FF-Rat Analysis

IOB - Indicator of Behavior (25)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

zh14
en12

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Country

cn16
us8

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Actors

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Activities

Interest

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Type

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vendor

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Product

ONLYOFFICE Server4
Alt-N MDaemon4
vsftpd2
Oracle WebLogic Server2
PHP2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vulnerabilities

#VulnerabilityBaseTemp0dayTodayExpRemCTIEPSSCVE
1Cisco Unity Connection unrestricted upload8.18.0$5k-$25k$0-$5kNot DefinedOfficial Fix0.040.00127CVE-2024-20272
2KeyCloak Password Reset password recovery6.56.4$0-$5k$0-$5kNot DefinedOfficial Fix0.000.00293CVE-2017-12161
3ONLYOFFICE Document Server FontFileBase.h heap-based overflow5.55.3$0-$5kCalculatingNot DefinedOfficial Fix0.000.00211CVE-2022-29777
4ONLYOFFICE Server User Name input validation4.54.3$0-$5k$0-$5kProof-of-ConceptNot Defined0.030.00071CVE-2021-43448
5ONLYOFFICE Server Document Editor Service server-side request forgery6.86.5$0-$5k$0-$5kProof-of-ConceptNot Defined0.040.00100CVE-2021-43449
6ONLYOFFICE Document Server Example editor cross site scripting3.53.4$0-$5k$0-$5kNot DefinedOfficial Fix0.030.00116CVE-2022-24229
7ONLYOFFICE Document Server WebSocket API sql injection8.58.5$0-$5k$0-$5kNot DefinedNot Defined0.000.00174CVE-2020-11537
8ONLYOFFICE Server Document Editor improper authentication6.96.6$0-$5k$0-$5kProof-of-ConceptNot Defined0.060.00076CVE-2021-43447
9ONLYOFFICE Community Server UploadProgress.ashx unrestricted upload8.07.9$0-$5k$0-$5kNot DefinedOfficial Fix0.010.00633CVE-2023-34939
10vsftpd deny_file unknown vulnerability3.73.6$0-$5k$0-$5kNot DefinedOfficial Fix0.000.00312CVE-2015-1419
11Atlassian Confluence Server/Confluence Data Center Webwork OGNL injection6.36.0$0-$5k$0-$5kProof-of-ConceptOfficial Fix0.020.97414CVE-2021-26084
12PHPMailer Phar Deserialization addAttachment deserialization5.55.3$0-$5k$0-$5kNot DefinedOfficial Fix0.020.00748CVE-2020-36326
13Squid Proxy HTTP Header information disclosure6.66.6$5k-$25k$5k-$25kNot DefinedNot Defined0.000.00735CVE-2019-12529
14PHP com_print_typeinfo memory corruption10.09.4$25k-$100k$0-$5kProof-of-ConceptNot Defined0.040.25603CVE-2012-2376
15Oracle WebLogic Server Console Remote Code Execution9.89.4$25k-$100k$0-$5kNot DefinedOfficial Fix0.000.97493CVE-2020-14882
16PbootCMS code injection8.58.5$0-$5k$0-$5kNot DefinedNot Defined0.030.04022CVE-2018-19595
17Microsoft Windows Win32k access control7.97.7$25k-$100k$5k-$25kNot DefinedOfficial Fix0.000.00058CVE-2019-0623
18Western Digital PR4100 webfile_mgr.cgi link following7.57.2$0-$5k$0-$5kNot DefinedOfficial Fix0.000.01702CVE-2019-9949
19PHP Scripts Mall Professional Service Script review.php sql injection8.57.9$0-$5k$0-$5kNot DefinedNot Defined0.000.00212CVE-2017-17928
20Alt-N MDaemon Worldclient user session7.37.0$5k-$25k$0-$5kProof-of-ConceptOfficial Fix0.000.00000

IOC - Indicator of Compromise (4)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (9)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IDTechniqueVulnerabilitiesAccess VectorTypeConfidence
1T1006CWE-22Path TraversalpredictiveHigh
2T1055CWE-74Improper Neutralization of Data within XPath ExpressionspredictiveHigh
3TXXXXCWE-XXXxxxxxxx XxxxxxxxxpredictiveHigh
4TXXXX.XXXCWE-XX, CWE-XXXxxxx Xxxx XxxxxxxxxpredictiveHigh
5TXXXXCWE-XXXXxxxxxxxx Xxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
6TXXXXCWE-XXXxx XxxxxxxxxpredictiveHigh
7TXXXXCWE-XXXXxxxxxxxxxx XxxxxxxxxxpredictiveHigh
8TXXXXCWE-XXXXxxxxxxxxx Xx Xxxxxxx Xxxxx Xxxxxxx Xxxxxxxxx XxxxxxxxxxxpredictiveHigh
9TXXXX.XXXCWE-XXXXxxxxxxxxx Xxxxxxxxxxxxxx Xx Xxxxxxxx Xxxx XxxxxxxxxpredictiveHigh

IOA - Indicator of Attack (17)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

IDClassIndicatorTypeConfidence
1File/example/editorpredictiveHigh
2Fileadmin/review.phppredictiveHigh
3Filecgi-bin/webfile_mgr.cgipredictiveHigh
4Filexxxxxxxxxxxxx/xxxxxxxxxx/xxxxxxxxxxxxx/xxxxxxxxxxxx.xpredictiveHigh
5Filexxx.xxpredictiveLow
6Filexxxxx.xxx/xxxx/x/predictiveHigh
7Filexxxxxxxxxxxxxx.xxxxpredictiveHigh
8Libraryxxxxxxxxxxx.xxxpredictiveHigh
9ArgumentxxxxxxxpredictiveLow
10ArgumentxxxxxpredictiveLow
11ArgumentxxpredictiveLow
12ArgumentxxxxpredictiveLow
13ArgumentxxxxxxxpredictiveLow
14ArgumentxxxxpredictiveLow
15Argumentxxxx->xxxxxxxpredictiveHigh
16Input Value<xxx xxx="xxxx://x"; xx xxxxxxx="$(’x').xxxx(’xxxxxx’)" />predictiveHigh
17Input Value{xxxxx:xx(xxxx($_xxx[x]))}x{/xxxxx:xx}predictiveHigh

References (2)

The following list contains external sources which discuss the actor and the associated activities:

Want to stay up to date on a daily basis?

Enable the mail alert feature now!