APT16 Analysis

IOB - Indicator of Behavior (29)

Language

en (20)
zh (6)
ja (2)
pl (2)

Product

Yii (2)
Oracle MySQL Server (2)
Adult Script Pro (2)
XXL-Job (2)
Esoftpro Online Guestbook Pro (2)

Vulnerabilities

These are the vulnerabilities that we have identified as researched, approached, or attacked.

# | Vulnerability | CVSS Base | CVSS Temp | 0day price | Today price | Exploitability | Countermeasure | KEV | EPSS | CTI | CVE
1 | Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure | 5.3 | 5.2 | $10k-$25k | Calculating | High | Workaround | possible | 0.02956 | 0.00 | CVE-2007-1192
2 | MGB OpenSource Guestbook email.php sql injection | 7.3 | 7.3 | $2k-$5k | $0-$1k | High | Unavailable | possible | 0.01686 | 0.40 | CVE-2007-0354
3 | OpenVPN External Authentication Plug-in authentication bypass | 3.7 | 3.6 | $1k-$2k | $0-$1k | Not defined | Official fix | - | 0.00607 | 0.05 | CVE-2022-0547
4 | XXL-JOB permission | 7.1 | 7.0 | $1k-$2k | $0-$1k | Not defined | Not defined | - | 0.07565 | 0.02 | CVE-2022-36157
5 | ThinkPHP index.php privilege escalation | 6.3 | 6.1 | $2k-$5k | $0-$1k | Not defined | Not defined | - | 0.01989 | 0.04 | CVE-2021-44892
6 | ThinkPHP AbstractCache.php deserialization | 7.6 | 7.6 | $1k-$2k | $0-$1k | Not defined | Not defined | possible | 0.49771 | 0.05 | CVE-2022-33107
7 | XXL-Job add cross-site request forgery | 4.3 | 4.3 | $0-$1k | $0-$1k | Not defined | Not defined | - | 0.00102 | 0.05 | CVE-2022-29002
8 | Bootstrap add_product.php cross site scripting | 3.5 | 3.5 | $0-$1k | $0-$1k | Not defined | Not defined | - | 0.00164 | 0.00 | CVE-2022-26624
9 | Yii ActiveRecord.php findByCondition sql injection | 8.5 | 8.2 | $2k-$5k | $0-$1k | Not defined | Official fix | - | 0.00643 | 0.08 | CVE-2018-7269
10 | Yii unserialize deserialization | 7.7 | 6.7 | $2k-$5k | $0-$1k | Not defined | Official fix | expected | 0.90198 | 0.05 | CVE-2020-15148
11 | Oracle MySQL Server Stored Procedure denial of service | 4.9 | 4.8 | $2k-$5k | $0-$1k | Not defined | Official fix | - | 0.00091 | 0.00 | CVE-2022-21534
12 | osCommerce currencies.php Reflected cross site scripting | 3.5 | 3.2 | $1k-$2k | Calculating | Proof-of-Concept | Not defined | - | 0.00000 | 0.00 | -
13 | Microsoft Windows Kernel access control | 8.5 | 8.3 | $50k-$100k | $10k-$25k | Not defined | Official fix | - | 0.02011 | 0.00 | CVE-2019-0881
14 | Esoftpro Online Guestbook Pro ogp_show.php sql injection | 7.3 | 6.9 | $2k-$5k | $0-$1k | Proof-of-Concept | Not defined | - | 0.00330 | 0.61 | CVE-2009-4935
15 | DZCP deV!L`z Clanportal config.php code injection | 7.3 | 6.6 | $2k-$5k | $0-$1k | Proof-of-Concept | Official fix | - | 0.00970 | 0.61 | CVE-2010-0966
16 | DZCP deV!L`z Clanportal browser.php information disclosure | 5.3 | 5.0 | $1k-$2k | $0-$1k | Proof-of-Concept | Not defined | - | 0.08189 | 0.30 | CVE-2007-1167
17 | Phorum register.php sql injection | 7.3 | 6.9 | $2k-$5k | $0-$1k | Proof-of-Concept | Not defined | - | 0.00619 | 0.00 | CVE-2004-0035
18 | Expinion.net News Manager Lite comment_add.asp cross site scripting | 4.3 | 3.9 | $1k-$2k | $0-$1k | Proof-of-Concept | Official fix | - | 0.00659 | 0.05 | CVE-2004-1845
19 | Adult Script Pro download sql injection | 8.5 | 8.3 | $1k-$2k | $0-$1k | Proof-of-Concept | Not defined | - | 0.02464 | 0.00 | CVE-2017-15959
20 | Apple Mac OS X File Sharing privileges management | 3.7 | 3.6 | $10k-$25k | $0-$1k | Not defined | Official fix | - | 0.00482 | 0.00 | CVE-2003-0379
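To turn the table above into a patching order, the rows most likely to be exploited have to be pulled to the front rather than sorted by CVSS alone. The following is an added example and is not part of the original page or of any vuldb tooling: it loads a subset of the rows (scores, EPSS and KEV values copied from the table; the record shape and the ranking rule are this example's own assumptions) and orders them by the KEV flag exactly as the page shows it, then EPSS, then public exploit maturity, then CVSS base score, with an EPSS floor a responder can tune.

```python
from dataclasses import dataclass

# Record shape is an assumption for this example; the values are copied from
# the vulnerability table above (a subset of its 20 rows).
@dataclass(frozen=True)
class Vuln:
    cve: str
    title: str
    base: float          # CVSS base score
    epss: float          # EPSS probability
    kev: str             # KEV column as shown on the page: "expected", "possible" or ""
    exploitability: str  # Exploitability column: High / Proof-of-Concept / Not defined

ROWS = [
    Vuln("CVE-2007-1192", "HyperBook Guestbook gbconfiguration.dat information disclosure", 5.3, 0.02956, "possible", "High"),
    Vuln("CVE-2022-0547", "OpenVPN External Authentication Plug-in authentication bypass", 3.7, 0.00607, "", "Not defined"),
    Vuln("CVE-2022-36157", "XXL-JOB permission", 7.1, 0.07565, "", "Not defined"),
    Vuln("CVE-2022-33107", "ThinkPHP AbstractCache.php deserialization", 7.6, 0.49771, "possible", "Not defined"),
    Vuln("CVE-2018-7269", "Yii ActiveRecord.php findByCondition sql injection", 8.5, 0.00643, "", "Not defined"),
    Vuln("CVE-2020-15148", "Yii unserialize deserialization", 7.7, 0.90198, "expected", "Not defined"),
    Vuln("CVE-2019-0881", "Microsoft Windows Kernel access control", 8.5, 0.02011, "", "Not defined"),
]

KEV_RANK = {"expected": 2, "possible": 1, "": 0}
EXP_RANK = {"High": 2, "Proof-of-Concept": 1, "Not defined": 0}

def sort_key(v):
    # Larger tuples sort first once reversed: KEV flag, then EPSS, then exploit maturity, then CVSS.
    return (KEV_RANK.get(v.kev, 0), v.epss, EXP_RANK.get(v.exploitability, 0), v.base)

def triage(rows, epss_floor=0.0):
    """Rows ordered for patching; rows without a KEV flag and below the EPSS floor are dropped."""
    kept = [v for v in rows if v.kev or v.epss >= epss_floor]
    return sorted(kept, key=sort_key, reverse=True)

def urgent(rows, epss_floor=0.05):
    """CVE ids a responder should act on first: KEV-flagged, or EPSS at or above the floor."""
    return [v.cve for v in triage(rows, epss_floor)]

if __name__ == "__main__":
    for v in triage(ROWS):
        print(f"{v.cve:15} kev={v.kev or '-':8} epss={v.epss:.5f} base={v.base:.1f}  {v.title}")
```

With this rule the two deserialization bugs in Yii and ThinkPHP outrank the CVSS 8.5 Windows kernel and Yii SQL injection entries, because their EPSS and KEV values say they are the ones being exploited; the floor in `urgent()` is the knob to widen or narrow the first batch.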

IOC - Indicator of Compromise (1)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

ID | IP address | Hostname | Actor | Campaigns | Identified | Type | Confidence
1 | 121.127.249.74 | - | APT16 | - | 12/11/2020 | verified | Low

TTP - Tactics, Techniques, Procedures (6)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

ID | ATT&CK technique | CAPEC | CWE | Vulnerability class | Type | Confidence
1 | T1059 | CAPEC-242 | CWE-94 | Argument Injection | predictive | High
2 | T1059.007 | CAPEC-209 | CWE-79, CWE-80 | Basic Cross Site Scripting | predictive | High
3 | TXXXX | CAPEC-XXX | CWE-XXX, CWE-XXX | Xxxxxxxxx Xxxx Xxxxxxxxxxx Xxxxxxxxxx | predictive | High
4 | TXXXX | - | CWE-XXX | Xxxxxxxxx Xxxxxx | predictive | High
5 | TXXXX | CAPEC-XXX | CWE-XXX | xx Xxxxxxxxx | predictive | High
6 | TXXXX | CAPEC-XXX | CWE-XXX | Xxxxxxxxxx Xx Xxxxxxx Xxxxx Xxxxxxx Xxxxxxxxx Xxxxxxxxxxx | predictive | High

IOA - Indicator of Attack (24)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1 | File | /download | predictive | Medium
2 | File | /gaia-job-admin/user/add | predictive | High
3 | File | /oscommerce/admin/currencies.php | predictive | High
4 | File | /xxxxxx/xxxxx/xxx_xxxxxxx.xxx | predictive | High
5 | File | xxxxxxx_xxx.xxx | predictive | High
6 | File | xxxx/xxxxxxxxxxxxxxx.xxx | predictive | High
7 | File | xxxxx.xxx | predictive | Medium
8 | File | xxxxxxxxx/xx/xxxxxxxxxxxx.xxx | predictive | High
9 | File | xxx/xxxxxx.xxx | predictive | High
10 | File | xxx/xxxxxxxxxxx/xxxxxxx.xxx | predictive | High
11 | File | xxxxx.xxx | predictive | Medium
12 | File | xxx_xxxx.xxx | predictive | Medium
13 | File | xxxxxxxx.xxx | predictive | Medium
14 | File | xxxxxx\xxxxxx\xxxxxxxxx-xxxxxx-xxxxxxx\xxx\xxxxxxx\xxxxxxxxxxxxx.xxx | predictive | High
15 | Argument | xxxxxxxx | predictive | Medium
16 | Argument | xxxxxxx | predictive | Low
17 | Argument | xxxx | predictive | Low
18 | Argument | xxxx_xxxxx | predictive | Medium
19 | Argument | xx | predictive | Low
20 | Argument | xxxx | predictive | Low
21 | Argument | xxxx_xxxx | predictive | Medium
22 | Argument | xxxxx | predictive | Low
23 | Argument | xxxxx[_xxxxxxxx] | predictive | High
24 | Input Value | %xx%xx%xxxxxxxx%xxxxxxx%xxxxxxxxxx.xxxxxx%xx%xx/xxxxxx%xx%xxxxx%xxxxxxx=%xxx | predictive | High
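The one IOC address and the three unmasked IOA file paths are directly usable as detection content for web server logs, provided the request path is normalised before comparison; an attacker probing `currencies%2Ephp` must still hit the `currencies.php` indicator. The following is an added example, not part of the original page: a scanner that matches constructed Apache combined-format access log lines (sample input written for this example, not real traffic) against those indicators, percent-decodes and query-strips the path first, and carries each indicator's confidence from the tables above through to the hit so that a match on the generic `/download` path is reported as Medium while the IP match stays Low.

```python
import re
from urllib.parse import unquote, urlsplit

# Indicators copied from the IOC and IOA tables above (unmasked entries only),
# keyed to the confidence the page assigns them.
IOC_IPS = {"121.127.249.74": "Low"}
IOA_PATHS = {
    "/download": "Medium",             # generic path, hence only Medium on the page
    "/gaia-job-admin/user/add": "High",
    "/oscommerce/admin/currencies.php": "High",
}

# Apache/nginx "combined" log format; referrer and user agent are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def normalize_path(target):
    """Strip the query string and percent-decode (at most twice) so that
    /oscommerce/admin/currencies%2Ephp?page=1 compares equal to the indicator."""
    path = urlsplit(target).path
    for _ in range(2):  # a second round catches double-encoded probes such as %252e
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.rstrip("/") or "/"

def match_line(line):
    """Return a hit dict when the line touches an indicator, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line; skip it rather than crash
    ip = m.group("ip")
    path = normalize_path(m.group("target"))
    reasons = []
    if ip in IOC_IPS:
        reasons.append(("ioc-ip", ip, IOC_IPS[ip]))
    if path in IOA_PATHS:
        reasons.append(("ioa-path", path, IOA_PATHS[path]))
    if not reasons:
        return None
    return {"ip": ip, "path": path, "status": m.group("status"), "reasons": reasons}

def scan(lines):
    return [hit for hit in map(match_line, lines) if hit]

# Constructed sample log: RFC 5737 documentation addresses, plus the IOC IP from the table.
SAMPLE_LOG = [
    '121.127.249.74 - - [11/Dec/2020:08:14:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Dec/2020:08:15:10 +0000] "POST /gaia-job-admin/user/add HTTP/1.1" 302 0 "-" "python-requests/2.25.1"',
    '198.51.100.23 - - [11/Dec/2020:08:16:44 +0000] "GET /oscommerce/admin/currencies%2Ephp?page=1 HTTP/1.1" 200 1822 "-" "curl/7.68.0"',
    '192.0.2.55 - - [11/Dec/2020:08:17:01 +0000] "GET /download?id=42 HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
    '192.0.2.56 - - [11/Dec/2020:08:18:30 +0000] "GET /about.html HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["path"], hit["status"], hit["reasons"])
```

Exact-path matching is deliberate: substring matching on `/download` would fire on every `/downloads/` directory, and the page itself only rates that indicator Medium. The masked rows, including the percent-encoded input value in row 24, cannot be added until the full indicator is available.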
