Update
This commit is contained in:
parent
e8e862b297
commit
a963970493
|
@ -0,0 +1,55 @@
|
|||
# 3LOSH - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [3LOSH](https://vuldb.com/?actor.3losh). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.3losh](https://vuldb.com/?actor.3losh)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with 3LOSH:
|
||||
|
||||
* [DE](https://vuldb.com/?country.de)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of 3LOSH.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [94.130.207.164](https://vuldb.com/?ip.94.130.207.164) | static.164.207.130.94.clients.your-server.de | - | High
|
||||
2 | [141.95.89.79](https://vuldb.com/?ip.141.95.89.79) | ip79.ip-141-95-89.eu | - | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _3LOSH_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1592 | CWE-200 | Configuration | High
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by 3LOSH. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `data/gbconfiguration.dat` | High
|
||||
2 | File | `redirect.php` | Medium
|
||||
3 | Argument | `goto` | Low
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/272/3losh-srypter-iocs/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -27,7 +27,7 @@ ID | IP address | Hostname | Campaign | Confidence
|
|||
3 | [146.59.198.38](https://vuldb.com/?ip.146.59.198.38) | vps-19ede15a.vps.ovh.net | CVE-2022-26134 | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 2 more IOC items available. Please use our online service to access the data.
|
||||
There are 3 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
@ -36,8 +36,11 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
2 | T1505 | CWE-89 | SQL Injection | High
|
||||
3 | T1592 | CWE-200 | Configuration | High
|
||||
2 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
3 | T1068 | CWE-269 | Execution with Unnecessary Privileges | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 3 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -46,16 +49,17 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `data/gbconfiguration.dat` | High
|
||||
2 | File | `inc/config.php` | High
|
||||
3 | Argument | `basePath` | Medium
|
||||
2 | File | `GatewaySettings.bin` | High
|
||||
3 | File | `import.php` | Medium
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 1 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 6 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/503/8220-botnet-iocs/
|
||||
* https://blog.checkpoint.com/2022/06/09/crypto-miners-leveraging-atlassian-zero-day-vulnerability/
|
||||
|
||||
## Literature
|
||||
|
|
|
@ -131,10 +131,9 @@ ID | Type | Indicator | Confidence
|
|||
26 | File | `afr.php` | Low
|
||||
27 | File | `apcupsd.pid` | Medium
|
||||
28 | File | `api/it-recht-kanzlei/api-it-recht-kanzlei.php` | High
|
||||
29 | File | `api/sms/send-sms` | High
|
||||
30 | ... | ... | ...
|
||||
29 | ... | ... | ...
|
||||
|
||||
There are 252 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 250 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -102,13 +102,17 @@ ID | Type | Indicator | Confidence
|
|||
31 | File | `/TeleoptiWFM/Administration/GetOneTenant` | High
|
||||
32 | File | `/vicidial/admin.php` | High
|
||||
33 | File | `/vicidial/AST_agent_time_sheet.php` | High
|
||||
34 | File | `add_comment.php` | High
|
||||
35 | File | `add_edit_cat.asp` | High
|
||||
36 | File | `add_url.htm` | Medium
|
||||
37 | File | `adm.cgi` | Low
|
||||
38 | ... | ... | ...
|
||||
34 | File | `addphotosform.php` | High
|
||||
35 | File | `addreviewsform.php` | High
|
||||
36 | File | `add_comment.php` | High
|
||||
37 | File | `add_edit_cat.asp` | High
|
||||
38 | File | `add_url.htm` | Medium
|
||||
39 | File | `adm.cgi` | Low
|
||||
40 | File | `admin/index.php` | High
|
||||
41 | File | `adminAttachments.php` | High
|
||||
42 | ... | ... | ...
|
||||
|
||||
There are 329 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 363 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
* [IR](https://vuldb.com/?country.ir)
|
||||
* ...
|
||||
|
||||
There are 8 more country items available. Please use our online service to access the data.
|
||||
There are 9 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -89,7 +89,7 @@ ID | Type | Indicator | Confidence
|
|||
27 | File | `/var/run/watchman.pid` | High
|
||||
28 | ... | ... | ...
|
||||
|
||||
There are 236 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 240 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -121,7 +121,7 @@ ID | Type | Indicator | Confidence
|
|||
43 | File | `admin.php/comments/batchdel/` | High
|
||||
44 | ... | ... | ...
|
||||
|
||||
There are 378 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 376 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -101,10 +101,9 @@ ID | Type | Indicator | Confidence
|
|||
36 | File | `ajax/deletePage.php` | High
|
||||
37 | File | `ajouter_tva.php` | High
|
||||
38 | File | `apcupsd.pid` | Medium
|
||||
39 | File | `api/sms/send-sms` | High
|
||||
40 | ... | ... | ...
|
||||
39 | ... | ... | ...
|
||||
|
||||
There are 342 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 340 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -0,0 +1,31 @@
|
|||
# Agent OGR - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Agent OGR](https://vuldb.com/?actor.agent_ogr). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.agent_ogr](https://vuldb.com/?actor.agent_ogr)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Agent OGR.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [159.69.101.96](https://vuldb.com/?ip.159.69.101.96) | static.96.101.69.159.clients.your-server.de | - | High
|
||||
2 | [193.106.191.201](https://vuldb.com/?ip.193.106.191.201) | - | - | High
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/256/gs-004-agent-ogr-tr-pws-stealer-iocs/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
* [RU](https://vuldb.com/?country.ru)
|
||||
* ...
|
||||
|
||||
There are 29 more country items available. Please use our online service to access the data.
|
||||
There are 31 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -54,56 +54,57 @@ ID | Type | Indicator | Confidence
|
|||
1 | File | `/+CSCOE+/logon.html` | High
|
||||
2 | File | `/.env` | Low
|
||||
3 | File | `/.ssh/authorized_keys` | High
|
||||
4 | File | `/accountancy/admin/accountmodel.php` | High
|
||||
5 | File | `/admin/default.asp` | High
|
||||
6 | File | `/ajax/networking/get_netcfg.php` | High
|
||||
7 | File | `/app/options.py` | High
|
||||
8 | File | `/assets/ctx` | Medium
|
||||
9 | File | `/checkLogin.cgi` | High
|
||||
10 | File | `/ci_spms/admin/category` | High
|
||||
11 | File | `/ci_spms/admin/search/searching/` | High
|
||||
12 | File | `/classes/Master.php?f=delete_train` | High
|
||||
13 | File | `/cms/print.php` | High
|
||||
14 | File | `/concat?/%2557EB-INF/web.xml` | High
|
||||
15 | File | `/Content/Template/root/reverse-shell.aspx` | High
|
||||
4 | File | `/admin/default.asp` | High
|
||||
5 | File | `/ajax/networking/get_netcfg.php` | High
|
||||
6 | File | `/app/options.py` | High
|
||||
7 | File | `/assets/ctx` | Medium
|
||||
8 | File | `/checkLogin.cgi` | High
|
||||
9 | File | `/ci_spms/admin/category` | High
|
||||
10 | File | `/ci_spms/admin/search/searching/` | High
|
||||
11 | File | `/classes/Master.php?f=delete_train` | High
|
||||
12 | File | `/cms/print.php` | High
|
||||
13 | File | `/concat?/%2557EB-INF/web.xml` | High
|
||||
14 | File | `/Content/Template/root/reverse-shell.aspx` | High
|
||||
15 | File | `/dashboard/menu-list.php` | High
|
||||
16 | File | `/data/remove` | Medium
|
||||
17 | File | `/download` | Medium
|
||||
18 | File | `/etc/passwd` | Medium
|
||||
19 | File | `/goforms/rlminfo` | High
|
||||
20 | File | `/login` | Low
|
||||
21 | File | `/navigate/navigate_download.php` | High
|
||||
22 | File | `/ocwbs/admin/?page=user/manage_user` | High
|
||||
23 | File | `/ofrs/admin/?page=user/manage_user` | High
|
||||
24 | File | `/owa/auth/logon.aspx` | High
|
||||
25 | File | `/p` | Low
|
||||
26 | File | `/password.html` | High
|
||||
27 | File | `/proc/ioports` | High
|
||||
28 | File | `/property-list/property_view.php` | High
|
||||
29 | File | `/ptms/classes/Users.php` | High
|
||||
30 | File | `/rest` | Low
|
||||
31 | File | `/rest/api/2/search` | High
|
||||
32 | File | `/s/` | Low
|
||||
33 | File | `/scripts/cpan_config` | High
|
||||
34 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
35 | File | `/services/system/setup.json` | High
|
||||
36 | File | `/spip.php` | Medium
|
||||
37 | File | `/uncpath/` | Medium
|
||||
38 | File | `/vloggers_merch/?p=view_product` | High
|
||||
39 | File | `/webconsole/APIController` | High
|
||||
40 | File | `/websocket/exec` | High
|
||||
41 | File | `/wp-admin/admin-ajax.php` | High
|
||||
42 | File | `/wp-json` | Medium
|
||||
43 | File | `/wp-json/oembed/1.0/embed?url` | High
|
||||
44 | File | `/_next` | Low
|
||||
45 | File | `4.edu.php\conn\function.php` | High
|
||||
46 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
47 | File | `adclick.php` | Medium
|
||||
48 | File | `addentry.php` | Medium
|
||||
49 | File | `admin.php?reqGadget=Components&reqAction=InstallGadget&comp=FileBrowser` | High
|
||||
50 | File | `admin/category.inc.php` | High
|
||||
51 | ... | ... | ...
|
||||
19 | File | `/ffos/classes/Master.php?f=save_category` | High
|
||||
20 | File | `/goforms/rlminfo` | High
|
||||
21 | File | `/Items/*/RemoteImages/Download` | High
|
||||
22 | File | `/login` | Low
|
||||
23 | File | `/navigate/navigate_download.php` | High
|
||||
24 | File | `/ocwbs/admin/?page=user/manage_user` | High
|
||||
25 | File | `/ofrs/admin/?page=user/manage_user` | High
|
||||
26 | File | `/owa/auth/logon.aspx` | High
|
||||
27 | File | `/p` | Low
|
||||
28 | File | `/password.html` | High
|
||||
29 | File | `/proc/ioports` | High
|
||||
30 | File | `/property-list/property_view.php` | High
|
||||
31 | File | `/ptms/classes/Users.php` | High
|
||||
32 | File | `/rest` | Low
|
||||
33 | File | `/rest/api/2/search` | High
|
||||
34 | File | `/s/` | Low
|
||||
35 | File | `/scripts/cpan_config` | High
|
||||
36 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
37 | File | `/services/system/setup.json` | High
|
||||
38 | File | `/spip.php` | Medium
|
||||
39 | File | `/uncpath/` | Medium
|
||||
40 | File | `/vloggers_merch/?p=view_product` | High
|
||||
41 | File | `/webconsole/APIController` | High
|
||||
42 | File | `/websocket/exec` | High
|
||||
43 | File | `/wp-admin/admin-ajax.php` | High
|
||||
44 | File | `/wp-json` | Medium
|
||||
45 | File | `/wp-json/oembed/1.0/embed?url` | High
|
||||
46 | File | `/_next` | Low
|
||||
47 | File | `4.edu.php\conn\function.php` | High
|
||||
48 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
49 | File | `adclick.php` | Medium
|
||||
50 | File | `addentry.php` | Medium
|
||||
51 | File | `admin.php?reqGadget=Components&reqAction=InstallGadget&comp=FileBrowser` | High
|
||||
52 | ... | ... | ...
|
||||
|
||||
There are 444 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 448 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -9,6 +9,15 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
|
|||
The following _campaigns_ are known and can be associated with Amadey Bot:
|
||||
|
||||
* Azorult
|
||||
* SmokeLoader
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Amadey Bot:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [IT](https://vuldb.com/?country.it)
|
||||
* [DE](https://vuldb.com/?country.de)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -17,11 +26,40 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
|
|||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [2.59.42.63](https://vuldb.com/?ip.2.59.42.63) | vds-cw08597.timeweb.ru | Azorult | High
|
||||
2 | [185.17.0.52](https://vuldb.com/?ip.185.17.0.52) | physicalteam.aeza.network | SmokeLoader | High
|
||||
3 | [185.17.0.63](https://vuldb.com/?ip.185.17.0.63) | braveteeth.aeza.network | SmokeLoader | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Amadey Bot_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
3 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 3 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Amadey Bot. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `carbon/admin/login.jsp` | High
|
||||
2 | File | `inc/config.php` | High
|
||||
3 | File | `index.php` | Medium
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 17 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://asec.ahnlab.com/en/36634/
|
||||
* https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot
|
||||
|
||||
## Literature
|
||||
|
|
|
@ -0,0 +1,68 @@
|
|||
# Armageddon - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Armageddon](https://vuldb.com/?actor.armageddon). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.armageddon](https://vuldb.com/?actor.armageddon)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Armageddon:
|
||||
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Armageddon.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [66.42.95.123](https://vuldb.com/?ip.66.42.95.123) | 66.42.95.123.vultrusercontent.com | - | High
|
||||
2 | [92.53.116.145](https://vuldb.com/?ip.92.53.116.145) | smtpout7.timeweb.ru | - | High
|
||||
3 | [194.58.121.198](https://vuldb.com/?ip.194.58.121.198) | 194-58-121-198.cloudvps.regruhosting.ru | - | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 1 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Armageddon_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
|
||||
3 | T1505 | CWE-89 | SQL Injection | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 1 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Armageddon. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `ngx_http_lua_subrequest.c` | High
|
||||
2 | File | `stream.h` | Medium
|
||||
3 | File | `utility.c` | Medium
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 1 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/220/armageddon-apt-iocs/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -9,11 +9,11 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
|
|||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with AveMaria:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [ES](https://vuldb.com/?country.es)
|
||||
* [IO](https://vuldb.com/?country.io)
|
||||
* [RU](https://vuldb.com/?country.ru)
|
||||
* ...
|
||||
|
||||
There are 12 more country items available. Please use our online service to access the data.
|
||||
There are 18 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -22,11 +22,11 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
|
|||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [5.2.68.67](https://vuldb.com/?ip.5.2.68.67) | - | - | High
|
||||
2 | [185.140.53.174](https://vuldb.com/?ip.185.140.53.174) | - | - | High
|
||||
3 | [185.183.98.169](https://vuldb.com/?ip.185.183.98.169) | - | - | High
|
||||
2 | [31.210.20.231](https://vuldb.com/?ip.31.210.20.231) | - | - | High
|
||||
3 | [169.159.91.226](https://vuldb.com/?ip.169.159.91.226) | - | - | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 1 more IOC items available. Please use our online service to access the data.
|
||||
There are 5 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
@ -34,12 +34,14 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
1 | T1006 | CWE-21, CWE-22 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
6 | ... | ... | ... | ...
|
||||
|
||||
There are 4 more TTP items available. Please use our online service to access the data.
|
||||
There are 18 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -47,22 +49,50 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/admin/syslog` | High
|
||||
2 | File | `/anony/mjpg.cgi` | High
|
||||
3 | File | `/etc/shadow` | Medium
|
||||
4 | File | `/plain` | Low
|
||||
5 | File | `/public/login.htm` | High
|
||||
6 | File | `/service/upload` | High
|
||||
7 | File | `/uncpath/` | Medium
|
||||
8 | File | `/upload/catalog/controller/account/password.php` | High
|
||||
9 | File | `admin/admin_users.php` | High
|
||||
10 | File | `admin/pageEditGroup.php` | High
|
||||
11 | File | `admin/record_company.php` | High
|
||||
12 | File | `admin/sysUser/save.do?callbackType=closeCurrent&navTabId=sysUser/list` | High
|
||||
13 | File | `api/account/register` | High
|
||||
14 | ... | ... | ...
|
||||
1 | File | `$SPLUNK_HOME/etc/splunk-launch.conf` | High
|
||||
2 | File | `.htaccess` | Medium
|
||||
3 | File | `/.ssh/authorized_keys` | High
|
||||
4 | File | `/account/details.php` | High
|
||||
5 | File | `/admin/academic/studenview_left.php` | High
|
||||
6 | File | `/admin/contenttemp` | High
|
||||
7 | File | `/admin/payment.php` | High
|
||||
8 | File | `/admin/syslog` | High
|
||||
9 | File | `/anony/mjpg.cgi` | High
|
||||
10 | File | `/assets/components/gallery/connector.php` | High
|
||||
11 | File | `/ctcprotocol/Protocol` | High
|
||||
12 | File | `/device/device=140/tab=wifi/view` | High
|
||||
13 | File | `/etc/shadow` | Medium
|
||||
14 | File | `/Forms/` | Low
|
||||
15 | File | `/framework/modules/users/models/user.php` | High
|
||||
16 | File | `/HNAP1/SetAccessPointMode` | High
|
||||
17 | File | `/iisadmin` | Medium
|
||||
18 | File | `/index.php` | Medium
|
||||
19 | File | `/mcategory.php` | High
|
||||
20 | File | `/member/picture/album` | High
|
||||
21 | File | `/mysql/api/diags.php` | High
|
||||
22 | File | `/phpcollab/users/edituser.php` | High
|
||||
23 | File | `/plain` | Low
|
||||
24 | File | `/products/details.asp` | High
|
||||
25 | File | `/product_list.php` | High
|
||||
26 | File | `/public/login.htm` | High
|
||||
27 | File | `/replication` | Medium
|
||||
28 | File | `/service/upload` | High
|
||||
29 | File | `/services/details.asp` | High
|
||||
30 | File | `/trx_addons/v2/get/sc_layout` | High
|
||||
31 | File | `/uncpath/` | Medium
|
||||
32 | File | `/upload/catalog/controller/account/password.php` | High
|
||||
33 | File | `/var/log/postgresql` | High
|
||||
34 | File | `/_vti_pvt/access.cnf` | High
|
||||
35 | File | `4.edu.php` | Medium
|
||||
36 | File | `add_ons.php` | Medium
|
||||
37 | File | `add_to_cart.php` | High
|
||||
38 | File | `admin.php` | Medium
|
||||
39 | File | `admin/admin_users.php` | High
|
||||
40 | File | `admin/index.php` | High
|
||||
41 | File | `admin/mod_users/controller.php?action=edit` | High
|
||||
42 | ... | ... | ...
|
||||
|
||||
There are 111 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 365 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
@ -70,6 +100,10 @@ The following list contains _external sources_ which discuss the actor and the a
|
|||
|
||||
* https://asec.ahnlab.com/en/34102/
|
||||
* https://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery
|
||||
* https://github.com/executemalware/Malware-IOCs/blob/main/2021-10-11%20AveMaria%20IOCs
|
||||
* https://github.com/executemalware/Malware-IOCs/blob/main/2022-01-28%20AveMaria_Warzone%20IOCs
|
||||
* https://github.com/executemalware/Malware-IOCs/blob/main/2022-04-19%20AveMaria_Warzone%20IOCs
|
||||
* https://github.com/executemalware/Malware-IOCs/blob/main/2022-06-24%20AveMaria_Warzone%20RAT%20IOCs
|
||||
|
||||
## Literature
|
||||
|
||||
|
|
|
@ -0,0 +1,68 @@
|
|||
# Avos - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Avos](https://vuldb.com/?actor.avos). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.avos](https://vuldb.com/?actor.avos)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Avos:
|
||||
|
||||
* [FR](https://vuldb.com/?country.fr)
|
||||
* [RU](https://vuldb.com/?country.ru)
|
||||
* [ES](https://vuldb.com/?country.es)
|
||||
* ...
|
||||
|
||||
There are 1 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Avos.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [45.136.230.191](https://vuldb.com/?ip.45.136.230.191) | - | - | High
|
||||
2 | [176.113.115.107](https://vuldb.com/?ip.176.113.115.107) | - | - | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Avos_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 4 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Avos. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/iwguestbook/admin/badwords_edit.asp` | High
|
||||
2 | File | `/iwguestbook/admin/messages_edit.asp` | High
|
||||
3 | File | `admin/dashboard.php` | High
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 22 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/364/avos-apt-iocs/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -29,7 +29,7 @@ ID | IP address | Hostname | Campaign | Confidence
|
|||
6 | [45.139.236.14](https://vuldb.com/?ip.45.139.236.14) | - | - | High
|
||||
7 | ... | ... | ... | ...
|
||||
|
||||
There are 22 more IOC items available. Please use our online service to access the data.
|
||||
There are 26 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
@ -37,12 +37,13 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 5 more TTP items available. Please use our online service to access the data.
|
||||
There are 15 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -66,7 +67,7 @@ ID | Type | Indicator | Confidence
|
|||
14 | File | `actions/ChangeConfiguration.html` | High
|
||||
15 | ... | ... | ...
|
||||
|
||||
There are 118 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 123 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
@ -74,6 +75,7 @@ The following list contains _external sources_ which discuss the actor and the a
|
|||
|
||||
* https://blog.cyble.com/2021/10/26/a-deep-dive-analysis-of-azorult-stealer/
|
||||
* https://blog.talosintelligence.com/2020/01/threat-roundup-0117-0124.html
|
||||
* https://cert.gov.ua/article/2806
|
||||
* https://isc.sans.edu/forums/diary/More+malspam+pushing+passwordprotected+Word+docs+for+AZORult+and+Hermes+Ransomware/23992/
|
||||
|
||||
## Literature
|
||||
|
|
|
@ -9,11 +9,11 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
|
|||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with B1txor20:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [GB](https://vuldb.com/?country.gb)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* [PT](https://vuldb.com/?country.pt)
|
||||
* ...
|
||||
|
||||
There are 13 more country items available. Please use our online service to access the data.
|
||||
There are 6 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -45,14 +45,14 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
|
||||
1 | T1006 | CWE-22, CWE-23 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
6 | ... | ... | ... | ...
|
||||
|
||||
There are 20 more TTP items available. Please use our online service to access the data.
|
||||
There are 19 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -60,30 +60,33 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `.encfs6.xml` | Medium
|
||||
2 | File | `.forward` | Medium
|
||||
3 | File | `.python-version` | High
|
||||
4 | File | `/ajax/remove_sniffer_raw_log/` | High
|
||||
5 | File | `/api/sys_username_passwd.cmd` | High
|
||||
6 | File | `/auth/callback` | High
|
||||
7 | File | `/bin/posix/src/ports/POSIX/OpENer` | High
|
||||
8 | File | `/bmis/pages/resident/resident.php` | High
|
||||
9 | File | `/cgi-bin/mesh.cgi?page=upgrade` | High
|
||||
10 | File | `/cgi-bin/nightled.cgi` | High
|
||||
11 | File | `/cgi-bin/nobody` | High
|
||||
12 | File | `/ci_spms/admin/category` | High
|
||||
13 | File | `/conf/` | Low
|
||||
14 | File | `/dashboard/menu-list.php` | High
|
||||
15 | File | `/dashboard/profile.php` | High
|
||||
16 | File | `/dashboard/reports/logs/view` | High
|
||||
17 | File | `/dashboard/table-list.php` | High
|
||||
18 | File | `/dev/pts/` | Medium
|
||||
19 | File | `/editbrand.php` | High
|
||||
20 | File | `/etc/hosts` | Medium
|
||||
21 | File | `/etc/lighttpd.d/ca.pem` | High
|
||||
22 | ... | ... | ...
|
||||
1 | File | `/admin` | Low
|
||||
2 | File | `/api/plugin/uninstall` | High
|
||||
3 | File | `/api/plugin/upload` | High
|
||||
4 | File | `/artist-display.php` | High
|
||||
5 | File | `/assets/partials/_handleLogin.php` | High
|
||||
6 | File | `/cgi-bin/ExportAllSettings.sh` | High
|
||||
7 | File | `/chart` | Low
|
||||
8 | File | `/context.json` | High
|
||||
9 | File | `/ecrire` | Low
|
||||
10 | File | `/editbrand.php` | High
|
||||
11 | File | `/edituser.php` | High
|
||||
12 | File | `/login.php` | Medium
|
||||
13 | File | `/modules/caddyhttp/rewrite/rewrite.go` | High
|
||||
14 | File | `/movie.php` | Medium
|
||||
15 | File | `/pages/activity/activity.php` | High
|
||||
16 | File | `/pages/permit/permit.php` | High
|
||||
17 | File | `/pay-with-paypal/{id}` | High
|
||||
18 | File | `/php_action/createUser.php` | High
|
||||
19 | File | `/req_password_user.php` | High
|
||||
20 | File | `/show_news.php` | High
|
||||
21 | File | `/sistema/flash/reboot` | High
|
||||
22 | File | `/smarthome/devicecontrol` | High
|
||||
23 | File | `/src/video/x11/SDL_x11yuv.c` | High
|
||||
24 | File | `/wordpress-gallery-transformation/gallery.php` | High
|
||||
25 | ... | ... | ...
|
||||
|
||||
There are 179 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 207 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -0,0 +1,45 @@
|
|||
# Beastmode - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Beastmode](https://vuldb.com/?actor.beastmode). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.beastmode](https://vuldb.com/?actor.beastmode)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Beastmode:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Beastmode.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [136.144.41.69](https://vuldb.com/?ip.136.144.41.69) | - | - | High
|
||||
2 | [195.133.18.119](https://vuldb.com/?ip.195.133.18.119) | - | - | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Beastmode_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/81/beastmode-botnet-ioc/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -0,0 +1,30 @@
|
|||
# Black Basta - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Black Basta](https://vuldb.com/?actor.black_basta). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.black_basta](https://vuldb.com/?actor.black_basta)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Black Basta.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [23.106.160.188](https://vuldb.com/?ip.23.106.160.188) | - | - | High
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/311/black-basta-apt-iocs/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -9,11 +9,11 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
|
|||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with BlackCat:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [PT](https://vuldb.com/?country.pt)
|
||||
* [DE](https://vuldb.com/?country.de)
|
||||
* [FR](https://vuldb.com/?country.fr)
|
||||
* ...
|
||||
|
||||
There are 5 more country items available. Please use our online service to access the data.
|
||||
There are 9 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -34,7 +34,7 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-425 | Pathname Traversal | High
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-24, CWE-425 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-294, CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
|
||||
|
@ -42,7 +42,7 @@ ID | Technique | Weakness | Description | Confidence
|
|||
6 | T1068 | CWE-250, CWE-264, CWE-269, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
7 | ... | ... | ... | ...
|
||||
|
||||
There are 24 more TTP items available. Please use our online service to access the data.
|
||||
There are 22 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -61,35 +61,32 @@ ID | Type | Indicator | Confidence
|
|||
9 | File | `/admin/new-content` | High
|
||||
10 | File | `/admin/posts.php` | High
|
||||
11 | File | `/admin/posts.php&action=delete` | High
|
||||
12 | File | `/admin/run_ajax.php` | High
|
||||
13 | File | `/admin/siteoptions.php&action=displaygoal&value=1&roleid=1` | High
|
||||
14 | File | `/admin/uesrs.php&&action=delete&userid=4` | High
|
||||
15 | File | `/admin/uesrs.php&action=type&userrole=Admin&userid=3` | High
|
||||
16 | File | `/ajax/set_sys_time/` | High
|
||||
17 | File | `/api/programs/orgUnits?programs` | High
|
||||
18 | File | `/application/controllers/Users.php` | High
|
||||
19 | File | `/bcms/admin/?page=reports/daily_court_rental_report` | High
|
||||
20 | File | `/bcms/admin/?page=service_transactions/manage_service_transaction` | High
|
||||
21 | File | `/bcms/classes/Master.php?f=delete_court_rental` | High
|
||||
22 | File | `/blog/blog.php` | High
|
||||
23 | File | `/cdsms/classes/Master.php?f=delete_enrollment` | High
|
||||
24 | File | `/cgi-bin/kerbynet` | High
|
||||
25 | File | `/cgi/get_param.cgi` | High
|
||||
26 | File | `/checklogin.jsp` | High
|
||||
27 | File | `/ci_hms/search` | High
|
||||
28 | File | `/classes/Master.php?f=delete_schedule` | High
|
||||
29 | File | `/cms/classes/Master.php?f=delete_service` | High
|
||||
30 | File | `/company/account/safety/trade` | High
|
||||
31 | File | `/ctpms/admin/?page=individuals/view_individual` | High
|
||||
32 | File | `/ctpms/classes/Master.php?f=delete_img` | High
|
||||
33 | File | `/dashboard/reports/logs/view` | High
|
||||
34 | File | `/dashboard/snapshot/*?orgId=0` | High
|
||||
35 | File | `/etc/ajenti/config.yml` | High
|
||||
36 | File | `/fuel/sitevariables/delete/4` | High
|
||||
37 | File | `/goform/AdvSetLanIp` | High
|
||||
38 | ... | ... | ...
|
||||
12 | File | `/admin/siteoptions.php&action=displaygoal&value=1&roleid=1` | High
|
||||
13 | File | `/admin/uesrs.php&&action=delete&userid=4` | High
|
||||
14 | File | `/admin/uesrs.php&action=type&userrole=Admin&userid=3` | High
|
||||
15 | File | `/ajax/set_sys_time/` | High
|
||||
16 | File | `/api/programs/orgUnits?programs` | High
|
||||
17 | File | `/application/controllers/Users.php` | High
|
||||
18 | File | `/bcms/admin/?page=reports/daily_court_rental_report` | High
|
||||
19 | File | `/bcms/admin/?page=service_transactions/manage_service_transaction` | High
|
||||
20 | File | `/bcms/classes/Master.php?f=delete_court_rental` | High
|
||||
21 | File | `/cdsms/classes/Master.php?f=delete_enrollment` | High
|
||||
22 | File | `/cgi/get_param.cgi` | High
|
||||
23 | File | `/checklogin.jsp` | High
|
||||
24 | File | `/ci_hms/search` | High
|
||||
25 | File | `/ci_spms/admin/search/searching/` | High
|
||||
26 | File | `/classes/Master.php?f=delete_schedule` | High
|
||||
27 | File | `/cms/classes/Master.php?f=delete_service` | High
|
||||
28 | File | `/company/account/safety/trade` | High
|
||||
29 | File | `/ctpms/admin/?page=individuals/view_individual` | High
|
||||
30 | File | `/ctpms/classes/Master.php?f=delete_img` | High
|
||||
31 | File | `/dashboard/reports/logs/view` | High
|
||||
32 | File | `/dashboard/snapshot/*?orgId=0` | High
|
||||
33 | File | `/dotrace.asp` | Medium
|
||||
34 | File | `/fuel/sitevariables/delete/4` | High
|
||||
35 | ... | ... | ...
|
||||
|
||||
There are 327 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 295 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
* [US](https://vuldb.com/?country.us)
|
||||
* ...
|
||||
|
||||
There are 21 more country items available. Please use our online service to access the data.
|
||||
There are 19 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -69,7 +69,7 @@ ID | Type | Indicator | Confidence
|
|||
16 | File | `/index/jobfairol/show/` | High
|
||||
17 | File | `/librarian/bookdetails.php` | High
|
||||
18 | File | `/mgmt/tm/util/bash` | High
|
||||
19 | File | `/monitoring` | Medium
|
||||
19 | File | `/modules/caddyhttp/rewrite/rewrite.go` | High
|
||||
20 | File | `/new` | Low
|
||||
21 | File | `/proc/<PID>/mem` | High
|
||||
22 | File | `/proc/<pid>/status` | High
|
||||
|
@ -77,12 +77,13 @@ ID | Type | Indicator | Confidence
|
|||
24 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
25 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
26 | File | `/simple_chat_bot/admin/?page=user/manage_user` | High
|
||||
27 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
|
||||
28 | File | `/tmp` | Low
|
||||
29 | File | `/uncpath/` | Medium
|
||||
30 | ... | ... | ...
|
||||
27 | File | `/spip.php` | Medium
|
||||
28 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
|
||||
29 | File | `/tmp` | Low
|
||||
30 | File | `/uncpath/` | Medium
|
||||
31 | ... | ... | ...
|
||||
|
||||
There are 252 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 265 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -0,0 +1,90 @@
|
|||
# Brute Ratel C4 - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Brute Ratel C4](https://vuldb.com/?actor.brute_ratel_c4). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.brute_ratel_c4](https://vuldb.com/?actor.brute_ratel_c4)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Brute Ratel C4:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [IE](https://vuldb.com/?country.ie)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* ...
|
||||
|
||||
There are 8 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Brute Ratel C4.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [3.110.56.219](https://vuldb.com/?ip.3.110.56.219) | ec2-3-110-56-219.ap-south-1.compute.amazonaws.com | - | Medium
|
||||
2 | [3.133.7.69](https://vuldb.com/?ip.3.133.7.69) | ec2-3-133-7-69.us-east-2.compute.amazonaws.com | - | Medium
|
||||
3 | [15.206.84.52](https://vuldb.com/?ip.15.206.84.52) | ec2-15-206-84-52.ap-south-1.compute.amazonaws.com | - | Medium
|
||||
4 | [18.130.233.249](https://vuldb.com/?ip.18.130.233.249) | ec2-18-130-233-249.eu-west-2.compute.amazonaws.com | - | Medium
|
||||
5 | [18.133.26.247](https://vuldb.com/?ip.18.133.26.247) | ec2-18-133-26-247.eu-west-2.compute.amazonaws.com | - | Medium
|
||||
6 | [18.217.179.8](https://vuldb.com/?ip.18.217.179.8) | ec2-18-217-179-8.us-east-2.compute.amazonaws.com | - | Medium
|
||||
7 | [18.236.92.31](https://vuldb.com/?ip.18.236.92.31) | ec2-18-236-92-31.us-west-2.compute.amazonaws.com | - | Medium
|
||||
8 | [31.184.198.83](https://vuldb.com/?ip.31.184.198.83) | - | - | High
|
||||
9 | [34.195.122.225](https://vuldb.com/?ip.34.195.122.225) | ec2-34-195-122-225.compute-1.amazonaws.com | - | Medium
|
||||
10 | ... | ... | ... | ...
|
||||
|
||||
There are 35 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Brute Ratel C4_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1055 | CWE-74 | Injection | High
|
||||
3 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
4 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 14 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Brute Ratel C4. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/+CSCOE+/logon.html` | High
|
||||
2 | File | `/admin/featured.php` | High
|
||||
3 | File | `/admin/newsletter1.php` | High
|
||||
4 | File | `/admin/renewaldue.php` | High
|
||||
5 | File | `/admin/reports.php` | High
|
||||
6 | File | `/admin/web_config.php` | High
|
||||
7 | File | `/ajax/ImportCertificate` | High
|
||||
8 | File | `/app/controller/Books.php` | High
|
||||
9 | File | `/cgi-bin` | Medium
|
||||
10 | File | `/config/service/host.go` | High
|
||||
11 | File | `/data/sqldata` | High
|
||||
12 | File | `/DataHandler/AM/AM_Handler.ashx` | High
|
||||
13 | File | `/lan.asp` | Medium
|
||||
14 | File | `/Pwrchute` | Medium
|
||||
15 | ... | ... | ...
|
||||
|
||||
There are 116 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/409/brute-ratel-c4-brc4-iocs/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -9,11 +9,11 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
|
|||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Bumblebee:
|
||||
|
||||
* [VN](https://vuldb.com/?country.vn)
|
||||
* [IT](https://vuldb.com/?country.it)
|
||||
* [PL](https://vuldb.com/?country.pl)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* ...
|
||||
|
||||
There are 2 more country items available. Please use our online service to access the data.
|
||||
There are 1 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -66,59 +66,77 @@ ID | IP address | Hostname | Campaign | Confidence
|
|||
43 | [22.83.186.45](https://vuldb.com/?ip.22.83.186.45) | - | - | High
|
||||
44 | [22.175.0.90](https://vuldb.com/?ip.22.175.0.90) | - | - | High
|
||||
45 | [23.81.246.187](https://vuldb.com/?ip.23.81.246.187) | - | - | High
|
||||
46 | [23.254.201.97](https://vuldb.com/?ip.23.254.201.97) | hwsrv-974106.hostwindsdns.com | - | High
|
||||
47 | [23.254.217.222](https://vuldb.com/?ip.23.254.217.222) | hwsrv-976272.hostwindsdns.com | - | High
|
||||
48 | [24.4.68.32](https://vuldb.com/?ip.24.4.68.32) | c-24-4-68-32.hsd1.ca.comcast.net | - | High
|
||||
49 | [24.57.185.167](https://vuldb.com/?ip.24.57.185.167) | d24-57-185-167.home.cgocable.net | - | High
|
||||
50 | [24.121.25.160](https://vuldb.com/?ip.24.121.25.160) | 24-121-25-160.sdoncmtk01.com.dyn.suddenlink.net | - | High
|
||||
51 | [25.5.198.104](https://vuldb.com/?ip.25.5.198.104) | - | - | High
|
||||
52 | [25.170.215.18](https://vuldb.com/?ip.25.170.215.18) | - | - | High
|
||||
53 | [25.181.64.39](https://vuldb.com/?ip.25.181.64.39) | - | - | High
|
||||
54 | [26.6.83.53](https://vuldb.com/?ip.26.6.83.53) | - | - | High
|
||||
55 | [28.53.120.108](https://vuldb.com/?ip.28.53.120.108) | - | - | High
|
||||
56 | [28.107.38.196](https://vuldb.com/?ip.28.107.38.196) | - | - | High
|
||||
57 | [28.148.236.16](https://vuldb.com/?ip.28.148.236.16) | - | - | High
|
||||
58 | [29.64.0.111](https://vuldb.com/?ip.29.64.0.111) | - | - | High
|
||||
59 | [29.122.243.158](https://vuldb.com/?ip.29.122.243.158) | - | - | High
|
||||
60 | [30.17.4.146](https://vuldb.com/?ip.30.17.4.146) | - | - | High
|
||||
61 | [30.65.48.152](https://vuldb.com/?ip.30.65.48.152) | - | - | High
|
||||
62 | [30.205.76.70](https://vuldb.com/?ip.30.205.76.70) | - | - | High
|
||||
63 | [31.228.253.114](https://vuldb.com/?ip.31.228.253.114) | - | - | High
|
||||
64 | [32.181.245.23](https://vuldb.com/?ip.32.181.245.23) | - | - | High
|
||||
65 | [33.93.97.183](https://vuldb.com/?ip.33.93.97.183) | - | - | High
|
||||
66 | [33.145.184.132](https://vuldb.com/?ip.33.145.184.132) | - | - | High
|
||||
67 | [34.229.154.31](https://vuldb.com/?ip.34.229.154.31) | ec2-34-229-154-31.compute-1.amazonaws.com | - | Medium
|
||||
68 | [35.120.155.220](https://vuldb.com/?ip.35.120.155.220) | - | - | High
|
||||
69 | [36.110.58.103](https://vuldb.com/?ip.36.110.58.103) | 103.58.110.36.static.bjtelecom.net | - | High
|
||||
70 | [37.64.220.2](https://vuldb.com/?ip.37.64.220.2) | 2.220.64.37.rev.sfr.net | - | High
|
||||
71 | [37.72.174.23](https://vuldb.com/?ip.37.72.174.23) | 37-72-174-23.static.hvvc.us | - | High
|
||||
72 | [37.120.198.248](https://vuldb.com/?ip.37.120.198.248) | - | - | High
|
||||
73 | [38.12.57.131](https://vuldb.com/?ip.38.12.57.131) | - | - | High
|
||||
74 | [39.57.152.217](https://vuldb.com/?ip.39.57.152.217) | - | - | High
|
||||
75 | [40.72.17.141](https://vuldb.com/?ip.40.72.17.141) | - | - | High
|
||||
76 | [41.28.188.77](https://vuldb.com/?ip.41.28.188.77) | vc-gp-s-41-28-188-77.umts.vodacom.co.za | - | High
|
||||
77 | [41.56.181.200](https://vuldb.com/?ip.41.56.181.200) | - | - | High
|
||||
78 | [45.3.236.177](https://vuldb.com/?ip.45.3.236.177) | 045-003-236-177.biz.spectrum.com | - | High
|
||||
79 | [45.84.0.13](https://vuldb.com/?ip.45.84.0.13) | vm523902.stark-industries.solutions | - | High
|
||||
80 | [45.138.172.246](https://vuldb.com/?ip.45.138.172.246) | - | - | High
|
||||
81 | [45.142.214.120](https://vuldb.com/?ip.45.142.214.120) | vm516885.stark-industries.solutions | - | High
|
||||
82 | [45.142.214.167](https://vuldb.com/?ip.45.142.214.167) | - | - | High
|
||||
83 | [45.147.229.50](https://vuldb.com/?ip.45.147.229.50) | - | - | High
|
||||
84 | [45.147.229.101](https://vuldb.com/?ip.45.147.229.101) | - | - | High
|
||||
85 | [45.147.229.199](https://vuldb.com/?ip.45.147.229.199) | - | - | High
|
||||
86 | [45.147.231.202](https://vuldb.com/?ip.45.147.231.202) | - | - | High
|
||||
87 | [45.153.240.139](https://vuldb.com/?ip.45.153.240.139) | - | - | High
|
||||
88 | [45.153.241.187](https://vuldb.com/?ip.45.153.241.187) | - | - | High
|
||||
89 | [45.153.241.234](https://vuldb.com/?ip.45.153.241.234) | - | - | High
|
||||
90 | [46.21.153.145](https://vuldb.com/?ip.46.21.153.145) | 145.153.21.46.static.swiftway.net | - | High
|
||||
91 | [46.44.240.53](https://vuldb.com/?ip.46.44.240.53) | 46-44-240-53.ip.welcomeitalia.it | - | High
|
||||
92 | [47.27.63.45](https://vuldb.com/?ip.47.27.63.45) | 047-027-063-045.res.spectrum.com | - | High
|
||||
93 | [47.58.200.234](https://vuldb.com/?ip.47.58.200.234) | 47-58-200-234.red-acceso.airtel.net | - | High
|
||||
94 | [48.165.175.199](https://vuldb.com/?ip.48.165.175.199) | - | - | High
|
||||
95 | [48.209.106.172](https://vuldb.com/?ip.48.209.106.172) | - | - | High
|
||||
96 | ... | ... | ... | ...
|
||||
46 | [23.82.19.208](https://vuldb.com/?ip.23.82.19.208) | - | - | High
|
||||
47 | [23.82.140.133](https://vuldb.com/?ip.23.82.140.133) | - | - | High
|
||||
48 | [23.82.141.184](https://vuldb.com/?ip.23.82.141.184) | - | - | High
|
||||
49 | [23.83.133.1](https://vuldb.com/?ip.23.83.133.1) | v327.er01.dal.ubiquity.io | - | High
|
||||
50 | [23.83.133.182](https://vuldb.com/?ip.23.83.133.182) | - | - | High
|
||||
51 | [23.83.133.216](https://vuldb.com/?ip.23.83.133.216) | - | - | High
|
||||
52 | [23.83.134.110](https://vuldb.com/?ip.23.83.134.110) | - | - | High
|
||||
53 | [23.83.134.136](https://vuldb.com/?ip.23.83.134.136) | - | - | High
|
||||
54 | [23.106.160.39](https://vuldb.com/?ip.23.106.160.39) | - | - | High
|
||||
55 | [23.106.160.120](https://vuldb.com/?ip.23.106.160.120) | - | - | High
|
||||
56 | [23.106.215.123](https://vuldb.com/?ip.23.106.215.123) | - | - | High
|
||||
57 | [23.108.57.13](https://vuldb.com/?ip.23.108.57.13) | - | - | High
|
||||
58 | [23.227.198.217](https://vuldb.com/?ip.23.227.198.217) | 23-227-198-217.static.hvvc.us | - | High
|
||||
59 | [23.254.201.97](https://vuldb.com/?ip.23.254.201.97) | hwsrv-974106.hostwindsdns.com | - | High
|
||||
60 | [23.254.202.59](https://vuldb.com/?ip.23.254.202.59) | hwsrv-987701.hostwindsdns.com | - | High
|
||||
61 | [23.254.217.20](https://vuldb.com/?ip.23.254.217.20) | hwsrv-984041.hostwindsdns.com | - | High
|
||||
62 | [23.254.217.222](https://vuldb.com/?ip.23.254.217.222) | hwsrv-976272.hostwindsdns.com | - | High
|
||||
63 | [23.254.227.144](https://vuldb.com/?ip.23.254.227.144) | hwsrv-982332.hostwindsdns.com | - | High
|
||||
64 | [24.4.68.32](https://vuldb.com/?ip.24.4.68.32) | c-24-4-68-32.hsd1.ca.comcast.net | - | High
|
||||
65 | [24.57.185.167](https://vuldb.com/?ip.24.57.185.167) | d24-57-185-167.home.cgocable.net | - | High
|
||||
66 | [24.121.25.160](https://vuldb.com/?ip.24.121.25.160) | 24-121-25-160.sdoncmtk01.com.dyn.suddenlink.net | - | High
|
||||
67 | [25.5.198.104](https://vuldb.com/?ip.25.5.198.104) | - | - | High
|
||||
68 | [25.170.215.18](https://vuldb.com/?ip.25.170.215.18) | - | - | High
|
||||
69 | [25.181.64.39](https://vuldb.com/?ip.25.181.64.39) | - | - | High
|
||||
70 | [26.6.83.53](https://vuldb.com/?ip.26.6.83.53) | - | - | High
|
||||
71 | [28.11.143.222](https://vuldb.com/?ip.28.11.143.222) | - | - | High
|
||||
72 | [28.53.120.108](https://vuldb.com/?ip.28.53.120.108) | - | - | High
|
||||
73 | [28.107.38.196](https://vuldb.com/?ip.28.107.38.196) | - | - | High
|
||||
74 | [28.148.236.16](https://vuldb.com/?ip.28.148.236.16) | - | - | High
|
||||
75 | [29.64.0.111](https://vuldb.com/?ip.29.64.0.111) | - | - | High
|
||||
76 | [29.122.243.158](https://vuldb.com/?ip.29.122.243.158) | - | - | High
|
||||
77 | [30.17.4.146](https://vuldb.com/?ip.30.17.4.146) | - | - | High
|
||||
78 | [30.65.48.152](https://vuldb.com/?ip.30.65.48.152) | - | - | High
|
||||
79 | [30.205.76.70](https://vuldb.com/?ip.30.205.76.70) | - | - | High
|
||||
80 | [31.228.253.114](https://vuldb.com/?ip.31.228.253.114) | - | - | High
|
||||
81 | [32.181.245.23](https://vuldb.com/?ip.32.181.245.23) | - | - | High
|
||||
82 | [33.93.97.183](https://vuldb.com/?ip.33.93.97.183) | - | - | High
|
||||
83 | [33.145.184.132](https://vuldb.com/?ip.33.145.184.132) | - | - | High
|
||||
84 | [34.229.154.31](https://vuldb.com/?ip.34.229.154.31) | ec2-34-229-154-31.compute-1.amazonaws.com | - | Medium
|
||||
85 | [35.120.155.220](https://vuldb.com/?ip.35.120.155.220) | - | - | High
|
||||
86 | [36.110.58.103](https://vuldb.com/?ip.36.110.58.103) | 103.58.110.36.static.bjtelecom.net | - | High
|
||||
87 | [37.64.220.2](https://vuldb.com/?ip.37.64.220.2) | 2.220.64.37.rev.sfr.net | - | High
|
||||
88 | [37.72.174.9](https://vuldb.com/?ip.37.72.174.9) | emailmail.org.uk | - | High
|
||||
89 | [37.72.174.23](https://vuldb.com/?ip.37.72.174.23) | 37-72-174-23.static.hvvc.us | - | High
|
||||
90 | [37.120.198.248](https://vuldb.com/?ip.37.120.198.248) | - | - | High
|
||||
91 | [38.12.57.131](https://vuldb.com/?ip.38.12.57.131) | - | - | High
|
||||
92 | [39.57.152.217](https://vuldb.com/?ip.39.57.152.217) | - | - | High
|
||||
93 | [40.72.17.141](https://vuldb.com/?ip.40.72.17.141) | - | - | High
|
||||
94 | [41.28.188.77](https://vuldb.com/?ip.41.28.188.77) | vc-gp-s-41-28-188-77.umts.vodacom.co.za | - | High
|
||||
95 | [41.56.181.200](https://vuldb.com/?ip.41.56.181.200) | - | - | High
|
||||
96 | [45.3.236.177](https://vuldb.com/?ip.45.3.236.177) | 045-003-236-177.biz.spectrum.com | - | High
|
||||
97 | [45.11.19.224](https://vuldb.com/?ip.45.11.19.224) | - | - | High
|
||||
98 | [45.66.151.155](https://vuldb.com/?ip.45.66.151.155) | - | - | High
|
||||
99 | [45.84.0.13](https://vuldb.com/?ip.45.84.0.13) | vm523902.stark-industries.solutions | - | High
|
||||
100 | [45.138.172.246](https://vuldb.com/?ip.45.138.172.246) | - | - | High
|
||||
101 | [45.140.146.30](https://vuldb.com/?ip.45.140.146.30) | vm542320.stark-industries.solutions | - | High
|
||||
102 | [45.140.146.244](https://vuldb.com/?ip.45.140.146.244) | - | - | High
|
||||
103 | [45.142.214.120](https://vuldb.com/?ip.45.142.214.120) | vm516885.stark-industries.solutions | - | High
|
||||
104 | [45.142.214.167](https://vuldb.com/?ip.45.142.214.167) | - | - | High
|
||||
105 | [45.147.229.23](https://vuldb.com/?ip.45.147.229.23) | - | - | High
|
||||
106 | [45.147.229.50](https://vuldb.com/?ip.45.147.229.50) | - | - | High
|
||||
107 | [45.147.229.101](https://vuldb.com/?ip.45.147.229.101) | - | - | High
|
||||
108 | [45.147.229.177](https://vuldb.com/?ip.45.147.229.177) | - | - | High
|
||||
109 | [45.147.229.199](https://vuldb.com/?ip.45.147.229.199) | - | - | High
|
||||
110 | [45.147.231.107](https://vuldb.com/?ip.45.147.231.107) | - | - | High
|
||||
111 | [45.147.231.202](https://vuldb.com/?ip.45.147.231.202) | - | - | High
|
||||
112 | [45.153.240.139](https://vuldb.com/?ip.45.153.240.139) | - | - | High
|
||||
113 | [45.153.241.187](https://vuldb.com/?ip.45.153.241.187) | - | - | High
|
||||
114 | ... | ... | ... | ...
|
||||
|
||||
There are 382 more IOC items available. Please use our online service to access the data.
|
||||
There are 450 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
@ -127,12 +145,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
4 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 15 more TTP items available. Please use our online service to access the data.
|
||||
There are 17 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -140,24 +158,29 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/app/options.py` | High
|
||||
2 | File | `/auth/callback` | High
|
||||
3 | File | `/bin/posix/src/ports/POSIX/OpENer` | High
|
||||
4 | File | `/dashboard/menu-list.php` | High
|
||||
5 | File | `/dashboard/profile.php` | High
|
||||
6 | File | `/dashboard/table-list.php` | High
|
||||
7 | File | `/data/vendor/tcl` | High
|
||||
8 | File | `/etc/lighttpd.d/ca.pem` | High
|
||||
9 | File | `/ffos/classes/Master.php?f=save_category` | High
|
||||
10 | File | `/home/iojs/build/ws/out/Release/obj.target/deps/openssl/openssl.cnf` | High
|
||||
11 | ... | ... | ...
|
||||
1 | File | `.procmailrc` | Medium
|
||||
2 | File | `/catcompany.php` | High
|
||||
3 | File | `/edituser.php` | High
|
||||
4 | File | `/modules/projects/vw_files.php` | High
|
||||
5 | File | `/pages/permit/permit.php` | High
|
||||
6 | File | `/php_action/createUser.php` | High
|
||||
7 | File | `/products/view_product.php` | High
|
||||
8 | File | `/sistema/flash/reboot` | High
|
||||
9 | File | `/src/video/x11/SDL_x11yuv.c` | High
|
||||
10 | File | `admin.cropcanvas.php` | High
|
||||
11 | File | `admin/conf_users_edit.php` | High
|
||||
12 | ... | ... | ...
|
||||
|
||||
There are 87 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 93 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/151/bumblebee-loader-iocs/
|
||||
* https://1275.ru/ioc/250/bumblebee-malware-iocs-part-3/
|
||||
* https://1275.ru/ioc/287/bumblebee-malware-iocs-part-4/
|
||||
* https://1275.ru/ioc/347/bumblebee-loader-iocs-part-5/
|
||||
* https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/
|
||||
* https://github.com/pr0xylife/Bumblebee/blob/main/Bumblebee_01.06.2022.txt
|
||||
* https://github.com/pr0xylife/Bumblebee/blob/main/Bumblebee_02.06.2022.txt
|
||||
|
|
|
@ -0,0 +1,30 @@
|
|||
# Caligula - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Caligula](https://vuldb.com/?actor.caligula). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.caligula](https://vuldb.com/?actor.caligula)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Caligula.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [45.95.55.24](https://vuldb.com/?ip.45.95.55.24) | 45.95.55.24.fly-hosting.net | - | High
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/448/caligula-botnet-iocs/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -61,43 +61,42 @@ ID | Type | Indicator | Confidence
|
|||
-- | ---- | --------- | ----------
|
||||
1 | File | `%PROGRAMDATA%\OpenVPN Connect\drivers\tap\amd64\win10` | High
|
||||
2 | File | `/.dbus-keyrings` | High
|
||||
3 | File | `/.vnc/sesman_${username}_passwd` | High
|
||||
4 | File | `/acms/classes/Master.php?f=delete_cargo` | High
|
||||
5 | File | `/addsrv` | Low
|
||||
6 | File | `/admin.php/news/admin/topic/save` | High
|
||||
7 | File | `/admin/comn/service/update.json` | High
|
||||
8 | File | `/Admin/Views/FileEditor/` | High
|
||||
9 | File | `/api/user/{ID}` | High
|
||||
10 | File | `/article/add` | Medium
|
||||
11 | File | `/cgi-bin/uploadWeiXinPic` | High
|
||||
12 | File | `/controller/pay.class.php` | High
|
||||
13 | File | `/ctpms/admin/?page=applications/view_application` | High
|
||||
14 | File | `/dev/block/mmcblk0rpmb` | High
|
||||
15 | File | `/dev/kmem` | Medium
|
||||
16 | File | `/dev/shm` | Medium
|
||||
17 | File | `/dev/snd/seq` | Medium
|
||||
18 | File | `/device/device=140/tab=wifi/view` | High
|
||||
19 | File | `/dl/dl_print.php` | High
|
||||
20 | File | `/getcfg.php` | Medium
|
||||
21 | File | `/goform/addressNat` | High
|
||||
22 | File | `/goform/SetClientState` | High
|
||||
23 | File | `/htdocs/admin/dict.php?id=3` | High
|
||||
24 | File | `/include/menu_v.inc.php` | High
|
||||
25 | File | `/irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.UserMapping` | High
|
||||
26 | File | `/jerry-core/ecma/base/ecma-gc.c` | High
|
||||
27 | File | `/jerry-core/ecma/base/ecma-helpers-conversion.c` | High
|
||||
28 | File | `/librarian/bookdetails.php` | High
|
||||
29 | File | `/login` | Low
|
||||
30 | File | `/mngset/authset` | High
|
||||
31 | File | `/module/module_frame/index.php` | High
|
||||
32 | File | `/nova/bin/sniffer` | High
|
||||
33 | File | `/ofcms/company-c-47` | High
|
||||
34 | File | `/proc/*/cmdline"` | High
|
||||
35 | File | `/proc/pid/syscall` | High
|
||||
36 | File | `/product_list.php` | High
|
||||
37 | ... | ... | ...
|
||||
3 | File | `/acms/classes/Master.php?f=delete_cargo` | High
|
||||
4 | File | `/addsrv` | Low
|
||||
5 | File | `/admin.php/news/admin/topic/save` | High
|
||||
6 | File | `/admin/comn/service/update.json` | High
|
||||
7 | File | `/Admin/Views/FileEditor/` | High
|
||||
8 | File | `/api/user/{ID}` | High
|
||||
9 | File | `/article/add` | Medium
|
||||
10 | File | `/cgi-bin/uploadWeiXinPic` | High
|
||||
11 | File | `/controller/pay.class.php` | High
|
||||
12 | File | `/ctpms/admin/?page=applications/view_application` | High
|
||||
13 | File | `/dev/block/mmcblk0rpmb` | High
|
||||
14 | File | `/dev/kmem` | Medium
|
||||
15 | File | `/dev/shm` | Medium
|
||||
16 | File | `/dev/snd/seq` | Medium
|
||||
17 | File | `/device/device=140/tab=wifi/view` | High
|
||||
18 | File | `/dl/dl_print.php` | High
|
||||
19 | File | `/getcfg.php` | Medium
|
||||
20 | File | `/goform/addressNat` | High
|
||||
21 | File | `/goform/SetClientState` | High
|
||||
22 | File | `/htdocs/admin/dict.php?id=3` | High
|
||||
23 | File | `/include/menu_v.inc.php` | High
|
||||
24 | File | `/irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.UserMapping` | High
|
||||
25 | File | `/jerry-core/ecma/base/ecma-gc.c` | High
|
||||
26 | File | `/jerry-core/ecma/base/ecma-helpers-conversion.c` | High
|
||||
27 | File | `/librarian/bookdetails.php` | High
|
||||
28 | File | `/login` | Low
|
||||
29 | File | `/mngset/authset` | High
|
||||
30 | File | `/module/module_frame/index.php` | High
|
||||
31 | File | `/nova/bin/sniffer` | High
|
||||
32 | File | `/ofcms/company-c-47` | High
|
||||
33 | File | `/proc/*/cmdline"` | High
|
||||
34 | File | `/proc/pid/syscall` | High
|
||||
35 | File | `/product_list.php` | High
|
||||
36 | ... | ... | ...
|
||||
|
||||
There are 313 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 306 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
* [FR](https://vuldb.com/?country.fr)
|
||||
* ...
|
||||
|
||||
There are 17 more country items available. Please use our online service to access the data.
|
||||
There are 18 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -84,7 +84,7 @@ ID | Type | Indicator | Confidence
|
|||
30 | File | `admin/article_category.php?rec=update` | High
|
||||
31 | ... | ... | ...
|
||||
|
||||
There are 260 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 262 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -0,0 +1,46 @@
|
|||
# Cobalt Mirage - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Cobalt Mirage](https://vuldb.com/?actor.cobalt_mirage). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.cobalt_mirage](https://vuldb.com/?actor.cobalt_mirage)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Cobalt Mirage:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Cobalt Mirage.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [107.173.231.114](https://vuldb.com/?ip.107.173.231.114) | 107-173-231-114-host.colocrossing.com | - | High
|
||||
2 | [198.12.65.175](https://vuldb.com/?ip.198.12.65.175) | 198-12-65-175-host.colocrossing.com | - | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Cobalt Mirage_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1202 | CWE-78 | Command Injection | High
|
||||
2 | T1505 | CWE-89 | SQL Injection | High
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/213/cobalt-mirage-apt-iocs/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -104,10 +104,9 @@ ID | Type | Indicator | Confidence
|
|||
26 | File | `/index.php/?p=report` | High
|
||||
27 | File | `/Items/*/RemoteImages/Download` | High
|
||||
28 | File | `/modules/caddyhttp/rewrite/rewrite.go` | High
|
||||
29 | File | `/out.php` | Medium
|
||||
30 | ... | ... | ...
|
||||
29 | ... | ... | ...
|
||||
|
||||
There are 253 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 247 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -8,12 +8,12 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
|
|||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with CoolWebSearch:
|
||||
|
||||
* [ES](https://vuldb.com/?country.es)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [VN](https://vuldb.com/?country.vn)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* ...
|
||||
|
||||
There are 21 more country items available. Please use our online service to access the data.
|
||||
There are 13 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -154,12 +154,14 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
|
||||
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
6 | ... | ... | ... | ...
|
||||
|
||||
There are 6 more TTP items available. Please use our online service to access the data.
|
||||
There are 19 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -167,39 +169,36 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/.ssh/authorized_keys` | High
|
||||
2 | File | `/cgi-bin/luci/api/auth` | High
|
||||
3 | File | `/cgi-bin/luci/api/diagnose` | High
|
||||
4 | File | `/CMD_ACCOUNT_ADMIN` | High
|
||||
5 | File | `/context/%2e/WEB-INF/web.xml` | High
|
||||
6 | File | `/core/admin/categories.php` | High
|
||||
7 | File | `/etc/groups` | Medium
|
||||
8 | File | `/etc/sudoers` | Medium
|
||||
9 | File | `/filemanager/php/connector.php` | High
|
||||
10 | File | `/forum/away.php` | High
|
||||
11 | File | `/mgmt/tm/util/bash` | High
|
||||
12 | File | `/modules/profile/index.php` | High
|
||||
13 | File | `/MTFWU` | Low
|
||||
14 | File | `/new` | Low
|
||||
15 | File | `/php/passport/index.php` | High
|
||||
16 | File | `/proc/<pid>/status` | High
|
||||
17 | File | `/public/plugins/` | High
|
||||
18 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
19 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
20 | File | `/server-info` | Medium
|
||||
21 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
|
||||
22 | File | `/tmp` | Low
|
||||
23 | File | `/uncpath/` | Medium
|
||||
24 | File | `/updown/upload.cgi` | High
|
||||
25 | File | `/usr/bin/pkexec` | High
|
||||
26 | File | `4.2.0.CP09` | Medium
|
||||
27 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
28 | File | `AccountManagerService.java` | High
|
||||
29 | File | `actions/CompanyDetailsSave.php` | High
|
||||
30 | File | `ActivityManagerService.java` | High
|
||||
31 | ... | ... | ...
|
||||
1 | File | `//proc/kcore` | Medium
|
||||
2 | File | `/Ap4RtpAtom.cpp` | High
|
||||
3 | File | `/app/options.py` | High
|
||||
4 | File | `/bcms/admin/?page=user/list` | High
|
||||
5 | File | `/bsms/?page=manage_account` | High
|
||||
6 | File | `/cgi-bin/login.cgi` | High
|
||||
7 | File | `/cgi-bin/luci/api/auth` | High
|
||||
8 | File | `/cgi-bin/luci/api/diagnose` | High
|
||||
9 | File | `/ci_hms/massage_room/edit/1` | High
|
||||
10 | File | `/dashboard/reports/logs/view` | High
|
||||
11 | File | `/debug/pprof` | Medium
|
||||
12 | File | `/etc/config/image_sign` | High
|
||||
13 | File | `/etc/groups` | Medium
|
||||
14 | File | `/etc/hosts` | Medium
|
||||
15 | File | `/forum/away.php` | High
|
||||
16 | File | `/fuel/index.php/fuel/logs/items` | High
|
||||
17 | File | `/fuel/sitevariables/delete/4` | High
|
||||
18 | File | `/ghost/preview` | High
|
||||
19 | File | `/hprms/admin/doctors/manage_doctor.php` | High
|
||||
20 | File | `/index/jobfairol/show/` | High
|
||||
21 | File | `/librarian/bookdetails.php` | High
|
||||
22 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
|
||||
23 | File | `/mgmt/tm/util/bash` | High
|
||||
24 | File | `/modules/caddyhttp/rewrite/rewrite.go` | High
|
||||
25 | File | `/php/passport/index.php` | High
|
||||
26 | File | `/proc/<PID>/mem` | High
|
||||
27 | File | `/servlet/AdapterHTTP` | High
|
||||
28 | ... | ... | ...
|
||||
|
||||
There are 259 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 233 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -0,0 +1,30 @@
|
|||
# CrateDepression - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [CrateDepression](https://vuldb.com/?actor.cratedepression). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.cratedepression](https://vuldb.com/?actor.cratedepression)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of CrateDepression.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [64.227.12.57](https://vuldb.com/?ip.64.227.12.57) | - | - | High
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/240/cratedepression-malware-iocs/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -0,0 +1,30 @@
|
|||
# CredoMap - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [CredoMap](https://vuldb.com/?actor.credomap). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.credomap](https://vuldb.com/?actor.credomap)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of CredoMap.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [69.16.243.33](https://vuldb.com/?ip.69.16.243.33) | host.tecnode.com | - | High
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/199/credomap_v2-stealer-iocs/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -0,0 +1,59 @@
|
|||
# CrescentImp - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [CrescentImp](https://vuldb.com/?actor.crescentimp). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.crescentimp](https://vuldb.com/?actor.crescentimp)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with CrescentImp:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [IR](https://vuldb.com/?country.ir)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of CrescentImp.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [87.236.161.43](https://vuldb.com/?ip.87.236.161.43) | 87-236-161-43.digiturunc.com | - | High
|
||||
2 | [185.80.92.143](https://vuldb.com/?ip.185.80.92.143) | vps30215.alfahosting-vps.de | - | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _CrescentImp_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1505 | CWE-89 | SQL Injection | High
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by CrescentImp. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/category_view.php` | High
|
||||
2 | File | `breadcrumbs_create.php` | High
|
||||
3 | File | `shopping_cart.php` | High
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 2 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/334/crescentimp-malware-iocs/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -0,0 +1,53 @@
|
|||
# CuteBoi - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [CuteBoi](https://vuldb.com/?actor.cuteboi). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.cuteboi](https://vuldb.com/?actor.cuteboi)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with CuteBoi:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of CuteBoi.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [130.162.52.80](https://vuldb.com/?ip.130.162.52.80) | - | - | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _CuteBoi_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1505 | CWE-89 | SQL Injection | High
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by CuteBoi. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `read.php` | Medium
|
||||
2 | Argument | `TID` | Low
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/427/cuteboi-company-iocs/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -4,69 +4,58 @@ These _indicators_ were reported, collected, and generated during the [VulDB CTI
|
|||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.cyclops_blink](https://vuldb.com/?actor.cyclops_blink)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Cyclops Blink:
|
||||
|
||||
* [FR](https://vuldb.com/?country.fr)
|
||||
* [IT](https://vuldb.com/?country.it)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* ...
|
||||
|
||||
There are 2 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Cyclops Blink.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [2.230.110.137](https://vuldb.com/?ip.2.230.110.137) | - | - | High
|
||||
2 | [24.199.247.222](https://vuldb.com/?ip.24.199.247.222) | webmail.capefearclinic.org | - | High
|
||||
3 | [37.71.147.186](https://vuldb.com/?ip.37.71.147.186) | 186.147.71.37.rev.sfr.net | - | High
|
||||
4 | [37.99.163.162](https://vuldb.com/?ip.37.99.163.162) | 37.99.163-162.static.go.com.sa | - | High
|
||||
5 | [50.255.126.65](https://vuldb.com/?ip.50.255.126.65) | 50-255-126-65-static.hfc.comcastbusiness.net | - | High
|
||||
6 | ... | ... | ... | ...
|
||||
1 | [1.9.85.247](https://vuldb.com/?ip.1.9.85.247) | - | - | High
|
||||
2 | [1.9.85.248](https://vuldb.com/?ip.1.9.85.248) | - | - | High
|
||||
3 | [1.9.85.249](https://vuldb.com/?ip.1.9.85.249) | - | - | High
|
||||
4 | [1.9.85.252](https://vuldb.com/?ip.1.9.85.252) | - | - | High
|
||||
5 | [1.9.85.253](https://vuldb.com/?ip.1.9.85.253) | - | - | High
|
||||
6 | [1.9.85.254](https://vuldb.com/?ip.1.9.85.254) | - | - | High
|
||||
7 | [2.192.0.94](https://vuldb.com/?ip.2.192.0.94) | - | - | High
|
||||
8 | [2.192.1.120](https://vuldb.com/?ip.2.192.1.120) | - | - | High
|
||||
9 | [2.192.6.144](https://vuldb.com/?ip.2.192.6.144) | - | - | High
|
||||
10 | [2.192.7.244](https://vuldb.com/?ip.2.192.7.244) | - | - | High
|
||||
11 | [2.192.67.0](https://vuldb.com/?ip.2.192.67.0) | - | - | High
|
||||
12 | [2.192.71.115](https://vuldb.com/?ip.2.192.71.115) | - | - | High
|
||||
13 | [2.192.74.124](https://vuldb.com/?ip.2.192.74.124) | - | - | High
|
||||
14 | [2.229.24.16](https://vuldb.com/?ip.2.229.24.16) | 2-229-24-16.ip194.fastwebnet.it | - | High
|
||||
15 | [2.229.32.106](https://vuldb.com/?ip.2.229.32.106) | 2-229-32-106.ip194.fastwebnet.it | - | High
|
||||
16 | [2.230.110.137](https://vuldb.com/?ip.2.230.110.137) | - | - | High
|
||||
17 | [12.34.226.34](https://vuldb.com/?ip.12.34.226.34) | - | - | High
|
||||
18 | [12.172.90.242](https://vuldb.com/?ip.12.172.90.242) | - | - | High
|
||||
19 | [12.191.39.162](https://vuldb.com/?ip.12.191.39.162) | - | - | High
|
||||
20 | [12.191.39.163](https://vuldb.com/?ip.12.191.39.163) | - | - | High
|
||||
21 | [12.191.39.164](https://vuldb.com/?ip.12.191.39.164) | - | - | High
|
||||
22 | [12.191.39.165](https://vuldb.com/?ip.12.191.39.165) | - | - | High
|
||||
23 | [12.191.39.166](https://vuldb.com/?ip.12.191.39.166) | - | - | High
|
||||
24 | [24.39.220.218](https://vuldb.com/?ip.24.39.220.218) | rrcs-24-39-220-218.nys.biz.rr.com | - | High
|
||||
25 | [24.96.94.11](https://vuldb.com/?ip.24.96.94.11) | static-24-96-94-11.knology.net | - | High
|
||||
26 | [24.199.247.222](https://vuldb.com/?ip.24.199.247.222) | webmail.capefearclinic.org | - | High
|
||||
27 | [24.227.240.210](https://vuldb.com/?ip.24.227.240.210) | rrcs-24-227-240-210.sw.biz.rr.com | - | High
|
||||
28 | [24.227.240.211](https://vuldb.com/?ip.24.227.240.211) | rrcs-24-227-240-211.sw.biz.rr.com | - | High
|
||||
29 | [37.26.183.94](https://vuldb.com/?ip.37.26.183.94) | 37.26.183.94.not.updated.openip-cs.net | - | High
|
||||
30 | [37.71.147.186](https://vuldb.com/?ip.37.71.147.186) | 186.147.71.37.rev.sfr.net | - | High
|
||||
31 | [37.99.163.162](https://vuldb.com/?ip.37.99.163.162) | 37.99.163-162.static.go.com.sa | - | High
|
||||
32 | [37.99.163.163](https://vuldb.com/?ip.37.99.163.163) | - | - | High
|
||||
33 | [37.99.163.164](https://vuldb.com/?ip.37.99.163.164) | mail.ftl.com.sa | - | High
|
||||
34 | [37.99.163.165](https://vuldb.com/?ip.37.99.163.165) | 37.99.163-165.static.go.com.sa | - | High
|
||||
35 | [37.99.163.166](https://vuldb.com/?ip.37.99.163.166) | 37.99.163-166.static.go.com.sa | - | High
|
||||
36 | [41.142.240.197](https://vuldb.com/?ip.41.142.240.197) | - | - | High
|
||||
37 | [50.192.49.210](https://vuldb.com/?ip.50.192.49.210) | 50-192-49-210-static.hfc.comcastbusiness.net | - | High
|
||||
38 | ... | ... | ... | ...
|
||||
|
||||
There are 20 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Cyclops Blink_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-22, CWE-425 | Pathname Traversal | High
|
||||
2 | T1055 | CWE-74 | Injection | High
|
||||
3 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
4 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 14 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Cyclops Blink. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/doorgets/app/views/ajax/commentView.php` | High
|
||||
2 | File | `/etc/passwd` | Medium
|
||||
3 | File | `/tmp` | Low
|
||||
4 | File | `AbstractController.php` | High
|
||||
5 | File | `ActBar.ocx` | Medium
|
||||
6 | File | `add_ons.php` | Medium
|
||||
7 | File | `admin.comms.php` | High
|
||||
8 | File | `admin.php` | Medium
|
||||
9 | File | `admin/bad.php` | High
|
||||
10 | ... | ... | ...
|
||||
|
||||
There are 71 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 150 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/45/cyclops-blink-botnet-ioc/
|
||||
* https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf
|
||||
|
||||
## Literature
|
||||
|
|
|
@ -0,0 +1,77 @@
|
|||
# DarkCrystalRAT - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [DarkCrystalRAT](https://vuldb.com/?actor.darkcrystalrat). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.darkcrystalrat](https://vuldb.com/?actor.darkcrystalrat)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with DarkCrystalRAT:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [ES](https://vuldb.com/?country.es)
|
||||
* [RU](https://vuldb.com/?country.ru)
|
||||
* ...
|
||||
|
||||
There are 7 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of DarkCrystalRAT.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [31.7.58.82](https://vuldb.com/?ip.31.7.58.82) | no-rdns.offshorededicated.net | - | High
|
||||
2 | [103.27.202.127](https://vuldb.com/?ip.103.27.202.127) | 103-27-202-127.static.bangmod-idc.com | - | High
|
||||
3 | [203.96.191.70](https://vuldb.com/?ip.203.96.191.70) | - | - | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _DarkCrystalRAT_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 15 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by DarkCrystalRAT. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/backupsettings.conf` | High
|
||||
2 | File | `/export` | Low
|
||||
3 | File | `/horde/util/go.php` | High
|
||||
4 | File | `/show_news.php` | High
|
||||
5 | File | `/uncpath/` | Medium
|
||||
6 | File | `adclick.php` | Medium
|
||||
7 | File | `admin/dashboard.php` | High
|
||||
8 | File | `admin/index.php` | High
|
||||
9 | File | `admin/tools/dolibarr_export.php` | High
|
||||
10 | File | `adv_remotelog.asp` | High
|
||||
11 | ... | ... | ...
|
||||
|
||||
There are 85 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://cert.gov.ua/article/405538
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -34,12 +34,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
|
||||
3 | T1222 | CWE-275 | Permission Issues | High
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
3 | T1068 | CWE-264, CWE-269 | Execution with Unnecessary Privileges | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 1 more TTP items available. Please use our online service to access the data.
|
||||
There are 6 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
|
|
@ -0,0 +1,46 @@
|
|||
# DeadBolt - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [DeadBolt](https://vuldb.com/?actor.deadbolt). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.deadbolt](https://vuldb.com/?actor.deadbolt)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with DeadBolt:
|
||||
|
||||
* [SG](https://vuldb.com/?country.sg)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of DeadBolt.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [132.147.73.87](https://vuldb.com/?ip.132.147.73.87) | fnet87-f73-access.vqbn.com.sg | - | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _DeadBolt_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1055 | CWE-74 | Injection | High
|
||||
2 | T1592 | CWE-200 | Configuration | High
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/238/deadbolt-ransomware-iocs/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -10,10 +10,10 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
|
||||
* [IT](https://vuldb.com/?country.it)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* [FR](https://vuldb.com/?country.fr)
|
||||
* ...
|
||||
|
||||
There are 5 more country items available. Please use our online service to access the data.
|
||||
There are 6 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -76,7 +76,7 @@ ID | Type | Indicator | Confidence
|
|||
21 | File | `/mtms/admin/?page=user/manage_user` | High
|
||||
22 | ... | ... | ...
|
||||
|
||||
There are 182 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 181 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -30,7 +30,9 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
|
||||
1 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
|
||||
3 | T1202 | CWE-77 | Command Injection | High
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
|
|
@ -0,0 +1,68 @@
|
|||
# Earth Berberoka - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Earth Berberoka](https://vuldb.com/?actor.earth_berberoka). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.earth_berberoka](https://vuldb.com/?actor.earth_berberoka)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Earth Berberoka:
|
||||
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Earth Berberoka.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [42.200.181.116](https://vuldb.com/?ip.42.200.181.116) | 42-200-181-116.static.imsbiz.com | - | High
|
||||
2 | [45.76.199.119](https://vuldb.com/?ip.45.76.199.119) | 45.76.199.119.vultrusercontent.com | - | High
|
||||
3 | [45.77.22.215](https://vuldb.com/?ip.45.77.22.215) | 45.77.22.215.vultrusercontent.com | - | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 2 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Earth Berberoka_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
2 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
3 | T1068 | CWE-264, CWE-269, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 4 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Earth Berberoka. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/mgmt/tm/util/bash` | High
|
||||
2 | File | `/uncpath/` | Medium
|
||||
3 | File | `/usr/bin/at` | Medium
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 10 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/156/earth-berberoka-apt-iocs/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -10,7 +10,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
|
||||
* [VN](https://vuldb.com/?country.vn)
|
||||
* [ES](https://vuldb.com/?country.es)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* ...
|
||||
|
||||
There are 3 more country items available. Please use our online service to access the data.
|
||||
|
@ -446,11 +446,11 @@ ID | Technique | Weakness | Description | Confidence
|
|||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-21, CWE-22 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
4 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 16 more TTP items available. Please use our online service to access the data.
|
||||
There are 18 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -458,17 +458,23 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/addNotifyServlet` | High
|
||||
2 | File | `/edituser.php` | High
|
||||
3 | File | `/forum/away.php` | High
|
||||
4 | File | `/index.php/?p=report` | High
|
||||
5 | File | `/index.php?r=site%2Fsignup` | High
|
||||
6 | File | `/nav_bar_action.php` | High
|
||||
7 | File | `/pages/activity/activity.php` | High
|
||||
8 | File | `/pages/permit/permit.php` | High
|
||||
9 | ... | ... | ...
|
||||
1 | File | `/admin/operations/packages.php` | High
|
||||
2 | File | `/catcompany.php` | High
|
||||
3 | File | `/ECT_Provider/` | High
|
||||
4 | File | `/edituser.php` | High
|
||||
5 | File | `/IISADMPWD` | Medium
|
||||
6 | File | `/modules/projects/vw_files.php` | High
|
||||
7 | File | `/pages/permit/permit.php` | High
|
||||
8 | File | `/php_action/createUser.php` | High
|
||||
9 | File | `/products/view_product.php` | High
|
||||
10 | File | `/sistema/flash/reboot` | High
|
||||
11 | File | `/src/video/x11/SDL_x11yuv.c` | High
|
||||
12 | File | `/sys/ui/extend/varkind/custom.jsp` | High
|
||||
13 | File | `adclick.php` | Medium
|
||||
14 | File | `admin/conf_users_edit.php` | High
|
||||
15 | ... | ... | ...
|
||||
|
||||
There are 70 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 117 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -40,12 +40,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-250, CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1055 | CWE-74 | Injection | High
|
||||
3 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 1 more TTP items available. Please use our online service to access the data.
|
||||
There are 13 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -55,14 +55,14 @@ ID | Type | Indicator | Confidence
|
|||
-- | ---- | --------- | ----------
|
||||
1 | File | `/cgi-bin/luci/api/auth` | High
|
||||
2 | File | `/filemanager/upload.php` | High
|
||||
3 | File | `/usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php` | High
|
||||
4 | File | `/usr/local/WowzaStreamingEngine/bin/` | High
|
||||
5 | File | `/wp-json/oembed/1.0/embed?url` | High
|
||||
6 | File | `admin/modules/tools/ip_history_logs.php` | High
|
||||
7 | File | `api_poller.php` | High
|
||||
3 | File | `/resources//../` | High
|
||||
4 | File | `/usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php` | High
|
||||
5 | File | `/usr/local/WowzaStreamingEngine/bin/` | High
|
||||
6 | File | `/wp-json/oembed/1.0/embed?url` | High
|
||||
7 | File | `admin/modules/tools/ip_history_logs.php` | High
|
||||
8 | ... | ... | ...
|
||||
|
||||
There are 54 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 57 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -0,0 +1,61 @@
|
|||
# FFDroider - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [FFDroider](https://vuldb.com/?actor.ffdroider). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.ffdroider](https://vuldb.com/?actor.ffdroider)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FFDroider:
|
||||
|
||||
* [RU](https://vuldb.com/?country.ru)
|
||||
* [AR](https://vuldb.com/?country.ar)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of FFDroider.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [152.32.228.19](https://vuldb.com/?ip.152.32.228.19) | - | - | High
|
||||
2 | [186.2.171.17](https://vuldb.com/?ip.186.2.171.17) | ddos-guard.net | - | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _FFDroider_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
|
||||
3 | T1552 | CWE-522 | ASP.NET Misconfiguration: Password in Configuration File | High
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by FFDroider. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `cgi/config_user.cgi` | High
|
||||
2 | File | `cloudinit/config/cc_set_passwords.py` | High
|
||||
3 | File | `net/netfilter/nf_tables_api.c` | High
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 1 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/97/ffdroider-malware-ioc/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -20,7 +20,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
* [CN](https://vuldb.com/?country.cn)
|
||||
* ...
|
||||
|
||||
There are 16 more country items available. Please use our online service to access the data.
|
||||
There are 15 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -85,7 +85,8 @@ ID | Technique | Weakness | Description | Confidence
|
|||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
6 | ... | ... | ... | ...
|
||||
|
||||
There are 18 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
|
@ -131,7 +132,7 @@ ID | Type | Indicator | Confidence
|
|||
34 | File | `/proc/<PID>/mem` | High
|
||||
35 | ... | ... | ...
|
||||
|
||||
There are 298 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 297 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -0,0 +1,79 @@
|
|||
# FakeCrack - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [FakeCrack](https://vuldb.com/?actor.fakecrack). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.fakecrack](https://vuldb.com/?actor.fakecrack)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FakeCrack:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [TR](https://vuldb.com/?country.tr)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* ...
|
||||
|
||||
There are 1 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of FakeCrack.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [37.221.67.219](https://vuldb.com/?ip.37.221.67.219) | - | - | High
|
||||
2 | [45.135.134.211](https://vuldb.com/?ip.45.135.134.211) | mail.hhllk.cn | - | High
|
||||
3 | [45.140.146.169](https://vuldb.com/?ip.45.140.146.169) | - | - | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 4 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _FakeCrack_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-21, CWE-22 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 17 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by FakeCrack. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/acms/classes/Master.php?f=delete_cargo` | High
|
||||
2 | File | `/admin.php/news/admin/topic/save` | High
|
||||
3 | File | `/admin/comn/service/update.json` | High
|
||||
4 | File | `/api/files/` | Medium
|
||||
5 | File | `/dev/shm` | Medium
|
||||
6 | File | `/dl/dl_print.php` | High
|
||||
7 | File | `/getcfg.php` | Medium
|
||||
8 | File | `/ofcms/company-c-47` | High
|
||||
9 | File | `/util/print.c` | High
|
||||
10 | ... | ... | ...
|
||||
|
||||
There are 77 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/324/fakecrack-iocs/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -45,7 +45,7 @@ ID | Type | Indicator | Confidence
|
|||
4 | File | `/system?action=ServiceAdmin` | High
|
||||
5 | ... | ... | ...
|
||||
|
||||
There are 32 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 34 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -0,0 +1,53 @@
|
|||
# FatalRAT - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [FatalRAT](https://vuldb.com/?actor.fatalrat). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.fatalrat](https://vuldb.com/?actor.fatalrat)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FatalRAT:
|
||||
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of FatalRAT.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [144.48.243.79](https://vuldb.com/?ip.144.48.243.79) | - | - | High
|
||||
2 | [156.226.173.202](https://vuldb.com/?ip.156.226.173.202) | - | - | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _FatalRAT_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1608.002 | CWE-434 | Unrestricted Upload | High
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by FatalRAT. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `web/jquery/uploader/uploadify.php` | High
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/66/fatalrat-backdoor-ioc/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -0,0 +1,77 @@
|
|||
# Fileless - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Fileless](https://vuldb.com/?actor.fileless). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.fileless](https://vuldb.com/?actor.fileless)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Fileless:
|
||||
|
||||
* [IS](https://vuldb.com/?country.is)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [DE](https://vuldb.com/?country.de)
|
||||
* ...
|
||||
|
||||
There are 1 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Fileless.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [93.95.228.97](https://vuldb.com/?ip.93.95.228.97) | timestechnologies.org | - | High
|
||||
2 | [162.0.224.144](https://vuldb.com/?ip.162.0.224.144) | people-role.quarantine-pnap-vlan51.web-hosting.com | - | High
|
||||
3 | [178.79.176.1](https://vuldb.com/?ip.178.79.176.1) | gw-li345.linode.com | - | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 3 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Fileless_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1055 | CWE-74 | Injection | High
|
||||
3 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
4 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 14 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Fileless. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/acms/classes/Master.php?f=delete_cargo` | High
|
||||
2 | File | `/domains/list` | High
|
||||
3 | File | `/sbin` | Low
|
||||
4 | File | `/sbin/orthrus` | High
|
||||
5 | File | `/sbin/rtspd` | Medium
|
||||
6 | File | `/var/www/video/mp4ts` | High
|
||||
7 | File | `admin/listMailConfiguration` | High
|
||||
8 | ... | ... | ...
|
||||
|
||||
There are 61 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/180/fileless-malware-iocs/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -87,7 +87,7 @@ ID | Type | Indicator | Confidence
|
|||
9 | File | `/uncpath/` | Medium
|
||||
10 | ... | ... | ...
|
||||
|
||||
There are 70 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 71 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -46,12 +46,13 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/admin/dl_sendmail.php` | High
|
||||
2 | File | `application/modules/admin/views/ecommerce/products.php` | High
|
||||
3 | File | `base/ErrorHandler.php` | High
|
||||
4 | File | `blog.php` | Medium
|
||||
5 | ... | ... | ...
|
||||
2 | File | `/spip.php` | Medium
|
||||
3 | File | `application/modules/admin/views/ecommerce/products.php` | High
|
||||
4 | File | `base/ErrorHandler.php` | High
|
||||
5 | File | `blog.php` | Medium
|
||||
6 | ... | ... | ...
|
||||
|
||||
There are 34 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 39 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -0,0 +1,32 @@
|
|||
# GoldBackdoor - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [GoldBackdoor](https://vuldb.com/?actor.goldbackdoor). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.goldbackdoor](https://vuldb.com/?actor.goldbackdoor)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of GoldBackdoor.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [13.107.42.12](https://vuldb.com/?ip.13.107.42.12) | 1drv.ms | - | High
|
||||
2 | [131.107.255.255](https://vuldb.com/?ip.131.107.255.255) | dns.msftncsi.com | - | High
|
||||
3 | [142.93.201.77](https://vuldb.com/?ip.142.93.201.77) | - | - | High
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/144/goldbackdoor-backdoor-iocs/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -30,12 +30,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
3 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 1 more TTP items available. Please use our online service to access the data.
|
||||
There are 9 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
|
|
@ -80,35 +80,34 @@ ID | Type | Indicator | Confidence
|
|||
6 | File | `/forum/away.php` | High
|
||||
7 | File | `/images/` | Medium
|
||||
8 | File | `/inc/extensions.php` | High
|
||||
9 | File | `/inc/parser/xhtml.php` | High
|
||||
10 | File | `/lists/index.php` | High
|
||||
11 | File | `/login` | Low
|
||||
12 | File | `/modules/profile/index.php` | High
|
||||
13 | File | `/nova/bin/console` | High
|
||||
14 | File | `/objects/getImageMP4.php` | High
|
||||
15 | File | `/one_church/userregister.php` | High
|
||||
16 | File | `/out.php` | Medium
|
||||
17 | File | `/owa/auth/logon.aspx` | High
|
||||
18 | File | `/public/plugins/` | High
|
||||
19 | File | `/replication` | Medium
|
||||
20 | File | `/req_password_user.php` | High
|
||||
21 | File | `/SAP_Information_System/controllers/add_admin.php` | High
|
||||
22 | File | `/SASWebReportStudio/logonAndRender.do` | High
|
||||
23 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
24 | File | `/secure/admin/ViewInstrumentation.jspa` | High
|
||||
25 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
26 | File | `/SSOPOST/metaAlias/%realm%/idpv2` | High
|
||||
27 | File | `/trx_addons/v2/get/sc_layout` | High
|
||||
28 | File | `/uncpath/` | Medium
|
||||
29 | File | `/usr/syno/etc/mount.conf` | High
|
||||
30 | File | `/v2/quantum/save-data-upload-big-file` | High
|
||||
31 | File | `/WEB-INF/web.xml` | High
|
||||
32 | File | `/web/entry/en/address/adrsSetUserWizard.cgi` | High
|
||||
33 | File | `/wp-json/oembed/1.0/embed?url` | High
|
||||
34 | File | `4.edu.php` | Medium
|
||||
35 | ... | ... | ...
|
||||
9 | File | `/lists/index.php` | High
|
||||
10 | File | `/login` | Low
|
||||
11 | File | `/modules/profile/index.php` | High
|
||||
12 | File | `/nova/bin/console` | High
|
||||
13 | File | `/objects/getImageMP4.php` | High
|
||||
14 | File | `/one_church/userregister.php` | High
|
||||
15 | File | `/out.php` | Medium
|
||||
16 | File | `/owa/auth/logon.aspx` | High
|
||||
17 | File | `/public/plugins/` | High
|
||||
18 | File | `/replication` | Medium
|
||||
19 | File | `/req_password_user.php` | High
|
||||
20 | File | `/SAP_Information_System/controllers/add_admin.php` | High
|
||||
21 | File | `/SASWebReportStudio/logonAndRender.do` | High
|
||||
22 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
23 | File | `/secure/admin/ViewInstrumentation.jspa` | High
|
||||
24 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
25 | File | `/SSOPOST/metaAlias/%realm%/idpv2` | High
|
||||
26 | File | `/trx_addons/v2/get/sc_layout` | High
|
||||
27 | File | `/uncpath/` | Medium
|
||||
28 | File | `/usr/syno/etc/mount.conf` | High
|
||||
29 | File | `/v2/quantum/save-data-upload-big-file` | High
|
||||
30 | File | `/WEB-INF/web.xml` | High
|
||||
31 | File | `/web/entry/en/address/adrsSetUserWizard.cgi` | High
|
||||
32 | File | `/wp-json/oembed/1.0/embed?url` | High
|
||||
33 | File | `4.edu.php` | Medium
|
||||
34 | ... | ... | ...
|
||||
|
||||
There are 301 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 288 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -0,0 +1,30 @@
|
|||
# HavanaCrypt - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [HavanaCrypt](https://vuldb.com/?actor.havanacrypt). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.havanacrypt](https://vuldb.com/?actor.havanacrypt)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of HavanaCrypt.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [20.227.128.33](https://vuldb.com/?ip.20.227.128.33) | - | - | High
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/437/havanacrypt-ransomware-iocs/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -0,0 +1,60 @@
|
|||
# Hermit - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Hermit](https://vuldb.com/?actor.hermit). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.hermit](https://vuldb.com/?actor.hermit)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Hermit:
|
||||
|
||||
* [IT](https://vuldb.com/?country.it)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Hermit.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [2.228.150.86](https://vuldb.com/?ip.2.228.150.86) | 2-228-150-86.ip192.fastwebnet.it | - | High
|
||||
2 | [2.229.68.182](https://vuldb.com/?ip.2.229.68.182) | 2-229-68-182.ip195.fastwebnet.it | - | High
|
||||
3 | [45.148.30.122](https://vuldb.com/?ip.45.148.30.122) | - | - | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 1 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Hermit_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-80 | Cross Site Scripting | High
|
||||
2 | T1592 | CWE-200 | Configuration | High
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Hermit. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/admin/template.php` | High
|
||||
2 | Argument | `Password` | Medium
|
||||
3 | Argument | `title` | Low
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/380/hermit-spyware-iocs/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -14,8 +14,8 @@ The following _campaigns_ are known and can be associated with Inception:
|
|||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Inception:
|
||||
|
||||
* [ES](https://vuldb.com/?country.es)
|
||||
* [AR](https://vuldb.com/?country.ar)
|
||||
* [ES](https://vuldb.com/?country.es)
|
||||
* [PL](https://vuldb.com/?country.pl)
|
||||
* ...
|
||||
|
||||
|
@ -92,9 +92,12 @@ ID | Type | Indicator | Confidence
|
|||
35 | File | `/mcategory.php` | High
|
||||
36 | File | `/modules/tasks/gantt.php` | High
|
||||
37 | File | `/odfs/classes/Master.php?f=delete_team` | High
|
||||
38 | ... | ... | ...
|
||||
38 | File | `/ofrs/admin/requests/take_action.php` | High
|
||||
39 | File | `/otps/classes/Master.php` | High
|
||||
40 | File | `/pms/admin/actions/view_action.php` | High
|
||||
41 | ... | ... | ...
|
||||
|
||||
There are 325 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 354 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -0,0 +1,30 @@
|
|||
# Jester - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Jester](https://vuldb.com/?actor.jester). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.jester](https://vuldb.com/?actor.jester)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Jester.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [157.112.183.47](https://vuldb.com/?ip.157.112.183.47) | sv5206.xserver.jp | - | High
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/198/jester-stealer-iocs/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -24,7 +24,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
* [NZ](https://vuldb.com/?country.nz)
|
||||
* ...
|
||||
|
||||
There are 9 more country items available. Please use our online service to access the data.
|
||||
There are 16 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -137,12 +137,13 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-24 | Pathname Traversal | High
|
||||
2 | T1055 | CWE-74 | Injection | High
|
||||
3 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
|
||||
4 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 8 more TTP items available. Please use our online service to access the data.
|
||||
There are 17 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -153,51 +154,49 @@ ID | Type | Indicator | Confidence
|
|||
1 | File | `.htaccess` | Medium
|
||||
2 | File | `/#/CampaignManager/users` | High
|
||||
3 | File | `/admin/admin_login.php` | High
|
||||
4 | File | `/admin/login.php` | High
|
||||
5 | File | `/bin/sh` | Low
|
||||
6 | File | `/cgi-bin/supervisor/CloudSetup.cgi` | High
|
||||
7 | File | `/Content/Template/root/reverse-shell.aspx` | High
|
||||
8 | File | `/data/vendor/tcl` | High
|
||||
9 | File | `/debug/pprof` | Medium
|
||||
10 | File | `/dev/tty` | Medium
|
||||
11 | File | `/doorgets/app/requests/user/modulecategoryRequest.php` | High
|
||||
12 | File | `/gaia-job-admin/user/add` | High
|
||||
13 | File | `/goforms/rlminfo` | High
|
||||
14 | File | `/HNAP1` | Low
|
||||
15 | File | `/login` | Low
|
||||
16 | File | `/login.html` | Medium
|
||||
17 | File | `/magnoliaPublic/travel/members/login.html` | High
|
||||
18 | File | `/member/index/login.html` | High
|
||||
19 | File | `/mgmt/tm/util/bash` | High
|
||||
20 | File | `/ocwbs/admin/?page=user/manage_user` | High
|
||||
21 | File | `/ofrs/admin/?page=user/manage_user` | High
|
||||
22 | File | `/product.php` | Medium
|
||||
23 | File | `/rdms/admin/?page=user/manage_user` | High
|
||||
24 | File | `/requests.php` | High
|
||||
25 | File | `/saml/login` | Medium
|
||||
26 | File | `/ScadaBR/login.htm` | High
|
||||
27 | File | `/uncpath/` | Medium
|
||||
28 | File | `/upload` | Low
|
||||
29 | File | `/var/adm/btmp` | High
|
||||
30 | File | `/vloggers_merch/?p=view_product` | High
|
||||
31 | File | `/wp-admin/admin-ajax.php` | High
|
||||
32 | File | `/wp-json` | Medium
|
||||
33 | File | `5.2.9\syscrb.exe` | High
|
||||
34 | File | `account/login.php` | High
|
||||
35 | File | `ad/login.asp` | Medium
|
||||
36 | File | `admin.inc.php` | High
|
||||
37 | File | `admin/admin_ping.php` | High
|
||||
38 | File | `admin/conf_users_edit.php` | High
|
||||
39 | File | `admin/index.php` | High
|
||||
40 | File | `admin/login.asp` | High
|
||||
41 | File | `admin/login.php` | High
|
||||
42 | File | `admin/nos/login` | High
|
||||
43 | File | `admin/viewtheatre.php` | High
|
||||
44 | File | `agenda.php3` | Medium
|
||||
45 | File | `ajaxp.php` | Medium
|
||||
46 | ... | ... | ...
|
||||
4 | File | `/api/user/{ID}` | High
|
||||
5 | File | `/app/options.py` | High
|
||||
6 | File | `/ci_spms/admin/category` | High
|
||||
7 | File | `/ci_spms/admin/search/searching/` | High
|
||||
8 | File | `/classes/Master.php?f=delete_train` | High
|
||||
9 | File | `/Content/Template/root/reverse-shell.aspx` | High
|
||||
10 | File | `/dashboard/menu-list.php` | High
|
||||
11 | File | `/data/vendor/tcl` | High
|
||||
12 | File | `/debug/pprof` | Medium
|
||||
13 | File | `/dev/tty` | Medium
|
||||
14 | File | `/ffos/classes/Master.php?f=save_category` | High
|
||||
15 | File | `/gaia-job-admin/user/add` | High
|
||||
16 | File | `/goforms/rlminfo` | High
|
||||
17 | File | `/HNAP1` | Low
|
||||
18 | File | `/Items/*/RemoteImages/Download` | High
|
||||
19 | File | `/login` | Low
|
||||
20 | File | `/member/index/login.html` | High
|
||||
21 | File | `/mgmt/tm/util/bash` | High
|
||||
22 | File | `/ocwbs/admin/?page=user/manage_user` | High
|
||||
23 | File | `/ofrs/admin/?page=user/manage_user` | High
|
||||
24 | File | `/p1/p2/:name` | Medium
|
||||
25 | File | `/product.php` | Medium
|
||||
26 | File | `/rdms/admin/?page=user/manage_user` | High
|
||||
27 | File | `/requests.php` | High
|
||||
28 | File | `/saml/login` | Medium
|
||||
29 | File | `/ScadaBR/login.htm` | High
|
||||
30 | File | `/spip.php` | Medium
|
||||
31 | File | `/uncpath/` | Medium
|
||||
32 | File | `/upload` | Low
|
||||
33 | File | `/var/adm/btmp` | High
|
||||
34 | File | `/vloggers_merch/?p=view_product` | High
|
||||
35 | File | `/wp-admin/admin-ajax.php` | High
|
||||
36 | File | `account/login.php` | High
|
||||
37 | File | `ad/login.asp` | Medium
|
||||
38 | File | `admin.inc.php` | High
|
||||
39 | File | `admin.php` | Medium
|
||||
40 | File | `admin/admin_ping.php` | High
|
||||
41 | File | `admin/conf_users_edit.php` | High
|
||||
42 | File | `admin/index.php` | High
|
||||
43 | File | `admin/login.php` | High
|
||||
44 | ... | ... | ...
|
||||
|
||||
There are 399 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 377 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -22,10 +22,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
|
||||
* [VN](https://vuldb.com/?country.vn)
|
||||
* [IN](https://vuldb.com/?country.in)
|
||||
* [GB](https://vuldb.com/?country.gb)
|
||||
* ...
|
||||
|
||||
There are 4 more country items available. Please use our online service to access the data.
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -99,128 +96,129 @@ ID | IP address | Hostname | Campaign | Confidence
|
|||
64 | [5.200.191.104](https://vuldb.com/?ip.5.200.191.104) | - | Hidden Cobra | High
|
||||
65 | [5.200.198.10](https://vuldb.com/?ip.5.200.198.10) | - | Hidden Cobra | High
|
||||
66 | [5.200.202.99](https://vuldb.com/?ip.5.200.202.99) | - | Hidden Cobra | High
|
||||
67 | [14.102.46.3](https://vuldb.com/?ip.14.102.46.3) | - | Volgmer | High
|
||||
68 | [14.139.125.214](https://vuldb.com/?ip.14.139.125.214) | - | Volgmer | High
|
||||
69 | [14.140.123.179](https://vuldb.com/?ip.14.140.123.179) | 14.140.123.179.static-pune-vsnl.net.in | Hidden Cobra | High
|
||||
70 | [14.141.27.100](https://vuldb.com/?ip.14.141.27.100) | 14.141.26.100.static-Mumbai.vsnl.net.in | Hidden Cobra | High
|
||||
71 | [14.141.129.116](https://vuldb.com/?ip.14.141.129.116) | 14.141.129.116.static-Delhi.vsnl.net.in | Volgmer | High
|
||||
72 | [14.149.149.211](https://vuldb.com/?ip.14.149.149.211) | - | Hidden Cobra | High
|
||||
73 | [21.252.107.198](https://vuldb.com/?ip.21.252.107.198) | - | Hoplight | High
|
||||
74 | [23.81.246.131](https://vuldb.com/?ip.23.81.246.131) | - | South Korea | High
|
||||
75 | [23.152.0.232](https://vuldb.com/?ip.23.152.0.232) | betrp-basisto.seemband.com | - | High
|
||||
76 | [26.165.218.44](https://vuldb.com/?ip.26.165.218.44) | - | Hoplight | High
|
||||
77 | [27.96.110.130](https://vuldb.com/?ip.27.96.110.130) | 130.110.96.27.static.m1net.com.sg | Hidden Cobra | High
|
||||
78 | [27.114.187.37](https://vuldb.com/?ip.27.114.187.37) | - | Volgmer | High
|
||||
79 | [27.123.221.66](https://vuldb.com/?ip.27.123.221.66) | 66-221.fiber.net.id | Fallchill | High
|
||||
80 | [27.125.35.229](https://vuldb.com/?ip.27.125.35.229) | - | Hidden Cobra | High
|
||||
81 | [31.47.47.130](https://vuldb.com/?ip.31.47.47.130) | - | Hidden Cobra | High
|
||||
82 | [31.54.73.156](https://vuldb.com/?ip.31.54.73.156) | host31-54-73-156.range31-54.btcentralplus.com | Hidden Cobra | High
|
||||
83 | [31.54.74.176](https://vuldb.com/?ip.31.54.74.176) | host31-54-74-176.range31-54.btcentralplus.com | Hidden Cobra | High
|
||||
84 | [31.146.82.22](https://vuldb.com/?ip.31.146.82.22) | 31-146-82-22.dsl.utg.ge | Volgmer | High
|
||||
85 | [31.146.136.6](https://vuldb.com/?ip.31.146.136.6) | 31-146-136-6.dsl.utg.ge | Hidden Cobra | High
|
||||
86 | [31.168.203.44](https://vuldb.com/?ip.31.168.203.44) | bzq-203-168-31-44.red.bezeqint.net | Hidden Cobra | High
|
||||
87 | [36.71.90.4](https://vuldb.com/?ip.36.71.90.4) | - | Fallchill | High
|
||||
88 | [37.34.240.177](https://vuldb.com/?ip.37.34.240.177) | - | Hidden Cobra | High
|
||||
89 | [37.48.106.69](https://vuldb.com/?ip.37.48.106.69) | high-convey.blockother.com | Hidden Cobra | High
|
||||
90 | [37.71.50.2](https://vuldb.com/?ip.37.71.50.2) | 2.50.71.37.rev.sfr.net | Hidden Cobra | High
|
||||
91 | [37.75.0.98](https://vuldb.com/?ip.37.75.0.98) | - | Hidden Cobra | High
|
||||
92 | [37.75.2.203](https://vuldb.com/?ip.37.75.2.203) | - | Hidden Cobra | High
|
||||
93 | [37.75.10.194](https://vuldb.com/?ip.37.75.10.194) | mail.kplus.com.tr | Hidden Cobra | High
|
||||
94 | [37.75.11.162](https://vuldb.com/?ip.37.75.11.162) | 37-75-11-162.rdns.saglayici.net | Hidden Cobra | High
|
||||
95 | [37.98.114.90](https://vuldb.com/?ip.37.98.114.90) | 90.mobinnet.net | Volgmer | High
|
||||
96 | [37.104.24.220](https://vuldb.com/?ip.37.104.24.220) | - | Hidden Cobra | High
|
||||
97 | [37.104.50.144](https://vuldb.com/?ip.37.104.50.144) | - | Hidden Cobra | High
|
||||
98 | [37.104.67.33](https://vuldb.com/?ip.37.104.67.33) | - | Hidden Cobra | High
|
||||
99 | [37.105.234.200](https://vuldb.com/?ip.37.105.234.200) | - | Hidden Cobra | High
|
||||
100 | [37.106.115.3](https://vuldb.com/?ip.37.106.115.3) | - | Hidden Cobra | High
|
||||
101 | [37.143.29.10](https://vuldb.com/?ip.37.143.29.10) | - | Hidden Cobra | High
|
||||
102 | [37.148.209.156](https://vuldb.com/?ip.37.148.209.156) | 37-148-209-156.cizgi.net.tr | Hidden Cobra | High
|
||||
103 | [37.216.67.155](https://vuldb.com/?ip.37.216.67.155) | - | Volgmer | High
|
||||
104 | [37.216.213.70](https://vuldb.com/?ip.37.216.213.70) | - | Hidden Cobra | High
|
||||
105 | [37.235.21.166](https://vuldb.com/?ip.37.235.21.166) | - | Volgmer | High
|
||||
106 | [37.238.135.70](https://vuldb.com/?ip.37.238.135.70) | - | - | High
|
||||
107 | [38.132.124.161](https://vuldb.com/?ip.38.132.124.161) | - | TraderTraitor | High
|
||||
108 | [41.57.108.68](https://vuldb.com/?ip.41.57.108.68) | - | Hidden Cobra | High
|
||||
109 | [41.67.136.38](https://vuldb.com/?ip.41.67.136.38) | netcomafrica.com | Hidden Cobra | High
|
||||
110 | [41.67.136.39](https://vuldb.com/?ip.41.67.136.39) | netcomafrica.com | Hidden Cobra | High
|
||||
111 | [41.72.99.5](https://vuldb.com/?ip.41.72.99.5) | - | Hidden Cobra | High
|
||||
112 | [41.72.101.138](https://vuldb.com/?ip.41.72.101.138) | - | Hidden Cobra | High
|
||||
113 | [41.74.166.253](https://vuldb.com/?ip.41.74.166.253) | - | Hidden Cobra | High
|
||||
114 | [41.92.208.194](https://vuldb.com/?ip.41.92.208.194) | - | Fallchill | High
|
||||
115 | [41.92.208.196](https://vuldb.com/?ip.41.92.208.196) | - | Fallchill | High
|
||||
116 | [41.92.208.197](https://vuldb.com/?ip.41.92.208.197) | - | Fallchill | High
|
||||
117 | [41.110.179.197](https://vuldb.com/?ip.41.110.179.197) | - | Hidden Cobra | High
|
||||
118 | [41.128.226.60](https://vuldb.com/?ip.41.128.226.60) | - | Hidden Cobra | High
|
||||
119 | [41.131.49.228](https://vuldb.com/?ip.41.131.49.228) | host-41-131-49-228.static.link.com.eg | Hidden Cobra | High
|
||||
120 | [41.131.164.156](https://vuldb.com/?ip.41.131.164.156) | - | Hidden Cobra | High
|
||||
121 | [41.134.208.234](https://vuldb.com/?ip.41.134.208.234) | 41-134-208-234.dsl.mweb.co.za | Hidden Cobra | High
|
||||
122 | [41.182.252.56](https://vuldb.com/?ip.41.182.252.56) | ADSL-41-182-252-56.ipb.na | Hidden Cobra | High
|
||||
123 | [41.205.139.34](https://vuldb.com/?ip.41.205.139.34) | ADSL-41-205-139-34.ipb.na | Hidden Cobra | High
|
||||
124 | [41.208.106.68](https://vuldb.com/?ip.41.208.106.68) | owa.altaqnya.com.ly | Hidden Cobra | High
|
||||
125 | [41.208.106.70](https://vuldb.com/?ip.41.208.106.70) | dc1.Mail.dsmhlc.ly | Hidden Cobra | High
|
||||
126 | [41.215.250.40](https://vuldb.com/?ip.41.215.250.40) | - | Hidden Cobra | High
|
||||
127 | [41.223.30.20](https://vuldb.com/?ip.41.223.30.20) | host30-20.creolink.com | Hidden Cobra | High
|
||||
128 | [41.224.254.90](https://vuldb.com/?ip.41.224.254.90) | - | Hidden Cobra | High
|
||||
129 | [43.249.216.6](https://vuldb.com/?ip.43.249.216.6) | - | Volgmer | High
|
||||
130 | [45.33.2.79](https://vuldb.com/?ip.45.33.2.79) | li956-79.members.linode.com | AppleJeus | High
|
||||
131 | [45.33.23.183](https://vuldb.com/?ip.45.33.23.183) | li977-183.members.linode.com | AppleJeus | High
|
||||
132 | [45.56.79.23](https://vuldb.com/?ip.45.56.79.23) | li929-23.members.linode.com | AppleJeus | High
|
||||
133 | [45.79.19.196](https://vuldb.com/?ip.45.79.19.196) | li1118-196.members.linode.com | AppleJeus | High
|
||||
134 | [45.118.34.215](https://vuldb.com/?ip.45.118.34.215) | - | Volgmer | High
|
||||
135 | [45.120.61.145](https://vuldb.com/?ip.45.120.61.145) | - | Hidden Cobra | High
|
||||
136 | [45.124.169.36](https://vuldb.com/?ip.45.124.169.36) | - | Volgmer | High
|
||||
137 | [45.199.63.220](https://vuldb.com/?ip.45.199.63.220) | - | AppleJeus | High
|
||||
138 | [46.16.62.238](https://vuldb.com/?ip.46.16.62.238) | fnadh-35.srv.cat | TraderTraitor | High
|
||||
139 | [46.19.101.186](https://vuldb.com/?ip.46.19.101.186) | ip-46-19-101-186.gnc.net | Hidden Cobra | High
|
||||
140 | [46.21.147.161](https://vuldb.com/?ip.46.21.147.161) | 46-21-147-161.static.hvvc.us | - | High
|
||||
141 | [46.52.131.102](https://vuldb.com/?ip.46.52.131.102) | - | Hidden Cobra | High
|
||||
142 | [46.121.242.180](https://vuldb.com/?ip.46.121.242.180) | 46-121-242-180.static.012.net.il | Hidden Cobra | High
|
||||
143 | [46.174.116.60](https://vuldb.com/?ip.46.174.116.60) | - | Hidden Cobra | High
|
||||
144 | [46.174.116.87](https://vuldb.com/?ip.46.174.116.87) | - | Hidden Cobra | High
|
||||
145 | [46.174.116.90](https://vuldb.com/?ip.46.174.116.90) | - | Hidden Cobra | High
|
||||
146 | [46.174.116.99](https://vuldb.com/?ip.46.174.116.99) | - | Hidden Cobra | High
|
||||
147 | [46.174.116.221](https://vuldb.com/?ip.46.174.116.221) | - | Hidden Cobra | High
|
||||
148 | [46.174.116.231](https://vuldb.com/?ip.46.174.116.231) | - | Hidden Cobra | High
|
||||
149 | [46.174.116.234](https://vuldb.com/?ip.46.174.116.234) | - | Hidden Cobra | High
|
||||
150 | [46.174.117.15](https://vuldb.com/?ip.46.174.117.15) | - | Hidden Cobra | High
|
||||
151 | [46.174.117.32](https://vuldb.com/?ip.46.174.117.32) | - | Hidden Cobra | High
|
||||
152 | [46.174.117.36](https://vuldb.com/?ip.46.174.117.36) | - | Hidden Cobra | High
|
||||
153 | [46.174.117.42](https://vuldb.com/?ip.46.174.117.42) | - | Hidden Cobra | High
|
||||
154 | [46.174.117.44](https://vuldb.com/?ip.46.174.117.44) | - | Hidden Cobra | High
|
||||
155 | [46.174.117.50](https://vuldb.com/?ip.46.174.117.50) | - | Hidden Cobra | High
|
||||
156 | [46.174.117.61](https://vuldb.com/?ip.46.174.117.61) | - | Hidden Cobra | High
|
||||
157 | [46.174.117.77](https://vuldb.com/?ip.46.174.117.77) | - | Hidden Cobra | High
|
||||
158 | [46.174.117.80](https://vuldb.com/?ip.46.174.117.80) | - | Hidden Cobra | High
|
||||
159 | [46.174.117.97](https://vuldb.com/?ip.46.174.117.97) | - | Hidden Cobra | High
|
||||
160 | [46.174.117.98](https://vuldb.com/?ip.46.174.117.98) | - | Hidden Cobra | High
|
||||
161 | [46.174.117.103](https://vuldb.com/?ip.46.174.117.103) | - | Hidden Cobra | High
|
||||
162 | [46.174.117.116](https://vuldb.com/?ip.46.174.117.116) | - | Hidden Cobra | High
|
||||
163 | [46.174.117.121](https://vuldb.com/?ip.46.174.117.121) | - | Hidden Cobra | High
|
||||
164 | [46.174.117.129](https://vuldb.com/?ip.46.174.117.129) | - | Hidden Cobra | High
|
||||
165 | [46.174.117.134](https://vuldb.com/?ip.46.174.117.134) | - | Hidden Cobra | High
|
||||
166 | [46.174.117.153](https://vuldb.com/?ip.46.174.117.153) | - | Hidden Cobra | High
|
||||
167 | [46.174.117.164](https://vuldb.com/?ip.46.174.117.164) | - | Hidden Cobra | High
|
||||
168 | [46.218.127.110](https://vuldb.com/?ip.46.218.127.110) | reverse.completel.fr | Hidden Cobra | High
|
||||
169 | [47.206.4.145](https://vuldb.com/?ip.47.206.4.145) | static-47-206-4-145.srst.fl.frontiernet.net | Hoplight | High
|
||||
170 | [49.206.1.61](https://vuldb.com/?ip.49.206.1.61) | 49.206.1.61.actcorp.in | Hidden Cobra | High
|
||||
171 | [49.247.9.177](https://vuldb.com/?ip.49.247.9.177) | - | - | High
|
||||
172 | [50.62.168.157](https://vuldb.com/?ip.50.62.168.157) | p3nwvpweb145.shr.prod.phx3.secureserver.net | Fallchill | High
|
||||
173 | [50.87.144.227](https://vuldb.com/?ip.50.87.144.227) | somethingaboutmarketing.com | - | High
|
||||
174 | [51.235.1.216](https://vuldb.com/?ip.51.235.1.216) | - | Hidden Cobra | High
|
||||
175 | [51.235.13.162](https://vuldb.com/?ip.51.235.13.162) | - | Hidden Cobra | High
|
||||
176 | [51.235.17.133](https://vuldb.com/?ip.51.235.17.133) | - | Hidden Cobra | High
|
||||
177 | [51.235.19.202](https://vuldb.com/?ip.51.235.19.202) | - | Hidden Cobra | High
|
||||
178 | [51.235.33.226](https://vuldb.com/?ip.51.235.33.226) | - | Hidden Cobra | High
|
||||
179 | [51.235.49.202](https://vuldb.com/?ip.51.235.49.202) | - | Hidden Cobra | High
|
||||
180 | [52.79.118.195](https://vuldb.com/?ip.52.79.118.195) | ec2-52-79-118-195.ap-northeast-2.compute.amazonaws.com | Chemical Sector | Medium
|
||||
181 | [54.64.30.175](https://vuldb.com/?ip.54.64.30.175) | vega.mh-tec.co.jp | - | High
|
||||
182 | [58.82.155.98](https://vuldb.com/?ip.58.82.155.98) | 98.155.82.58.static-corp.jastel.co.th | Volgmer | High
|
||||
183 | [58.185.197.210](https://vuldb.com/?ip.58.185.197.210) | - | Volgmer | High
|
||||
184 | [59.8.194.228](https://vuldb.com/?ip.59.8.194.228) | - | - | High
|
||||
185 | [59.90.93.97](https://vuldb.com/?ip.59.90.93.97) | static.bb.knl.59.90.93.97.bsnl.in | Typeframe | High
|
||||
186 | ... | ... | ... | ...
|
||||
67 | [13.88.245.250](https://vuldb.com/?ip.13.88.245.250) | - | - | High
|
||||
68 | [14.102.46.3](https://vuldb.com/?ip.14.102.46.3) | - | Volgmer | High
|
||||
69 | [14.139.125.214](https://vuldb.com/?ip.14.139.125.214) | - | Volgmer | High
|
||||
70 | [14.140.123.179](https://vuldb.com/?ip.14.140.123.179) | 14.140.123.179.static-pune-vsnl.net.in | Hidden Cobra | High
|
||||
71 | [14.141.27.100](https://vuldb.com/?ip.14.141.27.100) | 14.141.26.100.static-Mumbai.vsnl.net.in | Hidden Cobra | High
|
||||
72 | [14.141.129.116](https://vuldb.com/?ip.14.141.129.116) | 14.141.129.116.static-Delhi.vsnl.net.in | Volgmer | High
|
||||
73 | [14.149.149.211](https://vuldb.com/?ip.14.149.149.211) | - | Hidden Cobra | High
|
||||
74 | [21.252.107.198](https://vuldb.com/?ip.21.252.107.198) | - | Hoplight | High
|
||||
75 | [23.81.246.131](https://vuldb.com/?ip.23.81.246.131) | - | South Korea | High
|
||||
76 | [23.152.0.232](https://vuldb.com/?ip.23.152.0.232) | betrp-basisto.seemband.com | - | High
|
||||
77 | [26.165.218.44](https://vuldb.com/?ip.26.165.218.44) | - | Hoplight | High
|
||||
78 | [27.96.110.130](https://vuldb.com/?ip.27.96.110.130) | 130.110.96.27.static.m1net.com.sg | Hidden Cobra | High
|
||||
79 | [27.114.187.37](https://vuldb.com/?ip.27.114.187.37) | - | Volgmer | High
|
||||
80 | [27.123.221.66](https://vuldb.com/?ip.27.123.221.66) | 66-221.fiber.net.id | Fallchill | High
|
||||
81 | [27.125.35.229](https://vuldb.com/?ip.27.125.35.229) | - | Hidden Cobra | High
|
||||
82 | [31.47.47.130](https://vuldb.com/?ip.31.47.47.130) | - | Hidden Cobra | High
|
||||
83 | [31.54.73.156](https://vuldb.com/?ip.31.54.73.156) | host31-54-73-156.range31-54.btcentralplus.com | Hidden Cobra | High
|
||||
84 | [31.54.74.176](https://vuldb.com/?ip.31.54.74.176) | host31-54-74-176.range31-54.btcentralplus.com | Hidden Cobra | High
|
||||
85 | [31.146.82.22](https://vuldb.com/?ip.31.146.82.22) | 31-146-82-22.dsl.utg.ge | Volgmer | High
|
||||
86 | [31.146.136.6](https://vuldb.com/?ip.31.146.136.6) | 31-146-136-6.dsl.utg.ge | Hidden Cobra | High
|
||||
87 | [31.168.203.44](https://vuldb.com/?ip.31.168.203.44) | bzq-203-168-31-44.red.bezeqint.net | Hidden Cobra | High
|
||||
88 | [36.71.90.4](https://vuldb.com/?ip.36.71.90.4) | - | Fallchill | High
|
||||
89 | [37.34.240.177](https://vuldb.com/?ip.37.34.240.177) | - | Hidden Cobra | High
|
||||
90 | [37.48.106.69](https://vuldb.com/?ip.37.48.106.69) | high-convey.blockother.com | Hidden Cobra | High
|
||||
91 | [37.71.50.2](https://vuldb.com/?ip.37.71.50.2) | 2.50.71.37.rev.sfr.net | Hidden Cobra | High
|
||||
92 | [37.75.0.98](https://vuldb.com/?ip.37.75.0.98) | - | Hidden Cobra | High
|
||||
93 | [37.75.2.203](https://vuldb.com/?ip.37.75.2.203) | - | Hidden Cobra | High
|
||||
94 | [37.75.10.194](https://vuldb.com/?ip.37.75.10.194) | mail.kplus.com.tr | Hidden Cobra | High
|
||||
95 | [37.75.11.162](https://vuldb.com/?ip.37.75.11.162) | 37-75-11-162.rdns.saglayici.net | Hidden Cobra | High
|
||||
96 | [37.98.114.90](https://vuldb.com/?ip.37.98.114.90) | 90.mobinnet.net | Volgmer | High
|
||||
97 | [37.104.24.220](https://vuldb.com/?ip.37.104.24.220) | - | Hidden Cobra | High
|
||||
98 | [37.104.50.144](https://vuldb.com/?ip.37.104.50.144) | - | Hidden Cobra | High
|
||||
99 | [37.104.67.33](https://vuldb.com/?ip.37.104.67.33) | - | Hidden Cobra | High
|
||||
100 | [37.105.234.200](https://vuldb.com/?ip.37.105.234.200) | - | Hidden Cobra | High
|
||||
101 | [37.106.115.3](https://vuldb.com/?ip.37.106.115.3) | - | Hidden Cobra | High
|
||||
102 | [37.143.29.10](https://vuldb.com/?ip.37.143.29.10) | - | Hidden Cobra | High
|
||||
103 | [37.148.209.156](https://vuldb.com/?ip.37.148.209.156) | 37-148-209-156.cizgi.net.tr | Hidden Cobra | High
|
||||
104 | [37.216.67.155](https://vuldb.com/?ip.37.216.67.155) | - | Volgmer | High
|
||||
105 | [37.216.213.70](https://vuldb.com/?ip.37.216.213.70) | - | Hidden Cobra | High
|
||||
106 | [37.235.21.166](https://vuldb.com/?ip.37.235.21.166) | - | Volgmer | High
|
||||
107 | [37.238.135.70](https://vuldb.com/?ip.37.238.135.70) | - | - | High
|
||||
108 | [38.132.124.161](https://vuldb.com/?ip.38.132.124.161) | - | TraderTraitor | High
|
||||
109 | [41.57.108.68](https://vuldb.com/?ip.41.57.108.68) | - | Hidden Cobra | High
|
||||
110 | [41.67.136.38](https://vuldb.com/?ip.41.67.136.38) | netcomafrica.com | Hidden Cobra | High
|
||||
111 | [41.67.136.39](https://vuldb.com/?ip.41.67.136.39) | netcomafrica.com | Hidden Cobra | High
|
||||
112 | [41.72.99.5](https://vuldb.com/?ip.41.72.99.5) | - | Hidden Cobra | High
|
||||
113 | [41.72.101.138](https://vuldb.com/?ip.41.72.101.138) | - | Hidden Cobra | High
|
||||
114 | [41.74.166.253](https://vuldb.com/?ip.41.74.166.253) | - | Hidden Cobra | High
|
||||
115 | [41.92.208.194](https://vuldb.com/?ip.41.92.208.194) | - | Fallchill | High
|
||||
116 | [41.92.208.196](https://vuldb.com/?ip.41.92.208.196) | - | Fallchill | High
|
||||
117 | [41.92.208.197](https://vuldb.com/?ip.41.92.208.197) | - | Fallchill | High
|
||||
118 | [41.110.179.197](https://vuldb.com/?ip.41.110.179.197) | - | Hidden Cobra | High
|
||||
119 | [41.128.226.60](https://vuldb.com/?ip.41.128.226.60) | - | Hidden Cobra | High
|
||||
120 | [41.131.49.228](https://vuldb.com/?ip.41.131.49.228) | host-41-131-49-228.static.link.com.eg | Hidden Cobra | High
|
||||
121 | [41.131.164.156](https://vuldb.com/?ip.41.131.164.156) | - | Hidden Cobra | High
|
||||
122 | [41.134.208.234](https://vuldb.com/?ip.41.134.208.234) | 41-134-208-234.dsl.mweb.co.za | Hidden Cobra | High
|
||||
123 | [41.182.252.56](https://vuldb.com/?ip.41.182.252.56) | ADSL-41-182-252-56.ipb.na | Hidden Cobra | High
|
||||
124 | [41.205.139.34](https://vuldb.com/?ip.41.205.139.34) | ADSL-41-205-139-34.ipb.na | Hidden Cobra | High
|
||||
125 | [41.208.106.68](https://vuldb.com/?ip.41.208.106.68) | owa.altaqnya.com.ly | Hidden Cobra | High
|
||||
126 | [41.208.106.70](https://vuldb.com/?ip.41.208.106.70) | dc1.Mail.dsmhlc.ly | Hidden Cobra | High
|
||||
127 | [41.215.250.40](https://vuldb.com/?ip.41.215.250.40) | - | Hidden Cobra | High
|
||||
128 | [41.223.30.20](https://vuldb.com/?ip.41.223.30.20) | host30-20.creolink.com | Hidden Cobra | High
|
||||
129 | [41.224.254.90](https://vuldb.com/?ip.41.224.254.90) | - | Hidden Cobra | High
|
||||
130 | [43.249.216.6](https://vuldb.com/?ip.43.249.216.6) | - | Volgmer | High
|
||||
131 | [45.33.2.79](https://vuldb.com/?ip.45.33.2.79) | li956-79.members.linode.com | AppleJeus | High
|
||||
132 | [45.33.23.183](https://vuldb.com/?ip.45.33.23.183) | li977-183.members.linode.com | AppleJeus | High
|
||||
133 | [45.56.79.23](https://vuldb.com/?ip.45.56.79.23) | li929-23.members.linode.com | AppleJeus | High
|
||||
134 | [45.79.19.196](https://vuldb.com/?ip.45.79.19.196) | li1118-196.members.linode.com | AppleJeus | High
|
||||
135 | [45.118.34.215](https://vuldb.com/?ip.45.118.34.215) | - | Volgmer | High
|
||||
136 | [45.120.61.145](https://vuldb.com/?ip.45.120.61.145) | - | Hidden Cobra | High
|
||||
137 | [45.124.169.36](https://vuldb.com/?ip.45.124.169.36) | - | Volgmer | High
|
||||
138 | [45.199.63.220](https://vuldb.com/?ip.45.199.63.220) | - | AppleJeus | High
|
||||
139 | [46.16.62.238](https://vuldb.com/?ip.46.16.62.238) | fnadh-35.srv.cat | TraderTraitor | High
|
||||
140 | [46.19.101.186](https://vuldb.com/?ip.46.19.101.186) | ip-46-19-101-186.gnc.net | Hidden Cobra | High
|
||||
141 | [46.21.147.161](https://vuldb.com/?ip.46.21.147.161) | 46-21-147-161.static.hvvc.us | - | High
|
||||
142 | [46.52.131.102](https://vuldb.com/?ip.46.52.131.102) | - | Hidden Cobra | High
|
||||
143 | [46.121.242.180](https://vuldb.com/?ip.46.121.242.180) | 46-121-242-180.static.012.net.il | Hidden Cobra | High
|
||||
144 | [46.174.116.60](https://vuldb.com/?ip.46.174.116.60) | - | Hidden Cobra | High
|
||||
145 | [46.174.116.87](https://vuldb.com/?ip.46.174.116.87) | - | Hidden Cobra | High
|
||||
146 | [46.174.116.90](https://vuldb.com/?ip.46.174.116.90) | - | Hidden Cobra | High
|
||||
147 | [46.174.116.99](https://vuldb.com/?ip.46.174.116.99) | - | Hidden Cobra | High
|
||||
148 | [46.174.116.221](https://vuldb.com/?ip.46.174.116.221) | - | Hidden Cobra | High
|
||||
149 | [46.174.116.231](https://vuldb.com/?ip.46.174.116.231) | - | Hidden Cobra | High
|
||||
150 | [46.174.116.234](https://vuldb.com/?ip.46.174.116.234) | - | Hidden Cobra | High
|
||||
151 | [46.174.117.15](https://vuldb.com/?ip.46.174.117.15) | - | Hidden Cobra | High
|
||||
152 | [46.174.117.32](https://vuldb.com/?ip.46.174.117.32) | - | Hidden Cobra | High
|
||||
153 | [46.174.117.36](https://vuldb.com/?ip.46.174.117.36) | - | Hidden Cobra | High
|
||||
154 | [46.174.117.42](https://vuldb.com/?ip.46.174.117.42) | - | Hidden Cobra | High
|
||||
155 | [46.174.117.44](https://vuldb.com/?ip.46.174.117.44) | - | Hidden Cobra | High
|
||||
156 | [46.174.117.50](https://vuldb.com/?ip.46.174.117.50) | - | Hidden Cobra | High
|
||||
157 | [46.174.117.61](https://vuldb.com/?ip.46.174.117.61) | - | Hidden Cobra | High
|
||||
158 | [46.174.117.77](https://vuldb.com/?ip.46.174.117.77) | - | Hidden Cobra | High
|
||||
159 | [46.174.117.80](https://vuldb.com/?ip.46.174.117.80) | - | Hidden Cobra | High
|
||||
160 | [46.174.117.97](https://vuldb.com/?ip.46.174.117.97) | - | Hidden Cobra | High
|
||||
161 | [46.174.117.98](https://vuldb.com/?ip.46.174.117.98) | - | Hidden Cobra | High
|
||||
162 | [46.174.117.103](https://vuldb.com/?ip.46.174.117.103) | - | Hidden Cobra | High
|
||||
163 | [46.174.117.116](https://vuldb.com/?ip.46.174.117.116) | - | Hidden Cobra | High
|
||||
164 | [46.174.117.121](https://vuldb.com/?ip.46.174.117.121) | - | Hidden Cobra | High
|
||||
165 | [46.174.117.129](https://vuldb.com/?ip.46.174.117.129) | - | Hidden Cobra | High
|
||||
166 | [46.174.117.134](https://vuldb.com/?ip.46.174.117.134) | - | Hidden Cobra | High
|
||||
167 | [46.174.117.153](https://vuldb.com/?ip.46.174.117.153) | - | Hidden Cobra | High
|
||||
168 | [46.174.117.164](https://vuldb.com/?ip.46.174.117.164) | - | Hidden Cobra | High
|
||||
169 | [46.218.127.110](https://vuldb.com/?ip.46.218.127.110) | reverse.completel.fr | Hidden Cobra | High
|
||||
170 | [47.206.4.145](https://vuldb.com/?ip.47.206.4.145) | static-47-206-4-145.srst.fl.frontiernet.net | Hoplight | High
|
||||
171 | [49.206.1.61](https://vuldb.com/?ip.49.206.1.61) | 49.206.1.61.actcorp.in | Hidden Cobra | High
|
||||
172 | [49.247.9.177](https://vuldb.com/?ip.49.247.9.177) | - | - | High
|
||||
173 | [50.62.168.157](https://vuldb.com/?ip.50.62.168.157) | p3nwvpweb145.shr.prod.phx3.secureserver.net | Fallchill | High
|
||||
174 | [50.87.144.227](https://vuldb.com/?ip.50.87.144.227) | somethingaboutmarketing.com | - | High
|
||||
175 | [51.235.1.216](https://vuldb.com/?ip.51.235.1.216) | - | Hidden Cobra | High
|
||||
176 | [51.235.13.162](https://vuldb.com/?ip.51.235.13.162) | - | Hidden Cobra | High
|
||||
177 | [51.235.17.133](https://vuldb.com/?ip.51.235.17.133) | - | Hidden Cobra | High
|
||||
178 | [51.235.19.202](https://vuldb.com/?ip.51.235.19.202) | - | Hidden Cobra | High
|
||||
179 | [51.235.33.226](https://vuldb.com/?ip.51.235.33.226) | - | Hidden Cobra | High
|
||||
180 | [51.235.49.202](https://vuldb.com/?ip.51.235.49.202) | - | Hidden Cobra | High
|
||||
181 | [52.79.118.195](https://vuldb.com/?ip.52.79.118.195) | ec2-52-79-118-195.ap-northeast-2.compute.amazonaws.com | Chemical Sector | Medium
|
||||
182 | [54.64.30.175](https://vuldb.com/?ip.54.64.30.175) | vega.mh-tec.co.jp | - | High
|
||||
183 | [58.82.155.98](https://vuldb.com/?ip.58.82.155.98) | 98.155.82.58.static-corp.jastel.co.th | Volgmer | High
|
||||
184 | [58.185.197.210](https://vuldb.com/?ip.58.185.197.210) | - | Volgmer | High
|
||||
185 | [59.8.194.228](https://vuldb.com/?ip.59.8.194.228) | - | - | High
|
||||
186 | [59.90.93.97](https://vuldb.com/?ip.59.90.93.97) | static.bb.knl.59.90.93.97.bsnl.in | Typeframe | High
|
||||
187 | ... | ... | ... | ...
|
||||
|
||||
There are 741 more IOC items available. Please use our online service to access the data.
|
||||
There are 742 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
@ -228,10 +226,10 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
|
||||
2 | T1055 | CWE-74 | Injection | High
|
||||
3 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
4 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 17 more TTP items available. Please use our online service to access the data.
|
||||
|
@ -242,26 +240,23 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/addNotifyServlet` | High
|
||||
2 | File | `/admin/js` | Medium
|
||||
3 | File | `/api/plugin/uninstall` | High
|
||||
4 | File | `/api/plugin/upload` | High
|
||||
5 | File | `/cgi-bin/ExportAllSettings.sh` | High
|
||||
6 | File | `/etc/init.d/sshd_service` | High
|
||||
7 | File | `/etc/tomcat8/Catalina/attack` | High
|
||||
8 | File | `/index.php/?p=report` | High
|
||||
9 | File | `/index.php?r=site%2Fsignup` | High
|
||||
10 | File | `/modules/caddyhttp/rewrite/rewrite.go` | High
|
||||
11 | File | `/nav_bar_action.php` | High
|
||||
12 | File | `/ossn/administrator/com_installer` | High
|
||||
13 | ... | ... | ...
|
||||
1 | File | `/edituser.php` | High
|
||||
2 | File | `/pages/permit/permit.php` | High
|
||||
3 | File | `/php_action/createUser.php` | High
|
||||
4 | File | `/products/view_product.php` | High
|
||||
5 | File | `/sistema/flash/reboot` | High
|
||||
6 | File | `/src/video/x11/SDL_x11yuv.c` | High
|
||||
7 | File | `/wp-admin/admin-ajax.php` | High
|
||||
8 | ... | ... | ...
|
||||
|
||||
There are 98 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 56 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/189/lazarus-apt-iocs/
|
||||
* https://1275.ru/ioc/237/lazarus-apt-iocs-part-2/
|
||||
* https://asec.ahnlab.com/en/33801/
|
||||
* https://asec.ahnlab.com/en/34461/
|
||||
* https://github.com/blackorbird/APT_REPORT/tree/master/lazarus
|
||||
|
|
|
@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
* [CN](https://vuldb.com/?country.cn)
|
||||
* ...
|
||||
|
||||
There are 12 more country items available. Please use our online service to access the data.
|
||||
There are 11 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -74,20 +74,20 @@ ID | Type | Indicator | Confidence
|
|||
14 | File | `/fuel/index.php/fuel/logs/items` | High
|
||||
15 | File | `/fuel/sitevariables/delete/4` | High
|
||||
16 | File | `/hprms/admin/doctors/manage_doctor.php` | High
|
||||
17 | File | `/include/chart_generator.php` | High
|
||||
18 | File | `/index/jobfairol/show/` | High
|
||||
19 | File | `/librarian/bookdetails.php` | High
|
||||
20 | File | `/mgmt/tm/util/bash` | High
|
||||
21 | File | `/modules/caddyhttp/rewrite/rewrite.go` | High
|
||||
22 | File | `/plugin/LiveChat/getChat.json.php` | High
|
||||
23 | File | `/proc/<PID>/mem` | High
|
||||
24 | File | `/public/plugins/` | High
|
||||
25 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
26 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
27 | File | `/simple_chat_bot/admin/?page=user/manage_user` | High
|
||||
17 | File | `/index/jobfairol/show/` | High
|
||||
18 | File | `/librarian/bookdetails.php` | High
|
||||
19 | File | `/mgmt/tm/util/bash` | High
|
||||
20 | File | `/modules/caddyhttp/rewrite/rewrite.go` | High
|
||||
21 | File | `/plugin/LiveChat/getChat.json.php` | High
|
||||
22 | File | `/proc/<PID>/mem` | High
|
||||
23 | File | `/public/plugins/` | High
|
||||
24 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
25 | File | `/simple_chat_bot/admin/?page=user/manage_user` | High
|
||||
26 | File | `/tmp` | Low
|
||||
27 | File | `/tmp/zarafa-vacation-*` | High
|
||||
28 | ... | ... | ...
|
||||
|
||||
There are 234 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 236 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -0,0 +1,70 @@
|
|||
# LokiLocker - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [LokiLocker](https://vuldb.com/?actor.lokilocker). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.lokilocker](https://vuldb.com/?actor.lokilocker)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with LokiLocker:
|
||||
|
||||
* [CO](https://vuldb.com/?country.co)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of LokiLocker.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [91.223.82.6](https://vuldb.com/?ip.91.223.82.6) | pink.warez-host.com | - | High
|
||||
2 | [194.226.139.3](https://vuldb.com/?ip.194.226.139.3) | - | - | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _LokiLocker_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
3 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 8 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by LokiLocker. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/Tools/tools_admin.htm` | High
|
||||
2 | File | `adm/krgourl.php` | High
|
||||
3 | File | `admin.php` | Medium
|
||||
4 | File | `administers` | Medium
|
||||
5 | File | `catchsegv` | Medium
|
||||
6 | File | `classified.php` | High
|
||||
7 | File | `coders/mat.c` | Medium
|
||||
8 | File | `default.asp` | Medium
|
||||
9 | File | `drivers/char/lp.c` | High
|
||||
10 | ... | ... | ...
|
||||
|
||||
There are 73 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/42/lokilocker-ransomware-ioc/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -52,15 +52,15 @@ ID | Type | Indicator | Confidence
|
|||
2 | File | `/forum/away.php` | High
|
||||
3 | File | `/out.php` | Medium
|
||||
4 | File | `/phppath/php` | Medium
|
||||
5 | File | `/systemrw/` | Medium
|
||||
6 | File | `adclick.php` | Medium
|
||||
7 | File | `application/modules/admin/views/ecommerce/products.php` | High
|
||||
8 | File | `base/ErrorHandler.php` | High
|
||||
9 | File | `blog.php` | Medium
|
||||
10 | File | `category.php` | Medium
|
||||
5 | File | `/spip.php` | Medium
|
||||
6 | File | `/systemrw/` | Medium
|
||||
7 | File | `adclick.php` | Medium
|
||||
8 | File | `application/modules/admin/views/ecommerce/products.php` | High
|
||||
9 | File | `base/ErrorHandler.php` | High
|
||||
10 | File | `blog.php` | Medium
|
||||
11 | ... | ... | ...
|
||||
|
||||
There are 80 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 88 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -0,0 +1,66 @@
|
|||
# Magniber - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Magniber](https://vuldb.com/?actor.magniber). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.magniber](https://vuldb.com/?actor.magniber)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Magniber:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [IR](https://vuldb.com/?country.ir)
|
||||
* [TR](https://vuldb.com/?country.tr)
|
||||
* ...
|
||||
|
||||
There are 1 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Magniber.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [92.222.121.30](https://vuldb.com/?ip.92.222.121.30) | ip30.ip-92-222-121.eu | - | High
|
||||
2 | [94.23.165.192](https://vuldb.com/?ip.94.23.165.192) | ip192.ip-94-23-165.eu | - | High
|
||||
3 | [149.202.112.72](https://vuldb.com/?ip.149.202.112.72) | ip72.ip-149-202-112.eu | - | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 1 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Magniber_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1202 | CWE-78 | Command Injection | High
|
||||
2 | T1505 | CWE-89 | SQL Injection | High
|
||||
3 | T1592 | CWE-200 | Configuration | High
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Magniber. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `data/gbconfiguration.dat` | High
|
||||
2 | File | `shopprojectlogin.asp` | High
|
||||
3 | Argument | `strpemail` | Medium
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/163/magniber-ransomware-iocs/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -0,0 +1,35 @@
|
|||
# MakeMoney - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [MakeMoney](https://vuldb.com/?actor.makemoney). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.makemoney](https://vuldb.com/?actor.makemoney)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of MakeMoney.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [185.215.113.121](https://vuldb.com/?ip.185.215.113.121) | - | - | High
|
||||
2 | [185.220.33.3](https://vuldb.com/?ip.185.220.33.3) | vps23002.vpsville.ru | - | High
|
||||
3 | [185.220.35.26](https://vuldb.com/?ip.185.220.35.26) | vps09026.vpsville.ru | - | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 3 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/333/makemoney-iocs/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -0,0 +1,30 @@
|
|||
# Manjusaka - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Manjusaka](https://vuldb.com/?actor.manjusaka). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.manjusaka](https://vuldb.com/?actor.manjusaka)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Manjusaka.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [39.104.90.45](https://vuldb.com/?ip.39.104.90.45) | - | - | High
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -4,12 +4,22 @@ These _indicators_ were reported, collected, and generated during the [VulDB CTI
|
|||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.matanbuchus](https://vuldb.com/?actor.matanbuchus)
|
||||
|
||||
## Campaigns
|
||||
|
||||
The following _campaigns_ are known and can be associated with Matanbuchus:
|
||||
|
||||
* Cobalt Strike
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Matanbuchus:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [TT](https://vuldb.com/?country.tt)
|
||||
* [CO](https://vuldb.com/?country.co)
|
||||
* [IT](https://vuldb.com/?country.it)
|
||||
* ...
|
||||
|
||||
There are 5 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -17,7 +27,12 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
|
|||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [213.226.114.15](https://vuldb.com/?ip.213.226.114.15) | - | - | High
|
||||
1 | [44.208.127.245](https://vuldb.com/?ip.44.208.127.245) | ec2-44-208-127-245.compute-1.amazonaws.com | Cobalt Strike | Medium
|
||||
2 | [185.217.1.23](https://vuldb.com/?ip.185.217.1.23) | - | Cobalt Strike | High
|
||||
3 | [190.123.44.220](https://vuldb.com/?ip.190.123.44.220) | - | Cobalt Strike | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 1 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
@ -25,12 +40,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
|
||||
3 | T1548.002 | CWE-285 | Improper Authorization | High
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
3 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 1 more TTP items available. Please use our online service to access the data.
|
||||
There are 7 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -38,14 +53,18 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `AdminBaseController.class.php` | High
|
||||
2 | File | `include/ajax.draft.php` | High
|
||||
3 | Argument | `request` | Low
|
||||
1 | File | `/cgi-bin/supervisor/PwdGrp.cgi` | High
|
||||
2 | File | `/etc/shadow` | Medium
|
||||
3 | File | `/uncpath/` | Medium
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 19 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://circleid.com/posts/20220721-matanbuchus-with-cobalt-strike-not-your-favorite-combo
|
||||
* https://github.com/executemalware/Malware-IOCs/blob/main/2022-06-16%20Matanbuchus%20IOCs
|
||||
|
||||
## Literature
|
||||
|
|
|
@ -9,7 +9,11 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
|
|||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with MedusaLocker:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [DE](https://vuldb.com/?country.de)
|
||||
* [PT](https://vuldb.com/?country.pt)
|
||||
* [RU](https://vuldb.com/?country.ru)
|
||||
* ...
|
||||
|
||||
There are 11 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -32,14 +36,14 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-425 | Pathname Traversal | High
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-294, CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
|
||||
4 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
6 | ... | ... | ... | ...
|
||||
|
||||
There are 22 more TTP items available. Please use our online service to access the data.
|
||||
There are 21 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -47,39 +51,28 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/action/import_https_cert_file/` | High
|
||||
2 | File | `/action/remove/` | High
|
||||
3 | File | `/admin/featured.php` | High
|
||||
4 | File | `/admin/scheprofile.cgi` | High
|
||||
5 | File | `/admin/showbad.php` | High
|
||||
6 | File | `/admin/ztliuyan_sendmail.php` | High
|
||||
7 | File | `/ajax/config_rollback/` | High
|
||||
8 | File | `/alarm_pi/alarmService.php` | High
|
||||
9 | File | `/cgi-bin/webproc` | High
|
||||
10 | File | `/ci_hms/massage_room/edit/1` | High
|
||||
11 | File | `/ci_hms/search` | High
|
||||
12 | File | `/company` | Medium
|
||||
13 | File | `/company/service/increment/add/im` | High
|
||||
14 | File | `/dashboard/blocks/stacks/view_details/` | High
|
||||
15 | File | `/dashboard/reports/logs/view` | High
|
||||
16 | File | `/dashboard/snapshot/*?orgId=0` | High
|
||||
17 | File | `/dashboard/system/express/entities/forms/save_control/[GUID]` | High
|
||||
18 | File | `/dl/dl_sendmail.php` | High
|
||||
19 | File | `/dl/dl_sendsms.php` | High
|
||||
20 | File | `/home/campus/campus_job` | High
|
||||
21 | File | `/home/job/index` | High
|
||||
22 | File | `/IISADMPWD` | Medium
|
||||
23 | File | `/images/background/1.php` | High
|
||||
24 | File | `/irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.UserMapping` | High
|
||||
25 | File | `/job` | Low
|
||||
26 | File | `/linkedcontent/editfolder.php` | High
|
||||
27 | File | `/loginsave.php` | High
|
||||
28 | File | `/mobilebroker/ServiceToBroker.svc/Json/Connect` | High
|
||||
29 | File | `/modules/mindmap/index.php` | High
|
||||
30 | File | `/odfs/posts/view_post.php` | High
|
||||
31 | ... | ... | ...
|
||||
1 | File | `.python-version` | High
|
||||
2 | File | `/ajax/remove_sniffer_raw_log/` | High
|
||||
3 | File | `/api/sys_username_passwd.cmd` | High
|
||||
4 | File | `/auth/callback` | High
|
||||
5 | File | `/bin/posix/src/ports/POSIX/OpENer` | High
|
||||
6 | File | `/bmis/pages/resident/resident.php` | High
|
||||
7 | File | `/cgi-bin/mesh.cgi?page=upgrade` | High
|
||||
8 | File | `/cgi-bin/nightled.cgi` | High
|
||||
9 | File | `/cgi-bin/nobody` | High
|
||||
10 | File | `/ci_spms/admin/category` | High
|
||||
11 | File | `/conf/` | Low
|
||||
12 | File | `/dashboard/menu-list.php` | High
|
||||
13 | File | `/dashboard/profile.php` | High
|
||||
14 | File | `/dashboard/table-list.php` | High
|
||||
15 | File | `/dev/pts/` | Medium
|
||||
16 | File | `/doping.asp` | Medium
|
||||
17 | File | `/dotrace.asp` | Medium
|
||||
18 | File | `/editbrand.php` | High
|
||||
19 | File | `/etc/lighttpd.d/ca.pem` | High
|
||||
20 | ... | ... | ...
|
||||
|
||||
There are 259 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 167 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -9,11 +9,11 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
|
|||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Middle East Unknown:
|
||||
|
||||
* [ES](https://vuldb.com/?country.es)
|
||||
* [IT](https://vuldb.com/?country.it)
|
||||
* [PT](https://vuldb.com/?country.pt)
|
||||
* [AR](https://vuldb.com/?country.ar)
|
||||
* ...
|
||||
|
||||
There are 8 more country items available. Please use our online service to access the data.
|
||||
There are 7 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -47,8 +47,8 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-22, CWE-23 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-294, CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
|
||||
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
|
@ -75,7 +75,7 @@ ID | Type | Indicator | Confidence
|
|||
11 | File | `/admin/scheprofile.cgi` | High
|
||||
12 | File | `/admin/vca/license/license_tok.cgi` | High
|
||||
13 | File | `/AJAX/ajaxget` | High
|
||||
14 | File | `/base/SysEveMenuAuthPointMapper.xml` | High
|
||||
14 | File | `/api/plugin/uninstall` | High
|
||||
15 | File | `/bcms/admin/courts/manage_court.php` | High
|
||||
16 | File | `/bcms/classes/Master.php?f=save_court_rental` | High
|
||||
17 | File | `/car-rental-management-system/admin/manage_booking.php` | High
|
||||
|
@ -84,20 +84,26 @@ ID | Type | Indicator | Confidence
|
|||
20 | File | `/cgi-bin/readfile.tcl` | High
|
||||
21 | File | `/cgi-bin/touchlist_sync.cgi` | High
|
||||
22 | File | `/classes/Users.php?f=save` | High
|
||||
23 | File | `/cms/classes/Master.php?f=delete_client` | High
|
||||
24 | File | `/config` | Low
|
||||
25 | File | `/defaultui/player/modern.html` | High
|
||||
26 | File | `/ffos/admin/categories/manage_category.php` | High
|
||||
27 | File | `/ffos/admin/menus/view_menu.php` | High
|
||||
28 | File | `/gaia-job-admin/user/add` | High
|
||||
29 | File | `/goform/aspForm` | High
|
||||
30 | File | `/goform/setNetworkLan` | High
|
||||
31 | File | `/goform/SetSysTimeCfg` | High
|
||||
32 | File | `/html/Solar_Ftp.php` | High
|
||||
33 | File | `/isms/admin/stocks/view_stock.php` | High
|
||||
34 | ... | ... | ...
|
||||
23 | File | `/defaultui/player/modern.html` | High
|
||||
24 | File | `/etc/quagga` | Medium
|
||||
25 | File | `/ffos/admin/categories/manage_category.php` | High
|
||||
26 | File | `/ffos/admin/menus/view_menu.php` | High
|
||||
27 | File | `/gaia-job-admin/user/add` | High
|
||||
28 | File | `/goform/aspForm` | High
|
||||
29 | File | `/includes/db_connect.php` | High
|
||||
30 | File | `/isms/admin/stocks/view_stock.php` | High
|
||||
31 | File | `/lists/admin/` | High
|
||||
32 | File | `/login.php` | Medium
|
||||
33 | File | `/orrs/admin/trains/manage_train.php` | High
|
||||
34 | File | `/otps/classes/Master.php?f=delete_team` | High
|
||||
35 | File | `/pages/permit/permit.php` | High
|
||||
36 | File | `/pdfalto/src/pdfalto.cc` | High
|
||||
37 | File | `/pms/admin/crimes/manage_crime.php` | High
|
||||
38 | File | `/psrs/admin/?page=products/manage_product` | High
|
||||
39 | File | `/roomtype-details.php` | High
|
||||
40 | ... | ... | ...
|
||||
|
||||
There are 286 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 343 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -21,7 +21,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
* [CN](https://vuldb.com/?country.cn)
|
||||
* ...
|
||||
|
||||
There are 1 more country items available. Please use our online service to access the data.
|
||||
There are 2 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -29,116 +29,138 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
|
|||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [1.69.18.104](https://vuldb.com/?ip.1.69.18.104) | - | - | High
|
||||
2 | [1.246.222.93](https://vuldb.com/?ip.1.246.222.93) | - | - | High
|
||||
3 | [1.246.223.83](https://vuldb.com/?ip.1.246.223.83) | - | - | High
|
||||
4 | [2.21.153.176](https://vuldb.com/?ip.2.21.153.176) | a2-21-153-176.deploy.static.akamaitechnologies.com | - | High
|
||||
5 | [2.56.56.78](https://vuldb.com/?ip.2.56.56.78) | - | - | High
|
||||
6 | [2.56.57.167](https://vuldb.com/?ip.2.56.57.167) | - | - | High
|
||||
7 | [2.56.57.187](https://vuldb.com/?ip.2.56.57.187) | - | - | High
|
||||
8 | [2.56.57.238](https://vuldb.com/?ip.2.56.57.238) | - | - | High
|
||||
9 | [2.56.59.10](https://vuldb.com/?ip.2.56.59.10) | - | - | High
|
||||
10 | [2.56.59.58](https://vuldb.com/?ip.2.56.59.58) | - | - | High
|
||||
11 | [2.56.59.83](https://vuldb.com/?ip.2.56.59.83) | - | - | High
|
||||
12 | [2.56.59.176](https://vuldb.com/?ip.2.56.59.176) | - | - | High
|
||||
13 | [2.56.59.225](https://vuldb.com/?ip.2.56.59.225) | - | - | High
|
||||
14 | [2.58.149.17](https://vuldb.com/?ip.2.58.149.17) | - | - | High
|
||||
15 | [2.58.149.116](https://vuldb.com/?ip.2.58.149.116) | - | - | High
|
||||
16 | [2.58.149.186](https://vuldb.com/?ip.2.58.149.186) | - | - | High
|
||||
17 | [2.239.84.105](https://vuldb.com/?ip.2.239.84.105) | 2-239-84-105.ip248.fastwebnet.it | - | High
|
||||
18 | [5.2.69.50](https://vuldb.com/?ip.5.2.69.50) | - | - | High
|
||||
19 | [5.2.75.132](https://vuldb.com/?ip.5.2.75.132) | - | - | High
|
||||
20 | [5.61.50.236](https://vuldb.com/?ip.5.61.50.236) | mail.novonet.org | - | High
|
||||
21 | [5.181.80.103](https://vuldb.com/?ip.5.181.80.103) | ip-80-103-bullethost.net | - | High
|
||||
22 | [5.182.210.145](https://vuldb.com/?ip.5.182.210.145) | - | - | High
|
||||
23 | [5.182.211.5](https://vuldb.com/?ip.5.182.211.5) | - | - | High
|
||||
24 | [5.188.76.60](https://vuldb.com/?ip.5.188.76.60) | - | - | High
|
||||
25 | [12.203.33.13](https://vuldb.com/?ip.12.203.33.13) | - | - | High
|
||||
26 | [13.70.188.178](https://vuldb.com/?ip.13.70.188.178) | - | - | High
|
||||
27 | [14.42.109.60](https://vuldb.com/?ip.14.42.109.60) | - | - | High
|
||||
28 | [14.198.46.139](https://vuldb.com/?ip.14.198.46.139) | 014198046139.ctinets.com | - | High
|
||||
29 | [15.185.242.46](https://vuldb.com/?ip.15.185.242.46) | ec2-15-185-242-46.me-south-1.compute.amazonaws.com | - | Medium
|
||||
30 | [15.204.7.101](https://vuldb.com/?ip.15.204.7.101) | ip101.ip-15-204-7.us | - | High
|
||||
31 | [18.172.150.9](https://vuldb.com/?ip.18.172.150.9) | server-18-172-150-9.lhr50.r.cloudfront.net | - | High
|
||||
32 | [18.184.201.19](https://vuldb.com/?ip.18.184.201.19) | ec2-18-184-201-19.eu-central-1.compute.amazonaws.com | - | Medium
|
||||
33 | [18.210.126.40](https://vuldb.com/?ip.18.210.126.40) | ec2-18-210-126-40.compute-1.amazonaws.com | - | Medium
|
||||
34 | [18.253.232.0](https://vuldb.com/?ip.18.253.232.0) | ec2-18-253-232-0.us-gov-east-1.compute.amazonaws.com | - | Medium
|
||||
35 | [20.205.9.191](https://vuldb.com/?ip.20.205.9.191) | - | - | High
|
||||
36 | [23.34.155.162](https://vuldb.com/?ip.23.34.155.162) | a23-34-155-162.deploy.static.akamaitechnologies.com | - | High
|
||||
37 | [23.48.162.198](https://vuldb.com/?ip.23.48.162.198) | a23-48-162-198.deploy.static.akamaitechnologies.com | - | High
|
||||
38 | [23.72.35.209](https://vuldb.com/?ip.23.72.35.209) | a23-72-35-209.deploy.static.akamaitechnologies.com | - | High
|
||||
39 | [23.94.28.76](https://vuldb.com/?ip.23.94.28.76) | 23-94-28-76-host.colocrossing.com | - | High
|
||||
40 | [23.94.36.134](https://vuldb.com/?ip.23.94.36.134) | 23-94-36-134-host.colocrossing.com | - | High
|
||||
41 | [23.94.50.159](https://vuldb.com/?ip.23.94.50.159) | 23-94-50-159-host.colocrossing.com | - | High
|
||||
42 | [23.96.101.205](https://vuldb.com/?ip.23.96.101.205) | - | - | High
|
||||
43 | [23.128.248.12](https://vuldb.com/?ip.23.128.248.12) | tor-exit03.stormycloud.org | - | High
|
||||
44 | [23.128.248.24](https://vuldb.com/?ip.23.128.248.24) | tor-exit15.stormycloud.org | - | High
|
||||
45 | [23.160.193.123](https://vuldb.com/?ip.23.160.193.123) | unknown.ip-xfer.net | - | High
|
||||
46 | [23.195.45.48](https://vuldb.com/?ip.23.195.45.48) | a23-195-45-48.deploy.static.akamaitechnologies.com | - | High
|
||||
47 | [23.197.224.108](https://vuldb.com/?ip.23.197.224.108) | a23-197-224-108.deploy.static.akamaitechnologies.com | - | High
|
||||
48 | [23.204.208.68](https://vuldb.com/?ip.23.204.208.68) | a23-204-208-68.deploy.static.akamaitechnologies.com | - | High
|
||||
49 | [23.211.7.69](https://vuldb.com/?ip.23.211.7.69) | a23-211-7-69.deploy.static.akamaitechnologies.com | - | High
|
||||
50 | [23.227.146.106](https://vuldb.com/?ip.23.227.146.106) | - | - | High
|
||||
51 | [23.254.247.214](https://vuldb.com/?ip.23.254.247.214) | hwsrv-840463.hostwindsdns.com | - | High
|
||||
52 | [24.123.252.154](https://vuldb.com/?ip.24.123.252.154) | rrcs-24-123-252-154.central.biz.rr.com | - | High
|
||||
53 | [27.37.239.164](https://vuldb.com/?ip.27.37.239.164) | - | - | High
|
||||
54 | [27.50.57.147](https://vuldb.com/?ip.27.50.57.147) | - | - | High
|
||||
55 | [27.105.131.171](https://vuldb.com/?ip.27.105.131.171) | 27-105-131-171-FIX-TXG.dynamic.so-net.net.tw | - | High
|
||||
56 | [31.7.58.162](https://vuldb.com/?ip.31.7.58.162) | r | - | High
|
||||
57 | [31.44.185.235](https://vuldb.com/?ip.31.44.185.235) | - | - | High
|
||||
58 | [31.210.20.111](https://vuldb.com/?ip.31.210.20.111) | - | - | High
|
||||
59 | [31.220.43.69](https://vuldb.com/?ip.31.220.43.69) | - | - | High
|
||||
60 | [34.80.131.135](https://vuldb.com/?ip.34.80.131.135) | 135.131.80.34.bc.googleusercontent.com | - | Medium
|
||||
61 | [35.80.216.15](https://vuldb.com/?ip.35.80.216.15) | ec2-35-80-216-15.us-west-2.compute.amazonaws.com | - | Medium
|
||||
62 | [35.85.181.9](https://vuldb.com/?ip.35.85.181.9) | ec2-35-85-181-9.us-west-2.compute.amazonaws.com | - | Medium
|
||||
63 | [35.166.106.142](https://vuldb.com/?ip.35.166.106.142) | ec2-35-166-106-142.us-west-2.compute.amazonaws.com | - | Medium
|
||||
64 | [35.225.213.190](https://vuldb.com/?ip.35.225.213.190) | 190.213.225.35.bc.googleusercontent.com | - | Medium
|
||||
65 | [36.79.62.31](https://vuldb.com/?ip.36.79.62.31) | - | - | High
|
||||
66 | [36.89.18.133](https://vuldb.com/?ip.36.89.18.133) | - | - | High
|
||||
67 | [37.0.8.11](https://vuldb.com/?ip.37.0.8.11) | - | - | High
|
||||
68 | [37.0.8.85](https://vuldb.com/?ip.37.0.8.85) | - | - | High
|
||||
69 | [37.0.8.111](https://vuldb.com/?ip.37.0.8.111) | - | - | High
|
||||
70 | [37.0.8.123](https://vuldb.com/?ip.37.0.8.123) | - | - | High
|
||||
71 | [37.0.8.157](https://vuldb.com/?ip.37.0.8.157) | - | - | High
|
||||
72 | [37.0.8.158](https://vuldb.com/?ip.37.0.8.158) | - | - | High
|
||||
73 | [37.0.11.130](https://vuldb.com/?ip.37.0.11.130) | - | - | High
|
||||
74 | [37.49.230.128](https://vuldb.com/?ip.37.49.230.128) | - | - | High
|
||||
75 | [37.139.11.231](https://vuldb.com/?ip.37.139.11.231) | - | - | High
|
||||
76 | [37.187.18.212](https://vuldb.com/?ip.37.187.18.212) | ns3110317.ip-37-187-18.eu | - | High
|
||||
77 | [37.187.143.65](https://vuldb.com/?ip.37.187.143.65) | ns414234.ip-37-187-143.eu | - | High
|
||||
78 | [37.187.255.93](https://vuldb.com/?ip.37.187.255.93) | ns373958.ip-37-187-255.eu | - | High
|
||||
79 | [37.252.96.62](https://vuldb.com/?ip.37.252.96.62) | foxman.net | - | High
|
||||
80 | [38.7.64.166](https://vuldb.com/?ip.38.7.64.166) | - | - | High
|
||||
81 | [38.54.16.10](https://vuldb.com/?ip.38.54.16.10) | - | - | High
|
||||
82 | [38.54.208.217](https://vuldb.com/?ip.38.54.208.217) | - | - | High
|
||||
83 | [38.55.219.137](https://vuldb.com/?ip.38.55.219.137) | - | - | High
|
||||
84 | [40.90.250.107](https://vuldb.com/?ip.40.90.250.107) | - | - | High
|
||||
85 | [40.140.15.8](https://vuldb.com/?ip.40.140.15.8) | h8.15.140.40.ip.windstream.net | - | High
|
||||
86 | [41.143.56.7](https://vuldb.com/?ip.41.143.56.7) | - | - | High
|
||||
87 | [41.215.220.238](https://vuldb.com/?ip.41.215.220.238) | bl2.41.215.220.238.dynamic.dsl.cvmultimedia.cv | - | High
|
||||
88 | [41.216.189.11](https://vuldb.com/?ip.41.216.189.11) | - | - | High
|
||||
89 | [43.156.17.183](https://vuldb.com/?ip.43.156.17.183) | - | - | High
|
||||
90 | [43.228.65.13](https://vuldb.com/?ip.43.228.65.13) | - | - | High
|
||||
91 | [45.61.136.130](https://vuldb.com/?ip.45.61.136.130) | - | DDoS Ukraine | High
|
||||
92 | [45.61.184.4](https://vuldb.com/?ip.45.61.184.4) | cryptoin.club | - | High
|
||||
93 | [45.61.186.13](https://vuldb.com/?ip.45.61.186.13) | - | DDoS Ukraine | High
|
||||
94 | [45.61.187.136](https://vuldb.com/?ip.45.61.187.136) | - | - | High
|
||||
95 | [45.63.93.202](https://vuldb.com/?ip.45.63.93.202) | 45.63.93.202.vultrusercontent.com | - | High
|
||||
96 | [45.76.147.47](https://vuldb.com/?ip.45.76.147.47) | 45.76.147.47.vultrusercontent.com | - | High
|
||||
97 | [45.79.21.252](https://vuldb.com/?ip.45.79.21.252) | mail.mrdigital.com | - | High
|
||||
98 | [45.85.190.69](https://vuldb.com/?ip.45.85.190.69) | igum.navic.shop | - | High
|
||||
99 | [45.86.86.50](https://vuldb.com/?ip.45.86.86.50) | mfoxx.co.uk | - | High
|
||||
100 | [45.88.40.116](https://vuldb.com/?ip.45.88.40.116) | service.akxtto.cn | - | High
|
||||
101 | [45.88.181.46](https://vuldb.com/?ip.45.88.181.46) | pelko.incifios.org.uk | - | High
|
||||
102 | [45.95.55.17](https://vuldb.com/?ip.45.95.55.17) | 45.95.55.17.fly-hosting.net | - | High
|
||||
103 | [45.95.55.23](https://vuldb.com/?ip.45.95.55.23) | 45.95.55.23.fly-hosting.net | - | High
|
||||
104 | [45.95.55.27](https://vuldb.com/?ip.45.95.55.27) | 45.95.55.27.fly-hosting.net | - | High
|
||||
105 | [45.95.169.100](https://vuldb.com/?ip.45.95.169.100) | antoniagavve.live | - | High
|
||||
106 | [45.95.169.139](https://vuldb.com/?ip.45.95.169.139) | - | - | High
|
||||
107 | [45.95.169.143](https://vuldb.com/?ip.45.95.169.143) | - | - | High
|
||||
108 | ... | ... | ... | ...
|
||||
1 | [1.49.153.168](https://vuldb.com/?ip.1.49.153.168) | - | - | High
|
||||
2 | [1.69.18.104](https://vuldb.com/?ip.1.69.18.104) | - | - | High
|
||||
3 | [1.246.222.93](https://vuldb.com/?ip.1.246.222.93) | - | - | High
|
||||
4 | [1.246.223.83](https://vuldb.com/?ip.1.246.223.83) | - | - | High
|
||||
5 | [2.21.153.176](https://vuldb.com/?ip.2.21.153.176) | a2-21-153-176.deploy.static.akamaitechnologies.com | - | High
|
||||
6 | [2.56.56.78](https://vuldb.com/?ip.2.56.56.78) | - | - | High
|
||||
7 | [2.56.57.167](https://vuldb.com/?ip.2.56.57.167) | - | - | High
|
||||
8 | [2.56.57.187](https://vuldb.com/?ip.2.56.57.187) | - | - | High
|
||||
9 | [2.56.57.238](https://vuldb.com/?ip.2.56.57.238) | - | - | High
|
||||
10 | [2.56.59.10](https://vuldb.com/?ip.2.56.59.10) | - | - | High
|
||||
11 | [2.56.59.58](https://vuldb.com/?ip.2.56.59.58) | - | - | High
|
||||
12 | [2.56.59.83](https://vuldb.com/?ip.2.56.59.83) | - | - | High
|
||||
13 | [2.56.59.176](https://vuldb.com/?ip.2.56.59.176) | - | - | High
|
||||
14 | [2.56.59.196](https://vuldb.com/?ip.2.56.59.196) | - | - | High
|
||||
15 | [2.56.59.225](https://vuldb.com/?ip.2.56.59.225) | - | - | High
|
||||
16 | [2.57.122.154](https://vuldb.com/?ip.2.57.122.154) | mail.vsb-ocommunitysde.club | - | High
|
||||
17 | [2.58.149.17](https://vuldb.com/?ip.2.58.149.17) | - | - | High
|
||||
18 | [2.58.149.116](https://vuldb.com/?ip.2.58.149.116) | - | - | High
|
||||
19 | [2.58.149.186](https://vuldb.com/?ip.2.58.149.186) | - | - | High
|
||||
20 | [2.239.84.105](https://vuldb.com/?ip.2.239.84.105) | 2-239-84-105.ip248.fastwebnet.it | - | High
|
||||
21 | [5.2.69.50](https://vuldb.com/?ip.5.2.69.50) | - | - | High
|
||||
22 | [5.2.75.132](https://vuldb.com/?ip.5.2.75.132) | - | - | High
|
||||
23 | [5.61.50.236](https://vuldb.com/?ip.5.61.50.236) | mail.novonet.org | - | High
|
||||
24 | [5.181.80.103](https://vuldb.com/?ip.5.181.80.103) | ip-80-103-bullethost.net | - | High
|
||||
25 | [5.182.210.145](https://vuldb.com/?ip.5.182.210.145) | - | - | High
|
||||
26 | [5.182.211.5](https://vuldb.com/?ip.5.182.211.5) | - | - | High
|
||||
27 | [5.188.76.60](https://vuldb.com/?ip.5.188.76.60) | - | - | High
|
||||
28 | [12.203.33.13](https://vuldb.com/?ip.12.203.33.13) | - | - | High
|
||||
29 | [13.70.188.178](https://vuldb.com/?ip.13.70.188.178) | - | - | High
|
||||
30 | [14.42.109.60](https://vuldb.com/?ip.14.42.109.60) | - | - | High
|
||||
31 | [14.198.46.139](https://vuldb.com/?ip.14.198.46.139) | 014198046139.ctinets.com | - | High
|
||||
32 | [15.185.242.46](https://vuldb.com/?ip.15.185.242.46) | ec2-15-185-242-46.me-south-1.compute.amazonaws.com | - | Medium
|
||||
33 | [15.204.7.101](https://vuldb.com/?ip.15.204.7.101) | ip101.ip-15-204-7.us | - | High
|
||||
34 | [18.172.150.9](https://vuldb.com/?ip.18.172.150.9) | server-18-172-150-9.lhr50.r.cloudfront.net | - | High
|
||||
35 | [18.184.201.19](https://vuldb.com/?ip.18.184.201.19) | ec2-18-184-201-19.eu-central-1.compute.amazonaws.com | - | Medium
|
||||
36 | [18.210.126.40](https://vuldb.com/?ip.18.210.126.40) | ec2-18-210-126-40.compute-1.amazonaws.com | - | Medium
|
||||
37 | [18.253.232.0](https://vuldb.com/?ip.18.253.232.0) | ec2-18-253-232-0.us-gov-east-1.compute.amazonaws.com | - | Medium
|
||||
38 | [20.205.9.191](https://vuldb.com/?ip.20.205.9.191) | - | - | High
|
||||
39 | [23.34.155.162](https://vuldb.com/?ip.23.34.155.162) | a23-34-155-162.deploy.static.akamaitechnologies.com | - | High
|
||||
40 | [23.48.162.198](https://vuldb.com/?ip.23.48.162.198) | a23-48-162-198.deploy.static.akamaitechnologies.com | - | High
|
||||
41 | [23.72.35.209](https://vuldb.com/?ip.23.72.35.209) | a23-72-35-209.deploy.static.akamaitechnologies.com | - | High
|
||||
42 | [23.94.28.76](https://vuldb.com/?ip.23.94.28.76) | 23-94-28-76-host.colocrossing.com | - | High
|
||||
43 | [23.94.36.134](https://vuldb.com/?ip.23.94.36.134) | 23-94-36-134-host.colocrossing.com | - | High
|
||||
44 | [23.94.50.159](https://vuldb.com/?ip.23.94.50.159) | 23-94-50-159-host.colocrossing.com | - | High
|
||||
45 | [23.96.101.205](https://vuldb.com/?ip.23.96.101.205) | - | - | High
|
||||
46 | [23.128.248.12](https://vuldb.com/?ip.23.128.248.12) | tor-exit03.stormycloud.org | - | High
|
||||
47 | [23.128.248.24](https://vuldb.com/?ip.23.128.248.24) | tor-exit15.stormycloud.org | - | High
|
||||
48 | [23.160.193.123](https://vuldb.com/?ip.23.160.193.123) | unknown.ip-xfer.net | - | High
|
||||
49 | [23.195.45.48](https://vuldb.com/?ip.23.195.45.48) | a23-195-45-48.deploy.static.akamaitechnologies.com | - | High
|
||||
50 | [23.197.224.108](https://vuldb.com/?ip.23.197.224.108) | a23-197-224-108.deploy.static.akamaitechnologies.com | - | High
|
||||
51 | [23.204.208.68](https://vuldb.com/?ip.23.204.208.68) | a23-204-208-68.deploy.static.akamaitechnologies.com | - | High
|
||||
52 | [23.211.7.69](https://vuldb.com/?ip.23.211.7.69) | a23-211-7-69.deploy.static.akamaitechnologies.com | - | High
|
||||
53 | [23.227.146.106](https://vuldb.com/?ip.23.227.146.106) | - | - | High
|
||||
54 | [23.254.247.214](https://vuldb.com/?ip.23.254.247.214) | hwsrv-840463.hostwindsdns.com | - | High
|
||||
55 | [24.123.252.154](https://vuldb.com/?ip.24.123.252.154) | rrcs-24-123-252-154.central.biz.rr.com | - | High
|
||||
56 | [27.37.239.164](https://vuldb.com/?ip.27.37.239.164) | - | - | High
|
||||
57 | [27.45.36.193](https://vuldb.com/?ip.27.45.36.193) | - | - | High
|
||||
58 | [27.50.57.147](https://vuldb.com/?ip.27.50.57.147) | - | - | High
|
||||
59 | [27.54.123.94](https://vuldb.com/?ip.27.54.123.94) | - | - | High
|
||||
60 | [27.105.131.171](https://vuldb.com/?ip.27.105.131.171) | 27-105-131-171-FIX-TXG.dynamic.so-net.net.tw | - | High
|
||||
61 | [27.215.77.102](https://vuldb.com/?ip.27.215.77.102) | - | - | High
|
||||
62 | [27.215.122.51](https://vuldb.com/?ip.27.215.122.51) | - | - | High
|
||||
63 | [31.7.58.162](https://vuldb.com/?ip.31.7.58.162) | r | - | High
|
||||
64 | [31.7.62.22](https://vuldb.com/?ip.31.7.62.22) | mail.mackage-outlet.com | - | High
|
||||
65 | [31.44.185.235](https://vuldb.com/?ip.31.44.185.235) | - | - | High
|
||||
66 | [31.210.20.111](https://vuldb.com/?ip.31.210.20.111) | - | - | High
|
||||
67 | [31.220.43.69](https://vuldb.com/?ip.31.220.43.69) | - | - | High
|
||||
68 | [34.80.131.135](https://vuldb.com/?ip.34.80.131.135) | 135.131.80.34.bc.googleusercontent.com | - | Medium
|
||||
69 | [35.80.216.15](https://vuldb.com/?ip.35.80.216.15) | ec2-35-80-216-15.us-west-2.compute.amazonaws.com | - | Medium
|
||||
70 | [35.85.181.9](https://vuldb.com/?ip.35.85.181.9) | ec2-35-85-181-9.us-west-2.compute.amazonaws.com | - | Medium
|
||||
71 | [35.166.106.142](https://vuldb.com/?ip.35.166.106.142) | ec2-35-166-106-142.us-west-2.compute.amazonaws.com | - | Medium
|
||||
72 | [35.225.213.190](https://vuldb.com/?ip.35.225.213.190) | 190.213.225.35.bc.googleusercontent.com | - | Medium
|
||||
73 | [36.79.62.31](https://vuldb.com/?ip.36.79.62.31) | - | - | High
|
||||
74 | [36.89.18.133](https://vuldb.com/?ip.36.89.18.133) | - | - | High
|
||||
75 | [36.89.18.195](https://vuldb.com/?ip.36.89.18.195) | - | - | High
|
||||
76 | [36.248.133.18](https://vuldb.com/?ip.36.248.133.18) | - | - | High
|
||||
77 | [37.0.8.11](https://vuldb.com/?ip.37.0.8.11) | - | - | High
|
||||
78 | [37.0.8.85](https://vuldb.com/?ip.37.0.8.85) | - | - | High
|
||||
79 | [37.0.8.111](https://vuldb.com/?ip.37.0.8.111) | - | - | High
|
||||
80 | [37.0.8.123](https://vuldb.com/?ip.37.0.8.123) | - | - | High
|
||||
81 | [37.0.8.157](https://vuldb.com/?ip.37.0.8.157) | - | - | High
|
||||
82 | [37.0.8.158](https://vuldb.com/?ip.37.0.8.158) | - | - | High
|
||||
83 | [37.0.11.130](https://vuldb.com/?ip.37.0.11.130) | - | - | High
|
||||
84 | [37.49.230.128](https://vuldb.com/?ip.37.49.230.128) | - | - | High
|
||||
85 | [37.139.11.231](https://vuldb.com/?ip.37.139.11.231) | - | - | High
|
||||
86 | [37.187.18.212](https://vuldb.com/?ip.37.187.18.212) | ns3110317.ip-37-187-18.eu | - | High
|
||||
87 | [37.187.143.65](https://vuldb.com/?ip.37.187.143.65) | ns414234.ip-37-187-143.eu | - | High
|
||||
88 | [37.187.255.93](https://vuldb.com/?ip.37.187.255.93) | ns373958.ip-37-187-255.eu | - | High
|
||||
89 | [37.252.96.62](https://vuldb.com/?ip.37.252.96.62) | foxman.net | - | High
|
||||
90 | [38.7.64.166](https://vuldb.com/?ip.38.7.64.166) | - | - | High
|
||||
91 | [38.54.16.10](https://vuldb.com/?ip.38.54.16.10) | - | - | High
|
||||
92 | [38.54.208.217](https://vuldb.com/?ip.38.54.208.217) | - | - | High
|
||||
93 | [38.55.219.137](https://vuldb.com/?ip.38.55.219.137) | - | - | High
|
||||
94 | [40.90.250.107](https://vuldb.com/?ip.40.90.250.107) | - | - | High
|
||||
95 | [40.140.15.8](https://vuldb.com/?ip.40.140.15.8) | h8.15.140.40.ip.windstream.net | - | High
|
||||
96 | [41.39.34.110](https://vuldb.com/?ip.41.39.34.110) | host-41.39.34.110.tedata.net | - | High
|
||||
97 | [41.143.56.7](https://vuldb.com/?ip.41.143.56.7) | - | - | High
|
||||
98 | [41.215.220.238](https://vuldb.com/?ip.41.215.220.238) | bl2.41.215.220.238.dynamic.dsl.cvmultimedia.cv | - | High
|
||||
99 | [41.216.182.131](https://vuldb.com/?ip.41.216.182.131) | magnamhvoqa.timefaucet.de | - | High
|
||||
100 | [41.216.189.11](https://vuldb.com/?ip.41.216.189.11) | - | - | High
|
||||
101 | [42.228.78.68](https://vuldb.com/?ip.42.228.78.68) | hn.kd.ny.adsl | - | High
|
||||
102 | [43.156.17.183](https://vuldb.com/?ip.43.156.17.183) | - | - | High
|
||||
103 | [43.228.65.13](https://vuldb.com/?ip.43.228.65.13) | - | - | High
|
||||
104 | [45.12.2.72](https://vuldb.com/?ip.45.12.2.72) | contact13.marketeast.link | - | High
|
||||
105 | [45.61.136.130](https://vuldb.com/?ip.45.61.136.130) | - | DDoS Ukraine | High
|
||||
106 | [45.61.184.4](https://vuldb.com/?ip.45.61.184.4) | cryptoin.club | - | High
|
||||
107 | [45.61.186.13](https://vuldb.com/?ip.45.61.186.13) | - | DDoS Ukraine | High
|
||||
108 | [45.61.187.136](https://vuldb.com/?ip.45.61.187.136) | - | - | High
|
||||
109 | [45.63.93.202](https://vuldb.com/?ip.45.63.93.202) | 45.63.93.202.vultrusercontent.com | - | High
|
||||
110 | [45.76.147.47](https://vuldb.com/?ip.45.76.147.47) | 45.76.147.47.vultrusercontent.com | - | High
|
||||
111 | [45.79.21.252](https://vuldb.com/?ip.45.79.21.252) | mail.mrdigital.com | - | High
|
||||
112 | [45.79.126.62](https://vuldb.com/?ip.45.79.126.62) | 45-79-126-62.ip.linodeusercontent.com | - | High
|
||||
113 | [45.85.190.69](https://vuldb.com/?ip.45.85.190.69) | igum.navic.shop | - | High
|
||||
114 | [45.86.86.50](https://vuldb.com/?ip.45.86.86.50) | mfoxx.co.uk | - | High
|
||||
115 | [45.87.42.123](https://vuldb.com/?ip.45.87.42.123) | hosted-by.triple.nl | - | High
|
||||
116 | [45.88.40.116](https://vuldb.com/?ip.45.88.40.116) | service.akxtto.cn | - | High
|
||||
117 | [45.88.181.46](https://vuldb.com/?ip.45.88.181.46) | pelko.incifios.org.uk | - | High
|
||||
118 | [45.95.55.17](https://vuldb.com/?ip.45.95.55.17) | 45.95.55.17.fly-hosting.net | - | High
|
||||
119 | [45.95.55.23](https://vuldb.com/?ip.45.95.55.23) | 45.95.55.23.fly-hosting.net | - | High
|
||||
120 | [45.95.55.27](https://vuldb.com/?ip.45.95.55.27) | 45.95.55.27.fly-hosting.net | - | High
|
||||
121 | [45.95.55.38](https://vuldb.com/?ip.45.95.55.38) | 45.95.55.38.fly-hosting.net | - | High
|
||||
122 | [45.95.169.100](https://vuldb.com/?ip.45.95.169.100) | antoniagavve.live | - | High
|
||||
123 | [45.95.169.139](https://vuldb.com/?ip.45.95.169.139) | - | - | High
|
||||
124 | [45.95.169.143](https://vuldb.com/?ip.45.95.169.143) | - | - | High
|
||||
125 | [45.124.84.135](https://vuldb.com/?ip.45.124.84.135) | sv-84135.bkns.vn | - | High
|
||||
126 | [45.124.84.253](https://vuldb.com/?ip.45.124.84.253) | sv-84253.bkns.vn | - | High
|
||||
127 | [45.133.1.9](https://vuldb.com/?ip.45.133.1.9) | - | - | High
|
||||
128 | [45.133.1.89](https://vuldb.com/?ip.45.133.1.89) | - | - | High
|
||||
129 | [45.134.174.234](https://vuldb.com/?ip.45.134.174.234) | dedicated.vsys.host | - | High
|
||||
130 | ... | ... | ... | ...
|
||||
|
||||
There are 428 more IOC items available. Please use our online service to access the data.
|
||||
There are 517 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
@ -146,10 +168,10 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
|
||||
2 | T1055 | CWE-74 | Injection | High
|
||||
3 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
4 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
1 | T1006 | CWE-21, CWE-22 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 17 more TTP items available. Please use our online service to access the data.
|
||||
|
@ -160,23 +182,23 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/addNotifyServlet` | High
|
||||
2 | File | `/admin/js` | Medium
|
||||
3 | File | `/cgi-bin/ExportAllSettings.sh` | High
|
||||
4 | File | `/debug/pprof` | Medium
|
||||
1 | File | `/admin/inc/include.php` | High
|
||||
2 | File | `/admin/operations/packages.php` | High
|
||||
3 | File | `/alarm_pi/alarmService.php` | High
|
||||
4 | File | `/catcompany.php` | High
|
||||
5 | File | `/edituser.php` | High
|
||||
6 | File | `/etc/init.d/sshd_service` | High
|
||||
7 | File | `/forum/away.php` | High
|
||||
8 | File | `/index.php/?p=report` | High
|
||||
9 | File | `/index.php?r=site%2Fsignup` | High
|
||||
10 | File | `/nav_bar_action.php` | High
|
||||
11 | File | `/pages/activity/activity.php` | High
|
||||
12 | File | `/pages/permit/permit.php` | High
|
||||
13 | File | `/php_action/createUser.php` | High
|
||||
14 | File | `/src/video/x11/SDL_x11yuv.c` | High
|
||||
6 | File | `/modules/projects/vw_files.php` | High
|
||||
7 | File | `/pages/permit/permit.php` | High
|
||||
8 | File | `/php_action/createUser.php` | High
|
||||
9 | File | `/products/view_product.php` | High
|
||||
10 | File | `/sistema/flash/reboot` | High
|
||||
11 | File | `/src/video/x11/SDL_x11yuv.c` | High
|
||||
12 | File | `/sys/ui/extend/varkind/custom.jsp` | High
|
||||
13 | File | `admin/conf_users_edit.php` | High
|
||||
14 | File | `amf.c` | Low
|
||||
15 | ... | ... | ...
|
||||
|
||||
There are 117 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 123 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
@ -199,6 +221,7 @@ The following list contains _external sources_ which discuss the actor and the a
|
|||
* https://1275.ru/ioc/318/gs-035-mirai-botnet-iocs/
|
||||
* https://1275.ru/ioc/325/gs-037-mirai-botnet-iocs/
|
||||
* https://1275.ru/ioc/332/gs-038-mirai-botnet-iocs/
|
||||
* https://1275.ru/ioc/338/gs-040-mirai-botnet-iocs/
|
||||
* https://1275.ru/ioc/340/gs-042-mirai-botnet-iocs/
|
||||
* https://1275.ru/ioc/346/gs-047-mirai-botnet-iocs/
|
||||
* https://1275.ru/ioc/350/gs-048-mirai-botnet-iocs/
|
||||
|
@ -217,6 +240,8 @@ The following list contains _external sources_ which discuss the actor and the a
|
|||
* https://1275.ru/ioc/429/gs-069-mirai-botnet-iocs/
|
||||
* https://1275.ru/ioc/490/gs-071-mirai-botnet-iocs/
|
||||
* https://1275.ru/ioc/494/gs-072-mirai-botnet-iocs/
|
||||
* https://1275.ru/ioc/502/gs-073-mirai-botnet-iocs/
|
||||
* https://1275.ru/ioc/515/gs-074-mirai-botnet-iocs/
|
||||
* https://blog.cyble.com/2022/04/12/springshell-remote-code-execution-vulnerability/
|
||||
* https://blog.netlab.360.com/early-warning-a-new-mirai-variant-is-spreading-quickly-on-port-23-and-2323-en/
|
||||
* https://blog.netlab.360.com/emptiness-a-new-evolving-botnet/
|
||||
|
|
|
@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
* [US](https://vuldb.com/?country.us)
|
||||
* ...
|
||||
|
||||
There are 7 more country items available. Please use our online service to access the data.
|
||||
There are 8 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -35,12 +35,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
1 | T1006 | CWE-21, CWE-22 | Pathname Traversal | High
|
||||
2 | T1055 | CWE-74 | Injection | High
|
||||
3 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 5 more TTP items available. Please use our online service to access the data.
|
||||
There are 14 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -57,7 +57,7 @@ ID | Type | Indicator | Confidence
|
|||
7 | File | `ActivityPicker.java` | High
|
||||
8 | ... | ... | ...
|
||||
|
||||
There are 52 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 53 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -45,7 +45,7 @@ ID | IP address | Hostname | Campaign | Confidence
|
|||
14 | [51.254.219.134](https://vuldb.com/?ip.51.254.219.134) | 134.ip-51-254-219.eu | CVE-2018-7600 / CVE-2017-10271 | High
|
||||
15 | ... | ... | ... | ...
|
||||
|
||||
There are 56 more IOC items available. Please use our online service to access the data.
|
||||
There are 58 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
@ -97,6 +97,7 @@ There are 180 more IOA items available (file, library, argument, input value, pa
|
|||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/68/muhstik-botnet-ioc/
|
||||
* https://blog.netlab.360.com/botnet-muhstik-is-actively-exploiting-drupal-cve-2018-7600-in-a-worm-style-en/
|
||||
* https://blog.netlab.360.com/wei-xie-kuai-xun-log4jlou-dong-yi-jing-bei-yong-lai-zu-jian-botnet-zhen-dui-linuxshe-bei/
|
||||
* https://blogs.infoblox.com/cyber-threat-intelligence/cyber-campaign-briefs/log4j-indicators-of-compromise-to-date/
|
||||
|
|
|
@ -54,47 +54,47 @@ ID | Type | Indicator | Confidence
|
|||
2 | File | `/../conf/config.properties` | High
|
||||
3 | File | `/addnews.html` | High
|
||||
4 | File | `/admin/` | Low
|
||||
5 | File | `/api/2.0/rest/aggregator/xml` | High
|
||||
6 | File | `/api/blade-log/api/list` | High
|
||||
7 | File | `/cgi-bin/webviewer_login_page` | High
|
||||
8 | File | `/Config/SaveUploadedHotspotLogoFile` | High
|
||||
9 | File | `/core/vendor/meenie/javascript-packer/example-inline.php` | High
|
||||
10 | File | `/etc/config/rpcd` | High
|
||||
11 | File | `/exponent_constants.php` | High
|
||||
12 | File | `/forum/away.php` | High
|
||||
13 | File | `/goform/formLogin` | High
|
||||
14 | File | `/hub/api/user` | High
|
||||
15 | File | `/mfaslmf/nolicense` | High
|
||||
16 | File | `/opt/bin/cli` | Medium
|
||||
17 | File | `/plain` | Low
|
||||
18 | File | `/proc` | Low
|
||||
19 | File | `/proc/ioports` | High
|
||||
20 | File | `/products/details.asp` | High
|
||||
21 | File | `/public/plugins/` | High
|
||||
22 | File | `/RestAPI` | Medium
|
||||
23 | File | `/tmp` | Low
|
||||
24 | File | `/uncpath/` | Medium
|
||||
25 | File | `/User/saveUser` | High
|
||||
26 | File | `/ViewUserHover.jspa` | High
|
||||
27 | File | `/WEB-INF/web.xml` | High
|
||||
28 | File | `/wp-admin/admin-ajax.php` | High
|
||||
29 | File | `/wp-json/wc/v3/webhooks` | High
|
||||
30 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
31 | File | `abc-pcie.c` | Medium
|
||||
32 | File | `accountmanagement.php` | High
|
||||
33 | File | `addentry.php` | Medium
|
||||
34 | File | `adherents/subscription/info.php` | High
|
||||
35 | File | `admin.joomlaflashfun.php` | High
|
||||
36 | File | `admin.joomlaradiov5.php` | High
|
||||
37 | File | `admin.panoramic.php` | High
|
||||
38 | File | `admin.php` | Medium
|
||||
39 | File | `admin/change-password.php` | High
|
||||
40 | File | `admin/index.php` | High
|
||||
41 | File | `admin/killsource` | High
|
||||
42 | File | `admin/scripts/FileUploader/php.php` | High
|
||||
5 | File | `/admin/inquiries/view_details.php` | High
|
||||
6 | File | `/api/2.0/rest/aggregator/xml` | High
|
||||
7 | File | `/api/blade-log/api/list` | High
|
||||
8 | File | `/cgi-bin/webviewer_login_page` | High
|
||||
9 | File | `/Config/SaveUploadedHotspotLogoFile` | High
|
||||
10 | File | `/core/vendor/meenie/javascript-packer/example-inline.php` | High
|
||||
11 | File | `/etc/config/rpcd` | High
|
||||
12 | File | `/exponent_constants.php` | High
|
||||
13 | File | `/forum/away.php` | High
|
||||
14 | File | `/goform/formLogin` | High
|
||||
15 | File | `/hub/api/user` | High
|
||||
16 | File | `/mfaslmf/nolicense` | High
|
||||
17 | File | `/mhds/clinic/view_details.php` | High
|
||||
18 | File | `/opt/bin/cli` | Medium
|
||||
19 | File | `/plain` | Low
|
||||
20 | File | `/proc` | Low
|
||||
21 | File | `/proc/ioports` | High
|
||||
22 | File | `/products/details.asp` | High
|
||||
23 | File | `/public/plugins/` | High
|
||||
24 | File | `/RestAPI` | Medium
|
||||
25 | File | `/tmp` | Low
|
||||
26 | File | `/uncpath/` | Medium
|
||||
27 | File | `/User/saveUser` | High
|
||||
28 | File | `/ViewUserHover.jspa` | High
|
||||
29 | File | `/WEB-INF/web.xml` | High
|
||||
30 | File | `/wp-admin/admin-ajax.php` | High
|
||||
31 | File | `/wp-json/wc/v3/webhooks` | High
|
||||
32 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
33 | File | `abc-pcie.c` | Medium
|
||||
34 | File | `accountmanagement.php` | High
|
||||
35 | File | `addentry.php` | Medium
|
||||
36 | File | `adherents/subscription/info.php` | High
|
||||
37 | File | `admin.joomlaflashfun.php` | High
|
||||
38 | File | `admin.joomlaradiov5.php` | High
|
||||
39 | File | `admin.panoramic.php` | High
|
||||
40 | File | `admin.php` | Medium
|
||||
41 | File | `admin/change-password.php` | High
|
||||
42 | File | `admin/index.php` | High
|
||||
43 | ... | ... | ...
|
||||
|
||||
There are 370 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 374 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -0,0 +1,69 @@
|
|||
# NDSW - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [NDSW](https://vuldb.com/?actor.ndsw). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.ndsw](https://vuldb.com/?actor.ndsw)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with NDSW:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [RU](https://vuldb.com/?country.ru)
|
||||
* [FR](https://vuldb.com/?country.fr)
|
||||
* ...
|
||||
|
||||
There are 1 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of NDSW.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [109.234.35.249](https://vuldb.com/?ip.109.234.35.249) | v1020533.hosted-by-vdsina.ru | - | High
|
||||
2 | [179.43.169.30](https://vuldb.com/?ip.179.43.169.30) | - | - | High
|
||||
3 | [188.120.239.154](https://vuldb.com/?ip.188.120.239.154) | cy22.ru | - | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _NDSW_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
3 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 3 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by NDSW. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `blog.php` | Medium
|
||||
2 | File | `comments/feed` | High
|
||||
3 | File | `data/gbconfiguration.dat` | High
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 17 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/370/ndsw-ndsx-malware-iocs/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -98,7 +98,7 @@ ID | Type | Indicator | Confidence
|
|||
32 | File | `admin/scripts/FileUploader/php.php` | High
|
||||
33 | ... | ... | ...
|
||||
|
||||
There are 282 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 286 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -0,0 +1,60 @@
|
|||
# Nerbian - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Nerbian](https://vuldb.com/?actor.nerbian). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.nerbian](https://vuldb.com/?actor.nerbian)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Nerbian:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [FR](https://vuldb.com/?country.fr)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Nerbian.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [185.121.139.249](https://vuldb.com/?ip.185.121.139.249) | 249.139.121.185.baremetal.zare.com | - | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Nerbian_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1202 | CWE-78 | Command Injection | High
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Nerbian. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `ecrire/exec/plonger.php` | High
|
||||
2 | File | `Filesystem.php` | High
|
||||
3 | File | `username/password` | High
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 1 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/202/nerbian-rat-iocs/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -0,0 +1,62 @@
|
|||
# Nokoyawa - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Nokoyawa](https://vuldb.com/?actor.nokoyawa). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.nokoyawa](https://vuldb.com/?actor.nokoyawa)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Nokoyawa:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Nokoyawa.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [185.150.117.186](https://vuldb.com/?ip.185.150.117.186) | - | - | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Nokoyawa_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1055 | CWE-74 | Injection | High
|
||||
2 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
3 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 1 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Nokoyawa. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `admin/import/class-import-settings.php` | High
|
||||
2 | File | `class-s2-list-table.php` | High
|
||||
3 | File | `wp-admin/edit.php?post_type=forum` | High
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 2 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/269/nokoyawa-ransomware-iocs/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
* [FR](https://vuldb.com/?country.fr)
|
||||
* ...
|
||||
|
||||
There are 8 more country items available. Please use our online service to access the data.
|
||||
There are 9 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -26,7 +26,7 @@ ID | IP address | Hostname | Campaign | Confidence
|
|||
3 | [185.220.100.240](https://vuldb.com/?ip.185.220.100.240) | tor-exit-13.zbau.f3netze.de | - | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 2 more IOC items available. Please use our online service to access the data.
|
||||
There are 9 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
@ -41,7 +41,7 @@ ID | Technique | Weakness | Description | Confidence
|
|||
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
6 | ... | ... | ... | ...
|
||||
|
||||
There are 21 more TTP items available. Please use our online service to access the data.
|
||||
There are 19 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -50,45 +50,45 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `//proc/kcore` | Medium
|
||||
2 | File | `/admin/?page=system_info/contact_info` | High
|
||||
3 | File | `/admin/featured.php` | High
|
||||
4 | File | `/ajax/config_rollback/` | High
|
||||
5 | File | `/Ap4RtpAtom.cpp` | High
|
||||
6 | File | `/api/part_categories` | High
|
||||
2 | File | `/admin/featured.php` | High
|
||||
3 | File | `/ajax/config_rollback/` | High
|
||||
4 | File | `/Ap4RtpAtom.cpp` | High
|
||||
5 | File | `/api/part_categories` | High
|
||||
6 | File | `/api/plugin/uninstall` | High
|
||||
7 | File | `/auditLogAction.do` | High
|
||||
8 | File | `/cgi-bin` | Medium
|
||||
9 | File | `/cgi-bin/webproc` | High
|
||||
10 | File | `/churchcrm/WhyCameEditor.php` | High
|
||||
11 | File | `/ci_spms/admin/category` | High
|
||||
12 | File | `/dashboard/menu-list.php` | High
|
||||
13 | File | `/dms/admin/reports/daily_collection_report.php` | High
|
||||
14 | File | `/editbrand.php` | High
|
||||
15 | File | `/etc/cron.daily/upstart` | High
|
||||
16 | File | `/etc/lighttpd.d/ca.pem` | High
|
||||
17 | File | `/fuel/sitevariables/delete/4` | High
|
||||
18 | File | `/goform/aspForm` | High
|
||||
19 | File | `/goform/WanParameterSetting` | High
|
||||
20 | File | `/IISADMPWD` | Medium
|
||||
21 | File | `/index.php?page=search/rentals` | High
|
||||
22 | File | `/Items/*/RemoteImages/Download` | High
|
||||
23 | File | `/job` | Low
|
||||
24 | File | `/linkedcontent/editfolder.php` | High
|
||||
25 | File | `/mgmt/tm/util/bash` | High
|
||||
26 | File | `/mhds/clinic/view_details.php` | High
|
||||
27 | File | `/officials/officials.php` | High
|
||||
28 | File | `/ofrs/admin/?page=reports` | High
|
||||
29 | File | `/PC/WebService.asmx` | High
|
||||
30 | File | `/pms/admin/actions/view_action.php` | High
|
||||
31 | File | `/pms/admin/cells/manage_cell.php` | High
|
||||
32 | File | `/pms/admin/inmates/manage_inmate.php` | High
|
||||
33 | ... | ... | ...
|
||||
8 | File | `/bmis/pages/resident/resident.php` | High
|
||||
9 | File | `/cgi-bin` | Medium
|
||||
10 | File | `/cgi-bin/ExportAllSettings.sh` | High
|
||||
11 | File | `/cgi-bin/webproc` | High
|
||||
12 | File | `/churchcrm/WhyCameEditor.php` | High
|
||||
13 | File | `/ci_spms/admin/category` | High
|
||||
14 | File | `/dashboard/menu-list.php` | High
|
||||
15 | File | `/doping.asp` | Medium
|
||||
16 | File | `/dotrace.asp` | Medium
|
||||
17 | File | `/editbrand.php` | High
|
||||
18 | File | `/etc/cron.daily/upstart` | High
|
||||
19 | File | `/etc/lighttpd.d/ca.pem` | High
|
||||
20 | File | `/fuel/sitevariables/delete/4` | High
|
||||
21 | File | `/goform/aspForm` | High
|
||||
22 | File | `/goform/WanParameterSetting` | High
|
||||
23 | File | `/IISADMPWD` | Medium
|
||||
24 | File | `/index.php` | Medium
|
||||
25 | File | `/index.php?page=search/rentals` | High
|
||||
26 | File | `/job` | Low
|
||||
27 | File | `/linkedcontent/editfolder.php` | High
|
||||
28 | File | `/mhds/clinic/view_details.php` | High
|
||||
29 | File | `/movie.php` | Medium
|
||||
30 | File | `/officials/officials.php` | High
|
||||
31 | File | `/ofrs/admin/?page=reports` | High
|
||||
32 | ... | ... | ...
|
||||
|
||||
There are 284 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 270 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/120/pysa-ransomware-iocs/
|
||||
* https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
|
||||
|
||||
## Literature
|
||||
|
|
|
@ -34,12 +34,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
1 | T1006 | CWE-21, CWE-22 | Pathname Traversal | High
|
||||
2 | T1055 | CWE-74 | Injection | High
|
||||
3 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 3 more TTP items available. Please use our online service to access the data.
|
||||
There are 11 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -62,7 +62,7 @@ ID | Type | Indicator | Confidence
|
|||
13 | File | `/SASWebReportStudio/logonAndRender.do` | High
|
||||
14 | ... | ... | ...
|
||||
|
||||
There are 106 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 108 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -0,0 +1,97 @@
|
|||
# Parrot - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Parrot](https://vuldb.com/?actor.parrot). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.parrot](https://vuldb.com/?actor.parrot)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Parrot:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [RU](https://vuldb.com/?country.ru)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* ...
|
||||
|
||||
There are 8 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Parrot.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [5.180.136.119](https://vuldb.com/?ip.5.180.136.119) | free.ihor-hosting.ru | - | High
|
||||
2 | [15.76.172.110](https://vuldb.com/?ip.15.76.172.110) | - | - | High
|
||||
3 | [45.76.172.113](https://vuldb.com/?ip.45.76.172.113) | 45.76.172.113.vultrusercontent.com | - | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 11 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Parrot_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
6 | ... | ... | ... | ...
|
||||
|
||||
There are 18 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Parrot. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/addsrv` | Low
|
||||
2 | File | `/Admin/Views/FileEditor/` | High
|
||||
3 | File | `/article/add` | Medium
|
||||
4 | File | `/controller/pay.class.php` | High
|
||||
5 | File | `/dev/kmem` | Medium
|
||||
6 | File | `/dev/snd/seq` | Medium
|
||||
7 | File | `/device/device=140/tab=wifi/view` | High
|
||||
8 | File | `/EXCU_SHELL` | Medium
|
||||
9 | File | `/forum/away.php` | High
|
||||
10 | File | `/gena.cgi` | Medium
|
||||
11 | File | `/goform/SetClientState` | High
|
||||
12 | File | `/jerry-core/ecma/base/ecma-gc.c` | High
|
||||
13 | File | `/jpg/image.jpg` | High
|
||||
14 | File | `/out.php` | Medium
|
||||
15 | File | `/product_list.php` | High
|
||||
16 | File | `/rapi/read_url` | High
|
||||
17 | File | `/rrps/classes/Master.php?f=delete_category` | High
|
||||
18 | File | `/rukovoditel_2.4.1/index.php?module=configuration/save&redirect_to=configuration/application` | High
|
||||
19 | File | `/sec/content/sec_asa_users_local_db_add.html` | High
|
||||
20 | File | `/see_more_details.php` | High
|
||||
21 | File | `/src/core/controllers/cm.php` | High
|
||||
22 | File | `/transmission/web/` | High
|
||||
23 | File | `/uncpath/` | Medium
|
||||
24 | File | `/usr/local` | Medium
|
||||
25 | File | `/usr/sbin/sendmail` | High
|
||||
26 | File | `/weibo/publishdata` | High
|
||||
27 | ... | ... | ...
|
||||
|
||||
There are 230 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/89/parrot-tds-ioc/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -140,37 +140,38 @@ ID | Type | Indicator | Confidence
|
|||
16 | File | `/data/remove` | Medium
|
||||
17 | File | `/ffos/classes/Master.php?f=save_category` | High
|
||||
18 | File | `/goforms/rlminfo` | High
|
||||
19 | File | `/htdocs/cgibin` | High
|
||||
20 | File | `/Items/*/RemoteImages/Download` | High
|
||||
21 | File | `/login` | Low
|
||||
22 | File | `/navigate/navigate_download.php` | High
|
||||
23 | File | `/ocwbs/admin/?page=user/manage_user` | High
|
||||
24 | File | `/ofrs/admin/?page=user/manage_user` | High
|
||||
25 | File | `/owa/auth/logon.aspx` | High
|
||||
26 | File | `/password.html` | High
|
||||
27 | File | `/proc/ioports` | High
|
||||
28 | File | `/property-list/property_view.php` | High
|
||||
29 | File | `/ptms/classes/Users.php` | High
|
||||
30 | File | `/rest/api/2/search` | High
|
||||
31 | File | `/s/` | Low
|
||||
32 | File | `/scripts/cpan_config` | High
|
||||
33 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
34 | File | `/services/system/setup.json` | High
|
||||
35 | File | `/spip.php` | Medium
|
||||
36 | File | `/uncpath/` | Medium
|
||||
37 | File | `/vloggers_merch/?p=view_product` | High
|
||||
38 | File | `/web/MCmsAction.java` | High
|
||||
39 | File | `/webconsole/APIController` | High
|
||||
40 | File | `/websocket/exec` | High
|
||||
41 | File | `/wp-admin/admin-ajax.php` | High
|
||||
42 | File | `/wp-content/plugins/woocommerce/templates/emails/plain/` | High
|
||||
43 | File | `/wp-json` | Medium
|
||||
44 | File | `/wp-json/oembed/1.0/embed?url` | High
|
||||
45 | File | `/_next` | Low
|
||||
46 | File | `4.edu.php\conn\function.php` | High
|
||||
47 | ... | ... | ...
|
||||
19 | File | `/Items/*/RemoteImages/Download` | High
|
||||
20 | File | `/login` | Low
|
||||
21 | File | `/navigate/navigate_download.php` | High
|
||||
22 | File | `/ocwbs/admin/?page=user/manage_user` | High
|
||||
23 | File | `/ofrs/admin/?page=user/manage_user` | High
|
||||
24 | File | `/owa/auth/logon.aspx` | High
|
||||
25 | File | `/password.html` | High
|
||||
26 | File | `/proc/ioports` | High
|
||||
27 | File | `/property-list/property_view.php` | High
|
||||
28 | File | `/ptms/classes/Users.php` | High
|
||||
29 | File | `/rest/api/2/search` | High
|
||||
30 | File | `/s/` | Low
|
||||
31 | File | `/scripts/cpan_config` | High
|
||||
32 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
33 | File | `/services/system/setup.json` | High
|
||||
34 | File | `/spip.php` | Medium
|
||||
35 | File | `/uncpath/` | Medium
|
||||
36 | File | `/vloggers_merch/?p=view_product` | High
|
||||
37 | File | `/web/MCmsAction.java` | High
|
||||
38 | File | `/webconsole/APIController` | High
|
||||
39 | File | `/websocket/exec` | High
|
||||
40 | File | `/wp-admin/admin-ajax.php` | High
|
||||
41 | File | `/wp-content/plugins/woocommerce/templates/emails/plain/` | High
|
||||
42 | File | `/wp-json` | Medium
|
||||
43 | File | `/wp-json/oembed/1.0/embed?url` | High
|
||||
44 | File | `/_next` | Low
|
||||
45 | File | `4.edu.php\conn\function.php` | High
|
||||
46 | File | `about.php` | Medium
|
||||
47 | File | `acl.c` | Low
|
||||
48 | ... | ... | ...
|
||||
|
||||
There are 412 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 413 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -0,0 +1,107 @@
|
|||
# PingPull - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [PingPull](https://vuldb.com/?actor.pingpull). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.pingpull](https://vuldb.com/?actor.pingpull)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with PingPull:
|
||||
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [HK](https://vuldb.com/?country.hk)
|
||||
* ...
|
||||
|
||||
There are 9 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of PingPull.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [2.58.242.229](https://vuldb.com/?ip.2.58.242.229) | 242-58-2-229.hostinginside.com | - | High
|
||||
2 | [2.58.242.230](https://vuldb.com/?ip.2.58.242.230) | 242-58-2-230.hostinginside.com | - | High
|
||||
3 | [2.58.242.231](https://vuldb.com/?ip.2.58.242.231) | 242-58-2-231.hostinginside.com | - | High
|
||||
4 | [2.58.242.232](https://vuldb.com/?ip.2.58.242.232) | 242-58-2-232.hostinginside.com | - | High
|
||||
5 | [2.58.242.235](https://vuldb.com/?ip.2.58.242.235) | 242-58-2-235.hostinginside.com | - | High
|
||||
6 | [2.58.242.236](https://vuldb.com/?ip.2.58.242.236) | 242-58-2-236.hostinginside.com | - | High
|
||||
7 | [5.8.71.97](https://vuldb.com/?ip.5.8.71.97) | vps.hostry.com | - | High
|
||||
8 | [5.181.25.55](https://vuldb.com/?ip.5.181.25.55) | contato.instagram05.polarbor.solutions | - | High
|
||||
9 | [5.188.33.237](https://vuldb.com/?ip.5.188.33.237) | core3.icons8.com | - | High
|
||||
10 | [37.61.229.104](https://vuldb.com/?ip.37.61.229.104) | theodore974.example.com | - | High
|
||||
11 | [37.61.229.106](https://vuldb.com/?ip.37.61.229.106) | www.asterip.net | - | High
|
||||
12 | [43.254.218.43](https://vuldb.com/?ip.43.254.218.43) | - | - | High
|
||||
13 | [43.254.218.57](https://vuldb.com/?ip.43.254.218.57) | - | - | High
|
||||
14 | [43.254.218.98](https://vuldb.com/?ip.43.254.218.98) | - | - | High
|
||||
15 | [43.254.218.104](https://vuldb.com/?ip.43.254.218.104) | - | - | High
|
||||
16 | [43.254.218.114](https://vuldb.com/?ip.43.254.218.114) | - | - | High
|
||||
17 | [45.14.66.230](https://vuldb.com/?ip.45.14.66.230) | 45.14.66.230.static.xtom.com | - | High
|
||||
18 | [45.76.113.163](https://vuldb.com/?ip.45.76.113.163) | 45.76.113.163.vultrusercontent.com | - | High
|
||||
19 | [45.116.13.153](https://vuldb.com/?ip.45.116.13.153) | 45.116.13.153.static.xtom.hk | - | High
|
||||
20 | [45.121.50.230](https://vuldb.com/?ip.45.121.50.230) | - | - | High
|
||||
21 | [45.128.221.61](https://vuldb.com/?ip.45.128.221.61) | - | - | High
|
||||
22 | [45.128.221.66](https://vuldb.com/?ip.45.128.221.66) | - | - | High
|
||||
23 | [45.128.221.169](https://vuldb.com/?ip.45.128.221.169) | - | - | High
|
||||
24 | [45.128.221.172](https://vuldb.com/?ip.45.128.221.172) | - | - | High
|
||||
25 | [45.128.221.182](https://vuldb.com/?ip.45.128.221.182) | - | - | High
|
||||
26 | [45.128.221.186](https://vuldb.com/?ip.45.128.221.186) | - | - | High
|
||||
27 | ... | ... | ... | ...
|
||||
|
||||
There are 103 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _PingPull_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 17 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by PingPull. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/api/trackedEntityInstances` | High
|
||||
2 | File | `/cgi-bin/portal` | High
|
||||
3 | File | `/cgi-bin/wapopen` | High
|
||||
4 | File | `/download` | Medium
|
||||
5 | File | `/etc/shadow` | Medium
|
||||
6 | File | `/inc/extensions.php` | High
|
||||
7 | File | `/Items/*/RemoteImages/Download` | High
|
||||
8 | File | `/mifs/c/i/reg/reg.html` | High
|
||||
9 | File | `/nova/bin/console` | High
|
||||
10 | File | `/out.php` | Medium
|
||||
11 | File | `/owa/auth/logon.aspx` | High
|
||||
12 | File | `/req_password_user.php` | High
|
||||
13 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
14 | File | `/service/upload` | High
|
||||
15 | ... | ... | ...
|
||||
|
||||
There are 121 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/342/pingpull-trojan-iocs/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -25,6 +25,7 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
2 | T1505 | CWE-89 | SQL Injection | High
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
|
|
@ -16,6 +16,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [PT](https://vuldb.com/?country.pt)
|
||||
* [TR](https://vuldb.com/?country.tr)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -49,7 +50,7 @@ ID | Technique | Weakness | Description | Confidence
|
|||
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
6 | ... | ... | ... | ...
|
||||
|
||||
There are 21 more TTP items available. Please use our online service to access the data.
|
||||
There are 20 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -59,27 +60,29 @@ ID | Type | Indicator | Confidence
|
|||
-- | ---- | --------- | ----------
|
||||
1 | File | `/admin` | Low
|
||||
2 | File | `/api/plugin/uninstall` | High
|
||||
3 | File | `/assets/partials/_handleLogin.php` | High
|
||||
4 | File | `/cgi-bin/ExportAllSettings.sh` | High
|
||||
5 | File | `/context.json` | High
|
||||
6 | File | `/ecrire` | Low
|
||||
7 | File | `/edituser.php` | High
|
||||
8 | File | `/login.php` | Medium
|
||||
9 | File | `/modules/caddyhttp/rewrite/rewrite.go` | High
|
||||
10 | File | `/pages/activity/activity.php` | High
|
||||
11 | File | `/pages/permit/permit.php` | High
|
||||
12 | File | `/php_action/createUser.php` | High
|
||||
13 | File | `/req_password_user.php` | High
|
||||
14 | File | `/show_news.php` | High
|
||||
15 | File | `/sistema/flash/reboot` | High
|
||||
16 | File | `/smarthome/devicecontrol` | High
|
||||
17 | File | `/src/video/x11/SDL_x11yuv.c` | High
|
||||
18 | File | `/wordpress-gallery-transformation/gallery.php` | High
|
||||
19 | File | `adm.cgi` | Low
|
||||
20 | File | `admin.php` | Medium
|
||||
21 | ... | ... | ...
|
||||
3 | File | `/artist-display.php` | High
|
||||
4 | File | `/assets/partials/_handleLogin.php` | High
|
||||
5 | File | `/cgi-bin/ExportAllSettings.sh` | High
|
||||
6 | File | `/context.json` | High
|
||||
7 | File | `/ecrire` | Low
|
||||
8 | File | `/editbrand.php` | High
|
||||
9 | File | `/edituser.php` | High
|
||||
10 | File | `/login.php` | Medium
|
||||
11 | File | `/modules/caddyhttp/rewrite/rewrite.go` | High
|
||||
12 | File | `/movie.php` | Medium
|
||||
13 | File | `/pages/activity/activity.php` | High
|
||||
14 | File | `/pages/permit/permit.php` | High
|
||||
15 | File | `/php_action/createUser.php` | High
|
||||
16 | File | `/req_password_user.php` | High
|
||||
17 | File | `/show_news.php` | High
|
||||
18 | File | `/sistema/flash/reboot` | High
|
||||
19 | File | `/smarthome/devicecontrol` | High
|
||||
20 | File | `/src/video/x11/SDL_x11yuv.c` | High
|
||||
21 | File | `/wordpress-gallery-transformation/gallery.php` | High
|
||||
22 | File | `adm.cgi` | Low
|
||||
23 | ... | ... | ...
|
||||
|
||||
There are 170 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 194 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -10,6 +10,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* [KZ](https://vuldb.com/?country.kz)
|
||||
* [RU](https://vuldb.com/?country.ru)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -30,7 +31,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
1 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
2 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
3 | T1068 | CWE-269 | Execution with Unnecessary Privileges | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 2 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
|
|
@ -0,0 +1,84 @@
|
|||
# Raspberry Robin - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Raspberry Robin](https://vuldb.com/?actor.raspberry_robin). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.raspberry_robin](https://vuldb.com/?actor.raspberry_robin)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Raspberry Robin:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [ES](https://vuldb.com/?country.es)
|
||||
* [RU](https://vuldb.com/?country.ru)
|
||||
* ...
|
||||
|
||||
There are 9 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Raspberry Robin.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [37.223.74.108](https://vuldb.com/?ip.37.223.74.108) | - | - | High
|
||||
2 | [46.11.6.104](https://vuldb.com/?ip.46.11.6.104) | - | - | High
|
||||
3 | [46.11.83.236](https://vuldb.com/?ip.46.11.83.236) | - | - | High
|
||||
4 | [46.11.88.157](https://vuldb.com/?ip.46.11.88.157) | - | - | High
|
||||
5 | [46.11.88.251](https://vuldb.com/?ip.46.11.88.251) | - | - | High
|
||||
6 | [46.217.252.5](https://vuldb.com/?ip.46.217.252.5) | - | - | High
|
||||
7 | [46.217.252.172](https://vuldb.com/?ip.46.217.252.172) | - | - | High
|
||||
8 | [46.246.235.240](https://vuldb.com/?ip.46.246.235.240) | 46.246.235.240.dsl.dyn.forthnet.gr | - | High
|
||||
9 | [47.62.21.60](https://vuldb.com/?ip.47.62.21.60) | 47-62-21-60.red-acceso.airtel.net | - | High
|
||||
10 | [47.62.80.170](https://vuldb.com/?ip.47.62.80.170) | 47-62-80-170.red-acceso.airtel.net | - | High
|
||||
11 | [62.117.214.168](https://vuldb.com/?ip.62.117.214.168) | 62.117.214.168.dyn.user.ono.com | - | High
|
||||
12 | [77.0.14.225](https://vuldb.com/?ip.77.0.14.225) | dynamic-077-000-014-225.77.0.pool.telefonica.de | - | High
|
||||
13 | [77.0.54.234](https://vuldb.com/?ip.77.0.54.234) | dynamic-077-000-054-234.77.0.pool.telefonica.de | - | High
|
||||
14 | ... | ... | ... | ...
|
||||
|
||||
There are 50 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Raspberry Robin_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1055 | CWE-74 | Injection | High
|
||||
3 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 14 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Raspberry Robin. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/+CSCOE+/logon.html` | High
|
||||
2 | File | `/.env` | Low
|
||||
3 | File | `/server-info` | Medium
|
||||
4 | File | `/usr/bin/pkexec` | High
|
||||
5 | ... | ... | ...
|
||||
|
||||
There are 32 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/191/raspberry-robin-worm-iocs/
|
||||
* https://1275.ru/ioc/365/raspberry-robin-worm-iocs-part-2/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -0,0 +1,30 @@
|
|||
# Rozena - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Rozena](https://vuldb.com/?actor.rozena). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.rozena](https://vuldb.com/?actor.rozena)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Rozena.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [18.231.121.185](https://vuldb.com/?ip.18.231.121.185) | ec2-18-231-121-185.sa-east-1.compute.amazonaws.com | - | Medium
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/435/rozena-backdoor-iocs/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -0,0 +1,68 @@
|
|||
# SYK - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [SYK](https://vuldb.com/?actor.syk). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.syk](https://vuldb.com/?actor.syk)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with SYK:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [IT](https://vuldb.com/?country.it)
|
||||
* [ES](https://vuldb.com/?country.es)
|
||||
* ...
|
||||
|
||||
There are 5 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of SYK.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [185.19.85.163](https://vuldb.com/?ip.185.19.85.163) | - | - | High
|
||||
2 | [185.140.53.174](https://vuldb.com/?ip.185.140.53.174) | - | - | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _SYK_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1055 | CWE-74 | Injection | High
|
||||
2 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
3 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 9 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by SYK. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/admin/syslog` | High
|
||||
2 | File | `/see_more_details.php` | High
|
||||
3 | File | `admin/admin_users.php` | High
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 24 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/229/syk-crypter-iocs/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -4,12 +4,6 @@ These _indicators_ were reported, collected, and generated during the [VulDB CTI
|
|||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.sage](https://vuldb.com/?actor.sage)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Sage:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Sage.
|
||||
|
@ -37,11 +31,11 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
2 | T1055 | CWE-74 | Injection | High
|
||||
3 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 9 more TTP items available. Please use our online service to access the data.
|
||||
There are 11 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -49,21 +43,47 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/admin/inquiries/view_details.php` | High
|
||||
2 | File | `/tmp/zarafa-vacation-*` | High
|
||||
3 | File | `apl_42.c` | Medium
|
||||
4 | File | `arch/arm/p2m.c` | High
|
||||
5 | File | `arch/powerpc/kernel/process.c` | High
|
||||
6 | File | `arch/x86/mm/guest_walk.c` | High
|
||||
7 | File | `auth.c` | Low
|
||||
8 | File | `block/qcow.c` | Medium
|
||||
9 | File | `cgi-bin/webproc` | High
|
||||
10 | File | `cgi_main.c` | Medium
|
||||
11 | File | `class.phpmailer.php` | High
|
||||
12 | File | `content/content.systempreferences.php` | High
|
||||
13 | ... | ... | ...
|
||||
1 | File | `/admin/inc/include.php` | High
|
||||
2 | File | `/auth/callback` | High
|
||||
3 | File | `/modules/admin/vw_usr_roles.php` | High
|
||||
4 | File | `/modules/public/calendar.php` | High
|
||||
5 | File | `/profiles/` | Medium
|
||||
6 | File | `/resolv/nss_dns/dns-host.c` | High
|
||||
7 | File | `/util/print.c` | High
|
||||
8 | File | `account.asp` | Medium
|
||||
9 | File | `accounts/inc/include.php` | High
|
||||
10 | File | `add.php` | Low
|
||||
11 | File | `add_comment.php` | High
|
||||
12 | File | `add_contents.htm` | High
|
||||
13 | File | `add_review.htm` | High
|
||||
14 | File | `admin/BunchDetail.do` | High
|
||||
15 | File | `admin/main.php` | High
|
||||
16 | File | `advertiser.php` | High
|
||||
17 | File | `arch/powerpc/kernel/process.c` | High
|
||||
18 | File | `arch/s390/include/asm/mmu_context.h` | High
|
||||
19 | File | `arch/x86/mm/tlb.c` | High
|
||||
20 | File | `attachment_send.php` | High
|
||||
21 | File | `audit/class.audit.php` | High
|
||||
22 | File | `badlogin.php` | Medium
|
||||
23 | File | `browse.php` | Medium
|
||||
24 | File | `browsecats.php` | High
|
||||
25 | File | `C:\mingw64\bin\git.exe` | High
|
||||
26 | File | `cart.php` | Medium
|
||||
27 | File | `category.php` | Medium
|
||||
28 | File | `cdf.c` | Low
|
||||
29 | File | `check.php` | Medium
|
||||
30 | File | `closeup.php` | Medium
|
||||
31 | File | `comments.php` | Medium
|
||||
32 | File | `compiler/pipeline.cc` | High
|
||||
33 | File | `conf/revize.xml` | High
|
||||
34 | File | `config.php` | Medium
|
||||
35 | File | `contact.htm` | Medium
|
||||
36 | File | `containing` | Medium
|
||||
37 | File | `content.php` | Medium
|
||||
38 | File | `contents.php` | Medium
|
||||
39 | ... | ... | ...
|
||||
|
||||
There are 100 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 334 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -92,7 +92,7 @@ ID | Type | Indicator | Confidence
|
|||
30 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
|
||||
31 | ... | ... | ...
|
||||
|
||||
There are 262 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 263 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -757,7 +757,7 @@ ID | Technique | Weakness | Description | Confidence
|
|||
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
6 | ... | ... | ... | ...
|
||||
|
||||
There are 19 more TTP items available. Please use our online service to access the data.
|
||||
There are 18 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
|
|
@ -72,40 +72,40 @@ ID | Type | Indicator | Confidence
|
|||
7 | File | `/dashboard/reports/logs/view` | High
|
||||
8 | File | `/dashboard/system/express/entities/forms/save_control/[GUID]` | High
|
||||
9 | File | `/dev/cuse` | Medium
|
||||
10 | File | `/download` | Medium
|
||||
11 | File | `/etc/config/rpcd` | High
|
||||
12 | File | `/EXCU_SHELL` | Medium
|
||||
13 | File | `/export` | Low
|
||||
14 | File | `/forum/away.php` | High
|
||||
15 | File | `/gena.cgi` | Medium
|
||||
16 | File | `/goform/webSettingProfileSecurity` | High
|
||||
17 | File | `/login` | Low
|
||||
18 | File | `/mgmt/tm/util/bash` | High
|
||||
19 | File | `/MIME/INBOX-MM-1/` | High
|
||||
20 | File | `/ms/file/uploadTemplate.do` | High
|
||||
21 | File | `/netflow/jspui/editProfile.jsp` | High
|
||||
22 | File | `/novel-admin/src/main/java/com/java2nb/common/controller/FileController.java` | High
|
||||
23 | File | `/ofrs/admin/?page=requests/view_request` | High
|
||||
24 | File | `/opt/IBM/es/lib/libffq.cryptionjni.so` | High
|
||||
25 | File | `/out.php` | Medium
|
||||
26 | File | `/php/ajax.php` | High
|
||||
27 | File | `/public/login.htm` | High
|
||||
28 | File | `/rapi/read_url` | High
|
||||
29 | File | `/sec/content/sec_asa_users_local_db_add.html` | High
|
||||
30 | File | `/see_more_details.php` | High
|
||||
31 | File | `/service/v1/createUser` | High
|
||||
32 | File | `/setSystemAdmin` | High
|
||||
33 | File | `/Storage/Emulated/0/Telegram/Telegram` | High
|
||||
34 | File | `/thruk/#cgi-bin/extinfo.cgi?type=2` | High
|
||||
35 | File | `/uncpath/` | Medium
|
||||
36 | File | `/user/dls_download.php` | High
|
||||
37 | File | `/vicidial/user_stats.php` | High
|
||||
38 | File | `/vloggers_merch/admin/?page=orders/view_order` | High
|
||||
39 | File | `/wp-admin/admin-ajax.php` | High
|
||||
40 | File | `/wp-admin/admin-post.php?es_skip=1&option_name` | High
|
||||
10 | File | `/etc/config/rpcd` | High
|
||||
11 | File | `/EXCU_SHELL` | Medium
|
||||
12 | File | `/export` | Low
|
||||
13 | File | `/forum/away.php` | High
|
||||
14 | File | `/gena.cgi` | Medium
|
||||
15 | File | `/goform/webSettingProfileSecurity` | High
|
||||
16 | File | `/login` | Low
|
||||
17 | File | `/mgmt/tm/util/bash` | High
|
||||
18 | File | `/MIME/INBOX-MM-1/` | High
|
||||
19 | File | `/ms/file/uploadTemplate.do` | High
|
||||
20 | File | `/netflow/jspui/editProfile.jsp` | High
|
||||
21 | File | `/novel-admin/src/main/java/com/java2nb/common/controller/FileController.java` | High
|
||||
22 | File | `/ofrs/admin/?page=requests/view_request` | High
|
||||
23 | File | `/opt/IBM/es/lib/libffq.cryptionjni.so` | High
|
||||
24 | File | `/out.php` | Medium
|
||||
25 | File | `/php/ajax.php` | High
|
||||
26 | File | `/public/login.htm` | High
|
||||
27 | File | `/rapi/read_url` | High
|
||||
28 | File | `/sec/content/sec_asa_users_local_db_add.html` | High
|
||||
29 | File | `/see_more_details.php` | High
|
||||
30 | File | `/service/v1/createUser` | High
|
||||
31 | File | `/setSystemAdmin` | High
|
||||
32 | File | `/Storage/Emulated/0/Telegram/Telegram` | High
|
||||
33 | File | `/thruk/#cgi-bin/extinfo.cgi?type=2` | High
|
||||
34 | File | `/uncpath/` | Medium
|
||||
35 | File | `/user/dls_download.php` | High
|
||||
36 | File | `/vicidial/user_stats.php` | High
|
||||
37 | File | `/vloggers_merch/admin/?page=orders/view_order` | High
|
||||
38 | File | `/wp-admin/admin-ajax.php` | High
|
||||
39 | File | `/wp-admin/admin-post.php?es_skip=1&option_name` | High
|
||||
40 | File | `/wp-content/plugins/updraftplus/admin.php` | High
|
||||
41 | ... | ... | ...
|
||||
|
||||
There are 358 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 355 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -103,7 +103,7 @@ ID | Type | Indicator | Confidence
|
|||
40 | File | `Array.prototype.concat` | High
|
||||
41 | ... | ... | ...
|
||||
|
||||
There are 351 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 352 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -60,7 +60,7 @@ ID | Type | Indicator | Confidence
|
|||
9 | File | `addentry.php` | Medium
|
||||
10 | ... | ... | ...
|
||||
|
||||
There are 77 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 78 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -0,0 +1,90 @@
|
|||
# SolarMarker - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [SolarMarker](https://vuldb.com/?actor.solarmarker). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.solarmarker](https://vuldb.com/?actor.solarmarker)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with SolarMarker:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [FR](https://vuldb.com/?country.fr)
|
||||
* [GB](https://vuldb.com/?country.gb)
|
||||
* ...
|
||||
|
||||
There are 23 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of SolarMarker.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [37.120.233.92](https://vuldb.com/?ip.37.120.233.92) | no-rdns.m247.com | - | High
|
||||
2 | [37.120.237.251](https://vuldb.com/?ip.37.120.237.251) | - | - | High
|
||||
3 | [45.42.201.248](https://vuldb.com/?ip.45.42.201.248) | - | - | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 7 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _SolarMarker_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
|
||||
2 | T1055 | CWE-74 | Injection | High
|
||||
3 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
4 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 16 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by SolarMarker. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `.htaccess` | Medium
|
||||
2 | File | `/cloud_config/router_post/register` | High
|
||||
3 | File | `/etc/gsissh/sshd_config` | High
|
||||
4 | File | `/forms/nslookupHandler` | High
|
||||
5 | File | `/include/chart_generator.php` | High
|
||||
6 | File | `/log_download.cgi` | High
|
||||
7 | File | `/mgmt/tm/util/bash` | High
|
||||
8 | File | `/news.dtl.php` | High
|
||||
9 | File | `/p1/p2/:name` | Medium
|
||||
10 | File | `/ptms/?page=user` | High
|
||||
11 | File | `/setup/finish` | High
|
||||
12 | File | `/uncpath/` | Medium
|
||||
13 | File | `/upload/file.php` | High
|
||||
14 | File | `/usr/bin/pkexec` | High
|
||||
15 | File | `/wolfcms/?/admin/user/add` | High
|
||||
16 | File | `/wp-admin` | Medium
|
||||
17 | File | `/wp-content/plugins/woocommerce/templates/emails/plain/` | High
|
||||
18 | File | `/wp-json/wc/v3/webhooks` | High
|
||||
19 | File | `5.2.9\syscrb.exe` | High
|
||||
20 | File | `adclick.php` | Medium
|
||||
21 | ... | ... | ...
|
||||
|
||||
There are 175 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/184/solarmarker-malware-iocs/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -0,0 +1,77 @@
|
|||
# Space Pirates - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Space Pirates](https://vuldb.com/?actor.space_pirates). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.space_pirates](https://vuldb.com/?actor.space_pirates)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Space Pirates:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* [JP](https://vuldb.com/?country.jp)
|
||||
* ...
|
||||
|
||||
There are 2 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Space Pirates.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [45.76.145.22](https://vuldb.com/?ip.45.76.145.22) | 45.76.145.22.vultrusercontent.com | - | High
|
||||
2 | [45.77.16.91](https://vuldb.com/?ip.45.77.16.91) | 45.77.16.91.vultrusercontent.com | - | High
|
||||
3 | [47.108.89.169](https://vuldb.com/?ip.47.108.89.169) | - | - | High
|
||||
4 | [103.27.109.234](https://vuldb.com/?ip.103.27.109.234) | - | - | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 14 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Space Pirates_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1055 | CWE-74 | Injection | High
|
||||
3 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 8 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Space Pirates. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/controller/Index.php` | High
|
||||
2 | File | `/GetCSSashx/?CP=%2fwebconfig` | High
|
||||
3 | File | `/includes/rrdtool.inc.php` | High
|
||||
4 | File | `/srv/www/htdocs` | High
|
||||
5 | File | `api_poller.php` | High
|
||||
6 | File | `articleview.php` | High
|
||||
7 | File | `authent.php4` | Medium
|
||||
8 | ... | ... | ...
|
||||
|
||||
There are 57 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/224/space-pirates-p1rat-apt-iocs/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -0,0 +1,77 @@
|
|||
# StrikeSuit Gif - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [StrikeSuit Gif](https://vuldb.com/?actor.strikesuit_gif). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.strikesuit_gif](https://vuldb.com/?actor.strikesuit_gif)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with StrikeSuit Gif:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [TR](https://vuldb.com/?country.tr)
|
||||
* [RU](https://vuldb.com/?country.ru)
|
||||
* ...
|
||||
|
||||
There are 1 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of StrikeSuit Gif.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [23.227.196.210](https://vuldb.com/?ip.23.227.196.210) | 23-227-196-210.static.hvvc.us | - | High
|
||||
2 | [80.255.3.87](https://vuldb.com/?ip.80.255.3.87) | 0zr0.netdoincr.com | - | High
|
||||
3 | [86.105.18.241](https://vuldb.com/?ip.86.105.18.241) | - | - | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 3 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _StrikeSuit Gif_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1055 | CWE-74 | Injection | High
|
||||
3 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 13 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by StrikeSuit Gif. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/cgi-bin/cgiServer.exx` | High
|
||||
2 | File | `/event/runquery.do` | High
|
||||
3 | File | `/system/ws/v11/ss/email` | High
|
||||
4 | File | `add_vhost.php` | High
|
||||
5 | File | `adv2.php?action=modify` | High
|
||||
6 | File | `agent.cfg` | Medium
|
||||
7 | File | `arch/x86/include/asm/fpu/internal.h` | High
|
||||
8 | File | `asm/float.c` | Medium
|
||||
9 | ... | ... | ...
|
||||
|
||||
There are 70 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/185/strikesuit-gif-malware-iocs/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -71,9 +71,10 @@ ID | Type | Indicator | Confidence
|
|||
13 | File | `/fantasticblog/single.php` | High
|
||||
14 | File | `/goform/aspForm` | High
|
||||
15 | File | `/jpg/image.jpg` | High
|
||||
16 | ... | ... | ...
|
||||
16 | File | `/Main_AdmStatus_Content.asp` | High
|
||||
17 | ... | ... | ...
|
||||
|
||||
There are 127 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 135 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -0,0 +1,72 @@
|
|||
# Sysrv - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Sysrv](https://vuldb.com/?actor.sysrv). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.sysrv](https://vuldb.com/?actor.sysrv)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Sysrv:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* [SI](https://vuldb.com/?country.si)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Sysrv.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [31.42.177.123](https://vuldb.com/?ip.31.42.177.123) | scalemany.com | - | High
|
||||
2 | [31.210.20.120](https://vuldb.com/?ip.31.210.20.120) | - | - | High
|
||||
3 | [31.210.20.181](https://vuldb.com/?ip.31.210.20.181) | - | - | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 5 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Sysrv_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-21, CWE-22 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 13 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Sysrv. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/admin/contenttemp` | High
|
||||
2 | File | `/member/picture/album` | High
|
||||
3 | File | `/products/details.asp` | High
|
||||
4 | File | `/services/details.asp` | High
|
||||
5 | File | `admin.php` | Medium
|
||||
6 | File | `comersus_optreviewreadexec.asp` | High
|
||||
7 | ... | ... | ...
|
||||
|
||||
There are 48 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/218/sysrv-botnet-iocs/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -31,7 +31,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1068 | CWE-284 | Execution with Unnecessary Privileges | High
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
3 | T1068 | CWE-284 | Execution with Unnecessary Privileges | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 1 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
|
|
@ -10,10 +10,10 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [RU](https://vuldb.com/?country.ru)
|
||||
* [IR](https://vuldb.com/?country.ir)
|
||||
* [GB](https://vuldb.com/?country.gb)
|
||||
* ...
|
||||
|
||||
There are 2 more country items available. Please use our online service to access the data.
|
||||
There are 3 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -22,7 +22,13 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
|
|||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [5.149.255.178](https://vuldb.com/?ip.5.149.255.178) | - | - | High
|
||||
2 | [185.80.54.18](https://vuldb.com/?ip.185.80.54.18) | specific.hornycone.com | - | High
|
||||
2 | [13.107.21.200](https://vuldb.com/?ip.13.107.21.200) | - | - | High
|
||||
3 | [34.107.221.82](https://vuldb.com/?ip.34.107.221.82) | 82.221.107.34.bc.googleusercontent.com | - | Medium
|
||||
4 | [34.213.158.239](https://vuldb.com/?ip.34.213.158.239) | ec2-34-213-158-239.us-west-2.compute.amazonaws.com | - | Medium
|
||||
5 | [34.214.44.170](https://vuldb.com/?ip.34.214.44.170) | ec2-34-214-44-170.us-west-2.compute.amazonaws.com | - | Medium
|
||||
6 | ... | ... | ... | ...
|
||||
|
||||
There are 21 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
@ -30,12 +36,13 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1211 | CWE-358 | 7PK Security Features | High
|
||||
4 | ... | ... | ... | ...
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
2 | T1055 | CWE-74 | Injection | High
|
||||
3 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
4 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 1 more TTP items available. Please use our online service to access the data.
|
||||
There are 14 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -43,18 +50,31 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/api/json/admin/getmailserversettings` | High
|
||||
2 | File | `administrative` | High
|
||||
3 | File | `sc.exe` | Low
|
||||
4 | ... | ... | ...
|
||||
1 | File | `/admin/` | Low
|
||||
2 | File | `/admin/account/changepassword` | High
|
||||
3 | File | `/admin/users.php` | High
|
||||
4 | File | `/api/json/admin/getmailserversettings` | High
|
||||
5 | File | `/artist.php` | Medium
|
||||
6 | File | `/bin/su` | Low
|
||||
7 | File | `/data/system/users/0/settings_secure.xml` | High
|
||||
8 | File | `/dev/mem` | Medium
|
||||
9 | File | `/dev/urandom` | Medium
|
||||
10 | File | `/etc/dt` | Low
|
||||
11 | File | `/etc/password` | High
|
||||
12 | File | `/show_group_members.php` | High
|
||||
13 | File | `/usr/etc/rpc.passwd` | High
|
||||
14 | File | `/WEB-INF/web.xml` | High
|
||||
15 | ... | ... | ...
|
||||
|
||||
There are 9 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 121 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://blog.talosintelligence.com/2018/08/threat-roundup-0810-0817.html
|
||||
* https://blog.talosintelligence.com/2019/04/threat-roundup-0405-0412.html
|
||||
* https://blog.talosintelligence.com/2020/12/threat-roundup-1211-1218.html
|
||||
|
||||
## Literature
|
||||
|
||||
|
|
|
@ -0,0 +1,85 @@
|
|||
# TraderTraitor - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [TraderTraitor](https://vuldb.com/?actor.tradertraitor). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.tradertraitor](https://vuldb.com/?actor.tradertraitor)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with TraderTraitor:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [DE](https://vuldb.com/?country.de)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* ...
|
||||
|
||||
There are 8 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of TraderTraitor.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [38.132.124.161](https://vuldb.com/?ip.38.132.124.161) | - | - | High
|
||||
2 | [45.14.227.58](https://vuldb.com/?ip.45.14.227.58) | static.pwxs.net | - | High
|
||||
3 | [46.16.62.238](https://vuldb.com/?ip.46.16.62.238) | fnadh-35.srv.cat | - | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 10 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _TraderTraitor_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 15 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by TraderTraitor. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/admin/countrymanagement.php` | High
|
||||
2 | File | `/admin/newsletter1.php` | High
|
||||
3 | File | `/admin/payment.php` | High
|
||||
4 | File | `/doc/packages` | High
|
||||
5 | File | `/forum/away.php` | High
|
||||
6 | File | `/getcfg.php` | Medium
|
||||
7 | File | `/login` | Low
|
||||
8 | File | `/newsDia.php` | Medium
|
||||
9 | File | `/product_list.php` | High
|
||||
10 | File | `/rom-0` | Low
|
||||
11 | File | `/scas/admin/` | Medium
|
||||
12 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
13 | File | `/var/log/nginx` | High
|
||||
14 | File | `/web/entry/en/address/adrsSetUserWizard.cgi` | High
|
||||
15 | File | `adclick.php` | Medium
|
||||
16 | ... | ... | ...
|
||||
|
||||
There are 130 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/126/tradertraitor-iocs/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -225,7 +225,7 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-425 | Pathname Traversal | High
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
|
@ -239,27 +239,23 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `.python-version` | High
|
||||
2 | File | `/addNotifyServlet` | High
|
||||
3 | File | `/admin/curltest.cgi` | High
|
||||
4 | File | `/admin/js` | Medium
|
||||
5 | File | `/admin/vca/bia/addacph.cgi` | High
|
||||
6 | File | `/api/plugin/uninstall` | High
|
||||
7 | File | `/api/plugin/upload` | High
|
||||
8 | File | `/cgi-bin/ExportAllSettings.sh` | High
|
||||
9 | File | `/cgi-bin/mesh.cgi?page=upgrade` | High
|
||||
10 | File | `/cgi-bin/nightled.cgi` | High
|
||||
11 | File | `/cgi-bin/touchlist_sync.cgi` | High
|
||||
12 | File | `/dashboard/profile.php` | High
|
||||
13 | File | `/donor-wall` | Medium
|
||||
14 | File | `/edituser.php` | High
|
||||
15 | File | `/etc/init.d/sshd_service` | High
|
||||
16 | File | `/forum/away.php` | High
|
||||
17 | File | `/index.php` | Medium
|
||||
18 | File | `/index.php/?p=report` | High
|
||||
19 | ... | ... | ...
|
||||
1 | File | `/addNotifyServlet` | High
|
||||
2 | File | `/admin/js` | Medium
|
||||
3 | File | `/admin/operations/packages.php` | High
|
||||
4 | File | `/api/plugin/uninstall` | High
|
||||
5 | File | `/api/plugin/upload` | High
|
||||
6 | File | `/cgi-bin/ExportAllSettings.sh` | High
|
||||
7 | File | `/edituser.php` | High
|
||||
8 | File | `/etc/init.d/sshd_service` | High
|
||||
9 | File | `/index.php/?p=report` | High
|
||||
10 | File | `/index.php?r=site%2Fsignup` | High
|
||||
11 | File | `/modules/caddyhttp/rewrite/rewrite.go` | High
|
||||
12 | File | `/nav_bar_action.php` | High
|
||||
13 | File | `/pages/activity/activity.php` | High
|
||||
14 | File | `/pages/permit/permit.php` | High
|
||||
15 | ... | ... | ...
|
||||
|
||||
There are 151 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 121 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue