APT17 Analysis

IOB - Indicator of Behavior (244)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en202
ja24
zh12
es2
pt2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Country

us92
de84
cn36
jp24
mn4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Actors

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Activities

Interest

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Type

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vendor

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Product

WordPress6
WeiPHP4
Oracle MySQL Server4
Fortinet FortiOS4
Esri ArcGIS Server2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vulnerabilities

#VulnerabilityBaseTemp0dayTodayExpRemEPSSCTICVE
1DZCP deV!L`z Clanportal config.php code injection7.36.6$0-$5k$0-$5kProof-of-ConceptOfficial Fix0.009430.32CVE-2010-0966
2Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure5.35.2$5k-$25kCalculatingHighWorkaround0.020160.00CVE-2007-1192
3jforum User input validation5.35.3$0-$5k$0-$5kNot DefinedNot Defined0.002890.00CVE-2019-7550
4ESET Server Security for Linux privileges management7.57.4$0-$5k$0-$5kNot DefinedOfficial Fix0.000420.06CVE-2023-2847
5CrowdStrike Falcon Uninstallation authorization3.53.5$0-$5k$0-$5kFunctionalOfficial Fix0.012900.16CVE-2022-2841
6Postfix Admin functions.inc.php sql injection7.37.0$5k-$25k$0-$5kHighOfficial Fix0.002530.03CVE-2014-2655
7SourceCodester Complaint Management System Lodge Complaint Section register-complaint.php unrestricted upload6.36.0$0-$5k$0-$5kProof-of-ConceptNot Defined0.000450.19CVE-2024-1875
8OPNsense command injection7.67.5$0-$5k$0-$5kNot DefinedOfficial Fix0.001220.04CVE-2023-39008
9Fortinet FortiOS/FortiProxy HA Request privileges management8.88.6$0-$5k$0-$5kNot DefinedOfficial Fix0.000500.00CVE-2023-44250
10jQuery Cookie Prototype cross site scripting3.53.5$0-$5k$0-$5kNot DefinedNot Defined0.000680.00CVE-2022-23395
11Flexera FlexNet Publisher Command lmadmin.exe unusual condition6.46.4$0-$5k$0-$5kNot DefinedNot Defined0.001030.04CVE-2019-8960
12ESET NOD32 Antivirus File permission7.87.6$0-$5k$0-$5kNot DefinedOfficial Fix0.000460.04CVE-2023-3160
13Citrix StoreFront SAML Authentication cross site scripting3.53.4$0-$5k$0-$5kNot DefinedOfficial Fix0.000720.00CVE-2022-27503
14QNAP QTS/QuTS hero/QuTScloud os command injection9.89.6$0-$5k$0-$5kNot DefinedOfficial Fix0.000680.00CVE-2023-23368
15cURL SOCKS5 Proxy heap-based overflow4.64.4$0-$5k$0-$5kNot DefinedOfficial Fix0.003190.00CVE-2023-38545
16Fortinet FortiOS prof-admin Profile improper authorization7.77.6$0-$5k$0-$5kNot DefinedOfficial Fix0.000500.03CVE-2023-41841
17Juniper Junos OS J-Web external variable5.35.2$5k-$25k$0-$5kHighOfficial Fix0.966630.03CVE-2023-36845
18QNAP QTS/QuTS Hero cleartext transmission4.64.5$0-$5k$0-$5kNot DefinedOfficial Fix0.000520.00CVE-2023-34972
19Hitachi Energy TXpert Hub CoreTec 4 os command injection8.38.2$0-$5k$0-$5kNot DefinedOfficial Fix0.000430.00CVE-2023-2625
20Trend Micro Apex One/Apex One as a Service Management Server path traversal8.58.5$5k-$25k$5k-$25kNot DefinedNot Defined0.002210.00CVE-2023-32557

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • CCleaner

IOC - Indicator of Compromise (21)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (19)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (56)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

IDClassIndicatorTypeConfidence
1File.htaccesspredictiveMedium
2File/api/cron/settings/setJob/predictiveHigh
3File/api/DownloadUrlResponse.ashxpredictiveHigh
4File/wbg/core/_includes/authorization.inc.phppredictiveHigh
5Fileaddentry.phppredictiveMedium
6Filedata/gbconfiguration.datpredictiveHigh
7Filedetail.phppredictiveMedium
8Filexxxxxxxxx.xxx.xxxpredictiveHigh
9Filexxxxxx/xxxxxxxxxxxxpredictiveHigh
10Filexxxx.xxxpredictiveMedium
11Filexxxxxxxxx.xxxpredictiveHigh
12Filexxx/xxxxxx.xxxpredictiveHigh
13Filexxx/xxxxxxxxxxx/xxxxxxx.xxxpredictiveHigh
14Filexxxxxxxxxx/xxxxxxx.xpredictiveHigh
15Filexxxxxxx.xxxpredictiveMedium
16Filexxxxxxx.xxxpredictiveMedium
17Filexxx_xx_xx_xxxxxxxx.xxxpredictiveHigh
18Filexxxxx.xxxpredictiveMedium
19Filexxxxx-xxxx/xxxxx-xxxxx-xxxx.xxxpredictiveHigh
20Filexxxxxxxx.xxxpredictiveMedium
21Filexxxxxxxx/xxxxx/xxxxxxxx?xxxxxxxxpredictiveHigh
22Filexxxx.xpredictiveLow
23Filexxx/xxxxxxxxx/xxxxxxxxxxxxx/xxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxx.xxxpredictiveHigh
24Filexxxxxxx.xxx.xx.xxxxxxxxxxx.xxxpredictiveHigh
25Filexxxxxxxx.xxxxx.xxxpredictiveHigh
26Filexxxxx.xxxpredictiveMedium
27Filexxxxxxx/xxxxxxxx.xxxpredictiveHigh
28Filexxxxx/xxxxxxxx-xxxxxxxxx.xxxpredictiveHigh
29Filexxxxx.xxxpredictiveMedium
30Filexx-xxxxx/xxxxx.xxxpredictiveHigh
31Filexx-xxxxx/xxxxx-xxxxxx.xxxpredictiveHigh
32Filexx-xxxxxxxx/xxxxx-xx-xxxxx.xxxpredictiveHigh
33Filexx-xxxxxxxx/xxxx-xxx/xxxxxxxxx/xxxxx-xx-xxxx-xxxxx-xxxxxxxxxx.xxxpredictiveHigh
34Filexx-xxxxx.xxxpredictiveMedium
35Libraryxxxxxxxx.xxxpredictiveMedium
36Argumentxx_xxxxx_xxx_xxxxpredictiveHigh
37ArgumentxxxxxxxxpredictiveMedium
38ArgumentxxxxxxxxxxpredictiveMedium
39ArgumentxxxxxxxpredictiveLow
40ArgumentxxxxpredictiveLow
41ArgumentxxxxpredictiveLow
42ArgumentxxxxpredictiveLow
43ArgumentxxxxpredictiveLow
44ArgumentxxxxpredictiveLow
45Argumentxxxx/xxxxxxxxxxxpredictiveHigh
46ArgumentxxxxxpredictiveLow
47ArgumentxxxxxxxxxxpredictiveMedium
48Argumentxxxx_xxxxxpredictiveMedium
49ArgumentxxxxxxxpredictiveLow
50Argumentxxxx_xxpredictiveLow
51ArgumentxxxpredictiveLow
52Argumentxxx_xxxxxpredictiveMedium
53Argumentx_xxxxpredictiveLow
54Argument\xxxxxx\predictiveMedium
55Argument_xxx_xxxxxxxxxxx_predictiveHigh
56Input Value../../../../../xxx/xxx/xxxxx/xxxx/xxxxxxxx/xxxxx/xxx.xxxpredictiveHigh

References (4)

The following list contains external sources which discuss the actor and the associated activities:

Interested in the pricing of exploits?

See the underground prices here!