Exchange Marauder Analysis

IOB - Indicator of Behavior (241)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en214
zh22
ru2
fr2
ko2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Country

us144
cn74
kr8
in2
il2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Actors

Exchange Marauder11
FIN72
Wirte1
Qakbot1

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Activities

Interest

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Type

Not Defined64
Operating System22
WordPress Plugin10
Router Operating System10
Content Management System8

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vendor

Not Defined62
Microsoft10
Zoho ManageEngine6
SolarWinds6
Linux6

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Product

Linux Kernel6
FreeBSD6
Microsoft Windows6
Wowza Streaming Engine4
WordPress4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vulnerabilities

#VulnerabilityBaseTemp0dayTodayExpRemCTIEPSSCVE
1Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure5.35.2$5k-$25kCalculatingHighWorkaround0.040.04187CVE-2007-1192
2net2ftp path traversal7.36.4$0-$5k$0-$5kUnprovenOfficial Fix0.020.06523CVE-2008-5275
3Linux Kernel Pipe Dirty Pipe Privilege Escalation6.35.7$5k-$25k$0-$5kProof-of-ConceptOfficial Fix0.060.06503CVE-2022-0847
4Microsoft IIS IP/Domain Restriction access control6.55.7$25k-$100k$0-$5kUnprovenOfficial Fix0.520.29797CVE-2014-4078
5FuelPHP code injection7.37.3$0-$5k$0-$5kNot DefinedNot Defined0.020.06523CVE-2014-1999
6phpLDAPadmin LDAP injection ldap injection8.57.7$0-$5k$0-$5kProof-of-ConceptNot Defined0.000.08382CVE-2018-12689
7FreeBSD setrlimit memory corruption6.55.6$5k-$25k$0-$5kProof-of-ConceptOfficial Fix0.000.02108CVE-2017-1085
8DZCP deV!L`z Clanportal config.php code injection7.36.6$0-$5k$0-$5kProof-of-ConceptOfficial Fix0.830.04187CVE-2010-0966
9Zoho ManageEngine ServiceDesk Plus API Endpoint User credentials management5.35.3$0-$5k$0-$5kNot DefinedNot Defined0.000.01760CVE-2018-7248
10WebARX Plugin Stored cross site scripting5.25.2$0-$5k$0-$5kNot DefinedNot Defined0.000.00885CVE-2019-17213
11jforum User input validation5.35.3$0-$5k$0-$5kNot DefinedNot Defined0.040.04499CVE-2019-7550
12ShowDoc access control5.35.3$0-$5k$0-$5kNot DefinedNot Defined0.000.01061CVE-2018-19620
13Chevereto CMS Stored cross site scripting5.24.9$0-$5kCalculatingNot DefinedOfficial Fix0.040.00885CVE-2017-1000058
14OpenBB read.php sql injection7.37.0$0-$5k$0-$5kNot DefinedOfficial Fix0.750.00986CVE-2005-1612
15Proxmox Mail Gateway redirect6.25.9$0-$5k$0-$5kNot DefinedOfficial Fix0.040.01055CVE-2015-9058
16WordPress Object injection5.35.2$5k-$25k$0-$5kNot DefinedOfficial Fix0.030.01034CVE-2022-21663
17phpMyAdmin SearchController sql injection8.07.7$5k-$25k$0-$5kNot DefinedOfficial Fix0.060.17166CVE-2020-26935
18FormCraft Plugin formcraft3_get server-side request forgery6.36.0$0-$5k$0-$5kNot DefinedOfficial Fix0.060.00885CVE-2022-0591
19CuteSoft Components Cute Editor for ASP.NET path traversal5.35.1$0-$5k$0-$5kHighOfficial Fix0.060.04187CVE-2009-4665
20Wowza Streaming Engine path traversal5.95.2$0-$5k$0-$5kNot DefinedOfficial Fix0.000.00885CVE-2017-16922

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • Exchange Marauder

IOC - Indicator of Compromise (13)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

IDIP addressHostnameActorCampaignsTypeConfidence
15.254.43.18Exchange MarauderExchange MarauderverifiedHigh
280.92.205.81vm302679.pq.hostingExchange MarauderExchange MarauderverifiedHigh
3103.77.192.219Exchange MarauderExchange MarauderverifiedHigh
4XXX.XXX.XXX.XXXxxxxxxxxx.xxxxxxxxx.xxxXxxxxxxx XxxxxxxxXxxxxxxx XxxxxxxxverifiedHigh
5XXX.XXX.XXX.XXXXxxxxxxx XxxxxxxxXxxxxxxx XxxxxxxxverifiedHigh
6XXX.XX.XXX.XXxxx.xx.xxx.xx.xxxxx.xxxXxxxxxxx XxxxxxxxXxxxxxxx XxxxxxxxverifiedMedium
7XXX.XX.XX.XXXxxx.xx.xx.xxx.xxxxx.xxxXxxxxxxx XxxxxxxxXxxxxxxx XxxxxxxxverifiedMedium
8XXX.XXX.XXX.XXXXxxxxxxx XxxxxxxxXxxxxxxx XxxxxxxxverifiedHigh
9XXX.XX.XXX.XXXXxxxxxxx XxxxxxxxXxxxxxxx XxxxxxxxverifiedHigh
10XXX.XXX.XXX.XXxxxxxx.xxxxxxxxx.xxXxxxxxxx XxxxxxxxXxxxxxxx XxxxxxxxverifiedHigh
11XXX.XX.XXX.XXXXxxxxxxx XxxxxxxxXxxxxxxx XxxxxxxxverifiedHigh
12XXX.XXX.XX.XXXxxxxxxx XxxxxxxxXxxxxxxx XxxxxxxxverifiedHigh
13XXX.XX.XX.XXXXxxxxxxx XxxxxxxxXxxxxxxx XxxxxxxxverifiedHigh

TTP - Tactics, Techniques, Procedures (17)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IDTechniqueVulnerabilitiesAccess VectorTypeConfidence
1T1006CWE-22, CWE-23Pathname TraversalpredictiveHigh
2T1055CWE-74InjectionpredictiveHigh
3T1059CWE-94Cross Site ScriptingpredictiveHigh
4T1059.007CWE-79, CWE-80Cross Site ScriptingpredictiveHigh
5TXXXXCWE-XXX, CWE-XXX, CWE-XXX, CWE-XXXXxxxxxxxx Xxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
6TXXXX.XXXCWE-XXXXxxxxxxx Xxxxxxxxxxx Xx Xxxxxxxxx Xxxxxxxxxxxxxx XxxxxxxxpredictiveHigh
7TXXXX.XXXCWE-XXXXxx-xxx Xxxx Xxxxxxx XxxxpredictiveHigh
8TXXXXCWE-XX, CWE-XXXxxxxxx XxxxxxxxxpredictiveHigh
9TXXXX.XXXCWE-XXXXxxx XxxxxxxxpredictiveHigh
10TXXXXCWE-XXX, CWE-XXXXxxxxxxxxx XxxxxxpredictiveHigh
11TXXXXCWE-XX, CWE-XXXxx XxxxxxxxxpredictiveHigh
12TXXXXCWE-XXXXxx.xxx Xxxxxxxxxxxxxxxx: Xxxxxxxx Xx Xxxxxxxxxxxxx XxxxpredictiveHigh
13TXXXXCWE-XXXXxxxxxxxx Xxxxxx XxxxpredictiveHigh
14TXXXX.XXXCWE-XXXXxxxxxxxpredictiveHigh
15TXXXXCWE-XXX, CWE-XXXXxxxxxxxxxxxxpredictiveHigh
16TXXXX.XXXCWE-XXXxxxxxxxxxxxxpredictiveHigh
17TXXXX.XXXCWE-XXXXxxxxxxxxxxx XxxxxxpredictiveHigh

IOA - Indicator of Attack (70)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

IDClassIndicatorTypeConfidence
1File/cgi-bin/luci/api/authpredictiveHigh
2File/filemanager/upload.phppredictiveHigh
3File/resources//../predictiveHigh
4File/usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.phppredictiveHigh
5File/usr/local/WowzaStreamingEngine/bin/predictiveHigh
6File/wp-json/oembed/1.0/embed?urlpredictiveHigh
7Fileadmin/modules/tools/ip_history_logs.phppredictiveHigh
8Fileadmin_feature.phppredictiveHigh
9Filexxx_xxxxxx.xxxpredictiveHigh
10Filexxxxxxxxxxx/xxxxxxxxxxx/xxxxx/xxxxxxxxx.xxxpredictiveHigh
11Filexxx.xxx?xxx=xxxxx_xxxxpredictiveHigh
12Filexxx.xxxpredictiveLow
13Filexxxx/xxxxxxxxxxxxxxx.xxxpredictiveHigh
14Filexxxx_xxxxxxx.xxxpredictiveHigh
15Filexxxxxxxxxxxxx.xxxpredictiveHigh
16Filexxxxxxxxx/xx/xxxxxxxxxxxx.xxxpredictiveHigh
17Filexxxxxxxxx.xxxpredictiveHigh
18Filexxx/xxxxxx.xxxpredictiveHigh
19Filexxxxxxxx/xxxx/xxxxx-xxxxx.xxxpredictiveHigh
20Filexxxxx.xxxpredictiveMedium
21Filexxxxxxx/xxxxxxxx.xxxpredictiveHigh
22Filexxxxxx/xxx/xxxxxxxx.xpredictiveHigh
23Filexxxxxxx.xxxpredictiveMedium
24Filexxxxxx.xxpredictiveMedium
25Filexxxxxxx/xx?xxxxxxxx=predictiveHigh
26Filexxxxxxxxxxx-xxxx.xxpredictiveHigh
27Filexxxxxxx/xxxxx/xxxxxxxxxxx/xxxxx.xxxpredictiveHigh
28Filexxxx.xxxpredictiveMedium
29Filexxxxx-xxxxxxpredictiveMedium
30Filexxxxxxxx/xxxxx/xxxxxxxx?xxxxxxxxpredictiveHigh
31Filexxxxxx/xxx/xx/xxx.xxpredictiveHigh
32Filexxxxxxxxxx.xxxxpredictiveHigh
33Filexxxxxx_xxxxx.xxx/xxxxx_xxxxxxx_xxxxxxxxxx.xxpredictiveHigh
34Filexxxx/xxxxxxxx/xxxxxxxx.xxxxpredictiveHigh
35Library/xxx/xxx/xxxx.xxxpredictiveHigh
36Libraryxxxxxx.xxxpredictiveMedium
37Libraryxx-xxxxxxx/xxxxxxx/xx-xxxx-xxxxxxx/xxx/xxxxx/predictiveHigh
38Argument%xpredictiveLow
39Argumentxxxxxx_xxxxpredictiveMedium
40ArgumentxxxxxxxxpredictiveMedium
41ArgumentxxxxpredictiveLow
42ArgumentxxxpredictiveLow
43ArgumentxxxxxxxxpredictiveMedium
44ArgumentxxxxxxxxxpredictiveMedium
45ArgumentxxxxxxxxxxxpredictiveMedium
46ArgumentxxxxpredictiveLow
47ArgumentxxpredictiveLow
48Argumentxxxx/xxx_xxxxpredictiveHigh
49ArgumentxxxxpredictiveLow
50Argumentxxxxx_xxpredictiveMedium
51Argumentxxxx_xxpredictiveLow
52ArgumentxxxxxxxxxxxxxpredictiveHigh
53Argumentxxxxx_xxxxxxpredictiveMedium
54Argumentxxxxxx xxxxpredictiveMedium
55ArgumentxxxxxxxpredictiveLow
56Argumentxxxxxxx xxxxpredictiveMedium
57ArgumentxxxxxxpredictiveLow
58Argumentxxxxxx_xxpredictiveMedium
59ArgumentxxxxpredictiveLow
60Argumentxxxxxxxx_xxxxxpredictiveHigh
61ArgumentxxxpredictiveLow
62Argumentxxxxxxxxxx/xxxxxxxxxxxxxxxpredictiveHigh
63ArgumentxxxpredictiveLow
64ArgumentxxxpredictiveLow
65ArgumentxxxxxxxxxpredictiveMedium
66ArgumentxxxxxxpredictiveLow
67Argumentxxxx_xxpredictiveLow
68Argumentx-xxxxxxxxx-xxxpredictiveHigh
69Argumentxx_xxxx_xxxxxpredictiveHigh
70Argument_xxxpredictiveLow

References (2)

The following list contains external sources which discuss the actor and the associated activities:

PreviousOverviewNext

Interested in the pricing of exploits?

See the underground prices here!