Polonium Analysis

IOB - Indicator of Behavior (344)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en: 310
de: 14
fr: 6
es: 4
it: 4

Country

us: 196
gb: 24
ru: 22
tr: 16
ag: 14

Actors

Activities

Interest

Timeline

Type

Vendor

Product

Microsoft Windows: 12
Exim: 6
OpenSSH: 4
phpMyAdmin: 4
F5 FirePass: 4

Vulnerabilities

#  | Vulnerability                                                      | Base | Temp | 0day       | Today    | Exp              | Rem          | CTI  | EPSS    | CVE
1  | Microsoft IIS cross site scripting                                 | 5.2  | 4.7  | $5k-$25k   | $0-$5k   | Proof-of-Concept | Official Fix | 0.19 | 0.00282 | CVE-2017-0055
2  | nginx request smuggling                                            | 6.9  | 6.9  | $0-$5k     | $0-$5k   | Not Defined      | Not Defined  | 4.37 | 0.00000 | CVE-2020-12440
3  | Popup Builder Plugin path traversal                                | 6.3  | 6.0  | $0-$5k     | $0-$5k   | Not Defined      | Official Fix | 0.00 | 0.00081 | CVE-2021-25082
4  | pfSense pkg.php echo Privilege Escalation                          | 5.5  | 5.3  | $0-$5k     | $0-$5k   | Not Defined      | Official Fix | 0.03 | 0.00085 | CVE-2022-23993
5  | Maran PHP Shop prod.php sql injection                              | 7.3  | 7.3  | $0-$5k     | $0-$5k   | High             | Unavailable  | 0.05 | 0.00127 | CVE-2008-4879
6  | Synacor Zimbra Collaboration Suite ClientUploader unrestricted upload | 4.7 | 4.6 | $0-$5k    | $0-$5k   | Not Defined      | Not Defined  | 0.03 | 0.00092 | CVE-2022-45912
7  | FileCloud API Endpoint Privilege Escalation                        | 6.7  | 6.7  | $0-$5k     | $0-$5k   | Not Defined      | Not Defined  | 0.09 | 0.00096 | CVE-2022-39833
8  | Dahua IP Camera/PTZ Dome Camera password recovery                  | 5.5  | 5.5  | $0-$5k     | $0-$5k   | Not Defined      | Not Defined  | 0.06 | 0.00149 | CVE-2021-33046
9  | Bitrix Site Manager redirect.php link following                    | 5.3  | 4.7  | $0-$5k     | $0-$5k   | Unproven         | Unavailable  | 0.49 | 0.00151 | CVE-2008-2052
10 | Serendipity exit.php privileges management                         | 6.3  | 6.0  | $0-$5k     | $0-$5k   | Proof-of-Concept | Not Defined  | 0.15 | 0.00000 |
11 | Linux Kernel IPsec idt77252.c tst_timer use after free             | 6.0  | 5.9  | $5k-$25k   | $0-$5k   | Not Defined      | Official Fix | 0.06 | 0.00042 | CVE-2022-3635
12 | Apache HTTP Server mod_rewrite redirect                            | 6.7  | 6.7  | $25k-$100k | $5k-$25k | Not Defined      | Not Defined  | 0.04 | 0.00138 | CVE-2020-1927
13 | phpMyAdmin Privileges.php sql injection                            | 7.1  | 6.8  | $5k-$25k   | $0-$5k   | Not Defined      | Official Fix | 0.06 | 0.00158 | CVE-2020-10804
14 | Hikvision Product Message command injection                        | 5.5  | 5.5  | $0-$5k     | $0-$5k   | Not Defined      | Not Defined  | 0.08 | 0.97497 | CVE-2021-36260
15 | Gallarific PHP Photo Gallery script gallery.php sql injection      | 7.3  | 6.9  | $0-$5k     | $0-$5k   | Proof-of-Concept | Not Defined  | 0.08 | 0.00068 | CVE-2011-0519
16 | Ecommerce Online Store Kit shop.php sql injection                  | 9.8  | 9.4  | $0-$5k     | $0-$5k   | Not Defined      | Official Fix | 0.05 | 0.03763 | CVE-2004-0300
17 | WordPress wpdb->prepare sql injection                              | 8.5  | 8.4  | $5k-$25k   | $0-$5k   | Not Defined      | Official Fix | 0.03 | 0.00389 | CVE-2017-16510
18 | WordPress WP_Query class-wp-query.php sql injection                | 8.5  | 8.4  | $5k-$25k   | $0-$5k   | Proof-of-Concept | Official Fix | 0.05 | 0.00318 | CVE-2017-5611
19 | OrangeHRM Login Page information disclosure                        | 9.8  | 8.8  | $0-$5k     | $0-$5k   | Proof-of-Concept | Official Fix | 0.00 | 0.00343 | CVE-2007-1193


Campaigns (1)

These are the campaigns that can be associated with the actor:

  • CreepySnail

IOC - Indicator of Compromise (22)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (20)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (185)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator                                                | Type       | Confidence
1  | File  | .htaccess                                                | predictive | Medium
2  | File  | /etc/gsissh/sshd_config                                  | predictive | High
3  | File  | /etc/passwd                                              | predictive | Medium
4  | File  | /forms/nslookupHandler                                   | predictive | High
5  | File  | /index.php                                               | predictive | Medium
6  | File  | /modules/profile/index.php                               | predictive | High
7  | File  | /news.dtl.php                                            | predictive | High
8  | File  | /opt/zimbra/jetty/webapps/zimbra/public                  | predictive | High
9  | File  | /out.php                                                 | predictive | Medium
10 | File  | /ptms/?page=user                                         | predictive | High
11 | File  | /sqfs/bin/sccd                                           | predictive | High
12 | File  | /tmp                                                     | predictive | Low
13 | File  | /uncpath/                                                | predictive | Medium
14 | File  | /upload/file.php                                         | predictive | High
15 | File  | /usr/bin/at                                              | predictive | Medium
16 | File  | /usr/local/www/pkg.php                                   | predictive | High
17 | File  | /wp-admin/admin-ajax.php                                 | predictive | High
18 | File  | /wp-content/plugins/woocommerce/templates/emails/plain/  | predictive | High
19 | File  | 5.2.9\syscrb.exe                                         | predictive | High
20 | File  | admin.cgi                                                | predictive | Medium
21 | File  | admin/cal_login.php                                      | predictive | High
22 | File  | admin/category.inc.php                                   | predictive | High

References (3)

The following list contains external sources which discuss the actor and the associated activities:
