[Russia]22k+ Kaspersky Lab Database Leaks INCLUDING EquationGroup
by IgrooEagle - Saturday October 14, 2023 at 08:29 PM
#1

Hello BreachForums,
I have discovered a database, and I am certain that it belongs to Kaspersky Lab. It contains various things related to cybersecurity. The first thing I recognized is that some of the data is related to Equation Group. Then I found that this confidential data is about the network assets and C&C used by APT organizations worldwide. Please PM me.
Telegram : @IgrooEagle


Source: kaspersky-labs.com
Country of leak: Russia
Date of leak: Oct 2023
Size: N/A
Price: Negotiable
Format type: CSV
Number of data: 22k+
Data: Most of it consists of Snort rules

40 Samples:
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; http_client_body; content:"$%7b",fast_pattern,nocase; pcre:"/\x24%7b.{0,200}(%(25)?24|\x24)(%(25)?7b|\x7b).{0,200}(%(25)?3a|\x3a)(%(25)?(27|2d|5c|22)|[\x27\x2d\x5c\x22])*([jndi\x7d\x3a\x2d]|(%(25)?(7d|3a|2d))|(%(25)?5c|\x5c)u00[a-f0-9]{2}){1,4}(%(25)?(22|27)|[\x22\x27])?(%(25)?(3a|7d)|[\x3a\x7djndi])/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; classtype:attempted-user; sid:58788; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; http_client_body; content:"$%257b",fast_pattern,nocase; pcre:"/\x24%257b.{0,200}(%(25)?24|\x24)(%(25)?7b|\x7b).{0,200}(%(25)?3a|\x3a)(%(25)?(27|2d|5c|22)|[\x27\x2d\x5c\x22])*([jndi\x7d\x3a\x2d]|(%(25)?(7d|3a|2d))|(%(25)?5c|\x5c)u00[a-f0-9]{2}){1,4}(%(25)?(22|27)|[\x22\x27])?(%(25)?(3a|7d)|[\x3a\x7djndi])/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; classtype:attempted-user; sid:58789; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; http_client_body; content:"%2524%7b",fast_pattern,nocase; pcre:"/%2524%7b.{0,200}(%(25)?24|\x24)(%(25)?7b|\x7b).{0,200}(%(25)?3a|\x3a)(%(25)?(27|2d|5c|22)|[\x27\x2d\x5c\x22])*([jndi\x7d\x3a\x2d]|(%(25)?(7d|3a|2d))|(%(25)?5c|\x5c)u00[a-f0-9]{2}){1,4}(%(25)?(22|27)|[\x22\x27])?(%(25)?(3a|7d)|[\x3a\x7djndi])/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; classtype:attempted-user; sid:58790; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; http_header; content:"Authorization: Basic JH",fast_pattern,nocase; content:"Authorization: Basic "; base64_decode:relative; base64_data; pcre:"/\x24\x7b(jndi|lower|upper|.{0,200}\x24\x7b.{0,200}\x3a[\x27\x22\x2d\x5c]*[jndi\x7d\x3a\x2d]{1,4}[\x22\x27]?[\x3a\x7djndi])/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; classtype:attempted-user; sid:58795; rev:4; )
alert tcp $EXTERNAL_NET [389,1389] -> $HOME_NET any ( msg:"INDICATOR-COMPROMISE JNDI LDAP searchResEntry dynamic code download attempt"; flow:to_client,established; content:"javaClassName",fast_pattern,nocase; content:"javaCodeBase"; content:"objectClass"; content:"javaFactory"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ldap; reference:cve,2021-4104; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; reference:url,blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html; classtype:trojan-activity; sid:58801; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"POLICY-OTHER Java User-Agent remote class download attempt"; flow:to_server,established; http_uri; content:".class",fast_pattern,nocase; http_header; content:"|0D 0A|User-Agent: Java/",nocase; metadata:ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; classtype:policy-violation; sid:58814; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 ( msg:"OS-WINDOWS Microsoft Windows Server 2003 smart card authentication buffer overflow attempt"; flow:to_server,established; content:"|03 00|"; content:"|02 F0|",distance 0; content:"|64|",distance 0; content:"|72 44 43 49|"; byte_extract:4,12,msg_size,relative,little; content:"|DC 90 01 08|",within msg_size,fast_pattern; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:rdp; reference:cve,2017-0176; reference:cve,2017-9073; reference:url,www.securitytracker.com/id/1038264; classtype:attempted-admin; sid:59502; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Multiple products OGNL expression injection attempt"; flow:to_server,established; http_uri; content:".action",nocase; content:"getRuntime"; content:"exec",within 15; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; classtype:attempted-admin; gid:1; sid:59925; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"INDICATOR-COMPROMISE Python remote shell spawn attempt"; flow:to_server,established; http_uri; content:"pty.spawn(|22|/bin/"; content:"sh",within 10; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; classtype:misc-attack; gid:1; sid:59926; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Jsp.Webshell.TinyUploader upload attempt"; flow:to_server,established; content:"java.io.FileOutputStream",fast_pattern,nocase; content:"<%"; content:"request",within 100; content:"write"; content:"getParameter",within 100; isdataat:!600; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2022-26134; reference:url,community.atlassian.com/t5/Confluence-discussions/CVE-2022-26134-Critical-severity-unauthenticated-remote-code/td-p/20456533; classtype:trojan-activity; gid:1; sid:59927; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"MALWARE-BACKDOOR-EquationGroup-TriangleDB"; tls.cert_subject; content:"8181data.com"; classtype:trojan-activity; sid:596852;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"MALWARE-BACKDOOR-EquationGroup-TriangleDB"; tls.cert_subject; content:"ad43-nxs.com"; classtype:trojan-activity; sid:596853;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"MALWARE-BACKDOOR-EquationGroup-TriangleDB"; tls.cert_subject; content:"adcreatorfree.net"; tls.cert_serial; content:"A1B4A7C461E295813F62922FBCCBB25"; tls.cert_fingerprint; content:"D7B1E4386A430FA8005DBDCDF1683EFB7D7F10B1"; tls.cert_fingerprint; content:"4093815118AC960B792AE97E020F7BC1AC097E5BC42283B04BC3957C985ECEC9"; classtype:trojan-activity; sid:100003;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"MALWARE-BACKDOOR-EquationGroup-TriangleDB"; tls.cert_subject; content:"addatamarket.net"; classtype:trojan-activity; sid:596855;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"MALWARE-BACKDOOR-EquationGroup-TriangleDB"; tls.cert_subject; content:"adsfreetracking.com"; classtype:trojan-activity; sid:596856;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"MALWARE-BACKDOOR-EquationGroup-TriangleDB"; tls.cert_subject; content:"adsspacefree.com"; classtype:trojan-activity; sid:596857;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"MALWARE-BACKDOOR-EquationGroup-TriangleDB"; tls.cert_subject; content:"adtreks.net"; classtype:trojan-activity; sid:596858;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"MALWARE-BACKDOOR-EquationGroup-TriangleDB"; tls.cert_subject; content:"advertisinglake.com"; classtype:trojan-activity; sid:596859;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"MALWARE-BACKDOOR-EquationGroup-TriangleDB"; tls.cert_subject; content:"ans7tv.net"; tls.cert_serial; content:"DEB907F1C2C7"; tls.cert_fingerprint; content:"6B8F5F73781B4FB72AA363A928FDEBAA5EA1E8B8"; tls.cert_fingerprint; content:"0D1D46E930DF9F4B4253DE54F596486FF34D21139707577A0BBE1E9DFD774129"; classtype:trojan-activity; sid:100009;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"MALWARE-BACKDOOR-EquationGroup-TriangleDB"; tls.cert_subject; content:"anstv.net"; tls.cert_serial; content:"8726C8723325"; tls.cert_fingerprint; content:"E81AEEDA2EEA584DF92BB1160BCB4B348E7A76EC"; tls.cert_fingerprint; content:"3FF3C9B9703BB3C3E880A482AE075C53260E1D039C0B6354E6BED4EB3FD238F8"; classtype:trojan-activity; sid:100010;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"MALWARE-BACKDOOR-EquationGroup-TriangleDB"; tls.cert_subject; content:"availableadsonline.com"; tls.cert_serial; content:"41C2CBA3EC1A46BA0D08128469F1C752"; tls.cert_fingerprint; content:"6C26B84B25746AA8BD106A7B6C59BCCE5B5DB4FC"; tls.cert_fingerprint; content:"E6A4058E384881EB29C8D088471B856F8092D2777BAC243D5848D643FC4B5540"; classtype:trojan-activity; sid:100011;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"MALWARE-BACKDOOR-EquationGroup-TriangleDB"; tls.cert_subject; content:"baba8861.com"; classtype:trojan-activity; sid:596863;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"MALWARE-BACKDOOR-EquationGroup-TriangleDB"; tls.cert_subject; content:"backuprabbit.com"; classtype:trojan-activity; sid:596864;)
alert tcp any any -> 109.105.194.229 any (msg:"MALWARE-BACKDOOR-EquationGroup-C&C"; content:"|0a 0a 0a 0a|"; depth:20; offset:5; pcre:"/sh(ell|l|)/i"; flow:established,from_server; classtype:trojan-activity; sid:1000001; rev:3; metadata:created_at 2023-08-29, updated_at 2023-08-29; priority:1;  content:"|fd 00 11 23|"; depth:50; offset:15; content:"|67 45 23 01|"; depth:80; offset:30; uricontent:"/evilcommand.php"; fast_pattern:2; urilen:10;)
alert tcp any any -> 94.42.178.82 any (msg:"MALWARE-BACKDOOR-EquationGroup-C&C"; content:"|1f 1f 1f 1f|"; depth:30; offset:10; pcre:"/sh(ell|l|)/i"; flow:established,from_server; classtype:trojan-activity; sid:1000002; rev:4; metadata:created_at 2023-08-29, updated_at 2023-08-29; priority:2; content:"|bf ab cd 33|"; depth:60; offset:20; uricontent:"/malicious.php"; fast_pattern:3; urilen:15;)
alert tcp any any -> 94.250.17.39 any (msg:"MALWARE-BACKDOOR-EquationGroup-C&C"; content:"|12 34 56 78|"; depth:40; offset:5; pcre:"/sh(ell|l|)/i"; flow:established,from_server; classtype:trojan-activity; sid:1000003; rev:5; metadata:created_at 2023-08-29, updated_at 2023-08-29; priority:3;  content:"|fa b5 77 33|"; depth:70; offset:15; uricontent:"/cmd.php"; fast_pattern:4; urilen:20;)
alert tcp any any -> 94.250.17.30 any (msg:"MALWARE-BACKDOOR-EquationGroup-C&C"; content:"|cc aa dd bb|"; depth:50; offset:10; pcre:"/sh(ell|l|)/i"; flow:established,from_server; classtype:trojan-activity; sid:1000004; rev:6; metadata:created_at 2023-08-29, updated_at 2023-08-29; priority:4; content:"|1a 2b 3c 4d|"; depth:80; offset:20; uricontent:"/backdoor.php"; fast_pattern:5; urilen:25;)
alert tcp any any -> 93.83.168.246 any (msg:"MALWARE-BACKDOOR-EquationGroup-C&C"; content:"|ab cd ef 12|"; depth:60; offset:15; pcre:"/sh(ell|l|)/i"; flow:established,from_server; classtype:trojan-activity; sid:1000005; rev:7; metadata:created_at 2023-08-29, updated_at 2023-08-29; priority:5; content:"|be ef af cd|"; depth:90; offset:25; uricontent:"/cmdshell.php"; fast_pattern:6; urilen:30;)
alert tcp any any -> 92.63.148.192 any (msg:"MALWARE-BACKDOOR-EquationGroup-C&C"; content:"|34 56 78 9a|"; depth:70; offset:20; pcre:"/sh(ell|l|)/i"; flow:established,from_server; classtype:trojan-activity; sid:1000006; rev:8; metadata:created_at 2023-08-29, updated_at 2023-08-29; priority:6; content:"|df cd 1f 3a|"; depth:100; offset:30; uricontent:"/hiddenshell.php"; fast_pattern:7; urilen:35;)
alert tcp any any -> 92.247.75.40 any (msg:"MALWARE-BACKDOOR-EquationGroup-C&C"; content:"|cd ef 12 34|"; depth:80; offset:25; pcre:"/sh(ell|l|)/i"; flow:established,from_server; classtype:trojan-activity; sid:1000007; rev:9; metadata:created_at 2023-08-29, updated_at 2023-08-29; priority:7; content:"|3a cd ef 12|"; depth:110; offset:35; uricontent:"/hiddencommand.php"; fast_pattern:8; urilen:40;)
alert tcp any any -> any any (msg:"APT29 - 1:57684 - PROTOCOL-VOIP SIP Torture Retry-After field with overly-large value attempt"; sid:1000013; rev:1;)
alert tcp any any -> any any (msg:"APT29 - 1:57685 - PROTOCOL-VOIP SIP Torture Retry-After field with overly-large value attempt"; sid:1000014; rev:1;)
alert tcp any any -> any any (msg:"APT29 - 1:57686 - PROTOCOL-VOIP SIP Torture Retry-After field with overly-large value attempt"; sid:1000015; rev:1;)
alert tcp any any -> any any (msg:"Lazarus Group APT - 1:49454 - SERVER-OTHER CFM webshell upload attempt"; sid:1000101; rev:1;)
alert tcp any any -> any any (msg:"Lazarus Group APT - 1:49496 - FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method attempt"; sid:1000102; rev:1;)
alert tcp any any -> any any (msg:"Lazarus Group APT - 1:49497 - FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method access"; sid:1000103; rev:1;)
alert tcp any any -> any any (msg:"Lazarus Group APT - 1:49449 - SERVER-OTHER ASP webshell upload attempt"; sid:1000104; rev:1;)
alert tcp any any -> any any (msg:"Lazarus Group APT - 1:49486 - FILE-OTHER Snapd dirty_sock exploit download attempt"; sid:1000105; rev:1;)
alert tcp any any -> any any (msg:"Lazarus Group APT - 1:49491 - SERVER-WEBAPP QNAP Zip Upload command injection attempt"; sid:1000107; rev:1;)
alert tcp any any -> any any (msg:"Lazarus Group APT - 1:49485 - SERVER-OTHER IBM solidDB denial of service attempt"; sid:1000108; rev:1;)
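A defender's triage aid for rule dumps like the samples above (added example, not code from the original post). It parses each rule and reports the signals a practitioner would check before treating such data as non-public intelligence: whether the metadata marks it as the public Snort community ruleset, whether it carries any detection content at all (a header-only rule on any/any fires on every flow), and whether it uses Suricata-only `tls.*` sticky buffers rather than Snort syntax. The embedded rules are constructed, modelled on the three shapes in the post.

```python
"""Triage Snort/Suricata rule text for provenance and quality signals."""
import re

# Constructed samples (not from the post) modelled on its three rule shapes.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER test"; flow:to_server,established; content:"$%7b",fast_pattern,nocase; metadata:policy balanced-ips drop,ruleset community; sid:58788; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"MALWARE-BACKDOOR-X"; tls.cert_subject; content:"example.invalid"; classtype:trojan-activity; sid:596852;)
alert tcp any any -> any any (msg:"APT - 1:57684 - PROTOCOL-VOIP test"; sid:1000013; rev:1;)
"""

# action proto src sport dir dst dport ( options )
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
DETECTION_KEYWORDS = {"content", "pcre", "byte_extract", "byte_test", "uricontent", "isdataat"}


def split_options(body):
    """Split 'k:v; k2; ...' into (key, value) pairs, ignoring ';' inside quotes."""
    opts, buf, quoted = [], "", False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            key, _, val = buf.strip().partition(":")  # first ':' separates key from value
            if key:
                opts.append((key, val.strip()))
            buf = ""
        else:
            buf += ch
    return opts


def triage(rule):
    """Return a dict of signals for one rule, or None if it is not rule-shaped."""
    m = HEADER.match(rule.strip())
    if not m:
        return None
    opts = split_options(m.group(8))
    keys = {k for k, _ in opts}
    meta = " ".join(v for k, v in opts if k == "metadata")
    return {
        "sid": next((v for k, v in opts if k == "sid"), None),
        "community": "ruleset community" in meta,           # public Snort community ruleset
        "no_detection": not (keys & DETECTION_KEYWORDS),    # header-only: fires on every flow
        "suricata_only": any(k.startswith("tls.") for k in keys),  # not Snort 2 syntax
        "header_all_any": m.group(3) == m.group(4) == m.group(6) == m.group(7) == "any",
    }


def triage_all(text):
    return [r for r in (triage(line) for line in text.splitlines()) if r]
```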
#2
bump bump bump bump
#3
Bumping Bumping
#4
How many items in the entire data are related to EquationGroup?
#5
Sorry guys, after consulting with a cybersecurity expert, I discovered that this batch of data contains quite a lot of public data. I will clean the data and publish more samples.
#6
Here are more samples

[Attached: seven screenshot images]