Hafnium Analysis

IOB - Indicator of Behavior (55)

Lang

  • zh (32)
  • en (24)

Country

  • cn (54)
  • us (2)

Activities

Interest

Product

  • Google Chrome (4)
  • Microsoft Windows (4)
  • Zoho ManageEngine ADSelfService Plus (2)
  • Pritunl Client (2)
  • AppArmor (2)

Vulnerabilities

# | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | CTI | EPSS | CVE
1 | Laravel Framework Permission .env writeNewEnvironmentFileWith Password information disclosure | 6.4 | 6.4 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.02 | 0.12492 | CVE-2017-16894
2 | Pritunl Error Message session Username information disclosure | 4.3 | 4.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00 | 0.05736 | CVE-2020-25200
3 | Pritunl Client pritunl-service neutralization for logs | 7.8 | 7.5 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.02 | 0.01365 | CVE-2020-27519
4 | Microsoft Windows Remote Desktop Client Remote Code Execution | 8.8 | 7.7 | $100k and more | $5k-$25k | Unproven | Official Fix | 0.03 | 0.01601 | CVE-2021-38666
5 | Linux Kernel Inter-Process Communication crypto.c tipc_crypto_key_rcv missing encryption | 7.0 | 6.9 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.12300 | CVE-2021-43267
6 | Google Chrome WebRTC use after free | 7.5 | 7.2 | $25k-$100k | $5k-$25k | Not Defined | Official Fix | 0.05 | 0.01213 | CVE-2021-21191
7 | JBMC DirectAdmin CMD_ACCOUNT_ADMIN cross-site request forgery | 8.8 | 8.8 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.04 | 0.08382 | CVE-2019-9625
8 | RaspAP GET Parameter get_netcfg.php os command injection | 6.3 | 6.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.05 | 0.00885 | CVE-2021-33357
9 | Laravel Password Reset URL Phishing input validation | 6.2 | 5.9 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.01055 | CVE-2017-9303
10 | Bomgar Remote Support Serialization code injection | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.03 | 0.07584 | CVE-2015-0935
11 | Bomgar Remote Support Agent untrusted search path | 7.5 | 7.2 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.05 | 0.00885 | CVE-2017-5996
12 | Microsoft Windows WalletService privileges management | 7.8 | 6.8 | $25k-$100k | $5k-$25k | Unproven | Official Fix | 0.03 | 0.01372 | CVE-2021-26885
13 | Aviatrix Controller pathname traversal | 6.3 | 6.0 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.03 | 0.02509 | CVE-2021-40870
14 | Fortinet FortiWeb Authorization Header sql injection | 7.7 | 7.4 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.04 | 0.01055 | CVE-2020-29015
15 | Pear Admin Think UploadService.php unrestricted upload | 6.3 | 6.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00 | 0.01338 | CVE-2021-29377
16 | DZCP deV!L`z Clanportal config.php code injection | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.43 | 0.04187 | CVE-2010-0966
17 | Zoho ManageEngine ADSelfService Plus REST API improper authentication | 7.3 | 7.0 | $0-$5k | $0-$5k | High | Official Fix | 0.06 | 0.95954 | CVE-2021-40539
18 | MacCMS index.php command injection | 8.5 | 8.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00 | 0.01382 | CVE-2017-17733
19 | All in One SEO Best WordPress SEO Plugin Import/Export code injection | 5.5 | 5.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.04 | 0.01440 | CVE-2021-24307
20 | Horde Groupware Webmail Edition add.php unrestricted upload | 5.3 | 5.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00 | 0.04571 | CVE-2020-8866

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • Hafnium

IOC - Indicator of Compromise (3)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

ID | IP address | Hostname | Actor | Campaigns | Type | Confidence
1 | 172.105.174.117 | 172-105-174-117.ip.linodeusercontent.com | Hafnium | Hafnium | verified | High

TTP - Tactics, Techniques, Procedures (12)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Vulnerabilities | Access Vector | Type | Confidence
1 | T1006 | CWE-21, CWE-22 | Pathname Traversal | predictive | High
2 | T1055 | CWE-74 | Injection | predictive | High
3 | T1059 | CWE-94 | Cross Site Scripting | predictive | High

IOA - Indicator of Attack (25)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1 | File | /.env | predictive | Low
2 | File | /ajax/networking/get_netcfg.php | predictive | High
3 | File | /auth/session | predictive | High
4 | File | /CMD_ACCOUNT_ADMIN | predictive | High
