e5f25f1c2c
CD - Develop / build-and-deploy (push) Failing after 11m31s
- Spring Boot service on port 8095, database hiveiq_aria - Flyway schema: threat_ioc, threat_event, precursor_sequence_alert, device_security_posture - FBI FLASH-20260219-001 IOC seed data (executables, MD5s, directories, registry keys, services) - ThreatEventClassifier — maps 20+ signal keys to severity + attack phase + IOC match - ThreatEventIngestionService — persists events, publishes HIGH/CRITICAL to Kafka - Kafka producer: topic hiveops.aria.threats (AriaThreatEvent payload) - ThreatIocController — CRUD IOC management (MSP_ADMIN/BCOS_ADMIN) - ThreatEventIngestionController — agent-facing ingest endpoint with service secret auth - CI/CD: cd-develop.yml + cd-main.yml
53 lines
4.7 KiB
SQL
53 lines
4.7 KiB
SQL
-- IOC seed data from FBI FLASH Alert FLASH-20260219-001
|
|
-- Source: ATM Jackpotting / Ploutus malware campaign
|
|
|
|
-- Malicious executables (FILENAME type)
|
|
INSERT INTO threat_ioc (ioc_type, value, description, source, source_ref, confidence) VALUES
|
|
('FILENAME', 'Newage.exe', 'Ploutus jackpotting malware', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH'),
|
|
('FILENAME', 'Color.exe', 'Ploutus jackpotting malware variant', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH'),
|
|
('FILENAME', 'Levantaito.exe', 'Ploutus jackpotting malware variant', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH'),
|
|
('FILENAME', 'NCRApp.exe', 'Ploutus masquerading as NCR application', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH'),
|
|
('FILENAME', 'sdelete.exe', 'Secure delete tool used for log cleanup', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH'),
|
|
('FILENAME', 'Promo.exe', 'Ploutus jackpotting malware variant', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH'),
|
|
('FILENAME', 'WinMonitor.exe', 'Ploutus persistence component', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH'),
|
|
('FILENAME', 'WinMonitorCheck.exe', 'Ploutus persistence watchdog', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH'),
|
|
('FILENAME', 'Anydesk1.exe', 'AnyDesk remote access trojan variant', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH');
|
|
|
|
-- MD5 hashes
|
|
INSERT INTO threat_ioc (ioc_type, value, description, source, source_ref, confidence) VALUES
|
|
('MD5', '2C2D16658D8DA6B389934273EF8F8E22', 'Ploutus malware hash', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH'),
|
|
('MD5', '5F177B84F3D92AB5711BE446125FDBE3', 'Ploutus malware hash', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH'),
|
|
('MD5', '61EECEB5F9186A0BC01DC82798CD6C5F', 'Ploutus malware hash', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH'),
|
|
('MD5', 'FDA82030AE92313E94B9339EA1FC107C', 'Ploutus malware hash', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH'),
|
|
('MD5', 'C04A7CB926CCBF829D0A36A91EBF91BD', 'Ploutus malware hash', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH');
|
|
|
|
-- Associated files and scripts
|
|
INSERT INTO threat_ioc (ioc_type, value, description, source, source_ref, confidence) VALUES
|
|
('FILENAME', 'C.dat', 'Ploutus data/config file', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH'),
|
|
('FILENAME', 'Restaurar.bat', 'Malware cleanup/restore script', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH'),
|
|
('FILENAME', 'Restauraropteva.bat', 'Malware cleanup script (Opteva ATMs)', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH'),
|
|
('FILENAME', 'Logcontrol.txt', 'Attacker log control file', 'FBI_FLASH', 'FLASH-20260219-001', 'MEDIUM'),
|
|
('FILENAME', 'Logc.txt', 'Attacker log file', 'FBI_FLASH', 'FLASH-20260219-001', 'MEDIUM'),
|
|
('FILENAME', 'Borrar_beta.txt', 'Attacker cleanup script', 'FBI_FLASH', 'FLASH-20260219-001', 'MEDIUM');
|
|
|
|
-- Suspicious directories
|
|
INSERT INTO threat_ioc (ioc_type, value, description, source, source_ref, confidence) VALUES
|
|
('DIRECTORY', 'C:\<ATM_Manufacturer>\exe\p\', 'Known Ploutus staging directory', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH'),
|
|
('DIRECTORY', 'C:\Users\SSAuto1\AppData\Local\P\', 'Known Ploutus staging directory', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH');
|
|
|
|
-- Registry persistence keys
|
|
INSERT INTO threat_ioc (ioc_type, value, description, source, source_ref, confidence) VALUES
|
|
('REGISTRY_KEY', 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run', 'Common malware persistence location', 'FBI_FLASH', 'FLASH-20260219-001', 'MEDIUM'),
|
|
('REGISTRY_KEY', 'HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', 'Winlogon hijack persistence location', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH'),
|
|
('REGISTRY_KEY', 'HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit', 'Userinit hijack persistence location', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH');
|
|
|
|
-- Suspicious service names used as cover
|
|
INSERT INTO threat_ioc (ioc_type, value, description, source, source_ref, confidence) VALUES
|
|
('SERVICE_NAME', 'ATM Service', 'Generic service name used by Ploutus for persistence', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH'),
|
|
('SERVICE_NAME', 'Dispenser Service', 'Generic service name used by Ploutus for persistence', 'FBI_FLASH', 'FLASH-20260219-001', 'HIGH');
|
|
|
|
-- Unauthorized remote access tools
|
|
INSERT INTO threat_ioc (ioc_type, value, description, source, source_ref, confidence) VALUES
|
|
('FILENAME', 'TeamViewer.exe', 'Remote access tool — flag if not in authorized software list', 'FBI_FLASH', 'FLASH-20260219-001', 'MEDIUM'),
|
|
('FILENAME', 'AnyDesk.exe', 'Remote access tool — flag if not in authorized software list', 'FBI_FLASH', 'FLASH-20260219-001', 'MEDIUM');
|