{
  "type": "URL",
  "indicator": "https://secure.elavon.com.internal-message.app/a34fc9f417efef3c2/",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://secure.elavon.com.internal-message.app/a34fc9f417efef3c2/",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 1920140773,
      "indicator": "https://secure.elavon.com.internal-message.app/a34fc9f417efef3c2/",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 2,
      "pulses": [
        {
          "id": "5d135b851e416718559d8ffa",
          "name": "Gift Cardsharks",
          "description": "Investigative journalist Brian Krebs first reported the attack on his website\n\u201cKrebs on Security,\u201d which explained how Wipro\u2019s IT systems were\ncompromised and used to attack the company's customers. After contacting\nWipro, Krebs followed up on his article by publishing updates on the\nbreach. While Wipro was generally close-lipped on the incident, some of the\nvictims breached through Wipro spoke with him and provided Indicators of\nCompromise (IOCs) they uncovered. Krebs proceeded to publish this small set\nof IOCs on his website.",
          "modified": "2019-06-26T11:48:20.862000",
          "created": "2019-06-26T11:48:20.862000",
          "tags": [],
          "references": [
            "https://www.riskiq.com/gift-cardsharks-iocs/",
            "https://cdn.riskiq.com/wp-content/uploads/2019/06/Gift-Cardsharks-Intelligence-Report-2019-RiskIQ.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 45,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 90,
            "domain": 27,
            "hostname": 256,
            "FileHash-MD5": 7,
            "FileHash-SHA1": 9
          },
          "indicator_count": 389,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386542,
          "modified_text": "2530 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "5cb882dfe59a59351e1895d3",
          "name": "Indicators from Wipro Breach",
          "description": "Wipro endpoints that were seeded with ScreenConnect, a legitimate remote access tool sold by Connectwise.com. Investigators believe the intruders were using the ScreenConnect software on the hacked Wipro systems to connect remotely to Wipro client systems, which were then used to leverage further access into Wipro customer networks.\n\nAdditionally, investigators found at least one of the compromised endpoints was attacked with Mimikatz, an open source tool that can dump passwords stored in the temporary memory cache of a Microsoft Windows device.",
          "modified": "2019-04-18T14:44:20.456000",
          "created": "2019-04-18T13:59:59.632000",
          "tags": [
            "wipro"
          ],
          "references": [
            "https://krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt",
            "https://krebsonsecurity.com/2019/04/how-not-to-acknowledge-a-data-breach/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 90,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 24,
            "hostname": 15,
            "domain": 9,
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2
          },
          "indicator_count": 52,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386565,
          "modified_text": "2599 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://cdn.riskiq.com/wp-content/uploads/2019/06/Gift-Cardsharks-Intelligence-Report-2019-RiskIQ.pdf",
        "https://www.riskiq.com/gift-cardsharks-iocs/",
        "https://krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt",
        "https://krebsonsecurity.com/2019/04/how-not-to-acknowledge-a-data-breach/"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [
            "Technology"
          ],
          "unique_indicators": 412
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/internal-message.app",
    "whois": "http://whois.domaintools.com/internal-message.app",
    "domain": "internal-message.app",
    "hostname": "secure.elavon.com.internal-message.app"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 2,
  "pulses": [
    {
      "id": "5d135b851e416718559d8ffa",
      "name": "Gift Cardsharks",
      "description": "Investigative journalist Brian Krebs first reported the attack on his website\n\u201cKrebs on Security,\u201d which explained how Wipro\u2019s IT systems were\ncompromised and used to attack the company's customers. After contacting\nWipro, Krebs followed up on his article by publishing updates on the\nbreach. While Wipro was generally close-lipped on the incident, some of the\nvictims breached through Wipro spoke with him and provided Indicators of\nCompromise (IOCs) they uncovered. Krebs proceeded to publish this small set\nof IOCs on his website.",
      "modified": "2019-06-26T11:48:20.862000",
      "created": "2019-06-26T11:48:20.862000",
      "tags": [],
      "references": [
        "https://www.riskiq.com/gift-cardsharks-iocs/",
        "https://cdn.riskiq.com/wp-content/uploads/2019/06/Gift-Cardsharks-Intelligence-Report-2019-RiskIQ.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 45,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 90,
        "domain": 27,
        "hostname": 256,
        "FileHash-MD5": 7,
        "FileHash-SHA1": 9
      },
      "indicator_count": 389,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386542,
      "modified_text": "2530 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "5cb882dfe59a59351e1895d3",
      "name": "Indicators from Wipro Breach",
      "description": "Wipro endpoints that were seeded with ScreenConnect, a legitimate remote access tool sold by Connectwise.com. Investigators believe the intruders were using the ScreenConnect software on the hacked Wipro systems to connect remotely to Wipro client systems, which were then used to leverage further access into Wipro customer networks.\n\nAdditionally, investigators found at least one of the compromised endpoints was attacked with Mimikatz, an open source tool that can dump passwords stored in the temporary memory cache of a Microsoft Windows device.",
      "modified": "2019-04-18T14:44:20.456000",
      "created": "2019-04-18T13:59:59.632000",
      "tags": [
        "wipro"
      ],
      "references": [
        "https://krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt",
        "https://krebsonsecurity.com/2019/04/how-not-to-acknowledge-a-data-breach/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 90,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 24,
        "hostname": 15,
        "domain": 9,
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2
      },
      "indicator_count": 52,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386565,
      "modified_text": "2599 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://secure.elavon.com.internal-message.app/a34fc9f417efef3c2/",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://secure.elavon.com.internal-message.app/a34fc9f417efef3c2/",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780221936.1271572
}