Hermit Analysis

IOB - Indicator of Behavior (56)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en	42
ru	8
it	6

Country

us	20
ru	20
it	12
cn	2
kz	2

Actors

Hermit	4

Activities

Interest

Timeline

Type

Not Defined	10
Web Server	6
Operating System	6
Firewall Software	4
Network Encryption Software	2

Vendor

Not Defined	10
Microsoft	8
Untangle	4
Apache	4
Dag.wieers	2

Product

Microsoft Windows	6
Apache HTTP Server	4
Untangle Firewall NG	2
Dag.wieers dstat	2
Microsoft IIS	2

Vulnerabilities

#	Vulnerability	Base	Temp	0day	Today	Exp	Rem	CTI	EPSS	CVE
1	1C:Enterprise URL Parameter information disclosure	5.9	5.6	$0-$5k	$0-$5k	Not Defined	Official Fix	0.00	0.00150	CVE-2021-3131
2	Untangle NG Firewall injection	6.7	6.7	$0-$5k	$0-$5k	Not Defined	Not Defined	0.04	0.00177	CVE-2019-18647
3	Moodle User Profile Field cross site scripting	3.5	3.4	$5k-$25k	$0-$5k	Not Defined	Official Fix	0.03	0.00064	CVE-2022-45151
4	RouterOS DNS Cache Poisoning missing authentication	6.5	6.5	$0-$5k	$0-$5k	Not Defined	Not Defined	0.05	0.00606	CVE-2019-3978
5	Microsoft Windows Remote Desktop Service BlueKeep input validation	9.8	9.4	$100k and more	$0-$5k	High	Official Fix	0.04	0.97549	CVE-2019-0708
6	Moodle sql injection	6.3	6.0	$5k-$25k	$0-$5k	Not Defined	Official Fix	0.00	0.00120	CVE-2012-2363
7	Hisilicon HI3510 RTSP Stream/Web Portal access control	6.4	6.2	$0-$5k	$0-$5k	Not Defined	Workaround	0.00	0.00168	CVE-2019-10711
8	Dag.wieers dstat Local Privilege Escalation	5.9	5.7	$0-$5k	$0-$5k	Not Defined	Official Fix	0.03	0.00042	CVE-2009-4081
9	phpListPro addsite.php privileges management	5.3	5.0	$0-$5k	$0-$5k	Proof-of-Concept	Not Defined	0.04	0.06142	CVE-2006-1749
10	Microsoft Windows Mark of the Web unknown vulnerability	5.4	4.9	$25k-$100k	$5k-$25k	Unproven	Official Fix	0.03	0.00237	CVE-2022-41091
11	Moodle Administration Page sql injection	7.2	7.2	$5k-$25k	$5k-$25k	Not Defined	Not Defined	0.05	0.00076	CVE-2022-40315
12	PHP mysqli_real_escape_string integer overflow	8.5	8.4	$5k-$25k	$0-$5k	Not Defined	Official Fix	0.06	0.00842	CVE-2017-9120
13	PHP FPM SAPI out-of-bounds write	8.0	7.7	$25k-$100k	$5k-$25k	Not Defined	Official Fix	0.06	0.00116	CVE-2021-21703
14	VMware Spring Cloud Function SpEL Expression code injection	9.8	9.3	$5k-$25k	$0-$5k	Proof-of-Concept	Official Fix	0.05	0.97538	CVE-2022-22963
15	Google Chrome WebRTC heap-based overflow	6.3	6.0	$25k-$100k	$5k-$25k	High	Official Fix	0.09	0.00426	CVE-2022-2294
16	Truecrypt/VeraCrypt Symbolic Links Ntdriver.c IsDriveLetterAvailable access control	6.5	5.6	$0-$5k	$0-$5k	Proof-of-Concept	Official Fix	0.06	0.00061	CVE-2015-7358
17	Adobe Acrobat resource management	7.3	6.6	$25k-$100k	$0-$5k	Proof-of-Concept	Official Fix	0.02	0.36630	CVE-2009-1858
18	Adobe Photoshop out-of-bounds write	7.0	6.9	$5k-$25k	$0-$5k	Not Defined	Official Fix	0.02	0.00482	CVE-2022-23205
19	Apache HTTP Server mod_rewrite redirect	6.7	6.7	$25k-$100k	$5k-$25k	Not Defined	Not Defined	0.04	0.00138	CVE-2020-1927

IOC - Indicator of Compromise (6)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

ID	IP address	Hostname	Actor	Identified	Type	Confidence
1	2.228.150.86	2-228-150-86.ip192.fastwebnet.it	Hermit	07/30/2022	verified	High
2	2.229.68.182	2-229-68-182.ip195.fastwebnet.it	Hermit	07/30/2022	verified	High
3	XX.XXX.XX.XXX		Xxxxxx	07/30/2022	verified	High
4	XX.XXX.XX.XX		Xxxxxx	08/04/2022	verified	High
5	XX.XX.XXX.XXX	xx-xx-xxx-xxx.xxxx.xxxxxxxxxx.xx	Xxxxxx	07/30/2022	verified	High
6	XX.XX.XX.XX	xx-xx-xx-xx.xxxxx.xxxxxxxxxx.xx	Xxxxxx	08/04/2022	verified	High

TTP - Tactics, Techniques, Procedures (11)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

ID	Technique	Vulnerabilities	Access Vector	Type	Confidence
1	T1006	CWE-22	Pathname Traversal	predictive	High
2	T1055	CWE-74	Injection	predictive	High
3	T1059	CWE-94	Cross Site Scripting	predictive	High
4	TXXXX.XXX	CWE-XX, CWE-XX	Xxxxx Xxxx Xxxxxxxxx	predictive	High
5	TXXXX	CWE-XXX, CWE-XXX	X2xx Xxxxxxxxxxxxxxxx: Xxxx Xxxxxx Xxxxxxxxxxx Xxx Xxx Xxxxxxx	predictive	High
6	TXXXX	CWE-XX	Xxxxxxx Xxxxxxxxx	predictive	High
7	TXXXX.XXX	CWE-XXX	Xxxx Xxxxxxxx	predictive	High
8	TXXXX	CWE-XX	Xxx Xxxxxxxxx	predictive	High
9	TXXXX	CWE-XXX	Xxx.xxx Xxxxxxxxxxxxxxxx: Xxxxxxxx Xx Xxxxxxxxxxxxx Xxxx	predictive	High
10	TXXXX	CWE-XXX	Xxxxxxxxxxxxx	predictive	High
11	TXXXX	CWE-XXX	X2xx Xxxxxxxxxxxxxxxx: Xxxx Xxxxxxxxxxxx Xxxxxxx Xxxxxxxxxx	predictive	High

IOA - Indicator of Attack (14)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID	Class	Indicator	Type	Confidence
1	File	/admin/template.php	predictive	High
2	File	/uncpath/	predictive	Medium
3	File	xxxxxxx.xxx	predictive	Medium
4	File	xxxx_xxxx_xxxxxxxx.xxx	predictive	High
5	File	xxxx/xxxxxxxxxxxxxxx.xxx	predictive	High
6	File	xxxxxx/xxxxxxxx.x	predictive	High
7	File	xxx_xxxxxxxx.x	predictive	High
8	File	xxx/xxxxxxx.xxx	predictive	High
9	Argument	xx	predictive	Low
10	Argument	xxxxx_xxxx	predictive	Medium
11	Argument	xxxxxxxx	predictive	Medium
12	Argument	xxxxxxxxxx	predictive	Medium
13	Argument	xxxxx	predictive	Low
14	Argument	xxx	predictive	Low

References (3)

The following list contains external sources which discuss the actor and the associated activities:

◂ PreviousOverviewNext ▸

Do you know our Splunk app?

Download it now for free!