This commit is contained in:
Marc Ruef 2022-03-18 10:38:46 +01:00
parent 63ca436110
commit ef16ee7c43
237 changed files with 8589 additions and 5953 deletions

View File

@ -1,110 +1,87 @@
# APT1 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT1](https://vuldb.com/?actor.apt1). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT1](https://vuldb.com/?actor.apt1). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt1](https://vuldb.com/?actor.apt1)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.apt1](https://vuldb.com/?actor.apt1)
## Campaigns
The following campaigns are known and can be associated with APT1:
The following _campaigns_ are known and can be associated with APT1:
* Mandiant
* Oceansalt
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT1:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT1:
* CN
* US
* FR
* ...
There are 1 more country items available. Please use our online service to access the data.
* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [GB](https://vuldb.com/?country.gb)
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT1.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of APT1.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 23.236.62.147 | 147.62.236.23.bc.googleusercontent.com | Medium
2 | 27.102.112.179 | - | High
3 | 58.246. | - | High
4 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [23.236.62.147](https://vuldb.com/?ip.23.236.62.147) | 147.62.236.23.bc.googleusercontent.com | - | Medium
2 | [27.102.112.179](https://vuldb.com/?ip.27.102.112.179) | - | Oceansalt | High
3 | [58.246.0.0](https://vuldb.com/?ip.58.246.0.0) | - | Mandiant | High
4 | [58.247.0.0](https://vuldb.com/?ip.58.247.0.0) | - | Mandiant | High
5 | [67.222.16.131](https://vuldb.com/?ip.67.222.16.131) | host.dnsweb.org | - | High
6 | [100.42.216.230](https://vuldb.com/?ip.100.42.216.230) | tfs2480.sipnav.in | - | High
7 | [101.80.0.0](https://vuldb.com/?ip.101.80.0.0) | - | Mandiant | High
8 | [101.81.0.0](https://vuldb.com/?ip.101.81.0.0) | - | Mandiant | High
9 | [101.82.0.0](https://vuldb.com/?ip.101.82.0.0) | - | Mandiant | High
10 | [101.83.0.0](https://vuldb.com/?ip.101.83.0.0) | - | Mandiant | High
11 | [101.84.0.0](https://vuldb.com/?ip.101.84.0.0) | - | Mandiant | High
12 | [101.85.0.0](https://vuldb.com/?ip.101.85.0.0) | - | Mandiant | High
13 | [101.86.0.0](https://vuldb.com/?ip.101.86.0.0) | - | Mandiant | High
14 | [101.87.0.0](https://vuldb.com/?ip.101.87.0.0) | - | Mandiant | High
15 | [101.88.0.0](https://vuldb.com/?ip.101.88.0.0) | - | Mandiant | High
16 | ... | ... | ... | ...
There are 10 more IOC items available. Please use our online service to access the data.
There are 60 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by APT1. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by APT1. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
There are 6 more TTP items available. Please use our online service to access the data.
There are 2 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT1. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT1. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `.htaccess` | Medium
2 | File | `/+CSCOE+/logon.html` | High
3 | File | `/admin/ajax/file-browser/upload/` | High
4 | File | `/admin/pictures` | High
5 | File | `/authenticationendpoint/domain.jsp` | High
6 | File | `/cmf/process/<process_id>/logs` | High
7 | File | `/dashbuilder/Controller` | High
8 | File | `/getcfg.php` | Medium
9 | File | `/goform/addressNat` | High
10 | File | `/goform/SysToolReboot` | High
11 | File | `/jpg/image.jpg` | High
12 | File | `/main.html` | Medium
13 | File | `/mc-admin/post.php?state=delete&delete` | High
14 | File | `/member/myfriend.php` | High
15 | File | `/member/pm.php` | High
16 | File | `/member/uploads_select.php` | High
17 | File | `/public/common/umeditor/php/getcontent.php` | High
18 | File | `/public/plugins/` | High
19 | File | `/robot/initialize` | High
20 | File | `/systemrw/` | Medium
21 | File | `/tmp` | Low
22 | File | `/tmp/csman/0` | Medium
23 | File | `/UDPUpdates/Config/FullUpdateSettings.xml` | High
24 | File | `/uncpath/` | Medium
25 | File | `/usr/bin/pkexec` | High
26 | File | `/var` | Low
27 | File | `/WebMstr7/servlet/mstrWeb` | High
28 | File | `/wp-admin/admin-ajax.php` | High
29 | File | `adm/boardgroup_form_update.php` | High
30 | File | `admin.php?mod=db&act=del` | High
31 | File | `admin.php?moduleid=2&action=add` | High
32 | File | `admin/category.inc.php` | High
33 | File | `admin/check.asp` | High
34 | File | `admin/code/tce_functions_tcecode_editor.php` | High
35 | File | `admin/content/editcontent?id=29&gopage=1` | High
36 | ... | ... | ...
1 | File | `/public/plugins/` | High
2 | File | `/systemrw/` | Medium
3 | File | `adm/boardgroup_form_update.php` | High
4 | ... | ... | ...
There are 308 more IOA items available. Please use our online service to access the data.
There are 16 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf
* https://www.circleid.com/posts/20201215-revisiting-apt1-iocs-with-dns-and-subdomain-intelligence/
* https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdfa
* https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
* https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
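Review bot: rows 3, 4 and 7 to 15 of the new IOC table (`58.246.0.0`, `58.247.0.0`, `101.80.0.0` through `101.88.0.0`) are address blocks rather than hosts (the old row 3 was the truncated `58.246.`), yet the column is still headed "IP address" and carries no prefix length, so anyone loading this table into a blocklist or a SIEM match will either treat `58.246.0.0` as one host or have to guess the mask. Suggest writing them in CIDR form (`58.246.0.0/16`, assuming a /16 is what is meant) or adding a separate network column. Also, the visible IOA table shrinks from 35 rows plus 308 more to 3 rows plus 16 more; if that is deliberate re-scoring rather than a truncated export, nothing on the page says so.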

View File

@ -21,7 +21,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [DE](https://vuldb.com/?country.de)
* ...
There are 8 more country items available. Please use our online service to access the data.
There are 9 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -59,7 +59,7 @@ There are 98 more IOC items available. Please use our online service to access t
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _APT10_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _APT10_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -106,10 +106,10 @@ ID | Type | Indicator | Confidence
28 | File | `apply.cgi` | Medium
29 | File | `arm/lithium-codegen-arm.cc` | High
30 | File | `authenticate.c` | High
31 | File | `Authenticate.class.php` | High
31 | File | `base_maintenance.php` | High
32 | ... | ... | ...
There are 275 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 271 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

View File

@ -1,6 +1,6 @@
# APT16 - Cyber Threat Intelligence
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT16](https://vuldb.com/?actor.apt16). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT16](https://vuldb.com/?actor.apt16). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.apt16](https://vuldb.com/?actor.apt16)
@ -8,8 +8,8 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT16:
* US
* CN
* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
## IOC - Indicator of Compromise
@ -17,7 +17,7 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 121.127.249.74 | - | - | High
1 | [121.127.249.74](https://vuldb.com/?ip.121.127.249.74) | - | - | High
## TTP - Tactics, Techniques, Procedures

View File

@ -1,38 +1,38 @@
# APT18 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT18](https://vuldb.com/?actor.apt18). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT18](https://vuldb.com/?actor.apt18). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt18](https://vuldb.com/?actor.apt18)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.apt18](https://vuldb.com/?actor.apt18)
## Campaigns
The following campaigns are known and can be associated with APT18:
The following _campaigns_ are known and can be associated with APT18:
* Wekby
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT18.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of APT18.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 23.252.166.89 | - | High
2 | 23.252.166.99 | - | High
3 | 107.180.58.70 | ip-107-180-58-70.ip.secureserver.net | High
4 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [23.252.166.89](https://vuldb.com/?ip.23.252.166.89) | - | Wekby | High
2 | [23.252.166.99](https://vuldb.com/?ip.23.252.166.99) | - | Wekby | High
3 | [107.180.58.70](https://vuldb.com/?ip.107.180.58.70) | ip-107-180-58-70.ip.secureserver.net | Wekby | High
4 | ... | ... | ... | ...
There are 2 more IOC items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://github.com/fireeye/iocs/blob/master/APT18/0ae061d7-c624-4a84-8adf-00281b97797b.ioc
* https://unit42.paloaltonetworks.com/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

View File

@ -1,68 +1,78 @@
# APT2 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT2](https://vuldb.com/?actor.apt2). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT2](https://vuldb.com/?actor.apt2). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt2](https://vuldb.com/?actor.apt2)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.apt2](https://vuldb.com/?actor.apt2)
## Campaigns
The following campaigns are known and can be associated with APT2:
The following _campaigns_ are known and can be associated with APT2:
* Putter Panda
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT2:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT2:
* KR
* US
* [CN](https://vuldb.com/?country.cn)
* [KR](https://vuldb.com/?country.kr)
* [US](https://vuldb.com/?country.us)
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT2.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of APT2.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 31.170.110.163 | io.uu3.net | High
2 | 58.196.156.15 | - | High
3 | 59.120.168.199 | 59-120-168-199.hinet-ip.hinet.net | High
4 | 61.34.97.69 | - | High
5 | 61.74.190.14 | - | High
6 | 61.78.37.121 | - | High
7 | 61.78.75.96 | - | High
8 | 61.221.54.99 | 61-221-54-99.hinet-ip.hinet.net | High
9 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [31.170.110.163](https://vuldb.com/?ip.31.170.110.163) | io.uu3.net | Putter Panda | High
2 | [58.196.156.15](https://vuldb.com/?ip.58.196.156.15) | - | Putter Panda | High
3 | [59.120.168.199](https://vuldb.com/?ip.59.120.168.199) | 59-120-168-199.hinet-ip.hinet.net | - | High
4 | [61.34.97.69](https://vuldb.com/?ip.61.34.97.69) | - | - | High
5 | [61.74.190.14](https://vuldb.com/?ip.61.74.190.14) | - | - | High
6 | [61.78.37.121](https://vuldb.com/?ip.61.78.37.121) | - | - | High
7 | [61.78.75.96](https://vuldb.com/?ip.61.78.75.96) | - | - | High
8 | [61.221.54.99](https://vuldb.com/?ip.61.221.54.99) | 61-221-54-99.hinet-ip.hinet.net | - | High
9 | ... | ... | ... | ...
There are 34 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by APT2. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by APT2. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
3 | T1211 | CWE-254 | 7PK Security Features | High
4 | ... | ... | ... | ...
There are 2 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT2. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT2. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/bin/boa` | Medium
2 | Argument | `Authorization` | High
3 | Argument | `Username` | Medium
1 | File | `/admin/blog/blogcategory/add/?_to_field=id&_popup=1` | High
2 | File | `/bin/boa` | Medium
3 | File | `/DOWN/FIRMWAREUPDATE/ROM1` | High
4 | File | `admin/admin/adminsave.html` | High
5 | ... | ... | ...
There are 26 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf
* https://www.threatminer.org/report.php?q=putter-panda.pdf&y=2014
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
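Review bot: the new TTP intro line `_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by APT2.` lacks the `MITRE` qualifier and the `_APT2_` italics that this same commit introduces in the APT10, APT28, APT29, APT3, APT31 and APT32 files (`... suspected MITRE ATT&CK techniques used by _APT10_.`); the APT1 file in this commit has the same leftover. Since these files are evidently produced from one template, suggest regenerating APT1 and APT2 from the updated template so the wording is consistent across the set.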

View File

@ -84,7 +84,7 @@ There are 184 more IOC items available. Please use our online service to access
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _APT28_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _APT28_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -115,28 +115,28 @@ ID | Type | Indicator | Confidence
12 | File | `/plugins/servlet/audit/resource` | High
13 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
14 | File | `/proc/ioports` | High
15 | File | `/replication` | Medium
16 | File | `/reports/rwservlet` | High
17 | File | `/RestAPI` | Medium
18 | File | `/tmp` | Low
19 | File | `/tmp/speedtest_urls.xml` | High
20 | File | `/uncpath/` | Medium
21 | File | `/var/log/nginx` | High
22 | File | `/wp-admin/admin.php` | High
23 | File | `/wp-json/wc/v3/webhooks` | High
24 | File | `admin-ajax.php?action=get_wdtable order[0][dir]` | High
25 | File | `admin/app/mediamanager` | High
26 | File | `admin/index.php` | High
27 | File | `admin\model\catalog\download.php` | High
28 | File | `afr.php` | Low
29 | File | `apcupsd.pid` | Medium
30 | File | `api/it-recht-kanzlei/api-it-recht-kanzlei.php` | High
31 | File | `api/sms/send-sms` | High
32 | File | `api/v1/alarms` | High
33 | File | `application/controller/InstallerController.php` | High
15 | File | `/REBOOTSYSTEM` | High
16 | File | `/replication` | Medium
17 | File | `/reports/rwservlet` | High
18 | File | `/RestAPI` | Medium
19 | File | `/tmp` | Low
20 | File | `/tmp/speedtest_urls.xml` | High
21 | File | `/uncpath/` | Medium
22 | File | `/var/log/nginx` | High
23 | File | `/wp-admin/admin.php` | High
24 | File | `/wp-json/wc/v3/webhooks` | High
25 | File | `admin-ajax.php?action=get_wdtable order[0][dir]` | High
26 | File | `admin/app/mediamanager` | High
27 | File | `admin/index.php` | High
28 | File | `admin\model\catalog\download.php` | High
29 | File | `afr.php` | Low
30 | File | `apcupsd.pid` | Medium
31 | File | `api/it-recht-kanzlei/api-it-recht-kanzlei.php` | High
32 | File | `api/sms/send-sms` | High
33 | File | `api/v1/alarms` | High
34 | ... | ... | ...
There are 291 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 290 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
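Review bot: inserting `/REBOOTSYSTEM` as row 15 renumbers rows 16 through 33, so a one-item data change appears as 19 changed lines, and `application/controller/InstallerController.php` silently moves from the visible set into the "more items" remainder. That remainder nevertheless drops from 291 to 290, so the total (33 visible rows plus remainder) goes from 324 to 323 although an indicator was added, meaning at least two indicators were removed without showing up in the diff. Suggest a stable identifier in place of the positional ID column (or dropping it) and stating the full count rather than only the remainder, so additions and removals can actually be reviewed.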

View File

@ -19,8 +19,8 @@ There are 1 more campaign items available. Please use our online service to acce
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT29:
* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [US](https://vuldb.com/?country.us)
* [FR](https://vuldb.com/?country.fr)
* ...
@ -59,16 +59,16 @@ There are 83 more IOC items available. Please use our online service to access t
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by APT29. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _APT29_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
There are 7 more TTP items available. Please use our online service to access the data.
There are 6 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
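Review bot: the change to row 3 drops CWE-307 and leaves only CWE-798 for T1110.001, but the Description cell `Improper Restriction of Excessive Authentication Attempts` is the title of CWE-307, while CWE-798 is Use of Hard-coded Credentials; after this change the Weakness and Description columns contradict each other (the APT1 and APT3 files in this commit already carry the same CWE-798-only pairing). Either keep CWE-307 in the Weakness cell or change the description to match. The same check applies to rows 1 and 2, where the Description column shows CWE titles (`Cross Site Scripting`, `Execution with Unnecessary Privileges`) rather than the ATT&CK names of T1059.007 (JavaScript) and T1068 (Exploitation for Privilege Escalation).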
@ -108,14 +108,14 @@ ID | Type | Indicator | Confidence
30 | File | `/tmp` | Low
31 | File | `/tmp/redis.ds` | High
32 | File | `/uncpath/` | Medium
33 | File | `/ViewUserHover.jspa` | High
34 | File | `/wp-admin` | Medium
35 | File | `/wp-json/wc/v3/webhooks` | High
33 | File | `/wp-admin` | Medium
34 | File | `/wp-json/wc/v3/webhooks` | High
35 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
36 | File | `ABuffer.cpp` | Medium
37 | File | `AccountManagerService.java` | High
38 | ... | ... | ...
There are 331 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 326 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

View File

@ -1,6 +1,6 @@
# APT3 - Cyber Threat Intelligence
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT3](https://vuldb.com/?actor.apt3). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT3](https://vuldb.com/?actor.apt3). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.apt3](https://vuldb.com/?actor.apt3)
@ -9,16 +9,15 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
The following _campaigns_ are known and can be associated with APT3:
* CVE-2015-5119
* Doubletap
* Double Tap
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT3:
* US
* CN
* RU
* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [RU](https://vuldb.com/?country.ru)
* ...
There are 24 more country items available. Please use our online service to access the data.
@ -29,16 +28,16 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 23.99.20.198 | - | - | High
2 | 54.169.89.240 | ec2-54-169-89-240.ap-southeast-1.compute.amazonaws.com | - | Medium
3 | 104.151.248.173 | 173.248-151-104.rdns.scalabledns.com | Doubletap | High
1 | [23.99.20.198](https://vuldb.com/?ip.23.99.20.198) | - | - | High
2 | [54.169.89.240](https://vuldb.com/?ip.54.169.89.240) | ec2-54-169-89-240.ap-southeast-1.compute.amazonaws.com | - | Medium
3 | [104.151.248.173](https://vuldb.com/?ip.104.151.248.173) | 173.248-151-104.rdns.scalabledns.com | Double Tap | High
4 | ... | ... | ... | ...
There are 8 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by APT3. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _APT3_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -47,7 +46,7 @@ ID | Technique | Weakness | Description | Confidence
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
There are 8 more TTP items available. Please use our online service to access the data.
There are 7 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -81,29 +80,30 @@ ID | Type | Indicator | Confidence
24 | File | `/rest/api/2/search` | High
25 | File | `/s/` | Low
26 | File | `/scripts/cpan_config` | High
27 | File | `/services/system/setup.json` | High
28 | File | `/uncpath/` | Medium
29 | File | `/webconsole/APIController` | High
30 | File | `/websocket/exec` | High
31 | File | `/wp-admin/admin-ajax.php` | High
32 | File | `/wp-json/oembed/1.0/embed?url` | High
33 | File | `/_next` | Low
34 | File | `4.edu.php\conn\function.php` | High
35 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
36 | File | `adclick.php` | Medium
37 | File | `addentry.php` | Medium
38 | File | `addressbook.php` | High
39 | File | `add_comment.php` | High
40 | File | `admin/category.inc.php` | High
41 | File | `admin/conf_users_edit.php` | High
42 | File | `admin/dl_sendmail.php` | High
43 | File | `admin/index.php` | High
44 | File | `admin/languages.php` | High
45 | File | `admin/password_forgotten.php` | High
46 | File | `admin/versions.html` | High
47 | ... | ... | ...
27 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
28 | File | `/services/system/setup.json` | High
29 | File | `/uncpath/` | Medium
30 | File | `/webconsole/APIController` | High
31 | File | `/websocket/exec` | High
32 | File | `/wp-admin/admin-ajax.php` | High
33 | File | `/wp-json/oembed/1.0/embed?url` | High
34 | File | `/_next` | Low
35 | File | `4.edu.php\conn\function.php` | High
36 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
37 | File | `adclick.php` | Medium
38 | File | `addentry.php` | Medium
39 | File | `addressbook.php` | High
40 | File | `add_comment.php` | High
41 | File | `admin/category.inc.php` | High
42 | File | `admin/conf_users_edit.php` | High
43 | File | `admin/dl_sendmail.php` | High
44 | File | `admin/index.php` | High
45 | File | `admin/languages.php` | High
46 | File | `admin/password_forgotten.php` | High
47 | File | `admin/versions.html` | High
48 | ... | ... | ...
There are 410 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 412 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
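Review bot: Inserting the single new row 27 (`/secure/admin/InsightDefaultCustomFieldConfig.jspa`) forces a rewrite of every following row 28 to 47 in this hunk, because the ID column is positional; a consumer diffing two revisions cannot distinguish a moved indicator from a changed one. Consider dropping the ID column or making it stable across revisions. Note also that the footer rises from 410 to 412 while only one additional row appears above the `...` cut, so two further additions are hidden behind the truncation and cannot be reviewed here; a line in the commit message listing added and removed indicators would fix that.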
@ -26,7 +26,7 @@ There are 13 more IOC items available. Please use our online service to access t
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _APT31_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _APT31_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -46,7 +46,7 @@ There are 48 more IOC items available. Please use our online service to access t
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _APT32_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _APT32_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -21,7 +21,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [FR](https://vuldb.com/?country.fr)
* ...
There are 5 more country items available. Please use our online service to access the data.
There are 6 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -50,7 +50,7 @@ There are 60 more IOC items available. Please use our online service to access t
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _APT33_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _APT33_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -75,24 +75,24 @@ ID | Type | Indicator | Confidence
6 | File | `/admin/files` | Medium
7 | File | `/administrator/components/menu/` | High
8 | File | `/administrator/components/table_manager/` | High
9 | File | `/api/ZRMesh/set_ZRMesh` | High
10 | File | `/damicms-master/admin.php?s=/Article/doedit` | High
11 | File | `/Hospital-Management-System-master/contact.php` | High
12 | File | `/Hospital-Management-System-master/func.php` | High
13 | File | `/jerry-core/ecma/base/ecma-lcache.c` | High
14 | File | `/jerry-core/ecma/base/ecma-literal-storage.c` | High
15 | File | `/jerry-core/jmem/jmem-heap.c` | High
16 | File | `/ms/cms/content/list.do` | High
17 | File | `/orms/` | Low
18 | File | `/parser/js/js-parser-expr.c` | High
19 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
20 | File | `/thruk/#cgi-bin/extinfo.cgi?type=2` | High
21 | File | `/transmission/web/` | High
22 | File | `/uploads/exam_question/` | High
23 | File | `/usr/bin/pkexec` | High
9 | File | `/api/appInternals/1.0/agent/configuration&amp` | High
10 | File | `/api/appInternals/1.0/agent/diagnostic/logs` | High
11 | File | `/api/ZRMesh/set_ZRMesh` | High
12 | File | `/cloud_config/router_post/register` | High
13 | File | `/Hospital-Management-System-master/contact.php` | High
14 | File | `/Hospital-Management-System-master/func.php` | High
15 | File | `/jerry-core/ecma/base/ecma-lcache.c` | High
16 | File | `/jerry-core/ecma/base/ecma-literal-storage.c` | High
17 | File | `/jerry-core/jmem/jmem-heap.c` | High
18 | File | `/ManageRoute/postRoute` | High
19 | File | `/ms/cms/content/list.do` | High
20 | File | `/orms/` | Low
21 | File | `/parser/js/js-parser-expr.c` | High
22 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
23 | File | `/thruk/#cgi-bin/extinfo.cgi?type=2` | High
24 | ... | ... | ...
There are 200 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 204 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
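Review bot: Row 9, `/api/appInternals/1.0/agent/configuration&amp`, looks like an HTML-escaping artifact rather than a literal path: `&amp` is a truncated `&amp;` entity, so the stored indicator most likely ends in a bare `&` followed by whatever the source had next. Check the extraction before this ships, since an escaped form will never match anything in a detection rule. Separately, `/damicms-master/admin.php?s=/Article/doedit` (old row 10) is gone rather than renumbered: with the list sorted case-insensitively it would sit between new rows 12 and 13, so this hunk removes an indicator without saying so.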
@ -41,7 +41,7 @@ There are 58 more IOC items available. Please use our online service to access t
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _APT34_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _APT34_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -91,7 +91,7 @@ ID | Type | Indicator | Confidence
31 | File | `apcupsd.pid` | Medium
32 | ... | ... | ...
There are 276 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 277 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
@ -16,7 +16,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [US](https://vuldb.com/?country.us)
* [RU](https://vuldb.com/?country.ru)
* [GB](https://vuldb.com/?country.gb)
* [IR](https://vuldb.com/?country.ir)
* ...
There are 18 more country items available. Please use our online service to access the data.
@ -36,7 +36,7 @@ There are 14 more IOC items available. Please use our online service to access t
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _APT39_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _APT39_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -56,13 +56,13 @@ ID | Type | Indicator | Confidence
1 | File | `//etc/RT2870STA.dat` | High
2 | File | `/admin/index.php?id=themes&action=edit_template&filename=blog` | High
3 | File | `/cwp_{SESSION_HASH}/admin/loader_ajax.php` | High
4 | File | `/magnoliaPublic/travel/members/login.html` | High
5 | File | `/Main_AdmStatus_Content.asp` | High
6 | File | `/server-status` | High
7 | File | `/uncpath/` | Medium
4 | File | `/jquery_file_upload/server/php/index.php` | High
5 | File | `/magnoliaPublic/travel/members/login.html` | High
6 | File | `/Main_AdmStatus_Content.asp` | High
7 | File | `/server-status` | High
8 | ... | ... | ...
There are 56 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 60 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
@ -9,18 +9,22 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
The following _campaigns_ are known and can be associated with APT41:
* CVE-2019-19781
* MoonBounce
* CVE-2021-44207
* CVE-2021-44228
* ...
There are 1 more campaign items available. Please use our online service to access the data.
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT41:
* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [US](https://vuldb.com/?country.us)
* [RU](https://vuldb.com/?country.ru)
* ...
There are 14 more country items available. Please use our online service to access the data.
There are 18 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
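Review bot: The two new campaign entries, CVE-2021-44207 and CVE-2021-44228, are vulnerability identifiers used as campaign names next to MoonBounce, which is an actual campaign label. A reader will take them as the exploited vulnerability rather than a named operation, and the same strings are then reused as values in the Campaign column of the IOC table. Either state that convention above the list or link the identifiers to the corresponding vulnerability entries, so that the Campaign column stays unambiguous.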
@ -35,21 +39,25 @@ ID | IP address | Hostname | Campaign | Confidence
5 | [5.188.108.22](https://vuldb.com/?ip.5.188.108.22) | pol1.htjsq.com | MoonBounce | High
6 | [5.188.108.228](https://vuldb.com/?ip.5.188.108.228) | xc5.exclusivacondominios.com | MoonBounce | High
7 | [5.189.222.33](https://vuldb.com/?ip.5.189.222.33) | spain466.es | MoonBounce | High
8 | [23.67.95.153](https://vuldb.com/?ip.23.67.95.153) | a23-67-95-153.deploy.static.akamaitechnologies.com | - | High
9 | [43.255.191.255](https://vuldb.com/?ip.43.255.191.255) | - | - | High
10 | [45.76.6.149](https://vuldb.com/?ip.45.76.6.149) | 45.76.6.149.vultr.com | - | Medium
11 | [45.76.75.219](https://vuldb.com/?ip.45.76.75.219) | 45.76.75.219.vultr.com | - | Medium
12 | [45.128.132.6](https://vuldb.com/?ip.45.128.132.6) | - | MoonBounce | High
13 | [45.128.135.15](https://vuldb.com/?ip.45.128.135.15) | - | MoonBounce | High
14 | [45.138.157.78](https://vuldb.com/?ip.45.138.157.78) | srv1.fincantleri.co | - | High
15 | [61.78.62.21](https://vuldb.com/?ip.61.78.62.21) | - | - | High
16 | ... | ... | ... | ...
8 | [18.118.56.237](https://vuldb.com/?ip.18.118.56.237) | ec2-18-118-56-237.us-east-2.compute.amazonaws.com | CVE-2021-44207 | Medium
9 | [20.121.42.11](https://vuldb.com/?ip.20.121.42.11) | - | CVE-2021-44207 | High
10 | [23.67.95.153](https://vuldb.com/?ip.23.67.95.153) | a23-67-95-153.deploy.static.akamaitechnologies.com | - | High
11 | [34.139.13.46](https://vuldb.com/?ip.34.139.13.46) | 46.13.139.34.bc.googleusercontent.com | CVE-2021-44207 | Medium
12 | [43.255.191.255](https://vuldb.com/?ip.43.255.191.255) | - | - | High
13 | [45.76.6.149](https://vuldb.com/?ip.45.76.6.149) | 45.76.6.149.vultr.com | - | Medium
14 | [45.76.75.219](https://vuldb.com/?ip.45.76.75.219) | 45.76.75.219.vultr.com | - | Medium
15 | [45.84.1.181](https://vuldb.com/?ip.45.84.1.181) | vm372737.pq.hosting | CVE-2021-44207 | High
16 | [45.128.132.6](https://vuldb.com/?ip.45.128.132.6) | - | MoonBounce | High
17 | [45.128.135.15](https://vuldb.com/?ip.45.128.135.15) | - | MoonBounce | High
18 | [45.138.157.78](https://vuldb.com/?ip.45.138.157.78) | srv1.fincantleri.co | - | High
19 | [45.153.231.31](https://vuldb.com/?ip.45.153.231.31) | cheater.rehab | CVE-2021-44207 | High
20 | ... | ... | ... | ...
There are 60 more IOC items available. Please use our online service to access the data.
There are 74 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _APT41_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _APT41_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
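Review bot: Rows 8 and 11 are generic cloud reverse-DNS names (`ec2-18-118-56-237.us-east-2.compute.amazonaws.com`, `46.13.139.34.bc.googleusercontent.com`) tied to CVE-2021-44207 at Medium confidence, yet the table has no first-seen or last-seen column, so a consumer of this list has no way to age the addresses out once the instances are recycled. Adding an observation date per row (or at least the date of this commit) would let blocklist users apply a TTL; without it, Medium confidence on ephemeral cloud address space will produce false positives over time.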
@ -58,7 +66,7 @@ ID | Technique | Weakness | Description | Confidence
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
There are 6 more TTP items available. Please use our online service to access the data.
There are 7 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
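Review bot: Row 3 maps T1110.001 to CWE-798 only, while the Description column carries the title of CWE-307, "Improper Restriction of Excessive Authentication Attempts". Either CWE-307 belongs in the Weakness column, as the Africa Unknown page in this same commit does with `CWE-307, CWE-798`, or the description should match the weakness actually listed; as it stands the row is internally inconsistent.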
@ -67,34 +75,41 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/api/blade-log/api/list` | High
2 | File | `/category_view.php` | High
3 | File | `/cgi-bin/portal` | High
4 | File | `/cgi-bin/system_mgr.cgi` | High
5 | File | `/debug/pprof` | Medium
6 | File | `/etc/config/rpcd` | High
7 | File | `/forum/away.php` | High
8 | File | `/get_getnetworkconf.cgi` | High
9 | File | `/lists/admin/` | High
10 | File | `/login.cgi?logout=1` | High
11 | File | `/medical/inventories.php` | High
12 | File | `/module/admin_logs` | High
13 | File | `/public/login.htm` | High
14 | File | `/public/plugins/` | High
15 | File | `/replication` | Medium
16 | File | `/SASWebReportStudio/logonAndRender.do` | High
17 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
18 | File | `/secure/admin/ViewInstrumentation.jspa` | High
19 | File | `/start-stop` | Medium
20 | File | `/tmp/app/.env` | High
21 | File | `/uncpath/` | Medium
22 | File | `/upload` | Low
23 | File | `/usr/bin/pkexec` | High
24 | File | `/WEB-INF/web.xml` | High
25 | File | `/wp-admin/admin-ajax.php` | High
26 | File | `/_next` | Low
27 | ... | ... | ...
2 | File | `/api/trackedEntityInstances` | High
3 | File | `/category_view.php` | High
4 | File | `/cgi-bin/portal` | High
5 | File | `/cgi-bin/system_mgr.cgi` | High
6 | File | `/debug/pprof` | Medium
7 | File | `/etc/config/rpcd` | High
8 | File | `/forum/away.php` | High
9 | File | `/get_getnetworkconf.cgi` | High
10 | File | `/lists/admin/` | High
11 | File | `/login.cgi?logout=1` | High
12 | File | `/medical/inventories.php` | High
13 | File | `/module/admin_logs` | High
14 | File | `/public/login.htm` | High
15 | File | `/public/plugins/` | High
16 | File | `/replication` | Medium
17 | File | `/SASWebReportStudio/logonAndRender.do` | High
18 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
19 | File | `/secure/admin/ViewInstrumentation.jspa` | High
20 | File | `/secure/QueryComponent!Default.jspa` | High
21 | File | `/start-stop` | Medium
22 | File | `/tmp/app/.env` | High
23 | File | `/uncpath/` | Medium
24 | File | `/upload` | Low
25 | File | `/usr/bin/pkexec` | High
26 | File | `/WEB-INF/web.xml` | High
27 | File | `/wp-admin/admin-ajax.php` | High
28 | File | `/_next` | Low
29 | File | `adclick.php` | Medium
30 | File | `addentry.php` | Medium
31 | File | `addrating.php` | High
32 | File | `admin.php` | Medium
33 | File | `admin.php/comments/batchdel/` | High
34 | ... | ... | ...
There are 226 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 289 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
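Review bot: The preview cut moves from row 27 to row 34 in this hunk, while the APT33 and APT39 hunks above cut at 23 and 7 rows and the APT1 hunk at 47, so the number of rows shown before `...` varies per actor and per revision without a stated rule. Documenting the truncation criterion (fixed count, confidence threshold, or similar) would make the previews comparable and stop each regeneration from surfacing as a large cosmetic diff like the full 34-row rewrite here.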
@ -107,6 +122,7 @@ The following list contains _external sources_ which discuss the actor and the a
* https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/
* https://vxug.fakedoma.in/archive/APTs/2021/2021.01.14/APT%2041.pdf
* https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
* https://www.mandiant.com/resources/apt41-us-state-governments
* https://www.threatminer.org/report.php?q=OfPigsandMalwareExaminingaPossibleMemberoftheWinntiGroup-TrendMicro.pdf&y=2017
* https://www.threatminer.org/report.php?q=WinntiAbusesGitHubforC&CCommunications-TrendMicro.pdf&y=2017
* https://www.threatminer.org/report.php?q=WinntiEvolution-GoingOpenSource-Protectwise.pdf&y=2017
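Review bot: The added Mandiant link is fine, but the neighbouring context entry `https://www.threatminer.org/report.php?q=WinntiAbusesGitHubforC&CCommunications-TrendMicro.pdf&y=2017` carries an unescaped `&` inside the `q=` value; a browser will split it into a second parameter `CCommunications-TrendMicro.pdf` and hand threatminer a truncated `q=WinntiAbusesGitHubforC`. Percent-encoding that ampersand as `%26` would keep the reference resolvable.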
@ -27,7 +27,7 @@ There are 1 more IOC items available. Please use our online service to access th
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _ActionRAT_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _ActionRAT_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
actors/Admiral/README.md Normal file
@ -0,0 +1,35 @@
# Admiral - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Admiral](https://vuldb.com/?actor.admiral). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.admiral](https://vuldb.com/?actor.admiral)
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Admiral.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [35.186.219.42](https://vuldb.com/?ip.35.186.219.42) | 42.219.186.35.bc.googleusercontent.com | - | Medium
2 | [35.186.249.84](https://vuldb.com/?ip.35.186.249.84) | 84.249.186.35.bc.googleusercontent.com | - | Medium
3 | [35.190.48.184](https://vuldb.com/?ip.35.190.48.184) | 184.48.190.35.bc.googleusercontent.com | - | Medium
4 | ... | ... | ... | ...
There are 9 more IOC items available. Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://github.com/jkrejcha/AdmiraList
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
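Review bot: The page attributes the "Admiral" actor to a single external source, the GitHub repository AdmiraList, without describing what that repository is or how its entries became the three Google Cloud addresses in the IOC table (all `bc.googleusercontent.com` reverse names, i.e. shared cloud address space). One sentence on the source's nature and the collection date would let a reader judge the attribution; as written, the Medium confidence is the only hint that these are list-derived rather than observed activity.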
@ -1,71 +1,71 @@
# Adwind - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Adwind](https://vuldb.com/?actor.adwind). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Adwind](https://vuldb.com/?actor.adwind). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.adwind](https://vuldb.com/?actor.adwind)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.adwind](https://vuldb.com/?actor.adwind)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Adwind:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Adwind:
* US
* RU
* FR
* [US](https://vuldb.com/?country.us)
* [RU](https://vuldb.com/?country.ru)
* [FR](https://vuldb.com/?country.fr)
* ...
There are 16 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Adwind.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Adwind.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 2.5.29.14 | - | High
2 | 5.79.79.67 | - | High
3 | 5.79.79.70 | storage205.ntesrv.com | High
4 | 5.187.34.231 | 231.34.187.5.in-addr.arpa.dynamic.gestiondeservidor.com | High
5 | 5.254.112.21 | - | High
6 | 5.254.112.24 | - | High
7 | 5.254.112.36 | - | High
8 | 5.254.112.56 | - | High
9 | 5.254.112.60 | - | High
10 | 8.15.0.59 | - | High
11 | 14.3.210.2 | ae210002.dynamic.ppp.asahi-net.or.jp | High
12 | 23.227.196.198 | 23-227-196-198.static.hvvc.us | High
13 | 23.227.199.72 | 23-227-199-72.static.hvvc.us | High
14 | 23.227.199.118 | 23-227-199-118.static.hvvc.us | High
15 | 23.227.199.121 | 23-227-199-121.static.hvvc.us | High
16 | 23.231.23.182 | mx6.touringul.com | High
17 | 31.31.196.31 | server31.hosting.reg.ru | High
18 | 31.171.155.72 | - | High
19 | 37.61.235.30 | - | High
20 | 46.20.33.76 | - | High
21 | 50.7.199.164 | - | High
22 | 51.254.21.25 | ip25.ip-51-254-21.eu | High
23 | 65.99.225.111 | hv36svg168.neubox.net | High
24 | 67.215.4.74 | - | High
25 | 67.215.4.75 | - | High
26 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [2.5.29.14](https://vuldb.com/?ip.2.5.29.14) | - | - | High
2 | [5.79.79.67](https://vuldb.com/?ip.5.79.79.67) | - | - | High
3 | [5.79.79.70](https://vuldb.com/?ip.5.79.79.70) | storage205.ntesrv.com | - | High
4 | [5.187.34.231](https://vuldb.com/?ip.5.187.34.231) | 231.34.187.5.in-addr.arpa.dynamic.gestiondeservidor.com | - | High
5 | [5.254.112.21](https://vuldb.com/?ip.5.254.112.21) | - | - | High
6 | [5.254.112.24](https://vuldb.com/?ip.5.254.112.24) | - | - | High
7 | [5.254.112.36](https://vuldb.com/?ip.5.254.112.36) | - | - | High
8 | [5.254.112.56](https://vuldb.com/?ip.5.254.112.56) | - | - | High
9 | [5.254.112.60](https://vuldb.com/?ip.5.254.112.60) | - | - | High
10 | [8.15.0.59](https://vuldb.com/?ip.8.15.0.59) | - | - | High
11 | [14.3.210.2](https://vuldb.com/?ip.14.3.210.2) | ae210002.dynamic.ppp.asahi-net.or.jp | - | High
12 | [23.227.196.198](https://vuldb.com/?ip.23.227.196.198) | 23-227-196-198.static.hvvc.us | - | High
13 | [23.227.199.72](https://vuldb.com/?ip.23.227.199.72) | 23-227-199-72.static.hvvc.us | - | High
14 | [23.227.199.118](https://vuldb.com/?ip.23.227.199.118) | 23-227-199-118.static.hvvc.us | - | High
15 | [23.227.199.121](https://vuldb.com/?ip.23.227.199.121) | 23-227-199-121.static.hvvc.us | - | High
16 | [23.231.23.182](https://vuldb.com/?ip.23.231.23.182) | mx6.touringul.com | - | High
17 | [31.31.196.31](https://vuldb.com/?ip.31.31.196.31) | server31.hosting.reg.ru | - | High
18 | [31.171.155.72](https://vuldb.com/?ip.31.171.155.72) | - | - | High
19 | [37.61.235.30](https://vuldb.com/?ip.37.61.235.30) | - | - | High
20 | [46.20.33.76](https://vuldb.com/?ip.46.20.33.76) | - | - | High
21 | [50.7.199.164](https://vuldb.com/?ip.50.7.199.164) | - | - | High
22 | [51.254.21.25](https://vuldb.com/?ip.51.254.21.25) | ip25.ip-51-254-21.eu | - | High
23 | [65.99.225.111](https://vuldb.com/?ip.65.99.225.111) | hv36svg168.neubox.net | - | High
24 | [67.215.4.74](https://vuldb.com/?ip.67.215.4.74) | - | - | High
25 | [67.215.4.75](https://vuldb.com/?ip.67.215.4.75) | - | - | High
26 | ... | ... | ... | ...
There are 101 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Adwind. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Adwind_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
There are 3 more TTP items available. Please use our online service to access the data.
There are 2 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Adwind. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Adwind. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
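Review bot: Row 1 of the IOC table, `2.5.29.14` with no hostname and High confidence, is exactly the X.509 extension OID id-ce-subjectKeyIdentifier (2.5.29.14) and looks like a dotted-quad regex hit on certificate metadata in the 2016 report rather than an address; verify it against the source or drop it before it carries a `vuldb.com/?ip.` link. Also, the TTP footer falls from 3 to 2 remaining items while the three visible rows are unchanged, so an entry was removed in what otherwise reads as a formatting-only hunk; the commit message should say which.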
@ -77,17 +77,17 @@ ID | Type | Indicator | Confidence
6 | File | `administrator/components/com_media/helpers/media.php` | High
7 | ... | ... | ...
There are 48 more IOA items available. Please use our online service to access the data.
There are 48 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://www.threatminer.org/report.php?q=KL_AdwindPublicReport_2016.pdf&y=2016
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
@ -0,0 +1,123 @@
# Africa Unknown - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Africa Unknown](https://vuldb.com/?actor.africa_unknown). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.africa_unknown](https://vuldb.com/?actor.africa_unknown)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Africa Unknown:
* [NL](https://vuldb.com/?country.nl)
* [GB](https://vuldb.com/?country.gb)
* [US](https://vuldb.com/?country.us)
* ...
There are 9 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Africa Unknown.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [2.23.158.50](https://vuldb.com/?ip.2.23.158.50) | a2-23-158-50.deploy.static.akamaitechnologies.com | - | High
2 | [3.94.40.55](https://vuldb.com/?ip.3.94.40.55) | ec2-3-94-40-55.compute-1.amazonaws.com | - | Medium
3 | [3.94.72.89](https://vuldb.com/?ip.3.94.72.89) | ec2-3-94-72-89.compute-1.amazonaws.com | - | Medium
4 | [5.11.82.213](https://vuldb.com/?ip.5.11.82.213) | - | - | High
5 | [5.62.40.217](https://vuldb.com/?ip.5.62.40.217) | r-217.40.62.5.ptr.avast.com | - | High
6 | [8.241.78.254](https://vuldb.com/?ip.8.241.78.254) | - | - | High
7 | [8.248.5.254](https://vuldb.com/?ip.8.248.5.254) | - | - | High
8 | [23.39.160.11](https://vuldb.com/?ip.23.39.160.11) | a23-39-160-11.deploy.static.akamaitechnologies.com | - | High
9 | [23.39.160.19](https://vuldb.com/?ip.23.39.160.19) | a23-39-160-19.deploy.static.akamaitechnologies.com | - | High
10 | [23.39.160.59](https://vuldb.com/?ip.23.39.160.59) | a23-39-160-59.deploy.static.akamaitechnologies.com | - | High
11 | [23.39.160.72](https://vuldb.com/?ip.23.39.160.72) | a23-39-160-72.deploy.static.akamaitechnologies.com | - | High
12 | [23.41.187.13](https://vuldb.com/?ip.23.41.187.13) | a23-41-187-13.deploy.static.akamaitechnologies.com | - | High
13 | [23.62.46.8](https://vuldb.com/?ip.23.62.46.8) | a23-62-46-8.deploy.static.akamaitechnologies.com | - | High
14 | [34.98.99.30](https://vuldb.com/?ip.34.98.99.30) | 30.99.98.34.bc.googleusercontent.com | - | Medium
15 | [34.104.35.123](https://vuldb.com/?ip.34.104.35.123) | 123.35.104.34.bc.googleusercontent.com | - | Medium
16 | [38.132.109.186](https://vuldb.com/?ip.38.132.109.186) | - | - | High
17 | [41.78.118.2](https://vuldb.com/?ip.41.78.118.2) | - | - | High
18 | ... | ... | ... | ...
There are 70 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Africa Unknown_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
There are 7 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Africa Unknown. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `.travis.yml` | Medium
2 | File | `/.env` | Low
3 | File | `/.ssh/authorized_keys` | High
4 | File | `/account/details.php` | High
5 | File | `/admin.php` | Medium
6 | File | `/admin/user/manage` | High
7 | File | `/anony/mjpg.cgi` | High
8 | File | `/artist-display.php` | High
9 | File | `/customer_demo/index2.html` | High
10 | File | `/file?action=download&file` | High
11 | File | `/home/httpd/cgi-bin/cgi.cgi` | High
12 | File | `/html/includes/graphs/port/mac_acc_total.inc.php` | High
13 | File | `/inc/subscriber_list.php` | High
14 | File | `/install/index.php` | High
15 | File | `/layout/class.xblogcomment.php` | High
16 | File | `/LEPTON_stable_2.2.2/upload/admins/admintools/tool.php` | High
17 | File | `/manager/jsp/test.jsp` | High
18 | File | `/medical/inventories.php` | High
19 | File | `/monitoring` | Medium
20 | File | `/plugins/servlet/audit/resource` | High
21 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
22 | File | `/replication` | Medium
23 | File | `/RestAPI` | Medium
24 | File | `/TeleoptiWFM/Administration/GetOneTenant` | High
25 | File | `/tmp` | Low
26 | File | `/tmp/speedtest_urls.xml` | High
27 | File | `/uncpath/` | Medium
28 | File | `/usr/bin/at` | Medium
29 | File | `/var/log/nginx` | High
30 | File | `/_vti_pvt/access.cnf` | High
31 | File | `admin-ajax.php?action=get_wdtable order[0][dir]` | High
32 | File | `admin/e_mesaj_yaz.asp` | High
33 | File | `admin/mcart_xls_import.php` | High
34 | File | `admin/profile.php` | High
35 | File | `admin/salesadmin.php` | High
36 | File | `admin/systemWebAdminConfig.do` | High
37 | File | `admin11.cgi` | Medium
38 | File | `admincp/auth/checklogin.php` | High
39 | File | `agenda2.php3` | Medium
40 | File | `ajax-actions.php` | High
41 | ... | ... | ...
There are 349 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://github.com/ManagedGuard/AfricaBlackList/blob/main/MGAfricaIPBlackList.txt
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
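Review bot: the TTP table (row 2, T1068) pairs the Weakness entries CWE-264 and CWE-284 with the description "Execution with Unnecessary Privileges", which is the title of CWE-250, not of either listed CWE; either add CWE-250 to the Weakness column or describe the row with the weakness that is listed ("Improper Access Control"). The same pairing appears in every other TTP table in this commit, so the fix belongs in the generator rather than in this file. The IOA section has a related problem: rows 18 to 30 (`/medical/inventories.php` through `/var/log/nginx`) and row 31 (`admin-ajax.php?action=get_wdtable order[0][dir]`) are, in the same order, rows 9 to 21 and 27 of the Baldr IOA table further down; indicators shared verbatim between an Africa-focused actor and a stealer family come from the model's vulnerability feed, not from the actor, and rating them "High" overstates what they tell an analyst. The single reference is an IP blocklist, which can support the IOC section but nothing in the TTP or IOA sections.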

View File

@ -30,7 +30,7 @@ There are 9 more IOC items available. Please use our online service to access th
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Agrius_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Agrius_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------

View File

@ -27,7 +27,7 @@ There are 4 more IOC items available. Please use our online service to access th
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Allakore. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Allakore_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------

View File

@ -30,7 +30,7 @@ There are 4 more IOC items available. Please use our online service to access th
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Arid Viper_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Arid Viper_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------

View File

@ -1,6 +1,6 @@
# Arkei - Cyber Threat Intelligence
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Arkei](https://vuldb.com/?actor.arkei). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Arkei](https://vuldb.com/?actor.arkei). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.arkei](https://vuldb.com/?actor.arkei)
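Review bot: the reworded last sentence of the intro replaces "is able to forecast activities and their characteristics" with "uses _big data_ to forecast", which swaps a testable capability claim for a buzzword and tells the reader nothing about the model; the preceding sentence already names the correlated sources, so keep the original verb and drop "big data". The same change is applied to the Baldr and Banjori intros and to the two new files in this commit.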
@ -27,7 +27,7 @@ ID | IP address | Hostname | Campaign | Confidence
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Arkei. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Arkei_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------

actors/B1txor20/README.md (new file, 102 lines)
View File

@ -0,0 +1,102 @@
# B1txor20 - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [B1txor20](https://vuldb.com/?actor.b1txor20). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.b1txor20](https://vuldb.com/?actor.b1txor20)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with B1txor20:
* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [SC](https://vuldb.com/?country.sc)
* ...
There are 11 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of B1txor20.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [5.2.69.50](https://vuldb.com/?ip.5.2.69.50) | - | - | High
2 | [23.129.64.216](https://vuldb.com/?ip.23.129.64.216) | - | - | High
3 | [23.154.177.4](https://vuldb.com/?ip.23.154.177.4) | - | - | High
4 | [45.13.104.179](https://vuldb.com/?ip.45.13.104.179) | nosoignons.cust.milkywan.net | - | High
5 | [45.61.185.90](https://vuldb.com/?ip.45.61.185.90) | MiamiTor4.us | - | High
6 | [45.154.255.147](https://vuldb.com/?ip.45.154.255.147) | cust-147.keff.org | - | High
7 | [46.166.139.111](https://vuldb.com/?ip.46.166.139.111) | - | - | High
8 | [51.15.43.205](https://vuldb.com/?ip.51.15.43.205) | 205-43-15-51.instances.scw.cloud | - | High
9 | [62.102.148.68](https://vuldb.com/?ip.62.102.148.68) | - | - | High
10 | [62.102.148.69](https://vuldb.com/?ip.62.102.148.69) | - | - | High
11 | [81.17.18.62](https://vuldb.com/?ip.81.17.18.62) | block1-che.interlayer.co.uk | - | High
12 | [104.244.73.126](https://vuldb.com/?ip.104.244.73.126) | lu1.exit.tor.alkyl.eu.org | - | High
13 | [109.201.133.100](https://vuldb.com/?ip.109.201.133.100) | . | - | High
14 | [162.247.74.27](https://vuldb.com/?ip.162.247.74.27) | turing.tor-exit.calyxinstitute.org | - | High
15 | ... | ... | ... | ...
There are 54 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _B1txor20_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
2 | T1059.007 | CWE-79 | Cross Site Scripting | High
3 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
4 | ... | ... | ... | ...
There are 8 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by B1txor20. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/.htaccess` | Medium
2 | File | `/admin-panel1.php` | High
3 | File | `/admin/?page=members/view_member` | High
4 | File | `/admin/doctors/view_doctor.php` | High
5 | File | `/admin/file-manager/` | High
6 | File | `/admin/files` | Medium
7 | File | `/admin/login.php` | High
8 | File | `/admin/news/news_mod.php` | High
9 | File | `/admin/news/news_ok.php` | High
10 | File | `/admin/options` | High
11 | File | `/admin/page_edit/3` | High
12 | File | `/admin/templates/template_manage.php` | High
13 | File | `/admin_page/all-files-update-ajax.php` | High
14 | File | `/api/servers` | Medium
15 | File | `/aya/module/admin/ust_tab_e.inc.php` | High
16 | File | `/cloud_config/router_post/check_reset_pwd_verify_code` | High
17 | File | `/cloud_config/router_post/upgrade_info` | High
18 | File | `/common/info.cgi` | High
19 | File | `/DataPackageTable` | High
20 | File | `/download/` | Medium
21 | File | `/etc/passwd` | Medium
22 | File | `/goform/SetPptpServerCfg` | High
23 | ... | ... | ...
There are 189 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://blog.netlab.360.com/b1txor20-use-of-dns-tunneling_cn/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
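Review bot: three of the fourteen visible IOC rows are Tor exit relays by their own hostnames (row 5 MiamiTor4.us, row 12 lu1.exit.tor.alkyl.eu.org, row 14 turing.tor-exit.calyxinstitute.org) yet carry "High" confidence; an exit relay is shared by every Tor client, so these rows identify Tor use rather than B1txor20 infrastructure and will produce false positives if the table is fed into a blocklist. Rate them "Medium" at most and say they are exits, as this commit already does for cloud hostnames elsewhere. Row 13 has "." in the Hostname column where every other row without reverse DNS uses "-"; that looks like an empty PTR answer leaking through the generator and should be normalised. The IOA rows 1 to 22 are almost the same list, in the same order, as the rows added to Black KingDom below (`/.htaccess`, `/admin/login.php`, `/cloud_config/router_post/...`, `/DataPackageTable`, `/download/`, `/etc/passwd`), which does not fit the DNS-tunnelling Linux backdoor the referenced 360 Netlab post describes; generic web paths shared across unrelated actors should not be rated "High".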

View File

@ -1,6 +1,6 @@
# Baldr - Cyber Threat Intelligence
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Baldr](https://vuldb.com/?actor.baldr). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Baldr](https://vuldb.com/?actor.baldr). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.baldr](https://vuldb.com/?actor.baldr)
@ -8,8 +8,8 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Baldr:
* NL
* US
* [NL](https://vuldb.com/?country.nl)
* [US](https://vuldb.com/?country.us)
## IOC - Indicator of Compromise
@ -17,37 +17,37 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 5.8.88.198 | - | - | High
2 | 5.45.73.87 | - | - | High
3 | 5.188.60.7 | - | - | High
4 | 5.188.60.18 | - | - | High
5 | 5.188.60.24 | - | - | High
6 | 5.188.60.30 | - | - | High
7 | 5.188.60.54 | - | - | High
8 | 5.188.60.68 | - | - | High
9 | 5.188.60.74 | - | - | High
10 | 5.188.60.101 | - | - | High
11 | 5.188.60.115 | - | - | High
12 | 5.188.60.206 | - | - | High
13 | 5.188.231.96 | - | - | High
14 | 5.188.231.210 | - | - | High
15 | 18.207.217.146 | ec2-18-207-217-146.compute-1.amazonaws.com | - | Medium
16 | 18.221.49.166 | ec2-18-221-49-166.us-east-2.compute.amazonaws.com | - | Medium
17 | 23.19.58.101 | - | - | High
18 | 23.95.95.61 | 23-95-95-61-host.colocrossing.com | - | High
19 | 23.254.217.112 | hwsrv-930282.hostwindsdns.com | - | High
20 | 23.254.225.240 | sha29.phpautomailer.com | - | High
21 | 45.64.186.10 | 45-64-186-10.static.bangmod-idc.com | - | High
22 | 45.77.252.143 | 45.77.252.143.vultr.com | - | Medium
23 | 46.30.42.130 | assetshub.com | - | High
24 | 46.249.62.196 | - | - | High
1 | [5.8.88.198](https://vuldb.com/?ip.5.8.88.198) | - | - | High
2 | [5.45.73.87](https://vuldb.com/?ip.5.45.73.87) | - | - | High
3 | [5.188.60.7](https://vuldb.com/?ip.5.188.60.7) | - | - | High
4 | [5.188.60.18](https://vuldb.com/?ip.5.188.60.18) | - | - | High
5 | [5.188.60.24](https://vuldb.com/?ip.5.188.60.24) | - | - | High
6 | [5.188.60.30](https://vuldb.com/?ip.5.188.60.30) | - | - | High
7 | [5.188.60.54](https://vuldb.com/?ip.5.188.60.54) | - | - | High
8 | [5.188.60.68](https://vuldb.com/?ip.5.188.60.68) | - | - | High
9 | [5.188.60.74](https://vuldb.com/?ip.5.188.60.74) | - | - | High
10 | [5.188.60.101](https://vuldb.com/?ip.5.188.60.101) | - | - | High
11 | [5.188.60.115](https://vuldb.com/?ip.5.188.60.115) | - | - | High
12 | [5.188.60.206](https://vuldb.com/?ip.5.188.60.206) | - | - | High
13 | [5.188.231.96](https://vuldb.com/?ip.5.188.231.96) | - | - | High
14 | [5.188.231.210](https://vuldb.com/?ip.5.188.231.210) | - | - | High
15 | [18.207.217.146](https://vuldb.com/?ip.18.207.217.146) | ec2-18-207-217-146.compute-1.amazonaws.com | - | Medium
16 | [18.221.49.166](https://vuldb.com/?ip.18.221.49.166) | ec2-18-221-49-166.us-east-2.compute.amazonaws.com | - | Medium
17 | [23.19.58.101](https://vuldb.com/?ip.23.19.58.101) | - | - | High
18 | [23.95.95.61](https://vuldb.com/?ip.23.95.95.61) | 23-95-95-61-host.colocrossing.com | - | High
19 | [23.254.217.112](https://vuldb.com/?ip.23.254.217.112) | hwsrv-930282.hostwindsdns.com | - | High
20 | [23.254.225.240](https://vuldb.com/?ip.23.254.225.240) | sha29.phpautomailer.com | - | High
21 | [45.64.186.10](https://vuldb.com/?ip.45.64.186.10) | 45-64-186-10.static.bangmod-idc.com | - | High
22 | [45.77.252.143](https://vuldb.com/?ip.45.77.252.143) | 45.77.252.143.vultr.com | - | Medium
23 | [46.30.42.130](https://vuldb.com/?ip.46.30.42.130) | assetshub.com | - | High
24 | [46.249.62.196](https://vuldb.com/?ip.46.249.62.196) | - | - | High
25 | ... | ... | ... | ...
There are 97 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Baldr. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Baldr_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -56,7 +56,7 @@ ID | Technique | Weakness | Description | Confidence
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
There are 7 more TTP items available. Please use our online service to access the data.
There are 6 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
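Review bot: the only change in this hunk is the trailer dropping from 7 to 6 remaining TTP items while rows 1 to 3 are unchanged, so a technique beyond row 4 was removed and nothing in the diff records which one; a consumer who mapped the old row cannot tell what to retract. Either keep removed rows with a lowered confidence or note the retraction in the changelog the file links to.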
@ -71,37 +71,37 @@ ID | Type | Indicator | Confidence
5 | File | `/category_view.php` | High
6 | File | `/dev/kmem` | Medium
7 | File | `/dev/shm` | Medium
8 | File | `/medical/inventories.php` | High
9 | File | `/monitoring` | Medium
10 | File | `/NAGErrors` | Medium
11 | File | `/plugins/servlet/audit/resource` | High
12 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
13 | File | `/proc/ioports` | High
14 | File | `/replication` | Medium
15 | File | `/RestAPI` | Medium
16 | File | `/rom-0` | Low
17 | File | `/tmp` | Low
18 | File | `/tmp/speedtest_urls.xml` | High
19 | File | `/uncpath/` | Medium
20 | File | `/var/log/nginx` | High
21 | File | `/wp-admin/admin.php` | High
22 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
23 | File | `abook_database.php` | High
24 | File | `account.asp` | Medium
25 | File | `addentry.php` | Medium
26 | File | `admin-ajax.php?action=get_wdtable order[0][dir]` | High
27 | File | `admin/index.php` | High
28 | File | `admin/login.php` | High
29 | File | `admincp.php?app=files` | High
30 | File | `admin\model\catalog\download.php` | High
31 | File | `ajax/render/widget_php` | High
32 | File | `apcupsd.pid` | Medium
33 | File | `api/sms/send-sms` | High
34 | File | `api/v1/alarms` | High
35 | File | `application/controller/InstallerController.php` | High
8 | File | `/file?action=download&file` | High
9 | File | `/medical/inventories.php` | High
10 | File | `/monitoring` | Medium
11 | File | `/NAGErrors` | Medium
12 | File | `/plugins/servlet/audit/resource` | High
13 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
14 | File | `/proc/ioports` | High
15 | File | `/replication` | Medium
16 | File | `/RestAPI` | Medium
17 | File | `/rom-0` | Low
18 | File | `/tmp` | Low
19 | File | `/tmp/speedtest_urls.xml` | High
20 | File | `/uncpath/` | Medium
21 | File | `/var/log/nginx` | High
22 | File | `/wp-admin/admin.php` | High
23 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
24 | File | `abook_database.php` | High
25 | File | `account.asp` | Medium
26 | File | `addentry.php` | Medium
27 | File | `admin-ajax.php?action=get_wdtable order[0][dir]` | High
28 | File | `admin/index.php` | High
29 | File | `admin/login.php` | High
30 | File | `admincp.php?app=files` | High
31 | File | `admin\model\catalog\download.php` | High
32 | File | `ajax/render/widget_php` | High
33 | File | `apcupsd.pid` | Medium
34 | File | `api/sms/send-sms` | High
35 | File | `api/v1/alarms` | High
36 | ... | ... | ...
There are 305 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 306 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
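Review bot: inserting one row (`/file?action=download&file`, new row 8) rewrites 28 unchanged rows because the ID column is a running number; the IDs therefore cannot serve as stable references across versions and every insertion yields a diff of this size. Drop the ID column, which carries nothing the row order does not, or assign identifiers that survive insertion. The inserted indicator itself is a truncated query string with a bare `file` parameter and no value; if that is the observed fragment it should be stored under the pattern or argument type the trailer line lists, since it will never match as a literal File path.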
## References

View File

@ -1,55 +1,62 @@
# Banjori - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Banjori](https://vuldb.com/?actor.banjori). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Banjori](https://vuldb.com/?actor.banjori). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.banjori](https://vuldb.com/?actor.banjori)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.banjori](https://vuldb.com/?actor.banjori)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Banjori:
* [US](https://vuldb.com/?country.us)
* [ES](https://vuldb.com/?country.es)
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Banjori.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Banjori.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 3.216.121.17 | ec2-3-216-121-17.compute-1.amazonaws.com | Medium
2 | 5.79.79.212 | - | High
3 | 13.59.74.74 | ec2-13-59-74-74.us-east-2.compute.amazonaws.com | Medium
4 | 14.192.4.75 | - | High
5 | 18.213.250.117 | ec2-18-213-250-117.compute-1.amazonaws.com | Medium
6 | 18.215.128.143 | ec2-18-215-128-143.compute-1.amazonaws.com | Medium
7 | 23.89.20.107 | - | High
8 | 23.89.102.123 | - | High
9 | 23.107.124.53 | - | High
10 | 23.110.15.74 | - | High
11 | 23.226.53.226 | - | High
12 | 23.227.38.65 | myshopify.com | High
13 | 23.231.218.195 | - | High
14 | 23.236.62.147 | 147.62.236.23.bc.googleusercontent.com | Medium
15 | 34.98.99.30 | 30.99.98.34.bc.googleusercontent.com | Medium
16 | 34.102.136.180 | 180.136.102.34.bc.googleusercontent.com | Medium
17 | 35.186.238.101 | 101.238.186.35.bc.googleusercontent.com | Medium
18 | 35.226.69.129 | 129.69.226.35.bc.googleusercontent.com | Medium
19 | 43.230.142.125 | - | High
20 | 43.241.196.105 | - | High
21 | 43.249.76.176 | - | High
22 | 47.91.170.222 | - | High
23 | 47.245.10.59 | - | High
24 | 50.117.86.130 | - | High
25 | 52.4.209.250 | ec2-52-4-209-250.compute-1.amazonaws.com | Medium
26 | 52.25.92.0 | ec2-52-25-92-0.us-west-2.compute.amazonaws.com | Medium
27 | 52.58.78.16 | ec2-52-58-78-16.eu-central-1.compute.amazonaws.com | Medium
28 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [3.216.121.17](https://vuldb.com/?ip.3.216.121.17) | ec2-3-216-121-17.compute-1.amazonaws.com | - | Medium
2 | [5.79.79.212](https://vuldb.com/?ip.5.79.79.212) | - | - | High
3 | [13.59.74.74](https://vuldb.com/?ip.13.59.74.74) | ec2-13-59-74-74.us-east-2.compute.amazonaws.com | - | Medium
4 | [14.192.4.75](https://vuldb.com/?ip.14.192.4.75) | - | - | High
5 | [18.213.250.117](https://vuldb.com/?ip.18.213.250.117) | ec2-18-213-250-117.compute-1.amazonaws.com | - | Medium
6 | [18.215.128.143](https://vuldb.com/?ip.18.215.128.143) | ec2-18-215-128-143.compute-1.amazonaws.com | - | Medium
7 | [23.89.20.107](https://vuldb.com/?ip.23.89.20.107) | - | - | High
8 | [23.89.102.123](https://vuldb.com/?ip.23.89.102.123) | - | - | High
9 | [23.107.124.53](https://vuldb.com/?ip.23.107.124.53) | - | - | High
10 | [23.110.15.74](https://vuldb.com/?ip.23.110.15.74) | - | - | High
11 | [23.226.53.226](https://vuldb.com/?ip.23.226.53.226) | - | - | High
12 | [23.227.38.65](https://vuldb.com/?ip.23.227.38.65) | myshopify.com | - | High
13 | [23.231.218.195](https://vuldb.com/?ip.23.231.218.195) | - | - | High
14 | [23.236.62.147](https://vuldb.com/?ip.23.236.62.147) | 147.62.236.23.bc.googleusercontent.com | - | Medium
15 | [34.98.99.30](https://vuldb.com/?ip.34.98.99.30) | 30.99.98.34.bc.googleusercontent.com | - | Medium
16 | [34.102.136.180](https://vuldb.com/?ip.34.102.136.180) | 180.136.102.34.bc.googleusercontent.com | - | Medium
17 | [35.186.238.101](https://vuldb.com/?ip.35.186.238.101) | 101.238.186.35.bc.googleusercontent.com | - | Medium
18 | [35.226.69.129](https://vuldb.com/?ip.35.226.69.129) | 129.69.226.35.bc.googleusercontent.com | - | Medium
19 | [43.230.142.125](https://vuldb.com/?ip.43.230.142.125) | - | - | High
20 | [43.241.196.105](https://vuldb.com/?ip.43.241.196.105) | - | - | High
21 | [43.249.76.176](https://vuldb.com/?ip.43.249.76.176) | - | - | High
22 | [47.91.170.222](https://vuldb.com/?ip.47.91.170.222) | - | - | High
23 | [47.245.10.59](https://vuldb.com/?ip.47.245.10.59) | - | - | High
24 | [50.117.86.130](https://vuldb.com/?ip.50.117.86.130) | - | - | High
25 | [52.4.209.250](https://vuldb.com/?ip.52.4.209.250) | ec2-52-4-209-250.compute-1.amazonaws.com | - | Medium
26 | [52.25.92.0](https://vuldb.com/?ip.52.25.92.0) | ec2-52-25-92-0.us-west-2.compute.amazonaws.com | - | Medium
27 | [52.58.78.16](https://vuldb.com/?ip.52.58.78.16) | ec2-52-58-78-16.eu-central-1.compute.amazonaws.com | - | Medium
28 | ... | ... | ... | ...
There are 109 more IOC items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://github.com/firehol/blocklist-ipsets/blob/master/bambenek_banjori.ipset
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
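Review bot: row 12 (23.227.38.65, resolving to myshopify.com) is rated "High" while the rows resolving to amazonaws.com and googleusercontent.com are rated "Medium"; a shared storefront front end is at least as likely to hit unrelated traffic as a cloud instance and should be rated the same way. Banjori is a DGA family and the reference is a DGA-derived ipset, so many of these addresses are where unregistered or parked DGA names resolved at collection time; a column with the observation date would make the list usable. The new Campaign column is "-" in every one of the 27 visible rows; if no campaign is attributed, omit the column rather than add an empty one. The correction of "ressources" to "resources" in the IOC lead sentence is right.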

View File

@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [MX](https://vuldb.com/?country.mx)
* ...
There are 4 more country items available. Please use our online service to access the data.
There are 5 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -30,16 +30,16 @@ There are 1 more IOC items available. Please use our online service to access th
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Black KingDom_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Black KingDom_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1008 | CWE-757 | Algorithm Downgrade | High
1 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
2 | T1059.007 | CWE-79 | Cross Site Scripting | High
3 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
4 | ... | ... | ... | ...
There are 9 more TTP items available. Please use our online service to access the data.
There are 8 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
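Review bot: row 1 is replaced rather than reordered (T1008 / CWE-757 "Algorithm Downgrade" becomes T1040 / CWE-294 "Authentication Bypass by Capture-replay") and the trailer drops from 9 to 8, so T1008 has been retracted from this profile with no record of why; the identical T1040 row now also opens the new B1txor20 table above, which points to a model-wide change rather than new evidence about Black KingDom. Retractions should be visible in the changelog the file links to. The mapping itself is loose: T1040 is Network Sniffing, and CWE-294 describes replaying captured credentials, which is a consequence of sniffing rather than the technique.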
@ -47,30 +47,30 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/admin-panel1.php` | High
2 | File | `/adminzone/index.php?page=admin-commandr` | High
3 | File | `/api/servers` | Medium
4 | File | `/aya/module/admin/ust_tab_e.inc.php` | High
5 | File | `/core/admin/comment.php` | High
6 | File | `/data-service/users/` | High
7 | File | `/etc/passwd` | Medium
8 | File | `/etc/wpa_supplicant.conf` | High
9 | File | `/goform/SetPptpServerCfg` | High
10 | File | `/jeecg-boot/sys/user/queryUserByDepId` | High
11 | File | `/js/app.js` | Medium
12 | File | `/js/js-parser.c` | High
13 | File | `/main?cmd=invalid_browser` | High
14 | File | `/mdiy/dict/listExcludeApp` | High
15 | File | `/ms/file/uploadTemplate.do` | High
16 | File | `/ok_jpg.c` | Medium
17 | File | `/ok_png.c` | Medium
18 | File | `/ping.html` | Medium
19 | File | `/rootfs` | Low
20 | File | `/SASWebReportStudio/logonAndRender.do` | High
21 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
1 | File | `/.htaccess` | Medium
2 | File | `/admin-panel1.php` | High
3 | File | `/admin/login.php` | High
4 | File | `/admin/templates/template_manage.php` | High
5 | File | `/adminzone/index.php?page=admin-commandr` | High
6 | File | `/api/servers` | Medium
7 | File | `/aya/module/admin/ust_tab_e.inc.php` | High
8 | File | `/cloud_config/router_post/check_reset_pwd_verify_code` | High
9 | File | `/cloud_config/router_post/upgrade_info` | High
10 | File | `/core/admin/comment.php` | High
11 | File | `/DataPackageTable` | High
12 | File | `/download/` | Medium
13 | File | `/etc/passwd` | Medium
14 | File | `/etc/wpa_supplicant.conf` | High
15 | File | `/goform/SetPptpServerCfg` | High
16 | File | `/i/:data/ipa.plist` | High
17 | File | `/jeecg-boot/sys/user/queryUserByDepId` | High
18 | File | `/js/js-parser.c` | High
19 | File | `/main?cmd=invalid_browser` | High
20 | File | `/mdiy/dict/listExcludeApp` | High
21 | File | `/ms/file/uploadTemplate.do` | High
22 | ... | ... | ...
There are 178 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 180 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
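Review bot: seven of the eight rows added here (`/.htaccess`, `/admin/login.php`, `/admin/templates/template_manage.php`, both `/cloud_config/router_post/` paths, `/DataPackageTable`, `/download/`) also appear, in the same order, in the new B1txor20 file above; indicators shared verbatim across unrelated actors describe the model's vulnerability feed, not the actor, and should not be rated "High". The eighth, `/i/:data/ipa.plist`, contains a route placeholder (`:data`) rather than a path that would ever appear in a request or a log, so it cannot match as a File indicator and belongs under the pattern type. Eight rows are added but the trailer only rises from 178 to 180, and `/js/app.js`, which sat between `/jeecg-boot/sys/user/queryUserByDepId` and `/js/js-parser.c`, is gone from the visible rows; the removals are silent. As in the Baldr hunk, the running ID column turns these insertions into a 21-row rewrite.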
## References

actors/BlackCat/README.md (new file, 54 lines)
View File

@ -0,0 +1,54 @@
# BlackCat - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [BlackCat](https://vuldb.com/?actor.blackcat). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.blackcat](https://vuldb.com/?actor.blackcat)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with BlackCat:
* [US](https://vuldb.com/?country.us)
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of BlackCat.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [20.46.245.56](https://vuldb.com/?ip.20.46.245.56) | - | - | High
2 | [52.149.228.45](https://vuldb.com/?ip.52.149.228.45) | - | - | High
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _BlackCat_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-80 | Cross Site Scripting | High
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by BlackCat. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `nav.php3` | Medium
2 | Argument | `page` | Low
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
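Review bot: the Description column of the TTP table (row 1, `T1059.007 | CWE-80 | Cross Site Scripting`) carries the CWE title, not a description of the ATT&CK technique, so a reader cannot tell which of the two identifiers the text belongs to; either rename the column to something like "Weakness description" or add a column with the technique name beside its ID. Every actor file in this commit uses the same layout, so the fix belongs in the generator template rather than in this file.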

View File

@ -29,7 +29,7 @@ There are 22 more IOC items available. Please use our online service to access t
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Bondnet_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Bondnet_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------

View File

@ -27,7 +27,7 @@ There are 10 more IOC items available. Please use our online service to access t
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Brunhilda_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Brunhilda_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------

View File

@ -26,7 +26,7 @@ There are 7 more IOC items available. Please use our online service to access th
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Butter_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Butter_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------

View File

@ -1,44 +1,44 @@
# C0d0so - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [C0d0so](https://vuldb.com/?actor.c0d0so). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [C0d0so](https://vuldb.com/?actor.c0d0so). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.c0d0so](https://vuldb.com/?actor.c0d0so)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.c0d0so](https://vuldb.com/?actor.c0d0so)
## Campaigns
The following campaigns are known and can be associated with C0d0so:
The following _campaigns_ are known and can be associated with C0d0so:
* Bergard
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with C0d0so:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with C0d0so:
* CN
* [CN](https://vuldb.com/?country.cn)
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of C0d0so.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of C0d0so.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 42.200.18.194 | - | High
2 | 121.54.168.230 | - | High
3 | 210.181.184.64 | - | High
4 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [42.200.18.194](https://vuldb.com/?ip.42.200.18.194) | - | Bergard | High
2 | [121.54.168.230](https://vuldb.com/?ip.121.54.168.230) | - | - | High
3 | [210.181.184.64](https://vuldb.com/?ip.210.181.184.64) | - | Bergard | High
4 | ... | ... | ... | ...
There are 1 more IOC items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://www.threatminer.org/report.php?q=ExploringBergard_OldMalwarewithNewTricks_Proofpoint.pdf&y=2016
* https://www.threatminer.org/report.php?q=NewAttacksLinkedtoC0d0so0Group-PaloAltoNetworksBlogPaloAltoNetworksBlog.pdf&y=2016
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
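Review bot: the unchanged context line `There are 1 more IOC items available.` is ungrammatical for a remainder of one, and the same wording appears further down in this commit (`There are 1 more TTP items available.` in the Conficker file); the generator already knows the count, so have it emit the singular form when the remainder is 1. The new Campaign column brings this table in line with the Carbanak and Charming Kitten files, which already carried it.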

View File

@ -33,7 +33,7 @@ There are 23 more IOC items available. Please use our online service to access t
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Candiru_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Candiru_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -85,7 +85,8 @@ ID | Type | Indicator | Confidence
33 | File | `/storage/app/media/evil.svg` | High
34 | File | `/transmission/web/` | High
35 | File | `/uapi/doc` | Medium
36 | ... | ... | ...
36 | File | `/uncpath/` | Medium
37 | ... | ... | ...
There are 313 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

View File

@ -1,6 +1,6 @@
# Carbanak - Cyber Threat Intelligence
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Carbanak](https://vuldb.com/?actor.carbanak). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Carbanak](https://vuldb.com/?actor.carbanak). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.carbanak](https://vuldb.com/?actor.carbanak)
@ -15,9 +15,9 @@ The following _campaigns_ are known and can be associated with Carbanak:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Carbanak:
* US
* RU
* SE
* [US](https://vuldb.com/?country.us)
* [RU](https://vuldb.com/?country.ru)
* [SE](https://vuldb.com/?country.se)
* ...
There are 29 more country items available. Please use our online service to access the data.
@ -28,48 +28,48 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 5.1.83.133 | mail.printonrug.com | - | High
2 | 5.45.179.173 | mail.kincoss.info | - | High
3 | 5.45.179.185 | - | - | High
4 | 5.45.192.117 | - | - | High
5 | 5.61.32.118 | - | - | High
6 | 5.61.38.52 | - | - | High
7 | 5.101.146.184 | 3928081.securefastserver.com | - | High
8 | 5.135.111.89 | - | - | High
9 | 5.199.169.188 | - | - | High
10 | 10.74.5.100 | - | - | High
11 | 23.227.196.99 | 23-227-196-99.static.hvvc.us | - | High
12 | 31.3.155.123 | swe-net-ip.as51430.net | - | High
13 | 31.131.17.79 | - | - | High
14 | 31.131.17.81 | - | - | High
15 | 31.131.17.125 | - | - | High
16 | 31.131.17.128 | - | - | High
17 | 37.46.114.148 | bg.as51430.net | - | High
18 | 37.59.202.124 | ip124.ip-37-59-202.eu | - | High
19 | 37.235.54.48 | 48.54.235.37.in-addr.arpa | - | High
20 | 45.63.23.135 | 45.63.23.135.vultr.com | - | Medium
21 | 45.63.96.216 | 45.63.96.216.vultr.com | - | Medium
22 | 50.62.171.62 | ip-50-62-171-62.ip.secureserver.net | - | High
23 | 50.115.127.36 | 50.115.127.36.static.westdc.net | - | High
24 | 50.115.127.37 | mail.ingrampartners.com | - | High
25 | 51.254.95.99 | ip99.ip-51-254-95.eu | - | High
26 | 51.254.95.100 | ip100.ip-51-254-95.eu | - | High
27 | 55.198.6.56 | - | - | High
28 | 59.55.142.171 | - | - | High
29 | 60.228.38.213 | cpe-60-228-38-213.bpe6-r-962.pie.wa.bigpond.net.au | - | High
30 | 61.7.219.61 | - | - | High
31 | 62.75.224.229 | prag178.startdedicated.de | - | High
32 | 62.210.25.121 | svgit.festivalscope.com | Grand Mars | High
33 | 65.19.141.199 | - | - | High
34 | 66.55.133.86 | 66-55-133-86.choopa.net | - | High
35 | 66.232.124.175 | customer.hivelocity.net | - | High
1 | [5.1.83.133](https://vuldb.com/?ip.5.1.83.133) | mail.printonrug.com | - | High
2 | [5.45.179.173](https://vuldb.com/?ip.5.45.179.173) | mail.kincoss.info | - | High
3 | [5.45.179.185](https://vuldb.com/?ip.5.45.179.185) | - | - | High
4 | [5.45.192.117](https://vuldb.com/?ip.5.45.192.117) | - | - | High
5 | [5.61.32.118](https://vuldb.com/?ip.5.61.32.118) | - | - | High
6 | [5.61.38.52](https://vuldb.com/?ip.5.61.38.52) | - | - | High
7 | [5.101.146.184](https://vuldb.com/?ip.5.101.146.184) | 3928081.securefastserver.com | - | High
8 | [5.135.111.89](https://vuldb.com/?ip.5.135.111.89) | - | - | High
9 | [5.199.169.188](https://vuldb.com/?ip.5.199.169.188) | - | - | High
10 | [10.74.5.100](https://vuldb.com/?ip.10.74.5.100) | - | - | High
11 | [23.227.196.99](https://vuldb.com/?ip.23.227.196.99) | 23-227-196-99.static.hvvc.us | - | High
12 | [31.3.155.123](https://vuldb.com/?ip.31.3.155.123) | swe-net-ip.as51430.net | - | High
13 | [31.131.17.79](https://vuldb.com/?ip.31.131.17.79) | - | - | High
14 | [31.131.17.81](https://vuldb.com/?ip.31.131.17.81) | - | - | High
15 | [31.131.17.125](https://vuldb.com/?ip.31.131.17.125) | - | - | High
16 | [31.131.17.128](https://vuldb.com/?ip.31.131.17.128) | - | - | High
17 | [37.46.114.148](https://vuldb.com/?ip.37.46.114.148) | bg.as51430.net | - | High
18 | [37.59.202.124](https://vuldb.com/?ip.37.59.202.124) | ip124.ip-37-59-202.eu | - | High
19 | [37.235.54.48](https://vuldb.com/?ip.37.235.54.48) | 48.54.235.37.in-addr.arpa | - | High
20 | [45.63.23.135](https://vuldb.com/?ip.45.63.23.135) | 45.63.23.135.vultr.com | - | Medium
21 | [45.63.96.216](https://vuldb.com/?ip.45.63.96.216) | 45.63.96.216.vultr.com | - | Medium
22 | [50.62.171.62](https://vuldb.com/?ip.50.62.171.62) | ip-50-62-171-62.ip.secureserver.net | - | High
23 | [50.115.127.36](https://vuldb.com/?ip.50.115.127.36) | 50.115.127.36.static.westdc.net | - | High
24 | [50.115.127.37](https://vuldb.com/?ip.50.115.127.37) | mail.ingrampartners.com | - | High
25 | [51.254.95.99](https://vuldb.com/?ip.51.254.95.99) | ip99.ip-51-254-95.eu | - | High
26 | [51.254.95.100](https://vuldb.com/?ip.51.254.95.100) | ip100.ip-51-254-95.eu | - | High
27 | [55.198.6.56](https://vuldb.com/?ip.55.198.6.56) | - | - | High
28 | [59.55.142.171](https://vuldb.com/?ip.59.55.142.171) | - | - | High
29 | [60.228.38.213](https://vuldb.com/?ip.60.228.38.213) | cpe-60-228-38-213.bpe6-r-962.pie.wa.bigpond.net.au | - | High
30 | [61.7.219.61](https://vuldb.com/?ip.61.7.219.61) | - | - | High
31 | [62.75.224.229](https://vuldb.com/?ip.62.75.224.229) | prag178.startdedicated.de | - | High
32 | [62.210.25.121](https://vuldb.com/?ip.62.210.25.121) | svgit.festivalscope.com | Grand Mars | High
33 | [65.19.141.199](https://vuldb.com/?ip.65.19.141.199) | - | - | High
34 | [66.55.133.86](https://vuldb.com/?ip.66.55.133.86) | 66-55-133-86.choopa.net | - | High
35 | [66.232.124.175](https://vuldb.com/?ip.66.232.124.175) | customer.hivelocity.net | - | High
36 | ... | ... | ... | ...
There are 140 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Carbanak. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Carbanak_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
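Review bot: row 10 lists `10.74.5.100` as a High-confidence IOC and now links it to a public IP lookup, but 10.0.0.0/8 is private RFC 1918 space and never appears as a source address on Internet-facing sensors; anyone importing this table into a perimeter blocklist gets a useless or harmful entry, so drop the row or mark it as an internal address quoted from a report rather than a network indicator. Row 19 shows `48.54.235.37.in-addr.arpa` in the Hostname column, which is the reverse-lookup name itself rather than a resolved host; the generator should render `-` when the PTR query returns nothing.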
@ -78,7 +78,7 @@ ID | Technique | Weakness | Description | Confidence
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
There are 7 more TTP items available. Please use our online service to access the data.
There are 6 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
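Review bot: the only change in this hunk is the remainder dropping from `7 more TTP items` to `6 more`, so a technique was removed from the actor profile without any visible row changing; the same silent decrement appears in the Charming Kitten (7 to 6) and Conficker (2 to 1) TTP hunks below. Regenerated counts are expected, but consumers who track these files will want the removed technique IDs named in the commit message, or the tables rendered in full so the diff itself shows what went away.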
@ -114,16 +114,16 @@ ID | Type | Indicator | Confidence
26 | File | `/wp-content/plugins/updraftplus/admin.php` | High
27 | File | `/zhndnsdisplay.cmd` | High
28 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
29 | File | `acl.c` | Low
30 | File | `adclick.php` | Medium
31 | File | `add_comment.php` | High
32 | File | `add_vhost.php` | High
33 | File | `admin.php` | Medium
34 | File | `admin/default.asp` | High
35 | File | `admin/index.php?n=ui_set&m=admin&c=index&a=doget_text_content&table=lang&field=1` | High
29 | File | `about.php` | Medium
30 | File | `acl.c` | Low
31 | File | `adclick.php` | Medium
32 | File | `add_comment.php` | High
33 | File | `add_vhost.php` | High
34 | File | `admin.php` | Medium
35 | File | `admin/conf_users_edit.php` | High
36 | ... | ... | ...
There are 306 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 313 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

View File

@ -30,7 +30,7 @@ There are 7 more IOC items available. Please use our online service to access th
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Chafer. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Chafer_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -55,7 +55,7 @@ ID | Type | Indicator | Confidence
6 | File | `/uncpath/` | Medium
7 | ... | ... | ...
There are 49 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 50 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

View File

@ -1,6 +1,6 @@
# Charming Kitten - Cyber Threat Intelligence
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Charming Kitten](https://vuldb.com/?actor.charming_kitten). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Charming Kitten](https://vuldb.com/?actor.charming_kitten). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.charming_kitten](https://vuldb.com/?actor.charming_kitten)
@ -14,12 +14,12 @@ The following _campaigns_ are known and can be associated with Charming Kitten:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Charming Kitten:
* NL
* CN
* US
* [NL](https://vuldb.com/?country.nl)
* [CN](https://vuldb.com/?country.cn)
* [US](https://vuldb.com/?country.us)
* ...
There are 23 more country items available. Please use our online service to access the data.
There are 22 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -27,35 +27,35 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 5.79.69.198 | - | - | High
2 | 5.79.69.206 | - | - | High
3 | 5.79.105.153 | - | - | High
4 | 5.79.105.156 | - | - | High
5 | 5.79.105.161 | - | - | High
6 | 5.79.105.165 | - | - | High
7 | 5.152.202.51 | h5-152-202-51.host.redstation.co.uk | - | High
8 | 5.152.202.52 | h5-152-202-52.host.redstation.co.uk | - | High
9 | 31.3.236.90 | h31-3-236-90.host.redstation.co.uk | - | High
10 | 31.3.236.91 | h31-3-236-91.host.redstation.co.uk | - | High
11 | 31.3.236.92 | h31-3-236-92.host.redstation.co.uk | - | High
12 | 37.220.8.13 | h37-220-8-13.host.redstation.co.uk | - | High
13 | 46.17.97.37 | - | - | High
14 | 46.17.97.40 | - | - | High
15 | 46.17.97.240 | - | - | High
16 | 46.17.97.243 | - | - | High
17 | 51.254.254.217 | me14.mecide.com | - | High
18 | 51.255.28.57 | - | - | High
19 | 54.36.217.8 | ip8.ip-54-36-217.eu | - | High
20 | 54.37.164.254 | - | - | High
21 | 54.38.49.6 | ip6.ip-54-38-49.eu | Log4Shell | High
22 | 69.30.221.126 | - | - | High
1 | [5.79.69.198](https://vuldb.com/?ip.5.79.69.198) | - | - | High
2 | [5.79.69.206](https://vuldb.com/?ip.5.79.69.206) | - | - | High
3 | [5.79.105.153](https://vuldb.com/?ip.5.79.105.153) | - | - | High
4 | [5.79.105.156](https://vuldb.com/?ip.5.79.105.156) | - | - | High
5 | [5.79.105.161](https://vuldb.com/?ip.5.79.105.161) | - | - | High
6 | [5.79.105.165](https://vuldb.com/?ip.5.79.105.165) | - | - | High
7 | [5.152.202.51](https://vuldb.com/?ip.5.152.202.51) | h5-152-202-51.host.redstation.co.uk | - | High
8 | [5.152.202.52](https://vuldb.com/?ip.5.152.202.52) | h5-152-202-52.host.redstation.co.uk | - | High
9 | [31.3.236.90](https://vuldb.com/?ip.31.3.236.90) | h31-3-236-90.host.redstation.co.uk | - | High
10 | [31.3.236.91](https://vuldb.com/?ip.31.3.236.91) | h31-3-236-91.host.redstation.co.uk | - | High
11 | [31.3.236.92](https://vuldb.com/?ip.31.3.236.92) | h31-3-236-92.host.redstation.co.uk | - | High
12 | [37.220.8.13](https://vuldb.com/?ip.37.220.8.13) | h37-220-8-13.host.redstation.co.uk | - | High
13 | [46.17.97.37](https://vuldb.com/?ip.46.17.97.37) | - | - | High
14 | [46.17.97.40](https://vuldb.com/?ip.46.17.97.40) | - | - | High
15 | [46.17.97.240](https://vuldb.com/?ip.46.17.97.240) | - | - | High
16 | [46.17.97.243](https://vuldb.com/?ip.46.17.97.243) | - | - | High
17 | [51.254.254.217](https://vuldb.com/?ip.51.254.254.217) | me14.mecide.com | - | High
18 | [51.255.28.57](https://vuldb.com/?ip.51.255.28.57) | - | - | High
19 | [54.36.217.8](https://vuldb.com/?ip.54.36.217.8) | ip8.ip-54-36-217.eu | - | High
20 | [54.37.164.254](https://vuldb.com/?ip.54.37.164.254) | - | - | High
21 | [54.38.49.6](https://vuldb.com/?ip.54.38.49.6) | ip6.ip-54-38-49.eu | Log4Shell | High
22 | [69.30.221.126](https://vuldb.com/?ip.69.30.221.126) | - | - | High
23 | ... | ... | ... | ...
There are 88 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Charming Kitten. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Charming Kitten_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
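Review bot: the Campaign column mixes operation names (`Grand Mars` in the Carbanak table, `Bergard` in C0d0so) with `Log4Shell` in row 21, which is an exploitation wave for one vulnerability rather than a campaign run by this actor; either document that the column also carries "observed exploiting" tags or move such tags to the TTP side. Rows 7 to 12 all resolve under `host.redstation.co.uk` and rows 1 to 6 and 13 to 16 sit in adjacent small address blocks, so exposing the netblock or ASN beside each IP would let readers see the clustering that the per-IP links hide.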
@ -64,7 +64,7 @@ ID | Technique | Weakness | Description | Confidence
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
There are 7 more TTP items available. Please use our online service to access the data.
There are 6 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -78,8 +78,8 @@ ID | Type | Indicator | Confidence
4 | File | `/admin/powerline` | High
5 | File | `/admin/syslog` | High
6 | File | `/api/upload` | Medium
7 | File | `/cgi-bin` | Medium
8 | File | `/context/%2e/WEB-INF/web.xml` | High
7 | File | `/context/%2e/WEB-INF/web.xml` | High
8 | File | `/file?action=download&file` | High
9 | File | `/medical/inventories.php` | High
10 | File | `/monitoring` | Medium
11 | File | `/new` | Low
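Review bot: the new row 8 `/file?action=download&file` is typed `File` although it is a path plus a query string, and the older row `admin/index.php?n=ui_set&m=admin&c=index&a=doget_text_content&table=lang&field=1` in the Carbanak hunk above has the same problem; the tables already have an `Argument` type (see `page` in the BlackCat IOA table), so the generator should split such entries into a File row for the path and Argument rows for the parameter names, otherwise a consumer matching on request paths will never hit the combined string. Dropping the generic `/cgi-bin` row is a good change, since it would have matched almost any CGI-enabled host.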
@ -89,21 +89,21 @@ ID | Type | Indicator | Confidence
15 | File | `/public/plugins/` | High
16 | File | `/replication` | Medium
17 | File | `/RestAPI` | Medium
18 | File | `/secure/QueryComponent!Default.jspa` | High
19 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
20 | File | `/tmp` | Low
21 | File | `/uncpath/` | Medium
22 | File | `/var/log/nginx` | High
23 | File | `/wp-json/wc/v3/webhooks` | High
24 | File | `AccountManagerService.java` | High
25 | File | `actions/CompanyDetailsSave.php` | High
26 | File | `ActiveServices.java` | High
27 | File | `admin.php` | Medium
28 | File | `admin/?n=user&c=admin_user&a=doGetUserInfo` | High
29 | File | `admin/add-glossary.php` | High
18 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
19 | File | `/secure/QueryComponent!Default.jspa` | High
20 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
21 | File | `/tmp` | Low
22 | File | `/uncpath/` | Medium
23 | File | `/var/log/nginx` | High
24 | File | `/wp-json/wc/v3/webhooks` | High
25 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
26 | File | `AccountManagerService.java` | High
27 | File | `actions/CompanyDetailsSave.php` | High
28 | File | `ActiveServices.java` | High
29 | File | `ActivityManagerService.java` | High
30 | ... | ... | ...
There are 258 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 259 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
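Review bot: row 25 `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` (also present in the Carbanak and Conti IOA tables) is four separate script names joined with slashes, not a path, so it ships as a single High-confidence file indicator that can never match a real request; split it into one row per file. The three "removed" lines in this hunk (`admin.php`, `admin/?n=user&c=admin_user&a=doGetUserInfo`, `admin/add-glossary.php`) are not deletions but rows pushed past the 29-row cut-off by the inserted `/secure/admin/InsightDefaultCustomFieldConfig.jspa`, `14all.cgi/...` and `ActivityManagerService.java` entries in the sorted list; a sentence to that effect in the commit message would spare reviewers reading them as dropped indicators.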

View File

@ -1,6 +1,6 @@
# Conficker - Cyber Threat Intelligence
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Conficker](https://vuldb.com/?actor.conficker). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Conficker](https://vuldb.com/?actor.conficker). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.conficker](https://vuldb.com/?actor.conficker)
@ -8,9 +8,9 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Conficker:
* US
* NL
* FR
* [US](https://vuldb.com/?country.us)
* [NL](https://vuldb.com/?country.nl)
* [FR](https://vuldb.com/?country.fr)
* ...
There are 10 more country items available. Please use our online service to access the data.
@ -21,16 +21,16 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 5.79.74.75 | nl1.zoogvpn.com | - | High
2 | 50.57.203.17 | - | - | High
3 | 64.71.74.227 | 64.71.74.227.hosted.at.cloudsouth.com | - | High
1 | [5.79.74.75](https://vuldb.com/?ip.5.79.74.75) | nl1.zoogvpn.com | - | High
2 | [50.57.203.17](https://vuldb.com/?ip.50.57.203.17) | - | - | High
3 | [64.71.74.227](https://vuldb.com/?ip.64.71.74.227) | 64.71.74.227.hosted.at.cloudsouth.com | - | High
4 | ... | ... | ... | ...
There are 8 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Conficker. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Conficker_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
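Review bot: row 1 `5.79.74.75` resolves to `nl1.zoogvpn.com`, which by its name is a shared VPN exit node, yet it is rated High alongside the dedicated hosts in rows 2 and 3; a consumer-VPN egress address is used by many unrelated clients, so matching on it will mostly produce false positives. Either lower the confidence, tag the row as shared infrastructure, or keep it out of blocklist exports and treat it as a hunting lead only.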
@ -39,7 +39,7 @@ ID | Technique | Weakness | Description | Confidence
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
There are 2 more TTP items available. Please use our online service to access the data.
There are 1 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack

View File

@ -83,7 +83,7 @@ There are 200 more IOC items available. Please use our online service to access
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Conti_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Conti_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -120,29 +120,29 @@ ID | Type | Indicator | Confidence
18 | File | `/tmp` | Low
19 | File | `/uncpath/` | Medium
20 | File | `/usr/bin/pkexec` | High
21 | File | `/WEB-INF/web.xml` | High
22 | File | `/wp-json/wc/v3/webhooks` | High
23 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
24 | File | `AccountManagerService.java` | High
25 | File | `actions/CompanyDetailsSave.php` | High
26 | File | `ActivityManagerService.java` | High
27 | File | `adclick.php` | Medium
28 | File | `admin.php` | Medium
29 | File | `admin.php?page=languages` | High
30 | File | `admin/add-glossary.php` | High
31 | File | `admin/admin.php` | High
32 | File | `admin/conf_users_edit.php` | High
33 | File | `admin/edit-comments.php` | High
34 | File | `admin/src/containers/InputModalStepperProvider/index.js` | High
35 | File | `admin\db\DoSql.php` | High
36 | File | `adverts/assets/plugins/ultimate/content/downloader.php` | High
37 | File | `advsearch.asp` | High
38 | File | `AjaxApplication.java` | High
39 | File | `AllowBindAppWidgetActivity.java` | High
40 | File | `android/webkit/SearchBoxImpl.java` | High
21 | File | `/usr/sbin/suexec` | High
22 | File | `/WEB-INF/web.xml` | High
23 | File | `/wp-json/wc/v3/webhooks` | High
24 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
25 | File | `AccountManagerService.java` | High
26 | File | `actions/CompanyDetailsSave.php` | High
27 | File | `ActivityManagerService.java` | High
28 | File | `adclick.php` | Medium
29 | File | `admin.php` | Medium
30 | File | `admin.php?page=languages` | High
31 | File | `admin/add-glossary.php` | High
32 | File | `admin/admin.php` | High
33 | File | `admin/conf_users_edit.php` | High
34 | File | `admin/edit-comments.php` | High
35 | File | `admin/src/containers/InputModalStepperProvider/index.js` | High
36 | File | `admin\db\DoSql.php` | High
37 | File | `adverts/assets/plugins/ultimate/content/downloader.php` | High
38 | File | `advsearch.asp` | High
39 | File | `AjaxApplication.java` | High
40 | File | `AllowBindAppWidgetActivity.java` | High
41 | ... | ... | ...
There are 349 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 351 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
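Review bot: the added row 21 `/usr/sbin/suexec` joins `/usr/bin/pkexec` (row 20) as a local setuid binary path in a list otherwise made up of web-facing paths, but both carry the same `File` type; a subtype or extra column distinguishing host filesystem paths from request paths would let consumers route them to the right detection (file integrity monitoring or EDR on one side, web access logs on the other). Row 36 `admin\db\DoSql.php` also uses backslashes while every other entry uses forward slashes; normalise to one separator, or log consumers matching on `/` will miss it.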

View File

@ -1,217 +1,217 @@
# CoolWebSearch - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [CoolWebSearch](https://vuldb.com/?actor.coolwebsearch). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [CoolWebSearch](https://vuldb.com/?actor.coolwebsearch). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.coolwebsearch](https://vuldb.com/?actor.coolwebsearch)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.coolwebsearch](https://vuldb.com/?actor.coolwebsearch)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with CoolWebSearch:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with CoolWebSearch:
* US
* VN
* CN
* [US](https://vuldb.com/?country.us)
* [VN](https://vuldb.com/?country.vn)
* [CN](https://vuldb.com/?country.cn)
* ...
There are 21 more country items available. Please use our online service to access the data.
There are 23 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of CoolWebSearch.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of CoolWebSearch.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 38.113.3.122 | - | High
2 | 38.113.198.80 | - | High
3 | 38.113.198.81 | - | High
4 | 38.113.198.235 | - | High
5 | 38.113.198.243 | - | High
6 | 38.113.198.249 | - | High
7 | 38.113.198.252 | - | High
8 | 38.113.199.63 | - | High
9 | 38.113.204.40 | - | High
10 | 38.113.204.182 | - | High
11 | 38.117.144.30 | - | High
12 | 38.117.144.50 | - | High
13 | 38.117.144.51 | - | High
14 | 38.117.144.162 | - | High
15 | 61.152.242.111 | - | High
16 | 62.65.252.93 | 62.65.252.93.cable.starman.ee | High
17 | 62.65.252.226 | 62.65.252.226.cable.starman.ee | High
18 | 62.129.133.193 | HOSTED-BY.VIRTUALXS.COM | High
19 | 63.160.243.7 | - | High
20 | 63.208.158.126 | unknown.Level3.net | High
21 | 63.217.29.115 | - | High
22 | 63.219.176.203 | 63-219-176-203.static.pccwglobal.net | High
23 | 63.219.178.91 | 63-219-178-91.supercreate.net | High
24 | 63.219.181.7 | web-r2-h7.globecorp.net | High
25 | 63.219.181.10 | web-r2-h10.globecorp.net | High
26 | 63.219.181.64 | web-r2-h64.globecorp.net | High
27 | 63.246.42.13 | - | High
28 | 63.246.131.19 | - | High
29 | 63.246.146.142 | - | High
30 | 63.246.146.147 | - | High
31 | 63.251.83.54 | - | High
32 | 63.251.83.56 | - | High
33 | 64.7.197.6 | - | High
34 | 64.7.205.18 | - | High
35 | 64.7.207.118 | NET-allocation-0011058.ix.sitestream.net | High
36 | 64.7.209.58 | NET-allocation-00025837.ix.sitestream.net | High
37 | 64.7.212.98 | gxb.nastydollars.com | High
38 | 64.38.226.6 | maxcash.cavecreek.net | High
39 | 64.94.3.243 | - | High
40 | 64.124.210.76 | 64.124.210.76.t00517.above.net | High
41 | 64.124.210.98 | 64.124.210.98.t00517.above.net | High
42 | 64.124.210.111 | 64.124.210.111.t00517.above.net | High
43 | 64.124.222.167 | 64.124.222.167.T01708-02.above.net | High
44 | 64.124.222.236 | 64.124.222.236.T01708-02.above.net | High
45 | 64.125.84.23 | - | High
46 | 64.127.104.144 | - | High
47 | 64.154.5.9 | - | High
48 | 64.154.5.38 | - | High
49 | 64.157.143.86 | unknown.Level3.net | High
50 | 64.185.230.223 | 64-185-230-223.static.webnx.com | High
51 | 64.186.129.250 | - | High
52 | 64.186.129.252 | - | High
53 | 64.186.152.83 | - | High
54 | 64.200.25.75 | - | High
55 | 64.200.25.86 | - | High
56 | 64.202.105.82 | unknown.ord.scnet.net | High
57 | 64.202.167.129 | ip-64-202-167-129.ip.secureserver.net | High
58 | 64.202.167.192 | ip-64-202-167-192.ip.secureserver.net | High
59 | 64.237.37.152 | - | High
60 | 64.237.39.70 | - | High
61 | 64.237.39.76 | - | High
62 | 64.237.39.77 | - | High
63 | 64.237.39.80 | - | High
64 | 64.237.39.226 | 64-237-39-226.choopa.net | High
65 | 64.237.41.215 | 64-237-41-215.choopa.com | High
66 | 64.237.44.247 | 64-237-44-247.constant.com | High
67 | 64.237.45.18 | 64-237-45-18.constant.com | High
68 | 64.237.47.178 | 64-237-47-178.constant.com | High
69 | 64.237.47.210 | 64-237-47-210.choopa.net | High
70 | 64.237.53.3 | 64.237.53.3.choopa.net | High
71 | 64.237.53.4 | 64.237.53.4.choopa.net | High
72 | 64.237.56.64 | 64-237-56-64.choopa.net | High
73 | 64.237.57.37 | 64.237.57.37.choopa.com | High
74 | 64.237.57.92 | tsca-057092.toscaa.com | High
75 | 64.237.57.202 | 64.237.57.202.choopa.com | High
76 | 64.237.57.205 | 64.237.57.205.choopa.com | High
77 | 64.237.57.206 | 64.237.57.206.choopa.com | High
78 | 64.237.57.215 | 64-237-57-215.reliableservers.com | High
79 | 64.246.18.41 | ev1s-64-246-18-41.theplanet.com | High
80 | 64.246.33.179 | ev1s-64-246-33-179.theplanet.com | High
81 | 64.246.33.191 | bignaturalboobs.org | High
82 | 64.246.40.84 | ev1s-64-246-40-84.theplanet.com | High
83 | 64.250.235.140 | ip-64-250-235-140.lasvegas.net | High
84 | 64.255.161.101 | 64-255-161-101.jupiter.navisite.com | High
85 | 65.39.191.71 | - | High
86 | 65.75.143.119 | ip-65-75-143-119.local | High
87 | 65.75.161.13 | galt1.seowebhosting.net | High
88 | 65.75.175.64 | ip-65-75-175-64.local | High
89 | 65.75.187.94 | ip-65-75-187-94.local | High
90 | 65.77.129.178 | - | High
91 | 65.77.129.212 | - | High
92 | 65.110.40.789 | - | High
93 | 65.115.110.251 | - | High
94 | 66.28.176.79 | - | High
95 | 66.28.176.138 | - | High
96 | 66.28.176.154 | - | High
97 | 66.40.28.3 | host3.maxim.net | High
98 | 66.40.28.12 | host12.maxim.net | High
99 | 66.40.28.51 | host51.maxim.net | High
100 | 66.40.28.61 | host61.maxim.net | High
101 | 66.45.237.99 | athostech.website | High
102 | 66.55.128.76 | 66.55.128.76.choopa.com | High
103 | 66.55.134.98 | 66-55-134-98.choopa.net | High
104 | 66.55.136.82 | 66.55.136.82.choopa.com | High
105 | 66.55.136.84 | 66.55.136.84.choopa.com | High
106 | 66.55.136.87 | 66.55.136.87.choopa.com | High
107 | 66.55.136.93 | 66-55-136-93.constant.com | High
108 | 66.55.139.28 | 66-55-139-28.choopa.net | High
109 | 66.55.139.29 | 66-55-139-29.choopa.net | High
110 | 66.55.140.119 | - | High
111 | 66.55.141.3 | - | High
112 | 66.55.144.200 | 66.55.144.200.choopa.net | High
113 | 66.70.44.60 | tunders.com | High
114 | 66.70.68.147 | - | High
115 | 66.79.171.70 | - | High
116 | 66.79.171.75 | - | High
117 | 66.79.183.140 | - | High
118 | 66.79.189.120 | - | High
119 | 66.79.191.231 | - | High
120 | 66.90.65.252 | - | High
121 | 66.98.142.163 | ns106.ehostpros.com | High
122 | 66.98.176.62 | ev1s-66-98-176-62.theplanet.com | High
123 | 66.98.194.89 | ns1.mygreatwebsite.net | High
124 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [38.113.3.122](https://vuldb.com/?ip.38.113.3.122) | - | - | High
2 | [38.113.198.80](https://vuldb.com/?ip.38.113.198.80) | - | - | High
3 | [38.113.198.81](https://vuldb.com/?ip.38.113.198.81) | - | - | High
4 | [38.113.198.235](https://vuldb.com/?ip.38.113.198.235) | - | - | High
5 | [38.113.198.243](https://vuldb.com/?ip.38.113.198.243) | - | - | High
6 | [38.113.198.249](https://vuldb.com/?ip.38.113.198.249) | - | - | High
7 | [38.113.198.252](https://vuldb.com/?ip.38.113.198.252) | - | - | High
8 | [38.113.199.63](https://vuldb.com/?ip.38.113.199.63) | - | - | High
9 | [38.113.204.40](https://vuldb.com/?ip.38.113.204.40) | - | - | High
10 | [38.113.204.182](https://vuldb.com/?ip.38.113.204.182) | - | - | High
11 | [38.117.144.30](https://vuldb.com/?ip.38.117.144.30) | - | - | High
12 | [38.117.144.50](https://vuldb.com/?ip.38.117.144.50) | - | - | High
13 | [38.117.144.51](https://vuldb.com/?ip.38.117.144.51) | - | - | High
14 | [38.117.144.162](https://vuldb.com/?ip.38.117.144.162) | - | - | High
15 | [61.152.242.111](https://vuldb.com/?ip.61.152.242.111) | - | - | High
16 | [62.65.252.93](https://vuldb.com/?ip.62.65.252.93) | 62.65.252.93.cable.starman.ee | - | High
17 | [62.65.252.226](https://vuldb.com/?ip.62.65.252.226) | 62.65.252.226.cable.starman.ee | - | High
18 | [62.129.133.193](https://vuldb.com/?ip.62.129.133.193) | HOSTED-BY.VIRTUALXS.COM | - | High
19 | [63.160.243.7](https://vuldb.com/?ip.63.160.243.7) | - | - | High
20 | [63.208.158.126](https://vuldb.com/?ip.63.208.158.126) | unknown.Level3.net | - | High
21 | [63.217.29.115](https://vuldb.com/?ip.63.217.29.115) | - | - | High
22 | [63.219.176.203](https://vuldb.com/?ip.63.219.176.203) | 63-219-176-203.static.pccwglobal.net | - | High
23 | [63.219.178.91](https://vuldb.com/?ip.63.219.178.91) | 63-219-178-91.supercreate.net | - | High
24 | [63.219.181.7](https://vuldb.com/?ip.63.219.181.7) | web-r2-h7.globecorp.net | - | High
25 | [63.219.181.10](https://vuldb.com/?ip.63.219.181.10) | web-r2-h10.globecorp.net | - | High
26 | [63.219.181.64](https://vuldb.com/?ip.63.219.181.64) | web-r2-h64.globecorp.net | - | High
27 | [63.246.42.13](https://vuldb.com/?ip.63.246.42.13) | - | - | High
28 | [63.246.131.19](https://vuldb.com/?ip.63.246.131.19) | - | - | High
29 | [63.246.146.142](https://vuldb.com/?ip.63.246.146.142) | - | - | High
30 | [63.246.146.147](https://vuldb.com/?ip.63.246.146.147) | - | - | High
31 | [63.251.83.54](https://vuldb.com/?ip.63.251.83.54) | - | - | High
32 | [63.251.83.56](https://vuldb.com/?ip.63.251.83.56) | - | - | High
33 | [64.7.197.6](https://vuldb.com/?ip.64.7.197.6) | - | - | High
34 | [64.7.205.18](https://vuldb.com/?ip.64.7.205.18) | - | - | High
35 | [64.7.207.118](https://vuldb.com/?ip.64.7.207.118) | NET-allocation-0011058.ix.sitestream.net | - | High
36 | [64.7.209.58](https://vuldb.com/?ip.64.7.209.58) | NET-allocation-00025837.ix.sitestream.net | - | High
37 | [64.7.212.98](https://vuldb.com/?ip.64.7.212.98) | gxb.nastydollars.com | - | High
38 | [64.38.226.6](https://vuldb.com/?ip.64.38.226.6) | maxcash.cavecreek.net | - | High
39 | [64.94.3.243](https://vuldb.com/?ip.64.94.3.243) | - | - | High
40 | [64.124.210.76](https://vuldb.com/?ip.64.124.210.76) | 64.124.210.76.t00517.above.net | - | High
41 | [64.124.210.98](https://vuldb.com/?ip.64.124.210.98) | 64.124.210.98.t00517.above.net | - | High
42 | [64.124.210.111](https://vuldb.com/?ip.64.124.210.111) | 64.124.210.111.t00517.above.net | - | High
43 | [64.124.222.167](https://vuldb.com/?ip.64.124.222.167) | 64.124.222.167.T01708-02.above.net | - | High
44 | [64.124.222.236](https://vuldb.com/?ip.64.124.222.236) | 64.124.222.236.T01708-02.above.net | - | High
45 | [64.125.84.23](https://vuldb.com/?ip.64.125.84.23) | - | - | High
46 | [64.127.104.144](https://vuldb.com/?ip.64.127.104.144) | - | - | High
47 | [64.154.5.9](https://vuldb.com/?ip.64.154.5.9) | - | - | High
48 | [64.154.5.38](https://vuldb.com/?ip.64.154.5.38) | - | - | High
49 | [64.157.143.86](https://vuldb.com/?ip.64.157.143.86) | unknown.Level3.net | - | High
50 | [64.185.230.223](https://vuldb.com/?ip.64.185.230.223) | 64-185-230-223.static.webnx.com | - | High
51 | [64.186.129.250](https://vuldb.com/?ip.64.186.129.250) | - | - | High
52 | [64.186.129.252](https://vuldb.com/?ip.64.186.129.252) | - | - | High
53 | [64.186.152.83](https://vuldb.com/?ip.64.186.152.83) | - | - | High
54 | [64.200.25.75](https://vuldb.com/?ip.64.200.25.75) | - | - | High
55 | [64.200.25.86](https://vuldb.com/?ip.64.200.25.86) | - | - | High
56 | [64.202.105.82](https://vuldb.com/?ip.64.202.105.82) | unknown.ord.scnet.net | - | High
57 | [64.202.167.129](https://vuldb.com/?ip.64.202.167.129) | ip-64-202-167-129.ip.secureserver.net | - | High
58 | [64.202.167.192](https://vuldb.com/?ip.64.202.167.192) | ip-64-202-167-192.ip.secureserver.net | - | High
59 | [64.237.37.152](https://vuldb.com/?ip.64.237.37.152) | - | - | High
60 | [64.237.39.70](https://vuldb.com/?ip.64.237.39.70) | - | - | High
61 | [64.237.39.76](https://vuldb.com/?ip.64.237.39.76) | - | - | High
62 | [64.237.39.77](https://vuldb.com/?ip.64.237.39.77) | - | - | High
63 | [64.237.39.80](https://vuldb.com/?ip.64.237.39.80) | - | - | High
64 | [64.237.39.226](https://vuldb.com/?ip.64.237.39.226) | 64-237-39-226.choopa.net | - | High
65 | [64.237.41.215](https://vuldb.com/?ip.64.237.41.215) | 64-237-41-215.choopa.com | - | High
66 | [64.237.44.247](https://vuldb.com/?ip.64.237.44.247) | 64-237-44-247.constant.com | - | High
67 | [64.237.45.18](https://vuldb.com/?ip.64.237.45.18) | 64-237-45-18.constant.com | - | High
68 | [64.237.47.178](https://vuldb.com/?ip.64.237.47.178) | 64-237-47-178.constant.com | - | High
69 | [64.237.47.210](https://vuldb.com/?ip.64.237.47.210) | 64-237-47-210.choopa.net | - | High
70 | [64.237.53.3](https://vuldb.com/?ip.64.237.53.3) | 64.237.53.3.choopa.net | - | High
71 | [64.237.53.4](https://vuldb.com/?ip.64.237.53.4) | 64.237.53.4.choopa.net | - | High
72 | [64.237.56.64](https://vuldb.com/?ip.64.237.56.64) | 64-237-56-64.choopa.net | - | High
73 | [64.237.57.37](https://vuldb.com/?ip.64.237.57.37) | 64.237.57.37.choopa.com | - | High
74 | [64.237.57.92](https://vuldb.com/?ip.64.237.57.92) | tsca-057092.toscaa.com | - | High
75 | [64.237.57.202](https://vuldb.com/?ip.64.237.57.202) | 64.237.57.202.choopa.com | - | High
76 | [64.237.57.205](https://vuldb.com/?ip.64.237.57.205) | 64.237.57.205.choopa.com | - | High
77 | [64.237.57.206](https://vuldb.com/?ip.64.237.57.206) | 64.237.57.206.choopa.com | - | High
78 | [64.237.57.215](https://vuldb.com/?ip.64.237.57.215) | 64-237-57-215.reliableservers.com | - | High
79 | [64.246.18.41](https://vuldb.com/?ip.64.246.18.41) | ev1s-64-246-18-41.theplanet.com | - | High
80 | [64.246.33.179](https://vuldb.com/?ip.64.246.33.179) | ev1s-64-246-33-179.theplanet.com | - | High
81 | [64.246.33.191](https://vuldb.com/?ip.64.246.33.191) | bignaturalboobs.org | - | High
82 | [64.246.40.84](https://vuldb.com/?ip.64.246.40.84) | ev1s-64-246-40-84.theplanet.com | - | High
83 | [64.250.235.140](https://vuldb.com/?ip.64.250.235.140) | ip-64-250-235-140.lasvegas.net | - | High
84 | [64.255.161.101](https://vuldb.com/?ip.64.255.161.101) | 64-255-161-101.jupiter.navisite.com | - | High
85 | [65.39.191.71](https://vuldb.com/?ip.65.39.191.71) | - | - | High
86 | [65.75.143.119](https://vuldb.com/?ip.65.75.143.119) | ip-65-75-143-119.local | - | High
87 | [65.75.161.13](https://vuldb.com/?ip.65.75.161.13) | galt1.seowebhosting.net | - | High
88 | [65.75.175.64](https://vuldb.com/?ip.65.75.175.64) | ip-65-75-175-64.local | - | High
89 | [65.75.187.94](https://vuldb.com/?ip.65.75.187.94) | ip-65-75-187-94.local | - | High
90 | [65.77.129.178](https://vuldb.com/?ip.65.77.129.178) | - | - | High
91 | [65.77.129.212](https://vuldb.com/?ip.65.77.129.212) | - | - | High
92 | [65.110.40.789](https://vuldb.com/?ip.65.110.40.789) | - | - | High
93 | [65.115.110.251](https://vuldb.com/?ip.65.115.110.251) | - | - | High
94 | [66.28.176.79](https://vuldb.com/?ip.66.28.176.79) | - | - | High
95 | [66.28.176.138](https://vuldb.com/?ip.66.28.176.138) | - | - | High
96 | [66.28.176.154](https://vuldb.com/?ip.66.28.176.154) | - | - | High
97 | [66.40.28.3](https://vuldb.com/?ip.66.40.28.3) | host3.maxim.net | - | High
98 | [66.40.28.12](https://vuldb.com/?ip.66.40.28.12) | host12.maxim.net | - | High
99 | [66.40.28.51](https://vuldb.com/?ip.66.40.28.51) | host51.maxim.net | - | High
100 | [66.40.28.61](https://vuldb.com/?ip.66.40.28.61) | host61.maxim.net | - | High
101 | [66.45.237.99](https://vuldb.com/?ip.66.45.237.99) | athostech.website | - | High
102 | [66.55.128.76](https://vuldb.com/?ip.66.55.128.76) | 66.55.128.76.choopa.com | - | High
103 | [66.55.134.98](https://vuldb.com/?ip.66.55.134.98) | 66-55-134-98.choopa.net | - | High
104 | [66.55.136.82](https://vuldb.com/?ip.66.55.136.82) | 66.55.136.82.choopa.com | - | High
105 | [66.55.136.84](https://vuldb.com/?ip.66.55.136.84) | 66.55.136.84.choopa.com | - | High
106 | [66.55.136.87](https://vuldb.com/?ip.66.55.136.87) | 66.55.136.87.choopa.com | - | High
107 | [66.55.136.93](https://vuldb.com/?ip.66.55.136.93) | 66-55-136-93.constant.com | - | High
108 | [66.55.139.28](https://vuldb.com/?ip.66.55.139.28) | 66-55-139-28.choopa.net | - | High
109 | [66.55.139.29](https://vuldb.com/?ip.66.55.139.29) | 66-55-139-29.choopa.net | - | High
110 | [66.55.140.119](https://vuldb.com/?ip.66.55.140.119) | - | - | High
111 | [66.55.141.3](https://vuldb.com/?ip.66.55.141.3) | - | - | High
112 | [66.55.144.200](https://vuldb.com/?ip.66.55.144.200) | 66.55.144.200.choopa.net | - | High
113 | [66.70.44.60](https://vuldb.com/?ip.66.70.44.60) | tunders.com | - | High
114 | [66.70.68.147](https://vuldb.com/?ip.66.70.68.147) | - | - | High
115 | [66.79.171.70](https://vuldb.com/?ip.66.79.171.70) | - | - | High
116 | [66.79.171.75](https://vuldb.com/?ip.66.79.171.75) | - | - | High
117 | [66.79.183.140](https://vuldb.com/?ip.66.79.183.140) | - | - | High
118 | [66.79.189.120](https://vuldb.com/?ip.66.79.189.120) | - | - | High
119 | [66.79.191.231](https://vuldb.com/?ip.66.79.191.231) | - | - | High
120 | [66.90.65.252](https://vuldb.com/?ip.66.90.65.252) | - | - | High
121 | [66.98.142.163](https://vuldb.com/?ip.66.98.142.163) | ns106.ehostpros.com | - | High
122 | [66.98.176.62](https://vuldb.com/?ip.66.98.176.62) | ev1s-66-98-176-62.theplanet.com | - | High
123 | [66.98.194.89](https://vuldb.com/?ip.66.98.194.89) | ns1.mygreatwebsite.net | - | High
124 | ... | ... | ... | ...
There are 494 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by CoolWebSearch. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _CoolWebSearch_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
There are 7 more TTP items available. Please use our online service to access the data.
There are 6 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by CoolWebSearch. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by CoolWebSearch. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/.ssh/authorized_keys` | High
2 | File | `/car.php` | Medium
3 | File | `/context/%2e/WEB-INF/web.xml` | High
4 | File | `/dashboards/#` | High
5 | File | `/etc/controller-agent/agent.conf` | High
6 | File | `/etc/sudoers` | Medium
7 | File | `/filemanager/php/connector.php` | High
8 | File | `/forum/away.php` | High
9 | File | `/fudforum/adm/hlplist.php` | High
10 | File | `/GponForm/fsetup_Form` | High
11 | File | `/log_download.cgi` | High
12 | File | `/modules/profile/index.php` | High
13 | File | `/monitoring` | Medium
14 | File | `/new` | Low
15 | File | `/out.php` | Medium
16 | File | `/proc/<pid>/status` | High
17 | File | `/public/plugins/` | High
18 | File | `/s/` | Low
19 | File | `/secure/QueryComponent!Default.jspa` | High
20 | File | `/server-info` | Medium
21 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
22 | File | `/tmp` | Low
23 | File | `/tmp/kamailio_ctl` | High
24 | File | `/tmp/kamailio_fifo` | High
25 | File | `/uncpath/` | Medium
26 | File | `/updown/upload.cgi` | High
27 | File | `/usr/bin/pkexec` | High
28 | File | `/way4acs/enroll` | High
29 | File | `/WEB-INF/web.xml` | High
30 | File | `/wp-json/wc/v3/webhooks` | High
31 | File | `4.2.0.CP09` | Medium
32 | File | `actions/CompanyDetailsSave.php` | High
3 | File | `/CMD_ACCOUNT_ADMIN` | High
4 | File | `/context/%2e/WEB-INF/web.xml` | High
5 | File | `/core/admin/categories.php` | High
6 | File | `/dashboards/#` | High
7 | File | `/etc/sudoers` | Medium
8 | File | `/filemanager/php/connector.php` | High
9 | File | `/forum/away.php` | High
10 | File | `/fudforum/adm/hlplist.php` | High
11 | File | `/GponForm/fsetup_Form` | High
12 | File | `/log_download.cgi` | High
13 | File | `/modules/profile/index.php` | High
14 | File | `/monitoring` | Medium
15 | File | `/MTFWU` | Low
16 | File | `/new` | Low
17 | File | `/out.php` | Medium
18 | File | `/proc/<pid>/status` | High
19 | File | `/public/plugins/` | High
20 | File | `/s/` | Low
21 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
22 | File | `/secure/QueryComponent!Default.jspa` | High
23 | File | `/server-info` | Medium
24 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
25 | File | `/tmp` | Low
26 | File | `/uncpath/` | Medium
27 | File | `/updown/upload.cgi` | High
28 | File | `/usr/bin/pkexec` | High
29 | File | `/way4acs/enroll` | High
30 | File | `/WEB-INF/web.xml` | High
31 | File | `/wp-json/wc/v3/webhooks` | High
32 | File | `4.2.0.CP09` | Medium
33 | ... | ... | ...
There are 283 more IOA items available. Please use our online service to access the data.
There are 277 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://ddanchev.blogspot.com/2022/01/exposing-currently-active-coolwebsearch.html
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
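Review bot: row 92 of the IOC table carries an invalid IPv4 address, `65.110.40.789` (the last octet exceeds 255), and this rewrite now also wraps it in a link to `https://vuldb.com/?ip.65.110.40.789`; the export should validate every octet (0 to 255) before emitting a row or a link, and this entry should be corrected against its source or dropped, since a defender importing the table into a blocklist will either get a parse error or silently skip it. A smaller point in the same table: the hostname column mixes cases (`HOSTED-BY.VIRTUALXS.COM` next to lowercase reverse-DNS names such as `62.65.252.93.cable.starman.ee`); lowercasing hostnames on export keeps matching against log data consistent.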


@ -1,6 +1,6 @@
# CopyKittens - Cyber Threat Intelligence
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [CopyKittens](https://vuldb.com/?actor.copykittens). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [CopyKittens](https://vuldb.com/?actor.copykittens). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.copykittens](https://vuldb.com/?actor.copykittens)
@ -14,9 +14,9 @@ The following _campaigns_ are known and can be associated with CopyKittens:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with CopyKittens:
* PL
* FR
* ES
* [ES](https://vuldb.com/?country.es)
* [PL](https://vuldb.com/?country.pl)
* [FR](https://vuldb.com/?country.fr)
* ...
There are 5 more country items available. Please use our online service to access the data.
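Review bot: the country list changes order from PL, FR, ES to ES, PL, FR with no visible sort key, while the remainder line (`There are 5 more country items available`) is unchanged; if the order reflects a ranking (for example by observed activity), the intro sentence should say so, otherwise emit the list in a fixed order (alphabetical or by a stable score) so that regenerated files only diff where the underlying data actually changed.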
@ -27,30 +27,30 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 5.34.180.252 | vds-uuallex-113169.hosted-by-itldc.com | Wilted Tulip | High
2 | 5.34.181.13 | backups231.com | Wilted Tulip | High
3 | 31.192.105.16 | down-it-niscat.cosmeticdentistwellesley.com | Wilted Tulip | High
4 | 31.192.105.17 | - | Wilted Tulip | High
5 | 31.192.105.28 | - | Wilted Tulip | High
6 | 38.130.75.20 | h20-us75.fcsrv.net | Wilted Tulip | High
7 | 51.254.76.54 | - | Wilted Tulip | High
8 | 62.109.2.52 | ns.leangroup.ru | Wilted Tulip | High
9 | 62.109.2.109 | mediclick.ru | - | High
10 | 66.55.152.164 | 66-55-152-164.choopa.net | Wilted Tulip | High
11 | 68.232.180.122 | 68-232-180-122.choopa.net | Wilted Tulip | High
12 | 80.179.42.37 | 80.179.42.37.forward.012.net.il | Wilted Tulip | High
13 | 80.179.42.44 | lnkrten-dazling.linegrace.com | - | High
14 | 86.105.18.5 | - | - | High
15 | 93.190.138.137 | 93-190-138-137.hosted-by-worldstream.net | Wilted Tulip | High
16 | 104.200.128.48 | - | Wilted Tulip | High
17 | 104.200.128.58 | - | Wilted Tulip | High
1 | [5.34.180.252](https://vuldb.com/?ip.5.34.180.252) | vds-uuallex-113169.hosted-by-itldc.com | Wilted Tulip | High
2 | [5.34.181.13](https://vuldb.com/?ip.5.34.181.13) | backups231.com | Wilted Tulip | High
3 | [31.192.105.16](https://vuldb.com/?ip.31.192.105.16) | down-it-niscat.cosmeticdentistwellesley.com | Wilted Tulip | High
4 | [31.192.105.17](https://vuldb.com/?ip.31.192.105.17) | - | Wilted Tulip | High
5 | [31.192.105.28](https://vuldb.com/?ip.31.192.105.28) | - | Wilted Tulip | High
6 | [38.130.75.20](https://vuldb.com/?ip.38.130.75.20) | h20-us75.fcsrv.net | Wilted Tulip | High
7 | [51.254.76.54](https://vuldb.com/?ip.51.254.76.54) | - | Wilted Tulip | High
8 | [62.109.2.52](https://vuldb.com/?ip.62.109.2.52) | ns.leangroup.ru | Wilted Tulip | High
9 | [62.109.2.109](https://vuldb.com/?ip.62.109.2.109) | mediclick.ru | - | High
10 | [66.55.152.164](https://vuldb.com/?ip.66.55.152.164) | 66-55-152-164.choopa.net | Wilted Tulip | High
11 | [68.232.180.122](https://vuldb.com/?ip.68.232.180.122) | 68-232-180-122.choopa.net | Wilted Tulip | High
12 | [80.179.42.37](https://vuldb.com/?ip.80.179.42.37) | 80.179.42.37.forward.012.net.il | Wilted Tulip | High
13 | [80.179.42.44](https://vuldb.com/?ip.80.179.42.44) | lnkrten-dazling.linegrace.com | - | High
14 | [86.105.18.5](https://vuldb.com/?ip.86.105.18.5) | - | - | High
15 | [93.190.138.137](https://vuldb.com/?ip.93.190.138.137) | 93-190-138-137.hosted-by-worldstream.net | Wilted Tulip | High
16 | [104.200.128.48](https://vuldb.com/?ip.104.200.128.48) | - | Wilted Tulip | High
17 | [104.200.128.58](https://vuldb.com/?ip.104.200.128.58) | - | Wilted Tulip | High
18 | ... | ... | ... | ...
There are 67 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by CopyKittens. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _CopyKittens_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -69,32 +69,27 @@ ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/about/../` | Medium
2 | File | `/admin/admin.php?module=admin_group_edit&agID` | High
3 | File | `/admin/comment.php` | High
4 | File | `/admin/configure.php` | High
5 | File | `/admin/index.php?lfj=member&action=editmember` | High
6 | File | `/admin/login.php` | High
7 | File | `/api/notify.php` | High
8 | File | `/box_code_base.c` | High
9 | File | `/EXCU_SHELL` | Medium
10 | File | `/forgetpassword.php` | High
11 | File | `/formAdvFirewall` | High
12 | File | `/function/booksave.php` | High
13 | File | `/home/user/dir` | High
14 | File | `/jerry-core/ecma/base/ecma-helpers-conversion.c` | High
15 | File | `/moddable/xs/sources/xsDataView.c` | High
16 | File | `abc2ps.c` | Medium
17 | File | `acknow.php` | Medium
18 | File | `adminlogin.php` | High
19 | File | `admin_home.php` | High
3 | File | `/admin/configure.php` | High
4 | File | `/admin/index.php?lfj=member&action=editmember` | High
5 | File | `/admin/login.php` | High
6 | File | `/apilog.php` | Medium
7 | File | `/box_code_base.c` | High
8 | File | `/cloud_config/router_post/upgrade_info` | High
9 | File | `/forgetpassword.php` | High
10 | File | `/formAdvFirewall` | High
11 | File | `/function/booksave.php` | High
12 | File | `/jerry-core/ecma/base/ecma-helpers-conversion.c` | High
13 | File | `/moddable/xs/sources/xsDataView.c` | High
14 | File | `/ok_png.c` | Medium
15 | File | `abc2ps.c` | Medium
16 | File | `acknow.php` | Medium
17 | File | `adminlogin.php` | High
18 | File | `admin_home.php` | High
19 | File | `alfresco/s/admin/admin-nodebrowser` | High
20 | File | `allocator.cc` | Medium
21 | File | `AndroidManifest.xml` | High
22 | File | `archive_read_support_format_iso9660.c` | High
23 | File | `AscoServer.exe` | High
24 | File | `AudioOutputSpeech.cpp` | High
25 | File | `box_code_base.c` | High
26 | ... | ... | ...
21 | ... | ... | ...
There are 216 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 178 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
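Review bot: the number of visible IOA rows drops from 25 to 20 (the `...` row moves from 26 to 21) at the same time as the remainder count falls from 216 to 178, so the display cutoff changed together with the data; if the cutoff is a generator parameter it should be stated in the section intro, and the entries that disappear from the visible window (`/admin/comment.php`, `/api/notify.php`, `/EXCU_SHELL`, `/home/user/dir`) should be confirmed as intentional removals rather than a side effect of the shorter window, since readers of the rendered file cannot tell the two apart.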
## References


@ -1,26 +1,26 @@
# CryptoWall 2.0 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [CryptoWall 2.0](https://vuldb.com/?actor.cryptowall_2.0). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [CryptoWall 2.0](https://vuldb.com/?actor.cryptowall_2.0). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.cryptowall_2.0](https://vuldb.com/?actor.cryptowall_2.0)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.cryptowall_2.0](https://vuldb.com/?actor.cryptowall_2.0)
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of CryptoWall 2.0.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of CryptoWall 2.0.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 151.248.115.146 | et-cetera.ru | High
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [151.248.115.146](https://vuldb.com/?ip.151.248.115.146) | et-cetera.ru | - | High
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://unit42.paloaltonetworks.com/tracking-new-ransomware-cryptowall-2-0/
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
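Review bot: the new Campaign column is "-" for the only row and this file has no Campaigns section, so the column carries no information here; either document that "-" means no campaign attribution or omit the column when no campaign is known. The rewritten intro now says indicators were "reported, collected, and generated", but the table gives no way to tell a reported IOC from a model-generated one; a source column, or a note that the Confidence column encodes this, would make the High rating for 151.248.115.146 interpretable.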

View File

@ -32,7 +32,7 @@ There are 20 more IOC items available. Please use our online service to access t
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Cyclops Blink_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Cyclops Blink_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
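Review bot: the same one-word change ("ATT&CK" to "MITRE ATT&CK") is applied file by file across several actor pages in this commit; since the TTP paragraph is identical boilerplate in each file, it should come from one template in the generator so that the next wording fix does not have to touch every actor file and cannot leave some pages with the old text.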
@ -58,7 +58,7 @@ ID | Type | Indicator | Confidence
7 | File | `ajax.php?type=../admin-panel/autoload&page=manage-users` | High
8 | ... | ... | ...
There are 59 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 60 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

View File

@ -33,7 +33,7 @@ There are 11 more IOC items available. Please use our online service to access t
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _DEV-0322_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _DEV-0322_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------

View File

@ -10,7 +10,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [US](https://vuldb.com/?country.us)
* [RU](https://vuldb.com/?country.ru)
* [FR](https://vuldb.com/?country.fr)
* [IO](https://vuldb.com/?country.io)
* ...
There are 1 more country items available. Please use our online service to access the data.
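Review bot: FR is dropped from the visible country list and replaced by IO, yet the trailing line still reports "1 more country items available", so FR has either left the association set entirely or displaced the hidden entry; the commit does not say which, and nothing on the page explains how the visible subset is chosen. IO (British Indian Ocean Territory) is also an unusual attribution for an actor and is worth checking against the underlying observation before publishing, to make sure it is not a geolocation artifact.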
@ -30,7 +30,7 @@ There are 1 more IOC items available. Please use our online service to access th
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _DNSBirthday_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _DNSBirthday_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -45,10 +45,10 @@ ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/forum/away.php` | High
2 | File | `/modules/profile/index.php` | High
3 | File | `data/gbconfiguration.dat` | High
3 | File | `/probe?target` | High
4 | ... | ... | ...
There are 19 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 20 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
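Review bot: row 3 swaps `data/gbconfiguration.dat` for `/probe?target` while the count rises from 19 to 20, so the old indicator must now sit in the hidden remainder; that is consistent only if the visible rows are the top of a ranked list, which the page does not state. `/probe?target` is also a path with a query parameter but is typed as File; the count line itself lists argument as a type, so the `target` parameter would be better recorded as an argument indicator, or the entry split into a File (`/probe`) and an argument (`target`).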

View File

@ -1,26 +1,26 @@
# Darkkomet - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Darkkomet](https://vuldb.com/?actor.darkkomet). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Darkkomet](https://vuldb.com/?actor.darkkomet). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.darkkomet](https://vuldb.com/?actor.darkkomet)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.darkkomet](https://vuldb.com/?actor.darkkomet)
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Darkkomet.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Darkkomet.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 209.99.40.222 | 209-99-40-222.fwd.datafoundry.com | High
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [209.99.40.222](https://vuldb.com/?ip.209.99.40.222) | 209-99-40-222.fwd.datafoundry.com | - | High
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
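Review bot: the actor name is spelled "Darkkomet" throughout, including the URL slug, while the malware this refers to is commonly written DarkComet; if the slug cannot change, the page should at least state the alias so that searches for the usual spelling still find it. As in the other single-IOC pages in this commit, the new Campaign column holds only "-", and the cited source is a weekly threat roundup rather than a DarkComet-specific analysis, so the High confidence for 209.99.40.222 would benefit from a pointer to where in that roundup the address appears.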

View File

@ -1,6 +1,6 @@
# Deep Panda - Cyber Threat Intelligence
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Deep Panda](https://vuldb.com/?actor.deep_panda). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Deep Panda](https://vuldb.com/?actor.deep_panda). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.deep_panda](https://vuldb.com/?actor.deep_panda)
@ -8,8 +8,8 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Deep Panda:
* CA
* US
* [CA](https://vuldb.com/?country.ca)
* [US](https://vuldb.com/?country.us)
## IOC - Indicator of Compromise
@ -17,9 +17,9 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 1.9.5.38 | - | - | High
2 | 142.91.76.134 | mx3.29v.info | - | High
3 | 184.71.210.4 | - | - | High
1 | [1.9.5.38](https://vuldb.com/?ip.1.9.5.38) | - | - | High
2 | [142.91.76.134](https://vuldb.com/?ip.142.91.76.134) | mx3.29v.info | - | High
3 | [184.71.210.4](https://vuldb.com/?ip.184.71.210.4) | - | - | High
4 | ... | ... | ... | ...
There are 3 more IOC items available. Please use our online service to access the data.

View File

@ -1,26 +1,26 @@
# Dokkaebi - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Dokkaebi](https://vuldb.com/?actor.dokkaebi). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Dokkaebi](https://vuldb.com/?actor.dokkaebi). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.dokkaebi](https://vuldb.com/?actor.dokkaebi)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.dokkaebi](https://vuldb.com/?actor.dokkaebi)
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Dokkaebi.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Dokkaebi.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 7.0.4.325 | - | High
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [7.0.4.325](https://vuldb.com/?ip.7.0.4.325) | - | - | High
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://www.threatminer.org/report.php?q=FSIThreatIntelligenceReport-CampaignDOKKAEBI.pdf&y=2018
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
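Review bot: `7.0.4.325` is not a valid IPv4 address (the last octet exceeds 255), so the row was wrong before this change and now also wraps the value in a link to `https://vuldb.com/?ip.7.0.4.325` that cannot correspond to a real host record. The generator should validate addresses before emitting the IOC table; this row should be corrected against the cited FSI Dokkaebi report or dropped rather than published with High confidence.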

View File

@ -43,7 +43,7 @@ There are 38 more IOC items available. Please use our online service to access t
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Donot_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Donot_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------

View File

@ -32,7 +32,7 @@ There are 22 more IOC items available. Please use our online service to access t
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Dukes_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Dukes_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------

View File

@ -1,6 +1,6 @@
# Emotet - Cyber Threat Intelligence
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Emotet](https://vuldb.com/?actor.emotet). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Emotet](https://vuldb.com/?actor.emotet). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.emotet](https://vuldb.com/?actor.emotet)
@ -8,9 +8,9 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Emotet:
* VN
* CN
* US
* [VN](https://vuldb.com/?country.vn)
* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* ...
There are 1 more country items available. Please use our online service to access the data.
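Review bot: CN and US swap positions in the country list with no change to the "1 more" count and no note on what the order means; if the list is ranked by observed activity the page should say so, otherwise the reorder is churn that makes every diff of these files noisy.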
@ -21,174 +21,180 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 1.186.249.82 | 1.186.249.82.dvois.com | - | High
2 | 1.226.84.243 | - | - | High
3 | 2.58.16.86 | - | - | High
4 | 2.58.16.89 | - | - | High
5 | 2.82.75.215 | bl21-75-215.dsl.telepac.pt | - | High
6 | 5.2.84.232 | momos.alastyr.com | - | High
7 | 5.2.136.90 | static-5-2-136-90.rdsnet.ro | - | High
8 | 5.2.182.7 | static-5-2-182-7.rdsnet.ro | - | High
9 | 5.2.212.254 | static-5-2-212-254.rdsnet.ro | - | High
10 | 5.9.189.24 | static.24.189.9.5.clients.your-server.de | - | High
11 | 5.12.246.155 | 5-12-246-155.residential.rdsnet.ro | - | High
12 | 5.35.249.46 | rs250366.rs.hosteurope.de | - | High
13 | 5.39.91.110 | ns3278366.ip-5-39-91.eu | - | High
14 | 5.79.70.250 | - | - | High
15 | 5.89.33.136 | net-5-89-33-136.cust.vodafonedsl.it | - | High
16 | 5.159.57.195 | www-riedle.transfermarkt.de | - | High
17 | 5.196.35.138 | vps10.open-techno.net | - | High
18 | 5.230.193.41 | casagarcia-web.sys.netzfabrik.eu | - | High
19 | 8.4.9.137 | onlinehorizons.net | - | High
20 | 8.247.6.134 | - | - | High
21 | 12.32.68.154 | mail.sealscoinc.com | - | High
22 | 12.149.72.170 | - | - | High
23 | 12.162.84.2 | - | - | High
24 | 12.163.208.58 | - | - | High
25 | 12.182.146.226 | - | - | High
26 | 12.184.217.101 | - | - | High
27 | 23.6.65.194 | a23-6-65-194.deploy.static.akamaitechnologies.com | - | High
28 | 23.36.85.183 | a23-36-85-183.deploy.static.akamaitechnologies.com | - | High
29 | 23.199.63.11 | a23-199-63-11.deploy.static.akamaitechnologies.com | - | High
30 | 23.199.71.185 | a23-199-71-185.deploy.static.akamaitechnologies.com | - | High
31 | 23.239.2.11 | li683-11.members.linode.com | - | High
32 | 24.43.99.75 | rrcs-24-43-99-75.west.biz.rr.com | - | High
33 | 24.101.229.82 | dynamic-acs-24-101-229-82.zoominternet.net | - | High
34 | 24.119.116.230 | 24-119-116-230.cpe.sparklight.net | - | High
35 | 24.121.176.48 | 24-121-176-48.prkrcmtc01.com.sta.suddenlink.net | - | High
36 | 24.137.76.62 | host-24-137-76-62.public.eastlink.ca | - | High
37 | 24.178.90.49 | 024-178-090-049.res.spectrum.com | - | High
38 | 24.179.13.119 | 024-179-013-119.res.spectrum.com | - | High
39 | 24.217.117.217 | 024-217-117-217.res.spectrum.com | - | High
40 | 24.232.228.233 | OL233-228.fibertel.com.ar | - | High
41 | 24.244.177.40 | - | - | High
42 | 27.78.27.110 | localhost | - | High
43 | 27.82.13.10 | KD027082013010.ppp-bb.dion.ne.jp | - | High
44 | 27.109.24.214 | - | - | High
45 | 27.114.9.93 | i27-114-9-93.s41.a011.ap.plala.or.jp | - | High
46 | 36.91.44.183 | - | - | High
47 | 37.46.129.215 | we-too.ru | - | High
48 | 37.97.135.82 | 37-97-135-82.colo.transip.net | - | High
49 | 37.139.21.175 | 37.139.21.175-e2-8080-keep-up | - | High
50 | 37.179.204.33 | - | - | High
51 | 37.187.4.178 | ks2.kku.io | - | High
52 | 37.187.57.57 | ns3357940.ovh.net | - | High
53 | 37.187.72.193 | ns3362285.ip-37-187-72.eu | - | High
54 | 37.187.161.206 | toolbox.alabs.io | - | High
55 | 37.205.9.252 | s1.ithelp24.eu | - | High
56 | 37.221.70.250 | b2b-customer.inftele.net | - | High
57 | 41.76.108.46 | - | - | High
58 | 41.169.36.237 | - | - | High
59 | 41.185.28.84 | brf01-nix01.wadns.net | - | High
60 | 41.185.29.128 | abp79-nix01.wadns.net | - | High
61 | 41.231.225.139 | - | - | High
62 | 42.62.40.103 | - | - | High
63 | 45.16.226.117 | 45-16-226-117.lightspeed.sndgca.sbcglobal.net | - | High
64 | 45.33.77.42 | li1023-42.members.linode.com | - | High
65 | 45.46.37.97 | cpe-45-46-37-97.maine.res.rr.com | - | High
66 | 45.55.36.51 | - | - | High
67 | 45.55.219.163 | - | - | High
68 | 45.79.95.107 | li1194-107.members.linode.com | - | High
69 | 45.80.148.200 | - | - | High
70 | 45.118.115.99 | - | - | High
71 | 45.118.135.203 | 45-118-135-203.ip.linodeusercontent.com | - | High
72 | 45.142.114.231 | mail.dounutmail.de | - | High
73 | 45.230.45.171 | - | - | High
74 | 46.4.100.178 | support.wizard-shopservice.de | - | High
75 | 46.4.192.185 | static.185.192.4.46.clients.your-server.de | - | High
76 | 46.28.111.142 | enkindu.jsuchy.net | - | High
77 | 46.32.229.152 | 094882.vps-10.com | - | High
78 | 46.32.233.226 | yetitoolusa.com | - | High
79 | 46.38.238.8 | v2202109122001163131.happysrv.de | - | High
80 | 46.43.2.95 | chris.default.cjenkinson.uk0.bigv.io | - | High
81 | 46.55.222.11 | - | - | High
82 | 46.101.58.37 | 46.101.58.37-e1-8080 | - | High
83 | 46.105.81.76 | myu0.cylipo.sbs | - | High
84 | 46.105.114.137 | ns3188253.ip-46-105-114.eu | - | High
85 | 46.105.131.68 | http.adven.fr | - | High
86 | 46.105.131.79 | relay.adven.fr | - | High
87 | 46.105.131.87 | pop.adven.fr | - | High
88 | 46.105.236.18 | - | - | High
89 | 46.165.254.206 | - | - | High
90 | 46.214.107.142 | 46-214-107-142.next-gen.ro | - | High
91 | 47.36.140.164 | 047-036-140-164.res.spectrum.com | - | High
92 | 47.146.39.147 | - | - | High
93 | 47.188.131.94 | - | - | High
94 | 49.12.121.47 | filezilla-project.org | - | High
95 | 49.50.209.131 | 131.host-49-50-209.euba.megatel.co.nz | - | High
96 | 49.212.135.76 | os3-321-50322.vs.sakura.ne.jp | - | High
97 | 49.212.155.94 | os3-325-52340.vs.sakura.ne.jp | - | High
98 | 50.28.51.143 | - | - | High
99 | 50.31.146.101 | mail.brillinjurylaw.com | - | High
100 | 50.56.135.44 | - | - | High
101 | 50.91.114.38 | 050-091-114-038.res.spectrum.com | - | High
102 | 50.116.78.109 | intersearchmedia.com | - | High
103 | 50.245.107.73 | 50-245-107-73-static.hfc.comcastbusiness.net | - | High
104 | 51.15.4.22 | 51-15-4-22.rev.poneytelecom.eu | - | High
105 | 51.15.7.145 | 51-15-7-145.rev.poneytelecom.eu | - | High
106 | 51.75.33.127 | ip127.ip-51-75-33.eu | - | High
107 | 51.89.36.180 | ip180.ip-51-89-36.eu | - | High
108 | 51.89.199.141 | ip141.ip-51-89-199.eu | - | High
109 | 51.255.165.160 | 160.ip-51-255-165.eu | - | High
110 | 54.38.143.245 | tools.inovato.me | - | High
111 | 58.27.215.3 | 58-27-215-3.wateen.net | - | High
112 | 58.94.58.13 | i58-94-58-13.s41.a014.ap.plala.or.jp | - | High
113 | 58.227.42.236 | - | - | High
114 | 59.148.253.194 | 059148253194.ctinets.com | - | High
115 | 60.93.23.51 | softbank060093023051.bbtec.net | - | High
116 | 60.108.128.186 | softbank060108128186.bbtec.net | - | High
117 | 60.125.114.64 | softbank060125114064.bbtec.net | - | High
118 | 60.249.78.226 | 60-249-78-226.hinet-ip.hinet.net | - | High
119 | 61.19.246.238 | - | - | High
120 | 62.30.7.67 | 67.7-30-62.static.virginmediabusiness.co.uk | - | High
121 | 62.75.141.82 | static-ip-62-75-141-82.inaddr.ip-pool.com | - | High
122 | 62.84.75.50 | mail.saadegrp.com.lb | - | High
123 | 62.171.142.179 | vmi499457.contaboserver.net | - | High
124 | 62.212.34.102 | - | - | High
125 | 64.207.182.168 | - | - | High
126 | 66.54.51.172 | - | - | High
127 | 66.76.26.33 | 66-76-26-33.hdsncmta01.com.sta.suddenlink.net | - | High
128 | 66.228.61.248 | li318-248.members.linode.com | - | High
129 | 67.19.105.107 | ns2.datatrust.com.br | - | High
130 | 67.170.250.203 | c-67-170-250-203.hsd1.ca.comcast.net | - | High
131 | 68.2.97.91 | ip68-2-97-91.ph.ph.cox.net | - | High
132 | 68.183.170.114 | 68.183.170.114-e1-8080-keep-up | - | High
133 | 68.183.190.199 | 68.183.190.199-e1-8080-keep-up | - | High
134 | 69.17.170.58 | unallocated-static.rogers.com | - | High
135 | 69.43.168.200 | ns0.imunplugged.com | - | High
136 | 69.45.19.251 | coastinet.com | - | High
137 | 69.167.152.111 | - | - | High
138 | 70.32.84.74 | - | - | High
139 | 70.32.89.105 | parties-at-sea.com | - | High
140 | 70.32.92.133 | popdesigngroup.com | - | High
141 | 70.32.115.157 | harpotripofalifetime.com | - | High
142 | 70.168.7.6 | wsip-70-168-7-6.ri.ri.cox.net | - | High
143 | 70.182.77.184 | wsip-70-182-77-184.ok.ok.cox.net | - | High
144 | 70.184.125.132 | wsip-70-184-125-132.ph.ph.cox.net | - | High
145 | 71.15.245.148 | 071-015-245-148.res.spectrum.com | - | High
146 | 71.197.211.156 | c-71-197-211-156.hsd1.wa.comcast.net | - | High
147 | 71.244.60.231 | static-71-244-60-231.dllstx.fios.frontiernet.net | - | High
148 | 72.10.49.117 | rtw7-rfpn.accessdomain.com | - | High
149 | 72.18.204.17 | lasvegas-nv-datacenter.com | - | High
150 | 72.45.212.62 | nyinstituteofmassage.com | - | High
151 | 72.186.136.247 | 072-186-136-247.biz.spectrum.com | - | High
152 | 73.8.195.237 | c-73-8-195-237.hsd1.il.comcast.net | - | High
153 | ... | ... | ... | ...
1 | [1.186.249.82](https://vuldb.com/?ip.1.186.249.82) | 1.186.249.82.dvois.com | - | High
2 | [1.226.84.243](https://vuldb.com/?ip.1.226.84.243) | - | - | High
3 | [2.58.16.86](https://vuldb.com/?ip.2.58.16.86) | - | - | High
4 | [2.58.16.89](https://vuldb.com/?ip.2.58.16.89) | - | - | High
5 | [2.82.75.215](https://vuldb.com/?ip.2.82.75.215) | bl21-75-215.dsl.telepac.pt | - | High
6 | [5.2.84.232](https://vuldb.com/?ip.5.2.84.232) | momos.alastyr.com | - | High
7 | [5.2.136.90](https://vuldb.com/?ip.5.2.136.90) | static-5-2-136-90.rdsnet.ro | - | High
8 | [5.2.182.7](https://vuldb.com/?ip.5.2.182.7) | static-5-2-182-7.rdsnet.ro | - | High
9 | [5.2.212.254](https://vuldb.com/?ip.5.2.212.254) | static-5-2-212-254.rdsnet.ro | - | High
10 | [5.9.189.24](https://vuldb.com/?ip.5.9.189.24) | static.24.189.9.5.clients.your-server.de | - | High
11 | [5.12.246.155](https://vuldb.com/?ip.5.12.246.155) | 5-12-246-155.residential.rdsnet.ro | - | High
12 | [5.35.249.46](https://vuldb.com/?ip.5.35.249.46) | rs250366.rs.hosteurope.de | - | High
13 | [5.39.91.110](https://vuldb.com/?ip.5.39.91.110) | ns3278366.ip-5-39-91.eu | - | High
14 | [5.79.70.250](https://vuldb.com/?ip.5.79.70.250) | - | - | High
15 | [5.89.33.136](https://vuldb.com/?ip.5.89.33.136) | net-5-89-33-136.cust.vodafonedsl.it | - | High
16 | [5.159.57.195](https://vuldb.com/?ip.5.159.57.195) | www-riedle.transfermarkt.de | - | High
17 | [5.196.35.138](https://vuldb.com/?ip.5.196.35.138) | vps10.open-techno.net | - | High
18 | [5.230.193.41](https://vuldb.com/?ip.5.230.193.41) | casagarcia-web.sys.netzfabrik.eu | - | High
19 | [8.4.9.137](https://vuldb.com/?ip.8.4.9.137) | onlinehorizons.net | - | High
20 | [8.247.6.134](https://vuldb.com/?ip.8.247.6.134) | - | - | High
21 | [12.32.68.154](https://vuldb.com/?ip.12.32.68.154) | mail.sealscoinc.com | - | High
22 | [12.149.72.170](https://vuldb.com/?ip.12.149.72.170) | - | - | High
23 | [12.162.84.2](https://vuldb.com/?ip.12.162.84.2) | - | - | High
24 | [12.163.208.58](https://vuldb.com/?ip.12.163.208.58) | - | - | High
25 | [12.182.146.226](https://vuldb.com/?ip.12.182.146.226) | - | - | High
26 | [12.184.217.101](https://vuldb.com/?ip.12.184.217.101) | - | - | High
27 | [23.6.65.194](https://vuldb.com/?ip.23.6.65.194) | a23-6-65-194.deploy.static.akamaitechnologies.com | - | High
28 | [23.36.85.183](https://vuldb.com/?ip.23.36.85.183) | a23-36-85-183.deploy.static.akamaitechnologies.com | - | High
29 | [23.199.63.11](https://vuldb.com/?ip.23.199.63.11) | a23-199-63-11.deploy.static.akamaitechnologies.com | - | High
30 | [23.199.71.185](https://vuldb.com/?ip.23.199.71.185) | a23-199-71-185.deploy.static.akamaitechnologies.com | - | High
31 | [23.239.2.11](https://vuldb.com/?ip.23.239.2.11) | li683-11.members.linode.com | - | High
32 | [24.43.99.75](https://vuldb.com/?ip.24.43.99.75) | rrcs-24-43-99-75.west.biz.rr.com | - | High
33 | [24.101.229.82](https://vuldb.com/?ip.24.101.229.82) | dynamic-acs-24-101-229-82.zoominternet.net | - | High
34 | [24.119.116.230](https://vuldb.com/?ip.24.119.116.230) | 24-119-116-230.cpe.sparklight.net | - | High
35 | [24.121.176.48](https://vuldb.com/?ip.24.121.176.48) | 24-121-176-48.prkrcmtc01.com.sta.suddenlink.net | - | High
36 | [24.137.76.62](https://vuldb.com/?ip.24.137.76.62) | host-24-137-76-62.public.eastlink.ca | - | High
37 | [24.178.90.49](https://vuldb.com/?ip.24.178.90.49) | 024-178-090-049.res.spectrum.com | - | High
38 | [24.179.13.119](https://vuldb.com/?ip.24.179.13.119) | 024-179-013-119.res.spectrum.com | - | High
39 | [24.217.117.217](https://vuldb.com/?ip.24.217.117.217) | 024-217-117-217.res.spectrum.com | - | High
40 | [24.232.228.233](https://vuldb.com/?ip.24.232.228.233) | OL233-228.fibertel.com.ar | - | High
41 | [24.244.177.40](https://vuldb.com/?ip.24.244.177.40) | - | - | High
42 | [27.78.27.110](https://vuldb.com/?ip.27.78.27.110) | localhost | - | High
43 | [27.82.13.10](https://vuldb.com/?ip.27.82.13.10) | KD027082013010.ppp-bb.dion.ne.jp | - | High
44 | [27.109.24.214](https://vuldb.com/?ip.27.109.24.214) | - | - | High
45 | [27.114.9.93](https://vuldb.com/?ip.27.114.9.93) | i27-114-9-93.s41.a011.ap.plala.or.jp | - | High
46 | [35.190.87.116](https://vuldb.com/?ip.35.190.87.116) | 116.87.190.35.bc.googleusercontent.com | - | Medium
47 | [36.91.44.183](https://vuldb.com/?ip.36.91.44.183) | - | - | High
48 | [37.46.129.215](https://vuldb.com/?ip.37.46.129.215) | we-too.ru | - | High
49 | [37.97.135.82](https://vuldb.com/?ip.37.97.135.82) | 37-97-135-82.colo.transip.net | - | High
50 | [37.139.21.175](https://vuldb.com/?ip.37.139.21.175) | 37.139.21.175-e2-8080-keep-up | - | High
51 | [37.179.204.33](https://vuldb.com/?ip.37.179.204.33) | - | - | High
52 | [37.187.4.178](https://vuldb.com/?ip.37.187.4.178) | ks2.kku.io | - | High
53 | [37.187.57.57](https://vuldb.com/?ip.37.187.57.57) | ns3357940.ovh.net | - | High
54 | [37.187.72.193](https://vuldb.com/?ip.37.187.72.193) | ns3362285.ip-37-187-72.eu | - | High
55 | [37.187.161.206](https://vuldb.com/?ip.37.187.161.206) | toolbox.alabs.io | - | High
56 | [37.205.9.252](https://vuldb.com/?ip.37.205.9.252) | s1.ithelp24.eu | - | High
57 | [37.221.70.250](https://vuldb.com/?ip.37.221.70.250) | b2b-customer.inftele.net | - | High
58 | [41.76.108.46](https://vuldb.com/?ip.41.76.108.46) | - | - | High
59 | [41.169.36.237](https://vuldb.com/?ip.41.169.36.237) | - | - | High
60 | [41.185.28.84](https://vuldb.com/?ip.41.185.28.84) | brf01-nix01.wadns.net | - | High
61 | [41.185.29.128](https://vuldb.com/?ip.41.185.29.128) | abp79-nix01.wadns.net | - | High
62 | [41.231.225.139](https://vuldb.com/?ip.41.231.225.139) | - | - | High
63 | [42.62.40.103](https://vuldb.com/?ip.42.62.40.103) | - | - | High
64 | [45.16.226.117](https://vuldb.com/?ip.45.16.226.117) | 45-16-226-117.lightspeed.sndgca.sbcglobal.net | - | High
65 | [45.33.77.42](https://vuldb.com/?ip.45.33.77.42) | li1023-42.members.linode.com | - | High
66 | [45.46.37.97](https://vuldb.com/?ip.45.46.37.97) | cpe-45-46-37-97.maine.res.rr.com | - | High
67 | [45.55.36.51](https://vuldb.com/?ip.45.55.36.51) | - | - | High
68 | [45.55.219.163](https://vuldb.com/?ip.45.55.219.163) | - | - | High
69 | [45.79.95.107](https://vuldb.com/?ip.45.79.95.107) | li1194-107.members.linode.com | - | High
70 | [45.80.148.200](https://vuldb.com/?ip.45.80.148.200) | - | - | High
71 | [45.118.115.99](https://vuldb.com/?ip.45.118.115.99) | - | - | High
72 | [45.118.135.203](https://vuldb.com/?ip.45.118.135.203) | 45-118-135-203.ip.linodeusercontent.com | - | High
73 | [45.142.114.231](https://vuldb.com/?ip.45.142.114.231) | mail.dounutmail.de | - | High
74 | [45.230.45.171](https://vuldb.com/?ip.45.230.45.171) | - | - | High
75 | [46.4.100.178](https://vuldb.com/?ip.46.4.100.178) | support.wizard-shopservice.de | - | High
76 | [46.4.192.185](https://vuldb.com/?ip.46.4.192.185) | static.185.192.4.46.clients.your-server.de | - | High
77 | [46.28.111.142](https://vuldb.com/?ip.46.28.111.142) | enkindu.jsuchy.net | - | High
78 | [46.32.229.152](https://vuldb.com/?ip.46.32.229.152) | 094882.vps-10.com | - | High
79 | [46.32.233.226](https://vuldb.com/?ip.46.32.233.226) | yetitoolusa.com | - | High
80 | [46.38.238.8](https://vuldb.com/?ip.46.38.238.8) | v2202109122001163131.happysrv.de | - | High
81 | [46.43.2.95](https://vuldb.com/?ip.46.43.2.95) | chris.default.cjenkinson.uk0.bigv.io | - | High
82 | [46.55.222.11](https://vuldb.com/?ip.46.55.222.11) | - | - | High
83 | [46.101.58.37](https://vuldb.com/?ip.46.101.58.37) | 46.101.58.37-e1-8080 | - | High
84 | [46.105.81.76](https://vuldb.com/?ip.46.105.81.76) | myu0.cylipo.sbs | - | High
85 | [46.105.114.137](https://vuldb.com/?ip.46.105.114.137) | ns3188253.ip-46-105-114.eu | - | High
86 | [46.105.131.68](https://vuldb.com/?ip.46.105.131.68) | http.adven.fr | - | High
87 | [46.105.131.79](https://vuldb.com/?ip.46.105.131.79) | relay.adven.fr | - | High
88 | [46.105.131.87](https://vuldb.com/?ip.46.105.131.87) | pop.adven.fr | - | High
89 | [46.105.236.18](https://vuldb.com/?ip.46.105.236.18) | - | - | High
90 | [46.165.254.206](https://vuldb.com/?ip.46.165.254.206) | - | - | High
91 | [46.214.107.142](https://vuldb.com/?ip.46.214.107.142) | 46-214-107-142.next-gen.ro | - | High
92 | [47.36.140.164](https://vuldb.com/?ip.47.36.140.164) | 047-036-140-164.res.spectrum.com | - | High
93 | [47.146.39.147](https://vuldb.com/?ip.47.146.39.147) | - | - | High
94 | [47.188.131.94](https://vuldb.com/?ip.47.188.131.94) | - | - | High
95 | [47.246.24.225](https://vuldb.com/?ip.47.246.24.225) | - | - | High
96 | [47.246.24.226](https://vuldb.com/?ip.47.246.24.226) | - | - | High
97 | [47.246.24.230](https://vuldb.com/?ip.47.246.24.230) | - | - | High
98 | [47.246.24.232](https://vuldb.com/?ip.47.246.24.232) | - | - | High
99 | [49.12.121.47](https://vuldb.com/?ip.49.12.121.47) | filezilla-project.org | - | High
100 | [49.50.209.131](https://vuldb.com/?ip.49.50.209.131) | 131.host-49-50-209.euba.megatel.co.nz | - | High
101 | [49.212.135.76](https://vuldb.com/?ip.49.212.135.76) | os3-321-50322.vs.sakura.ne.jp | - | High
102 | [49.212.155.94](https://vuldb.com/?ip.49.212.155.94) | os3-325-52340.vs.sakura.ne.jp | - | High
103 | [50.28.51.143](https://vuldb.com/?ip.50.28.51.143) | - | - | High
104 | [50.31.146.101](https://vuldb.com/?ip.50.31.146.101) | mail.brillinjurylaw.com | - | High
105 | [50.56.135.44](https://vuldb.com/?ip.50.56.135.44) | - | - | High
106 | [50.91.114.38](https://vuldb.com/?ip.50.91.114.38) | 050-091-114-038.res.spectrum.com | - | High
107 | [50.116.78.109](https://vuldb.com/?ip.50.116.78.109) | intersearchmedia.com | - | High
108 | [50.245.107.73](https://vuldb.com/?ip.50.245.107.73) | 50-245-107-73-static.hfc.comcastbusiness.net | - | High
109 | [51.15.4.22](https://vuldb.com/?ip.51.15.4.22) | 51-15-4-22.rev.poneytelecom.eu | - | High
110 | [51.15.7.145](https://vuldb.com/?ip.51.15.7.145) | 51-15-7-145.rev.poneytelecom.eu | - | High
111 | [51.75.33.127](https://vuldb.com/?ip.51.75.33.127) | ip127.ip-51-75-33.eu | - | High
112 | [51.89.36.180](https://vuldb.com/?ip.51.89.36.180) | ip180.ip-51-89-36.eu | - | High
113 | [51.89.199.141](https://vuldb.com/?ip.51.89.199.141) | ip141.ip-51-89-199.eu | - | High
114 | [51.255.165.160](https://vuldb.com/?ip.51.255.165.160) | 160.ip-51-255-165.eu | - | High
115 | [54.38.143.245](https://vuldb.com/?ip.54.38.143.245) | tools.inovato.me | - | High
116 | [58.27.215.3](https://vuldb.com/?ip.58.27.215.3) | 58-27-215-3.wateen.net | - | High
117 | [58.94.58.13](https://vuldb.com/?ip.58.94.58.13) | i58-94-58-13.s41.a014.ap.plala.or.jp | - | High
118 | [58.216.16.130](https://vuldb.com/?ip.58.216.16.130) | - | - | High
119 | [58.227.42.236](https://vuldb.com/?ip.58.227.42.236) | - | - | High
120 | [59.148.253.194](https://vuldb.com/?ip.59.148.253.194) | 059148253194.ctinets.com | - | High
121 | [60.93.23.51](https://vuldb.com/?ip.60.93.23.51) | softbank060093023051.bbtec.net | - | High
122 | [60.108.128.186](https://vuldb.com/?ip.60.108.128.186) | softbank060108128186.bbtec.net | - | High
123 | [60.125.114.64](https://vuldb.com/?ip.60.125.114.64) | softbank060125114064.bbtec.net | - | High
124 | [60.249.78.226](https://vuldb.com/?ip.60.249.78.226) | 60-249-78-226.hinet-ip.hinet.net | - | High
125 | [61.19.246.238](https://vuldb.com/?ip.61.19.246.238) | - | - | High
126 | [62.30.7.67](https://vuldb.com/?ip.62.30.7.67) | 67.7-30-62.static.virginmediabusiness.co.uk | - | High
127 | [62.75.141.82](https://vuldb.com/?ip.62.75.141.82) | static-ip-62-75-141-82.inaddr.ip-pool.com | - | High
128 | [62.84.75.50](https://vuldb.com/?ip.62.84.75.50) | mail.saadegrp.com.lb | - | High
129 | [62.171.142.179](https://vuldb.com/?ip.62.171.142.179) | vmi499457.contaboserver.net | - | High
130 | [62.212.34.102](https://vuldb.com/?ip.62.212.34.102) | - | - | High
131 | [64.190.63.136](https://vuldb.com/?ip.64.190.63.136) | - | - | High
132 | [64.207.182.168](https://vuldb.com/?ip.64.207.182.168) | - | - | High
133 | [66.54.51.172](https://vuldb.com/?ip.66.54.51.172) | - | - | High
134 | [66.76.26.33](https://vuldb.com/?ip.66.76.26.33) | 66-76-26-33.hdsncmta01.com.sta.suddenlink.net | - | High
135 | [66.228.61.248](https://vuldb.com/?ip.66.228.61.248) | li318-248.members.linode.com | - | High
136 | [67.19.105.107](https://vuldb.com/?ip.67.19.105.107) | ns2.datatrust.com.br | - | High
137 | [67.170.250.203](https://vuldb.com/?ip.67.170.250.203) | c-67-170-250-203.hsd1.ca.comcast.net | - | High
138 | [67.225.218.50](https://vuldb.com/?ip.67.225.218.50) | lb01.parklogic.com | - | High
139 | [68.2.97.91](https://vuldb.com/?ip.68.2.97.91) | ip68-2-97-91.ph.ph.cox.net | - | High
140 | [68.183.170.114](https://vuldb.com/?ip.68.183.170.114) | 68.183.170.114-e1-8080-keep-up | - | High
141 | [68.183.190.199](https://vuldb.com/?ip.68.183.190.199) | 68.183.190.199-e1-8080-keep-up | - | High
142 | [69.17.170.58](https://vuldb.com/?ip.69.17.170.58) | unallocated-static.rogers.com | - | High
143 | [69.43.168.200](https://vuldb.com/?ip.69.43.168.200) | ns0.imunplugged.com | - | High
144 | [69.45.19.251](https://vuldb.com/?ip.69.45.19.251) | coastinet.com | - | High
145 | [69.167.152.111](https://vuldb.com/?ip.69.167.152.111) | - | - | High
146 | [69.198.17.49](https://vuldb.com/?ip.69.198.17.49) | 69-198-17-49.customerip.birch.net | - | High
147 | [70.32.84.74](https://vuldb.com/?ip.70.32.84.74) | - | - | High
148 | [70.32.89.105](https://vuldb.com/?ip.70.32.89.105) | parties-at-sea.com | - | High
149 | [70.32.92.133](https://vuldb.com/?ip.70.32.92.133) | popdesigngroup.com | - | High
150 | [70.32.115.157](https://vuldb.com/?ip.70.32.115.157) | harpotripofalifetime.com | - | High
151 | [70.168.7.6](https://vuldb.com/?ip.70.168.7.6) | wsip-70-168-7-6.ri.ri.cox.net | - | High
152 | [70.182.77.184](https://vuldb.com/?ip.70.182.77.184) | wsip-70-182-77-184.ok.ok.cox.net | - | High
153 | [70.184.125.132](https://vuldb.com/?ip.70.184.125.132) | wsip-70-184-125-132.ph.ph.cox.net | - | High
154 | [71.15.245.148](https://vuldb.com/?ip.71.15.245.148) | 071-015-245-148.res.spectrum.com | - | High
155 | [71.197.211.156](https://vuldb.com/?ip.71.197.211.156) | c-71-197-211-156.hsd1.wa.comcast.net | - | High
156 | [71.244.60.231](https://vuldb.com/?ip.71.244.60.231) | static-71-244-60-231.dllstx.fios.frontiernet.net | - | High
157 | [72.10.49.117](https://vuldb.com/?ip.72.10.49.117) | rtw7-rfpn.accessdomain.com | - | High
158 | [72.18.204.17](https://vuldb.com/?ip.72.18.204.17) | lasvegas-nv-datacenter.com | - | High
159 | ... | ... | ... | ...
There are 606 more IOC items available. Please use our online service to access the data.
There are 630 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Emotet. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Emotet_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
There are 7 more TTP items available. Please use our online service to access the data.
There are 6 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
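Review bot: the Hostname column in rows 87-158 mixes reverse-DNS results with strings that read like indicators, and a consumer who feeds this table into a blocklist cannot tell them apart: row 99 resolves `49.12.121.47` to `filezilla-project.org`, and rows 140-141 carry `68.183.170.114-e1-8080-keep-up`, a provider-assigned PTR label rather than a name the actor controls. Suggest the IOC intro state that Hostname is the PTR record at collection time and is not itself an indicator, or that such rows not carry High confidence. Separately, the TTP rows for T1059.007 and T1110.001 now list two CWEs each while the Description column still names a single weakness per row; a short sentence on how Weakness and Description relate would avoid the impression that the two columns disagree.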
@ -196,21 +202,20 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/appliance/users?action=edit` | High
2 | File | `/CMD_ACCOUNT_ADMIN` | High
3 | File | `/context/%2e/WEB-INF/web.xml` | High
4 | File | `/horde/util/go.php` | High
5 | File | `/jeecg-boot/sys/user/queryUserByDepId` | High
6 | File | `/js/js-parser.c` | High
7 | File | `/MobiPlusWeb/Handlers/MainHandler.ashx?MethodName=GridData&GridName=Users` | High
8 | File | `/ms/cms/content/list.do` | High
9 | File | `/ms/file/uploadTemplate.do` | High
10 | File | `/ping.html` | Medium
11 | File | `/SASWebReportStudio/logonAndRender.do` | High
12 | File | `/sys/user/queryUserComponentData` | High
13 | ... | ... | ...
1 | File | `/.htaccess` | Medium
2 | File | `/admin/ajax/avatar.php` | High
3 | File | `/admin/uploads.php` | High
4 | File | `/alerts/alertConfigField.php` | High
5 | File | `/alerts/alertLightbox.php` | High
6 | File | `/aqpg/users/login.php` | High
7 | File | `/classes/ajax/Functions.php` | High
8 | File | `/cwms/admin/?page=articles/view_article/` | High
9 | File | `/cwms/classes/Master.php?f=save_contact` | High
10 | File | `/i/:data/ipa.plist` | High
11 | File | `/jquery_file_upload/server/php/index.php` | High
12 | ... | ... | ...
There are 104 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 95 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
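Review bot: in the IOA table the previous twelve indicators are replaced wholesale (none of `/appliance/users?action=edit` through `/sys/user/queryUserComponentData` survives into new rows 1-11) and the footer count drops from 104 to 95, yet nothing in the hunk says whether the removed paths were retracted or only fell out of a ranked window; a sentence in the IOA intro stating that the table is a snapshot of the current top entries, not a cumulative list, would stop readers from treating this as a correction. Also, new row 10 `/i/:data/ipa.plist` contains the route parameter `:data`, so it is a path template rather than a file and fits the `pattern` type the footer advertises better than `File`.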
@ -228,6 +233,8 @@ The following list contains _external sources_ which discuss the actor and the a
* https://blog.talosintelligence.com/2022/01/threat-roundup-0121-0128.html
* https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
* https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html
* https://blog.talosintelligence.com/2022/03/threat-roundup-0225-0304.html
* https://blogs.blackberry.com/en/2017/12/threat-spotlight-emotet-infostealer-malware
* https://community.blueliv.com/#!/s/5fb2ee2482df413eaf344b29
* https://ddanchev.blogspot.com/2022/01/profiling-emotet-botnet-c.html
* https://pastebin.com/uPn1zM6b
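Review bot: the two added references differ in durability: the Talos threat-roundup URL follows the pattern of the three lines above it, but `https://pastebin.com/uPn1zM6b` is an anonymous paste that can be edited or removed without notice, and the neighbouring `community.blueliv.com/#!/s/...` entry is a client-side route that needs an account to open. Suggest adding a one-line description and retrieval date next to such entries, or an archived copy, so the source stays checkable after the paste is gone.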


@ -1,58 +1,58 @@
# Equation - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Equation](https://vuldb.com/?actor.equation). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Equation](https://vuldb.com/?actor.equation). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.equation](https://vuldb.com/?actor.equation)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.equation](https://vuldb.com/?actor.equation)
## Campaigns
The following campaigns are known and can be associated with Equation:
The following _campaigns_ are known and can be associated with Equation:
* Gauss
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Equation:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Equation:
* US
* ES
* GB
* [ES](https://vuldb.com/?country.es)
* [US](https://vuldb.com/?country.us)
* [GB](https://vuldb.com/?country.gb)
* ...
There are 4 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Equation.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Equation.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 41.222.35.70 | 70.35.static.rdns.co.za | High
2 | 62.216.152.67 | - | High
3 | 64.76.82.52 | c647682-52.static.impsat.com.co | High
4 | 80.77.4.3 | - | High
5 | 81.31.34.175 | 81-31-34-175.static.masterinter.net | High
6 | 81.31.36.174 | vl504.sl509s.r1-3.dc1.4d.prg.masterinter.net | High
7 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [41.222.35.70](https://vuldb.com/?ip.41.222.35.70) | 70.35.static.rdns.co.za | - | High
2 | [62.216.152.67](https://vuldb.com/?ip.62.216.152.67) | - | - | High
3 | [64.76.82.52](https://vuldb.com/?ip.64.76.82.52) | c647682-52.static.impsat.com.co | - | High
4 | [80.77.4.3](https://vuldb.com/?ip.80.77.4.3) | - | - | High
5 | [81.31.34.175](https://vuldb.com/?ip.81.31.34.175) | 81-31-34-175.static.masterinter.net | - | High
6 | [81.31.36.174](https://vuldb.com/?ip.81.31.36.174) | vl504.sl509s.r1-3.dc1.4d.prg.masterinter.net | - | High
7 | ... | ... | ... | ...
There are 24 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Equation. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Equation_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1211 | 7PK Security Features | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1211 | CWE-254 | 7PK Security Features | High
4 | ... | ... | ... | ...
There are 1 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Equation. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Equation. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
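Review bot: the rewritten intro replaces a concrete capability statement (`is able to forecast activities`) with `uses _big data_ to forecast`, which says less, not more: neither version names any input beyond the social media, forum, chat room and darknet sources already listed in the same sentence, so the new phrasing reads as marketing. Suggest keeping the original verb and, if the data volume matters, stating what is actually measured. In the same hunk the IOC rows gain a Campaign column that is `-` in all six visible rows although the Campaigns section above lists Gauss; if no Equation address is attributed to Gauss the column adds nothing here, and if the attribution exists the rows should carry it.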
@ -61,18 +61,18 @@ ID | Type | Indicator | Confidence
3 | File | `GetRules.asp` | Medium
4 | ... | ... | ...
There are 9 more IOA items available. Please use our online service to access the data.
There are 9 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf
* https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134940/kaspersky-lab-gauss.pdf
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)


@ -1,26 +1,26 @@
# EquationDrug - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [EquationDrug](https://vuldb.com/?actor.equationdrug). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [EquationDrug](https://vuldb.com/?actor.equationdrug). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.equationdrug](https://vuldb.com/?actor.equationdrug)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.equationdrug](https://vuldb.com/?actor.equationdrug)
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of EquationDrug.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of EquationDrug.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 213.198.79.49 | - | High
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [213.198.79.49](https://vuldb.com/?ip.213.198.79.49) | - | - | High
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://www.threatminer.org/report.php?q=Inside_EquationDrug_Espionage_Platform.pdf&y=2015
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
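Review bot: the IOC table header gains a Campaign column, but this README has no Campaigns section at all and its single row shows `-`, so the column is empty by construction. If the generator emits it for schema consistency across actors, say so in the IOC intro (for example `Campaign is shown where an address is attributed to a named campaign`); otherwise suppress the column when the actor has no campaigns, since a one-row table is easier to read without a column that can never be filled.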

actors/FF-Rat/README.md Normal file

@ -0,0 +1,65 @@
# FF-Rat - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [FF-Rat](https://vuldb.com/?actor.ff-rat). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.ff-rat](https://vuldb.com/?actor.ff-rat)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FF-Rat:
* [CN](https://vuldb.com/?country.cn)
* [US](https://vuldb.com/?country.us)
* [GB](https://vuldb.com/?country.gb)
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of FF-Rat.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [59.188.16.147](https://vuldb.com/?ip.59.188.16.147) | - | - | High
2 | [68.68.43.149](https://vuldb.com/?ip.68.68.43.149) | 149.43.68.68.client.static.strong11.as22781.net | - | High
3 | [103.27.108.121](https://vuldb.com/?ip.103.27.108.121) | - | - | High
4 | ... | ... | ... | ...
There are 1 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _FF-Rat_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by FF-Rat. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `admin/review.php` | High
2 | File | `cgi-bin/webfile_mgr.cgi` | High
3 | File | `img.pl` | Low
4 | ... | ... | ...
There are 10 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://blogs.blackberry.com/en/2017/06/breaking-down-ff-rat-malware
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
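Review bot: the footer line `There are 1 more IOC items available` does not agree in number; the template should emit `There is 1 more IOC item available` when the remainder is one (the same construction appears in other READMEs of this commit, so fixing it in the generator covers all of them). Also, the TTP row for T1059.007 maps `Cross Site Scripting` to CWE-80 alone, while the Equation README in this same commit maps the identical technique and description to CWE-79 and the Emotet README to `CWE-79, CWE-80`; if the Weakness column is derived per actor from the vulnerabilities observed, a sentence saying so would explain the variation, otherwise the mapping should come from one shared table.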


@ -27,7 +27,7 @@ There are 2 more IOC items available. Please use our online service to access th
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _FIN12_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _FIN12_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------


@ -1,6 +1,6 @@
# FIN6 - Cyber Threat Intelligence
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [FIN6](https://vuldb.com/?actor.fin6). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [FIN6](https://vuldb.com/?actor.fin6). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.fin6](https://vuldb.com/?actor.fin6)
@ -14,9 +14,9 @@ The following _campaigns_ are known and can be associated with FIN6:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FIN6:
* DE
* US
* RU
* [DE](https://vuldb.com/?country.de)
* [US](https://vuldb.com/?country.us)
* [RU](https://vuldb.com/?country.ru)
* ...
There are 12 more country items available. Please use our online service to access the data.
@ -27,18 +27,18 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 5.199.167.188 | - | MAZE | High
2 | 31.220.45.151 | - | - | High
3 | 37.1.213.9 | - | MAZE | High
4 | 37.1.221.212 | adspect.net | - | High
5 | 37.252.7.142 | - | MAZE | High
6 | 46.4.113.237 | static.237.113.4.46.clients.your-server.de | - | High
7 | 46.166.173.109 | - | - | High
8 | 54.39.233.188 | mail.ov120.slpmt.net | MAZE | High
9 | 62.210.136.65 | 62-210-136-65.rev.poneytelecom.eu | - | High
10 | 89.105.194.236 | - | - | High
11 | 91.208.184.174 | sell.mybeststore.club | MAZE | High
12 | 91.218.114.4 | - | MAZE | High
1 | [5.199.167.188](https://vuldb.com/?ip.5.199.167.188) | - | MAZE | High
2 | [31.220.45.151](https://vuldb.com/?ip.31.220.45.151) | - | - | High
3 | [37.1.213.9](https://vuldb.com/?ip.37.1.213.9) | - | MAZE | High
4 | [37.1.221.212](https://vuldb.com/?ip.37.1.221.212) | adspect.net | - | High
5 | [37.252.7.142](https://vuldb.com/?ip.37.252.7.142) | - | MAZE | High
6 | [46.4.113.237](https://vuldb.com/?ip.46.4.113.237) | static.237.113.4.46.clients.your-server.de | - | High
7 | [46.166.173.109](https://vuldb.com/?ip.46.166.173.109) | - | - | High
8 | [54.39.233.188](https://vuldb.com/?ip.54.39.233.188) | mail.ov120.slpmt.net | MAZE | High
9 | [62.210.136.65](https://vuldb.com/?ip.62.210.136.65) | 62-210-136-65.rev.poneytelecom.eu | - | High
10 | [89.105.194.236](https://vuldb.com/?ip.89.105.194.236) | - | - | High
11 | [91.208.184.174](https://vuldb.com/?ip.91.208.184.174) | sell.mybeststore.club | MAZE | High
12 | [91.218.114.4](https://vuldb.com/?ip.91.218.114.4) | - | MAZE | High
13 | ... | ... | ... | ...
There are 48 more IOC items available. Please use our online service to access the data.


@ -15,8 +15,8 @@ The following _campaigns_ are known and can be associated with FIN7:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FIN7:
* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [US](https://vuldb.com/?country.us)
* [DE](https://vuldb.com/?country.de)
* ...
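Review bot: this hunk only reorders the Countries list (US drops from first to second and CN moves up), and neither the list nor its intro line states the sort key, so a reader diffing the README cannot tell whether the ranking changed or the export order is simply unstable. Suggest naming the ordering in the intro (for example by number of associated indicators, descending) or sorting alphabetically so the list only changes when the set of countries changes.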
@ -77,7 +77,7 @@ There are 172 more IOC items available. Please use our online service to access
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _FIN7_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _FIN7_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -95,59 +95,59 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/+CSCOE+/logon.html` | High
2 | File | `/context/%2e/WEB-INF/web.xml` | High
3 | File | `/debug/pprof` | Medium
4 | File | `/ext/phar/phar_object.c` | High
5 | File | `/filemanager/php/connector.php` | High
6 | File | `/get_getnetworkconf.cgi` | High
7 | File | `/HNAP1` | Low
8 | File | `/modx/manager/index.php` | High
9 | File | `/monitoring` | Medium
10 | File | `/new` | Low
11 | File | `/proc/<pid>/status` | High
12 | File | `/public/plugins/` | High
13 | File | `/replication` | Medium
14 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
15 | File | `/secure/QueryComponent!Default.jspa` | High
16 | File | `/siteminderagent/pwcgi/smpwservicescgi.exe` | High
17 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
18 | File | `/tmp` | Low
19 | File | `/type.php` | Medium
20 | File | `/uncpath/` | Medium
21 | File | `/usr/bin/pkexec` | High
22 | File | `/wp-json/wc/v3/webhooks` | High
23 | File | `4.2.0.CP09` | Medium
24 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
25 | File | `802dot1xclientcert.cgi` | High
26 | File | `AccountManagerService.java` | High
27 | File | `actions/CompanyDetailsSave.php` | High
28 | File | `ActivityManagerService.java` | High
29 | File | `add.exe` | Low
30 | File | `admin.color.php` | High
31 | File | `admin.cropcanvas.php` | High
32 | File | `admin.joomlaradiov5.php` | High
33 | File | `admin.php` | Medium
34 | File | `admin.php?m=Food&a=addsave` | High
35 | File | `admin/add-glossary.php` | High
36 | File | `admin/conf_users_edit.php` | High
37 | File | `admin/edit-comments.php` | High
38 | File | `admin/index.php` | High
39 | File | `admin/src/containers/InputModalStepperProvider/index.js` | High
40 | File | `admin/write-post.php` | High
41 | File | `administrator/components/com_media/helpers/media.php` | High
42 | File | `admin_events.php` | High
43 | File | `AjaxApplication.java` | High
44 | File | `akocomments.php` | High
45 | File | `allopass-error.php` | High
46 | File | `AllowBindAppWidgetActivity.java` | High
47 | File | `android/webkit/SearchBoxImpl.java` | High
48 | File | `AndroidManifest.xml` | High
49 | File | `announcement.php` | High
2 | File | `/cloud_config/router_post/check_reg_verify_code` | High
3 | File | `/context/%2e/WEB-INF/web.xml` | High
4 | File | `/debug/pprof` | Medium
5 | File | `/ext/phar/phar_object.c` | High
6 | File | `/filemanager/php/connector.php` | High
7 | File | `/get_getnetworkconf.cgi` | High
8 | File | `/HNAP1` | Low
9 | File | `/modx/manager/index.php` | High
10 | File | `/monitoring` | Medium
11 | File | `/new` | Low
12 | File | `/proc/<pid>/status` | High
13 | File | `/public/plugins/` | High
14 | File | `/replication` | Medium
15 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
16 | File | `/secure/QueryComponent!Default.jspa` | High
17 | File | `/siteminderagent/pwcgi/smpwservicescgi.exe` | High
18 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
19 | File | `/tmp` | Low
20 | File | `/type.php` | Medium
21 | File | `/uncpath/` | Medium
22 | File | `/usr/bin/pkexec` | High
23 | File | `/wp-json/wc/v3/webhooks` | High
24 | File | `4.2.0.CP09` | Medium
25 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
26 | File | `802dot1xclientcert.cgi` | High
27 | File | `AccountManagerService.java` | High
28 | File | `actions/CompanyDetailsSave.php` | High
29 | File | `ActivityManagerService.java` | High
30 | File | `add.exe` | Low
31 | File | `admin.color.php` | High
32 | File | `admin.cropcanvas.php` | High
33 | File | `admin.joomlaradiov5.php` | High
34 | File | `admin.php` | Medium
35 | File | `admin.php?m=Food&a=addsave` | High
36 | File | `admin/add-glossary.php` | High
37 | File | `admin/conf_users_edit.php` | High
38 | File | `admin/edit-comments.php` | High
39 | File | `admin/index.php` | High
40 | File | `admin/src/containers/InputModalStepperProvider/index.js` | High
41 | File | `admin/write-post.php` | High
42 | File | `administrator/components/com_media/helpers/media.php` | High
43 | File | `admin_events.php` | High
44 | File | `AjaxApplication.java` | High
45 | File | `akocomments.php` | High
46 | File | `allopass-error.php` | High
47 | File | `AllowBindAppWidgetActivity.java` | High
48 | File | `android/webkit/SearchBoxImpl.java` | High
49 | File | `AndroidManifest.xml` | High
50 | File | `api/settings/values` | High
51 | File | `app/topic/action/admin/topic.php` | High
52 | ... | ... | ...
There are 451 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 449 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
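Review bot: inserting the single new indicator `/cloud_config/router_post/check_reg_verify_code` as row 2 renumbers every following row (old 2-49 become 3-50), so the diff touches fifty lines for a one-line data change and the ID column cannot serve as a stable reference across revisions. Suggest dropping the ID column or keying rows on the indicator itself. Note also that the footer count moves from 451 to 449 while the visible window grows, so whatever left the hidden remainder cannot be checked from this diff; a line in the commit message would help.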


@ -1,6 +1,6 @@
# FakeAlert - Cyber Threat Intelligence
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [FakeAlert](https://vuldb.com/?actor.fakealert). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [FakeAlert](https://vuldb.com/?actor.fakealert). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.fakealert](https://vuldb.com/?actor.fakealert)
@ -8,9 +8,9 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FakeAlert:
* US
* PT
* RU
* [US](https://vuldb.com/?country.us)
* [PT](https://vuldb.com/?country.pt)
* [RU](https://vuldb.com/?country.ru)
* ...
There are 4 more country items available. Please use our online service to access the data.
@ -21,9 +21,9 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 3.8.23.195 | ec2-3-8-23-195.eu-west-2.compute.amazonaws.com | - | Medium
2 | 3.8.191.167 | ec2-3-8-191-167.eu-west-2.compute.amazonaws.com | - | Medium
3 | 18.130.240.77 | ec2-18-130-240-77.eu-west-2.compute.amazonaws.com | - | Medium
1 | [3.8.23.195](https://vuldb.com/?ip.3.8.23.195) | ec2-3-8-23-195.eu-west-2.compute.amazonaws.com | - | Medium
2 | [3.8.191.167](https://vuldb.com/?ip.3.8.191.167) | ec2-3-8-191-167.eu-west-2.compute.amazonaws.com | - | Medium
3 | [18.130.240.77](https://vuldb.com/?ip.18.130.240.77) | ec2-18-130-240-77.eu-west-2.compute.amazonaws.com | - | Medium
4 | ... | ... | ... | ...
There are 10 more IOC items available. Please use our online service to access the data.
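Review bot: the three rows linked in this hunk are all `ec2-*.eu-west-2.compute.amazonaws.com` hosts scored Medium; EC2 public addresses are reassigned when an instance is stopped, so the new `?ip.` links are the natural place to carry first-seen and last-seen dates, and the file should tell readers to expire these entries rather than block them indefinitely. Leaving the hostnames unlinked is consistent with the other files in the commit.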


@ -22,7 +22,7 @@ ID | IP address | Hostname | Campaign | Confidence
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _FamousSparrow_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _FamousSparrow_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------


@ -1,19 +1,25 @@
# Formbook - Cyber Threat Intelligence
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Formbook](https://vuldb.com/?actor.formbook). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Formbook](https://vuldb.com/?actor.formbook). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.formbook](https://vuldb.com/?actor.formbook)
## Campaigns
The following _campaigns_ are known and can be associated with Formbook:
* Ukraine
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Formbook:
* US
* CN
* FR
* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [FR](https://vuldb.com/?country.fr)
* ...
There are 8 more country items available. Please use our online service to access the data.
There are 9 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -21,34 +27,35 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 3.143.65.214 | ec2-3-143-65-214.us-east-2.compute.amazonaws.com | - | Medium
2 | 3.223.115.185 | ec2-3-223-115-185.compute-1.amazonaws.com | - | Medium
3 | 5.134.13.72 | i51.gds.guru.net.uk | - | High
4 | 13.59.53.244 | ec2-13-59-53-244.us-east-2.compute.amazonaws.com | - | Medium
5 | 13.107.42.12 | 1drv.ms | - | High
6 | 13.248.216.40 | afdda383cf24ec8c3.awsglobalaccelerator.com | - | High
7 | 20.36.253.92 | - | - | High
8 | 23.6.69.99 | a23-6-69-99.deploy.static.akamaitechnologies.com | - | High
9 | 23.227.38.74 | - | - | High
10 | 34.98.99.30 | 30.99.98.34.bc.googleusercontent.com | - | Medium
11 | 34.102.136.180 | 180.136.102.34.bc.googleusercontent.com | - | Medium
12 | 34.214.40.214 | ec2-34-214-40-214.us-west-2.compute.amazonaws.com | - | Medium
13 | 34.216.47.14 | ec2-34-216-47-14.us-west-2.compute.amazonaws.com | - | Medium
14 | 34.242.63.192 | ec2-34-242-63-192.eu-west-1.compute.amazonaws.com | - | Medium
15 | 34.243.160.251 | ec2-34-243-160-251.eu-west-1.compute.amazonaws.com | - | Medium
16 | 34.255.61.59 | ec2-34-255-61-59.eu-west-1.compute.amazonaws.com | - | Medium
17 | 35.178.125.63 | ec2-35-178-125-63.eu-west-2.compute.amazonaws.com | - | Medium
18 | 40.77.18.167 | - | - | High
19 | 40.126.26.134 | - | - | High
20 | 44.227.65.245 | ec2-44-227-65-245.us-west-2.compute.amazonaws.com | - | Medium
21 | 44.230.27.49 | ec2-44-230-27-49.us-west-2.compute.amazonaws.com | - | Medium
22 | ... | ... | ... | ...
1 | [3.143.65.214](https://vuldb.com/?ip.3.143.65.214) | ec2-3-143-65-214.us-east-2.compute.amazonaws.com | - | Medium
2 | [3.223.115.185](https://vuldb.com/?ip.3.223.115.185) | ec2-3-223-115-185.compute-1.amazonaws.com | - | Medium
3 | [5.134.13.72](https://vuldb.com/?ip.5.134.13.72) | i51.gds.guru.net.uk | - | High
4 | [13.59.53.244](https://vuldb.com/?ip.13.59.53.244) | ec2-13-59-53-244.us-east-2.compute.amazonaws.com | - | Medium
5 | [13.107.42.12](https://vuldb.com/?ip.13.107.42.12) | 1drv.ms | - | High
6 | [13.248.216.40](https://vuldb.com/?ip.13.248.216.40) | afdda383cf24ec8c3.awsglobalaccelerator.com | - | High
7 | [20.36.253.92](https://vuldb.com/?ip.20.36.253.92) | - | - | High
8 | [23.6.69.99](https://vuldb.com/?ip.23.6.69.99) | a23-6-69-99.deploy.static.akamaitechnologies.com | - | High
9 | [23.227.38.74](https://vuldb.com/?ip.23.227.38.74) | - | - | High
10 | [34.98.99.30](https://vuldb.com/?ip.34.98.99.30) | 30.99.98.34.bc.googleusercontent.com | - | Medium
11 | [34.102.136.180](https://vuldb.com/?ip.34.102.136.180) | 180.136.102.34.bc.googleusercontent.com | - | Medium
12 | [34.214.40.214](https://vuldb.com/?ip.34.214.40.214) | ec2-34-214-40-214.us-west-2.compute.amazonaws.com | - | Medium
13 | [34.216.47.14](https://vuldb.com/?ip.34.216.47.14) | ec2-34-216-47-14.us-west-2.compute.amazonaws.com | - | Medium
14 | [34.242.63.192](https://vuldb.com/?ip.34.242.63.192) | ec2-34-242-63-192.eu-west-1.compute.amazonaws.com | - | Medium
15 | [34.243.160.251](https://vuldb.com/?ip.34.243.160.251) | ec2-34-243-160-251.eu-west-1.compute.amazonaws.com | - | Medium
16 | [34.255.61.59](https://vuldb.com/?ip.34.255.61.59) | ec2-34-255-61-59.eu-west-1.compute.amazonaws.com | - | Medium
17 | [35.178.125.63](https://vuldb.com/?ip.35.178.125.63) | ec2-35-178-125-63.eu-west-2.compute.amazonaws.com | - | Medium
18 | [40.77.18.167](https://vuldb.com/?ip.40.77.18.167) | - | - | High
19 | [40.126.26.134](https://vuldb.com/?ip.40.126.26.134) | - | - | High
20 | [44.227.65.245](https://vuldb.com/?ip.44.227.65.245) | ec2-44-227-65-245.us-west-2.compute.amazonaws.com | - | Medium
21 | [44.230.27.49](https://vuldb.com/?ip.44.230.27.49) | ec2-44-230-27-49.us-west-2.compute.amazonaws.com | - | Medium
22 | [45.135.229.212](https://vuldb.com/?ip.45.135.229.212) | iad.scarletshark.net | - | High
23 | ... | ... | ... | ...
There are 86 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Formbook. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Formbook_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
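Review bot: row 22 (`45.135.229.212`, `iad.scarletshark.net`, High) is new in this hunk, yet the unchanged trailer still reports 86 more IOC items; with one row added above the fold the total should have moved unless an entry below it was dropped at the same time. Confirm the count, since that trailer is the only figure a reader has for the size of the set.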
@ -57,7 +64,7 @@ ID | Technique | Weakness | Description | Confidence
3 | T1211 | CWE-254 | 7PK Security Features | High
4 | ... | ... | ... | ...
There are 4 more TTP items available. Please use our online service to access the data.
There are 3 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -85,6 +92,7 @@ There are 104 more IOA items available (file, library, argument, input value, pa
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://blog.malwarebytes.com/threat-intelligence/2022/03/formbook-spam-campaign-targets-citizens-of-ukraine%ef%b8%8f/
* https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html
* https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html
* https://blog.talosintelligence.com/2021/07/threat-roundup-0723-0730.html
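Review bot: the new reference URL in this hunk ends in `%ef%b8%8f`, the percent-encoded UTF-8 of U+FE0F (an emoji variation selector) carried over from the article's title slug; check that the link resolves with that suffix and strip it if the site serves the same page without it, because an invisible trailing character in a slug is exactly what breaks when the list is copied into other tooling.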


@ -1,26 +1,26 @@
# Foudre - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Foudre](https://vuldb.com/?actor.foudre). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Foudre](https://vuldb.com/?actor.foudre). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.foudre](https://vuldb.com/?actor.foudre)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.foudre](https://vuldb.com/?actor.foudre)
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Foudre.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Foudre.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 185.61.154.26 | premium46-3.web-hosting.com | High
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [185.61.154.26](https://vuldb.com/?ip.185.61.154.26) | premium46-3.web-hosting.com | - | High
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://www.threatminer.org/report.php?q=PrinceofPersia_TheSandsofFoudre-Intezer.pdf&y=2018
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)


@ -30,7 +30,7 @@ There are 7 more IOC items available. Please use our online service to access th
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _GRU_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _GRU_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -59,7 +59,7 @@ ID | Type | Indicator | Confidence
10 | File | `admin/create-package.php` | High
11 | ... | ... | ...
There are 84 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 88 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References


@ -1,6 +1,6 @@
# Gafgyt - Cyber Threat Intelligence
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Gafgyt](https://vuldb.com/?actor.gafgyt). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Gafgyt](https://vuldb.com/?actor.gafgyt). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.gafgyt](https://vuldb.com/?actor.gafgyt)
@ -10,17 +10,18 @@ The following _campaigns_ are known and can be associated with Gafgyt:
* CVE-2014-8361 / CVE-2017-17215 / CVE-2017-18368
* CVE-2017-5638 / CVE-2018-9866
* DDoS Ukraine
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Gafgyt:
* [SC](https://vuldb.com/?country.sc)
* [LI](https://vuldb.com/?country.li)
* [US](https://vuldb.com/?country.us)
* [LI](https://vuldb.com/?country.li)
* ...
There are 2 more country items available. Please use our online service to access the data.
There are 3 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
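Review bot: this hunk moves `LI` from second to third place behind `US` and raises the trailer from 2 to 3 more country items; the move reads as a rank change rather than a data correction, so the commit message should state that these lists are ordered by relevance, otherwise a reader diffing two versions cannot distinguish a reorder from a removal and re-addition.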
@ -28,22 +29,25 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [185.10.68.127](https://vuldb.com/?ip.185.10.68.127) | 127.68.10.185.ro.ovo.sc | CVE-2017-5638 / CVE-2018-9866 | High
2 | [185.10.68.213](https://vuldb.com/?ip.185.10.68.213) | 213.68.10.185.ro.ovo.sc | CVE-2017-5638 / CVE-2018-9866 | High
3 | [185.172.110.224](https://vuldb.com/?ip.185.172.110.224) | - | CVE-2014-8361 / CVE-2017-17215 / CVE-2017-18368 | High
1 | [46.249.32.109](https://vuldb.com/?ip.46.249.32.109) | reverse.hostingbb.com | DDoS Ukraine | High
2 | [172.245.6.134](https://vuldb.com/?ip.172.245.6.134) | 172-245-6-134-host.colocrossing.com | - | High
3 | [185.10.68.127](https://vuldb.com/?ip.185.10.68.127) | 127.68.10.185.ro.ovo.sc | CVE-2017-5638 / CVE-2018-9866 | High
4 | ... | ... | ... | ...
There are 5 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Gafgyt. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Gafgyt_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1222 | CWE-275 | Permission Issues | High
4 | ... | ... | ... | ...
There are 5 more TTP items available. Please use our online service to access the data.
There are 4 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
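Review bot: in the IOC table of this hunk, `185.10.68.213` and `185.172.110.224` leave the visible top three while `46.249.32.109` (DDoS Ukraine) and `172.245.6.134` enter it, but the trailer stays at 5 more IOC items; if the two displaced rows were only pushed below the fold the trailer should read 7, so either they were removed or the count was not regenerated. The TTP table shows the same inconsistency in the other direction: row 1 gains `CWE-80` and the trailer drops from 5 to 4 more TTP items with no visible row removed.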
@ -53,18 +57,23 @@ ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/admin/sysmon.php` | High
2 | File | `/api/content/posts/comments` | High
3 | File | `/Home/GetAttachment` | High
4 | File | `/modules/projects/vw_files.php` | High
5 | File | `admin/limits.php` | High
6 | File | `AjaxFileUploadHandler.axd` | High
7 | ... | ... | ...
3 | File | `/cimom` | Low
4 | File | `/Home/GetAttachment` | High
5 | File | `/LogoStore/search.php` | High
6 | File | `/modules/projects/vw_files.php` | High
7 | File | `admin/limits.php` | High
8 | File | `AjaxFileUploadHandler.axd` | High
9 | File | `CarelDataServer.exe` | High
10 | ... | ... | ...
There are 49 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 77 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/
* https://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/
* https://unit42.paloaltonetworks.com/home-small-office-wireless-routers-exploited-to-attack-gaming-servers/
* https://unit42.paloaltonetworks.com/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/
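Review bot: the two `blog.netlab.360.com` references added in this hunk appear to be the same article in two languages (the second URL is the pinyin slug of the Chinese original on the recent DDoS attacks against Ukraine and Russia); keep both if the intent is to cite the original, but mark the language, or keep one so the list does not look double-cited. The IOA rows added here (`/cimom`, `/LogoStore/search.php`, `CarelDataServer.exe`) are generic filenames and `/cimom` is rightly scored Low; the trailer jumping from 49 to 77 means most of the new material sits below the fold.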


@ -77,7 +77,7 @@ There are 198 more IOC items available. Please use our online service to access
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Gamaredon_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Gamaredon_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------


@ -36,7 +36,7 @@ There are 35 more IOC items available. Please use our online service to access t
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Gamarue. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Gamarue_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -45,7 +45,7 @@ ID | Technique | Weakness | Description | Confidence
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
There are 8 more TTP items available. Please use our online service to access the data.
There are 7 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack


@ -51,7 +51,7 @@ There are 97 more IOC items available. Please use our online service to access t
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Gh0stRAT_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Gh0stRAT_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -80,33 +80,32 @@ ID | Type | Indicator | Confidence
10 | File | `/dashboards/#` | High
11 | File | `/data/remove` | Medium
12 | File | `/etc/controller-agent/agent.conf` | High
13 | File | `/etc/postfix/sender_login` | High
14 | File | `/etc/sudoers` | Medium
15 | File | `/etc/tomcat8/Catalina/attack` | High
16 | File | `/filemanager/php/connector.php` | High
17 | File | `/forum/away.php` | High
18 | File | `/fudforum/adm/hlplist.php` | High
19 | File | `/GponForm/fsetup_Form` | High
20 | File | `/log_download.cgi` | High
21 | File | `/modules/profile/index.php` | High
22 | File | `/MTFWU` | Low
23 | File | `/navigate/navigate_download.php` | High
24 | File | `/out.php` | Medium
25 | File | `/password.html` | High
26 | File | `/property-list/property_view.php` | High
27 | File | `/public/plugins/` | High
28 | File | `/rest/api/2/search` | High
29 | File | `/s/` | Low
30 | File | `/scripts/cpan_config` | High
31 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
32 | File | `/secure/QueryComponent!Default.jspa` | High
33 | File | `/server-info` | Medium
34 | File | `/tmp` | Low
35 | File | `/tmp/app/.env` | High
36 | File | `/tmp/kamailio_ctl` | High
37 | ... | ... | ...
13 | File | `/etc/sudoers` | Medium
14 | File | `/etc/tomcat8/Catalina/attack` | High
15 | File | `/filemanager/php/connector.php` | High
16 | File | `/forum/away.php` | High
17 | File | `/fudforum/adm/hlplist.php` | High
18 | File | `/GponForm/fsetup_Form` | High
19 | File | `/log_download.cgi` | High
20 | File | `/modules/profile/index.php` | High
21 | File | `/MTFWU` | Low
22 | File | `/navigate/navigate_download.php` | High
23 | File | `/out.php` | Medium
24 | File | `/password.html` | High
25 | File | `/property-list/property_view.php` | High
26 | File | `/public/plugins/` | High
27 | File | `/rest/api/2/search` | High
28 | File | `/s/` | Low
29 | File | `/scripts/cpan_config` | High
30 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
31 | File | `/secure/QueryComponent!Default.jspa` | High
32 | File | `/server-info` | Medium
33 | File | `/tmp` | Low
34 | File | `/tmp/app/.env` | High
35 | File | `/tmp/kamailio_ctl` | High
36 | ... | ... | ...
There are 317 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 307 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
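Review bot: this hunk removes a single visible row (`/etc/postfix/sender_login`) and renumbers the rest, but the trailer falls from 317 to 307 more IOA items, so nine further removals happened below the fold; a drop of that size in an indicator list deserves a line in the commit message saying whether entries were retracted or merely re-scored, because downstream consumers treat a removed indicator as a retraction.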


@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [RO](https://vuldb.com/?country.ro)
* ...
There are 26 more country items available. Please use our online service to access the data.
There are 25 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -32,7 +32,7 @@ There are 22 more IOC items available. Please use our online service to access t
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _GreyEnergy_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _GreyEnergy_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -56,14 +56,14 @@ ID | Type | Indicator | Confidence
5 | File | `/cgi-bin` | Medium
6 | File | `/cgi-bin/kerbynet` | High
7 | File | `/context/%2e/WEB-INF/web.xml` | High
8 | File | `/dcim/sites/add/` | High
9 | File | `/fudforum/adm/hlplist.php` | High
10 | File | `/login` | Low
11 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
12 | File | `/monitoring` | Medium
13 | File | `/new` | Low
14 | File | `/proc/<pid>/status` | High
15 | File | `/public/plugins/` | High
8 | File | `/fudforum/adm/hlplist.php` | High
9 | File | `/login` | Low
10 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
11 | File | `/monitoring` | Medium
12 | File | `/new` | Low
13 | File | `/proc/<pid>/status` | High
14 | File | `/public/plugins/` | High
15 | File | `/REBOOTSYSTEM` | High
16 | File | `/rom` | Low
17 | File | `/scripts/killpvhost` | High
18 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
@ -74,15 +74,15 @@ ID | Type | Indicator | Confidence
23 | File | `/uncpath/` | Medium
24 | File | `/wp-admin` | Medium
25 | File | `/wp-json/wc/v3/webhooks` | High
26 | File | `AccountManagerService.java` | High
27 | File | `actions/CompanyDetailsSave.php` | High
28 | File | `ActiveServices.java` | High
29 | File | `ActivityManagerService.java` | High
30 | File | `admin.php` | Medium
31 | File | `admin/?n=user&c=admin_user&a=doGetUserInfo` | High
32 | File | `admin/add-glossary.php` | High
33 | File | `admin/conf_users_edit.php` | High
34 | File | `admin/dashboard.php` | High
26 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
27 | File | `AccountManagerService.java` | High
28 | File | `actions/CompanyDetailsSave.php` | High
29 | File | `ActiveServices.java` | High
30 | File | `ActivityManagerService.java` | High
31 | File | `admin.php` | Medium
32 | File | `admin/?n=user&c=admin_user&a=doGetUserInfo` | High
33 | File | `admin/add-glossary.php` | High
34 | File | `admin/conf_users_edit.php` | High
35 | File | `admin/edit-comments.php` | High
36 | ... | ... | ...
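Review bot: the new row 26 `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` shifts the list by one, and as a result `admin/dashboard.php` (old row 34) vanishes from the visible window although the next context row is still `admin/edit-comments.php`; since `admin/dashboard.php` sorts before that entry it was removed rather than displaced, and the removal should be called out. The new row itself joins four script names with `/`; if these are four files from one advisory they belong in four rows, because a consumer matching on request paths cannot use the joined string.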


@ -151,7 +151,7 @@ There are 496 more IOC items available. Please use our online service to access
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Grizzly Steppe_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Grizzly Steppe_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -160,7 +160,7 @@ ID | Technique | Weakness | Description | Confidence
3 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
4 | ... | ... | ... | ...
There are 7 more TTP items available. Please use our online service to access the data.
There are 8 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -179,13 +179,13 @@ ID | Type | Indicator | Confidence
9 | File | `/dev/dri/card1` | High
10 | File | `/domain/service/.ewell-known/caldav` | High
11 | File | `/download` | Medium
12 | File | `/formWlanSetup` | High
13 | File | `/goform/setIPv6Status` | High
14 | File | `/images` | Low
15 | File | `/include/chart_generator.php` | High
16 | File | `/InternalPages/ExecuteTask.aspx` | High
17 | File | `/modules/profile/index.php` | High
18 | File | `/monitoring` | Medium
12 | File | `/file?action=download&file` | High
13 | File | `/formWlanSetup` | High
14 | File | `/goform/setIPv6Status` | High
15 | File | `/images` | Low
16 | File | `/include/chart_generator.php` | High
17 | File | `/InternalPages/ExecuteTask.aspx` | High
18 | File | `/modules/profile/index.php` | High
19 | File | `/music/ajax.php` | High
20 | File | `/pandora_console/ajax.php` | High
21 | File | `/plugins/servlet/audit/resource` | High
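Review bot: the new row 12 `/file?action=download&file` reads as truncated, since the query string ends in a parameter name with no value; confirm the indicator was stored in full, or keep only the path component `/file` as the indicator, because a consumer matching on request paths will not see the dangling `&file` as written.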
@ -198,10 +198,9 @@ ID | Type | Indicator | Confidence
28 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
29 | File | `/secure/QueryComponent!Default.jspa` | High
30 | File | `/tmp` | Low
31 | File | `/uncpath/` | Medium
32 | ... | ... | ...
31 | ... | ... | ...
There are 272 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 267 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References


@ -1,6 +1,6 @@
# Guccifer 2.0 - Cyber Threat Intelligence
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Guccifer 2.0](https://vuldb.com/?actor.guccifer_2.0). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Guccifer 2.0](https://vuldb.com/?actor.guccifer_2.0). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.guccifer_2.0](https://vuldb.com/?actor.guccifer_2.0)
@ -8,9 +8,9 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Guccifer 2.0:
* US
* FR
* RU
* [US](https://vuldb.com/?country.us)
* [FR](https://vuldb.com/?country.fr)
* [RU](https://vuldb.com/?country.ru)
## IOC - Indicator of Compromise
@ -18,9 +18,9 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 95.130.9.198 | - | - | High
2 | 95.130.15.34 | - | - | High
3 | 95.130.15.36 | - | - | High
1 | [95.130.9.198](https://vuldb.com/?ip.95.130.9.198) | - | - | High
2 | [95.130.15.34](https://vuldb.com/?ip.95.130.15.34) | - | - | High
3 | [95.130.15.36](https://vuldb.com/?ip.95.130.15.36) | - | - | High
4 | ... | ... | ... | ...
There are 4 more IOC items available. Please use our online service to access the data.


@ -16,7 +16,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [ES](https://vuldb.com/?country.es)
* [SV](https://vuldb.com/?country.sv)
* [DE](https://vuldb.com/?country.de)
* [PL](https://vuldb.com/?country.pl)
* ...
There are 4 more country items available. Please use our online service to access the data.
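Review bot: `PL` is added to the visible country list in this hunk while the trailer still says 4 more country items; either the total did not change because an entry below the fold was dropped, or the trailer was not regenerated. Confirm which, so the count stays meaningful.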
@ -36,13 +36,13 @@ There are 7 more IOC items available. Please use our online service to access th
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Inception_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Inception_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-250, CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
There are 8 more TTP items available. Please use our online service to access the data.
@ -53,31 +53,31 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/admin/page_edit/3` | High
2 | File | `/api/notify.php` | High
3 | File | `/domain/service/.ewell-known/caldav` | High
4 | File | `/formAdvFirewall` | High
5 | File | `/mobile/SelectUsers.jsp` | High
6 | File | `/ProteinArraySignificanceTest.json` | High
7 | File | `/usr/local/bin/mjs` | High
8 | File | `/web` | Low
9 | File | `admin/bad.php` | High
10 | File | `admin/dl_sendmail.php` | High
11 | File | `admin/pages/useredit.php` | High
12 | File | `AdminBaseController.class.php` | High
13 | File | `AlertReceiver.java` | High
14 | File | `alfresco/s/admin/admin-nodebrowser` | High
15 | File | `AndroidFuture.java` | High
16 | File | `AndroidManifest.xml` | High
17 | File | `api/info.php` | Medium
18 | File | `attach.c` | Medium
19 | File | `box_code_apple.c` | High
20 | File | `bug_actiongroup.php` | High
21 | File | `bug_report_page.php` | High
22 | File | `cavsdec.c` | Medium
1 | File | `/admin/news/news_mod.php` | High
2 | File | `/admin/page_edit/3` | High
3 | File | `/api/notify.php` | High
4 | File | `/domain/service/.ewell-known/caldav` | High
5 | File | `/formAdvFirewall` | High
6 | File | `/mobile/SelectUsers.jsp` | High
7 | File | `/ProteinArraySignificanceTest.json` | High
8 | File | `/system/bin/osi_bin` | High
9 | File | `/usr/local/bin/mjs` | High
10 | File | `/web` | Low
11 | File | `admin/bad.php` | High
12 | File | `admin/dl_sendmail.php` | High
13 | File | `admin/pages/useredit.php` | High
14 | File | `AdminBaseController.class.php` | High
15 | File | `AlertReceiver.java` | High
16 | File | `alfresco/s/admin/admin-nodebrowser` | High
17 | File | `AndroidFuture.java` | High
18 | File | `AndroidManifest.xml` | High
19 | File | `api/info.php` | Medium
20 | File | `attach.c` | Medium
21 | File | `box_code_apple.c` | High
22 | File | `bug_actiongroup.php` | High
23 | ... | ... | ...
There are 192 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 194 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
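Review bot: the positional ID column forces this hunk to rewrite all 22 visible rows in order to insert two entries (`/admin/news/news_mod.php` and `/system/bin/osi_bin`), and it pushes `bug_report_page.php` and `cavsdec.c` past the cutoff into the "more" count (192 to 194, which does add up: two new items, two displaced). Consider dropping the ID column or making IDs stable so a diff shows only the indicators that actually changed.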

View File

@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [US](https://vuldb.com/?country.us)
* ...
There are 2 more country items available. Please use our online service to access the data.
There are 3 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -283,16 +283,16 @@ There are 1024 more IOC items available. Please use our online service to access
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Indexsinas_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Indexsinas_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-307 | Improper Restriction of Excessive Authentication Attempts | High
1 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
2 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
3 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
4 | ... | ... | ... | ...
There are 6 more TTP items available. Please use our online service to access the data.
There are 8 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
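Review bot: the new row 1 pairs T1040 with CWE-294 "Authentication Bypass by Capture-replay". T1040 is Network Sniffing in ATT&CK; capture-replay is a consequence of sniffed credentials, not the technique, so the Description column here is a CWE title rather than a description of the technique. The count also moves from 6 to 8 while only one new row is visible, which is consistent only if a second technique was added below the cutoff; worth confirming.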
@ -300,16 +300,17 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/config/getuser` | High
2 | File | `/etc/passwd` | Medium
3 | File | `/mdiy/dict/listExcludeApp` | High
4 | File | `/public/login.htm` | High
5 | File | `/web/MCmsAction.java` | High
6 | File | `admin.php` | Medium
7 | File | `admin/cgi-bin/listdir.pl` | High
8 | ... | ... | ...
1 | File | `/.htaccess` | Medium
2 | File | `/admin/link/link_ok.php` | High
3 | File | `/admin/upload/upload` | High
4 | File | `/api/appInternals/1.0/agent/configuration` | High
5 | File | `/api/appInternals/1.0/agent/da/pcf` | High
6 | File | `/api/appInternals/1.0/agent/diagnostic/logs` | High
7 | File | `/api/appInternals/1.0/plugin/pmx` | High
8 | File | `/api/eventinstance` | High
9 | ... | ... | ...
There are 59 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 61 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
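Review bot: the visible preview grows from 7 to 8 rows in this hunk, while other files in this commit show 10, 12 or 22 rows before the "..." row, and no rule for the cutoff is stated, so a reader cannot check the "more" count (59 to 61 here) against the table. State the preview size in the intro line or keep it constant across files.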

View File

@ -1,6 +1,6 @@
# InvisiMole - Cyber Threat Intelligence
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [InvisiMole](https://vuldb.com/?actor.invisimole). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [InvisiMole](https://vuldb.com/?actor.invisimole). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.invisimole](https://vuldb.com/?actor.invisimole)

View File

@ -1,6 +1,6 @@
# Ircbot - Cyber Threat Intelligence
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Ircbot](https://vuldb.com/?actor.ircbot). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Ircbot](https://vuldb.com/?actor.ircbot). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.ircbot](https://vuldb.com/?actor.ircbot)
@ -8,7 +8,7 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Ircbot:
* US
* [US](https://vuldb.com/?country.us)
## IOC - Indicator of Compromise
@ -16,9 +16,9 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 70.39.99.203 | ns2.4.cn | - | High
2 | 91.134.203.49 | - | - | High
3 | 95.173.180.252 | 2522nimdu.alanyareklam.com | - | High
1 | [70.39.99.203](https://vuldb.com/?ip.70.39.99.203) | ns2.4.cn | - | High
2 | [91.134.203.49](https://vuldb.com/?ip.91.134.203.49) | - | - | High
3 | [95.173.180.252](https://vuldb.com/?ip.95.173.180.252) | 2522nimdu.alanyareklam.com | - | High
4 | ... | ... | ... | ...
There are 1 more IOC items available. Please use our online service to access the data.

View File

@ -1,52 +1,52 @@
# Johnnie - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Johnnie](https://vuldb.com/?actor.johnnie). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Johnnie](https://vuldb.com/?actor.johnnie). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.johnnie](https://vuldb.com/?actor.johnnie)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.johnnie](https://vuldb.com/?actor.johnnie)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Johnnie:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Johnnie:
* US
* ES
* DE
* [US](https://vuldb.com/?country.us)
* [ES](https://vuldb.com/?country.es)
* [DE](https://vuldb.com/?country.de)
* ...
There are 5 more country items available. Please use our online service to access the data.
There are 6 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Johnnie.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Johnnie.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 20.36.253.92 | - | High
2 | 23.6.69.99 | a23-6-69-99.deploy.static.akamaitechnologies.com | High
3 | 23.105.131.235 | - | High
4 | 23.218.140.208 | a23-218-140-208.deploy.static.akamaitechnologies.com | High
5 | 34.107.221.82 | 82.221.107.34.bc.googleusercontent.com | Medium
6 | 34.215.65.187 | ec2-34-215-65-187.us-west-2.compute.amazonaws.com | Medium
7 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [20.36.253.92](https://vuldb.com/?ip.20.36.253.92) | - | - | High
2 | [23.6.69.99](https://vuldb.com/?ip.23.6.69.99) | a23-6-69-99.deploy.static.akamaitechnologies.com | - | High
3 | [23.105.131.235](https://vuldb.com/?ip.23.105.131.235) | - | - | High
4 | [23.218.140.208](https://vuldb.com/?ip.23.218.140.208) | a23-218-140-208.deploy.static.akamaitechnologies.com | - | High
5 | [34.107.221.82](https://vuldb.com/?ip.34.107.221.82) | 82.221.107.34.bc.googleusercontent.com | - | Medium
6 | [34.215.65.187](https://vuldb.com/?ip.34.215.65.187) | ec2-34-215-65-187.us-west-2.compute.amazonaws.com | - | Medium
7 | ... | ... | ... | ...
There are 25 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Johnnie. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Johnnie. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1211 | 7PK Security Features | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1211 | CWE-254, CWE-358 | 7PK Security Features | High
4 | ... | ... | ... | ...
There are 4 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Johnnie. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Johnnie. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
@ -66,18 +66,18 @@ ID | Type | Indicator | Confidence
14 | File | `bmp.c` | Low
15 | ... | ... | ...
There are 124 more IOA items available. Please use our online service to access the data.
There are 124 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://blog.talosintelligence.com/2021/03/threat-roundup-0226-0305.html
* https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
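Review bot: in the rewritten TTP table, row 3's Description "7PK Security Features" is the title of the CWE-254 category that now also appears in the Weakness column, not a description of T1211 (Exploitation for Defense Evasion), so the two columns duplicate each other for that row; a description that names the technique would be more useful. Separately, the country count moves from 5 to 6 while the three visible entries are unchanged, and the new Campaign column carries `-` in every visible IOC row; the `ressources` typo in the old IOC intro is correctly fixed in the replacement line.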

View File

@ -1,6 +1,6 @@
# Jupyter - Cyber Threat Intelligence
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Jupyter](https://vuldb.com/?actor.jupyter). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Jupyter](https://vuldb.com/?actor.jupyter). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.jupyter](https://vuldb.com/?actor.jupyter)
@ -8,12 +8,12 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Jupyter:
* US
* FR
* RU
* [US](https://vuldb.com/?country.us)
* [FR](https://vuldb.com/?country.fr)
* [GB](https://vuldb.com/?country.gb)
* ...
There are 11 more country items available. Please use our online service to access the data.
There are 12 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
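Review bot: the third visible country changes from RU to GB and the count from 11 to 12, but the hunk cannot show whether RU dropped out or was merely reordered below the cutoff. Since the list is truncated at three entries, the ordering criterion (by activity, by confidence, alphabetical) should be stated so a change like this is interpretable.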
@ -21,16 +21,16 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 23.29.115.175 | 23-29-115-175.static.hvvc.us | - | High
2 | 37.221.114.23 | - | - | High
3 | 69.46.15.151 | 69-46-15-151.static.hvvc.us | - | High
1 | [23.29.115.175](https://vuldb.com/?ip.23.29.115.175) | 23-29-115-175.static.hvvc.us | - | High
2 | [37.221.114.23](https://vuldb.com/?ip.37.221.114.23) | - | - | High
3 | [69.46.15.151](https://vuldb.com/?ip.69.46.15.151) | 69-46-15-151.static.hvvc.us | - | High
4 | ... | ... | ... | ...
There are 4 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Jupyter. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Jupyter_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -51,14 +51,15 @@ ID | Type | Indicator | Confidence
2 | File | `/include/chart_generator.php` | High
3 | File | `/login` | Low
4 | File | `/modules/profile/index.php` | High
5 | File | `/uncpath/` | Medium
6 | File | `/usr/bin/pkexec` | High
7 | File | `/wp-admin` | Medium
8 | File | `adclick.php` | Medium
9 | File | `admin-ajax.php` | High
10 | ... | ... | ...
5 | File | `/setup/finish` | High
6 | File | `/uncpath/` | Medium
7 | File | `/usr/bin/pkexec` | High
8 | File | `/wp-admin` | Medium
9 | File | `/wp-content/plugins/woocommerce/templates/emails/plain/` | High
10 | File | `adclick.php` | Medium
11 | ... | ... | ...
There are 79 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 84 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
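Review bot: row 9 `/wp-content/plugins/woocommerce/templates/emails/plain/` is a directory path (trailing slash) listed under Type `File`, as is `/wp-admin` in row 8; the count line advertises file, library, argument, input value, pattern and network port as types, so a directory or pattern type would describe these entries more accurately. The count moving from 79 to 84 with two visible additions and one row (`adclick.php` stays, `admin-ajax.php` is displaced past the cutoff) is consistent with six new entries in total.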

View File

@ -1,36 +1,35 @@
# KilllSomeOne - Cyber Threat Intelligence
# KillSomeOne - Cyber Threat Intelligence
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [KilllSomeOne](https://vuldb.com/?actor.killlsomeone). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [KillSomeOne](https://vuldb.com/?actor.killsomeone). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.killlsomeone](https://vuldb.com/?actor.killlsomeone)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.killsomeone](https://vuldb.com/?actor.killsomeone)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with KilllSomeOne:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with KillSomeOne:
* US
* [US](https://vuldb.com/?country.us)
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of KilllSomeOne.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of KillSomeOne.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 160.20.147.254 | - | - | High
1 | [160.20.147.254](https://vuldb.com/?ip.160.20.147.254) | - | - | High
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by KilllSomeOne. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _KillSomeOne_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
3 | T1499 | CWE-404 | Resource Consumption | High
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by KilllSomeOne. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by KillSomeOne. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
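Review bot: the rename from KilllSomeOne to KillSomeOne also changes the slug in every VulDB link in this file (`?actor.killlsomeone` to `?actor.killsomeone`); the hunk only covers this file's first 36 lines, so check that the file itself is renamed to match and that no other file in the repository still links to the old slug, otherwise those links break. Apart from the name, the TTP rows and the single IOC row (now linked) are unchanged.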

View File

@ -36,16 +36,16 @@ There are 6 more IOC items available. Please use our online service to access th
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Kimsuky_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Kimsuky_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
There are 4 more TTP items available. Please use our online service to access the data.
There are 5 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
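Review bot: row 3 keeps CWE-798 (Use of Hard-coded Credentials) as the only weakness for T1110.001 while the Description column is the title of CWE-307; the Inception file in this same commit adds CWE-307 to the equivalent row, so the two files now disagree for the same technique. The count moving from 4 to 5 with no visible row change is consistent with one technique added below the cutoff.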
@ -54,14 +54,20 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/.env` | Low
2 | File | `/cgi-bin/webproc` | High
3 | File | `/expert_wizard.php` | High
4 | File | `/mc` | Low
5 | File | `/tlogin.cgi` | Medium
6 | File | `/upload` | Low
7 | ... | ... | ...
2 | File | `/?/admin/snippet/add` | High
3 | File | `/bin/false` | Medium
4 | File | `/cgi-bin/webproc` | High
5 | File | `/expert_wizard.php` | High
6 | File | `/images/browserslide.jpg` | High
7 | File | `/includes/lib/get.php` | High
8 | File | `/main?cmd=invalid_browser` | High
9 | File | `/manager?action=getlogcat` | High
10 | File | `/mc` | Low
11 | File | `/rest/jpo/1.0/hierarchyConfiguration` | High
12 | File | `/SASWebReportStudio/logonAndRender.do` | High
13 | ... | ... | ...
There are 51 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 99 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
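Review bot: the count jumps from 51 to 99 (57 to 111 items including the preview) with nothing in the hunk explaining a near doubling; a change of that size merits a commit message or a source reference. Separately, `/bin/false` at Medium confidence (row 3) is a path present on every Unix system and, like `/mc` (already Low), will match benign activity; Low would be the safer rating, or the entry should be tied to the context in which it was observed.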

View File

@ -32,7 +32,7 @@ There are 20 more IOC items available. Please use our online service to access t
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Kuluoz. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Kuluoz_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------

View File

@ -24,7 +24,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [IN](https://vuldb.com/?country.in)
* ...
There are 3 more country items available. Please use our online service to access the data.
There are 1 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
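Review bot: the count drops from 3 to 1 while the visible list is unchanged, so two countries were removed below the cutoff with no trace in the diff; the generated sentence "There are 1 more country items available" also needs singular agreement ("There is 1 more country item available"), and the same template produces "There are 1 more IOC items" in the Ircbot file in this commit.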
@ -218,16 +218,16 @@ There are 722 more IOC items available. Please use our online service to access
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Lazarus_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Lazarus_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-307 | Improper Restriction of Excessive Authentication Attempts | High
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
There are 5 more TTP items available. Please use our online service to access the data.
There are 6 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
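Review bot: rows 1 and 2 lose CWE-80 and CWE-264 respectively while row 3 gains CWE-798, and the count rises from 5 to 6; the Weakness column therefore shrinks as the technique count grows, which suggests it is recomputed from a window of recently attributed vulnerabilities rather than accumulated. Document how the column is derived (and the window, if any) in the intro line, otherwise the removals read as data loss.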
@ -235,16 +235,18 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/etc/passwd` | Medium
2 | File | `/mdiy/dict/listExcludeApp` | High
3 | File | `/uncpath/` | Medium
4 | File | `/web/MCmsAction.java` | High
5 | File | `admin.php` | Medium
6 | File | `admin/cgi-bin/listdir.pl` | High
7 | File | `admin/cgi-bin/rulemgr.pl/getfile/` | High
8 | ... | ... | ...
1 | File | `/.htaccess` | Medium
2 | File | `/admin/link/link_ok.php` | High
3 | File | `/alerts/alertConfigField.php` | High
4 | File | `/alerts/alertLightbox.php` | High
5 | File | `/aqpg/users/login.php` | High
6 | File | `/cwms/admin/?page=articles/view_article/` | High
7 | File | `/cwms/classes/Master.php?f=save_contact` | High
8 | File | `/download/` | Medium
9 | File | `/i/:data/ipa.plist` | High
10 | ... | ... | ...
There are 58 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 71 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
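Review bot: rows 6, 7 and 9 (`/cwms/admin/?page=articles/view_article/`, `/cwms/classes/Master.php?f=save_contact`, `/i/:data/ipa.plist`) are a path plus query string and a route template with a `:data` placeholder, not file paths: a literal match against logs will miss the query values, and the placeholder will never occur verbatim. Either split them into a `File` entry plus an argument or pattern entry, which the type list already provides, or mark them as patterns.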

View File

@ -30,7 +30,7 @@ There are 6 more IOC items available. Please use our online service to access th
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _LightBasin_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _LightBasin_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------

View File

@ -28,7 +28,7 @@ ID | IP address | Hostname | Campaign | Confidence
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Lock360_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Lock360_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------

View File

@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [CN](https://vuldb.com/?country.cn)
* ...
There are 13 more country items available. Please use our online service to access the data.
There are 10 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -21,31 +21,36 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [15.197.142.173](https://vuldb.com/?ip.15.197.142.173) | a4ec4c6ea1c92e2e6.awsglobalaccelerator.com | - | High
2 | [23.21.173.155](https://vuldb.com/?ip.23.21.173.155) | ec2-23-21-173-155.compute-1.amazonaws.com | - | Medium
3 | [23.21.211.162](https://vuldb.com/?ip.23.21.211.162) | ec2-23-21-211-162.compute-1.amazonaws.com | - | Medium
4 | [23.95.132.48](https://vuldb.com/?ip.23.95.132.48) | 23-95-132-48-host.colocrossing.com | - | High
5 | [31.220.52.219](https://vuldb.com/?ip.31.220.52.219) | workshop.piguno.com | - | High
6 | [34.102.136.180](https://vuldb.com/?ip.34.102.136.180) | 180.136.102.34.bc.googleusercontent.com | - | Medium
7 | [35.247.234.230](https://vuldb.com/?ip.35.247.234.230) | 230.234.247.35.bc.googleusercontent.com | - | Medium
8 | [37.235.1.174](https://vuldb.com/?ip.37.235.1.174) | resolver1.freedns.zone.powered.by.virtexxa.com | - | High
9 | [37.235.1.177](https://vuldb.com/?ip.37.235.1.177) | resolver2.freedns.zone.powered.by.virtexxa.com | - | High
10 | [45.33.83.75](https://vuldb.com/?ip.45.33.83.75) | li1029-75.members.linode.com | - | High
11 | [45.147.229.85](https://vuldb.com/?ip.45.147.229.85) | - | - | High
12 | [50.16.216.118](https://vuldb.com/?ip.50.16.216.118) | ec2-50-16-216-118.compute-1.amazonaws.com | - | Medium
13 | [50.19.92.227](https://vuldb.com/?ip.50.19.92.227) | ec2-50-19-92-227.compute-1.amazonaws.com | - | Medium
14 | [52.60.87.163](https://vuldb.com/?ip.52.60.87.163) | ec2-52-60-87-163.ca-central-1.compute.amazonaws.com | - | Medium
15 | [54.225.78.40](https://vuldb.com/?ip.54.225.78.40) | ec2-54-225-78-40.compute-1.amazonaws.com | - | Medium
16 | [54.225.165.85](https://vuldb.com/?ip.54.225.165.85) | ec2-54-225-165-85.compute-1.amazonaws.com | - | Medium
17 | [54.225.245.108](https://vuldb.com/?ip.54.225.245.108) | ec2-54-225-245-108.compute-1.amazonaws.com | - | Medium
18 | [54.235.88.121](https://vuldb.com/?ip.54.235.88.121) | ec2-54-235-88-121.compute-1.amazonaws.com | - | Medium
19 | ... | ... | ... | ...
1 | [2.57.186.170](https://vuldb.com/?ip.2.57.186.170) | - | - | High
2 | [13.107.21.200](https://vuldb.com/?ip.13.107.21.200) | - | - | High
3 | [15.197.142.173](https://vuldb.com/?ip.15.197.142.173) | a4ec4c6ea1c92e2e6.awsglobalaccelerator.com | - | High
4 | [20.189.173.20](https://vuldb.com/?ip.20.189.173.20) | - | - | High
5 | [23.21.173.155](https://vuldb.com/?ip.23.21.173.155) | ec2-23-21-173-155.compute-1.amazonaws.com | - | Medium
6 | [23.21.211.162](https://vuldb.com/?ip.23.21.211.162) | ec2-23-21-211-162.compute-1.amazonaws.com | - | Medium
7 | [23.95.132.48](https://vuldb.com/?ip.23.95.132.48) | 23-95-132-48-host.colocrossing.com | - | High
8 | [23.205.105.153](https://vuldb.com/?ip.23.205.105.153) | a23-205-105-153.deploy.static.akamaitechnologies.com | - | High
9 | [23.205.105.157](https://vuldb.com/?ip.23.205.105.157) | a23-205-105-157.deploy.static.akamaitechnologies.com | - | High
10 | [23.222.5.37](https://vuldb.com/?ip.23.222.5.37) | a23-222-5-37.deploy.static.akamaitechnologies.com | - | High
11 | [31.41.46.120](https://vuldb.com/?ip.31.41.46.120) | maldova873.example.com | - | High
12 | [31.220.52.219](https://vuldb.com/?ip.31.220.52.219) | workshop.piguno.com | - | High
13 | [34.102.136.180](https://vuldb.com/?ip.34.102.136.180) | 180.136.102.34.bc.googleusercontent.com | - | Medium
14 | [35.247.234.230](https://vuldb.com/?ip.35.247.234.230) | 230.234.247.35.bc.googleusercontent.com | - | Medium
15 | [37.235.1.174](https://vuldb.com/?ip.37.235.1.174) | resolver1.freedns.zone.powered.by.virtexxa.com | - | High
16 | [37.235.1.177](https://vuldb.com/?ip.37.235.1.177) | resolver2.freedns.zone.powered.by.virtexxa.com | - | High
17 | [45.33.83.75](https://vuldb.com/?ip.45.33.83.75) | li1029-75.members.linode.com | - | High
18 | [45.128.184.132](https://vuldb.com/?ip.45.128.184.132) | vds107519.mgn-host.ru | - | High
19 | [45.147.229.85](https://vuldb.com/?ip.45.147.229.85) | - | - | High
20 | [45.154.253.150](https://vuldb.com/?ip.45.154.253.150) | shared04.cust05.proxy.is | - | High
21 | [45.154.253.152](https://vuldb.com/?ip.45.154.253.152) | shared06.cust05.proxy.is | - | High
22 | [50.16.216.118](https://vuldb.com/?ip.50.16.216.118) | ec2-50-16-216-118.compute-1.amazonaws.com | - | Medium
23 | [50.19.92.227](https://vuldb.com/?ip.50.19.92.227) | ec2-50-19-92-227.compute-1.amazonaws.com | - | Medium
24 | ... | ... | ... | ...
There are 71 more IOC items available. Please use our online service to access the data.
There are 91 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _LokiBot_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _LokiBot_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
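Review bot: the new rows 8-10 (a23-205-105-153.deploy.static.akamaitechnologies.com and its two neighbours) are rated High, yet the EC2 and Google Cloud rows in the same table are Medium; Akamai edge addresses are shared by many customers, so as blocklist input they carry the same false-positive risk as the cloud rows and should be rated the same way or the difference explained. Row 11's hostname maldova873.example.com is under example.com, a reserved documentation domain, so that PTR record is either operator-supplied or a placeholder and deserves a check before the entry ships with High confidence.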
@ -67,37 +72,36 @@ ID | Type | Indicator | Confidence
3 | File | `/car.php` | Medium
4 | File | `/CMD_ACCOUNT_ADMIN` | High
5 | File | `/config/getuser` | High
6 | File | `/core/admin/categories.php` | High
7 | File | `/dashboards/#` | High
8 | File | `/etc/controller-agent/agent.conf` | High
9 | File | `/etc/postfix/sender_login` | High
10 | File | `/etc/sudoers` | Medium
11 | File | `/etc/tomcat8/Catalina/attack` | High
12 | File | `/filemanager/php/connector.php` | High
13 | File | `/forum/away.php` | High
14 | File | `/fudforum/adm/hlplist.php` | High
15 | File | `/GponForm/fsetup_Form` | High
16 | File | `/log_download.cgi` | High
17 | File | `/modules/profile/index.php` | High
18 | File | `/MTFWU` | Low
19 | File | `/out.php` | Medium
20 | File | `/public/plugins/` | High
21 | File | `/s/` | Low
22 | File | `/secure/QueryComponent!Default.jspa` | High
23 | File | `/server-info` | Medium
24 | File | `/tmp` | Low
25 | File | `/tmp/app/.env` | High
26 | File | `/tmp/kamailio_ctl` | High
27 | File | `/tmp/kamailio_fifo` | High
28 | File | `/uncpath/` | Medium
29 | File | `/updown/upload.cgi` | High
30 | File | `/usr/bin/pkexec` | High
31 | File | `/way4acs/enroll` | High
32 | File | `/WEB-INF/web.xml` | High
33 | File | `/wp-json/wc/v3/webhooks` | High
34 | ... | ... | ...
6 | File | `/context/%2e/WEB-INF/web.xml` | High
7 | File | `/core/admin/categories.php` | High
8 | File | `/dashboards/#` | High
9 | File | `/etc/controller-agent/agent.conf` | High
10 | File | `/etc/postfix/sender_login` | High
11 | File | `/etc/sudoers` | Medium
12 | File | `/etc/tomcat8/Catalina/attack` | High
13 | File | `/filemanager/php/connector.php` | High
14 | File | `/forum/away.php` | High
15 | File | `/fudforum/adm/hlplist.php` | High
16 | File | `/GponForm/fsetup_Form` | High
17 | File | `/log_download.cgi` | High
18 | File | `/modules/profile/index.php` | High
19 | File | `/MTFWU` | Low
20 | File | `/out.php` | Medium
21 | File | `/public/plugins/` | High
22 | File | `/s/` | Low
23 | File | `/secure/QueryComponent!Default.jspa` | High
24 | File | `/server-info` | Medium
25 | File | `/tmp` | Low
26 | File | `/tmp/app/.env` | High
27 | File | `/tmp/kamailio_ctl` | High
28 | File | `/tmp/kamailio_fifo` | High
29 | File | `/uncpath/` | Medium
30 | File | `/updown/upload.cgi` | High
31 | File | `/usr/bin/at` | Medium
32 | File | `/usr/bin/pkexec` | High
33 | ... | ... | ...
There are 288 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 282 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
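Review bot: row 6 adds `/context/%2e/WEB-INF/web.xml` in percent-encoded form while the old row 32 `/WEB-INF/web.xml` has dropped out of the visible window; a matcher that compares raw request paths treats the encoded and decoded forms as two different indicators, so either store a canonical (decoded) path or state which form each indicator uses. Row 8's `/dashboards/#` ends in a URL fragment, which browsers never send to the server, so it cannot appear in server-side logs as written; drop the `#` or note that it is a client-side pattern.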
@ -114,6 +118,7 @@ The following list contains _external sources_ which discuss the actor and the a
* https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
* https://blog.talosintelligence.com/2022/01/threat-roundup-0121-0128.html
* https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
* https://blog.talosintelligence.com/2022/03/threat-roundup-0304-0311.html
* https://vxug.fakedoma.in/archive/APTs/2021/2021.01.06(1)/LokiBot%20Infection%20Chain.pdf
## Literature


@ -33,7 +33,7 @@ ID | IP address | Hostname | Campaign | Confidence
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Lorec53. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Lorec53_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
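Review bot: this sentence is changed identically in every actor README touched by this commit (LokiBot, Magecart, MalKamak, Mirai, Molerats, Mustang Panda, NSO Group, Naikon), and the old line here differs from the others only in that the actor name was not italicized; that is the drift hand-editing produces, so generating the boilerplate paragraphs from one template would keep the files consistent and make future wording changes a one-line diff.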


@ -10,7 +10,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [CN](https://vuldb.com/?country.cn)
* [FR](https://vuldb.com/?country.fr)
* [DE](https://vuldb.com/?country.de)
* [IT](https://vuldb.com/?country.it)
* ...
There are 14 more country items available. Please use our online service to access the data.
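Review bot: the visible top three swaps FR for IT while "There are 14 more country items" is unchanged, so FR presumably moved below the cutoff, but nothing in the README says what the list is sorted by (frequency of observation, recency, confidence); without that a reader cannot interpret the change, so document the ordering criterion once in the section intro.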
@ -34,7 +34,7 @@ There are 27 more IOC items available. Please use our online service to access t
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Magecart_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Magecart_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -55,32 +55,31 @@ ID | Type | Indicator | Confidence
2 | File | `/admin/delete_image.php` | High
3 | File | `/admin/login.php` | High
4 | File | `/administrator/components/table_manager/` | High
5 | File | `/changePassword` | High
6 | File | `/context/%2e/WEB-INF/web.xml` | High
7 | File | `/data-service/users/` | High
8 | File | `/Hospital-Management-System-master/func.php` | High
9 | File | `/jeecg-boot/sys/user/queryUserByDepId` | High
10 | File | `/jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c` | High
11 | File | `/js/app.js` | Medium
12 | File | `/message-bus/_diagnostics` | High
13 | File | `/ms/cms/content/list.do` | High
14 | File | `/plugin/jcapture/applet.php` | High
15 | File | `/preferences/tags` | High
16 | File | `/proc/<pid>/status` | High
17 | File | `/public/plugins/` | High
18 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
19 | File | `/secure/EditSubscription.jspa` | High
20 | File | `/secure/QueryComponent!Default.jspa` | High
21 | File | `/tmp` | Low
22 | File | `/uncpath/` | Medium
23 | File | `1.2.2.pl4` | Medium
24 | File | `AccountManagerService.java` | High
25 | File | `actions/CompanyDetailsSave.php` | High
26 | File | `ActivityManagerService.java` | High
27 | File | `admin.php` | Medium
28 | ... | ... | ...
5 | File | `/aqpg/users/login.php` | High
6 | File | `/changePassword` | High
7 | File | `/cloud_config/router_post/check_reg_verify_code` | High
8 | File | `/context/%2e/WEB-INF/web.xml` | High
9 | File | `/data-service/users/` | High
10 | File | `/Hospital-Management-System-master/func.php` | High
11 | File | `/jeecg-boot/sys/user/queryUserByDepId` | High
12 | File | `/jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c` | High
13 | File | `/js/app.js` | Medium
14 | File | `/ManageRoute/postRoute` | High
15 | File | `/message-bus/_diagnostics` | High
16 | File | `/ms/cms/content/list.do` | High
17 | File | `/plugin/jcapture/applet.php` | High
18 | File | `/preferences/tags` | High
19 | File | `/proc/<pid>/status` | High
20 | File | `/public/plugins/` | High
21 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
22 | File | `/secure/EditSubscription.jspa` | High
23 | File | `/secure/QueryComponent!Default.jspa` | High
24 | File | `/tmp` | Low
25 | File | `/uncpath/` | Medium
26 | File | `1.2.2.pl4` | Medium
27 | ... | ... | ...
There are 234 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 227 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
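Review bot: several "File" indicators in this table are not paths an observer could see in traffic: row 19 `/proc/<pid>/status` is a template with a placeholder, row 12 `/jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c` is a source file from a vulnerability record, and row 26 `1.2.2.pl4` reads as a version string. Mixing these with request paths such as the new row 14 `/ManageRoute/postRoute` under one Type makes the list hard to consume as detection input; consider separate types (request path, source file, version) or a column saying where the fragment is expected to show up.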


@ -28,16 +28,13 @@ ID | IP address | Hostname | Campaign | Confidence
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by MalKamak. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _MalKamak_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-284 | Execution with Unnecessary Privileges | High
3 | T1499 | CWE-770 | Resource Consumption | High
4 | ... | ... | ... | ...
There are 1 more TTP items available. Please use our online service to access the data.
3 | T1555 | CWE-312 | Cleartext Storage of Sensitive Information | High
## IOA - Indicator of Attack
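Review bot: the old rows 3 and 4 (T1499 / CWE-770 plus the "There are 1 more TTP items" line) are replaced by a single T1555 row, so the profile shrinks from at least five techniques to three with nothing recording why; since the text describes this as predictive-model output, a generation date or model version in the README would let readers tell a model change from a data correction. Row 2 also maps T1068 to CWE-284 alone here but to "CWE-264, CWE-284" in the Maze and Miner tables of this same commit for the identical technique and description, so the Weakness column is not derived the same way everywhere; note that CWE-284 is "Improper Access Control" and the description given is the title of CWE-250.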


@ -1,21 +1,53 @@
# Maze - Cyber Threat Intelligence
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Maze](https://vuldb.com/?actor.maze). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Maze](https://vuldb.com/?actor.maze). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.maze](https://vuldb.com/?actor.maze)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Maze:
* [US](https://vuldb.com/?country.us)
* [RU](https://vuldb.com/?country.ru)
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Maze.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 94.232.40.167 | - | - | High
1 | [91.218.114.4](https://vuldb.com/?ip.91.218.114.4) | - | - | High
2 | [91.218.114.11](https://vuldb.com/?ip.91.218.114.11) | - | - | High
3 | [94.232.40.167](https://vuldb.com/?ip.94.232.40.167) | - | - | High
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Maze_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Maze. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/uncpath/` | Medium
2 | File | `/var/log/nginx` | High
3 | File | `ext/standard/var_unserializer.re` | High
4 | ... | ... | ...
There are 4 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://blog.talosintelligence.com/2022/03/threat-roundup-0304-0311.html
* https://github.com/sophoslabs/IoCs/blob/master/Ransomware-Maze.csv
## Literature
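Review bot: the two new IOCs 91.218.114.4 and 91.218.114.11 (rows 1-2) arrive with High confidence and no hostname or campaign, and the only clue to their provenance is the sophoslabs Ransomware-Maze.csv link added under References. A per-row source column, or a footnote tying each row to a reference, would let a reader audit the High rating; as it stands the reference list and the IOC table cannot be cross-checked. The IOA rows `ext/standard/var_unserializer.re` and `/var/log/nginx` are a source file and a log directory rather than request paths, which is worth stating since the intro sells them as fragments used in reconnaissance and exploitation.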

actors/Miner/README.md Normal file

@ -0,0 +1,72 @@
# Miner - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Miner](https://vuldb.com/?actor.miner). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.miner](https://vuldb.com/?actor.miner)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Miner:
* [SC](https://vuldb.com/?country.sc)
* [LI](https://vuldb.com/?country.li)
* [US](https://vuldb.com/?country.us)
* ...
There are 2 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Miner.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [91.211.89.29](https://vuldb.com/?ip.91.211.89.29) | - | - | High
2 | [185.10.68.123](https://vuldb.com/?ip.185.10.68.123) | 123.68.10.185.ro.ovo.sc | - | High
3 | [185.10.68.220](https://vuldb.com/?ip.185.10.68.220) | 220.68.10.185.ro.ovo.sc | - | High
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Miner_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
There are 5 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Miner. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/admin/sysmon.php` | High
2 | File | `/api/content/posts/comments` | High
3 | File | `/Home/GetAttachment` | High
4 | File | `/members/view_member.php` | High
5 | File | `/modules/projects/vw_files.php` | High
6 | File | `admin/limits.php` | High
7 | ... | ... | ...
There are 50 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://blog.talosintelligence.com/2022/03/threat-roundup-0304-0311.html
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
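Review bot: row 3 of the TTP table pairs T1110.001 with CWE-798, but the description "Improper Restriction of Excessive Authentication Attempts" is the title of CWE-307, not CWE-798 ("Use of Hard-coded Credentials"); one of the two columns is wrong, and the same row recurs in the Naikon table in this commit. Separately, the README never says what "Miner" denotes (a cryptomining family, a group, a tool); the intro is the shared template, so a one-line description under the title would tell readers what the indicators are attributed to.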


@ -20,7 +20,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [CN](https://vuldb.com/?country.cn)
* ...
There are 6 more country items available. Please use our online service to access the data.
There are 7 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -39,7 +39,7 @@ There are 22 more IOC items available. Please use our online service to access t
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Mirai_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Mirai_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------


@ -42,7 +42,7 @@ There are 17 more IOC items available. Please use our online service to access t
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Molerats_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Molerats_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------


@ -1,23 +1,31 @@
# Moses Staff - Cyber Threat Intelligence
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Moses Staff](https://vuldb.com/?actor.moses_staff). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Moses Staff](https://vuldb.com/?actor.moses_staff). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.moses_staff](https://vuldb.com/?actor.moses_staff)
## Campaigns
The following _campaigns_ are known and can be associated with Moses Staff:
* DriveGuard
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Moses Staff.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 95.169.196.52 | - | - | High
2 | 185.206.180.138 | 25.http-proxy2.cloudns.net | - | High
1 | [87.120.8.210](https://vuldb.com/?ip.87.120.8.210) | - | DriveGuard | High
2 | [95.169.196.52](https://vuldb.com/?ip.95.169.196.52) | - | - | High
3 | [185.206.180.138](https://vuldb.com/?ip.185.206.180.138) | 25.http-proxy2.cloudns.net | - | High
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://ddanchev.blogspot.com/2021/10/exposing-moses-staff-data-leaks-gang.html
* https://www.fortinet.com/blog/threat-research/guard-your-drive-from-driveguard
## Literature
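Review bot: row 1 (87.120.8.210) is the only IOC tied to the new DriveGuard campaign, while rows 2-3, which predate this change, keep "-" even though the README now has a Campaigns section; if those two were collected from the ddanchev post rather than the Fortinet DriveGuard write-up, say so, otherwise the empty column reads as missing data. Row 3's hostname 25.http-proxy2.cloudns.net points at a shared proxy / dynamic DNS host, which is weak as a High-confidence network indicator; Medium would match how shared cloud hosts are rated in the Muhstik table of this commit.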


@ -1,6 +1,6 @@
# Muhstik - Cyber Threat Intelligence
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Muhstik](https://vuldb.com/?actor.muhstik). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Muhstik](https://vuldb.com/?actor.muhstik). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.muhstik](https://vuldb.com/?actor.muhstik)
@ -16,9 +16,9 @@ The following _campaigns_ are known and can be associated with Muhstik:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Muhstik:
* FR
* US
* NL
* [FR](https://vuldb.com/?country.fr)
* [US](https://vuldb.com/?country.us)
* [NL](https://vuldb.com/?country.nl)
* ...
There are 15 more country items available. Please use our online service to access the data.
@ -29,20 +29,20 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 1.116.59.211 | - | - | High
2 | 3.10.224.87 | ec2-3-10-224-87.eu-west-2.compute.amazonaws.com | - | Medium
3 | 5.19.4.15 | relay.zmk.spb.ru | - | High
4 | 18.228.7.109 | ec2-18-228-7-109.sa-east-1.compute.amazonaws.com | Log4Shell | Medium
5 | 34.66.229.152 | 152.229.66.34.bc.googleusercontent.com | - | Medium
6 | 34.221.40.237 | ec2-34-221-40-237.us-west-2.compute.amazonaws.com | - | Medium
7 | 35.160.222.182 | ec2-35-160-222-182.us-west-2.compute.amazonaws.com | - | Medium
8 | 37.187.107.139 | ns326418.ip-37-187-107.eu | - | High
9 | 37.187.253.12 | ns347308.ip-37-187-253.eu | - | High
10 | 45.130.229.168 | - | Log4Shell | High
11 | 46.29.160.149 | - | - | High
12 | 46.218.149.85 | reverse.completel.fr | - | High
13 | 47.135.208.145 | 047-135-208-145.res.spectrum.com | CVE-2018-7600 / CVE-2017-10271 | High
14 | 51.254.219.134 | 134.ip-51-254-219.eu | CVE-2018-7600 / CVE-2017-10271 | High
1 | [1.116.59.211](https://vuldb.com/?ip.1.116.59.211) | - | - | High
2 | [3.10.224.87](https://vuldb.com/?ip.3.10.224.87) | ec2-3-10-224-87.eu-west-2.compute.amazonaws.com | - | Medium
3 | [5.19.4.15](https://vuldb.com/?ip.5.19.4.15) | relay.zmk.spb.ru | - | High
4 | [18.228.7.109](https://vuldb.com/?ip.18.228.7.109) | ec2-18-228-7-109.sa-east-1.compute.amazonaws.com | Log4Shell | Medium
5 | [34.66.229.152](https://vuldb.com/?ip.34.66.229.152) | 152.229.66.34.bc.googleusercontent.com | - | Medium
6 | [34.221.40.237](https://vuldb.com/?ip.34.221.40.237) | ec2-34-221-40-237.us-west-2.compute.amazonaws.com | - | Medium
7 | [35.160.222.182](https://vuldb.com/?ip.35.160.222.182) | ec2-35-160-222-182.us-west-2.compute.amazonaws.com | - | Medium
8 | [37.187.107.139](https://vuldb.com/?ip.37.187.107.139) | ns326418.ip-37-187-107.eu | - | High
9 | [37.187.253.12](https://vuldb.com/?ip.37.187.253.12) | ns347308.ip-37-187-253.eu | - | High
10 | [45.130.229.168](https://vuldb.com/?ip.45.130.229.168) | - | Log4Shell | High
11 | [46.29.160.149](https://vuldb.com/?ip.46.29.160.149) | - | - | High
12 | [46.218.149.85](https://vuldb.com/?ip.46.218.149.85) | reverse.completel.fr | - | High
13 | [47.135.208.145](https://vuldb.com/?ip.47.135.208.145) | 047-135-208-145.res.spectrum.com | CVE-2018-7600 / CVE-2017-10271 | High
14 | [51.254.219.134](https://vuldb.com/?ip.51.254.219.134) | 134.ip-51-254-219.eu | CVE-2018-7600 / CVE-2017-10271 | High
15 | ... | ... | ... | ...
There are 56 more IOC items available. Please use our online service to access the data.
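Review bot: the Campaign column in rows 13-14 holds "CVE-2018-7600 / CVE-2017-10271", i.e. the vulnerabilities exploited, while rows 4 and 10 hold a campaign name (Log4Shell); two value kinds in one column break any filter on campaign, so either register the CVE-driven activity as named campaigns under ## Campaigns or give CVEs their own column. Row 13 (047-135-208-145.res.spectrum.com) is a residential ISP address by its hostname and therefore most likely a compromised bot whose address will churn; High confidence without a first/last-seen date overstates how long it can be acted on.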
@ -89,7 +89,7 @@ ID | Type | Indicator | Confidence
21 | File | `adm1n/admin_config.php` | High
22 | ... | ... | ...
There are 183 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 184 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References


@ -35,7 +35,7 @@ There are 22 more IOC items available. Please use our online service to access t
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Mustang Panda_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Mustang Panda_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------


@ -43,7 +43,7 @@ There are 31 more IOC items available. Please use our online service to access t
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _NSO Group_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _NSO Group_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -66,21 +66,21 @@ ID | Type | Indicator | Confidence
4 | File | `/forms/web_importTFTP` | High
5 | File | `/forum/away.php` | High
6 | File | `/graphql` | Medium
7 | File | `/localhost/u` | Medium
8 | File | `/out.php` | Medium
9 | File | `/PluXml/core/admin/parametres_edittpl.php` | High
10 | File | `/public_html/admin/plugins/bad_behavior2/blacklist.php` | High
11 | File | `/rom-0` | Low
12 | File | `/root/run/adm.php?admin-ediy&part=exdiy` | High
13 | File | `/v2/devices/add` | High
14 | File | `/var/ipfire/backup/bin/backup.pl` | High
15 | File | `/wp-json/wc/v3/webhooks` | High
16 | File | `adclick.php` | Medium
17 | File | `AddEvent.php` | Medium
18 | File | `admin.php` | Medium
7 | File | `/jeecg-boot/jmreport/view` | High
8 | File | `/localhost/u` | Medium
9 | File | `/out.php` | Medium
10 | File | `/PluXml/core/admin/parametres_edittpl.php` | High
11 | File | `/public_html/admin/plugins/bad_behavior2/blacklist.php` | High
12 | File | `/rom-0` | Low
13 | File | `/root/run/adm.php?admin-ediy&part=exdiy` | High
14 | File | `/v2/devices/add` | High
15 | File | `/var/ipfire/backup/bin/backup.pl` | High
16 | File | `/wp-json/wc/v3/webhooks` | High
17 | File | `adclick.php` | Medium
18 | File | `AddEvent.php` | Medium
19 | ... | ... | ...
There are 154 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 155 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
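Review bot: row 13 `/root/run/adm.php?admin-ediy&part=exdiy` embeds a query string while every other entry, the new row 7 `/jeecg-boot/jmreport/view` included, is a bare path; a consumer matching on the path component will never hit the query form, and one matching on the full request target will miss parameter reorderings. Split path and query into separate indicators, or document that a "File" indicator may carry a full request target. The count line moving from 154 to 155 is consistent with the one row added.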


@ -1,71 +1,72 @@
# Naikon - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Naikon](https://vuldb.com/?actor.naikon). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Naikon](https://vuldb.com/?actor.naikon). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.naikon](https://vuldb.com/?actor.naikon)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.naikon](https://vuldb.com/?actor.naikon)
## Campaigns
The following campaigns are known and can be associated with Naikon:
The following _campaigns_ are known and can be associated with Naikon:
* Camerashy
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Naikon:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Naikon:
* US
* CN
* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Naikon.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Naikon.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 47.241.127.190 | - | High
2 | 50.117.115.89 | - | High
3 | 50.117.115.90 | - | High
4 | 65.19.141.203 | shibakov.org | High
5 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [47.241.127.190](https://vuldb.com/?ip.47.241.127.190) | - | - | High
2 | [50.117.115.89](https://vuldb.com/?ip.50.117.115.89) | - | Camerashy | High
3 | [50.117.115.90](https://vuldb.com/?ip.50.117.115.90) | - | Camerashy | High
4 | [65.19.141.203](https://vuldb.com/?ip.65.19.141.203) | shibakov.org | Camerashy | High
5 | ... | ... | ... | ...
There are 16 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Naikon. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Naikon_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
There are 5 more TTP items available. Please use our online service to access the data.
There are 4 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Naikon. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Naikon. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `%windir%\Internet Logs\` | High
2 | File | `/crypto_keyfile.bin` | High
3 | File | `/show_news.php` | High
4 | File | `/squashfs-root/www/HNAP1/control/SetWizardConfig.php` | High
5 | File | `500page.jsp` | Medium
6 | File | `admin/admin_process.php` | High
7 | File | `admin/user_activate_submit.php` | High
8 | File | `browse-scategory.php` | High
9 | File | `classes/Visualizer/Gutenberg/Block.php` | High
10 | ... | ... | ...
4 | File | `/siteminderagent/pwcgi/smpwservicescgi.exe` | High
5 | File | `/squashfs-root/www/HNAP1/control/SetWizardConfig.php` | High
6 | File | `500page.jsp` | Medium
7 | File | `admin/admin_process.php` | High
8 | File | `admin/user_activate_submit.php` | High
9 | File | `browse-scategory.php` | High
10 | File | `classes/Visualizer/Gutenberg/Block.php` | High
11 | ... | ... | ...
There are 78 more IOA items available. Please use our online service to access the data.
There are 83 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* http://cdn2.hubspot.net/hubfs/454298/Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf
* https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/
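Review bot: row 3 of the new TTP table pairs CWE-798 with the description "Improper Restriction of Excessive Authentication Attempts", which is the title of CWE-307; CWE-798 is "Use of Hard-coded Credentials". Either the Weakness or the Description is wrong for this row, so please reconcile them before merging (the identical row is introduced in the PKPLUG file in this commit as well).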
@ -74,7 +75,7 @@ The following list contains external sources which discuss the actor and the ass
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)


@ -1,70 +1,70 @@
# Nanocore - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Nanocore](https://vuldb.com/?actor.nanocore). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Nanocore](https://vuldb.com/?actor.nanocore). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.nanocore](https://vuldb.com/?actor.nanocore)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.nanocore](https://vuldb.com/?actor.nanocore)
## Campaigns
The following campaigns are known and can be associated with Nanocore:
The following _campaigns_ are known and can be associated with Nanocore:
* Tax-Themed Phishing
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Nanocore:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Nanocore:
* US
* CN
* GB
* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [GB](https://vuldb.com/?country.gb)
* ...
There are 6 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Nanocore.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Nanocore.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 8.8.8.8 | dns.google | High
2 | 20.42.65.92 | - | High
3 | 23.235.221.158 | vps53141.inmotionhosting.com | High
4 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [8.8.8.8](https://vuldb.com/?ip.8.8.8.8) | dns.google | - | High
2 | [20.42.65.92](https://vuldb.com/?ip.20.42.65.92) | - | - | High
3 | [23.235.221.158](https://vuldb.com/?ip.23.235.221.158) | vps53141.inmotionhosting.com | Tax-Themed Phishing | High
4 | ... | ... | ... | ...
There are 14 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Nanocore. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Nanocore_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1211 | 7PK Security Features | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1211 | CWE-254 | 7PK Security Features | High
4 | ... | ... | ... | ...
There are 4 more TTP items available. Please use our online service to access the data.
There are 3 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Nanocore. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Nanocore. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/services/details.asp` | High
2 | File | `/uncpath/` | Medium
3 | File | `browser.php` | Medium
4 | File | `cat.php` | Low
5 | File | `CompanionDeviceManagerService.java` | High
1 | File | `/etc/sudoers` | Medium
2 | File | `/services/details.asp` | High
3 | File | `/uncpath/` | Medium
4 | File | `browser.php` | Medium
5 | File | `cat.php` | Low
6 | ... | ... | ...
There are 42 more IOA items available. Please use our online service to access the data.
There are 43 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://blog.talosintelligence.com/2021/07/threat-roundup-0716-0723.html
* https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
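Review bot: row 1 of the new IOC table lists 8.8.8.8 (dns.google) as a High-confidence indicator of compromise. That is Google's public resolver, used by countless benign hosts, so any consumer that blocks or alerts on this table will produce noise or break name resolution; suggest dropping the row or lowering its confidence and marking it as shared infrastructure.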
@ -72,7 +72,7 @@ The following list contains external sources which discuss the actor and the ass
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)


@ -1,37 +1,37 @@
# Nobelium - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Nobelium](https://vuldb.com/?actor.nobelium). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Nobelium](https://vuldb.com/?actor.nobelium). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.nobelium](https://vuldb.com/?actor.nobelium)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.nobelium](https://vuldb.com/?actor.nobelium)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Nobelium:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Nobelium:
* CN
* US
* DE
* [CN](https://vuldb.com/?country.cn)
* [US](https://vuldb.com/?country.us)
* [DE](https://vuldb.com/?country.de)
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Nobelium.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Nobelium.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 83.171.237.173 | 83.171.237.173.static.as201206.net | High
2 | 192.99.221.77 | ip77.ip-192-99-221.net | High
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [83.171.237.173](https://vuldb.com/?ip.83.171.237.173) | 83.171.237.173.static.as201206.net | - | High
2 | [192.99.221.77](https://vuldb.com/?ip.192.99.221.77) | ip77.ip-192-99-221.net | - | High
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Nobelium. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Nobelium_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1068 | Execution with Unnecessary Privileges | High
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1068 | CWE-284 | Execution with Unnecessary Privileges | High
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Nobelium. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Nobelium. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
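Review bot: both Hostname values in the new IOC table (`83.171.237.173.static.as201206.net`, `ip77.ip-192-99-221.net`) are the hosting providers' generic reverse-DNS names, not actor-registered domains, so they add no detection value on their own; consider marking them as reverse DNS (or leaving the column as `-`) so consumers key on the IP addresses only.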
@ -40,17 +40,17 @@ ID | Type | Indicator | Confidence
3 | File | `burl.c` | Low
4 | ... | ... | ...
There are 8 more IOA items available. Please use our online service to access the data.
There are 8 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)


@ -33,7 +33,7 @@ There are 22 more IOC items available. Please use our online service to access t
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Nymaim_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Nymaim_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -50,34 +50,34 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/adfs/ls` | Medium
2 | File | `/admin/doctors/view_doctor.php` | High
3 | File | `/appliance/users?action=edit` | High
4 | File | `/config/getuser` | High
5 | File | `/data-service/users/` | High
6 | File | `/IISADMPWD` | Medium
7 | File | `/js/app.js` | Medium
8 | File | `/login` | Low
9 | File | `/monitor/s_headmodel.php` | High
10 | File | `/pro/repo-create.html` | High
11 | File | `/public/plugins/` | High
12 | File | `/rest/api/1.0/issues/{id}/ActionsAndOperations` | High
13 | File | `/rest/api/latest/projectvalidate/key` | High
14 | File | `/rest/collectors/1.0/template/custom` | High
15 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
16 | File | `/server-info` | Medium
17 | File | `/services` | Medium
18 | File | `/test/cookie/` | High
19 | File | `/uncpath/` | Medium
20 | File | `/usr/bin/at` | Medium
21 | File | `/usr/bin/pkexec` | High
22 | File | `/WEB-INF/web.xml` | High
23 | File | `admin-ajax.php` | High
24 | File | `AndroidManifest.xml` | High
25 | File | `app/View/Galaxies/view.ctp` | High
1 | File | `//` | Low
2 | File | `/adfs/ls` | Medium
3 | File | `/admin/doctors/view_doctor.php` | High
4 | File | `/appliance/users?action=edit` | High
5 | File | `/config/getuser` | High
6 | File | `/data-service/users/` | High
7 | File | `/IISADMPWD` | Medium
8 | File | `/js/app.js` | Medium
9 | File | `/login` | Low
10 | File | `/monitor/s_headmodel.php` | High
11 | File | `/pro/repo-create.html` | High
12 | File | `/public/plugins/` | High
13 | File | `/rest/api/1.0/issues/{id}/ActionsAndOperations` | High
14 | File | `/rest/api/latest/projectvalidate/key` | High
15 | File | `/rest/collectors/1.0/template/custom` | High
16 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
17 | File | `/server-info` | Medium
18 | File | `/services` | Medium
19 | File | `/test/cookie/` | High
20 | File | `/uncpath/` | Medium
21 | File | `/usr/bin/at` | Medium
22 | File | `/usr/bin/pkexec` | High
23 | File | `/WEB-INF/web.xml` | High
24 | File | `admin-ajax.php` | High
25 | File | `AndroidManifest.xml` | High
26 | ... | ... | ...
There are 217 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 220 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
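Review bot: the new row 1 of the IOA table adds `//` as a File indicator (Low confidence). A two-character path fragment matches practically any URL or file path and cannot be used for detection without overwhelming false positives; suggest filtering indicators below a minimum length out of the generated tables instead of publishing them with Low confidence.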


@ -31,7 +31,7 @@ There are 14 more IOC items available. Please use our online service to access t
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _OilRig_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _OilRig_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------


@ -1,6 +1,6 @@
# Omni - Cyber Threat Intelligence
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Omni](https://vuldb.com/?actor.omni). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Omni](https://vuldb.com/?actor.omni). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.omni](https://vuldb.com/?actor.omni)
@ -8,12 +8,12 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Omni:
* US
* PW
* ES
* [US](https://vuldb.com/?country.us)
* [PW](https://vuldb.com/?country.pw)
* [ES](https://vuldb.com/?country.es)
* ...
There are 3 more country items available. Please use our online service to access the data.
There are 4 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -21,12 +21,12 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 51.15.106.135 | 135-106-15-51.instances.scw.cloud | - | High
2 | 185.246.152.173 | free.ds.melbicom.net | - | High
1 | [51.15.106.135](https://vuldb.com/?ip.51.15.106.135) | 135-106-15-51.instances.scw.cloud | - | High
2 | [185.246.152.173](https://vuldb.com/?ip.185.246.152.173) | free.ds.melbicom.net | - | High
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Omni. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Omni_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -35,7 +35,7 @@ ID | Technique | Weakness | Description | Confidence
3 | T1211 | CWE-254 | 7PK Security Features | High
4 | ... | ... | ... | ...
There are 5 more TTP items available. Please use our online service to access the data.
There are 4 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack


@ -30,7 +30,7 @@ There are 4 more IOC items available. Please use our online service to access th
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by OnePercent. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _OnePercent_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -39,7 +39,7 @@ ID | Technique | Weakness | Description | Confidence
3 | T1211 | CWE-254 | 7PK Security Features | High
4 | ... | ... | ... | ...
There are 2 more TTP items available. Please use our online service to access the data.
There are 1 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
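Review bot: the regenerated summary line reads "There are 1 more TTP items available", which is grammatically off (it should be "There is 1 more TTP item available"); the template that emits these lines should pluralize on the count, since the same construction shows up in the hunk context of the Oto Gonderici file ("There are 1 more IOC items available").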


@ -30,7 +30,7 @@ There are 1 more IOC items available. Please use our online service to access th
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Oto Gonderici_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Oto Gonderici_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------


@ -1,85 +1,78 @@
# PKPLUG - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [PKPLUG](https://vuldb.com/?actor.pkplug). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [PKPLUG](https://vuldb.com/?actor.pkplug). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.pkplug](https://vuldb.com/?actor.pkplug)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.pkplug](https://vuldb.com/?actor.pkplug)
## Campaigns
The following campaigns are known and can be associated with PKPLUG:
The following _campaigns_ are known and can be associated with PKPLUG:
* THOR
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with PKPLUG:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with PKPLUG:
* CN
* US
* [CN](https://vuldb.com/?country.cn)
* [US](https://vuldb.com/?country.us)
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of PKPLUG.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of PKPLUG.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 42.99.117.92 | - | High
2 | 42.99.117.95 | - | High
3 | 43.254.217.165 | - | High
4 | 45.142.166.112 | - | High
5 | 45.248.87.140 | - | High
6 | 45.248.87.162 | - | High
7 | 45.248.87.217 | - | High
8 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [42.99.117.92](https://vuldb.com/?ip.42.99.117.92) | - | THOR | High
2 | [42.99.117.95](https://vuldb.com/?ip.42.99.117.95) | - | THOR | High
3 | [43.254.217.165](https://vuldb.com/?ip.43.254.217.165) | - | THOR | High
4 | [45.142.166.112](https://vuldb.com/?ip.45.142.166.112) | - | THOR | High
5 | ... | ... | ... | ...
There are 13 more IOC items available. Please use our online service to access the data.
There are 16 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by PKPLUG. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _PKPLUG_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1222 | Permission Issues | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
There are 2 more TTP items available. Please use our online service to access the data.
There are 3 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by PKPLUG. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by PKPLUG. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/etc/shadow` | Medium
2 | File | `/htmlcode/html/indexdefault.asp` | High
3 | File | `/include/config.cache.php` | High
4 | File | `/include/helpers/upload.helper.php` | High
5 | File | `/tmp` | Low
6 | File | `admin.php` | Medium
7 | File | `app\admin\controller\RouteController.php` | High
8 | File | `archiver\index.php` | High
9 | File | `cmd.exe` | Low
10 | File | `drivers/media/platform/vivid` | High
11 | ... | ... | ...
1 | File | `/cgi-bin/portal` | High
2 | File | `/etc/passwd` | Medium
3 | File | `/etc/shadow` | Medium
4 | File | `/htmlcode/html/indexdefault.asp` | High
5 | File | `/include/config.cache.php` | High
6 | File | `/include/helpers/upload.helper.php` | High
7 | ... | ... | ...
There are 36 more IOA items available. Please use our online service to access the data.
There are 49 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://unit42.paloaltonetworks.com/thor-plugx-variant/
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
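Review bot: the Description column of the new TTP table carries CWE titles ("Cross Site Scripting", "Execution with Unnecessary Privileges", "Improper Restriction of Excessive Authentication Attempts") rather than the ATT&CK technique names (T1059.007 is Command and Scripting Interpreter: JavaScript, T1068 is Exploitation for Privilege Escalation, T1110.001 is Brute Force: Password Guessing). Because the column sits right next to Technique, readers will read it as the technique description; suggest renaming it (e.g. "Weakness Description") or adding the ATT&CK name so the Technique-to-Weakness mapping is explicit.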

Some files were not shown because too many files have changed in this diff.