Cisco Talos shares insights related to recent cyber attack on Cisco
Tags
cmtmf-attack-pattern: Application Layer Protocol, Event Triggered Execution, Masquerading
country: Russia, Ukraine
maec-delivery-vectors: Watering Hole
attack-pattern:
  Data
  Accessibility Features - T1546.008
  Application Layer Protocol - T1437
  Asymmetric Cryptography - T1521.002
  Asymmetric Cryptography - T1573.002
  Clear Windows Event Logs - T1070.001
  Code Signing - T1553.002
  Credentials - T1589.001
  Device Registration - T1098.005
  Disable Or Modify System Firewall - T1562.004
  Domains - T1583.001
  Domains - T1584.001
  Email Addresses - T1589.002
  Encrypted Channel - T1521
  Encrypted Channel - T1573
  Event Triggered Execution - T1624
  Event Triggered Execution - T1546
  Exfiltration Over Alternative Protocol - T1639
  Image File Execution Options Injection - T1546.012
  Impair Defenses - T1562
  Impair Defenses - T1629
  Indicator Removal On Host - T1630
  Ip Addresses - T1590.005
  Local Account - T1087.001
  Local Account - T1136.001
  Lsass Memory - T1003.001
  Malware - T1587.001
  Malware - T1588.001
  Masquerading - T1655
  Match Legitimate Name Or Location - T1036.005
  Match Legitimate Name Or Location - T1655.001
  Msiexec - T1218.007
  Multi-Factor Authentication - T1556.006
  Multi-Factor Authentication Request Generation - T1621
  Multi-Hop Proxy - T1090.003
  Ntds - T1003.003
  Phishing - T1660
  Phishing - T1566
  Powershell - T1059.001
  Remote Access Software - T1663
  Remote Desktop Protocol - T1021.001
  Rundll32 - T1218.011
  Security Account Manager - T1003.002
  Server - T1583.004
  Server - T1584.004
  Service Execution - T1569.002
  Software - T1592.002
  System Services - T1569
  Web Protocols - T1071.001
  Web Protocols - T1437.001
  Accessibility Features - T1015
  Account Manipulation - T1098
  Standard Application Layer Protocol - T1071
  Brute Force - T1110
  Code Signing - T1116
  Connection Proxy - T1090
  Create Account - T1136
  Credential Dumping - T1003
  Exfiltration Over Alternative Protocol - T1048
  Image File Execution Options Injection - T1183
  Indicator Removal On Host - T1070
  Masquerading - T1036
  Modify Registry - T1112
  Multi-Hop Proxy - T1188
  Powershell - T1086
  Query Registry - T1012
  Remote Access Tools - T1219
  Remote Desktop Protocol - T1076
  Remote Services - T1021
  Rundll32 - T1085
  Service Execution - T1035
  Valid Accounts - T1078
  Indicator Removal On Host
  Masquerading
  Valid Accounts
Common Information
Type Value
UUID e02458ac-4d17-497e-86d5-89a543b11731
Fingerprint 2cbfa4111827a3c5
Analysis status DONE
Considered CTI value 2
Text language
Published Aug. 10, 2022, 3:08 p.m.
Added to db Jan. 16, 2023, 3:57 p.m.
Last updated Nov. 17, 2024, 6:56 p.m.
Headline Cisco Talos Intelligence Blog
Title Cisco Talos shares insights related to recent cyber attack on Cisco
Detected Hints/Tags/Attributes 170/4/138
Attributes
Type                            #Events  Value
MITRE ATT&CK Techniques             409  T1566
MITRE ATT&CK Techniques             306  T1078
MITRE ATT&CK Techniques             174  T1569.002
MITRE ATT&CK Techniques              51  T1136.001
MITRE ATT&CK Techniques              11  T1098.005
MITRE ATT&CK Techniques              13  T1546.012
MITRE ATT&CK Techniques             247  T1070
MITRE ATT&CK Techniques              92  T1070.001
MITRE ATT&CK Techniques             183  T1036.005
MITRE ATT&CK Techniques              70  T1562.004
MITRE ATT&CK Techniques             550  T1112
MITRE ATT&CK Techniques             173  T1003.001
MITRE ATT&CK Techniques              43  T1003.002
MITRE ATT&CK Techniques              67  T1003.003
MITRE ATT&CK Techniques              14  T1621
MITRE ATT&CK Techniques             159  T1021
MITRE ATT&CK Techniques             501  T1012
MITRE ATT&CK Techniques             442  T1071.001
MITRE ATT&CK Techniques             141  T1219
MITRE ATT&CK Techniques              74  T1573.002
MITRE ATT&CK Techniques              48  T1090.003
MITRE ATT&CK Techniques              92  T1048
Windows Registry Key                  2  HKLM\security
Windows Registry Key                164  HKLM\SOFTWARE\Microsoft\Windows
Domain                                2  cisco-help.cf
Domain                                2  cisco-helpdesk.cf
Domain                                2  ciscovpn1.com
Domain                                2  ciscovpn2.com
Domain                                2  ciscovpn3.com
Domain                                2  devcisco.com
Domain                                2  devciscoprograms.com
Domain                                2  helpzonecisco.com
Domain                                2  kazaboldu.net
Domain                                2  mycisco.cf
Domain                                2  mycisco.gq
Domain                                2  mycisco-helpdesk.ml
Domain                                2  primecisco.com
Domain                                2  pwresetcisco.com
Domain                              396  protonmail.com
Email                                 2  costacancordia@protonmail.com
File                                 59  ntdsutil.exe
File                                256  net.exe
File                               1018  rundll32.exe
File                                 27  c:\windows\system32\comsvcs.dll
File                                  1  c:\windows\temp\lsass.dmp
File                                 95  wevtutil.exe
File                                 27  c:\windows\system32\msiexec.exe
File                                  1  logmein.msi
File                                 31  psexesvc.exe
File                                  7  narrator.exe
File                                409  c:\windows\system32\cmd.exe
File                                 33  sethc.exe
File                                 16  cmd.php
File                                101  gate.php
File                                  1  bdata.ini
File                                  1  c:\users\public\win\cmd.exe
sha256                                1  184a2570d71eedc3c77b63fd9d2a066cd025d20ceef0f75d428c6f7e5c6965f3
sha256                                1  2fc5bf9edcfa19d48e235315e8f571638c99a1220be867e24f3965328fe94a03
sha256                                1  542c9da985633d027317e9a226ee70b4f0742dcbc59dfd2d4e59977bb870058d
sha256                                1  61176a5756c7b953bc31e5a53580d640629980a344aa5ff147a20fb7d770b610
sha256                                1  753952aed395ea845c52e3037f19738cfc9a415070515de277e1a1baeff20647
sha256                                1  8df89eef51cdf43b2a992ade6ad998b267ebb5e61305aeb765e4232e66eaf79a
sha256                                1  8e5733484982d0833abbd9c73a05a667ec2d9d005bbf517b1c8cd4b1daf57190
sha256                                1  99be6e7e31f0a1d7eebd1e45ac3b9398384c1f0fa594565137abb14dc28c8a7f
sha256                                1  bb62138d173de997b36e9b07c20b2ca13ea15e9e6cd75ea0e8162e0d3ded83b7
sha256                                1  eb3452c64970f805f1448b78cd3c05d851d758421896edd5dfbe68e08e783d18
IPv4                                  2  104.131.30.201
IPv4                                  2  108.191.224.47
IPv4                                  2  131.150.216.118
IPv4                                  2  134.209.88.140
IPv4                                  2  138.68.227.71
IPv4                                  2  139.177.192.145
IPv4                                  2  139.60.160.20
IPv4                                  3  139.60.161.99
IPv4                                  2  143.198.110.248
IPv4                                  2  143.198.131.210
IPv4                                  2  159.65.246.188
IPv4                                  2  161.35.137.163
IPv4                                  2  162.33.177.27
IPv4                                  2  162.33.178.244
IPv4                                  2  162.33.179.17
IPv4                                  2  165.227.219.211
IPv4                                  2  165.227.23.218
IPv4                                  2  165.232.154.73
IPv4                                  2  166.205.190.23
IPv4                                  2  167.99.160.91
IPv4                                  2  172.56.42.39
IPv4                                  2  172.58.220.52
IPv4                                  2  172.58.239.34
IPv4                                  2  174.205.239.164
IPv4                                  2  176.59.109.115
IPv4                                  2  178.128.171.206
IPv4                                  5  185.220.100.244
IPv4                                  2  185.220.101.10
IPv4                                  2  185.220.101.13
IPv4                                  4  185.220.101.15
IPv4                                  2  185.220.101.16
IPv4                                  2  185.220.101.2
IPv4                                  2  185.220.101.20
IPv4                                  6  185.220.101.34
IPv4                                  4  185.220.101.45
IPv4                                  5  185.220.101.6
IPv4                                  2  185.220.101.65
IPv4                                  2  185.220.101.73
IPv4                                  2  185.220.101.79
IPv4                                  6  185.220.102.242
IPv4                                  3  185.220.102.250
IPv4                                  2  192.241.133.130
IPv4                                  2  194.165.16.98
IPv4                                  2  195.149.87.136
IPv4                                  1  24.6.144.43
IPv4                                  1  45.145.67.170
IPv4                                  1  45.227.255.215
IPv4                                  1  45.32.141.138
IPv4                                  1  45.32.228.189
IPv4                                  1  45.32.228.190
IPv4                                  1  45.55.36.143
IPv4                                  1  45.61.136.207
IPv4                                  1  45.61.136.5
IPv4                                  1  45.61.136.83
IPv4                                  1  46.161.27.117
IPv4                                  1  5.165.200.7
IPv4                                  1  52.154.0.241
IPv4                                  1  64.227.0.177
IPv4                                  1  64.4.238.56
IPv4                                  1  65.188.102.43
IPv4                                  1  66.42.97.210
IPv4                                  1  67.171.114.251
IPv4                                  1  68.183.200.63
IPv4                                  1  68.46.232.60
IPv4                                  1  73.153.192.98
IPv4                                  1  74.119.194.203
IPv4                                  1  74.119.194.4
IPv4                                  1  76.22.236.142
IPv4                                  1  82.116.32.77
IPv4                                  1  87.251.67.41
IPv4                                  2  94.142.241.194
Mandiant Uncategorized Groups        20  UNC2447