Posts: 453
Threads: 234
Joined: Oct 2023
Reputation:
156
12-06-2023, 05:54 PM
(This post was last modified: 12-09-2023, 04:32 PM by VincaSec.)
There is no patch for stupidity - Kevin Mitnick
Another great one, thanks! Let's add the details:
And then a few interesting ones from the "Stealer Logs":
EPS employee 1 (logins to several *.eps.local domains):
These domains can't be found anywhere on Google! Which means the "Stealer" was in the local network (or connected over VPN).
Here and here there are mentions of eps.local as well as details about the protection systems (which obviously were not implemented).
Quote:Infected Device - Accounts for "owa.eps.rs" were observed for sale on the Russian Market, On Aug 30, 2023
{
"country": "RS",
"date": "2023.08.29",
"files": "archive.zip",
"id": "12054486",
"isp": "Serbian BroadBand",
"links": [
"peticije.online",
"mojsbb.rs",
"login.live.com",
"cards.nis.rs",
"mdm-t.eps.local",
"login.live.com",
"login.live.com",
"cards.nis.rs",
"amibo.rs",
"katana.facebook.com",
"polovniautomobili.com",
"192.168.0.1",
"cards.nis.rs",
"jana2-p.eps.rs",
"cards.nis.rs",
"eu.snapsheetvice.com",
"prijava.eid.gov.rs",
"android.linkedin.com",
"dropbox.com",
"accounts.google.com",
"registar.kmszts.org.rs",
"cards.nis.rs",
"disneyplus.com",
"cards.nis.rs",
"he-accounts.force.com",
"login.live.com",
"email.android.com",
"spiderauto.co.rs",
"gateway.hbogo.eu",
"cards.nis.rs",
"cards.nis.rs",
"spiderauto.co.rs",
"cards.nis.rs",
"vulkancic.vulkani.rs",
"simplyfi.candy.it",
"account.samsung.com",
"jugoistok.com",
"owa.eps.rs",
"cards.nis.rs",
"cards.nis.rs",
"iceps.edu.rs",
"jugoistok.rs",
"pollinoshoes.com",
"connect.telenordigital.com",
"account.wps.com",
"piseps-p.eps.local",
"cards.nis.rs",
"cards.nis.rs",
"192.168.0.1",
"evidencije.abs.gov.rs",
"login.live.com",
"cards.nis.rs",
"piseps-p.eps.local",
"login.tidal.com",
"portal.iceps.edu.rs",
"cards.nis.rs",
"simply-fi.herokuapp.com",
"domacinskipokloni.rs",
"cards.nis.rs",
"mojsbb.rs",
"accounts.google.com",
"moj.mts.rs",
"kudaukupovinu.rs",
"cards.nis.rs",
"prijava.eid.gov.rs",
"pollinoshoes.com",
"account.live.com",
"cards.nis.rs",
"gateway.hbogo.rs",
"registracija.eid.gov.rs",
"piseps-p.eps.local",
"mdm-ggm-p.eps.local",
"secure.ikea.com",
"facebook.com",
"cards.nis.rs",
"shiftly.mobi",
"mojsbb.rs",
"activate.hbomax.com",
"owa.eps.rs",
"account.live.com",
"prijava.eid.gov.rs",
"id-dcr.peugeot.com",
"gumatic.com",
"eon.tv",
"cards.nis.rs",
"licitacije.carina.rs",
"onlineactivation.io",
"roblox.com",
"peticije.online",
"mojsbb.rs",
"mdm-t.eps.local",
"login.live.com",
"amibo.rs",
"katana.facebook.com",
"192.168.0.1",
"cards.nis.rs",
"jana2-p.eps.rs",
"eu.snapsheetvice.com",
"android.linkedin.com",
"dropbox.com",
"registar.kmszts.org.rs",
"cards.nis.rs",
"disneyplus.com",
"cards.nis.rs",
"he-accounts.force.com",
"login.live.com",
"email.android.com",
"spiderauto.co.rs",
"gateway.hbogo.eu",
"cards.nis.rs",
"spiderauto.co.rs",
"cards.nis.rs",
"vulkancic.vulkani.rs",
"simplyfi.candy.it",
"iceps.edu.rs",
"jugoistok.rs",
"pollinoshoes.com",
"connect.telenordigital.com",
"account.wps.com",
"cards.nis.rs",
"cards.nis.rs",
"piseps-p.eps.local",
"login.tidal.com",
"portal.iceps.edu.rs",
"simply-fi.herokuapp.com",
"domacinskipokloni.rs",
"cards.nis.rs",
"accounts.google.com",
"moj.mts.rs",
"kudaukupovinu.rs",
"cards.nis.rs",
"pollinoshoes.com",
"account.live.com",
"cards.nis.rs",
"gateway.hbogo.rs",
"registracija.eid.gov.rs",
"piseps-p.eps.local",
"mdm-ggm-p.eps.local",
"secure.ikea.com",
"facebook.com",
"shiftly.mobi",
"mojsbb.rs",
"activate.hbomax.com",
"accounts.google.com",
"cards.nis.rs",
"account.samsung.com",
"owa.eps.rs",
"192.168.0.1",
"evidencije.abs.gov.rs",
"login.live.com",
"cards.nis.rs",
"owa.eps.rs",
"account.live.com",
"polovniautomobili.com",
"prijava.eid.gov.rs",
"cards.nis.rs",
"cards.nis.rs",
"mojsbb.rs",
"eon.tv",
"jugoistok.com",
"cards.nis.rs",
"peticije.online",
"mojsbb.rs",
"login.live.com",
"cards.nis.rs",
"mdm-t.eps.local",
"login.live.com",
"login.live.com",
"cards.nis.rs",
"amibo.rs",
"katana.facebook.com",
"polovniautomobili.com",
"192.168.0.1",
"cards.nis.rs",
"jana2-p.eps.rs",
"cards.nis.rs",
"eu.snapsheetvice.com",
"prijava.eid.gov.rs",
"android.linkedin.com",
"dropbox.com",
"accounts.google.com",
"registar.kmszts.org.rs",
"cards.nis.rs",
"disneyplus.com",
"cards.nis.rs",
"he-accounts.force.com",
"login.live.com",
"email.android.com",
"spiderauto.co.rs",
"gateway.hbogo.eu",
"cards.nis.rs",
"cards.nis.rs",
"spiderauto.co.rs",
"cards.nis.rs",
"vulkancic.vulkani.rs",
"simplyfi.candy.it",
"account.samsung.com",
"jugoistok.com",
"owa.eps.rs",
"cards.nis.rs",
"cards.nis.rs",
"iceps.edu.rs",
"jugoistok.rs",
"pollinoshoes.com",
"connect.telenordigital.com",
"account.wps.com",
"piseps-p.eps.local",
"cards.nis.rs",
"cards.nis.rs",
"192.168.0.1",
"evidencije.abs.gov.rs",
"login.live.com",
"cards.nis.rs",
"piseps-p.eps.local",
"login.tidal.com",
"portal.iceps.edu.rs",
"cards.nis.rs",
"simply-fi.herokuapp.com",
"domacinskipokloni.rs",
"cards.nis.rs",
"mojsbb.rs",
"accounts.google.com",
"moj.mts.rs",
"kudaukupovinu.rs",
"cards.nis.rs",
"prijava.eid.gov.rs",
"pollinoshoes.com",
"account.live.com",
"cards.nis.rs",
"gateway.hbogo.rs",
"registracija.eid.gov.rs",
"piseps-p.eps.local",
"mdm-ggm-p.eps.local",
"secure.ikea.com",
"facebook.com",
"cards.nis.rs",
"shiftly.mobi",
"mojsbb.rs",
"activate.hbomax.com",
"owa.eps.rs",
"account.live.com",
"prijava.eid.gov.rs",
"id-dcr.peugeot.com",
"gumatic.com",
"eon.tv",
"cards.nis.rs",
"licitacije.carina.rs",
"onlineactivation.io",
"roblox.com",
"peticije.online",
"mojsbb.rs",
"mdm-t.eps.local",
"login.live.com",
"amibo.rs",
"katana.facebook.com",
"192.168.0.1",
"cards.nis.rs",
"jana2-p.eps.rs",
"eu.snapsheetvice.com",
"android.linkedin.com",
"dropbox.com",
"registar.kmszts.org.rs",
"cards.nis.rs",
"disneyplus.com",
"cards.nis.rs",
"he-accounts.force.com",
"login.live.com",
"email.android.com",
"spiderauto.co.rs",
"gateway.hbogo.eu",
"cards.nis.rs",
"spiderauto.co.rs",
"cards.nis.rs",
"vulkancic.vulkani.rs",
"simplyfi.candy.it",
"iceps.edu.rs",
"jugoistok.rs",
"pollinoshoes.com",
"connect.telenordigital.com",
"account.wps.com",
"cards.nis.rs",
"cards.nis.rs",
"piseps-p.eps.local",
"login.tidal.com",
"portal.iceps.edu.rs",
"simply-fi.herokuapp.com",
"domacinskipokloni.rs",
"cards.nis.rs",
"accounts.google.com",
"moj.mts.rs",
"kudaukupovinu.rs",
"cards.nis.rs",
"pollinoshoes.com",
"account.live.com",
"cards.nis.rs",
"gateway.hbogo.rs",
"registracija.eid.gov.rs",
"piseps-p.eps.local",
"mdm-ggm-p.eps.local",
"secure.ikea.com",
"facebook.com",
"shiftly.mobi",
"mojsbb.rs",
"activate.hbomax.com",
"accounts.google.com",
"cards.nis.rs",
"account.samsung.com",
"owa.eps.rs",
"192.168.0.1",
"evidencije.abs.gov.rs",
"login.live.com",
"cards.nis.rs",
"owa.eps.rs",
"account.live.com",
"polovniautomobili.com",
"prijava.eid.gov.rs",
"cards.nis.rs",
"cards.nis.rs",
"mojsbb.rs",
"eon.tv",
"jugoistok.com",
"cards.nis.rs"
],
"outlook": "-",
"price": "10.00",
"province": "Belgrade",
"size": "1.03Mb",
"stealer": "lumma ",
"vendor": "Mo####yf [Diamond]"
}
EPS employee 2 (likes adult sites):
Quote:Infected Device - Accounts for "owa.eps.rs" were observed for sale on the Russian Market, On Jul 24, 2023
{
"country": "RS",
"date": "2023.07.22",
"files": "archive.zip",
"id": "11594451",
"isp": "TELEKOM-BB",
"links": [
"accounts.google.com",
"owa.eps.rs",
"onlineocr.net",
"account.roomsketcher.com",
"scribd.com",
"owa.eps.rs",
"members.babesnetwork.com",
"members.twistys.com",
"members.twistys.com",
"bazalteutit.rs",
"accounts.autodesk.com",
"planetasport.rs",
"planetasport.rs",
"jasmin.rs",
"polovniautomobili.com",
"smallpdf.com",
"accounts.google.com"
],
"outlook": "-",
"price": "10.00",
"province": "Belgrade",
"size": "0.42Mb",
"stealer": "Vidar ",
"vendor": "Hy####ad [platinum]"
}
EPS employee 3 (ns.ev.co.yu is mentioned here):
Quote:Infected Device - Accounts for "piseps-p.eps.local" were observed for sale on the Russian Market, On Mar 06, 2023
{
"country": "RS",
"date": "2023.03.02",
"files": "archive.zip",
"id": "9469930",
"isp": "TELEKOM SRBIJA a.d.",
"links": [
"piseps-p.eps.local",
"piseps-p.eps.local",
"piseps-p.eps.local",
"sapsolman1.eps.local",
"192.168.4.4",
"owa.eps.rs",
"login.microsoftonline.com",
"owa.eps.rs",
"192.168.4.18",
"ns.ev.co.yu",
"owa.eps.rs"
],
"outlook": "-",
"price": "10.00",
"province": "Vojvodina",
"size": "0.17Mb",
"stealer": "Racoon ",
"vendor": "Mo####yf [Diamond]"
}
“If you think you are too small to make a difference, try sleeping with a mosquito.” - Dalai Lama XIV
12-07-2023, 07:39 AM
(This post was last modified: 12-16-2023, 06:00 PM by 1van. Edit Reason: Details added.)
To summarize the EPS domains:
Quote: eps-grupa.eps.local
jana2-p.eps.rs
mdm-ggm-p.eps.local
mdm-t.eps.local
ns.ev.co.yu
owa.eps.rs (5.183.26.15, 178.220.231.243, 5.183.24.15, 195.250.121.65)
piseps-p.eps.local
sapsolman1.eps.local
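Sorting a listing like the ones quoted above into "our hosts", "internal-only names" and unrelated noise is what the thread does by hand, first per infected device and then in the domain summary just above. The following is an added example, not code from the thread or from any of the sources it cites. The records and hostnames (*.example.rs, *.example.local, the private addresses) are constructed placeholders in the shape of the quoted "Russian Market" listings, and the ORG_SUFFIXES tuple is an assumption standing in for the organisation's real domain list. The `.local` / private-address test encodes the same inference the post makes: such names cannot resolve from the public Internet, so their presence in a stealer log means the infected browser was used on the LAN or over VPN.

```python
"""Triage a stealer-log listing against an organisation's own domains.

Added example for this thread, not code from the thread or its sources.
The records below are constructed to mirror the shape of the quoted
"Russian Market" listings; hostnames are placeholders, not real hosts.
"""
import ipaddress
from collections import Counter

# Assumption: suffixes the organisation owns (stand-in for the real list).
ORG_SUFFIXES = ("example.rs", "example.local")

# Constructed sample records in the quoted listing format (trimmed fields).
SAMPLE_RECORD = {
    "country": "RS",
    "date": "2023.08.29",
    "stealer": "lumma ",          # listings carry a trailing space, as quoted
    "links": [
        "login.live.com",
        "mdm-t.example.local",
        "owa.example.rs",
        "192.168.0.1",
        "owa.example.rs",
        "piseps-p.example.local",
        "cards.other.rs",
        "10.20.30.40",
        "mdm-t.example.local",
    ],
}
SECOND_RECORD = {
    "country": "RS",
    "date": "2023.03.02",
    "stealer": "Raccoon ",
    "links": ["sapsolman1.example.local", "owa.example.rs", "login.microsoftonline.com"],
}


def is_private_address(host: str) -> bool:
    """True for RFC 1918, loopback or link-local IP literals (e.g. 192.168.0.1)."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def belongs_to_org(host: str) -> bool:
    """Hostname is one of ours or sits under one of our suffixes."""
    return any(host == s or host.endswith("." + s) for s in ORG_SUFFIXES)


def is_internal_only(host: str) -> bool:
    """Names that cannot resolve from the public Internet: .local names and
    private IP literals. Their presence means the browser was used on the
    LAN or over VPN while the stealer ran."""
    return host.endswith(".local") or is_private_address(host)


def triage(record: dict) -> dict:
    """Classify one listing's links and flag LAN/VPN exposure."""
    counts = Counter(h.strip().lower() for h in record["links"])
    org_hosts = sorted(h for h in counts if belongs_to_org(h))
    internal = sorted(h for h in counts if is_internal_only(h))
    return {
        "stealer": record["stealer"].strip(),
        "date": record["date"],
        "org_hosts": org_hosts,
        "internal_only": internal,
        "lan_exposure": bool(internal),
        "hit_counts": {h: counts[h] for h in org_hosts},  # saved logins per host
    }


def inventory(records) -> list:
    """Union of organisation hostnames across listings: the domain summary
    the thread compiles by hand, built from the data instead."""
    hosts = set()
    for rec in records:
        hosts.update(triage(rec)["org_hosts"])
    return sorted(hosts)


if __name__ == "__main__":
    result = triage(SAMPLE_RECORD)
    print("stealer:", result["stealer"], "LAN/VPN exposure:", result["lan_exposure"])
    for host in result["org_hosts"]:
        tag = "internal-only" if host in result["internal_only"] else "public-facing"
        print(f"  {host:28} {tag:14} logins={result['hit_counts'][host]}")
    print("inventory:", inventory([SAMPLE_RECORD, SECOND_RECORD]))
```

Running `inventory` over every listing that names one of your suffixes gives the deduplicated host list without re-reading hundreds of `links` entries, and the `lan_exposure` flag separates a home PC that merely had the webmail URL saved from a device that authenticated to internal systems while infected.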
The Commissioner has replied; I think he says it is not within his competence.
12-18-2023, 01:23 PM
(This post was last modified: 12-18-2023, 03:15 PM by 1van. Edit Reason: Details added.)
Our friends from https://sosintel.co.uk/ sent us more data:
Quote:1mln_URL48.txt:http://sapsolman1.eps.local/:vladanj:[PASSWORD_REDACTED]
sunurl-PRIVATE-22.10-2-.txt:http://imenik.eps.local/||
sunurl-PRIVATE-22.10-2-.txt:http://proxy1.eps.local/|predrag.tosic|[PASSWORD_REDACTED]
sunurl-PRIVATE-22.10-2-.txt:http://proxy3.eps.local/|eps\predrag.tosic|[PASSWORD_REDACTED]
sunurl-PRIVATE-22.10-2-.txt:http://proxy1.eps.local/|eps\predrag.tosic|[PASSWORD_REDACTED]
sunurl-PRIVATE-22.10-7-.txt:g212:1129:https://ise21.eps.local/
With further research we can see that these are:
[email protected]
[email protected]
And yes, we also have new internal domains:
Quote:imenik.eps.local
proxy1.eps.local
proxy3.eps.local
eps-grupa.eps.local
jana2-p.eps.rs
mdm-ggm-p.eps.local
mdm-t.eps.local
piseps-p.eps.local
To summarize: we now have details from three different sources (screenshots of employees' mail inboxes and honeypot detections, knowledge of internal EPS domains from Stealer logs, and password dumps) about the compromise of EPS.
I have this:
Quote:domain: owa.eps.rs
notes: url: https://owa.eps.rs/owa/auth/logon.aspx
usernames: danijela.klajn
source: naz.api
passwords: w************6
domain: owa.eps.rs
notes: url: https://owa.eps.rs/owa/auth/logon.aspx
usernames: ivan.mirkovic
source: naz.api
passwords: F******p
domain: owa.eps.rs
notes: url: https://owa.eps.rs/
source: naz.api
domain: owa.eps.rs
notes: url: https://owa.eps.rs/owa/auth/logon.aspx
usernames: ivan.mirkovic
source: naz.api
passwords: F******p
domain: owa.eps.rs
notes: url: https://owa.eps.rs/owa/auth/logon.aspx
usernames: nebojsa.turnic
source: naz.api
passwords: p******-
domain: owa.eps.rs
notes: url: https://owa.eps.rs
usernames: bojan.cerovic
source: naz.api
passwords: C******5
domain: owa.eps.rs
notes: url: https://owa.eps.rs/owa/auth/logon.aspx
usernames: aleksandar.glisic
source: naz.api
passwords: a*********1
domain: owa.eps.rs
notes: url: https://owa.eps.rs/owa/auth/logon.aspx
usernames: jadran.damnjanovic
source: naz.api
passwords: S******9
domain: owa.eps.rs
notes: url: https://owa.eps.rs/ecp/personalsettings/password.aspx
usernames: eps\dragan.milutinovic
source: naz.api
passwords: S********0
domain: owa.eps.rs
notes: url: https://owa.eps.rs/owa/auth/logon.aspx
usernames: eps\sinisa.atlagic
source: naz.api
passwords: K*********9
domain: owa.eps.rs
notes: url: https://owa.eps.rs/owa/auth/logon.aspx
usernames: jadran.damnjanovic
source: naz.api
passwords: S******9
domain: owa.eps.rs
notes: url: https://owa.eps.rs/owa/auth/logon.aspx
usernames: snezana.mincic
source: naz.api
passwords: S******9
domain: owa.eps.rs
notes: url: https://owa.eps.rs/owa/auth/logon.aspx
usernames: BD7487
source: naz.api
passwords: 7**7
domain: owa.eps.rs
notes: url: https://owa.eps.rs
usernames: mladenr
source: naz.api
passwords: r**********0
domain: owa.eps.rs
notes: url: https://owa.eps.rs/owa/auth/logon.aspx
usernames: jadran.damnjanovic
source: naz.api
passwords: S******9
domain: owa.eps.rs
notes: url: https://owa.eps.rs/owa/auth/logon.aspx
usernames: aleksandar.glisic
source: naz.api
passwords: a*********1
domain: owa.eps.rs
notes: url: https://owa.eps.rs/
emails: [email protected]
source: naz.api
passwords: n********
domain: owa.eps.rs
notes: url: https://owa.eps.rs/
usernames: EPS\nebojsa.krstic
source: naz.api
passwords: n********
domain: owa.eps.rs
notes: url: https://owa.eps.rs/owa/auth/logon.aspx
usernames: damir.kenig
source: naz.api
passwords: d****e
domain: owa.eps.rs
notes: url: https://owa.eps.rs/owa/auth/logon.aspx
usernames: danijela.klajn
source: naz.api
passwords: w************6
domain: owa.eps.rs
notes: url: https://owa.eps.rs/owa/auth/logon.aspx
usernames: snezana.mincic
source: naz.api
passwords: S******9
domain: owa.eps.rs
notes: url: https://owa.eps.rs
usernames: hezv
source: naz.api
passwords: h**v
domain: owa.eps.rs
notes: url: https://owa.eps.rs
usernames: boban.cvetkovic
source: naz.api
passwords: S******0
domain: owa.eps.rs
notes: url: https://owa.eps.rs/owa/auth/logon.aspx
usernames: rl6104
source: naz.api
passwords: 6**4
domain: owa.eps.rs
notes: url: https://owa.eps.rs/
usernames: vladan.jeric
source: naz.api
passwords: J*******2
domain: owa.eps.rs
notes: url: https://owa.eps.rs
usernames: boban.cvetkovic
source: naz.api
passwords: S******0
domain: owa.eps.rs
notes: url: https://owa.eps.rs
usernames: bojan.cerovic
source: naz.api
passwords: C******5
domain: owa.eps.rs
notes: url: https://owa.eps.rs/owa/auth/logon.aspx
usernames: vesna.bogdanovic
source: naz.api
passwords: i***1
domain: owa.eps.rs
notes: url: https://owa.eps.rs/
emails: [email protected]
source: naz.api
passwords: n********
domain: owa.eps.rs
notes: url: https://owa.eps.rs
usernames: hezv
source: naz.api
passwords: h**v
domain: owa.eps.rs
notes: url: https://owa.eps.rs/owa/auth/logon.aspx
usernames: rl6104
source: naz.api
passwords: 6**4
domain: owa.eps.rs
notes: url: https://owa.eps.rs
usernames: boban.cvetkovic
source: naz.api
passwords: S******0
domain: owa.eps.rs
notes: url: https://owa.eps.rs/
emails: [email protected]
source: naz.api
passwords: n********
domain: owa.eps.rs
notes: url: https://owa.eps.rs
usernames: hezv
source: naz.api
passwords: h**v
domain: owa.eps.rs
notes: url: https://owa.eps.rs/owa/auth/logon.aspx
usernames: rl6104
source: naz.api
passwords: 6**4
domain: owa.eps.rs
notes: url: https://owa.eps.rs/owa/auth/logon.aspx
usernames: eps\sinisa.atlagic
source: naz.api
passwords: K*********9
domain: owa.eps.rs
notes: url: https://owa.eps.rs/owa/auth/logon.aspx
usernames: aleksandar.glisic
source: naz.api
passwords: a*********1
domain: owa.eps.rs
notes: url: https://owa.eps.rs
usernames: hezv
source: naz.api
passwords: h**v
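The dump above repeats several accounts (the same username appears under more than one URL), mixes `usernames:` and `emails:` fields, sometimes carries a `DOMAIN\user` prefix, and has records that name no account at all, so the record count overstates the number of people who actually need a password reset. The following added example, not code from the thread or from naz.api, parses that key/value layout, canonicalises the account name and reports the unique accounts, which ones recur, and the login endpoints seen. SAMPLE_DUMP is constructed with placeholder names (*.example.rs) and already-masked passwords in the same layout as the quoted records.

```python
"""Deduplicate a naz.api-style credential dump and list the accounts to reset.

Added example for this thread, not code from the thread or from the source
it quotes. SAMPLE_DUMP is constructed in the same key/value layout as the
quoted records (domain / notes: url / usernames or emails / source /
passwords); names are placeholders and passwords are already masked.
"""
from collections import Counter
from urllib.parse import urlparse

SAMPLE_DUMP = """\
domain: owa.example.rs
notes: url: https://owa.example.rs/owa/auth/logon.aspx
usernames: ana.petrovic
source: naz.api
passwords: w************6
domain: owa.example.rs
notes: url: https://owa.example.rs/
source: naz.api
domain: owa.example.rs
notes: url: https://owa.example.rs/ecp/personalsettings/password.aspx
usernames: EXAMPLE\\ana.petrovic
source: naz.api
passwords: S********0
domain: owa.example.rs
notes: url: https://owa.example.rs/
emails: marko.jovic@example.rs
source: naz.api
passwords: n********
domain: owa.example.rs
notes: url: https://owa.example.rs
usernames: marko.jovic
source: naz.api
passwords: n********
"""


def parse_records(text: str) -> list:
    """Split the dump into dicts; a new record starts at every 'domain:' line.
    'notes: url: https://...' is split on the first ': ' only, so the URL
    survives intact."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(": ")
        if key == "domain":
            current = {}
            records.append(current)
        if current is None:        # stray line before the first record
            continue
        if key == "notes" and value.startswith("url: "):
            key, value = "url", value[len("url: "):]
        current[key] = value.strip()
    return records


def account_of(record: dict):
    """Canonical account name: drop a NetBIOS 'DOMAIN\\' prefix, take the
    local part of an e-mail, lower-case. None when the record names nobody."""
    name = record.get("usernames") or record.get("emails", "").split("@")[0]
    if not name:
        return None
    return name.split("\\")[-1].lower()


def login_path(record: dict) -> str:
    """Path of the captured login URL; a bare host becomes '/'."""
    return urlparse(record.get("url", "")).path or "/"


def summarize(text: str) -> dict:
    """Unique accounts (the reset list), how often each recurs, the endpoints
    seen, and how many records carry no account at all."""
    records = parse_records(text)
    counts = Counter(a for a in map(account_of, records) if a)
    return {
        "accounts": sorted(counts),
        "repeats": {a: n for a, n in counts.items() if n > 1},
        "login_paths": sorted({login_path(r) for r in records}),
        "records_without_account": sum(1 for r in records if account_of(r) is None),
        "total_records": len(records),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_DUMP)
    print(f"{s['total_records']} records, {len(s['accounts'])} unique accounts to reset")
    for acct in s["accounts"]:
        print(f"  {acct} (seen {s['repeats'].get(acct, 1)}x)")
    print("endpoints:", s["login_paths"])
```

The `login_paths` list is worth a look on its own: a record pointing at the ECP password-change page rather than the OWA logon form tells the responder that the browser saved the credential while the user was already inside the mailbox settings, so the reset must cover that session too.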