Update
This commit is contained in:
parent
63ca436110
commit
ef16ee7c43
|
@ -1,110 +1,87 @@
|
|||
# APT1 - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT1](https://vuldb.com/?actor.apt1). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT1](https://vuldb.com/?actor.apt1). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt1](https://vuldb.com/?actor.apt1)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.apt1](https://vuldb.com/?actor.apt1)
|
||||
|
||||
## Campaigns
|
||||
|
||||
The following campaigns are known and can be associated with APT1:
|
||||
The following _campaigns_ are known and can be associated with APT1:
|
||||
|
||||
* Mandiant
|
||||
* Oceansalt
|
||||
|
||||
## Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT1:
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT1:
|
||||
|
||||
* CN
|
||||
* US
|
||||
* FR
|
||||
* ...
|
||||
|
||||
There are 1 more country items available. Please use our online service to access the data.
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* [GB](https://vuldb.com/?country.gb)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT1.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of APT1.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 23.236.62.147 | 147.62.236.23.bc.googleusercontent.com | Medium
|
||||
2 | 27.102.112.179 | - | High
|
||||
3 | 58.246. | - | High
|
||||
4 | ... | ... | ...
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [23.236.62.147](https://vuldb.com/?ip.23.236.62.147) | 147.62.236.23.bc.googleusercontent.com | - | Medium
|
||||
2 | [27.102.112.179](https://vuldb.com/?ip.27.102.112.179) | - | Oceansalt | High
|
||||
3 | [58.246.0.0](https://vuldb.com/?ip.58.246.0.0) | - | Mandiant | High
|
||||
4 | [58.247.0.0](https://vuldb.com/?ip.58.247.0.0) | - | Mandiant | High
|
||||
5 | [67.222.16.131](https://vuldb.com/?ip.67.222.16.131) | host.dnsweb.org | - | High
|
||||
6 | [100.42.216.230](https://vuldb.com/?ip.100.42.216.230) | tfs2480.sipnav.in | - | High
|
||||
7 | [101.80.0.0](https://vuldb.com/?ip.101.80.0.0) | - | Mandiant | High
|
||||
8 | [101.81.0.0](https://vuldb.com/?ip.101.81.0.0) | - | Mandiant | High
|
||||
9 | [101.82.0.0](https://vuldb.com/?ip.101.82.0.0) | - | Mandiant | High
|
||||
10 | [101.83.0.0](https://vuldb.com/?ip.101.83.0.0) | - | Mandiant | High
|
||||
11 | [101.84.0.0](https://vuldb.com/?ip.101.84.0.0) | - | Mandiant | High
|
||||
12 | [101.85.0.0](https://vuldb.com/?ip.101.85.0.0) | - | Mandiant | High
|
||||
13 | [101.86.0.0](https://vuldb.com/?ip.101.86.0.0) | - | Mandiant | High
|
||||
14 | [101.87.0.0](https://vuldb.com/?ip.101.87.0.0) | - | Mandiant | High
|
||||
15 | [101.88.0.0](https://vuldb.com/?ip.101.88.0.0) | - | Mandiant | High
|
||||
16 | ... | ... | ... | ...
|
||||
|
||||
There are 10 more IOC items available. Please use our online service to access the data.
|
||||
There are 60 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by APT1. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by APT1. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1059.007 | Cross Site Scripting | High
|
||||
2 | T1068 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ...
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 6 more TTP items available. Please use our online service to access the data.
|
||||
There are 2 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT1. This data is unique as it uses our predictive model for actor profiling.
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT1. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `.htaccess` | Medium
|
||||
2 | File | `/+CSCOE+/logon.html` | High
|
||||
3 | File | `/admin/ajax/file-browser/upload/` | High
|
||||
4 | File | `/admin/pictures` | High
|
||||
5 | File | `/authenticationendpoint/domain.jsp` | High
|
||||
6 | File | `/cmf/process/<process_id>/logs` | High
|
||||
7 | File | `/dashbuilder/Controller` | High
|
||||
8 | File | `/getcfg.php` | Medium
|
||||
9 | File | `/goform/addressNat` | High
|
||||
10 | File | `/goform/SysToolReboot` | High
|
||||
11 | File | `/jpg/image.jpg` | High
|
||||
12 | File | `/main.html` | Medium
|
||||
13 | File | `/mc-admin/post.php?state=delete&delete` | High
|
||||
14 | File | `/member/myfriend.php` | High
|
||||
15 | File | `/member/pm.php` | High
|
||||
16 | File | `/member/uploads_select.php` | High
|
||||
17 | File | `/public/common/umeditor/php/getcontent.php` | High
|
||||
18 | File | `/public/plugins/` | High
|
||||
19 | File | `/robot/initialize` | High
|
||||
20 | File | `/systemrw/` | Medium
|
||||
21 | File | `/tmp` | Low
|
||||
22 | File | `/tmp/csman/0` | Medium
|
||||
23 | File | `/UDPUpdates/Config/FullUpdateSettings.xml` | High
|
||||
24 | File | `/uncpath/` | Medium
|
||||
25 | File | `/usr/bin/pkexec` | High
|
||||
26 | File | `/var` | Low
|
||||
27 | File | `/WebMstr7/servlet/mstrWeb` | High
|
||||
28 | File | `/wp-admin/admin-ajax.php` | High
|
||||
29 | File | `adm/boardgroup_form_update.php` | High
|
||||
30 | File | `admin.php?mod=db&act=del` | High
|
||||
31 | File | `admin.php?moduleid=2&action=add` | High
|
||||
32 | File | `admin/category.inc.php` | High
|
||||
33 | File | `admin/check.asp` | High
|
||||
34 | File | `admin/code/tce_functions_tcecode_editor.php` | High
|
||||
35 | File | `admin/content/editcontent?id=29&gopage=1` | High
|
||||
36 | ... | ... | ...
|
||||
1 | File | `/public/plugins/` | High
|
||||
2 | File | `/systemrw/` | Medium
|
||||
3 | File | `adm/boardgroup_form_update.php` | High
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 308 more IOA items available. Please use our online service to access the data.
|
||||
There are 16 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf
|
||||
* https://www.circleid.com/posts/20201215-revisiting-apt1-iocs-with-dns-and-subdomain-intelligence/
|
||||
* https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdfa
|
||||
* https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
|
||||
* https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
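Review bot: the new IOC rows 3, 4 and 7–15 (`58.246.0.0`, `58.247.0.0`, `101.80.0.0` through `101.88.0.0`) are network addresses of consecutive netblocks, not hosts, yet the column is labelled "IP address" and each link points at a single-address page (`?ip.58.246.0.0`); anyone feeding this table into a blocklist or a SIEM watchlist will match one address per row instead of the whole range. Suggest rendering them with their prefix length in CIDR notation, or adding a column that distinguishes host from netblock (the old row 3 `58.246.` was truncated, so replacing it is right, only the representation is still lossy). In the new TTP table, row 3 pairs `CWE-798` with the description "Improper Restriction of Excessive Authentication Attempts", which is the title of CWE-307 (CWE-798 is hard-coded credentials), so the Weakness and Description columns disagree. Under Campaigns, "Mandiant" is the vendor whose report is linked in References, not a campaign name; if the entry stands for the activity documented in that report, say so or drop it.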
@ -21,7 +21,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
* [DE](https://vuldb.com/?country.de)
|
||||
* ...
|
||||
|
||||
There are 8 more country items available. Please use our online service to access the data.
|
||||
There are 9 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -59,7 +59,7 @@ There are 98 more IOC items available. Please use our online service to access t
|
|||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _APT10_. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _APT10_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
|
@ -106,10 +106,10 @@ ID | Type | Indicator | Confidence
|
|||
28 | File | `apply.cgi` | Medium
|
||||
29 | File | `arm/lithium-codegen-arm.cc` | High
|
||||
30 | File | `authenticate.c` | High
|
||||
31 | File | `Authenticate.class.php` | High
|
||||
31 | File | `base_maintenance.php` | High
|
||||
32 | ... | ... | ...
|
||||
|
||||
There are 275 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 271 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# APT16 - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT16](https://vuldb.com/?actor.apt16). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT16](https://vuldb.com/?actor.apt16). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.apt16](https://vuldb.com/?actor.apt16)
|
||||
|
||||
|
@ -8,8 +8,8 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
|
|||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT16:
|
||||
|
||||
* US
|
||||
* CN
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -17,7 +17,7 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
|
|||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 121.127.249.74 | - | - | High
|
||||
1 | [121.127.249.74](https://vuldb.com/?ip.121.127.249.74) | - | - | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
|
|
|
@ -1,38 +1,38 @@
|
|||
# APT18 - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT18](https://vuldb.com/?actor.apt18). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT18](https://vuldb.com/?actor.apt18). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt18](https://vuldb.com/?actor.apt18)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.apt18](https://vuldb.com/?actor.apt18)
|
||||
|
||||
## Campaigns
|
||||
|
||||
The following campaigns are known and can be associated with APT18:
|
||||
The following _campaigns_ are known and can be associated with APT18:
|
||||
|
||||
* Wekby
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT18.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of APT18.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 23.252.166.89 | - | High
|
||||
2 | 23.252.166.99 | - | High
|
||||
3 | 107.180.58.70 | ip-107-180-58-70.ip.secureserver.net | High
|
||||
4 | ... | ... | ...
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [23.252.166.89](https://vuldb.com/?ip.23.252.166.89) | - | Wekby | High
|
||||
2 | [23.252.166.99](https://vuldb.com/?ip.23.252.166.99) | - | Wekby | High
|
||||
3 | [107.180.58.70](https://vuldb.com/?ip.107.180.58.70) | ip-107-180-58-70.ip.secureserver.net | Wekby | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 2 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://github.com/fireeye/iocs/blob/master/APT18/0ae061d7-c624-4a84-8adf-00281b97797b.ioc
|
||||
* https://unit42.paloaltonetworks.com/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
@ -1,68 +1,78 @@
|
|||
# APT2 - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT2](https://vuldb.com/?actor.apt2). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT2](https://vuldb.com/?actor.apt2). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt2](https://vuldb.com/?actor.apt2)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.apt2](https://vuldb.com/?actor.apt2)
|
||||
|
||||
## Campaigns
|
||||
|
||||
The following campaigns are known and can be associated with APT2:
|
||||
The following _campaigns_ are known and can be associated with APT2:
|
||||
|
||||
* Putter Panda
|
||||
|
||||
## Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT2:
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT2:
|
||||
|
||||
* KR
|
||||
* US
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* [KR](https://vuldb.com/?country.kr)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT2.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of APT2.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 31.170.110.163 | io.uu3.net | High
|
||||
2 | 58.196.156.15 | - | High
|
||||
3 | 59.120.168.199 | 59-120-168-199.hinet-ip.hinet.net | High
|
||||
4 | 61.34.97.69 | - | High
|
||||
5 | 61.74.190.14 | - | High
|
||||
6 | 61.78.37.121 | - | High
|
||||
7 | 61.78.75.96 | - | High
|
||||
8 | 61.221.54.99 | 61-221-54-99.hinet-ip.hinet.net | High
|
||||
9 | ... | ... | ...
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [31.170.110.163](https://vuldb.com/?ip.31.170.110.163) | io.uu3.net | Putter Panda | High
|
||||
2 | [58.196.156.15](https://vuldb.com/?ip.58.196.156.15) | - | Putter Panda | High
|
||||
3 | [59.120.168.199](https://vuldb.com/?ip.59.120.168.199) | 59-120-168-199.hinet-ip.hinet.net | - | High
|
||||
4 | [61.34.97.69](https://vuldb.com/?ip.61.34.97.69) | - | - | High
|
||||
5 | [61.74.190.14](https://vuldb.com/?ip.61.74.190.14) | - | - | High
|
||||
6 | [61.78.37.121](https://vuldb.com/?ip.61.78.37.121) | - | - | High
|
||||
7 | [61.78.75.96](https://vuldb.com/?ip.61.78.75.96) | - | - | High
|
||||
8 | [61.221.54.99](https://vuldb.com/?ip.61.221.54.99) | 61-221-54-99.hinet-ip.hinet.net | - | High
|
||||
9 | ... | ... | ... | ...
|
||||
|
||||
There are 34 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by APT2. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by APT2. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1059.007 | Cross Site Scripting | High
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
|
||||
3 | T1211 | CWE-254 | 7PK Security Features | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 2 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT2. This data is unique as it uses our predictive model for actor profiling.
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT2. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/bin/boa` | Medium
|
||||
2 | Argument | `Authorization` | High
|
||||
3 | Argument | `Username` | Medium
|
||||
1 | File | `/admin/blog/blogcategory/add/?_to_field=id&_popup=1` | High
|
||||
2 | File | `/bin/boa` | Medium
|
||||
3 | File | `/DOWN/FIRMWAREUPDATE/ROM1` | High
|
||||
4 | File | `admin/admin/adminsave.html` | High
|
||||
5 | ... | ... | ...
|
||||
|
||||
There are 26 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf
|
||||
* https://www.threatminer.org/report.php?q=putter-panda.pdf&y=2014
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
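Review bot: in the new TTP table, row 3 `T1211 | CWE-254 | 7PK Security Features` uses a CWE category label as the technique description; "7PK - Security Features" is the name of the CWE-254 category, not a description of ATT&CK T1211, and row 2's "Execution with Unnecessary Privileges" is likewise a CWE title rather than the name of T1068. Suggest the Description column carry the ATT&CK technique name and leave CWE titles to the Weakness column, otherwise a reader cannot tell which identifier the text belongs to. The country list also gains `CN`, but no visible IOC row is tied to it (rows 3–8 keep `-` in the new Campaign column), so the diff does not show what the new association rests on.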
@ -84,7 +84,7 @@ There are 184 more IOC items available. Please use our online service to access
|
|||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _APT28_. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _APT28_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
|
@ -115,28 +115,28 @@ ID | Type | Indicator | Confidence
|
|||
12 | File | `/plugins/servlet/audit/resource` | High
|
||||
13 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
|
||||
14 | File | `/proc/ioports` | High
|
||||
15 | File | `/replication` | Medium
|
||||
16 | File | `/reports/rwservlet` | High
|
||||
17 | File | `/RestAPI` | Medium
|
||||
18 | File | `/tmp` | Low
|
||||
19 | File | `/tmp/speedtest_urls.xml` | High
|
||||
20 | File | `/uncpath/` | Medium
|
||||
21 | File | `/var/log/nginx` | High
|
||||
22 | File | `/wp-admin/admin.php` | High
|
||||
23 | File | `/wp-json/wc/v3/webhooks` | High
|
||||
24 | File | `admin-ajax.php?action=get_wdtable order[0][dir]` | High
|
||||
25 | File | `admin/app/mediamanager` | High
|
||||
26 | File | `admin/index.php` | High
|
||||
27 | File | `admin\model\catalog\download.php` | High
|
||||
28 | File | `afr.php` | Low
|
||||
29 | File | `apcupsd.pid` | Medium
|
||||
30 | File | `api/it-recht-kanzlei/api-it-recht-kanzlei.php` | High
|
||||
31 | File | `api/sms/send-sms` | High
|
||||
32 | File | `api/v1/alarms` | High
|
||||
33 | File | `application/controller/InstallerController.php` | High
|
||||
15 | File | `/REBOOTSYSTEM` | High
|
||||
16 | File | `/replication` | Medium
|
||||
17 | File | `/reports/rwservlet` | High
|
||||
18 | File | `/RestAPI` | Medium
|
||||
19 | File | `/tmp` | Low
|
||||
20 | File | `/tmp/speedtest_urls.xml` | High
|
||||
21 | File | `/uncpath/` | Medium
|
||||
22 | File | `/var/log/nginx` | High
|
||||
23 | File | `/wp-admin/admin.php` | High
|
||||
24 | File | `/wp-json/wc/v3/webhooks` | High
|
||||
25 | File | `admin-ajax.php?action=get_wdtable order[0][dir]` | High
|
||||
26 | File | `admin/app/mediamanager` | High
|
||||
27 | File | `admin/index.php` | High
|
||||
28 | File | `admin\model\catalog\download.php` | High
|
||||
29 | File | `afr.php` | Low
|
||||
30 | File | `apcupsd.pid` | Medium
|
||||
31 | File | `api/it-recht-kanzlei/api-it-recht-kanzlei.php` | High
|
||||
32 | File | `api/sms/send-sms` | High
|
||||
33 | File | `api/v1/alarms` | High
|
||||
34 | ... | ... | ...
|
||||
|
||||
There are 291 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 290 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -19,8 +19,8 @@ There are 1 more campaign items available. Please use our online service to acce
|
|||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT29:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [FR](https://vuldb.com/?country.fr)
|
||||
* ...
|
||||
|
||||
|
@ -59,16 +59,16 @@ There are 83 more IOC items available. Please use our online service to access t
|
|||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by APT29. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _APT29_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 7 more TTP items available. Please use our online service to access the data.
|
||||
There are 6 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
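Review bot: row 3 of the TTP table drops `CWE-307` and keeps only `CWE-798`, but the Description column still reads "Improper Restriction of Excessive Authentication Attempts", which is the title of CWE-307; CWE-798 is "Use of Hard-coded Credentials". Either the weakness removal is wrong or the description must change with it, because the row now describes a weakness it no longer lists. The "more TTP items" count also goes from 7 to 6, so a technique was removed from the hidden part of the table as well; the commit message ("Update") should say why.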
@ -108,14 +108,14 @@ ID | Type | Indicator | Confidence
|
|||
30 | File | `/tmp` | Low
|
||||
31 | File | `/tmp/redis.ds` | High
|
||||
32 | File | `/uncpath/` | Medium
|
||||
33 | File | `/ViewUserHover.jspa` | High
|
||||
34 | File | `/wp-admin` | Medium
|
||||
35 | File | `/wp-json/wc/v3/webhooks` | High
|
||||
33 | File | `/wp-admin` | Medium
|
||||
34 | File | `/wp-json/wc/v3/webhooks` | High
|
||||
35 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
36 | File | `ABuffer.cpp` | Medium
|
||||
37 | File | `AccountManagerService.java` | High
|
||||
38 | ... | ... | ...
|
||||
|
||||
There are 331 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 326 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# APT3 - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT3](https://vuldb.com/?actor.apt3). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT3](https://vuldb.com/?actor.apt3). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.apt3](https://vuldb.com/?actor.apt3)
|
||||
|
||||
|
@ -9,16 +9,15 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
|
|||
The following _campaigns_ are known and can be associated with APT3:
|
||||
|
||||
* CVE-2015-5119
|
||||
* Doubletap
|
||||
* Double Tap
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT3:
|
||||
|
||||
* US
|
||||
* CN
|
||||
* RU
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* [RU](https://vuldb.com/?country.ru)
|
||||
* ...
|
||||
|
||||
There are 24 more country items available. Please use our online service to access the data.
|
||||
|
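Review bot: the campaign list keeps `CVE-2015-5119` as a campaign name next to the renamed `Double Tap`; a CVE identifier names a vulnerability, not a campaign, so this entry is at best a placeholder for whichever operation used that exploit and should carry the operation's published name or move to the TTP/IOA data. The rename from `Doubletap` to `Double Tap` matches the Campaign column of IOC row 3 further down in this file, so that part is consistent; check that no other actor file still uses the old spelling.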
@ -29,16 +28,16 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
|
|||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 23.99.20.198 | - | - | High
2 | 54.169.89.240 | ec2-54-169-89-240.ap-southeast-1.compute.amazonaws.com | - | Medium
3 | 104.151.248.173 | 173.248-151-104.rdns.scalabledns.com | Doubletap | High
1 | [23.99.20.198](https://vuldb.com/?ip.23.99.20.198) | - | - | High
2 | [54.169.89.240](https://vuldb.com/?ip.54.169.89.240) | ec2-54-169-89-240.ap-southeast-1.compute.amazonaws.com | - | Medium
3 | [104.151.248.173](https://vuldb.com/?ip.104.151.248.173) | 173.248-151-104.rdns.scalabledns.com | Double Tap | High
4 | ... | ... | ... | ...
There are 8 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by APT3. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _APT3_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -47,7 +46,7 @@ ID | Technique | Weakness | Description | Confidence
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
There are 8 more TTP items available. Please use our online service to access the data.
There are 7 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -81,29 +80,30 @@ ID | Type | Indicator | Confidence
24 | File | `/rest/api/2/search` | High
25 | File | `/s/` | Low
26 | File | `/scripts/cpan_config` | High
27 | File | `/services/system/setup.json` | High
28 | File | `/uncpath/` | Medium
29 | File | `/webconsole/APIController` | High
30 | File | `/websocket/exec` | High
31 | File | `/wp-admin/admin-ajax.php` | High
32 | File | `/wp-json/oembed/1.0/embed?url` | High
33 | File | `/_next` | Low
34 | File | `4.edu.php\conn\function.php` | High
35 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
36 | File | `adclick.php` | Medium
37 | File | `addentry.php` | Medium
38 | File | `addressbook.php` | High
39 | File | `add_comment.php` | High
40 | File | `admin/category.inc.php` | High
41 | File | `admin/conf_users_edit.php` | High
42 | File | `admin/dl_sendmail.php` | High
43 | File | `admin/index.php` | High
44 | File | `admin/languages.php` | High
45 | File | `admin/password_forgotten.php` | High
46 | File | `admin/versions.html` | High
47 | ... | ... | ...
27 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
28 | File | `/services/system/setup.json` | High
29 | File | `/uncpath/` | Medium
30 | File | `/webconsole/APIController` | High
31 | File | `/websocket/exec` | High
32 | File | `/wp-admin/admin-ajax.php` | High
33 | File | `/wp-json/oembed/1.0/embed?url` | High
34 | File | `/_next` | Low
35 | File | `4.edu.php\conn\function.php` | High
36 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
37 | File | `adclick.php` | Medium
38 | File | `addentry.php` | Medium
39 | File | `addressbook.php` | High
40 | File | `add_comment.php` | High
41 | File | `admin/category.inc.php` | High
42 | File | `admin/conf_users_edit.php` | High
43 | File | `admin/dl_sendmail.php` | High
44 | File | `admin/index.php` | High
45 | File | `admin/languages.php` | High
46 | File | `admin/password_forgotten.php` | High
47 | File | `admin/versions.html` | High
48 | ... | ... | ...
There are 410 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 412 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
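Review bot: generic framework paths are carried at High confidence in this hunk: `/wp-admin/admin-ajax.php` (row 32) and `admin/index.php` (row 44) exist on every WordPress or PHP admin deployment, so as "file" indicators they fire on benign traffic just as readily as on APT3 activity; `/_next` (row 34) is already Low, and the other stock paths should be rated the same way. Keep them as hunting context, but the confidence column should not suggest they are actor-specific; the one substantive addition, row 27 `/secure/admin/InsightDefaultCustomFieldConfig.jspa`, is at least tied to a specific application endpoint.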
@ -26,7 +26,7 @@ There are 13 more IOC items available. Please use our online service to access t
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _APT31_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _APT31_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -46,7 +46,7 @@ There are 48 more IOC items available. Please use our online service to access t
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _APT32_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _APT32_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -21,7 +21,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [FR](https://vuldb.com/?country.fr)
* ...
There are 5 more country items available. Please use our online service to access the data.
There are 6 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -50,7 +50,7 @@ There are 60 more IOC items available. Please use our online service to access t
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _APT33_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _APT33_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -75,24 +75,24 @@ ID | Type | Indicator | Confidence
6 | File | `/admin/files` | Medium
7 | File | `/administrator/components/menu/` | High
8 | File | `/administrator/components/table_manager/` | High
9 | File | `/api/ZRMesh/set_ZRMesh` | High
10 | File | `/damicms-master/admin.php?s=/Article/doedit` | High
11 | File | `/Hospital-Management-System-master/contact.php` | High
12 | File | `/Hospital-Management-System-master/func.php` | High
13 | File | `/jerry-core/ecma/base/ecma-lcache.c` | High
14 | File | `/jerry-core/ecma/base/ecma-literal-storage.c` | High
15 | File | `/jerry-core/jmem/jmem-heap.c` | High
16 | File | `/ms/cms/content/list.do` | High
17 | File | `/orms/` | Low
18 | File | `/parser/js/js-parser-expr.c` | High
19 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
20 | File | `/thruk/#cgi-bin/extinfo.cgi?type=2` | High
21 | File | `/transmission/web/` | High
22 | File | `/uploads/exam_question/` | High
23 | File | `/usr/bin/pkexec` | High
9 | File | `/api/appInternals/1.0/agent/configuration&` | High
10 | File | `/api/appInternals/1.0/agent/diagnostic/logs` | High
11 | File | `/api/ZRMesh/set_ZRMesh` | High
12 | File | `/cloud_config/router_post/register` | High
13 | File | `/Hospital-Management-System-master/contact.php` | High
14 | File | `/Hospital-Management-System-master/func.php` | High
15 | File | `/jerry-core/ecma/base/ecma-lcache.c` | High
16 | File | `/jerry-core/ecma/base/ecma-literal-storage.c` | High
17 | File | `/jerry-core/jmem/jmem-heap.c` | High
18 | File | `/ManageRoute/postRoute` | High
19 | File | `/ms/cms/content/list.do` | High
20 | File | `/orms/` | Low
21 | File | `/parser/js/js-parser-expr.c` | High
22 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
23 | File | `/thruk/#cgi-bin/extinfo.cgi?type=2` | High
24 | ... | ... | ...
There are 200 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 204 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
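Review bot: row 9 `/api/appInternals/1.0/agent/configuration&` ends with a stray `&`, which reads like a truncated query-string separator rather than part of a path; its sibling row 10 `/api/appInternals/1.0/agent/diagnostic/logs` has no such suffix. Check the generator's path extraction and trim the separator before this is committed, otherwise consumers that string-match on this table will never match the actual request path.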
@ -41,7 +41,7 @@ There are 58 more IOC items available. Please use our online service to access t
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _APT34_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _APT34_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -91,7 +91,7 @@ ID | Type | Indicator | Confidence
31 | File | `apcupsd.pid` | Medium
32 | ... | ... | ...
There are 276 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 277 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
@ -16,7 +16,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [US](https://vuldb.com/?country.us)
* [RU](https://vuldb.com/?country.ru)
* [GB](https://vuldb.com/?country.gb)
* [IR](https://vuldb.com/?country.ir)
* ...
There are 18 more country items available. Please use our online service to access the data.
@ -36,7 +36,7 @@ There are 14 more IOC items available. Please use our online service to access t
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _APT39_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _APT39_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -56,13 +56,13 @@ ID | Type | Indicator | Confidence
1 | File | `//etc/RT2870STA.dat` | High
2 | File | `/admin/index.php?id=themes&action=edit_template&filename=blog` | High
3 | File | `/cwp_{SESSION_HASH}/admin/loader_ajax.php` | High
4 | File | `/magnoliaPublic/travel/members/login.html` | High
5 | File | `/Main_AdmStatus_Content.asp` | High
6 | File | `/server-status` | High
7 | File | `/uncpath/` | Medium
4 | File | `/jquery_file_upload/server/php/index.php` | High
5 | File | `/magnoliaPublic/travel/members/login.html` | High
6 | File | `/Main_AdmStatus_Content.asp` | High
7 | File | `/server-status` | High
8 | ... | ... | ...
There are 56 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 60 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
@ -9,18 +9,22 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
The following _campaigns_ are known and can be associated with APT41:
* CVE-2019-19781
* MoonBounce
* CVE-2021-44207
* CVE-2021-44228
* ...
There are 1 more campaign items available. Please use our online service to access the data.
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT41:
* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [US](https://vuldb.com/?country.us)
* [RU](https://vuldb.com/?country.ru)
* ...
There are 14 more country items available. Please use our online service to access the data.
There are 18 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
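Review bot: `* [US](https://vuldb.com/?country.us)` appears twice in the country list of this hunk, once above `* [CN](https://vuldb.com/?country.cn)` and once below it; since the rendered diff has lost its +/- markers, confirm this is a reorder (US moved below CN) and not a duplicated entry in the new list. The new line `There are 1 more campaign items available` also shows a number-agreement slip in the generator template that should be fixed there rather than in each file.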
@ -35,21 +39,25 @@ ID | IP address | Hostname | Campaign | Confidence
5 | [5.188.108.22](https://vuldb.com/?ip.5.188.108.22) | pol1.htjsq.com | MoonBounce | High
6 | [5.188.108.228](https://vuldb.com/?ip.5.188.108.228) | xc5.exclusivacondominios.com | MoonBounce | High
7 | [5.189.222.33](https://vuldb.com/?ip.5.189.222.33) | spain466.es | MoonBounce | High
8 | [23.67.95.153](https://vuldb.com/?ip.23.67.95.153) | a23-67-95-153.deploy.static.akamaitechnologies.com | - | High
9 | [43.255.191.255](https://vuldb.com/?ip.43.255.191.255) | - | - | High
10 | [45.76.6.149](https://vuldb.com/?ip.45.76.6.149) | 45.76.6.149.vultr.com | - | Medium
11 | [45.76.75.219](https://vuldb.com/?ip.45.76.75.219) | 45.76.75.219.vultr.com | - | Medium
12 | [45.128.132.6](https://vuldb.com/?ip.45.128.132.6) | - | MoonBounce | High
13 | [45.128.135.15](https://vuldb.com/?ip.45.128.135.15) | - | MoonBounce | High
14 | [45.138.157.78](https://vuldb.com/?ip.45.138.157.78) | srv1.fincantleri.co | - | High
15 | [61.78.62.21](https://vuldb.com/?ip.61.78.62.21) | - | - | High
16 | ... | ... | ... | ...
8 | [18.118.56.237](https://vuldb.com/?ip.18.118.56.237) | ec2-18-118-56-237.us-east-2.compute.amazonaws.com | CVE-2021-44207 | Medium
9 | [20.121.42.11](https://vuldb.com/?ip.20.121.42.11) | - | CVE-2021-44207 | High
10 | [23.67.95.153](https://vuldb.com/?ip.23.67.95.153) | a23-67-95-153.deploy.static.akamaitechnologies.com | - | High
11 | [34.139.13.46](https://vuldb.com/?ip.34.139.13.46) | 46.13.139.34.bc.googleusercontent.com | CVE-2021-44207 | Medium
12 | [43.255.191.255](https://vuldb.com/?ip.43.255.191.255) | - | - | High
13 | [45.76.6.149](https://vuldb.com/?ip.45.76.6.149) | 45.76.6.149.vultr.com | - | Medium
14 | [45.76.75.219](https://vuldb.com/?ip.45.76.75.219) | 45.76.75.219.vultr.com | - | Medium
15 | [45.84.1.181](https://vuldb.com/?ip.45.84.1.181) | vm372737.pq.hosting | CVE-2021-44207 | High
16 | [45.128.132.6](https://vuldb.com/?ip.45.128.132.6) | - | MoonBounce | High
17 | [45.128.135.15](https://vuldb.com/?ip.45.128.135.15) | - | MoonBounce | High
18 | [45.138.157.78](https://vuldb.com/?ip.45.138.157.78) | srv1.fincantleri.co | - | High
19 | [45.153.231.31](https://vuldb.com/?ip.45.153.231.31) | cheater.rehab | CVE-2021-44207 | High
20 | ... | ... | ... | ...
There are 60 more IOC items available. Please use our online service to access the data.
There are 74 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _APT41_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _APT41_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
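Review bot: the five new CVE-2021-44207 rows (8, 9, 11, 15, 19) carry no observation date, and two of them, row 8 (`ec2-18-118-56-237.us-east-2.compute.amazonaws.com`) and row 11 (`46.13.139.34.bc.googleusercontent.com`), are provider-owned cloud addresses that get leased and recycled between tenants. Medium confidence for those two is reasonable, but without a first-seen/last-seen field a consumer who blocks on this table has no way to age the entries out; suggest the generator emit a date per row, or at least per campaign in the Campaigns section.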
@ -58,7 +66,7 @@ ID | Technique | Weakness | Description | Confidence
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
There are 6 more TTP items available. Please use our online service to access the data.
There are 7 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -67,34 +75,41 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/api/blade-log/api/list` | High
2 | File | `/category_view.php` | High
3 | File | `/cgi-bin/portal` | High
4 | File | `/cgi-bin/system_mgr.cgi` | High
5 | File | `/debug/pprof` | Medium
6 | File | `/etc/config/rpcd` | High
7 | File | `/forum/away.php` | High
8 | File | `/get_getnetworkconf.cgi` | High
9 | File | `/lists/admin/` | High
10 | File | `/login.cgi?logout=1` | High
11 | File | `/medical/inventories.php` | High
12 | File | `/module/admin_logs` | High
13 | File | `/public/login.htm` | High
14 | File | `/public/plugins/` | High
15 | File | `/replication` | Medium
16 | File | `/SASWebReportStudio/logonAndRender.do` | High
17 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
18 | File | `/secure/admin/ViewInstrumentation.jspa` | High
19 | File | `/start-stop` | Medium
20 | File | `/tmp/app/.env` | High
21 | File | `/uncpath/` | Medium
22 | File | `/upload` | Low
23 | File | `/usr/bin/pkexec` | High
24 | File | `/WEB-INF/web.xml` | High
25 | File | `/wp-admin/admin-ajax.php` | High
26 | File | `/_next` | Low
27 | ... | ... | ...
2 | File | `/api/trackedEntityInstances` | High
3 | File | `/category_view.php` | High
4 | File | `/cgi-bin/portal` | High
5 | File | `/cgi-bin/system_mgr.cgi` | High
6 | File | `/debug/pprof` | Medium
7 | File | `/etc/config/rpcd` | High
8 | File | `/forum/away.php` | High
9 | File | `/get_getnetworkconf.cgi` | High
10 | File | `/lists/admin/` | High
11 | File | `/login.cgi?logout=1` | High
12 | File | `/medical/inventories.php` | High
13 | File | `/module/admin_logs` | High
14 | File | `/public/login.htm` | High
15 | File | `/public/plugins/` | High
16 | File | `/replication` | Medium
17 | File | `/SASWebReportStudio/logonAndRender.do` | High
18 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
19 | File | `/secure/admin/ViewInstrumentation.jspa` | High
20 | File | `/secure/QueryComponent!Default.jspa` | High
21 | File | `/start-stop` | Medium
22 | File | `/tmp/app/.env` | High
23 | File | `/uncpath/` | Medium
24 | File | `/upload` | Low
25 | File | `/usr/bin/pkexec` | High
26 | File | `/WEB-INF/web.xml` | High
27 | File | `/wp-admin/admin-ajax.php` | High
28 | File | `/_next` | Low
29 | File | `adclick.php` | Medium
30 | File | `addentry.php` | Medium
31 | File | `addrating.php` | High
32 | File | `admin.php` | Medium
33 | File | `admin.php/comments/batchdel/` | High
34 | ... | ... | ...
There are 226 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 289 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
@ -107,6 +122,7 @@ The following list contains _external sources_ which discuss the actor and the a
* https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/
* https://vxug.fakedoma.in/archive/APTs/2021/2021.01.14/APT%2041.pdf
* https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
* https://www.mandiant.com/resources/apt41-us-state-governments
* https://www.threatminer.org/report.php?q=OfPigsandMalwareExaminingaPossibleMemberoftheWinntiGroup-TrendMicro.pdf&y=2017
* https://www.threatminer.org/report.php?q=WinntiAbusesGitHubforC&CCommunications-TrendMicro.pdf&y=2017
* https://www.threatminer.org/report.php?q=WinntiEvolution-GoingOpenSource-Protectwise.pdf&y=2017
@ -27,7 +27,7 @@ There are 1 more IOC items available. Please use our online service to access th
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _ActionRAT_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _ActionRAT_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -0,0 +1,35 @@
# Admiral - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Admiral](https://vuldb.com/?actor.admiral). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.admiral](https://vuldb.com/?actor.admiral)
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Admiral.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [35.186.219.42](https://vuldb.com/?ip.35.186.219.42) | 42.219.186.35.bc.googleusercontent.com | - | Medium
2 | [35.186.249.84](https://vuldb.com/?ip.35.186.249.84) | 84.249.186.35.bc.googleusercontent.com | - | Medium
3 | [35.190.48.184](https://vuldb.com/?ip.35.190.48.184) | 184.48.190.35.bc.googleusercontent.com | - | Medium
4 | ... | ... | ... | ...
There are 9 more IOC items available. Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://github.com/jkrejcha/AdmiraList
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
@ -1,71 +1,71 @@
# Adwind - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Adwind](https://vuldb.com/?actor.adwind). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Adwind](https://vuldb.com/?actor.adwind). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.adwind](https://vuldb.com/?actor.adwind)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.adwind](https://vuldb.com/?actor.adwind)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Adwind:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Adwind:
* US
* RU
* FR
* [US](https://vuldb.com/?country.us)
* [RU](https://vuldb.com/?country.ru)
* [FR](https://vuldb.com/?country.fr)
* ...
There are 16 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Adwind.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Adwind.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 2.5.29.14 | - | High
2 | 5.79.79.67 | - | High
3 | 5.79.79.70 | storage205.ntesrv.com | High
4 | 5.187.34.231 | 231.34.187.5.in-addr.arpa.dynamic.gestiondeservidor.com | High
5 | 5.254.112.21 | - | High
6 | 5.254.112.24 | - | High
7 | 5.254.112.36 | - | High
8 | 5.254.112.56 | - | High
9 | 5.254.112.60 | - | High
10 | 8.15.0.59 | - | High
11 | 14.3.210.2 | ae210002.dynamic.ppp.asahi-net.or.jp | High
12 | 23.227.196.198 | 23-227-196-198.static.hvvc.us | High
13 | 23.227.199.72 | 23-227-199-72.static.hvvc.us | High
14 | 23.227.199.118 | 23-227-199-118.static.hvvc.us | High
15 | 23.227.199.121 | 23-227-199-121.static.hvvc.us | High
16 | 23.231.23.182 | mx6.touringul.com | High
17 | 31.31.196.31 | server31.hosting.reg.ru | High
18 | 31.171.155.72 | - | High
19 | 37.61.235.30 | - | High
20 | 46.20.33.76 | - | High
21 | 50.7.199.164 | - | High
22 | 51.254.21.25 | ip25.ip-51-254-21.eu | High
23 | 65.99.225.111 | hv36svg168.neubox.net | High
24 | 67.215.4.74 | - | High
25 | 67.215.4.75 | - | High
26 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [2.5.29.14](https://vuldb.com/?ip.2.5.29.14) | - | - | High
2 | [5.79.79.67](https://vuldb.com/?ip.5.79.79.67) | - | - | High
3 | [5.79.79.70](https://vuldb.com/?ip.5.79.79.70) | storage205.ntesrv.com | - | High
4 | [5.187.34.231](https://vuldb.com/?ip.5.187.34.231) | 231.34.187.5.in-addr.arpa.dynamic.gestiondeservidor.com | - | High
5 | [5.254.112.21](https://vuldb.com/?ip.5.254.112.21) | - | - | High
6 | [5.254.112.24](https://vuldb.com/?ip.5.254.112.24) | - | - | High
7 | [5.254.112.36](https://vuldb.com/?ip.5.254.112.36) | - | - | High
8 | [5.254.112.56](https://vuldb.com/?ip.5.254.112.56) | - | - | High
9 | [5.254.112.60](https://vuldb.com/?ip.5.254.112.60) | - | - | High
10 | [8.15.0.59](https://vuldb.com/?ip.8.15.0.59) | - | - | High
11 | [14.3.210.2](https://vuldb.com/?ip.14.3.210.2) | ae210002.dynamic.ppp.asahi-net.or.jp | - | High
12 | [23.227.196.198](https://vuldb.com/?ip.23.227.196.198) | 23-227-196-198.static.hvvc.us | - | High
13 | [23.227.199.72](https://vuldb.com/?ip.23.227.199.72) | 23-227-199-72.static.hvvc.us | - | High
14 | [23.227.199.118](https://vuldb.com/?ip.23.227.199.118) | 23-227-199-118.static.hvvc.us | - | High
15 | [23.227.199.121](https://vuldb.com/?ip.23.227.199.121) | 23-227-199-121.static.hvvc.us | - | High
16 | [23.231.23.182](https://vuldb.com/?ip.23.231.23.182) | mx6.touringul.com | - | High
17 | [31.31.196.31](https://vuldb.com/?ip.31.31.196.31) | server31.hosting.reg.ru | - | High
18 | [31.171.155.72](https://vuldb.com/?ip.31.171.155.72) | - | - | High
19 | [37.61.235.30](https://vuldb.com/?ip.37.61.235.30) | - | - | High
20 | [46.20.33.76](https://vuldb.com/?ip.46.20.33.76) | - | - | High
21 | [50.7.199.164](https://vuldb.com/?ip.50.7.199.164) | - | - | High
22 | [51.254.21.25](https://vuldb.com/?ip.51.254.21.25) | ip25.ip-51-254-21.eu | - | High
23 | [65.99.225.111](https://vuldb.com/?ip.65.99.225.111) | hv36svg168.neubox.net | - | High
24 | [67.215.4.74](https://vuldb.com/?ip.67.215.4.74) | - | - | High
25 | [67.215.4.75](https://vuldb.com/?ip.67.215.4.75) | - | - | High
26 | ... | ... | ... | ...
There are 101 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Adwind. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Adwind_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
There are 3 more TTP items available. Please use our online service to access the data.
There are 2 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
|
||||
|
||||
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Adwind. This data is unique as it uses our predictive model for actor profiling.
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Adwind. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
|
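Review bot: row 3 of the rewritten TTP table lists only CWE-798 as the weakness while its description, Improper Restriction of Excessive Authentication Attempts, is the title of CWE-307; the same T1110.001 row in the Africa Unknown and Baldr files of this commit reads `CWE-307, CWE-798`, so check whether the generator dropped CWE-307 here. The remainder count also moves from 3 to 2 while the visible rows are unchanged; if the regenerated data really lost a technique, the commit message should say so rather than just "Update".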
@ -77,17 +77,17 @@ ID | Type | Indicator | Confidence
|
|||
6 | File | `administrator/components/com_media/helpers/media.php` | High
|
||||
7 | ... | ... | ...
|
||||
|
||||
There are 48 more IOA items available. Please use our online service to access the data.
|
||||
There are 48 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://www.threatminer.org/report.php?q=KL_AdwindPublicReport_2016.pdf&y=2016
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
@ -0,0 +1,123 @@
|
|||
# Africa Unknown - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Africa Unknown](https://vuldb.com/?actor.africa_unknown). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.africa_unknown](https://vuldb.com/?actor.africa_unknown)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Africa Unknown:
|
||||
|
||||
* [NL](https://vuldb.com/?country.nl)
|
||||
* [GB](https://vuldb.com/?country.gb)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* ...
|
||||
|
||||
There are 9 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Africa Unknown.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [2.23.158.50](https://vuldb.com/?ip.2.23.158.50) | a2-23-158-50.deploy.static.akamaitechnologies.com | - | High
|
||||
2 | [3.94.40.55](https://vuldb.com/?ip.3.94.40.55) | ec2-3-94-40-55.compute-1.amazonaws.com | - | Medium
|
||||
3 | [3.94.72.89](https://vuldb.com/?ip.3.94.72.89) | ec2-3-94-72-89.compute-1.amazonaws.com | - | Medium
|
||||
4 | [5.11.82.213](https://vuldb.com/?ip.5.11.82.213) | - | - | High
|
||||
5 | [5.62.40.217](https://vuldb.com/?ip.5.62.40.217) | r-217.40.62.5.ptr.avast.com | - | High
|
||||
6 | [8.241.78.254](https://vuldb.com/?ip.8.241.78.254) | - | - | High
|
||||
7 | [8.248.5.254](https://vuldb.com/?ip.8.248.5.254) | - | - | High
|
||||
8 | [23.39.160.11](https://vuldb.com/?ip.23.39.160.11) | a23-39-160-11.deploy.static.akamaitechnologies.com | - | High
|
||||
9 | [23.39.160.19](https://vuldb.com/?ip.23.39.160.19) | a23-39-160-19.deploy.static.akamaitechnologies.com | - | High
|
||||
10 | [23.39.160.59](https://vuldb.com/?ip.23.39.160.59) | a23-39-160-59.deploy.static.akamaitechnologies.com | - | High
|
||||
11 | [23.39.160.72](https://vuldb.com/?ip.23.39.160.72) | a23-39-160-72.deploy.static.akamaitechnologies.com | - | High
|
||||
12 | [23.41.187.13](https://vuldb.com/?ip.23.41.187.13) | a23-41-187-13.deploy.static.akamaitechnologies.com | - | High
|
||||
13 | [23.62.46.8](https://vuldb.com/?ip.23.62.46.8) | a23-62-46-8.deploy.static.akamaitechnologies.com | - | High
|
||||
14 | [34.98.99.30](https://vuldb.com/?ip.34.98.99.30) | 30.99.98.34.bc.googleusercontent.com | - | Medium
|
||||
15 | [34.104.35.123](https://vuldb.com/?ip.34.104.35.123) | 123.35.104.34.bc.googleusercontent.com | - | Medium
|
||||
16 | [38.132.109.186](https://vuldb.com/?ip.38.132.109.186) | - | - | High
|
||||
17 | [41.78.118.2](https://vuldb.com/?ip.41.78.118.2) | - | - | High
|
||||
18 | ... | ... | ... | ...
|
||||
|
||||
There are 70 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Africa Unknown_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 7 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Africa Unknown. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `.travis.yml` | Medium
|
||||
2 | File | `/.env` | Low
|
||||
3 | File | `/.ssh/authorized_keys` | High
|
||||
4 | File | `/account/details.php` | High
|
||||
5 | File | `/admin.php` | Medium
|
||||
6 | File | `/admin/user/manage` | High
|
||||
7 | File | `/anony/mjpg.cgi` | High
|
||||
8 | File | `/artist-display.php` | High
|
||||
9 | File | `/customer_demo/index2.html` | High
|
||||
10 | File | `/file?action=download&file` | High
|
||||
11 | File | `/home/httpd/cgi-bin/cgi.cgi` | High
|
||||
12 | File | `/html/includes/graphs/port/mac_acc_total.inc.php` | High
|
||||
13 | File | `/inc/subscriber_list.php` | High
|
||||
14 | File | `/install/index.php` | High
|
||||
15 | File | `/layout/class.xblogcomment.php` | High
|
||||
16 | File | `/LEPTON_stable_2.2.2/upload/admins/admintools/tool.php` | High
|
||||
17 | File | `/manager/jsp/test.jsp` | High
|
||||
18 | File | `/medical/inventories.php` | High
|
||||
19 | File | `/monitoring` | Medium
|
||||
20 | File | `/plugins/servlet/audit/resource` | High
|
||||
21 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
|
||||
22 | File | `/replication` | Medium
|
||||
23 | File | `/RestAPI` | Medium
|
||||
24 | File | `/TeleoptiWFM/Administration/GetOneTenant` | High
|
||||
25 | File | `/tmp` | Low
|
||||
26 | File | `/tmp/speedtest_urls.xml` | High
|
||||
27 | File | `/uncpath/` | Medium
|
||||
28 | File | `/usr/bin/at` | Medium
|
||||
29 | File | `/var/log/nginx` | High
|
||||
30 | File | `/_vti_pvt/access.cnf` | High
|
||||
31 | File | `admin-ajax.php?action=get_wdtable order[0][dir]` | High
|
||||
32 | File | `admin/e_mesaj_yaz.asp` | High
|
||||
33 | File | `admin/mcart_xls_import.php` | High
|
||||
34 | File | `admin/profile.php` | High
|
||||
35 | File | `admin/salesadmin.php` | High
|
||||
36 | File | `admin/systemWebAdminConfig.do` | High
|
||||
37 | File | `admin11.cgi` | Medium
|
||||
38 | File | `admincp/auth/checklogin.php` | High
|
||||
39 | File | `agenda2.php3` | Medium
|
||||
40 | File | `ajax-actions.php` | High
|
||||
41 | ... | ... | ...
|
||||
|
||||
There are 349 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://github.com/ManagedGuard/AfricaBlackList/blob/main/MGAfricaIPBlackList.txt
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
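Review bot: the IOC table assigns High confidence to shared CDN and cloud addresses (the akamaitechnologies.com rows 1 and 8 to 13, the Avast PTR record in row 5, and the amazonaws.com and googleusercontent.com rows at Medium); such addresses serve many unrelated tenants, so anyone feeding this table into a blocklist will get false positives. Consider documenting how the Confidence column treats shared infrastructure or marking those rows, and note that the only reference is an IP blocklist file (`MGAfricaIPBlackList.txt`) rather than a source that discusses the actor, which is consistent with this being a block list and not attributed attack infrastructure.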
@ -30,7 +30,7 @@ There are 9 more IOC items available. Please use our online service to access th
|
|||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Agrius_. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Agrius_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
|
|
|
@ -27,7 +27,7 @@ There are 4 more IOC items available. Please use our online service to access th
|
|||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Allakore. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Allakore_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
|
|
|
@ -30,7 +30,7 @@ There are 4 more IOC items available. Please use our online service to access th
|
|||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Arid Viper_. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Arid Viper_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# Arkei - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Arkei](https://vuldb.com/?actor.arkei). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Arkei](https://vuldb.com/?actor.arkei). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.arkei](https://vuldb.com/?actor.arkei)
|
||||
|
||||
|
@ -27,7 +27,7 @@ ID | IP address | Hostname | Campaign | Confidence
|
|||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Arkei. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Arkei_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
|
|
|
@ -0,0 +1,102 @@
|
|||
# B1txor20 - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [B1txor20](https://vuldb.com/?actor.b1txor20). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.b1txor20](https://vuldb.com/?actor.b1txor20)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with B1txor20:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* [SC](https://vuldb.com/?country.sc)
|
||||
* ...
|
||||
|
||||
There are 11 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of B1txor20.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [5.2.69.50](https://vuldb.com/?ip.5.2.69.50) | - | - | High
|
||||
2 | [23.129.64.216](https://vuldb.com/?ip.23.129.64.216) | - | - | High
|
||||
3 | [23.154.177.4](https://vuldb.com/?ip.23.154.177.4) | - | - | High
|
||||
4 | [45.13.104.179](https://vuldb.com/?ip.45.13.104.179) | nosoignons.cust.milkywan.net | - | High
|
||||
5 | [45.61.185.90](https://vuldb.com/?ip.45.61.185.90) | MiamiTor4.us | - | High
|
||||
6 | [45.154.255.147](https://vuldb.com/?ip.45.154.255.147) | cust-147.keff.org | - | High
|
||||
7 | [46.166.139.111](https://vuldb.com/?ip.46.166.139.111) | - | - | High
|
||||
8 | [51.15.43.205](https://vuldb.com/?ip.51.15.43.205) | 205-43-15-51.instances.scw.cloud | - | High
|
||||
9 | [62.102.148.68](https://vuldb.com/?ip.62.102.148.68) | - | - | High
|
||||
10 | [62.102.148.69](https://vuldb.com/?ip.62.102.148.69) | - | - | High
|
||||
11 | [81.17.18.62](https://vuldb.com/?ip.81.17.18.62) | block1-che.interlayer.co.uk | - | High
|
||||
12 | [104.244.73.126](https://vuldb.com/?ip.104.244.73.126) | lu1.exit.tor.alkyl.eu.org | - | High
|
||||
13 | [109.201.133.100](https://vuldb.com/?ip.109.201.133.100) | . | - | High
|
||||
14 | [162.247.74.27](https://vuldb.com/?ip.162.247.74.27) | turing.tor-exit.calyxinstitute.org | - | High
|
||||
15 | ... | ... | ... | ...
|
||||
|
||||
There are 54 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _B1txor20_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
|
||||
2 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
3 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 8 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by B1txor20. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/.htaccess` | Medium
|
||||
2 | File | `/admin-panel1.php` | High
|
||||
3 | File | `/admin/?page=members/view_member` | High
|
||||
4 | File | `/admin/doctors/view_doctor.php` | High
|
||||
5 | File | `/admin/file-manager/` | High
|
||||
6 | File | `/admin/files` | Medium
|
||||
7 | File | `/admin/login.php` | High
|
||||
8 | File | `/admin/news/news_mod.php` | High
|
||||
9 | File | `/admin/news/news_ok.php` | High
|
||||
10 | File | `/admin/options` | High
|
||||
11 | File | `/admin/page_edit/3` | High
|
||||
12 | File | `/admin/templates/template_manage.php` | High
|
||||
13 | File | `/admin_page/all-files-update-ajax.php` | High
|
||||
14 | File | `/api/servers` | Medium
|
||||
15 | File | `/aya/module/admin/ust_tab_e.inc.php` | High
|
||||
16 | File | `/cloud_config/router_post/check_reset_pwd_verify_code` | High
|
||||
17 | File | `/cloud_config/router_post/upgrade_info` | High
|
||||
18 | File | `/common/info.cgi` | High
|
||||
19 | File | `/DataPackageTable` | High
|
||||
20 | File | `/download/` | Medium
|
||||
21 | File | `/etc/passwd` | Medium
|
||||
22 | File | `/goform/SetPptpServerCfg` | High
|
||||
23 | ... | ... | ...
|
||||
|
||||
There are 189 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://blog.netlab.360.com/b1txor20-use-of-dns-tunneling_cn/
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
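Review bot: row 13 of the IOC table carries `.` as hostname where every other row without a reverse record uses `-`; this looks like an empty PTR result leaking through the generator and should be normalised to `-`. Rows 5, 12 and 14 resolve to Tor exit relays (`MiamiTor4.us`, `lu1.exit.tor.alkyl.eu.org`, `turing.tor-exit.calyxinstitute.org`) yet are listed at High confidence; a Tor exit is shared by anyone routing through the network, so the Campaign or Confidence column should reflect that these addresses are not infrastructure attributable to B1txor20.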
@ -1,6 +1,6 @@
|
|||
# Baldr - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Baldr](https://vuldb.com/?actor.baldr). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Baldr](https://vuldb.com/?actor.baldr). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.baldr](https://vuldb.com/?actor.baldr)
|
||||
|
||||
|
@ -8,8 +8,8 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
|
|||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Baldr:
|
||||
|
||||
* NL
|
||||
* US
|
||||
* [NL](https://vuldb.com/?country.nl)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -17,37 +17,37 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
|
|||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 5.8.88.198 | - | - | High
|
||||
2 | 5.45.73.87 | - | - | High
|
||||
3 | 5.188.60.7 | - | - | High
|
||||
4 | 5.188.60.18 | - | - | High
|
||||
5 | 5.188.60.24 | - | - | High
|
||||
6 | 5.188.60.30 | - | - | High
|
||||
7 | 5.188.60.54 | - | - | High
|
||||
8 | 5.188.60.68 | - | - | High
|
||||
9 | 5.188.60.74 | - | - | High
|
||||
10 | 5.188.60.101 | - | - | High
|
||||
11 | 5.188.60.115 | - | - | High
|
||||
12 | 5.188.60.206 | - | - | High
|
||||
13 | 5.188.231.96 | - | - | High
|
||||
14 | 5.188.231.210 | - | - | High
|
||||
15 | 18.207.217.146 | ec2-18-207-217-146.compute-1.amazonaws.com | - | Medium
|
||||
16 | 18.221.49.166 | ec2-18-221-49-166.us-east-2.compute.amazonaws.com | - | Medium
|
||||
17 | 23.19.58.101 | - | - | High
|
||||
18 | 23.95.95.61 | 23-95-95-61-host.colocrossing.com | - | High
|
||||
19 | 23.254.217.112 | hwsrv-930282.hostwindsdns.com | - | High
|
||||
20 | 23.254.225.240 | sha29.phpautomailer.com | - | High
|
||||
21 | 45.64.186.10 | 45-64-186-10.static.bangmod-idc.com | - | High
|
||||
22 | 45.77.252.143 | 45.77.252.143.vultr.com | - | Medium
|
||||
23 | 46.30.42.130 | assetshub.com | - | High
|
||||
24 | 46.249.62.196 | - | - | High
|
||||
1 | [5.8.88.198](https://vuldb.com/?ip.5.8.88.198) | - | - | High
|
||||
2 | [5.45.73.87](https://vuldb.com/?ip.5.45.73.87) | - | - | High
|
||||
3 | [5.188.60.7](https://vuldb.com/?ip.5.188.60.7) | - | - | High
|
||||
4 | [5.188.60.18](https://vuldb.com/?ip.5.188.60.18) | - | - | High
|
||||
5 | [5.188.60.24](https://vuldb.com/?ip.5.188.60.24) | - | - | High
|
||||
6 | [5.188.60.30](https://vuldb.com/?ip.5.188.60.30) | - | - | High
|
||||
7 | [5.188.60.54](https://vuldb.com/?ip.5.188.60.54) | - | - | High
|
||||
8 | [5.188.60.68](https://vuldb.com/?ip.5.188.60.68) | - | - | High
|
||||
9 | [5.188.60.74](https://vuldb.com/?ip.5.188.60.74) | - | - | High
|
||||
10 | [5.188.60.101](https://vuldb.com/?ip.5.188.60.101) | - | - | High
|
||||
11 | [5.188.60.115](https://vuldb.com/?ip.5.188.60.115) | - | - | High
|
||||
12 | [5.188.60.206](https://vuldb.com/?ip.5.188.60.206) | - | - | High
|
||||
13 | [5.188.231.96](https://vuldb.com/?ip.5.188.231.96) | - | - | High
|
||||
14 | [5.188.231.210](https://vuldb.com/?ip.5.188.231.210) | - | - | High
|
||||
15 | [18.207.217.146](https://vuldb.com/?ip.18.207.217.146) | ec2-18-207-217-146.compute-1.amazonaws.com | - | Medium
|
||||
16 | [18.221.49.166](https://vuldb.com/?ip.18.221.49.166) | ec2-18-221-49-166.us-east-2.compute.amazonaws.com | - | Medium
|
||||
17 | [23.19.58.101](https://vuldb.com/?ip.23.19.58.101) | - | - | High
|
||||
18 | [23.95.95.61](https://vuldb.com/?ip.23.95.95.61) | 23-95-95-61-host.colocrossing.com | - | High
|
||||
19 | [23.254.217.112](https://vuldb.com/?ip.23.254.217.112) | hwsrv-930282.hostwindsdns.com | - | High
|
||||
20 | [23.254.225.240](https://vuldb.com/?ip.23.254.225.240) | sha29.phpautomailer.com | - | High
|
||||
21 | [45.64.186.10](https://vuldb.com/?ip.45.64.186.10) | 45-64-186-10.static.bangmod-idc.com | - | High
|
||||
22 | [45.77.252.143](https://vuldb.com/?ip.45.77.252.143) | 45.77.252.143.vultr.com | - | Medium
|
||||
23 | [46.30.42.130](https://vuldb.com/?ip.46.30.42.130) | assetshub.com | - | High
|
||||
24 | [46.249.62.196](https://vuldb.com/?ip.46.249.62.196) | - | - | High
|
||||
25 | ... | ... | ... | ...
|
||||
|
||||
There are 97 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Baldr. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Baldr_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
|
@ -56,7 +56,7 @@ ID | Technique | Weakness | Description | Confidence
|
|||
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 7 more TTP items available. Please use our online service to access the data.
|
||||
There are 6 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -71,37 +71,37 @@ ID | Type | Indicator | Confidence
|
|||
5 | File | `/category_view.php` | High
|
||||
6 | File | `/dev/kmem` | Medium
|
||||
7 | File | `/dev/shm` | Medium
|
||||
8 | File | `/medical/inventories.php` | High
|
||||
9 | File | `/monitoring` | Medium
|
||||
10 | File | `/NAGErrors` | Medium
|
||||
11 | File | `/plugins/servlet/audit/resource` | High
|
||||
12 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
|
||||
13 | File | `/proc/ioports` | High
|
||||
14 | File | `/replication` | Medium
|
||||
15 | File | `/RestAPI` | Medium
|
||||
16 | File | `/rom-0` | Low
|
||||
17 | File | `/tmp` | Low
|
||||
18 | File | `/tmp/speedtest_urls.xml` | High
|
||||
19 | File | `/uncpath/` | Medium
|
||||
20 | File | `/var/log/nginx` | High
|
||||
21 | File | `/wp-admin/admin.php` | High
|
||||
22 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
23 | File | `abook_database.php` | High
|
||||
24 | File | `account.asp` | Medium
|
||||
25 | File | `addentry.php` | Medium
|
||||
26 | File | `admin-ajax.php?action=get_wdtable order[0][dir]` | High
|
||||
27 | File | `admin/index.php` | High
|
||||
28 | File | `admin/login.php` | High
|
||||
29 | File | `admincp.php?app=files` | High
|
||||
30 | File | `admin\model\catalog\download.php` | High
|
||||
31 | File | `ajax/render/widget_php` | High
|
||||
32 | File | `apcupsd.pid` | Medium
|
||||
33 | File | `api/sms/send-sms` | High
|
||||
34 | File | `api/v1/alarms` | High
|
||||
35 | File | `application/controller/InstallerController.php` | High
|
||||
8 | File | `/file?action=download&file` | High
|
||||
9 | File | `/medical/inventories.php` | High
|
||||
10 | File | `/monitoring` | Medium
|
||||
11 | File | `/NAGErrors` | Medium
|
||||
12 | File | `/plugins/servlet/audit/resource` | High
|
||||
13 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
|
||||
14 | File | `/proc/ioports` | High
|
||||
15 | File | `/replication` | Medium
|
||||
16 | File | `/RestAPI` | Medium
|
||||
17 | File | `/rom-0` | Low
|
||||
18 | File | `/tmp` | Low
|
||||
19 | File | `/tmp/speedtest_urls.xml` | High
|
||||
20 | File | `/uncpath/` | Medium
|
||||
21 | File | `/var/log/nginx` | High
|
||||
22 | File | `/wp-admin/admin.php` | High
|
||||
23 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
24 | File | `abook_database.php` | High
|
||||
25 | File | `account.asp` | Medium
|
||||
26 | File | `addentry.php` | Medium
|
||||
27 | File | `admin-ajax.php?action=get_wdtable order[0][dir]` | High
|
||||
28 | File | `admin/index.php` | High
|
||||
29 | File | `admin/login.php` | High
|
||||
30 | File | `admincp.php?app=files` | High
|
||||
31 | File | `admin\model\catalog\download.php` | High
|
||||
32 | File | `ajax/render/widget_php` | High
|
||||
33 | File | `apcupsd.pid` | Medium
|
||||
34 | File | `api/sms/send-sms` | High
|
||||
35 | File | `api/v1/alarms` | High
|
||||
36 | ... | ... | ...
|
||||
|
||||
There are 305 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 306 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -1,55 +1,62 @@
|
|||
# Banjori - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Banjori](https://vuldb.com/?actor.banjori). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Banjori](https://vuldb.com/?actor.banjori). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.banjori](https://vuldb.com/?actor.banjori)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.banjori](https://vuldb.com/?actor.banjori)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Banjori:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [ES](https://vuldb.com/?country.es)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Banjori.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Banjori.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 3.216.121.17 | ec2-3-216-121-17.compute-1.amazonaws.com | Medium
|
||||
2 | 5.79.79.212 | - | High
|
||||
3 | 13.59.74.74 | ec2-13-59-74-74.us-east-2.compute.amazonaws.com | Medium
|
||||
4 | 14.192.4.75 | - | High
|
||||
5 | 18.213.250.117 | ec2-18-213-250-117.compute-1.amazonaws.com | Medium
|
||||
6 | 18.215.128.143 | ec2-18-215-128-143.compute-1.amazonaws.com | Medium
|
||||
7 | 23.89.20.107 | - | High
|
||||
8 | 23.89.102.123 | - | High
|
||||
9 | 23.107.124.53 | - | High
|
||||
10 | 23.110.15.74 | - | High
|
||||
11 | 23.226.53.226 | - | High
|
||||
12 | 23.227.38.65 | myshopify.com | High
|
||||
13 | 23.231.218.195 | - | High
|
||||
14 | 23.236.62.147 | 147.62.236.23.bc.googleusercontent.com | Medium
|
||||
15 | 34.98.99.30 | 30.99.98.34.bc.googleusercontent.com | Medium
|
||||
16 | 34.102.136.180 | 180.136.102.34.bc.googleusercontent.com | Medium
|
||||
17 | 35.186.238.101 | 101.238.186.35.bc.googleusercontent.com | Medium
|
||||
18 | 35.226.69.129 | 129.69.226.35.bc.googleusercontent.com | Medium
|
||||
19 | 43.230.142.125 | - | High
|
||||
20 | 43.241.196.105 | - | High
|
||||
21 | 43.249.76.176 | - | High
|
||||
22 | 47.91.170.222 | - | High
|
||||
23 | 47.245.10.59 | - | High
|
||||
24 | 50.117.86.130 | - | High
|
||||
25 | 52.4.209.250 | ec2-52-4-209-250.compute-1.amazonaws.com | Medium
|
||||
26 | 52.25.92.0 | ec2-52-25-92-0.us-west-2.compute.amazonaws.com | Medium
|
||||
27 | 52.58.78.16 | ec2-52-58-78-16.eu-central-1.compute.amazonaws.com | Medium
|
||||
28 | ... | ... | ...
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [3.216.121.17](https://vuldb.com/?ip.3.216.121.17) | ec2-3-216-121-17.compute-1.amazonaws.com | - | Medium
|
||||
2 | [5.79.79.212](https://vuldb.com/?ip.5.79.79.212) | - | - | High
|
||||
3 | [13.59.74.74](https://vuldb.com/?ip.13.59.74.74) | ec2-13-59-74-74.us-east-2.compute.amazonaws.com | - | Medium
|
||||
4 | [14.192.4.75](https://vuldb.com/?ip.14.192.4.75) | - | - | High
|
||||
5 | [18.213.250.117](https://vuldb.com/?ip.18.213.250.117) | ec2-18-213-250-117.compute-1.amazonaws.com | - | Medium
|
||||
6 | [18.215.128.143](https://vuldb.com/?ip.18.215.128.143) | ec2-18-215-128-143.compute-1.amazonaws.com | - | Medium
|
||||
7 | [23.89.20.107](https://vuldb.com/?ip.23.89.20.107) | - | - | High
|
||||
8 | [23.89.102.123](https://vuldb.com/?ip.23.89.102.123) | - | - | High
|
||||
9 | [23.107.124.53](https://vuldb.com/?ip.23.107.124.53) | - | - | High
|
||||
10 | [23.110.15.74](https://vuldb.com/?ip.23.110.15.74) | - | - | High
|
||||
11 | [23.226.53.226](https://vuldb.com/?ip.23.226.53.226) | - | - | High
|
||||
12 | [23.227.38.65](https://vuldb.com/?ip.23.227.38.65) | myshopify.com | - | High
|
||||
13 | [23.231.218.195](https://vuldb.com/?ip.23.231.218.195) | - | - | High
|
||||
14 | [23.236.62.147](https://vuldb.com/?ip.23.236.62.147) | 147.62.236.23.bc.googleusercontent.com | - | Medium
|
||||
15 | [34.98.99.30](https://vuldb.com/?ip.34.98.99.30) | 30.99.98.34.bc.googleusercontent.com | - | Medium
|
||||
16 | [34.102.136.180](https://vuldb.com/?ip.34.102.136.180) | 180.136.102.34.bc.googleusercontent.com | - | Medium
|
||||
17 | [35.186.238.101](https://vuldb.com/?ip.35.186.238.101) | 101.238.186.35.bc.googleusercontent.com | - | Medium
|
||||
18 | [35.226.69.129](https://vuldb.com/?ip.35.226.69.129) | 129.69.226.35.bc.googleusercontent.com | - | Medium
|
||||
19 | [43.230.142.125](https://vuldb.com/?ip.43.230.142.125) | - | - | High
|
||||
20 | [43.241.196.105](https://vuldb.com/?ip.43.241.196.105) | - | - | High
|
||||
21 | [43.249.76.176](https://vuldb.com/?ip.43.249.76.176) | - | - | High
|
||||
22 | [47.91.170.222](https://vuldb.com/?ip.47.91.170.222) | - | - | High
|
||||
23 | [47.245.10.59](https://vuldb.com/?ip.47.245.10.59) | - | - | High
|
||||
24 | [50.117.86.130](https://vuldb.com/?ip.50.117.86.130) | - | - | High
|
||||
25 | [52.4.209.250](https://vuldb.com/?ip.52.4.209.250) | ec2-52-4-209-250.compute-1.amazonaws.com | - | Medium
|
||||
26 | [52.25.92.0](https://vuldb.com/?ip.52.25.92.0) | ec2-52-25-92-0.us-west-2.compute.amazonaws.com | - | Medium
|
||||
27 | [52.58.78.16](https://vuldb.com/?ip.52.58.78.16) | ec2-52-58-78-16.eu-central-1.compute.amazonaws.com | - | Medium
|
||||
28 | ... | ... | ... | ...
|
||||
|
||||
There are 109 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://github.com/firehol/blocklist-ipsets/blob/master/bambenek_banjori.ipset
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
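Review bot: the Medium-confidence rows of the IOC table (rows 1, 3, 5, 6, 14 to 18, 25 to 27) carry provider-generated reverse DNS names on EC2 and Google Cloud, and row 12 (23.227.38.65) resolves to myshopify.com, a shared storefront front end, so none of these addresses identifies Banjori infrastructure on its own and a consumer who imports the table as a block list will cut off unrelated tenants. Suggest stating in the IOC paragraph that Medium rows are shared hosting meant for correlation (for instance against the bambenek_banjori ipset cited under References) rather than for blocking, or dropping the shared-hosting entries from the published table.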
@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
* [MX](https://vuldb.com/?country.mx)
|
||||
* ...
|
||||
|
||||
There are 4 more country items available. Please use our online service to access the data.
|
||||
There are 5 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -30,16 +30,16 @@ There are 1 more IOC items available. Please use our online service to access th
|
|||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Black KingDom_. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Black KingDom_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1008 | CWE-757 | Algorithm Downgrade | High
|
||||
1 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
|
||||
2 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
3 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 9 more TTP items available. Please use our online service to access the data.
|
||||
There are 8 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
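Review bot: row 1 changes from T1008 / CWE-757 (Algorithm Downgrade) to T1040 / CWE-294 (Authentication Bypass by Capture-replay) and the trailing count drops from 9 to 8, so the actor loses one technique overall and the Algorithm Downgrade mapping disappears without a trace; the commit message ("Update") gives no reason. Suggest recording the withdrawal, since a downstream actor profile keyed on this table cannot distinguish a deliberate retraction from a regeneration glitch.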
@ -47,30 +47,30 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/admin-panel1.php` | High
|
||||
2 | File | `/adminzone/index.php?page=admin-commandr` | High
|
||||
3 | File | `/api/servers` | Medium
|
||||
4 | File | `/aya/module/admin/ust_tab_e.inc.php` | High
|
||||
5 | File | `/core/admin/comment.php` | High
|
||||
6 | File | `/data-service/users/` | High
|
||||
7 | File | `/etc/passwd` | Medium
|
||||
8 | File | `/etc/wpa_supplicant.conf` | High
|
||||
9 | File | `/goform/SetPptpServerCfg` | High
|
||||
10 | File | `/jeecg-boot/sys/user/queryUserByDepId` | High
|
||||
11 | File | `/js/app.js` | Medium
|
||||
12 | File | `/js/js-parser.c` | High
|
||||
13 | File | `/main?cmd=invalid_browser` | High
|
||||
14 | File | `/mdiy/dict/listExcludeApp` | High
|
||||
15 | File | `/ms/file/uploadTemplate.do` | High
|
||||
16 | File | `/ok_jpg.c` | Medium
|
||||
17 | File | `/ok_png.c` | Medium
|
||||
18 | File | `/ping.html` | Medium
|
||||
19 | File | `/rootfs` | Low
|
||||
20 | File | `/SASWebReportStudio/logonAndRender.do` | High
|
||||
21 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
1 | File | `/.htaccess` | Medium
|
||||
2 | File | `/admin-panel1.php` | High
|
||||
3 | File | `/admin/login.php` | High
|
||||
4 | File | `/admin/templates/template_manage.php` | High
|
||||
5 | File | `/adminzone/index.php?page=admin-commandr` | High
|
||||
6 | File | `/api/servers` | Medium
|
||||
7 | File | `/aya/module/admin/ust_tab_e.inc.php` | High
|
||||
8 | File | `/cloud_config/router_post/check_reset_pwd_verify_code` | High
|
||||
9 | File | `/cloud_config/router_post/upgrade_info` | High
|
||||
10 | File | `/core/admin/comment.php` | High
|
||||
11 | File | `/DataPackageTable` | High
|
||||
12 | File | `/download/` | Medium
|
||||
13 | File | `/etc/passwd` | Medium
|
||||
14 | File | `/etc/wpa_supplicant.conf` | High
|
||||
15 | File | `/goform/SetPptpServerCfg` | High
|
||||
16 | File | `/i/:data/ipa.plist` | High
|
||||
17 | File | `/jeecg-boot/sys/user/queryUserByDepId` | High
|
||||
18 | File | `/js/js-parser.c` | High
|
||||
19 | File | `/main?cmd=invalid_browser` | High
|
||||
20 | File | `/mdiy/dict/listExcludeApp` | High
|
||||
21 | File | `/ms/file/uploadTemplate.do` | High
|
||||
22 | ... | ... | ...
|
||||
|
||||
There are 178 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 180 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
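Review bot: the IDs in the IOA table are positional, so inserting `/.htaccess` as row 1 shifts every later entry (`/admin-panel1.php` moves from 1 to 2, `/etc/passwd` from 7 to 13) and pushes `/ok_jpg.c`, `/ping.html`, `/rootfs`, `/SASWebReportStudio/logonAndRender.do` and others out of the visible 21 rows, even though the trailing count only grows from 178 to 180. Any consumer that references an indicator by ID across revisions will now point at a different path; suggest either a stable per-indicator identifier or a sentence above the table stating that IDs are not stable. Separately, entries such as `/etc/passwd`, `/.htaccess` and `/download/` are generic enough to fire on ordinary scanner noise, which is what the Medium confidence should say explicitly.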
@ -0,0 +1,54 @@
|
|||
# BlackCat - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [BlackCat](https://vuldb.com/?actor.blackcat). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.blackcat](https://vuldb.com/?actor.blackcat)
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with BlackCat:
|
||||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of BlackCat.
|
||||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [20.46.245.56](https://vuldb.com/?ip.20.46.245.56) | - | - | High
|
||||
2 | [52.149.228.45](https://vuldb.com/?ip.52.149.228.45) | - | - | High
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _BlackCat_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-80 | Cross Site Scripting | High
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by BlackCat. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `nav.php3` | Medium
|
||||
2 | Argument | `page` | Low
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html
|
||||
|
||||
## Literature
|
||||
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
||||
## License
|
||||
|
||||
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
|
|
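Review bot: the new page carries one TTP row and two IOA rows, of which `Argument | page | Low` is a generic query parameter name found in countless applications; the IOA paragraph says the data comes from the predictive model, but nothing tells the reader that a Low-confidence argument name is a hunting hint rather than a signature. Suggest either omitting Low-confidence generic names from the published table or adding a sentence on how the confidence levels are meant to be read. The two IOC rows also have neither hostname nor campaign, so their High confidence is unexplained relative to the single Talos source under References.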
@ -29,7 +29,7 @@ There are 22 more IOC items available. Please use our online service to access t
|
|||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Bondnet_. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Bondnet_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
|
|
|
@ -27,7 +27,7 @@ There are 10 more IOC items available. Please use our online service to access t
|
|||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Brunhilda_. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Brunhilda_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
|
|
|
@ -26,7 +26,7 @@ There are 7 more IOC items available. Please use our online service to access th
|
|||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Butter_. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Butter_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
|
|
|
@ -1,44 +1,44 @@
|
|||
# C0d0so - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [C0d0so](https://vuldb.com/?actor.c0d0so). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [C0d0so](https://vuldb.com/?actor.c0d0so). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.c0d0so](https://vuldb.com/?actor.c0d0so)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.c0d0so](https://vuldb.com/?actor.c0d0so)
|
||||
|
||||
## Campaigns
|
||||
|
||||
The following campaigns are known and can be associated with C0d0so:
|
||||
The following _campaigns_ are known and can be associated with C0d0so:
|
||||
|
||||
* Bergard
|
||||
|
||||
## Countries
|
||||
|
||||
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with C0d0so:
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with C0d0so:
|
||||
|
||||
* CN
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of C0d0so.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of C0d0so.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 42.200.18.194 | - | High
|
||||
2 | 121.54.168.230 | - | High
|
||||
3 | 210.181.184.64 | - | High
|
||||
4 | ... | ... | ...
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [42.200.18.194](https://vuldb.com/?ip.42.200.18.194) | - | Bergard | High
|
||||
2 | [121.54.168.230](https://vuldb.com/?ip.121.54.168.230) | - | - | High
|
||||
3 | [210.181.184.64](https://vuldb.com/?ip.210.181.184.64) | - | Bergard | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 1 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://www.threatminer.org/report.php?q=ExploringBergard_OldMalwarewithNewTricks_Proofpoint.pdf&y=2016
|
||||
* https://www.threatminer.org/report.php?q=NewAttacksLinkedtoC0d0so0Group-PaloAltoNetworksBlogPaloAltoNetworksBlog.pdf&y=2016
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
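Review bot: with the Campaign column added, rows 1 and 3 are attributed to Bergard while row 2 (121.54.168.230) is left as `-`, although Bergard is the only campaign listed for this actor; the table does not say whether `-` means "not attributed" or "confirmed unrelated". Suggest defining the `-` value in the IOC paragraph so the distinction survives when the table is exported.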
@ -33,7 +33,7 @@ There are 23 more IOC items available. Please use our online service to access t
|
|||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Candiru_. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Candiru_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
|
@ -85,7 +85,8 @@ ID | Type | Indicator | Confidence
|
|||
33 | File | `/storage/app/media/evil.svg` | High
|
||||
34 | File | `/transmission/web/` | High
|
||||
35 | File | `/uapi/doc` | Medium
|
||||
36 | ... | ... | ...
|
||||
36 | File | `/uncpath/` | Medium
|
||||
37 | ... | ... | ...
|
||||
|
||||
There are 313 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# Carbanak - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Carbanak](https://vuldb.com/?actor.carbanak). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Carbanak](https://vuldb.com/?actor.carbanak). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.carbanak](https://vuldb.com/?actor.carbanak)
|
||||
|
||||
|
@ -15,9 +15,9 @@ The following _campaigns_ are known and can be associated with Carbanak:
|
|||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Carbanak:
|
||||
|
||||
* US
|
||||
* RU
|
||||
* SE
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [RU](https://vuldb.com/?country.ru)
|
||||
* [SE](https://vuldb.com/?country.se)
|
||||
* ...
|
||||
|
||||
There are 29 more country items available. Please use our online service to access the data.
|
||||
|
@ -28,48 +28,48 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
|
|||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 5.1.83.133 | mail.printonrug.com | - | High
|
||||
2 | 5.45.179.173 | mail.kincoss.info | - | High
|
||||
3 | 5.45.179.185 | - | - | High
|
||||
4 | 5.45.192.117 | - | - | High
|
||||
5 | 5.61.32.118 | - | - | High
|
||||
6 | 5.61.38.52 | - | - | High
|
||||
7 | 5.101.146.184 | 3928081.securefastserver.com | - | High
|
||||
8 | 5.135.111.89 | - | - | High
|
||||
9 | 5.199.169.188 | - | - | High
|
||||
10 | 10.74.5.100 | - | - | High
|
||||
11 | 23.227.196.99 | 23-227-196-99.static.hvvc.us | - | High
|
||||
12 | 31.3.155.123 | swe-net-ip.as51430.net | - | High
|
||||
13 | 31.131.17.79 | - | - | High
|
||||
14 | 31.131.17.81 | - | - | High
|
||||
15 | 31.131.17.125 | - | - | High
|
||||
16 | 31.131.17.128 | - | - | High
|
||||
17 | 37.46.114.148 | bg.as51430.net | - | High
|
||||
18 | 37.59.202.124 | ip124.ip-37-59-202.eu | - | High
|
||||
19 | 37.235.54.48 | 48.54.235.37.in-addr.arpa | - | High
|
||||
20 | 45.63.23.135 | 45.63.23.135.vultr.com | - | Medium
|
||||
21 | 45.63.96.216 | 45.63.96.216.vultr.com | - | Medium
|
||||
22 | 50.62.171.62 | ip-50-62-171-62.ip.secureserver.net | - | High
|
||||
23 | 50.115.127.36 | 50.115.127.36.static.westdc.net | - | High
|
||||
24 | 50.115.127.37 | mail.ingrampartners.com | - | High
|
||||
25 | 51.254.95.99 | ip99.ip-51-254-95.eu | - | High
|
||||
26 | 51.254.95.100 | ip100.ip-51-254-95.eu | - | High
|
||||
27 | 55.198.6.56 | - | - | High
|
||||
28 | 59.55.142.171 | - | - | High
|
||||
29 | 60.228.38.213 | cpe-60-228-38-213.bpe6-r-962.pie.wa.bigpond.net.au | - | High
|
||||
30 | 61.7.219.61 | - | - | High
|
||||
31 | 62.75.224.229 | prag178.startdedicated.de | - | High
|
||||
32 | 62.210.25.121 | svgit.festivalscope.com | Grand Mars | High
|
||||
33 | 65.19.141.199 | - | - | High
|
||||
34 | 66.55.133.86 | 66-55-133-86.choopa.net | - | High
|
||||
35 | 66.232.124.175 | customer.hivelocity.net | - | High
|
||||
1 | [5.1.83.133](https://vuldb.com/?ip.5.1.83.133) | mail.printonrug.com | - | High
|
||||
2 | [5.45.179.173](https://vuldb.com/?ip.5.45.179.173) | mail.kincoss.info | - | High
|
||||
3 | [5.45.179.185](https://vuldb.com/?ip.5.45.179.185) | - | - | High
|
||||
4 | [5.45.192.117](https://vuldb.com/?ip.5.45.192.117) | - | - | High
|
||||
5 | [5.61.32.118](https://vuldb.com/?ip.5.61.32.118) | - | - | High
|
||||
6 | [5.61.38.52](https://vuldb.com/?ip.5.61.38.52) | - | - | High
|
||||
7 | [5.101.146.184](https://vuldb.com/?ip.5.101.146.184) | 3928081.securefastserver.com | - | High
|
||||
8 | [5.135.111.89](https://vuldb.com/?ip.5.135.111.89) | - | - | High
|
||||
9 | [5.199.169.188](https://vuldb.com/?ip.5.199.169.188) | - | - | High
|
||||
10 | [10.74.5.100](https://vuldb.com/?ip.10.74.5.100) | - | - | High
|
||||
11 | [23.227.196.99](https://vuldb.com/?ip.23.227.196.99) | 23-227-196-99.static.hvvc.us | - | High
|
||||
12 | [31.3.155.123](https://vuldb.com/?ip.31.3.155.123) | swe-net-ip.as51430.net | - | High
|
||||
13 | [31.131.17.79](https://vuldb.com/?ip.31.131.17.79) | - | - | High
|
||||
14 | [31.131.17.81](https://vuldb.com/?ip.31.131.17.81) | - | - | High
|
||||
15 | [31.131.17.125](https://vuldb.com/?ip.31.131.17.125) | - | - | High
|
||||
16 | [31.131.17.128](https://vuldb.com/?ip.31.131.17.128) | - | - | High
|
||||
17 | [37.46.114.148](https://vuldb.com/?ip.37.46.114.148) | bg.as51430.net | - | High
|
||||
18 | [37.59.202.124](https://vuldb.com/?ip.37.59.202.124) | ip124.ip-37-59-202.eu | - | High
|
||||
19 | [37.235.54.48](https://vuldb.com/?ip.37.235.54.48) | 48.54.235.37.in-addr.arpa | - | High
|
||||
20 | [45.63.23.135](https://vuldb.com/?ip.45.63.23.135) | 45.63.23.135.vultr.com | - | Medium
|
||||
21 | [45.63.96.216](https://vuldb.com/?ip.45.63.96.216) | 45.63.96.216.vultr.com | - | Medium
|
||||
22 | [50.62.171.62](https://vuldb.com/?ip.50.62.171.62) | ip-50-62-171-62.ip.secureserver.net | - | High
|
||||
23 | [50.115.127.36](https://vuldb.com/?ip.50.115.127.36) | 50.115.127.36.static.westdc.net | - | High
|
||||
24 | [50.115.127.37](https://vuldb.com/?ip.50.115.127.37) | mail.ingrampartners.com | - | High
|
||||
25 | [51.254.95.99](https://vuldb.com/?ip.51.254.95.99) | ip99.ip-51-254-95.eu | - | High
|
||||
26 | [51.254.95.100](https://vuldb.com/?ip.51.254.95.100) | ip100.ip-51-254-95.eu | - | High
|
||||
27 | [55.198.6.56](https://vuldb.com/?ip.55.198.6.56) | - | - | High
|
||||
28 | [59.55.142.171](https://vuldb.com/?ip.59.55.142.171) | - | - | High
|
||||
29 | [60.228.38.213](https://vuldb.com/?ip.60.228.38.213) | cpe-60-228-38-213.bpe6-r-962.pie.wa.bigpond.net.au | - | High
|
||||
30 | [61.7.219.61](https://vuldb.com/?ip.61.7.219.61) | - | - | High
|
||||
31 | [62.75.224.229](https://vuldb.com/?ip.62.75.224.229) | prag178.startdedicated.de | - | High
|
||||
32 | [62.210.25.121](https://vuldb.com/?ip.62.210.25.121) | svgit.festivalscope.com | Grand Mars | High
|
||||
33 | [65.19.141.199](https://vuldb.com/?ip.65.19.141.199) | - | - | High
|
||||
34 | [66.55.133.86](https://vuldb.com/?ip.66.55.133.86) | 66-55-133-86.choopa.net | - | High
|
||||
35 | [66.232.124.175](https://vuldb.com/?ip.66.232.124.175) | customer.hivelocity.net | - | High
|
||||
36 | ... | ... | ... | ...
|
||||
|
||||
There are 140 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Carbanak. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Carbanak_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
|
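Review bot: row 10 lists 10.74.5.100 with High confidence, but 10.0.0.0/8 is RFC 1918 private address space that is not reachable from the internet; a value like this is almost certainly copied from an internal lab or victim report, and pushing it to consumers will raise alerts on their own networks. Row 19's hostname `48.54.235.37.in-addr.arpa` is the reverse-lookup name of the address itself, not a hostname. Suggest filtering non-routable addresses and in-addr.arpa names out of the generated table before publishing, and keeping the `-` placeholder in the Hostname column when the reverse lookup yields nothing useful.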
@ -78,7 +78,7 @@ ID | Technique | Weakness | Description | Confidence
|
|||
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 7 more TTP items available. Please use our online service to access the data.
|
||||
There are 6 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
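Review bot: the trailing count falls from 7 to 6 while the three visible rows are unchanged, so a technique was removed from the truncated part of the table with no visible record; with a commit message of "Update" a reader cannot tell which mapping was withdrawn. Suggest listing dropped techniques in the commit message whenever the generator removes them.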
@ -114,16 +114,16 @@ ID | Type | Indicator | Confidence
|
|||
26 | File | `/wp-content/plugins/updraftplus/admin.php` | High
|
||||
27 | File | `/zhndnsdisplay.cmd` | High
|
||||
28 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
29 | File | `acl.c` | Low
|
||||
30 | File | `adclick.php` | Medium
|
||||
31 | File | `add_comment.php` | High
|
||||
32 | File | `add_vhost.php` | High
|
||||
33 | File | `admin.php` | Medium
|
||||
34 | File | `admin/default.asp` | High
|
||||
35 | File | `admin/index.php?n=ui_set&m=admin&c=index&a=doget_text_content&table=lang&field=1` | High
|
||||
29 | File | `about.php` | Medium
|
||||
30 | File | `acl.c` | Low
|
||||
31 | File | `adclick.php` | Medium
|
||||
32 | File | `add_comment.php` | High
|
||||
33 | File | `add_vhost.php` | High
|
||||
34 | File | `admin.php` | Medium
|
||||
35 | File | `admin/conf_users_edit.php` | High
|
||||
36 | ... | ... | ...
|
||||
|
||||
There are 306 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 313 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -30,7 +30,7 @@ There are 7 more IOC items available. Please use our online service to access th
|
|||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Chafer. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Chafer_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
|
@ -55,7 +55,7 @@ ID | Type | Indicator | Confidence
|
|||
6 | File | `/uncpath/` | Medium
|
||||
7 | ... | ... | ...
|
||||
|
||||
There are 49 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 50 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# Charming Kitten - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Charming Kitten](https://vuldb.com/?actor.charming_kitten). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Charming Kitten](https://vuldb.com/?actor.charming_kitten). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.charming_kitten](https://vuldb.com/?actor.charming_kitten)
|
||||
|
||||
|
@ -14,12 +14,12 @@ The following _campaigns_ are known and can be associated with Charming Kitten:

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Charming Kitten:

* NL
* CN
* US
* [NL](https://vuldb.com/?country.nl)
* [CN](https://vuldb.com/?country.cn)
* [US](https://vuldb.com/?country.us)
* ...

There are 23 more country items available. Please use our online service to access the data.
There are 22 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

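Review bot: the remainder count drops from 23 to 22 while the three visible entries are unchanged, so a country was removed from the unshown part of the list, and nothing in the diff records which one or why (data correction versus attribution change). Consumers who derived geo-based rules from the previous revision cannot re-evaluate them from this hunk; suggest recording the removed item in the commit message or a changelog line.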
@ -27,35 +27,35 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 5.79.69.198 | - | - | High
2 | 5.79.69.206 | - | - | High
3 | 5.79.105.153 | - | - | High
4 | 5.79.105.156 | - | - | High
5 | 5.79.105.161 | - | - | High
6 | 5.79.105.165 | - | - | High
7 | 5.152.202.51 | h5-152-202-51.host.redstation.co.uk | - | High
8 | 5.152.202.52 | h5-152-202-52.host.redstation.co.uk | - | High
9 | 31.3.236.90 | h31-3-236-90.host.redstation.co.uk | - | High
10 | 31.3.236.91 | h31-3-236-91.host.redstation.co.uk | - | High
11 | 31.3.236.92 | h31-3-236-92.host.redstation.co.uk | - | High
12 | 37.220.8.13 | h37-220-8-13.host.redstation.co.uk | - | High
13 | 46.17.97.37 | - | - | High
14 | 46.17.97.40 | - | - | High
15 | 46.17.97.240 | - | - | High
16 | 46.17.97.243 | - | - | High
17 | 51.254.254.217 | me14.mecide.com | - | High
18 | 51.255.28.57 | - | - | High
19 | 54.36.217.8 | ip8.ip-54-36-217.eu | - | High
20 | 54.37.164.254 | - | - | High
21 | 54.38.49.6 | ip6.ip-54-38-49.eu | Log4Shell | High
22 | 69.30.221.126 | - | - | High
1 | [5.79.69.198](https://vuldb.com/?ip.5.79.69.198) | - | - | High
2 | [5.79.69.206](https://vuldb.com/?ip.5.79.69.206) | - | - | High
3 | [5.79.105.153](https://vuldb.com/?ip.5.79.105.153) | - | - | High
4 | [5.79.105.156](https://vuldb.com/?ip.5.79.105.156) | - | - | High
5 | [5.79.105.161](https://vuldb.com/?ip.5.79.105.161) | - | - | High
6 | [5.79.105.165](https://vuldb.com/?ip.5.79.105.165) | - | - | High
7 | [5.152.202.51](https://vuldb.com/?ip.5.152.202.51) | h5-152-202-51.host.redstation.co.uk | - | High
8 | [5.152.202.52](https://vuldb.com/?ip.5.152.202.52) | h5-152-202-52.host.redstation.co.uk | - | High
9 | [31.3.236.90](https://vuldb.com/?ip.31.3.236.90) | h31-3-236-90.host.redstation.co.uk | - | High
10 | [31.3.236.91](https://vuldb.com/?ip.31.3.236.91) | h31-3-236-91.host.redstation.co.uk | - | High
11 | [31.3.236.92](https://vuldb.com/?ip.31.3.236.92) | h31-3-236-92.host.redstation.co.uk | - | High
12 | [37.220.8.13](https://vuldb.com/?ip.37.220.8.13) | h37-220-8-13.host.redstation.co.uk | - | High
13 | [46.17.97.37](https://vuldb.com/?ip.46.17.97.37) | - | - | High
14 | [46.17.97.40](https://vuldb.com/?ip.46.17.97.40) | - | - | High
15 | [46.17.97.240](https://vuldb.com/?ip.46.17.97.240) | - | - | High
16 | [46.17.97.243](https://vuldb.com/?ip.46.17.97.243) | - | - | High
17 | [51.254.254.217](https://vuldb.com/?ip.51.254.254.217) | me14.mecide.com | - | High
18 | [51.255.28.57](https://vuldb.com/?ip.51.255.28.57) | - | - | High
19 | [54.36.217.8](https://vuldb.com/?ip.54.36.217.8) | ip8.ip-54-36-217.eu | - | High
20 | [54.37.164.254](https://vuldb.com/?ip.54.37.164.254) | - | - | High
21 | [54.38.49.6](https://vuldb.com/?ip.54.38.49.6) | ip6.ip-54-38-49.eu | Log4Shell | High
22 | [69.30.221.126](https://vuldb.com/?ip.69.30.221.126) | - | - | High
23 | ... | ... | ... | ...

There are 88 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Charming Kitten. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Charming Kitten_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------

@ -64,7 +64,7 @@ ID | Technique | Weakness | Description | Confidence
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 7 more TTP items available. Please use our online service to access the data.
There are 6 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

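Review bot: the Description column in row 3 only names the weakness behind CWE-307 ("Improper Restriction of Excessive Authentication Attempts") although the Weakness column lists CWE-307 and CWE-798 together; CWE-798 is hard-coded credentials, which makes password guessing (T1110.001) unnecessary rather than describing it, so the pairing needs a sentence on how the Weakness column is derived or the description should cover both entries. The TTP remainder also drops from 7 to 6 with no visible change in the table, same concern as the country count.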
@ -78,8 +78,8 @@ ID | Type | Indicator | Confidence
4 | File | `/admin/powerline` | High
5 | File | `/admin/syslog` | High
6 | File | `/api/upload` | Medium
7 | File | `/cgi-bin` | Medium
8 | File | `/context/%2e/WEB-INF/web.xml` | High
7 | File | `/context/%2e/WEB-INF/web.xml` | High
8 | File | `/file?action=download&file` | High
9 | File | `/medical/inventories.php` | High
10 | File | `/monitoring` | Medium
11 | File | `/new` | Low

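Review bot: dropping `/cgi-bin` (old row 7) shifts every following ID, so `/context/%2e/WEB-INF/web.xml` is row 8 in the previous revision and row 7 here; anyone who referenced "Charming Kitten IOA 8" now points at a different indicator. The ID column is positional, not a stable key, so either document that IDs are re-assigned on every update or key the rows on the indicator string itself.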
@ -89,21 +89,21 @@ ID | Type | Indicator | Confidence
15 | File | `/public/plugins/` | High
16 | File | `/replication` | Medium
17 | File | `/RestAPI` | Medium
18 | File | `/secure/QueryComponent!Default.jspa` | High
19 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
20 | File | `/tmp` | Low
21 | File | `/uncpath/` | Medium
22 | File | `/var/log/nginx` | High
23 | File | `/wp-json/wc/v3/webhooks` | High
24 | File | `AccountManagerService.java` | High
25 | File | `actions/CompanyDetailsSave.php` | High
26 | File | `ActiveServices.java` | High
27 | File | `admin.php` | Medium
28 | File | `admin/?n=user&c=admin_user&a=doGetUserInfo` | High
29 | File | `admin/add-glossary.php` | High
18 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
19 | File | `/secure/QueryComponent!Default.jspa` | High
20 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
21 | File | `/tmp` | Low
22 | File | `/uncpath/` | Medium
23 | File | `/var/log/nginx` | High
24 | File | `/wp-json/wc/v3/webhooks` | High
25 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
26 | File | `AccountManagerService.java` | High
27 | File | `actions/CompanyDetailsSave.php` | High
28 | File | `ActiveServices.java` | High
29 | File | `ActivityManagerService.java` | High
30 | ... | ... | ...

There are 258 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 259 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

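Review bot: three indicators enter the visible window (`/secure/admin/InsightDefaultCustomFieldConfig.jspa`, `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi`, `ActivityManagerService.java`) and push `admin.php`, `admin/?n=user&c=admin_user&a=doGetUserInfo` and `admin/add-glossary.php` out of it, yet the remainder count rises by only one (258 to 259), so two items were removed from the unshown part of the list without any record in the diff. The truncated table makes the full change set unverifiable from the repository; consider shipping the complete list, or at least noting removals, since the "..." row hides exactly the churn a consumer needs to see.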
@ -1,6 +1,6 @@
# Conficker - Cyber Threat Intelligence

These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Conficker](https://vuldb.com/?actor.conficker). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Conficker](https://vuldb.com/?actor.conficker). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.conficker](https://vuldb.com/?actor.conficker)

@ -8,9 +8,9 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Conficker:

* US
* NL
* FR
* [US](https://vuldb.com/?country.us)
* [NL](https://vuldb.com/?country.nl)
* [FR](https://vuldb.com/?country.fr)
* ...

There are 10 more country items available. Please use our online service to access the data.

@ -21,16 +21,16 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 5.79.74.75 | nl1.zoogvpn.com | - | High
2 | 50.57.203.17 | - | - | High
3 | 64.71.74.227 | 64.71.74.227.hosted.at.cloudsouth.com | - | High
1 | [5.79.74.75](https://vuldb.com/?ip.5.79.74.75) | nl1.zoogvpn.com | - | High
2 | [50.57.203.17](https://vuldb.com/?ip.50.57.203.17) | - | - | High
3 | [64.71.74.227](https://vuldb.com/?ip.64.71.74.227) | 64.71.74.227.hosted.at.cloudsouth.com | - | High
4 | ... | ... | ... | ...

There are 8 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Conficker. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Conficker_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------

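Review bot: row 1 keeps High confidence for 5.79.74.75 whose hostname `nl1.zoogvpn.com` identifies it as a commercial VPN exit node, i.e. shared infrastructure used by many unrelated clients. A blocklist built from this table will generate false positives against every customer of that service, so either lower the confidence or add a marker for shared/anonymizing infrastructure so consumers can treat it as a signal for correlation rather than for blocking.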
@ -39,7 +39,7 @@ ID | Technique | Weakness | Description | Confidence
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 2 more TTP items available. Please use our online service to access the data.
There are 1 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

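Review bot: "There are 1 more TTP items available" has a number-agreement error; the generating template should switch to "There is 1 more TTP item available" when the count is one. Row 3 also lists CWE-798 alone while its Description is the CWE-307 title ("Improper Restriction of Excessive Authentication Attempts"), so the weakness and description columns disagree on this row.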
@ -83,7 +83,7 @@ There are 200 more IOC items available. Please use our online service to access

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Conti_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Conti_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------

@ -120,29 +120,29 @@ ID | Type | Indicator | Confidence
18 | File | `/tmp` | Low
19 | File | `/uncpath/` | Medium
20 | File | `/usr/bin/pkexec` | High
21 | File | `/WEB-INF/web.xml` | High
22 | File | `/wp-json/wc/v3/webhooks` | High
23 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
24 | File | `AccountManagerService.java` | High
25 | File | `actions/CompanyDetailsSave.php` | High
26 | File | `ActivityManagerService.java` | High
27 | File | `adclick.php` | Medium
28 | File | `admin.php` | Medium
29 | File | `admin.php?page=languages` | High
30 | File | `admin/add-glossary.php` | High
31 | File | `admin/admin.php` | High
32 | File | `admin/conf_users_edit.php` | High
33 | File | `admin/edit-comments.php` | High
34 | File | `admin/src/containers/InputModalStepperProvider/index.js` | High
35 | File | `admin\db\DoSql.php` | High
36 | File | `adverts/assets/plugins/ultimate/content/downloader.php` | High
37 | File | `advsearch.asp` | High
38 | File | `AjaxApplication.java` | High
39 | File | `AllowBindAppWidgetActivity.java` | High
40 | File | `android/webkit/SearchBoxImpl.java` | High
21 | File | `/usr/sbin/suexec` | High
22 | File | `/WEB-INF/web.xml` | High
23 | File | `/wp-json/wc/v3/webhooks` | High
24 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
25 | File | `AccountManagerService.java` | High
26 | File | `actions/CompanyDetailsSave.php` | High
27 | File | `ActivityManagerService.java` | High
28 | File | `adclick.php` | Medium
29 | File | `admin.php` | Medium
30 | File | `admin.php?page=languages` | High
31 | File | `admin/add-glossary.php` | High
32 | File | `admin/admin.php` | High
33 | File | `admin/conf_users_edit.php` | High
34 | File | `admin/edit-comments.php` | High
35 | File | `admin/src/containers/InputModalStepperProvider/index.js` | High
36 | File | `admin\db\DoSql.php` | High
37 | File | `adverts/assets/plugins/ultimate/content/downloader.php` | High
38 | File | `advsearch.asp` | High
39 | File | `AjaxApplication.java` | High
40 | File | `AllowBindAppWidgetActivity.java` | High
41 | ... | ... | ...

There are 349 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 351 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

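Review bot: the removed block includes row 20 `/usr/bin/pkexec`, while the added rows start at 21 with `/usr/sbin/suexec` and no new row 20 is visible in the hunk, so it is not clear whether the pkexec indicator survived the renumbering or was dropped; the remainder count rising from 349 to 351 does not settle it. Please confirm the intent, and note that both paths are setuid helpers present on stock systems, so as bare "File" indicators they carry little discriminating value without the associated argument or pattern entries the count line alludes to.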
@ -1,217 +1,217 @@
# CoolWebSearch - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [CoolWebSearch](https://vuldb.com/?actor.coolwebsearch). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [CoolWebSearch](https://vuldb.com/?actor.coolwebsearch). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.coolwebsearch](https://vuldb.com/?actor.coolwebsearch)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.coolwebsearch](https://vuldb.com/?actor.coolwebsearch)

## Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with CoolWebSearch:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with CoolWebSearch:

* US
* VN
* CN
* [US](https://vuldb.com/?country.us)
* [VN](https://vuldb.com/?country.vn)
* [CN](https://vuldb.com/?country.cn)
* ...

There are 21 more country items available. Please use our online service to access the data.
There are 23 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of CoolWebSearch.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of CoolWebSearch.

ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 38.113.3.122 | - | High
2 | 38.113.198.80 | - | High
3 | 38.113.198.81 | - | High
4 | 38.113.198.235 | - | High
5 | 38.113.198.243 | - | High
6 | 38.113.198.249 | - | High
7 | 38.113.198.252 | - | High
8 | 38.113.199.63 | - | High
9 | 38.113.204.40 | - | High
10 | 38.113.204.182 | - | High
11 | 38.117.144.30 | - | High
12 | 38.117.144.50 | - | High
13 | 38.117.144.51 | - | High
14 | 38.117.144.162 | - | High
15 | 61.152.242.111 | - | High
16 | 62.65.252.93 | 62.65.252.93.cable.starman.ee | High
17 | 62.65.252.226 | 62.65.252.226.cable.starman.ee | High
18 | 62.129.133.193 | HOSTED-BY.VIRTUALXS.COM | High
19 | 63.160.243.7 | - | High
20 | 63.208.158.126 | unknown.Level3.net | High
21 | 63.217.29.115 | - | High
22 | 63.219.176.203 | 63-219-176-203.static.pccwglobal.net | High
23 | 63.219.178.91 | 63-219-178-91.supercreate.net | High
24 | 63.219.181.7 | web-r2-h7.globecorp.net | High
25 | 63.219.181.10 | web-r2-h10.globecorp.net | High
26 | 63.219.181.64 | web-r2-h64.globecorp.net | High
27 | 63.246.42.13 | - | High
28 | 63.246.131.19 | - | High
29 | 63.246.146.142 | - | High
30 | 63.246.146.147 | - | High
31 | 63.251.83.54 | - | High
32 | 63.251.83.56 | - | High
33 | 64.7.197.6 | - | High
34 | 64.7.205.18 | - | High
35 | 64.7.207.118 | NET-allocation-0011058.ix.sitestream.net | High
36 | 64.7.209.58 | NET-allocation-00025837.ix.sitestream.net | High
37 | 64.7.212.98 | gxb.nastydollars.com | High
38 | 64.38.226.6 | maxcash.cavecreek.net | High
39 | 64.94.3.243 | - | High
40 | 64.124.210.76 | 64.124.210.76.t00517.above.net | High
41 | 64.124.210.98 | 64.124.210.98.t00517.above.net | High
42 | 64.124.210.111 | 64.124.210.111.t00517.above.net | High
43 | 64.124.222.167 | 64.124.222.167.T01708-02.above.net | High
44 | 64.124.222.236 | 64.124.222.236.T01708-02.above.net | High
45 | 64.125.84.23 | - | High
46 | 64.127.104.144 | - | High
47 | 64.154.5.9 | - | High
48 | 64.154.5.38 | - | High
49 | 64.157.143.86 | unknown.Level3.net | High
50 | 64.185.230.223 | 64-185-230-223.static.webnx.com | High
51 | 64.186.129.250 | - | High
52 | 64.186.129.252 | - | High
53 | 64.186.152.83 | - | High
54 | 64.200.25.75 | - | High
55 | 64.200.25.86 | - | High
56 | 64.202.105.82 | unknown.ord.scnet.net | High
57 | 64.202.167.129 | ip-64-202-167-129.ip.secureserver.net | High
58 | 64.202.167.192 | ip-64-202-167-192.ip.secureserver.net | High
59 | 64.237.37.152 | - | High
60 | 64.237.39.70 | - | High
61 | 64.237.39.76 | - | High
62 | 64.237.39.77 | - | High
63 | 64.237.39.80 | - | High
64 | 64.237.39.226 | 64-237-39-226.choopa.net | High
65 | 64.237.41.215 | 64-237-41-215.choopa.com | High
66 | 64.237.44.247 | 64-237-44-247.constant.com | High
67 | 64.237.45.18 | 64-237-45-18.constant.com | High
68 | 64.237.47.178 | 64-237-47-178.constant.com | High
69 | 64.237.47.210 | 64-237-47-210.choopa.net | High
70 | 64.237.53.3 | 64.237.53.3.choopa.net | High
71 | 64.237.53.4 | 64.237.53.4.choopa.net | High
72 | 64.237.56.64 | 64-237-56-64.choopa.net | High
73 | 64.237.57.37 | 64.237.57.37.choopa.com | High
74 | 64.237.57.92 | tsca-057092.toscaa.com | High
75 | 64.237.57.202 | 64.237.57.202.choopa.com | High
76 | 64.237.57.205 | 64.237.57.205.choopa.com | High
77 | 64.237.57.206 | 64.237.57.206.choopa.com | High
78 | 64.237.57.215 | 64-237-57-215.reliableservers.com | High
79 | 64.246.18.41 | ev1s-64-246-18-41.theplanet.com | High
80 | 64.246.33.179 | ev1s-64-246-33-179.theplanet.com | High
81 | 64.246.33.191 | bignaturalboobs.org | High
82 | 64.246.40.84 | ev1s-64-246-40-84.theplanet.com | High
83 | 64.250.235.140 | ip-64-250-235-140.lasvegas.net | High
84 | 64.255.161.101 | 64-255-161-101.jupiter.navisite.com | High
85 | 65.39.191.71 | - | High
86 | 65.75.143.119 | ip-65-75-143-119.local | High
87 | 65.75.161.13 | galt1.seowebhosting.net | High
88 | 65.75.175.64 | ip-65-75-175-64.local | High
89 | 65.75.187.94 | ip-65-75-187-94.local | High
90 | 65.77.129.178 | - | High
91 | 65.77.129.212 | - | High
92 | 65.110.40.789 | - | High
93 | 65.115.110.251 | - | High
94 | 66.28.176.79 | - | High
95 | 66.28.176.138 | - | High
96 | 66.28.176.154 | - | High
97 | 66.40.28.3 | host3.maxim.net | High
98 | 66.40.28.12 | host12.maxim.net | High
99 | 66.40.28.51 | host51.maxim.net | High
100 | 66.40.28.61 | host61.maxim.net | High
101 | 66.45.237.99 | athostech.website | High
102 | 66.55.128.76 | 66.55.128.76.choopa.com | High
103 | 66.55.134.98 | 66-55-134-98.choopa.net | High
104 | 66.55.136.82 | 66.55.136.82.choopa.com | High
105 | 66.55.136.84 | 66.55.136.84.choopa.com | High
106 | 66.55.136.87 | 66.55.136.87.choopa.com | High
107 | 66.55.136.93 | 66-55-136-93.constant.com | High
108 | 66.55.139.28 | 66-55-139-28.choopa.net | High
109 | 66.55.139.29 | 66-55-139-29.choopa.net | High
110 | 66.55.140.119 | - | High
111 | 66.55.141.3 | - | High
112 | 66.55.144.200 | 66.55.144.200.choopa.net | High
113 | 66.70.44.60 | tunders.com | High
114 | 66.70.68.147 | - | High
115 | 66.79.171.70 | - | High
116 | 66.79.171.75 | - | High
117 | 66.79.183.140 | - | High
118 | 66.79.189.120 | - | High
119 | 66.79.191.231 | - | High
120 | 66.90.65.252 | - | High
121 | 66.98.142.163 | ns106.ehostpros.com | High
122 | 66.98.176.62 | ev1s-66-98-176-62.theplanet.com | High
123 | 66.98.194.89 | ns1.mygreatwebsite.net | High
124 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [38.113.3.122](https://vuldb.com/?ip.38.113.3.122) | - | - | High
2 | [38.113.198.80](https://vuldb.com/?ip.38.113.198.80) | - | - | High
3 | [38.113.198.81](https://vuldb.com/?ip.38.113.198.81) | - | - | High
4 | [38.113.198.235](https://vuldb.com/?ip.38.113.198.235) | - | - | High
5 | [38.113.198.243](https://vuldb.com/?ip.38.113.198.243) | - | - | High
6 | [38.113.198.249](https://vuldb.com/?ip.38.113.198.249) | - | - | High
7 | [38.113.198.252](https://vuldb.com/?ip.38.113.198.252) | - | - | High
8 | [38.113.199.63](https://vuldb.com/?ip.38.113.199.63) | - | - | High
9 | [38.113.204.40](https://vuldb.com/?ip.38.113.204.40) | - | - | High
10 | [38.113.204.182](https://vuldb.com/?ip.38.113.204.182) | - | - | High
11 | [38.117.144.30](https://vuldb.com/?ip.38.117.144.30) | - | - | High
12 | [38.117.144.50](https://vuldb.com/?ip.38.117.144.50) | - | - | High
13 | [38.117.144.51](https://vuldb.com/?ip.38.117.144.51) | - | - | High
14 | [38.117.144.162](https://vuldb.com/?ip.38.117.144.162) | - | - | High
15 | [61.152.242.111](https://vuldb.com/?ip.61.152.242.111) | - | - | High
16 | [62.65.252.93](https://vuldb.com/?ip.62.65.252.93) | 62.65.252.93.cable.starman.ee | - | High
17 | [62.65.252.226](https://vuldb.com/?ip.62.65.252.226) | 62.65.252.226.cable.starman.ee | - | High
18 | [62.129.133.193](https://vuldb.com/?ip.62.129.133.193) | HOSTED-BY.VIRTUALXS.COM | - | High
19 | [63.160.243.7](https://vuldb.com/?ip.63.160.243.7) | - | - | High
20 | [63.208.158.126](https://vuldb.com/?ip.63.208.158.126) | unknown.Level3.net | - | High
21 | [63.217.29.115](https://vuldb.com/?ip.63.217.29.115) | - | - | High
22 | [63.219.176.203](https://vuldb.com/?ip.63.219.176.203) | 63-219-176-203.static.pccwglobal.net | - | High
23 | [63.219.178.91](https://vuldb.com/?ip.63.219.178.91) | 63-219-178-91.supercreate.net | - | High
24 | [63.219.181.7](https://vuldb.com/?ip.63.219.181.7) | web-r2-h7.globecorp.net | - | High
25 | [63.219.181.10](https://vuldb.com/?ip.63.219.181.10) | web-r2-h10.globecorp.net | - | High
26 | [63.219.181.64](https://vuldb.com/?ip.63.219.181.64) | web-r2-h64.globecorp.net | - | High
27 | [63.246.42.13](https://vuldb.com/?ip.63.246.42.13) | - | - | High
28 | [63.246.131.19](https://vuldb.com/?ip.63.246.131.19) | - | - | High
29 | [63.246.146.142](https://vuldb.com/?ip.63.246.146.142) | - | - | High
30 | [63.246.146.147](https://vuldb.com/?ip.63.246.146.147) | - | - | High
31 | [63.251.83.54](https://vuldb.com/?ip.63.251.83.54) | - | - | High
32 | [63.251.83.56](https://vuldb.com/?ip.63.251.83.56) | - | - | High
33 | [64.7.197.6](https://vuldb.com/?ip.64.7.197.6) | - | - | High
34 | [64.7.205.18](https://vuldb.com/?ip.64.7.205.18) | - | - | High
35 | [64.7.207.118](https://vuldb.com/?ip.64.7.207.118) | NET-allocation-0011058.ix.sitestream.net | - | High
36 | [64.7.209.58](https://vuldb.com/?ip.64.7.209.58) | NET-allocation-00025837.ix.sitestream.net | - | High
37 | [64.7.212.98](https://vuldb.com/?ip.64.7.212.98) | gxb.nastydollars.com | - | High
38 | [64.38.226.6](https://vuldb.com/?ip.64.38.226.6) | maxcash.cavecreek.net | - | High
39 | [64.94.3.243](https://vuldb.com/?ip.64.94.3.243) | - | - | High
40 | [64.124.210.76](https://vuldb.com/?ip.64.124.210.76) | 64.124.210.76.t00517.above.net | - | High
41 | [64.124.210.98](https://vuldb.com/?ip.64.124.210.98) | 64.124.210.98.t00517.above.net | - | High
42 | [64.124.210.111](https://vuldb.com/?ip.64.124.210.111) | 64.124.210.111.t00517.above.net | - | High
43 | [64.124.222.167](https://vuldb.com/?ip.64.124.222.167) | 64.124.222.167.T01708-02.above.net | - | High
44 | [64.124.222.236](https://vuldb.com/?ip.64.124.222.236) | 64.124.222.236.T01708-02.above.net | - | High
45 | [64.125.84.23](https://vuldb.com/?ip.64.125.84.23) | - | - | High
46 | [64.127.104.144](https://vuldb.com/?ip.64.127.104.144) | - | - | High
47 | [64.154.5.9](https://vuldb.com/?ip.64.154.5.9) | - | - | High
48 | [64.154.5.38](https://vuldb.com/?ip.64.154.5.38) | - | - | High
49 | [64.157.143.86](https://vuldb.com/?ip.64.157.143.86) | unknown.Level3.net | - | High
50 | [64.185.230.223](https://vuldb.com/?ip.64.185.230.223) | 64-185-230-223.static.webnx.com | - | High
51 | [64.186.129.250](https://vuldb.com/?ip.64.186.129.250) | - | - | High
52 | [64.186.129.252](https://vuldb.com/?ip.64.186.129.252) | - | - | High
53 | [64.186.152.83](https://vuldb.com/?ip.64.186.152.83) | - | - | High
54 | [64.200.25.75](https://vuldb.com/?ip.64.200.25.75) | - | - | High
55 | [64.200.25.86](https://vuldb.com/?ip.64.200.25.86) | - | - | High
56 | [64.202.105.82](https://vuldb.com/?ip.64.202.105.82) | unknown.ord.scnet.net | - | High
57 | [64.202.167.129](https://vuldb.com/?ip.64.202.167.129) | ip-64-202-167-129.ip.secureserver.net | - | High
58 | [64.202.167.192](https://vuldb.com/?ip.64.202.167.192) | ip-64-202-167-192.ip.secureserver.net | - | High
59 | [64.237.37.152](https://vuldb.com/?ip.64.237.37.152) | - | - | High
60 | [64.237.39.70](https://vuldb.com/?ip.64.237.39.70) | - | - | High
61 | [64.237.39.76](https://vuldb.com/?ip.64.237.39.76) | - | - | High
62 | [64.237.39.77](https://vuldb.com/?ip.64.237.39.77) | - | - | High
63 | [64.237.39.80](https://vuldb.com/?ip.64.237.39.80) | - | - | High
64 | [64.237.39.226](https://vuldb.com/?ip.64.237.39.226) | 64-237-39-226.choopa.net | - | High
65 | [64.237.41.215](https://vuldb.com/?ip.64.237.41.215) | 64-237-41-215.choopa.com | - | High
66 | [64.237.44.247](https://vuldb.com/?ip.64.237.44.247) | 64-237-44-247.constant.com | - | High
67 | [64.237.45.18](https://vuldb.com/?ip.64.237.45.18) | 64-237-45-18.constant.com | - | High
68 | [64.237.47.178](https://vuldb.com/?ip.64.237.47.178) | 64-237-47-178.constant.com | - | High
69 | [64.237.47.210](https://vuldb.com/?ip.64.237.47.210) | 64-237-47-210.choopa.net | - | High
70 | [64.237.53.3](https://vuldb.com/?ip.64.237.53.3) | 64.237.53.3.choopa.net | - | High
71 | [64.237.53.4](https://vuldb.com/?ip.64.237.53.4) | 64.237.53.4.choopa.net | - | High
72 | [64.237.56.64](https://vuldb.com/?ip.64.237.56.64) | 64-237-56-64.choopa.net | - | High
73 | [64.237.57.37](https://vuldb.com/?ip.64.237.57.37) | 64.237.57.37.choopa.com | - | High
74 | [64.237.57.92](https://vuldb.com/?ip.64.237.57.92) | tsca-057092.toscaa.com | - | High
75 | [64.237.57.202](https://vuldb.com/?ip.64.237.57.202) | 64.237.57.202.choopa.com | - | High
76 | [64.237.57.205](https://vuldb.com/?ip.64.237.57.205) | 64.237.57.205.choopa.com | - | High
77 | [64.237.57.206](https://vuldb.com/?ip.64.237.57.206) | 64.237.57.206.choopa.com | - | High
78 | [64.237.57.215](https://vuldb.com/?ip.64.237.57.215) | 64-237-57-215.reliableservers.com | - | High
79 | [64.246.18.41](https://vuldb.com/?ip.64.246.18.41) | ev1s-64-246-18-41.theplanet.com | - | High
80 | [64.246.33.179](https://vuldb.com/?ip.64.246.33.179) | ev1s-64-246-33-179.theplanet.com | - | High
81 | [64.246.33.191](https://vuldb.com/?ip.64.246.33.191) | bignaturalboobs.org | - | High
82 | [64.246.40.84](https://vuldb.com/?ip.64.246.40.84) | ev1s-64-246-40-84.theplanet.com | - | High
83 | [64.250.235.140](https://vuldb.com/?ip.64.250.235.140) | ip-64-250-235-140.lasvegas.net | - | High
84 | [64.255.161.101](https://vuldb.com/?ip.64.255.161.101) | 64-255-161-101.jupiter.navisite.com | - | High
85 | [65.39.191.71](https://vuldb.com/?ip.65.39.191.71) | - | - | High
86 | [65.75.143.119](https://vuldb.com/?ip.65.75.143.119) | ip-65-75-143-119.local | - | High
87 | [65.75.161.13](https://vuldb.com/?ip.65.75.161.13) | galt1.seowebhosting.net | - | High
88 | [65.75.175.64](https://vuldb.com/?ip.65.75.175.64) | ip-65-75-175-64.local | - | High
89 | [65.75.187.94](https://vuldb.com/?ip.65.75.187.94) | ip-65-75-187-94.local | - | High
90 | [65.77.129.178](https://vuldb.com/?ip.65.77.129.178) | - | - | High
91 | [65.77.129.212](https://vuldb.com/?ip.65.77.129.212) | - | - | High
92 | [65.110.40.789](https://vuldb.com/?ip.65.110.40.789) | - | - | High
93 | [65.115.110.251](https://vuldb.com/?ip.65.115.110.251) | - | - | High
94 | [66.28.176.79](https://vuldb.com/?ip.66.28.176.79) | - | - | High
95 | [66.28.176.138](https://vuldb.com/?ip.66.28.176.138) | - | - | High
96 | [66.28.176.154](https://vuldb.com/?ip.66.28.176.154) | - | - | High
97 | [66.40.28.3](https://vuldb.com/?ip.66.40.28.3) | host3.maxim.net | - | High
98 | [66.40.28.12](https://vuldb.com/?ip.66.40.28.12) | host12.maxim.net | - | High
99 | [66.40.28.51](https://vuldb.com/?ip.66.40.28.51) | host51.maxim.net | - | High
100 | [66.40.28.61](https://vuldb.com/?ip.66.40.28.61) | host61.maxim.net | - | High
101 | [66.45.237.99](https://vuldb.com/?ip.66.45.237.99) | athostech.website | - | High
102 | [66.55.128.76](https://vuldb.com/?ip.66.55.128.76) | 66.55.128.76.choopa.com | - | High
103 | [66.55.134.98](https://vuldb.com/?ip.66.55.134.98) | 66-55-134-98.choopa.net | - | High
104 | [66.55.136.82](https://vuldb.com/?ip.66.55.136.82) | 66.55.136.82.choopa.com | - | High
105 | [66.55.136.84](https://vuldb.com/?ip.66.55.136.84) | 66.55.136.84.choopa.com | - | High
106 | [66.55.136.87](https://vuldb.com/?ip.66.55.136.87) | 66.55.136.87.choopa.com | - | High
107 | [66.55.136.93](https://vuldb.com/?ip.66.55.136.93) | 66-55-136-93.constant.com | - | High
108 | [66.55.139.28](https://vuldb.com/?ip.66.55.139.28) | 66-55-139-28.choopa.net | - | High
109 | [66.55.139.29](https://vuldb.com/?ip.66.55.139.29) | 66-55-139-29.choopa.net | - | High
110 | [66.55.140.119](https://vuldb.com/?ip.66.55.140.119) | - | - | High
111 | [66.55.141.3](https://vuldb.com/?ip.66.55.141.3) | - | - | High
112 | [66.55.144.200](https://vuldb.com/?ip.66.55.144.200) | 66.55.144.200.choopa.net | - | High
113 | [66.70.44.60](https://vuldb.com/?ip.66.70.44.60) | tunders.com | - | High
114 | [66.70.68.147](https://vuldb.com/?ip.66.70.68.147) | - | - | High
115 | [66.79.171.70](https://vuldb.com/?ip.66.79.171.70) | - | - | High
116 | [66.79.171.75](https://vuldb.com/?ip.66.79.171.75) | - | - | High
117 | [66.79.183.140](https://vuldb.com/?ip.66.79.183.140) | - | - | High
118 | [66.79.189.120](https://vuldb.com/?ip.66.79.189.120) | - | - | High
119 | [66.79.191.231](https://vuldb.com/?ip.66.79.191.231) | - | - | High
120 | [66.90.65.252](https://vuldb.com/?ip.66.90.65.252) | - | - | High
121 | [66.98.142.163](https://vuldb.com/?ip.66.98.142.163) | ns106.ehostpros.com | - | High
|
||||
122 | [66.98.176.62](https://vuldb.com/?ip.66.98.176.62) | ev1s-66-98-176-62.theplanet.com | - | High
|
||||
123 | [66.98.194.89](https://vuldb.com/?ip.66.98.194.89) | ns1.mygreatwebsite.net | - | High
|
||||
124 | ... | ... | ... | ...
|
||||
|
||||
There are 494 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by CoolWebSearch. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _CoolWebSearch_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Description | Confidence
|
||||
-- | --------- | ----------- | ----------
|
||||
1 | T1059.007 | Cross Site Scripting | High
|
||||
2 | T1068 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ...
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 7 more TTP items available. Please use our online service to access the data.
|
||||
There are 6 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by CoolWebSearch. This data is unique as it uses our predictive model for actor profiling.
|
||||
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by CoolWebSearch. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/.ssh/authorized_keys` | High
|
||||
2 | File | `/car.php` | Medium
|
||||
3 | File | `/context/%2e/WEB-INF/web.xml` | High
|
||||
4 | File | `/dashboards/#` | High
|
||||
5 | File | `/etc/controller-agent/agent.conf` | High
|
||||
6 | File | `/etc/sudoers` | Medium
|
||||
7 | File | `/filemanager/php/connector.php` | High
|
||||
8 | File | `/forum/away.php` | High
|
||||
9 | File | `/fudforum/adm/hlplist.php` | High
|
||||
10 | File | `/GponForm/fsetup_Form` | High
|
||||
11 | File | `/log_download.cgi` | High
|
||||
12 | File | `/modules/profile/index.php` | High
|
||||
13 | File | `/monitoring` | Medium
|
||||
14 | File | `/new` | Low
|
||||
15 | File | `/out.php` | Medium
|
||||
16 | File | `/proc/<pid>/status` | High
|
||||
17 | File | `/public/plugins/` | High
|
||||
18 | File | `/s/` | Low
|
||||
19 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
20 | File | `/server-info` | Medium
|
||||
21 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
|
||||
22 | File | `/tmp` | Low
|
||||
23 | File | `/tmp/kamailio_ctl` | High
|
||||
24 | File | `/tmp/kamailio_fifo` | High
|
||||
25 | File | `/uncpath/` | Medium
|
||||
26 | File | `/updown/upload.cgi` | High
|
||||
27 | File | `/usr/bin/pkexec` | High
|
||||
28 | File | `/way4acs/enroll` | High
|
||||
29 | File | `/WEB-INF/web.xml` | High
|
||||
30 | File | `/wp-json/wc/v3/webhooks` | High
|
||||
31 | File | `4.2.0.CP09` | Medium
|
||||
32 | File | `actions/CompanyDetailsSave.php` | High
|
||||
3 | File | `/CMD_ACCOUNT_ADMIN` | High
|
||||
4 | File | `/context/%2e/WEB-INF/web.xml` | High
|
||||
5 | File | `/core/admin/categories.php` | High
|
||||
6 | File | `/dashboards/#` | High
|
||||
7 | File | `/etc/sudoers` | Medium
|
||||
8 | File | `/filemanager/php/connector.php` | High
|
||||
9 | File | `/forum/away.php` | High
|
||||
10 | File | `/fudforum/adm/hlplist.php` | High
|
||||
11 | File | `/GponForm/fsetup_Form` | High
|
||||
12 | File | `/log_download.cgi` | High
|
||||
13 | File | `/modules/profile/index.php` | High
|
||||
14 | File | `/monitoring` | Medium
|
||||
15 | File | `/MTFWU` | Low
|
||||
16 | File | `/new` | Low
|
||||
17 | File | `/out.php` | Medium
|
||||
18 | File | `/proc/<pid>/status` | High
|
||||
19 | File | `/public/plugins/` | High
|
||||
20 | File | `/s/` | Low
|
||||
21 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
22 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
23 | File | `/server-info` | Medium
|
||||
24 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
|
||||
25 | File | `/tmp` | Low
|
||||
26 | File | `/uncpath/` | Medium
|
||||
27 | File | `/updown/upload.cgi` | High
|
||||
28 | File | `/usr/bin/pkexec` | High
|
||||
29 | File | `/way4acs/enroll` | High
|
||||
30 | File | `/WEB-INF/web.xml` | High
|
||||
31 | File | `/wp-json/wc/v3/webhooks` | High
|
||||
32 | File | `4.2.0.CP09` | Medium
|
||||
33 | ... | ... | ...
|
||||
|
||||
There are 283 more IOA items available. Please use our online service to access the data.
|
||||
There are 277 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://ddanchev.blogspot.com/2022/01/exposing-currently-active-coolwebsearch.html
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
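Review bot: row 92 of the IOC table, `65.110.40.789`, is not a valid IPv4 address (an octet cannot exceed 255), so the new link `https://vuldb.com/?ip.65.110.40.789` points at nothing and any blocklist built from this table will reject the line; drop or correct the row and have the generator check that every octet is in 0-255 before it emits an IOC. Two smaller points in the same hunk: in the TTP table the Weakness and Description columns disagree, row 3 (`3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High`) carries the name of CWE-307 next to CWE-798 (hard-coded credentials), and row 2's "Execution with Unnecessary Privileges" is the CWE-250 name, not CWE-264/266/284, so one of the two columns is filled from the wrong lookup; and the IOA row `32 | File | 4.2.0.CP09 | Medium` is a product version string, not a file path, and should be typed accordingly or removed.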
@ -1,6 +1,6 @@
|
|||
# CopyKittens - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [CopyKittens](https://vuldb.com/?actor.copykittens). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [CopyKittens](https://vuldb.com/?actor.copykittens). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.copykittens](https://vuldb.com/?actor.copykittens)
|
||||
|
||||
|
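Review bot: the rewritten lead sentence now says the indicators were "reported, collected, and generated", which puts model-generated items into the same tables as observed ones, but nothing in the tables below marks which is which; the Confidence column is the only hint. Either state here what Confidence means for a generated versus a reported item, or add a Source column to the IOC and IOA tables, because a defender blocks an observed C2 address and only hunts for a predicted one.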
@ -14,9 +14,9 @@ The following _campaigns_ are known and can be associated with CopyKittens:
|
|||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with CopyKittens:
|
||||
|
||||
* PL
|
||||
* FR
|
||||
* ES
|
||||
* [ES](https://vuldb.com/?country.es)
|
||||
* [PL](https://vuldb.com/?country.pl)
|
||||
* [FR](https://vuldb.com/?country.fr)
|
||||
* ...
|
||||
|
||||
There are 5 more country items available. Please use our online service to access the data.
|
||||
|
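Review bot: the country list is reordered from PL, FR, ES to ES, PL, FR while being turned into links, and no sort key is stated, so a reader cannot tell whether position carries meaning. Name the ordering in the lead sentence (for example by number of associated indicators) or sort alphabetically; otherwise every regeneration produces a diff like this one that carries no information.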
@ -27,30 +27,30 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
|
|||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 5.34.180.252 | vds-uuallex-113169.hosted-by-itldc.com | Wilted Tulip | High
|
||||
2 | 5.34.181.13 | backups231.com | Wilted Tulip | High
|
||||
3 | 31.192.105.16 | down-it-niscat.cosmeticdentistwellesley.com | Wilted Tulip | High
|
||||
4 | 31.192.105.17 | - | Wilted Tulip | High
|
||||
5 | 31.192.105.28 | - | Wilted Tulip | High
|
||||
6 | 38.130.75.20 | h20-us75.fcsrv.net | Wilted Tulip | High
|
||||
7 | 51.254.76.54 | - | Wilted Tulip | High
|
||||
8 | 62.109.2.52 | ns.leangroup.ru | Wilted Tulip | High
|
||||
9 | 62.109.2.109 | mediclick.ru | - | High
|
||||
10 | 66.55.152.164 | 66-55-152-164.choopa.net | Wilted Tulip | High
|
||||
11 | 68.232.180.122 | 68-232-180-122.choopa.net | Wilted Tulip | High
|
||||
12 | 80.179.42.37 | 80.179.42.37.forward.012.net.il | Wilted Tulip | High
|
||||
13 | 80.179.42.44 | lnkrten-dazling.linegrace.com | - | High
|
||||
14 | 86.105.18.5 | - | - | High
|
||||
15 | 93.190.138.137 | 93-190-138-137.hosted-by-worldstream.net | Wilted Tulip | High
|
||||
16 | 104.200.128.48 | - | Wilted Tulip | High
|
||||
17 | 104.200.128.58 | - | Wilted Tulip | High
|
||||
1 | [5.34.180.252](https://vuldb.com/?ip.5.34.180.252) | vds-uuallex-113169.hosted-by-itldc.com | Wilted Tulip | High
|
||||
2 | [5.34.181.13](https://vuldb.com/?ip.5.34.181.13) | backups231.com | Wilted Tulip | High
|
||||
3 | [31.192.105.16](https://vuldb.com/?ip.31.192.105.16) | down-it-niscat.cosmeticdentistwellesley.com | Wilted Tulip | High
|
||||
4 | [31.192.105.17](https://vuldb.com/?ip.31.192.105.17) | - | Wilted Tulip | High
|
||||
5 | [31.192.105.28](https://vuldb.com/?ip.31.192.105.28) | - | Wilted Tulip | High
|
||||
6 | [38.130.75.20](https://vuldb.com/?ip.38.130.75.20) | h20-us75.fcsrv.net | Wilted Tulip | High
|
||||
7 | [51.254.76.54](https://vuldb.com/?ip.51.254.76.54) | - | Wilted Tulip | High
|
||||
8 | [62.109.2.52](https://vuldb.com/?ip.62.109.2.52) | ns.leangroup.ru | Wilted Tulip | High
|
||||
9 | [62.109.2.109](https://vuldb.com/?ip.62.109.2.109) | mediclick.ru | - | High
|
||||
10 | [66.55.152.164](https://vuldb.com/?ip.66.55.152.164) | 66-55-152-164.choopa.net | Wilted Tulip | High
|
||||
11 | [68.232.180.122](https://vuldb.com/?ip.68.232.180.122) | 68-232-180-122.choopa.net | Wilted Tulip | High
|
||||
12 | [80.179.42.37](https://vuldb.com/?ip.80.179.42.37) | 80.179.42.37.forward.012.net.il | Wilted Tulip | High
|
||||
13 | [80.179.42.44](https://vuldb.com/?ip.80.179.42.44) | lnkrten-dazling.linegrace.com | - | High
|
||||
14 | [86.105.18.5](https://vuldb.com/?ip.86.105.18.5) | - | - | High
|
||||
15 | [93.190.138.137](https://vuldb.com/?ip.93.190.138.137) | 93-190-138-137.hosted-by-worldstream.net | Wilted Tulip | High
|
||||
16 | [104.200.128.48](https://vuldb.com/?ip.104.200.128.48) | - | Wilted Tulip | High
|
||||
17 | [104.200.128.58](https://vuldb.com/?ip.104.200.128.58) | - | Wilted Tulip | High
|
||||
18 | ... | ... | ... | ...
|
||||
|
||||
There are 67 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by CopyKittens. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _CopyKittens_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
|
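Review bot: the Hostname column holds reverse-DNS results captured at some unstated time, and for VPS ranges those names identify the provider rather than the actor (`vds-uuallex-113169.hosted-by-itldc.com`, `66-55-152-164.choopa.net`, `93-190-138-137.hosted-by-worldstream.net`); addresses at such providers are reassigned frequently. Linking the IP is a good step, but the table still needs a first-seen or last-seen date, or the lead sentence should say when the rDNS lookup was taken, so that the Wilted Tulip rows are not blocked years after the infrastructure moved on.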
@ -69,32 +69,27 @@ ID | Type | Indicator | Confidence
|
|||
-- | ---- | --------- | ----------
|
||||
1 | File | `/about/../` | Medium
|
||||
2 | File | `/admin/admin.php?module=admin_group_edit&agID` | High
|
||||
3 | File | `/admin/comment.php` | High
|
||||
4 | File | `/admin/configure.php` | High
|
||||
5 | File | `/admin/index.php?lfj=member&action=editmember` | High
|
||||
6 | File | `/admin/login.php` | High
|
||||
7 | File | `/api/notify.php` | High
|
||||
8 | File | `/box_code_base.c` | High
|
||||
9 | File | `/EXCU_SHELL` | Medium
|
||||
10 | File | `/forgetpassword.php` | High
|
||||
11 | File | `/formAdvFirewall` | High
|
||||
12 | File | `/function/booksave.php` | High
|
||||
13 | File | `/home/user/dir` | High
|
||||
14 | File | `/jerry-core/ecma/base/ecma-helpers-conversion.c` | High
|
||||
15 | File | `/moddable/xs/sources/xsDataView.c` | High
|
||||
16 | File | `abc2ps.c` | Medium
|
||||
17 | File | `acknow.php` | Medium
|
||||
18 | File | `adminlogin.php` | High
|
||||
19 | File | `admin_home.php` | High
|
||||
3 | File | `/admin/configure.php` | High
|
||||
4 | File | `/admin/index.php?lfj=member&action=editmember` | High
|
||||
5 | File | `/admin/login.php` | High
|
||||
6 | File | `/apilog.php` | Medium
|
||||
7 | File | `/box_code_base.c` | High
|
||||
8 | File | `/cloud_config/router_post/upgrade_info` | High
|
||||
9 | File | `/forgetpassword.php` | High
|
||||
10 | File | `/formAdvFirewall` | High
|
||||
11 | File | `/function/booksave.php` | High
|
||||
12 | File | `/jerry-core/ecma/base/ecma-helpers-conversion.c` | High
|
||||
13 | File | `/moddable/xs/sources/xsDataView.c` | High
|
||||
14 | File | `/ok_png.c` | Medium
|
||||
15 | File | `abc2ps.c` | Medium
|
||||
16 | File | `acknow.php` | Medium
|
||||
17 | File | `adminlogin.php` | High
|
||||
18 | File | `admin_home.php` | High
|
||||
19 | File | `alfresco/s/admin/admin-nodebrowser` | High
|
||||
20 | File | `allocator.cc` | Medium
|
||||
21 | File | `AndroidManifest.xml` | High
|
||||
22 | File | `archive_read_support_format_iso9660.c` | High
|
||||
23 | File | `AscoServer.exe` | High
|
||||
24 | File | `AudioOutputSpeech.cpp` | High
|
||||
25 | File | `box_code_base.c` | High
|
||||
26 | ... | ... | ...
|
||||
21 | ... | ... | ...
|
||||
|
||||
There are 216 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 178 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
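Review bot: the regenerated File rows mix artefacts that need different handling under one type: HTTP paths that appear in web logs (`/admin/login.php`, `/formAdvFirewall`, `/cloud_config/router_post/upgrade_info`), source files named in vulnerability write-ups (`/jerry-core/ecma/base/ecma-helpers-conversion.c`, `/ok_png.c`, `abc2ps.c`), and an Alfresco admin endpoint without a leading slash (`alfresco/s/admin/admin-nodebrowser`). A source filename cannot be matched in proxy or WAF logs, so either split the type (URL path versus source file) or say in the IOA lead sentence how a source-file indicator is meant to be used, and normalise the leading slash so the same path cannot be listed twice in different forms.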
@ -1,26 +1,26 @@
|
|||
# CryptoWall 2.0 - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [CryptoWall 2.0](https://vuldb.com/?actor.cryptowall_2.0). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [CryptoWall 2.0](https://vuldb.com/?actor.cryptowall_2.0). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.cryptowall_2.0](https://vuldb.com/?actor.cryptowall_2.0)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.cryptowall_2.0](https://vuldb.com/?actor.cryptowall_2.0)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of CryptoWall 2.0.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of CryptoWall 2.0.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 151.248.115.146 | et-cetera.ru | High
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [151.248.115.146](https://vuldb.com/?ip.151.248.115.146) | et-cetera.ru | - | High
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://unit42.paloaltonetworks.com/tracking-new-ransomware-cryptowall-2-0/
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
@ -32,7 +32,7 @@ There are 20 more IOC items available. Please use our online service to access t
|
|||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Cyclops Blink_. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Cyclops Blink_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
|
@ -58,7 +58,7 @@ ID | Type | Indicator | Confidence
|
|||
7 | File | `ajax.php?type=../admin-panel/autoload&page=manage-users` | High
|
||||
8 | ... | ... | ...
|
||||
|
||||
There are 59 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 60 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -33,7 +33,7 @@ There are 11 more IOC items available. Please use our online service to access t
|
|||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _DEV-0322_. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _DEV-0322_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
|
|
|
@ -10,7 +10,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [RU](https://vuldb.com/?country.ru)
|
||||
* [FR](https://vuldb.com/?country.fr)
|
||||
* [IO](https://vuldb.com/?country.io)
|
||||
* ...
|
||||
|
||||
There are 1 more country items available. Please use our online service to access the data.
|
||||
|
@ -30,7 +30,7 @@ There are 1 more IOC items available. Please use our online service to access th
|
|||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _DNSBirthday_. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _DNSBirthday_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
|
@ -45,10 +45,10 @@ ID | Type | Indicator | Confidence
|
|||
-- | ---- | --------- | ----------
|
||||
1 | File | `/forum/away.php` | High
|
||||
2 | File | `/modules/profile/index.php` | High
|
||||
3 | File | `data/gbconfiguration.dat` | High
|
||||
3 | File | `/probe?target` | High
|
||||
4 | ... | ... | ...
|
||||
|
||||
There are 19 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 20 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
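Review bot: the new row `3 | File | /probe?target | High` puts a query-parameter name into a File indicator; the count line in the same hunk lists `argument` as its own IOA type, so `target` belongs there and the File row should be the bare path `/probe`. As written, a literal match on `/probe?target` fails as soon as another parameter precedes `target` in the request.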
@ -1,26 +1,26 @@
|
|||
# Darkkomet - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Darkkomet](https://vuldb.com/?actor.darkkomet). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Darkkomet](https://vuldb.com/?actor.darkkomet). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.darkkomet](https://vuldb.com/?actor.darkkomet)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.darkkomet](https://vuldb.com/?actor.darkkomet)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Darkkomet.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Darkkomet.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 209.99.40.222 | 209-99-40-222.fwd.datafoundry.com | High
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [209.99.40.222](https://vuldb.com/?ip.209.99.40.222) | 209-99-40-222.fwd.datafoundry.com | - | High
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# Deep Panda - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Deep Panda](https://vuldb.com/?actor.deep_panda). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Deep Panda](https://vuldb.com/?actor.deep_panda). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.deep_panda](https://vuldb.com/?actor.deep_panda)
|
||||
|
||||
|
@ -8,8 +8,8 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
|
|||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Deep Panda:
|
||||
|
||||
* CA
|
||||
* US
|
||||
* [CA](https://vuldb.com/?country.ca)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -17,9 +17,9 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
|
|||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 1.9.5.38 | - | - | High
|
||||
2 | 142.91.76.134 | mx3.29v.info | - | High
|
||||
3 | 184.71.210.4 | - | - | High
|
||||
1 | [1.9.5.38](https://vuldb.com/?ip.1.9.5.38) | - | - | High
|
||||
2 | [142.91.76.134](https://vuldb.com/?ip.142.91.76.134) | mx3.29v.info | - | High
|
||||
3 | [184.71.210.4](https://vuldb.com/?ip.184.71.210.4) | - | - | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 3 more IOC items available. Please use our online service to access the data.
|
||||
|
|
|
@ -1,26 +1,26 @@
|
|||
# Dokkaebi - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Dokkaebi](https://vuldb.com/?actor.dokkaebi). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Dokkaebi](https://vuldb.com/?actor.dokkaebi). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.dokkaebi](https://vuldb.com/?actor.dokkaebi)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.dokkaebi](https://vuldb.com/?actor.dokkaebi)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Dokkaebi.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Dokkaebi.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 7.0.4.325 | - | High
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [7.0.4.325](https://vuldb.com/?ip.7.0.4.325) | - | - | High
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://www.threatminer.org/report.php?q=FSIThreatIntelligenceReport-CampaignDOKKAEBI.pdf&y=2018
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
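Review bot: the only IOC in this file, `7.0.4.325`, is not an IPv4 address (the last octet exceeds 255); it reads like a software version number that the extractor matched as a dotted quad. The new link `https://vuldb.com/?ip.7.0.4.325` cannot resolve, and a consumer feeding this table into a firewall gets a parse error. Validate each octet at generation time and drop the row; with it gone the IOC section for this actor is empty and should say so rather than render a table.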
@ -43,7 +43,7 @@ There are 38 more IOC items available. Please use our online service to access t
|
|||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Donot_. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Donot_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
|
|
|
@ -32,7 +32,7 @@ There are 22 more IOC items available. Please use our online service to access t
|
|||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Dukes_. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Dukes_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# Emotet - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Emotet](https://vuldb.com/?actor.emotet). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Emotet](https://vuldb.com/?actor.emotet). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.emotet](https://vuldb.com/?actor.emotet)
|
||||
|
||||
|
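Review bot: the rewritten intro now says the indicators were "reported, collected, and generated", but nothing in the IOC tables below distinguishes an observed indicator from a model-generated one, and the Confidence column is the only quality signal a consumer gets. If some rows are predictions, mark that per row or in the column description so nobody feeds a forecast straight into a firewall blocklist; otherwise keep "collected" and drop "generated".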
@ -8,9 +8,9 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
|
|||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Emotet:
|
||||
|
||||
* VN
|
||||
* CN
|
||||
* US
|
||||
* [VN](https://vuldb.com/?country.vn)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [CN](https://vuldb.com/?country.cn)
|
||||
* ...
|
||||
|
||||
There are 1 more country items available. Please use our online service to access the data.
|
||||
|
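Review bot: the country list is re-ordered from VN, CN, US to VN, US, CN with no stated sort key, so a reader cannot tell whether position carries meaning (share of observed activity, confidence, or nothing). State the ordering criterion in the sentence above the list or keep the order stable across updates. While here, the unchanged trailer "There are 1 more country items available" should read "There is 1 more country item available".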
@ -21,174 +21,180 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
|
|||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 1.186.249.82 | 1.186.249.82.dvois.com | - | High
|
||||
2 | 1.226.84.243 | - | - | High
|
||||
3 | 2.58.16.86 | - | - | High
|
||||
4 | 2.58.16.89 | - | - | High
|
||||
5 | 2.82.75.215 | bl21-75-215.dsl.telepac.pt | - | High
|
||||
6 | 5.2.84.232 | momos.alastyr.com | - | High
|
||||
7 | 5.2.136.90 | static-5-2-136-90.rdsnet.ro | - | High
|
||||
8 | 5.2.182.7 | static-5-2-182-7.rdsnet.ro | - | High
|
||||
9 | 5.2.212.254 | static-5-2-212-254.rdsnet.ro | - | High
|
||||
10 | 5.9.189.24 | static.24.189.9.5.clients.your-server.de | - | High
|
||||
11 | 5.12.246.155 | 5-12-246-155.residential.rdsnet.ro | - | High
|
||||
12 | 5.35.249.46 | rs250366.rs.hosteurope.de | - | High
|
||||
13 | 5.39.91.110 | ns3278366.ip-5-39-91.eu | - | High
|
||||
14 | 5.79.70.250 | - | - | High
|
||||
15 | 5.89.33.136 | net-5-89-33-136.cust.vodafonedsl.it | - | High
|
||||
16 | 5.159.57.195 | www-riedle.transfermarkt.de | - | High
|
||||
17 | 5.196.35.138 | vps10.open-techno.net | - | High
|
||||
18 | 5.230.193.41 | casagarcia-web.sys.netzfabrik.eu | - | High
|
||||
19 | 8.4.9.137 | onlinehorizons.net | - | High
|
||||
20 | 8.247.6.134 | - | - | High
|
||||
21 | 12.32.68.154 | mail.sealscoinc.com | - | High
|
||||
22 | 12.149.72.170 | - | - | High
|
||||
23 | 12.162.84.2 | - | - | High
|
||||
24 | 12.163.208.58 | - | - | High
|
||||
25 | 12.182.146.226 | - | - | High
|
||||
26 | 12.184.217.101 | - | - | High
|
||||
27 | 23.6.65.194 | a23-6-65-194.deploy.static.akamaitechnologies.com | - | High
|
||||
28 | 23.36.85.183 | a23-36-85-183.deploy.static.akamaitechnologies.com | - | High
|
||||
29 | 23.199.63.11 | a23-199-63-11.deploy.static.akamaitechnologies.com | - | High
|
||||
30 | 23.199.71.185 | a23-199-71-185.deploy.static.akamaitechnologies.com | - | High
|
||||
31 | 23.239.2.11 | li683-11.members.linode.com | - | High
|
||||
32 | 24.43.99.75 | rrcs-24-43-99-75.west.biz.rr.com | - | High
|
||||
33 | 24.101.229.82 | dynamic-acs-24-101-229-82.zoominternet.net | - | High
|
||||
34 | 24.119.116.230 | 24-119-116-230.cpe.sparklight.net | - | High
|
||||
35 | 24.121.176.48 | 24-121-176-48.prkrcmtc01.com.sta.suddenlink.net | - | High
|
||||
36 | 24.137.76.62 | host-24-137-76-62.public.eastlink.ca | - | High
|
||||
37 | 24.178.90.49 | 024-178-090-049.res.spectrum.com | - | High
|
||||
38 | 24.179.13.119 | 024-179-013-119.res.spectrum.com | - | High
|
||||
39 | 24.217.117.217 | 024-217-117-217.res.spectrum.com | - | High
|
||||
40 | 24.232.228.233 | OL233-228.fibertel.com.ar | - | High
|
||||
41 | 24.244.177.40 | - | - | High
|
||||
42 | 27.78.27.110 | localhost | - | High
|
||||
43 | 27.82.13.10 | KD027082013010.ppp-bb.dion.ne.jp | - | High
|
||||
44 | 27.109.24.214 | - | - | High
|
||||
45 | 27.114.9.93 | i27-114-9-93.s41.a011.ap.plala.or.jp | - | High
|
||||
46 | 36.91.44.183 | - | - | High
|
||||
47 | 37.46.129.215 | we-too.ru | - | High
|
||||
48 | 37.97.135.82 | 37-97-135-82.colo.transip.net | - | High
|
||||
49 | 37.139.21.175 | 37.139.21.175-e2-8080-keep-up | - | High
|
||||
50 | 37.179.204.33 | - | - | High
|
||||
51 | 37.187.4.178 | ks2.kku.io | - | High
|
||||
52 | 37.187.57.57 | ns3357940.ovh.net | - | High
|
||||
53 | 37.187.72.193 | ns3362285.ip-37-187-72.eu | - | High
|
||||
54 | 37.187.161.206 | toolbox.alabs.io | - | High
|
||||
55 | 37.205.9.252 | s1.ithelp24.eu | - | High
|
||||
56 | 37.221.70.250 | b2b-customer.inftele.net | - | High
|
||||
57 | 41.76.108.46 | - | - | High
|
||||
58 | 41.169.36.237 | - | - | High
|
||||
59 | 41.185.28.84 | brf01-nix01.wadns.net | - | High
|
||||
60 | 41.185.29.128 | abp79-nix01.wadns.net | - | High
|
||||
61 | 41.231.225.139 | - | - | High
|
||||
62 | 42.62.40.103 | - | - | High
|
||||
63 | 45.16.226.117 | 45-16-226-117.lightspeed.sndgca.sbcglobal.net | - | High
|
||||
64 | 45.33.77.42 | li1023-42.members.linode.com | - | High
|
||||
65 | 45.46.37.97 | cpe-45-46-37-97.maine.res.rr.com | - | High
|
||||
66 | 45.55.36.51 | - | - | High
|
||||
67 | 45.55.219.163 | - | - | High
|
||||
68 | 45.79.95.107 | li1194-107.members.linode.com | - | High
|
||||
69 | 45.80.148.200 | - | - | High
|
||||
70 | 45.118.115.99 | - | - | High
|
||||
71 | 45.118.135.203 | 45-118-135-203.ip.linodeusercontent.com | - | High
|
||||
72 | 45.142.114.231 | mail.dounutmail.de | - | High
|
||||
73 | 45.230.45.171 | - | - | High
|
||||
74 | 46.4.100.178 | support.wizard-shopservice.de | - | High
|
||||
75 | 46.4.192.185 | static.185.192.4.46.clients.your-server.de | - | High
|
||||
76 | 46.28.111.142 | enkindu.jsuchy.net | - | High
|
||||
77 | 46.32.229.152 | 094882.vps-10.com | - | High
|
||||
78 | 46.32.233.226 | yetitoolusa.com | - | High
|
||||
79 | 46.38.238.8 | v2202109122001163131.happysrv.de | - | High
|
||||
80 | 46.43.2.95 | chris.default.cjenkinson.uk0.bigv.io | - | High
|
||||
81 | 46.55.222.11 | - | - | High
|
||||
82 | 46.101.58.37 | 46.101.58.37-e1-8080 | - | High
|
||||
83 | 46.105.81.76 | myu0.cylipo.sbs | - | High
|
||||
84 | 46.105.114.137 | ns3188253.ip-46-105-114.eu | - | High
|
||||
85 | 46.105.131.68 | http.adven.fr | - | High
|
||||
86 | 46.105.131.79 | relay.adven.fr | - | High
|
||||
87 | 46.105.131.87 | pop.adven.fr | - | High
|
||||
88 | 46.105.236.18 | - | - | High
|
||||
89 | 46.165.254.206 | - | - | High
|
||||
90 | 46.214.107.142 | 46-214-107-142.next-gen.ro | - | High
|
||||
91 | 47.36.140.164 | 047-036-140-164.res.spectrum.com | - | High
|
||||
92 | 47.146.39.147 | - | - | High
|
||||
93 | 47.188.131.94 | - | - | High
|
||||
94 | 49.12.121.47 | filezilla-project.org | - | High
|
||||
95 | 49.50.209.131 | 131.host-49-50-209.euba.megatel.co.nz | - | High
|
||||
96 | 49.212.135.76 | os3-321-50322.vs.sakura.ne.jp | - | High
|
||||
97 | 49.212.155.94 | os3-325-52340.vs.sakura.ne.jp | - | High
|
||||
98 | 50.28.51.143 | - | - | High
|
||||
99 | 50.31.146.101 | mail.brillinjurylaw.com | - | High
|
||||
100 | 50.56.135.44 | - | - | High
|
||||
101 | 50.91.114.38 | 050-091-114-038.res.spectrum.com | - | High
|
||||
102 | 50.116.78.109 | intersearchmedia.com | - | High
|
||||
103 | 50.245.107.73 | 50-245-107-73-static.hfc.comcastbusiness.net | - | High
|
||||
104 | 51.15.4.22 | 51-15-4-22.rev.poneytelecom.eu | - | High
|
||||
105 | 51.15.7.145 | 51-15-7-145.rev.poneytelecom.eu | - | High
|
||||
106 | 51.75.33.127 | ip127.ip-51-75-33.eu | - | High
|
||||
107 | 51.89.36.180 | ip180.ip-51-89-36.eu | - | High
|
||||
108 | 51.89.199.141 | ip141.ip-51-89-199.eu | - | High
|
||||
109 | 51.255.165.160 | 160.ip-51-255-165.eu | - | High
|
||||
110 | 54.38.143.245 | tools.inovato.me | - | High
|
||||
111 | 58.27.215.3 | 58-27-215-3.wateen.net | - | High
|
||||
112 | 58.94.58.13 | i58-94-58-13.s41.a014.ap.plala.or.jp | - | High
|
||||
113 | 58.227.42.236 | - | - | High
|
||||
114 | 59.148.253.194 | 059148253194.ctinets.com | - | High
|
||||
115 | 60.93.23.51 | softbank060093023051.bbtec.net | - | High
|
||||
116 | 60.108.128.186 | softbank060108128186.bbtec.net | - | High
|
||||
117 | 60.125.114.64 | softbank060125114064.bbtec.net | - | High
|
||||
118 | 60.249.78.226 | 60-249-78-226.hinet-ip.hinet.net | - | High
|
||||
119 | 61.19.246.238 | - | - | High
|
||||
120 | 62.30.7.67 | 67.7-30-62.static.virginmediabusiness.co.uk | - | High
|
||||
121 | 62.75.141.82 | static-ip-62-75-141-82.inaddr.ip-pool.com | - | High
|
||||
122 | 62.84.75.50 | mail.saadegrp.com.lb | - | High
|
||||
123 | 62.171.142.179 | vmi499457.contaboserver.net | - | High
|
||||
124 | 62.212.34.102 | - | - | High
|
||||
125 | 64.207.182.168 | - | - | High
|
||||
126 | 66.54.51.172 | - | - | High
|
||||
127 | 66.76.26.33 | 66-76-26-33.hdsncmta01.com.sta.suddenlink.net | - | High
|
||||
128 | 66.228.61.248 | li318-248.members.linode.com | - | High
|
||||
129 | 67.19.105.107 | ns2.datatrust.com.br | - | High
|
||||
130 | 67.170.250.203 | c-67-170-250-203.hsd1.ca.comcast.net | - | High
|
||||
131 | 68.2.97.91 | ip68-2-97-91.ph.ph.cox.net | - | High
|
||||
132 | 68.183.170.114 | 68.183.170.114-e1-8080-keep-up | - | High
|
||||
133 | 68.183.190.199 | 68.183.190.199-e1-8080-keep-up | - | High
|
||||
134 | 69.17.170.58 | unallocated-static.rogers.com | - | High
|
||||
135 | 69.43.168.200 | ns0.imunplugged.com | - | High
|
||||
136 | 69.45.19.251 | coastinet.com | - | High
|
||||
137 | 69.167.152.111 | - | - | High
|
||||
138 | 70.32.84.74 | - | - | High
|
||||
139 | 70.32.89.105 | parties-at-sea.com | - | High
|
||||
140 | 70.32.92.133 | popdesigngroup.com | - | High
|
||||
141 | 70.32.115.157 | harpotripofalifetime.com | - | High
|
||||
142 | 70.168.7.6 | wsip-70-168-7-6.ri.ri.cox.net | - | High
|
||||
143 | 70.182.77.184 | wsip-70-182-77-184.ok.ok.cox.net | - | High
|
||||
144 | 70.184.125.132 | wsip-70-184-125-132.ph.ph.cox.net | - | High
|
||||
145 | 71.15.245.148 | 071-015-245-148.res.spectrum.com | - | High
|
||||
146 | 71.197.211.156 | c-71-197-211-156.hsd1.wa.comcast.net | - | High
|
||||
147 | 71.244.60.231 | static-71-244-60-231.dllstx.fios.frontiernet.net | - | High
|
||||
148 | 72.10.49.117 | rtw7-rfpn.accessdomain.com | - | High
|
||||
149 | 72.18.204.17 | lasvegas-nv-datacenter.com | - | High
|
||||
150 | 72.45.212.62 | nyinstituteofmassage.com | - | High
|
||||
151 | 72.186.136.247 | 072-186-136-247.biz.spectrum.com | - | High
|
||||
152 | 73.8.195.237 | c-73-8-195-237.hsd1.il.comcast.net | - | High
|
||||
153 | ... | ... | ... | ...
|
||||
1 | [1.186.249.82](https://vuldb.com/?ip.1.186.249.82) | 1.186.249.82.dvois.com | - | High
|
||||
2 | [1.226.84.243](https://vuldb.com/?ip.1.226.84.243) | - | - | High
|
||||
3 | [2.58.16.86](https://vuldb.com/?ip.2.58.16.86) | - | - | High
|
||||
4 | [2.58.16.89](https://vuldb.com/?ip.2.58.16.89) | - | - | High
|
||||
5 | [2.82.75.215](https://vuldb.com/?ip.2.82.75.215) | bl21-75-215.dsl.telepac.pt | - | High
|
||||
6 | [5.2.84.232](https://vuldb.com/?ip.5.2.84.232) | momos.alastyr.com | - | High
|
||||
7 | [5.2.136.90](https://vuldb.com/?ip.5.2.136.90) | static-5-2-136-90.rdsnet.ro | - | High
|
||||
8 | [5.2.182.7](https://vuldb.com/?ip.5.2.182.7) | static-5-2-182-7.rdsnet.ro | - | High
|
||||
9 | [5.2.212.254](https://vuldb.com/?ip.5.2.212.254) | static-5-2-212-254.rdsnet.ro | - | High
|
||||
10 | [5.9.189.24](https://vuldb.com/?ip.5.9.189.24) | static.24.189.9.5.clients.your-server.de | - | High
|
||||
11 | [5.12.246.155](https://vuldb.com/?ip.5.12.246.155) | 5-12-246-155.residential.rdsnet.ro | - | High
|
||||
12 | [5.35.249.46](https://vuldb.com/?ip.5.35.249.46) | rs250366.rs.hosteurope.de | - | High
|
||||
13 | [5.39.91.110](https://vuldb.com/?ip.5.39.91.110) | ns3278366.ip-5-39-91.eu | - | High
|
||||
14 | [5.79.70.250](https://vuldb.com/?ip.5.79.70.250) | - | - | High
|
||||
15 | [5.89.33.136](https://vuldb.com/?ip.5.89.33.136) | net-5-89-33-136.cust.vodafonedsl.it | - | High
|
||||
16 | [5.159.57.195](https://vuldb.com/?ip.5.159.57.195) | www-riedle.transfermarkt.de | - | High
|
||||
17 | [5.196.35.138](https://vuldb.com/?ip.5.196.35.138) | vps10.open-techno.net | - | High
|
||||
18 | [5.230.193.41](https://vuldb.com/?ip.5.230.193.41) | casagarcia-web.sys.netzfabrik.eu | - | High
|
||||
19 | [8.4.9.137](https://vuldb.com/?ip.8.4.9.137) | onlinehorizons.net | - | High
|
||||
20 | [8.247.6.134](https://vuldb.com/?ip.8.247.6.134) | - | - | High
|
||||
21 | [12.32.68.154](https://vuldb.com/?ip.12.32.68.154) | mail.sealscoinc.com | - | High
|
||||
22 | [12.149.72.170](https://vuldb.com/?ip.12.149.72.170) | - | - | High
|
||||
23 | [12.162.84.2](https://vuldb.com/?ip.12.162.84.2) | - | - | High
|
||||
24 | [12.163.208.58](https://vuldb.com/?ip.12.163.208.58) | - | - | High
|
||||
25 | [12.182.146.226](https://vuldb.com/?ip.12.182.146.226) | - | - | High
|
||||
26 | [12.184.217.101](https://vuldb.com/?ip.12.184.217.101) | - | - | High
|
||||
27 | [23.6.65.194](https://vuldb.com/?ip.23.6.65.194) | a23-6-65-194.deploy.static.akamaitechnologies.com | - | High
|
||||
28 | [23.36.85.183](https://vuldb.com/?ip.23.36.85.183) | a23-36-85-183.deploy.static.akamaitechnologies.com | - | High
|
||||
29 | [23.199.63.11](https://vuldb.com/?ip.23.199.63.11) | a23-199-63-11.deploy.static.akamaitechnologies.com | - | High
|
||||
30 | [23.199.71.185](https://vuldb.com/?ip.23.199.71.185) | a23-199-71-185.deploy.static.akamaitechnologies.com | - | High
|
||||
31 | [23.239.2.11](https://vuldb.com/?ip.23.239.2.11) | li683-11.members.linode.com | - | High
|
||||
32 | [24.43.99.75](https://vuldb.com/?ip.24.43.99.75) | rrcs-24-43-99-75.west.biz.rr.com | - | High
|
||||
33 | [24.101.229.82](https://vuldb.com/?ip.24.101.229.82) | dynamic-acs-24-101-229-82.zoominternet.net | - | High
|
||||
34 | [24.119.116.230](https://vuldb.com/?ip.24.119.116.230) | 24-119-116-230.cpe.sparklight.net | - | High
|
||||
35 | [24.121.176.48](https://vuldb.com/?ip.24.121.176.48) | 24-121-176-48.prkrcmtc01.com.sta.suddenlink.net | - | High
|
||||
36 | [24.137.76.62](https://vuldb.com/?ip.24.137.76.62) | host-24-137-76-62.public.eastlink.ca | - | High
|
||||
37 | [24.178.90.49](https://vuldb.com/?ip.24.178.90.49) | 024-178-090-049.res.spectrum.com | - | High
|
||||
38 | [24.179.13.119](https://vuldb.com/?ip.24.179.13.119) | 024-179-013-119.res.spectrum.com | - | High
|
||||
39 | [24.217.117.217](https://vuldb.com/?ip.24.217.117.217) | 024-217-117-217.res.spectrum.com | - | High
|
||||
40 | [24.232.228.233](https://vuldb.com/?ip.24.232.228.233) | OL233-228.fibertel.com.ar | - | High
|
||||
41 | [24.244.177.40](https://vuldb.com/?ip.24.244.177.40) | - | - | High
|
||||
42 | [27.78.27.110](https://vuldb.com/?ip.27.78.27.110) | localhost | - | High
|
||||
43 | [27.82.13.10](https://vuldb.com/?ip.27.82.13.10) | KD027082013010.ppp-bb.dion.ne.jp | - | High
|
||||
44 | [27.109.24.214](https://vuldb.com/?ip.27.109.24.214) | - | - | High
|
||||
45 | [27.114.9.93](https://vuldb.com/?ip.27.114.9.93) | i27-114-9-93.s41.a011.ap.plala.or.jp | - | High
|
||||
46 | [35.190.87.116](https://vuldb.com/?ip.35.190.87.116) | 116.87.190.35.bc.googleusercontent.com | - | Medium
|
||||
47 | [36.91.44.183](https://vuldb.com/?ip.36.91.44.183) | - | - | High
|
||||
48 | [37.46.129.215](https://vuldb.com/?ip.37.46.129.215) | we-too.ru | - | High
|
||||
49 | [37.97.135.82](https://vuldb.com/?ip.37.97.135.82) | 37-97-135-82.colo.transip.net | - | High
|
||||
50 | [37.139.21.175](https://vuldb.com/?ip.37.139.21.175) | 37.139.21.175-e2-8080-keep-up | - | High
|
||||
51 | [37.179.204.33](https://vuldb.com/?ip.37.179.204.33) | - | - | High
|
||||
52 | [37.187.4.178](https://vuldb.com/?ip.37.187.4.178) | ks2.kku.io | - | High
|
||||
53 | [37.187.57.57](https://vuldb.com/?ip.37.187.57.57) | ns3357940.ovh.net | - | High
|
||||
54 | [37.187.72.193](https://vuldb.com/?ip.37.187.72.193) | ns3362285.ip-37-187-72.eu | - | High
|
||||
55 | [37.187.161.206](https://vuldb.com/?ip.37.187.161.206) | toolbox.alabs.io | - | High
|
||||
56 | [37.205.9.252](https://vuldb.com/?ip.37.205.9.252) | s1.ithelp24.eu | - | High
|
||||
57 | [37.221.70.250](https://vuldb.com/?ip.37.221.70.250) | b2b-customer.inftele.net | - | High
|
||||
58 | [41.76.108.46](https://vuldb.com/?ip.41.76.108.46) | - | - | High
|
||||
59 | [41.169.36.237](https://vuldb.com/?ip.41.169.36.237) | - | - | High
|
||||
60 | [41.185.28.84](https://vuldb.com/?ip.41.185.28.84) | brf01-nix01.wadns.net | - | High
|
||||
61 | [41.185.29.128](https://vuldb.com/?ip.41.185.29.128) | abp79-nix01.wadns.net | - | High
|
||||
62 | [41.231.225.139](https://vuldb.com/?ip.41.231.225.139) | - | - | High
|
||||
63 | [42.62.40.103](https://vuldb.com/?ip.42.62.40.103) | - | - | High
|
||||
64 | [45.16.226.117](https://vuldb.com/?ip.45.16.226.117) | 45-16-226-117.lightspeed.sndgca.sbcglobal.net | - | High
|
||||
65 | [45.33.77.42](https://vuldb.com/?ip.45.33.77.42) | li1023-42.members.linode.com | - | High
|
||||
66 | [45.46.37.97](https://vuldb.com/?ip.45.46.37.97) | cpe-45-46-37-97.maine.res.rr.com | - | High
|
||||
67 | [45.55.36.51](https://vuldb.com/?ip.45.55.36.51) | - | - | High
|
||||
68 | [45.55.219.163](https://vuldb.com/?ip.45.55.219.163) | - | - | High
|
||||
69 | [45.79.95.107](https://vuldb.com/?ip.45.79.95.107) | li1194-107.members.linode.com | - | High
|
||||
70 | [45.80.148.200](https://vuldb.com/?ip.45.80.148.200) | - | - | High
|
||||
71 | [45.118.115.99](https://vuldb.com/?ip.45.118.115.99) | - | - | High
|
||||
72 | [45.118.135.203](https://vuldb.com/?ip.45.118.135.203) | 45-118-135-203.ip.linodeusercontent.com | - | High
|
||||
73 | [45.142.114.231](https://vuldb.com/?ip.45.142.114.231) | mail.dounutmail.de | - | High
|
||||
74 | [45.230.45.171](https://vuldb.com/?ip.45.230.45.171) | - | - | High
|
||||
75 | [46.4.100.178](https://vuldb.com/?ip.46.4.100.178) | support.wizard-shopservice.de | - | High
|
||||
76 | [46.4.192.185](https://vuldb.com/?ip.46.4.192.185) | static.185.192.4.46.clients.your-server.de | - | High
|
||||
77 | [46.28.111.142](https://vuldb.com/?ip.46.28.111.142) | enkindu.jsuchy.net | - | High
|
||||
78 | [46.32.229.152](https://vuldb.com/?ip.46.32.229.152) | 094882.vps-10.com | - | High
|
||||
79 | [46.32.233.226](https://vuldb.com/?ip.46.32.233.226) | yetitoolusa.com | - | High
|
||||
80 | [46.38.238.8](https://vuldb.com/?ip.46.38.238.8) | v2202109122001163131.happysrv.de | - | High
|
||||
81 | [46.43.2.95](https://vuldb.com/?ip.46.43.2.95) | chris.default.cjenkinson.uk0.bigv.io | - | High
|
||||
82 | [46.55.222.11](https://vuldb.com/?ip.46.55.222.11) | - | - | High
|
||||
83 | [46.101.58.37](https://vuldb.com/?ip.46.101.58.37) | 46.101.58.37-e1-8080 | - | High
|
||||
84 | [46.105.81.76](https://vuldb.com/?ip.46.105.81.76) | myu0.cylipo.sbs | - | High
|
||||
85 | [46.105.114.137](https://vuldb.com/?ip.46.105.114.137) | ns3188253.ip-46-105-114.eu | - | High
|
||||
86 | [46.105.131.68](https://vuldb.com/?ip.46.105.131.68) | http.adven.fr | - | High
|
||||
87 | [46.105.131.79](https://vuldb.com/?ip.46.105.131.79) | relay.adven.fr | - | High
|
||||
88 | [46.105.131.87](https://vuldb.com/?ip.46.105.131.87) | pop.adven.fr | - | High
|
||||
89 | [46.105.236.18](https://vuldb.com/?ip.46.105.236.18) | - | - | High
|
||||
90 | [46.165.254.206](https://vuldb.com/?ip.46.165.254.206) | - | - | High
|
||||
91 | [46.214.107.142](https://vuldb.com/?ip.46.214.107.142) | 46-214-107-142.next-gen.ro | - | High
|
||||
92 | [47.36.140.164](https://vuldb.com/?ip.47.36.140.164) | 047-036-140-164.res.spectrum.com | - | High
|
||||
93 | [47.146.39.147](https://vuldb.com/?ip.47.146.39.147) | - | - | High
|
||||
94 | [47.188.131.94](https://vuldb.com/?ip.47.188.131.94) | - | - | High
|
||||
95 | [47.246.24.225](https://vuldb.com/?ip.47.246.24.225) | - | - | High
|
||||
96 | [47.246.24.226](https://vuldb.com/?ip.47.246.24.226) | - | - | High
|
||||
97 | [47.246.24.230](https://vuldb.com/?ip.47.246.24.230) | - | - | High
|
||||
98 | [47.246.24.232](https://vuldb.com/?ip.47.246.24.232) | - | - | High
|
||||
99 | [49.12.121.47](https://vuldb.com/?ip.49.12.121.47) | filezilla-project.org | - | High
|
||||
100 | [49.50.209.131](https://vuldb.com/?ip.49.50.209.131) | 131.host-49-50-209.euba.megatel.co.nz | - | High
|
||||
101 | [49.212.135.76](https://vuldb.com/?ip.49.212.135.76) | os3-321-50322.vs.sakura.ne.jp | - | High
|
||||
102 | [49.212.155.94](https://vuldb.com/?ip.49.212.155.94) | os3-325-52340.vs.sakura.ne.jp | - | High
|
||||
103 | [50.28.51.143](https://vuldb.com/?ip.50.28.51.143) | - | - | High
|
||||
104 | [50.31.146.101](https://vuldb.com/?ip.50.31.146.101) | mail.brillinjurylaw.com | - | High
|
||||
105 | [50.56.135.44](https://vuldb.com/?ip.50.56.135.44) | - | - | High
|
||||
106 | [50.91.114.38](https://vuldb.com/?ip.50.91.114.38) | 050-091-114-038.res.spectrum.com | - | High
|
||||
107 | [50.116.78.109](https://vuldb.com/?ip.50.116.78.109) | intersearchmedia.com | - | High
|
||||
108 | [50.245.107.73](https://vuldb.com/?ip.50.245.107.73) | 50-245-107-73-static.hfc.comcastbusiness.net | - | High
|
||||
109 | [51.15.4.22](https://vuldb.com/?ip.51.15.4.22) | 51-15-4-22.rev.poneytelecom.eu | - | High
|
||||
110 | [51.15.7.145](https://vuldb.com/?ip.51.15.7.145) | 51-15-7-145.rev.poneytelecom.eu | - | High
|
||||
111 | [51.75.33.127](https://vuldb.com/?ip.51.75.33.127) | ip127.ip-51-75-33.eu | - | High
|
||||
112 | [51.89.36.180](https://vuldb.com/?ip.51.89.36.180) | ip180.ip-51-89-36.eu | - | High
|
||||
113 | [51.89.199.141](https://vuldb.com/?ip.51.89.199.141) | ip141.ip-51-89-199.eu | - | High
|
||||
114 | [51.255.165.160](https://vuldb.com/?ip.51.255.165.160) | 160.ip-51-255-165.eu | - | High
|
||||
115 | [54.38.143.245](https://vuldb.com/?ip.54.38.143.245) | tools.inovato.me | - | High
|
||||
116 | [58.27.215.3](https://vuldb.com/?ip.58.27.215.3) | 58-27-215-3.wateen.net | - | High
|
||||
117 | [58.94.58.13](https://vuldb.com/?ip.58.94.58.13) | i58-94-58-13.s41.a014.ap.plala.or.jp | - | High
|
||||
118 | [58.216.16.130](https://vuldb.com/?ip.58.216.16.130) | - | - | High
|
||||
119 | [58.227.42.236](https://vuldb.com/?ip.58.227.42.236) | - | - | High
|
||||
120 | [59.148.253.194](https://vuldb.com/?ip.59.148.253.194) | 059148253194.ctinets.com | - | High
|
||||
121 | [60.93.23.51](https://vuldb.com/?ip.60.93.23.51) | softbank060093023051.bbtec.net | - | High
|
||||
122 | [60.108.128.186](https://vuldb.com/?ip.60.108.128.186) | softbank060108128186.bbtec.net | - | High
|
||||
123 | [60.125.114.64](https://vuldb.com/?ip.60.125.114.64) | softbank060125114064.bbtec.net | - | High
|
||||
124 | [60.249.78.226](https://vuldb.com/?ip.60.249.78.226) | 60-249-78-226.hinet-ip.hinet.net | - | High
|
||||
125 | [61.19.246.238](https://vuldb.com/?ip.61.19.246.238) | - | - | High
|
||||
126 | [62.30.7.67](https://vuldb.com/?ip.62.30.7.67) | 67.7-30-62.static.virginmediabusiness.co.uk | - | High
|
||||
127 | [62.75.141.82](https://vuldb.com/?ip.62.75.141.82) | static-ip-62-75-141-82.inaddr.ip-pool.com | - | High
|
||||
128 | [62.84.75.50](https://vuldb.com/?ip.62.84.75.50) | mail.saadegrp.com.lb | - | High
|
||||
129 | [62.171.142.179](https://vuldb.com/?ip.62.171.142.179) | vmi499457.contaboserver.net | - | High
|
||||
130 | [62.212.34.102](https://vuldb.com/?ip.62.212.34.102) | - | - | High
|
||||
131 | [64.190.63.136](https://vuldb.com/?ip.64.190.63.136) | - | - | High
|
||||
132 | [64.207.182.168](https://vuldb.com/?ip.64.207.182.168) | - | - | High
|
||||
133 | [66.54.51.172](https://vuldb.com/?ip.66.54.51.172) | - | - | High
|
||||
134 | [66.76.26.33](https://vuldb.com/?ip.66.76.26.33) | 66-76-26-33.hdsncmta01.com.sta.suddenlink.net | - | High
|
||||
135 | [66.228.61.248](https://vuldb.com/?ip.66.228.61.248) | li318-248.members.linode.com | - | High
|
||||
136 | [67.19.105.107](https://vuldb.com/?ip.67.19.105.107) | ns2.datatrust.com.br | - | High
|
||||
137 | [67.170.250.203](https://vuldb.com/?ip.67.170.250.203) | c-67-170-250-203.hsd1.ca.comcast.net | - | High
|
||||
138 | [67.225.218.50](https://vuldb.com/?ip.67.225.218.50) | lb01.parklogic.com | - | High
|
||||
139 | [68.2.97.91](https://vuldb.com/?ip.68.2.97.91) | ip68-2-97-91.ph.ph.cox.net | - | High
|
||||
140 | [68.183.170.114](https://vuldb.com/?ip.68.183.170.114) | 68.183.170.114-e1-8080-keep-up | - | High
|
||||
141 | [68.183.190.199](https://vuldb.com/?ip.68.183.190.199) | 68.183.190.199-e1-8080-keep-up | - | High
|
||||
142 | [69.17.170.58](https://vuldb.com/?ip.69.17.170.58) | unallocated-static.rogers.com | - | High
|
||||
143 | [69.43.168.200](https://vuldb.com/?ip.69.43.168.200) | ns0.imunplugged.com | - | High
|
||||
144 | [69.45.19.251](https://vuldb.com/?ip.69.45.19.251) | coastinet.com | - | High
|
||||
145 | [69.167.152.111](https://vuldb.com/?ip.69.167.152.111) | - | - | High
|
||||
146 | [69.198.17.49](https://vuldb.com/?ip.69.198.17.49) | 69-198-17-49.customerip.birch.net | - | High
|
||||
147 | [70.32.84.74](https://vuldb.com/?ip.70.32.84.74) | - | - | High
|
||||
148 | [70.32.89.105](https://vuldb.com/?ip.70.32.89.105) | parties-at-sea.com | - | High
|
||||
149 | [70.32.92.133](https://vuldb.com/?ip.70.32.92.133) | popdesigngroup.com | - | High
|
||||
150 | [70.32.115.157](https://vuldb.com/?ip.70.32.115.157) | harpotripofalifetime.com | - | High
|
||||
151 | [70.168.7.6](https://vuldb.com/?ip.70.168.7.6) | wsip-70-168-7-6.ri.ri.cox.net | - | High
|
||||
152 | [70.182.77.184](https://vuldb.com/?ip.70.182.77.184) | wsip-70-182-77-184.ok.ok.cox.net | - | High
|
||||
153 | [70.184.125.132](https://vuldb.com/?ip.70.184.125.132) | wsip-70-184-125-132.ph.ph.cox.net | - | High
|
||||
154 | [71.15.245.148](https://vuldb.com/?ip.71.15.245.148) | 071-015-245-148.res.spectrum.com | - | High
|
||||
155 | [71.197.211.156](https://vuldb.com/?ip.71.197.211.156) | c-71-197-211-156.hsd1.wa.comcast.net | - | High
|
||||
156 | [71.244.60.231](https://vuldb.com/?ip.71.244.60.231) | static-71-244-60-231.dllstx.fios.frontiernet.net | - | High
|
||||
157 | [72.10.49.117](https://vuldb.com/?ip.72.10.49.117) | rtw7-rfpn.accessdomain.com | - | High
|
||||
158 | [72.18.204.17](https://vuldb.com/?ip.72.18.204.17) | lasvegas-nv-datacenter.com | - | High
|
||||
159 | ... | ... | ... | ...
|
||||
|
||||
There are 606 more IOC items available. Please use our online service to access the data.
|
||||
There are 630 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Emotet. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Emotet_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 7 more TTP items available. Please use our online service to access the data.
|
||||
There are 6 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
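Review bot: the Hostname column mixes reverse-DNS results with values that are not hostnames at all: row 42 gives `localhost` for 27.78.27.110, and rows 50, 83, 140 and 141 carry labels such as `37.139.21.175-e2-8080-keep-up` and `46.101.58.37-e1-8080`. These will never resolve and will poison any domain-based blocklist built from this column; emit `-` when the PTR record is empty or malformed. Separately, several High-confidence rows resolve to shared infrastructure (rows 27 to 30 under `deploy.static.akamaitechnologies.com`, row 16 `www-riedle.transfermarkt.de`, row 99 `filezilla-project.org`) where an IP block hits far more than the actor; row 46 (`116.87.190.35.bc.googleusercontent.com`) is already rated Medium for what looks like that reason, so apply the same rating consistently. The TTP rows at the end of the hunk are fine; the added CWE-307 on T1110.001 matches the description.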
@ -196,21 +202,20 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/appliance/users?action=edit` | High
|
||||
2 | File | `/CMD_ACCOUNT_ADMIN` | High
|
||||
3 | File | `/context/%2e/WEB-INF/web.xml` | High
|
||||
4 | File | `/horde/util/go.php` | High
|
||||
5 | File | `/jeecg-boot/sys/user/queryUserByDepId` | High
|
||||
6 | File | `/js/js-parser.c` | High
|
||||
7 | File | `/MobiPlusWeb/Handlers/MainHandler.ashx?MethodName=GridData&GridName=Users` | High
|
||||
8 | File | `/ms/cms/content/list.do` | High
|
||||
9 | File | `/ms/file/uploadTemplate.do` | High
|
||||
10 | File | `/ping.html` | Medium
|
||||
11 | File | `/SASWebReportStudio/logonAndRender.do` | High
|
||||
12 | File | `/sys/user/queryUserComponentData` | High
|
||||
13 | ... | ... | ...
|
||||
1 | File | `/.htaccess` | Medium
|
||||
2 | File | `/admin/ajax/avatar.php` | High
|
||||
3 | File | `/admin/uploads.php` | High
|
||||
4 | File | `/alerts/alertConfigField.php` | High
|
||||
5 | File | `/alerts/alertLightbox.php` | High
|
||||
6 | File | `/aqpg/users/login.php` | High
|
||||
7 | File | `/classes/ajax/Functions.php` | High
|
||||
8 | File | `/cwms/admin/?page=articles/view_article/` | High
|
||||
9 | File | `/cwms/classes/Master.php?f=save_contact` | High
|
||||
10 | File | `/i/:data/ipa.plist` | High
|
||||
11 | File | `/jquery_file_upload/server/php/index.php` | High
|
||||
12 | ... | ... | ...
|
||||
|
||||
There are 104 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 95 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
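Review bot: this hunk replaces the whole IOA table rather than amending it: all thirteen previous rows (for example `/CMD_ACCOUNT_ADMIN` and `/ping.html`) are dropped, twelve new ones appear, and the trailer count moves from 104 to 95 with no reason given in the diff. A team that built detections on the old paths cannot tell whether they were retired as false positives or merely rotated out; record the reason in the trailer or keep retired rows with a lowered confidence. Also, new row 1, `/.htaccess`, has no actor-specific component, so even Medium overstates its value as an indicator unless it is paired with a request method or pattern.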
@ -228,6 +233,8 @@ The following list contains _external sources_ which discuss the actor and the a
|
|||
* https://blog.talosintelligence.com/2022/01/threat-roundup-0121-0128.html
|
||||
* https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
|
||||
* https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html
|
||||
* https://blog.talosintelligence.com/2022/03/threat-roundup-0225-0304.html
|
||||
* https://blogs.blackberry.com/en/2017/12/threat-spotlight-emotet-infostealer-malware
|
||||
* https://community.blueliv.com/#!/s/5fb2ee2482df413eaf344b29
|
||||
* https://ddanchev.blogspot.com/2022/01/profiling-emotet-botnet-c.html
|
||||
* https://pastebin.com/uPn1zM6b
|
||||
|
|
|
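Review bot: the added reference `https://pastebin.com/uPn1zM6b` points at a paste that its owner can edit or delete at any time, unlike the vendor blog posts around it, so the citation will eventually become unverifiable. Pair it with an archived copy, or record the paste title and retrieval date next to the link.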
@ -1,58 +1,58 @@
|
|||
# Equation - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Equation](https://vuldb.com/?actor.equation). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Equation](https://vuldb.com/?actor.equation). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.equation](https://vuldb.com/?actor.equation)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.equation](https://vuldb.com/?actor.equation)
## Campaigns
The following campaigns are known and can be associated with Equation:
The following _campaigns_ are known and can be associated with Equation:
* Gauss
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Equation:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Equation:
* US
* ES
* GB
* [ES](https://vuldb.com/?country.es)
* [US](https://vuldb.com/?country.us)
* [GB](https://vuldb.com/?country.gb)
* ...
There are 4 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Equation.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Equation.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 41.222.35.70 | 70.35.static.rdns.co.za | High
2 | 62.216.152.67 | - | High
3 | 64.76.82.52 | c647682-52.static.impsat.com.co | High
4 | 80.77.4.3 | - | High
5 | 81.31.34.175 | 81-31-34-175.static.masterinter.net | High
6 | 81.31.36.174 | vl504.sl509s.r1-3.dc1.4d.prg.masterinter.net | High
7 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [41.222.35.70](https://vuldb.com/?ip.41.222.35.70) | 70.35.static.rdns.co.za | - | High
2 | [62.216.152.67](https://vuldb.com/?ip.62.216.152.67) | - | - | High
3 | [64.76.82.52](https://vuldb.com/?ip.64.76.82.52) | c647682-52.static.impsat.com.co | - | High
4 | [80.77.4.3](https://vuldb.com/?ip.80.77.4.3) | - | - | High
5 | [81.31.34.175](https://vuldb.com/?ip.81.31.34.175) | 81-31-34-175.static.masterinter.net | - | High
6 | [81.31.36.174](https://vuldb.com/?ip.81.31.36.174) | vl504.sl509s.r1-3.dc1.4d.prg.masterinter.net | - | High
7 | ... | ... | ... | ...
There are 24 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Equation. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Equation_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1211 | 7PK Security Features | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1211 | CWE-254 | 7PK Security Features | High
4 | ... | ... | ... | ...
There are 1 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Equation. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Equation. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
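Review bot: in the TTP table the `Description` column keeps CWE wording next to the new `Weakness` column (`7PK Security Features` is the name of CWE-254 and sits beside it; `Execution with Unnecessary Privileges` sits beside CWE-264, CWE-284), so the column describes the weakness, not the ATT&CK technique named in the `Technique` column; rename the column or add the ATT&CK technique name so a reader does not take T1059.007 for a cross-site-scripting technique. Minor: the country list changes from `US, ES, GB` to `ES, US, GB` in the same hunk; if the order carries meaning, the section intro should say what it is.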
@ -61,18 +61,18 @@ ID | Type | Indicator | Confidence
3 | File | `GetRules.asp` | Medium
4 | ... | ... | ...
There are 9 more IOA items available. Please use our online service to access the data.
There are 9 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf
* https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134940/kaspersky-lab-gauss.pdf
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
@ -1,26 +1,26 @@
# EquationDrug - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [EquationDrug](https://vuldb.com/?actor.equationdrug). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [EquationDrug](https://vuldb.com/?actor.equationdrug). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.equationdrug](https://vuldb.com/?actor.equationdrug)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.equationdrug](https://vuldb.com/?actor.equationdrug)
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of EquationDrug.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of EquationDrug.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 213.198.79.49 | - | High
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [213.198.79.49](https://vuldb.com/?ip.213.198.79.49) | - | - | High
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://www.threatminer.org/report.php?q=Inside_EquationDrug_Espionage_Platform.pdf&y=2015
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
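Review bot: the single IOC row `213.198.79.49` gains a `Campaign` cell that is `-`, and the page has no Campaigns, Countries or TTP section, so nothing on it says where the address comes from or how old it is; the only reference is the 2015 report (`y=2015` in the threatminer URL). Either a first-seen/last-seen column or a sentence in the IOC intro naming the source and date is needed before a consumer can decide whether to treat the address as current.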
@ -0,0 +1,65 @@
# FF-Rat - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [FF-Rat](https://vuldb.com/?actor.ff-rat). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.ff-rat](https://vuldb.com/?actor.ff-rat)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FF-Rat:
* [CN](https://vuldb.com/?country.cn)
* [US](https://vuldb.com/?country.us)
* [GB](https://vuldb.com/?country.gb)
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of FF-Rat.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [59.188.16.147](https://vuldb.com/?ip.59.188.16.147) | - | - | High
2 | [68.68.43.149](https://vuldb.com/?ip.68.68.43.149) | 149.43.68.68.client.static.strong11.as22781.net | - | High
3 | [103.27.108.121](https://vuldb.com/?ip.103.27.108.121) | - | - | High
4 | ... | ... | ... | ...
There are 1 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _FF-Rat_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by FF-Rat. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `admin/review.php` | High
2 | File | `cgi-bin/webfile_mgr.cgi` | High
3 | File | `img.pl` | Low
4 | ... | ... | ...
There are 10 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://blogs.blackberry.com/en/2017/06/breaking-down-ff-rat-malware
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
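Review bot: row 1 of the TTP table maps T1059.007 / `Cross Site Scripting` to CWE-80, while the Equation page in this same commit maps the identical technique and description to CWE-79; CWE-80 (basic XSS through script-related HTML tags) is the narrower child of CWE-79, so either the per-actor derivation really differs, which deserves a sentence in the TTP intro, or the mapping should be made consistent across pages. The IOA rows are generic web file names (`admin/review.php`, `cgi-bin/webfile_mgr.cgi`, `img.pl`) that will match many unrelated sites; `Low` on `img.pl` is appropriate, `High` on `admin/review.php` looks optimistic for a path that common.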
@ -27,7 +27,7 @@ There are 2 more IOC items available. Please use our online service to access th
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _FIN12_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _FIN12_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -1,6 +1,6 @@
# FIN6 - Cyber Threat Intelligence
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [FIN6](https://vuldb.com/?actor.fin6). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [FIN6](https://vuldb.com/?actor.fin6). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.fin6](https://vuldb.com/?actor.fin6)
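Review bot: the intro now says the indicators were `reported, collected, and generated` and that the model `uses big data`, replacing `collected` and `is able to forecast`; `generated` means some of the IOC rows below are model output rather than observations, and nothing in the table distinguishes the two beyond the `Confidence` column. State which rows, or which confidence level, are predicted so a consumer can decide whether to alert or block on them, and drop `big data`, which names no method.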
@ -14,9 +14,9 @@ The following _campaigns_ are known and can be associated with FIN6:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FIN6:
* DE
* US
* RU
* [DE](https://vuldb.com/?country.de)
* [US](https://vuldb.com/?country.us)
* [RU](https://vuldb.com/?country.ru)
* ...
There are 12 more country items available. Please use our online service to access the data.
@ -27,18 +27,18 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 5.199.167.188 | - | MAZE | High
2 | 31.220.45.151 | - | - | High
3 | 37.1.213.9 | - | MAZE | High
4 | 37.1.221.212 | adspect.net | - | High
5 | 37.252.7.142 | - | MAZE | High
6 | 46.4.113.237 | static.237.113.4.46.clients.your-server.de | - | High
7 | 46.166.173.109 | - | - | High
8 | 54.39.233.188 | mail.ov120.slpmt.net | MAZE | High
9 | 62.210.136.65 | 62-210-136-65.rev.poneytelecom.eu | - | High
10 | 89.105.194.236 | - | - | High
11 | 91.208.184.174 | sell.mybeststore.club | MAZE | High
12 | 91.218.114.4 | - | MAZE | High
1 | [5.199.167.188](https://vuldb.com/?ip.5.199.167.188) | - | MAZE | High
2 | [31.220.45.151](https://vuldb.com/?ip.31.220.45.151) | - | - | High
3 | [37.1.213.9](https://vuldb.com/?ip.37.1.213.9) | - | MAZE | High
4 | [37.1.221.212](https://vuldb.com/?ip.37.1.221.212) | adspect.net | - | High
5 | [37.252.7.142](https://vuldb.com/?ip.37.252.7.142) | - | MAZE | High
6 | [46.4.113.237](https://vuldb.com/?ip.46.4.113.237) | static.237.113.4.46.clients.your-server.de | - | High
7 | [46.166.173.109](https://vuldb.com/?ip.46.166.173.109) | - | - | High
8 | [54.39.233.188](https://vuldb.com/?ip.54.39.233.188) | mail.ov120.slpmt.net | MAZE | High
9 | [62.210.136.65](https://vuldb.com/?ip.62.210.136.65) | 62-210-136-65.rev.poneytelecom.eu | - | High
10 | [89.105.194.236](https://vuldb.com/?ip.89.105.194.236) | - | - | High
11 | [91.208.184.174](https://vuldb.com/?ip.91.208.184.174) | sell.mybeststore.club | MAZE | High
12 | [91.218.114.4](https://vuldb.com/?ip.91.218.114.4) | - | MAZE | High
13 | ... | ... | ... | ...
There are 48 more IOC items available. Please use our online service to access the data.
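Review bot: several `High` rows carry the hosting provider's reverse DNS rather than an attacker-chosen name (`static.237.113.4.46.clients.your-server.de`, `62-210-136-65.rev.poneytelecom.eu`, `mail.ov120.slpmt.net`), i.e. shared or reassignable infrastructure, and the table has no first-seen/last-seen column; without a date a consumer cannot age these entries out, and a block rule kept after reassignment hits an unrelated tenant. Add a date column, or apply the `Medium` that the FakeAlert page in this commit gives its `ec2-*.compute.amazonaws.com` rows to provider-rDNS rows here as well, and document the rule so confidence means the same thing on every actor page.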
@ -15,8 +15,8 @@ The following _campaigns_ are known and can be associated with FIN7:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FIN7:
* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [US](https://vuldb.com/?country.us)
* [DE](https://vuldb.com/?country.de)
* ...
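Review bot: with the `-`/`+` markers lost in this rendering, `[US](https://vuldb.com/?country.us)` appears twice in the four bullet lines of an 8-to-8 hunk, so the change is presumably a reorder (one line removed, one added); if both `[US]` lines survive in the file, it is a duplicate entry and should be removed.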
@ -77,7 +77,7 @@ There are 172 more IOC items available. Please use our online service to access
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _FIN7_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _FIN7_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -95,59 +95,59 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/+CSCOE+/logon.html` | High
2 | File | `/context/%2e/WEB-INF/web.xml` | High
3 | File | `/debug/pprof` | Medium
4 | File | `/ext/phar/phar_object.c` | High
5 | File | `/filemanager/php/connector.php` | High
6 | File | `/get_getnetworkconf.cgi` | High
7 | File | `/HNAP1` | Low
8 | File | `/modx/manager/index.php` | High
9 | File | `/monitoring` | Medium
10 | File | `/new` | Low
11 | File | `/proc/<pid>/status` | High
12 | File | `/public/plugins/` | High
13 | File | `/replication` | Medium
14 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
15 | File | `/secure/QueryComponent!Default.jspa` | High
16 | File | `/siteminderagent/pwcgi/smpwservicescgi.exe` | High
17 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
18 | File | `/tmp` | Low
19 | File | `/type.php` | Medium
20 | File | `/uncpath/` | Medium
21 | File | `/usr/bin/pkexec` | High
22 | File | `/wp-json/wc/v3/webhooks` | High
23 | File | `4.2.0.CP09` | Medium
24 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
25 | File | `802dot1xclientcert.cgi` | High
26 | File | `AccountManagerService.java` | High
27 | File | `actions/CompanyDetailsSave.php` | High
28 | File | `ActivityManagerService.java` | High
29 | File | `add.exe` | Low
30 | File | `admin.color.php` | High
31 | File | `admin.cropcanvas.php` | High
32 | File | `admin.joomlaradiov5.php` | High
33 | File | `admin.php` | Medium
34 | File | `admin.php?m=Food&a=addsave` | High
35 | File | `admin/add-glossary.php` | High
36 | File | `admin/conf_users_edit.php` | High
37 | File | `admin/edit-comments.php` | High
38 | File | `admin/index.php` | High
39 | File | `admin/src/containers/InputModalStepperProvider/index.js` | High
40 | File | `admin/write-post.php` | High
41 | File | `administrator/components/com_media/helpers/media.php` | High
42 | File | `admin_events.php` | High
43 | File | `AjaxApplication.java` | High
44 | File | `akocomments.php` | High
45 | File | `allopass-error.php` | High
46 | File | `AllowBindAppWidgetActivity.java` | High
47 | File | `android/webkit/SearchBoxImpl.java` | High
48 | File | `AndroidManifest.xml` | High
49 | File | `announcement.php` | High
2 | File | `/cloud_config/router_post/check_reg_verify_code` | High
3 | File | `/context/%2e/WEB-INF/web.xml` | High
4 | File | `/debug/pprof` | Medium
5 | File | `/ext/phar/phar_object.c` | High
6 | File | `/filemanager/php/connector.php` | High
7 | File | `/get_getnetworkconf.cgi` | High
8 | File | `/HNAP1` | Low
9 | File | `/modx/manager/index.php` | High
10 | File | `/monitoring` | Medium
11 | File | `/new` | Low
12 | File | `/proc/<pid>/status` | High
13 | File | `/public/plugins/` | High
14 | File | `/replication` | Medium
15 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
16 | File | `/secure/QueryComponent!Default.jspa` | High
17 | File | `/siteminderagent/pwcgi/smpwservicescgi.exe` | High
18 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
19 | File | `/tmp` | Low
20 | File | `/type.php` | Medium
21 | File | `/uncpath/` | Medium
22 | File | `/usr/bin/pkexec` | High
23 | File | `/wp-json/wc/v3/webhooks` | High
24 | File | `4.2.0.CP09` | Medium
25 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
26 | File | `802dot1xclientcert.cgi` | High
27 | File | `AccountManagerService.java` | High
28 | File | `actions/CompanyDetailsSave.php` | High
29 | File | `ActivityManagerService.java` | High
30 | File | `add.exe` | Low
31 | File | `admin.color.php` | High
32 | File | `admin.cropcanvas.php` | High
33 | File | `admin.joomlaradiov5.php` | High
34 | File | `admin.php` | Medium
35 | File | `admin.php?m=Food&a=addsave` | High
36 | File | `admin/add-glossary.php` | High
37 | File | `admin/conf_users_edit.php` | High
38 | File | `admin/edit-comments.php` | High
39 | File | `admin/index.php` | High
40 | File | `admin/src/containers/InputModalStepperProvider/index.js` | High
41 | File | `admin/write-post.php` | High
42 | File | `administrator/components/com_media/helpers/media.php` | High
43 | File | `admin_events.php` | High
44 | File | `AjaxApplication.java` | High
45 | File | `akocomments.php` | High
46 | File | `allopass-error.php` | High
47 | File | `AllowBindAppWidgetActivity.java` | High
48 | File | `android/webkit/SearchBoxImpl.java` | High
49 | File | `AndroidManifest.xml` | High
50 | File | `api/settings/values` | High
51 | File | `app/topic/action/admin/topic.php` | High
52 | ... | ... | ...
There are 451 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 449 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
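Review bot: the trailer count drops from 451 to 449 while the visible window changes by one added row (`/cloud_config/router_post/check_reg_verify_code`, new row 2) and one removed row (`announcement.php`, old row 49), a net of zero within rows 1 to 51; so either a second entry beyond the window was dropped as well or the count is off by one, and it is worth checking against the generator. Separately, `/proc/<pid>/status` and `/tmp` are operating-system paths and `4.2.0.CP09` is a version string, all filed under `File` at `High` or `Medium`; entries like these cannot be matched against anything in a defender's telemetry and would be better filtered out of the predictive model's output.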
@ -1,6 +1,6 @@
# FakeAlert - Cyber Threat Intelligence
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [FakeAlert](https://vuldb.com/?actor.fakealert). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [FakeAlert](https://vuldb.com/?actor.fakealert). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.fakealert](https://vuldb.com/?actor.fakealert)
@ -8,9 +8,9 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FakeAlert:
* US
* PT
* RU
* [US](https://vuldb.com/?country.us)
* [PT](https://vuldb.com/?country.pt)
* [RU](https://vuldb.com/?country.ru)
* ...
There are 4 more country items available. Please use our online service to access the data.
@ -21,9 +21,9 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 3.8.23.195 | ec2-3-8-23-195.eu-west-2.compute.amazonaws.com | - | Medium
2 | 3.8.191.167 | ec2-3-8-191-167.eu-west-2.compute.amazonaws.com | - | Medium
3 | 18.130.240.77 | ec2-18-130-240-77.eu-west-2.compute.amazonaws.com | - | Medium
1 | [3.8.23.195](https://vuldb.com/?ip.3.8.23.195) | ec2-3-8-23-195.eu-west-2.compute.amazonaws.com | - | Medium
2 | [3.8.191.167](https://vuldb.com/?ip.3.8.191.167) | ec2-3-8-191-167.eu-west-2.compute.amazonaws.com | - | Medium
3 | [18.130.240.77](https://vuldb.com/?ip.18.130.240.77) | ec2-18-130-240-77.eu-west-2.compute.amazonaws.com | - | Medium
4 | ... | ... | ... | ...
There are 10 more IOC items available. Please use our online service to access the data.
@ -22,7 +22,7 @@ ID | IP address | Hostname | Campaign | Confidence
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _FamousSparrow_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _FamousSparrow_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -1,19 +1,25 @@
# Formbook - Cyber Threat Intelligence
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Formbook](https://vuldb.com/?actor.formbook). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Formbook](https://vuldb.com/?actor.formbook). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.formbook](https://vuldb.com/?actor.formbook)
## Campaigns
The following _campaigns_ are known and can be associated with Formbook:
* Ukraine
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Formbook:
* US
* CN
* FR
* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [FR](https://vuldb.com/?country.fr)
* ...
There are 8 more country items available. Please use our online service to access the data.
There are 9 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
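Review bot: the new Campaigns entry `Ukraine` is a country name used as a campaign label, while `UA` is not among the three countries shown and the `Campaign` column of the IOC table in the next hunk is `-` on every visible row, so nothing on the page ties the campaign to an indicator. Name the campaign after its lure theme or the reporting source, as `MAZE` is used on the FIN6 page in this commit, and link at least one IOC row to it, or state in the intro that campaign labels are theme tags rather than attributed activity.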
@ -21,34 +27,35 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 3.143.65.214 | ec2-3-143-65-214.us-east-2.compute.amazonaws.com | - | Medium
2 | 3.223.115.185 | ec2-3-223-115-185.compute-1.amazonaws.com | - | Medium
3 | 5.134.13.72 | i51.gds.guru.net.uk | - | High
4 | 13.59.53.244 | ec2-13-59-53-244.us-east-2.compute.amazonaws.com | - | Medium
5 | 13.107.42.12 | 1drv.ms | - | High
6 | 13.248.216.40 | afdda383cf24ec8c3.awsglobalaccelerator.com | - | High
7 | 20.36.253.92 | - | - | High
8 | 23.6.69.99 | a23-6-69-99.deploy.static.akamaitechnologies.com | - | High
9 | 23.227.38.74 | - | - | High
10 | 34.98.99.30 | 30.99.98.34.bc.googleusercontent.com | - | Medium
11 | 34.102.136.180 | 180.136.102.34.bc.googleusercontent.com | - | Medium
12 | 34.214.40.214 | ec2-34-214-40-214.us-west-2.compute.amazonaws.com | - | Medium
13 | 34.216.47.14 | ec2-34-216-47-14.us-west-2.compute.amazonaws.com | - | Medium
14 | 34.242.63.192 | ec2-34-242-63-192.eu-west-1.compute.amazonaws.com | - | Medium
15 | 34.243.160.251 | ec2-34-243-160-251.eu-west-1.compute.amazonaws.com | - | Medium
16 | 34.255.61.59 | ec2-34-255-61-59.eu-west-1.compute.amazonaws.com | - | Medium
17 | 35.178.125.63 | ec2-35-178-125-63.eu-west-2.compute.amazonaws.com | - | Medium
18 | 40.77.18.167 | - | - | High
19 | 40.126.26.134 | - | - | High
20 | 44.227.65.245 | ec2-44-227-65-245.us-west-2.compute.amazonaws.com | - | Medium
21 | 44.230.27.49 | ec2-44-230-27-49.us-west-2.compute.amazonaws.com | - | Medium
22 | ... | ... | ... | ...
1 | [3.143.65.214](https://vuldb.com/?ip.3.143.65.214) | ec2-3-143-65-214.us-east-2.compute.amazonaws.com | - | Medium
2 | [3.223.115.185](https://vuldb.com/?ip.3.223.115.185) | ec2-3-223-115-185.compute-1.amazonaws.com | - | Medium
3 | [5.134.13.72](https://vuldb.com/?ip.5.134.13.72) | i51.gds.guru.net.uk | - | High
4 | [13.59.53.244](https://vuldb.com/?ip.13.59.53.244) | ec2-13-59-53-244.us-east-2.compute.amazonaws.com | - | Medium
5 | [13.107.42.12](https://vuldb.com/?ip.13.107.42.12) | 1drv.ms | - | High
6 | [13.248.216.40](https://vuldb.com/?ip.13.248.216.40) | afdda383cf24ec8c3.awsglobalaccelerator.com | - | High
7 | [20.36.253.92](https://vuldb.com/?ip.20.36.253.92) | - | - | High
8 | [23.6.69.99](https://vuldb.com/?ip.23.6.69.99) | a23-6-69-99.deploy.static.akamaitechnologies.com | - | High
|
||||
9 | [23.227.38.74](https://vuldb.com/?ip.23.227.38.74) | - | - | High
|
||||
10 | [34.98.99.30](https://vuldb.com/?ip.34.98.99.30) | 30.99.98.34.bc.googleusercontent.com | - | Medium
|
||||
11 | [34.102.136.180](https://vuldb.com/?ip.34.102.136.180) | 180.136.102.34.bc.googleusercontent.com | - | Medium
|
||||
12 | [34.214.40.214](https://vuldb.com/?ip.34.214.40.214) | ec2-34-214-40-214.us-west-2.compute.amazonaws.com | - | Medium
|
||||
13 | [34.216.47.14](https://vuldb.com/?ip.34.216.47.14) | ec2-34-216-47-14.us-west-2.compute.amazonaws.com | - | Medium
|
||||
14 | [34.242.63.192](https://vuldb.com/?ip.34.242.63.192) | ec2-34-242-63-192.eu-west-1.compute.amazonaws.com | - | Medium
|
||||
15 | [34.243.160.251](https://vuldb.com/?ip.34.243.160.251) | ec2-34-243-160-251.eu-west-1.compute.amazonaws.com | - | Medium
|
||||
16 | [34.255.61.59](https://vuldb.com/?ip.34.255.61.59) | ec2-34-255-61-59.eu-west-1.compute.amazonaws.com | - | Medium
|
||||
17 | [35.178.125.63](https://vuldb.com/?ip.35.178.125.63) | ec2-35-178-125-63.eu-west-2.compute.amazonaws.com | - | Medium
|
||||
18 | [40.77.18.167](https://vuldb.com/?ip.40.77.18.167) | - | - | High
|
||||
19 | [40.126.26.134](https://vuldb.com/?ip.40.126.26.134) | - | - | High
|
||||
20 | [44.227.65.245](https://vuldb.com/?ip.44.227.65.245) | ec2-44-227-65-245.us-west-2.compute.amazonaws.com | - | Medium
|
||||
21 | [44.230.27.49](https://vuldb.com/?ip.44.230.27.49) | ec2-44-230-27-49.us-west-2.compute.amazonaws.com | - | Medium
|
||||
22 | [45.135.229.212](https://vuldb.com/?ip.45.135.229.212) | iad.scarletshark.net | - | High
|
||||
23 | ... | ... | ... | ...
|
||||
|
||||
There are 86 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Formbook. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Formbook_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
|
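Review bot: several rows of this IOC table that are rated High are shared cloud or CDN endpoints rather than actor-controlled hosts, so blocking on them will hit legitimate traffic: row 5 `13.107.42.12` resolves to `1drv.ms`, row 6 `13.248.216.40` to an AWS Global Accelerator name and row 8 `23.6.69.99` to an Akamai deploy host. The EC2 and googleusercontent rows are consistently rated Medium, which looks like the intended treatment for rented infrastructure; either give the CDN and file-sharing hosts the same rating or add a flag for shared infrastructure so consumers can keep those IPs out of block lists. The per-IP links are fine, but the table now ends at a genuinely new row 22 (`45.135.229.212`, `iad.scarletshark.net`) rather than the old `...` row, so confirm that the `86 more IOC items` line was recomputed rather than carried over.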
@ -57,7 +64,7 @@ ID | Technique | Weakness | Description | Confidence
|
|||
3 | T1211 | CWE-254 | 7PK Security Features | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 4 more TTP items available. Please use our online service to access the data.
|
||||
There are 3 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
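Review bot: the context row `3 | T1211 | CWE-254 | 7PK Security Features | High` pairs the technique with a CWE category rather than a concrete weakness: CWE-254 is the "7PK - Security Features" grouping, so the Weakness and Description columns say nothing about what is actually exploited, and T1211 (Exploitation for Defense Evasion) needs a real CWE or a CVE reference to be actionable. The only change in this hunk is the count dropping from 4 to 3 more TTP items with no visible row changing, which means a hidden entry was removed; listing removed techniques in the file would make such changes reviewable.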
@ -85,6 +92,7 @@ There are 104 more IOA items available (file, library, argument, input value, pa
|
|||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://blog.malwarebytes.com/threat-intelligence/2022/03/formbook-spam-campaign-targets-citizens-of-ukraine%ef%b8%8f/
|
||||
* https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html
|
||||
* https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html
|
||||
* https://blog.talosintelligence.com/2021/07/threat-roundup-0723-0730.html
|
||||
|
|
|
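Review bot: the first reference URL ends in `%ef%b8%8f`, the percent-encoded UTF-8 of U+FE0F (variation selector-16), an emoji artifact carried over from the post title; check that the link still resolves and, if the server redirects, store the canonical URL without the suffix. The three Talos threat roundup links are weekly multi-family summaries, so a reader cannot tell which of them actually covers Formbook; a short annotation per link, or dropping the ones that do not mention the family, would help.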
@ -1,26 +1,26 @@
|
|||
# Foudre - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Foudre](https://vuldb.com/?actor.foudre). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Foudre](https://vuldb.com/?actor.foudre). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.foudre](https://vuldb.com/?actor.foudre)
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.foudre](https://vuldb.com/?actor.foudre)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Foudre.
|
||||
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Foudre.
|
||||
|
||||
ID | IP address | Hostname | Confidence
|
||||
-- | ---------- | -------- | ----------
|
||||
1 | 185.61.154.26 | premium46-3.web-hosting.com | High
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [185.61.154.26](https://vuldb.com/?ip.185.61.154.26) | premium46-3.web-hosting.com | - | High
|
||||
|
||||
## References
|
||||
|
||||
The following list contains external sources which discuss the actor and the associated activities:
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://www.threatminer.org/report.php?q=PrinceofPersia_TheSandsofFoudre-Intezer.pdf&y=2018
|
||||
|
||||
## Literature
|
||||
|
||||
The following articles explain our unique predictive cyber threat intelligence:
|
||||
The following _articles_ explain our unique predictive cyber threat intelligence:
|
||||
|
||||
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
|
||||
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
|
||||
|
|
|
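Review bot: the single IOC `185.61.154.26` / `premium46-3.web-hosting.com` is a shared web-hosting node, so a High rating at the IP level will also match every other tenant on that server; either rate it Medium like the rented-cloud hosts in the other files of this change or make the hostname the indicator. The `ressources` typo fix and the new Campaign column are good, though the column is `-` for the only row and the file has no Campaigns section. The intro rewrite replaces `is able to forecast` with `uses big data to forecast`, which adds a buzzword and says less about what the model does; the original wording was better.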
@ -30,7 +30,7 @@ There are 7 more IOC items available. Please use our online service to access th
|
|||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _GRU_. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _GRU_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
|
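Review bot: this hunk changes only `ATT&CK` to `MITRE ATT&CK` in the TTP intro, and the same one-word edit is repeated by hand in every actor file in this commit, with the actor name sometimes italicised (`_GRU_` here) and sometimes not (`Formbook` and `Gafgyt` in the old text of other files). The sentence is identical apart from the actor name, so it should be emitted from one template so that wording and formatting cannot drift between files.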
@ -59,7 +59,7 @@ ID | Type | Indicator | Confidence
|
|||
10 | File | `admin/create-package.php` | High
|
||||
11 | ... | ... | ...
|
||||
|
||||
There are 84 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 88 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# Gafgyt - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Gafgyt](https://vuldb.com/?actor.gafgyt). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Gafgyt](https://vuldb.com/?actor.gafgyt). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.gafgyt](https://vuldb.com/?actor.gafgyt)
|
||||
|
||||
|
@ -10,17 +10,18 @@ The following _campaigns_ are known and can be associated with Gafgyt:
|
|||
|
||||
* CVE-2014-8361 / CVE-2017-17215 / CVE-2017-18368
|
||||
* CVE-2017-5638 / CVE-2018-9866
|
||||
* DDoS Ukraine
|
||||
|
||||
## Countries
|
||||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Gafgyt:
|
||||
|
||||
* [SC](https://vuldb.com/?country.sc)
|
||||
* [LI](https://vuldb.com/?country.li)
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [LI](https://vuldb.com/?country.li)
|
||||
* ...
|
||||
|
||||
There are 2 more country items available. Please use our online service to access the data.
|
||||
There are 3 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -28,22 +29,25 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
|
|||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [185.10.68.127](https://vuldb.com/?ip.185.10.68.127) | 127.68.10.185.ro.ovo.sc | CVE-2017-5638 / CVE-2018-9866 | High
|
||||
2 | [185.10.68.213](https://vuldb.com/?ip.185.10.68.213) | 213.68.10.185.ro.ovo.sc | CVE-2017-5638 / CVE-2018-9866 | High
|
||||
3 | [185.172.110.224](https://vuldb.com/?ip.185.172.110.224) | - | CVE-2014-8361 / CVE-2017-17215 / CVE-2017-18368 | High
|
||||
1 | [46.249.32.109](https://vuldb.com/?ip.46.249.32.109) | reverse.hostingbb.com | DDoS Ukraine | High
|
||||
2 | [172.245.6.134](https://vuldb.com/?ip.172.245.6.134) | 172-245-6-134-host.colocrossing.com | - | High
|
||||
3 | [185.10.68.127](https://vuldb.com/?ip.185.10.68.127) | 127.68.10.185.ro.ovo.sc | CVE-2017-5638 / CVE-2018-9866 | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 5 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Gafgyt. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Gafgyt_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1222 | CWE-275 | Permission Issues | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 5 more TTP items available. Please use our online service to access the data.
|
||||
There are 4 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
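Review bot: the unchanged context line `There are 5 more IOC items available` no longer adds up. Two rows are new in the visible top three (`46.249.32.109` tagged DDoS Ukraine and `172.245.6.134`) while `185.10.68.213` and `185.172.110.224` drop out of view; if those two merely moved into the hidden tail the count should read 7, so either they were removed from the dataset or the count was not recomputed. In the TTP table below, row 2 `T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges` uses the title of CWE-250 as its description while listing different CWEs; the description should match the weaknesses in the row. Row 1 now lists `CWE-79, CWE-80` for XSS, which is fine, but the TTP count drops from 5 to 4 with no visible row changing.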
@ -53,18 +57,23 @@ ID | Type | Indicator | Confidence
|
|||
-- | ---- | --------- | ----------
|
||||
1 | File | `/admin/sysmon.php` | High
|
||||
2 | File | `/api/content/posts/comments` | High
|
||||
3 | File | `/Home/GetAttachment` | High
|
||||
4 | File | `/modules/projects/vw_files.php` | High
|
||||
5 | File | `admin/limits.php` | High
|
||||
6 | File | `AjaxFileUploadHandler.axd` | High
|
||||
7 | ... | ... | ...
|
||||
3 | File | `/cimom` | Low
|
||||
4 | File | `/Home/GetAttachment` | High
|
||||
5 | File | `/LogoStore/search.php` | High
|
||||
6 | File | `/modules/projects/vw_files.php` | High
|
||||
7 | File | `admin/limits.php` | High
|
||||
8 | File | `AjaxFileUploadHandler.axd` | High
|
||||
9 | File | `CarelDataServer.exe` | High
|
||||
10 | ... | ... | ...
|
||||
|
||||
There are 49 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 77 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
The following list contains _external sources_ which discuss the actor and the associated activities:
|
||||
|
||||
* https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/
|
||||
* https://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/
|
||||
* https://unit42.paloaltonetworks.com/home-small-office-wireless-routers-exploited-to-attack-gaming-servers/
|
||||
* https://unit42.paloaltonetworks.com/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/
|
||||
|
||||
|
|
|
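Review bot: the two netlab.360 references look like the English and Chinese editions of the same post (the second slug, `wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie`, is romanised Chinese matching the first title); keep one or label the language. In the IOA table the new row `3 | File | /cimom | Low` is a short generic path, so Low is the right rating, but consumers exporting these rows into detection rules should be told to skip Low entries. The hidden count rises from 49 to 77 and the visible rows from 6 to 9, 31 new indicators in total, which is consistent with a bulk import rather than a curated addition; a note on the source would help.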
@ -77,7 +77,7 @@ There are 198 more IOC items available. Please use our online service to access
|
|||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Gamaredon_. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Gamaredon_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
|
|
|
@ -36,7 +36,7 @@ There are 35 more IOC items available. Please use our online service to access t
|
|||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Gamarue. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Gamarue_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
|
@ -45,7 +45,7 @@ ID | Technique | Weakness | Description | Confidence
|
|||
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 8 more TTP items available. Please use our online service to access the data.
|
||||
There are 7 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
|
|
@ -51,7 +51,7 @@ There are 97 more IOC items available. Please use our online service to access t
|
|||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Gh0stRAT_. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Gh0stRAT_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
|
@ -80,33 +80,32 @@ ID | Type | Indicator | Confidence
|
|||
10 | File | `/dashboards/#` | High
|
||||
11 | File | `/data/remove` | Medium
|
||||
12 | File | `/etc/controller-agent/agent.conf` | High
|
||||
13 | File | `/etc/postfix/sender_login` | High
|
||||
14 | File | `/etc/sudoers` | Medium
|
||||
15 | File | `/etc/tomcat8/Catalina/attack` | High
|
||||
16 | File | `/filemanager/php/connector.php` | High
|
||||
17 | File | `/forum/away.php` | High
|
||||
18 | File | `/fudforum/adm/hlplist.php` | High
|
||||
19 | File | `/GponForm/fsetup_Form` | High
|
||||
20 | File | `/log_download.cgi` | High
|
||||
21 | File | `/modules/profile/index.php` | High
|
||||
22 | File | `/MTFWU` | Low
|
||||
23 | File | `/navigate/navigate_download.php` | High
|
||||
24 | File | `/out.php` | Medium
|
||||
25 | File | `/password.html` | High
|
||||
26 | File | `/property-list/property_view.php` | High
|
||||
27 | File | `/public/plugins/` | High
|
||||
28 | File | `/rest/api/2/search` | High
|
||||
29 | File | `/s/` | Low
|
||||
30 | File | `/scripts/cpan_config` | High
|
||||
31 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
32 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
33 | File | `/server-info` | Medium
|
||||
34 | File | `/tmp` | Low
|
||||
35 | File | `/tmp/app/.env` | High
|
||||
36 | File | `/tmp/kamailio_ctl` | High
|
||||
37 | ... | ... | ...
|
||||
13 | File | `/etc/sudoers` | Medium
|
||||
14 | File | `/etc/tomcat8/Catalina/attack` | High
|
||||
15 | File | `/filemanager/php/connector.php` | High
|
||||
16 | File | `/forum/away.php` | High
|
||||
17 | File | `/fudforum/adm/hlplist.php` | High
|
||||
18 | File | `/GponForm/fsetup_Form` | High
|
||||
19 | File | `/log_download.cgi` | High
|
||||
20 | File | `/modules/profile/index.php` | High
|
||||
21 | File | `/MTFWU` | Low
|
||||
22 | File | `/navigate/navigate_download.php` | High
|
||||
23 | File | `/out.php` | Medium
|
||||
24 | File | `/password.html` | High
|
||||
25 | File | `/property-list/property_view.php` | High
|
||||
26 | File | `/public/plugins/` | High
|
||||
27 | File | `/rest/api/2/search` | High
|
||||
28 | File | `/s/` | Low
|
||||
29 | File | `/scripts/cpan_config` | High
|
||||
30 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
31 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
32 | File | `/server-info` | Medium
|
||||
33 | File | `/tmp` | Low
|
||||
34 | File | `/tmp/app/.env` | High
|
||||
35 | File | `/tmp/kamailio_ctl` | High
|
||||
36 | ... | ... | ...
|
||||
|
||||
There are 317 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 307 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
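Review bot: this hunk silently drops `/etc/postfix/sender_login` (old row 13) and the hidden count falls from 317 to 307, a net loss of 11 indicators against one visible removal, so ten more went from the tail with nothing in the file saying why (expired, false positive, deduplicated). Because IOA rows feed detection content, removals matter as much as additions; keep a per-file changelog or a list of removed indicators. The renumbering of rows 13 to 36 is otherwise correct. Rows rated Low such as `/MTFWU`, `/s/` and `/tmp` are too generic to match on their own and should stay out of any exported rule set.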
@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
* [RO](https://vuldb.com/?country.ro)
|
||||
* ...
|
||||
|
||||
There are 26 more country items available. Please use our online service to access the data.
|
||||
There are 25 more country items available. Please use our online service to access the data.
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -32,7 +32,7 @@ There are 22 more IOC items available. Please use our online service to access t
|
|||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _GreyEnergy_. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _GreyEnergy_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
|
@ -56,14 +56,14 @@ ID | Type | Indicator | Confidence
|
|||
5 | File | `/cgi-bin` | Medium
|
||||
6 | File | `/cgi-bin/kerbynet` | High
|
||||
7 | File | `/context/%2e/WEB-INF/web.xml` | High
|
||||
8 | File | `/dcim/sites/add/` | High
|
||||
9 | File | `/fudforum/adm/hlplist.php` | High
|
||||
10 | File | `/login` | Low
|
||||
11 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
|
||||
12 | File | `/monitoring` | Medium
|
||||
13 | File | `/new` | Low
|
||||
14 | File | `/proc/<pid>/status` | High
|
||||
15 | File | `/public/plugins/` | High
|
||||
8 | File | `/fudforum/adm/hlplist.php` | High
|
||||
9 | File | `/login` | Low
|
||||
10 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
|
||||
11 | File | `/monitoring` | Medium
|
||||
12 | File | `/new` | Low
|
||||
13 | File | `/proc/<pid>/status` | High
|
||||
14 | File | `/public/plugins/` | High
|
||||
15 | File | `/REBOOTSYSTEM` | High
|
||||
16 | File | `/rom` | Low
|
||||
17 | File | `/scripts/killpvhost` | High
|
||||
18 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
|
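Review bot: row 10 `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` is typed `File` but carries a full query string, and row 13 `/proc/<pid>/status` contains a placeholder; the type vocabulary named in the count line (file, library, argument, input value, pattern, network port) already has `argument`, `input value` and `pattern` for exactly these cases, so split the first into the file `/Main_Login.asp` plus argument rows and retype the second as a pattern, otherwise a path-equality match never fires. The hunk also removes `/dcim/sites/add/` (old row 8) without explanation and adds `/REBOOTSYSTEM` (new row 15), renumbering the rest.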
@ -74,15 +74,15 @@ ID | Type | Indicator | Confidence
|
|||
23 | File | `/uncpath/` | Medium
|
||||
24 | File | `/wp-admin` | Medium
|
||||
25 | File | `/wp-json/wc/v3/webhooks` | High
|
||||
26 | File | `AccountManagerService.java` | High
|
||||
27 | File | `actions/CompanyDetailsSave.php` | High
|
||||
28 | File | `ActiveServices.java` | High
|
||||
29 | File | `ActivityManagerService.java` | High
|
||||
30 | File | `admin.php` | Medium
|
||||
31 | File | `admin/?n=user&c=admin_user&a=doGetUserInfo` | High
|
||||
32 | File | `admin/add-glossary.php` | High
|
||||
33 | File | `admin/conf_users_edit.php` | High
|
||||
34 | File | `admin/dashboard.php` | High
|
||||
26 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
|
||||
27 | File | `AccountManagerService.java` | High
|
||||
28 | File | `actions/CompanyDetailsSave.php` | High
|
||||
29 | File | `ActiveServices.java` | High
|
||||
30 | File | `ActivityManagerService.java` | High
|
||||
31 | File | `admin.php` | Medium
|
||||
32 | File | `admin/?n=user&c=admin_user&a=doGetUserInfo` | High
|
||||
33 | File | `admin/add-glossary.php` | High
|
||||
34 | File | `admin/conf_users_edit.php` | High
|
||||
35 | File | `admin/edit-comments.php` | High
|
||||
36 | ... | ... | ...
|
||||
|
||||
|
|
|
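Review bot: the new row `26 | File | 14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi | High` joins four CGI script names with `/`, which in every other row is the path separator, so it reads as a single nested path that does not exist. These are the MRTG-related scripts named in the indicator itself (`traffic.cgi`, `mrtg.cgi`); record them as four rows. Its position before `AccountManagerService.java` follows the digits-before-letters sort order used elsewhere, so the ordering is fine once split.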
@ -151,7 +151,7 @@ There are 496 more IOC items available. Please use our online service to access
|
|||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Grizzly Steppe_. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Grizzly Steppe_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
|
@ -160,7 +160,7 @@ ID | Technique | Weakness | Description | Confidence
|
|||
3 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 7 more TTP items available. Please use our online service to access the data.
|
||||
There are 8 more TTP items available. Please use our online service to access the data.
|
||||
|
||||
## IOA - Indicator of Attack
|
||||
|
||||
|
@ -179,13 +179,13 @@ ID | Type | Indicator | Confidence
|
|||
9 | File | `/dev/dri/card1` | High
|
||||
10 | File | `/domain/service/.ewell-known/caldav` | High
|
||||
11 | File | `/download` | Medium
|
||||
12 | File | `/formWlanSetup` | High
|
||||
13 | File | `/goform/setIPv6Status` | High
|
||||
14 | File | `/images` | Low
|
||||
15 | File | `/include/chart_generator.php` | High
|
||||
16 | File | `/InternalPages/ExecuteTask.aspx` | High
|
||||
17 | File | `/modules/profile/index.php` | High
|
||||
18 | File | `/monitoring` | Medium
|
||||
12 | File | `/file?action=download&file` | High
|
||||
13 | File | `/formWlanSetup` | High
|
||||
14 | File | `/goform/setIPv6Status` | High
|
||||
15 | File | `/images` | Low
|
||||
16 | File | `/include/chart_generator.php` | High
|
||||
17 | File | `/InternalPages/ExecuteTask.aspx` | High
|
||||
18 | File | `/modules/profile/index.php` | High
|
||||
19 | File | `/music/ajax.php` | High
|
||||
20 | File | `/pandora_console/ajax.php` | High
|
||||
21 | File | `/plugins/servlet/audit/resource` | High
|
||||
|
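Review bot: the added row `12 | File | /file?action=download&file | High` is a path plus a query string with a dangling `file` parameter name, so a File-type match on it cannot succeed; the file part is `/file`, and `action=download` and `file` belong in argument rows, which the type list in this file's count line provides for. The hunk also drops `/monitoring` (old row 18) without explanation; the remaining change is the renumbering of rows 13 to 18.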
@ -198,10 +198,9 @@ ID | Type | Indicator | Confidence
|
|||
28 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
|
||||
29 | File | `/secure/QueryComponent!Default.jspa` | High
|
||||
30 | File | `/tmp` | Low
|
||||
31 | File | `/uncpath/` | Medium
|
||||
32 | ... | ... | ...
|
||||
31 | ... | ... | ...
|
||||
|
||||
There are 272 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 267 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# Guccifer 2.0 - Cyber Threat Intelligence
|
||||
|
||||
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Guccifer 2.0](https://vuldb.com/?actor.guccifer_2.0). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Guccifer 2.0](https://vuldb.com/?actor.guccifer_2.0). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
|
||||
|
||||
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.guccifer_2.0](https://vuldb.com/?actor.guccifer_2.0)
|
||||
|
||||
|
@ -8,9 +8,9 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
|
|||
|
||||
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Guccifer 2.0:
|
||||
|
||||
* US
|
||||
* FR
|
||||
* RU
|
||||
* [US](https://vuldb.com/?country.us)
|
||||
* [FR](https://vuldb.com/?country.fr)
|
||||
* [RU](https://vuldb.com/?country.ru)
|
||||
|
||||
## IOC - Indicator of Compromise
|
||||
|
||||
|
@ -18,9 +18,9 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
|
|||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | 95.130.9.198 | - | - | High
|
||||
2 | 95.130.15.34 | - | - | High
|
||||
3 | 95.130.15.36 | - | - | High
|
||||
1 | [95.130.9.198](https://vuldb.com/?ip.95.130.9.198) | - | - | High
|
||||
2 | [95.130.15.34](https://vuldb.com/?ip.95.130.15.34) | - | - | High
|
||||
3 | [95.130.15.36](https://vuldb.com/?ip.95.130.15.36) | - | - | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 4 more IOC items available. Please use our online service to access the data.
|
||||
|
|
|
@ -16,7 +16,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
|
|||
|
||||
* [ES](https://vuldb.com/?country.es)
|
||||
* [SV](https://vuldb.com/?country.sv)
|
||||
* [DE](https://vuldb.com/?country.de)
|
||||
* [PL](https://vuldb.com/?country.pl)
|
||||
* ...
|
||||
|
||||
There are 4 more country items available. Please use our online service to access the data.
|
||||
|
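Review bot: `SV` is replaced by `DE` in the visible country list while the following count stays at 4 more items; if El Salvador had only dropped below the cut-off the count would now be 5, so either it was removed from the data or the count is stale. The file gives no ordering rule for the list, so a reader cannot tell whether DE is a new association or a reordering.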
@ -36,13 +36,13 @@ There are 7 more IOC items available. Please use our online service to access th
|
|||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Inception_. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Inception_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
|
||||
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
|
||||
2 | T1068 | CWE-250, CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
|
||||
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
|
||||
4 | ... | ... | ... | ...
|
||||
|
||||
There are 8 more TTP items available. Please use our online service to access the data.
|
||||
|
@ -53,31 +53,31 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
|
|||
|
||||
ID | Type | Indicator | Confidence
|
||||
-- | ---- | --------- | ----------
|
||||
1 | File | `/admin/page_edit/3` | High
|
||||
2 | File | `/api/notify.php` | High
|
||||
3 | File | `/domain/service/.ewell-known/caldav` | High
|
||||
4 | File | `/formAdvFirewall` | High
|
||||
5 | File | `/mobile/SelectUsers.jsp` | High
|
||||
6 | File | `/ProteinArraySignificanceTest.json` | High
|
||||
7 | File | `/usr/local/bin/mjs` | High
|
||||
8 | File | `/web` | Low
|
||||
9 | File | `admin/bad.php` | High
|
||||
10 | File | `admin/dl_sendmail.php` | High
|
||||
11 | File | `admin/pages/useredit.php` | High
|
||||
12 | File | `AdminBaseController.class.php` | High
|
||||
13 | File | `AlertReceiver.java` | High
|
||||
14 | File | `alfresco/s/admin/admin-nodebrowser` | High
|
||||
15 | File | `AndroidFuture.java` | High
|
||||
16 | File | `AndroidManifest.xml` | High
|
||||
17 | File | `api/info.php` | Medium
|
||||
18 | File | `attach.c` | Medium
|
||||
19 | File | `box_code_apple.c` | High
|
||||
20 | File | `bug_actiongroup.php` | High
|
||||
21 | File | `bug_report_page.php` | High
|
||||
22 | File | `cavsdec.c` | Medium
|
||||
1 | File | `/admin/news/news_mod.php` | High
|
||||
2 | File | `/admin/page_edit/3` | High
|
||||
3 | File | `/api/notify.php` | High
|
||||
4 | File | `/domain/service/.ewell-known/caldav` | High
|
||||
5 | File | `/formAdvFirewall` | High
|
||||
6 | File | `/mobile/SelectUsers.jsp` | High
|
||||
7 | File | `/ProteinArraySignificanceTest.json` | High
|
||||
8 | File | `/system/bin/osi_bin` | High
|
||||
9 | File | `/usr/local/bin/mjs` | High
|
||||
10 | File | `/web` | Low
|
||||
11 | File | `admin/bad.php` | High
|
||||
12 | File | `admin/dl_sendmail.php` | High
|
||||
13 | File | `admin/pages/useredit.php` | High
|
||||
14 | File | `AdminBaseController.class.php` | High
|
||||
15 | File | `AlertReceiver.java` | High
|
||||
16 | File | `alfresco/s/admin/admin-nodebrowser` | High
|
||||
17 | File | `AndroidFuture.java` | High
|
||||
18 | File | `AndroidManifest.xml` | High
|
||||
19 | File | `api/info.php` | Medium
|
||||
20 | File | `attach.c` | Medium
|
||||
21 | File | `box_code_apple.c` | High
|
||||
22 | File | `bug_actiongroup.php` | High
|
||||
23 | ... | ... | ...
|
||||
|
||||
There are 192 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
There are 194 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [US](https://vuldb.com/?country.us)
* ...

There are 2 more country items available. Please use our online service to access the data.
There are 3 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -283,16 +283,16 @@ There are 1024 more IOC items available. Please use our online service to access

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Indexsinas_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Indexsinas_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-307 | Improper Restriction of Excessive Authentication Attempts | High
1 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
2 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
3 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
4 | ... | ... | ... | ...

There are 6 more TTP items available. Please use our online service to access the data.
There are 8 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

@ -300,16 +300,17 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/config/getuser` | High
2 | File | `/etc/passwd` | Medium
3 | File | `/mdiy/dict/listExcludeApp` | High
4 | File | `/public/login.htm` | High
5 | File | `/web/MCmsAction.java` | High
6 | File | `admin.php` | Medium
7 | File | `admin/cgi-bin/listdir.pl` | High
8 | ... | ... | ...
1 | File | `/.htaccess` | Medium
2 | File | `/admin/link/link_ok.php` | High
3 | File | `/admin/upload/upload` | High
4 | File | `/api/appInternals/1.0/agent/configuration` | High
5 | File | `/api/appInternals/1.0/agent/da/pcf` | High
6 | File | `/api/appInternals/1.0/agent/diagnostic/logs` | High
7 | File | `/api/appInternals/1.0/plugin/pmx` | High
8 | File | `/api/eventinstance` | High
9 | ... | ... | ...

There are 59 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 61 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -1,6 +1,6 @@
# InvisiMole - Cyber Threat Intelligence

These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [InvisiMole](https://vuldb.com/?actor.invisimole). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [InvisiMole](https://vuldb.com/?actor.invisimole). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.invisimole](https://vuldb.com/?actor.invisimole)

@ -1,6 +1,6 @@
# Ircbot - Cyber Threat Intelligence

These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Ircbot](https://vuldb.com/?actor.ircbot). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Ircbot](https://vuldb.com/?actor.ircbot). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.ircbot](https://vuldb.com/?actor.ircbot)

@ -8,7 +8,7 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Ircbot:

* US
* [US](https://vuldb.com/?country.us)

## IOC - Indicator of Compromise

@ -16,9 +16,9 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 70.39.99.203 | ns2.4.cn | - | High
2 | 91.134.203.49 | - | - | High
3 | 95.173.180.252 | 2522nimdu.alanyareklam.com | - | High
1 | [70.39.99.203](https://vuldb.com/?ip.70.39.99.203) | ns2.4.cn | - | High
2 | [91.134.203.49](https://vuldb.com/?ip.91.134.203.49) | - | - | High
3 | [95.173.180.252](https://vuldb.com/?ip.95.173.180.252) | 2522nimdu.alanyareklam.com | - | High
4 | ... | ... | ... | ...

There are 1 more IOC items available. Please use our online service to access the data.

@ -1,52 +1,52 @@
# Johnnie - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Johnnie](https://vuldb.com/?actor.johnnie). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Johnnie](https://vuldb.com/?actor.johnnie). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.johnnie](https://vuldb.com/?actor.johnnie)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.johnnie](https://vuldb.com/?actor.johnnie)

## Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Johnnie:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Johnnie:

* US
* ES
* DE
* [US](https://vuldb.com/?country.us)
* [ES](https://vuldb.com/?country.es)
* [DE](https://vuldb.com/?country.de)
* ...

There are 5 more country items available. Please use our online service to access the data.
There are 6 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Johnnie.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Johnnie.

ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 20.36.253.92 | - | High
2 | 23.6.69.99 | a23-6-69-99.deploy.static.akamaitechnologies.com | High
3 | 23.105.131.235 | - | High
4 | 23.218.140.208 | a23-218-140-208.deploy.static.akamaitechnologies.com | High
5 | 34.107.221.82 | 82.221.107.34.bc.googleusercontent.com | Medium
6 | 34.215.65.187 | ec2-34-215-65-187.us-west-2.compute.amazonaws.com | Medium
7 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [20.36.253.92](https://vuldb.com/?ip.20.36.253.92) | - | - | High
2 | [23.6.69.99](https://vuldb.com/?ip.23.6.69.99) | a23-6-69-99.deploy.static.akamaitechnologies.com | - | High
3 | [23.105.131.235](https://vuldb.com/?ip.23.105.131.235) | - | - | High
4 | [23.218.140.208](https://vuldb.com/?ip.23.218.140.208) | a23-218-140-208.deploy.static.akamaitechnologies.com | - | High
5 | [34.107.221.82](https://vuldb.com/?ip.34.107.221.82) | 82.221.107.34.bc.googleusercontent.com | - | Medium
6 | [34.215.65.187](https://vuldb.com/?ip.34.215.65.187) | ec2-34-215-65-187.us-west-2.compute.amazonaws.com | - | Medium
7 | ... | ... | ... | ...

There are 25 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Johnnie. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Johnnie. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1211 | 7PK Security Features | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1211 | CWE-254, CWE-358 | 7PK Security Features | High
4 | ... | ... | ... | ...

There are 4 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Johnnie. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Johnnie. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
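Review bot: in the new IOC table, rows 2 and 4 resolve to Akamai CDN edge hosts (`a23-6-69-99.deploy.static.akamaitechnologies.com`, `a23-218-140-208.deploy.static.akamaitechnologies.com`) yet carry High confidence, while the Google Cloud and EC2 hosts in rows 5 and 6 are rated Medium. CDN edge addresses are shared by many unrelated sites and change frequently, so a blocklist built on them causes collateral damage; rate them Medium like the other shared-infrastructure rows, or state in the IOC intro that shared cloud and CDN addresses need corroboration before operational use.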
@ -66,18 +66,18 @@ ID | Type | Indicator | Confidence
14 | File | `bmp.c` | Low
15 | ... | ... | ...

There are 124 more IOA items available. Please use our online service to access the data.
There are 124 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:

* https://blog.talosintelligence.com/2021/03/threat-roundup-0226-0305.html
* https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html

## Literature

The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

@ -1,6 +1,6 @@
# Jupyter - Cyber Threat Intelligence

These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Jupyter](https://vuldb.com/?actor.jupyter). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Jupyter](https://vuldb.com/?actor.jupyter). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.jupyter](https://vuldb.com/?actor.jupyter)

@ -8,12 +8,12 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Jupyter:

* US
* FR
* RU
* [US](https://vuldb.com/?country.us)
* [FR](https://vuldb.com/?country.fr)
* [GB](https://vuldb.com/?country.gb)
* ...

There are 11 more country items available. Please use our online service to access the data.
There are 12 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -21,16 +21,16 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 23.29.115.175 | 23-29-115-175.static.hvvc.us | - | High
2 | 37.221.114.23 | - | - | High
3 | 69.46.15.151 | 69-46-15-151.static.hvvc.us | - | High
1 | [23.29.115.175](https://vuldb.com/?ip.23.29.115.175) | 23-29-115-175.static.hvvc.us | - | High
2 | [37.221.114.23](https://vuldb.com/?ip.37.221.114.23) | - | - | High
3 | [69.46.15.151](https://vuldb.com/?ip.69.46.15.151) | 69-46-15-151.static.hvvc.us | - | High
4 | ... | ... | ... | ...

There are 4 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Jupyter. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Jupyter_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -51,14 +51,15 @@ ID | Type | Indicator | Confidence
2 | File | `/include/chart_generator.php` | High
3 | File | `/login` | Low
4 | File | `/modules/profile/index.php` | High
5 | File | `/uncpath/` | Medium
6 | File | `/usr/bin/pkexec` | High
7 | File | `/wp-admin` | Medium
8 | File | `adclick.php` | Medium
9 | File | `admin-ajax.php` | High
10 | ... | ... | ...
5 | File | `/setup/finish` | High
6 | File | `/uncpath/` | Medium
7 | File | `/usr/bin/pkexec` | High
8 | File | `/wp-admin` | Medium
9 | File | `/wp-content/plugins/woocommerce/templates/emails/plain/` | High
10 | File | `adclick.php` | Medium
11 | ... | ... | ...

There are 79 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 84 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -1,36 +1,35 @@
# KilllSomeOne - Cyber Threat Intelligence
# KillSomeOne - Cyber Threat Intelligence

These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [KilllSomeOne](https://vuldb.com/?actor.killlsomeone). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [KillSomeOne](https://vuldb.com/?actor.killsomeone). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.killlsomeone](https://vuldb.com/?actor.killlsomeone)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.killsomeone](https://vuldb.com/?actor.killsomeone)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with KilllSomeOne:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with KillSomeOne:

* US
* [US](https://vuldb.com/?country.us)

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of KilllSomeOne.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of KillSomeOne.

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 160.20.147.254 | - | - | High
1 | [160.20.147.254](https://vuldb.com/?ip.160.20.147.254) | - | - | High

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by KilllSomeOne. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _KillSomeOne_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
3 | T1499 | CWE-404 | Resource Consumption | High

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by KilllSomeOne. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by KillSomeOne. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------

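Review bot: the actor name and link slug change from `KilllSomeOne` / `?actor.killlsomeone` to `KillSomeOne` / `?actor.killsomeone` in the heading, the intro and the Live data link, but nothing in the hunk shows the markdown file itself being renamed. Please confirm the corrected slug resolves on vuldb.com and that the file name follows the heading, otherwise the file and its title disagree and any existing links to the old slug break silently.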
@ -36,16 +36,16 @@ There are 6 more IOC items available. Please use our online service to access th

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Kimsuky_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Kimsuky_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 4 more TTP items available. Please use our online service to access the data.
There are 5 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

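Review bot: in row 3, `T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts`, the Description is the CWE-307 title, but CWE-307 is not in the Weakness column; the same row in the Lazarus file in this commit lists `CWE-307, CWE-798`, and the Indexsinas file pairs this description with `CWE-307` alone. Either keep CWE-307 in the Weakness column here or change the Description to match the listed weakness, so the two columns agree across actor files.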
@ -54,14 +54,20 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/.env` | Low
2 | File | `/cgi-bin/webproc` | High
3 | File | `/expert_wizard.php` | High
4 | File | `/mc` | Low
5 | File | `/tlogin.cgi` | Medium
6 | File | `/upload` | Low
7 | ... | ... | ...
2 | File | `/?/admin/snippet/add` | High
3 | File | `/bin/false` | Medium
4 | File | `/cgi-bin/webproc` | High
5 | File | `/expert_wizard.php` | High
6 | File | `/images/browserslide.jpg` | High
7 | File | `/includes/lib/get.php` | High
8 | File | `/main?cmd=invalid_browser` | High
9 | File | `/manager?action=getlogcat` | High
10 | File | `/mc` | Low
11 | File | `/rest/jpo/1.0/hierarchyConfiguration` | High
12 | File | `/SASWebReportStudio/logonAndRender.do` | High
13 | ... | ... | ...

There are 51 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 99 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

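Review bot: new row 3 lists `/bin/false` as a File indicator with Medium confidence. That path is a standard system binary, commonly set as the login shell of service accounts, so it shows up in entirely benign logs and configuration and a bare file match on it will produce false positives. Rate it Low, as `/mc` and `/.env` already are, or record the context in which it was observed alongside it.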
@ -32,7 +32,7 @@ There are 20 more IOC items available. Please use our online service to access t

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Kuluoz. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Kuluoz_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------

@ -24,7 +24,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [IN](https://vuldb.com/?country.in)
* ...

There are 3 more country items available. Please use our online service to access the data.
There are 1 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

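Review bot: the updated trailer `There are 1 more country items available` has a number-agreement error. The generator template should special-case the singular (`There is 1 more country item available`); the same wording also appears in the Ircbot IOC section of this commit.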
@ -218,16 +218,16 @@ There are 722 more IOC items available. Please use our online service to access

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Lazarus_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Lazarus_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-307 | Improper Restriction of Excessive Authentication Attempts | High
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 5 more TTP items available. Please use our online service to access the data.
There are 6 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

@ -235,16 +235,18 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/etc/passwd` | Medium
2 | File | `/mdiy/dict/listExcludeApp` | High
3 | File | `/uncpath/` | Medium
4 | File | `/web/MCmsAction.java` | High
5 | File | `admin.php` | Medium
6 | File | `admin/cgi-bin/listdir.pl` | High
7 | File | `admin/cgi-bin/rulemgr.pl/getfile/` | High
8 | ... | ... | ...
1 | File | `/.htaccess` | Medium
2 | File | `/admin/link/link_ok.php` | High
3 | File | `/alerts/alertConfigField.php` | High
4 | File | `/alerts/alertLightbox.php` | High
5 | File | `/aqpg/users/login.php` | High
6 | File | `/cwms/admin/?page=articles/view_article/` | High
7 | File | `/cwms/classes/Master.php?f=save_contact` | High
8 | File | `/download/` | Medium
9 | File | `/i/:data/ipa.plist` | High
10 | ... | ... | ...

There are 58 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 71 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

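Review bot: new row 9, `/i/:data/ipa.plist`, contains a route-parameter placeholder (`:data`) rather than a literal path segment, so a consumer matching File indicators literally will never hit it. List it under the `pattern` type the trailer already mentions, or replace the placeholder with a wildcard and say so; the same consideration applies to rows 6 and 7, whose query strings make them request patterns rather than file paths.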
@ -30,7 +30,7 @@ There are 6 more IOC items available. Please use our online service to access th

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _LightBasin_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _LightBasin_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------

@ -28,7 +28,7 @@ ID | IP address | Hostname | Campaign | Confidence

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Lock360_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Lock360_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------

@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [CN](https://vuldb.com/?country.cn)
* ...

There are 13 more country items available. Please use our online service to access the data.
There are 10 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -21,31 +21,36 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
|
|||
|
||||
ID | IP address | Hostname | Campaign | Confidence
|
||||
-- | ---------- | -------- | -------- | ----------
|
||||
1 | [15.197.142.173](https://vuldb.com/?ip.15.197.142.173) | a4ec4c6ea1c92e2e6.awsglobalaccelerator.com | - | High
|
||||
2 | [23.21.173.155](https://vuldb.com/?ip.23.21.173.155) | ec2-23-21-173-155.compute-1.amazonaws.com | - | Medium
|
||||
3 | [23.21.211.162](https://vuldb.com/?ip.23.21.211.162) | ec2-23-21-211-162.compute-1.amazonaws.com | - | Medium
|
||||
4 | [23.95.132.48](https://vuldb.com/?ip.23.95.132.48) | 23-95-132-48-host.colocrossing.com | - | High
|
||||
5 | [31.220.52.219](https://vuldb.com/?ip.31.220.52.219) | workshop.piguno.com | - | High
|
||||
6 | [34.102.136.180](https://vuldb.com/?ip.34.102.136.180) | 180.136.102.34.bc.googleusercontent.com | - | Medium
|
||||
7 | [35.247.234.230](https://vuldb.com/?ip.35.247.234.230) | 230.234.247.35.bc.googleusercontent.com | - | Medium
|
||||
8 | [37.235.1.174](https://vuldb.com/?ip.37.235.1.174) | resolver1.freedns.zone.powered.by.virtexxa.com | - | High
|
||||
9 | [37.235.1.177](https://vuldb.com/?ip.37.235.1.177) | resolver2.freedns.zone.powered.by.virtexxa.com | - | High
|
||||
10 | [45.33.83.75](https://vuldb.com/?ip.45.33.83.75) | li1029-75.members.linode.com | - | High
|
||||
11 | [45.147.229.85](https://vuldb.com/?ip.45.147.229.85) | - | - | High
|
||||
12 | [50.16.216.118](https://vuldb.com/?ip.50.16.216.118) | ec2-50-16-216-118.compute-1.amazonaws.com | - | Medium
|
||||
13 | [50.19.92.227](https://vuldb.com/?ip.50.19.92.227) | ec2-50-19-92-227.compute-1.amazonaws.com | - | Medium
|
||||
14 | [52.60.87.163](https://vuldb.com/?ip.52.60.87.163) | ec2-52-60-87-163.ca-central-1.compute.amazonaws.com | - | Medium
|
||||
15 | [54.225.78.40](https://vuldb.com/?ip.54.225.78.40) | ec2-54-225-78-40.compute-1.amazonaws.com | - | Medium
|
||||
16 | [54.225.165.85](https://vuldb.com/?ip.54.225.165.85) | ec2-54-225-165-85.compute-1.amazonaws.com | - | Medium
|
||||
17 | [54.225.245.108](https://vuldb.com/?ip.54.225.245.108) | ec2-54-225-245-108.compute-1.amazonaws.com | - | Medium
|
||||
18 | [54.235.88.121](https://vuldb.com/?ip.54.235.88.121) | ec2-54-235-88-121.compute-1.amazonaws.com | - | Medium
|
||||
19 | ... | ... | ... | ...
|
||||
1 | [2.57.186.170](https://vuldb.com/?ip.2.57.186.170) | - | - | High
|
||||
2 | [13.107.21.200](https://vuldb.com/?ip.13.107.21.200) | - | - | High
|
||||
3 | [15.197.142.173](https://vuldb.com/?ip.15.197.142.173) | a4ec4c6ea1c92e2e6.awsglobalaccelerator.com | - | High
|
||||
4 | [20.189.173.20](https://vuldb.com/?ip.20.189.173.20) | - | - | High
|
||||
5 | [23.21.173.155](https://vuldb.com/?ip.23.21.173.155) | ec2-23-21-173-155.compute-1.amazonaws.com | - | Medium
|
||||
6 | [23.21.211.162](https://vuldb.com/?ip.23.21.211.162) | ec2-23-21-211-162.compute-1.amazonaws.com | - | Medium
|
||||
7 | [23.95.132.48](https://vuldb.com/?ip.23.95.132.48) | 23-95-132-48-host.colocrossing.com | - | High
|
||||
8 | [23.205.105.153](https://vuldb.com/?ip.23.205.105.153) | a23-205-105-153.deploy.static.akamaitechnologies.com | - | High
|
||||
9 | [23.205.105.157](https://vuldb.com/?ip.23.205.105.157) | a23-205-105-157.deploy.static.akamaitechnologies.com | - | High
|
||||
10 | [23.222.5.37](https://vuldb.com/?ip.23.222.5.37) | a23-222-5-37.deploy.static.akamaitechnologies.com | - | High
|
||||
11 | [31.41.46.120](https://vuldb.com/?ip.31.41.46.120) | maldova873.example.com | - | High
|
||||
12 | [31.220.52.219](https://vuldb.com/?ip.31.220.52.219) | workshop.piguno.com | - | High
|
||||
13 | [34.102.136.180](https://vuldb.com/?ip.34.102.136.180) | 180.136.102.34.bc.googleusercontent.com | - | Medium
|
||||
14 | [35.247.234.230](https://vuldb.com/?ip.35.247.234.230) | 230.234.247.35.bc.googleusercontent.com | - | Medium
|
||||
15 | [37.235.1.174](https://vuldb.com/?ip.37.235.1.174) | resolver1.freedns.zone.powered.by.virtexxa.com | - | High
|
||||
16 | [37.235.1.177](https://vuldb.com/?ip.37.235.1.177) | resolver2.freedns.zone.powered.by.virtexxa.com | - | High
|
||||
17 | [45.33.83.75](https://vuldb.com/?ip.45.33.83.75) | li1029-75.members.linode.com | - | High
|
||||
18 | [45.128.184.132](https://vuldb.com/?ip.45.128.184.132) | vds107519.mgn-host.ru | - | High
|
||||
19 | [45.147.229.85](https://vuldb.com/?ip.45.147.229.85) | - | - | High
|
||||
20 | [45.154.253.150](https://vuldb.com/?ip.45.154.253.150) | shared04.cust05.proxy.is | - | High
|
||||
21 | [45.154.253.152](https://vuldb.com/?ip.45.154.253.152) | shared06.cust05.proxy.is | - | High
|
||||
22 | [50.16.216.118](https://vuldb.com/?ip.50.16.216.118) | ec2-50-16-216-118.compute-1.amazonaws.com | - | Medium
|
||||
23 | [50.19.92.227](https://vuldb.com/?ip.50.19.92.227) | ec2-50-19-92-227.compute-1.amazonaws.com | - | Medium
|
||||
24 | ... | ... | ... | ...
|
||||
|
||||
There are 71 more IOC items available. Please use our online service to access the data.
|
||||
There are 91 more IOC items available. Please use our online service to access the data.
|
||||
|
||||
## TTP - Tactics, Techniques, Procedures
|
||||
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _LokiBot_. This data is unique as it uses our predictive model for actor profiling.
|
||||
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _LokiBot_. This data is unique as it uses our predictive model for actor profiling.
|
||||
|
||||
ID | Technique | Weakness | Description | Confidence
|
||||
-- | --------- | -------- | ----------- | ----------
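Review bot: new row 11 (`31.41.46.120` with hostname `maldova873.example.com`) should be verified before it ships as a High-confidence IOC. example.com is reserved for documentation by RFC 2606, so a reverse-DNS name under it is far more likely a hosting-provider placeholder than a name the actor controls; if the hostname cannot be confirmed, publish the row with the Hostname column set to `-`, as the other unresolved entries in this table already do.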
@ -67,37 +72,36 @@ ID | Type | Indicator | Confidence
3 | File | `/car.php` | Medium
4 | File | `/CMD_ACCOUNT_ADMIN` | High
5 | File | `/config/getuser` | High
6 | File | `/core/admin/categories.php` | High
7 | File | `/dashboards/#` | High
8 | File | `/etc/controller-agent/agent.conf` | High
9 | File | `/etc/postfix/sender_login` | High
10 | File | `/etc/sudoers` | Medium
11 | File | `/etc/tomcat8/Catalina/attack` | High
12 | File | `/filemanager/php/connector.php` | High
13 | File | `/forum/away.php` | High
14 | File | `/fudforum/adm/hlplist.php` | High
15 | File | `/GponForm/fsetup_Form` | High
16 | File | `/log_download.cgi` | High
17 | File | `/modules/profile/index.php` | High
18 | File | `/MTFWU` | Low
19 | File | `/out.php` | Medium
20 | File | `/public/plugins/` | High
21 | File | `/s/` | Low
22 | File | `/secure/QueryComponent!Default.jspa` | High
23 | File | `/server-info` | Medium
24 | File | `/tmp` | Low
25 | File | `/tmp/app/.env` | High
26 | File | `/tmp/kamailio_ctl` | High
27 | File | `/tmp/kamailio_fifo` | High
28 | File | `/uncpath/` | Medium
29 | File | `/updown/upload.cgi` | High
30 | File | `/usr/bin/pkexec` | High
31 | File | `/way4acs/enroll` | High
32 | File | `/WEB-INF/web.xml` | High
33 | File | `/wp-json/wc/v3/webhooks` | High
34 | ... | ... | ...
6 | File | `/context/%2e/WEB-INF/web.xml` | High
7 | File | `/core/admin/categories.php` | High
8 | File | `/dashboards/#` | High
9 | File | `/etc/controller-agent/agent.conf` | High
10 | File | `/etc/postfix/sender_login` | High
11 | File | `/etc/sudoers` | Medium
12 | File | `/etc/tomcat8/Catalina/attack` | High
13 | File | `/filemanager/php/connector.php` | High
14 | File | `/forum/away.php` | High
15 | File | `/fudforum/adm/hlplist.php` | High
16 | File | `/GponForm/fsetup_Form` | High
17 | File | `/log_download.cgi` | High
18 | File | `/modules/profile/index.php` | High
19 | File | `/MTFWU` | Low
20 | File | `/out.php` | Medium
21 | File | `/public/plugins/` | High
22 | File | `/s/` | Low
23 | File | `/secure/QueryComponent!Default.jspa` | High
24 | File | `/server-info` | Medium
25 | File | `/tmp` | Low
26 | File | `/tmp/app/.env` | High
27 | File | `/tmp/kamailio_ctl` | High
28 | File | `/tmp/kamailio_fifo` | High
29 | File | `/uncpath/` | Medium
30 | File | `/updown/upload.cgi` | High
31 | File | `/usr/bin/at` | Medium
32 | File | `/usr/bin/pkexec` | High
33 | ... | ... | ...

There are 288 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 282 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -114,6 +118,7 @@ The following list contains _external sources_ which discuss the actor and the a
* https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
* https://blog.talosintelligence.com/2022/01/threat-roundup-0121-0128.html
* https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
* https://blog.talosintelligence.com/2022/03/threat-roundup-0304-0311.html
* https://vxug.fakedoma.in/archive/APTs/2021/2021.01.06(1)/LokiBot%20Infection%20Chain.pdf

## Literature

@ -33,7 +33,7 @@ ID | IP address | Hostname | Campaign | Confidence

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Lorec53. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Lorec53_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------

@ -10,7 +10,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce

* [CN](https://vuldb.com/?country.cn)
* [FR](https://vuldb.com/?country.fr)
* [DE](https://vuldb.com/?country.de)
* [IT](https://vuldb.com/?country.it)
* ...

There are 14 more country items available. Please use our online service to access the data.
@ -34,7 +34,7 @@ There are 27 more IOC items available. Please use our online service to access t

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Magecart_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Magecart_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -55,32 +55,31 @@ ID | Type | Indicator | Confidence
2 | File | `/admin/delete_image.php` | High
3 | File | `/admin/login.php` | High
4 | File | `/administrator/components/table_manager/` | High
5 | File | `/changePassword` | High
6 | File | `/context/%2e/WEB-INF/web.xml` | High
7 | File | `/data-service/users/` | High
8 | File | `/Hospital-Management-System-master/func.php` | High
9 | File | `/jeecg-boot/sys/user/queryUserByDepId` | High
10 | File | `/jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c` | High
11 | File | `/js/app.js` | Medium
12 | File | `/message-bus/_diagnostics` | High
13 | File | `/ms/cms/content/list.do` | High
14 | File | `/plugin/jcapture/applet.php` | High
15 | File | `/preferences/tags` | High
16 | File | `/proc/<pid>/status` | High
17 | File | `/public/plugins/` | High
18 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
19 | File | `/secure/EditSubscription.jspa` | High
20 | File | `/secure/QueryComponent!Default.jspa` | High
21 | File | `/tmp` | Low
22 | File | `/uncpath/` | Medium
23 | File | `1.2.2.pl4` | Medium
24 | File | `AccountManagerService.java` | High
25 | File | `actions/CompanyDetailsSave.php` | High
26 | File | `ActivityManagerService.java` | High
27 | File | `admin.php` | Medium
28 | ... | ... | ...
5 | File | `/aqpg/users/login.php` | High
6 | File | `/changePassword` | High
7 | File | `/cloud_config/router_post/check_reg_verify_code` | High
8 | File | `/context/%2e/WEB-INF/web.xml` | High
9 | File | `/data-service/users/` | High
10 | File | `/Hospital-Management-System-master/func.php` | High
11 | File | `/jeecg-boot/sys/user/queryUserByDepId` | High
12 | File | `/jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c` | High
13 | File | `/js/app.js` | Medium
14 | File | `/ManageRoute/postRoute` | High
15 | File | `/message-bus/_diagnostics` | High
16 | File | `/ms/cms/content/list.do` | High
17 | File | `/plugin/jcapture/applet.php` | High
18 | File | `/preferences/tags` | High
19 | File | `/proc/<pid>/status` | High
20 | File | `/public/plugins/` | High
21 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
22 | File | `/secure/EditSubscription.jspa` | High
23 | File | `/secure/QueryComponent!Default.jspa` | High
24 | File | `/tmp` | Low
25 | File | `/uncpath/` | Medium
26 | File | `1.2.2.pl4` | Medium
27 | ... | ... | ...

There are 234 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 227 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -28,16 +28,13 @@ ID | IP address | Hostname | Campaign | Confidence

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by MalKamak. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _MalKamak_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-284 | Execution with Unnecessary Privileges | High
3 | T1499 | CWE-770 | Resource Consumption | High
4 | ... | ... | ... | ...

There are 1 more TTP items available. Please use our online service to access the data.
3 | T1555 | CWE-312 | Cleartext Storage of Sensitive Information | High

## IOA - Indicator of Attack

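Review bot: row 3 silently drops T1499 (CWE-770, Resource Consumption) in favour of T1555 (CWE-312, Cleartext Storage of Sensitive Information) and also removes the `4 | ...` continuation row and the "There are 1 more TTP items" pointer, so the profile shrinks from four techniques to three with a commit message that only says "Update". Consumers diffing this table will read that as a retraction of T1499; either keep it as row 4 or state in the commit message that the technique was retired from the MalKamak profile and why.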
@ -1,21 +1,53 @@
# Maze - Cyber Threat Intelligence

These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Maze](https://vuldb.com/?actor.maze). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Maze](https://vuldb.com/?actor.maze). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.maze](https://vuldb.com/?actor.maze)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Maze:

* [US](https://vuldb.com/?country.us)
* [RU](https://vuldb.com/?country.ru)

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Maze.

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 94.232.40.167 | - | - | High
1 | [91.218.114.4](https://vuldb.com/?ip.91.218.114.4) | - | - | High
2 | [91.218.114.11](https://vuldb.com/?ip.91.218.114.11) | - | - | High
3 | [94.232.40.167](https://vuldb.com/?ip.94.232.40.167) | - | - | High

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Maze_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Maze. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/uncpath/` | Medium
2 | File | `/var/log/nginx` | High
3 | File | `ext/standard/var_unserializer.re` | High
4 | ... | ... | ...

There are 4 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://blog.talosintelligence.com/2022/03/threat-roundup-0304-0311.html
* https://github.com/sophoslabs/IoCs/blob/master/Ransomware-Maze.csv

## Literature

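Review bot: in the new TTP table, row 2 lists `CWE-264, CWE-284` as the weakness for T1068 while the Description cell reads "Execution with Unnecessary Privileges", which is the title of CWE-250; CWE-284 is "Improper Access Control" and CWE-264 is the retired category "Permissions, Privileges, and Access Controls". If the Description column is meant to carry the CWE name, add CWE-250 to the Weakness cell or reword the description to match the CWEs actually listed. The same Weakness/Description pairing for T1068 appears in the MalKamak and Miner tables in this commit, so it is probably a template issue rather than a per-actor one.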
@ -0,0 +1,72 @@
# Miner - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Miner](https://vuldb.com/?actor.miner). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.miner](https://vuldb.com/?actor.miner)

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Miner:

* [SC](https://vuldb.com/?country.sc)
* [LI](https://vuldb.com/?country.li)
* [US](https://vuldb.com/?country.us)
* ...

There are 2 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Miner.

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [91.211.89.29](https://vuldb.com/?ip.91.211.89.29) | - | - | High
2 | [185.10.68.123](https://vuldb.com/?ip.185.10.68.123) | 123.68.10.185.ro.ovo.sc | - | High
3 | [185.10.68.220](https://vuldb.com/?ip.185.10.68.220) | 220.68.10.185.ro.ovo.sc | - | High

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Miner_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 5 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Miner. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/admin/sysmon.php` | High
2 | File | `/api/content/posts/comments` | High
3 | File | `/Home/GetAttachment` | High
4 | File | `/members/view_member.php` | High
5 | File | `/modules/projects/vw_files.php` | High
6 | File | `admin/limits.php` | High
7 | ... | ... | ...

There are 50 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://blog.talosintelligence.com/2022/03/threat-roundup-0304-0311.html

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
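Review bot: row 3 of the TTP table pairs T1110.001 with CWE-798 but describes it as "Improper Restriction of Excessive Authentication Attempts", which is the title of CWE-307; CWE-798 is "Use of Hard-coded Credentials". For a password-guessing sub-technique CWE-307 is the weakness that matches the description, so either change the Weakness cell to CWE-307 or reword the Description to match CWE-798. Since this file is new in the commit, it is the right moment to get the mapping consistent before other profiles copy it.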
@ -20,7 +20,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [CN](https://vuldb.com/?country.cn)
* ...

There are 6 more country items available. Please use our online service to access the data.
There are 7 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -39,7 +39,7 @@ There are 22 more IOC items available. Please use our online service to access t

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Mirai_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Mirai_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------

@ -42,7 +42,7 @@ There are 17 more IOC items available. Please use our online service to access t

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Molerats_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Molerats_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------

@ -1,23 +1,31 @@
# Moses Staff - Cyber Threat Intelligence

These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Moses Staff](https://vuldb.com/?actor.moses_staff). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Moses Staff](https://vuldb.com/?actor.moses_staff). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.moses_staff](https://vuldb.com/?actor.moses_staff)

## Campaigns

The following _campaigns_ are known and can be associated with Moses Staff:

* DriveGuard

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Moses Staff.

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 95.169.196.52 | - | - | High
2 | 185.206.180.138 | 25.http-proxy2.cloudns.net | - | High
1 | [87.120.8.210](https://vuldb.com/?ip.87.120.8.210) | - | DriveGuard | High
2 | [95.169.196.52](https://vuldb.com/?ip.95.169.196.52) | - | - | High
3 | [185.206.180.138](https://vuldb.com/?ip.185.206.180.138) | 25.http-proxy2.cloudns.net | - | High

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://ddanchev.blogspot.com/2021/10/exposing-moses-staff-data-leaks-gang.html
* https://www.fortinet.com/blog/threat-research/guard-your-drive-from-driveguard

## Literature

@ -1,6 +1,6 @@
# Muhstik - Cyber Threat Intelligence

These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Muhstik](https://vuldb.com/?actor.muhstik). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Muhstik](https://vuldb.com/?actor.muhstik). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.muhstik](https://vuldb.com/?actor.muhstik)

@ -16,9 +16,9 @@ The following _campaigns_ are known and can be associated with Muhstik:

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Muhstik:

* FR
* US
* NL
* [FR](https://vuldb.com/?country.fr)
* [US](https://vuldb.com/?country.us)
* [NL](https://vuldb.com/?country.nl)
* ...

There are 15 more country items available. Please use our online service to access the data.
@ -29,20 +29,20 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 1.116.59.211 | - | - | High
2 | 3.10.224.87 | ec2-3-10-224-87.eu-west-2.compute.amazonaws.com | - | Medium
3 | 5.19.4.15 | relay.zmk.spb.ru | - | High
4 | 18.228.7.109 | ec2-18-228-7-109.sa-east-1.compute.amazonaws.com | Log4Shell | Medium
5 | 34.66.229.152 | 152.229.66.34.bc.googleusercontent.com | - | Medium
6 | 34.221.40.237 | ec2-34-221-40-237.us-west-2.compute.amazonaws.com | - | Medium
7 | 35.160.222.182 | ec2-35-160-222-182.us-west-2.compute.amazonaws.com | - | Medium
8 | 37.187.107.139 | ns326418.ip-37-187-107.eu | - | High
9 | 37.187.253.12 | ns347308.ip-37-187-253.eu | - | High
10 | 45.130.229.168 | - | Log4Shell | High
11 | 46.29.160.149 | - | - | High
12 | 46.218.149.85 | reverse.completel.fr | - | High
13 | 47.135.208.145 | 047-135-208-145.res.spectrum.com | CVE-2018-7600 / CVE-2017-10271 | High
14 | 51.254.219.134 | 134.ip-51-254-219.eu | CVE-2018-7600 / CVE-2017-10271 | High
1 | [1.116.59.211](https://vuldb.com/?ip.1.116.59.211) | - | - | High
2 | [3.10.224.87](https://vuldb.com/?ip.3.10.224.87) | ec2-3-10-224-87.eu-west-2.compute.amazonaws.com | - | Medium
3 | [5.19.4.15](https://vuldb.com/?ip.5.19.4.15) | relay.zmk.spb.ru | - | High
4 | [18.228.7.109](https://vuldb.com/?ip.18.228.7.109) | ec2-18-228-7-109.sa-east-1.compute.amazonaws.com | Log4Shell | Medium
5 | [34.66.229.152](https://vuldb.com/?ip.34.66.229.152) | 152.229.66.34.bc.googleusercontent.com | - | Medium
6 | [34.221.40.237](https://vuldb.com/?ip.34.221.40.237) | ec2-34-221-40-237.us-west-2.compute.amazonaws.com | - | Medium
7 | [35.160.222.182](https://vuldb.com/?ip.35.160.222.182) | ec2-35-160-222-182.us-west-2.compute.amazonaws.com | - | Medium
8 | [37.187.107.139](https://vuldb.com/?ip.37.187.107.139) | ns326418.ip-37-187-107.eu | - | High
9 | [37.187.253.12](https://vuldb.com/?ip.37.187.253.12) | ns347308.ip-37-187-253.eu | - | High
10 | [45.130.229.168](https://vuldb.com/?ip.45.130.229.168) | - | Log4Shell | High
11 | [46.29.160.149](https://vuldb.com/?ip.46.29.160.149) | - | - | High
12 | [46.218.149.85](https://vuldb.com/?ip.46.218.149.85) | reverse.completel.fr | - | High
13 | [47.135.208.145](https://vuldb.com/?ip.47.135.208.145) | 047-135-208-145.res.spectrum.com | CVE-2018-7600 / CVE-2017-10271 | High
14 | [51.254.219.134](https://vuldb.com/?ip.51.254.219.134) | 134.ip-51-254-219.eu | CVE-2018-7600 / CVE-2017-10271 | High
15 | ... | ... | ... | ...

There are 56 more IOC items available. Please use our online service to access the data.
@ -89,7 +89,7 @@ ID | Type | Indicator | Confidence
21 | File | `adm1n/admin_config.php` | High
22 | ... | ... | ...

There are 183 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 184 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

@ -35,7 +35,7 @@ There are 22 more IOC items available. Please use our online service to access t

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Mustang Panda_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Mustang Panda_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------

@ -43,7 +43,7 @@ There are 31 more IOC items available. Please use our online service to access t

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _NSO Group_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _NSO Group_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -66,21 +66,21 @@ ID | Type | Indicator | Confidence
4 | File | `/forms/web_importTFTP` | High
5 | File | `/forum/away.php` | High
6 | File | `/graphql` | Medium
7 | File | `/localhost/u` | Medium
8 | File | `/out.php` | Medium
9 | File | `/PluXml/core/admin/parametres_edittpl.php` | High
10 | File | `/public_html/admin/plugins/bad_behavior2/blacklist.php` | High
11 | File | `/rom-0` | Low
12 | File | `/root/run/adm.php?admin-ediy&part=exdiy` | High
13 | File | `/v2/devices/add` | High
14 | File | `/var/ipfire/backup/bin/backup.pl` | High
15 | File | `/wp-json/wc/v3/webhooks` | High
16 | File | `adclick.php` | Medium
17 | File | `AddEvent.php` | Medium
18 | File | `admin.php` | Medium
7 | File | `/jeecg-boot/jmreport/view` | High
8 | File | `/localhost/u` | Medium
9 | File | `/out.php` | Medium
10 | File | `/PluXml/core/admin/parametres_edittpl.php` | High
11 | File | `/public_html/admin/plugins/bad_behavior2/blacklist.php` | High
12 | File | `/rom-0` | Low
13 | File | `/root/run/adm.php?admin-ediy&part=exdiy` | High
14 | File | `/v2/devices/add` | High
15 | File | `/var/ipfire/backup/bin/backup.pl` | High
16 | File | `/wp-json/wc/v3/webhooks` | High
17 | File | `adclick.php` | Medium
18 | File | `AddEvent.php` | Medium
19 | ... | ... | ...

There are 154 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 155 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

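Review bot: the positional ID column makes a one-row change into a twelve-row diff and silently invalidates external references. Inserting `7 | File | `/jeecg-boot/jmreport/view` | High` shifts the former rows 7 through 18 (`/localhost/u` through `AddEvent.php`) by one, so anything that recorded "IOA 12 of this actor" now resolves to a different file. Either give each indicator a stable identifier that survives insertions, or drop the ID column and let the indicator string itself be the key; the tail count moving from 154 to 155 is consistent with the single visible insertion, so that part is fine.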
@ -1,71 +1,72 @@
# Naikon - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Naikon](https://vuldb.com/?actor.naikon). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Naikon](https://vuldb.com/?actor.naikon). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.naikon](https://vuldb.com/?actor.naikon)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.naikon](https://vuldb.com/?actor.naikon)

## Campaigns

The following campaigns are known and can be associated with Naikon:
The following _campaigns_ are known and can be associated with Naikon:

* Camerashy

## Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Naikon:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Naikon:

* US
* CN
* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)

## IOC - Indicator of Compromise

These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Naikon.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Naikon.

ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 47.241.127.190 | - | High
2 | 50.117.115.89 | - | High
3 | 50.117.115.90 | - | High
4 | 65.19.141.203 | shibakov.org | High
5 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [47.241.127.190](https://vuldb.com/?ip.47.241.127.190) | - | - | High
2 | [50.117.115.89](https://vuldb.com/?ip.50.117.115.89) | - | Camerashy | High
3 | [50.117.115.90](https://vuldb.com/?ip.50.117.115.90) | - | Camerashy | High
4 | [65.19.141.203](https://vuldb.com/?ip.65.19.141.203) | shibakov.org | Camerashy | High
5 | ... | ... | ... | ...

There are 16 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Naikon. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Naikon_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...

There are 5 more TTP items available. Please use our online service to access the data.
There are 4 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Naikon. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Naikon. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `%windir%\Internet Logs\` | High
2 | File | `/crypto_keyfile.bin` | High
3 | File | `/show_news.php` | High
4 | File | `/squashfs-root/www/HNAP1/control/SetWizardConfig.php` | High
5 | File | `500page.jsp` | Medium
6 | File | `admin/admin_process.php` | High
7 | File | `admin/user_activate_submit.php` | High
8 | File | `browse-scategory.php` | High
9 | File | `classes/Visualizer/Gutenberg/Block.php` | High
10 | ... | ... | ...
4 | File | `/siteminderagent/pwcgi/smpwservicescgi.exe` | High
5 | File | `/squashfs-root/www/HNAP1/control/SetWizardConfig.php` | High
6 | File | `500page.jsp` | Medium
7 | File | `admin/admin_process.php` | High
8 | File | `admin/user_activate_submit.php` | High
9 | File | `browse-scategory.php` | High
10 | File | `classes/Visualizer/Gutenberg/Block.php` | High
11 | ... | ... | ...

There are 78 more IOA items available. Please use our online service to access the data.
There are 83 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:

* http://cdn2.hubspot.net/hubfs/454298/Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf
* https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/
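Review bot: the hidden-tail counts in this file change without a visible cause. `There are 5 more TTP items available` becomes `There are 4 more TTP items available` although the three visible TTP rows are identical apart from the new Weakness column, and `There are 78 more IOA items available` becomes `There are 83 more IOA items available` although only one visible row (`/siteminderagent/pwcgi/smpwservicescgi.exe`) was added. A reader of the diff cannot tell whether a TTP was dropped from the tail, the old counts were wrong, or the counting rule changed together with the new `(file, library, argument, input value, pattern, network port)` qualifier. Please have the generator emit the count from the same data it renders and mention count-only changes in the change description.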
@ -74,7 +75,7 @@ The following list contains external sources which discuss the actor and the ass

## Literature

The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
@ -1,70 +1,70 @@
# Nanocore - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Nanocore](https://vuldb.com/?actor.nanocore). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Nanocore](https://vuldb.com/?actor.nanocore). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.nanocore](https://vuldb.com/?actor.nanocore)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.nanocore](https://vuldb.com/?actor.nanocore)

## Campaigns

The following campaigns are known and can be associated with Nanocore:
The following _campaigns_ are known and can be associated with Nanocore:

* Tax-Themed Phishing

## Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Nanocore:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Nanocore:

* US
* CN
* GB
* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [GB](https://vuldb.com/?country.gb)
* ...

There are 6 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Nanocore.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Nanocore.

ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 8.8.8.8 | dns.google | High
2 | 20.42.65.92 | - | High
3 | 23.235.221.158 | vps53141.inmotionhosting.com | High
4 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [8.8.8.8](https://vuldb.com/?ip.8.8.8.8) | dns.google | - | High
2 | [20.42.65.92](https://vuldb.com/?ip.20.42.65.92) | - | - | High
3 | [23.235.221.158](https://vuldb.com/?ip.23.235.221.158) | vps53141.inmotionhosting.com | Tax-Themed Phishing | High
4 | ... | ... | ... | ...

There are 14 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Nanocore. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Nanocore_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1211 | 7PK Security Features | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1211 | CWE-254 | 7PK Security Features | High
4 | ... | ... | ... | ...

There are 4 more TTP items available. Please use our online service to access the data.
There are 3 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Nanocore. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Nanocore. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/services/details.asp` | High
2 | File | `/uncpath/` | Medium
3 | File | `browser.php` | Medium
4 | File | `cat.php` | Low
5 | File | `CompanionDeviceManagerService.java` | High
1 | File | `/etc/sudoers` | Medium
2 | File | `/services/details.asp` | High
3 | File | `/uncpath/` | Medium
4 | File | `browser.php` | Medium
5 | File | `cat.php` | Low
6 | ... | ... | ...

There are 42 more IOA items available. Please use our online service to access the data.
There are 43 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:

* https://blog.talosintelligence.com/2021/07/threat-roundup-0716-0723.html
* https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
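Review bot: `1 | [8.8.8.8](https://vuldb.com/?ip.8.8.8.8) | dns.google | - | High` keeps Google's public resolver as a High-confidence indicator of compromise, and this hunk even adds a link to it. Shared resolver infrastructure is contacted by practically every host, so a consumer that loads this table into a blocklist causes an outage and one that loads it into a SIEM match rule gets a flood of false positives. Suggest either dropping the row or giving shared/benign infrastructure an explicit marker (a lower confidence, or a separate type such as "contacted resolver") so automated consumers can exclude it. The same reasoning applies, more mildly, to the new `1 | File | `/etc/sudoers` | Medium`: the file exists on every Linux host, so the indicator only carries meaning together with the access pattern, which the table does not record.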
@ -72,7 +72,7 @@ The following list contains external sources which discuss the actor and the ass

## Literature

The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
@ -1,37 +1,37 @@
# Nobelium - Cyber Threat Intelligence

The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Nobelium](https://vuldb.com/?actor.nobelium). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Nobelium](https://vuldb.com/?actor.nobelium). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

Live data and more analysis capabilities are available at [https://vuldb.com/?actor.nobelium](https://vuldb.com/?actor.nobelium)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.nobelium](https://vuldb.com/?actor.nobelium)

## Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Nobelium:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Nobelium:

* CN
* US
* DE
* [CN](https://vuldb.com/?country.cn)
* [US](https://vuldb.com/?country.us)
* [DE](https://vuldb.com/?country.de)

## IOC - Indicator of Compromise

These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Nobelium.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Nobelium.

ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 83.171.237.173 | 83.171.237.173.static.as201206.net | High
2 | 192.99.221.77 | ip77.ip-192-99-221.net | High
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [83.171.237.173](https://vuldb.com/?ip.83.171.237.173) | 83.171.237.173.static.as201206.net | - | High
2 | [192.99.221.77](https://vuldb.com/?ip.192.99.221.77) | ip77.ip-192-99-221.net | - | High

## TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Nobelium. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Nobelium_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1068 | Execution with Unnecessary Privileges | High
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1068 | CWE-284 | Execution with Unnecessary Privileges | High

## IOA - Indicator of Attack

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Nobelium. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Nobelium. This data is unique as it uses our predictive model for actor profiling.

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
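Review bot: the new Weakness column is not applied consistently across the files touched by this change. Here T1068 is mapped as `1 | T1068 | CWE-284 | Execution with Unnecessary Privileges | High`, while the Naikon and Nanocore tables in the same change map the same technique and the same description to `CWE-264, CWE-284`. If the technique-to-CWE mapping is a property of the technique, it should be identical everywhere; if it is derived per actor from the underlying vulnerability data, the sentence introducing the table should say so, otherwise readers will treat the column as a fixed ATT&CK-to-CWE crosswalk and be misled by the discrepancy.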
@ -40,17 +40,17 @@ ID | Type | Indicator | Confidence
3 | File | `burl.c` | Low
4 | ... | ... | ...

There are 8 more IOA items available. Please use our online service to access the data.
There are 8 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:

* https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/

## Literature

The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
@ -33,7 +33,7 @@ There are 22 more IOC items available. Please use our online service to access t

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Nymaim_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Nymaim_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -50,34 +50,34 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic

ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/adfs/ls` | Medium
2 | File | `/admin/doctors/view_doctor.php` | High
3 | File | `/appliance/users?action=edit` | High
4 | File | `/config/getuser` | High
5 | File | `/data-service/users/` | High
6 | File | `/IISADMPWD` | Medium
7 | File | `/js/app.js` | Medium
8 | File | `/login` | Low
9 | File | `/monitor/s_headmodel.php` | High
10 | File | `/pro/repo-create.html` | High
11 | File | `/public/plugins/` | High
12 | File | `/rest/api/1.0/issues/{id}/ActionsAndOperations` | High
13 | File | `/rest/api/latest/projectvalidate/key` | High
14 | File | `/rest/collectors/1.0/template/custom` | High
15 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
16 | File | `/server-info` | Medium
17 | File | `/services` | Medium
18 | File | `/test/cookie/` | High
19 | File | `/uncpath/` | Medium
20 | File | `/usr/bin/at` | Medium
21 | File | `/usr/bin/pkexec` | High
22 | File | `/WEB-INF/web.xml` | High
23 | File | `admin-ajax.php` | High
24 | File | `AndroidManifest.xml` | High
25 | File | `app/View/Galaxies/view.ctp` | High
1 | File | `//` | Low
2 | File | `/adfs/ls` | Medium
3 | File | `/admin/doctors/view_doctor.php` | High
4 | File | `/appliance/users?action=edit` | High
5 | File | `/config/getuser` | High
6 | File | `/data-service/users/` | High
7 | File | `/IISADMPWD` | Medium
8 | File | `/js/app.js` | Medium
9 | File | `/login` | Low
10 | File | `/monitor/s_headmodel.php` | High
11 | File | `/pro/repo-create.html` | High
12 | File | `/public/plugins/` | High
13 | File | `/rest/api/1.0/issues/{id}/ActionsAndOperations` | High
14 | File | `/rest/api/latest/projectvalidate/key` | High
15 | File | `/rest/collectors/1.0/template/custom` | High
16 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
17 | File | `/server-info` | Medium
18 | File | `/services` | Medium
19 | File | `/test/cookie/` | High
20 | File | `/uncpath/` | Medium
21 | File | `/usr/bin/at` | Medium
22 | File | `/usr/bin/pkexec` | High
23 | File | `/WEB-INF/web.xml` | High
24 | File | `admin-ajax.php` | High
25 | File | `AndroidManifest.xml` | High
26 | ... | ... | ...

There are 217 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 220 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

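Review bot: the new first row `1 | File | `//` | Low` carries no information and should be filtered out at generation time rather than published with a Low confidence. A bare `//` is a substring of almost every URL and of any path with a doubled separator, so a consumer that matches on file indicators will fire on all traffic; the same applies, less severely, to the existing `/login` row. Suggest a minimum-length or minimum-specificity check in the generator, and note that the tail count moves from 217 to 220 although only this one row was added to the visible table, so the other two additions are invisible in the diff.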
@ -31,7 +31,7 @@ There are 14 more IOC items available. Please use our online service to access t

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _OilRig_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _OilRig_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -1,6 +1,6 @@
# Omni - Cyber Threat Intelligence

These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Omni](https://vuldb.com/?actor.omni). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Omni](https://vuldb.com/?actor.omni). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.omni](https://vuldb.com/?actor.omni)

@ -8,12 +8,12 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Omni:

* US
* PW
* ES
* [US](https://vuldb.com/?country.us)
* [PW](https://vuldb.com/?country.pw)
* [ES](https://vuldb.com/?country.es)
* ...

There are 3 more country items available. Please use our online service to access the data.
There are 4 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

@ -21,12 +21,12 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | 51.15.106.135 | 135-106-15-51.instances.scw.cloud | - | High
2 | 185.246.152.173 | free.ds.melbicom.net | - | High
1 | [51.15.106.135](https://vuldb.com/?ip.51.15.106.135) | 135-106-15-51.instances.scw.cloud | - | High
2 | [185.246.152.173](https://vuldb.com/?ip.185.246.152.173) | free.ds.melbicom.net | - | High

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Omni. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Omni_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -35,7 +35,7 @@ ID | Technique | Weakness | Description | Confidence
3 | T1211 | CWE-254 | 7PK Security Features | High
4 | ... | ... | ... | ...

There are 5 more TTP items available. Please use our online service to access the data.
There are 4 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

@ -30,7 +30,7 @@ There are 4 more IOC items available. Please use our online service to access th

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by OnePercent. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _OnePercent_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -39,7 +39,7 @@ ID | Technique | Weakness | Description | Confidence
3 | T1211 | CWE-254 | 7PK Security Features | High
4 | ... | ... | ... | ...

There are 2 more TTP items available. Please use our online service to access the data.
There are 1 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

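Review bot: `There are 1 more TTP items available.` is ungrammatical and shows that the sentence is produced from a fixed template with the number substituted in. Since the same template is emitted in every actor file (the same hunk pattern appears for Omni and Naikon in this change), the fix belongs in the generator: select the singular form when the count is 1 (`There is 1 more TTP item available.`) or use a count-neutral phrasing such as `Additional TTP items available: 1`.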
@ -30,7 +30,7 @@ There are 1 more IOC items available. Please use our online service to access th

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Oto Gonderici_. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Oto Gonderici_. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
@ -1,85 +1,78 @@
|
|||
# PKPLUG - Cyber Threat Intelligence
|
||||
|
||||
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [PKPLUG](https://vuldb.com/?actor.pkplug). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
|
||||
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [PKPLUG](https://vuldb.com/?actor.pkplug). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.pkplug](https://vuldb.com/?actor.pkplug)
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.pkplug](https://vuldb.com/?actor.pkplug)
## Campaigns
The following campaigns are known and can be associated with PKPLUG:
The following _campaigns_ are known and can be associated with PKPLUG:
* THOR
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with PKPLUG:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with PKPLUG:
* CN
* US
* [CN](https://vuldb.com/?country.cn)
* [US](https://vuldb.com/?country.us)
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of PKPLUG.
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of PKPLUG.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 42.99.117.92 | - | High
2 | 42.99.117.95 | - | High
3 | 43.254.217.165 | - | High
4 | 45.142.166.112 | - | High
5 | 45.248.87.140 | - | High
6 | 45.248.87.162 | - | High
7 | 45.248.87.217 | - | High
8 | ... | ... | ...
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [42.99.117.92](https://vuldb.com/?ip.42.99.117.92) | - | THOR | High
2 | [42.99.117.95](https://vuldb.com/?ip.42.99.117.95) | - | THOR | High
3 | [43.254.217.165](https://vuldb.com/?ip.43.254.217.165) | - | THOR | High
4 | [45.142.166.112](https://vuldb.com/?ip.45.142.166.112) | - | THOR | High
5 | ... | ... | ... | ...
There are 13 more IOC items available. Please use our online service to access the data.
There are 16 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by PKPLUG. This data is unique as it uses our predictive model for actor profiling.
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _PKPLUG_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1222 | Permission Issues | High
4 | ... | ... | ...
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
There are 2 more TTP items available. Please use our online service to access the data.
There are 3 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by PKPLUG. This data is unique as it uses our predictive model for actor profiling.
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by PKPLUG. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/etc/shadow` | Medium
2 | File | `/htmlcode/html/indexdefault.asp` | High
3 | File | `/include/config.cache.php` | High
4 | File | `/include/helpers/upload.helper.php` | High
5 | File | `/tmp` | Low
6 | File | `admin.php` | Medium
7 | File | `app\admin\controller\RouteController.php` | High
8 | File | `archiver\index.php` | High
9 | File | `cmd.exe` | Low
10 | File | `drivers/media/platform/vivid` | High
11 | ... | ... | ...
1 | File | `/cgi-bin/portal` | High
2 | File | `/etc/passwd` | Medium
3 | File | `/etc/shadow` | Medium
4 | File | `/htmlcode/html/indexdefault.asp` | High
5 | File | `/include/config.cache.php` | High
6 | File | `/include/helpers/upload.helper.php` | High
7 | ... | ... | ...
There are 36 more IOA items available. Please use our online service to access the data.
There are 49 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://unit42.paloaltonetworks.com/thor-plugx-variant/
## Literature
The following articles explain our unique predictive cyber threat intelligence:
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
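Review bot: in the new TTP table, row 3 (`3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High`) pairs a weakness id with a description that does not belong to it: "Improper Restriction of Excessive Authentication Attempts" is the title of CWE-307, while CWE-798 is "Use of Hard-coded Credentials", so either the Weakness cell or the Description cell needs correcting. More generally the Description column repeats weakness titles rather than technique names (row 1 describes T1059.007 as "Cross Site Scripting", which is what the CWE-79 cell already says), so consider naming the ATT&CK technique there. The rest of the hunk is internally consistent: "ressources" is corrected to "resources", the IOC footer moves from 13 to 16 remaining items as the visible rows drop from 7 to 4 (20 addresses in both versions), every listed address is tagged with THOR, the only campaign in the file, and the `?doc.` links are updated to `?kb.` in the same way as the intro paragraph. One defender caveat for the IOA list: entries such as `/etc/passwd` and `/etc/shadow` are generic paths present on any Unix host, so the Medium confidence is warranted and they should not be used as stand-alone detection content.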