Update
parent ddc7826ca2
commit bf4ee41f97
@ -70,20 +70,21 @@ ID | Type | Indicator | Confidence
13 | File | `/mcategory.php` | High
14 | File | `/out.php` | Medium
15 | File | `/p` | Low
16 | File | `/uncpath/` | Medium
17 | File | `/usr/bin/uucp` | High
18 | File | `/usr/local/contego/scripts/mgrconfig.pl` | High
19 | File | `/web/google_analytics.php` | High
20 | File | `/webadmin.nsf/dlgFilesFolderNew` | High
21 | File | `/whbs/admin/?page=user` | High
22 | File | `/_readmail` | Medium
23 | File | `admin.php3` | Medium
24 | File | `admin/index.php?c=database` | High
25 | File | `admin/index.php?id=users/action=edit/user_id=1` | High
26 | File | `administrator/components/com_media/helpers/media.php` | High
27 | ... | ... | ...
16 | File | `/pages/processlogin.php` | High
17 | File | `/uncpath/` | Medium
18 | File | `/usr/bin/uucp` | High
19 | File | `/usr/local/contego/scripts/mgrconfig.pl` | High
20 | File | `/web/google_analytics.php` | High
21 | File | `/webadmin.nsf/dlgFilesFolderNew` | High
22 | File | `/whbs/admin/?page=user` | High
23 | File | `/_readmail` | Medium
24 | File | `admin.php3` | Medium
25 | File | `admin/index.php?c=database` | High
26 | File | `admin/index.php?id=users/action=edit/user_id=1` | High
27 | File | `administrator/components/com_media/helpers/media.php` | High
28 | ... | ... | ...

There are 231 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 232 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

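Review bot: the ID column is positional, so the single insertion of `/pages/processlogin.php` renumbers every row after it (`/uncpath/` moves from 16 to 17, `administrator/components/com_media/helpers/media.php` from 26 to 27) and the hunk reads as a rewrite of every listed row for a one-row change. If these tables are meant to be diffed and reviewed, key each row on the indicator value and drop the running ID, or emit the ID outside the diffed content.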
@ -15,6 +15,11 @@ The following _campaigns_ are known and can be associated with 8220 Gang:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with 8220 Gang:

* [US](https://vuldb.com/?country.us)
* [SE](https://vuldb.com/?country.se)
* [ES](https://vuldb.com/?country.es)
* ...

There are 5 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -24,10 +29,10 @@ ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [51.79.175.139](https://vuldb.com/?ip.51.79.175.139) | vps-dc8b0481.vps.ovh.ca | CVE-2022-26134 | High
2 | [51.255.171.23](https://vuldb.com/?ip.51.255.171.23) | vps-fc1a1567.vps.ovh.net | CVE-2022-26134 | High
3 | [146.59.198.38](https://vuldb.com/?ip.146.59.198.38) | vps-19ede15a.vps.ovh.net | CVE-2022-26134 | High
3 | [89.34.27.167](https://vuldb.com/?ip.89.34.27.167) | core.afadashop.com | - | High
4 | ... | ... | ... | ...

There are 3 more IOC items available. Please use our online service to access the data.
There are 6 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

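Review bot: the rendered window is capped at three rows, so inserting `89.34.27.167` as the new row 3 pushes `146.59.198.38` (the third CVE-2022-26134 host on OVH) out of this file while the footer only moves from 3 to 6 "more" items. A reader of this markdown cannot tell a retired indicator from one that merely fell below the cut; either render the full table or list removals explicitly so an IOC consumer does not silently lose the entry.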
@ -35,12 +40,13 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059 | CWE-94 | Cross Site Scripting | High
2 | T1059.007 | CWE-79 | Cross Site Scripting | High
3 | T1068 | CWE-269 | Execution with Unnecessary Privileges | High
4 | ... | ... | ... | ...
1 | T1006 | CWE-22, CWE-23 | Pathname Traversal | High
2 | T1055 | CWE-74 | Injection | High
3 | T1059 | CWE-94 | Cross Site Scripting | High
4 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
5 | ... | ... | ... | ...

There are 3 more TTP items available. Please use our online service to access the data.
There are 15 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

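Review bot: rows 3 and 4 carry the same description, "Cross Site Scripting", for different weaknesses: T1059 / CWE-94 and T1059.007 / CWE-79, CWE-80. CWE-94 is code injection (improper control of code generation), not XSS, so the label fits only row 4; derive the Description column from the listed CWE, or leave it empty where technique and weakness do not share one, otherwise anyone mapping these rows to content rules targets the wrong class of payload.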
@ -48,18 +54,30 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `data/gbconfiguration.dat` | High
2 | File | `GatewaySettings.bin` | High
3 | File | `import.php` | Medium
4 | ... | ... | ...
1 | File | `/cgi-bin/web_index.cgi?lang=en&src=AwSystem.html&ertqVvnKV4TjU9Vt` | High
2 | File | `/control/stream` | High
3 | File | `/MicroStrategyWS/happyaxis.jsp` | High
4 | File | `/product_list.php` | High
5 | File | `/SM8250_Q_Master/android/vendor/oppo_charger/oppo/oppo_charger.c` | High
6 | File | `/tmp` | Low
7 | File | `/ucms/chk.php` | High
8 | File | `/uncpath/` | Medium
9 | File | `/wp-content/plugins/woocommerce/templates/emails/plain/` | High
10 | File | `add-category.php` | High
11 | File | `admin/content/postcategory` | High
12 | File | `AdminByRequest.exe` | High
13 | File | `announcements.php` | High
14 | File | `app/View/Users/statistics_orgs.ctp` | High
15 | ... | ... | ...

There are 6 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 115 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://1275.ru/ioc/503/8220-botnet-iocs/
* https://asec.ahnlab.com/en/36820/
* https://blog.checkpoint.com/2022/06/09/crypto-miners-leveraging-atlassian-zero-day-vulnerability/

## Literature

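Review bot: this hunk grows the actor's IOA set from 9 items (3 shown plus 6 more) to 129 (14 shown plus 115 more) in one update, and the new rows include generic paths such as `/tmp` (Low), `/uncpath/` (Medium) and `/product_list.php`, plus `/SM8250_Q_Master/android/vendor/oppo_charger/oppo/oppo_charger.c`, a driver source path rather than anything seen on the wire. A jump of that size is worth checking against the association rule that generates the table before consumers load these rows as 8220 Gang indicators; recording a first-seen date per row would let the jump be audited later.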
@ -39,7 +39,7 @@ ID | Technique | Weakness | Description | Confidence
3 | T1059 | CWE-94 | Cross Site Scripting | High
4 | ... | ... | ... | ...

There are 6 more TTP items available. Please use our online service to access the data.
There are 7 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

@ -53,9 +53,11 @@ ID | IP address | Hostname | Campaign | Confidence
22 | [43.245.196.122](https://vuldb.com/?ip.43.245.196.122) | - | Cache Panda | High
23 | [43.245.196.123](https://vuldb.com/?ip.43.245.196.123) | - | Cache Panda | High
24 | [43.245.196.124](https://vuldb.com/?ip.43.245.196.124) | - | Cache Panda | High
25 | ... | ... | ... | ...
25 | [45.62.112.161](https://vuldb.com/?ip.45.62.112.161) | 45.62.112.161.16clouds.com | Cloud Hopper | High
26 | [45.138.157.83](https://vuldb.com/?ip.45.138.157.83) | google.com.tm | A41APT | High
27 | ... | ... | ... | ...

There are 98 more IOC items available. Please use our online service to access the data.
There are 104 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

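Review bot: row 26 lists `google.com.tm` as the hostname for `45.138.157.83`. The Hostname column is reverse DNS, which the address holder sets freely, so a lookalike of this kind must not feed allowlists or hostname-based attribution; state in the column header (or in the README that generates it) that Hostname is PTR data as observed, not a validated owner, and consider flagging rows whose PTR imitates a well-known domain.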
@ -111,12 +113,13 @@ ID | Type | Indicator | Confidence
32 | File | `admin.jcomments.php` | High
33 | ... | ... | ...

There are 286 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 283 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://github.com/blackorbird/APT_REPORT/blob/master/summary/2021/mpressioncss_ta_report_2020_5_en.pdf
* https://github.com/janhenrikdotcom/iocs/blob/master/APT10/Operation%20Cloud%20Hopper%20-%20Indicators%20of%20Compromise%20v3.csv
* https://github.com/PwCUK-CTO/OperationCloudHopper/blob/master/cloud-hopper-indicators-of-compromise-v3.csv
* https://github.com/riduangan/APT10/blob/master/IOC

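Review bot: the `janhenrikdotcom/iocs/.../Operation Cloud Hopper - Indicators of Compromise v3.csv` and `PwCUK-CTO/OperationCloudHopper/.../cloud-hopper-indicators-of-compromise-v3.csv` entries appear to be the same v3 indicator file, one a mirror of the other; keep the PwC original as the source and either drop the mirror or mark it as such. The bare `riduangan/APT10/blob/master/IOC` entry needs at least a title so a reader knows what it reproduces.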
@ -61,7 +61,7 @@ ID | Type | Indicator | Confidence
5 | File | `data/gbconfiguration.dat` | High
6 | ... | ... | ...

There are 40 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 41 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -19,7 +19,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [ES](https://vuldb.com/?country.es)
* ...

There are 12 more country items available. Please use our online service to access the data.
There are 13 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -71,36 +71,37 @@ ID | Type | Indicator | Confidence
8 | File | `/infusions/shoutbox_panel/shoutbox_admin.php` | High
9 | File | `/lan.asp` | Medium
10 | File | `/modules/profile/index.php` | High
11 | File | `/oscommerce/admin/currencies.php` | High
12 | File | `/proc/pid/syscall` | High
13 | File | `/rapi/read_url` | High
14 | File | `/rom-0` | Low
15 | File | `/session/list/allActiveSession` | High
16 | File | `/syslog_rules` | High
17 | File | `/tmp/phpglibccheck` | High
18 | File | `/uncpath/` | Medium
19 | File | `/upload` | Low
20 | File | `/users/{id}` | Medium
21 | File | `/var/tmp/sess_*` | High
22 | File | `/var/WEB-GUI/cgi-bin/telnet.cgi` | High
23 | File | `/video` | Low
24 | File | `actionphp/download.File.php` | High
25 | File | `ActivityManagerService.java` | High
26 | File | `adaptmap_reg.c` | High
27 | File | `add_comment.php` | High
28 | File | `admin.cgi` | Medium
29 | File | `admin.php` | Medium
30 | File | `admin.php?action=files` | High
31 | File | `admin/admin.php` | High
32 | File | `admin/content.php` | High
33 | File | `admin/index.php?id=users/action=edit/user_id=1` | High
34 | File | `admin/modules/master_file/rda_cmc.php?keywords` | High
35 | File | `affich.php` | Medium
36 | File | `agent/Core/Controller/SendRequest.cpp` | High
37 | File | `album_portal.php` | High
38 | ... | ... | ...
11 | File | `/opt/zimbra/jetty/webapps/zimbra/public` | High
12 | File | `/oscommerce/admin/currencies.php` | High
13 | File | `/proc/pid/syscall` | High
14 | File | `/rapi/read_url` | High
15 | File | `/rom-0` | Low
16 | File | `/session/list/allActiveSession` | High
17 | File | `/syslog_rules` | High
18 | File | `/tmp/phpglibccheck` | High
19 | File | `/uncpath/` | Medium
20 | File | `/upload` | Low
21 | File | `/users/{id}` | Medium
22 | File | `/var/tmp/sess_*` | High
23 | File | `/var/WEB-GUI/cgi-bin/telnet.cgi` | High
24 | File | `/video` | Low
25 | File | `actionphp/download.File.php` | High
26 | File | `ActivityManagerService.java` | High
27 | File | `adaptmap_reg.c` | High
28 | File | `add_comment.php` | High
29 | File | `admin.cgi` | Medium
30 | File | `admin.php` | Medium
31 | File | `admin.php?action=files` | High
32 | File | `admin/admin.php` | High
33 | File | `admin/content.php` | High
34 | File | `admin/index.php?id=users/action=edit/user_id=1` | High
35 | File | `admin/modules/master_file/rda_cmc.php?keywords` | High
36 | File | `affich.php` | Medium
37 | File | `agent/Core/Controller/SendRequest.cpp` | High
38 | File | `album_portal.php` | High
39 | ... | ... | ...

There are 330 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 332 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -24,7 +24,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [US](https://vuldb.com/?country.us)
* ...

There are 10 more country items available. Please use our online service to access the data.
There are 8 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -40,48 +40,50 @@ ID | IP address | Hostname | Campaign | Confidence
6 | [18.130.154.13](https://vuldb.com/?ip.18.130.154.13) | ec2-18-130-154-13.eu-west-2.compute.amazonaws.com | - | Medium
7 | [18.133.205.135](https://vuldb.com/?ip.18.133.205.135) | ec2-18-133-205-135.eu-west-2.compute.amazonaws.com | - | Medium
8 | [18.133.249.238](https://vuldb.com/?ip.18.133.249.238) | ec2-18-133-249-238.eu-west-2.compute.amazonaws.com | - | Medium
9 | [23.163.0.59](https://vuldb.com/?ip.23.163.0.59) | naomi.rem2d.com | - | High
10 | [23.227.196.21](https://vuldb.com/?ip.23.227.196.21) | 23-227-196-21.static.hvvc.us | - | High
11 | [23.227.196.215](https://vuldb.com/?ip.23.227.196.215) | 23-227-196-215.static.hvvc.us | - | High
12 | [23.227.196.217](https://vuldb.com/?ip.23.227.196.217) | 23-227-196-217.static.hvvc.us | - | High
13 | [31.184.198.23](https://vuldb.com/?ip.31.184.198.23) | - | - | High
14 | [31.184.198.38](https://vuldb.com/?ip.31.184.198.38) | - | - | High
15 | [31.220.43.99](https://vuldb.com/?ip.31.220.43.99) | - | Sednit | High
16 | [31.220.61.251](https://vuldb.com/?ip.31.220.61.251) | - | - | High
17 | [37.235.52.18](https://vuldb.com/?ip.37.235.52.18) | 18.52.235.37.in-addr.arpa | - | High
18 | [45.32.129.185](https://vuldb.com/?ip.45.32.129.185) | 45.32.129.185.vultr.com | - | Medium
19 | [45.32.227.21](https://vuldb.com/?ip.45.32.227.21) | 45.32.227.21.mobiltel.mx | - | High
20 | [45.64.105.23](https://vuldb.com/?ip.45.64.105.23) | - | - | High
21 | [45.124.132.127](https://vuldb.com/?ip.45.124.132.127) | - | - | High
22 | [46.19.138.66](https://vuldb.com/?ip.46.19.138.66) | ab2.alchibasystems.in.net | - | High
23 | [46.21.147.55](https://vuldb.com/?ip.46.21.147.55) | 46-21-147-55.static.hvvc.us | - | High
24 | [46.21.147.71](https://vuldb.com/?ip.46.21.147.71) | 46-21-147-71.static.hvvc.us | - | High
25 | [46.21.147.76](https://vuldb.com/?ip.46.21.147.76) | 46-21-147-76.static.hvvc.us | - | High
26 | [46.148.17.227](https://vuldb.com/?ip.46.148.17.227) | - | - | High
27 | [46.166.162.90](https://vuldb.com/?ip.46.166.162.90) | - | Pawn Storm | High
28 | [46.183.217.74](https://vuldb.com/?ip.46.183.217.74) | ip-217-74.dataclub.info | Pawn Storm | High
29 | [51.38.128.110](https://vuldb.com/?ip.51.38.128.110) | vps-0a3489af.vps.ovh.net | - | High
30 | [51.254.76.54](https://vuldb.com/?ip.51.254.76.54) | - | - | High
31 | [51.254.158.57](https://vuldb.com/?ip.51.254.158.57) | - | - | High
32 | [54.37.104.106](https://vuldb.com/?ip.54.37.104.106) | piber.connectedlists.com | - | High
33 | [58.49.58.58](https://vuldb.com/?ip.58.49.58.58) | - | - | High
34 | [62.113.232.197](https://vuldb.com/?ip.62.113.232.197) | - | - | High
35 | [66.172.11.207](https://vuldb.com/?ip.66.172.11.207) | ip-66-172-11-207.chunkhost.com | Carberp | High
36 | [66.172.12.133](https://vuldb.com/?ip.66.172.12.133) | - | - | High
37 | [69.12.73.174](https://vuldb.com/?ip.69.12.73.174) | 69.12.73.174.static.quadranet.com | Sednit | High
38 | [69.16.243.33](https://vuldb.com/?ip.69.16.243.33) | host.tecnode.com | - | High
39 | [70.85.221.10](https://vuldb.com/?ip.70.85.221.10) | server002.nilsson-it.dk | - | High
40 | [70.85.221.20](https://vuldb.com/?ip.70.85.221.20) | 14.dd.5546.static.theplanet.com | Pawn Storm | High
41 | [76.74.177.251](https://vuldb.com/?ip.76.74.177.251) | ip-76-74-177-251.chunkhost.com | - | High
42 | [77.81.98.122](https://vuldb.com/?ip.77.81.98.122) | no-rdns.clues.ro | - | High
43 | [77.83.247.81](https://vuldb.com/?ip.77.83.247.81) | - | Global Brute Force | High
44 | [78.153.151.222](https://vuldb.com/?ip.78.153.151.222) | smtp33.pristavka-fr.ru | - | High
45 | [80.83.115.187](https://vuldb.com/?ip.80.83.115.187) | host3.smtpnoida.biz | - | High
46 | [80.255.3.93](https://vuldb.com/?ip.80.255.3.93) | - | - | High
47 | [80.255.3.94](https://vuldb.com/?ip.80.255.3.94) | set121.com | - | High
48 | ... | ... | ... | ...
9 | [23.88.228.248](https://vuldb.com/?ip.23.88.228.248) | - | - | High
10 | [23.163.0.59](https://vuldb.com/?ip.23.163.0.59) | naomi.rem2d.com | - | High
11 | [23.227.196.21](https://vuldb.com/?ip.23.227.196.21) | 23-227-196-21.static.hvvc.us | - | High
12 | [23.227.196.215](https://vuldb.com/?ip.23.227.196.215) | 23-227-196-215.static.hvvc.us | - | High
13 | [23.227.196.217](https://vuldb.com/?ip.23.227.196.217) | 23-227-196-217.static.hvvc.us | - | High
14 | [31.184.198.23](https://vuldb.com/?ip.31.184.198.23) | - | - | High
15 | [31.184.198.38](https://vuldb.com/?ip.31.184.198.38) | - | - | High
16 | [31.220.43.99](https://vuldb.com/?ip.31.220.43.99) | - | Sednit | High
17 | [31.220.61.251](https://vuldb.com/?ip.31.220.61.251) | - | - | High
18 | [37.235.52.18](https://vuldb.com/?ip.37.235.52.18) | 18.52.235.37.in-addr.arpa | - | High
19 | [45.32.129.185](https://vuldb.com/?ip.45.32.129.185) | 45.32.129.185.vultr.com | - | Medium
20 | [45.32.227.21](https://vuldb.com/?ip.45.32.227.21) | 45.32.227.21.mobiltel.mx | - | High
21 | [45.64.105.23](https://vuldb.com/?ip.45.64.105.23) | - | - | High
22 | [45.124.132.127](https://vuldb.com/?ip.45.124.132.127) | - | - | High
23 | [46.19.138.66](https://vuldb.com/?ip.46.19.138.66) | ab2.alchibasystems.in.net | - | High
24 | [46.21.147.55](https://vuldb.com/?ip.46.21.147.55) | 46-21-147-55.static.hvvc.us | - | High
25 | [46.21.147.71](https://vuldb.com/?ip.46.21.147.71) | 46-21-147-71.static.hvvc.us | - | High
26 | [46.21.147.76](https://vuldb.com/?ip.46.21.147.76) | 46-21-147-76.static.hvvc.us | - | High
27 | [46.148.17.227](https://vuldb.com/?ip.46.148.17.227) | - | - | High
28 | [46.166.162.90](https://vuldb.com/?ip.46.166.162.90) | - | Pawn Storm | High
29 | [46.183.217.74](https://vuldb.com/?ip.46.183.217.74) | ip-217-74.dataclub.info | Pawn Storm | High
30 | [51.38.128.110](https://vuldb.com/?ip.51.38.128.110) | vps-0a3489af.vps.ovh.net | - | High
31 | [51.254.76.54](https://vuldb.com/?ip.51.254.76.54) | - | - | High
32 | [51.254.158.57](https://vuldb.com/?ip.51.254.158.57) | - | - | High
33 | [54.37.104.106](https://vuldb.com/?ip.54.37.104.106) | piber.connectedlists.com | - | High
34 | [58.49.58.58](https://vuldb.com/?ip.58.49.58.58) | - | - | High
35 | [62.113.232.197](https://vuldb.com/?ip.62.113.232.197) | - | - | High
36 | [66.172.11.207](https://vuldb.com/?ip.66.172.11.207) | ip-66-172-11-207.chunkhost.com | Carberp | High
37 | [66.172.12.133](https://vuldb.com/?ip.66.172.12.133) | - | - | High
38 | [69.12.73.174](https://vuldb.com/?ip.69.12.73.174) | 69.12.73.174.static.quadranet.com | Sednit | High
39 | [69.16.243.33](https://vuldb.com/?ip.69.16.243.33) | host.tecnode.com | - | High
40 | [70.85.221.10](https://vuldb.com/?ip.70.85.221.10) | server002.nilsson-it.dk | - | High
41 | [70.85.221.20](https://vuldb.com/?ip.70.85.221.20) | 14.dd.5546.static.theplanet.com | Pawn Storm | High
42 | [76.74.177.251](https://vuldb.com/?ip.76.74.177.251) | ip-76-74-177-251.chunkhost.com | - | High
43 | [77.81.98.122](https://vuldb.com/?ip.77.81.98.122) | no-rdns.clues.ro | - | High
44 | [77.83.247.81](https://vuldb.com/?ip.77.83.247.81) | - | Global Brute Force | High
45 | [78.153.151.222](https://vuldb.com/?ip.78.153.151.222) | smtp33.pristavka-fr.ru | - | High
46 | [80.83.115.187](https://vuldb.com/?ip.80.83.115.187) | host3.smtpnoida.biz | - | High
47 | [80.255.3.93](https://vuldb.com/?ip.80.255.3.93) | - | - | High
48 | [80.255.3.94](https://vuldb.com/?ip.80.255.3.94) | set121.com | - | High
49 | [80.255.6.15](https://vuldb.com/?ip.80.255.6.15) | - | - | High
50 | ... | ... | ... | ...

There are 190 more IOC items available. Please use our online service to access the data.
There are 196 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

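Review bot: the `ec2-*.eu-west-2.compute.amazonaws.com` rows (6 to 8) and `45.32.129.185.vultr.com` are rightly held at Medium, since cloud addresses get reassigned, but no row records when the address was observed, so a consumer has no way to age those rows out; the hunk adds `23.88.228.248` and `80.255.6.15` with the same gap. Add first-seen and last-seen columns before the list grows further (the footer already stands at 196 more items), otherwise a blocklist built from this table will hit whatever tenant holds the address today.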
@ -109,31 +111,30 @@ ID | Type | Indicator | Confidence
4 | File | `/Config/SaveUploadedHotspotLogoFile` | High
5 | File | `/core/conditions/AbstractWrapper.java` | High
6 | File | `/dashboard/updatelogo.php` | High
7 | File | `/file?action=download&file` | High
8 | File | `/index.php` | Medium
9 | File | `/medical/inventories.php` | High
10 | File | `/mgmt/tm/util/bash` | High
11 | File | `/mkshop/Men/profile.php` | High
12 | File | `/monitoring` | Medium
13 | File | `/Noxen-master/users.php` | High
14 | File | `/plugin/LiveChat/getChat.json.php` | High
15 | File | `/plugins/servlet/audit/resource` | High
16 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
17 | File | `/REBOOTSYSTEM` | High
18 | File | `/replication` | Medium
19 | File | `/reports/rwservlet` | High
20 | File | `/RestAPI` | Medium
21 | File | `/tmp/speedtest_urls.xml` | High
22 | File | `/tmp/zarafa-vacation-*` | High
23 | File | `/uncpath/` | Medium
24 | File | `/upload` | Low
25 | File | `/usr/bin/at` | Medium
26 | File | `/var/log/nginx` | High
27 | File | `/var/run/watchman.pid` | High
28 | File | `/viewer/krpano.html` | High
29 | ... | ... | ...
7 | File | `/export` | Low
8 | File | `/file?action=download&file` | High
9 | File | `/index.php` | Medium
10 | File | `/medical/inventories.php` | High
11 | File | `/mgmt/tm/util/bash` | High
12 | File | `/mkshop/Men/profile.php` | High
13 | File | `/monitoring` | Medium
14 | File | `/Noxen-master/users.php` | High
15 | File | `/plugin/LiveChat/getChat.json.php` | High
16 | File | `/plugins/servlet/audit/resource` | High
17 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
18 | File | `/REBOOTSYSTEM` | High
19 | File | `/replication` | Medium
20 | File | `/reports/rwservlet` | High
21 | File | `/RestAPI` | Medium
22 | File | `/tmp/speedtest_urls.xml` | High
23 | File | `/tmp/zarafa-vacation-*` | High
24 | File | `/uncpath/` | Medium
25 | File | `/upload` | Low
26 | File | `/usr/bin/at` | Medium
27 | File | `/var/log/nginx` | High
28 | ... | ... | ...

There are 243 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 239 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -145,6 +146,7 @@ The following list contains _external sources_ which discuss the actor and the a
* https://documents.trendmicro.com/assets/wp/wp-two-years-of-pawn-storm.pdf
* https://github.com/blackorbird/APT_REPORT/blob/master/APT28/IOC/2019-04-05-ioc-mark.txt
* https://github.com/blackorbird/APT_REPORT/blob/master/APT28/IOC/2019-04-09-ioc-mark.txt
* https://github.com/blackorbird/APT_REPORT/blob/master/CyberMerceNary/wp-void-balaur-tracking-a-cybermercenarys-activities.pdf
* https://github.com/fireeye/iocs/blob/master/APT28/e1cbf7ca-4938-4d3c-a7e6-3ff966516191.ioc
* https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF
* https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF

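Review bot: the `CyberMerceNary/wp-void-balaur-tracking-a-cybermercenarys-activities.pdf` entry is a Void Balaur report sitting among Pawn Storm, APT28 and GRU sources; if it is cited for a documented overlap with this actor, say so next to the link, otherwise its indicators will be pulled into this actor's IOC and IOA tables by whatever process consumes this list.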
@ -24,7 +24,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [US](https://vuldb.com/?country.us)
* ...

There are 13 more country items available. Please use our online service to access the data.
There are 12 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -69,7 +69,7 @@ ID | Technique | Weakness | Description | Confidence
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
5 | ... | ... | ... | ...

There are 17 more TTP items available. Please use our online service to access the data.
There are 18 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

@ -107,12 +107,12 @@ ID | Type | Indicator | Confidence
28 | File | `/mgmt/tm/util/bash` | High
29 | File | `/modules/caddyhttp/rewrite/rewrite.go` | High
30 | File | `/ms/cms/content/list.do` | High
31 | File | `/orms/` | Low
32 | File | `/pages/apply_vacancy.php` | High
33 | File | `/plesk-site-preview/` | High
31 | File | `/pages/apply_vacancy.php` | High
32 | File | `/plesk-site-preview/` | High
33 | File | `/proc/<PID>/mem` | High
34 | ... | ... | ...

There are 290 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 288 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -20,7 +20,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [RU](https://vuldb.com/?country.ru)
* ...

There are 27 more country items available. Please use our online service to access the data.
There are 29 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -41,12 +41,14 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-250, CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-24 | Pathname Traversal | High
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
6 | ... | ... | ... | ...

There are 9 more TTP items available. Please use our online service to access the data.
There are 20 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

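Review bot: two rows pair a CWE with a description that belongs to a different weakness. The new row 2, T1040 / CWE-319, is labelled "Authentication Bypass by Capture-replay", but CWE-319 is cleartext transmission of sensitive information (capture-replay is CWE-294); the old row 3, T1110.001 / CWE-798, is labelled "Improper Restriction of Excessive Authentication Attempts", which is CWE-307, while CWE-798 is use of hard-coded credentials. Generate the Description column from the listed CWE ids so the three columns stay consistent.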
@ -59,50 +61,52 @@ ID | Type | Indicator | Confidence
|
|||
3 | File | `/.ssh/authorized_keys` | High
|
||||
4 | File | `/admin/default.asp` | High
|
||||
5 | File | `/ajax/networking/get_netcfg.php` | High
|
||||
6 | File | `/assets/ctx` | Medium
|
||||
7 | File | `/cgi-bin/login_action.cgi` | High
|
||||
8 | File | `/cgi-bin/supervisor/PwdGrp.cgi` | High
|
||||
9 | File | `/checkLogin.cgi` | High
|
||||
10 | File | `/cms/print.php` | High
|
||||
11 | File | `/concat?/%2557EB-INF/web.xml` | High
|
||||
12 | File | `/Content/Template/root/reverse-shell.aspx` | High
|
||||
13 | File | `/data/remove` | Medium
|
||||
14 | File | `/etc/passwd` | Medium
|
||||
15 | File | `/forum/away.php` | High
|
||||
16 | File | `/goforms/rlminfo` | High
|
||||
17 | File | `/login` | Low
|
||||
18 | File | `/navigate/navigate_download.php` | High
|
||||
19 | File | `/ocwbs/admin/?page=user/manage_user` | High
|
||||
20 | File | `/ofrs/admin/?page=user/manage_user` | High
|
||||
21 | File | `/out.php` | Medium
|
||||
22 | File | `/owa/auth/logon.aspx` | High
|
||||
23 | File | `/p` | Low
|
||||
24 | File | `/password.html` | High
|
||||
25 | File | `/proc/ioports` | High
|
||||
26 | File | `/property-list/property_view.php` | High
|
||||
27 | File | `/ptms/classes/Users.php` | High
|
||||
28 | File | `/rest` | Low
|
||||
29 | File | `/rest/api/2/search` | High
|
||||
30 | File | `/s/` | Low
|
||||
31 | File | `/scripts/cpan_config` | High
|
||||
32 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
33 | File | `/services/system/setup.json` | High
|
||||
34 | File | `/uncpath/` | Medium
|
||||
35 | File | `/vloggers_merch/?p=view_product` | High
|
||||
36 | File | `/webconsole/APIController` | High
|
||||
37 | File | `/websocket/exec` | High
|
||||
38 | File | `/wp-admin/admin-ajax.php` | High
|
||||
39 | File | `/wp-json` | Medium
|
||||
40 | File | `/wp-json/oembed/1.0/embed?url` | High
|
||||
41 | File | `/_next` | Low
|
||||
42 | File | `4.edu.php\conn\function.php` | High
|
||||
43 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
44 | File | `adclick.php` | Medium
|
||||
45 | File | `addentry.php` | Medium
|
||||
46 | File | `admin/category.inc.php` | High
|
||||
47 | ... | ... | ...
|
||||
6 | File | `/app/options.py` | High
|
||||
7 | File | `/assets/ctx` | Medium
|
||||
8 | File | `/bin/httpd` | Medium
|
||||
9 | File | `/cgi-bin/wapopen` | High
|
||||
10 | File | `/ci_spms/admin/category` | High
|
||||
11 | File | `/ci_spms/admin/search/searching/` | High
|
||||
12 | File | `/classes/Master.php?f=delete_train` | High
|
||||
13 | File | `/cms/print.php` | High
|
||||
14 | File | `/concat?/%2557EB-INF/web.xml` | High
|
||||
15 | File | `/Content/Template/root/reverse-shell.aspx` | High
|
||||
16 | File | `/dashboard/menu-list.php` | High
|
||||
17 | File | `/data/remove` | Medium
|
||||
18 | File | `/etc/passwd` | Medium
|
||||
19 | File | `/ffos/classes/Master.php?f=save_category` | High
|
||||
20 | File | `/forum/away.php` | High
|
||||
21 | File | `/goforms/rlminfo` | High
|
||||
22 | File | `/Items/*/RemoteImages/Download` | High
|
||||
23 | File | `/login` | Low
|
||||
24 | File | `/navigate/navigate_download.php` | High
|
||||
25 | File | `/ocwbs/admin/?page=user/manage_user` | High
|
||||
26 | File | `/ofrs/admin/?page=user/manage_user` | High
|
||||
27 | File | `/owa/auth/logon.aspx` | High
|
||||
28 | File | `/p` | Low
|
||||
29 | File | `/password.html` | High
|
||||
30 | File | `/proc/ioports` | High
|
||||
31 | File | `/property-list/property_view.php` | High
|
||||
32 | File | `/ptms/classes/Users.php` | High
|
||||
33 | File | `/rest` | Low
|
||||
34 | File | `/rest/api/2/search` | High
|
||||
35 | File | `/s/` | Low
|
||||
36 | File | `/scripts/cpan_config` | High
|
||||
37 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
38 | File | `/services/system/setup.json` | High
|
||||
39 | File | `/spip.php` | Medium
|
||||
40 | File | `/uncpath/` | Medium
|
||||
41 | File | `/vloggers_merch/?p=view_product` | High
|
||||
42 | File | `/webconsole/APIController` | High
|
||||
43 | File | `/websocket/exec` | High
|
||||
44 | File | `/whbs/?page=my_bookings` | High
|
||||
45 | File | `/wp-admin/admin-ajax.php` | High
|
||||
46 | File | `/wp-json` | Medium
|
||||
47 | File | `/wp-json/oembed/1.0/embed?url` | High
|
||||
48 | File | `/_next` | Low
|
||||
49 | ... | ... | ...
|
||||
|
||||
There are 404 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 421 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
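Review bot: The renumbered ID column turns a handful of insertions into a rewrite of the whole visible table, which hides the substantive change from review. In the range where both sides are visible, only `/spip.php` (new row 39) and `/whbs/?page=my_bookings` (new row 44) are additions, while `4.edu.php\conn\function.php` through `admin/category.inc.php` leave the excerpt only because the row cap shifted, not because they were removed (the trailer grows from 404 to 421 more items). Listing added and removed indicators in the commit message, or keeping the excerpt cap stable, would make these data updates reviewable.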
@ -87,9 +87,10 @@ ID | Type | Indicator | Confidence
|
|||
21 | File | `admin/index.php` | High
|
||||
22 | File | `adv2.php?action=modify` | High
|
||||
23 | File | `agent.cfg` | Medium
|
||||
24 | ... | ... | ...
|
||||
24 | File | `arch/x86/include/asm/fpu/internal.h` | High
|
||||
25 | ... | ... | ...
|
||||
|
||||
There are 204 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 206 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
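Review bot: The new row 24, `arch/x86/include/asm/fpu/internal.h`, is a kernel source file path, not something that can be observed in a request log or on a compromised host, yet it shares the `File` type with request paths such as `admin/index.php`. Mixing vulnerability source locations with observable artefacts under one type limits the table's use for detection; a separate type or a note in the column header would let consumers tell the two apart.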
@ -16,9 +16,9 @@ The following _campaigns_ are known and can be associated with APT33:
|
|||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT33:
|
||||
|
||||
* [SV](https://vuldb.com/?country.sv)
|
||||
* [ES](https://vuldb.com/?country.es)
|
||||
* [DE](https://vuldb.com/?country.de)
|
||||
* [IT](https://vuldb.com/?country.it)
|
||||
* [ES](https://vuldb.com/?country.es)
|
||||
* ...
|
||||
|
||||
There are 6 more country items available. Please use our online service to access the data.
|
||||
|
@ -54,11 +54,11 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-425 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-25, CWE-36, CWE-425 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-94, CWE-1321 | Cross Site Scripting | High
|
||||
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
4 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
5 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
6 | ... | ... | ... | ...
|
||||
|
||||
There are 21 more TTP items available. Please use our online service to access the data.
|
||||
|
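Review bot: Changing row 2 from CWE-319 to CWE-294 is the right fix: the row's description, 'Authentication Bypass by Capture-replay', is the title of CWE-294, whereas CWE-319 (Cleartext Transmission of Sensitive Information) never matched it. Rows 4 and 5 still both read 'Cross Site Scripting' although row 4 maps CWE-94 (Code Injection) under T1059 (Command and Scripting Interpreter); that description should be corrected in the same pass, since the dedicated XSS row is 5 (T1059.007, CWE-79).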
@ -69,38 +69,35 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `.rediscli_history` | High
|
||||
2 | File | `/activity/admin/modules/event/index.php?view=edit` | High
|
||||
3 | File | `/activity/admin/modules/modstudent/index.php?view=view` | High
|
||||
4 | File | `/admin/?page=user/manage_user` | High
|
||||
5 | File | `/admin/comment/list` | High
|
||||
6 | File | `/admin/del.php` | High
|
||||
7 | File | `/admin/delstu.php` | High
|
||||
8 | File | `/admin/edit_event.php` | High
|
||||
9 | File | `/admin/edit_user.php` | High
|
||||
10 | File | `/admin/lab.php` | High
|
||||
11 | File | `/admin/video/list` | High
|
||||
12 | File | `/admin/videoalbum/list` | High
|
||||
13 | File | `/api/upload-resource` | High
|
||||
14 | File | `/bibliography/marcsru.php` | High
|
||||
15 | File | `/bin/httpd` | Medium
|
||||
16 | File | `/bits/stl_vector.h` | High
|
||||
17 | File | `/categories/view_category.php` | High
|
||||
18 | File | `/classes/Master.php?f=delete_category` | High
|
||||
19 | File | `/classes/Master.php?f=delete_schedule` | High
|
||||
20 | File | `/classes/Users.php?f=save_client` | High
|
||||
21 | File | `/dashboard/settings` | High
|
||||
22 | File | `/dede/co_do.php` | High
|
||||
23 | File | `/etc/shadow.sample` | High
|
||||
24 | File | `/fax/fax_send.php` | High
|
||||
25 | File | `/garage/editcategory.php` | High
|
||||
26 | File | `/gfxpoly/stroke.c` | High
|
||||
27 | File | `/goform/saveParentControlInfo` | High
|
||||
28 | File | `/goform/SetIpMacBind` | High
|
||||
29 | File | `/guestmanagement/front.php` | High
|
||||
30 | ... | ... | ...
|
||||
1 | File | `/activity/admin/modules/event/index.php?view=edit` | High
|
||||
2 | File | `/activity/admin/modules/modstudent/index.php?view=view` | High
|
||||
3 | File | `/admin/?page=orders/view_order` | High
|
||||
4 | File | `/admin/del.php` | High
|
||||
5 | File | `/admin/edit_user.php` | High
|
||||
6 | File | `/admin/products/controller.php?action=add` | High
|
||||
7 | File | `/bin/boa` | Medium
|
||||
8 | File | `/bin/httpd` | Medium
|
||||
9 | File | `/bits/stl_vector.h` | High
|
||||
10 | File | `/blog/post/edit` | High
|
||||
11 | File | `/brand.php` | Medium
|
||||
12 | File | `/categories/manage_category.php` | High
|
||||
13 | File | `/categories/view_category.php` | High
|
||||
14 | File | `/category.php` | High
|
||||
15 | File | `/cgi-bin/downloadFile.cgi` | High
|
||||
16 | File | `/cgi-bin/DownloadFlash` | High
|
||||
17 | File | `/classes/Master.php?f=delete_item` | High
|
||||
18 | File | `/dede/co_do.php` | High
|
||||
19 | File | `/etc/init0.d/S80telnetd.sh` | High
|
||||
20 | File | `/etc/shadow.sample` | High
|
||||
21 | File | `/etc/sysconfig/tomcat` | High
|
||||
22 | File | `/fax/fax_send.php` | High
|
||||
23 | File | `/framework/modules/help/controllers/helpController.php` | High
|
||||
24 | File | `/gfxpoly/stroke.c` | High
|
||||
25 | File | `/goform/wizard_end` | High
|
||||
26 | File | `/guestmanagement/front.php` | High
|
||||
27 | ... | ... | ...
|
||||
|
||||
There are 256 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 224 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
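Review bot: This hunk shrinks the indicator set without saying why: the trailer falls from 256 to 224 more items while the visible rows go from 29 to 26, so about 35 indicators were removed from this actor in a commit titled 'Update'. Removals matter to anyone who already imported the earlier list into detection content, so the commit message should state whether they were reclassified, merged into other rows, or retracted.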
@ -70,28 +70,28 @@ ID | Type | Indicator | Confidence
|
|||
8 | File | `/admin/newsletter1.php` | High
|
||||
9 | File | `/admin/payment.php` | High
|
||||
10 | File | `/core/conditions/AbstractWrapper.java` | High
|
||||
11 | File | `/file?action=download&file` | High
|
||||
12 | File | `/filemanager/upload/drop` | High
|
||||
13 | File | `/index.php` | Medium
|
||||
14 | File | `/irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.UserMapping` | High
|
||||
15 | File | `/login.php` | Medium
|
||||
16 | File | `/medical/inventories.php` | High
|
||||
17 | File | `/mgmt/tm/util/bash` | High
|
||||
18 | File | `/mkshop/Men/profile.php` | High
|
||||
19 | File | `/monitoring` | Medium
|
||||
20 | File | `/pages/apply_vacancy.php` | High
|
||||
21 | File | `/php_action/createUser.php` | High
|
||||
22 | File | `/plugin/LiveChat/getChat.json.php` | High
|
||||
23 | File | `/plugins/servlet/audit/resource` | High
|
||||
24 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
|
||||
25 | File | `/replication` | Medium
|
||||
26 | File | `/RestAPI` | Medium
|
||||
27 | File | `/SASWebReportStudio/logonAndRender.do` | High
|
||||
28 | File | `/scas/admin/` | Medium
|
||||
29 | File | `/tmp/zarafa-vacation-*` | High
|
||||
11 | File | `/export` | Low
|
||||
12 | File | `/file?action=download&file` | High
|
||||
13 | File | `/filemanager/upload/drop` | High
|
||||
14 | File | `/index.php` | Medium
|
||||
15 | File | `/irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.UserMapping` | High
|
||||
16 | File | `/login.php` | Medium
|
||||
17 | File | `/medical/inventories.php` | High
|
||||
18 | File | `/mgmt/tm/util/bash` | High
|
||||
19 | File | `/mkshop/Men/profile.php` | High
|
||||
20 | File | `/monitoring` | Medium
|
||||
21 | File | `/pages/apply_vacancy.php` | High
|
||||
22 | File | `/php_action/createUser.php` | High
|
||||
23 | File | `/plugin/LiveChat/getChat.json.php` | High
|
||||
24 | File | `/plugins/servlet/audit/resource` | High
|
||||
25 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
|
||||
26 | File | `/replication` | Medium
|
||||
27 | File | `/RestAPI` | Medium
|
||||
28 | File | `/SASWebReportStudio/logonAndRender.do` | High
|
||||
29 | File | `/scas/admin/` | Medium
|
||||
30 | ... | ... | ...
|
||||
|
||||
There are 257 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 256 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
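Review bot: New row 11 adds `/export` at Low confidence. A single generic path segment like this (compare `/login`, `/_next` and `/p` elsewhere in this commit) matches ordinary traffic on almost any web application, so anyone feeding these tables into detection rules has to filter on the Confidence column; the file should say so explicitly, or such fragments should be kept out of the excerpt.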
|
@ -19,7 +19,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
* [CN](https://vuldb.com/?country.cn)
|
||||
* ...
|
||||
|
||||
There are 20 more country items available. Please use our online service to access the data.
|
||||
There are 22 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -63,9 +63,10 @@ ID | Type | Indicator | Confidence
|
|||
7 | File | `/magnoliaPublic/travel/members/login.html` | High
|
||||
8 | File | `/Main_AdmStatus_Content.asp` | High
|
||||
9 | File | `/server-status` | High
|
||||
10 | ... | ... | ...
|
||||
10 | File | `/uncpath/` | Medium
|
||||
11 | ... | ... | ...
|
||||
|
||||
There are 77 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 79 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
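Review bot: The new row 10, `/uncpath/` (Medium), is the same fragment that appears in nearly every actor table touched by this commit. An indicator shared by all actors carries no attribution signal on its own, so it should be marked as shared or given lower confidence rather than presented alongside actor-specific paths at Medium.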
@ -84,44 +84,43 @@ ID | Type | Indicator | Confidence
|
|||
6 | File | `/debug/pprof` | Medium
|
||||
7 | File | `/etc/config/rpcd` | High
|
||||
8 | File | `/forum/away.php` | High
|
||||
9 | File | `/get_getnetworkconf.cgi` | High
|
||||
10 | File | `/include/make.php` | High
|
||||
11 | File | `/index.php` | Medium
|
||||
12 | File | `/jeecg-boot/sys/common/upload` | High
|
||||
13 | File | `/lists/admin/` | High
|
||||
14 | File | `/login.cgi?logout=1` | High
|
||||
15 | File | `/medical/inventories.php` | High
|
||||
16 | File | `/members/view_member.php` | High
|
||||
17 | File | `/mgmt/tm/util/bash` | High
|
||||
18 | File | `/module/admin_logs` | High
|
||||
19 | File | `/nova/bin/console` | High
|
||||
20 | File | `/owa/auth/logon.aspx` | High
|
||||
21 | File | `/plesk-site-preview/` | High
|
||||
22 | File | `/public/login.htm` | High
|
||||
23 | File | `/public/plugins/` | High
|
||||
24 | File | `/replication` | Medium
|
||||
25 | File | `/SASWebReportStudio/logonAndRender.do` | High
|
||||
26 | File | `/scas/classes/Users.php?f=save_user` | High
|
||||
27 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
28 | File | `/secure/admin/ViewInstrumentation.jspa` | High
|
||||
29 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
30 | File | `/SSOPOST/metaAlias/%realm%/idpv2` | High
|
||||
31 | File | `/start-stop` | Medium
|
||||
32 | File | `/thruk/#cgi-bin/extinfo.cgi?type=2` | High
|
||||
33 | File | `/tmp/app/.env` | High
|
||||
34 | File | `/uncpath/` | Medium
|
||||
35 | File | `/upload` | Low
|
||||
36 | File | `/usr/bin/pkexec` | High
|
||||
37 | File | `/v2/quantum/save-data-upload-big-file` | High
|
||||
38 | File | `/WEB-INF/web.xml` | High
|
||||
39 | File | `/wp-admin/admin-ajax.php` | High
|
||||
40 | File | `/wp-admin/options.php` | High
|
||||
41 | File | `/_next` | Low
|
||||
42 | File | `adclick.php` | Medium
|
||||
43 | File | `addentry.php` | Medium
|
||||
44 | ... | ... | ...
|
||||
9 | File | `/include/make.php` | High
|
||||
10 | File | `/index.php` | Medium
|
||||
11 | File | `/jeecg-boot/sys/common/upload` | High
|
||||
12 | File | `/lists/admin/` | High
|
||||
13 | File | `/login.cgi?logout=1` | High
|
||||
14 | File | `/medical/inventories.php` | High
|
||||
15 | File | `/members/view_member.php` | High
|
||||
16 | File | `/mgmt/tm/util/bash` | High
|
||||
17 | File | `/module/admin_logs` | High
|
||||
18 | File | `/nova/bin/console` | High
|
||||
19 | File | `/owa/auth/logon.aspx` | High
|
||||
20 | File | `/plesk-site-preview/` | High
|
||||
21 | File | `/public/login.htm` | High
|
||||
22 | File | `/public/plugins/` | High
|
||||
23 | File | `/replication` | Medium
|
||||
24 | File | `/SASWebReportStudio/logonAndRender.do` | High
|
||||
25 | File | `/scas/classes/Users.php?f=save_user` | High
|
||||
26 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
27 | File | `/secure/admin/ViewInstrumentation.jspa` | High
|
||||
28 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
29 | File | `/SSOPOST/metaAlias/%realm%/idpv2` | High
|
||||
30 | File | `/start-stop` | Medium
|
||||
31 | File | `/thruk/#cgi-bin/extinfo.cgi?type=2` | High
|
||||
32 | File | `/tmp/app/.env` | High
|
||||
33 | File | `/uncpath/` | Medium
|
||||
34 | File | `/upload` | Low
|
||||
35 | File | `/usr/bin/pkexec` | High
|
||||
36 | File | `/v2/quantum/save-data-upload-big-file` | High
|
||||
37 | File | `/WEB-INF/web.xml` | High
|
||||
38 | File | `/wp-admin/admin-ajax.php` | High
|
||||
39 | File | `/wp-admin/options.php` | High
|
||||
40 | File | `/_next` | Low
|
||||
41 | File | `adclick.php` | Medium
|
||||
42 | File | `addentry.php` | Medium
|
||||
43 | ... | ... | ...
|
||||
|
||||
There are 378 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 376 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -19,7 +19,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
* [CN](https://vuldb.com/?country.cn)
|
||||
* ...
|
||||
|
||||
There are 17 more country items available. Please use our online service to access the data.
|
||||
There are 18 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -74,39 +74,39 @@ ID | Type | Indicator | Confidence
|
|||
11 | File | `/public/launchNewWindow.jsp` | High
|
||||
12 | File | `/public/login.htm` | High
|
||||
13 | File | `/rom-0` | Low
|
||||
14 | File | `/tmp/connlicj.bin` | High
|
||||
15 | File | `/tmp/phpglibccheck` | High
|
||||
16 | File | `/uncpath/` | Medium
|
||||
17 | File | `/usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php` | High
|
||||
18 | File | `/var/log/nginx` | High
|
||||
19 | File | `/var/tmp/sess_*` | High
|
||||
20 | File | `action.php` | Medium
|
||||
21 | File | `actionphp/download.File.php` | High
|
||||
22 | File | `add_comment.php` | High
|
||||
23 | File | `admin.a6mambocredits.php` | High
|
||||
24 | File | `admin.php` | Medium
|
||||
25 | File | `admin/admin.php` | High
|
||||
26 | File | `admin/content.php` | High
|
||||
27 | File | `admin/import/class-import-settings.php` | High
|
||||
28 | File | `admin/index.php?id=users/action=edit/user_id=1` | High
|
||||
29 | File | `admin/sitesettings.php` | High
|
||||
30 | File | `affich.php` | Medium
|
||||
31 | File | `agent/Core/Controller/SendRequest.cpp` | High
|
||||
32 | File | `akeyActivationLogin.do` | High
|
||||
33 | File | `album_portal.php` | High
|
||||
34 | File | `apache-auth.conf` | High
|
||||
35 | File | `app/admin/routing/edit-bgp-mapping-search.php` | High
|
||||
36 | File | `askapache-firefox-adsense.php` | High
|
||||
37 | File | `assets/add/category.php` | High
|
||||
38 | File | `attachment.cgi` | High
|
||||
39 | File | `blueprints/sections/edit/1` | High
|
||||
40 | File | `books.php` | Medium
|
||||
41 | File | `btif_hd.cc` | Medium
|
||||
42 | File | `cart.php` | Medium
|
||||
43 | File | `cart_add.php` | Medium
|
||||
14 | File | `/spip.php` | Medium
|
||||
15 | File | `/tmp/connlicj.bin` | High
|
||||
16 | File | `/tmp/phpglibccheck` | High
|
||||
17 | File | `/uncpath/` | Medium
|
||||
18 | File | `/usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php` | High
|
||||
19 | File | `/var/log/nginx` | High
|
||||
20 | File | `/var/tmp/sess_*` | High
|
||||
21 | File | `action.php` | Medium
|
||||
22 | File | `actionphp/download.File.php` | High
|
||||
23 | File | `add_comment.php` | High
|
||||
24 | File | `admin.a6mambocredits.php` | High
|
||||
25 | File | `admin.php` | Medium
|
||||
26 | File | `admin/admin.php` | High
|
||||
27 | File | `admin/content.php` | High
|
||||
28 | File | `admin/import/class-import-settings.php` | High
|
||||
29 | File | `admin/index.php?id=users/action=edit/user_id=1` | High
|
||||
30 | File | `admin/sitesettings.php` | High
|
||||
31 | File | `affich.php` | Medium
|
||||
32 | File | `agent/Core/Controller/SendRequest.cpp` | High
|
||||
33 | File | `akeyActivationLogin.do` | High
|
||||
34 | File | `album_portal.php` | High
|
||||
35 | File | `apache-auth.conf` | High
|
||||
36 | File | `app/admin/routing/edit-bgp-mapping-search.php` | High
|
||||
37 | File | `askapache-firefox-adsense.php` | High
|
||||
38 | File | `assets/add/category.php` | High
|
||||
39 | File | `attachment.cgi` | High
|
||||
40 | File | `blueprints/sections/edit/1` | High
|
||||
41 | File | `books.php` | Medium
|
||||
42 | File | `btif_hd.cc` | Medium
|
||||
43 | File | `cart.php` | Medium
|
||||
44 | ... | ... | ...
|
||||
|
||||
There are 378 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 381 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -10,10 +10,10 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* [RU](https://vuldb.com/?country.ru)
|
||||
* [CH](https://vuldb.com/?country.ch)
|
||||
* ...
|
||||
|
||||
There are 31 more country items available. Please use our online service to access the data.
|
||||
There are 27 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -56,54 +56,52 @@ ID | Type | Indicator | Confidence
|
|||
3 | File | `/.ssh/authorized_keys` | High
|
||||
4 | File | `/admin/default.asp` | High
|
||||
5 | File | `/ajax/networking/get_netcfg.php` | High
|
||||
6 | File | `/app/options.py` | High
|
||||
7 | File | `/assets/ctx` | Medium
|
||||
8 | File | `/ci_spms/admin/category` | High
|
||||
9 | File | `/ci_spms/admin/search/searching/` | High
|
||||
10 | File | `/classes/Master.php?f=delete_train` | High
|
||||
11 | File | `/cms/print.php` | High
|
||||
12 | File | `/concat?/%2557EB-INF/web.xml` | High
|
||||
13 | File | `/Content/Template/root/reverse-shell.aspx` | High
|
||||
14 | File | `/dashboard/menu-list.php` | High
|
||||
15 | File | `/dashboard/updatelogo.php` | High
|
||||
16 | File | `/data/remove` | Medium
|
||||
17 | File | `/download` | Medium
|
||||
18 | File | `/etc/passwd` | Medium
|
||||
19 | File | `/ffos/classes/Master.php?f=save_category` | High
|
||||
20 | File | `/goforms/rlminfo` | High
|
||||
21 | File | `/Items/*/RemoteImages/Download` | High
|
||||
22 | File | `/login` | Low
|
||||
23 | File | `/navigate/navigate_download.php` | High
|
||||
24 | File | `/ocwbs/admin/?page=user/manage_user` | High
|
||||
25 | File | `/ofrs/admin/?page=user/manage_user` | High
|
||||
26 | File | `/owa/auth/logon.aspx` | High
|
||||
27 | File | `/password.html` | High
|
||||
28 | File | `/proc/ioports` | High
|
||||
29 | File | `/property-list/property_view.php` | High
|
||||
30 | File | `/ptms/classes/Users.php` | High
|
||||
31 | File | `/rest` | Low
|
||||
32 | File | `/rest/api/2/search` | High
|
||||
33 | File | `/s/` | Low
|
||||
34 | File | `/scripts/cpan_config` | High
|
||||
35 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
36 | File | `/services/system/setup.json` | High
|
||||
37 | File | `/spip.php` | Medium
|
||||
38 | File | `/uncpath/` | Medium
|
||||
39 | File | `/vloggers_merch/?p=view_product` | High
|
||||
40 | File | `/webconsole/APIController` | High
|
||||
41 | File | `/websocket/exec` | High
|
||||
42 | File | `/whbs/?page=my_bookings` | High
|
||||
43 | File | `/wp-admin/admin-ajax.php` | High
|
||||
44 | File | `/wp-json` | Medium
|
||||
45 | File | `/wp-json/oembed/1.0/embed?url` | High
|
||||
46 | File | `/_next` | Low
|
||||
47 | File | `4.edu.php\conn\function.php` | High
|
||||
48 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
49 | File | `adclick.php` | Medium
|
||||
50 | File | `addentry.php` | Medium
|
||||
51 | ... | ... | ...
|
||||
6 | File | `/api` | Low
|
||||
7 | File | `/app/options.py` | High
|
||||
8 | File | `/assets/ctx` | Medium
|
||||
9 | File | `/bin/httpd` | Medium
|
||||
10 | File | `/cgi-bin/wapopen` | High
|
||||
11 | File | `/ci_spms/admin/category` | High
|
||||
12 | File | `/ci_spms/admin/search/searching/` | High
|
||||
13 | File | `/classes/Master.php?f=delete_train` | High
|
||||
14 | File | `/cms/print.php` | High
|
||||
15 | File | `/concat?/%2557EB-INF/web.xml` | High
|
||||
16 | File | `/Content/Template/root/reverse-shell.aspx` | High
|
||||
17 | File | `/dashboard/menu-list.php` | High
|
||||
18 | File | `/dashboard/updatelogo.php` | High
|
||||
19 | File | `/data/remove` | Medium
|
||||
20 | File | `/download` | Medium
|
||||
21 | File | `/etc/passwd` | Medium
|
||||
22 | File | `/ffos/classes/Master.php?f=save_category` | High
|
||||
23 | File | `/goforms/rlminfo` | High
|
||||
24 | File | `/index.php` | Medium
|
||||
25 | File | `/Items/*/RemoteImages/Download` | High
|
||||
26 | File | `/jsoa/hntdCustomDesktopActionContent` | High
|
||||
27 | File | `/login` | Low
|
||||
28 | File | `/mkshop/Men/profile.php` | High
|
||||
29 | File | `/navigate/navigate_download.php` | High
|
||||
30 | File | `/Noxen-master/users.php` | High
|
||||
31 | File | `/ocwbs/admin/?page=user/manage_user` | High
|
||||
32 | File | `/ofrs/admin/?page=user/manage_user` | High
|
||||
33 | File | `/owa/auth/logon.aspx` | High
|
||||
34 | File | `/password.html` | High
|
||||
35 | File | `/port_3480/data_request` | High
|
||||
36 | File | `/proc/ioports` | High
|
||||
37 | File | `/property-list/property_view.php` | High
|
||||
38 | File | `/ptms/classes/Users.php` | High
|
||||
39 | File | `/rest/api/2/search` | High
|
||||
40 | File | `/s/` | Low
|
||||
41 | File | `/scripts/cpan_config` | High
|
||||
42 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
43 | File | `/services/system/setup.json` | High
|
||||
44 | File | `/spip.php` | Medium
|
||||
45 | File | `/uncpath/` | Medium
|
||||
46 | File | `/vloggers_merch/?p=view_product` | High
|
||||
47 | File | `/webconsole/APIController` | High
|
||||
48 | File | `/websocket/exec` | High
|
||||
49 | ... | ... | ...
|
||||
|
||||
There are 447 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 430 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
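Review bot: Row 6 adds `/api` (Low) while `/rest` (Low), which sat between `/ptms/classes/Users.php` and `/rest/api/2/search` on the old side, no longer appears on the new side; both are the same kind of generic API root, so the policy for such fragments should be applied consistently. Net, the trailer falls from 447 to 430 while the visible rows shrink by two, which means roughly 19 indicators were removed; the commit message should record that.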
@ -4,6 +4,12 @@ These _indicators_ were reported, collected, and generated during the [VulDB CTI
|
|||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.aggah](https://vuldb.com/?actor.aggah)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Aggah:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Aggah.
|
||||
|
|
|
@ -37,9 +37,10 @@ ID | Technique | Weakness | Description | Confidence
|
|||
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
|
||||
2 | T1055 | CWE-74 | Injection | High
|
||||
3 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
|
||||
4 | ... | ... | ... | ...
|
||||
4 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 13 more TTP items available. Please use our online service to access the data.
|
||||
There are 14 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
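Review bot: Adding row 4 (T1059.007 with CWE-79, CWE-80) is correct, but it leaves row 3 harder to defend: CWE-88 (Argument Injection) and CWE-94 (Code Injection) under T1059 are not 'Cross Site Scripting'. With a dedicated XSS row now present, row 3's description should read 'Command and Scripting Interpreter' or 'Code Injection'.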
@ -52,15 +53,15 @@ ID | Type | Indicator | Confidence
|
|||
3 | File | `/etc/quagga` | Medium
|
||||
4 | File | `/main?cmd=invalid_browser` | High
|
||||
5 | File | `/opt/IBM/es/lib/libffq.cryptionjni.so` | High
|
||||
6 | File | `/plugins/Dashboard/Controller.php` | High
|
||||
7 | File | `/storage/app/media/evil.svg` | High
|
||||
8 | File | `/uncpath/` | Medium
|
||||
9 | File | `/usr/lpp/mmfs/bin/` | High
|
||||
10 | File | `admin.asp` | Medium
|
||||
11 | File | `admin.php` | Medium
|
||||
6 | File | `/pdf/InfoOutputDev.cc` | High
|
||||
7 | File | `/plugins/Dashboard/Controller.php` | High
|
||||
8 | File | `/storage/app/media/evil.svg` | High
|
||||
9 | File | `/uncpath/` | Medium
|
||||
10 | File | `/usr/lpp/mmfs/bin/` | High
|
||||
11 | File | `admin.asp` | Medium
|
||||
12 | ... | ... | ...
|
||||
|
||||
There are 90 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 92 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
* [FR](https://vuldb.com/?country.fr)
|
||||
* ...
|
||||
|
||||
There are 3 more country items available. Please use our online service to access the data.
|
||||
There are 4 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
|
|
@ -84,13 +84,14 @@ ID | Type | Indicator | Confidence
|
|||
33 | File | `/var/log/postgresql` | High
|
||||
34 | File | `/_vti_pvt/access.cnf` | High
|
||||
35 | File | `4.edu.php` | Medium
|
||||
36 | File | `add_ons.php` | Medium
|
||||
37 | File | `add_to_cart.php` | High
|
||||
38 | File | `admin.php` | Medium
|
||||
39 | File | `admin/admin_users.php` | High
|
||||
40 | File | `admin/index.php` | High
|
||||
41 | File | `admin/mod_users/controller.php?action=edit` | High
|
||||
42 | ... | ... | ...
|
||||
36 | File | `5.2.9\syscrb.exe` | High
|
||||
37 | File | `add_ons.php` | Medium
|
||||
38 | File | `add_to_cart.php` | High
|
||||
39 | File | `admin.php` | Medium
|
||||
40 | File | `admin/admin_users.php` | High
|
||||
41 | File | `admin/index.php` | High
|
||||
42 | File | `admin/mod_users/controller.php?action=edit` | High
|
||||
43 | ... | ... | ...
|
||||
|
||||
There are 367 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
|
|
|
@ -27,7 +27,8 @@ ID | IP address | Hostname | Campaign | Confidence
|
|||
4 | [37.140.192.166](https://vuldb.com/?ip.37.140.192.166) | scp46.hosting.reg.ru | - | High
|
||||
5 | [45.76.18.39](https://vuldb.com/?ip.45.76.18.39) | 45.76.18.39.vultrusercontent.com | - | High
|
||||
6 | [45.139.236.14](https://vuldb.com/?ip.45.139.236.14) | - | - | High
|
||||
7 | ... | ... | ... | ...
|
||||
7 | [67.199.248.10](https://vuldb.com/?ip.67.199.248.10) | bit.ly | - | High
|
||||
8 | ... | ... | ... | ...
|
||||
|
||||
There are 26 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
|
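Review bot: Row 7 adds 67.199.248.10 with hostname bit.ly at High confidence. That is the public URL shortener's front end, not actor-controlled infrastructure, so any blocklist built from this table would block bit.ly for everyone. Either drop the row, mark it as shared third-party infrastructure, or lower the confidence so automated consumers do not act on it.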
@ -37,13 +38,13 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-22 | Pathname Traversal | High
|
||||
1 | T1006 | CWE-22, CWE-23 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 15 more TTP items available. Please use our online service to access the data.
|
||||
There are 17 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
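Review bot: Row 2 still maps T1040 to CWE-319 while its description reads 'Authentication Bypass by Capture-replay', which is the title of CWE-294; two other TTP tables in this commit correct exactly this mapping to CWE-294, so this file was missed. The added CWE-23 on row 1 is consistent with the Pathname Traversal description.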
@ -59,20 +60,23 @@ ID | Type | Indicator | Confidence
|
|||
6 | File | `/login.html` | Medium
|
||||
7 | File | `/medical/inventories.php` | High
|
||||
8 | File | `/pages.php` | Medium
|
||||
9 | File | `/uncpath/` | Medium
|
||||
10 | File | `/usr/local/psa/admin/sbin/wrapper` | High
|
||||
11 | File | `/usr/local/WowzaStreamingEngine/bin/` | High
|
||||
12 | File | `/vloggers_merch/classes/Master.php?f=delete_order` | High
|
||||
13 | File | `abm.aspx` | Medium
|
||||
14 | File | `actions/ChangeConfiguration.html` | High
|
||||
15 | ... | ... | ...
|
||||
9 | File | `/patient/doctors.php` | High
|
||||
10 | File | `/uncpath/` | Medium
|
||||
11 | File | `/usr/local/psa/admin/sbin/wrapper` | High
|
||||
12 | File | `/usr/local/WowzaStreamingEngine/bin/` | High
|
||||
13 | File | `/vloggers_merch/classes/Master.php?f=delete_order` | High
|
||||
14 | File | `abm.aspx` | Medium
|
||||
15 | File | `actions/ChangeConfiguration.html` | High
|
||||
16 | File | `adclick.php` | Medium
|
||||
17 | ... | ... | ...
|
||||
|
||||
There are 123 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 133 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://1275.ru/ioc/308/gs-031-azorult-stealer-iocs/
|
||||
* https://blog.cyble.com/2021/10/26/a-deep-dive-analysis-of-azorult-stealer/
|
||||
* https://blog.talosintelligence.com/2020/01/threat-roundup-0117-0124.html
|
||||
* https://cert.gov.ua/article/2806
|
||||
|
|
|
@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [SC](https://vuldb.com/?country.sc)
* ...

There are 8 more country items available. Please use our online service to access the data.
There are 2 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

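Review bot: the summary line drops from 8 to 2 additional country items while the visible list (`SC`, `...`) is unchanged, so this hunk removes six country associations from the profile rather than adding data; nothing else in the hunk accounts for the reduction, so confirm the regeneration intended it before merging.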
@ -45,14 +45,14 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-35, CWE-36 | Pathname Traversal | High
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-25 | Pathname Traversal | High
2 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-88, CWE-94, CWE-1321 | Cross Site Scripting | High
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
5 | T1059.007 | CWE-79, CWE-84 | Cross Site Scripting | High
6 | ... | ... | ... | ...

There are 21 more TTP items available. Please use our online service to access the data.
There are 20 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

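Review bot: the T1040 row's weakness moving from CWE-319 to CWE-294 fixes a real mismatch, since CWE-294 is the CWE titled Authentication Bypass by Capture-replay while CWE-319 is Cleartext Transmission of Sensitive Information; the unchanged row 4 keeps the same kind of mismatch, labelling CWE-88, CWE-94 and CWE-1321 (argument injection, code injection, prototype pollution) as Cross Site Scripting, so the Description column looks like it is keyed to the technique rather than to the listed weaknesses and deserves the same correction.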
@ -60,36 +60,30 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/about.php` | Medium
2 | File | `/admin/addemployee.php` | High
3 | File | `/admin/article/list` | High
4 | File | `/admin/article/list_approve` | High
5 | File | `/admin/contact/list` | High
6 | File | `/admin/foldernotice/list` | High
7 | File | `/admin/folderrollpicture/list` | High
8 | File | `/admin/friendlylink/list` | High
9 | File | `/admin/image/list` | High
10 | File | `/admin/imagealbum/list` | High
11 | File | `/admin/site/list` | High
12 | File | `/admin/video/list` | High
13 | File | `/admin/videoalbum/list` | High
14 | File | `/admin_book.php` | High
15 | File | `/api/upload-resource` | High
16 | File | `/appConfig/userDB.json` | High
17 | File | `/bd_genie_create_account.cgi` | High
18 | File | `/bin/boa` | Medium
19 | File | `/bin/httpd` | Medium
20 | File | `/blog/edit` | Medium
21 | File | `/blogengine/api/posts` | High
22 | File | `/brand.php` | Medium
23 | File | `/carbon/mediation_secure_vault/properties/ajaxprocessor.jsp` | High
24 | File | `/carbon/ndatasource/validateconnection/ajaxprocessor.jsp` | High
25 | File | `/card/in-card.php` | High
26 | File | `/cgi-bin/luci/api/wireless` | High
27 | File | `/client.php` | Medium
28 | ... | ... | ...
1 | File | `/admin/?page=orders/view_order` | High
2 | File | `/Admin/add-student.php` | High
3 | File | `/admin/client_assign.php` | High
4 | File | `/admin/client_edit.php` | High
5 | File | `/admin/feature_edit.php` | High
6 | File | `/Admin/login.php` | High
7 | File | `/admin/settings.php` | High
8 | File | `/admin/subnets/ripe-query.php` | High
9 | File | `/admin/update_currency.php` | High
10 | File | `/admin/update_expense.php` | High
11 | File | `/admin/up_booking.php` | High
12 | File | `/authUserAction!edit.action` | High
13 | File | `/baseOpLog.do` | High
14 | File | `/buspassms/download-pass.php` | High
15 | File | `/cardo/api` | Medium
16 | File | `/category.php` | High
17 | File | `/cgi-bin/cstecgi.cgi` | High
18 | File | `/csms/admin/storages/manage_storage.php` | High
19 | File | `/csms/admin/storages/view_storage.php` | High
20 | File | `/DesignTools/CssEditor.aspx` | High
21 | File | `/diagnostic/editcategory.php` | High
22 | ... | ... | ...

There are 235 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 187 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

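Review bot: this hunk replaces all 27 visible IOA rows and lowers the remaining-items count from 235 to 187, so 48 indicators leave this actor's profile; the hunk gives no reason for the removal, so confirm it is a deliberate re-scoring and not a truncated regeneration before merging.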
@ -34,12 +34,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1211 | CWE-254 | 7PK Security Features | High
1 | T1006 | CWE-22 | Pathname Traversal | High
2 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
3 | T1068 | CWE-264, CWE-269, CWE-284 | Execution with Unnecessary Privileges | High
4 | ... | ... | ... | ...

There are 2 more TTP items available. Please use our online service to access the data.
There are 6 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

@ -47,13 +47,13 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/index.php` | Medium
2 | File | `/uncpath/` | Medium
3 | File | `add_comment.php` | High
4 | File | `data/gbconfiguration.dat` | High
1 | File | `/cgi-bin/wlogin.cgi` | High
2 | File | `/index.php` | Medium
3 | File | `/uncpath/` | Medium
4 | File | `add_comment.php` | High
5 | ... | ... | ...

There are 26 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 28 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -84,15 +84,16 @@ ID | Type | Indicator | Confidence
1 | File | `/api` | Low
2 | File | `/include/makecvs.php` | High
3 | File | `/PluXml/core/admin/parametres_edittpl.php` | High
4 | File | `/usr/local/psa/admin/sbin/wrapper` | High
5 | File | `/wp-admin/admin.php?page=wp_file_manager_properties` | High
6 | File | `add.php` | Low
7 | File | `admin/admin.shtml` | High
8 | File | `bpf-object-fuzzer.c` | High
9 | File | `cal.php` | Low
10 | ... | ... | ...
4 | File | `/requests.php` | High
5 | File | `/usr/local/psa/admin/sbin/wrapper` | High
6 | File | `/wp-admin/admin.php?page=wp_file_manager_properties` | High
7 | File | `add.php` | Low
8 | File | `admin/admin.shtml` | High
9 | File | `bpf-object-fuzzer.c` | High
10 | File | `cal.php` | Low
11 | ... | ... | ...

There are 74 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 79 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -0,0 +1,151 @@
# BeamWinHTTP - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [BeamWinHTTP](https://vuldb.com/?actor.beamwinhttp). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.beamwinhttp](https://vuldb.com/?actor.beamwinhttp)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with BeamWinHTTP:

* [US](https://vuldb.com/?country.us)

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of BeamWinHTTP.

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [37.0.8.39](https://vuldb.com/?ip.37.0.8.39) | - | - | High
2 | [212.192.246.217](https://vuldb.com/?ip.212.192.246.217) | - | - | High

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _BeamWinHTTP_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
2 | T1059 | CWE-94 | Cross Site Scripting | High
3 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
4 | ... | ... | ... | ...

There are 11 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by BeamWinHTTP. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/about.php` | Medium
2 | File | `/admin.php` | Medium
3 | File | `/admin/doctors/view_doctor.php` | High
4 | File | `/admin/modules/bibliography/index.php` | High
5 | File | `/adminlogin.asp` | High
6 | File | `/app/controller/Books.php` | High
7 | File | `/aqpg/users/login.php` | High
8 | File | `/controller/Index.php` | High
9 | File | `/coreframe/app/content/admin/content.php` | High
10 | File | `/dl/dl_print.php` | High
11 | File | `/etc/master.passwd` | High
12 | File | `/etc/passwd` | Medium
13 | File | `/Hospital-Management-System-master/contact.php` | High
14 | File | `/include/friends.inc.php` | High
15 | File | `/members/view_member.php` | High
16 | File | `/servlet/webacc` | High
17 | File | `/sitemagic/upgrade.php` | High
18 | File | `/userui/ticket_list.php` | High
19 | File | `/wp-admin/options-general.php` | High
20 | File | `/zm/index.php` | High
21 | File | `abook_database.php` | High
22 | File | `accounts/inc/include.php` | High
23 | File | `adaptive-images-script.php` | High
24 | File | `additem.asp` | Medium
25 | File | `addtocart.asp` | High
26 | File | `adherents/subscription/info.php` | High
27 | File | `admin.asp` | Medium
28 | File | `admin.php` | Medium
29 | File | `admin/admin.php` | High
30 | File | `admin/admin_users.php` | High
31 | File | `admin/general.php` | High
32 | File | `admin/header.php` | High
33 | File | `admin/inc/change_action.php` | High
34 | File | `admin/index.php` | High
35 | File | `admin/info.php` | High
36 | File | `admin/login.asp` | High
37 | File | `admin/manage-comments.php` | High
38 | File | `admin/manage-news.php` | High
39 | File | `admin/plugin-settings.php` | High
40 | File | `admin/specials.php` | High
41 | File | `admin:de` | Medium
42 | File | `admincp/auth/checklogin.php` | High
43 | File | `admincp/auth/secure.php` | High
44 | File | `administrator/components/com_media/helpers/media.php` | High
45 | File | `administrator/index.php` | High
46 | File | `admin_login.asp` | High
47 | File | `adv_search.asp` | High
48 | File | `ajax_url.php` | Medium
49 | File | `album_portal.php` | High
50 | File | `al_initialize.php` | High
51 | File | `anjel.index.php` | High
52 | File | `annonces-p-f.php` | High
53 | File | `announce.php` | Medium
54 | File | `announcement.php` | High
55 | File | `announcements.php` | High
56 | File | `app/admin/routing/edit-bgp-mapping-search.php` | High
57 | File | `application/config/config.php` | High
58 | File | `apply.cgi` | Medium
59 | File | `apps/app_article/controller/rating.php` | High
60 | File | `article.php` | Medium
61 | File | `articles.php` | Medium
62 | File | `artikel_anzeige.php` | High
63 | File | `auktion.cgi` | Medium
64 | File | `auth.php` | Medium
65 | File | `authfiles/login.asp` | High
66 | File | `basket.php` | Medium
67 | File | `boardData103.php/boardDataJP.php/boardDataNA.php/boardDataWW.php` | High
68 | File | `books.php` | Medium
69 | File | `browse-category.php` | High
70 | File | `browse.php` | Medium
71 | File | `browse_videos.php` | High
72 | File | `BrudaNews/BrudaGB` | High
73 | File | `bwlist_inc.html` | High
74 | File | `calendar.php` | Medium
75 | File | `callme_page.php` | High
76 | File | `cart.php` | Medium
77 | File | `cart_add.php` | Medium
78 | File | `case.filemanager.php` | High
79 | File | `catalog.php` | Medium
80 | File | `catalogshop.php` | High
81 | File | `catalogue.asp` | High
82 | File | `category.cfm` | Medium
83 | File | `category.php` | Medium
84 | File | `category_list.php` | High
85 | File | `cgi-bin/awstats.pl` | High
86 | File | `channel.asp` | Medium
87 | File | `ChooseCpSearch.php` | High
88 | File | `comentarii.php` | High
89 | File | `comments.php` | Medium
90 | File | `config.inc.php` | High
91 | File | `config.php` | Medium
92 | ... | ... | ...

There are 814 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://asec.ahnlab.com/en/34876/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

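Review bot: two IOA rows in the new file are not usable as File indicators as written: row 67 `boardData103.php/boardDataJP.php/boardDataNA.php/boardDataWW.php` joins four distinct file names into one slash-separated string that no request path will ever equal, and row 41 `admin:de` is not a path at all; split the former into one row per file and re-type or drop the latter. In the TTP table, row 2 describes CWE-94 (code injection) as Cross Site Scripting, the same Description/Weakness mismatch flagged on the other actor files in this commit.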
@ -0,0 +1,123 @@
# BianLian - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [BianLian](https://vuldb.com/?actor.bianlian). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.bianlian](https://vuldb.com/?actor.bianlian)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with BianLian:

* [SC](https://vuldb.com/?country.sc)
* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* ...

There are 14 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of BianLian.

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [5.2.79.138](https://vuldb.com/?ip.5.2.79.138) | - | - | High
2 | [5.188.6.118](https://vuldb.com/?ip.5.188.6.118) | subnet.local | - | High
3 | [5.230.67.2](https://vuldb.com/?ip.5.230.67.2) | - | - | High
4 | [13.49.57.110](https://vuldb.com/?ip.13.49.57.110) | ec2-13-49-57-110.eu-north-1.compute.amazonaws.com | - | Medium
5 | [16.162.137.220](https://vuldb.com/?ip.16.162.137.220) | ec2-16-162-137-220.ap-east-1.compute.amazonaws.com | - | Medium
6 | [18.130.242.71](https://vuldb.com/?ip.18.130.242.71) | ec2-18-130-242-71.eu-west-2.compute.amazonaws.com | - | Medium
7 | [23.94.56.154](https://vuldb.com/?ip.23.94.56.154) | 23-94-56-154-host.colocrossing.com | - | High
8 | [23.227.198.243](https://vuldb.com/?ip.23.227.198.243) | 23-227-198-243.static.hvvc.us | - | High
9 | [37.235.54.81](https://vuldb.com/?ip.37.235.54.81) | 81.54.235.37.in-addr.arpa | - | High
10 | [43.155.116.250](https://vuldb.com/?ip.43.155.116.250) | - | - | High
11 | [45.9.150.132](https://vuldb.com/?ip.45.9.150.132) | - | - | High
12 | [45.92.156.105](https://vuldb.com/?ip.45.92.156.105) | - | - | High
13 | ... | ... | ... | ...

There are 46 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _BianLian_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
2 | T1040 | CWE-294, CWE-319 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
6 | ... | ... | ... | ...

There are 21 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by BianLian. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/+CSCOE+/logon.html` | High
2 | File | `/addQuestion.php` | High
3 | File | `/admin` | Low
4 | File | `/admin/admapi.php` | High
5 | File | `/admin/conferences/get-all-status/` | High
6 | File | `/admin/conferences/list/` | High
7 | File | `/admin/countrymanagement.php` | High
8 | File | `/admin/general/change-lang` | High
9 | File | `/admin/group/list/` | High
10 | File | `/admin/renewaldue.php` | High
11 | File | `/admin/usermanagement.php` | High
12 | File | `/admin/ztliuyan_sendmail.php` | High
13 | File | `/api/RecordingList/DownloadRecord?file=` | High
14 | File | `/app1/admin#foo` | High
15 | File | `/aya/module/admin/ust_tab_e.inc.php` | High
16 | File | `/backups/` | Medium
17 | File | `/bl-plugins/backup/plugin.php` | High
18 | File | `/category.php` | High
19 | File | `/cgi-bin/editBookmark` | High
20 | File | `/chart` | Low
21 | File | `/Core/Ap4Utils.h` | High
22 | File | `/core/kernels/ctc_decoder_ops.cc` | High
23 | File | `/ctpms/classes/Master.php?f=delete_application` | High
24 | File | `/etc/passwd` | Medium
25 | File | `/front/roomtype-details.php` | High
26 | File | `/goform/aspForm` | High
27 | File | `/gofrom/setwanType` | High
28 | File | `/hdf5/src/H5T.c` | High
29 | File | `/homeaction.php` | High
30 | File | `/horde/imp/search.php` | High
31 | File | `/index.php` | Medium
32 | File | `/installer/upgrade_start` | High
33 | File | `/Items/*/RemoteImages/Download` | High
34 | File | `/items/view_item.php` | High
35 | File | `/lan.asp` | Medium
36 | File | `/librarian/bookdetails.php` | High
37 | File | `/lists/admin/` | High
38 | File | `/mail/index.html` | High
39 | File | `/media/?action=cmd` | High
40 | File | `/medicines` | Medium
41 | File | `/navigate/navigate_download.php` | High
42 | File | `/onlineordering/GPST/admin/design.php` | High
43 | File | `/public/plugins/` | High
44 | ... | ... | ...

There are 385 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://rhisac.org/threat-intelligence/bianlian-ransomware-expanding-c2-infrastructure-and-operational-tempo/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

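Review bot: several rows in the new file will not match anything in practice and should be cleaned before publication: IOC row 9's hostname `81.54.235.37.in-addr.arpa` is the reverse-DNS query name itself, i.e. a PTR lookup that returned nothing, and IOC row 2's `subnet.local` is an internal name that does not resolve from outside; IOA row 14 `/app1/admin#foo` carries a URL fragment, which browsers strip before sending the request, so `#foo` never reaches a server log; and IOA row 33 `/Items/*/RemoteImages/Download` contains a glob that a literal path comparison will not expand. IOC rows 4 to 6 are generic EC2 reverse names that change hands when the instance is released, which their Medium confidence already reflects.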
@ -4,6 +4,17 @@ These _indicators_ were reported, collected, and generated during the [VulDB CTI

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.black_basta](https://vuldb.com/?actor.black_basta)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Black Basta:

* [US](https://vuldb.com/?country.us)
* [DO](https://vuldb.com/?country.do)
* [SG](https://vuldb.com/?country.sg)
* ...

There are 3 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Black Basta.

@ -11,12 +22,45 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [23.106.160.188](https://vuldb.com/?ip.23.106.160.188) | - | - | High
2 | [24.178.196.44](https://vuldb.com/?ip.24.178.196.44) | 024-178-196-044.biz.spectrum.com | - | High
3 | [37.186.54.185](https://vuldb.com/?ip.37.186.54.185) | - | - | High
4 | [39.44.144.182](https://vuldb.com/?ip.39.44.144.182) | - | - | High
5 | ... | ... | ... | ...

There are 17 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Black Basta_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-269, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1505 | CWE-89 | SQL Injection | High
4 | ... | ... | ... | ...

There are 1 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Black Basta. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/cardo/api` | Medium
2 | File | `/index.php` | Medium
3 | File | `/sendrcpackage?keyid=-2544&keysymbol=-4081` | High
4 | ... | ... | ...

There are 19 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://1275.ru/ioc/311/black-basta-apt-iocs/
* https://www.trendmicro.com/de_de/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html

## Literature

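Review bot: the summary line `There are 1 more TTP items available` shows the template does not handle the singular case; the generator should emit `There is 1 more TTP item available` (the Black KingDom countries hunk further down has the same `There are 1 more country items` wording). In the IOA table, row 3 bakes specific query values into the indicator (`keyid=-2544&keysymbol=-4081`), so a detection keyed on the full string misses requests with any other values; the stable part to record is the `/sendrcpackage` path, with the parameter names at most.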
@ -9,8 +9,11 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Black KingDom:

* [US](https://vuldb.com/?country.us)
* [FR](https://vuldb.com/?country.fr)
* [GB](https://vuldb.com/?country.gb)
* [PT](https://vuldb.com/?country.pt)
* ...

There are 1 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -31,14 +34,15 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-35, CWE-36 | Pathname Traversal | High
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-25, CWE-35 | Pathname Traversal | High
2 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-94, CWE-1321 | Cross Site Scripting | High
4 | T1059 | CWE-88, CWE-94, CWE-1321 | Cross Site Scripting | High
5 | T1059.007 | CWE-79 | Cross Site Scripting | High
6 | ... | ... | ... | ...
6 | T1068 | CWE-264, CWE-269, CWE-284 | Execution with Unnecessary Privileges | High
7 | ... | ... | ... | ...

There are 20 more TTP items available. Please use our online service to access the data.
There are 23 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

@ -46,41 +50,33 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/admin/?page=reports/stockin` | High
2 | File | `/admin/?page=reports/waste` | High
3 | File | `/admin/?page=user/manage_user` | High
4 | File | `/admin/addemployee.php` | High
5 | File | `/admin/article/list_approve` | High
6 | File | `/admin/contact/list` | High
7 | File | `/admin/del.php` | High
8 | File | `/admin/delete.php` | High
9 | File | `/admin/delstu.php` | High
10 | File | `/admin/foldernotice/list` | High
11 | File | `/admin/history.php` | High
12 | File | `/admin/image/list` | High
13 | File | `/admin/imagealbum/list` | High
14 | File | `/admin/login.php` | High
15 | File | `/admin/modify.php` | High
16 | File | `/admin/modify1.php` | High
17 | File | `/admin/products/controller.php?action=add` | High
18 | File | `/admin/sendmailto.php?tomail=&groupid=` | High
19 | File | `/admin/site/list` | High
20 | File | `/admin/video/list` | High
21 | File | `/admin_book.php` | High
22 | File | `/advanced-tools/nova/bin/netwatch` | High
23 | File | `/api/upload-resource` | High
24 | File | `/api/v1/user` | Medium
25 | File | `/appConfig/userDB.json` | High
26 | File | `/bin/boa` | Medium
27 | File | `/bin/httpd` | Medium
28 | File | `/blog/edit` | Medium
29 | File | `/blogengine/api/posts` | High
30 | File | `/brand.php` | Medium
31 | File | `/carbon/ndatasource/validateconnection/ajaxprocessor.jsp` | High
32 | File | `/card/in-card.php` | High
33 | ... | ... | ...
1 | File | `/admin/article/list_approve` | High
2 | File | `/admin/client_assign.php` | High
3 | File | `/admin/client_edit.php` | High
4 | File | `/admin/contact/list` | High
5 | File | `/admin/feature_edit.php` | High
6 | File | `/admin/foldernotice/list` | High
7 | File | `/admin/image/list` | High
8 | File | `/admin/imagealbum/list` | High
9 | File | `/admin/select.php` | High
10 | File | `/admin/sendmailto.php?tomail=&groupid=` | High
11 | File | `/admin/site/list` | High
12 | File | `/admin/subnets/ripe-query.php` | High
13 | File | `/admin/update_currency.php` | High
14 | File | `/admin/video/list` | High
15 | File | `/admin_book.php` | High
16 | File | `/api/upload-resource` | High
17 | File | `/authUserAction!edit.action` | High
18 | File | `/bin/boa` | Medium
19 | File | `/bin/httpd` | Medium
20 | File | `/buspassms/download-pass.php` | High
21 | File | `/carbon/ndatasource/validateconnection/ajaxprocessor.jsp` | High
22 | File | `/card/in-card.php` | High
23 | File | `/cgi-bin/cstecgi.cgi` | High
24 | File | `/confirm` | Medium
25 | ... | ... | ...

There are 279 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 207 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

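Review bot: as with the other IOA regeneration in this commit, all 32 visible rows are replaced and the remaining-items count falls from 279 to 207, so 72 indicators leave the Black KingDom profile with no visible justification; confirm the reduction is intended rather than a partial regeneration.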
@ -51,7 +51,7 @@ ID | Type | Indicator | Confidence
6 | File | `Adminstrator/Users/Edit/` | High
7 | ... | ... | ...

There are 49 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 52 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -34,15 +34,15 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-24, CWE-425 | Pathname Traversal | High
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-24, CWE-25, CWE-425 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-294, CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
|
||||
4 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
6 | T1068 | CWE-250, CWE-264, CWE-269, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
6 | T1068 | CWE-250, CWE-264, CWE-266, CWE-269, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
7 | ... | ... | ... | ...
|
||||
|
||||
There are 23 more TTP items available. Please use our online service to access the data.
|
||||
There are 25 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
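Review bot: the Description column still mislabels rows that this hunk carries through unchanged: row 4 (T1059) and row 5 (T1059.007) both read "Cross Site Scripting", so only the Weakness column (CWE-94 versus CWE-79, CWE-80) tells them apart, and rows 2 and 6 pair T1040 and T1068 with "Authentication Bypass by Capture-replay" and "Execution with Unnecessary Privileges", which are the names of CWE-294 and CWE-250 rather than of the ATT&CK techniques. Either rename the column so it is clear it describes the weakness class, or add a sentence to the section intro saying so; otherwise a reader takes "Cross Site Scripting" as the name of T1059. The CWE edits themselves (CWE-25 added to row 1, CWE-88 dropped from row 4, CWE-266 added to row 6, count moving from 23 to 25) are consistent with the rest of the table.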
@ -64,26 +64,25 @@ ID | Type | Indicator | Confidence
12 | File | `/bcms/admin/?page=reports/daily_court_rental_report` | High
13 | File | `/bcms/admin/?page=service_transactions/manage_service_transaction` | High
14 | File | `/bcms/classes/Master.php?f=delete_court_rental` | High
15 | File | `/cgi/get_param.cgi` | High
16 | File | `/checklogin.jsp` | High
17 | File | `/ci_hms/search` | High
18 | File | `/ci_spms/admin/search/searching/` | High
19 | File | `/classes/Master.php?f=delete_category` | High
20 | File | `/classes/Master.php?f=delete_payment` | High
21 | File | `/classes/Master.php?f=delete_schedule` | High
22 | File | `/company/account/safety/trade` | High
23 | File | `/ctpms/admin/?page=individuals/view_individual` | High
24 | File | `/ctpms/classes/Master.php?f=delete_img` | High
25 | File | `/dashboard/reports/logs/view` | High
26 | File | `/dashboard/snapshot/*?orgId=0` | High
27 | File | `/dotrace.asp` | Medium
28 | File | `/etc/init0.d/S80telnetd.sh` | High
29 | File | `/fuel/sitevariables/delete/4` | High
30 | File | `/goform/AdvSetLanIp` | High
31 | File | `/goform/aspForm` | High
32 | ... | ... | ...
15 | File | `/buspassms/download-pass.php` | High
16 | File | `/cgi-bin/cstecgi.cgi` | High
17 | File | `/cgi/get_param.cgi` | High
18 | File | `/checklogin.jsp` | High
19 | File | `/ci_hms/search` | High
20 | File | `/ci_spms/admin/search/searching/` | High
21 | File | `/classes/Master.php?f=delete_category` | High
22 | File | `/classes/Master.php?f=delete_payment` | High
23 | File | `/classes/Master.php?f=delete_schedule` | High
24 | File | `/company/account/safety/trade` | High
25 | File | `/csms/admin/storages/view_storage.php` | High
26 | File | `/dashboard/reports/logs/view` | High
27 | File | `/dashboard/snapshot/*?orgId=0` | High
28 | File | `/diagnostic/editclient.php` | High
29 | File | `/dotrace.asp` | Medium
30 | File | `/etc/init0.d/S80telnetd.sh` | High
31 | ... | ... | ...

There are 275 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 267 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -19,6 +19,9 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [MS](https://vuldb.com/?country.ms)
* [CN](https://vuldb.com/?country.cn)
* [US](https://vuldb.com/?country.us)
* ...

There are 1 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -29,9 +32,10 @@ ID | IP address | Hostname | Campaign | Confidence
1 | [10.0.0.211](https://vuldb.com/?ip.10.0.0.211) | - | WaterBear | High
2 | [43.240.12.81](https://vuldb.com/?ip.43.240.12.81) | mail.terascape.net | Taiwan Government Agencies | High
3 | [45.76.102.145](https://vuldb.com/?ip.45.76.102.145) | 45.76.102.145.vultr.com | TSCookie | Medium
4 | ... | ... | ... | ...
4 | [45.124.25.31](https://vuldb.com/?ip.45.124.25.31) | hkhdc.laws.ms | Taiwan Government Agencies | High
5 | ... | ... | ... | ...

There are 11 more IOC items available. Please use our online service to access the data.
There are 14 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

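Review bot: row 1 of this IOC table keeps 10.0.0.211 at High confidence, but that address is RFC 1918 private space, so it cannot identify an Internet host and will match internal machines in any environment that loads this list into detection rules. Suggest the generator drop or downgrade private and reserved ranges, or mark such rows so consumers can filter them out. The addition in this hunk, 45.124.25.31 (hkhdc.laws.ms) as row 4 under the Taiwan Government Agencies campaign with the count moving from 11 to 14, is fine as written.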
@ -45,7 +49,7 @@ ID | Technique | Weakness | Description | Confidence
4 | T1059 | CWE-94 | Cross Site Scripting | High
5 | ... | ... | ... | ...

There are 15 more TTP items available. Please use our online service to access the data.
There are 16 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

@ -56,20 +60,22 @@ ID | Type | Indicator | Confidence
1 | File | `/cdsms/classes/Master.php?f=delete_enrollment` | High
2 | File | `/cgi-bin/portal` | High
3 | File | `/cgi-mod/lookup.cgi` | High
4 | File | `/mifs/c/i/reg/reg.html` | High
5 | File | `/server-info` | Medium
6 | File | `/service/upload` | High
7 | File | `/tmp` | Low
8 | File | `/uncpath/` | Medium
9 | File | `/wp-json/oembed/1.0/embed?url` | High
10 | File | `a2billing/customer/iridium_threed.php` | High
11 | File | `admin.php` | Medium
12 | File | `admin.php?s=/Channel/add.html` | High
13 | File | `admin/class-bulk-editor-list-table.php` | High
14 | File | `administrator/components/com_media/helpers/media.php` | High
15 | ... | ... | ...
4 | File | `/forum/away.php` | High
5 | File | `/mifs/c/i/reg/reg.html` | High
6 | File | `/modules/profile/index.php` | High
7 | File | `/RPC2` | Low
8 | File | `/server-info` | Medium
9 | File | `/service/upload` | High
10 | File | `/tmp` | Low
11 | File | `/uncpath/` | Medium
12 | File | `/wp-json/oembed/1.0/embed?url` | High
13 | File | `a2billing/customer/iridium_threed.php` | High
14 | File | `admin.php` | Medium
15 | File | `admin.php?s=/Channel/add.html` | High
16 | File | `admin/class-bulk-editor-list-table.php` | High
17 | ... | ... | ...

There are 120 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 137 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -77,6 +83,7 @@ The following list contains _external sources_ which discuss the actor and the a

* https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html
* https://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html
* https://blogs.jpcert.or.jp/en/2022/09/bigip-exploit.html
* https://www.ithome.com.tw/news/139504
* https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html
* https://www.trendmicro.com/en_us/research/19/l/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection.html

@ -50,32 +50,39 @@ ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `.htaccess` | Medium
2 | File | `/.env` | Low
3 | File | `/cgi-bin/nobody` | High
4 | File | `/cgi-bin/nobody/Search.cgi` | High
5 | File | `/edit-db.php` | Medium
6 | File | `/etc/passwd` | Medium
7 | File | `/forum/away.php` | High
8 | File | `/get_getnetworkconf.cgi` | High
9 | File | `/horde/util/go.php` | High
10 | File | `/mobile_seal/get_seal.php` | High
11 | File | `/new` | Low
12 | File | `/nova/bin/detnet` | High
13 | File | `/show_news.php` | High
14 | File | `/tmp` | Low
15 | File | `/uncpath/` | Medium
16 | File | `/userRpm/MediaServerFoldersCfgRpm.htm` | High
17 | File | `/vicidial/AST_agent_time_sheet.php` | High
18 | File | `/ViewUserHover.jspa` | High
19 | File | `AccountStatus.jsp` | High
20 | File | `adclick.php` | Medium
21 | File | `add.php` | Low
22 | File | `admin/systemOutOfBand.do` | High
23 | File | `app/application.cpp` | High
24 | File | `auth-gss2.c` | Medium
25 | File | `authent.php4` | Medium
26 | ... | ... | ...
3 | File | `/admin/login.php` | High
4 | File | `/cgi-bin/nobody` | High
5 | File | `/cgi-bin/nobody/Search.cgi` | High
6 | File | `/edit-db.php` | Medium
7 | File | `/etc/passwd` | Medium
8 | File | `/forum/away.php` | High
9 | File | `/get_getnetworkconf.cgi` | High
10 | File | `/horde/util/go.php` | High
11 | File | `/mobile_seal/get_seal.php` | High
12 | File | `/new` | Low
13 | File | `/nova/bin/detnet` | High
14 | File | `/show_news.php` | High
15 | File | `/tmp` | Low
16 | File | `/uncpath/` | Medium
17 | File | `/userRpm/MediaServerFoldersCfgRpm.htm` | High
18 | File | `/vicidial/AST_agent_time_sheet.php` | High
19 | File | `/ViewUserHover.jspa` | High
20 | File | `AccountStatus.jsp` | High
21 | File | `adclick.php` | Medium
22 | File | `add.php` | Low
23 | File | `admin.color.php` | High
24 | File | `admin.joomlaradiov5.php` | High
25 | File | `admin/systemOutOfBand.do` | High
26 | File | `allopass-error.php` | High
27 | File | `app/application.cpp` | High
28 | File | `ashnews.php/ashheadlines.php` | High
29 | File | `auth-gss2.c` | Medium
30 | File | `authent.php4` | Medium
31 | File | `base_maintenance.php` | High
32 | File | `BBStore.php` | Medium
33 | ... | ... | ...

There are 216 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 284 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -10,10 +10,10 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce

* [VN](https://vuldb.com/?country.vn)
* [US](https://vuldb.com/?country.us)
* [ES](https://vuldb.com/?country.es)
* [NL](https://vuldb.com/?country.nl)
* ...

There are 2 more country items available. Please use our online service to access the data.
There are 7 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -29,114 +29,117 @@ ID | IP address | Hostname | Campaign | Confidence
6 | [2.97.24.126](https://vuldb.com/?ip.2.97.24.126) | host-2-97-24-126.as13285.net | - | High
7 | [2.190.89.140](https://vuldb.com/?ip.2.190.89.140) | - | - | High
8 | [2.211.111.213](https://vuldb.com/?ip.2.211.111.213) | dynamic-002-211-111-213.2.211.pool.telefonica.de | - | High
9 | [3.144.143.242](https://vuldb.com/?ip.3.144.143.242) | ec2-3-144-143-242.us-east-2.compute.amazonaws.com | - | Medium
10 | [3.172.226.46](https://vuldb.com/?ip.3.172.226.46) | - | - | High
11 | [4.165.175.212](https://vuldb.com/?ip.4.165.175.212) | - | - | High
12 | [5.152.80.211](https://vuldb.com/?ip.5.152.80.211) | - | - | High
13 | [5.239.33.172](https://vuldb.com/?ip.5.239.33.172) | - | - | High
14 | [6.30.139.246](https://vuldb.com/?ip.6.30.139.246) | - | - | High
15 | [6.249.22.42](https://vuldb.com/?ip.6.249.22.42) | - | - | High
16 | [7.233.9.154](https://vuldb.com/?ip.7.233.9.154) | - | - | High
17 | [8.12.181.20](https://vuldb.com/?ip.8.12.181.20) | - | - | High
18 | [9.63.15.101](https://vuldb.com/?ip.9.63.15.101) | - | - | High
19 | [9.240.112.25](https://vuldb.com/?ip.9.240.112.25) | - | - | High
20 | [10.28.17.62](https://vuldb.com/?ip.10.28.17.62) | - | - | High
21 | [11.1.201.27](https://vuldb.com/?ip.11.1.201.27) | - | - | High
22 | [12.75.186.131](https://vuldb.com/?ip.12.75.186.131) | 131.newark-21-23rs.nj.dial-access.att.net | - | High
23 | [12.115.36.174](https://vuldb.com/?ip.12.115.36.174) | - | - | High
24 | [12.153.80.238](https://vuldb.com/?ip.12.153.80.238) | - | - | High
25 | [12.202.229.195](https://vuldb.com/?ip.12.202.229.195) | - | - | High
26 | [12.236.242.155](https://vuldb.com/?ip.12.236.242.155) | - | - | High
27 | [13.2.200.200](https://vuldb.com/?ip.13.2.200.200) | - | - | High
28 | [13.218.205.215](https://vuldb.com/?ip.13.218.205.215) | - | - | High
29 | [14.7.69.141](https://vuldb.com/?ip.14.7.69.141) | - | - | High
30 | [14.40.68.19](https://vuldb.com/?ip.14.40.68.19) | - | - | High
31 | [14.102.170.127](https://vuldb.com/?ip.14.102.170.127) | cache-ipnet01.nexlogic.ph | - | High
32 | [14.155.143.74](https://vuldb.com/?ip.14.155.143.74) | - | - | High
33 | [14.163.179.250](https://vuldb.com/?ip.14.163.179.250) | static.vnpt.vn | - | High
34 | [15.209.19.148](https://vuldb.com/?ip.15.209.19.148) | - | - | High
35 | [18.8.71.243](https://vuldb.com/?ip.18.8.71.243) | - | - | High
36 | [18.127.96.221](https://vuldb.com/?ip.18.127.96.221) | - | - | High
37 | [19.32.56.182](https://vuldb.com/?ip.19.32.56.182) | - | - | High
38 | [19.71.13.153](https://vuldb.com/?ip.19.71.13.153) | - | - | High
39 | [20.150.149.28](https://vuldb.com/?ip.20.150.149.28) | - | - | High
40 | [21.21.141.32](https://vuldb.com/?ip.21.21.141.32) | - | - | High
41 | [21.29.238.98](https://vuldb.com/?ip.21.29.238.98) | - | - | High
42 | [21.175.22.99](https://vuldb.com/?ip.21.175.22.99) | - | - | High
43 | [21.246.85.34](https://vuldb.com/?ip.21.246.85.34) | - | - | High
44 | [22.83.186.45](https://vuldb.com/?ip.22.83.186.45) | - | - | High
45 | [22.175.0.90](https://vuldb.com/?ip.22.175.0.90) | - | - | High
46 | [23.81.246.187](https://vuldb.com/?ip.23.81.246.187) | - | - | High
47 | [23.82.19.208](https://vuldb.com/?ip.23.82.19.208) | - | - | High
48 | [23.82.140.133](https://vuldb.com/?ip.23.82.140.133) | - | - | High
49 | [23.82.141.184](https://vuldb.com/?ip.23.82.141.184) | - | - | High
50 | [23.83.133.1](https://vuldb.com/?ip.23.83.133.1) | v327.er01.dal.ubiquity.io | - | High
51 | [23.83.133.182](https://vuldb.com/?ip.23.83.133.182) | - | - | High
52 | [23.83.133.216](https://vuldb.com/?ip.23.83.133.216) | - | - | High
53 | [23.83.134.110](https://vuldb.com/?ip.23.83.134.110) | - | - | High
54 | [23.83.134.136](https://vuldb.com/?ip.23.83.134.136) | - | - | High
55 | [23.106.160.39](https://vuldb.com/?ip.23.106.160.39) | - | - | High
56 | [23.106.160.120](https://vuldb.com/?ip.23.106.160.120) | - | - | High
57 | [23.106.215.123](https://vuldb.com/?ip.23.106.215.123) | - | - | High
58 | [23.108.57.13](https://vuldb.com/?ip.23.108.57.13) | - | - | High
59 | [23.227.198.217](https://vuldb.com/?ip.23.227.198.217) | 23-227-198-217.static.hvvc.us | - | High
60 | [23.254.201.97](https://vuldb.com/?ip.23.254.201.97) | hwsrv-974106.hostwindsdns.com | - | High
61 | [23.254.202.59](https://vuldb.com/?ip.23.254.202.59) | hwsrv-987701.hostwindsdns.com | - | High
62 | [23.254.217.20](https://vuldb.com/?ip.23.254.217.20) | hwsrv-984041.hostwindsdns.com | - | High
63 | [23.254.217.222](https://vuldb.com/?ip.23.254.217.222) | hwsrv-976272.hostwindsdns.com | - | High
64 | [23.254.227.144](https://vuldb.com/?ip.23.254.227.144) | hwsrv-982332.hostwindsdns.com | - | High
65 | [24.4.68.32](https://vuldb.com/?ip.24.4.68.32) | c-24-4-68-32.hsd1.ca.comcast.net | - | High
66 | [24.57.185.167](https://vuldb.com/?ip.24.57.185.167) | d24-57-185-167.home.cgocable.net | - | High
67 | [24.121.25.160](https://vuldb.com/?ip.24.121.25.160) | 24-121-25-160.sdoncmtk01.com.dyn.suddenlink.net | - | High
68 | [25.5.198.104](https://vuldb.com/?ip.25.5.198.104) | - | - | High
69 | [25.170.215.18](https://vuldb.com/?ip.25.170.215.18) | - | - | High
70 | [25.181.64.39](https://vuldb.com/?ip.25.181.64.39) | - | - | High
71 | [26.6.83.53](https://vuldb.com/?ip.26.6.83.53) | - | - | High
72 | [28.11.143.222](https://vuldb.com/?ip.28.11.143.222) | - | - | High
73 | [28.53.120.108](https://vuldb.com/?ip.28.53.120.108) | - | - | High
74 | [28.107.38.196](https://vuldb.com/?ip.28.107.38.196) | - | - | High
75 | [28.148.236.16](https://vuldb.com/?ip.28.148.236.16) | - | - | High
76 | [29.64.0.111](https://vuldb.com/?ip.29.64.0.111) | - | - | High
77 | [29.122.243.158](https://vuldb.com/?ip.29.122.243.158) | - | - | High
78 | [30.17.4.146](https://vuldb.com/?ip.30.17.4.146) | - | - | High
79 | [30.65.48.152](https://vuldb.com/?ip.30.65.48.152) | - | - | High
80 | [30.205.76.70](https://vuldb.com/?ip.30.205.76.70) | - | - | High
81 | [31.228.253.114](https://vuldb.com/?ip.31.228.253.114) | - | - | High
82 | [32.181.245.23](https://vuldb.com/?ip.32.181.245.23) | - | - | High
83 | [33.93.97.183](https://vuldb.com/?ip.33.93.97.183) | - | - | High
84 | [33.145.184.132](https://vuldb.com/?ip.33.145.184.132) | - | - | High
85 | [34.229.154.31](https://vuldb.com/?ip.34.229.154.31) | ec2-34-229-154-31.compute-1.amazonaws.com | - | Medium
86 | [35.120.155.220](https://vuldb.com/?ip.35.120.155.220) | - | - | High
87 | [36.110.58.103](https://vuldb.com/?ip.36.110.58.103) | 103.58.110.36.static.bjtelecom.net | - | High
88 | [37.64.220.2](https://vuldb.com/?ip.37.64.220.2) | 2.220.64.37.rev.sfr.net | - | High
89 | [37.72.174.9](https://vuldb.com/?ip.37.72.174.9) | emailmail.org.uk | - | High
90 | [37.72.174.23](https://vuldb.com/?ip.37.72.174.23) | 37-72-174-23.static.hvvc.us | - | High
91 | [37.120.198.248](https://vuldb.com/?ip.37.120.198.248) | - | - | High
92 | [38.12.57.131](https://vuldb.com/?ip.38.12.57.131) | - | - | High
93 | [39.57.152.217](https://vuldb.com/?ip.39.57.152.217) | - | - | High
94 | [40.72.17.141](https://vuldb.com/?ip.40.72.17.141) | - | - | High
95 | [41.28.188.77](https://vuldb.com/?ip.41.28.188.77) | vc-gp-s-41-28-188-77.umts.vodacom.co.za | - | High
96 | [41.56.181.200](https://vuldb.com/?ip.41.56.181.200) | - | - | High
97 | [45.3.236.177](https://vuldb.com/?ip.45.3.236.177) | 045-003-236-177.biz.spectrum.com | - | High
98 | [45.11.19.224](https://vuldb.com/?ip.45.11.19.224) | - | - | High
99 | [45.66.151.155](https://vuldb.com/?ip.45.66.151.155) | - | - | High
100 | [45.84.0.13](https://vuldb.com/?ip.45.84.0.13) | vm523902.stark-industries.solutions | - | High
101 | [45.138.172.246](https://vuldb.com/?ip.45.138.172.246) | - | - | High
102 | [45.140.146.30](https://vuldb.com/?ip.45.140.146.30) | vm542320.stark-industries.solutions | - | High
103 | [45.140.146.244](https://vuldb.com/?ip.45.140.146.244) | - | - | High
104 | [45.142.214.120](https://vuldb.com/?ip.45.142.214.120) | vm516885.stark-industries.solutions | - | High
105 | [45.142.214.167](https://vuldb.com/?ip.45.142.214.167) | - | - | High
106 | [45.147.229.23](https://vuldb.com/?ip.45.147.229.23) | - | - | High
107 | [45.147.229.50](https://vuldb.com/?ip.45.147.229.50) | - | - | High
108 | [45.147.229.101](https://vuldb.com/?ip.45.147.229.101) | - | - | High
109 | [45.147.229.177](https://vuldb.com/?ip.45.147.229.177) | - | - | High
110 | [45.147.229.199](https://vuldb.com/?ip.45.147.229.199) | - | - | High
111 | [45.147.231.107](https://vuldb.com/?ip.45.147.231.107) | - | - | High
112 | [45.147.231.202](https://vuldb.com/?ip.45.147.231.202) | - | - | High
113 | [45.153.240.139](https://vuldb.com/?ip.45.153.240.139) | - | - | High
114 | ... | ... | ... | ...
9 | [3.85.198.66](https://vuldb.com/?ip.3.85.198.66) | ec2-3-85-198-66.compute-1.amazonaws.com | - | Medium
10 | [3.144.143.242](https://vuldb.com/?ip.3.144.143.242) | ec2-3-144-143-242.us-east-2.compute.amazonaws.com | - | Medium
11 | [3.172.226.46](https://vuldb.com/?ip.3.172.226.46) | - | - | High
12 | [4.165.175.212](https://vuldb.com/?ip.4.165.175.212) | - | - | High
13 | [5.152.80.211](https://vuldb.com/?ip.5.152.80.211) | - | - | High
14 | [5.239.33.172](https://vuldb.com/?ip.5.239.33.172) | - | - | High
15 | [6.30.139.246](https://vuldb.com/?ip.6.30.139.246) | - | - | High
16 | [6.249.22.42](https://vuldb.com/?ip.6.249.22.42) | - | - | High
17 | [7.233.9.154](https://vuldb.com/?ip.7.233.9.154) | - | - | High
18 | [8.12.181.20](https://vuldb.com/?ip.8.12.181.20) | - | - | High
19 | [9.63.15.101](https://vuldb.com/?ip.9.63.15.101) | - | - | High
20 | [9.240.112.25](https://vuldb.com/?ip.9.240.112.25) | - | - | High
21 | [10.28.17.62](https://vuldb.com/?ip.10.28.17.62) | - | - | High
22 | [11.1.201.27](https://vuldb.com/?ip.11.1.201.27) | - | - | High
23 | [12.75.186.131](https://vuldb.com/?ip.12.75.186.131) | 131.newark-21-23rs.nj.dial-access.att.net | - | High
24 | [12.115.36.174](https://vuldb.com/?ip.12.115.36.174) | - | - | High
25 | [12.153.80.238](https://vuldb.com/?ip.12.153.80.238) | - | - | High
26 | [12.202.229.195](https://vuldb.com/?ip.12.202.229.195) | - | - | High
27 | [12.236.242.155](https://vuldb.com/?ip.12.236.242.155) | - | - | High
28 | [13.2.200.200](https://vuldb.com/?ip.13.2.200.200) | - | - | High
29 | [13.218.205.215](https://vuldb.com/?ip.13.218.205.215) | - | - | High
30 | [14.7.69.141](https://vuldb.com/?ip.14.7.69.141) | - | - | High
31 | [14.40.68.19](https://vuldb.com/?ip.14.40.68.19) | - | - | High
32 | [14.102.170.127](https://vuldb.com/?ip.14.102.170.127) | cache-ipnet01.nexlogic.ph | - | High
33 | [14.155.143.74](https://vuldb.com/?ip.14.155.143.74) | - | - | High
34 | [14.163.179.250](https://vuldb.com/?ip.14.163.179.250) | static.vnpt.vn | - | High
35 | [15.209.19.148](https://vuldb.com/?ip.15.209.19.148) | - | - | High
36 | [18.8.71.243](https://vuldb.com/?ip.18.8.71.243) | - | - | High
37 | [18.127.96.221](https://vuldb.com/?ip.18.127.96.221) | - | - | High
38 | [19.32.56.182](https://vuldb.com/?ip.19.32.56.182) | - | - | High
39 | [19.71.13.153](https://vuldb.com/?ip.19.71.13.153) | - | - | High
40 | [20.150.149.28](https://vuldb.com/?ip.20.150.149.28) | - | - | High
41 | [21.21.141.32](https://vuldb.com/?ip.21.21.141.32) | - | - | High
42 | [21.29.238.98](https://vuldb.com/?ip.21.29.238.98) | - | - | High
43 | [21.175.22.99](https://vuldb.com/?ip.21.175.22.99) | - | - | High
44 | [21.246.85.34](https://vuldb.com/?ip.21.246.85.34) | - | - | High
45 | [22.83.186.45](https://vuldb.com/?ip.22.83.186.45) | - | - | High
46 | [22.175.0.90](https://vuldb.com/?ip.22.175.0.90) | - | - | High
47 | [23.81.246.187](https://vuldb.com/?ip.23.81.246.187) | - | - | High
48 | [23.82.19.208](https://vuldb.com/?ip.23.82.19.208) | - | - | High
49 | [23.82.140.133](https://vuldb.com/?ip.23.82.140.133) | - | - | High
50 | [23.82.141.184](https://vuldb.com/?ip.23.82.141.184) | - | - | High
51 | [23.83.133.1](https://vuldb.com/?ip.23.83.133.1) | v327.er01.dal.ubiquity.io | - | High
52 | [23.83.133.182](https://vuldb.com/?ip.23.83.133.182) | - | - | High
53 | [23.83.133.216](https://vuldb.com/?ip.23.83.133.216) | - | - | High
54 | [23.83.134.110](https://vuldb.com/?ip.23.83.134.110) | - | - | High
55 | [23.83.134.136](https://vuldb.com/?ip.23.83.134.136) | - | - | High
56 | [23.106.160.39](https://vuldb.com/?ip.23.106.160.39) | - | - | High
57 | [23.106.160.120](https://vuldb.com/?ip.23.106.160.120) | - | - | High
58 | [23.106.215.123](https://vuldb.com/?ip.23.106.215.123) | - | - | High
59 | [23.108.57.13](https://vuldb.com/?ip.23.108.57.13) | - | - | High
60 | [23.227.198.217](https://vuldb.com/?ip.23.227.198.217) | 23-227-198-217.static.hvvc.us | - | High
61 | [23.254.201.97](https://vuldb.com/?ip.23.254.201.97) | hwsrv-974106.hostwindsdns.com | - | High
62 | [23.254.202.59](https://vuldb.com/?ip.23.254.202.59) | hwsrv-987701.hostwindsdns.com | - | High
63 | [23.254.217.20](https://vuldb.com/?ip.23.254.217.20) | hwsrv-984041.hostwindsdns.com | - | High
64 | [23.254.217.222](https://vuldb.com/?ip.23.254.217.222) | hwsrv-976272.hostwindsdns.com | - | High
65 | [23.254.227.144](https://vuldb.com/?ip.23.254.227.144) | hwsrv-982332.hostwindsdns.com | - | High
66 | [24.4.68.32](https://vuldb.com/?ip.24.4.68.32) | c-24-4-68-32.hsd1.ca.comcast.net | - | High
67 | [24.57.185.167](https://vuldb.com/?ip.24.57.185.167) | d24-57-185-167.home.cgocable.net | - | High
68 | [24.121.25.160](https://vuldb.com/?ip.24.121.25.160) | 24-121-25-160.sdoncmtk01.com.dyn.suddenlink.net | - | High
69 | [25.5.198.104](https://vuldb.com/?ip.25.5.198.104) | - | - | High
70 | [25.170.215.18](https://vuldb.com/?ip.25.170.215.18) | - | - | High
71 | [25.181.64.39](https://vuldb.com/?ip.25.181.64.39) | - | - | High
72 | [26.6.83.53](https://vuldb.com/?ip.26.6.83.53) | - | - | High
73 | [28.11.143.222](https://vuldb.com/?ip.28.11.143.222) | - | - | High
74 | [28.53.120.108](https://vuldb.com/?ip.28.53.120.108) | - | - | High
75 | [28.107.38.196](https://vuldb.com/?ip.28.107.38.196) | - | - | High
76 | [28.148.236.16](https://vuldb.com/?ip.28.148.236.16) | - | - | High
77 | [29.64.0.111](https://vuldb.com/?ip.29.64.0.111) | - | - | High
78 | [29.122.243.158](https://vuldb.com/?ip.29.122.243.158) | - | - | High
79 | [30.17.4.146](https://vuldb.com/?ip.30.17.4.146) | - | - | High
80 | [30.65.48.152](https://vuldb.com/?ip.30.65.48.152) | - | - | High
81 | [30.205.76.70](https://vuldb.com/?ip.30.205.76.70) | - | - | High
82 | [31.228.253.114](https://vuldb.com/?ip.31.228.253.114) | - | - | High
83 | [32.181.245.23](https://vuldb.com/?ip.32.181.245.23) | - | - | High
84 | [33.93.97.183](https://vuldb.com/?ip.33.93.97.183) | - | - | High
85 | [33.145.184.132](https://vuldb.com/?ip.33.145.184.132) | - | - | High
86 | [34.229.154.31](https://vuldb.com/?ip.34.229.154.31) | ec2-34-229-154-31.compute-1.amazonaws.com | - | Medium
87 | [35.120.155.220](https://vuldb.com/?ip.35.120.155.220) | - | - | High
88 | [36.110.58.103](https://vuldb.com/?ip.36.110.58.103) | 103.58.110.36.static.bjtelecom.net | - | High
89 | [37.64.220.2](https://vuldb.com/?ip.37.64.220.2) | 2.220.64.37.rev.sfr.net | - | High
90 | [37.72.174.9](https://vuldb.com/?ip.37.72.174.9) | emailmail.org.uk | - | High
91 | [37.72.174.23](https://vuldb.com/?ip.37.72.174.23) | 37-72-174-23.static.hvvc.us | - | High
92 | [37.120.198.248](https://vuldb.com/?ip.37.120.198.248) | - | - | High
93 | [38.12.57.131](https://vuldb.com/?ip.38.12.57.131) | - | - | High
94 | [39.57.152.217](https://vuldb.com/?ip.39.57.152.217) | - | - | High
95 | [40.72.17.141](https://vuldb.com/?ip.40.72.17.141) | - | - | High
96 | [41.28.188.77](https://vuldb.com/?ip.41.28.188.77) | vc-gp-s-41-28-188-77.umts.vodacom.co.za | - | High
97 | [41.56.181.200](https://vuldb.com/?ip.41.56.181.200) | - | - | High
98 | [45.3.236.177](https://vuldb.com/?ip.45.3.236.177) | 045-003-236-177.biz.spectrum.com | - | High
99 | [45.11.19.224](https://vuldb.com/?ip.45.11.19.224) | - | - | High
100 | [45.66.151.155](https://vuldb.com/?ip.45.66.151.155) | - | - | High
101 | [45.84.0.13](https://vuldb.com/?ip.45.84.0.13) | vm523902.stark-industries.solutions | - | High
102 | [45.138.172.246](https://vuldb.com/?ip.45.138.172.246) | - | - | High
103 | [45.140.146.30](https://vuldb.com/?ip.45.140.146.30) | vm542320.stark-industries.solutions | - | High
104 | [45.140.146.244](https://vuldb.com/?ip.45.140.146.244) | - | - | High
105 | [45.142.214.120](https://vuldb.com/?ip.45.142.214.120) | vm516885.stark-industries.solutions | - | High
106 | [45.142.214.167](https://vuldb.com/?ip.45.142.214.167) | - | - | High
107 | [45.147.229.23](https://vuldb.com/?ip.45.147.229.23) | - | - | High
108 | [45.147.229.50](https://vuldb.com/?ip.45.147.229.50) | - | - | High
109 | [45.147.229.101](https://vuldb.com/?ip.45.147.229.101) | - | - | High
110 | [45.147.229.177](https://vuldb.com/?ip.45.147.229.177) | - | - | High
111 | [45.147.229.199](https://vuldb.com/?ip.45.147.229.199) | - | - | High
112 | [45.147.231.107](https://vuldb.com/?ip.45.147.231.107) | - | - | High
113 | [45.147.231.202](https://vuldb.com/?ip.45.147.231.202) | - | - | High
114 | [45.153.240.139](https://vuldb.com/?ip.45.153.240.139) | - | - | High
115 | [45.153.241.187](https://vuldb.com/?ip.45.153.241.187) | - | - | High
116 | [45.153.241.234](https://vuldb.com/?ip.45.153.241.234) | - | - | High
117 | ... | ... | ... | ...

There are 454 more IOC items available. Please use our online service to access the data.
There are 466 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

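Review bot: inserting 3.85.198.66 as row 9 renumbers every row after it (the old row 9, 3.144.143.242, becomes row 10, and so on up to old row 113, 45.153.240.139, becoming row 114), so the hunk rewrites more than a hundred indicators that did not change and the ID column cannot serve as a stable reference across versions; if the IDs are meant to be cited, derive them from a stable key or drop them and reference the IP address itself. Separately, row 21 (10.28.17.62) is RFC 1918 private space rated High; private and reserved ranges should be filtered out or flagged before this list feeds detection rules. It would also help to document how confidence is assigned: the hostnameless rows in the low-numbered ranges (6.x, 7.x, 11.x, 21.x through 33.x) are all High, while the EC2 hosts with reverse DNS are Medium.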
@ -144,14 +147,13 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-94, CWE-1321 | Cross Site Scripting | High
|
||||
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
6 | ... | ... | ... | ...
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-25 | Pathname Traversal | High
|
||||
2 | T1055 | CWE-74 | Injection | High
|
||||
3 | T1059 | CWE-88, CWE-94, CWE-1321 | Cross Site Scripting | High
|
||||
4 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
|
||||
There are 19 more TTP items available. Please use our online service to access the data.
|
||||
There are 17 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -159,32 +161,28 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/admin/?page=reports/stockin` | High
2 | File | `/admin/?page=reports/stockout` | High
3 | File | `/admin/?page=reports/waste` | High
4 | File | `/admin/?page=user/manage_user` | High
5 | File | `/admin/del.php` | High
6 | File | `/admin/delete.php` | High
7 | File | `/admin/delstu.php` | High
8 | File | `/admin/login.php` | High
9 | File | `/admin/products/controller.php?action=add` | High
10 | File | `/api/v1/user` | Medium
11 | File | `/categories/view_category.php` | High
12 | File | `/cgi-bin/ExportSettings.sh` | High
13 | File | `/cgi-bin/wlogin.cgi` | High
14 | File | `/classes/Master.php?f=delete_account` | High
15 | File | `/classes/Master.php?f=delete_category` | High
16 | File | `/classes/Master.php?f=delete_img` | High
17 | File | `/classes/Master.php?f=delete_payment` | High
18 | File | `/classes/Master.php?f=delete_schedule` | High
19 | File | `/classes/Master.php?f=delete_student` | High
20 | File | `/classes/Users.php?f=save_client` | High
21 | File | `/etc/ciel.cfg` | High
22 | File | `/etc/init0.d/S80telnetd.sh` | High
23 | File | `/etc/shadow` | Medium
24 | ... | ... | ...
1 | File | `/admin/index.PHP` | High
2 | File | `/admin/sendmailto.php?tomail=&groupid=` | High
3 | File | `/admin/update_expense.php` | High
4 | File | `/admin/update_expense_category.php` | High
5 | File | `/advanced-tools/nova/bin/netwatch` | High
6 | File | `/api/project` | Medium
7 | File | `/cgi-bin/qcmap_auth` | High
8 | File | `/cgi-bin/wlogin.cgi` | High
9 | File | `/editbrand.php` | High
10 | File | `/etc/fwupd/redfish.conf` | High
11 | File | `/etc/shadow` | Medium
12 | File | `/file/upload/1` | High
13 | File | `/forum/away.php` | High
14 | File | `/getcfg.php` | Medium
15 | File | `/IISADMPWD` | Medium
16 | File | `/issue` | Low
17 | File | `/kfm/index.php` | High
18 | File | `/leave_system/classes/Master.php?f=delete_application` | High
19 | File | `/opt/zimbra/jetty/webapps/zimbra/public` | High
20 | ... | ... | ...

There are 201 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 166 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

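Review bot: new row 1, `/admin/index.PHP`, is the only indicator in the table with an upper-case extension; unless File indicators are documented as case-insensitive, a literal comparison will not hit `/admin/index.php` and consumers need to normalise case first, so the matching semantics should be stated. Separately, the visible sample is regenerated wholesale (only `/cgi-bin/wlogin.cgi` and `/etc/shadow` survive from the previous 23 rows), so this diff cannot show which of the remaining 166 items are actually new; a stable sort key or a per-refresh delta would make these updates reviewable.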
@ -210,6 +208,8 @@ The following list contains _external sources_ which discuss the actor and the a
* https://github.com/pr0xylife/Bumblebee/blob/main/Bumblebee_23.06.2022.txt
* https://github.com/pr0xylife/Bumblebee/blob/main/Bumblebee_27.05.2022.txt
* https://github.com/pr0xylife/Bumblebee/blob/main/Bumblebee_27.06.2022.txt
* https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/
* https://thedfirreport.com/2022/09/26/bumblebee-round-two/
* https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control

## Literature

@ -43,7 +43,7 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-425 | Pathname Traversal | High
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
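Review bot: the new row 1 adds CWE-425 (Direct Request, i.e. forced browsing) under the description "Pathname Traversal", which it is not; either give it a row of its own or widen the description. Row 2 (`2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High`) has the reverse problem: the description is CWE-294's title while the only weakness listed is CWE-319 (Cleartext Transmission of Sensitive Information).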
@ -51,7 +51,7 @@ ID | Technique | Weakness | Description | Confidence
6 | T1068 | CWE-264, CWE-266, CWE-269, CWE-273, CWE-284 | Execution with Unnecessary Privileges | High
7 | ... | ... | ... | ...

There are 22 more TTP items available. Please use our online service to access the data.
There are 23 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

@ -91,11 +91,11 @@ ID | Type | Indicator | Confidence
30 | File | `/module/module_frame/index.php` | High
31 | File | `/nova/bin/sniffer` | High
32 | File | `/ofcms/company-c-47` | High
33 | File | `/patient/settings.php` | High
34 | File | `/proc/*/cmdline"` | High
33 | File | `/opt/zimbra/jetty/webapps/zimbra/public` | High
34 | File | `/patient/settings.php` | High
35 | ... | ... | ...

There are 302 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 299 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

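Review bot: the removed row 34, `/proc/*/cmdline"`, mixed a shell wildcard and a stray trailing double quote into a File indicator, so as written it could never match a literal path. Check that the value was corrected at the source rather than merely pushed out of the visible window (the table is alphabetical and `/proc/...` sorts after the new row 34), and record wildcard paths under the Pattern type that the summary line already advertises rather than as File.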
@ -73,7 +73,7 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-22 | Pathname Traversal | High
1 | T1006 | CWE-21, CWE-22 | Pathname Traversal | High
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-94 | Cross Site Scripting | High
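Review bot: row 1 adds CWE-21 beside CWE-22. CWE-21 (Pathname Traversal and Equivalence Errors) is a CWE category, not a weakness, and CWE-22 is one of its members, so the addition carries no new information; if the generator emits categories as well as weaknesses in the Weakness column, the documentation should say so, otherwise consumers will count them as distinct findings.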
@ -127,7 +127,7 @@ ID | Type | Indicator | Confidence
37 | File | `admin/default.asp` | High
38 | ... | ... | ...

There are 323 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 325 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [US](https://vuldb.com/?country.us)
* ...

There are 1 more country items available. Please use our online service to access the data.
There are 2 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

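Review bot: `There are 1 more country items available` pairs a plural template with a count of one; the sentence generator should switch to `There is 1 more country item available` when the count is 1 (the same template is used for campaigns, IOCs, TTPs and IOAs, so the fix belongs in the shared code rather than in this file).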
@ -34,12 +34,13 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
1 | T1006 | CWE-22 | Pathname Traversal | High
2 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
5 | ... | ... | ... | ...

There are 5 more TTP items available. Please use our online service to access the data.
There are 14 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

@ -58,7 +59,7 @@ ID | Type | Indicator | Confidence
9 | File | `action/addproject.php` | High
10 | ... | ... | ...

There are 73 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 74 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -19,7 +19,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [CN](https://vuldb.com/?country.cn)
* ...

There are 21 more country items available. Please use our online service to access the data.
There are 22 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -64,7 +64,7 @@ ID | Type | Indicator | Confidence
9 | File | `/uncpath/` | Medium
10 | ... | ... | ...

There are 71 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 72 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -0,0 +1,112 @@
# Chaos - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Chaos](https://vuldb.com/?actor.chaos). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.chaos](https://vuldb.com/?actor.chaos)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Chaos:

* [US](https://vuldb.com/?country.us)
* [LU](https://vuldb.com/?country.lu)
* [CN](https://vuldb.com/?country.cn)
* ...

There are 8 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Chaos.

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [5.180.44.53](https://vuldb.com/?ip.5.180.44.53) | 53.44-180-5.rdns.scalabledns.com | - | High
2 | [20.90.110.121](https://vuldb.com/?ip.20.90.110.121) | - | - | High
3 | [20.187.95.103](https://vuldb.com/?ip.20.187.95.103) | - | - | High
4 | [23.224.132.58](https://vuldb.com/?ip.23.224.132.58) | - | - | High
5 | [23.225.194.65](https://vuldb.com/?ip.23.225.194.65) | - | - | High
6 | [23.226.76.122](https://vuldb.com/?ip.23.226.76.122) | we.love.servers.at.ioflood.net | - | High
7 | [43.142.157.239](https://vuldb.com/?ip.43.142.157.239) | - | - | High
8 | ... | ... | ... | ...

There are 26 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Chaos_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-24 | Pathname Traversal | High
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
6 | ... | ... | ... | ...

There are 22 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Chaos. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/../conf/config.properties` | High
2 | File | `/admin.php/singer/admin/lists/zhuan` | High
3 | File | `/admin.php/User/level_sort` | High
4 | File | `/authUserAction!edit.action` | High
5 | File | `/blog/edit` | Medium
6 | File | `/bmis/pages/resident/resident.php` | High
7 | File | `/cgi-bin-sdb/` | High
8 | File | `/cgi-bin/activate.cgi` | High
9 | File | `/cgi-bin/mesh.cgi?page=upgrade` | High
10 | File | `/cgi-bin/uploadWeiXinPic` | High
11 | File | `/claire_blake` | High
12 | File | `/core/admin/categories.php` | High
13 | File | `/debug/pprof` | Medium
14 | File | `/dms/admin/reports/daily_collection_report.php` | High
15 | File | `/etc/config/cameo` | High
16 | File | `/export` | Low
17 | File | `/files.md5` | Medium
18 | File | `/food/admin/all_users.php` | High
19 | File | `/forum/away.php` | High
20 | File | `/images/` | Medium
21 | File | `/isms/classes/Users.php` | High
22 | File | `/login` | Low
23 | File | `/MagickCore/quantize.c` | High
24 | File | `/mc` | Low
25 | File | `/mkshop/Men/profile.php` | High
26 | File | `/modules/profile/index.php` | High
27 | File | `/multiux/SaveMailbox` | High
28 | File | `/ofrs/admin/?page=teams/view_team` | High
29 | File | `/one_church/userregister.php` | High
30 | File | `/out.php` | Medium
31 | File | `/panel/configuration/general` | High
32 | File | `/public/plugins/` | High
33 | File | `/SAP_Information_System/controllers/add_admin.php` | High
34 | File | `/SASWebReportStudio/logonAndRender.do` | High
35 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
36 | File | `/secure/admin/ViewInstrumentation.jspa` | High
37 | File | `/sns/classes/Master.php?f=delete_img` | High
38 | ... | ... | ...

There are 324 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://community.blueliv.com/#!/s/63353bd382df413eb5359c9b

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
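Review bot: in the new file's TTP table, row 4 (`4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High`) describes argument and code injection weaknesses as Cross Site Scripting, giving rows 4 and 5 identical descriptions for different techniques; the Description column should follow the CWEs or the ATT&CK name (Command and Scripting Interpreter). In the IOA table, row 1 `/../conf/config.properties` is a traversal payload rather than a file path, and row 23 `/MagickCore/quantize.c` is an ImageMagick source file that no request log will ever contain; both are poor fits for the File type, the first belongs under Pattern and the second is arguably not an indicator of attack at all.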
@ -21,7 +21,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [NL](https://vuldb.com/?country.nl)
* ...

There are 12 more country items available. Please use our online service to access the data.
There are 11 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -68,7 +68,7 @@ ID | Technique | Weakness | Description | Confidence
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
5 | ... | ... | ... | ...

There are 17 more TTP items available. Please use our online service to access the data.
There are 16 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

@ -91,22 +91,23 @@ ID | Type | Indicator | Confidence
13 | File | `/debian/patches/load_ppp_generic_if_needed` | High
14 | File | `/debug/pprof` | Medium
15 | File | `/etc/hosts` | Medium
16 | File | `/fuel/index.php/fuel/logs/items` | High
17 | File | `/fuel/sitevariables/delete/4` | High
18 | File | `/goform/setmac` | High
19 | File | `/hprms/admin/doctors/manage_doctor.php` | High
20 | File | `/index/jobfairol/show/` | High
21 | File | `/librarian/bookdetails.php` | High
22 | File | `/manage-apartment.php` | High
23 | File | `/mgmt/tm/util/bash` | High
24 | File | `/modules/caddyhttp/rewrite/rewrite.go` | High
25 | File | `/pages/apply_vacancy.php` | High
26 | File | `/plugin/LiveChat/getChat.json.php` | High
27 | File | `/proc/<PID>/mem` | High
28 | File | `/simple_chat_bot/admin/?page=user/manage_user` | High
29 | ... | ... | ...
16 | File | `/export` | Low
17 | File | `/fuel/index.php/fuel/logs/items` | High
18 | File | `/fuel/sitevariables/delete/4` | High
19 | File | `/goform/setmac` | High
20 | File | `/hprms/admin/doctors/manage_doctor.php` | High
21 | File | `/index/jobfairol/show/` | High
22 | File | `/librarian/bookdetails.php` | High
23 | File | `/manage-apartment.php` | High
24 | File | `/mgmt/tm/util/bash` | High
25 | File | `/modules/caddyhttp/rewrite/rewrite.go` | High
26 | File | `/pages/apply_vacancy.php` | High
27 | File | `/plugin/LiveChat/getChat.json.php` | High
28 | File | `/proc/<PID>/mem` | High
29 | File | `/simple_chat_bot/admin/?page=user/manage_user` | High
30 | ... | ... | ...

There are 249 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 251 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

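Review bot: row 28 (formerly 27), `/proc/<PID>/mem`, embeds the placeholder `<PID>` in a File indicator, so a literal match will never fire; it should be published under the Pattern type named in the summary line, with the placeholder syntax documented, or consumers must be told that angle-bracket tokens are wildcards. The same hunk also renumbers every surviving row by three (old 16 becomes new 17 and so on), so any downstream reference by ID into this table is invalidated by the update; a stable identifier per indicator would avoid that.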
@ -9,8 +9,11 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
The following _campaigns_ are known and can be associated with China Unknown:

* Dragon Castling
* ProxyNotShell
* RedXOR
* Russia
* ...

There are 1 more campaign items available. Please use our online service to access the data.

## Countries

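Review bot: `* Russia` in the campaigns list reads as a country or target rather than a campaign name, while the other three entries (Dragon Castling, ProxyNotShell, RedXOR) are named operations; confirm this is the intended campaign identifier, otherwise it will be confused with the Countries section that immediately follows and with the `RU` entry there.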
@ -18,10 +21,10 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce

* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [RU](https://vuldb.com/?country.ru)
* [JP](https://vuldb.com/?country.jp)
* ...

There are 10 more country items available. Please use our online service to access the data.
There are 12 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -29,17 +32,21 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [23.106.123.196](https://vuldb.com/?ip.23.106.123.196) | - | Dragon Castling | High
2 | [23.106.124.136](https://vuldb.com/?ip.23.106.124.136) | - | Dragon Castling | High
3 | [34.92.228.216](https://vuldb.com/?ip.34.92.228.216) | 216.228.92.34.bc.googleusercontent.com | RedXOR | Medium
4 | [43.129.177.152](https://vuldb.com/?ip.43.129.177.152) | - | - | High
5 | [43.134.194.237](https://vuldb.com/?ip.43.134.194.237) | - | - | High
6 | [43.154.74.7](https://vuldb.com/?ip.43.154.74.7) | - | - | High
7 | [43.154.85.5](https://vuldb.com/?ip.43.154.85.5) | - | - | High
8 | [43.154.88.192](https://vuldb.com/?ip.43.154.88.192) | - | - | High
9 | ... | ... | ... | ...
1 | [5.180.61.17](https://vuldb.com/?ip.5.180.61.17) | - | ProxyNotShell | High
2 | [23.106.123.196](https://vuldb.com/?ip.23.106.123.196) | - | Dragon Castling | High
3 | [23.106.124.136](https://vuldb.com/?ip.23.106.124.136) | - | Dragon Castling | High
4 | [34.92.228.216](https://vuldb.com/?ip.34.92.228.216) | 216.228.92.34.bc.googleusercontent.com | RedXOR | Medium
5 | [43.129.177.152](https://vuldb.com/?ip.43.129.177.152) | - | - | High
6 | [43.134.194.237](https://vuldb.com/?ip.43.134.194.237) | - | - | High
7 | [43.154.74.7](https://vuldb.com/?ip.43.154.74.7) | - | - | High
8 | [43.154.85.5](https://vuldb.com/?ip.43.154.85.5) | - | - | High
9 | [43.154.88.192](https://vuldb.com/?ip.43.154.88.192) | - | - | High
10 | [45.61.137.211](https://vuldb.com/?ip.45.61.137.211) | - | Russia | High
11 | [45.76.218.247](https://vuldb.com/?ip.45.76.218.247) | 45.76.218.247.vultrusercontent.com | - | High
12 | [45.77.178.47](https://vuldb.com/?ip.45.77.178.47) | 45.77.178.47.vultrusercontent.com | - | High
13 | ... | ... | ... | ...

There are 33 more IOC items available. Please use our online service to access the data.
There are 48 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

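Review bot: the new rows 11 and 12 (`45.76.218.247.vultrusercontent.com`, `45.77.178.47.vultrusercontent.com`), like row 4 (`bc.googleusercontent.com`), carry generic cloud-provider reverse DNS, meaning rented hosts that are reassigned quickly; the table has no first-seen or last-seen column, so a consumer cannot tell whether a High-confidence IP is still attributable or should be expired. Adding observation dates per IOC, or a validity window in the summary, would prevent stale blocks on reassigned addresses.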
@ -47,13 +54,15 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-21, CWE-22 | Pathname Traversal | High
2 | T1055 | CWE-74 | Injection | High
3 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
4 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
5 | ... | ... | ... | ...
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-25, CWE-35 | Pathname Traversal | High
2 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-88, CWE-94, CWE-1321 | Cross Site Scripting | High
5 | T1059.007 | CWE-79 | Cross Site Scripting | High
6 | T1068 | CWE-264, CWE-269, CWE-284 | Execution with Unnecessary Privileges | High
7 | ... | ... | ... | ...

There are 18 more TTP items available. Please use our online service to access the data.
There are 24 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

@ -61,21 +70,33 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `.config/Yubico` | High
2 | File | `/admin/manager/admin_mod.php` | High
3 | File | `/ajax-files/postComment.php` | High
4 | File | `/bin/login.php` | High
5 | File | `/cgi-bin/editBookmark` | High
6 | File | `/public/plugins/` | High
7 | File | `/rom-0` | Low
8 | File | `/server-status` | High
9 | File | `/uncpath/` | Medium
10 | File | `/wp-content/plugins/forum-server/feed.php` | High
11 | File | `actions/ChangeConfiguration.html` | High
12 | File | `addentry.php` | Medium
13 | ... | ... | ...
1 | File | `/Admin/add-student.php` | High
2 | File | `/admin/article/list_approve` | High
3 | File | `/admin/client_assign.php` | High
4 | File | `/admin/client_edit.php` | High
5 | File | `/admin/contact/list` | High
6 | File | `/admin/feature_edit.php` | High
7 | File | `/admin/foldernotice/list` | High
8 | File | `/admin/image/list` | High
9 | File | `/admin/imagealbum/list` | High
10 | File | `/admin/select.php` | High
11 | File | `/admin/sendmailto.php?tomail=&groupid=` | High
12 | File | `/admin/site/list` | High
13 | File | `/admin/subnets/ripe-query.php` | High
14 | File | `/admin/update_currency.php` | High
15 | File | `/admin/video/list` | High
16 | File | `/admin_book.php` | High
17 | File | `/api/upload-resource` | High
18 | File | `/authUserAction!edit.action` | High
19 | File | `/bin/httpd` | Medium
20 | File | `/buspassms/download-pass.php` | High
21 | File | `/carbon/ndatasource/validateconnection/ajaxprocessor.jsp` | High
22 | File | `/card/in-card.php` | High
23 | File | `/cgi-bin/cstecgi.cgi` | High
24 | File | `/confirm` | Medium
25 | ... | ... | ...

There are 99 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 206 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

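Review bot: row 11, `/admin/sendmailto.php?tomail=&groupid=`, folds a query string into a File indicator; matching it literally depends on parameter order and on both parameters being empty, so the path (`/admin/sendmailto.php`) should be the File entry and `tomail` and `groupid` recorded under the Argument type the summary line already lists. Note also that the visible window is the first 24 rows in sort order, so previous rows such as `/public/plugins/` and `/server-status` may simply have been displaced past `/confirm` rather than removed; the diff cannot distinguish the two, which is another reason to publish a delta alongside the regenerated sample.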
@ -88,6 +109,7 @@ The following list contains _external sources_ which discuss the actor and the a
* https://github.com/avast/ioc/tree/master/OperationDragonCastling
* https://research.checkpoint.com/2022/chinese-actor-takes-aim-armed-with-nim-language-and-bizarro-aes/
* https://vxug.fakedoma.in/archive/APTs/2021/2021.03.10(1)/RedXOR.pdf
* https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html

## Literature

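Review bot: the `vxug.fakedoma.in` entry points at a third-party archive copy of the RedXOR report rather than the publisher's own page; for a references list the original publication is the more durable citation (archive paths move and carry no provenance), with the mirror at most as a secondary link.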
@ -8,12 +8,12 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Cobalt Group:

* [PL](https://vuldb.com/?country.pl)
* [DE](https://vuldb.com/?country.de)
* [AR](https://vuldb.com/?country.ar)
* [SV](https://vuldb.com/?country.sv)
* [PL](https://vuldb.com/?country.pl)
* ...

There are 8 more country items available. Please use our online service to access the data.
There are 7 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -35,14 +35,14 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-21, CWE-22 | Pathname Traversal | High
2 | T1040 | CWE-294, CWE-319 | Authentication Bypass by Capture-replay | High
1 | T1006 | CWE-21, CWE-22, CWE-425 | Pathname Traversal | High
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-94 | Cross Site Scripting | High
4 | T1059 | CWE-94, CWE-1321 | Cross Site Scripting | High
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
6 | ... | ... | ... | ...

There are 19 more TTP items available. Please use our online service to access the data.
There are 21 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

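Review bot: row 2 drops CWE-294 and keeps only CWE-319 while the description stays `Authentication Bypass by Capture-replay`, which is CWE-294's title; after this change the description no longer corresponds to any listed weakness (CWE-319 is Cleartext Transmission of Sensitive Information). Row 1 adds CWE-425 (Direct Request) under "Pathname Traversal", a second description/CWE mismatch in the same hunk; the description should be derived from the CWEs actually present in the row.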
@ -50,58 +50,44 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/admin/inc/include.php` | High
2 | File | `/api/v1/user` | Medium
3 | File | `/app/options.py` | High
1 | File | `/admin/?page=user/manage_user` | High
2 | File | `/admin/subnets/ripe-query.php` | High
3 | File | `/api/v1/user` | Medium
4 | File | `/blogengine/api/posts` | High
5 | File | `/categories/view_category.php` | High
6 | File | `/ci_spms/admin/search/searching/` | High
7 | File | `/classes/Master.php?f=delete_category` | High
8 | File | `/classes/Master.php?f=delete_stockin` | High
9 | File | `/classes/Master.php?f=delete_student` | High
6 | File | `/classes/Master.php?f=delete_category` | High
7 | File | `/classes/Master.php?f=delete_stockin` | High
8 | File | `/classes/Master.php?f=delete_student` | High
9 | File | `/client.php` | Medium
10 | File | `/conf/users` | Medium
11 | File | `/domains/index.fts` | High
12 | File | `/etc/shadow.sample` | High
13 | File | `/garage/editcategory.php` | High
14 | File | `/guestmanagement/front.php` | High
15 | File | `/Home/debit_credit_p` | High
16 | File | `/htdocs/upnpinc/gena.php` | High
17 | File | `/include/comm_post.inc.php` | High
18 | File | `/include/header_admin.inc.php` | High
19 | File | `/index.php` | Medium
20 | File | `/interview/delete.php?action=questiondelete` | High
21 | File | `/interview/editQuestion.php` | High
22 | File | `/ip/admin/` | Medium
23 | File | `/login.php` | Medium
24 | File | `/management/api/rcx_management/global_config_query` | High
25 | File | `/master/index.php` | High
26 | File | `/mkshop/Men/profile.php` | High
27 | File | `/modules/tasks/gantt.php` | High
11 | File | `/csms/admin/storages/view_storage.php` | High
12 | File | `/cstecgi.cgi` | Medium
13 | File | `/etc/shadow` | Medium
14 | File | `/export` | Low
15 | File | `/garage/editcategory.php` | High
16 | File | `/goform/delIpMacBind/` | High
17 | File | `/guestmanagement/front.php` | High
18 | File | `/Home/debit_credit_p` | High
19 | File | `/htdocs/upnpinc/gena.php` | High
20 | File | `/index.php` | Medium
21 | File | `/interview/delete.php?action=deletecand` | High
22 | File | `/interview/delete.php?action=questiondelete` | High
23 | File | `/interview/editQuestion.php` | High
24 | File | `/ip/admin/` | Medium
25 | File | `/login.php` | Medium
26 | File | `/master/index.php` | High
27 | File | `/mkshop/Men/profile.php` | High
28 | File | `/multiarch/memset-vec-unaligned-erms.S` | High
29 | File | `/oa/setup/checkPool?database` | High
30 | File | `/obs/book.php` | High
31 | File | `/officials/officials.php` | High
32 | File | `/pages/faculty_sched.php` | High
33 | File | `/pages/processlogin.php` | High
34 | File | `/patient/settings.php` | High
35 | File | `/php_action/createUser.php` | High
36 | File | `/pms/index.php` | High
37 | File | `/psrs/classes/Master.php?f=delete_product` | High
38 | File | `/readers/swf.c` | High
39 | File | `/registration.php` | High
40 | File | `/release-x64/otfccdump` | High
41 | File | `/schedules/manage_schedule.php` | High
42 | File | `/services/v4/invoiceImg` | High
43 | File | `/src/inffast.c` | High
44 | File | `/staff/delete.php` | High
45 | File | `/system/department/list` | High
46 | File | `/templates/header.inc.php` | High
47 | File | `/tmp/tardiff-$` | High
48 | File | `/whbs/?page=contact_us` | High
49 | File | `/xpdf/Lexer.cc` | High
50 | ... | ... | ...
29 | File | `/net-banking/manage_customers.php` | High
30 | File | `/Noxen-master/users.php` | High
31 | File | `/oa/setup/checkPool?database` | High
32 | File | `/obs/book.php` | High
33 | File | `/opt/axess/var/blobstorage/` | High
34 | File | `/opt/zimbra/jetty/webapps/zimbra/public` | High
35 | File | `/pages/processlogin.php` | High
36 | ... | ... | ...

There are 434 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 304 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -8,12 +8,12 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
|
|||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Cobalt Strike:
|
||||
|
||||
* [VN](https://vuldb.com/?country.vn)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* [GB](https://vuldb.com/?country.gb)
|
||||
* ...
|
||||
|
||||
There are 10 more country items available. Please use our online service to access the data.
|
||||
There are 7 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -26,36 +26,54 @@ ID | IP address | Hostname | Campaign | Confidence
|
|||
3 | [5.199.173.152](https://vuldb.com/?ip.5.199.173.152) | - | - | High
|
||||
4 | [5.199.174.219](https://vuldb.com/?ip.5.199.174.219) | - | - | High
|
||||
5 | [5.252.177.199](https://vuldb.com/?ip.5.252.177.199) | 5-252-177-199.mivocloud.com | - | High
|
||||
6 | [5.255.98.144](https://vuldb.com/?ip.5.255.98.144) | - | - | High
|
||||
7 | [23.19.227.147](https://vuldb.com/?ip.23.19.227.147) | - | - | High
|
||||
8 | [23.81.246.32](https://vuldb.com/?ip.23.81.246.32) | - | - | High
|
||||
9 | [23.82.140.91](https://vuldb.com/?ip.23.82.140.91) | - | - | High
|
||||
10 | [23.106.160.188](https://vuldb.com/?ip.23.106.160.188) | - | - | High
|
||||
11 | [23.108.57.39](https://vuldb.com/?ip.23.108.57.39) | - | - | High
|
||||
12 | [23.108.57.108](https://vuldb.com/?ip.23.108.57.108) | - | - | High
|
||||
13 | [23.160.193.55](https://vuldb.com/?ip.23.160.193.55) | unknown.ip-xfer.net | - | High
|
||||
14 | [23.227.194.86](https://vuldb.com/?ip.23.227.194.86) | 23-227-194-86.static.hvvc.us | - | High
|
||||
15 | [23.227.199.10](https://vuldb.com/?ip.23.227.199.10) | 23-227-199-10.static.hvvc.us | - | High
|
||||
16 | [23.229.36.43](https://vuldb.com/?ip.23.229.36.43) | bet5jn-day-43.bettertisholiday.com | - | High
|
||||
17 | [23.236.174.190](https://vuldb.com/?ip.23.236.174.190) | - | - | High
|
||||
18 | [37.0.8.252](https://vuldb.com/?ip.37.0.8.252) | - | - | High
|
||||
19 | [37.120.198.225](https://vuldb.com/?ip.37.120.198.225) | - | - | High
|
||||
20 | [39.104.90.45](https://vuldb.com/?ip.39.104.90.45) | - | - | High
|
||||
21 | [45.15.131.96](https://vuldb.com/?ip.45.15.131.96) | - | - | High
|
||||
22 | [45.66.158.14](https://vuldb.com/?ip.45.66.158.14) | 14.158-66-45.rdns.scalabledns.com | - | High
|
||||
23 | [45.84.0.116](https://vuldb.com/?ip.45.84.0.116) | n5336.md | - | High
|
||||
24 | [45.134.26.174](https://vuldb.com/?ip.45.134.26.174) | - | - | High
|
||||
25 | [45.144.29.185](https://vuldb.com/?ip.45.144.29.185) | master.pisyandriy.com | - | High
|
||||
26 | [45.153.243.142](https://vuldb.com/?ip.45.153.243.142) | - | - | High
|
||||
27 | [45.197.132.72](https://vuldb.com/?ip.45.197.132.72) | - | - | High
|
||||
28 | [46.165.254.166](https://vuldb.com/?ip.46.165.254.166) | - | - | High
|
||||
29 | [51.15.76.60](https://vuldb.com/?ip.51.15.76.60) | 60-76-15-51.instances.scw.cloud | - | High
|
||||
30 | [51.68.91.152](https://vuldb.com/?ip.51.68.91.152) | - | - | High
|
||||
31 | [51.68.93.185](https://vuldb.com/?ip.51.68.93.185) | - | - | High
|
||||
32 | [51.81.13.141](https://vuldb.com/?ip.51.81.13.141) | ip141.ip-51-81-13.us | - | High
|
||||
33 | ... | ... | ... | ...
|
||||
6 | [5.254.64.234](https://vuldb.com/?ip.5.254.64.234) | - | - | High
|
||||
7 | [5.254.112.226](https://vuldb.com/?ip.5.254.112.226) | - | - | High
|
||||
8 | [5.255.98.144](https://vuldb.com/?ip.5.255.98.144) | - | - | High
|
||||
9 | [14.229.140.66](https://vuldb.com/?ip.14.229.140.66) | static.vnpt.vn | - | High
|
||||
10 | [23.19.227.147](https://vuldb.com/?ip.23.19.227.147) | - | - | High
|
||||
11 | [23.81.246.32](https://vuldb.com/?ip.23.81.246.32) | - | - | High
|
||||
12 | [23.81.246.187](https://vuldb.com/?ip.23.81.246.187) | - | - | High
|
||||
13 | [23.82.19.208](https://vuldb.com/?ip.23.82.19.208) | - | - | High
|
||||
14 | [23.82.140.91](https://vuldb.com/?ip.23.82.140.91) | - | - | High
|
||||
15 | [23.82.140.133](https://vuldb.com/?ip.23.82.140.133) | - | - | High
|
||||
16 | [23.82.141.184](https://vuldb.com/?ip.23.82.141.184) | - | - | High
|
||||
17 | [23.83.133.1](https://vuldb.com/?ip.23.83.133.1) | v327.er01.dal.ubiquity.io | - | High
|
||||
18 | [23.83.133.182](https://vuldb.com/?ip.23.83.133.182) | - | - | High
|
||||
19 | [23.83.133.216](https://vuldb.com/?ip.23.83.133.216) | - | - | High
|
||||
20 | [23.83.134.110](https://vuldb.com/?ip.23.83.134.110) | - | - | High
|
||||
21 | [23.83.134.136](https://vuldb.com/?ip.23.83.134.136) | - | - | High
|
||||
22 | [23.106.160.39](https://vuldb.com/?ip.23.106.160.39) | - | - | High
|
||||
23 | [23.106.160.120](https://vuldb.com/?ip.23.106.160.120) | - | - | High
|
||||
24 | [23.106.160.188](https://vuldb.com/?ip.23.106.160.188) | - | - | High
|
||||
25 | [23.108.57.13](https://vuldb.com/?ip.23.108.57.13) | - | - | High
|
||||
26 | [23.108.57.39](https://vuldb.com/?ip.23.108.57.39) | - | - | High
|
||||
27 | [23.108.57.108](https://vuldb.com/?ip.23.108.57.108) | - | - | High
|
||||
28 | [23.160.193.55](https://vuldb.com/?ip.23.160.193.55) | unknown.ip-xfer.net | - | High
|
||||
29 | [23.227.194.86](https://vuldb.com/?ip.23.227.194.86) | 23-227-194-86.static.hvvc.us | - | High
|
||||
30 | [23.227.198.217](https://vuldb.com/?ip.23.227.198.217) | 23-227-198-217.static.hvvc.us | - | High
|
||||
31 | [23.227.199.10](https://vuldb.com/?ip.23.227.199.10) | 23-227-199-10.static.hvvc.us | - | High
|
||||
32 | [23.229.36.43](https://vuldb.com/?ip.23.229.36.43) | bet5jn-day-43.bettertisholiday.com | - | High
|
||||
33 | [23.236.77.94](https://vuldb.com/?ip.23.236.77.94) | - | - | High
|
||||
34 | [23.236.174.190](https://vuldb.com/?ip.23.236.174.190) | - | - | High
|
||||
35 | [23.254.202.59](https://vuldb.com/?ip.23.254.202.59) | client-23-254-202-59.hostwindsdns.com | - | High
|
||||
36 | [28.11.143.222](https://vuldb.com/?ip.28.11.143.222) | - | - | High
|
||||
37 | [37.0.8.252](https://vuldb.com/?ip.37.0.8.252) | - | - | High
|
||||
38 | [37.72.174.9](https://vuldb.com/?ip.37.72.174.9) | emailmail.org.uk | - | High
|
||||
39 | [37.120.198.225](https://vuldb.com/?ip.37.120.198.225) | - | - | High
|
||||
40 | [39.104.90.45](https://vuldb.com/?ip.39.104.90.45) | - | - | High
|
||||
41 | [39.109.5.135](https://vuldb.com/?ip.39.109.5.135) | - | - | High
|
||||
42 | [43.154.175.230](https://vuldb.com/?ip.43.154.175.230) | - | - | High
|
||||
43 | [43.250.200.106](https://vuldb.com/?ip.43.250.200.106) | - | - | High
|
||||
44 | [43.250.201.71](https://vuldb.com/?ip.43.250.201.71) | - | - | High
|
||||
45 | [45.9.248.74](https://vuldb.com/?ip.45.9.248.74) | te-4-3-177.pe2.man4.uk.m247.com | - | High
|
||||
46 | [45.11.19.224](https://vuldb.com/?ip.45.11.19.224) | - | - | High
|
||||
47 | [45.15.131.96](https://vuldb.com/?ip.45.15.131.96) | - | - | High
|
||||
48 | [45.66.158.14](https://vuldb.com/?ip.45.66.158.14) | 14.158-66-45.rdns.scalabledns.com | - | High
|
||||
49 | [45.84.0.116](https://vuldb.com/?ip.45.84.0.116) | n5336.md | - | High
|
||||
50 | [45.134.26.174](https://vuldb.com/?ip.45.134.26.174) | - | - | High
|
||||
51 | ... | ... | ... | ...
|
||||
|
||||
There are 127 more IOC items available. Please use our online service to access the data.
|
||||
There are 198 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
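Review bot: every row added or kept in this IOC hunk carries `-` in the Campaign column, and the table (`ID | IP address | Hostname | Campaign | Confidence`) has no first-seen or last-seen date, so a consumer cannot age entries out. Several of the new hostnames are generic ISP or hosting reverse DNS (`static.vnpt.vn`, `client-23-254-202-59.hostwindsdns.com`, `60-76-15-51.instances.scw.cloud`, `te-4-3-177.pe2.man4.uk.m247.com`), i.e. addresses that are typically reassigned, which makes a timestamp or the uniform `High` confidence worth a second look for these rows; if the generator has the observation dates, consider emitting them here, or noting in the intro line that the online service carries them.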
|
||||
|
||||
|
@ -64,14 +82,14 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-294, CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-94, CWE-1321 | Cross Site Scripting | High
|
||||
4 | T1059 | CWE-88, CWE-94, CWE-1321 | Cross Site Scripting | High
|
||||
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
6 | T1068 | CWE-264, CWE-269, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
7 | ... | ... | ... | ...
|
||||
|
||||
There are 26 more TTP items available. Please use our online service to access the data.
|
||||
There are 22 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
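Review bot: in row 4 the Description column still reads `Cross Site Scripting` for `T1059` although the weaknesses now listed (`CWE-88, CWE-94, CWE-1321`) are argument injection, code injection and prototype pollution, none of which is XSS; the XSS row is row 5 (`T1059.007 | CWE-79, CWE-80`), which carries the identical description. Since row 4 is regenerated in this hunk anyway, consider deriving the description from the technique name or the CWE set so two rows with disjoint weaknesses stop sharing one label.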
|
||||
|
||||
|
@ -79,44 +97,42 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/addQuestion.php` | High
|
||||
2 | File | `/admin/?page=reports/waste` | High
|
||||
1 | File | `/+CSCOE+/logon.html` | High
|
||||
2 | File | `/Admin/add-student.php` | High
|
||||
3 | File | `/admin/addemployee.php` | High
|
||||
4 | File | `/admin/add_trainers.php` | High
|
||||
5 | File | `/admin/article/list_approve` | High
|
||||
6 | File | `/admin/budget.php` | High
|
||||
7 | File | `/admin/friendlylink/list` | High
|
||||
8 | File | `/admin/image/list` | High
|
||||
9 | File | `/admin/imagealbum/list` | High
|
||||
10 | File | `/admin/modify.php` | High
|
||||
11 | File | `/admin/showbad.php` | High
|
||||
12 | File | `/admin/video/list` | High
|
||||
13 | File | `/admin/videoalbum/list` | High
|
||||
14 | File | `/advanced-tools/nova/bin/netwatch` | High
|
||||
15 | File | `/api/v1/user` | Medium
|
||||
16 | File | `/bd_genie_create_account.cgi` | High
|
||||
17 | File | `/bin/httpd` | Medium
|
||||
18 | File | `/card_scan.php` | High
|
||||
19 | File | `/categories/view_category.php` | High
|
||||
20 | File | `/category/controller.php?action=edit` | High
|
||||
21 | File | `/cgi-bin-sdb/ExportSettings.sh` | High
|
||||
22 | File | `/cgi-bin/ExportAllSettings.sh` | High
|
||||
23 | File | `/cgi-bin/wapopen` | High
|
||||
24 | File | `/claire_blake` | High
|
||||
25 | File | `/classes/Master.php?f=delete_account` | High
|
||||
26 | File | `/classes/Master.php?f=delete_schedule` | High
|
||||
27 | File | `/coreframe/app/attachment/admin/index.php` | High
|
||||
28 | File | `/dashboard/add-service.php` | High
|
||||
29 | File | `/dashboard/settings` | High
|
||||
30 | File | `/edituser.php` | High
|
||||
31 | File | `/etc/shadow.sample` | High
|
||||
32 | File | `/forum/away.php` | High
|
||||
33 | File | `/fw.login.php` | High
|
||||
34 | File | `/garage/editcategory.php` | High
|
||||
35 | File | `/goform/NTPSyncWithHost` | High
|
||||
36 | ... | ... | ...
|
||||
4 | File | `/admin/article/list_approve` | High
|
||||
5 | File | `/admin/budget.php` | High
|
||||
6 | File | `/admin/client_assign.php` | High
|
||||
7 | File | `/admin/client_edit.php` | High
|
||||
8 | File | `/admin/conferences/list/` | High
|
||||
9 | File | `/admin/friendlylink/list` | High
|
||||
10 | File | `/admin/image/list` | High
|
||||
11 | File | `/admin/imagealbum/list` | High
|
||||
12 | File | `/admin/index.PHP` | High
|
||||
13 | File | `/Admin/login.php` | High
|
||||
14 | File | `/admin/select.php` | High
|
||||
15 | File | `/admin/sendmailto.php?tomail=&groupid=` | High
|
||||
16 | File | `/admin/settings.php` | High
|
||||
17 | File | `/admin/update_booking.php` | High
|
||||
18 | File | `/admin/update_currency.php` | High
|
||||
19 | File | `/admin/video/list` | High
|
||||
20 | File | `/admin/videoalbum/list` | High
|
||||
21 | File | `/advanced-tools/nova/bin/netwatch` | High
|
||||
22 | File | `/bd_genie_create_account.cgi` | High
|
||||
23 | File | `/bin/httpd` | Medium
|
||||
24 | File | `/carbon/mediation_secure_vault/properties/ajaxprocessor.jsp` | High
|
||||
25 | File | `/categories/view_category.php` | High
|
||||
26 | File | `/category.php` | High
|
||||
27 | File | `/cgi-bin/cstecgi.cgi` | High
|
||||
28 | File | `/cgi-bin/kerbynet` | High
|
||||
29 | File | `/cgi-bin/qcmap_auth` | High
|
||||
30 | File | `/cgi-bin/wapopen` | High
|
||||
31 | File | `/cgi-bin/wlogin.cgi` | High
|
||||
32 | File | `/diagnostic/editcategory.php` | High
|
||||
33 | File | `/editbrand.php` | High
|
||||
34 | ... | ... | ...
|
||||
|
||||
There are 313 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 294 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
@ -126,7 +142,11 @@ The following list contains _external sources_ which discuss the actor and the a
|
|||
* https://1275.ru/ioc/359/cobalt-strike-beacon-iocs-2/
|
||||
* https://asec.ahnlab.com/en/20130/
|
||||
* https://asec.ahnlab.com/en/27646/
|
||||
* https://asec.ahnlab.com/en/36159/
|
||||
* https://asec.ahnlab.com/en/39152/
|
||||
* https://blog.cyble.com/2022/05/20/malware-campaign-targets-infosec-community-threat-actor-uses-fake-proof-of-concept-to-deliver-cobalt-strike-beacon/
|
||||
* https://blog.fox-it.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/
|
||||
* https://blog.fox-it.com/2022/04/29/adventures-in-the-land-of-bumblebee/
|
||||
* https://blog.morphisec.com/log4j-exploit-targets-vulnerable-unifi-network-applications
|
||||
* https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html
|
||||
* https://blogs.infoblox.com/cyber-threat-intelligence/nobelium-campaigns-and-malware/
|
||||
|
@ -168,6 +188,7 @@ The following list contains _external sources_ which discuss the actor and the a
|
|||
* https://isc.sans.edu/forums/diary/June+2021+Forensic+Contest+Answers+and+Analysis/27582/
|
||||
* https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448/
|
||||
* https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike/27158/
|
||||
* https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/09/new-campaign-uses-government-union.txt
|
||||
* https://research.checkpoint.com/2019/cobalt-group-returns-to-kazakhstan/
|
||||
* https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/
|
||||
* https://securelist.com/owowa-credential-stealer-and-remote-access/105219/
|
||||
|
@ -190,6 +211,8 @@ The following list contains _external sources_ which discuss the actor and the a
|
|||
* https://us-cert.cisa.gov/ncas/alerts/aa21-148a
|
||||
* https://www.cisa.gov/uscert/ncas/alerts/aa22-228a
|
||||
* https://www.malware-traffic-analysis.net/2022/06/07/index2.html
|
||||
* https://www.trendmicro.com/de_de/research/22/e/patch-your-wso2-cve-2022-29464-exploited-to-install-linux-compatible-cobalt-strike-beacons-other-malware.html
|
||||
* https://www.trendmicro.com/de_de/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html
|
||||
* https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
|
||||
|
||||
## Literature
|
||||
|
|
|
@ -19,7 +19,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
* [DE](https://vuldb.com/?country.de)
|
||||
* ...
|
||||
|
||||
There are 20 more country items available. Please use our online service to access the data.
|
||||
There are 19 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -61,10 +61,10 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `.htaccess` | Medium
|
||||
2 | File | `/+CSCOE+/logon.html` | High
|
||||
3 | File | `/admin/conferences/list/` | High
|
||||
4 | File | `/admin/edit_admin_details.php?id=admin` | High
|
||||
5 | File | `/admin/generalsettings.php` | High
|
||||
2 | File | `/admin/conferences/list/` | High
|
||||
3 | File | `/admin/edit_admin_details.php?id=admin` | High
|
||||
4 | File | `/admin/generalsettings.php` | High
|
||||
5 | File | `/Admin/login.php` | High
|
||||
6 | File | `/admin/payment.php` | High
|
||||
7 | File | `/admin/reports.php` | High
|
||||
8 | File | `/admin/showbad.php` | High
|
||||
|
@ -72,13 +72,13 @@ ID | Type | Indicator | Confidence
|
|||
10 | File | `/bsms/?page=products` | High
|
||||
11 | File | `/cgi-bin/kerbynet` | High
|
||||
12 | File | `/cgi-bin/system_mgr.cgi` | High
|
||||
13 | File | `/cloud_config/router_post/check_reg_verify_code` | High
|
||||
14 | File | `/debug/pprof` | Medium
|
||||
15 | File | `/dms/admin/reports/daily_collection_report.php` | High
|
||||
16 | File | `/ext/phar/phar_object.c` | High
|
||||
17 | File | `/filemanager/php/connector.php` | High
|
||||
18 | File | `/forum/away.php` | High
|
||||
19 | File | `/get_getnetworkconf.cgi` | High
|
||||
13 | File | `/cgi-bin/wlogin.cgi` | High
|
||||
14 | File | `/cloud_config/router_post/check_reg_verify_code` | High
|
||||
15 | File | `/debug/pprof` | Medium
|
||||
16 | File | `/dms/admin/reports/daily_collection_report.php` | High
|
||||
17 | File | `/ext/phar/phar_object.c` | High
|
||||
18 | File | `/filemanager/php/connector.php` | High
|
||||
19 | File | `/forum/away.php` | High
|
||||
20 | File | `/HNAP1` | Low
|
||||
21 | File | `/include/chart_generator.php` | High
|
||||
22 | File | `/index.php` | Medium
|
||||
|
@ -109,11 +109,9 @@ ID | Type | Indicator | Confidence
|
|||
47 | File | `admin.php?m=Food&a=addsave` | High
|
||||
48 | File | `admin/conf_users_edit.php` | High
|
||||
49 | File | `admin/index.php` | High
|
||||
50 | File | `admin/limits.php` | High
|
||||
51 | File | `admin/write-post.php` | High
|
||||
52 | ... | ... | ...
|
||||
50 | ... | ... | ...
|
||||
|
||||
There are 457 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 435 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -20,7 +20,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
* [ES](https://vuldb.com/?country.es)
|
||||
* ...
|
||||
|
||||
There are 25 more country items available. Please use our online service to access the data.
|
||||
There are 26 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -541,42 +541,42 @@ ID | Type | Indicator | Confidence
|
|||
-- | ---- | --------- | ----------
|
||||
1 | File | `.procmailrc` | Medium
|
||||
2 | File | `/about.php` | Medium
|
||||
3 | File | `/admin/communitymanagement.php` | High
|
||||
4 | File | `/admin/extended` | High
|
||||
5 | File | `/admin/featured.php` | High
|
||||
6 | File | `/admin/generalsettings.php` | High
|
||||
7 | File | `/admin/inquiries/view_details.php` | High
|
||||
8 | File | `/admin/login.php` | High
|
||||
9 | File | `/admin/newsletter1.php` | High
|
||||
10 | File | `/admin/payment.php` | High
|
||||
11 | File | `/admin/students/view_student.php` | High
|
||||
12 | File | `/admin/usermanagement.php` | High
|
||||
13 | File | `/ad_js.php` | Medium
|
||||
14 | File | `/api/addusers` | High
|
||||
15 | File | `/app/options.py` | High
|
||||
16 | File | `/application/common.php#action_log` | High
|
||||
17 | File | `/cgi-bin/login.cgi` | High
|
||||
18 | File | `/cgi-bin/luci/api/wireless` | High
|
||||
19 | File | `/cgi-bin/wlogin.cgi` | High
|
||||
20 | File | `/ci_hms/massage_room/edit/1` | High
|
||||
21 | File | `/core/conditions/AbstractWrapper.java` | High
|
||||
22 | File | `/cwc/login` | Medium
|
||||
23 | File | `/dashboard/reports/logs/view` | High
|
||||
24 | File | `/dashboard/updatelogo.php` | High
|
||||
25 | File | `/debian/patches/load_ppp_generic_if_needed` | High
|
||||
26 | File | `/debug/pprof` | Medium
|
||||
27 | File | `/designer/add/layout` | High
|
||||
28 | File | `/etc/hosts` | Medium
|
||||
29 | File | `/filemanager/upload/drop` | High
|
||||
30 | File | `/gasmark/assets/myimages/oneWord.php` | High
|
||||
31 | File | `/goform/setmac` | High
|
||||
32 | File | `/hprms/admin/doctors/manage_doctor.php` | High
|
||||
33 | File | `/index.php` | Medium
|
||||
34 | File | `/index/jobfairol/show/` | High
|
||||
35 | File | `/loginVaLidation.php` | High
|
||||
3 | File | `/admin/inquiries/view_details.php` | High
|
||||
4 | File | `/admin/login.php` | High
|
||||
5 | File | `/Admin/login.php` | High
|
||||
6 | File | `/admin/students/view_student.php` | High
|
||||
7 | File | `/ad_js.php` | Medium
|
||||
8 | File | `/api/addusers` | High
|
||||
9 | File | `/app/options.py` | High
|
||||
10 | File | `/application/common.php#action_log` | High
|
||||
11 | File | `/card_scan.php` | High
|
||||
12 | File | `/cgi-bin/luci/api/wireless` | High
|
||||
13 | File | `/cgi-bin/wlogin.cgi` | High
|
||||
14 | File | `/cwc/login` | Medium
|
||||
15 | File | `/dashboard/reports/logs/view` | High
|
||||
16 | File | `/dashboard/updatelogo.php` | High
|
||||
17 | File | `/debian/patches/load_ppp_generic_if_needed` | High
|
||||
18 | File | `/debug/pprof` | Medium
|
||||
19 | File | `/etc/hosts` | Medium
|
||||
20 | File | `/export` | Low
|
||||
21 | File | `/gasmark/assets/myimages/oneWord.php` | High
|
||||
22 | File | `/goform/setmac` | High
|
||||
23 | File | `/index.php` | Medium
|
||||
24 | File | `/loginVaLidation.php` | High
|
||||
25 | File | `/manage-apartment.php` | High
|
||||
26 | File | `/members/view_member.php` | High
|
||||
27 | File | `/mkshop/Men/profile.php` | High
|
||||
28 | File | `/modules/caddyhttp/rewrite/rewrite.go` | High
|
||||
29 | File | `/mygym/admin/index.php` | High
|
||||
30 | File | `/Noxen-master/users.php` | High
|
||||
31 | File | `/out.php` | Medium
|
||||
32 | File | `/owa/auth/logon.aspx` | High
|
||||
33 | File | `/pages/animals.php` | High
|
||||
34 | File | `/pages/apply_vacancy.php` | High
|
||||
35 | File | `/pms/index.php` | High
|
||||
36 | ... | ... | ...
|
||||
|
||||
There are 308 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 304 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
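Review bot: rows 4 and 5 of the regenerated table, `/admin/login.php` and `/Admin/login.php`, differ only in letter case; if indicators are matched case-insensitively (as they would be against a case-insensitive filesystem or web server mapping) they are the same indicator and the `36 | ...` cut-off and the `304 more` footer are each off by one. Confirm whether the generator intends case-sensitive keys, and if it does, say so in the intro line so detection rules built from this list are not written with a case-folded match.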
|
||||
|
||||
|
|
|
@ -8,12 +8,12 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
|
|||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with CoolWebSearch:
|
||||
|
||||
* [ES](https://vuldb.com/?country.es)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [ES](https://vuldb.com/?country.es)
|
||||
* ...
|
||||
|
||||
There are 13 more country items available. Please use our online service to access the data.
|
||||
There are 17 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -155,7 +155,7 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
2 | T1040 | CWE-294, CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
|
||||
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
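Review bot: row 2 here gains `CWE-294` (`CWE-319` becomes `CWE-294, CWE-319`) while the same row of the Cobalt Strike TTP table earlier in this commit drops it; if both lists are derived from the linked vulnerability sets that is plausible, but one regeneration run moving the same weakness in opposite directions for two actors is worth a sanity check against the source data before merging. Row 4 also has the `Cross Site Scripting` description on `T1059 | CWE-88, CWE-94` already flagged for the Cobalt Strike table.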
|
||||
|
@ -169,36 +169,42 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `//proc/kcore` | Medium
|
||||
2 | File | `/Ap4RtpAtom.cpp` | High
|
||||
3 | File | `/app/options.py` | High
|
||||
4 | File | `/bcms/admin/?page=user/list` | High
|
||||
5 | File | `/bsms/?page=manage_account` | High
|
||||
6 | File | `/cgi-bin/login.cgi` | High
|
||||
7 | File | `/cgi-bin/luci/api/auth` | High
|
||||
8 | File | `/cgi-bin/luci/api/diagnose` | High
|
||||
9 | File | `/ci_hms/massage_room/edit/1` | High
|
||||
10 | File | `/dashboard/reports/logs/view` | High
|
||||
11 | File | `/debug/pprof` | Medium
|
||||
12 | File | `/etc/config/image_sign` | High
|
||||
13 | File | `/etc/groups` | Medium
|
||||
14 | File | `/etc/hosts` | Medium
|
||||
15 | File | `/forum/away.php` | High
|
||||
16 | File | `/fuel/index.php/fuel/logs/items` | High
|
||||
17 | File | `/fuel/sitevariables/delete/4` | High
|
||||
18 | File | `/ghost/preview` | High
|
||||
19 | File | `/hprms/admin/doctors/manage_doctor.php` | High
|
||||
20 | File | `/index/jobfairol/show/` | High
|
||||
21 | File | `/librarian/bookdetails.php` | High
|
||||
22 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
|
||||
23 | File | `/mgmt/tm/util/bash` | High
|
||||
24 | File | `/modules/caddyhttp/rewrite/rewrite.go` | High
|
||||
25 | File | `/php/passport/index.php` | High
|
||||
26 | File | `/proc/<PID>/mem` | High
|
||||
27 | File | `/servlet/AdapterHTTP` | High
|
||||
28 | ... | ... | ...
|
||||
1 | File | `/about.php` | Medium
|
||||
2 | File | `/administration/settings_registration.php` | High
|
||||
3 | File | `/ad_js.php` | Medium
|
||||
4 | File | `/app/options.py` | High
|
||||
5 | File | `/appConfig/userDB.json` | High
|
||||
6 | File | `/bd_genie_create_account.cgi` | High
|
||||
7 | File | `/bsms/?page=manage_account` | High
|
||||
8 | File | `/c/macho_reader.c` | High
|
||||
9 | File | `/cgi-bin/login.cgi` | High
|
||||
10 | File | `/cgi-bin/luci/api/wireless` | High
|
||||
11 | File | `/ci_hms/massage_room/edit/1` | High
|
||||
12 | File | `/claire_blake` | High
|
||||
13 | File | `/dashboard/reports/logs/view` | High
|
||||
14 | File | `/debian/patches/load_ppp_generic_if_needed` | High
|
||||
15 | File | `/debug/pprof` | Medium
|
||||
16 | File | `/defaultui/player/modern.html` | High
|
||||
17 | File | `/etc/hosts` | Medium
|
||||
18 | File | `/etc/init0.d/S80telnetd.sh` | High
|
||||
19 | File | `/etc/shadow.sample` | High
|
||||
20 | File | `/forum/away.php` | High
|
||||
21 | File | `/ghost/preview` | High
|
||||
22 | File | `/goform/SetIpMacBind` | High
|
||||
23 | File | `/goform/setmac` | High
|
||||
24 | File | `/hprms/admin/doctors/manage_doctor.php` | High
|
||||
25 | File | `/htdocs/utils/Files.php` | High
|
||||
26 | File | `/index/jobfairol/show/` | High
|
||||
27 | File | `/jfinal_cms/system/role/list` | High
|
||||
28 | File | `/librarian/bookdetails.php` | High
|
||||
29 | File | `/librarian/edit_book_details.php` | High
|
||||
30 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
|
||||
31 | File | `/manage-apartment.php` | High
|
||||
32 | File | `/master/index.php` | High
|
||||
33 | File | `/mkshop/Men/profile.php` | High
|
||||
34 | ... | ... | ...
|
||||
|
||||
There are 233 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 290 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -14,9 +14,9 @@ The following _campaigns_ are known and can be associated with CopyKittens:
|
|||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with CopyKittens:
|
||||
|
||||
* [ES](https://vuldb.com/?country.es)
|
||||
* [PT](https://vuldb.com/?country.pt)
|
||||
* [SV](https://vuldb.com/?country.sv)
|
||||
* [AR](https://vuldb.com/?country.ar)
|
||||
* ...
|
||||
|
||||
There are 9 more country items available. Please use our online service to access the data.
|
||||
|
@ -69,58 +69,42 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/admin/addemployee.php` | High
|
||||
2 | File | `/admin/add_trainers.php` | High
|
||||
3 | File | `/admin/header.inc.php` | High
|
||||
4 | File | `/admin/index.PHP` | High
|
||||
5 | File | `/admin/video/list` | High
|
||||
6 | File | `/api/plugin/uninstall` | High
|
||||
1 | File | `/admin/?page=reports/waste` | High
|
||||
2 | File | `/admin/?page=user/manage_user` | High
|
||||
3 | File | `/admin/addemployee.php` | High
|
||||
4 | File | `/admin/add_trainers.php` | High
|
||||
5 | File | `/admin/index.PHP` | High
|
||||
6 | File | `/admin/video/list` | High
|
||||
7 | File | `/api/upload-resource` | High
8 | File | `/api/v2/config` | High
9 | File | `/belegungsplan/wochenuebersicht.inc.php` | High
10 | File | `/bin/httpd` | Medium
11 | File | `/bits/stl_vector.h` | High
12 | File | `/card/in-card.php` | High
13 | File | `/cgi-bin/R14.2/cgi-bin/R14.2/host.pl` | High
14 | File | `/classes/Users.php?f=save_client` | High
15 | File | `/coreframe/app/attachment/admin/index.php` | High
16 | File | `/dishes.php` | Medium
17 | File | `/etc/quagga` | Medium
18 | File | `/etc/shadow.sample` | High
19 | File | `/fax/fax_send.php` | High
20 | File | `/garage/editclient.php` | High
21 | File | `/get_missing_events` | High
22 | File | `/gfxpoly/stroke.c` | High
23 | File | `/goform/addRouting` | High
24 | File | `/goform/form2Wan.cgi` | High
25 | File | `/home/bupt/Desktop/swftools/src/gif2swf` | High
26 | File | `/htdocs/utils/Files.php` | High
27 | File | `/include/menu_u.inc.php` | High
28 | File | `/includes/db_connect.php` | High
29 | File | `/includes/images.php` | High
30 | File | `/index.php` | Medium
31 | File | `/ip/admin/` | Medium
32 | File | `/login.php` | Medium
33 | File | `/multiarch/memset-vec-unaligned-erms.S` | High
34 | File | `/oa/setup/checkPool?database` | High
35 | File | `/pages/class_sched.php` | High
36 | File | `/pages/faculty_sched.php` | High
37 | File | `/pages/permit/permit.php` | High
38 | File | `/patient/booking.php` | High
39 | File | `/pms/update_medicine.php` | High
40 | File | `/pms/update_user.php` | High
41 | File | `/qr/I/` | Low
42 | File | `/release-x64/otfccdump` | High
43 | File | `/release-x64/otfccdump+0x6badae` | High
44 | File | `/release-x64/otfccdump+0x5266a8` | High
45 | File | `/sanitizer_common/sanitizer_common_interceptors.inc` | High
46 | File | `/session/sendmail` | High
47 | File | `/sistema/flash/reboot` | High
48 | File | `/sys/ui/extend/varkind/custom.jsp` | High
49 | File | `/templates/default/html/windows/right.php` | High
50 | ... | ... | ...
9 | File | `/authUserAction!edit.action` | High
10 | File | `/belegungsplan/wochenuebersicht.inc.php` | High
11 | File | `/bin/httpd` | Medium
12 | File | `/bits/stl_vector.h` | High
13 | File | `/card/in-card.php` | High
14 | File | `/cgi-bin/DownloadFlash` | High
15 | File | `/cgi-bin/R14.2/cgi-bin/R14.2/host.pl` | High
16 | File | `/classes/Master.php?f=delete_category` | High
17 | File | `/classes/Users.php?f=save_client` | High
18 | File | `/coreframe/app/attachment/admin/index.php` | High
19 | File | `/csms/admin/storages/view_storage.php` | High
20 | File | `/dishes.php` | Medium
21 | File | `/etc/ciel.cfg` | High
22 | File | `/etc/shadow.sample` | High
23 | File | `/fax/fax_send.php` | High
24 | File | `/garage/editclient.php` | High
25 | File | `/get_missing_events` | High
26 | File | `/gfxpoly/stroke.c` | High
27 | File | `/goform/addRouting` | High
28 | File | `/goform/form2Wan.cgi` | High
29 | File | `/goform/NTPSyncWithHost` | High
30 | File | `/home/bupt/Desktop/swftools/src/gif2swf` | High
31 | File | `/htdocs/utils/Files.php` | High
32 | File | `/includes/images.php` | High
33 | File | `/index.php` | Medium
34 | ... | ... | ...

There are 434 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 289 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References
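Review bot: the remaining-items count for this IOA table falls from 434 to 289 while the visible rows change only marginally (the old excerpt runs to ID 50, the new one stops at 34, and a handful of entries such as `/cgi-bin/DownloadFlash` and `/etc/ciel.cfg` are added while `/etc/quagga` and `/login.php` drop out). A net loss of roughly 145 indicators for one actor is large enough to deserve a sentence in the commit message, which currently says only "Update", and anyone feeding these tables into detection content should diff the full export rather than trust the visible excerpt.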
@ -39,7 +39,7 @@ ID | Technique | Weakness | Description | Confidence
3 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
4 | ... | ... | ... | ...

There are 6 more TTP items available. Please use our online service to access the data.
There are 7 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

@ -50,9 +50,10 @@ ID | Type | Indicator | Confidence
1 | File | `/forum/away.php` | High
2 | File | `/modules/profile/index.php` | High
3 | File | `/probe?target` | High
4 | ... | ... | ...
4 | File | `/usr/www/ja/mnt_cmd.cgi` | High
5 | ... | ... | ...

There are 22 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 27 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -39,7 +39,7 @@ ID | Technique | Weakness | Description | Confidence
3 | T1059 | CWE-94 | Cross Site Scripting | High
4 | ... | ... | ... | ...

There are 10 more TTP items available. Please use our online service to access the data.
There are 11 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

@ -54,11 +54,11 @@ ID | Type | Indicator | Confidence
5 | File | `admin/file-manager/attachments` | High
6 | File | `application/modules/admin/views/ecommerce/products.php` | High
7 | File | `apply.cgi` | Medium
8 | File | `base/ErrorHandler.php` | High
9 | File | `blog.php` | Medium
8 | File | `archivejson.cgi` | High
9 | File | `base/ErrorHandler.php` | High
10 | ... | ... | ...

There are 73 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 74 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -10,7 +10,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce

* [IT](https://vuldb.com/?country.it)
* [US](https://vuldb.com/?country.us)
* [DE](https://vuldb.com/?country.de)
* [FR](https://vuldb.com/?country.fr)
* ...

There are 6 more country items available. Please use our online service to access the data.

@ -74,10 +74,9 @@ ID | Type | Indicator | Confidence
19 | File | `/goform/SetSysTimeCfg` | High
20 | File | `/ifs` | Low
21 | File | `/mtms/admin/?page=user/manage_user` | High
22 | File | `/novel-admin/src/main/java/com/java2nb/common/controller/FileController.java` | High
23 | ... | ... | ...
22 | ... | ... | ...

There are 189 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 182 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -8,8 +8,12 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Dharma:

* [US](https://vuldb.com/?country.us)
* [BG](https://vuldb.com/?country.bg)
* [US](https://vuldb.com/?country.us)
* [TR](https://vuldb.com/?country.tr)
* ...

There are 1 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise
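Review bot: `* [US](https://vuldb.com/?country.us)` appears twice in this hunk's country list, once before `[BG]` and once after it. The header `@ -8,8 +8,12 @@` says four lines were added and none removed, and exactly twelve lines are rendered, so both entries appear to survive in the new version. A generated list should not carry duplicates; please check the generator's dedup step. The line "There are 1 more country items available" is also grammatically off for a count of one.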
@ -53,33 +53,32 @@ ID | Type | Indicator | Confidence
3 | File | `/admin.php` | Medium
4 | File | `/appliance/users?action=edit` | High
5 | File | `/core/conditions/AbstractWrapper.java` | High
6 | File | `/file?action=download&file` | High
7 | File | `/hub/api/user` | High
8 | File | `/medical/inventories.php` | High
9 | File | `/monitoring` | Medium
10 | File | `/plugin/LiveChat/getChat.json.php` | High
11 | File | `/plugins/servlet/audit/resource` | High
12 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
13 | File | `/replication` | Medium
14 | File | `/RestAPI` | Medium
15 | File | `/tmp/speedtest_urls.xml` | High
16 | File | `/tmp/zarafa-vacation-*` | High
17 | File | `/uncpath/` | Medium
18 | File | `/upload` | Low
19 | File | `/var/log/nginx` | High
20 | File | `/var/run/watchman.pid` | High
21 | File | `/viewer/krpano.html` | High
22 | File | `/WEB-INF/web.xml` | High
23 | File | `/wp-json/oembed/1.0/embed?url` | High
24 | File | `account.asp` | Medium
6 | File | `/export` | Low
7 | File | `/file?action=download&file` | High
8 | File | `/hub/api/user` | High
9 | File | `/medical/inventories.php` | High
10 | File | `/monitoring` | Medium
11 | File | `/plugin/LiveChat/getChat.json.php` | High
12 | File | `/plugins/servlet/audit/resource` | High
13 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
14 | File | `/replication` | Medium
15 | File | `/RestAPI` | Medium
16 | File | `/tmp/speedtest_urls.xml` | High
17 | File | `/tmp/zarafa-vacation-*` | High
18 | File | `/uncpath/` | Medium
19 | File | `/upload` | Low
20 | File | `/var/log/nginx` | High
21 | File | `/var/run/watchman.pid` | High
22 | File | `/viewer/krpano.html` | High
23 | File | `/WEB-INF/web.xml` | High
24 | File | `/wp-json/oembed/1.0/embed?url` | High
25 | File | `addentry.php` | Medium
26 | File | `admin-ajax.php?action=get_wdtable order[0][dir]` | High
27 | File | `admins.js` | Medium
28 | File | `admin\model\catalog\download.php` | High
29 | File | `AdxDSrv.exe` | Medium
30 | ... | ... | ...
29 | ... | ... | ...

There are 250 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 243 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -17,10 +17,10 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce

* [US](https://vuldb.com/?country.us)
* [GB](https://vuldb.com/?country.gb)
* [TR](https://vuldb.com/?country.tr)
* [RU](https://vuldb.com/?country.ru)
* ...

There are 24 more country items available. Please use our online service to access the data.
There are 26 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -52,7 +52,8 @@ ID | Technique | Weakness | Description | Confidence
2 | T1055 | CWE-74 | Injection | High
3 | T1059 | CWE-94 | Cross Site Scripting | High
4 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
5 | ... | ... | ... | ...
5 | T1068 | CWE-264, CWE-269, CWE-284 | Execution with Unnecessary Privileges | High
6 | ... | ... | ... | ...

There are 18 more TTP items available. Please use our online service to access the data.
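Review bot: the new row 5 maps T1068 with CWE-264, CWE-269 and CWE-284 to the description "Execution with Unnecessary Privileges", which is the title of CWE-250, not of any weakness listed in the row (CWE-269 is Improper Privilege Management, CWE-284 Improper Access Control, CWE-264 a retired category). The context rows 3 and 4 show the same drift: both read "Cross Site Scripting", although only T1059.007 with CWE-79/CWE-80 is XSS, while CWE-94 is Code Injection. Deriving the Description column from the first listed CWE would keep the table consistent.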
@ -72,34 +73,34 @@ ID | Type | Indicator | Confidence
8 | File | `/event/runquery.do` | High
9 | File | `/filemanager/ajax_calls.php` | High
10 | File | `/htmlcode/html/indexdefault.asp` | High
11 | File | `/out.php` | Medium
12 | File | `/products/details.asp` | High
13 | File | `/share/error?message` | High
14 | File | `/system/ws/v11/ss/email` | High
15 | File | `/uncpath/` | Medium
16 | File | `/var/www/xms/application/config/config.php` | High
17 | File | `/var/www/xms/application/controllers/gatherLogs.php` | High
18 | File | `/var/www/xms/application/controllers/verifyLogin.php` | High
19 | File | `/var/www/xms/cleanzip.sh` | High
20 | File | `/web/jquery/uploader/multi_uploadify.php` | High
21 | File | `/wp-admin/admin-ajax.php` | High
22 | File | `/wp-content/plugins/woocommerce/templates/emails/plain/` | High
23 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
24 | File | `about.php` | Medium
25 | File | `adclick.php` | Medium
26 | File | `addentry.php` | Medium
27 | File | `add_vhost.php` | High
28 | File | `admin.php` | Medium
29 | File | `admin/conf_users_edit.php` | High
30 | File | `admin/default.asp` | High
31 | File | `admin/media/rename.php` | High
32 | File | `admin/user.php` | High
33 | File | `advanced_component_system/index.php` | High
34 | File | `agent.cfg` | Medium
35 | File | `ajax/render/widget_php` | High
11 | File | `/opt/zimbra/jetty/webapps/zimbra/public` | High
12 | File | `/out.php` | Medium
13 | File | `/products/details.asp` | High
14 | File | `/share/error?message` | High
15 | File | `/system/ws/v11/ss/email` | High
16 | File | `/uncpath/` | Medium
17 | File | `/var/www/xms/application/config/config.php` | High
18 | File | `/var/www/xms/application/controllers/gatherLogs.php` | High
19 | File | `/var/www/xms/application/controllers/verifyLogin.php` | High
20 | File | `/var/www/xms/cleanzip.sh` | High
21 | File | `/web/jquery/uploader/multi_uploadify.php` | High
22 | File | `/wp-admin/admin-ajax.php` | High
23 | File | `/wp-content/plugins/woocommerce/templates/emails/plain/` | High
24 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
25 | File | `about.php` | Medium
26 | File | `adclick.php` | Medium
27 | File | `addentry.php` | Medium
28 | File | `add_vhost.php` | High
29 | File | `admin.php` | Medium
30 | File | `admin/conf_users_edit.php` | High
31 | File | `admin/default.asp` | High
32 | File | `admin/media/rename.php` | High
33 | File | `admin/user.php` | High
34 | File | `admincp/attachment.php&do=rebuild&type` | High
35 | File | `advanced_component_system/index.php` | High
36 | ... | ... | ...

There are 306 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 311 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -0,0 +1,73 @@
# Dracarys - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Dracarys](https://vuldb.com/?actor.dracarys). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.dracarys](https://vuldb.com/?actor.dracarys)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Dracarys:

* [US](https://vuldb.com/?country.us)
* [TR](https://vuldb.com/?country.tr)
* [ES](https://vuldb.com/?country.es)
* ...

There are 1 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Dracarys.

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [94.140.114.22](https://vuldb.com/?ip.94.140.114.22) | - | - | High

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Dracarys_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-21, CWE-22 | Pathname Traversal | High
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-88 | Cross Site Scripting | High
5 | ... | ... | ... | ...

There are 17 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Dracarys. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/acms/classes/Master.php?f=delete_cargo` | High
2 | File | `/admin.php/news/admin/topic/save` | High
3 | File | `/admin/comn/service/update.json` | High
4 | File | `/dev/shm` | Medium
5 | File | `/dl/dl_print.php` | High
6 | File | `/getcfg.php` | Medium
7 | File | `/ofcms/company-c-47` | High
8 | File | `/util/print.c` | High
9 | ... | ... | ...

There are 67 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://blog.cyble.com/2022/08/09/bitter-apt-group-using-dracarys-android-spyware/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
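Review bot: in this new file's TTP table, row 4 labels T1059 with CWE-88 as "Cross Site Scripting"; CWE-88 is Argument Injection and T1059 is Command and Scripting Interpreter, so the description matches neither column. Row 2 has the same problem: T1040 (Network Sniffing) with CWE-319 (Cleartext Transmission of Sensitive Information) is described as "Authentication Bypass by Capture-replay", which is the title of CWE-294. Separately, the IOC table holds a single address with no hostname or campaign and the only reference is one vendor blog post, so a short note on how `94.140.114.22` was attributed would let readers judge the `High` confidence.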
@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [US](https://vuldb.com/?country.us)
* ...

There are 17 more country items available. Please use our online service to access the data.
There are 16 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -151,39 +151,40 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `//proc/kcore` | Medium
2 | File | `/ad_js.php` | Medium
3 | File | `/Ap4RtpAtom.cpp` | High
4 | File | `/app/options.py` | High
5 | File | `/bcms/admin/?page=user/list` | High
6 | File | `/bsms/?page=manage_account` | High
7 | File | `/cgi-bin/login.cgi` | High
8 | File | `/ci_hms/massage_room/edit/1` | High
9 | File | `/context/%2e/WEB-INF/web.xml` | High
10 | File | `/dashboard/reports/logs/view` | High
11 | File | `/debian/patches/load_ppp_generic_if_needed` | High
12 | File | `/debug/pprof` | Medium
13 | File | `/etc/hosts` | Medium
14 | File | `/fuel/index.php/fuel/logs/items` | High
15 | File | `/fuel/sitevariables/delete/4` | High
16 | File | `/hprms/admin/doctors/manage_doctor.php` | High
17 | File | `/index.php` | Medium
18 | File | `/index/jobfairol/show/` | High
19 | File | `/librarian/bookdetails.php` | High
20 | File | `/manage-apartment.php` | High
21 | File | `/members/view_member.php` | High
22 | File | `/mgmt/tm/util/bash` | High
23 | File | `/modules/caddyhttp/rewrite/rewrite.go` | High
24 | File | `/owa/auth/logon.aspx` | High
25 | File | `/pages/apply_vacancy.php` | High
26 | File | `/proc/<PID>/mem` | High
27 | File | `/proc/<pid>/status` | High
28 | File | `/public/plugins/` | High
29 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
30 | File | `/secure/QueryComponent!Default.jspa` | High
31 | File | `/simple_chat_bot/admin/?page=user/manage_user` | High
32 | ... | ... | ...
2 | File | `/about.php` | Medium
3 | File | `/ad_js.php` | Medium
4 | File | `/Ap4RtpAtom.cpp` | High
5 | File | `/app/options.py` | High
6 | File | `/bcms/admin/?page=user/list` | High
7 | File | `/bsms/?page=manage_account` | High
8 | File | `/cgi-bin/login.cgi` | High
9 | File | `/cgi-bin/luci/api/wireless` | High
10 | File | `/ci_hms/massage_room/edit/1` | High
11 | File | `/context/%2e/WEB-INF/web.xml` | High
12 | File | `/dashboard/reports/logs/view` | High
13 | File | `/debian/patches/load_ppp_generic_if_needed` | High
14 | File | `/debug/pprof` | Medium
15 | File | `/etc/hosts` | Medium
16 | File | `/fuel/index.php/fuel/logs/items` | High
17 | File | `/fuel/sitevariables/delete/4` | High
18 | File | `/goform/setmac` | High
19 | File | `/hprms/admin/doctors/manage_doctor.php` | High
20 | File | `/index.php` | Medium
21 | File | `/index/jobfairol/show/` | High
22 | File | `/librarian/bookdetails.php` | High
23 | File | `/manage-apartment.php` | High
24 | File | `/members/view_member.php` | High
25 | File | `/mgmt/tm/util/bash` | High
26 | File | `/modules/caddyhttp/rewrite/rewrite.go` | High
27 | File | `/owa/auth/logon.aspx` | High
28 | File | `/pages/apply_vacancy.php` | High
29 | File | `/proc/<PID>/mem` | High
30 | File | `/public/plugins/` | High
31 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
32 | File | `/secure/QueryComponent!Default.jspa` | High
33 | ... | ... | ...

There are 277 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 283 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -0,0 +1,30 @@
# DroidWatcher - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [DroidWatcher](https://vuldb.com/?actor.droidwatcher). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.droidwatcher](https://vuldb.com/?actor.droidwatcher)

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of DroidWatcher.

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [192.168.35.40](https://vuldb.com/?ip.192.168.35.40) | - | - | High

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://github.com/blackorbird/APT_REPORT/blob/master/CyberMerceNary/wp-void-balaur-tracking-a-cybermercenarys-activities.pdf

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
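Review bot: the only IOC in this new file is `192.168.35.40`, an RFC 1918 private address. It cannot identify a remote network resource, and any consumer that loads this table into a blocklist or SIEM watchlist will alert on ordinary internal traffic, so it should not carry `High` confidence as a network indicator. If the address comes from the cited report as a host inside a victim or lab network, keep it out of the IOC table (or tag it as an internal artefact) and cite the section of the report it was taken from.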
@ -16,12 +16,12 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [178.132.6.150](https://vuldb.com/?ip.178.132.6.150) | 178-132-6-150.hosted-by-worldstream.net | - | High
2 | [185.215.113.42](https://vuldb.com/?ip.185.215.113.42) | - | - | High
3 | [185.215.113.81](https://vuldb.com/?ip.185.215.113.81) | - | - | High
1 | [45.141.85.25](https://vuldb.com/?ip.45.141.85.25) | - | - | High
2 | [178.132.6.150](https://vuldb.com/?ip.178.132.6.150) | 178-132-6-150.hosted-by-worldstream.net | - | High
3 | [185.215.113.42](https://vuldb.com/?ip.185.215.113.42) | - | - | High
4 | ... | ... | ... | ...

There are 1 more IOC items available. Please use our online service to access the data.
There are 3 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

@ -44,6 +44,7 @@ ID | Type | Indicator | Confidence

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://community.blueliv.com/#!/s/6290743382df41552632f5fe
* https://www.threatfabric.com/blogs/ermac-another-cerberus-reborn.html

## Literature

@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [US](https://vuldb.com/?country.us)
* ...

There are 7 more country items available. Please use our online service to access the data.
There are 6 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -460,10 +460,10 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-36 | Pathname Traversal | High
2 | T1040 | CWE-294, CWE-319 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-88, CWE-94, CWE-1321 | Cross Site Scripting | High
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-25 | Pathname Traversal | High
2 | T1055 | CWE-74 | Injection | High
3 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
4 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
5 | ... | ... | ... | ...

There are 18 more TTP items available. Please use our online service to access the data.
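Review bot: the rewritten row 3 (`T1059 | CWE-88, CWE-94 | Cross Site Scripting`) and the new row 4 (`T1059.007 | CWE-79, CWE-80 | Cross Site Scripting`) now carry the same description for different weakness classes; CWE-88 (Argument Injection) and CWE-94 (Code Injection) are not XSS, whereas CWE-79 and CWE-80 are. Row 1 also swaps CWE-36 for CWE-25 in the traversal list and the T1040 row disappears from the visible excerpt, neither of which the commit message mentions; a changed weakness mapping deserves a line there.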
@ -474,33 +474,30 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/about.php` | Medium
2 | File | `/admin/index.PHP` | High
3 | File | `/admin/lab.php` | High
4 | File | `/admin/sendmailto.php?tomail=&groupid=` | High
5 | File | `/api/index.php` | High
6 | File | `/appConfig/userDB.json` | High
7 | File | `/bd_genie_create_account.cgi` | High
8 | File | `/bibliography/marcsru.php` | High
9 | File | `/c/macho_reader.c` | High
1 | File | `/Admin/add-student.php` | High
2 | File | `/admin/conferences/list/` | High
3 | File | `/Admin/login.php` | High
4 | File | `/admin/subnets/ripe-query.php` | High
5 | File | `/administration/settings_registration.php` | High
6 | File | `/advanced-tools/nova/bin/netwatch` | High
7 | File | `/api/project` | Medium
8 | File | `/authUserAction!edit.action` | High
9 | File | `/baseOpLog.do` | High
10 | File | `/carbon/mediation_secure_vault/properties/ajaxprocessor.jsp` | High
11 | File | `/card/in-card.php` | High
12 | File | `/cgi-bin/kerbynet` | High
13 | File | `/cgi-bin/koha/members/paycollect.pl` | High
14 | File | `/cgi-bin/luci/api/wireless` | High
15 | File | `/cgi-bin/touchlist_sync.cgi` | High
16 | File | `/cgi-bin/wlogin.cgi` | High
17 | File | `/etc/networkd-dispatcher` | High
18 | File | `/EXCU_SHELL` | Medium
19 | File | `/forum/away.php` | High
20 | File | `/goform/SetIpMacBind` | High
21 | File | `/goform/setmac` | High
22 | File | `/goform/wifiSSIDset` | High
23 | File | `/home/iojs/build/ws/out/Release/obj.target/deps/openssl/openssl.cnf` | High
24 | File | `/modules/modstudent/index.php?view=edit` | High
25 | ... | ... | ...
11 | File | `/cgi-bin/qcmap_auth` | High
12 | File | `/diagnostic/edittest.php` | High
13 | File | `/editbrand.php` | High
14 | File | `/etc/fwupd/redfish.conf` | High
15 | File | `/forum/away.php` | High
16 | File | `/framework/mod/db/DBMapper.xml` | High
17 | File | `/getcfg.php` | Medium
18 | File | `/issue` | Low
19 | File | `/leave_system/classes/Master.php?f=delete_application` | High
20 | File | `/leave_system/classes/Users.php?f=save` | High
21 | File | `/opt/onedev/sites/` | High
22 | ... | ... | ...

There are 206 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 180 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -0,0 +1,84 @@
# Eternity - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Eternity](https://vuldb.com/?actor.eternity). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.eternity](https://vuldb.com/?actor.eternity)

## Campaigns

The following _campaigns_ are known and can be associated with Eternity:

* LilithBot

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Eternity:

* [RU](https://vuldb.com/?country.ru)
* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* ...

There are 1 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Eternity.

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [45.9.148.203](https://vuldb.com/?ip.45.9.148.203) | - | LilithBot | High
2 | [77.73.133.12](https://vuldb.com/?ip.77.73.133.12) | - | LilithBot | High
3 | [91.243.59.210](https://vuldb.com/?ip.91.243.59.210) | - | LilithBot | High
4 | ... | ... | ... | ...

There are 1 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Eternity_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-21, CWE-22 | Pathname Traversal | High
2 | T1055 | CWE-74 | Injection | High
3 | T1059 | CWE-94 | Cross Site Scripting | High
4 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
5 | ... | ... | ... | ...

There are 15 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Eternity. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/admin.php/admin/art/data.html` | High
2 | File | `/forum/away.php` | High
3 | File | `/goform/SetNetControlList` | High
4 | File | `/ptipupgrade.cgi` | High
5 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
6 | File | `admin/categories_industry.php` | High
7 | File | `admin/content/postcategory` | High
8 | File | `Adminstrator/Users/Edit/` | High
9 | ... | ... | ...

There are 65 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://www.zscaler.com/blogs/security-research/analysis-lilithbot-malware-and-eternity-threat-group

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
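Review bot: the Description column of the TTP table labels T1059 (CWE-94) as "Cross Site Scripting", but T1059 is ATT&CK's Command and Scripting Interpreter and CWE-94 is Code Injection; only the T1059.007 row (CWE-79, CWE-80) is XSS. The same mislabel recurs in every TTP table this commit touches (EvilProxy, GoodWill, and the `4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting` rows), so fix it in the generator rather than per file, for example by deriving the description from the listed CWE names or from the ATT&CK technique name.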
@ -0,0 +1,118 @@
# EvilProxy - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [EvilProxy](https://vuldb.com/?actor.evilproxy). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.evilproxy](https://vuldb.com/?actor.evilproxy)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with EvilProxy:

* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [DE](https://vuldb.com/?country.de)
* ...

There are 18 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of EvilProxy.

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [147.78.47.250](https://vuldb.com/?ip.147.78.47.250) | undefined.hostname.localhost | - | High
2 | [185.158.251.169](https://vuldb.com/?ip.185.158.251.169) | - | - | High
3 | [194.76.226.166](https://vuldb.com/?ip.194.76.226.166) | - | - | High

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _EvilProxy_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
2 | T1040 | CWE-294, CWE-319 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-94 | Cross Site Scripting | High
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
6 | ... | ... | ... | ...

There are 18 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by EvilProxy. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `.htaccess` | Medium
2 | File | `/Admin/add-student.php` | High
3 | File | `/admin/conferences/list/` | High
4 | File | `/admin/edit_admin_details.php?id=admin` | High
5 | File | `/admin/generalsettings.php` | High
6 | File | `/Admin/login.php` | High
7 | File | `/admin/payment.php` | High
8 | File | `/admin/reports.php` | High
9 | File | `/admin/showbad.php` | High
10 | File | `/admin_page/all-files-update-ajax.php` | High
11 | File | `/bsms/?page=products` | High
12 | File | `/cgi-bin/kerbynet` | High
13 | File | `/cgi-bin/system_mgr.cgi` | High
14 | File | `/cgi-bin/wlogin.cgi` | High
15 | File | `/cloud_config/router_post/check_reg_verify_code` | High
16 | File | `/debug/pprof` | Medium
17 | File | `/dms/admin/reports/daily_collection_report.php` | High
18 | File | `/ext/phar/phar_object.c` | High
19 | File | `/filemanager/php/connector.php` | High
20 | File | `/forum/away.php` | High
21 | File | `/get_getnetworkconf.cgi` | High
22 | File | `/HNAP1` | Low
23 | File | `/include/chart_generator.php` | High
24 | File | `/index.php` | Medium
25 | File | `/info.cgi` | Medium
26 | File | `/Items/*/RemoteImages/Download` | High
27 | File | `/lists/admin/` | High
28 | File | `/MagickCore/image.c` | High
29 | File | `/mgmt/tm/util/bash` | High
30 | File | `/modx/manager/index.php` | High
31 | File | `/out.php` | Medium
32 | File | `/public/launchNewWindow.jsp` | High
33 | File | `/replication` | Medium
34 | File | `/siteminderagent/pwcgi/smpwservicescgi.exe` | High
35 | File | `/spip.php` | Medium
36 | File | `/TeleoptiWFM/Administration/GetOneTenant` | High
37 | File | `/type.php` | Medium
38 | File | `/usr/bin/pkexec` | High
39 | File | `/WEB-INF/web.xml` | High
40 | File | `/Wedding-Management/package_detail.php` | High
41 | File | `/wp-content/plugins/woocommerce/templates/emails/plain/` | High
42 | File | `4.2.0.CP09` | Medium
43 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
44 | File | `802dot1xclientcert.cgi` | High
45 | File | `a2billing/customer/iridium_threed.php` | High
46 | File | `AdClass.php` | Medium
47 | File | `adclick.php` | Medium
48 | File | `add.exe` | Low
49 | File | `admin.php?m=Food&a=addsave` | High
50 | File | `admin/conf_users_edit.php` | High
51 | ... | ... | ...

There are 443 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://community.blueliv.com/#!/s/6316ed0e82df417b923303f4

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
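Review bot: IOC row 1 carries `undefined.hostname.localhost` as the hostname for 147.78.47.250; that string is a placeholder PTR value rather than a resolvable name, it will never match in a detection pipeline, and it misleads anyone reading the table, so store `-` as on rows 2 and 3. Two smaller points: IOA row 42 `4.2.0.CP09` is a version string typed as File, and the only reference is a `community.blueliv.com/#!/s/...` hash-bang URL that resolves only inside that web app, so add a title and date so the source stays identifiable if the link stops working.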
@ -82,7 +82,7 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
2 | T1040 | CWE-294, CWE-319 | Authentication Bypass by Capture-replay | High
2 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
5 | ... | ... | ... | ...

@ -95,41 +95,40 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `.htaccess` | Medium
2 | File | `//proc/kcore` | Medium
1 | File | `/about.php` | Medium
2 | File | `/Admin/add-student.php` | High
3 | File | `/admin/conferences/list/` | High
4 | File | `/admin/edit_admin_details.php?id=admin` | High
5 | File | `/admin/generalsettings.php` | High
6 | File | `/admin/payment.php` | High
7 | File | `/admin/reports.php` | High
8 | File | `/admin/showbad.php` | High
9 | File | `/ad_js.php` | Medium
10 | File | `/Ap4RtpAtom.cpp` | High
6 | File | `/Admin/login.php` | High
7 | File | `/admin/payment.php` | High
8 | File | `/admin/reports.php` | High
9 | File | `/admin/showbad.php` | High
10 | File | `/ad_js.php` | Medium
11 | File | `/app/options.py` | High
12 | File | `/bsms/?page=manage_account` | High
13 | File | `/cgi-bin/kerbynet` | High
14 | File | `/cgi-bin/login.cgi` | High
15 | File | `/ci_hms/massage_room/edit/1` | High
16 | File | `/dashboard/reports/logs/view` | High
17 | File | `/debian/patches/load_ppp_generic_if_needed` | High
18 | File | `/debug/pprof` | Medium
19 | File | `/etc/hosts` | Medium
20 | File | `/forum/away.php` | High
21 | File | `/fuel/sitevariables/delete/4` | High
22 | File | `/hprms/admin/doctors/manage_doctor.php` | High
23 | File | `/index.php` | Medium
24 | File | `/index/jobfairol/show/` | High
25 | File | `/Items/*/RemoteImages/Download` | High
26 | File | `/librarian/bookdetails.php` | High
27 | File | `/lists/admin/` | High
28 | File | `/MagickCore/image.c` | High
29 | File | `/manage-apartment.php` | High
30 | File | `/modules/caddyhttp/rewrite/rewrite.go` | High
31 | File | `/out.php` | Medium
32 | File | `/pages/apply_vacancy.php` | High
33 | ... | ... | ...
13 | File | `/cgi-bin/login.cgi` | High
14 | File | `/cgi-bin/luci/api/wireless` | High
15 | File | `/cgi-bin/wlogin.cgi` | High
16 | File | `/ci_hms/massage_room/edit/1` | High
17 | File | `/dashboard/reports/logs/view` | High
18 | File | `/debian/patches/load_ppp_generic_if_needed` | High
19 | File | `/debug/pprof` | Medium
20 | File | `/etc/hosts` | Medium
21 | File | `/forum/away.php` | High
22 | File | `/goform/setmac` | High
23 | File | `/hprms/admin/doctors/manage_doctor.php` | High
24 | File | `/index.php` | Medium
25 | File | `/index/jobfairol/show/` | High
26 | File | `/Items/*/RemoteImages/Download` | High
27 | File | `/librarian/bookdetails.php` | High
28 | File | `/manage-apartment.php` | High
29 | File | `/modules/caddyhttp/rewrite/rewrite.go` | High
30 | File | `/out.php` | Medium
31 | File | `/pages/apply_vacancy.php` | High
32 | ... | ... | ...

There are 280 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 273 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

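Review bot: several rows kept in the rewritten table (`/index.php` Medium, `/etc/hosts` Medium, `/debug/pprof` Medium, `/out.php` Medium) match practically any web host or Unix system, so a consumer that loads the whole IOA list into a matcher gets noise rather than signal. Either raise the bar for inclusion or make the confidence column filterable in the export so Medium and Low entries can be dropped before they reach a WAF or SIEM.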
@ -55,38 +55,39 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `//proc/kcore` | Medium
2 | File | `/ad_js.php` | Medium
3 | File | `/Ap4RtpAtom.cpp` | High
4 | File | `/app/options.py` | High
5 | File | `/bcms/admin/?page=user/list` | High
6 | File | `/bsms/?page=manage_account` | High
7 | File | `/cgi-bin/login.cgi` | High
8 | File | `/ci_hms/massage_room/edit/1` | High
9 | File | `/context/%2e/WEB-INF/web.xml` | High
10 | File | `/dashboard/reports/logs/view` | High
11 | File | `/debian/patches/load_ppp_generic_if_needed` | High
12 | File | `/debug/pprof` | Medium
13 | File | `/etc/hosts` | Medium
14 | File | `/fuel/index.php/fuel/logs/items` | High
15 | File | `/fuel/sitevariables/delete/4` | High
16 | File | `/hprms/admin/doctors/manage_doctor.php` | High
17 | File | `/index/jobfairol/show/` | High
18 | File | `/librarian/bookdetails.php` | High
19 | File | `/manage-apartment.php` | High
20 | File | `/mgmt/tm/util/bash` | High
21 | File | `/modules/caddyhttp/rewrite/rewrite.go` | High
22 | File | `/new` | Low
23 | File | `/pages/apply_vacancy.php` | High
24 | File | `/proc/<PID>/mem` | High
25 | File | `/proc/<pid>/status` | High
26 | File | `/public/plugins/` | High
27 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
28 | File | `/secure/QueryComponent!Default.jspa` | High
29 | File | `/simple_chat_bot/admin/?page=user/manage_user` | High
30 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
31 | ... | ... | ...
2 | File | `/about.php` | Medium
3 | File | `/ad_js.php` | Medium
4 | File | `/Ap4RtpAtom.cpp` | High
5 | File | `/app/options.py` | High
6 | File | `/bcms/admin/?page=user/list` | High
7 | File | `/bsms/?page=manage_account` | High
8 | File | `/cgi-bin/login.cgi` | High
9 | File | `/cgi-bin/luci/api/wireless` | High
10 | File | `/ci_hms/massage_room/edit/1` | High
11 | File | `/context/%2e/WEB-INF/web.xml` | High
12 | File | `/dashboard/reports/logs/view` | High
13 | File | `/debian/patches/load_ppp_generic_if_needed` | High
14 | File | `/debug/pprof` | Medium
15 | File | `/etc/hosts` | Medium
16 | File | `/fuel/index.php/fuel/logs/items` | High
17 | File | `/fuel/sitevariables/delete/4` | High
18 | File | `/goform/setmac` | High
19 | File | `/hprms/admin/doctors/manage_doctor.php` | High
20 | File | `/index/jobfairol/show/` | High
21 | File | `/librarian/bookdetails.php` | High
22 | File | `/manage-apartment.php` | High
23 | File | `/mgmt/tm/util/bash` | High
24 | File | `/modules/caddyhttp/rewrite/rewrite.go` | High
25 | File | `/pages/apply_vacancy.php` | High
26 | File | `/proc/<PID>/mem` | High
27 | File | `/proc/<pid>/status` | High
28 | File | `/public/plugins/` | High
29 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
30 | File | `/secure/QueryComponent!Default.jspa` | High
31 | File | `/simple_chat_bot/admin/?page=user/manage_user` | High
32 | ... | ... | ...

There are 266 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 274 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

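Review bot: rows 26 and 27 of the new table (`/proc/<PID>/mem` and `/proc/<pid>/status`) spell the same placeholder two ways; normalise to one form, ideally a documented token, so downstream de-duplication and matching treat them consistently. The unchanged row 1 `//proc/kcore` with its doubled leading slash looks like the same kind of artefact and is worth cleaning in the same pass.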
@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [CN](https://vuldb.com/?country.cn)
* ...

There are 1 more country items available. Please use our online service to access the data.
There are 2 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -57,9 +57,10 @@ ID | Type | Indicator | Confidence
7 | File | `/getcfg.php` | Medium
8 | File | `/ofcms/company-c-47` | High
9 | File | `/util/print.c` | High
10 | ... | ... | ...
10 | File | `/web/MCmsAction.java` | High
11 | ... | ... | ...

There are 79 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 81 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

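Review bot: the added row `10 | File | /web/MCmsAction.java | High` is a source-file path, like `/util/print.c` above it, not a request path an attacker sends; listing both kinds under the single type File means a web-log or WAF consumer can never match the source paths and may treat them as false negatives. Consider a separate type (or a tag) for source-code locations so consumers can filter them out of request matching.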
@ -43,9 +43,10 @@ ID | Type | Indicator | Confidence
2 | File | `/new` | Low
3 | File | `/service/upload` | High
4 | File | `/system?action=ServiceAdmin` | High
5 | ... | ... | ...
5 | File | `/var/log/nginx` | High
6 | ... | ... | ...

There are 34 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 35 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

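Review bot: the added row `5 | File | /var/log/nginx | High` names a log directory rather than a file or a request path, so it is unclear what a consumer should match on (a traversal read target, a string inside a payload, or a location the actor tampers with after access). State what the indicator represents, or type it accordingly; as written it is a generic system path carrying High confidence.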
@ -9,11 +9,11 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FritzFrog:

* [VN](https://vuldb.com/?country.vn)
* [CN](https://vuldb.com/?country.cn)
* [ES](https://vuldb.com/?country.es)
* [US](https://vuldb.com/?country.us)
* ...

There are 15 more country items available. Please use our online service to access the data.
There are 14 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -331,14 +331,14 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-21, CWE-22 | Pathname Traversal | High
2 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
2 | T1055 | CWE-74 | Injection | High
3 | T1059 | CWE-88, CWE-94, CWE-1321 | Cross Site Scripting | High
4 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
5 | T1068 | CWE-250, CWE-264, CWE-269, CWE-284 | Execution with Unnecessary Privileges | High
6 | ... | ... | ... | ...

There are 21 more TTP items available. Please use our online service to access the data.
There are 20 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

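Review bot: the new row `5 | T1068 | CWE-250, CWE-264, CWE-269, CWE-284 | Execution with Unnecessary Privileges | High` uses the title of CWE-250 alone as its description although four CWEs are listed, and three of them (264, 269, 284) are access-control categories rather than that weakness; in ATT&CK, T1068 is Exploitation for Privilege Escalation. Use the technique name, or one description per CWE, so the Description column means the same thing on every row. The same applies to row 3, where CWE-1321 (prototype pollution) is added under a row still described as Cross Site Scripting.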
@ -346,48 +346,41 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/admin/inc/include.php` | High
2 | File | `/admin/index.php` | High
3 | File | `/admin/students/view_student.php` | High
4 | File | `/alarm_pi/alarmService.php` | High
5 | File | `/api/` | Low
6 | File | `/appliance/users?action=edit` | High
7 | File | `/bin/login` | Medium
8 | File | `/catcompany.php` | High
9 | File | `/cdsms/classes/Master.php?f=delete_enrollment` | High
10 | File | `/cgi-bin/kerbynet` | High
11 | File | `/cgi-bin/luci/api/wireless` | High
12 | File | `/claire_blake` | High
13 | File | `/controller/OnlinePreviewController.java` | High
14 | File | `/coreframe/app/pay/admin/index.php` | High
15 | File | `/dashboard/snapshot/*?orgId=0` | High
16 | File | `/debug/pprof` | Medium
17 | File | `/etc/init0.d/S80telnetd.sh` | High
18 | File | `/etc/shadow.sample` | High
19 | File | `/forum/away.php` | High
20 | File | `/h/search?action` | High
21 | File | `/IISADMPWD` | Medium
22 | File | `/index.php` | Medium
23 | File | `/index.php?action=seomatic/file/seo-file-link` | High
24 | File | `/Items/*/RemoteImages/Download` | High
25 | File | `/jfinal_cms/system/role/list` | High
26 | File | `/loginVaLidation.php` | High
27 | File | `/MicroStrategyWS/happyaxis.jsp` | High
28 | File | `/mkshop/Men/profile.php` | High
29 | File | `/modules/projects/vw_files.php` | High
30 | File | `/ows-bin` | Medium
31 | File | `/pages/faculty_sched.php` | High
32 | File | `/php_action/createUser.php` | High
33 | File | `/rest/collectors/1.0/template/custom` | High
34 | File | `/secure/QueryComponent!Default.jspa` | High
35 | File | `/uncpath/` | Medium
36 | File | `/upload` | Low
37 | File | `/vendor/views/add_product.php` | High
38 | File | `/way4acs/enroll` | High
39 | File | `/wp-admin/admin-ajax.php` | High
40 | ... | ... | ...
1 | File | `/about.php` | Medium
2 | File | `/Admin/add-student.php` | High
3 | File | `/admin/conferences/list/` | High
4 | File | `/admin/index.PHP` | High
5 | File | `/Admin/login.php` | High
6 | File | `/admin/sendmailto.php?tomail=&groupid=` | High
7 | File | `/admin/subnets/ripe-query.php` | High
8 | File | `/administration/settings_registration.php` | High
9 | File | `/advanced-tools/nova/bin/netwatch` | High
10 | File | `/appConfig/userDB.json` | High
11 | File | `/assets` | Low
12 | File | `/carbon/mediation_secure_vault/properties/ajaxprocessor.jsp` | High
13 | File | `/cgi-bin/kerbynet` | High
14 | File | `/cgi-bin/qcmap_auth` | High
15 | File | `/cgi-bin/wlogin.cgi` | High
16 | File | `/context/%2e/WEB-INF/web.xml` | High
17 | File | `/editbrand.php` | High
18 | File | `/etc/networkd-dispatcher` | High
19 | File | `/form/index.php?module=getjson` | High
20 | File | `/forum/away.php` | High
21 | File | `/goform/wifiSSIDset` | High
22 | File | `/leave_system/classes/Master.php?f=delete_application` | High
23 | File | `/mgmt/tm/util/bash` | High
24 | File | `/obs/bookPerPub.php` | High
25 | File | `/opt/onedev/sites/` | High
26 | File | `/opt/zimbra/jetty/webapps/zimbra/public` | High
27 | File | `/phpinventory/editcategory.php` | High
28 | File | `/requests.php` | High
29 | File | `/secure/QueryComponent!Default.jspa` | High
30 | File | `/uncpath/` | Medium
31 | File | `/usr/www/ja/mnt_cmd.cgi` | High
32 | File | `/vendor/htmlawed/htmlawed/htmLawedTest.php` | High
33 | ... | ... | ...

There are 346 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 277 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

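Review bot: row 4 of the replacement table is `/admin/index.PHP` while the removed table had `/admin/index.php`; if the uppercase extension is a genuinely observed variant keep both spellings, but if it is a case-normalisation slip it will silently miss the common form on case-sensitive servers. Rows 11, 18 and 25 (`/assets`, `/etc/networkd-dispatcher`, `/opt/onedev/sites/`) are directories, which the File type as used elsewhere in these tables does not cover.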
@ -68,7 +68,7 @@ ID | Technique | Weakness | Description | Confidence
3 | T1059 | CWE-94 | Cross Site Scripting | High
4 | ... | ... | ... | ...

There are 12 more TTP items available. Please use our online service to access the data.
There are 14 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

@ -88,7 +88,7 @@ ID | Type | Indicator | Confidence
10 | File | `/SSOPOST/metaAlias/%realm%/idpv2` | High
11 | ... | ... | ...

There are 79 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 83 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -78,7 +78,8 @@ ID | IP address | Hostname | Campaign | Confidence
53 | [80.78.254.238](https://vuldb.com/?ip.80.78.254.238) | 80-78-254-238.cloudvps.regruhosting.ru | - | High
54 | [83.166.242.108](https://vuldb.com/?ip.83.166.242.108) | - | - | High
55 | [83.166.247.110](https://vuldb.com/?ip.83.166.247.110) | - | - | High
56 | ... | ... | ... | ...
56 | [83.166.247.185](https://vuldb.com/?ip.83.166.247.185) | - | - | High
57 | ... | ... | ... | ...

There are 222 more IOC items available. Please use our online service to access the data.

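Review bot: the added IOC `56 | 83.166.247.185` sits in the same /24 as row 55 (`83.166.247.110`) and, like rows 54 and 55, has no hostname or campaign; record the netblock or ASN and a first-seen date so a consumer can decide whether to act on the single address or the range. The trailer still reads 222 more items, which is only consistent if this address is a new observation rather than one promoted from the hidden part of the list; worth confirming.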
@ -126,6 +127,7 @@ The following list contains _external sources_ which discuss the actor and the a
* https://github.com/stamparm/maltrail/blob/2d0339af3523b230d8e9a08efd22af032ec7a18e/trails/static/malware/apt_gamaredon.txt
* https://pastebin.com/Vhb4KF5L
* https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine
* https://twitter.com/500mk500/status/1579822593053691906
* https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/
* https://www.fortinet.com/jp/blog/threat-research/gamaredon-group-ttp-profile-analysis

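Review bot: the added reference `https://pastebin.com/Vhb4KF5L` is a bare paste link with no title, author or date; pastes are routinely deleted, so add an archived copy (or quote the relevant content in the repository) and say what the paste contains, otherwise the citation becomes unverifiable. The Twitter status link two lines below has the same weakness.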
@ -112,45 +112,47 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/about.php` | Medium
2 | File | `/admin/lab.php` | High
3 | File | `/admin/login.php` | High
4 | File | `/admin/students/view_student.php` | High
5 | File | `/app/options.py` | High
6 | File | `/appConfig/userDB.json` | High
7 | File | `/bd_genie_create_account.cgi` | High
8 | File | `/bin/httpd` | Medium
9 | File | `/c/macho_reader.c` | High
10 | File | `/cgi-bin/wapopen` | High
11 | File | `/ci_spms/admin/category` | High
12 | File | `/ci_spms/admin/search/searching/` | High
13 | File | `/claire_blake` | High
14 | File | `/classes/Master.php?f=delete_train` | High
15 | File | `/coreframe/app/attachment/admin/index.php` | High
16 | File | `/dashboard/menu-list.php` | High
17 | File | `/debug/pprof` | Medium
18 | File | `/defaultui/player/modern.html` | High
19 | File | `/etc/init0.d/S80telnetd.sh` | High
20 | File | `/etc/shadow.sample` | High
21 | File | `/ffos/classes/Master.php?f=save_category` | High
22 | File | `/forum/away.php` | High
23 | File | `/ghost/preview` | High
24 | File | `/goform/SetIpMacBind` | High
25 | File | `/goform/setmac` | High
26 | File | `/htdocs/utils/Files.php` | High
27 | File | `/Items/*/RemoteImages/Download` | High
28 | File | `/jfinal_cms/system/role/list` | High
29 | File | `/librarian/edit_book_details.php` | High
30 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
31 | File | `/management/api/rcx_management/global_config_query` | High
32 | File | `/master/index.php` | High
33 | File | `/mkshop/Men/profile.php` | High
34 | File | `/p1/p2/:name` | Medium
35 | File | `/pages/faculty_sched.php` | High
36 | File | `/pages/processlogin.php` | High
37 | ... | ... | ...
1 | File | `/+CSCOE+/logon.html` | High
2 | File | `/about.php` | Medium
3 | File | `/admin/lab.php` | High
4 | File | `/admin/login.php` | High
5 | File | `/admin/students/view_student.php` | High
6 | File | `/administration/settings_registration.php` | High
7 | File | `/app/options.py` | High
8 | File | `/appConfig/userDB.json` | High
9 | File | `/bd_genie_create_account.cgi` | High
10 | File | `/bin/httpd` | Medium
11 | File | `/c/macho_reader.c` | High
12 | File | `/cgi-bin/wapopen` | High
13 | File | `/ci_spms/admin/category` | High
14 | File | `/ci_spms/admin/search/searching/` | High
15 | File | `/claire_blake` | High
16 | File | `/classes/Master.php?f=delete_train` | High
17 | File | `/coreframe/app/attachment/admin/index.php` | High
18 | File | `/dashboard/menu-list.php` | High
19 | File | `/debug` | Low
20 | File | `/debug/pprof` | Medium
21 | File | `/defaultui/player/modern.html` | High
22 | File | `/etc/init0.d/S80telnetd.sh` | High
23 | File | `/etc/shadow.sample` | High
24 | File | `/ffos/classes/Master.php?f=save_category` | High
25 | File | `/forum/away.php` | High
26 | File | `/ghost/preview` | High
27 | File | `/goform/SetIpMacBind` | High
28 | File | `/goform/setmac` | High
29 | File | `/htdocs/utils/Files.php` | High
30 | File | `/Items/*/RemoteImages/Download` | High
31 | File | `/jfinal_cms/system/role/list` | High
32 | File | `/librarian/edit_book_details.php` | High
33 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
34 | File | `/management/api/rcx_management/global_config_query` | High
35 | File | `/master/index.php` | High
36 | File | `/mkshop/Men/profile.php` | High
37 | File | `/opt/zimbra/jetty/webapps/zimbra/public` | High
38 | File | `/pages/faculty_sched.php` | High
39 | ... | ... | ...

There are 321 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 333 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

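Review bot: the new row `19 | File | /debug | Low` is a prefix of row 20 `/debug/pprof | Medium`; a prefix-matching consumer will fire twice on one request, and a lower-confidence parent path adds nothing the child does not already carry. Either drop the parent entry or document that these indicators are meant for exact-match comparison only.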
@ -20,6 +20,14 @@ ID | IP address | Hostname | Campaign | Confidence
1 | [3.109.48.136](https://vuldb.com/?ip.3.109.48.136) | ec2-3-109-48-136.ap-south-1.compute.amazonaws.com | - | Medium
2 | [13.235.50.147](https://vuldb.com/?ip.13.235.50.147) | ec2-13-235-50-147.ap-south-1.compute.amazonaws.com | - | Medium

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _GoodWill_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059 | CWE-94 | Cross Site Scripting | High

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by GoodWill. This data is unique as it uses our predictive model for actor profiling.
@ -155,15 +155,14 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
|
|||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-425 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-25 | Pathname Traversal | High
|
||||
2 | T1040 | CWE-294, CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-88, CWE-94, CWE-1321 | Cross Site Scripting | High
|
||||
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
6 | T1068 | CWE-264, CWE-269, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
7 | ... | ... | ... | ...
|
||||
5 | T1059.007 | CWE-79, CWE-80, CWE-84 | Cross Site Scripting | High
|
||||
6 | ... | ... | ... | ...
|
||||
|
||||
There are 22 more TTP items available. Please use our online service to access the data.
|
||||
There are 21 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
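Review bot: the Description column for the T1059 row kept as context in this hunk, `4 | T1059 | CWE-88, CWE-94, CWE-1321 | Cross Site Scripting | High`, does not match either the technique or the weaknesses it lists: T1059 is Command and Scripting Interpreter, and CWE-88, CWE-94 and CWE-1321 are argument injection, code injection and prototype pollution, none of which is cross-site scripting; only the T1059.007 rows (CWE-79, CWE-80) carry XSS weaknesses. The new row 5 adds CWE-84 under the same label. Consider deriving the Description from the ATT&CK technique name or the CWE title rather than reusing the XSS label, otherwise anyone mapping this table onto detections will file code-injection findings under XSS.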

@ -171,43 +170,41 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `.forward` | Medium
2 | File | `/#/network?tab=network_node_list.html` | High
3 | File | `/about.php` | Medium
1 | File | `/#/network?tab=network_node_list.html` | High
2 | File | `/about.php` | Medium
3 | File | `/Admin/add-student.php` | High
4 | File | `/admin/addemployee.php` | High
5 | File | `/admin/contact/list` | High
6 | File | `/admin/del.php` | High
7 | File | `/admin/folderrollpicture/list` | High
8 | File | `/admin/imagealbum/list` | High
9 | File | `/admin/lab.php` | High
10 | File | `/admin/login.php` | High
9 | File | `/admin/login.php` | High
10 | File | `/Admin/login.php` | High
11 | File | `/advanced-tools/nova/bin/netwatch` | High
12 | File | `/ad_js.php` | Medium
13 | File | `/api/` | Low
14 | File | `/api/plugin/uninstall` | High
15 | File | `/bin/httpd` | Medium
16 | File | `/blog/edit` | Medium
17 | File | `/catcompany.php` | High
18 | File | `/category/controller.php?action=edit` | High
19 | File | `/cgi-bin/luci/api/wireless` | High
20 | File | `/cgi/get_param.cgi` | High
21 | File | `/chart` | Low
22 | File | `/classes/Master.php?f=delete_account` | High
23 | File | `/dashboard/reports/logs/view` | High
24 | File | `/dashboard/updatelogo.php` | High
25 | File | `/debian/patches/load_ppp_generic_if_needed` | High
26 | File | `/debug/pprof` | Medium
27 | File | `/dede/co_do.php` | High
28 | File | `/etc/hosts` | Medium
29 | File | `/etc/init.d/sshd_service` | High
30 | File | `/goform/addRouting` | High
31 | File | `/goform/saveParentControlInfo` | High
32 | File | `/goform/setmac` | High
33 | File | `/goform/SystemCommand` | High
34 | File | `/index.php` | Medium
35 | ... | ... | ...
14 | File | `/bin/httpd` | Medium
15 | File | `/blog/edit` | Medium
16 | File | `/category/controller.php?action=edit` | High
17 | File | `/cgi-bin/cstecgi.cgi` | High
18 | File | `/cgi-bin/luci/api/wireless` | High
19 | File | `/cgi/get_param.cgi` | High
20 | File | `/classes/Master.php?f=delete_account` | High
21 | File | `/college_website/index.php?` | High
22 | File | `/dashboard/updatelogo.php` | High
23 | File | `/debian/patches/load_ppp_generic_if_needed` | High
24 | File | `/debug/pprof` | Medium
25 | File | `/dede/co_do.php` | High
26 | File | `/DesignTools/CssEditor.aspx` | High
27 | File | `/ebics-server/ebics.aspx` | High
28 | File | `/export` | Low
29 | File | `/goform/addRouting` | High
30 | File | `/goform/saveParentControlInfo` | High
31 | File | `/goform/setmac` | High
32 | File | `/goform/SystemCommand` | High
33 | ... | ... | ...

There are 300 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 285 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -0,0 +1,82 @@
# GuLoader - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [GuLoader](https://vuldb.com/?actor.guloader). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.guloader](https://vuldb.com/?actor.guloader)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with GuLoader:

* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [RU](https://vuldb.com/?country.ru)
* ...

There are 4 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of GuLoader.

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [5.2.75.164](https://vuldb.com/?ip.5.2.75.164) | - | - | High
2 | [37.0.8.96](https://vuldb.com/?ip.37.0.8.96) | - | - | High
3 | [64.44.168.209](https://vuldb.com/?ip.64.44.168.209) | 209-168-44-64-.reverse-dns | - | High
4 | ... | ... | ... | ...

There are 6 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _GuLoader_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-21, CWE-22 | Pathname Traversal | High
2 | T1055 | CWE-74 | Injection | High
3 | T1059 | CWE-94 | Cross Site Scripting | High
4 | ... | ... | ... | ...

There are 11 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by GuLoader. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/dashboard/add-portfolio.php` | High
2 | File | `/forum/away.php` | High
3 | File | `/jerry-core/ecma/base/ecma-helpers-conversion.c` | High
4 | File | `/login` | Low
5 | File | `/opt/IBM/es/lib/libffq.cryptionjni.so` | High
6 | File | `/sdm-ws-rest/preconfiguration` | High
7 | File | `/settings` | Medium
8 | File | `/uapi/doc` | Medium
9 | File | `/uncpath/` | Medium
10 | File | `/updownload/t.report` | High
11 | ... | ... | ...

There are 87 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://asec.ahnlab.com/en/36042/
* https://asec.ahnlab.com/en/36294/
* https://asec.ahnlab.com/en/36785/
* https://asec.ahnlab.com/en/38942/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -0,0 +1,101 @@
# H0lyGh0st - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [H0lyGh0st](https://vuldb.com/?actor.h0lygh0st). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.h0lygh0st](https://vuldb.com/?actor.h0lygh0st)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with H0lyGh0st:

* [US](https://vuldb.com/?country.us)
* [VN](https://vuldb.com/?country.vn)
* [CN](https://vuldb.com/?country.cn)
* ...

There are 15 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of H0lyGh0st.

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [127.0.0.1](https://vuldb.com/?ip.127.0.0.1) | localhost | - | High
2 | [193.56.29.123](https://vuldb.com/?ip.193.56.29.123) | - | - | High

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _H0lyGh0st_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
2 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
6 | ... | ... | ... | ...

There are 20 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by H0lyGh0st. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/admin.php?page=batch_manager&mode=unit` | High
2 | File | `/administration/settings_registration.php` | High
3 | File | `/appConfig/userDB.json` | High
4 | File | `/bd_genie_create_account.cgi` | High
5 | File | `/c/macho_reader.c` | High
6 | File | `/cgi-bin/luci/api/auth` | High
7 | File | `/cgi-bin/luci/api/diagnose` | High
8 | File | `/claire_blake` | High
9 | File | `/CMD_ACCOUNT_ADMIN` | High
10 | File | `/core/admin/categories.php` | High
11 | File | `/debug/pprof` | Medium
12 | File | `/defaultui/player/modern.html` | High
13 | File | `/etc/config/image_sign` | High
14 | File | `/etc/groups` | Medium
15 | File | `/etc/init0.d/S80telnetd.sh` | High
16 | File | `/etc/shadow.sample` | High
17 | File | `/forum/away.php` | High
18 | File | `/ghost/preview` | High
19 | File | `/goform/aspForm` | High
20 | File | `/goform/SetIpMacBind` | High
21 | File | `/htdocs/utils/Files.php` | High
22 | File | `/jfinal_cms/system/role/list` | High
23 | File | `/librarian/edit_book_details.php` | High
24 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
25 | File | `/master/index.php` | High
26 | File | `/mgmt/tm/util/bash` | High
27 | File | `/mkshop/Men/profile.php` | High
28 | File | `/MTFWU` | Low
29 | File | `/omps/seller` | Medium
30 | File | `/opt/zimbra/jetty/webapps/zimbra/public` | High
31 | File | `/pages/faculty_sched.php` | High
32 | File | `/pages/processlogin.php` | High
33 | File | `/php/passport/index.php` | High
34 | File | `/php_action/createUser.php` | High
35 | ... | ... | ...

There are 299 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://community.blueliv.com/#!/s/62d1143282df41552632f957

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
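Review bot: IOC row 1 of this new file, `1 | [127.0.0.1](https://vuldb.com/?ip.127.0.0.1) | localhost | - | High`, publishes the IPv4 loopback address as a High-confidence indicator of compromise. 127.0.0.1 is not routable and cannot identify any actor infrastructure, so a consumer who imports this table into a blocklist or SIEM watchlist will either block local traffic or match on every host. Suggest dropping the row, or at least lowering its confidence and filtering loopback, link-local and RFC 1918 ranges before IOC tables are generated, so that the remaining rows (here `193.56.29.123`) stay actionable.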

@ -19,7 +19,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [CA](https://vuldb.com/?country.ca)
* ...

There are 15 more country items available. Please use our online service to access the data.
There are 16 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -74,40 +74,39 @@ ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/../conf/config.properties` | High
2 | File | `/auth/session` | High
3 | File | `/concat?/%2557EB-INF/web.xml` | High
4 | File | `/download` | Medium
5 | File | `/files.md5` | Medium
6 | File | `/forum/away.php` | High
7 | File | `/images/` | Medium
8 | File | `/inc/extensions.php` | High
9 | File | `/index.php` | Medium
10 | File | `/lists/index.php` | High
11 | File | `/login` | Low
12 | File | `/members/view_member.php` | High
13 | File | `/modules/profile/index.php` | High
14 | File | `/nova/bin/console` | High
15 | File | `/objects/getImageMP4.php` | High
16 | File | `/one_church/userregister.php` | High
17 | File | `/out.php` | Medium
18 | File | `/owa/auth/logon.aspx` | High
19 | File | `/public/plugins/` | High
20 | File | `/replication` | Medium
21 | File | `/req_password_user.php` | High
22 | File | `/SAP_Information_System/controllers/add_admin.php` | High
23 | File | `/SASWebReportStudio/logonAndRender.do` | High
24 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
25 | File | `/secure/admin/ViewInstrumentation.jspa` | High
26 | File | `/secure/QueryComponent!Default.jspa` | High
27 | File | `/SSOPOST/metaAlias/%realm%/idpv2` | High
28 | File | `/trx_addons/v2/get/sc_layout` | High
29 | File | `/uncpath/` | Medium
30 | File | `/usr/syno/etc/mount.conf` | High
31 | File | `/v2/quantum/save-data-upload-big-file` | High
32 | File | `/WEB-INF/web.xml` | High
33 | File | `/web/entry/en/address/adrsSetUserWizard.cgi` | High
34 | ... | ... | ...
3 | File | `/card_scan.php` | High
4 | File | `/concat?/%2557EB-INF/web.xml` | High
5 | File | `/cwc/login` | Medium
6 | File | `/download` | Medium
7 | File | `/files.md5` | Medium
8 | File | `/forum/away.php` | High
9 | File | `/images/` | Medium
10 | File | `/inc/extensions.php` | High
11 | File | `/index.php` | Medium
12 | File | `/lists/index.php` | High
13 | File | `/login` | Low
14 | File | `/members/view_member.php` | High
15 | File | `/modules/profile/index.php` | High
16 | File | `/nova/bin/console` | High
17 | File | `/objects/getImageMP4.php` | High
18 | File | `/one_church/userregister.php` | High
19 | File | `/out.php` | Medium
20 | File | `/owa/auth/logon.aspx` | High
21 | File | `/public/plugins/` | High
22 | File | `/replication` | Medium
23 | File | `/req_password_user.php` | High
24 | File | `/SAP_Information_System/controllers/add_admin.php` | High
25 | File | `/SASWebReportStudio/logonAndRender.do` | High
26 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
27 | File | `/secure/admin/ViewInstrumentation.jspa` | High
28 | File | `/secure/QueryComponent!Default.jspa` | High
29 | File | `/SSOPOST/metaAlias/%realm%/idpv2` | High
30 | File | `/trx_addons/v2/get/sc_layout` | High
31 | File | `/uncpath/` | Medium
32 | File | `/usr/syno/etc/mount.conf` | High
33 | ... | ... | ...

There are 289 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 286 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -0,0 +1,30 @@
# Hezb - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Hezb](https://vuldb.com/?actor.hezb). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.hezb](https://vuldb.com/?actor.hezb)

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Hezb.

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [202.28.229.174](https://vuldb.com/?ip.202.28.229.174) | - | - | High

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://asec.ahnlab.com/en/36820/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -0,0 +1,68 @@
# IRGC - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [IRGC](https://vuldb.com/?actor.irgc). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.irgc](https://vuldb.com/?actor.irgc)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with IRGC:

* [DE](https://vuldb.com/?country.de)
* [US](https://vuldb.com/?country.us)

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of IRGC.

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [54.39.78.148](https://vuldb.com/?ip.54.39.78.148) | ip148.ip-54-39-78.net | - | High
2 | [95.217.193.86](https://vuldb.com/?ip.95.217.193.86) | static.86.193.217.95.clients.your-server.de | - | High
3 | [104.168.117.149](https://vuldb.com/?ip.104.168.117.149) | 104-168-117-149-host.colocrossing.com | - | High
4 | ... | ... | ... | ...

There are 7 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _IRGC_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059 | CWE-94 | Cross Site Scripting | High
2 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
3 | T1068 | CWE-269 | Execution with Unnecessary Privileges | High
4 | ... | ... | ... | ...

There are 4 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by IRGC. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/admin/users.php` | High
2 | File | `data/gbconfiguration.dat` | High
3 | File | `gxadmin/index.php` | High
4 | ... | ... | ...

There are 6 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://www.cisa.gov/uscert/ncas/alerts/aa22-257a

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
@ -16,7 +16,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
|
||||
* [AR](https://vuldb.com/?country.ar)
|
||||
* [IT](https://vuldb.com/?country.it)
|
||||
* [ES](https://vuldb.com/?country.es)
|
||||
* [SV](https://vuldb.com/?country.sv)
|
||||
* ...
|
||||
|
||||
There are 6 more country items available. Please use our online service to access the data.
|
||||
|
@ -44,9 +44,10 @@ ID | Technique | Weakness | Description | Confidence
|
|||
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
|
||||
3 | T1055 | CWE-74 | Injection | High
|
||||
4 | T1059 | CWE-94 | Cross Site Scripting | High
|
||||
5 | ... | ... | ... | ...
|
||||
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
6 | ... | ... | ... | ...
|
||||
|
||||
There are 18 more TTP items available. Please use our online service to access the data.
|
||||
There are 20 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -54,59 +55,54 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/admin/comment/list` | High
|
||||
2 | File | `/admin/header.inc.php` | High
|
||||
3 | File | `/admin/index.PHP` | High
|
||||
4 | File | `/admin/login.php` | High
|
||||
5 | File | `/admin/plugins/NP_Referrer.php` | High
|
||||
6 | File | `/admin/products/controller.php?action=add` | High
|
||||
7 | File | `/admin/profile.php` | High
|
||||
8 | File | `/admin/sendmailto.php?tomail=&groupid=` | High
|
||||
9 | File | `/admin/site/list` | High
|
||||
10 | File | `/AJAX/ajaxget` | High
|
||||
11 | File | `/api/` | Low
|
||||
12 | File | `/api/v2/labels/` | High
|
||||
13 | File | `/asan/asan_interceptors_memintrinsics.cpp` | High
|
||||
14 | File | `/bin/posix/src/ports/POSIX/OpENer` | High
|
||||
15 | File | `/cgi-bin/ExportSettings.sh` | High
|
||||
16 | File | `/cgi-bin/R14.2/cgi-bin/R14.2/host.pl` | High
|
||||
17 | File | `/claire_blake` | High
|
||||
18 | File | `/common/bbox.cpp` | High
|
||||
19 | File | `/dotrace.asp` | Medium
|
||||
20 | File | `/etc/origin/master/master-config.yaml` | High
|
||||
21 | File | `/etc/shadow.sample` | High
|
||||
22 | File | `/footer.inc.php` | High
|
||||
23 | File | `/gasmark/assets/myimages/oneWord.php` | High
|
||||
24 | File | `/goform/formWifiBasicSet` | High
|
||||
25 | File | `/goform/NatStaticSetting` | High
|
||||
26 | File | `/goform/saveParentControlInfo` | High
|
||||
27 | File | `/home/www/cgi-bin/login.cgi` | High
|
||||
28 | File | `/htdocs/utils/Files.php` | High
|
||||
29 | File | `/include/notify.inc.php` | High
|
||||
30 | File | `/master/index.php` | High
|
||||
31 | File | `/mdiy/model/delete` | High
|
||||
32 | File | `/modules/tasks/gantt.php` | High
|
||||
33 | File | `/net-banking/customer_transactions.php` | High
|
||||
34 | File | `/net/nfc/netlink.c` | High
|
||||
35 | File | `/pages/permit/permit.php` | High
|
||||
36 | File | `/patient/settings.php` | High
|
||||
37 | File | `/ptipupgrade.cgi` | High
|
||||
38 | File | `/release-x64/otfccdump` | High
|
||||
39 | File | `/release-x64/otfccdump+0x6e7e3d` | High
|
||||
40 | File | `/release-x64/otfccdump+0x6e20a0` | High
|
||||
41 | File | `/staff/lab.php` | High
|
||||
42 | File | `/student/dele.php` | High
|
||||
43 | File | `/superguestconfig` | High
|
||||
44 | File | `/SVFE2/pages/audit/voiceaudit.jsf` | High
|
||||
45 | File | `/tmp` | Low
|
||||
46 | File | `/upload/admin.php?/deal/` | High
|
||||
47 | File | `/var/log/qualys/qualys-cloud-agent-scan.log` | High
|
||||
48 | File | `/WebInterface/UserManager/` | High
|
||||
49 | File | `/www/cgi-bin/popen.cgi` | High
|
||||
50 | File | `/xpdf/AcroForm.cc` | High
|
||||
51 | ... | ... | ...
|
||||
1 | File | `/admin/changestock.php` | High
|
||||
2 | File | `/admin/client_edit.php` | High
|
||||
3 | File | `/admin/comment/list` | High
|
||||
4 | File | `/admin/header.inc.php` | High
|
||||
5 | File | `/admin/index.PHP` | High
|
||||
6 | File | `/admin/login.php` | High
|
||||
7 | File | `/admin/modify.php` | High
|
||||
8 | File | `/admin/plugins/NP_Referrer.php` | High
|
||||
9 | File | `/admin/products/controller.php?action=add` | High
|
||||
10 | File | `/admin/profile.php` | High
|
||||
11 | File | `/admin/search.php` | High
|
||||
12 | File | `/admin/select.php` | High
|
||||
13 | File | `/admin/sendmailto.php?tomail=&groupid=` | High
|
||||
14 | File | `/admin/site/list` | High
|
||||
15 | File | `/api/` | Low
|
||||
16 | File | `/api/v2/labels/` | High
|
||||
17 | File | `/asan/asan_interceptors_memintrinsics.cpp` | High
|
||||
18 | File | `/cgi-bin/ExportSettings.sh` | High
|
||||
19 | File | `/cgi-bin/R14.2/cgi-bin/R14.2/host.pl` | High
|
||||
20 | File | `/claire_blake` | High
|
||||
21 | File | `/classes/Master.php?f=delete_student` | High
|
||||
22 | File | `/common/bbox.cpp` | High
|
||||
23 | File | `/etc/origin/master/master-config.yaml` | High
|
||||
24 | File | `/etc/shadow.sample` | High
|
||||
25 | File | `/footer.inc.php` | High
|
||||
26 | File | `/framework/core/models/expConfig.php` | High
|
||||
27 | File | `/framework/modules/core/controllers/expHTMLEditorController.php` | High
|
||||
28 | File | `/fw.login.php` | High
|
||||
29 | File | `/gasmark/assets/myimages/oneWord.php` | High
30 | File | `/goform/formWifiBasicSet` | High
31 | File | `/goform/NatStaticSetting` | High
32 | File | `/goform/saveParentControlInfo` | High
33 | File | `/home/www/cgi-bin/login.cgi` | High
34 | File | `/htdocs/utils/Files.php` | High
35 | File | `/include/notify.inc.php` | High
36 | File | `/ip/admin/` | Medium
37 | File | `/issue` | Low
38 | File | `/leave_system/classes/Master.php?f=delete_application` | High
39 | File | `/master/index.php` | High
40 | File | `/mdiy/model/delete` | High
41 | File | `/net-banking/customer_transactions.php` | High
42 | File | `/net/nfc/netlink.c` | High
43 | File | `/pages/permit/permit.php` | High
44 | File | `/patient/settings.php` | High
45 | File | `/ptipupgrade.cgi` | High
46 | ... | ... | ...
There are 445 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 398 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
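Review bot: the IOA listing is replaced wholesale rather than extended, and the trailing count falls from 445 to 398 remaining items while the visible rows shrink from 50 to 45, so roughly fifty indicators leave the feed in this hunk; that removal deserves a sentence in the commit message saying whether the old paths were retired or re-classified. The Low-confidence generic entries that remain, such as `/api/` (row 15) and `/issue` (row 37), will match almost any web application, so consumers matching this list literally should treat them as non-specific.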
@ -9,11 +9,11 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Indexsinas:
* [VN](https://vuldb.com/?country.vn)
* [HK](https://vuldb.com/?country.hk)
* [US](https://vuldb.com/?country.us)
* [NZ](https://vuldb.com/?country.nz)
* ...
There are 2 more country items available. Please use our online service to access the data.
There are 3 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -287,13 +287,13 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-36 | Pathname Traversal | High
2 | T1040 | CWE-294, CWE-319 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-88, CWE-94, CWE-1321 | Cross Site Scripting | High
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-25 | Pathname Traversal | High
2 | T1055 | CWE-74 | Injection | High
3 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
4 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
5 | ... | ... | ... | ...
There are 17 more TTP items available. Please use our online service to access the data.
There are 15 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
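Review bot: row 3 (T1059 with CWE-88, CWE-94) keeps the description `Cross Site Scripting`, identical to row 4 (T1059.007 with CWE-79, CWE-80), even though its weakness set is different; check whether the description on row 3 was carried over by mistake. The replaced row 2 (T1040, CWE-294/CWE-319, Authentication Bypass by Capture-replay) also drops out of the visible list and the remaining count goes from 17 to 15, so two techniques leave this mapping; confirm that is intended.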
@ -301,33 +301,29 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/admin/addemployee.php` | High
2 | File | `/admin_book.php` | High
3 | File | `/api/` | Low
4 | File | `/bd_genie_create_account.cgi` | High
5 | File | `/bibliography/marcsru.php` | High
6 | File | `/c/macho_reader.c` | High
1 | File | `/Admin/add-student.php` | High
2 | File | `/admin/conferences/list/` | High
3 | File | `/Admin/login.php` | High
4 | File | `/administration/settings_registration.php` | High
5 | File | `/authUserAction!edit.action` | High
6 | File | `/baseOpLog.do` | High
7 | File | `/carbon/mediation_secure_vault/properties/ajaxprocessor.jsp` | High
8 | File | `/card/in-card.php` | High
9 | File | `/cgi-bin/kerbynet` | High
10 | File | `/cgi-bin/koha/members/paycollect.pl` | High
11 | File | `/cgi-bin/touchlist_sync.cgi` | High
12 | File | `/cgi-bin/wlogin.cgi` | High
13 | File | `/defaultui/player/modern.html` | High
14 | File | `/EXCU_SHELL` | Medium
15 | File | `/filemanager/ajax_calls.php` | High
16 | File | `/forum/away.php` | High
17 | File | `/goform/addRouting` | High
18 | File | `/goform/Diagnosis` | High
19 | File | `/goform/form2userconfig.cgi` | High
20 | File | `/goform/NTPSyncWithHost` | High
21 | File | `/goform/SetIpMacBind` | High
22 | File | `/goform/SetLEDCfg` | High
23 | File | `/goform/setMAC` | High
24 | File | `/goform/setMacFilterCfg` | High
25 | ... | ... | ...
8 | File | `/cgi-bin/qcmap_auth` | High
9 | File | `/diagnostic/edittest.php` | High
10 | File | `/editbrand.php` | High
11 | File | `/forum/away.php` | High
12 | File | `/framework/mod/db/DBMapper.xml` | High
13 | File | `/getcfg.php` | Medium
14 | File | `/leave_system/classes/Master.php?f=delete_application` | High
15 | File | `/leave_system/classes/Users.php?f=save` | High
16 | File | `/opt/onedev/sites/` | High
17 | File | `/opt/zimbra/jetty/webapps/zimbra/public` | High
18 | File | `/out.php` | Medium
19 | File | `/patient/booking.php` | High
20 | File | `/pet_shop/admin/?page=inventory/manage_inventory` | High
21 | ... | ... | ...
There are 211 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 171 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
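Review bot: the remaining-item count drops from 211 to 171 while the visible rows grow from 20 to 24, a net loss of more than thirty indicators, and the hunk rewrites the whole list instead of appending, so entries that merely moved (for example `/forum/away.php`, old row 11 and new row 16) are indistinguishable from real additions; a commit message line stating which indicators were retired and why would make this reviewable.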
@ -37,7 +37,7 @@ ID | IP address | Hostname | Campaign | Confidence
7 | [27.102.114.79](https://vuldb.com/?ip.27.102.114.79) | - | - | High
8 | ... | ... | ... | ...
There are 29 more IOC items available. Please use our online service to access the data.
There are 30 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -51,7 +51,7 @@ ID | Technique | Weakness | Description | Confidence
4 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
5 | ... | ... | ... | ...
There are 16 more TTP items available. Please use our online service to access the data.
There are 17 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -79,13 +79,14 @@ ID | Type | Indicator | Confidence
18 | File | `/rest/jpo/1.0/hierarchyConfiguration` | High
19 | File | `/SASWebReportStudio/logonAndRender.do` | High
20 | File | `/scas/admin/` | Medium
21 | File | `/tlogin.cgi` | Medium
22 | File | `/tmp/scfgdndf` | High
23 | File | `/uncpath/` | Medium
24 | File | `/upload` | Low
25 | ... | ... | ...
21 | File | `/static/ueditor/php/controller.php` | High
22 | File | `/tlogin.cgi` | Medium
23 | File | `/tmp/scfgdndf` | High
24 | File | `/uncpath/` | Medium
25 | File | `/upload` | Low
26 | ... | ... | ...
There are 212 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 215 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
@ -93,6 +94,7 @@ The following list contains _external sources_ which discuss the actor and the a
* https://asec.ahnlab.com/en/30532/
* https://blog.alyac.co.kr/2234
* https://blog.alyac.co.kr/4892
* https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/
* https://community.blueliv.com/#!/s/5fa1234a82df413ea9349a07
* https://twitter.com/shadowchasing1/status/1500778382966939653
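Review bot: the added reference is a Twitter status URL, an ephemeral source that disappears if the post or account is removed; consider pairing it with an archived copy or with the underlying report it points to so the citation stays resolvable.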
@ -15,7 +15,7 @@ The following _campaigns_ are known and can be associated with Lazarus:
* Hoplight
* ...
There are 9 more campaign items available. Please use our online service to access the data.
There are 10 more campaign items available. Please use our online service to access the data.
## Countries
@ -26,7 +26,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [US](https://vuldb.com/?country.us)
* ...
There are 7 more country items available. Please use our online service to access the data.
There are 8 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -133,130 +133,131 @@ ID | IP address | Hostname | Campaign | Confidence
97 | [27.114.187.37](https://vuldb.com/?ip.27.114.187.37) | - | Volgmer | High
98 | [27.123.221.66](https://vuldb.com/?ip.27.123.221.66) | 66-221.fiber.net.id | Fallchill | High
99 | [27.125.35.229](https://vuldb.com/?ip.27.125.35.229) | - | Hidden Cobra | High
100 | [31.47.47.130](https://vuldb.com/?ip.31.47.47.130) | - | Hidden Cobra | High
101 | [31.54.73.156](https://vuldb.com/?ip.31.54.73.156) | host31-54-73-156.range31-54.btcentralplus.com | Hidden Cobra | High
102 | [31.54.74.176](https://vuldb.com/?ip.31.54.74.176) | host31-54-74-176.range31-54.btcentralplus.com | Hidden Cobra | High
103 | [31.146.82.22](https://vuldb.com/?ip.31.146.82.22) | 31-146-82-22.dsl.utg.ge | Volgmer | High
104 | [31.146.136.6](https://vuldb.com/?ip.31.146.136.6) | 31-146-136-6.dsl.utg.ge | Hidden Cobra | High
105 | [31.168.203.44](https://vuldb.com/?ip.31.168.203.44) | bzq-203-168-31-44.red.bezeqint.net | Hidden Cobra | High
106 | [36.71.90.4](https://vuldb.com/?ip.36.71.90.4) | - | Fallchill | High
107 | [37.34.240.177](https://vuldb.com/?ip.37.34.240.177) | - | Hidden Cobra | High
108 | [37.48.106.69](https://vuldb.com/?ip.37.48.106.69) | high-convey.blockother.com | Hidden Cobra | High
109 | [37.71.50.2](https://vuldb.com/?ip.37.71.50.2) | 2.50.71.37.rev.sfr.net | Hidden Cobra | High
110 | [37.72.168.228](https://vuldb.com/?ip.37.72.168.228) | 228.168.72.37.static.swiftway.net | - | High
111 | [37.72.175.135](https://vuldb.com/?ip.37.72.175.135) | 37-72-175-135.static.hvvc.us | - | High
112 | [37.72.175.179](https://vuldb.com/?ip.37.72.175.179) | 37-72-175-179.static.hvvc.us | - | High
113 | [37.72.175.196](https://vuldb.com/?ip.37.72.175.196) | 37-72-175-196.static.hvvc.us | - | High
114 | [37.75.0.98](https://vuldb.com/?ip.37.75.0.98) | - | Hidden Cobra | High
115 | [37.75.2.203](https://vuldb.com/?ip.37.75.2.203) | - | Hidden Cobra | High
116 | [37.75.10.194](https://vuldb.com/?ip.37.75.10.194) | mail.kplus.com.tr | Hidden Cobra | High
117 | [37.75.11.162](https://vuldb.com/?ip.37.75.11.162) | 37-75-11-162.rdns.saglayici.net | Hidden Cobra | High
118 | [37.98.114.90](https://vuldb.com/?ip.37.98.114.90) | 90.mobinnet.net | Volgmer | High
119 | [37.104.24.220](https://vuldb.com/?ip.37.104.24.220) | - | Hidden Cobra | High
120 | [37.104.50.144](https://vuldb.com/?ip.37.104.50.144) | - | Hidden Cobra | High
121 | [37.104.67.33](https://vuldb.com/?ip.37.104.67.33) | - | Hidden Cobra | High
122 | [37.105.234.200](https://vuldb.com/?ip.37.105.234.200) | - | Hidden Cobra | High
123 | [37.106.115.3](https://vuldb.com/?ip.37.106.115.3) | - | Hidden Cobra | High
124 | [37.143.29.10](https://vuldb.com/?ip.37.143.29.10) | - | Hidden Cobra | High
125 | [37.148.209.156](https://vuldb.com/?ip.37.148.209.156) | 37-148-209-156.cizgi.net.tr | Hidden Cobra | High
126 | [37.216.67.155](https://vuldb.com/?ip.37.216.67.155) | - | Volgmer | High
127 | [37.216.213.70](https://vuldb.com/?ip.37.216.213.70) | - | Hidden Cobra | High
128 | [37.235.21.166](https://vuldb.com/?ip.37.235.21.166) | - | Volgmer | High
129 | [37.238.135.70](https://vuldb.com/?ip.37.238.135.70) | - | - | High
130 | [38.132.124.161](https://vuldb.com/?ip.38.132.124.161) | - | TraderTraitor | High
131 | [40.121.90.194](https://vuldb.com/?ip.40.121.90.194) | - | - | High
132 | [41.57.108.68](https://vuldb.com/?ip.41.57.108.68) | - | Hidden Cobra | High
133 | [41.67.136.38](https://vuldb.com/?ip.41.67.136.38) | netcomafrica.com | Hidden Cobra | High
134 | [41.67.136.39](https://vuldb.com/?ip.41.67.136.39) | netcomafrica.com | Hidden Cobra | High
135 | [41.72.99.5](https://vuldb.com/?ip.41.72.99.5) | - | Hidden Cobra | High
136 | [41.72.101.138](https://vuldb.com/?ip.41.72.101.138) | - | Hidden Cobra | High
137 | [41.74.166.253](https://vuldb.com/?ip.41.74.166.253) | - | Hidden Cobra | High
138 | [41.92.208.194](https://vuldb.com/?ip.41.92.208.194) | - | Fallchill | High
139 | [41.92.208.196](https://vuldb.com/?ip.41.92.208.196) | - | Fallchill | High
140 | [41.92.208.197](https://vuldb.com/?ip.41.92.208.197) | - | Fallchill | High
141 | [41.110.179.197](https://vuldb.com/?ip.41.110.179.197) | - | Hidden Cobra | High
142 | [41.128.226.60](https://vuldb.com/?ip.41.128.226.60) | - | Hidden Cobra | High
143 | [41.131.49.228](https://vuldb.com/?ip.41.131.49.228) | host-41-131-49-228.static.link.com.eg | Hidden Cobra | High
144 | [41.131.164.156](https://vuldb.com/?ip.41.131.164.156) | - | Hidden Cobra | High
145 | [41.134.208.234](https://vuldb.com/?ip.41.134.208.234) | 41-134-208-234.dsl.mweb.co.za | Hidden Cobra | High
146 | [41.182.252.56](https://vuldb.com/?ip.41.182.252.56) | ADSL-41-182-252-56.ipb.na | Hidden Cobra | High
147 | [41.205.139.34](https://vuldb.com/?ip.41.205.139.34) | ADSL-41-205-139-34.ipb.na | Hidden Cobra | High
148 | [41.208.106.68](https://vuldb.com/?ip.41.208.106.68) | owa.altaqnya.com.ly | Hidden Cobra | High
149 | [41.208.106.70](https://vuldb.com/?ip.41.208.106.70) | dc1.Mail.dsmhlc.ly | Hidden Cobra | High
150 | [41.215.250.40](https://vuldb.com/?ip.41.215.250.40) | - | Hidden Cobra | High
151 | [41.223.30.20](https://vuldb.com/?ip.41.223.30.20) | host30-20.creolink.com | Hidden Cobra | High
152 | [41.224.254.90](https://vuldb.com/?ip.41.224.254.90) | - | Hidden Cobra | High
153 | [43.249.216.6](https://vuldb.com/?ip.43.249.216.6) | - | Volgmer | High
154 | [45.33.2.79](https://vuldb.com/?ip.45.33.2.79) | li956-79.members.linode.com | AppleJeus | High
155 | [45.33.23.183](https://vuldb.com/?ip.45.33.23.183) | li977-183.members.linode.com | AppleJeus | High
156 | [45.56.79.23](https://vuldb.com/?ip.45.56.79.23) | li929-23.members.linode.com | AppleJeus | High
157 | [45.58.112.77](https://vuldb.com/?ip.45.58.112.77) | - | - | High
158 | [45.79.19.196](https://vuldb.com/?ip.45.79.19.196) | li1118-196.members.linode.com | AppleJeus | High
159 | [45.118.34.215](https://vuldb.com/?ip.45.118.34.215) | - | Volgmer | High
160 | [45.120.61.145](https://vuldb.com/?ip.45.120.61.145) | - | Hidden Cobra | High
161 | [45.122.138.130](https://vuldb.com/?ip.45.122.138.130) | - | - | High
162 | [45.124.169.36](https://vuldb.com/?ip.45.124.169.36) | - | Volgmer | High
163 | [45.128.156.27](https://vuldb.com/?ip.45.128.156.27) | smtp.flatmeadow.com | - | High
164 | [45.199.63.220](https://vuldb.com/?ip.45.199.63.220) | - | AppleJeus | High
165 | [46.16.62.238](https://vuldb.com/?ip.46.16.62.238) | fnadh-35.srv.cat | TraderTraitor | High
166 | [46.19.101.186](https://vuldb.com/?ip.46.19.101.186) | ip-46-19-101-186.gnc.net | Hidden Cobra | High
167 | [46.21.147.161](https://vuldb.com/?ip.46.21.147.161) | 46-21-147-161.static.hvvc.us | - | High
168 | [46.21.153.87](https://vuldb.com/?ip.46.21.153.87) | 87.153.21.46.static.swiftway.net | - | High
169 | [46.52.131.102](https://vuldb.com/?ip.46.52.131.102) | - | Hidden Cobra | High
170 | [46.121.242.180](https://vuldb.com/?ip.46.121.242.180) | 46-121-242-180.static.012.net.il | Hidden Cobra | High
171 | [46.174.116.60](https://vuldb.com/?ip.46.174.116.60) | - | Hidden Cobra | High
172 | [46.174.116.87](https://vuldb.com/?ip.46.174.116.87) | - | Hidden Cobra | High
173 | [46.174.116.90](https://vuldb.com/?ip.46.174.116.90) | - | Hidden Cobra | High
174 | [46.174.116.99](https://vuldb.com/?ip.46.174.116.99) | - | Hidden Cobra | High
175 | [46.174.116.221](https://vuldb.com/?ip.46.174.116.221) | - | Hidden Cobra | High
176 | [46.174.116.231](https://vuldb.com/?ip.46.174.116.231) | - | Hidden Cobra | High
177 | [46.174.116.234](https://vuldb.com/?ip.46.174.116.234) | - | Hidden Cobra | High
178 | [46.174.117.15](https://vuldb.com/?ip.46.174.117.15) | - | Hidden Cobra | High
179 | [46.174.117.32](https://vuldb.com/?ip.46.174.117.32) | - | Hidden Cobra | High
180 | [46.174.117.36](https://vuldb.com/?ip.46.174.117.36) | - | Hidden Cobra | High
181 | [46.174.117.42](https://vuldb.com/?ip.46.174.117.42) | - | Hidden Cobra | High
182 | [46.174.117.44](https://vuldb.com/?ip.46.174.117.44) | - | Hidden Cobra | High
183 | [46.174.117.50](https://vuldb.com/?ip.46.174.117.50) | - | Hidden Cobra | High
184 | [46.174.117.61](https://vuldb.com/?ip.46.174.117.61) | - | Hidden Cobra | High
185 | [46.174.117.77](https://vuldb.com/?ip.46.174.117.77) | - | Hidden Cobra | High
186 | [46.174.117.80](https://vuldb.com/?ip.46.174.117.80) | - | Hidden Cobra | High
187 | [46.174.117.97](https://vuldb.com/?ip.46.174.117.97) | - | Hidden Cobra | High
188 | [46.174.117.98](https://vuldb.com/?ip.46.174.117.98) | - | Hidden Cobra | High
189 | [46.174.117.103](https://vuldb.com/?ip.46.174.117.103) | - | Hidden Cobra | High
190 | [46.174.117.116](https://vuldb.com/?ip.46.174.117.116) | - | Hidden Cobra | High
191 | [46.174.117.121](https://vuldb.com/?ip.46.174.117.121) | - | Hidden Cobra | High
192 | [46.174.117.129](https://vuldb.com/?ip.46.174.117.129) | - | Hidden Cobra | High
193 | [46.174.117.134](https://vuldb.com/?ip.46.174.117.134) | - | Hidden Cobra | High
194 | [46.174.117.153](https://vuldb.com/?ip.46.174.117.153) | - | Hidden Cobra | High
195 | [46.174.117.164](https://vuldb.com/?ip.46.174.117.164) | - | Hidden Cobra | High
196 | [46.183.221.109](https://vuldb.com/?ip.46.183.221.109) | ip-221-109.dataclub.info | - | High
197 | [46.218.127.110](https://vuldb.com/?ip.46.218.127.110) | reverse.completel.fr | Hidden Cobra | High
198 | [47.206.4.145](https://vuldb.com/?ip.47.206.4.145) | static-47-206-4-145.srst.fl.frontiernet.net | Hoplight | High
199 | [49.206.1.61](https://vuldb.com/?ip.49.206.1.61) | 49.206.1.61.actcorp.in | Hidden Cobra | High
200 | [49.247.9.177](https://vuldb.com/?ip.49.247.9.177) | - | - | High
201 | [50.62.168.157](https://vuldb.com/?ip.50.62.168.157) | p3nwvpweb145.shr.prod.phx3.secureserver.net | Fallchill | High
202 | [50.87.144.227](https://vuldb.com/?ip.50.87.144.227) | somethingaboutmarketing.com | - | High
203 | [51.38.234.8](https://vuldb.com/?ip.51.38.234.8) | hydra.skok.pl | - | High
204 | [51.235.1.216](https://vuldb.com/?ip.51.235.1.216) | - | Hidden Cobra | High
205 | [51.235.13.162](https://vuldb.com/?ip.51.235.13.162) | - | Hidden Cobra | High
206 | [51.235.17.133](https://vuldb.com/?ip.51.235.17.133) | - | Hidden Cobra | High
207 | [51.235.19.202](https://vuldb.com/?ip.51.235.19.202) | - | Hidden Cobra | High
208 | [51.235.33.226](https://vuldb.com/?ip.51.235.33.226) | - | Hidden Cobra | High
209 | [51.235.49.202](https://vuldb.com/?ip.51.235.49.202) | - | Hidden Cobra | High
210 | [52.79.118.195](https://vuldb.com/?ip.52.79.118.195) | ec2-52-79-118-195.ap-northeast-2.compute.amazonaws.com | Chemical Sector | Medium
211 | [52.202.193.124](https://vuldb.com/?ip.52.202.193.124) | ec2-52-202-193-124.compute-1.amazonaws.com | MagicRAT | Medium
212 | [54.38.11.132](https://vuldb.com/?ip.54.38.11.132) | ip132.ip-54-38-11.eu | - | High
213 | [54.39.204.190](https://vuldb.com/?ip.54.39.204.190) | ip190.ip-54-39-204.net | - | High
214 | [54.64.30.175](https://vuldb.com/?ip.54.64.30.175) | vega.mh-tec.co.jp | - | High
215 | [54.68.42.4](https://vuldb.com/?ip.54.68.42.4) | ec2-54-68-42-4.us-west-2.compute.amazonaws.com | - | Medium
216 | [58.82.155.98](https://vuldb.com/?ip.58.82.155.98) | 98.155.82.58.static-corp.jastel.co.th | Volgmer | High
217 | [58.185.197.210](https://vuldb.com/?ip.58.185.197.210) | - | Volgmer | High
218 | [59.8.194.228](https://vuldb.com/?ip.59.8.194.228) | - | - | High
219 | [59.90.93.97](https://vuldb.com/?ip.59.90.93.97) | static.bb.knl.59.90.93.97.bsnl.in | Typeframe | High
220 | [59.90.93.138](https://vuldb.com/?ip.59.90.93.138) | static.bb.knl.59.90.93.138.bsnl.in | Fallchill | High
221 | ... | ... | ... | ...
100 | [31.11.32.79](https://vuldb.com/?ip.31.11.32.79) | websn1s069.aruba.it | Netherlands and Belgium | High
101 | [31.47.47.130](https://vuldb.com/?ip.31.47.47.130) | - | Hidden Cobra | High
102 | [31.54.73.156](https://vuldb.com/?ip.31.54.73.156) | host31-54-73-156.range31-54.btcentralplus.com | Hidden Cobra | High
103 | [31.54.74.176](https://vuldb.com/?ip.31.54.74.176) | host31-54-74-176.range31-54.btcentralplus.com | Hidden Cobra | High
104 | [31.146.82.22](https://vuldb.com/?ip.31.146.82.22) | 31-146-82-22.dsl.utg.ge | Volgmer | High
105 | [31.146.136.6](https://vuldb.com/?ip.31.146.136.6) | 31-146-136-6.dsl.utg.ge | Hidden Cobra | High
106 | [31.168.203.44](https://vuldb.com/?ip.31.168.203.44) | bzq-203-168-31-44.red.bezeqint.net | Hidden Cobra | High
107 | [36.71.90.4](https://vuldb.com/?ip.36.71.90.4) | - | Fallchill | High
108 | [37.34.240.177](https://vuldb.com/?ip.37.34.240.177) | - | Hidden Cobra | High
109 | [37.48.106.69](https://vuldb.com/?ip.37.48.106.69) | high-convey.blockother.com | Hidden Cobra | High
110 | [37.71.50.2](https://vuldb.com/?ip.37.71.50.2) | 2.50.71.37.rev.sfr.net | Hidden Cobra | High
111 | [37.72.168.228](https://vuldb.com/?ip.37.72.168.228) | 228.168.72.37.static.swiftway.net | - | High
112 | [37.72.175.135](https://vuldb.com/?ip.37.72.175.135) | 37-72-175-135.static.hvvc.us | - | High
113 | [37.72.175.179](https://vuldb.com/?ip.37.72.175.179) | 37-72-175-179.static.hvvc.us | - | High
114 | [37.72.175.196](https://vuldb.com/?ip.37.72.175.196) | 37-72-175-196.static.hvvc.us | - | High
115 | [37.75.0.98](https://vuldb.com/?ip.37.75.0.98) | - | Hidden Cobra | High
116 | [37.75.2.203](https://vuldb.com/?ip.37.75.2.203) | - | Hidden Cobra | High
117 | [37.75.10.194](https://vuldb.com/?ip.37.75.10.194) | mail.kplus.com.tr | Hidden Cobra | High
118 | [37.75.11.162](https://vuldb.com/?ip.37.75.11.162) | 37-75-11-162.rdns.saglayici.net | Hidden Cobra | High
119 | [37.98.114.90](https://vuldb.com/?ip.37.98.114.90) | 90.mobinnet.net | Volgmer | High
120 | [37.104.24.220](https://vuldb.com/?ip.37.104.24.220) | - | Hidden Cobra | High
121 | [37.104.50.144](https://vuldb.com/?ip.37.104.50.144) | - | Hidden Cobra | High
122 | [37.104.67.33](https://vuldb.com/?ip.37.104.67.33) | - | Hidden Cobra | High
123 | [37.105.234.200](https://vuldb.com/?ip.37.105.234.200) | - | Hidden Cobra | High
124 | [37.106.115.3](https://vuldb.com/?ip.37.106.115.3) | - | Hidden Cobra | High
125 | [37.143.29.10](https://vuldb.com/?ip.37.143.29.10) | - | Hidden Cobra | High
126 | [37.148.209.156](https://vuldb.com/?ip.37.148.209.156) | 37-148-209-156.cizgi.net.tr | Hidden Cobra | High
127 | [37.216.67.155](https://vuldb.com/?ip.37.216.67.155) | - | Volgmer | High
128 | [37.216.213.70](https://vuldb.com/?ip.37.216.213.70) | - | Hidden Cobra | High
129 | [37.235.21.166](https://vuldb.com/?ip.37.235.21.166) | - | Volgmer | High
130 | [37.238.135.70](https://vuldb.com/?ip.37.238.135.70) | - | - | High
131 | [38.132.124.161](https://vuldb.com/?ip.38.132.124.161) | - | TraderTraitor | High
132 | [40.121.90.194](https://vuldb.com/?ip.40.121.90.194) | - | - | High
133 | [41.57.108.68](https://vuldb.com/?ip.41.57.108.68) | - | Hidden Cobra | High
134 | [41.67.136.38](https://vuldb.com/?ip.41.67.136.38) | netcomafrica.com | Hidden Cobra | High
135 | [41.67.136.39](https://vuldb.com/?ip.41.67.136.39) | netcomafrica.com | Hidden Cobra | High
136 | [41.72.99.5](https://vuldb.com/?ip.41.72.99.5) | - | Hidden Cobra | High
137 | [41.72.101.138](https://vuldb.com/?ip.41.72.101.138) | - | Hidden Cobra | High
138 | [41.74.166.253](https://vuldb.com/?ip.41.74.166.253) | - | Hidden Cobra | High
139 | [41.92.208.194](https://vuldb.com/?ip.41.92.208.194) | - | Fallchill | High
140 | [41.92.208.196](https://vuldb.com/?ip.41.92.208.196) | - | Fallchill | High
141 | [41.92.208.197](https://vuldb.com/?ip.41.92.208.197) | - | Fallchill | High
142 | [41.110.179.197](https://vuldb.com/?ip.41.110.179.197) | - | Hidden Cobra | High
143 | [41.128.226.60](https://vuldb.com/?ip.41.128.226.60) | - | Hidden Cobra | High
144 | [41.131.49.228](https://vuldb.com/?ip.41.131.49.228) | host-41-131-49-228.static.link.com.eg | Hidden Cobra | High
145 | [41.131.164.156](https://vuldb.com/?ip.41.131.164.156) | - | Hidden Cobra | High
146 | [41.134.208.234](https://vuldb.com/?ip.41.134.208.234) | 41-134-208-234.dsl.mweb.co.za | Hidden Cobra | High
147 | [41.182.252.56](https://vuldb.com/?ip.41.182.252.56) | ADSL-41-182-252-56.ipb.na | Hidden Cobra | High
148 | [41.205.139.34](https://vuldb.com/?ip.41.205.139.34) | ADSL-41-205-139-34.ipb.na | Hidden Cobra | High
149 | [41.208.106.68](https://vuldb.com/?ip.41.208.106.68) | owa.altaqnya.com.ly | Hidden Cobra | High
150 | [41.208.106.70](https://vuldb.com/?ip.41.208.106.70) | dc1.Mail.dsmhlc.ly | Hidden Cobra | High
151 | [41.215.250.40](https://vuldb.com/?ip.41.215.250.40) | - | Hidden Cobra | High
152 | [41.223.30.20](https://vuldb.com/?ip.41.223.30.20) | host30-20.creolink.com | Hidden Cobra | High
153 | [41.224.254.90](https://vuldb.com/?ip.41.224.254.90) | - | Hidden Cobra | High
154 | [43.249.216.6](https://vuldb.com/?ip.43.249.216.6) | - | Volgmer | High
155 | [45.33.2.79](https://vuldb.com/?ip.45.33.2.79) | li956-79.members.linode.com | AppleJeus | High
156 | [45.33.23.183](https://vuldb.com/?ip.45.33.23.183) | li977-183.members.linode.com | AppleJeus | High
157 | [45.56.79.23](https://vuldb.com/?ip.45.56.79.23) | li929-23.members.linode.com | AppleJeus | High
158 | [45.58.112.77](https://vuldb.com/?ip.45.58.112.77) | - | - | High
159 | [45.79.19.196](https://vuldb.com/?ip.45.79.19.196) | li1118-196.members.linode.com | AppleJeus | High
160 | [45.118.34.215](https://vuldb.com/?ip.45.118.34.215) | - | Volgmer | High
161 | [45.120.61.145](https://vuldb.com/?ip.45.120.61.145) | - | Hidden Cobra | High
162 | [45.122.138.130](https://vuldb.com/?ip.45.122.138.130) | - | - | High
163 | [45.124.169.36](https://vuldb.com/?ip.45.124.169.36) | - | Volgmer | High
164 | [45.128.156.27](https://vuldb.com/?ip.45.128.156.27) | smtp.flatmeadow.com | - | High
165 | [45.199.63.220](https://vuldb.com/?ip.45.199.63.220) | - | AppleJeus | High
166 | [46.16.62.238](https://vuldb.com/?ip.46.16.62.238) | fnadh-35.srv.cat | TraderTraitor | High
167 | [46.19.101.186](https://vuldb.com/?ip.46.19.101.186) | ip-46-19-101-186.gnc.net | Hidden Cobra | High
168 | [46.21.147.161](https://vuldb.com/?ip.46.21.147.161) | 46-21-147-161.static.hvvc.us | - | High
169 | [46.21.153.87](https://vuldb.com/?ip.46.21.153.87) | 87.153.21.46.static.swiftway.net | - | High
170 | [46.52.131.102](https://vuldb.com/?ip.46.52.131.102) | - | Hidden Cobra | High
171 | [46.121.242.180](https://vuldb.com/?ip.46.121.242.180) | 46-121-242-180.static.012.net.il | Hidden Cobra | High
172 | [46.174.116.60](https://vuldb.com/?ip.46.174.116.60) | - | Hidden Cobra | High
173 | [46.174.116.87](https://vuldb.com/?ip.46.174.116.87) | - | Hidden Cobra | High
174 | [46.174.116.90](https://vuldb.com/?ip.46.174.116.90) | - | Hidden Cobra | High
175 | [46.174.116.99](https://vuldb.com/?ip.46.174.116.99) | - | Hidden Cobra | High
176 | [46.174.116.221](https://vuldb.com/?ip.46.174.116.221) | - | Hidden Cobra | High
177 | [46.174.116.231](https://vuldb.com/?ip.46.174.116.231) | - | Hidden Cobra | High
178 | [46.174.116.234](https://vuldb.com/?ip.46.174.116.234) | - | Hidden Cobra | High
179 | [46.174.117.15](https://vuldb.com/?ip.46.174.117.15) | - | Hidden Cobra | High
180 | [46.174.117.32](https://vuldb.com/?ip.46.174.117.32) | - | Hidden Cobra | High
181 | [46.174.117.36](https://vuldb.com/?ip.46.174.117.36) | - | Hidden Cobra | High
182 | [46.174.117.42](https://vuldb.com/?ip.46.174.117.42) | - | Hidden Cobra | High
183 | [46.174.117.44](https://vuldb.com/?ip.46.174.117.44) | - | Hidden Cobra | High
184 | [46.174.117.50](https://vuldb.com/?ip.46.174.117.50) | - | Hidden Cobra | High
185 | [46.174.117.61](https://vuldb.com/?ip.46.174.117.61) | - | Hidden Cobra | High
186 | [46.174.117.77](https://vuldb.com/?ip.46.174.117.77) | - | Hidden Cobra | High
187 | [46.174.117.80](https://vuldb.com/?ip.46.174.117.80) | - | Hidden Cobra | High
188 | [46.174.117.97](https://vuldb.com/?ip.46.174.117.97) | - | Hidden Cobra | High
189 | [46.174.117.98](https://vuldb.com/?ip.46.174.117.98) | - | Hidden Cobra | High
190 | [46.174.117.103](https://vuldb.com/?ip.46.174.117.103) | - | Hidden Cobra | High
191 | [46.174.117.116](https://vuldb.com/?ip.46.174.117.116) | - | Hidden Cobra | High
192 | [46.174.117.121](https://vuldb.com/?ip.46.174.117.121) | - | Hidden Cobra | High
193 | [46.174.117.129](https://vuldb.com/?ip.46.174.117.129) | - | Hidden Cobra | High
194 | [46.174.117.134](https://vuldb.com/?ip.46.174.117.134) | - | Hidden Cobra | High
195 | [46.174.117.153](https://vuldb.com/?ip.46.174.117.153) | - | Hidden Cobra | High
196 | [46.174.117.164](https://vuldb.com/?ip.46.174.117.164) | - | Hidden Cobra | High
197 | [46.183.221.109](https://vuldb.com/?ip.46.183.221.109) | ip-221-109.dataclub.info | - | High
198 | [46.218.127.110](https://vuldb.com/?ip.46.218.127.110) | reverse.completel.fr | Hidden Cobra | High
199 | [47.206.4.145](https://vuldb.com/?ip.47.206.4.145) | static-47-206-4-145.srst.fl.frontiernet.net | Hoplight | High
200 | [49.206.1.61](https://vuldb.com/?ip.49.206.1.61) | 49.206.1.61.actcorp.in | Hidden Cobra | High
201 | [49.247.9.177](https://vuldb.com/?ip.49.247.9.177) | - | - | High
202 | [50.62.168.157](https://vuldb.com/?ip.50.62.168.157) | p3nwvpweb145.shr.prod.phx3.secureserver.net | Fallchill | High
203 | [50.87.144.227](https://vuldb.com/?ip.50.87.144.227) | somethingaboutmarketing.com | - | High
204 | [50.192.28.29](https://vuldb.com/?ip.50.192.28.29) | speed-stream.com | Netherlands and Belgium | High
|
||||
205 | [51.38.234.8](https://vuldb.com/?ip.51.38.234.8) | hydra.skok.pl | - | High
|
||||
206 | [51.235.1.216](https://vuldb.com/?ip.51.235.1.216) | - | Hidden Cobra | High
|
||||
207 | [51.235.13.162](https://vuldb.com/?ip.51.235.13.162) | - | Hidden Cobra | High
|
||||
208 | [51.235.17.133](https://vuldb.com/?ip.51.235.17.133) | - | Hidden Cobra | High
|
||||
209 | [51.235.19.202](https://vuldb.com/?ip.51.235.19.202) | - | Hidden Cobra | High
|
||||
210 | [51.235.33.226](https://vuldb.com/?ip.51.235.33.226) | - | Hidden Cobra | High
|
||||
211 | [51.235.49.202](https://vuldb.com/?ip.51.235.49.202) | - | Hidden Cobra | High
|
||||
212 | [52.79.118.195](https://vuldb.com/?ip.52.79.118.195) | ec2-52-79-118-195.ap-northeast-2.compute.amazonaws.com | Chemical Sector | Medium
|
||||
213 | [52.202.193.124](https://vuldb.com/?ip.52.202.193.124) | ec2-52-202-193-124.compute-1.amazonaws.com | MagicRAT | Medium
|
||||
214 | [54.38.11.132](https://vuldb.com/?ip.54.38.11.132) | ip132.ip-54-38-11.eu | - | High
|
||||
215 | [54.39.204.190](https://vuldb.com/?ip.54.39.204.190) | ip190.ip-54-39-204.net | - | High
|
||||
216 | [54.64.30.175](https://vuldb.com/?ip.54.64.30.175) | vega.mh-tec.co.jp | - | High
|
||||
217 | [54.68.42.4](https://vuldb.com/?ip.54.68.42.4) | ec2-54-68-42-4.us-west-2.compute.amazonaws.com | - | Medium
|
||||
218 | [58.82.155.98](https://vuldb.com/?ip.58.82.155.98) | 98.155.82.58.static-corp.jastel.co.th | Volgmer | High
|
||||
219 | [58.185.197.210](https://vuldb.com/?ip.58.185.197.210) | - | Volgmer | High
|
||||
220 | [59.8.194.228](https://vuldb.com/?ip.59.8.194.228) | - | - | High
|
||||
221 | [59.90.93.97](https://vuldb.com/?ip.59.90.93.97) | static.bb.knl.59.90.93.97.bsnl.in | Typeframe | High
|
||||
222 | ... | ... | ... | ...
|
||||
|
||||
There are 880 more IOC items available. Please use our online service to access the data.
|
||||
There are 882 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
@ -264,14 +265,13 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-21, CWE-22, CWE-36 | Pathname Traversal | High
2 | T1040 | CWE-294, CWE-319 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-94, CWE-1321 | Cross Site Scripting | High
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
6 | ... | ... | ... | ...
1 | T1006 | CWE-22, CWE-23, CWE-25 | Pathname Traversal | High
2 | T1055 | CWE-74 | Injection | High
3 | T1059 | CWE-88, CWE-94, CWE-1321 | Cross Site Scripting | High
4 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
5 | ... | ... | ... | ...

There are 18 more TTP items available. Please use our online service to access the data.
There are 16 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

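Review bot: the Description column on the T1059 row (old row 4, new row 3) reads "Cross Site Scripting", but the weaknesses it lists are CWE-88 (argument injection), CWE-94 (code injection) and CWE-1321 (prototype pollution), none of which is an XSS class; the XSS weaknesses CWE-79 and CWE-80 sit on the T1059.007 row below it, which carries the same label. Derive the description from the technique rather than reusing the sub-technique's label, e.g. `3 | T1059 | CWE-88, CWE-94, CWE-1321 | Command and Scripting Interpreter | High`. The T1006 row has the same problem: its ATT&CK name is Direct Volume Access, not Pathname Traversal, so the path-traversal CWEs on that row do not belong to that technique.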
@ -279,30 +279,26 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/admin/addemployee.php` | High
2 | File | `/admin/login.php` | High
3 | File | `/admin/products/controller.php?action=add` | High
4 | File | `/bd_genie_create_account.cgi` | High
5 | File | `/bibliography/marcsru.php` | High
6 | File | `/bin/httpd` | Medium
7 | File | `/c/macho_reader.c` | High
8 | File | `/carbon/mediation_secure_vault/properties/ajaxprocessor.jsp` | High
9 | File | `/card/in-card.php` | High
10 | File | `/categories/view_category.php` | High
11 | File | `/cgi-bin/ExportSettings.sh` | High
12 | File | `/cgi-bin/wapopen` | High
13 | File | `/defaultui/player/modern.html` | High
14 | File | `/etc/ciel.cfg` | High
15 | File | `/etc/srapi/config/system.conf` | High
16 | File | `/goform/addRouting` | High
17 | File | `/goform/Diagnosis` | High
18 | File | `/goform/form2userconfig.cgi` | High
19 | File | `/goform/NTPSyncWithHost` | High
20 | File | `/goform/SetIpMacBind` | High
21 | File | `/goform/setMAC` | High
22 | ... | ... | ...
1 | File | `/Admin/login.php` | High
2 | File | `/admin/update_expense.php` | High
3 | File | `/admin/update_expense_category.php` | High
4 | File | `/api/project` | Medium
5 | File | `/bin/httpd` | Medium
6 | File | `/cgi-bin/wapopen` | High
7 | File | `/etc/fwupd/redfish.conf` | High
8 | File | `/etc/shadow` | Medium
9 | File | `/file/upload/1` | High
10 | File | `/forum/away.php` | High
11 | File | `/getcfg.php` | Medium
12 | File | `/IISADMPWD` | Medium
13 | File | `/issue` | Low
14 | File | `/kfm/index.php` | High
15 | File | `/opt/zimbra/jetty/webapps/zimbra/public` | High
16 | File | `/out.php` | Medium
17 | File | `/plugin` | Low
18 | ... | ... | ...

There are 184 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 148 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -338,6 +334,7 @@ The following list contains _external sources_ which discuss the actor and the a
* https://www.threatminer.org/report.php?q=LAZARUS&WATERING-HOLEATTACKS-BAESystems.pdf&y=2017
* https://www.trendmicro.com/en_us/research/18/k/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america.html
* https://www.trendmicro.com/en_us/research/20/e/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability.html
* https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/
* https://www.zscaler.com/blogs/security-research/naver-ending-game-lazarus-apt

## Literature

@ -52,13 +52,13 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
2 | T1040 | CWE-294, CWE-319 | Authentication Bypass by Capture-replay | High
2 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
4 | T1059 | CWE-88, CWE-94, CWE-1321 | Cross Site Scripting | High
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
6 | ... | ... | ... | ...

There are 21 more TTP items available. Please use our online service to access the data.
There are 20 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

@ -67,44 +67,45 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `.python-version` | High
2 | File | `/admin/inc/include.php` | High
3 | File | `/admin/index.php` | High
4 | File | `/alarm_pi/alarmService.php` | High
5 | File | `/app/controller/Books.php` | High
6 | File | `/appliance/users?action=edit` | High
7 | File | `/bin/login` | Medium
8 | File | `/catcompany.php` | High
9 | File | `/cdsms/classes/Master.php?f=delete_enrollment` | High
10 | File | `/cgi-bin/kerbynet` | High
11 | File | `/cgi-bin/luci/api/wireless` | High
12 | File | `/cgi-bin/wlogin.cgi` | High
13 | File | `/coreframe/app/pay/admin/index.php` | High
14 | File | `/debug/pprof` | Medium
15 | File | `/etc/hosts` | Medium
16 | File | `/etc/shadow` | Medium
17 | File | `/EXCU_SHELL` | Medium
18 | File | `/filemanager/php/connector.php` | High
19 | File | `/forum/away.php` | High
20 | File | `/h/search?action` | High
21 | File | `/home/iojs/build/ws/out/Release/obj.target/deps/openssl/openssl.cnf` | High
22 | File | `/index.php?action=seomatic/file/seo-file-link` | High
23 | File | `/index.php?p=admin/actions/users/send-password-reset-email` | High
24 | File | `/language/lang` | High
25 | File | `/loginsave.php` | High
26 | File | `/loginVaLidation.php` | High
27 | File | `/menu.html` | Medium
28 | File | `/MicroStrategyWS/happyaxis.jsp` | High
29 | File | `/modules/projects/vw_files.php` | High
30 | File | `/owa/auth/logon.aspx` | High
31 | File | `/ows-bin` | Medium
32 | File | `/recreate.php` | High
33 | File | `/rest/collectors/1.0/template/custom` | High
34 | File | `/uncpath/` | Medium
35 | File | `/way4acs/enroll` | High
36 | File | `/wp-content/plugins/updraftplus/admin.php` | High
37 | ... | ... | ...
2 | File | `/admin/conferences/list/` | High
3 | File | `/admin/inc/include.php` | High
4 | File | `/admin/index.php` | High
5 | File | `/admin/index.PHP` | High
6 | File | `/admin/sendmailto.php?tomail=&groupid=` | High
7 | File | `/advanced-tools/nova/bin/netwatch` | High
8 | File | `/alarm_pi/alarmService.php` | High
9 | File | `/app/controller/Books.php` | High
10 | File | `/appliance/users?action=edit` | High
11 | File | `/bin/login` | Medium
12 | File | `/carbon/mediation_secure_vault/properties/ajaxprocessor.jsp` | High
13 | File | `/catcompany.php` | High
14 | File | `/cdsms/classes/Master.php?f=delete_enrollment` | High
15 | File | `/cgi-bin/kerbynet` | High
16 | File | `/cgi-bin/luci/api/wireless` | High
17 | File | `/cgi-bin/qcmap_auth` | High
18 | File | `/cgi-bin/wlogin.cgi` | High
19 | File | `/coreframe/app/pay/admin/index.php` | High
20 | File | `/debug/pprof` | Medium
21 | File | `/editbrand.php` | High
22 | File | `/etc/shadow` | Medium
23 | File | `/EXCU_SHELL` | Medium
24 | File | `/forum/away.php` | High
25 | File | `/h/search?action` | High
26 | File | `/home/iojs/build/ws/out/Release/obj.target/deps/openssl/openssl.cnf` | High
27 | File | `/index.php?action=seomatic/file/seo-file-link` | High
28 | File | `/language/lang` | High
29 | File | `/leave_system/classes/Master.php?f=delete_application` | High
30 | File | `/loginsave.php` | High
31 | File | `/loginVaLidation.php` | High
32 | File | `/MicroStrategyWS/happyaxis.jsp` | High
33 | File | `/modules/projects/vw_files.php` | High
34 | File | `/opt/zimbra/jetty/webapps/zimbra/public` | High
35 | File | `/ows-bin` | Medium
36 | File | `/phpinventory/editcategory.php` | High
37 | File | `/rest/collectors/1.0/template/custom` | High
38 | ... | ... | ...

There are 318 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 328 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

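Review bot: rows 4 and 5 of the new table, `/admin/index.php` and `/admin/index.PHP`, differ only by letter case, so the list now carries the same indicator twice and the "There are 328 more IOA items" total counts it twice. Either normalise case before de-duplicating when the table is generated, or state in the column header that indicator matching is case-sensitive so that consumers know they need to load both spellings.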
@ -8,12 +8,12 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Liberty Front Press:

* [ES](https://vuldb.com/?country.es)
* [CN](https://vuldb.com/?country.cn)
* [US](https://vuldb.com/?country.us)
* [ES](https://vuldb.com/?country.es)
* ...

There are 16 more country items available. Please use our online service to access the data.
There are 18 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -91,7 +91,7 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
2 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
@ -105,40 +105,43 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `//proc/kcore` | Medium
2 | File | `/about.php` | Medium
3 | File | `/admin/` | Low
1 | File | `/about.php` | Medium
2 | File | `/admin/` | Low
3 | File | `/Admin/add-student.php` | High
4 | File | `/admin/photo.php` | High
5 | File | `/ad_js.php` | Medium
6 | File | `/Ap4RtpAtom.cpp` | High
5 | File | `/administration/settings_registration.php` | High
6 | File | `/ad_js.php` | Medium
7 | File | `/app/options.py` | High
8 | File | `/bcms/admin/?page=user/list` | High
9 | File | `/bsms/?page=manage_account` | High
10 | File | `/catcompany.php` | High
11 | File | `/cgi-bin/login.cgi` | High
12 | File | `/ci_hms/massage_room/edit/1` | High
13 | File | `/claire_blake` | High
14 | File | `/dashboard/reports/logs/view` | High
15 | File | `/debian/patches/load_ppp_generic_if_needed` | High
16 | File | `/debug/pprof` | Medium
17 | File | `/etc/config/image_sign` | High
18 | File | `/etc/hosts` | Medium
19 | File | `/forum/away.php` | High
20 | File | `/fuel/index.php/fuel/logs/items` | High
21 | File | `/fuel/sitevariables/delete/4` | High
22 | File | `/ghost/preview` | High
23 | File | `/hprms/admin/doctors/manage_doctor.php` | High
24 | File | `/index.php` | Medium
25 | File | `/index/jobfairol/show/` | High
26 | File | `/librarian/bookdetails.php` | High
27 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
28 | File | `/mgmt/tm/util/bash` | High
29 | File | `/modules/caddyhttp/rewrite/rewrite.go` | High
30 | File | `/owa/auth/logon.aspx` | High
31 | File | `/pages/faculty_sched.php` | High
32 | ... | ... | ...
8 | File | `/appConfig/userDB.json` | High
9 | File | `/bd_genie_create_account.cgi` | High
10 | File | `/c/macho_reader.c` | High
11 | File | `/catcompany.php` | High
12 | File | `/cgi-bin/login.cgi` | High
13 | File | `/cgi-bin/luci/api/wireless` | High
14 | File | `/ci_hms/massage_room/edit/1` | High
15 | File | `/claire_blake` | High
16 | File | `/dashboard/reports/logs/view` | High
17 | File | `/debian/patches/load_ppp_generic_if_needed` | High
18 | File | `/debug/pprof` | Medium
19 | File | `/defaultui/player/modern.html` | High
20 | File | `/ebics-server/ebics.aspx` | High
21 | File | `/etc/hosts` | Medium
22 | File | `/etc/init0.d/S80telnetd.sh` | High
23 | File | `/etc/shadow.sample` | High
24 | File | `/forum/away.php` | High
25 | File | `/ghost/preview` | High
26 | File | `/goform/SetIpMacBind` | High
27 | File | `/goform/setmac` | High
28 | File | `/hprms/admin/doctors/manage_doctor.php` | High
29 | File | `/htdocs/utils/Files.php` | High
30 | File | `/index.php` | Medium
31 | File | `/index/jobfairol/show/` | High
32 | File | `/jfinal_cms/system/role/list` | High
33 | File | `/librarian/bookdetails.php` | High
34 | File | `/librarian/edit_book_details.php` | High
35 | ... | ... | ...

There are 274 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 298 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -10,7 +10,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce

* [CN](https://vuldb.com/?country.cn)
* [US](https://vuldb.com/?country.us)
* [GB](https://vuldb.com/?country.gb)
* [IR](https://vuldb.com/?country.ir)
* ...

There are 2 more country items available. Please use our online service to access the data.

@ -8,12 +8,12 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with LokiBot:

* [ES](https://vuldb.com/?country.es)
* [CN](https://vuldb.com/?country.cn)
* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [ES](https://vuldb.com/?country.es)
* ...

There are 13 more country items available. Please use our online service to access the data.
There are 16 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -22,79 +22,86 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
|
|||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [1.2.4.8](https://vuldb.com/?ip.1.2.4.8) | public1.sdns.cn | - | High
|
||||
2 | [2.57.186.170](https://vuldb.com/?ip.2.57.186.170) | - | - | High
|
||||
3 | [3.64.163.50](https://vuldb.com/?ip.3.64.163.50) | ec2-3-64-163-50.eu-central-1.compute.amazonaws.com | - | Medium
|
||||
4 | [3.130.204.160](https://vuldb.com/?ip.3.130.204.160) | ec2-3-130-204-160.us-east-2.compute.amazonaws.com | - | Medium
|
||||
5 | [3.220.57.224](https://vuldb.com/?ip.3.220.57.224) | ec2-3-220-57-224.compute-1.amazonaws.com | - | Medium
|
||||
6 | [3.232.242.170](https://vuldb.com/?ip.3.232.242.170) | ec2-3-232-242-170.compute-1.amazonaws.com | - | Medium
|
||||
7 | [5.160.218.88](https://vuldb.com/?ip.5.160.218.88) | ircpanel4.novinhost.org | - | High
|
||||
8 | [5.253.62.214](https://vuldb.com/?ip.5.253.62.214) | - | - | High
|
||||
9 | [5.255.255.80](https://vuldb.com/?ip.5.255.255.80) | yandex.ru | - | High
|
||||
10 | [8.208.76.80](https://vuldb.com/?ip.8.208.76.80) | - | - | High
|
||||
11 | [8.249.245.254](https://vuldb.com/?ip.8.249.245.254) | - | - | High
|
||||
12 | [13.107.21.200](https://vuldb.com/?ip.13.107.21.200) | - | - | High
|
||||
13 | [13.250.255.10](https://vuldb.com/?ip.13.250.255.10) | ec2-13-250-255-10.ap-southeast-1.compute.amazonaws.com | - | Medium
|
||||
14 | [15.197.142.173](https://vuldb.com/?ip.15.197.142.173) | a4ec4c6ea1c92e2e6.awsglobalaccelerator.com | - | High
|
||||
15 | [18.116.152.12](https://vuldb.com/?ip.18.116.152.12) | ec2-18-116-152-12.us-east-2.compute.amazonaws.com | - | Medium
|
||||
16 | [18.118.182.0](https://vuldb.com/?ip.18.118.182.0) | ec2-18-118-182-0.us-east-2.compute.amazonaws.com | - | Medium
|
||||
17 | [18.188.18.34](https://vuldb.com/?ip.18.188.18.34) | ec2-18-188-18-34.us-east-2.compute.amazonaws.com | - | Medium
|
||||
18 | [20.42.65.92](https://vuldb.com/?ip.20.42.65.92) | - | - | High
|
||||
19 | [20.72.235.82](https://vuldb.com/?ip.20.72.235.82) | - | - | High
|
||||
20 | [20.112.52.29](https://vuldb.com/?ip.20.112.52.29) | - | - | High
|
||||
21 | [20.189.173.20](https://vuldb.com/?ip.20.189.173.20) | - | - | High
|
||||
22 | [23.20.239.12](https://vuldb.com/?ip.23.20.239.12) | ec2-23-20-239-12.compute-1.amazonaws.com | - | Medium
|
||||
23 | [23.21.126.66](https://vuldb.com/?ip.23.21.126.66) | ec2-23-21-126-66.compute-1.amazonaws.com | - | Medium
|
||||
24 | [23.21.173.155](https://vuldb.com/?ip.23.21.173.155) | ec2-23-21-173-155.compute-1.amazonaws.com | - | Medium
|
||||
25 | [23.21.211.162](https://vuldb.com/?ip.23.21.211.162) | ec2-23-21-211-162.compute-1.amazonaws.com | - | Medium
|
||||
26 | [23.21.252.4](https://vuldb.com/?ip.23.21.252.4) | ec2-23-21-252-4.compute-1.amazonaws.com | - | Medium
|
||||
27 | [23.95.132.48](https://vuldb.com/?ip.23.95.132.48) | 23-95-132-48-host.colocrossing.com | - | High
|
||||
28 | [23.105.131.228](https://vuldb.com/?ip.23.105.131.228) | - | - | High
|
||||
29 | [23.111.168.182](https://vuldb.com/?ip.23.111.168.182) | netbserverdns02.com | - | High
|
||||
30 | [23.205.105.153](https://vuldb.com/?ip.23.205.105.153) | a23-205-105-153.deploy.static.akamaitechnologies.com | - | High
|
||||
31 | [23.205.105.157](https://vuldb.com/?ip.23.205.105.157) | a23-205-105-157.deploy.static.akamaitechnologies.com | - | High
|
||||
32 | [23.222.5.37](https://vuldb.com/?ip.23.222.5.37) | a23-222-5-37.deploy.static.akamaitechnologies.com | - | High
|
||||
33 | [27.121.64.133](https://vuldb.com/?ip.27.121.64.133) | cp133.ezyreg.com | - | High
|
||||
34 | [31.13.65.174](https://vuldb.com/?ip.31.13.65.174) | instagram-p42-shv-01-atl3.fbcdn.net | - | High
|
||||
35 | [31.41.46.120](https://vuldb.com/?ip.31.41.46.120) | maldova873.example.com | - | High
|
||||
36 | [31.220.52.219](https://vuldb.com/?ip.31.220.52.219) | workshop.piguno.com | - | High
|
||||
37 | [34.77.10.20](https://vuldb.com/?ip.34.77.10.20) | 20.10.77.34.bc.googleusercontent.com | - | Medium
|
||||
38 | [34.98.99.30](https://vuldb.com/?ip.34.98.99.30) | 30.99.98.34.bc.googleusercontent.com | - | Medium
|
||||
39 | [34.102.136.180](https://vuldb.com/?ip.34.102.136.180) | 180.136.102.34.bc.googleusercontent.com | - | Medium
|
||||
40 | [34.117.168.233](https://vuldb.com/?ip.34.117.168.233) | 233.168.117.34.bc.googleusercontent.com | - | Medium
|
||||
41 | [34.175.248.207](https://vuldb.com/?ip.34.175.248.207) | 207.248.175.34.bc.googleusercontent.com | - | Medium
|
||||
42 | [34.205.248.193](https://vuldb.com/?ip.34.205.248.193) | ec2-34-205-248-193.compute-1.amazonaws.com | - | Medium
|
||||
43 | [35.186.238.101](https://vuldb.com/?ip.35.186.238.101) | 101.238.186.35.bc.googleusercontent.com | - | Medium
|
||||
44 | [35.238.161.88](https://vuldb.com/?ip.35.238.161.88) | 88.161.238.35.bc.googleusercontent.com | - | Medium
|
||||
45 | [35.247.234.230](https://vuldb.com/?ip.35.247.234.230) | 230.234.247.35.bc.googleusercontent.com | - | Medium
|
||||
46 | [37.0.11.227](https://vuldb.com/?ip.37.0.11.227) | - | - | High
|
||||
47 | [37.49.224.146](https://vuldb.com/?ip.37.49.224.146) | - | - | High
|
||||
48 | [37.49.224.209](https://vuldb.com/?ip.37.49.224.209) | - | - | High
|
||||
49 | [37.49.225.195](https://vuldb.com/?ip.37.49.225.195) | - | - | High
|
||||
50 | [37.49.225.217](https://vuldb.com/?ip.37.49.225.217) | - | - | High
|
||||
51 | [37.120.146.122](https://vuldb.com/?ip.37.120.146.122) | - | - | High
|
||||
52 | [37.120.146.124](https://vuldb.com/?ip.37.120.146.124) | - | - | High
|
||||
53 | [37.235.1.174](https://vuldb.com/?ip.37.235.1.174) | resolver1.freedns.zone.powered.by.virtexxa.com | - | High
|
||||
54 | [37.235.1.177](https://vuldb.com/?ip.37.235.1.177) | resolver2.freedns.zone.powered.by.virtexxa.com | - | High
|
||||
55 | [40.70.224.146](https://vuldb.com/?ip.40.70.224.146) | - | - | High
|
||||
56 | [40.76.4.15](https://vuldb.com/?ip.40.76.4.15) | - | - | High
|
||||
57 | [43.254.17.15](https://vuldb.com/?ip.43.254.17.15) | 43-254-17-15.static.ip.net.tw | - | High
|
||||
58 | [43.255.154.37](https://vuldb.com/?ip.43.255.154.37) | ip-43-255-154-37.ip.secureserver.net | - | High
|
||||
59 | [45.33.83.75](https://vuldb.com/?ip.45.33.83.75) | li1029-75.members.linode.com | - | High
|
||||
60 | [45.43.35.96](https://vuldb.com/?ip.45.43.35.96) | - | - | High
|
||||
61 | [45.67.14.182](https://vuldb.com/?ip.45.67.14.182) | - | - | High
|
||||
62 | [45.80.132.70](https://vuldb.com/?ip.45.80.132.70) | host-45-80-132-70.superhosting.rs | - | High
|
||||
63 | [45.122.138.6](https://vuldb.com/?ip.45.122.138.6) | - | - | High
|
||||
64 | [45.128.184.132](https://vuldb.com/?ip.45.128.184.132) | vds107519.mgn-host.ru | - | High
|
||||
65 | [45.133.1.20](https://vuldb.com/?ip.45.133.1.20) | - | - | High
|
||||
66 | [45.147.229.85](https://vuldb.com/?ip.45.147.229.85) | - | - | High
|
||||
67 | [45.154.253.150](https://vuldb.com/?ip.45.154.253.150) | shared04.cust05.proxy.is | - | High
|
||||
68 | [45.154.253.152](https://vuldb.com/?ip.45.154.253.152) | shared06.cust05.proxy.is | - | High
|
||||
69 | [46.17.98.105](https://vuldb.com/?ip.46.17.98.105) | - | - | High
|
||||
70 | [46.101.46.83](https://vuldb.com/?ip.46.101.46.83) | - | - | High
|
||||
71 | [47.52.60.150](https://vuldb.com/?ip.47.52.60.150) | - | - | High
|
||||
72 | ... | ... | ... | ...
|
||||
2 | [2.57.90.16](https://vuldb.com/?ip.2.57.90.16) | - | - | High
|
||||
3 | [2.57.186.170](https://vuldb.com/?ip.2.57.186.170) | - | - | High
|
||||
4 | [2.58.149.41](https://vuldb.com/?ip.2.58.149.41) | - | - | High
|
||||
5 | [3.64.163.50](https://vuldb.com/?ip.3.64.163.50) | ec2-3-64-163-50.eu-central-1.compute.amazonaws.com | - | Medium
|
||||
6 | [3.130.204.160](https://vuldb.com/?ip.3.130.204.160) | ec2-3-130-204-160.us-east-2.compute.amazonaws.com | - | Medium
|
||||
7 | [3.220.57.224](https://vuldb.com/?ip.3.220.57.224) | ec2-3-220-57-224.compute-1.amazonaws.com | - | Medium
|
||||
8 | [3.232.242.170](https://vuldb.com/?ip.3.232.242.170) | ec2-3-232-242-170.compute-1.amazonaws.com | - | Medium
|
||||
9 | [5.160.218.88](https://vuldb.com/?ip.5.160.218.88) | ircpanel4.novinhost.org | - | High
|
||||
10 | [5.253.62.214](https://vuldb.com/?ip.5.253.62.214) | - | - | High
|
||||
11 | [5.255.255.80](https://vuldb.com/?ip.5.255.255.80) | yandex.ru | - | High
|
||||
12 | [8.208.76.80](https://vuldb.com/?ip.8.208.76.80) | - | - | High
|
||||
13 | [8.249.245.254](https://vuldb.com/?ip.8.249.245.254) | - | - | High
|
||||
14 | [13.107.21.200](https://vuldb.com/?ip.13.107.21.200) | - | - | High
|
||||
15 | [13.250.255.10](https://vuldb.com/?ip.13.250.255.10) | ec2-13-250-255-10.ap-southeast-1.compute.amazonaws.com | - | Medium
|
||||
16 | [15.197.142.173](https://vuldb.com/?ip.15.197.142.173) | a4ec4c6ea1c92e2e6.awsglobalaccelerator.com | - | High
|
||||
17 | [18.116.152.12](https://vuldb.com/?ip.18.116.152.12) | ec2-18-116-152-12.us-east-2.compute.amazonaws.com | - | Medium
|
||||
18 | [18.118.182.0](https://vuldb.com/?ip.18.118.182.0) | ec2-18-118-182-0.us-east-2.compute.amazonaws.com | - | Medium
|
||||
19 | [18.188.18.34](https://vuldb.com/?ip.18.188.18.34) | ec2-18-188-18-34.us-east-2.compute.amazonaws.com | - | Medium
|
||||
20 | [20.42.65.92](https://vuldb.com/?ip.20.42.65.92) | - | - | High
|
||||
21 | [20.72.235.82](https://vuldb.com/?ip.20.72.235.82) | - | - | High
|
||||
22 | [20.112.52.29](https://vuldb.com/?ip.20.112.52.29) | - | - | High
|
||||
23 | [20.189.173.20](https://vuldb.com/?ip.20.189.173.20) | - | - | High
|
||||
24 | [23.20.239.12](https://vuldb.com/?ip.23.20.239.12) | ec2-23-20-239-12.compute-1.amazonaws.com | - | Medium
|
||||
25 | [23.21.126.66](https://vuldb.com/?ip.23.21.126.66) | ec2-23-21-126-66.compute-1.amazonaws.com | - | Medium
|
||||
26 | [23.21.173.155](https://vuldb.com/?ip.23.21.173.155) | ec2-23-21-173-155.compute-1.amazonaws.com | - | Medium
|
||||
27 | [23.21.211.162](https://vuldb.com/?ip.23.21.211.162) | ec2-23-21-211-162.compute-1.amazonaws.com | - | Medium
|
||||
28 | [23.21.252.4](https://vuldb.com/?ip.23.21.252.4) | ec2-23-21-252-4.compute-1.amazonaws.com | - | Medium
|
||||
29 | [23.95.132.48](https://vuldb.com/?ip.23.95.132.48) | 23-95-132-48-host.colocrossing.com | - | High
|
||||
30 | [23.105.131.228](https://vuldb.com/?ip.23.105.131.228) | - | - | High
|
||||
31 | [23.111.168.182](https://vuldb.com/?ip.23.111.168.182) | netbserverdns02.com | - | High
|
||||
32 | [23.205.105.153](https://vuldb.com/?ip.23.205.105.153) | a23-205-105-153.deploy.static.akamaitechnologies.com | - | High
|
||||
33 | [23.205.105.157](https://vuldb.com/?ip.23.205.105.157) | a23-205-105-157.deploy.static.akamaitechnologies.com | - | High
|
||||
34 | [23.222.5.37](https://vuldb.com/?ip.23.222.5.37) | a23-222-5-37.deploy.static.akamaitechnologies.com | - | High
|
||||
35 | [27.121.64.133](https://vuldb.com/?ip.27.121.64.133) | cp133.ezyreg.com | - | High
|
||||
36 | [31.13.65.174](https://vuldb.com/?ip.31.13.65.174) | instagram-p42-shv-01-atl3.fbcdn.net | - | High
|
||||
37 | [31.41.46.120](https://vuldb.com/?ip.31.41.46.120) | maldova873.example.com | - | High
|
||||
38 | [31.220.52.219](https://vuldb.com/?ip.31.220.52.219) | workshop.piguno.com | - | High
|
||||
39 | [34.77.10.20](https://vuldb.com/?ip.34.77.10.20) | 20.10.77.34.bc.googleusercontent.com | - | Medium
|
||||
40 | [34.98.99.30](https://vuldb.com/?ip.34.98.99.30) | 30.99.98.34.bc.googleusercontent.com | - | Medium
|
||||
41 | [34.102.136.180](https://vuldb.com/?ip.34.102.136.180) | 180.136.102.34.bc.googleusercontent.com | - | Medium
|
||||
42 | [34.117.168.233](https://vuldb.com/?ip.34.117.168.233) | 233.168.117.34.bc.googleusercontent.com | - | Medium
|
||||
43 | [34.175.248.207](https://vuldb.com/?ip.34.175.248.207) | 207.248.175.34.bc.googleusercontent.com | - | Medium
44 | [34.205.248.193](https://vuldb.com/?ip.34.205.248.193) | ec2-34-205-248-193.compute-1.amazonaws.com | - | Medium
45 | [35.186.238.101](https://vuldb.com/?ip.35.186.238.101) | 101.238.186.35.bc.googleusercontent.com | - | Medium
46 | [35.238.161.88](https://vuldb.com/?ip.35.238.161.88) | 88.161.238.35.bc.googleusercontent.com | - | Medium
47 | [35.247.234.230](https://vuldb.com/?ip.35.247.234.230) | 230.234.247.35.bc.googleusercontent.com | - | Medium
48 | [37.0.11.227](https://vuldb.com/?ip.37.0.11.227) | - | - | High
49 | [37.49.224.146](https://vuldb.com/?ip.37.49.224.146) | - | - | High
50 | [37.49.224.209](https://vuldb.com/?ip.37.49.224.209) | - | - | High
51 | [37.49.225.195](https://vuldb.com/?ip.37.49.225.195) | - | - | High
52 | [37.49.225.217](https://vuldb.com/?ip.37.49.225.217) | - | - | High
53 | [37.120.146.122](https://vuldb.com/?ip.37.120.146.122) | - | - | High
54 | [37.120.146.124](https://vuldb.com/?ip.37.120.146.124) | - | - | High
55 | [37.235.1.174](https://vuldb.com/?ip.37.235.1.174) | resolver1.freedns.zone.powered.by.virtexxa.com | - | High
56 | [37.235.1.177](https://vuldb.com/?ip.37.235.1.177) | resolver2.freedns.zone.powered.by.virtexxa.com | - | High
57 | [40.70.224.146](https://vuldb.com/?ip.40.70.224.146) | - | - | High
58 | [40.76.4.15](https://vuldb.com/?ip.40.76.4.15) | - | - | High
59 | [43.254.17.15](https://vuldb.com/?ip.43.254.17.15) | 43-254-17-15.static.ip.net.tw | - | High
60 | [43.255.154.37](https://vuldb.com/?ip.43.255.154.37) | ip-43-255-154-37.ip.secureserver.net | - | High
61 | [45.33.83.75](https://vuldb.com/?ip.45.33.83.75) | li1029-75.members.linode.com | - | High
62 | [45.43.35.96](https://vuldb.com/?ip.45.43.35.96) | - | - | High
63 | [45.67.14.182](https://vuldb.com/?ip.45.67.14.182) | - | - | High
64 | [45.80.132.70](https://vuldb.com/?ip.45.80.132.70) | host-45-80-132-70.superhosting.rs | - | High
65 | [45.122.138.6](https://vuldb.com/?ip.45.122.138.6) | - | - | High
66 | [45.128.184.132](https://vuldb.com/?ip.45.128.184.132) | vds107519.mgn-host.ru | - | High
67 | [45.133.1.20](https://vuldb.com/?ip.45.133.1.20) | - | - | High
68 | [45.133.1.45](https://vuldb.com/?ip.45.133.1.45) | - | - | High
69 | [45.147.229.85](https://vuldb.com/?ip.45.147.229.85) | - | - | High
70 | [45.154.253.150](https://vuldb.com/?ip.45.154.253.150) | shared04.cust05.proxy.is | - | High
71 | [45.154.253.152](https://vuldb.com/?ip.45.154.253.152) | shared06.cust05.proxy.is | - | High
72 | [46.17.98.105](https://vuldb.com/?ip.46.17.98.105) | - | - | High
73 | [46.101.46.83](https://vuldb.com/?ip.46.101.46.83) | - | - | High
74 | [47.52.60.150](https://vuldb.com/?ip.47.52.60.150) | - | - | High
75 | [47.88.22.122](https://vuldb.com/?ip.47.88.22.122) | server1.sjdjeu.top | - | High
76 | [47.91.169.15](https://vuldb.com/?ip.47.91.169.15) | - | - | High
77 | [47.254.177.155](https://vuldb.com/?ip.47.254.177.155) | - | - | High
78 | [50.16.216.118](https://vuldb.com/?ip.50.16.216.118) | ec2-50-16-216-118.compute-1.amazonaws.com | - | Medium
79 | ... | ... | ... | ...

There are 285 more IOC items available. Please use our online service to access the data.
There are 312 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

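Review bot: several High-confidence rows in this IOC block are shared or public infrastructure rather than hosts an actor controls, so alerting or blocking on them raw will produce false positives: rows 55 and 56 (`37.235.1.174`, `37.235.1.177`) resolve to `resolver1.freedns.zone.powered.by.virtexxa.com` and `resolver2...`, i.e. public DNS resolvers, and rows 70 and 71 resolve to `shared04.cust05.proxy.is` / `shared06.cust05.proxy.is`, a shared proxy pool. The cloud-hosted addresses in rows 43-47 and 78 (googleusercontent.com, amazonaws.com) are already rated Medium; giving resolvers and shared proxies the same rating, or a remark in the Campaign column, would make the table consistent for consumers who key on Confidence.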
@ -103,7 +110,7 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
2 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
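Review bot: the row 2 change swaps CWE-319 for CWE-294, which makes the Weakness column agree with the Description (CWE-294 is Authentication Bypass by Capture-replay; CWE-319 is Cleartext Transmission of Sensitive Information), but the Technique column now agrees with neither: T1040 in ATT&CK is Network Sniffing, and the dropped CWE-319 was the closer fit for that. Either keep both CWEs on the row, as a later hunk in this same commit does for another actor page, or make the Description describe the technique rather than one of its CWEs, so that the three columns stop contradicting each other.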
@ -117,46 +124,55 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `//proc/kcore` | Medium
2 | File | `/ad_js.php` | Medium
3 | File | `/Ap4RtpAtom.cpp` | High
4 | File | `/app/options.py` | High
5 | File | `/bcms/admin/?page=user/list` | High
6 | File | `/bsms/?page=manage_account` | High
7 | File | `/cgi-bin/login.cgi` | High
8 | File | `/ci_hms/massage_room/edit/1` | High
9 | File | `/claire_blake` | High
10 | File | `/dashboard/reports/logs/view` | High
11 | File | `/debian/patches/load_ppp_generic_if_needed` | High
12 | File | `/debug/pprof` | Medium
13 | File | `/etc/config/image_sign` | High
14 | File | `/etc/hosts` | Medium
15 | File | `/etc/init0.d/S80telnetd.sh` | High
16 | File | `/etc/shadow.sample` | High
17 | File | `/fuel/index.php/fuel/logs/items` | High
18 | File | `/fuel/sitevariables/delete/4` | High
19 | File | `/ghost/preview` | High
20 | File | `/hprms/admin/doctors/manage_doctor.php` | High
21 | File | `/htdocs/utils/Files.php` | High
22 | File | `/index/jobfairol/show/` | High
23 | File | `/jfinal_cms/system/role/list` | High
24 | File | `/librarian/bookdetails.php` | High
25 | File | `/librarian/edit_book_details.php` | High
26 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
27 | File | `/master/index.php` | High
28 | File | `/mgmt/tm/util/bash` | High
29 | File | `/mkshop/Men/profile.php` | High
30 | File | `/modules/caddyhttp/rewrite/rewrite.go` | High
31 | File | `/pages/faculty_sched.php` | High
32 | ... | ... | ...
1 | File | `/about.php` | Medium
2 | File | `/Admin/add-student.php` | High
3 | File | `/administration/settings_registration.php` | High
4 | File | `/ad_js.php` | Medium
5 | File | `/app/options.py` | High
6 | File | `/appConfig/userDB.json` | High
7 | File | `/bd_genie_create_account.cgi` | High
8 | File | `/c/macho_reader.c` | High
9 | File | `/cgi-bin/luci/api/wireless` | High
10 | File | `/ci_hms/massage_room/edit/1` | High
11 | File | `/claire_blake` | High
12 | File | `/dashboard/reports/logs/view` | High
13 | File | `/debian/patches/load_ppp_generic_if_needed` | High
14 | File | `/debug/pprof` | Medium
15 | File | `/defaultui/player/modern.html` | High
16 | File | `/etc/hosts` | Medium
17 | File | `/etc/init0.d/S80telnetd.sh` | High
18 | File | `/etc/shadow.sample` | High
19 | File | `/forum/away.php` | High
20 | File | `/ghost/preview` | High
21 | File | `/goform/SetIpMacBind` | High
22 | File | `/goform/setmac` | High
23 | File | `/htdocs/utils/Files.php` | High
24 | File | `/index.asp` | Medium
25 | File | `/jfinal_cms/system/role/list` | High
26 | File | `/librarian/edit_book_details.php` | High
27 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
28 | File | `/manage-apartment.php` | High
29 | File | `/master/index.php` | High
30 | File | `/mkshop/Men/profile.php` | High
31 | File | `/modules/caddyhttp/rewrite/rewrite.go` | High
32 | File | `/opt/zimbra/jetty/webapps/zimbra/public` | High
33 | File | `/pages/apply_vacancy.php` | High
34 | File | `/pages/faculty_sched.php` | High
35 | File | `/pages/processlogin.php` | High
36 | ... | ... | ...

There are 271 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 310 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://1275.ru/ioc/304/gs-029-lokibot-trojan-iocs/
* https://asec.ahnlab.com/en/35424/
* https://asec.ahnlab.com/en/35859/
* https://asec.ahnlab.com/en/36294/
* https://asec.ahnlab.com/en/36785/
* https://asec.ahnlab.com/en/39332/
* https://blog.talosintelligence.com/2019/04/threat-source-april-18-new-attacks.html
* https://blog.talosintelligence.com/2019/05/threat-roundup-0524-0531.html
* https://blog.talosintelligence.com/2019/06/threat-roundup-0531-0607.html

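Review bot: in every visible row of this IOA table the Confidence value tracks the length of the indicator string rather than how specific it is to the actor: entries of twelve characters or fewer (`/about.php`, `/ad_js.php`, `/etc/hosts`, `/index.asp`, `/debug/pprof`) are Medium and everything longer is High. Paths such as `/etc/hosts` or `/index.asp` exist on practically every Linux or web host and will match benign traffic constantly, so a consumer turning these rows into detection rules needs to know that; the page should state how Confidence is derived, or generic entries should be flagged as such. Separately, old row 1 `//proc/kcore` (doubled leading slash) is dropped rather than corrected; if that was a data-entry slip, `/proc/kcore` probably belongs back in the list.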
@ -191,6 +207,8 @@ The following list contains _external sources_ which discuss the actor and the a
* https://blog.talosintelligence.com/2022/05/threat-roundup-0429-0506.html
* https://blog.talosintelligence.com/2022/05/threat-roundup-0506-0513.html
* https://blog.talosintelligence.com/2022/07/threat-roundup-0715-0722.html
* https://blog.talosintelligence.com/2022/09/threat-roundup-0909-0916.html
* https://blog.talosintelligence.com/2022/09/threat-roundup-0916-0923.html
* https://github.com/executemalware/Malware-IOCs/blob/main/2021-10-20%20Lokibot%20IOCs
* https://github.com/executemalware/Malware-IOCs/blob/main/2021-11-17%20Lokibot%20IOCs
* https://github.com/executemalware/Malware-IOCs/blob/main/2022-05-16%20Lokibot%20IOCs

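Review bot: the references added in this hunk are bare URLs with nothing tying them to the IOC or IOA rows they support; the Talos entries are named by a date range (`0909-0916`, `0916-0923`) rather than by this actor, so a reader cannot tell which of the newly added indicators came from which source. Suggest filling the Campaign column of the affected rows or adding a per-reference note with the date the indicators were pulled; the GitHub paths (`2022-05-16%20Lokibot%20IOCs`) already carry such a date and could be used as the campaign label.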
@ -0,0 +1,78 @@
# Lorenz - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Lorenz](https://vuldb.com/?actor.lorenz). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.lorenz](https://vuldb.com/?actor.lorenz)

## Campaigns

The following _campaigns_ are known and can be associated with Lorenz:

* CVE-2022-29499

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Lorenz:

* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [IR](https://vuldb.com/?country.ir)
* ...

There are 1 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Lorenz.

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [64.190.113.100](https://vuldb.com/?ip.64.190.113.100) | - | CVE-2022-29499 | High
2 | [137.184.181.252](https://vuldb.com/?ip.137.184.181.252) | - | CVE-2022-29499 | High
3 | [138.68.19.94](https://vuldb.com/?ip.138.68.19.94) | node.gardenfitfoods.com | CVE-2022-29499 | High
4 | ... | ... | ... | ...

There are 4 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Lorenz_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-22 | Pathname Traversal | High
2 | T1059 | CWE-94 | Cross Site Scripting | High
3 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
4 | ... | ... | ... | ...

There are 7 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Lorenz. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `config.xml` | Medium
2 | File | `contact.php` | Medium
3 | File | `contact_support.php` | High
4 | ... | ... | ...

There are 22 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
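Review bot: the new Lorenz page uses `CVE-2022-29499` both as the sole entry under Campaigns and as the Campaign value of every IOC row; a CVE identifies the vulnerability that was exploited, not the campaign, so filtering by campaign yields no grouping and a consumer searching for the CVE has to know to look in a campaign field. Name the campaign and carry the CVE as its own attribute alongside. Two generated-text points: the count line reads 'There are 1 more country items available', so the template needs a singular form, and the IOA rows `config.xml` and `contact.php` are generic filenames whose Medium rating says nothing about their link to this actor, which is worth stating on the page.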
@ -19,7 +19,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [RU](https://vuldb.com/?country.ru)
* ...

There are 8 more country items available. Please use our online service to access the data.
There are 9 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -111,7 +111,7 @@ ID | Type | Indicator | Confidence
48 | File | `details_view.php` | High
49 | ... | ... | ...

There are 430 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 428 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -41,7 +41,7 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-24 | Pathname Traversal | High
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
2 | T1040 | CWE-294, CWE-319 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
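Review bot: row 2 here keeps CWE-319 and adds CWE-294 (`CWE-294, CWE-319`), whereas the equivalent T1040 row in an earlier TTP hunk of this same commit replaces CWE-319 with CWE-294 outright. If the technique-to-weakness mapping is produced by one rule, the two pages should not diverge; if it is per-actor data, the commit should say why one actor lost CWE-319. Row 1 also lists CWE-21 through CWE-24, four path-traversal entries that sit in one parent/child chain; listing all of them inflates the Weakness column without adding information that CWE-22 alone would not carry.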
@ -62,45 +62,46 @@ ID | Type | Indicator | Confidence
5 | File | `/ajax/networking/get_netcfg.php` | High
6 | File | `/app/options.py` | High
7 | File | `/assets/ctx` | Medium
8 | File | `/ci_spms/admin/category` | High
9 | File | `/ci_spms/admin/search/searching/` | High
10 | File | `/classes/Master.php?f=delete_train` | High
11 | File | `/cms/print.php` | High
12 | File | `/concat?/%2557EB-INF/web.xml` | High
13 | File | `/Content/Template/root/reverse-shell.aspx` | High
14 | File | `/course/api/upload/pic` | High
15 | File | `/dashboard/menu-list.php` | High
16 | File | `/data/remove` | Medium
17 | File | `/etc/passwd` | Medium
18 | File | `/ffos/classes/Master.php?f=save_category` | High
19 | File | `/goforms/rlminfo` | High
20 | File | `/Items/*/RemoteImages/Download` | High
21 | File | `/login` | Low
22 | File | `/navigate/navigate_download.php` | High
23 | File | `/ocwbs/admin/?page=user/manage_user` | High
24 | File | `/ofrs/admin/?page=user/manage_user` | High
25 | File | `/owa/auth/logon.aspx` | High
26 | File | `/password.html` | High
27 | File | `/pms/index.php` | High
28 | File | `/proc/ioports` | High
29 | File | `/property-list/property_view.php` | High
30 | File | `/ptms/classes/Users.php` | High
31 | File | `/rest/api/2/search` | High
32 | File | `/s/` | Low
33 | File | `/scripts/cpan_config` | High
34 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
35 | File | `/services/system/setup.json` | High
36 | File | `/spip.php` | Medium
37 | File | `/uncpath/` | Medium
38 | File | `/vloggers_merch/?p=view_product` | High
39 | File | `/webconsole/APIController` | High
40 | File | `/websocket/exec` | High
41 | File | `/whbs/?page=my_bookings` | High
42 | File | `/wp-admin/admin-ajax.php` | High
43 | File | `/wp-content/plugins/updraftplus/admin.php` | High
44 | ... | ... | ...
8 | File | `/bin/httpd` | Medium
9 | File | `/cgi-bin/wapopen` | High
10 | File | `/ci_spms/admin/category` | High
11 | File | `/ci_spms/admin/search/searching/` | High
12 | File | `/classes/Master.php?f=delete_train` | High
13 | File | `/cms/print.php` | High
14 | File | `/concat?/%2557EB-INF/web.xml` | High
15 | File | `/Content/Template/root/reverse-shell.aspx` | High
16 | File | `/course/api/upload/pic` | High
17 | File | `/dashboard/menu-list.php` | High
18 | File | `/data/remove` | Medium
19 | File | `/ffos/classes/Master.php?f=save_category` | High
20 | File | `/goforms/rlminfo` | High
21 | File | `/Items/*/RemoteImages/Download` | High
22 | File | `/login` | Low
23 | File | `/navigate/navigate_download.php` | High
24 | File | `/ocwbs/admin/?page=user/manage_user` | High
25 | File | `/ofrs/admin/?page=user/manage_user` | High
26 | File | `/owa/auth/logon.aspx` | High
27 | File | `/password.html` | High
28 | File | `/pms/index.php` | High
29 | File | `/proc/ioports` | High
30 | File | `/property-list/property_view.php` | High
31 | File | `/ptms/classes/Users.php` | High
32 | File | `/rest/api/2/search` | High
33 | File | `/s/` | Low
34 | File | `/scripts/cpan_config` | High
35 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
36 | File | `/services/system/setup.json` | High
37 | File | `/spip.php` | Medium
38 | File | `/uncpath/` | Medium
39 | File | `/vloggers_merch/?p=view_product` | High
40 | File | `/webconsole/APIController` | High
41 | File | `/websocket/exec` | High
42 | File | `/whbs/?page=my_bookings` | High
43 | File | `/wp-admin/admin-ajax.php` | High
44 | File | `/wp-content/plugins/updraftplus/admin.php` | High
45 | ... | ... | ...

There are 382 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 387 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

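Review bot: the real change in this hunk is two inserted rows (`/bin/httpd`, `/cgi-bin/wapopen`) and one removed row (`/etc/passwd`, old row 17, absent from the new 8-45 sequence), yet because each row carries a sequential ID the diff presents 37 rows as rewritten and the removal is invisible without counting. Suggest dropping the ID column from the stored Markdown, or numbering at render time, so that reviews and downstream consumers see only genuine additions and removals; the removal of `/etc/passwd` in particular deserves a line in the commit message, since it is the kind of indicator people build file-access detections on.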
@ -9,11 +9,11 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Magecart:

* [RU](https://vuldb.com/?country.ru)
* [CN](https://vuldb.com/?country.cn)
* [PT](https://vuldb.com/?country.pt)
* [DE](https://vuldb.com/?country.de)
* [IT](https://vuldb.com/?country.it)
* ...

There are 12 more country items available. Please use our online service to access the data.
There are 11 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -50,13 +50,14 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
2 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-25 | Pathname Traversal | High
2 | T1040 | CWE-294, CWE-319 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-88, CWE-94, CWE-1321 | Cross Site Scripting | High
5 | ... | ... | ... | ...
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
6 | ... | ... | ... | ...

There are 18 more TTP items available. Please use our online service to access the data.
There are 21 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

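Review bot: row 4 (`T1059 | CWE-88, CWE-94, CWE-1321 | Cross Site Scripting`) pairs a description with three weaknesses that are not XSS: CWE-88 is argument injection, CWE-94 is code injection and CWE-1321 is prototype pollution, while the XSS weaknesses (CWE-79, CWE-80) sit on the newly surfaced row 5 under T1059.007. The Description looks inherited from that sibling row; it should name the technique (T1059 is Command and Scripting Interpreter in ATT&CK) or be derived from the CWEs actually listed, otherwise consumers mapping this page onto their detection coverage will file command-injection findings under XSS.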
@ -65,51 +66,37 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/about.php` | Medium
2 | File | `/admin/changestock.php` | High
3 | File | `/admin/contact/list` | High
4 | File | `/admin/delete.php` | High
2 | File | `/admin/addemployee.php` | High
3 | File | `/admin/admin_pic.php` | High
4 | File | `/admin/contact/list` | High
5 | File | `/admin/edit_visitor.php` | High
6 | File | `/admin/image.php` | High
7 | File | `/admin/modify.php` | High
8 | File | `/admin/settings/fields` | High
9 | File | `/ad_js.php` | Medium
10 | File | `/api/` | Low
11 | File | `/api/plugin/uninstall` | High
12 | File | `/bin/httpd` | Medium
13 | File | `/bin/png2swf` | Medium
14 | File | `/blogengine/api/posts` | High
15 | File | `/brand.php` | Medium
16 | File | `/cgi-bin/luci/api/wireless` | High
17 | File | `/classes/Master.php?f=delete_item` | High
18 | File | `/classes/Master.php?f=delete_stockin` | High
19 | File | `/classes/Master.php?f=delete_student` | High
20 | File | `/conf/users` | Medium
21 | File | `/controller/OnlinePreviewController.java` | High
22 | File | `/coreframe/app/attachment/admin/index.php` | High
23 | File | `/debian/patches/load_ppp_generic_if_needed` | High
24 | File | `/debug/pprof` | Medium
25 | File | `/etc/ciel.cfg` | High
26 | File | `/etc/init0.d/S80telnetd.sh` | High
27 | File | `/etc/shadow.sample` | High
28 | File | `/frm/` | Low
6 | File | `/admin/login.php` | High
7 | File | `/admin/settings/fields` | High
8 | File | `/admin/update_expense_category.php` | High
9 | File | `/api/` | Low
10 | File | `/api/plugin/uninstall` | High
11 | File | `/api/plugin/upload` | High
12 | File | `/auth/callback` | High
13 | File | `/bin/httpd` | Medium
14 | File | `/carbon/mediation_secure_vault/properties/ajaxprocessor.jsp` | High
15 | File | `/category.php` | High
16 | File | `/cgi-bin/cstecgi.cgi` | High
17 | File | `/cgi-bin/DownloadFlash` | High
18 | File | `/cgi-bin/luci/api/wireless` | High
19 | File | `/classes/Master.php?f=delete_stockin` | High
20 | File | `/college_website/index.php?` | High
21 | File | `/connectors/index.php` | High
22 | File | `/controller/OnlinePreviewController.java` | High
23 | File | `/employeeview.php` | High
24 | File | `/etc/shadow.sample` | High
25 | File | `/ffos/classes/Master.php?f=delete_menu` | High
26 | File | `/framework/core/models/expConfig.php` | High
27 | File | `/goform/addRouting` | High
28 | File | `/goform/Diagnosis` | High
29 | File | `/goform/setmac` | High
30 | File | `/goform/WifiMacFilterSet` | High
31 | File | `/home/www/cgi-bin/diagnostics.cgi` | High
32 | File | `/htmldoc/htmldoc/html.cxx` | High
33 | File | `/include/comm_post.inc.php` | High
34 | File | `/index.php` | Medium
35 | File | `/jpeg-quantsmooth/jpegqs` | High
36 | File | `/linux/main.cpp` | High
37 | File | `/manage-apartment.php` | High
38 | File | `/pages/apply_vacancy.php` | High
39 | File | `/pages/class_sched.php` | High
40 | File | `/pages/processlogin.php` | High
41 | File | `/publiccms/admin/ueditor` | High
42 | File | `/release-x64/otfccdump` | High
43 | File | `/release-x64/otfccdump+0x6e420d` | High
44 | ... | ... | ...
30 | ... | ... | ...

There are 379 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 250 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

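Review bot: per the hunk header (`-65,51 +66,37`) this IOA table shrinks from 51 to 37 lines and the hidden-item line drops from 379 to 250, so roughly a third of the Magecart IOA set disappears in a commit whose message is only 'Update'. Anyone who has turned these rows into detection content needs to know whether entries were retracted as false positives or merely re-ranked off the page; a one-line changelog note per actor would cover that. The same applies at smaller scale to the 430 to 428 change in an earlier IOA hunk of this commit, where no visible row changed at all.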
@ -76,30 +76,30 @@ ID | Type | Indicator | Confidence
1 | File | `.htaccess` | Medium
2 | File | `/admin.php` | Medium
3 | File | `/admin/book/create/` | High
4 | File | `/admin/loginc.php` | High
5 | File | `/auditLogAction.do` | High
6 | File | `/cgi-bin/wapopen` | High
7 | File | `/devices/acurite.c` | High
8 | File | `/etc/ajenti/config.yml` | High
9 | File | `/example/editor` | High
10 | File | `/getcfg.php` | Medium
11 | File | `/GetCSSashx/?CP=%2fwebconfig` | High
12 | File | `/goform/login_process` | High
13 | File | `/goform/rlmswitchr_process` | High
14 | File | `/goforms/rlminfo` | High
15 | File | `/newsDia.php` | Medium
16 | File | `/plugin` | Low
17 | File | `/pms/index.php` | High
18 | File | `/rating.php` | Medium
19 | File | `/scas/admin/` | Medium
20 | File | `/scas/classes/Users.php?f=save_user` | High
21 | File | `/services/prefs.php` | High
22 | File | `/src/njs_object.c` | High
23 | File | `/uncpath/` | Medium
24 | File | `/wordpress-gallery-transformation/gallery.php` | High
4 | File | `/Admin/login.php` | High
5 | File | `/admin/loginc.php` | High
6 | File | `/auditLogAction.do` | High
7 | File | `/cgi-bin/wapopen` | High
8 | File | `/devices/acurite.c` | High
9 | File | `/etc/ajenti/config.yml` | High
10 | File | `/example/editor` | High
11 | File | `/getcfg.php` | Medium
12 | File | `/GetCSSashx/?CP=%2fwebconfig` | High
13 | File | `/goform/login_process` | High
14 | File | `/goform/rlmswitchr_process` | High
15 | File | `/goforms/rlminfo` | High
16 | File | `/newsDia.php` | Medium
17 | File | `/plugin` | Low
18 | File | `/pms/index.php` | High
19 | File | `/rating.php` | Medium
20 | File | `/scas/admin/` | Medium
21 | File | `/scas/classes/Users.php?f=save_user` | High
22 | File | `/services/prefs.php` | High
23 | File | `/src/njs_object.c` | High
24 | File | `/uncpath/` | Medium
25 | ... | ... | ...

There are 206 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 208 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

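Review bot: the inserted row 4 `/Admin/login.php` lands ahead of `/admin/loginc.php` only because the sort is case-sensitive, and the page never says whether matching is. On IIS or any case-insensitive web root `/Admin/login.php` and `/admin/login.php` are the same resource, on Linux they are not, so a consumer matching these indicators literally will either miss the lower-case variant or, after normalizing, match a far more common path than the actor used. State the matching semantics on the page, and if request casing is itself the signal, say so on the row.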
@ -0,0 +1,30 @@
# Meterpreter - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Meterpreter](https://vuldb.com/?actor.meterpreter). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.meterpreter](https://vuldb.com/?actor.meterpreter)

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Meterpreter.

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [194.31.98.133](https://vuldb.com/?ip.194.31.98.133) | - | - | High

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://asec.ahnlab.com/en/36159/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
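Review bot: Meterpreter is the Metasploit payload, not a threat actor, so a new actor page named after it conflates tooling with attribution; any intrusion that stages Metasploit would qualify for inclusion. The page also carries a single IOC row with no Campaign, no Countries, TTP or IOA sections, and one reference, so it is unclear what `194.31.98.133` is evidence of beyond a Meterpreter handler being observed there. If a tooling page is intended, label it as such and link it from the actor pages whose activity used it; otherwise fold the address into the page of the actor the referenced report attributes it to.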
@ -8,12 +8,12 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Middle East Unknown:

* [US](https://vuldb.com/?country.us)
* [VN](https://vuldb.com/?country.vn)
* [ES](https://vuldb.com/?country.es)
* [PT](https://vuldb.com/?country.pt)
* [SV](https://vuldb.com/?country.sv)
* ...

There are 14 more country items available. Please use our online service to access the data.
There are 11 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -49,14 +49,14 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-94, CWE-1321 | Cross Site Scripting | High
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
1 | T1006 | CWE-21, CWE-22 | Pathname Traversal | High
2 | T1040 | CWE-294, CWE-319 | Authentication Bypass by Capture-replay | High
3 | T1059 | CWE-94, CWE-1321 | Cross Site Scripting | High
4 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
5 | T1068 | CWE-264, CWE-269, CWE-284 | Execution with Unnecessary Privileges | High
6 | ... | ... | ... | ...

There are 22 more TTP items available. Please use our online service to access the data.
There are 21 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

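Review bot: the new row 5 (`T1068 | CWE-264, CWE-269, CWE-284 | Execution with Unnecessary Privileges`) lists weaknesses that are not the one it describes: Execution with Unnecessary Privileges is CWE-250, which is absent, while CWE-264 is a category (Permissions, Privileges, and Access Controls), CWE-269 is Improper Privilege Management and CWE-284 is Improper Access Control. Either add CWE-250 or change the description to match the listed CWEs; as written the Weakness and Description columns contradict each other. The T1055 row also drops out of the visible list in this hunk while the hidden count only moves from 22 to 21, so one technique left the set altogether, which the commit should mention.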
@ -64,61 +64,39 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/admin/addemployee.php` | High
2 | File | `/admin/add_trainers.php` | High
3 | File | `/admin/header.inc.php` | High
4 | File | `/admin/vca/license/license_tok.cgi` | High
5 | File | `/AJAX/ajaxget` | High
6 | File | `/api/plugin/uninstall` | High
7 | File | `/api/v2/config` | High
8 | File | `/belegungsplan/wochenuebersicht.inc.php` | High
9 | File | `/cgi-bin/touchlist_sync.cgi` | High
10 | File | `/claire_blake` | High
11 | File | `/classes/Users.php?f=save_client` | High
12 | File | `/coreframe/app/attachment/admin/index.php` | High
13 | File | `/debug/pprof` | Medium
14 | File | `/defaultui/player/modern.html` | High
15 | File | `/dishes.php` | Medium
16 | File | `/etc/init0.d/S80telnetd.sh` | High
17 | File | `/etc/quagga` | Medium
18 | File | `/etc/shadow.sample` | High
19 | File | `/fax/fax_send.php` | High
20 | File | `/gfxpoly/stroke.c` | High
21 | File | `/goform/addRouting` | High
22 | File | `/goform/form2Wan.cgi` | High
23 | File | `/htdocs/utils/Files.php` | High
24 | File | `/include/menu_u.inc.php` | High
25 | File | `/includes/db_connect.php` | High
26 | File | `/includes/images.php` | High
27 | File | `/ip/admin/` | Medium
28 | File | `/jfinal_cms/system/role/list` | High
29 | File | `/librarian/edit_book_details.php` | High
30 | File | `/login.php` | Medium
31 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
32 | File | `/master/index.php` | High
33 | File | `/mkshop/Men/profile.php` | High
34 | File | `/oa/setup/checkPool?database` | High
35 | File | `/pages/class_sched.php` | High
36 | File | `/pages/faculty_sched.php` | High
37 | File | `/pages/permit/permit.php` | High
38 | File | `/pages/processlogin.php` | High
39 | File | `/patient/booking.php` | High
40 | File | `/php_action/createUser.php` | High
41 | File | `/pms/update_medicine.php` | High
42 | File | `/pms/update_user.php` | High
43 | File | `/qr/I/` | Low
44 | File | `/release-x64/otfccdump` | High
45 | File | `/servlet/AdapterHTTP` | High
46 | File | `/session/sendmail` | High
47 | File | `/sistema/flash/reboot` | High
48 | File | `/sys/ui/extend/varkind/custom.jsp` | High
49 | File | `/templates/default/html/windows/right.php` | High
50 | File | `/ubus/uci.apply` | High
51 | File | `/web/api/v1/upload/UploadHandler.php` | High
52 | File | `/webmail/server/webmail.php` | High
53 | ... | ... | ...
1 | File | `/admin/?page=reports/waste` | High
2 | File | `/admin/?page=user/manage_user` | High
3 | File | `/admin/addemployee.php` | High
4 | File | `/admin/index.PHP` | High
5 | File | `/admin/video/list` | High
6 | File | `/administration/settings_registration.php` | High
7 | File | `/api/upload-resource` | High
8 | File | `/api/v2/config` | High
9 | File | `/appConfig/userDB.json` | High
10 | File | `/authUserAction!edit.action` | High
11 | File | `/bd_genie_create_account.cgi` | High
12 | File | `/bin/httpd` | Medium
13 | File | `/bits/stl_vector.h` | High
14 | File | `/c/macho_reader.c` | High
15 | File | `/card/in-card.php` | High
16 | File | `/cgi-bin/DownloadFlash` | High
17 | File | `/cgi-bin/R14.2/cgi-bin/R14.2/host.pl` | High
18 | File | `/classes/Master.php?f=delete_category` | High
19 | File | `/classes/Users.php?f=save_client` | High
20 | File | `/coreframe/app/attachment/admin/index.php` | High
21 | File | `/csms/admin/storages/view_storage.php` | High
22 | File | `/defaultui/player/modern.html` | High
23 | File | `/dishes.php` | Medium
24 | File | `/etc/ciel.cfg` | High
25 | File | `/etc/init0.d/S80telnetd.sh` | High
26 | File | `/etc/shadow.sample` | High
27 | File | `/forum/away.php` | High
28 | File | `/garage/editclient.php` | High
29 | File | `/get_missing_events` | High
30 | File | `/goform/addRouting` | High
31 | ... | ... | ...

There are 461 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 263 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -0,0 +1,36 @@
# MikuBot - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [MikuBot](https://vuldb.com/?actor.mikubot). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.mikubot](https://vuldb.com/?actor.mikubot)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with MikuBot:

* [US](https://vuldb.com/?country.us)

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of MikuBot.

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [136.144.41.244](https://vuldb.com/?ip.136.144.41.244) | - | - | High

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://blog.cyble.com/2022/08/11/mikubot-spotted-in-the-wild/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

@ -21,7 +21,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [US](https://vuldb.com/?country.us)
* ...

There are 7 more country items available. Please use our online service to access the data.
There are 5 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -213,14 +213,13 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-36 | Pathname Traversal | High
2 | T1040 | CWE-294, CWE-319 | Authentication Bypass by Capture-replay | High
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-25 | Pathname Traversal | High
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-88, CWE-94, CWE-1321 | Cross Site Scripting | High
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
6 | ... | ... | ... | ...
5 | ... | ... | ... | ...

There are 20 more TTP items available. Please use our online service to access the data.
There are 17 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

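Review bot: the continuation row changes from `6 | ...` to `5 | ...` while rows 3 to 5 (T1055, T1059, T1059.007) are displayed as unchanged context, which would leave the regenerated table with two rows numbered 5. The hunk header shrinks from 14 to 13 lines, so one of those rows (most plausibly `5 | T1059.007 | CWE-79, CWE-80`) was presumably dropped as well and the rendered view simply does not mark it; please confirm that the new table reads rows 1 to 4 followed by `5 | ...` and that the trailer (`17 more TTP items`) matches the number of rows actually removed from view.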
@ -228,36 +227,30 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/about.php` | Medium
2 | File | `/admin/addemployee.php` | High
3 | File | `/admin/article/list_approve` | High
4 | File | `/admin/budget.php` | High
5 | File | `/admin/friendlylink/list` | High
6 | File | `/admin/image/list` | High
7 | File | `/admin/imagealbum/list` | High
8 | File | `/admin/lab.php` | High
9 | File | `/admin/login.php` | High
10 | File | `/admin/video/list` | High
11 | File | `/admin/videoalbum/list` | High
12 | File | `/bd_genie_create_account.cgi` | High
13 | File | `/bibliography/marcsru.php` | High
14 | File | `/bin/httpd` | Medium
15 | File | `/c/macho_reader.c` | High
16 | File | `/carbon/mediation_secure_vault/properties/ajaxprocessor.jsp` | High
17 | File | `/card/in-card.php` | High
18 | File | `/cgi-bin/kerbynet` | High
19 | File | `/cgi-bin/luci/api/wireless` | High
20 | File | `/cgi-bin/wapopen` | High
21 | File | `/cgi-bin/wlogin.cgi` | High
22 | File | `/cwc/login` | Medium
23 | File | `/debug/pprof` | Medium
24 | File | `/EXCU_SHELL` | Medium
25 | File | `/forum/away.php` | High
26 | File | `/garage/editcategory.php` | High
27 | File | `/goform/saveParentControlInfo` | High
28 | ... | ... | ...
1 | File | `/+CSCOE+/logon.html` | High
2 | File | `/Admin/add-student.php` | High
3 | File | `/admin/conferences/list/` | High
4 | File | `/Admin/login.php` | High
5 | File | `/carbon/mediation_secure_vault/properties/ajaxprocessor.jsp` | High
6 | File | `/cgi-bin/qcmap_auth` | High
7 | File | `/cgi-bin/wlogin.cgi` | High
8 | File | `/diagnostic/editcategory.php` | High
9 | File | `/diagnostic/edittest.php` | High
10 | File | `/ebics-server/ebics.aspx` | High
11 | File | `/editbrand.php` | High
12 | File | `/etc/fwupd/redfish.conf` | High
13 | File | `/forum/away.php` | High
14 | File | `/getcfg.php` | Medium
15 | File | `/leave_system/classes/Master.php?f=delete_application` | High
16 | File | `/leave_system/classes/Users.php?f=save` | High
17 | File | `/opt/onedev/sites/` | High
18 | File | `/opt/zimbra/jetty/webapps/zimbra/public` | High
19 | File | `/out.php` | Medium
20 | File | `/pet_shop/admin/?page=inventory/manage_inventory` | High
21 | File | `/pet_shop/admin/?page=maintenance/manage_category` | High
22 | ... | ... | ...

There are 239 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 183 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -49,49 +49,49 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/admin/access` | High
2 | File | `/admin/index.html` | High
3 | File | `/admin/index.php?id=themes&action=edit_template&filename=blog` | High
4 | File | `/admin/posts.php` | High
5 | File | `/ci_ssms/index.php/orders/create` | High
6 | File | `/fw.login.php` | High
7 | File | `/index.php` | Medium
8 | File | `/membres/modif_profil.php` | High
9 | File | `/ordering/admin/category/index.php?view=edit` | High
10 | File | `/pms/index.php` | High
11 | File | `/pms/update_user.php?user_id=1` | High
12 | File | `/SimpleBusTicket/index.php` | High
13 | File | `/tmp` | Low
14 | File | `/uncpath/` | Medium
15 | File | `/updown/upload.cgi` | High
16 | File | `/usr/bin/pkexec` | High
17 | File | `/wp-admin/admin-ajax.php` | High
18 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
19 | File | `addpost_newpoll.php` | High
20 | File | `adm-index.php` | High
21 | File | `Admin.PHP` | Medium
22 | File | `admin.php` | Medium
23 | File | `admin/index.php` | High
24 | File | `admin/ops/reports/ops/forum.php` | High
25 | File | `admincp/attachment.php` | High
26 | File | `adminedit.pl` | Medium
27 | File | `ajax/api/hook/getHookList` | High
28 | File | `archive/index.php` | High
29 | File | `backend/groups/index.php` | High
30 | File | `bbs/member_confirm.php` | High
31 | File | `bottom.php` | Medium
32 | File | `breadcrumbs_create.php` | High
33 | File | `C:\Program Files\FileZilla FTP Client\uninstall.exe` | High
34 | File | `cds-fpdf.php` | Medium
35 | File | `connector.php` | High
36 | File | `controllers/member/Api.php` | High
37 | File | `cp.php` | Low
38 | File | `dashboard_teacher.php` | High
39 | File | `data/gbconfiguration.dat` | High
40 | File | `demo.php` | Medium
41 | File | `dev.c` | Low
2 | File | `/admin/addemployee.php` | High
3 | File | `/admin/index.html` | High
4 | File | `/admin/index.php?id=themes&action=edit_template&filename=blog` | High
5 | File | `/admin/posts.php` | High
6 | File | `/ci_ssms/index.php/orders/create` | High
7 | File | `/fw.login.php` | High
8 | File | `/index.php` | Medium
9 | File | `/membres/modif_profil.php` | High
10 | File | `/ordering/admin/category/index.php?view=edit` | High
11 | File | `/pms/index.php` | High
12 | File | `/pms/update_user.php?user_id=1` | High
13 | File | `/SimpleBusTicket/index.php` | High
14 | File | `/tmp` | Low
15 | File | `/uncpath/` | Medium
16 | File | `/updown/upload.cgi` | High
17 | File | `/usr/bin/pkexec` | High
18 | File | `/wp-admin/admin-ajax.php` | High
19 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
20 | File | `addpost_newpoll.php` | High
21 | File | `adm-index.php` | High
22 | File | `Admin.PHP` | Medium
23 | File | `admin.php` | Medium
24 | File | `admin/index.php` | High
25 | File | `admin/ops/reports/ops/forum.php` | High
26 | File | `admincp/attachment.php` | High
27 | File | `adminedit.pl` | Medium
28 | File | `ajax/api/hook/getHookList` | High
29 | File | `archive/index.php` | High
30 | File | `backend/groups/index.php` | High
31 | File | `bbs/member_confirm.php` | High
32 | File | `bottom.php` | Medium
33 | File | `breadcrumbs_create.php` | High
34 | File | `C:\Program Files\FileZilla FTP Client\uninstall.exe` | High
35 | File | `cds-fpdf.php` | Medium
36 | File | `connector.php` | High
37 | File | `controllers/member/Api.php` | High
38 | File | `cp.php` | Low
39 | File | `dashboard_teacher.php` | High
40 | File | `data/gbconfiguration.dat` | High
41 | File | `demo.php` | Medium
42 | ... | ... | ...

There are 359 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 364 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -64,9 +64,10 @@ ID | Type | Indicator | Confidence
12 | File | `/gasmark/assets/myimages/oneWord.php` | High
13 | File | `/goform/formWifiBasicSet` | High
14 | File | `/home/www/cgi-bin/diagnostics.cgi` | High
15 | ... | ... | ...
15 | File | `/index.php` | Medium
16 | ... | ... | ...

There are 124 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 125 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -92,9 +92,10 @@ ID | Type | Indicator | Confidence
31 | File | `/music/ajax.php` | High
32 | File | `/ofrs/admin/?page=teams/view_team` | High
33 | File | `/ordering/index.php?q=category` | High
34 | ... | ... | ...
34 | File | `/orms/` | Low
35 | ... | ... | ...

There are 294 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 297 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -32,7 +32,8 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1592 | CWE-200 | Configuration | High
1 | T1068 | CWE-284 | Execution with Unnecessary Privileges | High
2 | T1592 | CWE-200 | Configuration | High

## IOA - Indicator of Attack

@ -21,10 +21,10 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce

* [JP](https://vuldb.com/?country.jp)
* [US](https://vuldb.com/?country.us)
* [FR](https://vuldb.com/?country.fr)
* [ES](https://vuldb.com/?country.es)
* ...

There are 17 more country items available. Please use our online service to access the data.
There are 15 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -59,11 +59,12 @@ ID | Technique | Weakness | Description | Confidence
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-24 | Pathname Traversal | High
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
4 | T1059 | CWE-94, CWE-1321 | Cross Site Scripting | High
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
6 | ... | ... | ... | ...
6 | T1068 | CWE-264, CWE-266, CWE-269, CWE-284 | Execution with Unnecessary Privileges | High
7 | ... | ... | ... | ...

There are 20 more TTP items available. Please use our online service to access the data.
There are 23 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

@ -71,47 +72,45 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/addQuestion.php` | High
1 | File | `%PROGRAMDATA%\CheckPoint\ZoneAlarm\Data\Updates` | High
2 | File | `/admin/add_exercises.php` | High
3 | File | `/admin/add_trainers.php` | High
4 | File | `/admin/edit.php` | High
5 | File | `/admin/lab.php` | High
5 | File | `/admin/settings/fields` | High
6 | File | `/admin/students/view_student.php` | High
7 | File | `/api/` | Low
7 | File | `/api/v1/chat.getThreadsList` | High
8 | File | `/api/v1/user` | Medium
9 | File | `/bd_genie_create_account.cgi` | High
10 | File | `/bin/boa` | Medium
11 | File | `/carbon/mediation_secure_vault/properties/ajaxprocessor.jsp` | High
12 | File | `/carbon/ndatasource/validateconnection/ajaxprocessor.jsp` | High
13 | File | `/cgi-bin/DownloadFlash` | High
14 | File | `/claire_blake` | High
15 | File | `/dashboard/add-portfolio.php` | High
16 | File | `/dashboard/add-service.php` | High
17 | File | `/dashboard/settings` | High
18 | File | `/dashboard/updatelogo.php` | High
19 | File | `/edituser.php` | High
20 | File | `/etc/networkd-dispatcher` | High
21 | File | `/etc/shadow.sample` | High
22 | File | `/fw.login.php` | High
23 | File | `/gasmark/assets/myimages/oneWord.php` | High
24 | File | `/git-prereceive-callback` | High
25 | File | `/goform/addRouting` | High
26 | File | `/goform/Diagnosis` | High
27 | File | `/goform/form2userconfig.cgi` | High
28 | File | `/goform/NTPSyncWithHost` | High
29 | File | `/goform/saveParentControlInfo` | High
30 | File | `/goform/SetIpMacBind` | High
31 | File | `/goform/SetLEDCfg` | High
32 | File | `/goform/setMAC` | High
33 | File | `/goform/setMacFilterCfg` | High
34 | File | `/goform/SetStaticRouteCfg` | High
35 | File | `/goform/SetVirtualServerCfg` | High
36 | File | `/goform/SystemCommand` | High
37 | File | `/goform/wizard_end` | High
38 | File | `/htmldoc/htmldoc/html.cxx` | High
39 | ... | ... | ...
11 | File | `/buspassms/download-pass.php` | High
12 | File | `/carbon/mediation_secure_vault/properties/ajaxprocessor.jsp` | High
13 | File | `/carbon/ndatasource/validateconnection/ajaxprocessor.jsp` | High
14 | File | `/cgi-bin/DownloadFlash` | High
15 | File | `/claire_blake` | High
16 | File | `/cnr` | Low
17 | File | `/dashboard/add-portfolio.php` | High
18 | File | `/dashboard/add-service.php` | High
19 | File | `/dashboard/settings` | High
20 | File | `/dashboard/updatelogo.php` | High
21 | File | `/DesignTools/CssEditor.aspx` | High
22 | File | `/ebics-server/ebics.aspx` | High
23 | File | `/etc/networkd-dispatcher` | High
24 | File | `/etc/shadow.sample` | High
25 | File | `/etc/version` | Medium
26 | File | `/fw.login.php` | High
27 | File | `/gasmark/assets/myimages/oneWord.php` | High
28 | File | `/git-prereceive-callback` | High
29 | File | `/goform/addRouting` | High
30 | File | `/goform/Diagnosis` | High
31 | File | `/goform/expandDlnaFile` | High
32 | File | `/goform/fast_setting_wifi_set` | High
33 | File | `/goform/form2userconfig.cgi` | High
34 | File | `/goform/NatStaticSetting` | High
35 | File | `/goform/NTPSyncWithHost` | High
36 | File | `/goform/openSchedWifi/` | High
37 | ... | ... | ...

There are 334 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 321 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -41,14 +41,14 @@ ID | IP address | Hostname | Campaign | Confidence
7 | [45.43.50.197](https://vuldb.com/?ip.45.43.50.197) | - | Europe | High
8 | [45.77.184.12](https://vuldb.com/?ip.45.77.184.12) | comm.phiu.pw | - | High
9 | [45.131.179.179](https://vuldb.com/?ip.45.131.179.179) | - | Hodur | High
10 | [45.134.83.41](https://vuldb.com/?ip.45.134.83.41) | - | PlugX | High
11 | [45.154.14.235](https://vuldb.com/?ip.45.154.14.235) | - | Hodur | High
12 | [45.248.87.14](https://vuldb.com/?ip.45.248.87.14) | - | - | High
13 | [45.248.87.162](https://vuldb.com/?ip.45.248.87.162) | - | Europe | High
14 | [46.8.198.134](https://vuldb.com/?ip.46.8.198.134) | - | Europe | High
10 | [45.134.83.4](https://vuldb.com/?ip.45.134.83.4) | - | - | High
11 | [45.134.83.41](https://vuldb.com/?ip.45.134.83.41) | - | PlugX | High
12 | [45.154.14.235](https://vuldb.com/?ip.45.154.14.235) | - | Hodur | High
13 | [45.248.87.14](https://vuldb.com/?ip.45.248.87.14) | - | - | High
14 | [45.248.87.162](https://vuldb.com/?ip.45.248.87.162) | - | Europe | High
15 | ... | ... | ... | ...

There are 54 more IOC items available. Please use our online service to access the data.
There are 56 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

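Review bot: the new row 10 `45.134.83.4` carries neither hostname nor campaign and is inserted directly in front of `45.134.83.41` (PlugX); the two differ only by a trailing digit, so please confirm that 45.134.83.4 is a distinct indicator in the source data and not a truncated duplicate of the PlugX address, since consumers will feed both into blocklists. The count line moving from 54 to 56 implies one further address was added beyond the visible rows, on top of `46.8.198.134` being pushed out of view by the renumbering.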
@ -71,34 +71,36 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/cgi-bin/portal` | High
2 | File | `/Config/service/initModel?` | High
3 | File | `/export` | Low
4 | File | `/goform/NTPSyncWithHost` | High
5 | File | `/HNAP1/SetAccessPointMode` | High
6 | File | `/home/<user>/SecurityOnion/setup/so-setup` | High
7 | File | `/home/www/cgi-bin/diagnostics.cgi` | High
8 | File | `/htmlcode/html/indexdefault.asp` | High
9 | File | `/include/helpers/upload.helper.php` | High
10 | File | `/interface/main/backup.php` | High
11 | File | `/local/domain/$DOMID` | High
12 | File | `/mkshop/Men/profile.php` | High
13 | File | `/MTFWU` | Low
14 | File | `/mygym/admin/index.php` | High
15 | File | `/patient/settings.php` | High
16 | File | `/rest/api/2/user/picker` | High
17 | File | `/service/upload` | High
18 | File | `/settings` | Medium
19 | File | `/tmp` | Low
20 | ... | ... | ...
1 | File | `/admin/settings.php` | High
2 | File | `/cgi-bin/portal` | High
3 | File | `/Config/service/initModel?` | High
4 | File | `/export` | Low
5 | File | `/goform/NTPSyncWithHost` | High
6 | File | `/HNAP1/SetAccessPointMode` | High
7 | File | `/home/<user>/SecurityOnion/setup/so-setup` | High
8 | File | `/home/www/cgi-bin/diagnostics.cgi` | High
9 | File | `/htmlcode/html/indexdefault.asp` | High
10 | File | `/include/helpers/upload.helper.php` | High
11 | File | `/interface/main/backup.php` | High
12 | File | `/local/domain/$DOMID` | High
13 | File | `/mkshop/Men/profile.php` | High
14 | File | `/MTFWU` | Low
15 | File | `/mygym/admin/index.php` | High
16 | File | `/patient/settings.php` | High
17 | File | `/rest/api/2/user/picker` | High
18 | File | `/service/upload` | High
19 | File | `/settings` | Medium
20 | File | `/tmp` | Low
21 | ... | ... | ...

There are 161 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 172 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html
* https://blogs.blackberry.com/en/2022/10/mustang-panda-abuses-legitimate-apps-to-target-myanmar-based-victims
* https://github.com/eset/malware-ioc/tree/master/quarterly_reports/2020_Q2
* https://twitter.com/ESETresearch/status/1400165861973966854
* https://twitter.com/xorhex/status/1406496693735067650

@ -63,39 +63,41 @@ ID | Type | Indicator | Confidence
5 | File | `/admin/budget.php` | High
6 | File | `/admin/contact/list` | High
7 | File | `/admin/edit.php` | High
8 | File | `/admin/students/view_student.php` | High
9 | File | `/advanced-tools/nova/bin/netwatch` | High
10 | File | `/bd_genie_create_account.cgi` | High
11 | File | `/bits/stl_vector.h` | High
12 | File | `/categories/view_category.php` | High
13 | File | `/category_view.php` | High
14 | File | `/cgi-bin/editBookmark` | High
15 | File | `/claire_blake` | High
16 | File | `/classes/Master.php?f=delete_category` | High
17 | File | `/dashboard/add-portfolio.php` | High
18 | File | `/dashboard/add-service.php` | High
19 | File | `/dashboard/contact` | High
20 | File | `/dashboard/updatelogo.php` | High
21 | File | `/employees/manage_leave_type.php` | High
22 | File | `/etc/shadow.sample` | High
23 | File | `/etc/srapi/config/system.conf` | High
24 | File | `/fax/fax_send.php` | High
25 | File | `/framework/mod/db/DBMapper.xml` | High
26 | File | `/goform/aspForm` | High
27 | File | `/goform/form2userconfig.cgi` | High
28 | File | `/goform/formWifiBasicSet` | High
29 | File | `/goform/NatStaticSetting` | High
30 | File | `/goform/wifiSSIDget` | High
31 | File | `/goform/wifiSSIDset` | High
32 | File | `/guestmanagement/front.php` | High
33 | File | `/Home/debit_credit_p` | High
34 | File | `/htdocs/utils/Files.php` | High
35 | File | `/htmldoc/htmldoc/html.cxx` | High
36 | File | `/include/makecvs.php` | High
37 | File | `/index.php` | Medium
38 | ... | ... | ...
8 | File | `/admin/sql` | Medium
9 | File | `/admin/students/view_student.php` | High
10 | File | `/advanced-tools/nova/bin/netwatch` | High
11 | File | `/baseOpLog.do` | High
12 | File | `/bd_genie_create_account.cgi` | High
13 | File | `/bits/stl_vector.h` | High
14 | File | `/categories/view_category.php` | High
15 | File | `/category_view.php` | High
16 | File | `/cgi-bin/editBookmark` | High
17 | File | `/claire_blake` | High
18 | File | `/classes/Master.php?f=delete_category` | High
19 | File | `/dashboard/add-portfolio.php` | High
20 | File | `/dashboard/add-service.php` | High
21 | File | `/dashboard/contact` | High
22 | File | `/dashboard/updatelogo.php` | High
23 | File | `/employees/manage_leave_type.php` | High
24 | File | `/etc/shadow.sample` | High
25 | File | `/etc/srapi/config/system.conf` | High
26 | File | `/fax/fax_send.php` | High
27 | File | `/framework/mod/db/DBMapper.xml` | High
28 | File | `/goform/form2userconfig.cgi` | High
29 | File | `/goform/formWifiBasicSet` | High
30 | File | `/goform/NatStaticSetting` | High
31 | File | `/goform/wifiSSIDget` | High
32 | File | `/goform/wifiSSIDset` | High
33 | File | `/guestmanagement/front.php` | High
34 | File | `/Home/debit_credit_p` | High
35 | File | `/htdocs/utils/Files.php` | High
36 | File | `/htmldoc/htmldoc/html.cxx` | High
37 | File | `/include/makecvs.php` | High
38 | File | `/items/manage_item.php` | High
39 | File | `/kfm/index.php` | High
40 | ... | ... | ...

There are 325 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 343 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -34,12 +34,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
1 | T1059 | CWE-94 | Cross Site Scripting | High
2 | T1059.007 | CWE-79 | Cross Site Scripting | High
3 | T1068 | CWE-264, CWE-269 | Execution with Unnecessary Privileges | High
4 | ... | ... | ... | ...

There are 1 more TTP items available. Please use our online service to access the data.
There are 5 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

@ -0,0 +1,30 @@
# NoMercy Stealer - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [NoMercy Stealer](https://vuldb.com/?actor.nomercy_stealer). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.nomercy_stealer](https://vuldb.com/?actor.nomercy_stealer)
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of NoMercy Stealer.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [193.34.76.44](https://vuldb.com/?ip.193.34.76.44) | - | - | High
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://blog.cyble.com/2022/07/07/nomercy-stealer-adding-new-features/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
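Review bot: the new NoMercy Stealer page goes straight from the IOC table to `## References`, omitting the TTP and IOA sections that the other actor pages touched in this commit carry (see the TTP table and `## IOA - Indicator of Attack` hunks above); if no TTP or IOA data exists for this actor yet, state that explicitly rather than leaving the sections out. The single IOC row also has `-` for both Hostname and Campaign while rated High confidence on the strength of one blog post; naming that source in the Campaign column (or a note under the table) would make the rating traceable.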