“006]. Investigations into this activity identified the following two banner pattern clusters containing multiple VPSs each. Cluster one: the DHCP DNS server settings of compromised small office/home office (SOHO) routers were modified to include actor-owned IP addresses. Th…”
T1557.001 Name Resolution Poisoning and SMB Relay (88%)
“and desktop applications. Harvested authentication material could include both passwords and OAuth or similar authentication tokens. Subsequent malicious logins using this stolen data may originate from further infrastructure not listed in this advisory. It is believed that the d…”
T1557.001 Name Resolution Poisoning and SMB Relay (74%)
“tactics, techniques and procedures (TTPs) associated with APT28’s exploitation of routers to enable DNS hijacking operations. The DNS protocol resolves human-readable domain names, for example ncsc.gov.uk, to their associated IP addresses, for example 1.2.3[.]4, thro…”
T1557.001 Name Resolution Poisoning and SMB Relay (69%)
“006]. Investigations into this activity identified the following two banner pattern clusters containing multiple VPSs each. Cluster one: the DHCP DNS server settings of compromised small office/home office (SOHO) routers were modified to include actor-owned IP addresses. Th…”
T1190 Exploit Public-Facing Application (68%)
“Parliament in 2015, including data theft and disrupting email accounts of German members of parliament (MPs) and the Vice Chancellor - an attempted attack against the Organisation for the Prohibition of Chemical Weapons (OPCW) in April 2018, to disrupt independent analysis of…”
T1557.001 Name Resolution Poisoning and SMB Relay (67%)
“the router’s primary DNS server to a malicious IP address, whilst also setting the secondary DNS server to the original primary DNS server’s IP address. On occasion both the primary and secondary DNS server had been set to malicious IP addresses, indicating that a router had …”
T1557.001 Name Resolution Poisoning and SMB Relay (64%)
“APT28 exploit routers to enable DNS hijacking operations. Russian cyber actor APT28 exploit vulnerable routers to hijack DNS, enabling adversary-in-the-middle attacks and theft of passwords and authentication tokens. E…”
T1584.002 DNS Server (40%)
“DNS hijacking and AitM activity. VPS banners: for banner pattern 2, the DNS software was only present on some servers. TP-Link router models exploited by APT28: the following is a list of TP-Link router models targeted by APT28. It is likely that this list is not exhaustive. T…”
Summary
Russian cyber actor APT28 exploit vulnerable routers to hijack DNS, enabling adversary‑in‑the‑middle attacks and theft of passwords and authentication tokens.