APT2 Analysis

IOB - Indicator of Behavior (82)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

  • en: 68
  • es: 8
  • zh: 4
  • ko: 2


Country

  • cn: 72
  • fj: 4
  • kr: 4


Actors


Activities

Interest

Timeline


Type


Vendor


Product

  • Microsoft Windows: 4
  • ajenti: 2
  • YFCMF: 2
  • FileZilla FileZilla Server Terminal: 2
  • Ordasoft Com Medialibrary: 2


Vulnerabilities

| # | Vulnerability | Base | Temp | 0-day price | Today price | Exploit | Remediation | CTI | EPSS | CVE |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Cisco ASA/Firepower Threat Defense RSA Key information exposure | 6.2 | 6.2 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.02 | 0.16581 | CVE-2022-20866 |
| 2 | Kibana Region Map cross site scripting | 4.4 | 4.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.02 | 0.00885 | CVE-2019-7621 |
| 3 | Apple Mac OS X Server Wiki Server cross site scripting | 4.3 | 4.3 | $5k-$25k | $0-$5k | Not Defined | Not Defined | 0.03 | 0.01319 | CVE-2009-2814 |
| 4 | ajenti API privileges management | 6.3 | 5.2 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.02 | 0.07308 | CVE-2019-25066 |
| 5 | Oracle MySQL Server InnoDB numeric error | 9.1 | 8.7 | $25k-$100k | $0-$5k | Not Defined | Official Fix | 0.02 | 0.02686 | CVE-2016-9843 |
| 6 | Redmine Issues API permission | 7.6 | 7.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.04 | 0.00885 | CVE-2021-30164 |
| 7 | Google Go WASM module buffer overflow | 5.5 | 5.3 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.02 | 0.01108 | CVE-2021-38297 |
| 8 | D-Link DIR-867/DIR-878/DIR-882 unknown vulnerability | 7.5 | 7.5 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.04 | 0.01005 | CVE-2020-8863 |
| 9 | Ruckus Wireless C110 webs information disclosure | 6.4 | 6.4 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.03 | 0.01055 | CVE-2020-13918 |
| 10 | Cisco IOS XE Easy Virtual Switching System memory corruption | 8.9 | 8.5 | $25k-$100k | $5k-$25k | Not Defined | Official Fix | 0.00 | 0.01156 | CVE-2021-1451 |
| 11 | NullSoft WinAmp memory corruption | 10.0 | 9.4 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.01 | 0.06604 | CVE-2009-1788 |
| 12 | EDGEPHP EZArticles articles.php cross site scripting | 4.3 | 4.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00 | 0.01917 | CVE-2009-2586 |
| 13 | Ubuntu Linux Access Restriction clamav-milter.init access control | 7.8 | 7.5 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.02 | 0.00950 | CVE-2009-1601 |
| 14 | Ordasoft Com Medialibrary com_media toolbar_ext.php code injection | 7.3 | 6.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00 | 0.04187 | CVE-2009-2634 |
| 15 | Zenas Pao-bacheca Guestbook login.php access control | 7.3 | 7.3 | $0-$5k | $0-$5k | High | Unavailable | 0.00 | 0.04187 | CVE-2009-3421 |
| 16 | DragDropCart getstate.php cross site scripting | 3.5 | 3.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00 | 0.00000 | |
| 17 | Mozilla Firefox memory corruption | 8.0 | 7.7 | $25k-$100k | $0-$5k | Not Defined | Official Fix | 0.02 | 0.02686 | CVE-2018-5150 |
| 18 | WXSLToken mintToken integer overflow | 7.4 | 7.4 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.01 | 0.00885 | CVE-2018-13624 |
| 19 | SuperEnergy mintToken integer overflow | 7.4 | 7.4 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.01 | 0.00885 | CVE-2018-13743 |

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • Putter Panda

IOC - Indicator of Compromise (42)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

| ID | IP address | Hostname | Actor | Campaigns | Type | Confidence |
|---|---|---|---|---|---|---|
| 1 | 31.170.110.163 | io.uu3.net | APT2 | Putter Panda | verified | High |
| 2 | 58.196.156.15 | | APT2 | Putter Panda | verified | High |
| 3 | 59.120.168.199 | 59-120-168-199.hinet-ip.hinet.net | APT2 | | verified | High |
| 4 | 61.34.97.69 | | APT2 | | verified | High |
| 5 | 61.74.190.14 | | APT2 | | verified | High |
| 6 | 61.78.37.121 | | APT2 | | verified | High |
| 7 | 61.78.75.96 | | APT2 | | verified | High |
| 8 | 61.221.54.99 | 61-221-54-99.hinet-ip.hinet.net | APT2 | | verified | High |
| 9 | 67.42.255.50 | mail.provocc.org | APT2 | | verified | High |

Entries 10 to 42 are masked on the source page (all listed as verified, confidence High).

TTP - Tactics, Techniques, Procedures (9)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

| ID | Technique | Vulnerabilities | Access Vector | Type | Confidence |
|---|---|---|---|---|---|
| 1 | T1006 | CWE-22 | Pathname Traversal | predictive | High |
| 2 | T1059 | CWE-94 | Cross Site Scripting | predictive | High |

Entries 3 to 9 are masked on the source page (all listed as predictive, confidence High).

IOA - Indicator of Attack (30)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

| ID | Class | Indicator | Type | Confidence |
|---|---|---|---|---|
| 1 | File | /admin/blog/blogcategory/add/?_to_field=id&_popup=1 | predictive | High |
| 2 | File | /bin/boa | predictive | Medium |
| 3 | File | /DOWN/FIRMWAREUPDATE/ROM1 | predictive | High |
| 4 | File | admin/admin/adminsave.html | predictive | High |

Entries 5 to 30 are masked on the source page: 11 further File indicators, 2 Library, 12 Argument and 1 Pattern, all listed as predictive.

References (3)

The following list contains external sources which discuss the actor and the associated activities:
