Files
hiveops-aria/target/classes/db/migration/V2__seed_fbi_flash_ioc.sql
T
johannes e5f25f1c2c
CD - Develop / build-and-deploy (push) Failing after 11m31s
feat: Phase 1 — ARIA ATM threat monitoring service
- Spring Boot service on port 8095, database hiveiq_aria
- Flyway schema: threat_ioc, threat_event, precursor_sequence_alert, device_security_posture
- FBI FLASH-20260219-001 IOC seed data (executables, MD5s, directories, registry keys, services)
- ThreatEventClassifier — maps 20+ signal keys to severity + attack phase + IOC match
- ThreatEventIngestionService — persists events, publishes HIGH/CRITICAL to Kafka
- Kafka producer: topic hiveops.aria.threats (AriaThreatEvent payload)
- ThreatIocController — CRUD IOC management (MSP_ADMIN/BCOS_ADMIN)
- ThreatEventIngestionController — agent-facing ingest endpoint with service secret auth
- CI/CD: cd-develop.yml + cd-main.yml
2026-06-14 09:30:46 -04:00

53 lines
4.7 KiB
SQL

-- IOC seed data from FBI FLASH Alert FLASH-20260219-001
-- Source: ATM Jackpotting / Ploutus malware campaign
-- Malicious executables (FILENAME type)
INSERT INTO threat_ioc (ioc_type, value, description, source, source_ref, confidence) VALUES
('FILENAME', 'Newage.exe', 'Ploutus jackpotting malware', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH'),
('FILENAME', 'Color.exe', 'Ploutus jackpotting malware variant', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH'),
('FILENAME', 'Levantaito.exe', 'Ploutus jackpotting malware variant', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH'),
('FILENAME', 'NCRApp.exe', 'Ploutus masquerading as NCR application', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH'),
('FILENAME', 'sdelete.exe', 'Secure delete tool used for log cleanup', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH'),
('FILENAME', 'Promo.exe', 'Ploutus jackpotting malware variant', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH'),
('FILENAME', 'WinMonitor.exe', 'Ploutus persistence component', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH'),
('FILENAME', 'WinMonitorCheck.exe', 'Ploutus persistence watchdog', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH'),
('FILENAME', 'Anydesk1.exe', 'AnyDesk remote access trojan variant', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH');
-- MD5 hashes
INSERT INTO threat_ioc (ioc_type, value, description, source, source_ref, confidence) VALUES
('MD5', '2C2D16658D8DA6B389934273EF8F8E22', 'Ploutus malware hash', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH'),
('MD5', '5F177B84F3D92AB5711BE446125FDBE3', 'Ploutus malware hash', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH'),
('MD5', '61EECEB5F9186A0BC01DC82798CD6C5F', 'Ploutus malware hash', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH'),
('MD5', 'FDA82030AE92313E94B9339EA1FC107C', 'Ploutus malware hash', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH'),
('MD5', 'C04A7CB926CCBF829D0A36A91EBF91BD', 'Ploutus malware hash', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH');
-- Associated files and scripts
INSERT INTO threat_ioc (ioc_type, value, description, source, source_ref, confidence) VALUES
('FILENAME', 'C.dat', 'Ploutus data/config file', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH'),
('FILENAME', 'Restaurar.bat', 'Malware cleanup/restore script', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH'),
('FILENAME', 'Restauraropteva.bat', 'Malware cleanup script (Opteva ATMs)', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH'),
('FILENAME', 'Logcontrol.txt', 'Attacker log control file', 'FBI_FLASH', 'FLASH-20260219-001', 'MEDIUM'),
('FILENAME', 'Logc.txt', 'Attacker log file', 'FBI_FLASH', 'FLASH-20260219-001', 'MEDIUM'),
('FILENAME', 'Borrar_beta.txt', 'Attacker cleanup script', 'FBI_FLASH', 'FLASH-20260219-001', 'MEDIUM');
-- Suspicious directories
INSERT INTO threat_ioc (ioc_type, value, description, source, source_ref, confidence) VALUES
('DIRECTORY', 'C:\<ATM_Manufacturer>\exe\p\', 'Known Ploutus staging directory', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH'),
('DIRECTORY', 'C:\Users\SSAuto1\AppData\Local\P\', 'Known Ploutus staging directory', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH');
-- Registry persistence keys
INSERT INTO threat_ioc (ioc_type, value, description, source, source_ref, confidence) VALUES
('REGISTRY_KEY', 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run', 'Common malware persistence location', 'FBI_FLASH', 'FLASH-20260219-001', 'MEDIUM'),
('REGISTRY_KEY', 'HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', 'Winlogon hijack persistence location', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH'),
('REGISTRY_KEY', 'HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit', 'Userinit hijack persistence location', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH');
-- Suspicious service names used as cover
INSERT INTO threat_ioc (ioc_type, value, description, source, source_ref, confidence) VALUES
('SERVICE_NAME', 'ATM Service', 'Generic service name used by Ploutus for persistence', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH'),
('SERVICE_NAME', 'Dispenser Service', 'Generic service name used by Ploutus for persistence', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH');
-- Unauthorized remote access tools
INSERT INTO threat_ioc (ioc_type, value, description, source, source_ref, confidence) VALUES
('FILENAME', 'TeamViewer.exe', 'Remote access tool — flag if not in authorized software list', 'FBI_FLASH', 'FLASH-20260219-001', 'MEDIUM'),
('FILENAME', 'AnyDesk.exe', 'Remote access tool — flag if not in authorized software list', 'FBI_FLASH', 'FLASH-20260219-001', 'MEDIUM');