BlueNoroff Analysis

IOB - Indicator of Behavior (86)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Language

en: 70
zh: 6
de: 4
fr: 2
it: 2

Activities

Interest

Product

SourceCodester Grade Point Average GPA Calculator: 4
PHP: 4
phpMyAdmin: 4
UliCMS: 2
Synacor Zimbra Collaboration: 2

Vulnerabilities

These are the vulnerabilities that we have identified as researched, approached, or attacked.

| # | Vulnerability | Base | Temp | 0day | Today | Exp | Cou | KEV | EPSS | CTI | CVE |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure | 5.3 | 5.2 | $5k-$25k | Calculating | High | Workaround | possible | 0.02956 | 0.00 | CVE-2007-1192 |
| 2 | Microsoft Windows Domain Name Service privilege escalation | 6.6 | 6.1 | $25k-$100k | $5k-$25k | Unproven | Official fix | | 0.02549 | 0.00 | CVE-2023-28223 |
| 3 | LogicBoard CMS away.php redirect | 6.3 | 6.1 | $0-$5k | $0-$5k | Not defined | Unavailable | | 0.00000 | 0.67 | |
| 4 | Bludit Login Panel cross site scripting | 4.4 | 4.4 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.02675 | 0.06 | CVE-2021-45745 |
| 5 | MGB OpenSource Guestbook email.php sql injection | 7.3 | 7.3 | $0-$5k | $0-$5k | High | Unavailable | possible | 0.01686 | 0.06 | CVE-2007-0354 |
| 6 | FLDS redir.php sql injection | 7.3 | 7.3 | $0-$5k | $0-$5k | High | Unavailable | possible | 0.00202 | 0.17 | CVE-2008-5928 |
| 7 | DZCP deV!L`z Clanportal config.php code injection | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official fix | | 0.00970 | 0.07 | CVE-2010-0966 |
| 8 | HTTP/2 Stream Rapid Reset denial of service | 6.8 | 6.7 | $0-$5k | $0-$5k | High | Official fix | verified | 0.94437 | 0.00 | CVE-2023-44487 |
| 9 | Apache James Server os command injection | 8.1 | 7.9 | $5k-$25k | $0-$5k | Proof-of-Concept | Official fix | possible | 0.78829 | 0.00 | CVE-2015-7611 |
| 10 | Devilz Clanportal index.php sql injection | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Unavailable | | 0.01016 | 0.04 | CVE-2006-3347 |
| 11 | TeamViewer Remote Full Client/Remote Host Printer Driver Installation TeamViewer_service.exe signature verification | 8.3 | 7.9 | $0-$5k | $0-$5k | Proof-of-Concept | Official fix | | 0.00091 | 0.00 | CVE-2024-7481 |
| 12 | Mikrobi Babel redirect.php | 6.6 | 6.6 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.21947 | 0.00 | CVE-2019-1010290 |
| 13 | My Link Trader out.php sql injection | 6.3 | 5.7 | $0-$5k | $0-$5k | Proof-of-Concept | Not defined | | 0.00000 | 0.02 | |
| 14 | phpMyAdmin Redirect url.php 7pk security | 7.3 | 7.0 | $5k-$25k | $0-$5k | Not defined | Official fix | | 0.00625 | 0.03 | CVE-2015-7873 |
| 15 | UliCMS index.php cross site scripting | 5.7 | 5.5 | $0-$5k | $0-$5k | Proof-of-Concept | Not defined | | 0.04611 | 0.06 | CVE-2019-11398 |
| 16 | CData API Server Embedded Jetty Server path traversal | 9.8 | 9.6 | $0-$5k | $0-$5k | Not defined | Official fix | expected | 0.91788 | 0.00 | CVE-2024-31848 |
| 17 | Schneider Electric Galaxy VS/Galaxy VL Network Management Card path traversal | 5.3 | 5.2 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.00272 | 0.00 | CVE-2023-6032 |
| 18 | Microsoft Windows DWM Core Library heap-based overflow | 7.8 | 7.5 | $25k-$100k | $0-$5k | High | Official fix | verified | 0.56629 | 0.00 | CVE-2024-30051 |
| 19 | Frappe Framework sql injection | 7.5 | 7.4 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.01068 | 0.00 | CVE-2019-14966 |
| 20 | Alt-N MDaemon Worldclient injection | 4.9 | 4.7 | $5k-$25k | $0-$5k | Not defined | Official fix | | 0.01417 | 0.06 | CVE-2021-27182 |

IOC - Indicator of Compromise (9)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (12)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (50)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

| ID | Class | Indicator | Type | Confidence |
|---|---|---|---|---|
| 1 | File | /forum/away.php | predictive | High |
| 2 | File | /mgmt/tm/util/bash | predictive | High |
| 3 | File | /out.php | predictive | Medium |
| 4 | File | 14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi | predictive | High |
| 5 | File | acme_certificate_edit.php | predictive | High |
| 6 | File | admin/index.php | predictive | High |
| 7 | File | auth.php | predictive | Medium |
