Hafnium Analysis

Activities

Timeline

Analysing the timeline helps to decide how single vulnerabilities and whole vulnerability collections should be approached and handled. The overview shows less important slices and more severe hotspots at a glance, so that immediate vulnerability response can be initiated and issues prioritized.

Language of sources: zh 28, en 27

Country of sources: cn 54, us 1

Vulnerabilities

| # | Vulnerability | Base | Temp | 0-day price | Today price | Exploit | Remediation | CTI | CVE |
|---|---|---|---|---|---|---|---|---|---|
| 1 | Laravel Framework Permission .env writeNewEnvironmentFileWith Password information disclosure | 6.4 | 6.4 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.05 | CVE-2017-16894 |
| 2 | Pritunl Error Message session Username information disclosure | 4.3 | 4.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.05 | CVE-2020-25200 |
| 3 | Pritunl Client pritunl-service neutralization for logs | 7.8 | 7.5 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.04 | CVE-2020-27519 |
| 4 | Microsoft Windows Remote Desktop Client Remote Code Execution | 8.8 | 7.7 | $100k and more | $25k-$100k | Unproven | Official Fix | 0.03 | CVE-2021-38666 |
| 5 | Linux Kernel Inter-Process Communication crypto.c tipc_crypto_key_rcv missing encryption | 7.0 | 6.9 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.03 | CVE-2021-43267 |
| 6 | Google Chrome WebRTC use after free | 7.5 | 7.2 | $25k-$100k | $5k-$25k | Not Defined | Official Fix | 0.04 | CVE-2021-21191 |
| 7 | JBMC DirectAdmin CMD_ACCOUNT_ADMIN cross-site request forgery | 8.8 | 8.8 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.02 | CVE-2019-9625 |
| 8 | RaspAP GET Parameter get_netcfg.php os command injection | 6.3 | 6.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.03 | CVE-2021-33357 |
| 9 | Laravel Password Reset URL Phishing input validation | 6.2 | 5.9 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00 | CVE-2017-9303 |
| 10 | Bomgar Remote Support Serialization code injection | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.03 | CVE-2015-0935 |
| 11 | Bomgar Remote Support Agent untrusted search path | 7.5 | 7.2 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.05 | CVE-2017-5996 |
| 12 | Microsoft Windows WalletService privileges management | 7.8 | 6.8 | $25k-$100k | $5k-$25k | Unproven | Official Fix | 0.07 | CVE-2021-26885 |
| 13 | Aviatrix Controller pathname traversal | 6.3 | 6.0 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.03 | CVE-2021-40870 |
| 14 | Fortinet FortiWeb Authorization Header sql injection | 7.7 | 7.4 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.03 | CVE-2020-29015 |
| 15 | Pear Admin Think UploadService.php unrestricted upload | 6.3 | 6.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.05 | CVE-2021-29377 |
| 16 | DZCP deV!L`z Clanportal config.php code injection | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.74 | CVE-2010-0966 |
| 17 | Zoho ManageEngine ADSelfService Plus REST API improper authentication | 7.3 | 7.0 | $0-$5k | $0-$5k | High | Official Fix | 0.07 | CVE-2021-40539 |
| 18 | MacCMS index.php command injection | 8.5 | 8.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.03 | CVE-2017-17733 |
| 19 | All in One SEO Best WordPress SEO Plugin Import/Export code injection | 5.5 | 5.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.04 | CVE-2021-24307 |
| 20 | Horde Groupware Webmail Edition add.php unrestricted upload | 5.3 | 5.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.04 | CVE-2020-8866 |

Base and Temp are the CVSS base and temporal scores; 0-day and Today are the estimated exploit prices at disclosure and at the time of the snapshot; Exploit and Remediation are the CVSS exploitability and remediation-level states; CTI is the cyber threat intelligence interest score.

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • Hafnium

IOC - Indicator of Compromise (3)

These indicators of compromise list associated network resources which are known to be part of research and attack activities.

| ID | IP address | Hostname | Actor | Campaigns | Type | Confidence |
|---|---|---|---|---|---|---|
| 1 | 172.105.174.117 | 172-105-174-117.ip.linodeusercontent.com | Hafnium | Hafnium | verified | High |
| 2 | XXX.XXX.XXX.XXX | xxx.xxx.xxx.xxx.xx.xxxxxxxxxxx.xxx | Xxxxxxx | Xxxxxxx | verified | High |
| 3 | XXX.XXX.XXX.XXX | xxx.xxx.xxx.xxx.xx.xxxxxxxxxxx.xxx | Xxxxxxx | Xxxxxxx | verified | High |

TTP - Tactics, Techniques, Procedures (4)

Tactics, techniques and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique because it is derived from our predictive model for actor profiling rather than from observed intrusions.

| ID | Technique | Vulnerabilities | Access Vector | Type | Confidence |
|---|---|---|---|---|---|
| 1 | T1059.007 | CWE-79 | Cross Site Scripting | predictive | High |
| 2 | TXXXX | CWE-XXX, CWE-XXX | Xxxxxxxxx Xxxx Xxxxxxxxxxx Xxxxxxxxxx | predictive | High |
| 3 | TXXXX | CWE-XXX | 7xx Xxxxxxxx Xxxxxxxx | predictive | High |
| 4 | TXXXX | CWE-XXX | Xxxxxxxxxxxx Xxxxxx | predictive | High |

IOA - Indicator of Attack (25)

These indicators of attack list the potential fragments (file paths, request arguments, input values, network ports) used for technical activities like reconnaissance, exploitation, privilege escalation and exfiltration. This data is unique because it is derived from our predictive model for actor profiling.

| ID | Class | Indicator | Type | Confidence |
|---|---|---|---|---|
| 1 | File | /.env | predictive | Low |
| 2 | File | /ajax/networking/get_netcfg.php | predictive | High |
| 3 | File | /auth/session | predictive | High |
| 4 | File | /CMD_ACCOUNT_ADMIN | predictive | High |
| 5 | File | xxxxxxx.xxx | predictive | Medium |
| 6 | File | xxx.xxx | predictive | Low |
| 7 | File | xxxxx.xxx/xxxxx/xxxxxx xxxxxxx xxx/xxxxxx/xxxxxxx/xxxxxxxxxxxxx.xxx | predictive | High |
| 8 | File | xxxxx/_xxxxxxx.xxx | predictive | High |
| 9 | File | xxxxx/xxxxxxxxxxxxxx/xxxxxxxxxxx.xxx | predictive | High |
| 10 | File | xxx/xxxxxx.xxx | predictive | High |
| 11 | File | xxxxx.xxx | predictive | Medium |
| 12 | File | xxxxx.xxx?x=xxxx&x=xxxxxxx&x=xxx | predictive | High |
| 13 | File | xxx/xxxx/xxxxxx.x | predictive | High |
| 14 | File | xxxxxxxxx.x | predictive | Medium |
| 15 | Argument | xxxxxxxx | predictive | Medium |
| 16 | Argument | xxxx | predictive | Low |
| 17 | Argument | xxxxxxxxxxx | predictive | Medium |
| 18 | Argument | xxxxxxx | predictive | Low |
| 19 | Argument | xxxxx | predictive | Low |
| 20 | Argument | xxxx | predictive | Low |
| 21 | Argument | xxxxxxxxxx | predictive | Medium |
| 22 | Argument | xx | predictive | Low |
| 23 | Input Value | =xxxxxxxxx("xxxx://[xxxxxxxx_xx:xxxx]/xxxxxxxxxxxxxx","xxxxxxx") | predictive | High |
| 24 | Input Value | xxxx=xxxxxx-xxxxxxxx | predictive | High |
| 25 | Network Port | xxx/xxx | predictive | Low |

References (3)

The following list contains external sources which discuss the actor and the associated activities:
