||||
|
||||
== Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
|
||||
|
||||
. US
|
||||
. NL
|
||||
. ES
|
||||
. ...
|
||||
|
||||
There are 17 more country items available. Please use our online service to access the data.
|
||||
|
||||
== IOC - Indicator of Compromise
|
||||
|
||||
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
|
||||
|
||||
[options="header"]
|
||||
|========================================
|
||||
|ID|IP address|Hostname|Confidence
|
||||
|1|5.79.69.198|-|High
|
||||
|2|5.79.69.206|-|High
|
||||
|3|5.79.105.153|-|High
|
||||
|4|5.79.105.156|-|High
|
||||
|5|5.79.105.161|-|High
|
||||
|6|5.79.105.165|-|High
|
||||
|7|5.152.202.51|h5-152-202-51.host.redstation.co.uk|High
|
||||
|8|5.152.202.52|h5-152-202-52.host.redstation.co.uk|High
|
||||
|9|31.3.236.90|h31-3-236-90.host.redstation.co.uk|High
|
||||
|10|31.3.236.91|h31-3-236-91.host.redstation.co.uk|High
|
||||
|11|31.3.236.92|h31-3-236-92.host.redstation.co.uk|High
|
||||
|12|37.220.8.13|h37-220-8-13.host.redstation.co.uk|High
|
||||
|13|46.17.97.37|-|High
|
||||
|14|46.17.97.40|-|High
|
||||
|15|46.17.97.240|-|High
|
||||
|16|46.17.97.243|-|High
|
||||
|17|51.254.254.217|me14.mecide.com|High
|
||||
|18|51.255.28.57|-|High
|
||||
|19|54.36.217.8|ip8.ip-54-36-217.eu|High
|
||||
|20|54.37.164.254|ip254.ip-54-37-164.eu|High
|
||||
|21|...|...|...
|
||||
|========================================
|
||||
|
||||
There are 87 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
== TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
[options="header"]
|
||||
|========================================
|
||||
|ID|Technique|Access Vector|Confidence
|
||||
|1|T1040|Authentication Bypass by Capture-replay|High
|
||||
|2|T1059.007|Cross Site Scripting|High
|
||||
|3|T1068|Execution with Unnecessary Privileges|High
|
||||
|4|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|
||||
|5|T1211|7PK Security Features|High
|
||||
|6|...|...|...
|
||||
|========================================
|
||||
|
||||
There are 6 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
== IOA - Indicator of Attack
|
||||
|
||||
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
[options="header"]
|
||||
|========================================
|
||||
|ID|Class|Indicator|Confidence
|
||||
|1|File|'phpshell.php|High
|
||||
|2|File|..\WWWRoot\CustomPages\aspshell.asp|High
|
||||
|3|File|/about-us/locations/index|High
|
||||
|4|File|/admin/|Low
|
||||
|5|File|/admin/account/changepassword|High
|
||||
|6|File|/admin/index.php|High
|
||||
|7|File|/admin/pin/websitepin|High
|
||||
|8|File|/admin_giant/add_gallery.php|High
|
||||
|9|File|/admin_giant/add_team_member.php|High
|
||||
|10|File|/api/addusers|High
|
||||
|11|...|...|...
|
||||
|========================================
|
||||
|
||||
There are 1236 more IOA items available. Please use our online service to access the data.
|
||||
|
||||
== References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities.
|
||||
|
||||
* https://github.com/blackorbird/APT_REPORT/tree/master/Charming%20Kitten
|
||||
* https://vxug.fakedoma.in/archive/APTs/2021/2021.01.08/Charming%20Kitten.pdf
|
||||
* https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf
|
||||
|
||||
== License
|
||||
|
||||
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
|
|
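Review bot: the TTP table in this hunk (the rows from `|1|T1040|Authentication Bypass by Capture-replay|High` to `|5|T1211|7PK Security Features|High`) labels its third column "Access Vector" but fills it with CWE weakness names, and none of them is the ATT&CK name of the technique in the same row: T1040 is Network Sniffing, T1059.007 is Command and Scripting Interpreter: JavaScript, T1068 is Exploitation for Privilege Escalation, T1110.001 is Brute Force: Password Guessing and T1211 is Exploitation for Defense Evasion. If the column is the CWE that the predictive model mapped onto the technique, rename the header to something like "Related CWE" and say so in the section intro, otherwise readers will treat the pairing as an ATT&CK fact. Smaller: the IOA row `|1|File|'phpshell.php|High` carries a stray leading apostrophe in the indicator, which will break exact-match rules built from this table.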
@ -0,0 +1,26 @@
|
|||
= ChessMaster - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.chessmaster[ChessMaster]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at https://vuldb.com/?actor.chessmaster
|
||||
|
||||
== IOC - Indicator of Compromise
|
||||
|
||||
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
|
||||
|
||||
[options="header"]
|
||||
|========================================
|
||||
|ID|IP address|Hostname|Confidence
|
||||
|1|62.75.197.131|static-ip-62-75-197-131.inaddr.ip-pool.com|High
|
||||
|2|89.18.27.159|-|High
|
||||
|========================================
|
||||
|
||||
== References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities.
|
||||
|
||||
* https://www.threatminer.org/report.php?q=ChessMaster%E2%80%99sNewStrategy_EvolvingToolsandTactics-TrendLabsSecurityIntelligenceBlog.pdf&y=2017
|
||||
|
||||
== License
|
||||
|
||||
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
|
|
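Review bot: "ressources" in the IOC intro line (`The indicators of compromise indicate associated network ressources ...`) should be "resources"; the same misspelling appears in every generated file, so fix it in the template rather than here. Also, both IOC rows come from a single 2017 report (the threatminer URL ends in `&y=2017`) and the table has no first-seen or last-seen column, so a reader cannot tell that the `static-ip-62-75-197-131.inaddr.ip-pool.com` PTR reflects hosting from four years ago; consider adding the observation date next to the confidence value before anyone turns these two rows into a block rule.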
@ -0,0 +1,95 @@
|
|||
= Chimera - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.chimera[Chimera]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at https://vuldb.com/?actor.chimera
|
||||
|
||||
== Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
|
||||
|
||||
. US
|
||||
. CN
|
||||
. NU
|
||||
. ...
|
||||
|
||||
There are 3 more country items available. Please use our online service to access the data.
|
||||
|
||||
== IOC - Indicator of Compromise
|
||||
|
||||
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
|
||||
|
||||
[options="header"]
|
||||
|========================================
|
||||
|ID|IP address|Hostname|Confidence
|
||||
|1|1.3.35.342|-|High
|
||||
|2|5.254.64.234|-|High
|
||||
|3|5.254.112.226|-|High
|
||||
|4|14.229.140.66|static.vnpt.vn|High
|
||||
|5|23.236.77.94|-|High
|
||||
|6|39.109.5.135|-|High
|
||||
|7|43.250.200.106|-|High
|
||||
|8|43.250.201.71|-|High
|
||||
|9|45.9.248.74|te-4-3-177.pe2.man4.uk.m247.com|High
|
||||
|10|47.75.0.147|-|High
|
||||
|11|59.47.4.27|27.4.47.59.broad.bx.ln.dynamic.163data.com.cn|High
|
||||
|12|103.51.145.123|smtphk.71.com|High
|
||||
|13|119.39.248.20|-|High
|
||||
|14|119.39.248.32|-|High
|
||||
|15|119.39.248.101|-|High
|
||||
|16|120.227.35.98|-|High
|
||||
|17|172.111.210.53|-|High
|
||||
|18|185.170.210.84|-|High
|
||||
|19|188.72.99.41|-|High
|
||||
|20|220.202.152.47|-|High
|
||||
|========================================
|
||||
|
||||
== TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
[options="header"]
|
||||
|========================================
|
||||
|ID|Technique|Access Vector|Confidence
|
||||
|1|T1059.007|Cross Site Scripting|High
|
||||
|2|T1068|Execution with Unnecessary Privileges|High
|
||||
|3|T1211|7PK Security Features|High
|
||||
|4|T1499|Resource Consumption|High
|
||||
|5|T1566.003|Clickjacking|High
|
||||
|6|...|...|...
|
||||
|========================================
|
||||
|
||||
There are 1 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
== IOA - Indicator of Attack
|
||||
|
||||
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
[options="header"]
|
||||
|========================================
|
||||
|ID|Class|Indicator|Confidence
|
||||
|1|File|%windir%\Internet Logs\|High
|
||||
|2|File|/admin/system/database/filedown.php|High
|
||||
|3|File|/cgi-bin/supervisor/adcommand.cgi|High
|
||||
|4|File|/common/info.cgi|High
|
||||
|5|File|/getcfg.php|Medium
|
||||
|6|File|/uncpath/|Medium
|
||||
|7|File|/usr/local/www/csrf/csrf-magic.php|High
|
||||
|8|File|admin/index.php?n=ui_set&m=admin&c=index&a=doget_text_content&table=lang&field=1|High
|
||||
|9|File|administrator/components/com_media/helpers/media.php|High
|
||||
|10|File|APPFLT.SYS|Medium
|
||||
|11|...|...|...
|
||||
|========================================
|
||||
|
||||
There are 115 more IOA items available. Please use our online service to access the data.
|
||||
|
||||
== References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities.
|
||||
|
||||
* https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf
|
||||
* https://vxug.fakedoma.in/archive/APTs/2021/2021.01.12/Chimera.pdf
|
||||
|
||||
== License
|
||||
|
||||
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
|
|
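Review bot: `|1|1.3.35.342|-|High` in the IOC table is not a valid IPv4 address (the last octet 342 exceeds 255), so this row is a transcription error and will be rejected or silently dropped by anything that parses the table into a blocklist; check the source report and either correct or remove it. Two smaller points in the same hunk: `There are 1 more TTP items available.` should read `There is 1 more TTP item available.` (the count is templated, so handle the singular in the generator), and the IOC intro still spells "ressources". The TTP row `|5|T1566.003|Clickjacking|High` also pairs Spearphishing via Service with a CWE name under an "Access Vector" header, which misleads in the same way as the other tables.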
@ -0,0 +1,38 @@
|
|||
= China Unknown - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.china_unknown[China Unknown]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at https://vuldb.com/?actor.china_unknown
|
||||
|
||||
== Campaigns
|
||||
|
||||
The following campaigns are known and can be associated with the actor.
|
||||
|
||||
- RedXOR
|
||||
|
||||
== Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
|
||||
|
||||
. CN
|
||||
|
||||
== IOC - Indicator of Compromise
|
||||
|
||||
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
|
||||
|
||||
[options="header"]
|
||||
|========================================
|
||||
|ID|IP address|Hostname|Confidence
|
||||
|1|34.92.228.216|216.228.92.34.bc.googleusercontent.com|Medium
|
||||
|2|158.247.208.230|158.247.208.230.vultr.com|Medium
|
||||
|========================================
|
||||
|
||||
== References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities.
|
||||
|
||||
* https://vxug.fakedoma.in/archive/APTs/2021/2021.03.10(1)/RedXOR.pdf
|
||||
|
||||
== License
|
||||
|
||||
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
|
|
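Review bot: both IOC rows (`|1|34.92.228.216|216.228.92.34.bc.googleusercontent.com|Medium` and `|2|158.247.208.230|158.247.208.230.vultr.com|Medium`) are rented cloud instances whose addresses are recycled to other tenants once the campaign ends, which is presumably why they are Medium; a sentence in the IOC intro saying that cloud-hosted indicators are time-bounded, plus the observation date from the RedXOR report, would stop readers from blocking a Google Cloud address indefinitely. The intro also still says "ressources".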
@ -0,0 +1,95 @@
|
|||
= Chthonic - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.chthonic[Chthonic]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at https://vuldb.com/?actor.chthonic
|
||||
|
||||
== Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
|
||||
|
||||
. PL
|
||||
. DE
|
||||
. US
|
||||
. ...
|
||||
|
||||
There are 3 more country items available. Please use our online service to access the data.
|
||||
|
||||
== IOC - Indicator of Compromise
|
||||
|
||||
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
|
||||
|
||||
[options="header"]
|
||||
|========================================
|
||||
|ID|IP address|Hostname|Confidence
|
||||
|1|40.70.224.146|-|High
|
||||
|2|51.254.83.231|pob01.mulx.net|High
|
||||
|3|52.137.90.34|-|High
|
||||
|4|52.185.71.28|-|High
|
||||
|5|79.133.44.139|-|High
|
||||
|6|82.197.164.46|aquila.init7.net|High
|
||||
|7|85.199.214.98|-|High
|
||||
|8|88.198.193.213|static.88-198-193-213.clients.your-server.de|High
|
||||
|9|91.198.10.1|shyber.tntu.edu.ua|High
|
||||
|10|91.209.0.17|ntp-b.0x5e.se|High
|
||||
|11|91.236.251.129|mail.agrogradv.com|High
|
||||
|12|92.62.34.78|-|High
|
||||
|13|104.215.148.63|-|High
|
||||
|14|151.80.44.158|vega.ap-i.net|High
|
||||
|15|159.253.242.123|ip-159-253-242-123.rev.snt.net.pl|High
|
||||
|16|172.217.222.113|qi-in-f113.1e100.net|High
|
||||
|17|176.9.1.211|hotel.zq1.de|High
|
||||
|18|184.105.192.2|184-105-192-2.sinkhole.shadowserver.org|High
|
||||
|19|195.113.20.2|vpn.ms.mff.cuni.cz|High
|
||||
|20|213.154.236.182|services.freshdot.net|High
|
||||
|21|...|...|...
|
||||
|========================================
|
||||
|
||||
There are 1 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
== TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
[options="header"]
|
||||
|========================================
|
||||
|ID|Technique|Access Vector|Confidence
|
||||
|1|T1059.007|Cross Site Scripting|High
|
||||
|2|T1068|Execution with Unnecessary Privileges|High
|
||||
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|
||||
|4|T1211|7PK Security Features|High
|
||||
|5|T1499|Resource Consumption|High
|
||||
|========================================
|
||||
|
||||
== IOA - Indicator of Attack
|
||||
|
||||
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
[options="header"]
|
||||
|========================================
|
||||
|ID|Class|Indicator|Confidence
|
||||
|1|File|/tmp|Low
|
||||
|2|File|admin/?n=tags&c=index&a=doSaveTags|High
|
||||
|3|File|AniGIF.ocx|Medium
|
||||
|4|File|config.php|Medium
|
||||
|5|File|data/gbconfiguration.dat|High
|
||||
|6|File|ext/gd/libgd/gd_interpolation.c|High
|
||||
|7|File|http_auth.c|Medium
|
||||
|8|File|index.php|Medium
|
||||
|9|File|install.php|Medium
|
||||
|10|File|login.php|Medium
|
||||
|11|...|...|...
|
||||
|========================================
|
||||
|
||||
There are 20 more IOA items available. Please use our online service to access the data.
|
||||
|
||||
== References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities.
|
||||
|
||||
* https://blog.talosintelligence.com/2021/01/threat-roundup-0122.html
|
||||
* https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
|
||||
|
||||
== License
|
||||
|
||||
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
|
|
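Review bot: several High-confidence IOC rows in this hunk are shared or defensive infrastructure rather than actor C2: `|18|184.105.192.2|184-105-192-2.sinkhole.shadowserver.org|High` is a Shadowserver sinkhole (a sample resolving to it means the domain has been taken over, not that the address is hostile), `|16|172.217.222.113|qi-in-f113.1e100.net|High` is Google front-end space, and `ntp-b.0x5e.se` and `vpn.ms.mff.cuni.cz` look like a public NTP server and a university VPN gateway. Anyone feeding this table to a firewall will block sinkholes and Google; either downgrade these rows or add a column that separates "contacted by sample" from "attacker-controlled". Also, `There are 1 more IOC items available.` needs the singular, and the IOC intro spells "ressources".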
@ -0,0 +1,99 @@
|
|||
= Cleaver - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.cleaver[Cleaver]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at https://vuldb.com/?actor.cleaver
|
||||
|
||||
== Campaigns
|
||||
|
||||
The following campaigns are known and can be associated with the actor.
|
||||
|
||||
- Cleaver
|
||||
|
||||
== Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
|
||||
|
||||
. US
|
||||
. CA
|
||||
. NL
|
||||
. ...
|
||||
|
||||
There are 6 more country items available. Please use our online service to access the data.
|
||||
|
||||
== IOC - Indicator of Compromise
|
||||
|
||||
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
|
||||
|
||||
[options="header"]
|
||||
|========================================
|
||||
|ID|IP address|Hostname|Confidence
|
||||
|1|23.238.17.181|s1.regulatorfix.com|High
|
||||
|2|50.23.164.161|a1.a4.1732.ip4.static.sl-reverse.com|High
|
||||
|3|64.120.128.154|-|High
|
||||
|4|64.120.208.74|-|High
|
||||
|5|64.120.208.75|-|High
|
||||
|6|64.120.208.76|-|High
|
||||
|7|64.120.208.78|-|High
|
||||
|8|66.96.252.198|host-66-96-252-198.myrepublic.co.id|High
|
||||
|9|78.109.194.96|-|High
|
||||
|10|78.109.194.114|-|High
|
||||
|11|80.243.182.149|149-182-243-80.rackcentre.redstation.net.uk|High
|
||||
|12|87.98.167.71|-|High
|
||||
|13|87.98.167.85|ip85.ip-87-98-167.eu|High
|
||||
|14|87.98.167.141|-|High
|
||||
|15|88.150.214.162|h88-150-214-162.host.redstation.co.uk|High
|
||||
|16|88.150.214.166|h88-150-214-166.host.redstation.co.uk|High
|
||||
|17|88.150.214.168|h88-150-214-168.host.redstation.co.uk|High
|
||||
|18|88.150.214.170|h88-150-214-170.host.redstation.co.uk|High
|
||||
|19|95.211.191.225|-|High
|
||||
|20|95.211.191.247|-|High
|
||||
|21|...|...|...
|
||||
|========================================
|
||||
|
||||
There are 20 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
== TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
[options="header"]
|
||||
|========================================
|
||||
|ID|Technique|Access Vector|Confidence
|
||||
|1|T1059.007|Cross Site Scripting|High
|
||||
|2|T1068|Execution with Unnecessary Privileges|High
|
||||
|3|T1587.003|Improper Certificate Validation|High
|
||||
|========================================
|
||||
|
||||
== IOA - Indicator of Attack
|
||||
|
||||
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
[options="header"]
|
||||
|========================================
|
||||
|ID|Class|Indicator|Confidence
|
||||
|1|File|/forum/away.php|High
|
||||
|2|File|/home/httpd/cgi-bin/cgi.cgi|High
|
||||
|3|File|adclick.php|Medium
|
||||
|4|File|data/gbconfiguration.dat|High
|
||||
|5|File|Default.aspx|Medium
|
||||
|6|File|inc/config.php|High
|
||||
|7|File|libraries/idna_convert/example.php|High
|
||||
|8|File|mod_proxy_fcgi.c|High
|
||||
|9|File|ogp_show.php|Medium
|
||||
|10|File|redir.php|Medium
|
||||
|11|...|...|...
|
||||
|========================================
|
||||
|
||||
There are 17 more IOA items available. Please use our online service to access the data.
|
||||
|
||||
== References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities.
|
||||
|
||||
* https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf
|
||||
* https://www.threatminer.org/report.php?q=Cylance_Operation_Cleaver_Report.pdf&y=2014
|
||||
|
||||
== License
|
||||
|
||||
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
|
|
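Review bot: the two references point at the same document (the Cylance Operation Cleaver report and its threatminer mirror, dated 2014 by the `&y=2014` parameter), so every IOC row in this hunk is about seven years old and the table carries no date: the redstation.co.uk, sl-reverse.com and ip-87-98-167.eu rows are commodity hosting PTRs that will long since have been reassigned. Add a first-seen/last-seen column or a staleness note in the IOC intro rather than shipping them at High. In the TTP table, `|3|T1587.003|Improper Certificate Validation|High` pairs ATT&CK's Develop Capabilities: Digital Certificates with CWE-295, a defender-side weakness, so the "Access Vector" header misleads here as in the other tables. The IOC intro also spells "ressources".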
@ -0,0 +1,99 @@
|
|||
= Cobalt Group - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.cobalt_group[Cobalt Group]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at https://vuldb.com/?actor.cobalt_group
|
||||
|
||||
== Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
|
||||
|
||||
. DE
|
||||
. PL
|
||||
. IT
|
||||
. ...
|
||||
|
||||
There are 8 more country items available. Please use our online service to access the data.
|
||||
|
||||
== IOC - Indicator of Compromise
|
||||
|
||||
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
|
||||
|
||||
[options="header"]
|
||||
|========================================
|
||||
|ID|IP address|Hostname|Confidence
|
||||
|1|5.45.66.161|-|High
|
||||
|2|5.135.237.216|-|High
|
||||
|3|23.152.0.210|nordns.crowncloud.net|High
|
||||
|4|23.249.164.26|-|High
|
||||
|5|37.1.207.202|free.ispiria.net|High
|
||||
|6|46.21.147.61|61.147.21.46.in-addr.arpa|High
|
||||
|7|46.102.152.157|-|High
|
||||
|8|52.15.209.133|ec2-52-15-209-133.us-east-2.compute.amazonaws.com|Medium
|
||||
|9|85.204.74.117|-|High
|
||||
|10|86.106.131.207|-|High
|
||||
|11|95.142.39.109|vm480817.eurodir.ru|High
|
||||
|12|96.44.188.57|hosted-by.securefastserver.com|High
|
||||
|13|104.144.207.207|mta14.veiligheidsprotocol.info|High
|
||||
|14|138.68.234.128|-|High
|
||||
|15|139.60.163.10|-|High
|
||||
|16|142.91.104.135|i2.alluringpleasuresforu.com|High
|
||||
|17|149.56.115.70|-|High
|
||||
|18|173.254.204.67|limitu.csmilectp.co.uk|High
|
||||
|19|176.9.99.134|gtw02.rankingcoach.com|High
|
||||
|20|185.82.202.232|-|High
|
||||
|========================================
|
||||
|
||||
== TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
[options="header"]
|
||||
|========================================
|
||||
|ID|Technique|Access Vector|Confidence
|
||||
|1|T1040|Authentication Bypass by Capture-replay|High
|
||||
|2|T1059.007|Cross Site Scripting|High
|
||||
|3|T1068|Execution with Unnecessary Privileges|High
|
||||
|4|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|
||||
|5|T1211|7PK Security Features|High
|
||||
|6|...|...|...
|
||||
|========================================
|
||||
|
||||
There are 10 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
== IOA - Indicator of Attack
|
||||
|
||||
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
[options="header"]
|
||||
|========================================
|
||||
|ID|Class|Indicator|Confidence
|
||||
|1|File|%PROGRAMDATA%\WrData\PKG|High
|
||||
|2|File|%PROGRAMFILES%\Cylance\Desktop\log|High
|
||||
|3|File|.gitolite.rc|Medium
|
||||
|4|File|.xserverrc|Medium
|
||||
|5|File|/+CSCOE+/logon.html|High
|
||||
|6|File|/.vnc/sesman_${username}_passwd|High
|
||||
|7|File|/32|Low
|
||||
|8|File|/?/admin/page/edit/3|High
|
||||
|9|File|/?/admin/snippet/add|High
|
||||
|10|File|/?mobile=1|Medium
|
||||
|11|...|...|...
|
||||
|========================================
|
||||
|
||||
There are 2395 more IOA items available. Please use our online service to access the data.
|
||||
|
||||
== References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities.
|
||||
|
||||
* https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html
|
||||
* https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-integrates-cve-2017-0199-utilized-cobalt-group-target
|
||||
* https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf
|
||||
* https://www.riskiq.com/blog/labs/cobalt-group-spear-phishing-russian-banks/
|
||||
* https://www.riskiq.com/blog/labs/cobalt-strike/
|
||||
* https://www.trendmicro.com/en_us/research/17/k/cobalt-spam-runs-use-macros-cve-2017-8759-exploit.html
|
||||
|
||||
== License
|
||||
|
||||
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
|
|
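Review bot: `|6|46.21.147.61|61.147.21.46.in-addr.arpa|High` puts the reverse-lookup name itself in the Hostname column; an in-addr.arpa label is the PTR query, not a hostname, and should be rendered as `-` like the other rows without a PTR answer. Separately, `https://www.riskiq.com/blog/labs/cobalt-strike/` in the References is, by its slug, a post about the Cobalt Strike tooling rather than about the Cobalt Group actor; confirm it actually attributes activity to this group before keeping it, since the name overlap is exactly the confusion an actor page should avoid. The IOC intro also spells "ressources".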
@ -0,0 +1,81 @@
|
|||
= Cobalt Strike - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.cobalt_strike[Cobalt Strike]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at https://vuldb.com/?actor.cobalt_strike
|
||||
|
||||
== Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
|
||||
|
||||
. CN
|
||||
. US
|
||||
. IT
|
||||
. ...
|
||||
|
||||
There are 2 more country items available. Please use our online service to access the data.
|
||||
|
||||
== IOC - Indicator of Compromise
|
||||
|
||||
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
|
||||
|
||||
[options="header"]
|
||||
|========================================
|
||||
|ID|IP address|Hostname|Confidence
|
||||
|1|23.108.57.108|-|High
|
||||
|2|62.128.111.176|polyminners.nl|High
|
||||
|3|82.118.21.221|vds-805975.hosted-by-itldc.com|High
|
||||
|4|83.171.237.173|83.171.237.173.static.as201206.net|High
|
||||
|5|86.105.18.116|-|High
|
||||
|6|89.34.111.11|-|High
|
||||
|7|192.99.221.77|ip77.ip-192-99-221.net|High
|
||||
|8|208.75.122.11|rs6.net|High
|
||||
|========================================
|
||||
|
||||
== TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
[options="header"]
|
||||
|========================================
|
||||
|ID|Technique|Access Vector|Confidence
|
||||
|1|T1059.007|Cross Site Scripting|High
|
||||
|2|T1068|Execution with Unnecessary Privileges|High
|
||||
|3|T1499|Resource Consumption|High
|
||||
|========================================
|
||||
|
||||
== IOA - Indicator of Attack
|
||||
|
||||
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
[options="header"]
|
||||
|========================================
|
||||
|ID|Class|Indicator|Confidence
|
||||
|1|File|/etc/tomcat8/Catalina/attack|High
|
||||
|2|File|/notice-edit.php|High
|
||||
|3|File|archive_read_support_format_rar5.c|High
|
||||
|4|File|burl.c|Low
|
||||
|5|File|CFM File Handler|High
|
||||
|6|File|http_auth.c|Medium
|
||||
|7|File|profile.php?cmd=download|High
|
||||
|8|File|ViewLog.asp|Medium
|
||||
|9|Argument|aid|Low
|
||||
|10|Argument|display name/title name/content|High
|
||||
|11|...|...|...
|
||||
|========================================
|
||||
|
||||
There are 3 more IOA items available. Please use our online service to access the data.
|
||||
|
||||
== References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities.
|
||||
|
||||
* https://twitter.com/malware_traffic/status/1400876426497253379
|
||||
* https://twitter.com/malware_traffic/status/1415740795622248452
|
||||
* https://twitter.com/Unit42_Intel/status/1392174941181812737
|
||||
* https://us-cert.cisa.gov/ncas/alerts/aa21-148a
|
||||
* https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
|
||||
|
||||
== License
|
||||
|
||||
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
|
|
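Review bot: this file describes Cobalt Strike, a commercial post-exploitation framework used by many unrelated operators, with the same "actor" template as the other pages, so the IOC and TTP tables aggregate whoever happened to be running a team server in the referenced reports (the CISA AA21-148A alert and the ESET Exchange post each cover several distinct groups). Say in the intro that the "actor" here is a tool family, or rename the page, so nobody pivots from these rows to an attribution. Two rows also look wrong on their own: `|8|208.75.122.11|rs6.net|High` has a PTR that looks like a shared commercial e-mail marketing domain and is unlikely to be attacker infrastructure at High confidence, and `|5|File|CFM File Handler|High` in the IOA table is a component name, not a file path, and belongs in a different Class. The IOC intro spells "ressources".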
@ -0,0 +1,104 @@
|
|||
= CoinMiner - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.coinminer[CoinMiner]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at https://vuldb.com/?actor.coinminer
|
||||
|
||||
== Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
|
||||
|
||||
. DE
|
||||
. NL
|
||||
. US
|
||||
. ...
|
||||
|
||||
There are 9 more country items available. Please use our online service to access the data.
|
||||
|
||||
== IOC - Indicator of Compromise
|
||||
|
||||
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
|
||||
|
||||
[options="header"]
|
||||
|========================================
|
||||
|ID|IP address|Hostname|Confidence
|
||||
|1|5.196.13.29|29.ip-5-196-13.eu|High
|
||||
|2|5.196.23.240|240.ip-5-196-23.eu|High
|
||||
|3|13.107.21.200|-|High
|
||||
|4|18.210.126.40|ec2-18-210-126-40.compute-1.amazonaws.com|Medium
|
||||
|5|23.21.48.44|ec2-23-21-48-44.compute-1.amazonaws.com|Medium
|
||||
|6|23.21.76.253|ec2-23-21-76-253.compute-1.amazonaws.com|Medium
|7|23.21.126.66|ec2-23-21-126-66.compute-1.amazonaws.com|Medium
|8|23.21.140.41|ec2-23-21-140-41.compute-1.amazonaws.com|Medium
|9|23.21.252.4|ec2-23-21-252-4.compute-1.amazonaws.com|Medium
|10|49.12.80.38|static.38.80.12.49.clients.your-server.de|High
|11|49.12.80.40|static.40.80.12.49.clients.your-server.de|High
|12|50.19.96.218|ec2-50-19-96-218.compute-1.amazonaws.com|Medium
|13|50.19.252.36|ec2-50-19-252-36.compute-1.amazonaws.com|Medium
|14|51.15.54.102|102-54-15-51.instances.scw.cloud|High
|15|51.15.58.224|224-58-15-51.instances.scw.cloud|High
|16|51.15.65.182|182-65-15-51.instances.scw.cloud|High
|17|51.15.67.17|17-67-15-51.instances.scw.cloud|High
|18|51.15.69.136|136-69-15-51.instances.scw.cloud|High
|19|51.15.78.68|68-78-15-51.instances.scw.cloud|High
|20|51.68.21.188|ip188.ip-51-68-21.eu|High
|21|...|...|...
|========================================

There are 37 more IOC items available. Please use our online service to access the data.

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1040|Authentication Bypass by Capture-replay|High
|2|T1059.007|Cross Site Scripting|High
|3|T1068|Execution with Unnecessary Privileges|High
|4|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|5|T1211|7PK Security Features|High
|6|...|...|...
|========================================

There are 8 more TTP items available. Please use our online service to access the data.

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|%windir%\Internet Logs\|High
|2|File|.htaccess|Medium
|3|File|.imwheelrc|Medium
|4|File|.jpilot|Low
|5|File|.php|Low
|6|File|.plan|Low
|7|File|.tin|Low
|8|File|/?Key=PhoneRequestAuthorization|High
|9|File|/adfs/ls|Medium
|10|File|/api/users/admin/check|High
|11|...|...|...
|========================================

There are 760 more IOA items available. Please use our online service to access the data.

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html
* https://blog.talosintelligence.com/2021/02/threat-roundup-0219-0226.html
* https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
* https://blog.talosintelligence.com/2021/04/threat-roundup-0416-0423.html
* https://blog.talosintelligence.com/2021/05/threat-roundup-0507-0514.html
* https://blog.talosintelligence.com/2021/06/threat-roundup-0604-0611.html
* https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
* https://blog.talosintelligence.com/2021/06/threat-roundup-0617-0624.html

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

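Review bot: the third column of the TTP table is headed "Access Vector" but holds weakness names ("Cross Site Scripting" beside T1059.007, "7PK Security Features" beside T1211, "Authentication Bypass by Capture-replay" beside T1040), not access vectors; the ATT&CK technique ID and the CWE-style label describe different things, so a reader will take the label for the technique's name. Suggest renaming the column (for example "Associated Weakness") or adding the ATT&CK technique name as its own column. The same header is emitted in every TTP table in this commit, so the fix belongs in the generator template.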
@ -0,0 +1,32 @@
= Comnie - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.comnie[Comnie]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.comnie

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. IT

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|113.196.70.11|113.196.70.11.ll.static.sparqnet.net|High
|2|121.126.211.94|-|High
|========================================

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://www.threatminer.org/report.php?q=ComnieContinuestoTargetOrganizationsinEastAsia_PaloAltoNetworks.pdf&y=2018

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

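Review bot: "ressources" in the IOC section intro ("The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.") should read "resources". The identical sentence is emitted in every file of this commit, so correct the template that produces it rather than this one file.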
@ -0,0 +1,100 @@
= Confucius - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.confucius[Confucius]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.confucius

== Campaigns

The following campaigns are known and can be associated with the actor.

- Tibbar

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. US
. LU
. DE
. ...

There are 5 more country items available. Please use our online service to access the data.

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.39.23.192|ip192.ip-5-39-23.eu|High
|2|5.135.85.16|flotweb-o20.bestonthenet.fr|High
|3|46.165.207.98|-|High
|4|46.165.207.99|-|High
|5|46.165.207.108|-|High
|6|46.165.207.109|-|High
|7|46.165.207.112|-|High
|8|46.165.207.113|-|High
|9|46.165.207.114|-|High
|10|46.165.207.116|-|High
|11|46.165.207.120|v608.ce02.fra-10.de.leaseweb.net|High
|12|46.165.207.132|-|High
|13|46.165.207.134|-|High
|14|46.165.207.138|-|High
|15|46.165.207.140|-|High
|16|46.165.207.142|-|High
|17|46.165.249.223|-|High
|18|78.128.92.101|-|High
|19|91.210.107.107|-|High
|20|91.210.107.108|-|High
|21|...|...|...
|========================================

There are 21 more IOC items available. Please use our online service to access the data.

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1211|7PK Security Features|High
|4|T1600|Cryptographic Issues|High
|========================================

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|.rediscli_history|High
|2|File|/admin/index.php|High
|3|File|/core/vb/vurl.php|High
|4|File|/forum/away.php|High
|5|File|/out.php|Medium
|6|File|/uncpath/|Medium
|7|File|adclick.php|Medium
|8|File|admin-ajax.php|High
|9|File|admin/index.php|High
|10|File|administrator/components/com_media/helpers/media.php|High
|11|...|...|...
|========================================

There are 89 more IOA items available. Please use our online service to access the data.

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://github.com/blackorbird/APT_REPORT/blob/master/Confucius/OperationTibbar-A-retaliatory-targeted-attack-from-SouthAsian-APT-Group-Confucius.pdf
* https://www.threatminer.org/report.php?q=Confucius%C2%A0Says%E2%80%A6Malware%C2%A0Families%C2%A0Get%C2%A0Further-PaloAltoNetworks.pdf&y=2016

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

@ -0,0 +1,86 @@
= Conti - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.conti[Conti]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.conti

== Campaigns

The following campaigns are known and can be associated with the actor.

- Cobalt Strike

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. DE
. US
. TR
. ...

There are 4 more country items available. Please use our online service to access the data.

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|23.82.140.137|-|High
|2|23.106.160.174|-|High
|3|82.118.21.1|77626-46583.hyperdomen.com|High
|4|85.93.88.165|malta2419.startdedicated.com|High
|5|89.45.4.98|-|High
|6|162.244.80.235|-|High
|7|185.141.63.120|-|High
|========================================

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1211|7PK Security Features|High
|4|T1499|Resource Consumption|High
|5|T1600|Cryptographic Issues|High
|========================================

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/bin/bw|Low
|2|File|/etc/tomcat8/Catalina/attack|High
|3|File|/servlet/webacc|High
|4|File|/uncpath/|Medium
|5|File|abook_database.php|High
|6|File|add_comment.php|High
|7|File|admin/index.php/template/upload|High
|8|File|agent/Core/Controller/SendRequest.cpp|High
|9|File|AjaxResponse.jsp|High
|10|File|apl_42.c|Medium
|11|...|...|...
|========================================

There are 181 more IOA items available. Please use our online service to access the data.

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://github.com/sophoslabs/IoCs/blob/master/Ransomware-Conti.csv
* https://therecord.media/disgruntled-ransomware-affiliate-leaks-the-conti-gangs-technical-manuals/
* https://twitter.com/vxunderground/status/1414809517993435139

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

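Review bot: "Cobalt Strike" is listed under "== Campaigns" ("The following campaigns are known and can be associated with the actor."), but it is a commercial adversary-simulation framework, i.e. tooling the actor uses, not a campaign name. Consumers who key on campaign names for correlation will be misled; suggest moving it to a tools or malware field, or dropping it from the campaign list for this actor.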
@ -0,0 +1,106 @@
= CopyKittens - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.copykittens[CopyKittens]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.copykittens

== Campaigns

The following campaigns are known and can be associated with the actor.

- Wilted Tulip

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. PL
. DE
. FR
. ...

There are 12 more country items available. Please use our online service to access the data.

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.34.180.252|vds-uuallex-113169.hosted-by-itldc.com|High
|2|5.34.181.13|backups231.com|High
|3|31.192.105.16|-|High
|4|31.192.105.17|wikileaks.org|High
|5|31.192.105.28|-|High
|6|38.130.75.20|h20-us75.fcsrv.net|High
|7|51.254.76.54|-|High
|8|62.109.2.52|ns.leangroup.ru|High
|9|62.109.2.109|mediclick.ru|High
|10|66.55.152.164|66-55-152-164.choopa.net|High
|11|68.232.180.122|68-232-180-122.choopa.net|High
|12|80.179.42.37|80.179.42.37.forward.012.net.il|High
|13|80.179.42.44|lnkrten-dazling.linegrace.com|High
|14|86.105.18.5|-|High
|15|93.190.138.137|93-190-138-137.hosted-by-worldstream.net|High
|16|104.200.128.48|-|High
|17|104.200.128.58|-|High
|18|104.200.128.64|-|High
|19|104.200.128.71|-|High
|20|104.200.128.126|-|High
|21|...|...|...
|========================================

There are 64 more IOC items available. Please use our online service to access the data.

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1040|Authentication Bypass by Capture-replay|High
|2|T1059.007|Cross Site Scripting|High
|3|T1068|Execution with Unnecessary Privileges|High
|4|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|5|T1211|7PK Security Features|High
|6|...|...|...
|========================================

There are 10 more TTP items available. Please use our online service to access the data.

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|%LOCALAPPDATA%\Zemana\ZALSDK\MyRules2.ini|High
|2|File|.backup/|Medium
|3|File|.gemspec|Medium
|4|File|.mscreenrc|Medium
|5|File|.pref.xml|Medium
|6|File|/?ajax-request=jnews|High
|7|File|/?mobile=1|Medium
|8|File|/admin|Low
|9|File|/ADMIN.ASP|Medium
|10|File|/admin.php/Foodcat/editsave|High
|11|...|...|...
|========================================

There are 2712 more IOA items available. Please use our online service to access the data.

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf
* https://www.clearskysec.com/copykitten-jpost/
* https://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf
* https://www.threatminer.org/report.php?q=CopyKittens-MinervaandClearsky.pdf&y=2015

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

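Review bot: IOC row 4 (`|4|31.192.105.17|wikileaks.org|High`) pairs a High-confidence address with the hostname of a well-known public site. The Hostname column elsewhere in this commit looks like the reverse DNS of the address (the `ec2-...compute-1.amazonaws.com` and `static....clients.your-server.de` entries), and a consumer who feeds this column into a hostname blocklist would block wikileaks.org outright. Suggest stating in the IOC section intro that the hostname is the PTR record for the address and not an indicator in its own right, and leaving the hostname blank ("-") on rows where it names an unrelated public site.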
@ -0,0 +1,47 @@
= Corkow - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.corkow[Corkow]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.corkow

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|1.17.6.4|-|High
|2|3.8.9.6|ec2-3-8-9-6.eu-west-2.compute.amazonaws.com|Medium
|3|4.1.0.1|-|High
|4|4.3.1.2|-|High
|5|4.3.9.1|-|High
|6|4.3.9.5|-|High
|7|4.3.9.7|-|High
|8|4.3.9.8|-|High
|9|4.4.7.1|lag-32-1065-99.ear3.Chicago2.Level3.net|High
|10|4.4.7.2|ANDERSEN-CO.ear3.Chicago2.Level3.net|High
|11|4.4.7.7|-|High
|12|5.5.1.2|dynamic-005-005-001-002.5.5.pool.telefonica.de|High
|13|5.7.9.1|dynamic-005-007-009-001.5.7.pool.telefonica.de|High
|14|5.9.3.1|static.1.3.9.5.clients.your-server.de|High
|15|6.0.8.1|-|High
|16|6.0.8.2|-|High
|17|6.0.8.4|-|High
|18|6.2.0.1|-|High
|19|6.4.1.3|-|High
|20|7.5.0.1|-|High
|21|...|...|...
|========================================

There are 36 more IOC items available. Please use our online service to access the data.

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://www.threatminer.org/#apt_report_19

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

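Review bot: the IOC table gives High confidence to addresses whose hostnames identify transit or consumer infrastructure rather than actor-controlled hosts: rows 9 and 10 resolve to `ear3.Chicago2.Level3.net` (Level3 backbone router interfaces) and rows 12 and 13 to `pool.telefonica.de` dynamic pools, which churn between subscribers. Blocking such addresses causes collateral impact, so suggest downgrading their confidence or adding first-seen/last-seen dates per row. Rows 1, 3 to 8 and 15 to 20 are single-digit-octet addresses with no hostname (1.17.6.4, 4.1.0.1, 6.0.8.2, ...), a shape that also matches version strings; worth verifying those against the referenced report before publishing.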
@ -0,0 +1,55 @@
= CosmicDuke - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.cosmicduke[CosmicDuke]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.cosmicduke

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. LU
. DE
. SE
. ...

There are 1 more country items available. Please use our online service to access the data.

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|46.246.120.178|-|High
|2|91.224.141.235|-|High
|3|94.242.199.88|ip-static-94-242-199-88.server.lu|High
|4|176.74.216.14|cz10131-d1z1-kvm.host-telecom.com|High
|5|178.21.172.157|-|High
|6|178.63.149.142|static.142.149.63.178.clients.your-server.de|High
|7|178.170.164.84|o84.itliteclient.ru|High
|8|188.116.32.164|-|High
|9|188.241.115.41|188-241-115-41.static.intovps.com|High
|10|212.76.128.149|-|High
|========================================

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1068|Execution with Unnecessary Privileges|High
|========================================

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://www.threatminer.org/report.php?q=cosmicduke_whitepaper.pdf&y=2014

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

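Review bot: "There are 1 more country items available." after the country list has a number/plural mismatch; the same string with "1" is emitted in the Crimeware file of this commit, so the generator should pick singular or plural from the count ("There is 1 more country item available." / "There are N more country items available.") instead of a fixed plural template.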
@ -0,0 +1,66 @@
= CozyDuke - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.cozyduke[CozyDuke]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.cozyduke

== Campaigns

The following campaigns are known and can be associated with the actor.

- MiniDionis

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. US

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|64.244.34.200|-|High
|2|121.193.130.170|-|High
|3|122.228.193.115|-|High
|4|183.78.169.5|-|High
|5|200.119.128.45|-|High
|6|200.125.133.28|pnet_133_28.panchonet.net|High
|7|200.125.142.11|webuio.panchonet.net|High
|8|210.59.2.20|-|High
|========================================

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1068|Execution with Unnecessary Privileges|High
|========================================

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|data/gbconfiguration.dat|High
|2|File|drivers/net/ethernet/msm/rndis_ipa.c|High
|========================================

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://www.threatminer.org/report.php?q=MiniDionis_CozyCar_Seaduke.pdf&y=2015
* https://www.threatminer.org/report.php?q=TheCozyDukeAPT-Securelist.pdf&y=2015

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

@ -0,0 +1,56 @@
= Crashoverride - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.crashoverride[Crashoverride]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.crashoverride

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. RU

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.39.218.152|-|High
|2|93.115.27.57|-|High
|3|195.16.88.6|server10005.hostlife.net|High
|========================================

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|========================================

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/cgi-bin/supervisor/PwdGrp.cgi|High
|2|File|/CMD_SELECT_USERS|High
|3|Argument|location|Medium
|4|Input Value|CMD_ALL_USER_SHOW'"><script>alert(/IrIsT.Ir/)</script>|High
|========================================

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://www.threatminer.org/report.php?q=CrashOverride-01-DragosSecurity.pdf&y=2017

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

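Review bot: the TTP and IOA rows here are all web-application material (T1059.007 labelled "Cross Site Scripting", `/cgi-bin/supervisor/PwdGrp.cgi`, `/CMD_SELECT_USERS`, and an XSS probe string as an "Input Value"), while the only reference is the Dragos CrashOverride report, which concerns the ICS malware of that name. The section intros already say these rows come from the predictive model, but nothing in the tables marks them as predicted rather than observed; suggest checking them against the cited source before publishing and adding a per-row source marker (observed vs. model) so a reader does not take the web-probe rows as reported behaviour of this actor.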
@ -0,0 +1,53 @@
|
|||
= Cridex - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.cridex[Cridex]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.cridex

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. US

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.135.28.118|-|High
|2|37.187.156.123|connor.playragnarokzero.com|High
|3|46.165.241.0|-|High
|4|50.56.200.226|50-56-200-226.static.cloud-ips.com|High
|5|62.76.44.174|62-76-44-174.vm.clodoserver.ru|High
|6|72.249.190.70|-|High
|7|89.31.144.214|vserver-gempassion.nexen.net|High
|8|89.188.121.106|rurik-e1.citytelecom.ru|High
|9|91.121.162.48|ks360250.kimsufi.com|High
|10|173.203.208.139|173-203-208-139.static.cloud-ips.com|High
|11|194.28.132.33|spline.org.ua|High
|12|209.54.58.186|-|High
|13|212.111.1.212.2|-|High
|========================================

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|.htaccess|Medium
|========================================

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://gist.githubusercontent.com/BBcan177/bf29d47ea04391cb3eb0/raw/

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
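Review bot: row 13 of the IOC table, `|13|212.111.1.212.2|-|High`, is not a valid IPv4 address (five dotted groups), so a consumer loading this file into a blocklist will reject or misparse the row; verify the value against the referenced gist and correct it, or drop the row rather than ship it at High confidence. Minor: the IOC paragraph spells "ressources" with a double s, and since the same sentence appears in every file of this commit the fix belongs in the generating template.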
@ -0,0 +1,75 @@
= Crimeware - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.crimeware[Crimeware]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.crimeware

== Campaigns

The following campaigns are known and can be associated with the actor.

- CTB-Locker

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. FR
. US
. IT
. ...

There are 1 more country items available. Please use our online service to access the data.

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.134.122.150|hpt01.web.l1.armada.it|High
|2|64.71.33.177|-|High
|3|188.93.8.7|-|High
|4|213.186.33.3|cluster015.ovh.net|High
|5|213.186.33.4|cluster003.ovh.net|High
|6|213.186.33.19|cluster010.hosting.ovh.net|High
|7|213.186.33.150|basic-cdn-01.cluster011.ovh.net|High
|========================================

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1068|Execution with Unnecessary Privileges|High
|2|T1587.003|Improper Certificate Validation|High
|========================================

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|admin_store_form|High
|2|File|cscopf.ocx|Medium
|3|File|fs/inode.c|Medium
|4|File|Util/PHP/eval-stdin.php|High
|5|Argument|cntnt01fbrp_forma_form_template|High
|6|Argument|Initialization|High
|7|Input Value|admin/password|High
|========================================

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://unit42.paloaltonetworks.com/newest-ctb-locker-campaign-bypasses-legacy-security-products/

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
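Review bot: the TTP table's third column is headed "Access Vector" but holds weakness-style descriptions ("Execution with Unnecessary Privileges", "Improper Certificate Validation") rather than access vectors, and those labels are not the titles of the ATT&CK ids beside them; either rename the column or document how the technique ids were derived from the weakness names. Also, "There are 1 more country items available" should read "There is 1 more country item available"; it is template text, so fix it once in the generator.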
@ -0,0 +1,50 @@
= Crouching Yeti - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.crouching_yeti[Crouching Yeti]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.crouching_yeti

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. US

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|1.0.154.36|node-55w.pool-1-0.dynamic.totinternet.net|High
|2|3.3.6.1|-|High
|3|6.0.472.59|-|High
|4|37.140.193.27|server39.hosting.reg.ru|High
|5|66.39.134.254|-|High
|6|78.63.99.143|78-63-99-143.static.zebra.lt|High
|7|93.188.161.235|-|High
|8|174.37.240.18|12.f0.25ae.ip4.static.sl-reverse.com|High
|9|195.16.89.46|-|High
|========================================

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|inc/config.php|High
|2|Argument|basePath|Medium
|========================================

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://www.threatminer.org/report.php?q=Kaspersky_Lab_crouching_yeti_appendixes_eng_final.pdf&y=2014

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
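Review bot: row 3 of the IOC table, `|3|6.0.472.59|-|High`, is not a valid IPv4 address (472 exceeds 255), so the row will fail validation in any feed consumer and should be corrected from the source report or removed. Row 1 resolves to `node-55w.pool-1-0.dynamic.totinternet.net`, a dynamic residential pool; an address like that is reassigned frequently, so a High confidence rating without a sighting date invites false positives against unrelated subscribers.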
@ -0,0 +1,93 @@
= CryptoPHP - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.cryptophp[CryptoPHP]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.cryptophp

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. US
. PL
. RU
. ...

There are 2 more country items available. Please use our online service to access the data.

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|50.17.195.149|ec2-50-17-195-149.compute-1.amazonaws.com|Medium
|2|78.138.118.195|-|High
|3|78.138.118.196|-|High
|4|78.138.118.197|-|High
|5|78.138.118.198|-|High
|6|78.138.118.199|-|High
|7|78.138.118.200|-|High
|8|78.138.118.201|-|High
|9|78.138.118.202|-|High
|10|78.138.118.203|-|High
|11|78.138.118.204|-|High
|12|78.138.118.205|-|High
|13|78.138.118.206|-|High
|14|78.138.118.207|-|High
|15|78.138.118.208|-|High
|16|78.138.118.209|-|High
|17|78.138.126.220|-|High
|18|78.138.126.223|-|High
|19|78.138.126.224|-|High
|20|87.119.221.40|-|High
|21|...|...|...
|========================================

There are 24 more IOC items available. Please use our online service to access the data.

== TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1600|Cryptographic Issues|High
|========================================

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/mics/j_spring_security_check|High
|2|File|examples/openid.php|High
|3|File|FormDisplay.php|High
|4|File|includes/startup.php|High
|5|File|libraries/Header.php|High
|6|File|member.php|Medium
|7|File|shopping-cart.php|High
|8|File|wp-includes/class-wp-query.php|High
|9|Argument|cusid|Low
|10|Argument|j_username|Medium
|11|...|...|...
|========================================

There are 5 more IOA items available. Please use our online service to access the data.

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://github.com/fox-it/cryptophp/blob/master/ips.txt

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
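Review bot: rows 2 through 16 of the IOC table are the contiguous block 78.138.118.195 to 78.138.118.209 listed one address per row; stating that the whole range is attributed (or emitting it as a range) would be clearer for consumers, and the placeholder rows `|21|...|...|...` and `|11|...|...|...` will not parse as indicators, so the truncation should be signalled outside the table rather than as a table row. The TTP column "Access Vector" again carries weakness names rather than access vectors; same remark as for the Crimeware file.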
@ -0,0 +1,25 @@
= CryptoWall 2.0 - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.cryptowall_2.0[CryptoWall 2.0]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.cryptowall_2.0

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|151.248.115.146|et-cetera.ru|High
|========================================

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://unit42.paloaltonetworks.com/tracking-new-ransomware-cryptowall-2-0/

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
@ -0,0 +1,53 @@
= DEV-0322 - Cyber Threat Intelligence

The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.dev-0322[DEV-0322]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.dev-0322

== Campaigns

The following campaigns are known and can be associated with the actor.

- CVE-2021-35211

== Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.

. CN

== IOC - Indicator of Compromise

The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.

[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|68.235.178.32|huntres-cgo-cm1-68-235-178-32.vianet.ca|High
|2|97.77.97.58|rrcs-97-77-97-58.sw.biz.rr.com|High
|3|98.176.196.89|ip98-176-196-89.sd.sd.cox.net|High
|4|144.34.179.162|144.34.179.162.16clouds.com|High
|5|208.113.35.58|58.35.113.208.static.addr.dsl4u.ca|High
|========================================

== IOA - Indicator of Attack

The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|flow.php|Medium
|2|Argument|--config/--debugger|High
|3|Argument|goods_number|Medium
|========================================

== References

The following list contains external sources which discuss the actor and the associated activities.

* https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/

== License

(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
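Review bot: the Campaigns list names `CVE-2021-35211`, which is a vulnerability identifier, not a campaign; if the intent is to record the exploited flaw, a dedicated field or a note that the campaign is unnamed and tracked by its CVE would avoid conflating the two. Every hostname in the IOC table (vianet.ca, rr.com, cox.net, dsl4u.ca, 16clouds.com) sits in ISP or cloud address space, so these addresses are likely to churn; a first-seen/last-seen date would make the High confidence actionable for consumers.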
Some files were not shown because too many files have changed in this diff.