APT32 Analysis

Activities

Timeline

The analysis of the timeline helps to identify the required approach to, and handling of, single vulnerabilities and vulnerability collections. This overview makes it possible to see less important slices and more severe hotspots at a glance, so that immediate vulnerability response can be initiated and issues can be prioritized.

Lang

Lang | Count
en | 450
it | 39
zh | 29
fr | 17
de | 6

Country

Country | Count
us | 414
cn | 85
vn | 18
tr | 11
id | 3


Type

The moderation team is working with the threat intelligence team to categorize software that is affected by security vulnerabilities. This helps to illustrate the assignment of these categories to determine the most affected software types.

Vendor

Identifying all affected vendors is a good starting point for an overview. This makes it possible to determine whether the landscape is homogeneous, or to find the most important hotspots in a heterogeneous landscape.

Product

Product | Count
Google Android | 22
Linux Kernel | 18
Apple iOS | 14
Apple macOS | 12
Microsoft Windows | 7

Grouping vulnerabilities by product helps to get an overview. This makes it possible to determine whether the landscape is homogeneous, or to find the most important hotspots in a heterogeneous landscape.

Vulnerabilities

# | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | CTI | CVE
1 | Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure | 5.3 | 5.2 | $10k-$25k | $0-$1k | High | Workaround | 0.05 | CVE-2007-1192
2 | Google Chrome V8 Remote Code Execution | 6.3 | 6.0 | $50k-$100k | $10k-$25k | Not Defined | Official Fix | 0.03 | CVE-2020-16040
3 | DZCP deV!L`z Clanportal config.php code injection | 7.3 | 6.6 | $2k-$5k | $0-$1k | Proof-of-Concept | Official Fix | 0.40 | CVE-2010-0966
4 | Apache PDFbox XML Parser xml external entity reference | 7.8 | 7.5 | $10k-$25k | $0-$1k | Not Defined | Official Fix | 0.00 | CVE-2016-2175
5 | Google Android SimpleDecodingSource.cpp doRead privileges management | 9.8 | 9.6 | $50k-$100k | $25k-$50k | Not Defined | Official Fix | 0.05 | CVE-2021-39623
6 | D-Link DCS-2530L/DCS-2670L ddns_enc.cgi command injection | 7.5 | 7.5 | $10k-$25k | $10k-$25k | Not Defined | Not Defined | 0.03 | CVE-2020-25079
7 | Gempar Script Toko Online shop_display_products.php sql injection | 7.3 | 6.9 | $2k-$5k | $0-$1k | Proof-of-Concept | Not Defined | 0.03 | CVE-2009-0296
8 | Puppet Agent SSL Certificate Valu certificate validation | 5.5 | 5.3 | $1k-$2k | $0-$1k | Not Defined | Official Fix | 0.04 | CVE-2018-11751
9 | Norton Password Manager origin validation | 6.3 | 6.0 | $2k-$5k | $0-$1k | Not Defined | Official Fix | 0.04 | CVE-2019-18381
10 | Facebook osquery Configuration extensions.load link following | 7.7 | 7.3 | $10k-$25k | $1k-$2k | Not Defined | Official Fix | 0.04 | CVE-2019-3567
11 | TP-Link AC1750 NetUSB.ko integer overflow | 8.8 | 8.6 | $2k-$5k | $0-$1k | Not Defined | Official Fix | 0.03 | CVE-2022-24354
12 | Pallets Werkzeug Windows SharedDataMiddleware path traversal | 7.5 | 7.2 | $2k-$5k | $0-$1k | Not Defined | Official Fix | 0.00 | CVE-2019-14322
13 | Peplink Balance Web Admin connector.php information disclosure | 5.9 | 5.6 | $1k-$2k | $0-$1k | Not Defined | Official Fix | 0.05 | CVE-2020-24246
14 | Tenda AC11 POST Request setmac stack-based overflow | 7.6 | 7.6 | $2k-$5k | $1k-$2k | Not Defined | Not Defined | 0.06 | CVE-2021-31755
15 | Apple macOS Kernel type confusion | 7.8 | 7.5 | $10k-$25k | $2k-$5k | High | Official Fix | 0.03 | CVE-2020-27932
16 | Apple tvOS LaunchServices sandbox | 5.3 | 5.1 | $2k-$5k | $0-$1k | Not Defined | Official Fix | 0.05 | CVE-2021-30677
17 | Zyxel USG/USG Flex/Zywall/ATP/VPN Web-based Management Interface improper authentication | 7.3 | 7.3 | $10k-$25k | $5k-$10k | Not Defined | Not Defined | 0.07 | CVE-2021-35029
18 | Fortinet FortiWeb Management Interface os command injection | 6.3 | 6.3 | $2k-$5k | $1k-$2k | Not Defined | Not Defined | 0.03 | CVE-2021-22123
19 | Apple iOS/iPadOS FontParser memory corruption | 6.3 | 6.0 | $100k and more | $25k-$50k | Proof-of-Concept | Official Fix | 0.00 | CVE-2020-27930
20 | Yaws Web Server CGI os command injection | 8.5 | 8.5 | $2k-$5k | $1k-$2k | Not Defined | Not Defined | 0.04 | CVE-2020-24916

Campaigns (2)

These are the campaigns that can be associated with the actor:

  • Cobalt Kitty
  • OceanLotus

IOC - Indicator of Compromise (60)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

ID | IP address | Hostname | Actor | Campaigns | Type | Confidence
1 | 23.227.196.126 | 23-227-196-126.static.hvvc.us | APT32 | Cobalt Kitty | verified | High
2 | 23.227.196.210 | 23-227-196-210.static.hvvc.us | APT32 | | verified | High
3 | 23.227.199.121 | 23-227-199-121.static.hvvc.us | APT32 | Cobalt Kitty | verified | High
4 | 27.102.70.211 | | APT32 | Cobalt Kitty | verified | High
5 | 37.59.198.130 | | APT32 | OceanLotus | verified | High
6 | 37.59.198.131 | | APT32 | OceanLotus | verified | High
7 | 45.32.100.179 | 45.32.100.179.vultr.com | APT32 | OceanLotus | verified | Medium
8 | 45.32.105.45 | | APT32 | OceanLotus | verified | High
9 | 45.32.114.49 | 45.32.114.49.vultr.com | APT32 | OceanLotus | verified | Medium
10 | 45.76.147.201 | 45.76.147.201.vultr.com | APT32 | OceanLotus | verified | Medium
11 | 45.76.179.28 | 45.76.179.28.vultr.com | APT32 | OceanLotus | verified | Medium
12 | 45.76.179.151 | 45.76.179.151.vultr.com | APT32 | OceanLotus | verified | Medium
13 | 45.77.39.101 | 45.77.39.101.vultr.com | APT32 | OceanLotus | verified | Medium
14 | 45.114.117.137 | | APT32 | Cobalt Kitty | verified | High
15 | 45.114.117.164 | folien.reisnart.com | APT32 | OceanLotus | verified | High
16 | 64.62.174.9 | agent2.jenkins.aoindustries.com | APT32 | OceanLotus | verified | High
17 | 64.62.174.16 | unassigned16.net2.fc.aoindustries.com | APT32 | OceanLotus | verified | High
18 | 64.62.174.17 | unassigned17.net2.fc.aoindustries.com | APT32 | OceanLotus | verified | High
19 | 64.62.174.21 | unassigned21.net2.fc.aoindustries.com | APT32 | OceanLotus | verified | High
20 | 64.62.174.41 | dev1.plant-orbit.com | APT32 | OceanLotus | verified | High
21 | 64.62.174.99 | unassigned99.net2.fc.aoindustries.com | APT32 | OceanLotus | verified | High
22 | 64.62.174.145 | unassigned145.net2.fc.aoindustries.com | APT32 | OceanLotus | verified | High
23 | 64.62.174.146 | unassigned146.net2.fc.aoindustries.com | APT32 | OceanLotus | verified | High
24 | 79.143.87.174 | | APT32 | OceanLotus | verified | High
25 | 80.255.3.87 | | APT32 | | verified | High
26 | 89.33.64.207 | | APT32 | OceanLotus | verified | High
27 | 89.33.64.232 | mypicsfromplane.com | APT32 | OceanLotus | verified | High
28 | 103.28.44.112 | 103028044112.hkserverdomain.com | APT32 | OceanLotus | verified | High
29 | 103.28.44.115 | 103028044115.hkserverdomain.com | APT32 | OceanLotus | verified | High
30 | 103.41.177.33 | | APT32 | Cobalt Kitty | verified | High
31 | 103.53.197.202 | sg06.dewaweb.com | APT32 | | verified | High
32 | 104.24.118.185 | | APT32 | Cobalt Kitty | verified | High
33 | 104.24.119.185 | | APT32 | Cobalt Kitty | verified | High
34 | 104.27.166.79 | | APT32 | Cobalt Kitty | verified | High
35 | 104.27.167.79 | | APT32 | Cobalt Kitty | verified | High
36 | 104.237.218.67 | usgreatly.com | APT32 | Cobalt Kitty | verified | High
37 | 104.237.218.70 | 70.utdanne.104.xandien.nl | APT32 | | verified | High
38 | 104.237.218.72 | emudd.pointumetwe.com | APT32 | | verified | High
39 | 108.170.31.69 | | APT32 | Cobalt Kitty | verified | High
40 | 110.10.179.65 | | APT32 | Cobalt Kitty | verified | High
41 | 128.199.90.216 | | APT32 | OceanLotus | verified | High
42 | 128.199.227.80 | 426977.cloudwaysapps.com | APT32 | OceanLotus | verified | High
43 | 138.197.236.215 | | APT32 | OceanLotus | verified | High
44 | 139.59.217.207 | | APT32 | OceanLotus | verified | High
45 | 139.59.220.10 | | APT32 | OceanLotus | verified | High
46 | 139.59.220.12 | | APT32 | OceanLotus | verified | High
47 | 139.59.223.191 | | APT32 | OceanLotus | verified | High
48 | 176.107.176.6 | 176.107.176.6.ptr | APT32 | Cobalt Kitty | verified | High
49 | 176.107.177.216 | 176.107.177.216.deltahost-ptr | APT32 | Cobalt Kitty | verified | High
50 | 176.223.111.116 | | APT32 | Cobalt Kitty | verified | High
51 | 184.95.51.179 | pen179.penflexhost.com | APT32 | Cobalt Kitty | verified | High
52 | 184.95.51.181 | mx.earthgeneration.org | APT32 | Cobalt Kitty | verified | High
53 | 184.95.51.190 | laudantiumkvgqi.finewonu.club | APT32 | Cobalt Kitty | verified | High
54 | 185.157.79.3 | 185.157.79.3.deltahost-ptr | APT32 | | verified | High
55 | 188.166.219.186 | 96006.cloudwaysapps.com | APT32 | OceanLotus | verified | High
56 | 192.121.176.148 | | APT32 | Cobalt Kitty | verified | High
57 | 193.169.245.78 | 193.169.245.78.deltahost-ptr | APT32 | | verified | High
58 | 193.169.245.137 | n116.deltahost.com.ua | APT32 | | verified | High
59 | 203.114.75.22 | | APT32 | OceanLotus | verified | High
60 | 203.114.75.73 | | APT32 | OceanLotus | verified | High

TTP - Tactics, Techniques, Procedures (9)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Vulnerabilities | Access Vector | Type | Confidence
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | predictive | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | predictive | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | predictive | High
4 | T1211 | CWE-254 | 7PK Security Features | predictive | High
5 | T1222 | CWE-275 | Permission Issues | predictive | High
6 | T1548.002 | CWE-285 | Improper Authorization | predictive | High
7 | T1552 | CWE-319, CWE-522 | Unprotected Storage of Credentials | predictive | High
8 | T1587.003 | CWE-295 | Improper Certificate Validation | predictive | High
9 | T1600 | CWE-310, CWE-311, CWE-327 | Cryptographic Issues | predictive | High

IOA - Indicator of Attack (205)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1 | File | /admin/ | predictive | Low
2 | File | /cgi-bin/cgiServer.exx | predictive | High
3 | File | /cgi-bin/login_action.cgi | predictive | High
4 | File | /cgi-bin/nobody/Search.cgi | predictive | High
5 | File | /cgi-bin/webviewer_login_page | predictive | High
6 | File | /dev/sg0 | predictive | Medium
7 | File | /event/runquery.do | predictive | High
8 | File | /filemanager/php/connector.php | predictive | High
9 | File | /forum/away.php | predictive | High
10 | File | /goform/setmac | predictive | High
11 | File | /log_download.cgi | predictive | High
12 | File | /manager?action=getlogcat | predictive | High
13 | File | /mgmt/tm/util/bash | predictive | High
14 | File | /pages/systemcall.php?command={COMMAND} | predictive | High
15 | File | /password.html | predictive | High
16 | File | /system/ws/v11/ss/email | predictive | High
17 | File | /uncpath/ | predictive | Medium
18 | File | add_vhost.php | predictive | High
19 | File | admin/images.aspx | predictive | High
20 | File | admin/index.php | predictive | High
21 | File | adv2.php?action=modify | predictive | High
22 | File | agent.cfg | predictive | Medium
23 | File | arch/x86/include/asm/fpu/internal.h | predictive | High
24 | File | asm/float.c | predictive | Medium
25 | File | asm/nasm.c | predictive | Medium
26 | File | auth.php | predictive | Medium
27 | File | backup.cgi | predictive | Medium
28 | File | binder.c | predictive | Medium
29 | File | bitfield.c | predictive | Medium
30 | File | blob.cpp | predictive | Medium
31 | File | books.php | predictive | Medium
32 | File | c.php | predictive | Low
33 | File | cgi-bin/ | predictive | Medium
34 | File | cgi-bin/ddns_enc.cgi | predictive | High
35 | File | cgi-bin/luci/admin/network/firewall/rules | predictive | High
36 | File | cgi-bin/MANGA/admin.cgi | predictive | High
37 | File | cli.conf | predictive | Medium
38 | File | coders/png.c | predictive | Medium
39 | File | coders/tiff.c | predictive | High
40 | File | coffgen.c | predictive | Medium
41 | File | config.xml | predictive | Medium
42 | File | data/gbconfiguration.dat | predictive | High
43 | File | db.php | predictive | Low
44 | File | detail.php | predictive | Medium
45 | File | devtools.sh | predictive | Medium
46 | File | domain/section/markdown/markdown.go | predictive | High
47 | File | drivers/gpu/drm/udl/udl_fb.c | predictive | High
48 | File | drivers/scsi/sr_ioctl.c | predictive | High
49 | File | drivers/usb/misc/iowarrior.c | predictive | High
50 | File | ebmlstring.c | predictive | Medium
51 | File | elf.c | predictive | Low
52 | File | events-manager.js | predictive | High
53 | File | ExceptionHandler.php | predictive | High
54 | File | extensions.load | predictive | High
55 | File | FlexPaperViewer.swf | predictive | High
56 | File | FortiClientOnlineInstaller.exe | predictive | High
57 | File | framework/core/subsystems/expRouter.php | predictive | High
58 | File | fs/userfaultfd.c | predictive | High
59 | File | function.c | predictive | Medium
60 | File | functions.php | predictive | High
61 | File | functions_mod_user.php | predictive | High
62 | File | getRemoteImage.php | predictive | High
63 | File | get_set.ccp | predictive | Medium
64 | File | gki_buffer.cc | predictive | High
65 | File | handle_load_config.php | predictive | High
66 | File | hh.exe | predictive | Low
67 | File | image_upload.php | predictive | High
68 | File | imap/lmtp_sieve.c | predictive | High
69 | File | inc/config.php | predictive | High
70 | File | inc/filebrowser/browser.php | predictive | High
71 | File | include/findusers.php | predictive | High
72 | File | includes/head.inc.php | predictive | High
73 | File | index.php | predictive | Medium
74 | File | init.inc.php | predictive | Medium
75 | File | intervalCheck.jsp | predictive | High
76 | File | iptc.c | predictive | Low
77 | File | ItemReview.php | predictive | High
78 | File | items.c | predictive | Low
79 | File | items.queries.php | predictive | High
80 | File | item_show.php | predictive | High
81 | File | JBIG2Stream.cc | predictive | High
82 | File | jeecgFormDemoController.do?commonUpload | predictive | High
83 | File | jfinal_cms/admin/filemanager/list | predictive | High
84 | File | jpgraph.php | predictive | Medium
85 | File | kbdint.c | predictive | Medium
86 | File | kernel/events/core.c | predictive | High
87 | File | kernel/exit.c | predictive | High
88 | File | kernel/trace/trace_events_filter.c | predictive | High
89 | File | launchd | predictive | Low
90 | File | libnvmmlite_video.so | predictive | High
91 | File | libr/asm/asm.c | predictive | High
92 | File | main/scala/authentikat/jwt/JsonWebToken.scala | predictive | High
93 | File | mm/mempolicy.c | predictive | High
94 | File | mm/oom_kill.c | predictive | High
95 | File | model/__show_info.php | predictive | High
96 | File | modules/m_sasl.c | predictive | High
97 | File | NativeNfcManager.cpp | predictive | High
98 | File | net/ipv4/datagram.c | predictive | High
99 | File | net/ipv4/inet_connection_sock.c | predictive | High
100 | File | net/packet/af_packet.c | predictive | High
101 | File | openjp2/pi.c | predictive | Medium
102 | File | prod.php | predictive | Medium
103 | File | prog/htmlviewer.c | predictive | High
104 | File | proxy.cgi | predictive | Medium
105 | File | public/index.php/home | predictive | High
106 | File | public/index.php/home/membersnsfriend/findlist.html | predictive | High
107 | File | QueryComponentRendererValue!Default.jspa | predictive | High
108 | File | RecentLocationApps.java | predictive | High
109 | File | register/check/username?username | predictive | High
110 | File | registration_detailed.inc.php | predictive | High
111 | File | secure_img_render.php | predictive | High
112 | File | setenv.sh | predictive | Medium
113 | File | setup/index.php | predictive | High
114 | File | shop.cgi | predictive | Medium
115 | File | shop_display_products.php | predictive | High
116 | File | showcat.php | predictive | Medium
117 | File | SimpleDecodingSource.cpp | predictive | High
118 | File | software-description.php | predictive | High
119 | File | svox_ssml_parser.cpp | predictive | High
120 | File | SystemEvent.jsp | predictive | High
121 | File | system_log.cgi | predictive | High
122 | File | tls1.c | predictive | Low
123 | File | ui/artifact/upload | predictive | High
124 | File | upgrade_handle.php | predictive | High
125 | File | view/ProductsView.php | predictive | High
126 | File | welcome.php | predictive | Medium
127 | File | www/content/lessons/"lesson | predictive | High
128 | Library | AeXNSPkgDLLib.dll | predictive | High
129 | Library | ATIDXX64.DLL | predictive | Medium
130 | Library | ENCDEC.DLL | predictive | Medium
131 | Library | fs/ncpfs/ncplib_kernel.c | predictive | High
132 | Library | igcore19d.dll | predictive | High
133 | Library | Lib/DocXMLRPCServer.py | predictive | High
134 | Library | lib/MongoLite/Database.php | predictive | High
135 | Library | lib/rrd.php | predictive | Medium
136 | Library | Monitor_win7_x64.sys | predictive | High
137 | Library | Monitor_x86.sys | predictive | High
138 | Argument | $line | predictive | Low
139 | Argument | %s | predictive | Low
140 | Argument | agentid | predictive | Low
141 | Argument | app | predictive | Low
142 | Argument | AUTHENTICATE | predictive | Medium
143 | Argument | basePath | predictive | Medium
144 | Argument | bauth | predictive | Low
145 | Argument | bookid | predictive | Low
146 | Argument | cat | predictive | Low
147 | Argument | catid | predictive | Low
148 | Argument | cat_id | predictive | Low
149 | Argument | ccp_act | predictive | Low
150 | Argument | code_no | predictive | Low
151 | Argument | configFile | predictive | Medium
152 | Argument | content | predictive | Low
153 | Argument | Content-Length | predictive | High
154 | Argument | CPG_M_DIR | predictive | Medium
155 | Argument | data3 | predictive | Low
156 | Argument | err | predictive | Low
157 | Argument | file | predictive | Low
158 | Argument | filename | predictive | Medium
159 | Argument | fromName/message | predictive | High
160 | Argument | go | predictive | Low
161 | Argument | groups | predictive | Low
162 | Argument | id | predictive | Low
163 | Argument | ipAddr | predictive | Low
164 | Argument | IP address | predictive | Medium
165 | Argument | item_id | predictive | Low
166 | Argument | l/dl/del | predictive | Medium
167 | Argument | layout | predictive | Low
168 | Argument | mapTitle | predictive | Medium
169 | Argument | mosConfig_absolute_path | predictive | High
170 | Argument | name | predictive | Low
171 | Argument | page | predictive | Low
172 | Argument | password | predictive | Medium
173 | Argument | Password | predictive | Medium
174 | Argument | phpbb_root_path | predictive | High
175 | Argument | priority | predictive | Medium
176 | Argument | redirect | predictive | Medium
177 | Argument | Referer | predictive | Low
178 | Argument | referrer | predictive | Medium
179 | Argument | resourceName | predictive | Medium
180 | Argument | rootpath | predictive | Medium
181 | Argument | sbp | predictive | Low
182 | Argument | search | predictive | Low
183 | Argument | searchid | predictive | Medium
184 | Argument | sid | predictive | Low
185 | Argument | site | predictive | Low
186 | Argument | sms_content | predictive | Medium
187 | Argument | src | predictive | Low
188 | Argument | Swfile | predictive | Low
189 | Argument | tpldir/filename/type/nid | predictive | High
190 | Argument | upfile | predictive | Low
191 | Argument | uploaddir | predictive | Medium
192 | Argument | up_auto_log | predictive | Medium
193 | Argument | url | predictive | Low
194 | Argument | uselang | predictive | Low
195 | Argument | wd | predictive | Low
196 | Argument | _receivers | predictive | Medium
197 | Input Value | %0a/%0d | predictive | Low
198 | Input Value | ./../../../ | predictive | Medium
199 | Input Value | 1" onmouseover=prompt(947671) bad=" | predictive | High
200 | Input Value | </script><script>alert(1)</script> | predictive | High
201 | Input Value | welc0me | predictive | Low
202 | Input Value | \x3D../../../../etc/passwd | predictive | High
203 | Network Port | 8888 | predictive | Low
204 | Network Port | tcp/873 | predictive | Low
205 | Network Port | tcp/6200 | predictive | Medium

References (4)

The following list contains external sources which discuss the actor and the associated activities:
