APT17 Analysisinfo

💳 Purchase Required

You need to purchase an additional CTI license to see detailed indicators.

IOB - Indicator of Behavior (250)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Language

en216
zh16
ja14
es4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Country

US: USA104
DE: Germany80
CN: China34
JP: Japan18
MN: Mongolia4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Actors

APT177
FunnySwitch3
Cobalt Strike3
IRGC1
Feodo1

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Activities

Interest

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Type

Not Defined34
Content Management System14
WordPress Plugin6
Operating System6
Router Operating System4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vendor

Not Defined52
Microsoft4
Cisco2
GNU2
Progress2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Product

WordPress6
WeiPHP4
FreeBSD4
Intuitive Custom Post Order Plugin2
Postfix Admin2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vulnerabilities

These are the vulnerabilities that we have identified as researched, approached, or attacked.

#VulnerabilityBaseTemp0dayTodayExpCouKEVEPSSCTICVE
1DZCP deV!L`z Clanportal config.php code injection7.36.6$0-$5k$0-$5kProof-of-ConceptOfficial fix 0.009700.02CVE-2010-0966
2Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure5.35.2$5k-$25kCalculatingHighWorkaroundpossible0.029560.00CVE-2007-1192
3jforum username User input validation5.35.3$0-$5k$0-$5kNot definedNot defined 0.004430.05CVE-2019-7550
4ESET Server Security for Linux privileges management7.57.4$0-$5k$0-$5kNot definedOfficial fix 0.000440.05CVE-2023-2847
5CrowdStrike Falcon Uninstallation authorization3.53.5$0-$5k$0-$5kFunctionalOfficial fix 0.012420.03CVE-2022-2841
6Postfix Admin functions.inc.php sql injection7.37.0$5k-$25k$0-$5kHighOfficial fix 0.005150.03CVE-2014-2655
7OpenSSH Login Session information exposure4.54.4$5k-$25k$0-$5kNot definedOfficial fix 0.200040.04CVE-2016-20012
8ESET Cyber Security/Endpoint Security temp file5.55.3$0-$5k$0-$5kNot definedOfficial fix 0.000430.08CVE-2024-6654
9Realink C-Arbre richtxt_functions.inc.php file inclusion9.88.9$0-$5k$0-$5kProof-of-ConceptNot defined 0.046600.00CVE-2007-1721
10Scripter.ch Gastebuch sinagb.php file inclusion7.36.9$0-$5k$0-$5kProof-of-ConceptUnavailable 0.057350.00CVE-2007-1130
11lighttpd burl.c burl_normalize_2F_to_slash_fix integer overflow9.08.9$0-$5k$0-$5kNot definedOfficial fix 0.050230.00CVE-2019-11072
12WP-Members Membership Plugin Setting authorization5.35.2$0-$5k$0-$5kNot definedNot defined 0.001200.00CVE-2023-2869
13SourceCodester Complaint Management System Lodge Complaint Section register-complaint.php unrestricted upload7.16.9$0-$5k$0-$5kProof-of-ConceptNot defined 0.000940.13CVE-2024-1875
14OPNsense setJob command injection7.67.5$0-$5k$0-$5kNot definedOfficial fix 0.046080.06CVE-2023-39008
15Fortinet FortiOS/FortiProxy HA Request privileges management8.88.6$0-$5k$0-$5kNot definedOfficial fix 0.001260.00CVE-2023-44250
16jQuery Cookie Prototype cross site scripting3.53.5$0-$5k$0-$5kNot definedNot defined 0.000690.00CVE-2022-23395
17Flexera FlexNet Publisher Command lmadmin.exe unusual condition6.46.4$0-$5k$0-$5kNot definedNot defined 0.003890.03CVE-2019-8960
18ESET NOD32 Antivirus File permission7.87.6$0-$5k$0-$5kNot definedOfficial fix 0.000440.00CVE-2023-3160
19Citrix StoreFront SAML Authentication cross site scripting3.53.4$0-$5k$0-$5kNot definedOfficial fix 0.005870.05CVE-2022-27503
20QNAP QTS/QuTS hero/QuTScloud os command injection9.89.6$0-$5k$0-$5kNot definedOfficial fix 0.046630.00CVE-2023-23368

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • CCleaner

IOC - Indicator of Compromise (21)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

IDIP addressHostnameActorCampaignsIdentifiedTypeConfidence
11.234.52.111APT1712/15/2020verifiedLow
28.9.11.1308.9.11.130.vultr.comAPT1703/05/2022verifiedVery Low
345.76.6.14945.76.6.149.vultr.comAPT1703/05/2022verifiedVery Low
445.76.31.15945.76.31.159.vultr.comAPT1703/05/2022verifiedVery Low
569.80.72.165APT1712/15/2020verifiedLow
6XXX.XX.XX.XXXxxx.xx.xx.xxx.xxxxxx.xxxxxxxx.xxxXxxxx03/05/2022verifiedLow
7XXX.XXX.XX.XXxxxxxxxxxx.xxxxx.xxXxxxx12/15/2020verifiedLow
8XXX.XXX.XX.XXXxxxxxxxxxxxxxx.xxxxx.xxXxxxx12/15/2020verifiedLow
9XXX.XXX.XX.XXXxxx-xxx-xx-xxx-xxxx.xxxxxxxxxxxx.xxxXxxxx03/05/2022verifiedLow
10XXX.XXX.XX.XXXxxx.xxx.xx.xxx.xxxxx.xxxXxxxx03/05/2022verifiedVery Low
11XXX.XX.XXX.XXXxxxx12/15/2020verifiedLow
12XXX.XXX.XX.XXXxxxxxxx.xxxxxxxx.xx.xx-xxx.xx.xxXxxxx12/15/2020verifiedLow
13XXX.XXX.XXX.XXXXxxxx03/05/2022verifiedLow
14XXX.XXX.XXX.XXXxxxx12/15/2020verifiedLow
15XXX.XXX.XX.XXxxxxxxx.xxxx.xxXxxxx12/15/2020verifiedLow
16XXX.XX.XX.XXXxxx.xx.xx.xxx.xxxxx.xxxXxxxx03/05/2022verifiedVery Low
17XXX.XX.XX.XXxxx.xx.xx.xx.xxxxx.xxxXxxxx03/05/2022verifiedVery Low
18XXX.XXX.XXX.XXXXxxxx12/15/2020verifiedLow
19XXX.XX.XX.XXXXxxxx12/15/2020verifiedLow
20XXX.XXX.XXX.XXXXxxxxXxxxxxxx12/23/2020verifiedLow
21XXX.XXX.XXX.XXXxxxx12/15/2020verifiedLow

TTP - Tactics, Techniques, Procedures (19)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IDTechniqueClassVulnerabilitiesAccess VectorTypeConfidence
1T1006CAPEC-126CWE-22Path TraversalpredictiveHigh
2T1040CAPEC-102CWE-319Authentication Bypass by Capture-replaypredictiveHigh
3T1055CAPEC-10CWE-74Improper Neutralization of Data within XPath ExpressionspredictiveHigh
4T1059CAPEC-242CWE-94Argument InjectionpredictiveHigh
5TXXXX.XXXCAPEC-XXXCWE-XX, CWE-XXXxxxx Xxxxx Xxxx XxxxxxxxxpredictiveHigh
6TXXXXCAPEC-XXXCWE-XXX, CWE-XXXXxxxxxxxx Xxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
7TXXXX.XXXCWE-XXXXxx-xxx Xxxx Xxxxxxx XxxxpredictiveHigh
8TXXXXCAPEC-XXXCWE-XX, CWE-XXXxxxxxx Xxxxx Xx Xxxxxxxxxx Xxxxxxxxxx XxxxxxxxxpredictiveHigh
9TXXXX.XXXCAPEC-XXXCWE-XXXXxxx XxxxxxxxpredictiveHigh
10TXXXXCWE-XXX7xx Xxxxxxxx XxxxxxxxpredictiveHigh
11TXXXXCWE-XXXXxxxxxxxxx XxxxxxpredictiveHigh
12TXXXXCAPEC-XXXCWE-XXXxx XxxxxxxxxpredictiveHigh
13TXXXX.XXXCAPEC-XCWE-XXXXxxxxxxx XxxxxxxxxxxxxpredictiveHigh
14TXXXXCAPEC-XXCWE-XXXXxxxxxxxxxx XxxxxxxxxxpredictiveHigh
15TXXXXCAPEC-XXCWE-XXXXxxxxxxxx Xxxxxx XxxxpredictiveHigh
16TXXXX.XXXCAPEC-XXXCWE-XXX, CWE-XXXXxxxxxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
17TXXXX.XXXCAPEC-XXXCWE-XXXXxxxxxxxpredictiveHigh
18TXXXXCAPEC-XXXCWE-XXX, CWE-XXX, CWE-XXX, CWE-XXXXxxxxxxxxx Xx Xxxxxxx Xxxxx Xxxxxxx Xxxxxxxxx XxxxxxxxxxxpredictiveHigh
19TXXXX.XXXCAPEC-XCWE-XXXXxxxxxxxxx Xxxxxxxxxxxxxx Xx Xxxxxxxx Xxxx XxxxxxxxxpredictiveHigh

IOA - Indicator of Attack (62)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

IDClassIndicatorTypeConfidence
1File.htaccesspredictiveMedium
2File/api/cron/settings/setJob/predictiveHigh
3File/api/DownloadUrlResponse.ashxpredictiveHigh
4File/wbg/core/_includes/authorization.inc.phppredictiveHigh
5Fileaddentry.phppredictiveMedium
6Fileburl.cpredictiveLow
7Filedata/gbconfiguration.datpredictiveHigh
8Filedetail.phppredictiveMedium
9Filexxxxxxxxx.xxx.xxxpredictiveHigh
10Filexxxxxx/xxxxxxxxxxxxpredictiveHigh
11Filexxxx.xxxpredictiveMedium
12Filexxxxxxxxx.xxxpredictiveHigh
13Filexxx/xxxxxx.xxxpredictiveHigh
14Filexxx/xxxxxxxxxxx/xxxxxxx.xxxpredictiveHigh
15Filexxxxxxxxxx/xxxxxxx.xpredictiveHigh
16Filexxxxxxx.xxxpredictiveMedium
17Filexxxxxxx.xxxpredictiveMedium
18Filexxx_xx_xx_xxxxxxxx.xxxpredictiveHigh
19Filexxxxx.xxxpredictiveMedium
20Filexxxxx-xxxx/xxxxx-xxxxx-xxxx.xxxpredictiveHigh
21Filexxxxxxxx.xxxpredictiveMedium
22Filexxxxxxxx/xxxxx/xxxxxxxx?xxxxxxxxpredictiveHigh
23Filexxxxxxx_xxxxxxxxx.xxx.xxxpredictiveHigh
24Filexxxx.xpredictiveLow
25Filexxxxxx.xxxpredictiveMedium
26Filexxx/xxxxxxxxx/xxxxxxxxxxxxx/xxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxx.xxxpredictiveHigh
27Filexxxxxxx.xxx.xx.xxxxxxxxxxx.xxxpredictiveHigh
28Filexxxxxxxx.xxxxx.xxxpredictiveHigh
29Filexxxxx.xxxpredictiveMedium
30Filexxxxxxx/xxxxxxxx.xxxpredictiveHigh
31Filexxxxx/xxxxxxxx-xxxxxxxxx.xxxpredictiveHigh
32Filexxxxx.xxxpredictiveMedium
33Filexx-xxxxx/xxxxx.xxxpredictiveHigh
34Filexx-xxxxx/xxxxx-xxxxxx.xxxpredictiveHigh
35Filexx-xxxxxxxx/xxxxx-xx-xxxxx.xxxpredictiveHigh
36Filexx-xxxxxxxx/xxxx-xxx/xxxxxxxxx/xxxxx-xx-xxxx-xxxxx-xxxxxxxxxx.xxxpredictiveHigh
37Filexx-xxxxx.xxxpredictiveMedium
38Libraryxxxxxxxx.xxxpredictiveMedium
39Argumentxx_xxxxx_xxx_xxxxpredictiveHigh
40ArgumentxxxxxxxxpredictiveMedium
41ArgumentxxxxxxxxxxpredictiveMedium
42ArgumentxxxxxxxpredictiveLow
43ArgumentxxxxpredictiveLow
44ArgumentxxxxpredictiveLow
45ArgumentxxxxpredictiveLow
46ArgumentxxxxpredictiveLow
47ArgumentxxxxpredictiveLow
48ArgumentxxxxpredictiveLow
49Argumentxxxx/xxxxxxxxxxxpredictiveHigh
50ArgumentxxxxxpredictiveLow
51ArgumentxxxxxxxxxxpredictiveMedium
52Argumentxxxx_xxxxpredictiveMedium
53Argumentxxxx_xxxxxpredictiveMedium
54ArgumentxxxxxxxpredictiveLow
55Argumentxxxx_xxpredictiveLow
56ArgumentxxxpredictiveLow
57Argumentxxx_xxxxxpredictiveMedium
58Argumentx_xxxxpredictiveLow
59Argument\xxxxxx\predictiveMedium
60Argument_xxx_xxxxxxxxxxx_predictiveHigh
61Input Value../../../../../xxx/xxx/xxxxx/xxxx/xxxxxxxx/xxxxx/xxx.xxxpredictiveHigh
62Input Value/%xxpredictiveLow

References (4)

The following list contains external sources which discuss the actor and the associated activities:

PreviousOverviewNext

This view requires CTI permissions

Just purchase a CTI license today!