Update
parent
3922dcb510
commit
6478b4e94a
|
@ -1,6 +1,6 @@
|
|||
# APT27 - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT27](https://vuldb.com/?actor.apt27). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT27](https://vuldb.com/?actor.apt27). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.apt27](https://vuldb.com/?actor.apt27)
|
||||
|
||||
|
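Review bot: the rewritten intro now says the indicators were "reported, collected, and generated", which puts model-generated rows next to observed ones without telling the reader which is which; the only per-row signal in the tables below is the Confidence column, so this paragraph should state what High/Medium/Low means (observed vs. predicted, or source count), or generated rows should be marked. The change from "is able to forecast" to "uses _big data_ to forecast" adds no information; the shorter wording reads better.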
@ -14,9 +14,9 @@ The following _campaigns_ are known and can be associated with APT27:
|
|||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT27:
|
||||
|
||||
* US
|
||||
* CN
|
||||
* ES
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* [ES](https://vuldb.com/?country.es)
|
||||
* ...
|
||||
|
||||
There are 5 more country items available. Please use our online service to access the data.
|
||||
|
@ -27,12 +27,13 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
|
|||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 34.90.207.23 | 23.207.90.34.bc.googleusercontent.com | - | Medium
|
||||
2 | 34.93.247.126 | 126.247.93.34.bc.googleusercontent.com | SysUpdate | Medium
|
||||
3 | 35.187.148.253 | 253.148.187.35.bc.googleusercontent.com | SysUpdate | Medium
|
||||
4 | ... | ... | ... | ...
|
||||
1 | [34.90.207.23](https://vuldb.com/?ip.34.90.207.23) | 23.207.90.34.bc.googleusercontent.com | - | Medium
|
||||
2 | [34.93.247.126](https://vuldb.com/?ip.34.93.247.126) | 126.247.93.34.bc.googleusercontent.com | SysUpdate | Medium
|
||||
3 | [35.187.148.253](https://vuldb.com/?ip.35.187.148.253) | 253.148.187.35.bc.googleusercontent.com | SysUpdate | Medium
|
||||
4 | [35.220.135.85](https://vuldb.com/?ip.35.220.135.85) | 85.135.220.35.bc.googleusercontent.com | SysUpdate | Medium
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 10 more IOC items available. Please use our online service to access the data.
|
||||
There are 16 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
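Review bot: all four rendered IOC rows resolve to `bc.googleusercontent.com`, i.e. Google Cloud customer addresses that are reassigned between tenants, so a Medium-confidence IP from this table can belong to an unrelated tenant at any time; the table has no first-seen/last-seen column, so consumers have no way to age these entries out rather than block them indefinitely. Suggest adding a seen-date per row. The hidden count moves from 10 to 16 while only row 4 is visibly added, so six rows changed outside the rendered part with "Update" as the only commit message; a changelog line per actor file would help.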
@ -45,7 +46,7 @@ ID | Technique | Weakness | Description | Confidence
|
|||
3 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 9 more TTP items available. Please use our online service to access the data.
|
||||
There are 8 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
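Review bot: row 3 maps T1059.007 (Command and Scripting Interpreter: JavaScript) to CWE-79/CWE-80 "Cross Site Scripting"; XSS is a weakness class in a product the actor is suspected to target, not a procedure the actor was seen executing, so the Technique column conflates "vulnerability class of interest" with "technique used". The section intro already says "suspected", but the table itself does not; either label the header accordingly or let the CWE column lead and treat the ATT&CK ID as derived.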
@ -63,25 +64,26 @@ ID | Type | Indicator | Confidence
|
|||
8 | File | `/rapi/read_url` | High
|
||||
9 | File | `/session/list/allActiveSession` | High
|
||||
10 | File | `/syslog_rules` | High
|
||||
11 | File | `/upload` | Low
|
||||
12 | File | `/users/{id}` | Medium
|
||||
13 | File | `/video` | Low
|
||||
14 | File | `ActivityManagerService.java` | High
|
||||
15 | File | `adaptmap_reg.c` | High
|
||||
16 | File | `admin.cgi` | Medium
|
||||
17 | File | `admin.php` | Medium
|
||||
18 | File | `admin.php?action=files` | High
|
||||
19 | File | `admin/modules/master_file/rda_cmc.php?keywords` | High
|
||||
20 | File | `album_portal.php` | High
|
||||
21 | File | `al_initialize.php` | High
|
||||
11 | File | `/uncpath/` | Medium
|
||||
12 | File | `/upload` | Low
|
||||
13 | File | `/users/{id}` | Medium
|
||||
14 | File | `/video` | Low
|
||||
15 | File | `ActivityManagerService.java` | High
|
||||
16 | File | `adaptmap_reg.c` | High
|
||||
17 | File | `admin.cgi` | Medium
|
||||
18 | File | `admin.php` | Medium
|
||||
19 | File | `admin.php?action=files` | High
|
||||
20 | File | `admin/modules/master_file/rda_cmc.php?keywords` | High
|
||||
21 | File | `album_portal.php` | High
|
||||
22 | ... | ... | ...
|
||||
|
||||
There are 179 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 187 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://github.com/hvs-consulting/ioc_signatures/blob/main/Emissary_Panda_APT27/HvS_APT27_2021-10_IOCs.csv
|
||||
* https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/
|
||||
* https://vxug.fakedoma.in/archive/APTs/2021/2021.04.09/Iron%20Tiger.pdf
|
||||
* https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
|
||||
|
|
|
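Review bot: inserting `/uncpath/` as row 11 shifted every following ID by one (old 11..21 are now 12..22), so the ID column is a render-order index, not a stable identifier; anyone who recorded "APT27 IOA #18" before this commit now points at a different indicator. Either drop the ID column or assign IDs that survive insertions. Separately, `/uncpath/` is added or present at Medium confidence in four actor files touched by this commit (APT27, APT31, Agent Tesla, Chimera); an indicator shared across unrelated actors has little attribution value and would be better flagged as generic.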
@ -1,6 +1,6 @@
|
|||
# APT31 - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT31](https://vuldb.com/?actor.apt31). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT31](https://vuldb.com/?actor.apt31). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.apt31](https://vuldb.com/?actor.apt31)
|
||||
|
||||
|
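Review bot: this intro paragraph is identical across the APT27, APT31, ActionRAT, Chafer and Chimera hunks apart from the actor name and link, and the commit has to re-touch every copy to change one sentence; generating the per-actor files from a single template would reduce such wording changes to one diff and keep the actor files to data only.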
@ -8,8 +8,8 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
|
|||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT31:
|
||||
|
||||
* FR
|
||||
* US
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [FR](https://vuldb.com/?country.fr)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
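Review bot: the country list is reordered (FR, US becomes US, FR) in the same change that adds the links, so the diff cannot show whether the order carries meaning; if the list is ranked by some score, say so in the intro sentence, and if not, sort by country code so that future diffs only show real additions and removals.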
@ -17,9 +17,9 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
|
|||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 105.154.12.165 | - | - | High
|
||||
2 | 105.157.234.0 | - | - | High
|
||||
3 | 105.159.122.85 | - | - | High
|
||||
1 | [105.154.12.165](https://vuldb.com/?ip.105.154.12.165) | - | - | High
|
||||
2 | [105.157.234.0](https://vuldb.com/?ip.105.157.234.0) | - | - | High
|
||||
3 | [105.159.122.85](https://vuldb.com/?ip.105.159.122.85) | - | - | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 13 more IOC items available. Please use our online service to access the data.
|
||||
|
|
|
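Review bot: row 2 lists `105.157.234.0` at High confidence; a host address ending in .0 is typically the network address of a /24 and may be a truncated or aggregated value rather than an observed peer, so it deserves a check before being linked as a first-class IP. All three rows have no hostname ("-"), so there is nothing beyond the raw address to corroborate the High rating.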
@ -50,7 +50,7 @@ ID | Technique | Weakness | Description | Confidence
|
|||
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 8 more TTP items available. Please use our online service to access the data.
|
||||
There are 7 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
|
|
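Review bot: the hidden count drops from 8 to 7 while the three rendered rows are unchanged, so a TTP was removed outside the visible part of the table and "Update" gives no way to tell which. Row 3 pairs T1110.001 (Brute Force: Password Guessing) with CWE-798 (Use of Hard-coded Credentials) as well as CWE-307; hard-coded credentials are used by supplying the known value, not by guessing, so CWE-798 fits T1078 (Valid Accounts) better than a brute-force sub-technique.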
@ -68,31 +68,32 @@ ID | Type | Indicator | Confidence
|
|||
-- | ---- | --------- | ----------
|
||||
1 | File | `/api/blade-log/api/list` | High
|
||||
2 | File | `/category_view.php` | High
|
||||
3 | File | `/cgi-bin/system_mgr.cgi` | High
|
||||
4 | File | `/debug/pprof` | Medium
|
||||
5 | File | `/etc/config/rpcd` | High
|
||||
6 | File | `/forum/away.php` | High
|
||||
7 | File | `/get_getnetworkconf.cgi` | High
|
||||
8 | File | `/lists/admin/` | High
|
||||
9 | File | `/login.cgi?logout=1` | High
|
||||
10 | File | `/module/admin_logs` | High
|
||||
11 | File | `/public/login.htm` | High
|
||||
12 | File | `/public/plugins/` | High
|
||||
13 | File | `/replication` | Medium
|
||||
14 | File | `/SASWebReportStudio/logonAndRender.do` | High
|
||||
15 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
16 | File | `/secure/admin/ViewInstrumentation.jspa` | High
|
||||
17 | File | `/start-stop` | Medium
|
||||
18 | File | `/tmp/app/.env` | High
|
||||
19 | File | `/uncpath/` | Medium
|
||||
20 | File | `/upload` | Low
|
||||
21 | File | `/usr/bin/pkexec` | High
|
||||
22 | File | `/WEB-INF/web.xml` | High
|
||||
23 | File | `/wp-admin/admin-ajax.php` | High
|
||||
24 | File | `/_next` | Low
|
||||
25 | ... | ... | ...
|
||||
3 | File | `/cgi-bin/portal` | High
|
||||
4 | File | `/cgi-bin/system_mgr.cgi` | High
|
||||
5 | File | `/debug/pprof` | Medium
|
||||
6 | File | `/etc/config/rpcd` | High
|
||||
7 | File | `/forum/away.php` | High
|
||||
8 | File | `/get_getnetworkconf.cgi` | High
|
||||
9 | File | `/lists/admin/` | High
|
||||
10 | File | `/login.cgi?logout=1` | High
|
||||
11 | File | `/medical/inventories.php` | High
|
||||
12 | File | `/module/admin_logs` | High
|
||||
13 | File | `/public/login.htm` | High
|
||||
14 | File | `/public/plugins/` | High
|
||||
15 | File | `/replication` | Medium
|
||||
16 | File | `/SASWebReportStudio/logonAndRender.do` | High
|
||||
17 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
18 | File | `/secure/admin/ViewInstrumentation.jspa` | High
|
||||
19 | File | `/start-stop` | Medium
|
||||
20 | File | `/tmp/app/.env` | High
|
||||
21 | File | `/uncpath/` | Medium
|
||||
22 | File | `/upload` | Low
|
||||
23 | File | `/usr/bin/pkexec` | High
|
||||
24 | File | `/WEB-INF/web.xml` | High
|
||||
25 | File | `/wp-admin/admin-ajax.php` | High
|
||||
26 | ... | ... | ...
|
||||
|
||||
There are 213 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 221 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
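Review bot: `/usr/bin/pkexec` is rated High while `/upload` is Low and `/debug/pprof` Medium, yet all of these are paths present on a large fraction of hosts or web applications regardless of this actor; a path-only indicator cannot discriminate the actor from background traffic, so Confidence here appears to mean "confidence the string relates to a vulnerability the actor may use" rather than "confidence that a match detects the actor". The IOA intro should say which. The two inserts (`/cgi-bin/portal`, `/medical/inventories.php`) renumber every later row, the same ID-stability problem as in the other tables, and `/_next` has dropped out of the rendered rows into the hidden count.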
@ -1,6 +1,6 @@
|
|||
# ActionRAT - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [ActionRAT](https://vuldb.com/?actor.actionrat). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [ActionRAT](https://vuldb.com/?actor.actionrat). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.actionrat](https://vuldb.com/?actor.actionrat)
|
||||
|
||||
|
@ -33,10 +33,10 @@ ID | Technique | Weakness | Description | Confidence
|
|||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1499 | CWE-400, CWE-404, CWE-770 | Resource Consumption | High
|
||||
3 | T1587.003 | CWE-295 | Improper Certificate Validation | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 2 more TTP items available. Please use our online service to access the data.
|
||||
There are 1 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
|
|
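Review bot: row 3 is replaced (T1499 / CWE-400, CWE-404, CWE-770 "Resource Consumption" becomes T1587.003 / CWE-295 "Improper Certificate Validation") and the hidden count drops from 2 to 1, so two TTPs disappear net, not one; that deserves a line in the commit message. T1587.003 is Develop Capabilities: Digital Certificates, an adversary-side resource-development technique, whereas CWE-295 describes a victim-side validation weakness; the two describe different things, so the mapping should be checked. Grammar: "There are 1 more TTP items" should be "There is 1 more TTP item" (the Brontok file has the same issue); the generator needs a singular form.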
@ -0,0 +1,122 @@
|
|||
# Agent Tesla - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Agent Tesla](https://vuldb.com/?actor.agent_tesla). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.agent_tesla](https://vuldb.com/?actor.agent_tesla)
|
||||
|
||||
## Campaigns
|
||||
|
||||
The following _campaigns_ are known and can be associated with Agent Tesla:
|
||||
|
||||
* Phishing Korea
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Agent Tesla:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* [ES](https://vuldb.com/?country.es)
|
||||
* ...
|
||||
|
||||
There are 8 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Agent Tesla.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [69.174.99.181](https://vuldb.com/?ip.69.174.99.181) | unassigned.quadranet.com | Phishing Korea | High
|
||||
2 | [149.56.200.165](https://vuldb.com/?ip.149.56.200.165) | ip165.ip-149-56-200.net | Phishing Korea | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Agent Tesla. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 3 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Agent Tesla. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/+CSCOE+/logon.html` | High
|
||||
2 | File | `/cgi-bin/wapopen` | High
|
||||
3 | File | `/etc/ajenti/config.yml` | High
|
||||
4 | File | `/goform/telnet` | High
|
||||
5 | File | `/modules/profile/index.php` | High
|
||||
6 | File | `/php/init.poll.php` | High
|
||||
7 | File | `/rom-0` | Low
|
||||
8 | File | `/tmp/phpglibccheck` | High
|
||||
9 | File | `/uncpath/` | Medium
|
||||
10 | File | `/var/tmp/sess_*` | High
|
||||
11 | File | `action.php` | Medium
|
||||
12 | File | `actionphp/download.File.php` | High
|
||||
13 | File | `add_comment.php` | High
|
||||
14 | File | `admin/admin.php` | High
|
||||
15 | File | `admin/content.php` | High
|
||||
16 | File | `admin/index.php?id=users/action=edit/user_id=1` | High
|
||||
17 | File | `admin/memberviewdetails.php` | High
|
||||
18 | File | `admin/sitesettings.php` | High
|
||||
19 | File | `affich.php` | Medium
|
||||
20 | File | `agent/Core/Controller/SendRequest.cpp` | High
|
||||
21 | File | `akeyActivationLogin.do` | High
|
||||
22 | File | `album_portal.php` | High
|
||||
23 | File | `apache-auth.conf` | High
|
||||
24 | File | `askapache-firefox-adsense.php` | High
|
||||
25 | File | `attachment.cgi` | High
|
||||
26 | File | `basic_search_result.php` | High
|
||||
27 | File | `blueprints/sections/edit/1` | High
|
||||
28 | File | `books.php` | Medium
|
||||
29 | File | `cart_add.php` | Medium
|
||||
30 | File | `CFS.c` | Low
|
||||
31 | File | `cgi-bin/gnudip.cgi` | High
|
||||
32 | File | `checktransferstatus.php` | High
|
||||
33 | File | `checkuser.php` | High
|
||||
34 | File | `class.SystemAction.php` | High
|
||||
35 | File | `clientarea.php` | High
|
||||
36 | File | `cmdmon.c` | Medium
|
||||
37 | File | `collectivite.class.php` | High
|
||||
38 | File | `confirm.php` | Medium
|
||||
39 | File | `contact` | Low
|
||||
40 | File | `control.c` | Medium
|
||||
41 | File | `core-util.c` | Medium
|
||||
42 | File | `core/coreuserinputhandler.cpp` | High
|
||||
43 | File | `d1_both.c` | Medium
|
||||
44 | File | `data/gbconfiguration.dat` | High
|
||||
45 | File | `Debug_command_page.asp` | High
|
||||
46 | File | `details_view.php` | High
|
||||
47 | File | `Diagnose.exe` | Medium
|
||||
48 | File | `DigiDocSAXParser.c` | High
|
||||
49 | File | `download-file.php` | High
|
||||
50 | File | `download.php` | Medium
|
||||
51 | File | `e/member/doaction.php` | High
|
||||
52 | ... | ... | ...
|
||||
|
||||
There are 451 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://www.fortinet.com/blog/threat-research/phishing-campaign-targeting-korean-to-deliver-agent-tesla-new-variant
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
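Review bot: the IOA table files everything under Type "File", but the rows mix on-disk paths (`/etc/ajenti/config.yml`, `/tmp/phpglibccheck`), a glob (`/var/tmp/sess_*`), URL paths with query strings (`admin/index.php?id=users/action=edit/user_id=1`) and source-file names (`agent/Core/Controller/SendRequest.cpp`, `CFS.c`, `cmdmon.c`); these need different detection plumbing (filesystem audit, web access logs, or nothing at all for source-file names), so a finer Type would make the table usable. The intro describes fragments "used ... by Agent Tesla", but Agent Tesla is a commodity .NET information stealer sold to many unrelated operators, so the Countries, TTP and IOA sections aggregate whoever bought it; one sentence saying the profile is of the tooling rather than an organisation would prevent over-reading it. IOC row 1 resolves to `unassigned.quadranet.com`, a hosting-provider address with no customer record, which is likely to be reassigned; a seen-date per row would help here too.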
@ -1,31 +1,31 @@
|
|||
# Brontok - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Brontok](https://vuldb.com/?actor.brontok). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Brontok](https://vuldb.com/?actor.brontok). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.brontok](https://vuldb.com/?actor.brontok)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.brontok](https://vuldb.com/?actor.brontok)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Brontok.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Brontok.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 20.42.65.92 | - | High
|
||||
2 | 20.189.173.20 | - | High
|
||||
3 | 52.168.117.173 | - | High
|
||||
4 | ... | ... | ...
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [20.42.65.92](https://vuldb.com/?ip.20.42.65.92) | - | - | High
|
||||
2 | [20.189.173.20](https://vuldb.com/?ip.20.189.173.20) | - | - | High
|
||||
3 | [52.168.117.173](https://vuldb.com/?ip.52.168.117.173) | - | - | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 1 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://blog.talosintelligence.com/2022/01/threat-roundup-0114-0121.html
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
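Review bot: the table gains a Campaign column whose every value is "-", and the Hostname column is "-" in all three rows, so each row is a bare IP at High confidence backed by a single reference, a Talos weekly roundup; such roundups aggregate indicators from automated sample analysis, so addresses a sample contacted can be infrastructure it merely touched rather than attacker-controlled, and corroboration from a second source would justify High better. Grammar: "There are 1 more IOC items" needs a singular form. The "ressources" to "resources" spelling fix is good.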
@ -1,6 +1,6 @@
|
|||
# Chafer - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Chafer](https://vuldb.com/?actor.chafer). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Chafer](https://vuldb.com/?actor.chafer). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.chafer](https://vuldb.com/?actor.chafer)
|
||||
|
||||
|
@ -8,9 +8,9 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
|
|||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Chafer:
|
||||
|
||||
* US
|
||||
* RU
|
||||
* GB
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [RU](https://vuldb.com/?country.ru)
|
||||
* [GB](https://vuldb.com/?country.gb)
|
||||
* ...
|
||||
|
||||
There are 18 more country items available. Please use our online service to access the data.
|
||||
|
@ -21,9 +21,9 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
|
|||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 83.142.230.113 | - | - | High
|
||||
2 | 89.38.97.112 | 89-38-97-112.hosted-by-worldstream.net | - | High
|
||||
3 | 89.38.97.115 | 89-38-97-115.hosted-by-worldstream.net | - | High
|
||||
1 | [83.142.230.113](https://vuldb.com/?ip.83.142.230.113) | - | - | High
|
||||
2 | [89.38.97.112](https://vuldb.com/?ip.89.38.97.112) | 89-38-97-112.hosted-by-worldstream.net | - | High
|
||||
3 | [89.38.97.115](https://vuldb.com/?ip.89.38.97.115) | 89-38-97-115.hosted-by-worldstream.net | - | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 7 more IOC items available. Please use our online service to access the data.
|
||||
|
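Review bot: rows 2 and 3 are `89.38.97.112` and `89.38.97.115`, both with reverse DNS at the same hoster (`hosted-by-worldstream.net`), so the actor apparently holds several addresses in one block; a note on whether the seven hidden rows fall in the same range would tell defenders whether to watch the block in addition to the individual addresses, without suggesting that the whole provider be blocked.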
@ -39,7 +39,7 @@ ID | Technique | Weakness | Description | Confidence
|
|||
3 | T1211 | CWE-254 | 7PK Security Features | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 3 more TTP items available. Please use our online service to access the data.
|
||||
There are 2 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
|
|
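Review bot: row 3 maps T1211 (Exploitation for Defense Evasion) to CWE-254 "7PK Security Features", but CWE-254 is a category entry of the Seven Pernicious Kingdoms taxonomy, not a weakness, so the Weakness column carries no actionable information for this row; if the source data has a more specific child CWE, use it, otherwise leave the cell blank rather than cite a category.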
@ -1,80 +1,94 @@
|
|||
# Chimera - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Chimera](https://vuldb.com/?actor.chimera). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Chimera](https://vuldb.com/?actor.chimera). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.chimera](https://vuldb.com/?actor.chimera)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.chimera](https://vuldb.com/?actor.chimera)
|
||||
|
||||
## Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Chimera:
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Chimera:
|
||||
|
||||
* US
|
||||
* CN
|
||||
* NU
|
||||
* ...
|
||||
|
||||
There are 3 more country items available. Please use our online service to access the data.
|
||||
* [VN](https://vuldb.com/?country.vn)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Chimera.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Chimera.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 1.3.35.342 | - | High
|
||||
2 | 5.254.64.234 | - | High
|
||||
3 | 5.254.112.226 | - | High
|
||||
4 | 14.229.140.66 | static.vnpt.vn | High
|
||||
5 | ... | ... | ...
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [1.3.35.342](https://vuldb.com/?ip.1.3.35.342) | - | - | High
|
||||
2 | [5.254.64.234](https://vuldb.com/?ip.5.254.64.234) | - | - | High
|
||||
3 | [5.254.112.226](https://vuldb.com/?ip.5.254.112.226) | - | - | High
|
||||
4 | [14.229.140.66](https://vuldb.com/?ip.14.229.140.66) | static.vnpt.vn | - | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 16 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Chimera. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Chimera. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1059.007 | Cross Site Scripting | High
|
||||
2 | T1068 | Execution with Unnecessary Privileges | High
|
||||
3 | T1211 | 7PK Security Features | High
|
||||
4 | ... | ... | ...
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 3 more TTP items available. Please use our online service to access the data.
|
||||
There are 5 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Chimera. This data is unique as it uses our predictive model for actor profiling.
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Chimera. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `%windir%\Internet Logs\` | High
|
||||
2 | File | `/admin/system/database/filedown.php` | High
|
||||
3 | File | `/cgi-bin/supervisor/adcommand.cgi` | High
|
||||
4 | File | `/common/info.cgi` | High
|
||||
5 | File | `/getcfg.php` | Medium
|
||||
6 | File | `/uncpath/` | Medium
|
||||
7 | File | `/usr/local/www/csrf/csrf-magic.php` | High
|
||||
8 | File | `admin/index.php?n=ui_set&m=admin&c=index&a=doget_text_content&table=lang&field=1` | High
|
||||
9 | File | `administrator/components/com_media/helpers/media.php` | High
|
||||
10 | File | `APPFLT.SYS` | Medium
|
||||
11 | File | `auth-gss2.c` | Medium
|
||||
12 | File | `authors.pwd` | Medium
|
||||
13 | File | `CFIDE/componentutils/cfcexplorer.cfc` | High
|
||||
14 | ... | ... | ...
|
||||
1 | File | `./clients/client` | High
|
||||
2 | File | `/alumni/admin/ajax.php?action=save_settings` | High
|
||||
3 | File | `/assets/ctx` | Medium
|
||||
4 | File | `/cgi-bin/luci` | High
|
||||
5 | File | `/cgi-bin/portal` | High
|
||||
6 | File | `/cimom` | Low
|
||||
7 | File | `/config/getuser` | High
|
||||
8 | File | `/forum/away.php` | High
|
||||
9 | File | `/gcp/roleset/*` | High
|
||||
10 | File | `/horde/util/go.php` | High
|
||||
11 | File | `/hostapd` | Medium
|
||||
12 | File | `/IISADMPWD` | Medium
|
||||
13 | File | `/iisadmpwd` | Medium
|
||||
14 | File | `/include/chart_generator.php` | High
|
||||
15 | File | `/MTFWU` | Low
|
||||
16 | File | `/my_photo_gallery/image.php` | High
|
||||
17 | File | `/public/login.htm` | High
|
||||
18 | File | `/public/plugins/` | High
|
||||
19 | File | `/rest/api/1.0/render` | High
|
||||
20 | File | `/rest/api/latest/user/avatar/temporary` | High
|
||||
21 | File | `/secure/admin/ConfigureBatching!default.jspa` | High
|
||||
22 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
23 | File | `/sm/api/v1/firewall/zone/services` | High
|
||||
24 | File | `/sys/attachment/uploaderServlet` | High
|
||||
25 | File | `/uncpath/` | Medium
|
||||
26 | File | `/userRpm/popupSiteSurveyRpm.html` | High
|
||||
27 | File | `/users/{id}` | Medium
|
||||
28 | File | `/usr/bin/pkexec` | High
|
||||
29 | File | `/wp-admin` | Medium
|
||||
30 | File | `/wp-admin/admin-ajax.php` | High
|
||||
31 | File | `/wp-json` | Medium
|
||||
32 | ... | ... | ...
|
||||
|
||||
There are 113 more IOA items available. Please use our online service to access the data.
|
||||
There are 268 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf
|
||||
* https://vxug.fakedoma.in/archive/APTs/2021/2021.01.12/Chimera.pdf
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
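Review bot: `12 | File | `/IISADMPWD` | Medium` and `13 | File | `/iisadmpwd` | Medium` in the new block name the same resource on a case-insensitive IIS host; collapse them into one row, or state in the section whether indicator matching is case-sensitive. The same block carries templated entries (`/gcp/roleset/*`, `/users/{id}`) that a literal matcher will never hit, so give those the "pattern" type the trailer already lists instead of `File`. The visible list was also replaced wholesale (`%windir%\Internet Logs\`, `/admin/system/database/filedown.php` and `CFIDE/componentutils/cfcexplorer.cfc` no longer appear) while the trailer jumps from 113 to 268 items; a one-line note on why the earlier indicators were dropped would help anyone who imported the old list.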
@ -92,7 +92,7 @@ ID | Technique | Weakness | Description | Confidence
|
|||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 8 more TTP items available. Please use our online service to access the data.
|
||||
There are 7 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -104,45 +104,45 @@ ID | Type | Indicator | Confidence
|
|||
2 | File | `/../../conf/template/uhttpd.json` | High
|
||||
3 | File | `/bin/boa` | Medium
|
||||
4 | File | `/context/%2e/WEB-INF/web.xml` | High
|
||||
5 | File | `/dev/dri/card1` | High
|
||||
6 | File | `/etc/sudoers` | Medium
|
||||
7 | File | `/export` | Low
|
||||
8 | File | `/iissamples` | Medium
|
||||
9 | File | `/login` | Low
|
||||
10 | File | `/modules/profile/index.php` | High
|
||||
11 | File | `/monitoring` | Medium
|
||||
12 | File | `/new` | Low
|
||||
13 | File | `/proc/<pid>/status` | High
|
||||
14 | File | `/public/plugins/` | High
|
||||
15 | File | `/req_password_user.php` | High
|
||||
16 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
17 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
18 | File | `/servlet/webacc` | High
|
||||
19 | File | `/show_news.php` | High
|
||||
20 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
|
||||
21 | File | `/tmp` | Low
|
||||
22 | File | `/uncpath/` | Medium
|
||||
23 | File | `/usr/bin/pkexec` | High
|
||||
24 | File | `/WEB-INF/web.xml` | High
|
||||
25 | File | `/webconsole/Controller` | High
|
||||
26 | File | `/wp-json/wc/v3/webhooks` | High
|
||||
27 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
28 | File | `AccountManagerService.java` | High
|
||||
29 | File | `actions/CompanyDetailsSave.php` | High
|
||||
30 | File | `ActivityManagerService.java` | High
|
||||
31 | File | `adclick.php` | Medium
|
||||
32 | File | `admin.php` | Medium
|
||||
33 | File | `admin.php?page=languages` | High
|
||||
34 | File | `admin/add-glossary.php` | High
|
||||
35 | File | `admin/admin.php` | High
|
||||
36 | File | `admin/conf_users_edit.php` | High
|
||||
37 | File | `admin/edit-comments.php` | High
|
||||
38 | File | `admin/src/containers/InputModalStepperProvider/index.js` | High
|
||||
39 | File | `admin\db\DoSql.php` | High
|
||||
40 | File | `adverts/assets/plugins/ultimate/content/downloader.php` | High
|
||||
5 | File | `/etc/sudoers` | Medium
|
||||
6 | File | `/export` | Low
|
||||
7 | File | `/iissamples` | Medium
|
||||
8 | File | `/login` | Low
|
||||
9 | File | `/modules/profile/index.php` | High
|
||||
10 | File | `/monitoring` | Medium
|
||||
11 | File | `/new` | Low
|
||||
12 | File | `/proc/<pid>/status` | High
|
||||
13 | File | `/public/plugins/` | High
|
||||
14 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
15 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
16 | File | `/servlet/webacc` | High
|
||||
17 | File | `/show_news.php` | High
|
||||
18 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
|
||||
19 | File | `/tmp` | Low
|
||||
20 | File | `/uncpath/` | Medium
|
||||
21 | File | `/usr/bin/pkexec` | High
|
||||
22 | File | `/WEB-INF/web.xml` | High
|
||||
23 | File | `/wp-json/wc/v3/webhooks` | High
|
||||
24 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
25 | File | `AccountManagerService.java` | High
|
||||
26 | File | `actions/CompanyDetailsSave.php` | High
|
||||
27 | File | `ActivityManagerService.java` | High
|
||||
28 | File | `adclick.php` | Medium
|
||||
29 | File | `admin.php` | Medium
|
||||
30 | File | `admin.php?page=languages` | High
|
||||
31 | File | `admin/add-glossary.php` | High
|
||||
32 | File | `admin/admin.php` | High
|
||||
33 | File | `admin/conf_users_edit.php` | High
|
||||
34 | File | `admin/edit-comments.php` | High
|
||||
35 | File | `admin/src/containers/InputModalStepperProvider/index.js` | High
|
||||
36 | File | `admin\db\DoSql.php` | High
|
||||
37 | File | `adverts/assets/plugins/ultimate/content/downloader.php` | High
|
||||
38 | File | `advsearch.asp` | High
|
||||
39 | File | `AjaxApplication.java` | High
|
||||
40 | File | `AllowBindAppWidgetActivity.java` | High
|
||||
41 | ... | ... | ...
|
||||
|
||||
There are 354 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 355 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
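Review bot: `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` (old row 27, new row 24) is four CGI file names run together with slashes, not a path; as written a consumer will search for the literal concatenation and miss all four, so split it into separate rows. In the same table `/proc/<pid>/status` uses a placeholder and `/../../conf/template/uhttpd.json` and `/context/%2e/WEB-INF/web.xml` carry traversal and encoding fragments that only make sense as request patterns, so their Type should not be `File`. With three lines of leading context, `5 | File | `/dev/dri/card1` | High` is the entry that disappears and shifts every later ID by one while the trailer moves from 354 to 355; if the removal was intentional, a changelog line saves the next reader from diffing the table by hand.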
@ -1,6 +1,6 @@
|
|||
# DEV-0322 - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [DEV-0322](https://vuldb.com/?actor.dev-0322). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [DEV-0322](https://vuldb.com/?actor.dev-0322). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.dev-0322](https://vuldb.com/?actor.dev-0322)
|
||||
|
||||
|
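Review bot: the new wording "reported, collected, and generated" puts model-generated indicators into the same tables as observed ones, but nothing in the file marks which rows are which; consumers block on observed IOCs and only hunt on predictions, so add a per-row flag or a separate section for generated entries.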
@ -15,8 +15,8 @@ The following _campaigns_ are known and can be associated with DEV-0322:
|
|||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with DEV-0322:
|
||||
|
||||
* US
|
||||
* CN
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -24,9 +24,9 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
|
|||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 24.64.36.238 | mail.target-realty.com | ManageEngine ADSelfService Plus | High
|
||||
2 | 45.63.62.109 | 45.63.62.109.vultr.com | ManageEngine ADSelfService Plus | Medium
|
||||
3 | 45.76.173.103 | 45.76.173.103.vultr.com | ManageEngine ADSelfService Plus | Medium
|
||||
1 | [24.64.36.238](https://vuldb.com/?ip.24.64.36.238) | mail.target-realty.com | ManageEngine ADSelfService Plus | High
|
||||
2 | [45.63.62.109](https://vuldb.com/?ip.45.63.62.109) | 45.63.62.109.vultr.com | ManageEngine ADSelfService Plus | Medium
|
||||
3 | [45.76.173.103](https://vuldb.com/?ip.45.76.173.103) | 45.76.173.103.vultr.com | ManageEngine ADSelfService Plus | Medium
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 11 more IOC items available. Please use our online service to access the data.
|
||||
|
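Review bot: rows 2 and 3 carry `45.63.62.109.vultr.com` and `45.76.173.103.vultr.com`, the provider's generic reverse DNS for a VPS, which adds nothing beyond the IP; addresses like these are reassigned quickly, so the table needs first-seen and last-seen dates (or at least a report date) before a consumer can decide whether to block them. Medium confidence fits for that reason; the `mail.target-realty.com` row at High should state what ties the host to the ManageEngine ADSelfService Plus campaign beyond the campaign label.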
@ -39,10 +39,10 @@ ID | Technique | Weakness | Description | Confidence
|
|||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1499 | CWE-400, CWE-404 | Resource Consumption | High
|
||||
3 | T1548.002 | CWE-285 | Improper Authorization | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 2 more TTP items available. Please use our online service to access the data.
|
||||
There are 1 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
|
|
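Review bot: `3 | T1499 | CWE-400, CWE-404 | Resource Consumption | High` is replaced by `3 | T1548.002 | CWE-285 | Improper Authorization | High` with no note on why the earlier mapping was withdrawn, and the trailer drops from 2 to 1, so two techniques changed in one hunk without an explanation a consumer could cite. The Description column also keeps the CWE title rather than the ATT&CK name (T1548.002 is Abuse Elevation Control Mechanism: Bypass User Account Control), which hides what behaviour was mapped; give the technique name or rename the column. Minor: "There are 1 more TTP items" should read "There is 1 more TTP item".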
@ -0,0 +1,30 @@
|
|||
# DarkWatchman - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [DarkWatchman](https://vuldb.com/?actor.darkwatchman). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.darkwatchman](https://vuldb.com/?actor.darkwatchman)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of DarkWatchman.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [45.156.27.245](https://vuldb.com/?ip.45.156.27.245) | dasee-1.net7.dns.cloudbackbone.net | - | High
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://www.prevailion.com/darkwatchman-new-fileless-techniques/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
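Review bot: the page is titled as an actor, but the only reference cited (`https://www.prevailion.com/darkwatchman-new-fileless-techniques/`) describes DarkWatchman as a fileless RAT, i.e. tooling rather than an operator; say that the entry tracks a malware family, or name the operator it is attributed to, so it is not read like the actor pages around it. The single IOC row `45.156.27.245 | dasee-1.net7.dns.cloudbackbone.net | - | High` has no campaign and no date; High confidence on one hosting-provider address with nothing to age it out is hard to justify, so add the observation date or lower the confidence.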
@ -1,32 +1,32 @@
|
|||
# DeathClick - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [DeathClick](https://vuldb.com/?actor.deathclick). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [DeathClick](https://vuldb.com/?actor.deathclick). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.deathclick](https://vuldb.com/?actor.deathclick)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.deathclick](https://vuldb.com/?actor.deathclick)
|
||||
|
||||
## Campaigns
|
||||
|
||||
The following campaigns are known and can be associated with DeathClick:
|
||||
The following _campaigns_ are known and can be associated with DeathClick:
|
||||
|
||||
* DeathClick
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of DeathClick.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of DeathClick.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 24.234.123.133 | wsip-24-234-123-133.lv.lv.cox.net | High
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [24.234.123.133](https://vuldb.com/?ip.24.234.123.133) | wsip-24-234-123-133.lv.lv.cox.net | DeathClick | High
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://www.threatminer.org/report.php?q=Micro-Targeted-Malvertising-WP-10-27-14-1.pdf&y=2014
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
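Review bot: the new IOC table rates `24.234.123.133 | wsip-24-234-123-133.lv.lv.cox.net` High, yet the reverse name shows a residential ISP address and the sole reference is a 2014 report (`Micro-Targeted-Malvertising-WP-10-27-14-1.pdf`); a consumer-ISP address from 2014 is almost certainly reassigned, so add a last-seen date or mark the row as historical rather than High. Filling the new Campaign column with "DeathClick", the actor's own name, carries no information; leave it "-" unless the source names a distinct campaign. Good to see "ressources" fixed.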
@ -1,6 +1,6 @@
|
|||
# FIN12 - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [FIN12](https://vuldb.com/?actor.fin12). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [FIN12](https://vuldb.com/?actor.fin12). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.fin12](https://vuldb.com/?actor.fin12)
|
||||
|
||||
|
@ -61,7 +61,7 @@ ID | Type | Indicator | Confidence
|
|||
15 | File | `AdvancedBluetoothDetailsHeaderController.java` | High
|
||||
16 | ... | ... | ...
|
||||
|
||||
There are 130 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 132 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
* [US](https://vuldb.com/?country.us)
|
||||
* ...
|
||||
|
||||
There are 13 more country items available. Please use our online service to access the data.
|
||||
There are 14 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -336,7 +336,7 @@ ID | Technique | Weakness | Description | Confidence
|
|||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 7 more TTP items available. Please use our online service to access the data.
|
||||
There are 5 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -347,48 +347,49 @@ ID | Type | Indicator | Confidence
|
|||
1 | File | `/CMD_ACCOUNT_ADMIN` | High
|
||||
2 | File | `/config/getuser` | High
|
||||
3 | File | `/core/admin/categories.php` | High
|
||||
4 | File | `/data-service/users/` | High
|
||||
4 | File | `/debug/pprof` | Medium
|
||||
5 | File | `/dev/cpu/*/msr` | High
|
||||
6 | File | `/ext/phar/phar_object.c` | High
|
||||
7 | File | `/filemanager/php/connector.php` | High
|
||||
8 | File | `/forum/away.php` | High
|
||||
9 | File | `/front/document.form.php` | High
|
||||
10 | File | `/horde/util/go.php` | High
|
||||
11 | File | `/hostapd` | Medium
|
||||
12 | File | `/include/chart_generator.php` | High
|
||||
13 | File | `/modx/manager/index.php` | High
|
||||
14 | File | `/MTFWU` | Low
|
||||
15 | File | `/my_photo_gallery/image.php` | High
|
||||
6 | File | `/filemanager/php/connector.php` | High
|
||||
7 | File | `/forum/away.php` | High
|
||||
8 | File | `/front/document.form.php` | High
|
||||
9 | File | `/horde/util/go.php` | High
|
||||
10 | File | `/hostapd` | Medium
|
||||
11 | File | `/include/chart_generator.php` | High
|
||||
12 | File | `/modx/manager/index.php` | High
|
||||
13 | File | `/MTFWU` | Low
|
||||
14 | File | `/my_photo_gallery/image.php` | High
|
||||
15 | File | `/public/admin.php` | High
|
||||
16 | File | `/public/login.htm` | High
|
||||
17 | File | `/public/plugins/` | High
|
||||
18 | File | `/rest/api/1.0/render` | High
|
||||
19 | File | `/search.php` | Medium
|
||||
20 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
21 | File | `/siteminderagent/pwcgi/smpwservicescgi.exe` | High
|
||||
22 | File | `/sys/attachment/uploaderServlet` | High
|
||||
23 | File | `/uncpath/` | Medium
|
||||
24 | File | `/user/login/oauth` | High
|
||||
25 | File | `/userRpm/popupSiteSurveyRpm.html` | High
|
||||
26 | File | `/usr/bin/pkexec` | High
|
||||
27 | File | `/wp-admin/admin-ajax.php` | High
|
||||
28 | File | `/wp-json` | Medium
|
||||
29 | File | `/x_program_center/jaxrs/invoke` | High
|
||||
30 | File | `/zm/index.php` | High
|
||||
31 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
32 | File | `102/tcp` | Low
|
||||
33 | File | `802dot1xclientcert.cgi` | High
|
||||
34 | File | `add.exe` | Low
|
||||
35 | File | `admin.php?m=Food&a=addsave` | High
|
||||
36 | File | `admin.remository.php` | High
|
||||
37 | File | `admin/conf_users_edit.php` | High
|
||||
38 | File | `admin/index.php` | High
|
||||
39 | File | `admin/theme-edit.php` | High
|
||||
40 | File | `adminpanel/modules/pro/inc/ajax.php` | High
|
||||
41 | File | `admin_ajax.php?action=checkrepeat` | High
|
||||
42 | File | `affich.php` | Medium
|
||||
43 | ... | ... | ...
|
||||
19 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
20 | File | `/siteminderagent/pwcgi/smpwservicescgi.exe` | High
|
||||
21 | File | `/uncpath/` | Medium
|
||||
22 | File | `/user-utils/users/md5.json` | High
|
||||
23 | File | `/userRpm/popupSiteSurveyRpm.html` | High
|
||||
24 | File | `/usr/bin/pkexec` | High
|
||||
25 | File | `/wp-json` | Medium
|
||||
26 | File | `/x_program_center/jaxrs/invoke` | High
|
||||
27 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
28 | File | `102/tcp` | Low
|
||||
29 | File | `802dot1xclientcert.cgi` | High
|
||||
30 | File | `add.exe` | Low
|
||||
31 | File | `admin.php?m=Food&a=addsave` | High
|
||||
32 | File | `admin.remository.php` | High
|
||||
33 | File | `admin/conf_users_edit.php` | High
|
||||
34 | File | `admin/index.php` | High
|
||||
35 | File | `admin/theme-edit.php` | High
|
||||
36 | File | `adminpanel/modules/pro/inc/ajax.php` | High
|
||||
37 | File | `admin_ajax.php?action=checkrepeat` | High
|
||||
38 | File | `affich.php` | Medium
|
||||
39 | File | `ajax/kanban.php` | High
|
||||
40 | File | `ajax_calls.php` | High
|
||||
41 | File | `akocomments.php` | High
|
||||
42 | File | `api-third-party/download/extdisks../etc/config/account` | High
|
||||
43 | File | `app/topic/action/admin/topic.php` | High
|
||||
44 | ... | ... | ...
|
||||
|
||||
There are 374 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 381 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
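Review bot: `102/tcp` (old row 32, new row 28) is a network port, and the trailer itself lists "network port" as a separate type, yet the row is typed `File`; fix the Type so port-based consumers pick it up. `api-third-party/download/extdisks../etc/config/account` embeds a traversal fragment and belongs under a pattern type for the same reason. The old block numbers both `/data-service/users/` and `/debug/pprof` as row 4, which the renumbering fixes, but the new block silently drops `/search.php`, `/sys/attachment/uploaderServlet`, `/user/login/oauth`, `/wp-admin/admin-ajax.php` and `/zm/index.php` while the trailer grows from 374 to 381, so removals and additions cannot be told apart from the counts; a short changelog would help.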
@ -1,6 +1,6 @@
|
|||
# GRU - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [GRU](https://vuldb.com/?actor.gru). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [GRU](https://vuldb.com/?actor.gru). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.gru](https://vuldb.com/?actor.gru)
|
||||
|
||||
|
@ -8,9 +8,9 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
|
|||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with GRU:
|
||||
|
||||
* US
|
||||
* RO
|
||||
* FR
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [RO](https://vuldb.com/?country.ro)
|
||||
* [FR](https://vuldb.com/?country.fr)
|
||||
* ...
|
||||
|
||||
There are 11 more country items available. Please use our online service to access the data.
|
||||
|
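Review bot: the list presents `US`, `RO` and `FR` without saying which of the two relationships in the lead sentence ("directly (e.g. origin of attacks) or indirectly (e.g. access by proxy)") applies to each, and with 11 further entries behind the online service a reader cannot separate origin from proxy or victim infrastructure; tag each entry with its relationship, or split the list in two.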
@ -21,9 +21,9 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
|
|||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 77.83.247.81 | - | - | High
|
||||
2 | 93.115.28.161 | - | - | High
|
||||
3 | 95.141.36.180 | seflow9.neopoly.de | - | High
|
||||
1 | [77.83.247.81](https://vuldb.com/?ip.77.83.247.81) | - | - | High
|
||||
2 | [93.115.28.161](https://vuldb.com/?ip.93.115.28.161) | - | - | High
|
||||
3 | [95.141.36.180](https://vuldb.com/?ip.95.141.36.180) | seflow9.neopoly.de | - | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 7 more IOC items available. Please use our online service to access the data.
|
||||
|
@ -39,7 +39,7 @@ ID | Technique | Weakness | Description | Confidence
|
|||
3 | T1211 | CWE-254 | 7PK Security Features | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 3 more TTP items available. Please use our online service to access the data.
|
||||
There are 2 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
|
|
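Review bot: `3 | T1211 | CWE-254 | 7PK Security Features | High` pairs an ATT&CK technique with a CWE category label (CWE-254 is the Seven Pernicious Kingdoms "Security Features" grouping, not a concrete weakness), so the Description tells the reader nothing about the mapped behaviour; use the technique name (T1211 is Exploitation for Defense Evasion) or the specific CWE. The trailer drops from 3 to 2 with no visible row changed, so the removed technique is invisible here; a changelog line would help.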
@ -92,7 +92,7 @@ ID | Type | Indicator | Confidence
|
|||
37 | File | `arch/powerpc/kernel/idle_book3s.S` | High
|
||||
38 | ... | ... | ...
|
||||
|
||||
There are 326 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 328 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -60,7 +60,7 @@ ID | Technique | Weakness | Description | Confidence
|
|||
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 8 more TTP items available. Please use our online service to access the data.
|
||||
There are 7 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -98,14 +98,13 @@ ID | Type | Indicator | Confidence
|
|||
28 | File | `/rest/api/2/search` | High
|
||||
29 | File | `/s/` | Low
|
||||
30 | File | `/scripts/cpan_config` | High
|
||||
31 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
32 | File | `/server-info` | Medium
|
||||
33 | File | `/tmp` | Low
|
||||
34 | File | `/tmp/app/.env` | High
|
||||
35 | File | `/tmp/kamailio_ctl` | High
|
||||
36 | File | `/tmp/kamailio_fifo` | High
|
||||
37 | File | `/ucms/index.php?do=list_edit` | High
|
||||
38 | ... | ... | ...
|
||||
31 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
32 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
33 | File | `/server-info` | Medium
|
||||
34 | File | `/tmp` | Low
|
||||
35 | File | `/tmp/app/.env` | High
|
||||
36 | File | `/tmp/kamailio_ctl` | High
|
||||
37 | ... | ... | ...
|
||||
|
||||
There are 322 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
|
|
|
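Review bot: `29 | File | `/s/` | Low` and `33 | File | `/tmp` | Low` are so short that they match a large share of benign requests and file activity; indicators this generic produce noise rather than detections, so either drop the Low-confidence one-segment paths or pair each with the full pattern it was derived from. The change removes `/tmp/kamailio_fifo` and `/ucms/index.php?do=list_edit` and adds `/secure/admin/InsightDefaultCustomFieldConfig.jspa` while the trailer stays at 322, which is consistent (two out, one in) but worth a note so the unchanged count is not read as unchanged data.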
@ -160,7 +160,7 @@ ID | Technique | Weakness | Description | Confidence
|
|||
3 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 8 more TTP items available. Please use our online service to access the data.
|
||||
There are 7 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -178,30 +178,30 @@ ID | Type | Indicator | Confidence
|
|||
8 | File | `/dev/dri/card1` | High
|
||||
9 | File | `/domain/service/.ewell-known/caldav` | High
|
||||
10 | File | `/download` | Medium
|
||||
11 | File | `/etc/hosts` | Medium
|
||||
12 | File | `/formWlanSetup` | High
|
||||
13 | File | `/goform/setIPv6Status` | High
|
||||
14 | File | `/images` | Low
|
||||
15 | File | `/include/chart_generator.php` | High
|
||||
16 | File | `/InternalPages/ExecuteTask.aspx` | High
|
||||
17 | File | `/modules/profile/index.php` | High
|
||||
18 | File | `/monitoring` | Medium
|
||||
19 | File | `/music/ajax.php` | High
|
||||
20 | File | `/pandora_console/ajax.php` | High
|
||||
21 | File | `/plugins/servlet/audit/resource` | High
|
||||
22 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
|
||||
23 | File | `/proc/<pid>/status` | High
|
||||
24 | File | `/public/plugins/` | High
|
||||
25 | File | `/rest/api/1.0/render` | High
|
||||
26 | File | `/RestAPI` | Medium
|
||||
27 | File | `/SASWebReportStudio/logonAndRender.do` | High
|
||||
28 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
29 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
30 | File | `/tmp` | Low
|
||||
31 | File | `/uncpath/` | Medium
|
||||
11 | File | `/formWlanSetup` | High
|
||||
12 | File | `/goform/setIPv6Status` | High
|
||||
13 | File | `/images` | Low
|
||||
14 | File | `/include/chart_generator.php` | High
|
||||
15 | File | `/InternalPages/ExecuteTask.aspx` | High
|
||||
16 | File | `/modules/profile/index.php` | High
|
||||
17 | File | `/monitoring` | Medium
|
||||
18 | File | `/music/ajax.php` | High
|
||||
19 | File | `/pandora_console/ajax.php` | High
|
||||
20 | File | `/plugins/servlet/audit/resource` | High
|
||||
21 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
|
||||
22 | File | `/proc/<pid>/status` | High
|
||||
23 | File | `/public/plugins/` | High
|
||||
24 | File | `/rest/api/1.0/render` | High
|
||||
25 | File | `/RestAPI` | Medium
|
||||
26 | File | `/SASWebReportStudio/logonAndRender.do` | High
|
||||
27 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
28 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
29 | File | `/tmp` | Low
|
||||
30 | File | `/uncpath/` | Medium
|
||||
31 | File | `/var/log/nginx` | High
|
||||
32 | ... | ... | ...
|
||||
|
||||
There are 276 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 269 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
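Review bot: `/domain/service/.ewell-known/caldav` (row 9) reads like a typo for the standard `.well-known` path; if the source advisory really uses `.ewell-known`, say so on the row, otherwise a matcher keyed on this string will never fire (the same string appears in the `@ -53,32` hunk below, so check both). Removing `/etc/hosts` and adding `/var/log/nginx` shifts every ID from 11 to 31 while the trailer falls from 276 to 269, so seven hidden entries also went away; consumers who key on row IDs will be misaligned, so prefer stable identifiers over sequence numbers.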
|

@ -53,32 +53,32 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/api/notify.php` | High
2 | File | `/domain/service/.ewell-known/caldav` | High
3 | File | `/etc/passwd` | Medium
4 | File | `/formAdvFirewall` | High
5 | File | `/master/article.php` | High
6 | File | `/mobile/SelectUsers.jsp` | High
7 | File | `/ProteinArraySignificanceTest.json` | High
8 | File | `/usr/local/bin/mjs` | High
9 | File | `/web` | Low
10 | File | `admin/bad.php` | High
11 | File | `admin/dl_sendmail.php` | High
12 | File | `admin/pages/useredit.php` | High
13 | File | `AdminBaseController.class.php` | High
14 | File | `AlertReceiver.java` | High
15 | File | `AndroidFuture.java` | High
16 | File | `AndroidManifest.xml` | High
17 | File | `api/info.php` | Medium
18 | File | `attach.c` | Medium
19 | File | `backup_xi.sh` | Medium
20 | File | `box_code_apple.c` | High
21 | File | `bugs.aspx` | Medium
22 | File | `bug_actiongroup.php` | High
23 | File | `bug_report_page.php` | High
1 | File | `/admin/page_edit/3` | High
2 | File | `/api/notify.php` | High
3 | File | `/domain/service/.ewell-known/caldav` | High
4 | File | `/etc/passwd` | Medium
5 | File | `/formAdvFirewall` | High
6 | File | `/master/article.php` | High
7 | File | `/mobile/SelectUsers.jsp` | High
8 | File | `/ProteinArraySignificanceTest.json` | High
9 | File | `/usr/local/bin/mjs` | High
10 | File | `/web` | Low
11 | File | `admin/bad.php` | High
12 | File | `admin/dl_sendmail.php` | High
13 | File | `admin/pages/useredit.php` | High
14 | File | `AdminBaseController.class.php` | High
15 | File | `AlertReceiver.java` | High
16 | File | `AndroidFuture.java` | High
17 | File | `AndroidManifest.xml` | High
18 | File | `api/info.php` | Medium
19 | File | `attach.c` | Medium
20 | File | `backup_xi.sh` | Medium
21 | File | `box_code_apple.c` | High
22 | File | `bugs.aspx` | Medium
23 | File | `bug_actiongroup.php` | High
24 | ... | ... | ...

There are 196 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 198 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

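Review bot: one inserted entry (`1 | File | `/admin/page_edit/3` | High`) renumbers all 23 visible rows, so the hunk rewrites 23 lines to express a single-row addition and pushes `bug_report_page.php` past the `...` cutoff without it actually being removed; the count line moving from 196 to 198 shows a second addition that sits in the hidden tail. Dropping the positional ID column, or sorting and committing the full list, would make additions one-line diffs that a reviewer can actually read.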

@ -235,20 +235,24 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/front/document.form.php` | High
2 | File | `/members/view_member.php` | High
3 | File | `/ms/file/uploadTemplate.do` | High
4 | File | `/MTFWU` | Low
5 | File | `/SASWebReportStudio/logonAndRender.do` | High
6 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
7 | File | `/secure/admin/ViewInstrumentation.jspa` | High
8 | File | `/template/unzip.do` | High
9 | File | `/tmp` | Low
10 | File | `/x_program_center/jaxrs/invoke` | High
11 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
12 | ... | ... | ...
1 | File | `/admin-panel1.php` | High
2 | File | `/admin/files` | Medium
3 | File | `/admin/options` | High
4 | File | `/admin/page_edit/3` | High
5 | File | `/admin_page/all-files-update-ajax.php` | High
6 | File | `/api/servers` | Medium
7 | File | `/front/document.form.php` | High
8 | File | `/members/view_member.php` | High
9 | File | `/ms/file/uploadTemplate.do` | High
10 | File | `/MTFWU` | Low
11 | File | `/ok_jpg.c` | Medium
12 | File | `/ok_png.c` | Medium
13 | File | `/rest/jpo/1.0/hierarchyConfiguration` | High
14 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
15 | File | `/secure/admin/ViewInstrumentation.jspa` | High
16 | ... | ... | ...

There are 93 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 127 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

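Review bot: the visible window gains nine indicators (`/admin-panel1.php` through `/rest/jpo/1.0/hierarchyConfiguration`) and loses `/template/unzip.do`, `/tmp`, `/x_program_center/jaxrs/invoke` and `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` to the `...` cutoff, but the count line rising from 93 to 127 is the only record of everything else that changed; whether the four displaced entries still exist below the cutoff cannot be told from the hunk. A generated summary of added and removed indicators alongside the table would make this data update reviewable.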

@ -1,6 +1,6 @@
# Lock360 - Cyber Threat Intelligence

These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Lock360](https://vuldb.com/?actor.lock360). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Lock360](https://vuldb.com/?actor.lock360). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.lock360](https://vuldb.com/?actor.lock360)

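Review bot: the same two wording changes ("collected" to "reported, collected, and generated" and "is able to forecast" to "uses _big data_ to forecast") are repeated as identical one-line edits in every actor file touched by this commit (Lorec53, Magecart, MalKamak and LokiBot show the same pair). The intro paragraph should come from a single template in the generator so a wording change is one edit rather than one per actor, which would also keep older files such as LokiBot's from drifting to a different phrasing.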

@ -1,116 +1,107 @@
# LokiBot - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [LokiBot](https://vuldb.com/?actor.lokibot). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [LokiBot](https://vuldb.com/?actor.lokibot). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.lokibot](https://vuldb.com/?actor.lokibot)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.lokibot](https://vuldb.com/?actor.lokibot)

## Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with LokiBot:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with LokiBot:

* ES
* US
* CN
* [US](https://vuldb.com/?country.us)
* [VN](https://vuldb.com/?country.vn)
* [CN](https://vuldb.com/?country.cn)
* ...

There are 12 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of LokiBot.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of LokiBot.

ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 15.197.142.173 | a4ec4c6ea1c92e2e6.awsglobalaccelerator.com | High
2 | 23.21.173.155 | ec2-23-21-173-155.compute-1.amazonaws.com | Medium
3 | 23.21.211.162 | ec2-23-21-211-162.compute-1.amazonaws.com | Medium
4 | 23.95.132.48 | 23-95-132-48-host.colocrossing.com | High
5 | 31.220.52.219 | workshop.piguno.com | High
6 | 34.102.136.180 | 180.136.102.34.bc.googleusercontent.com | Medium
7 | 35.247.234.230 | 230.234.247.35.bc.googleusercontent.com | Medium
8 | 37.235.1.174 | resolver1.freedns.zone.powered.by.virtexxa.com | High
9 | 37.235.1.177 | resolver2.freedns.zone.powered.by.virtexxa.com | High
10 | 45.33.83.75 | li1029-75.members.linode.com | High
11 | 45.147.229.85 | - | High
12 | 50.16.216.118 | ec2-50-16-216-118.compute-1.amazonaws.com | Medium
13 | 50.19.92.227 | ec2-50-19-92-227.compute-1.amazonaws.com | Medium
14 | 52.60.87.163 | ec2-52-60-87-163.ca-central-1.compute.amazonaws.com | Medium
15 | 54.225.78.40 | ec2-54-225-78-40.compute-1.amazonaws.com | Medium
16 | 54.225.165.85 | ec2-54-225-165-85.compute-1.amazonaws.com | Medium
17 | 54.225.245.108 | ec2-54-225-245-108.compute-1.amazonaws.com | Medium
18 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [15.197.142.173](https://vuldb.com/?ip.15.197.142.173) | a4ec4c6ea1c92e2e6.awsglobalaccelerator.com | - | High
2 | [23.21.173.155](https://vuldb.com/?ip.23.21.173.155) | ec2-23-21-173-155.compute-1.amazonaws.com | - | Medium
3 | [23.21.211.162](https://vuldb.com/?ip.23.21.211.162) | ec2-23-21-211-162.compute-1.amazonaws.com | - | Medium
4 | [23.95.132.48](https://vuldb.com/?ip.23.95.132.48) | 23-95-132-48-host.colocrossing.com | - | High
5 | [31.220.52.219](https://vuldb.com/?ip.31.220.52.219) | workshop.piguno.com | - | High
6 | [34.102.136.180](https://vuldb.com/?ip.34.102.136.180) | 180.136.102.34.bc.googleusercontent.com | - | Medium
7 | [35.247.234.230](https://vuldb.com/?ip.35.247.234.230) | 230.234.247.35.bc.googleusercontent.com | - | Medium
8 | [37.235.1.174](https://vuldb.com/?ip.37.235.1.174) | resolver1.freedns.zone.powered.by.virtexxa.com | - | High
9 | [37.235.1.177](https://vuldb.com/?ip.37.235.1.177) | resolver2.freedns.zone.powered.by.virtexxa.com | - | High
10 | [45.33.83.75](https://vuldb.com/?ip.45.33.83.75) | li1029-75.members.linode.com | - | High
11 | [45.147.229.85](https://vuldb.com/?ip.45.147.229.85) | - | - | High
12 | [50.16.216.118](https://vuldb.com/?ip.50.16.216.118) | ec2-50-16-216-118.compute-1.amazonaws.com | - | Medium
13 | [50.19.92.227](https://vuldb.com/?ip.50.19.92.227) | ec2-50-19-92-227.compute-1.amazonaws.com | - | Medium
14 | [52.60.87.163](https://vuldb.com/?ip.52.60.87.163) | ec2-52-60-87-163.ca-central-1.compute.amazonaws.com | - | Medium
15 | [54.225.78.40](https://vuldb.com/?ip.54.225.78.40) | ec2-54-225-78-40.compute-1.amazonaws.com | - | Medium
16 | [54.225.165.85](https://vuldb.com/?ip.54.225.165.85) | ec2-54-225-165-85.compute-1.amazonaws.com | - | Medium
17 | [54.225.245.108](https://vuldb.com/?ip.54.225.245.108) | ec2-54-225-245-108.compute-1.amazonaws.com | - | Medium
18 | [54.235.88.121](https://vuldb.com/?ip.54.235.88.121) | ec2-54-235-88-121.compute-1.amazonaws.com | - | Medium
19 | ... | ... | ... | ...

There are 68 more IOC items available. Please use our online service to access the data.
There are 71 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by LokiBot. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by LokiBot. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 8 more TTP items available. Please use our online service to access the data.
There are 6 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by LokiBot. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by LokiBot. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/.htpasswd` | Medium
2 | File | `/1/?type=productinfo&S_id=140` | High
3 | File | `/academico/aluno/esqueci-minha-senha/` | High
4 | File | `/admin/config.php?display=disa&view=form` | High
5 | File | `/admin/syslog` | High
6 | File | `/api/blade-log/api/list` | High
7 | File | `/api/resource/Item?fields` | High
8 | File | `/aterm_httpif.cgi/negotiate` | High
9 | File | `/attachments.php` | High
10 | File | `/category_view.php` | High
11 | File | `/cgi-bin/wapopen` | High
12 | File | `/cms?section=manage_settings&action=edit` | High
13 | File | `/contingency/servlet/ServletFileDownload` | High
14 | File | `/data/inc/images.php` | High
15 | File | `/docs/captcha_(number).jpeg` | High
16 | File | `/etc/keystone/user-project-map.json` | High
17 | File | `/etc/sysctl.d/10-ptrace.conf` | High
18 | File | `/forum/` | Low
19 | File | `/goform/SystemCommand` | High
20 | File | `/index.php/admin/admin_manage/add.html` | High
21 | File | `/index.php/newsletter/subscriber/new/` | High
22 | File | `/knowage/restful-services/documentnotes/saveNote` | High
23 | File | `/magnoliaAuthor/.magnolia/` | High
24 | File | `/main.php` | Medium
25 | File | `/newsDia.php` | Medium
26 | File | `/objects/getSpiritsFromVideo.php` | High
27 | File | `/owa/auth/logon.aspx` | High
28 | File | `/product` | Medium
29 | File | `/reports-viewScriptReport.view` | High
30 | File | `/restapi/v1/certificates/FFM-SSLInspect` | High
31 | File | `/romfile.cfg` | Medium
32 | File | `/servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet` | High
33 | File | `/system/WCore/WHelper.php` | High
34 | File | `/tmp` | Low
35 | File | `/tmp/speedtest_urls.xml` | High
36 | File | `/uncpath/` | Medium
37 | File | `/var/www/xms/cleanzip.sh` | High
38 | File | `/vendor/phpdocumentor/reflection-docblock/tests/phpDocumentor/Reflection/DocBlock/Tag/LinkTagTeet.php` | High
39 | File | `/webconsole/APIController` | High
40 | File | `/webconsole/Controller` | High
41 | File | `AACExtractor.cpp` | High
42 | File | `add_comment.php` | High
43 | File | `admin.htm` | Medium
44 | ... | ... | ...
1 | File | `/.env` | Low
2 | File | `/.ssh/authorized_keys` | High
3 | File | `/car.php` | Medium
4 | File | `/CMD_ACCOUNT_ADMIN` | High
5 | File | `/config/getuser` | High
6 | File | `/context/%2e/WEB-INF/web.xml` | High
7 | File | `/core/admin/categories.php` | High
8 | File | `/dashboards/#` | High
9 | File | `/etc/controller-agent/agent.conf` | High
10 | File | `/etc/postfix/sender_login` | High
11 | File | `/etc/sudoers` | Medium
12 | File | `/etc/tomcat8/Catalina/attack` | High
13 | File | `/filemanager/php/connector.php` | High
14 | File | `/forum/away.php` | High
15 | File | `/fudforum/adm/hlplist.php` | High
16 | File | `/GponForm/fsetup_Form` | High
17 | File | `/log_download.cgi` | High
18 | File | `/modules/profile/index.php` | High
19 | File | `/out.php` | Medium
20 | File | `/public/plugins/` | High
21 | File | `/s/` | Low
22 | File | `/secure/QueryComponent!Default.jspa` | High
23 | File | `/server-info` | Medium
24 | File | `/tmp` | Low
25 | File | `/tmp/app/.env` | High
26 | File | `/tmp/kamailio_ctl` | High
27 | File | `/tmp/kamailio_fifo` | High
28 | File | `/uncpath/` | Medium
29 | File | `/updown/upload.cgi` | High
30 | File | `/usr/bin/at` | Medium
31 | File | `/usr/bin/pkexec` | High
32 | File | `/way4acs/enroll` | High
33 | File | `/WEB-INF/web.xml` | High
34 | ... | ... | ...

There are 384 more IOA items available. Please use our online service to access the data.
There are 287 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:

* https://blog.talosintelligence.com/2021/04/threat-roundup-0423-0430.html
* https://blog.talosintelligence.com/2021/06/threat-roundup-0604-0611.html

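Review bot: the data changes in this hunk have no explanation: the TTP tail goes from "8 more" to "6 more" while the three visible rows only gain a Weakness column, the IOA table is swapped wholesale (43 visible rows replaced by a different 33, count 384 to 287), and the country list drops ES for VN. A commit description naming the regeneration run or re-scoring behind these removals would make them reviewable. Also worth noting: the new Campaign column is `-` on all 18 IOC rows, so it currently carries no information for this actor; consider omitting the column when every cell is empty, as the Lorec53 table shows it is populated only where a campaign is actually known.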

@ -121,11 +112,13 @@ The following list contains external sources which discuss the actor and the ass
* https://blog.talosintelligence.com/2021/10/threat-roundup-1001-1008.html
* https://blog.talosintelligence.com/2021/11/threat-roundup-1029-1105.html
* https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
* https://blog.talosintelligence.com/2022/01/threat-roundup-0121-0128.html
* https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
* https://vxug.fakedoma.in/archive/APTs/2021/2021.01.06(1)/LokiBot%20Infection%20Chain.pdf

## Literature

The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

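Review bot: `https://vxug.fakedoma.in/archive/APTs/2021/2021.01.06(1)/LokiBot%20Infection%20Chain.pdf` in this reference list is a third-party archive mirror rather than the report's original publisher, and the list records bare URLs with no title or date; the Literature section below it shows the repository already uses `[title](url)` entries, so the references should at least carry the report title and the original source so they stay resolvable if the mirror goes away.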

@ -1,6 +1,6 @@
# Lorec53 - Cyber Threat Intelligence

These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Lorec53](https://vuldb.com/?actor.lorec53). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Lorec53](https://vuldb.com/?actor.lorec53). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.lorec53](https://vuldb.com/?actor.lorec53)


@ -14,9 +14,9 @@ The following _campaigns_ are known and can be associated with Lorec53:

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Lorec53:

* RU
* FR
* IT
* [RU](https://vuldb.com/?country.ru)
* [FR](https://vuldb.com/?country.fr)
* [IT](https://vuldb.com/?country.it)
* ...

There are 1 more country items available. Please use our online service to access the data.

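Review bot: `There are 1 more country items available.` in the unchanged tail of this hunk is ungrammatical for a count of one; the generator that emits these tail sentences should pluralise conditionally ("There is 1 more country item available."), and the same fix applies to the IOC, TTP and IOA sentences that share the template (see `There are 1 more TTP items available.` in the MalKamak file).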

@ -27,9 +27,9 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 45.12.5.62 | sarimp.website | - | High
2 | 45.146.165.91 | - | Phishing Georgian Government | High
3 | 185.244.41.109 | - | - | High
1 | [45.12.5.62](https://vuldb.com/?ip.45.12.5.62) | sarimp.website | - | High
2 | [45.146.165.91](https://vuldb.com/?ip.45.146.165.91) | - | Phishing Georgian Government | High
3 | [185.244.41.109](https://vuldb.com/?ip.185.244.41.109) | - | - | High

## TTP - Tactics, Techniques, Procedures

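Review bot: only the IP cells are turned into `https://vuldb.com/?ip.<address>` links here, while the hostname `sarimp.website` and the campaign `Phishing Georgian Government` stay plain text, so the table now mixes linked and unlinked identifiers in adjacent columns; either link campaigns to their entry as well (the Campaigns section above already names them) or state in the section intro that only IP addresses resolve to a detail page.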

@ -1,6 +1,6 @@
# Magecart - Cyber Threat Intelligence

These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Magecart](https://vuldb.com/?actor.magecart). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Magecart](https://vuldb.com/?actor.magecart). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.magecart](https://vuldb.com/?actor.magecart)


@ -8,9 +8,9 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Magecart:

* CN
* FR
* IT
* [CN](https://vuldb.com/?country.cn)
* [FR](https://vuldb.com/?country.fr)
* [DE](https://vuldb.com/?country.de)
* ...

There are 14 more country items available. Please use our online service to access the data.

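Review bot: IT is replaced by DE in the visible top three while the tail still reads "14 more country items", so either IT moved below the cutoff and DE above it, or IT was removed and DE added in the same run; the hunk cannot distinguish the two. The full list is at most 17 entries here, so committing it whole instead of three plus `...` would make such changes explicit and cost almost nothing.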

@ -21,13 +21,13 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 5.135.247.141 | ip141.ip-5-135-247.eu | - | High
2 | 5.135.247.142 | ip142.ip-5-135-247.eu | - | High
3 | 5.188.44.32 | - | - | High
4 | 35.246.189.253 | 253.189.246.35.bc.googleusercontent.com | - | Medium
5 | 37.59.47.208 | ns3000975.ip-37-59-47.eu | - | High
6 | 47.254.175.211 | - | - | High
7 | 51.83.209.11 | ip11.ip-51-83-209.eu | - | High
1 | [5.135.247.141](https://vuldb.com/?ip.5.135.247.141) | ip141.ip-5-135-247.eu | - | High
2 | [5.135.247.142](https://vuldb.com/?ip.5.135.247.142) | ip142.ip-5-135-247.eu | - | High
3 | [5.188.44.32](https://vuldb.com/?ip.5.188.44.32) | - | - | High
4 | [35.246.189.253](https://vuldb.com/?ip.35.246.189.253) | 253.189.246.35.bc.googleusercontent.com | - | Medium
5 | [37.59.47.208](https://vuldb.com/?ip.37.59.47.208) | ns3000975.ip-37-59-47.eu | - | High
6 | [47.254.175.211](https://vuldb.com/?ip.47.254.175.211) | - | - | High
7 | [51.83.209.11](https://vuldb.com/?ip.51.83.209.11) | ip11.ip-51-83-209.eu | - | High
8 | ... | ... | ... | ...

There are 27 more IOC items available. Please use our online service to access the data.


@ -43,7 +43,7 @@ ID | Technique | Weakness | Description | Confidence
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 6 more TTP items available. Please use our online service to access the data.
There are 7 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack


@ -51,36 +51,36 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/admin.html?do=user&act=add` | High
2 | File | `/admin/delete_image.php` | High
3 | File | `/admin/login.php` | High
4 | File | `/administrator/components/table_manager/` | High
5 | File | `/changePassword` | High
6 | File | `/check_availability.php` | High
7 | File | `/context/%2e/WEB-INF/web.xml` | High
8 | File | `/data-service/users/` | High
9 | File | `/Hospital-Management-System-master/func.php` | High
10 | File | `/jeecg-boot/sys/user/queryUserByDepId` | High
11 | File | `/jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c` | High
12 | File | `/js/app.js` | Medium
13 | File | `/message-bus/_diagnostics` | High
14 | File | `/ms/cms/content/list.do` | High
15 | File | `/new` | Low
16 | File | `/plugin/jcapture/applet.php` | High
17 | File | `/preferences/tags` | High
18 | File | `/proc/<pid>/status` | High
19 | File | `/public/plugins/` | High
20 | File | `/secure/EditSubscription.jspa` | High
21 | File | `/secure/QueryComponent!Default.jspa` | High
22 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
23 | File | `/tmp` | Low
24 | File | `/uncpath/` | Medium
25 | File | `1.2.2.pl4` | Medium
26 | File | `AccountManagerService.java` | High
27 | File | `acl.c` | Low
1 | File | `/admin/delete_image.php` | High
2 | File | `/admin/login.php` | High
3 | File | `/administrator/components/table_manager/` | High
4 | File | `/changePassword` | High
5 | File | `/context/%2e/WEB-INF/web.xml` | High
6 | File | `/data-service/users/` | High
7 | File | `/Hospital-Management-System-master/func.php` | High
8 | File | `/jeecg-boot/sys/user/queryUserByDepId` | High
9 | File | `/jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c` | High
10 | File | `/js/app.js` | Medium
11 | File | `/message-bus/_diagnostics` | High
12 | File | `/ms/cms/content/list.do` | High
13 | File | `/new` | Low
14 | File | `/plugin/jcapture/applet.php` | High
15 | File | `/preferences/tags` | High
16 | File | `/proc/<pid>/status` | High
17 | File | `/public/plugins/` | High
18 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
19 | File | `/secure/EditSubscription.jspa` | High
20 | File | `/secure/QueryComponent!Default.jspa` | High
21 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
22 | File | `/tmp` | Low
23 | File | `/uncpath/` | Medium
24 | File | `1.2.2.pl4` | Medium
25 | File | `AccountManagerService.java` | High
26 | File | `actions/CompanyDetailsSave.php` | High
27 | File | `ActivityManagerService.java` | High
28 | ... | ... | ...

There are 232 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 234 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

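Review bot: every visible row of both the old and the new table has Type `File`, yet the tail sentence says the 234 hidden items also cover library, argument, input value, pattern and network port; because the table is cut at 27 rows sorted by indicator, the committed sample never shows those types and the Type column looks constant. Grouping by Type, or emitting a per-type count in the tail sentence, would make the file informative on its own. Separately, `/admin.html?do=user&act=add`, `/check_availability.php` and `acl.c` leave the visible window while the count only rises by two, so at least one of them was actually removed rather than displaced; the diff cannot say which.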
@ -1,47 +1,47 @@
|
|||
# MalKamak - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [MalKamak](https://vuldb.com/?actor.malkamak). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [MalKamak](https://vuldb.com/?actor.malkamak). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.malkamak](https://vuldb.com/?actor.malkamak)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.malkamak](https://vuldb.com/?actor.malkamak)
|
||||
|
||||
## Campaigns
|
||||
|
||||
The following campaigns are known and can be associated with MalKamak:
|
||||
The following _campaigns_ are known and can be associated with MalKamak:
|
||||
|
||||
* GhostShell
|
||||
|
||||
## Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with MalKamak:
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with MalKamak:
|
||||
|
||||
* CN
|
||||
* US
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of MalKamak.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of MalKamak.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 50.116.17.41 | li601-41.members.linode.com | High
|
||||
2 | 139.162.120.150 | li1604-150.members.linode.com | High
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [50.116.17.41](https://vuldb.com/?ip.50.116.17.41) | li601-41.members.linode.com | GhostShell | High
|
||||
2 | [139.162.120.150](https://vuldb.com/?ip.139.162.120.150) | li1604-150.members.linode.com | GhostShell | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by MalKamak. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by MalKamak. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1059.007 | Cross Site Scripting | High
|
||||
2 | T1068 | Execution with Unnecessary Privileges | High
|
||||
3 | T1499 | Resource Consumption | High
|
||||
4 | ... | ... | ...
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1499 | CWE-770 | Resource Consumption | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 1 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by MalKamak. This data is unique as it uses our predictive model for actor profiling.
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by MalKamak. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
|
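Review bot: the TTP table pairs ATT&CK T1059.007 with CWE-79 / Cross Site Scripting, but T1059.007 is Command and Scripting Interpreter: JavaScript, an execution technique, while XSS is a web application weakness with no execution-technique counterpart; the same row recurs in the OnePercent table in this commit, so the pairing comes from the generator rather than a single data point. Suggest either dropping the CWE-79 pairing or labelling the Weakness column as a heuristic correlation instead of an ATT&CK mapping. Minor: the remaining-count template emits "There are 1 more TTP items available" and needs a singular form.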
@ -50,17 +50,17 @@ ID | Type | Indicator | Confidence
|
|||
3 | File | `/tmp` | Low
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 6 more IOA items available. Please use our online service to access the data.
|
||||
There are 6 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://www.cybereason.com/blog/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
@ -1,31 +1,31 @@
|
|||
# Monarchy - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Monarchy](https://vuldb.com/?actor.monarchy). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Monarchy](https://vuldb.com/?actor.monarchy). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.monarchy](https://vuldb.com/?actor.monarchy)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.monarchy](https://vuldb.com/?actor.monarchy)
|
||||
|
||||
## Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Monarchy:
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Monarchy:
|
||||
|
||||
* US
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Monarchy.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Monarchy.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 45.76.47.218 | 45.76.47.218.vultr.com | Medium
|
||||
2 | 134.122.87.198 | - | High
|
||||
3 | 178.128.163.233 | gpsurgerydatabase-staging.assura.uk | High
|
||||
4 | ... | ... | ...
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [45.76.47.218](https://vuldb.com/?ip.45.76.47.218) | 45.76.47.218.vultr.com | - | Medium
|
||||
2 | [134.122.87.198](https://vuldb.com/?ip.134.122.87.198) | - | - | High
|
||||
3 | [178.128.163.233](https://vuldb.com/?ip.178.128.163.233) | gpsurgerydatabase-staging.assura.uk | - | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 1 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Monarchy. This data is unique as it uses our predictive model for actor profiling.
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Monarchy. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
|
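Review bot: the IOC hostnames look like provider or third-party assets rather than actor-registered infrastructure: row 1 (`45.76.47.218.vultr.com`) is a cloud provider's default reverse DNS, and row 3 (`gpsurgerydatabase-staging.assura.uk`) reads like someone else's staging host, yet row 3 is rated High with no campaign and no cited source. Shared cloud addresses are reassigned frequently, so each row should carry an observation date and the reference it was taken from, and hosts that may be compromised third parties should be marked as such before the rating is used for blocking.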
@ -33,13 +33,13 @@ ID | Type | Indicator | Confidence
|
|||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# MuddyWater - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [MuddyWater](https://vuldb.com/?actor.muddywater). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [MuddyWater](https://vuldb.com/?actor.muddywater). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.muddywater](https://vuldb.com/?actor.muddywater)
|
||||
|
||||
|
@ -9,18 +9,22 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
|
|||
The following _campaigns_ are known and can be associated with MuddyWater:
|
||||
|
||||
* BlackWater
|
||||
* Ligolo
|
||||
* Seedworm
|
||||
* ...
|
||||
|
||||
There are 1 more campaign items available. Please use our online service to access the data.
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with MuddyWater:
|
||||
|
||||
* US
|
||||
* GB
|
||||
* RU
|
||||
* [JP](https://vuldb.com/?country.jp)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [GB](https://vuldb.com/?country.gb)
|
||||
* ...
|
||||
|
||||
There are 9 more country items available. Please use our online service to access the data.
|
||||
There are 13 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -28,17 +32,22 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
|
|||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 1.5.1.1 | - | - | High
|
||||
2 | 5.9.0.155 | static.155.0.9.5.clients.your-server.de | - | High
|
||||
3 | 5.199.133.149 | ve958.venus.servdiscount-customer.com | - | High
|
||||
4 | 7.236.212.22 | - | - | High
|
||||
5 | 31.171.154.67 | - | Seedworm | High
|
||||
6 | 38.132.99.167 | - | BlackWater | High
|
||||
7 | 46.99.148.96 | - | Seedworm | High
|
||||
8 | 66.219.22.235 | core96.hostingmadeeasy.com | - | High
|
||||
9 | ... | ... | ... | ...
|
||||
1 | [1.5.1.1](https://vuldb.com/?ip.1.5.1.1) | - | - | High
|
||||
2 | [5.9.0.155](https://vuldb.com/?ip.5.9.0.155) | static.155.0.9.5.clients.your-server.de | - | High
|
||||
3 | [5.199.133.149](https://vuldb.com/?ip.5.199.133.149) | ve958.venus.servdiscount-customer.com | - | High
|
||||
4 | [7.236.212.22](https://vuldb.com/?ip.7.236.212.22) | - | - | High
|
||||
5 | [31.171.154.67](https://vuldb.com/?ip.31.171.154.67) | - | Seedworm | High
|
||||
6 | [38.132.99.167](https://vuldb.com/?ip.38.132.99.167) | - | BlackWater | High
|
||||
7 | [45.142.212.61](https://vuldb.com/?ip.45.142.212.61) | vm218389.pq.hosting | - | High
|
||||
8 | [45.142.213.17](https://vuldb.com/?ip.45.142.213.17) | vm218393.pq.hosting | - | High
|
||||
9 | [45.153.231.104](https://vuldb.com/?ip.45.153.231.104) | vm218397.pq.hosting | - | High
|
||||
10 | [46.99.148.96](https://vuldb.com/?ip.46.99.148.96) | - | Seedworm | High
|
||||
11 | [46.166.129.159](https://vuldb.com/?ip.46.166.129.159) | gcn.warrirge.com | - | High
|
||||
12 | [66.219.22.235](https://vuldb.com/?ip.66.219.22.235) | core96.hostingmadeeasy.com | - | High
|
||||
13 | [78.129.139.134](https://vuldb.com/?ip.78.129.139.134) | der134.creditloanlenders.com | - | High
|
||||
14 | ... | ... | ... | ...
|
||||
|
||||
There are 31 more IOC items available. Please use our online service to access the data.
|
||||
There are 50 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
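Review bot: rows 1 and 4 (`1.5.1.1`, `7.236.212.22`) have no hostname, no campaign and no cited source but are rated High, and the newly added rows 7 to 9 (`vm218389`, `vm218393` and `vm218397` on pq.hosting, sequentially numbered VMs at one provider) form a useful pivot cluster that is likewise unattributed. Suggest adding a source column (the References section already lists the reports) and first/last-seen dates, so the jump in the remaining count from 31 to 50 can be audited rather than taken on trust.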
@ -51,7 +60,7 @@ ID | Technique | Weakness | Description | Confidence
|
|||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 8 more TTP items available. Please use our online service to access the data.
|
||||
There are 9 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
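Review bot: row 3 pairs CWE-798 with the description "Improper Restriction of Excessive Authentication Attempts"; that description is the title of CWE-307, whereas CWE-798 is Use of Hard-coded Credentials. For T1110.001 (Brute Force: Password Guessing) CWE-307 is the matching weakness, so either the CWE id or the description cell is wrong and the row should be corrected.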
@ -59,38 +68,36 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `%PROGRAMFILES%\MyQ\PHP\Sessions\` | High
|
||||
2 | File | `/.env` | Low
|
||||
3 | File | `/.flatpak-info` | High
|
||||
4 | File | `/convert/html` | High
|
||||
5 | File | `/etc/ajenti/config.yml` | High
|
||||
6 | File | `/etc/passwd` | Medium
|
||||
7 | File | `/forum/away.php` | High
|
||||
8 | File | `/login` | Low
|
||||
9 | File | `/movie.php` | Medium
|
||||
10 | File | `/nagiosxi/admin/graphtemplates.php` | High
|
||||
11 | File | `/phppath/php` | Medium
|
||||
12 | File | `/search_events.php` | High
|
||||
13 | File | `/StartingPage/link_req_2.php` | High
|
||||
14 | File | `/uncpath/` | Medium
|
||||
15 | File | `/usr/bin/pkexec` | High
|
||||
16 | File | `/ViewUserHover.jspa` | High
|
||||
17 | File | `/WWW//app/admin/controller/admincontroller.php` | High
|
||||
18 | File | `abook_database.php` | High
|
||||
19 | File | `admin.php` | Medium
|
||||
20 | File | `admin/admin.shtml` | High
|
||||
21 | File | `admin/AJAX_lookup_handler.php` | High
|
||||
22 | File | `admin/bitrix.xscan_worker.php` | High
|
||||
23 | File | `admin/config.php` | High
|
||||
24 | File | `admin/general.php` | High
|
||||
25 | File | `admin/login.asp` | High
|
||||
26 | File | `admin/movieedit.php` | High
|
||||
27 | File | `affich.php` | Medium
|
||||
28 | File | `ahcache.sys` | Medium
|
||||
29 | File | `ajax/api/hook/getHookList` | High
|
||||
30 | ... | ... | ...
|
||||
1 | File | `/admin/configure.php` | High
|
||||
2 | File | `/admin/login.php` | High
|
||||
3 | File | `/api/trackedEntityInstances` | High
|
||||
4 | File | `/appliance/users?action=edit` | High
|
||||
5 | File | `/cgi-bin/kerbynet` | High
|
||||
6 | File | `/css/..%2f` | Medium
|
||||
7 | File | `/etc/tomcat8/Catalina/attack` | High
|
||||
8 | File | `/etc/wpa_supplicant.conf` | High
|
||||
9 | File | `/files/$username/Myfolder/Mysubfolder/shared.txt` | High
|
||||
10 | File | `/formSetPortTr` | High
|
||||
11 | File | `/forum/away.php` | High
|
||||
12 | File | `/getcfg.php` | Medium
|
||||
13 | File | `/GetCopiedFile` | High
|
||||
14 | File | `/hdf5/src/H5T.c` | High
|
||||
15 | File | `/include/chart_generator.php` | High
|
||||
16 | File | `/jerry-core/parser/js/js-scanner-util.c` | High
|
||||
17 | File | `/modules/profile/index.php` | High
|
||||
18 | File | `/music/ajax.php` | High
|
||||
19 | File | `/opensis/functions/GetStuListFnc.php` | High
|
||||
20 | File | `/owa/auth/logon.aspx` | High
|
||||
21 | File | `/post/editing` | High
|
||||
22 | File | `/product.php` | Medium
|
||||
23 | File | `/product_list.php` | High
|
||||
24 | File | `/public/plugins/` | High
|
||||
25 | File | `/RestAPI` | Medium
|
||||
26 | File | `/rsms/` | Low
|
||||
27 | File | `/secure/admin/AssociatedProjectsForCustomField.jspa` | High
|
||||
28 | ... | ... | ...
|
||||
|
||||
There are 259 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 234 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
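Review bot: the visible IOA list is almost entirely replaced between the two versions (only `/forum/away.php` survives, moving from row 7 to row 11), and the new entries are generic application paths (`/admin/login.php`, `/owa/auth/logon.aspx`, `/product.php`), a traversal pattern (`/css/..%2f`) and source-file paths from vulnerability advisories (`/hdf5/src/H5T.c`, `/jerry-core/parser/js/js-scanner-util.c`) that are not observable on a target at all. Rules keyed on these will mostly match legitimate traffic or nothing; the section should state the selection criterion and how stable the entries are, otherwise a consumer cannot distinguish a model refresh from new observations.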
@ -102,7 +109,9 @@ The following list contains _external sources_ which discuss the actor and the a
|
|||
* https://securelist.com/muddywater/88059/
|
||||
* https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-espionage-group
|
||||
* https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/
|
||||
* https://www.cisa.gov/uscert/ncas/alerts/aa22-055a
|
||||
* https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf
|
||||
* https://www.mandiant.com/resources/telegram-malware-iranian-espionage
|
||||
* https://www.threatminer.org/_reports/2019/TheMuddyWatersofAPTAttacks-CheckPointResearch.pdf#viewer.action=download
|
||||
|
||||
## Literature
|
||||
|
|
|
@ -1,49 +1,49 @@
|
|||
# OnePercent - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [OnePercent](https://vuldb.com/?actor.onepercent). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [OnePercent](https://vuldb.com/?actor.onepercent). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.onepercent](https://vuldb.com/?actor.onepercent)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.onepercent](https://vuldb.com/?actor.onepercent)
|
||||
|
||||
## Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with OnePercent:
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with OnePercent:
|
||||
|
||||
* US
|
||||
* IR
|
||||
* RU
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [IR](https://vuldb.com/?country.ir)
|
||||
* [RU](https://vuldb.com/?country.ru)
|
||||
* ...
|
||||
|
||||
There are 4 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of OnePercent.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of OnePercent.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 31.187.64.199 | sophia.onebusinessdesign.info | High
|
||||
2 | 80.82.67.221 | - | High
|
||||
3 | 134.209.203.30 | - | High
|
||||
4 | ... | ... | ...
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [31.187.64.199](https://vuldb.com/?ip.31.187.64.199) | sophia.onebusinessdesign.info | - | High
|
||||
2 | [80.82.67.221](https://vuldb.com/?ip.80.82.67.221) | - | - | High
|
||||
3 | [134.209.203.30](https://vuldb.com/?ip.134.209.203.30) | - | - | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 4 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by OnePercent. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by OnePercent. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1059.007 | Cross Site Scripting | High
|
||||
2 | T1068 | Execution with Unnecessary Privileges | High
|
||||
3 | T1211 | 7PK Security Features | High
|
||||
4 | ... | ... | ...
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-266 | Execution with Unnecessary Privileges | High
|
||||
3 | T1211 | CWE-254 | 7PK Security Features | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 2 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by OnePercent. This data is unique as it uses our predictive model for actor profiling.
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by OnePercent. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
|
@ -56,17 +56,17 @@ ID | Type | Indicator | Confidence
|
|||
7 | File | `admin/index.php?n=ui_set&m=admin&c=index&a=doget_text_content&table=lang&field=1` | High
|
||||
8 | ... | ... | ...
|
||||
|
||||
There are 60 more IOA items available. Please use our online service to access the data.
|
||||
There are 60 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://www.ic3.gov/Media/News/2021/210823.pdf
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# Oto Gonderici - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Oto Gonderici](https://vuldb.com/?actor.oto_gonderici). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Oto Gonderici](https://vuldb.com/?actor.oto_gonderici). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.oto_gonderici](https://vuldb.com/?actor.oto_gonderici)
|
||||
|
||||
|
@ -8,9 +8,9 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
|
|||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Oto Gonderici:
|
||||
|
||||
* US
|
||||
* FR
|
||||
* ES
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [FR](https://vuldb.com/?country.fr)
|
||||
* [IR](https://vuldb.com/?country.ir)
|
||||
* ...
|
||||
|
||||
There are 3 more country items available. Please use our online service to access the data.
|
||||
|
@ -21,9 +21,9 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
|
|||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 51.15.225.63 | 63-225-15-51.instances.scw.cloud | - | High
|
||||
2 | 51.158.125.92 | 92-125-158-51.instances.scw.cloud | - | High
|
||||
3 | 54.36.212.133 | ip133.ip-54-36-212.eu | - | High
|
||||
1 | [51.15.225.63](https://vuldb.com/?ip.51.15.225.63) | 63-225-15-51.instances.scw.cloud | - | High
|
||||
2 | [51.158.125.92](https://vuldb.com/?ip.51.158.125.92) | 92-125-158-51.instances.scw.cloud | - | High
|
||||
3 | [54.36.212.133](https://vuldb.com/?ip.54.36.212.133) | ip133.ip-54-36-212.eu | - | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 1 more IOC items available. Please use our online service to access the data.
|
||||
|
@ -39,7 +39,7 @@ ID | Technique | Weakness | Description | Confidence
|
|||
3 | T1222 | CWE-275 | Permission Issues | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 5 more TTP items available. Please use our online service to access the data.
|
||||
There are 4 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
|
|
@ -19,7 +19,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
* [MX](https://vuldb.com/?country.mx)
|
||||
* ...
|
||||
|
||||
There are 3 more country items available. Please use our online service to access the data.
|
||||
There are 6 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -46,12 +46,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techn
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1008 | CWE-757 | Algorithm Downgrade | High
|
||||
2 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
1 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
|
||||
2 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
3 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 10 more TTP items available. Please use our online service to access the data.
|
||||
There are 7 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
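Review bot: the remaining-items line drops from 10 to 7 while the visible change removes one row (T1008 / CWE-757 Algorithm Downgrade) and adds one (T1068 / CWE-264, CWE-284), so three further techniques are dropped silently. Removing T1008 is sound (an algorithm-downgrade weakness is not a fallback-channel technique), but because detection coverage is mapped against these rows, TTP removals should be listed in the commit message.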
@ -59,28 +59,31 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/admin/allergens/edit/1` | High
|
||||
2 | File | `/adminzone/index.php?page=admin-commandr` | High
|
||||
3 | File | `/core/admin/comment.php` | High
|
||||
4 | File | `/data-service/users/` | High
|
||||
5 | File | `/etc/cobbler` | Medium
|
||||
6 | File | `/etc/wpa_supplicant.conf` | High
|
||||
7 | File | `/jeecg-boot/sys/user/queryUserByDepId` | High
|
||||
8 | File | `/js/app.js` | Medium
|
||||
9 | File | `/js/js-parser.c` | High
|
||||
10 | File | `/main?cmd=invalid_browser` | High
|
||||
11 | File | `/ms/file/uploadTemplate.do` | High
|
||||
12 | File | `/northstar/Admin/changePassword.jsp` | High
|
||||
13 | File | `/options/mailman` | High
|
||||
14 | File | `/ping.html` | Medium
|
||||
15 | File | `/projeqtor/tool/saveAttachment.php` | High
|
||||
16 | File | `/SASWebReportStudio/logonAndRender.do` | High
|
||||
17 | File | `/secure/admin/ImporterFinishedPage.jspa` | High
|
||||
18 | File | `/secure/admin/RestoreDefaults.jspa` | High
|
||||
19 | File | `/src/njs_object.c` | High
|
||||
20 | ... | ... | ...
|
||||
1 | File | `/admin-panel1.php` | High
|
||||
2 | File | `/admin/?page=members/view_member` | High
|
||||
3 | File | `/admin/file-manager/` | High
|
||||
4 | File | `/admin/page_edit/3` | High
|
||||
5 | File | `/admin_page/all-files-update-ajax.php` | High
|
||||
6 | File | `/api/servers` | Medium
|
||||
7 | File | `/aya/module/admin/ust_tab_e.inc.php` | High
|
||||
8 | File | `/core/admin/comment.php` | High
|
||||
9 | File | `/etc/cobbler` | Medium
|
||||
10 | File | `/etc/wpa_supplicant.conf` | High
|
||||
11 | File | `/jeecg-boot/sys/user/queryUserByDepId` | High
|
||||
12 | File | `/js/js-parser.c` | High
|
||||
13 | File | `/languages/index.php` | High
|
||||
14 | File | `/main?cmd=invalid_browser` | High
|
||||
15 | File | `/members/view_member.php` | High
|
||||
16 | File | `/ms/file/uploadTemplate.do` | High
|
||||
17 | File | `/northstar/Admin/changePassword.jsp` | High
|
||||
18 | File | `/ok_png.c` | Medium
|
||||
19 | File | `/ping.html` | Medium
|
||||
20 | File | `/projeqtor/tool/saveAttachment.php` | High
|
||||
21 | File | `/rest/jpo/1.0/hierarchyConfiguration` | High
|
||||
22 | File | `/rootfs` | Low
|
||||
23 | ... | ... | ...
|
||||
|
||||
There are 165 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 193 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
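Review bot: the ID column is renumbered whenever entries are inserted (`/core/admin/comment.php` is row 3 before and row 8 after; `/etc/cobbler` moves from 5 to 9), so IDs are not stable identifiers and anyone referencing a row by ID will silently point at a different indicator after this update. Either key rows on the indicator value or keep IDs stable and append new entries.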
@ -125,32 +125,32 @@ ID | Type | Indicator | Confidence
|
|||
2 | File | `/(((a\2)|(a*)\g</-1>/))*/` | High
|
||||
3 | File | `/+CSCOE+/logon.html` | High
|
||||
4 | File | `/alumni/admin/ajax.php?action=save_settings` | High
|
||||
5 | File | `/app/Http/Controllers/Admin/NEditorController.php` | High
|
||||
6 | File | `/auth/session` | High
|
||||
7 | File | `/cfg` | Low
|
||||
8 | File | `/cgi-bin/webproc` | High
|
||||
9 | File | `/config/getuser` | High
|
||||
10 | File | `/etc/passwd` | Medium
|
||||
11 | File | `/exponent_constants.php` | High
|
||||
12 | File | `/front/document.form.php` | High
|
||||
13 | File | `/ibi_apps/WFServlet.cfg` | High
|
||||
14 | File | `/log_download.cgi` | High
|
||||
15 | File | `/modx/manager/index.php` | High
|
||||
16 | File | `/proc/sysvipc/sem` | High
|
||||
17 | File | `/replication` | Medium
|
||||
18 | File | `/rest/collectors/1.0/template/custom` | High
|
||||
19 | File | `/RestAPI` | Medium
|
||||
20 | File | `/search.php` | Medium
|
||||
21 | File | `/SSOPOST/metaAlias/%realm%/idpv2` | High
|
||||
22 | File | `/tmp` | Low
|
||||
23 | File | `/trigger` | Medium
|
||||
24 | File | `/uncpath/` | Medium
|
||||
25 | File | `/user/login/oauth` | High
|
||||
26 | File | `/usr/bin/pkexec` | High
|
||||
27 | File | `/usr/doc` | Medium
|
||||
5 | File | `/auth/session` | High
|
||||
6 | File | `/cfg` | Low
|
||||
7 | File | `/cgi-bin/webproc` | High
|
||||
8 | File | `/config/getuser` | High
|
||||
9 | File | `/etc/passwd` | Medium
|
||||
10 | File | `/exponent_constants.php` | High
|
||||
11 | File | `/front/document.form.php` | High
|
||||
12 | File | `/ibi_apps/WFServlet.cfg` | High
|
||||
13 | File | `/log_download.cgi` | High
|
||||
14 | File | `/proc/sysvipc/sem` | High
|
||||
15 | File | `/replication` | Medium
|
||||
16 | File | `/rest/collectors/1.0/template/custom` | High
|
||||
17 | File | `/RestAPI` | Medium
|
||||
18 | File | `/search.php` | Medium
|
||||
19 | File | `/SSOPOST/metaAlias/%realm%/idpv2` | High
|
||||
20 | File | `/tmp` | Low
|
||||
21 | File | `/trigger` | Medium
|
||||
22 | File | `/uncpath/` | Medium
|
||||
23 | File | `/user/login/oauth` | High
|
||||
24 | File | `/usr/bin/pkexec` | High
|
||||
25 | File | `/usr/doc` | Medium
|
||||
26 | File | `/WEB-INF/web.xml` | High
|
||||
27 | File | `/webpages/data` | High
|
||||
28 | ... | ... | ...
|
||||
|
||||
There are 237 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 238 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
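Review bot: row 2, `/(((a\2)|(a*)\g</-1>/))*/`, is a regular expression, not a file path, yet its Type is File; the count line lists "pattern" among the available types, so it should be retyped. The same hunk also shifts every ID from row 5 onward after `/app/Http/Controllers/Admin/NEditorController.php` and `/modx/manager/index.php` are dropped, so any downstream reference by row number will now point at a neighbouring indicator.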
@ -1,66 +1,101 @@
|
|||
# RedEcho - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [RedEcho](https://vuldb.com/?actor.redecho). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [RedEcho](https://vuldb.com/?actor.redecho). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.redecho](https://vuldb.com/?actor.redecho)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.redecho](https://vuldb.com/?actor.redecho)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with RedEcho:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with RedEcho:
* US
* CN
* HK
* [HK](https://vuldb.com/?country.hk)
* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* ...
There are 2 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of RedEcho.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of RedEcho.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 27.255.92.83 | - | High
2 | 27.255.94.21 | - | High
3 | 27.255.94.29 | - | High
4 | 101.78.177.227 | - | High
5 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [27.255.92.83](https://vuldb.com/?ip.27.255.92.83) | - | - | High
2 | [27.255.94.21](https://vuldb.com/?ip.27.255.94.21) | - | - | High
3 | [27.255.94.29](https://vuldb.com/?ip.27.255.94.29) | - | - | High
4 | [101.78.177.227](https://vuldb.com/?ip.101.78.177.227) | - | - | High
5 | ... | ... | ... | ...
There are 17 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by RedEcho. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by RedEcho. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1211 | 7PK Security Features | High
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1008 | CWE-757 | Algorithm Downgrade | High
2 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
3 | T1068 | CWE-250, CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
4 | ... | ... | ... | ...
There are 10 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by RedEcho. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by RedEcho. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/preauth` | Medium
2 | File | `/usr/bin/pkexec` | High
3 | File | `Adminstrator/Users/Edit/` | High
4 | ... | ... | ...
1 | File | `.htaccess` | Medium
2 | File | `/09/business/upgrade/upcfgAction.php?download=true` | High
3 | File | `/ad_js.php` | Medium
4 | File | `/api/email_accounts` | High
5 | File | `/API/system/admins/session` | High
6 | File | `/cgi-bin/ExportALLSettings.sh` | High
7 | File | `/config/config.php` | High
8 | File | `/context/%2e/WEB-INF/web.xml` | High
9 | File | `/customers/index.php` | High
10 | File | `/DataHandler/AM/AM_Handler.ashx` | High
11 | File | `/DataHandler/HandlerAlarmGroup.ashx` | High
12 | File | `/DataHandler/HandlerEnergyType.ashx` | High
13 | File | `/DataHandler/Handler_CFG.ashx` | High
14 | File | `/ECT_Provider/` | High
15 | File | `/fuel/index.php/fuel/logs/items` | High
16 | File | `/fuel/index.php/fuel/pages/items` | High
17 | File | `/goform/openSchedWifi` | High
18 | File | `/goform/SetNetControlList` | High
19 | File | `/image_zoom.php` | High
20 | File | `/include/config.cache.php` | High
21 | File | `/json/profile/removeStarAjax.do` | High
22 | File | `/oauth/token/request` | High
23 | File | `/plugin/ajax.php` | High
24 | File | `/plugins/servlet/branchreview` | High
25 | File | `/preauth` | Medium
26 | File | `/proc/ioports` | High
27 | File | `/proc/self/exe` | High
28 | File | `/public/plugins/` | High
29 | File | `/rest/api/2/search` | High
30 | File | `/rest/api/latest/groupuserpicker` | High
31 | File | `/rest/api/latest/projectvalidate/key` | High
32 | File | `/rom-0` | Low
33 | File | `/tmp` | Low
34 | File | `/tmp/connlicj.bin` | High
35 | File | `/uncpath/` | Medium
36 | ... | ... | ...
There are 22 more IOA items available. Please use our online service to access the data.
There are 306 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://vxug.fakedoma.in/archive/APTs/2021/2021.02.28/RedEcho%20APT.pdf
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
@ -1,6 +1,6 @@
# Royal Road - Cyber Threat Intelligence
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Royal Road](https://vuldb.com/?actor.royal_road). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Royal Road](https://vuldb.com/?actor.royal_road). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.royal_road](https://vuldb.com/?actor.royal_road)
@ -14,9 +14,9 @@ The following _campaigns_ are known and can be associated with Royal Road:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Royal Road:
* US
* RU
* IT
* [US](https://vuldb.com/?country.us)
* [RU](https://vuldb.com/?country.ru)
* [IT](https://vuldb.com/?country.it)
* ...
There are 13 more country items available. Please use our online service to access the data.
@ -27,9 +27,9 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 138.68.133.211 | share.sawblade.org.uk | Royal Road | High
2 | 185.216.35.11 | - | Royal Road | High
3 | 185.234.73.4 | - | Royal Road | High
1 | [138.68.133.211](https://vuldb.com/?ip.138.68.133.211) | share.sawblade.org.uk | Royal Road | High
2 | [185.216.35.11](https://vuldb.com/?ip.185.216.35.11) | - | Royal Road | High
3 | [185.234.73.4](https://vuldb.com/?ip.185.234.73.4) | - | Royal Road | High
4 | ... | ... | ... | ...
There are 1 more IOC items available. Please use our online service to access the data.
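Review bot: the unchanged trailer `There are 1 more IOC items available.` is not pluralised for a count of 1. Since this change regenerates the IOC table anyway, the generator template should special-case singular counts (`There is 1 more IOC item available.`) instead of hard-coding the plural form.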
@ -1,6 +1,6 @@
# Sandworm Team - Cyber Threat Intelligence
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Sandworm Team](https://vuldb.com/?actor.sandworm_team). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Sandworm Team](https://vuldb.com/?actor.sandworm_team). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.sandworm_team](https://vuldb.com/?actor.sandworm_team)
@ -14,9 +14,9 @@ The following _campaigns_ are known and can be associated with Sandworm Team:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Sandworm Team:
* US
* CN
* RU
* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [RU](https://vuldb.com/?country.ru)
* ...
There are 26 more country items available. Please use our online service to access the data.
@ -27,13 +27,13 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 5.9.32.230 | static.230.32.9.5.clients.your-server.de | BlackEnergy | High
2 | 5.61.38.31 | - | BlackEnergy | High
3 | 5.79.80.166 | - | BlackEnergy | High
4 | 5.133.8.46 | d8046.artnet.gda.pl | - | High
5 | 5.149.254.114 | mail1.auditoriavanzada.info | BlackEnergy | High
6 | 5.255.87.39 | - | BlackEnergy | High
7 | 31.210.111.154 | . | BlackEnergy | High
1 | [5.9.32.230](https://vuldb.com/?ip.5.9.32.230) | static.230.32.9.5.clients.your-server.de | BlackEnergy | High
2 | [5.61.38.31](https://vuldb.com/?ip.5.61.38.31) | - | BlackEnergy | High
3 | [5.79.80.166](https://vuldb.com/?ip.5.79.80.166) | - | BlackEnergy | High
4 | [5.133.8.46](https://vuldb.com/?ip.5.133.8.46) | d8046.artnet.gda.pl | - | High
5 | [5.149.254.114](https://vuldb.com/?ip.5.149.254.114) | mail1.auditoriavanzada.info | BlackEnergy | High
6 | [5.255.87.39](https://vuldb.com/?ip.5.255.87.39) | - | BlackEnergy | High
7 | [31.210.111.154](https://vuldb.com/?ip.31.210.111.154) | . | BlackEnergy | High
8 | ... | ... | ... | ...
There are 26 more IOC items available. Please use our online service to access the data.
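Review bot: row 7 (`7 | [31.210.111.154](https://vuldb.com/?ip.31.210.111.154) | . | BlackEnergy | High`) carries a lone `.` in the Hostname column, which is not a hostname; every other unresolved entry in this table uses `-`. The linking change keeps that value as is, so either the reverse-lookup output should be normalised to `-` when it is empty or a bare dot, or the source record needs fixing before regeneration.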
@ -46,10 +46,10 @@ ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
There are 5 more TTP items available. Please use our online service to access the data.
There are 4 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
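Review bot: dropping CWE-307 from row 3 (`3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High`) leaves the Weakness and Description columns inconsistent: "Improper Restriction of Excessive Authentication Attempts" is the title of CWE-307, while CWE-798 is Use of Hard-coded Credentials. Either keep CWE-307 in the Weakness cell or regenerate the description from the CWE that remains.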
@ -82,20 +82,19 @@ ID | Type | Indicator | Confidence
23 | File | `/public/plugins/` | High
24 | File | `/rom` | Low
25 | File | `/scripts/killpvhost` | High
26 | File | `/secure/QueryComponent!Default.jspa` | High
27 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
28 | File | `/StdC/Ap4StdCFileByteStream.cpp` | High
29 | File | `/tmp` | Low
30 | File | `/tmp/redis.ds` | High
31 | File | `/uncpath/` | Medium
32 | File | `/usr/bin/pkexec` | High
33 | File | `/ViewUserHover.jspa` | High
34 | File | `/wp-admin` | Medium
35 | File | `/wp-json/wc/v3/webhooks` | High
36 | File | `AccountManagerService.java` | High
37 | ... | ... | ...
26 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
27 | File | `/secure/QueryComponent!Default.jspa` | High
28 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
29 | File | `/StdC/Ap4StdCFileByteStream.cpp` | High
30 | File | `/tmp` | Low
31 | File | `/tmp/redis.ds` | High
32 | File | `/uncpath/` | Medium
33 | File | `/usr/bin/pkexec` | High
34 | File | `/ViewUserHover.jspa` | High
35 | File | `/wp-admin` | Medium
36 | ... | ... | ...
There are 314 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 312 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
@ -1,69 +1,102 @@
# Sauron - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Sauron](https://vuldb.com/?actor.sauron). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Sauron](https://vuldb.com/?actor.sauron). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.sauron](https://vuldb.com/?actor.sauron)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.sauron](https://vuldb.com/?actor.sauron)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Sauron:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Sauron:
* IT
* US
* CN
* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [GB](https://vuldb.com/?country.gb)
* ...
There are 1 more country items available. Please use our online service to access the data.
There are 25 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Sauron.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Sauron.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 37.252.125.88 | - | High
2 | 66.228.52.133 | li294-133.members.linode.com | High
3 | 74.125.148.11 | rate-limited-proxy-74-125-148-11.google.com | High
4 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [37.252.125.88](https://vuldb.com/?ip.37.252.125.88) | - | - | High
2 | [66.228.52.133](https://vuldb.com/?ip.66.228.52.133) | li294-133.members.linode.com | - | High
3 | [74.125.148.11](https://vuldb.com/?ip.74.125.148.11) | rate-limited-proxy-74-125-148-11.google.com | - | High
4 | ... | ... | ... | ...
There are 7 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Sauron. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Sauron. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1499 | Resource Consumption | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
There are 1 more TTP items available. Please use our online service to access the data.
There are 5 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Sauron. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Sauron. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `.procmailrc` | Medium
2 | File | `article.php` | Medium
3 | File | `include.php` | Medium
4 | ... | ... | ...
1 | File | `/?module=users§ion=cpanel&page=list` | High
2 | File | `/admin/powerline` | High
3 | File | `/admin/syslog` | High
4 | File | `/api/upload` | Medium
5 | File | `/cgi-bin` | Medium
6 | File | `/cgi-bin/kerbynet` | High
7 | File | `/context/%2e/WEB-INF/web.xml` | High
8 | File | `/dcim/sites/add/` | High
9 | File | `/EXCU_SHELL` | Medium
10 | File | `/forum/away.php` | High
11 | File | `/fudforum/adm/hlplist.php` | High
12 | File | `/login` | Low
13 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
14 | File | `/monitoring` | Medium
15 | File | `/new` | Low
16 | File | `/proc/<pid>/status` | High
17 | File | `/public/plugins/` | High
18 | File | `/rom` | Low
19 | File | `/scripts/killpvhost` | High
20 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
21 | File | `/secure/QueryComponent!Default.jspa` | High
22 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
23 | File | `/tmp` | Low
24 | File | `/tmp/redis.ds` | High
25 | File | `/uncpath/` | Medium
26 | File | `/ViewUserHover.jspa` | High
27 | File | `/wp-admin` | Medium
28 | File | `/wp-json/wc/v3/webhooks` | High
29 | File | `AccountManagerService.java` | High
30 | File | `actions/CompanyDetailsSave.php` | High
31 | File | `ActiveServices.java` | High
32 | File | `ActivityManagerService.java` | High
33 | File | `addlink.php` | Medium
34 | File | `addtocart.asp` | High
35 | File | `admin.php` | Medium
36 | File | `admin/?n=user&c=admin_user&a=doGetUserInfo` | High
37 | ... | ... | ...
There are 12 more IOA items available. Please use our online service to access the data.
There are 315 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://www.threatminer.org/report.php?q=The-ProjectSauron-APT_research_KL.pdf&y=2016
* https://www.threatminer.org/_reports/2016/The-ProjectSauron-APT_IOCs_KL.pdf#viewer.action=download
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
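Review bot: row 1 of the new IOA table reads `/?module=users§ion=cpanel&page=list`; the `§` is almost certainly the HTML entity `&sect` produced when the query string `&section=` was entity-decoded somewhere in the export path, so the stored indicator no longer matches what a proxy log or WAF would actually see. Emit the raw value (`&section=`) by disabling entity decoding for indicator strings, and check the other `&`-bearing rows in this table (such as `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp`) with the same decoder, since they survive only because their parameter names are not entity names.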
@ -61,7 +61,7 @@ ID | Technique | Weakness | Description | Confidence
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
There are 7 more TTP items available. Please use our online service to access the data.
There are 6 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -1,61 +1,61 @@
# SilverFish - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [SilverFish](https://vuldb.com/?actor.silverfish). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [SilverFish](https://vuldb.com/?actor.silverfish). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.silverfish](https://vuldb.com/?actor.silverfish)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.silverfish](https://vuldb.com/?actor.silverfish)
## Campaigns
The following campaigns are known and can be associated with SilverFish:
The following _campaigns_ are known and can be associated with SilverFish:
* SolarWinds
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with SilverFish:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with SilverFish:
* GB
* US
* RU
* [GB](https://vuldb.com/?country.gb)
* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* ...
There are 15 more country items available. Please use our online service to access the data.
There are 12 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of SilverFish.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of SilverFish.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 5.61.57.152 | - | High
2 | 23.106.61.74 | - | High
3 | 37.48.84.156 | - | High
4 | 38.135.104.189 | h189-us104.fcsrv.net | High
5 | 74.72.74.142 | cpe-74-72-74-142.nyc.res.rr.com | High
6 | 79.110.52.138 | - | High
7 | 79.110.52.139 | - | High
8 | 79.110.52.140 | - | High
9 | 81.4.122.101 | comet.v1sor.com | High
10 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [5.61.57.152](https://vuldb.com/?ip.5.61.57.152) | - | SolarWinds | High
2 | [23.106.61.74](https://vuldb.com/?ip.23.106.61.74) | - | SolarWinds | High
3 | [37.48.84.156](https://vuldb.com/?ip.37.48.84.156) | - | - | High
4 | [38.135.104.189](https://vuldb.com/?ip.38.135.104.189) | h189-us104.fcsrv.net | - | High
5 | [74.72.74.142](https://vuldb.com/?ip.74.72.74.142) | cpe-74-72-74-142.nyc.res.rr.com | SolarWinds | High
6 | [79.110.52.138](https://vuldb.com/?ip.79.110.52.138) | - | - | High
7 | [79.110.52.139](https://vuldb.com/?ip.79.110.52.139) | - | - | High
8 | [79.110.52.140](https://vuldb.com/?ip.79.110.52.140) | - | - | High
9 | [81.4.122.101](https://vuldb.com/?ip.81.4.122.101) | comet.v1sor.com | - | High
10 | ... | ... | ... | ...
There are 35 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by SilverFish. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by SilverFish. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
There are 7 more TTP items available. Please use our online service to access the data.
There are 9 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by SilverFish. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by SilverFish. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
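Review bot: the Weakness cell added in row 3 of the TTP table (`3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High`) does not match its Description: that title belongs to CWE-307, whereas CWE-798 is Use of Hard-coded Credentials. The Sauron file in this same commit lists `CWE-307, CWE-798` for T1110.001, so CWE-307 is most likely missing here; add it or regenerate the description from the listed CWE.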
@ -66,28 +66,28 @@ ID | Type | Indicator | Confidence
5 | File | `/advanced/adv_dns.xgi` | High
6 | File | `/CFIDE/probe.cfm` | High
7 | File | `/computer/(agent-name)/api` | High
8 | File | `/error` | Low
9 | File | `/etc/config/rpcd` | High
10 | File | `/frontend/x3/cpanelpro/filelist-thumbs.html` | High
8 | File | `/dev/snd/seq` | Medium
9 | File | `/error` | Low
10 | File | `/etc/config/rpcd` | High
11 | File | `/goform/saveParentControlInfo` | High
12 | File | `/htdocs/admin/dict.php?id=3` | High
13 | File | `/includes/rrdtool.inc.php` | High
14 | File | `/index.php/weblinks-categories` | High
15 | File | `/module/module_frame/index.php` | High
16 | File | `/nidp/app/login` | High
17 | File | `/proc` | Low
14 | File | `/module/module_frame/index.php` | High
15 | File | `/nidp/app/login` | High
16 | File | `/proc` | Low
17 | File | `/rapi/read_url` | High
18 | File | `/redpass.cgi` | Medium
19 | File | `/rom-0` | Low
20 | File | `/sbin/conf.d/SuSEconfig.javarunt` | High
21 | File | `/setSystemAdmin` | High
22 | File | `/sgms/mainPage` | High
23 | File | `/tmp` | Low
24 | File | `/uncpath/` | Medium
25 | File | `/user-utils/users/md5.json` | High
26 | File | `/usr/lib/utmp_update` | High
22 | File | `/tmp` | Low
23 | File | `/uncpath/` | Medium
24 | File | `/user-utils/users/md5.json` | High
25 | File | `/usr/lib/utmp_update` | High
26 | File | `/usr/local` | Medium
27 | File | `/usr/local/psa/admin/sbin/wrapper` | High
28 | File | `/wp-admin` | Medium
29 | File | `1.9.5\controllers\member\ContentController.php` | High
29 | File | `/wp-admin/admin-post.php?es_skip=1&option_name` | High
30 | File | `2020\Messages\SDNotify.exe` | High
31 | File | `admin/admin_disallow.php` | High
32 | File | `admin/Login.php` | High
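Review bot: the ID column is positional, so dropping `/frontend/x3/cpanelpro/filelist-thumbs.html` and inserting `/dev/snd/seq` at 8 renumbers every row below it, and the same happens again around `/rapi/read_url` and `/usr/local`; the hunk shows around twenty changed rows for a handful of real additions and removals, and a consumer cannot track an indicator by ID across revisions. Suggest a stable identifier per indicator, or documenting that ID is only the sort position within this snapshot. Separately, the Low-confidence generic paths (`/error`, `/proc`, `/tmp`) will match benign traffic on any host, so detection content built from this table should filter on Confidence.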
@ -95,24 +95,24 @@ ID | Type | Indicator | Confidence
34 | File | `administration` | High
35 | File | `administrative` | High
36 | File | `Alias.asmx` | Medium
37 | File | `android/webkit/SearchBoxImpl.java` | High
38 | File | `aolfix.exe` | Medium
39 | File | `AudioService.java` | High
40 | File | `awhost32.exe` | Medium
37 | File | `aolfix.exe` | Medium
38 | File | `AudioService.java` | High
39 | File | `awhost32.exe` | Medium
40 | File | `bidhistory.php` | High
41 | ... | ... | ...
There are 356 more IOA items available. Please use our online service to access the data.
There are 351 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://github.com/blackorbird/APT_REPORT/blob/master/SunBurst/SilverFish_Solarwinds.pdf
* https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
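Review bot: the two references in this hunk are bare URLs to PDFs with no title, author or retrieval date, so once either link moves the entry carries nothing to find the report by; suggest a `* Title, Publisher, Date: URL` list format. Also, the hidden-item count changes from 356 to 351 while only three visible rows change (`Alias.asmx` and `android/webkit/SearchBoxImpl.java` out, `bidhistory.php` in), so most of the removal is not reviewable from this hunk.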
@ -1,6 +1,6 @@
# SpeakUp - Cyber Threat Intelligence
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [SpeakUp](https://vuldb.com/?actor.speakup). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [SpeakUp](https://vuldb.com/?actor.speakup). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.speakup](https://vuldb.com/?actor.speakup)
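Review bot: the new wording says the indicators were "reported, collected, and generated", which is a useful admission that some rows are model output rather than observations, but the sections below never say which; suggest one sentence here stating which sections hold reported or collected rows and which hold generated ones, so readers know which tables are safe to use as blocklist input.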
@ -8,9 +8,9 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with SpeakUp:
* US
* CN
* NL
* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [NL](https://vuldb.com/?country.nl)
* ...
There are 4 more country items available. Please use our online service to access the data.
@ -21,9 +21,9 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 5.2.73.127 | - | - | High
2 | 5.196.70.86 | electron.positon.org | - | High
3 | 67.209.177.163 | 67.209.177.163.16clouds.com | - | High
1 | [5.2.73.127](https://vuldb.com/?ip.5.2.73.127) | - | - | High
2 | [5.196.70.86](https://vuldb.com/?ip.5.196.70.86) | electron.positon.org | - | High
3 | [67.209.177.163](https://vuldb.com/?ip.67.209.177.163) | 67.209.177.163.16clouds.com | - | High
4 | ... | ... | ... | ...
There are 2 more IOC items available. Please use our online service to access the data.
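Review bot: wrapping each address as `[5.2.73.127](https://vuldb.com/?ip.5.2.73.127)` puts the IP in the row twice, once as link text and once in the URL, so anyone extracting addresses from this markdown with a regex now gets every IOC twice; suggest either documenting the link form so consumers strip it, or keeping the bare address in the table cell and placing the link elsewhere in the row.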
@ -39,7 +39,7 @@ ID | Technique | Weakness | Description | Confidence
3 | T1211 | CWE-254 | 7PK Security Features | High
4 | ... | ... | ... | ...
There are 4 more TTP items available. Please use our online service to access the data.
There are 3 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
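Review bot: the hidden count drops from 4 to 3 while the three visible TTP rows are unchanged, so the technique that was removed is not visible in this hunk and cannot be reviewed; with so few TTP rows per actor, suggest emitting the full list instead of a "more items" count, or at least naming removed entries in the commit message.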
@ -1,6 +1,6 @@
# SpyEye - Cyber Threat Intelligence
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [SpyEye](https://vuldb.com/?actor.spyeye). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [SpyEye](https://vuldb.com/?actor.spyeye). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.spyeye](https://vuldb.com/?actor.spyeye)
@ -8,9 +8,9 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with SpyEye:
* CO
* US
* RU
* [CO](https://vuldb.com/?country.co)
* [US](https://vuldb.com/?country.us)
* [RU](https://vuldb.com/?country.ru)
* ...
There are 5 more country items available. Please use our online service to access the data.
@ -21,23 +21,23 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 38.99.83.111 | - | - | High
2 | 46.17.96.177 | - | - | High
3 | 46.17.100.230 | - | - | High
4 | 46.243.9.169 | - | - | High
5 | 50.22.104.142 | 8e.68.1632.ip4.static.sl-reverse.com | - | High
6 | 60.199.114.84 | 60-199-114-84.static.tfn.net.tw | - | High
7 | 62.109.3.105 | indocreo.fvds.ru | - | High
8 | 62.193.233.77 | - | - | High
9 | 66.7.199.176 | 66-7-199-176.static.hostdime.com | - | High
10 | 69.89.31.133 | box333.bluehost.com | - | High
11 | 69.197.135.91 | - | - | High
12 | 74.54.152.37 | 25.98.364a.static.theplanet.com | - | High
13 | 74.81.82.189 | srv3.93w.ru | - | High
14 | 76.76.98.82 | - | - | High
15 | 76.76.107.74 | - | - | High
16 | 77.79.4.200 | - | - | High
17 | 77.79.10.93 | - | - | High
1 | [38.99.83.111](https://vuldb.com/?ip.38.99.83.111) | - | - | High
2 | [46.17.96.177](https://vuldb.com/?ip.46.17.96.177) | - | - | High
3 | [46.17.100.230](https://vuldb.com/?ip.46.17.100.230) | - | - | High
4 | [46.243.9.169](https://vuldb.com/?ip.46.243.9.169) | - | - | High
5 | [50.22.104.142](https://vuldb.com/?ip.50.22.104.142) | 8e.68.1632.ip4.static.sl-reverse.com | - | High
6 | [60.199.114.84](https://vuldb.com/?ip.60.199.114.84) | 60-199-114-84.static.tfn.net.tw | - | High
7 | [62.109.3.105](https://vuldb.com/?ip.62.109.3.105) | indocreo.fvds.ru | - | High
8 | [62.193.233.77](https://vuldb.com/?ip.62.193.233.77) | - | - | High
9 | [66.7.199.176](https://vuldb.com/?ip.66.7.199.176) | 66-7-199-176.static.hostdime.com | - | High
10 | [69.89.31.133](https://vuldb.com/?ip.69.89.31.133) | box333.bluehost.com | - | High
11 | [69.197.135.91](https://vuldb.com/?ip.69.197.135.91) | - | - | High
12 | [74.54.152.37](https://vuldb.com/?ip.74.54.152.37) | 25.98.364a.static.theplanet.com | - | High
13 | [74.81.82.189](https://vuldb.com/?ip.74.81.82.189) | srv3.93w.ru | - | High
14 | [76.76.98.82](https://vuldb.com/?ip.76.76.98.82) | - | - | High
15 | [76.76.107.74](https://vuldb.com/?ip.76.76.107.74) | - | - | High
16 | [77.79.4.200](https://vuldb.com/?ip.77.79.4.200) | - | - | High
17 | [77.79.10.93](https://vuldb.com/?ip.77.79.10.93) | - | - | High
18 | ... | ... | ... | ...
There are 66 more IOC items available. Please use our online service to access the data.
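Review bot: several of the hostnames in this table are provider reverse-DNS names (`box333.bluehost.com`, `8e.68.1632.ip4.static.sl-reverse.com`, `25.98.364a.static.theplanet.com`), which points at shared or leased hosting, yet every row is High confidence with no first-seen or last-seen date; a defender blocking these addresses years after the sighting risks hitting a reassigned host. Suggest adding observation dates to the IOC table so the confidence can be read against the age of the sighting.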
@ -53,7 +53,7 @@ ID | Technique | Weakness | Description | Confidence
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
There are 5 more TTP items available. Please use our online service to access the data.
There are 4 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -58,7 +58,7 @@ ID | Technique | Weakness | Description | Confidence
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
There are 7 more TTP items available. Please use our online service to access the data.
There are 6 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -1,48 +1,48 @@
# TEMP.Heretic - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [TEMP.Heretic](https://vuldb.com/?actor.temp.heretic). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [TEMP.Heretic](https://vuldb.com/?actor.temp.heretic). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.temp.heretic](https://vuldb.com/?actor.temp.heretic)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.temp.heretic](https://vuldb.com/?actor.temp.heretic)
## Campaigns
The following campaigns are known and can be associated with TEMP.Heretic:
The following _campaigns_ are known and can be associated with TEMP.Heretic:
* EmailThief
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with TEMP.Heretic:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with TEMP.Heretic:
* US
* CN
* GB
* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [GB](https://vuldb.com/?country.gb)
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of TEMP.Heretic.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of TEMP.Heretic.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 108.160.133.32 | 108.160.133.32.vultr.com | Medium
2 | 172.86.75.158 | - | High
3 | 206.166.251.141 | - | High
4 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [108.160.133.32](https://vuldb.com/?ip.108.160.133.32) | 108.160.133.32.vultr.com | EmailThief | Medium
2 | [172.86.75.158](https://vuldb.com/?ip.172.86.75.158) | - | EmailThief | High
3 | [206.166.251.141](https://vuldb.com/?ip.206.166.251.141) | - | EmailThief | High
4 | ... | ... | ... | ...
There are 1 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by TEMP.Heretic. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by TEMP.Heretic. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1222 | Permission Issues | High
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1222 | CWE-275 | Permission Issues | High
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by TEMP.Heretic. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by TEMP.Heretic. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
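Review bot: "There are 1 more IOC items available" mis-pluralizes for a count of one; suggest the generator emit "is 1 more ... item" for that case (the same template appears in the other actor files in this commit). The new Campaign column also carries `EmailThief` on every visible row, so it adds no discrimination until a second campaign is recorded; keeping it for schema consistency with the other files is reasonable, but that should be the stated reason.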
@ -51,17 +51,17 @@ ID | Type | Indicator | Confidence
3 | File | `inc/config.php` | High
4 | ... | ... | ...
There are 9 more IOA items available. Please use our online service to access the data.
There are 9 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
@ -1,6 +1,6 @@
# Tonto Team - Cyber Threat Intelligence
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Tonto Team](https://vuldb.com/?actor.tonto_team). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Tonto Team](https://vuldb.com/?actor.tonto_team). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.tonto_team](https://vuldb.com/?actor.tonto_team)
@ -8,8 +8,8 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Tonto Team:
* CN
* US
* [CN](https://vuldb.com/?country.cn)
* [US](https://vuldb.com/?country.us)
## IOC - Indicator of Compromise
@ -17,7 +17,7 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 77.83.159.15 | - | - | High
1 | [77.83.159.15](https://vuldb.com/?ip.77.83.159.15) | - | - | High
## TTP - Tactics, Techniques, Procedures
@ -1,6 +1,6 @@
# TousAntiCovid - Cyber Threat Intelligence
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [TousAntiCovid](https://vuldb.com/?actor.tousanticovid). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [TousAntiCovid](https://vuldb.com/?actor.tousanticovid). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.tousanticovid](https://vuldb.com/?actor.tousanticovid)
@ -8,7 +8,7 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with TousAntiCovid:
* TR
* [TR](https://vuldb.com/?country.tr)
## IOC - Indicator of Compromise
@ -16,9 +16,9 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 8.208.96.239 | - | - | High
2 | 8.208.103.115 | - | - | High
3 | 47.254.146.169 | - | - | High
1 | [8.208.96.239](https://vuldb.com/?ip.8.208.96.239) | - | - | High
2 | [8.208.103.115](https://vuldb.com/?ip.8.208.103.115) | - | - | High
3 | [47.254.146.169](https://vuldb.com/?ip.47.254.146.169) | - | - | High
4 | ... | ... | ... | ...
There are 1 more IOC items available. Please use our online service to access the data.
@ -15,8 +15,8 @@ The following _campaigns_ are known and can be associated with TrickBot:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with TrickBot:
* [VN](https://vuldb.com/?country.vn)
* [CN](https://vuldb.com/?country.cn)
* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
## IOC - Indicator of Compromise
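Review bot: this hunk only moves `[CN]` from second to third place in the country list, so the list order carries some meaning (presumably a ranking) that the file does not state; suggest noting the sort key above the list so reorders like this one are interpretable, or sorting alphabetically so they stop producing diff noise.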
@ -97,12 +97,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techn
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-250, CWE-284 | Execution with Unnecessary Privileges | High
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
There are 8 more TTP items available. Please use our online service to access the data.
There are 7 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
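Review bot: removing CWE-250 from the T1068 row leaves the Description `Execution with Unnecessary Privileges` (the name of CWE-250) paired with CWE-284 alone, so the Weakness and Description columns no longer agree; either keep CWE-250 or derive the description from the CWE that is retained. The same hunk drops CWE-80 from the XSS row and lowers the hidden TTP count from 8 to 7, none of which the commit message explains.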
@ -110,22 +110,27 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/admin.add` | Medium
2 | File | `/admin.back` | Medium
3 | File | `/admin/allergens/edit/1` | High
4 | File | `/cgi-bin/logo_extra_upload.cgi` | High
5 | File | `/core/admin/categories.php` | High
6 | File | `/core/admin/comment.php` | High
7 | File | `/etc/cobbler` | Medium
8 | File | `/exponentcms/administration/configure_site` | High
9 | File | `/HandleEvent` | Medium
10 | File | `/jeecg-boot/sys/user/queryUserByDepId` | High
11 | File | `/js/js-parser.c` | High
12 | File | `/main?cmd=invalid_browser` | High
13 | File | `/MobiPlusWeb/Handlers/MainHandler.ashx?MethodName=GridData&GridName=Users` | High
14 | ... | ... | ...
1 | File | `/admin-panel1.php` | High
2 | File | `/admin.add` | Medium
3 | File | `/admin.back` | Medium
4 | File | `/admin/?page=members/view_member` | High
5 | File | `/admin/options` | High
6 | File | `/admin/page_edit/3` | High
7 | File | `/admin_page/all-files-update-ajax.php` | High
8 | File | `/cgi-bin/logo_extra_upload.cgi` | High
9 | File | `/core/admin/categories.php` | High
10 | File | `/core/admin/comment.php` | High
11 | File | `/etc/cobbler` | Medium
12 | File | `/HandleEvent` | Medium
13 | File | `/jeecg-boot/sys/user/queryUserByDepId` | High
14 | File | `/js/js-parser.c` | High
15 | File | `/main?cmd=invalid_browser` | High
16 | File | `/members/view_member.php` | High
17 | File | `/MobiPlusWeb/Handlers/MainHandler.ashx?MethodName=GridData&GridName=Users` | High
18 | File | `/ms/cms/content/list.do` | High
19 | ... | ... | ...
There are 114 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 157 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
@ -4,19 +4,99 @@ These _indicators_ were reported, collected, and generated during the [VulDB CTI
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.uac-0056](https://vuldb.com/?actor.uac-0056)
## Campaigns
The following _campaigns_ are known and can be associated with UAC-0056:
* Ukraine
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with UAC-0056:
* [US](https://vuldb.com/?country.us)
* [RU](https://vuldb.com/?country.ru)
* [CN](https://vuldb.com/?country.cn)
* ...
There are 11 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of UAC-0056.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [185.244.41.109](https://vuldb.com/?ip.185.244.41.109) | - | - | High
1 | [31.42.185.63](https://vuldb.com/?ip.31.42.185.63) | dedicated.vsys.host | Ukraine | High
2 | [45.146.164.37](https://vuldb.com/?ip.45.146.164.37) | - | Ukraine | High
3 | [45.146.165.91](https://vuldb.com/?ip.45.146.165.91) | - | Ukraine | High
4 | ... | ... | ... | ...
There are 2 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by UAC-0056. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
There are 6 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by UAC-0056. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/+CSCOE+/logon.html` | High
2 | File | `/admin/login.php` | High
3 | File | `/admin/produts/controller.php` | High
4 | File | `/admin/user/team` | High
5 | File | `/adminlogin.asp` | High
6 | File | `/cgi-bin/system_mgr.cgi` | High
7 | File | `/common/logViewer/logViewer.jsf` | High
8 | File | `/crmeb/app/admin/controller/store/CopyTaobao.php` | High
9 | File | `/forum/away.php` | High
10 | File | `/includes/rrdtool.inc.php` | High
11 | File | `/mc-admin/post.php?state=delete&delete` | High
12 | File | `/mifs/c/i/reg/reg.html` | High
13 | File | `/ms/cms/content/list.do` | High
14 | File | `/orms/` | Low
15 | File | `/uncpath/` | Medium
16 | File | `/usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php` | High
17 | File | `/www/ping_response.cgi` | High
18 | File | `ABuffer.cpp` | Medium
19 | File | `account.asp` | Medium
20 | File | `addmember.php` | High
21 | File | `addtocart.asp` | High
22 | File | `addtomylist.asp` | High
23 | File | `admin.php` | Medium
24 | File | `admin.x-shop.php` | High
25 | File | `admin/auth.php` | High
26 | File | `admin/changedata.php` | High
27 | File | `admin/dashboard.php` | High
28 | File | `admin/edit-news.php` | High
29 | File | `admin/gallery.php` | High
30 | File | `admin/index.php` | High
31 | File | `admin/manage-departments.php` | High
32 | File | `admin/sellerupd.php` | High
33 | File | `admin/vqmods.app/vqmods.inc.php` | High
34 | File | `admincp/auth/checklogin.php` | High
35 | ... | ... | ...
There are 297 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://cert.gov.ua/article/18419
* https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/
## Literature
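Review bot: the previously listed `185.244.41.109` row is gone from the visible IOC table, and the hunk gives no way to tell whether it was retired or has merely moved into the "There are 2 more IOC items" remainder; a consumer who took the earlier version into a blocklist cannot decide whether to keep it. Suggest a retired-indicators list, or keeping removed rows in the table with a Confidence of Low until they age out.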
@ -1,32 +1,71 @@
# UNC1151 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [UNC1151](https://vuldb.com/?actor.unc1151). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [UNC1151](https://vuldb.com/?actor.unc1151). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.unc1151](https://vuldb.com/?actor.unc1151)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.unc1151](https://vuldb.com/?actor.unc1151)
## Campaigns
The following campaigns are known and can be associated with UNC1151:
The following _campaigns_ are known and can be associated with UNC1151:
* Ghostwriter
* Phishing Ukrainian Soldiers
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with UNC1151:
* [CN](https://vuldb.com/?country.cn)
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of UNC1151.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of UNC1151.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 88.99.104.179 | static.179.104.99.88.clients.your-server.de | High
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [88.99.104.179](https://vuldb.com/?ip.88.99.104.179) | static.179.104.99.88.clients.your-server.de | Ghostwriter | High
|
||||
2 | [185.173.94.12](https://vuldb.com/?ip.185.173.94.12) | mx05.mylifehelper.su | Phishing Ukrainian Soldiers | High
|
||||
3 | [185.244.180.13](https://vuldb.com/?ip.185.244.180.13) | host-185-244-180-13.macloud.host | Phishing Ukrainian Soldiers | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 1 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by UNC1151. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 1 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by UNC1151. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/concat?/%2557EB-INF/web.xml` | High
|
||||
2 | File | `/context/%2e/WEB-INF/web.xml` | High
|
||||
3 | File | `net/unix/af_unix.c` | High
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 6 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://community.riskiq.com/article/e3a7ceea/indicators
|
||||
* https://github.com/blackorbird/APT_REPORT/blob/master/Ghostwriter/unc1151-ghostwriter-update-report.pdf
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
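Review bot: the rewritten intro says the indicators were "reported, collected, and generated" and that the model "uses big data to forecast", so some rows are now model-generated, yet none of the IOC, TTP or IOA tables below marks which rows were observed and which were predicted; the Confidence column only carries High/Medium/Low. Add a provenance column (for example Source: reported/collected/generated) or a marker on predicted rows, because anyone loading the IP table into a blocklist or a detection rule has to treat a predicted address differently from an observed one. The rest of the rewrite (the "ressources" typo fixed, the Campaign column and per-IP links added to the IOC table) is fine as is.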
@ -1,6 +1,6 @@
|
|||
# UNC215 - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [UNC215](https://vuldb.com/?actor.unc215). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [UNC215](https://vuldb.com/?actor.unc215). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.unc215](https://vuldb.com/?actor.unc215)
|
||||
|
||||
|
@ -8,9 +8,9 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
|
|||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with UNC215:
|
||||
|
||||
* US
|
||||
* CN
|
||||
* GB
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* [GB](https://vuldb.com/?country.gb)
|
||||
* ...
|
||||
|
||||
There are 3 more country items available. Please use our online service to access the data.
|
||||
|
@ -21,9 +21,9 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
|
|||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 34.65.151.250 | 250.151.65.34.bc.googleusercontent.com | - | Medium
|
||||
2 | 46.101.255.16 | - | - | High
|
||||
3 | 47.75.49.32 | - | - | High
|
||||
1 | [34.65.151.250](https://vuldb.com/?ip.34.65.151.250) | 250.151.65.34.bc.googleusercontent.com | - | Medium
|
||||
2 | [46.101.255.16](https://vuldb.com/?ip.46.101.255.16) | - | - | High
|
||||
3 | [47.75.49.32](https://vuldb.com/?ip.47.75.49.32) | - | - | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 13 more IOC items available. Please use our online service to access the data.
|
||||
|
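Review bot: the three IOC rows carry no first-seen or last-seen date, so a reader cannot judge how current they are, and that matters here: row 1's reverse DNS `250.151.65.34.bc.googleusercontent.com` is a cloud provider's generic PTR for an address that is reassigned often, while rows 2 and 3 have neither hostname nor campaign. The confidence values also read oddly, with the row that has the most context (row 1) rated Medium and the two bare rows rated High. Suggest a date column and, for the '-' cells, a note on whether the hostname was absent or simply not resolved.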
@ -37,9 +37,6 @@ ID | Technique | Weakness | Description | Confidence
|
|||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 1 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
|
|
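Review bot: the Weakness and Description cells disagree in rows 2 and 3: "Execution with Unnecessary Privileges" is the title of CWE-250, not of CWE-264 (Permissions, Privileges, and Access Controls) or CWE-284 (Improper Access Control), and "Improper Restriction of Excessive Authentication Attempts" is CWE-307, whereas CWE-798 is "Use of Hard-coded Credentials". Change either the id or the description so each row is internally consistent; only row 1 (CWE-79, CWE-80 with "Cross Site Scripting") matches. Separately, the header records three lines removed and none added (-37,9 +37,6); if those are the "4 | ..." row and the "There are 1 more TTP items available" sentence, make sure both went together so the table and its count agree.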
@ -1,6 +1,6 @@
|
|||
# Unrecom - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Unrecom](https://vuldb.com/?actor.unrecom). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Unrecom](https://vuldb.com/?actor.unrecom). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.unrecom](https://vuldb.com/?actor.unrecom)
|
||||
|
||||
|
@ -8,9 +8,9 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
|
|||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Unrecom:
|
||||
|
||||
* US
|
||||
* GB
|
||||
* TH
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [GB](https://vuldb.com/?country.gb)
|
||||
* [TH](https://vuldb.com/?country.th)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -18,9 +18,9 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
|
|||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 41.138.184.85 | - | - | High
|
||||
2 | 87.117.232.203 | - | - | High
|
||||
3 | 184.22.201.27 | 184-22-201-0.24.myaisfibre.com | - | High
|
||||
1 | [41.138.184.85](https://vuldb.com/?ip.41.138.184.85) | - | - | High
|
||||
2 | [87.117.232.203](https://vuldb.com/?ip.87.117.232.203) | - | - | High
|
||||
3 | [184.22.201.27](https://vuldb.com/?ip.184.22.201.27) | 184-22-201-0.24.myaisfibre.com | - | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 1 more IOC items available. Please use our online service to access the data.
|
||||
|
|
|
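Review bot: rows 1 and 2 have no hostname and no campaign yet are rated High, and row 3's reverse DNS `184-22-201-0.24.myaisfibre.com` looks like a block-level PTR for a consumer ISP range, which usually means a dynamically assigned address. Without first-seen/last-seen dates or a note on how each address was attributed, these are weak candidates for long-lived blocking; suggest adding the dates and flagging ISP-pool addresses so consumers can prefer alerting over blocking for them.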
@ -90,37 +90,37 @@ ID | Type | Indicator | Confidence
|
|||
6 | File | `/etc/gsissh/sshd_config` | High
|
||||
7 | File | `/etc/hosts` | Medium
|
||||
8 | File | `/forum/away.php` | High
|
||||
9 | File | `/horde/util/go.php` | High
|
||||
10 | File | `/images/` | Medium
|
||||
11 | File | `/inc/parser/xhtml.php` | High
|
||||
12 | File | `/login` | Low
|
||||
13 | File | `/modules/profile/index.php` | High
|
||||
14 | File | `/out.php` | Medium
|
||||
15 | File | `/php-fusion/infusions/shoutbox_panel/shoutbox_archive.php` | High
|
||||
16 | File | `/product_list.php` | High
|
||||
17 | File | `/public/plugins/` | High
|
||||
18 | File | `/SASWebReportStudio/logonAndRender.do` | High
|
||||
19 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
20 | File | `/secure/admin/ViewInstrumentation.jspa` | High
|
||||
21 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
22 | File | `/see_more_details.php` | High
|
||||
23 | File | `/uncpath/` | Medium
|
||||
24 | File | `/usr/local/WowzaStreamingEngine/bin/` | High
|
||||
25 | File | `/WEB-INF/web.xml` | High
|
||||
26 | File | `/web/frames/` | Medium
|
||||
27 | File | `AccountManager.java` | High
|
||||
28 | File | `adclick.php` | Medium
|
||||
29 | File | `addentry.php` | Medium
|
||||
30 | File | `admin.cgi?action=upgrade` | High
|
||||
31 | File | `admin.php` | Medium
|
||||
32 | File | `admin/executar_login.php` | High
|
||||
33 | File | `admin/index.php?mode=tools&page=upload` | High
|
||||
34 | File | `admin/pageUploadCSV.php` | High
|
||||
35 | File | `admin/setting.php` | High
|
||||
36 | File | `AdminQuickAccessesController.php` | High
|
||||
37 | File | `ajax/aj_*.php` | High
|
||||
38 | File | `alipay/alipayapi.php` | High
|
||||
39 | File | `auth.inc.php` | Medium
|
||||
9 | File | `/images/` | Medium
|
||||
10 | File | `/inc/parser/xhtml.php` | High
|
||||
11 | File | `/login` | Low
|
||||
12 | File | `/modules/profile/index.php` | High
|
||||
13 | File | `/out.php` | Medium
|
||||
14 | File | `/php-fusion/infusions/shoutbox_panel/shoutbox_archive.php` | High
|
||||
15 | File | `/product_list.php` | High
|
||||
16 | File | `/public/plugins/` | High
|
||||
17 | File | `/SASWebReportStudio/logonAndRender.do` | High
|
||||
18 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
19 | File | `/secure/admin/ViewInstrumentation.jspa` | High
|
||||
20 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
21 | File | `/see_more_details.php` | High
|
||||
22 | File | `/uncpath/` | Medium
|
||||
23 | File | `/usr/local/WowzaStreamingEngine/bin/` | High
|
||||
24 | File | `/WEB-INF/web.xml` | High
|
||||
25 | File | `/web/frames/` | Medium
|
||||
26 | File | `AccountManager.java` | High
|
||||
27 | File | `adclick.php` | Medium
|
||||
28 | File | `addentry.php` | Medium
|
||||
29 | File | `admin.cgi?action=upgrade` | High
|
||||
30 | File | `admin.php` | Medium
|
||||
31 | File | `admin/executar_login.php` | High
|
||||
32 | File | `admin/index.php?mode=tools&page=upload` | High
|
||||
33 | File | `admin/pageUploadCSV.php` | High
|
||||
34 | File | `admin/setting.php` | High
|
||||
35 | File | `ajax/aj_*.php` | High
|
||||
36 | File | `alipay/alipayapi.php` | High
|
||||
37 | File | `auth.inc.php` | Medium
|
||||
38 | File | `auth.py` | Low
|
||||
39 | File | `auth2-gss.c` | Medium
|
||||
40 | ... | ... | ...
|
||||
|
||||
There are 344 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
|
|
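Review bot: the real change in this hunk is small (`/horde/util/go.php` drops out, `auth.py` and `auth2-gss.c` come in) but because the ID column is positional all rows from 9 to 39 are rewritten, which buries the change and makes the history hard to audit; consider stable IDs or leaving the positional ID out of the generated table. Also, the trailing "There are 344 more IOA items available" line is unchanged context while the visible set gained a net one item, so check that the remainder count is still right.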
@ -1,6 +1,6 @@
|
|||
# m8220 - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [m8220](https://vuldb.com/?actor.m8220). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [m8220](https://vuldb.com/?actor.m8220). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.m8220](https://vuldb.com/?actor.m8220)
|
||||
|
||||
|
@ -14,9 +14,9 @@ The following _campaigns_ are known and can be associated with m8220:
|
|||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with m8220:
|
||||
|
||||
* US
|
||||
* CN
|
||||
* IN
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* [IN](https://vuldb.com/?country.in)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -24,7 +24,7 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
|
|||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 205.185.113.59 | - | Log4Shell | High
|
||||
1 | [205.185.113.59](https://vuldb.com/?ip.205.185.113.59) | - | Log4Shell | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
@ -37,7 +37,7 @@ ID | Technique | Weakness | Description | Confidence
|
|||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 6 more TTP items available. Please use our online service to access the data.
|
||||
There are 5 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
|
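Review bot: the only change here is the remainder count going from 6 to 5 with no visible row touched, so a TTP item was removed beyond the shown rows and neither the hunk nor the one-word commit message says which. The visible row 3 also pairs CWE-798 (Use of Hard-coded Credentials) with the description "Improper Restriction of Excessive Authentication Attempts", which is CWE-307's title, so one of the two cells is wrong.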
100
xHunt/README.md
100
xHunt/README.md
|
@ -1,6 +1,6 @@
|
|||
# xHunt - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [xHunt](https://vuldb.com/?actor.xhunt). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [xHunt](https://vuldb.com/?actor.xhunt). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.xhunt](https://vuldb.com/?actor.xhunt)
|
||||
|
||||
|
@ -16,10 +16,10 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* [NL](https://vuldb.com/?country.nl)
|
||||
* [GB](https://vuldb.com/?country.gb)
|
||||
* ...
|
||||
|
||||
There are 37 more country items available. Please use our online service to access the data.
|
||||
There are 34 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
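Review bot: the remainder count drops from 37 to 34 while the four listed countries are unchanged context, so three countries were removed from xHunt's list without the diff or the commit message ("Update") saying which or why. A short note in the commit message, or a changelog line in the README, would make such data removals reviewable.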
@ -57,55 +57,55 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/../../conf/template/uhttpd.json` | High
|
||||
2 | File | `/about.php` | Medium
|
||||
3 | File | `/account/register` | High
|
||||
4 | File | `/app1/admin#foo` | High
|
||||
5 | File | `/articles/welcome-to-your-site#comments-head` | High
|
||||
6 | File | `/assets/ctx` | Medium
|
||||
7 | File | `/bin/boa` | Medium
|
||||
8 | File | `/cgi?1&5` | Medium
|
||||
9 | File | `/config/getuser` | High
|
||||
10 | File | `/configs/application.ini` | High
|
||||
11 | File | `/debug/pprof` | Medium
|
||||
12 | File | `/etc/sudoers` | Medium
|
||||
13 | File | `/export` | Low
|
||||
14 | File | `/forum/away.php` | High
|
||||
15 | File | `/gracemedia-media-player/templates/files/ajax_controller.php` | High
|
||||
16 | File | `/iissamples` | Medium
|
||||
17 | File | `/index.pl` | Medium
|
||||
18 | File | `/login` | Low
|
||||
19 | File | `/plugin/file_manager/` | High
|
||||
20 | File | `/public/plugins/` | High
|
||||
21 | File | `/sbin/gs_config` | High
|
||||
22 | File | `/settings` | Medium
|
||||
23 | File | `/Storage/Emulated/0/Telegram/Telegram` | High
|
||||
24 | File | `/uncpath/` | Medium
|
||||
25 | File | `/Upload/admin/index.php?module=forum-management&action=add` | High
|
||||
26 | File | `/uploads/dede` | High
|
||||
27 | File | `/usr/bin/pkexec` | High
|
||||
28 | File | `/WEB-INF/web.xml` | High
|
||||
29 | File | `/webman/info.cgi` | High
|
||||
30 | File | `/wp-json/oembed/1.0/embed?url` | High
|
||||
31 | File | `/wp-json/wc/v3/webhooks` | High
|
||||
32 | File | `/_next` | Low
|
||||
33 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
34 | File | `adclick.php` | Medium
|
||||
35 | File | `admin.php?m=admin&c=site&a=save` | High
|
||||
36 | File | `admin.php?page=languages` | High
|
||||
37 | File | `admin/backupdb.php` | High
|
||||
38 | File | `admin/bitrix.mpbuilder_step2.php` | High
|
||||
39 | File | `admin/bitrix.xscan_worker.php` | High
|
||||
40 | File | `admin/conf_users_edit.php` | High
|
||||
41 | File | `admin/gb-dashboard-widget.php` | High
|
||||
42 | File | `admin/mcart_xls_import.php` | High
|
||||
43 | File | `admin/modules/tools/ip_history_logs.php` | High
|
||||
44 | File | `admin/ops/reports/ops/news.php` | High
|
||||
45 | File | `admin/orion.extfeedbackform_efbf_forms.php` | High
|
||||
46 | File | `adminer.php` | Medium
|
||||
1 | File | `/+CSCOE+/logon.html` | High
|
||||
2 | File | `/../../conf/template/uhttpd.json` | High
|
||||
3 | File | `/about.php` | Medium
|
||||
4 | File | `/account/register` | High
|
||||
5 | File | `/app1/admin#foo` | High
|
||||
6 | File | `/articles/welcome-to-your-site#comments-head` | High
|
||||
7 | File | `/assets/ctx` | Medium
|
||||
8 | File | `/bin/boa` | Medium
|
||||
9 | File | `/cgi?1&5` | Medium
|
||||
10 | File | `/config/getuser` | High
|
||||
11 | File | `/configs/application.ini` | High
|
||||
12 | File | `/debug/pprof` | Medium
|
||||
13 | File | `/etc/sudoers` | Medium
|
||||
14 | File | `/export` | Low
|
||||
15 | File | `/forum/away.php` | High
|
||||
16 | File | `/gracemedia-media-player/templates/files/ajax_controller.php` | High
|
||||
17 | File | `/iissamples` | Medium
|
||||
18 | File | `/index.pl` | Medium
|
||||
19 | File | `/login` | Low
|
||||
20 | File | `/plugin/file_manager/` | High
|
||||
21 | File | `/public/plugins/` | High
|
||||
22 | File | `/sbin/gs_config` | High
|
||||
23 | File | `/settings` | Medium
|
||||
24 | File | `/Storage/Emulated/0/Telegram/Telegram` | High
|
||||
25 | File | `/uncpath/` | Medium
|
||||
26 | File | `/Upload/admin/index.php?module=forum-management&action=add` | High
|
||||
27 | File | `/uploads/dede` | High
|
||||
28 | File | `/usr/bin/pkexec` | High
|
||||
29 | File | `/WEB-INF/web.xml` | High
|
||||
30 | File | `/webman/info.cgi` | High
|
||||
31 | File | `/wp-json/oembed/1.0/embed?url` | High
|
||||
32 | File | `/wp-json/wc/v3/webhooks` | High
|
||||
33 | File | `/_next` | Low
|
||||
34 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
35 | File | `adclick.php` | Medium
|
||||
36 | File | `admin.php?m=admin&c=site&a=save` | High
|
||||
37 | File | `admin.php?page=languages` | High
|
||||
38 | File | `admin/backupdb.php` | High
|
||||
39 | File | `admin/bitrix.mpbuilder_step2.php` | High
|
||||
40 | File | `admin/bitrix.xscan_worker.php` | High
|
||||
41 | File | `admin/conf_users_edit.php` | High
|
||||
42 | File | `admin/gb-dashboard-widget.php` | High
|
||||
43 | File | `admin/mcart_xls_import.php` | High
|
||||
44 | File | `admin/modules/tools/ip_history_logs.php` | High
|
||||
45 | File | `admin/ops/reports/ops/news.php` | High
|
||||
46 | File | `admin/orion.extfeedbackform_efbf_forms.php` | High
|
||||
47 | ... | ... | ...
|
||||
|
||||
There are 406 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 411 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
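Review bot: one inserted row (`/+CSCOE+/logon.html` as the new row 1) renumbers all 46 visible rows and pushes `adminer.php` out of the visible window into "47 | ...", so the diff shows 92 changed lines for a single addition; stable IDs or omitting the positional ID would keep these diffs reviewable. The remainder count goes from 406 to 411, a net five more items in total while only one visible row was added, so four further additions sit beyond row 47 and cannot be reviewed here.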