Mirrors
/
cyber_threat_intelligence
mirror of https://github.com/vuldb/cyber_threat_intelligence
6
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
cyber_threat_intelligence/actors/Tofsee/README.md

15 KiB
Raw Blame History

Tofsee - Cyber Threat Intelligence

These indicators were reported, collected, and generated during the VulDB CTI analysis of the actor known as Tofsee. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique predictive model uses big data to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.tofsee

Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Tofsee:

There are 27 more country items available. Please use our online service to access the data.

IOC - Indicator of Compromise

These indicators of compromise (IOC) indicate associated network resources which are known to be part of research and attack activities of Tofsee.

ID IP address Hostname Campaign Confidence
1 2.57.187.191 - - High
2 5.8.10.237 - - High
3 5.9.32.166 static.166.32.9.5.clients.your-server.de - High
4 5.9.72.48 cpanelbk.pcready.me - High
5 5.61.37.41 - - High
6 12.167.151.116 - - High
7 13.107.21.200 - - High
8 18.209.118.139 cxr.mx.a.cloudfilter.net - High
9 18.237.235.220 ec2-18-237-235-220.us-west-2.compute.amazonaws.com - Medium
10 23.3.13.88 a23-3-13-88.deploy.static.akamaitechnologies.com - High
11 23.3.112.125 a23-3-112-125.deploy.static.akamaitechnologies.com - High
12 23.5.227.69 a23-5-227-69.deploy.static.akamaitechnologies.com - High
13 23.5.238.94 a23-5-238-94.deploy.static.akamaitechnologies.com - High
14 23.10.92.253 a23-10-92-253.deploy.static.akamaitechnologies.com - High
15 23.10.134.216 a23-10-134-216.deploy.static.akamaitechnologies.com - High
16 23.64.99.87 a23-64-99-87.deploy.static.akamaitechnologies.com - High
17 23.64.110.75 a23-64-110-75.deploy.static.akamaitechnologies.com - High
18 23.78.210.51 a23-78-210-51.deploy.static.akamaitechnologies.com - High
19 23.90.4.6 dementia.virtual-dope.com - High
20 23.160.0.108 - - High
21 23.216.244.163 a23-216-244-163.deploy.static.akamaitechnologies.com - High
22 23.239.11.30 mail.mailinator.com - High
23 31.13.64.174 instagram-p42-shv-01-amt2.fbcdn.net - High
24 31.13.65.52 instagram-p3-shv-01-atl3.fbcdn.net - High
25 31.13.65.174 instagram-p42-shv-01-atl3.fbcdn.net - High
26 31.13.93.174 instagram-p42-shv-02-dfw5.fbcdn.net - High
27 34.212.80.54 cxr.mx.a.cloudfilter.net - High
28 34.223.6.127 ec2-34-223-6-127.us-west-2.compute.amazonaws.com - Medium
29 35.162.106.154 cxr.mx.a.cloudfilter.net - High
30 35.228.103.145 145.103.228.35.bc.googleusercontent.com - Medium
31 37.1.217.172 - - High
32 37.235.1.174 resolver1.freedns.zone.powered.by.virtexxa.com - High
33 40.76.4.15 - - High
34 40.93.207.0 - - High
35 40.93.212.0 - - High
36 40.112.72.205 - - High
37 40.113.200.201 - - High
38 43.231.4.6 - - High
39 43.231.4.7 - - High
40 45.9.20.178 - - High
41 45.9.20.187 - - High
42 45.33.83.75 li1029-75.members.linode.com - High
43 45.90.34.87 - - High
44 45.90.219.105 vm1430047.firstbyte.club - High
45 45.93.6.27 - - High
46 46.4.52.109 witntech.dev - High
47 47.43.18.9 mx0.bresnan.net.msg.chrl.nc.charter.net - High
48 47.43.26.7 pkvw-mx.msg.pkvw.co.charter.net - High
49 51.81.57.58 oxsus1lb01p.external.vadesecure.com - High
50 51.158.144.223 51-158-144-223.rev.poneytelecom.eu - High
51 51.178.207.67 host-35d452a2.hostiman.com - High
52 52.11.241.224 ec2-52-11-241-224.us-west-2.compute.amazonaws.com - Medium
53 52.73.137.222 cxr.mx.a.cloudfilter.net - High
54 52.101.24.0 - - High
55 52.180.174.216 - - High
56 54.38.220.85 ns1.emailverification.info - High
57 62.42.230.22 62.42.230.22.static.user.ono.com - High
58 62.141.42.208 srv21237.dus4.fastwebserver.de - High
59 62.204.41.45 - - High
60 62.204.41.46 - - High
61 62.204.41.48 - - High
62 62.204.41.50 - - High
63 62.211.72.32 mx.tin.it - High
64 63.240.178.216 - - High
65 64.8.71.111 mx.wowway.com - High
66 64.98.36.4 mx.b.hostedemail.com - High
67 64.136.44.37 mx.dca.untd.com - High
68 64.136.52.37 mx.vgs.untd.com - High
69 64.233.184.26 wa-in-f26.1e100.net - High
70 64.233.186.26 cb-in-f26.1e100.net - High
71 64.233.186.27 cb-in-f27.1e100.net - High
72 65.9.117.69 server-65-9-117-69.qro50.r.cloudfront.net - High
73 65.9.146.69 server-65-9-146-69.qro51.r.cloudfront.net - High
74 65.20.0.49 - - High
75 65.54.188.72 - - High
76 65.55.33.135 mx1.hotmail.com - High
77 65.55.37.72 col0-mc1-f.col0.hotmail.com - High
78 ... ... ... ...

There are 308 more IOC items available. Please use our online service to access the data.

TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures (TTP) summarize the suspected MITRE ATT&CK techniques used by Tofsee. This data is unique as it uses our predictive model for actor profiling.

ID Technique Weakness Description Confidence
1 T1059.007 CWE-79, CWE-80 Cross Site Scripting High
2 T1068 CWE-264, CWE-266, CWE-284 Execution with Unnecessary Privileges High
3 T1110.001 CWE-307, CWE-798 Improper Restriction of Excessive Authentication Attempts High
4 ... ... ... ...

There are 7 more TTP items available. Please use our online service to access the data.

IOA - Indicator of Attack

These indicators of attack (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Tofsee. This data is unique as it uses our predictive model for actor profiling.

ID Type Indicator Confidence
1 File /.env Low
2 File /?module=users&section=cpanel&page=list High
3 File /admin/powerline High
4 File /admin/syslog High
5 File /api/upload Medium
6 File /cgi-bin Medium
7 File /cgi-bin/kerbynet High
8 File /Config/SaveUploadedHotspotLogoFile High
9 File /context/%2e/WEB-INF/web.xml High
10 File /dcim/sites/add/ High
11 File /EXCU_SHELL Medium
12 File /forum/away.php High
13 File /fudforum/adm/hlplist.php High
14 File /login Low
15 File /Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp High
16 File /monitoring Medium
17 File /new Low
18 File /proc/<pid>/status High
19 File /public/plugins/ High
20 File /rom Low
21 File /scripts/killpvhost High
22 File /secure/admin/InsightDefaultCustomFieldConfig.jspa High
23 File /secure/QueryComponent!Default.jspa High
24 File /src/main/java/com/dotmarketing/filters/CMSFilter.java High
25 File /tmp Low
26 File /tmp/redis.ds High
27 File /uncpath/ Medium
28 File /ViewUserHover.jspa High
29 File /wp-admin Medium
30 File /wp-json Medium
31 File /wp-json/wc/v3/webhooks High
32 File /zm/index.php High
33 File 14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi High
34 File AccountManagerService.java High
35 File actions/CompanyDetailsSave.php High
36 File ActiveServices.java High
37 ... ... ...

There are 318 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

References

The following list contains external sources which discuss the actor and the associated activities:

Literature

The following articles explain our unique predictive cyber threat intelligence:

License

(c) 1997-2022 by vuldb.com. All data on this page is shared under the license CC BY-NC-SA 4.0. Questions? Check the FAQ, read the documentation or contact us!