Feeds of Indicators Of Compromise ( TweetFeed )


An Indicator of Compromise (IOC) is one kind of "jewelry" (a valuable artifact) that security analysts, threat intelligence professionals, cyber threat hunters, and especially malware analysts look for.

So, what is an Indicator of Compromise? Let’s break it down into two parts: "Indicator" and "Compromise."

According to the Cambridge Dictionary, an indicator is something that shows the state or level of something. For example, "Commodity prices can be a useful indicator of inflation."

On the other hand, compromise is commonly defined as a way of reaching an agreement in which each side gives up something. However, in a cybersecurity context, compromise typically refers to a security breach or intrusion.

So, putting it all together:
Indicators of Compromise (IOCs) are signs or pieces of evidence that suggest a system has been breached or has experienced malicious activity.

They are crucial for detecting, analyzing, and responding to cyber threats.

Well, maybe we don’t always have time to analyze every sample daily or constantly look for new threat feeds.

So, what are feeds?
According to the dictionary, "to feed" means to give food to a person, group, or animal. In cybersecurity, however, feeds are streams of data about the latest intrusions or threats: things like IP addresses, malicious domains, URLs, file hashes, and more.

So, what can be considered an Indicator of Compromise (IOC)?
The answer is: URLs, IP addresses, hostnames, and file hashes. These are the core elements, or main categories, of IOCs.

In our case, we’ll focus on free and regularly updated feeds, ideally those that provide data daily or in real-time. These platforms don’t require any kind of payment to access and continue receiving nasty Indicators of Compromise (IOCs).

Platform: https://tweetfeed.live/


If you're interested in accessing feeds by year, month, week, or day, you can simply visit the following link:
👉 https://tweetfeed.live/feeds.html


From the main website, you’ll see a table where you can hunt for potential Command and Control (C2) servers listed in the feed. The feeds table contains data from today, so let’s try to conduct our investigation:


I have selected the following entry from the feed table:
http://91.241.93[.]244[:]4000/, which is identified as Evilginx.
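To make the "core elements of IOCs" list above concrete, and to handle the defanged notation in this feed entry (`[.]` and `[:]`), here is an added example in Python. It is my own illustration, not code from the original post or from the TweetFeed project. It refangs and defangs indicator strings, classifies a value as url / ip / domain / hash, parses a small feed, and flags rows whose declared type does not match what the value actually looks like. The CSV column layout and the sample lines are constructed for this example and are an assumption, not a statement of TweetFeed's real export format; the IP 203.0.113.7 and the `.invalid` domain are documentation-reserved values.

```python
from __future__ import annotations

import csv
import io
import re
from dataclasses import dataclass

# Patterns for the four core IOC kinds named in the post. Values are matched
# after refanging, so "91.241.93[.]244" is checked as "91.241.93.244".
IPV4_RE = re.compile(
    r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"
)
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)
URL_RE = re.compile(r"^https?://", re.I)
HEX_RE = re.compile(r"^[0-9a-f]+$", re.I)
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(value: str) -> str:
    """Undo the common defanging conventions seen in public feeds."""
    v = value.strip()
    v = re.sub(r"^hxxp", "http", v, flags=re.I)
    v = v.replace("[://]", "://").replace("[.]", ".").replace("[:]", ":")
    return v


def defang(value: str) -> str:
    """Make an indicator safe to paste into a report or ticket (not clickable)."""
    v = value.replace(".", "[.]")
    v = re.sub(r"^http", "hxxp", v, flags=re.I)
    return v.replace("://", "[://]")


def classify(value: str) -> str:
    """Return url, ip, md5, sha1, sha256, domain or unknown for one indicator."""
    v = refang(value)
    if URL_RE.match(v):
        return "url"
    if IPV4_RE.match(v):
        return "ip"
    if HEX_RE.match(v) and len(v) in HASH_LENGTHS:
        return HASH_LENGTHS[len(v)]
    if DOMAIN_RE.match(v):
        return "domain"
    return "unknown"


@dataclass
class Indicator:
    date: str
    reporter: str
    feed_type: str      # type as declared by the feed row
    value: str          # value exactly as published (still defanged)
    tags: tuple[str, ...]
    derived_type: str   # type inferred from the value itself


def parse_feed(text: str) -> list[Indicator]:
    """Parse CSV rows of the assumed form: date,reporter,type,value,tags."""
    out: list[Indicator] = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 4 or row[0].startswith("#"):
            continue  # skip blank rows and comment lines
        date, reporter, feed_type, value = (c.strip() for c in row[:4])
        tags = tuple(row[4].split()) if len(row) > 4 else ()
        out.append(Indicator(date, reporter, feed_type, value, tags, classify(value)))
    return out


def find_mismatches(indicators: list[Indicator]) -> list[Indicator]:
    """Rows to review before loading into a blocklist: declared type != observed shape."""
    return [i for i in indicators if i.feed_type != i.derived_type]


# Constructed sample feed (assumed layout, not a real TweetFeed export).
# The first URL is the entry quoted in the post; the rest use reserved example values.
SAMPLE_FEED = """\
# constructed sample, not a real TweetFeed export
2024-01-01 10:00:00,@example_reporter,url,http://91.241.93[.]244[:]4000/,#Evilginx #phishing
2024-01-01 10:05:00,@example_reporter,ip,203.0.113[.]7,#c2
2024-01-01 10:07:00,@example_reporter,domain,login-example[.]invalid,#phishing
2024-01-01 10:09:00,@example_reporter,sha256,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,#sample
2024-01-01 10:11:00,@example_reporter,ip,not-an-ip,#typo
"""

if __name__ == "__main__":
    rows = parse_feed(SAMPLE_FEED)
    for ind in rows:
        print(f"{ind.feed_type:7} {ind.derived_type:7} {refang(ind.value)}  {' '.join(ind.tags)}")
    for bad in find_mismatches(rows):
        print("REVIEW:", bad.value, "declared", bad.feed_type, "looks like", bad.derived_type)
```

The mismatch check is the part worth keeping around: community feeds are hand-tagged, so a row labelled `ip` whose value is not an address should be reviewed rather than blindly pushed to a firewall or SIEM watchlist. Keep the published (defanged) value for the record and only refang at the point where a detection system needs the literal string.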

Evilginx is a widely used open-source framework for setting up and executing phishing campaigns. It is often used by security professionals for red teaming and phishing awareness training, but it’s also abused by threat actors for malicious credential harvesting and man-in-the-middle attacks.

I'm going to submit the URL to VirusTotal to gather more indicators.

Oops! It's clean!


Well, let’s visit the main URL.


Enjoy :)
