APT17 Analysis

IOB - Indicator of Behavior (214)

Lang

  • en: 196
  • ja: 8
  • zh: 6
  • es: 4

Country

  • de: 92
  • us: 90
  • cn: 18
  • jp: 8
  • mn: 4

Product

  • WordPress: 6
  • Thomas R. Pasawicz HyperBook Guestbook: 2
  • FineCMS: 2
  • FileCapsule Deluxe Portable: 2
  • Kentico CMS: 2

Vulnerabilities

| # | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | CTI | EPSS | CVE |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | DZCP deV!L`z Clanportal config.php code injection | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.42 | 0.04187 | CVE-2010-0966 |
| 2 | Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure | 5.3 | 5.2 | $5k-$25k | $0-$5k | High | Workaround | 0.04 | 0.04187 | CVE-2007-1192 |
| 3 | jforum User input validation | 5.3 | 5.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.02 | 0.04499 | CVE-2019-7550 |
| 4 | Postfix Admin functions.inc.php sql injection | 7.3 | 7.0 | $5k-$25k | $0-$5k | High | Official Fix | 0.04 | 0.01232 | CVE-2014-2655 |
| 5 | laravel-jqgrid EloquentRepositoryAbstract.php getRows sql injection | 6.9 | 6.9 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.05 | 0.00954 | CVE-2021-4262 |
| 6 | FreeBSD Ping pr_pack stack-based overflow | 7.3 | 7.0 | $5k-$25k | $5k-$25k | Not Defined | Official Fix | 0.03 | 0.00000 | CVE-2022-23093 |
| 7 | WordPress setup-config.php cross site scripting | 8.8 | 7.9 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.03 | 0.06523 | CVE-2011-4899 |
| 8 | Hitachi RAID Manager Storage Replication Adapter information exposure | 6.6 | 6.5 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.04 | 0.01055 | CVE-2022-34882 |
| 9 | Oracle MySQL Server Packaging name resolution | 8.1 | 7.9 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.02 | 0.01018 | CVE-2022-27778 |
| 10 | PrestaShop Twig Code code injection | 8.1 | 8.0 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.02 | 0.00954 | CVE-2022-21686 |
| 11 | Apache Jakarta Tomcat AJP12 Protocol denial of service | 5.3 | 5.1 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.02 | 0.01484 | CVE-2005-0808 |
| 12 | Fortinet FortiGate SSLVPN certificate validation | 5.6 | 5.6 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.03 | 0.00885 | CVE-2021-24012 |
| 13 | Esri ArcGIS Server sql injection | 8.1 | 8.0 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.01055 | CVE-2021-29114 |
| 14 | Progress Telerik UI for ASP.NET AJAX Telerik.Web.UI.WebResource.axd command injection | 8.0 | 8.0 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.02 | 0.01440 | CVE-2021-28141 |
| 15 | Pydio pydio-core proxy.php unrestricted upload | 8.5 | 8.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00 | 0.01440 | CVE-2019-9642 |
| 16 | Kentico CMS Blog Module sql injection | 8.0 | 7.6 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.02 | 0.00954 | CVE-2021-27581 |
| 17 | Sophos Firewall User Portal/Webadmin improper authentication | 8.5 | 8.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.03 | 0.64728 | CVE-2022-1040 |
| 18 | WordPress sql injection | 6.8 | 6.7 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.02 | 0.01034 | CVE-2022-21664 |
| 19 | Advanced Custom Fields Plugin authorization | 4.3 | 4.1 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.03 | 0.01061 | CVE-2022-23183 |
| 20 | SonicWALL Secure Remote Access cross site scripting | 3.5 | 3.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.05 | 0.00885 | CVE-2021-20028 |

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • CCleaner

IOC - Indicator of Compromise (21)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (16)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

| ID | Technique | Vulnerabilities | Access Vector | Type | Confidence |
|---|---|---|---|---|---|
| 1 | T1006 | CWE-22 | Pathname Traversal | predictive | High |
| 2 | T1055 | CWE-74 | Injection | predictive | High |
| 3 | T1059 | CWE-94 | Cross Site Scripting | predictive | High |
| 4 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | predictive | High |

IOA - Indicator of Attack (46)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

| ID | Class | Indicator | Type | Confidence |
|---|---|---|---|---|
| 1 | File | .htaccess | predictive | Medium |
| 2 | File | /api/DownloadUrlResponse.ashx | predictive | High |
| 3 | File | /wbg/core/_includes/authorization.inc.php | predictive | High |
| 4 | File | addentry.php | predictive | Medium |
| 5 | File | data/gbconfiguration.dat | predictive | High |
| 6 | File | detail.php | predictive | Medium |

References (4)

The following list contains external sources which discuss the actor and the associated activities: