Potao Analysis

Activities

Timeline

Analysing the timeline helps to identify the required approach to, and handling of, single vulnerabilities and vulnerability collections. This overview makes it possible to see less important slices and more severe hotspots at a glance, so that vulnerability response can be initiated immediately and issues can be prioritized.

Lang

en: 73
de: 7
es: 1
it: 1

Country

us: 37
ru: 13
cn: 7
gb: 2
de: 2

Actors

Potao: 41
FIN7: 38
CosmicDuke: 2
Emissary: 1

Vulnerabilities

# | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | CTI | CVE
--|---------------|------|------|------|-------|-----|-----|-----|----
1 | polkit pkexec access control | 8.8 | 8.1 | $0-$5k | $0-$5k | Proof-of-Concept | Workaround | 10.00 | CVE-2021-4034
2 | Juniper SRX credentials management | 7.7 | 7.7 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.04 | CVE-2018-0025
3 | OmniSecure AddUrlShield index.php sql injection | 6.3 | 5.7 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.24 |
4 | NexusPHP messages.php cross site scripting | 5.2 | 5.2 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.08 | CVE-2017-15305
5 | SonicWALL AntiSpam / EMail Security Appliance MTA Queue Report Module reports_mta_queue_status.html cross site scripting | 8.0 | 7.6 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.06 |
6 | OpenX adclick.php redirect | 5.3 | 4.7 | $0-$5k | $0-$5k | Unproven | Not Defined | 0.12 | CVE-2014-2230
7 | Smiths-Medical Medfusion 4000 Wireless Syringe Infusion Pump DHCP memory corruption | 6.8 | 5.9 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.00 | CVE-2017-12718
8 | Python memory corruption | 6.3 | 6.0 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00 | CVE-2005-0089
9 | Apache Tomcat Connectors mod_jk information disclosure | 6.5 | 5.7 | $5k-$25k | $0-$5k | Unproven | Official Fix | 0.05 | CVE-2014-8111
10 | Juniper Junos Shell Session access control | 8.3 | 8.0 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.02 | CVE-2018-0024
11 | Winn Winn GuestBook addPost cross site scripting | 4.3 | 4.1 | $0-$5k | $0-$5k | High | Official Fix | 0.07 | CVE-2011-5026
12 | Microsoft IIS cross site scripting | 5.2 | 4.7 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.94 | CVE-2017-0055
13 | Microsoft IIS IP/Domain Restriction access control | 6.5 | 5.7 | $25k-$100k | $0-$5k | Unproven | Official Fix | 0.47 | CVE-2014-4078
14 | Microsoft IIS File Name Tilde privileges management | 6.5 | 5.9 | $25k-$100k | $0-$5k | Proof-of-Concept | Official Fix | 0.12 | CVE-2005-4360
15 | ProFTPD mod_sql sql injection | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.05 | CVE-2009-0542
16 | Apple macOS Firmware access control | 5.5 | 5.3 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.04 | CVE-2018-4251
17 | Fortinet FortiWebManager Access Control access control | 8.5 | 8.2 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.08 | CVE-2017-14189
18 | Fortinet FortiOS SSL VPN Web Portal information disclosure | 5.3 | 5.1 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.05 | CVE-2017-14185
19 | IW Guestbook badwords_edit.asp sql injection | 6.3 | 5.7 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.09 |
20 | Auto-Surf Traffic Exchange Script register.php cross site scripting | 3.5 | 3.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.08 |

Campaigns (2)

These are the campaigns that can be associated with the actor:

  • Potao
  • Potao Express

IOC - Indicator of Compromise (38)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

ID | IP address | Hostname | Campaigns | Confidence
---|------------|----------|-----------|-----------
1 | 5.44.99.46 | server.toastedweb.eu | Potao Express | High
2 | 37.139.47.162 | 37-139-47-162.vm.clodoserver.ru | Potao Express | High
3 | 46.163.73.99 | lvps46-163-73-99.dedicated.hosteurope.de | Potao Express | High
4 | 46.165.228.130 | | Potao Express | High
5 | 62.76.42.14 | 62-76-42-14.vm.clodoserver.ru | Potao Express | High
6 | 62.76.184.245 | 62-76-184-245.vm.clodoserver.ru | Potao Express | High
7 | 62.76.189.181 | srv.planetaexcel.ru | Potao Express | High
8 | XX.XX.XXX.XXX | | Xxxxx | High
9 | XX.XX.XXX.XXX | | Xxxxx | High
10 | XX.XXX.XXX.XXX | x-xx-xxx-xxx-xxx.xxxx.xx.xxxxxxxxxxxxxx.xxx | Xxxxx | High
11 | XX.XX.XX.XXX | xxxxxxxxxx.xxx | Xxxxx | High
12 | XX.XX.XXX.XXX | xx.xx.xxxx.xxxxxx.xxxxxxxxx.xxx | Xxxxx | High
13 | XX.XXX.XX.XXX | xxxxxxxxx.xxxxxxxxxx-xxxxxx.xxx | Xxxxx | High
14 | XX.XX.XXX.XXX | xxxxxxx.xxxx.xxx.xxxx.xx | Xxxxx Xxxxxxx | High
15 | XX.XXX.XX.XXX | | Xxxxx Xxxxxxx | High
16 | XX.XXX.XX.XX | xxx.xxxxxxxxxx.xxx | Xxxxx Xxxxxxx | High
17 | XX.XXX.XX.XXX | xxxx.xxxxxxxxxxxx.xxx | Xxxxx Xxxxxxx | High
18 | XX.XXX.XX.XXX | xxxxxxxxx.xxxxxxxxxx-xxxxxx.xxxx | Xxxxx | High
19 | XX.XXX.XXX.XX | xxxxx-xxxxxx.xxxxxxx.xx | Xxxxx Xxxxxxx | High
20 | XX.XX.XXX.XX | xxxx-xx-xx-xxx-xx.xxxxx.xx | Xxxxx Xxxxxxx | High
21 | XX.XXX.XXX.XX | xxxxx-x.xxxxxxxxxxxxxx.xxx | Xxxxx Xxxxxxx | High
22 | XXX.X.XX.XXX | xxx.xx.x.xxx.xxxxxxx.xxx.xx | Xxxxx | High
23 | XXX.XXX.XXX.XX | xxx-xxx-xxx-xx.xxxxxxxxxxxx.xxx | Xxxxx | High
24 | XXX.XX.XX.XXX | | Xxxxx Xxxxxxx | High
25 | XXX.XX.XXX.XXX | | Xxxxx | High
26 | XXX.XXX.XX.XXX | xxxxxx.xxx.xx.xxx.xxx.xxxxxxx.xxxx-xxxxxx.xx | Xxxxx Xxxxxxx | High
27 | XXX.XXX.XX.XX | | Xxxxx Xxxxxxx | High
28 | XXX.XX.XX.XXX | xxxxxx.xxx.xx.xx.xxx.xxxxxxx.xxxx-xxxxxx.xx | Xxxxx Xxxxxxx | High
29 | XXX.XX.XX.XXX | xxxxxx.xxx.xx.xx.xxx.xxxxxxx.xxxx-xxxxxx.xx | Xxxxx Xxxxxxx | High
30 | XXX.XXX.XXX.XX | | Xxxxx Xxxxxxx | High
31 | XXX.XXX.XX.X | | Xxxxx Xxxxxxx | High
32 | XXX.XXX.XXX.XXX | xxxxxx.xxxxxxxxxxxx.xxx.xx | Xxxxx Xxxxxxx | High
33 | XXX.XXX.XX.XXX | xxx-xxx-xx-xxx.xxxxxx.xxxxxxxxxxxxxx.xxx | Xxxxx Xxxxxxx | High
34 | XXX.XX.XXX.XX | xxxxxxxxx.xxxxxxxxxxxxx.xxx | Xxxxx Xxxxxxx | High
35 | XXX.XX.XXX.XXX | | Xxxxx Xxxxxxx | High
36 | XXX.XXX.XX.XXX | xxxxxx.xxx.xxxxxx.xxx | Xxxxx | High
37 | XXX.XXX.XX.XXX | xxx-xxx-xx-xxx.xxxxxx.xxxxxxxxxxxxxx.xxx | Xxxxx Xxxxxxx | High
38 | XXX.XXX.XXX.XXX | xxxxxxxxxxxxx.xxxxxxxxxx.xxxx | Xxxxx Xxxxxxx | High

TTP - Tactics, Techniques, Procedures (4)

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Vulnerabilities | Access Vector | Confidence
---|-----------|-----------------|---------------|-----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1499 | CWE-400 | Resource Consumption | High
4 | TXXXX | CWE-XXX | Xxxxxxxxxxxx Xxxxxx | High

IOA - Indicator of Attack (67)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Confidence
---|-------|-----------|-----------
1 | File | /frontend/x3/cpanelpro/filelist-thumbs.html | High
2 | File | /htdocs/admin/dict.php?id=3 | High
3 | File | /iwguestbook/admin/badwords_edit.asp | High
4 | File | /setSystemAdmin | High
5 | File | /uncpath/ | Medium
6 | File | /usr/bin/pkexec | High
7 | File | /webpages/data | High
8 | File | /xx/xxxxx.xxx | High
9 | File | xxxxxxx.xxx | Medium
10 | File | xxxxx\xxxxx\xxxxxxx\xxxxxxxx.xxx | High
11 | File | xxx.xxx | Low
12 | File | xxxx/xxx/xxxx/xxxxxxxxxxx | High
13 | File | xxx/xxxxxxxxxxx/xxxxxxxxxxx_xxxxxxxxxx.xx | High
14 | File | xxxx.x | Low
15 | File | xxx-xxx/ | Medium
16 | File | xxxxxx.x | Medium
17 | File | xxxx/xxxxxxxxxxxxxxx.xxx | High
18 | File | xxxxxx.xxx | Medium
19 | File | xxxxxxx/xxxx/xxxxxxx/xxxxxxx_xxx.x | High
20 | File | xxxxxx.xxx | Medium
21 | File | xxxx.xxx | Medium
22 | File | xxx/xxxxxx.xxx | High
23 | File | xxx/xxxxxxxxxxx/xxxxxxx.xxx | High
24 | File | xxxxx.xxx | Medium
25 | File | xxxxxx/xxxxx.x | High
26 | File | xxxxxxxx.xxx | Medium
27 | File | xxxxxxxxxxxxxxx.xxx | High
28 | File | xxxxxxx_xxxxxxx.xxx | High
29 | File | xxxxxxxx.xxx | Medium
30 | File | xxxxxxx_xxx_xxxxx_xxxxxx.xxxx | High
31 | File | xxx.x | Low
32 | File | xxxxxxxx.xxx | Medium
33 | Library | /xxx/xxx/xxx/xxxx/xxxxxxxxxx/xxxxx/xxxxxx.xxx | High
34 | Library | /xxx/xxx/xxx/xxxx/xxxxxxxxxx/xxxxx/xxxxxxxxxx.xxx | High
35 | Library | xxxx.xxx | Medium
36 | Argument | xxxxxx=xxxx | Medium
37 | Argument | xxxxxxx | Low
38 | Argument | xxxx_xxx | Medium
39 | Argument | xxxxxxxx | Medium
40 | Argument | xxxx | Low
41 | Argument | xxxxxx | Low
42 | Argument | xxxx | Low
43 | Argument | xxxxxxxx | Medium
44 | Argument | xxxxx_xx | Medium
45 | Argument | xxxxxxxx | Medium
46 | Argument | xx | Low
47 | Argument | xxxxx | Low
48 | Argument | xxxxx | Low
49 | Argument | xxxxxxx | Low
50 | Argument | xxxx | Low
51 | Argument | xxxx | Low
52 | Argument | xxxx_xxxx | Medium
53 | Argument | xxxxxxxx_xxxxx | High
54 | Argument | xxx | Low
55 | Argument | xxx_xxxxx/xxxx_xxxxx/xxxx_xxxxx | High
56 | Argument | xxxxx | Low
57 | Argument | x_xxxxxx | Medium
58 | Argument | xxx | Low
59 | Argument | xxxxx | Low
60 | Input Value | ../ | Low
61 | Input Value | /%xx | Low
62 | Input Value | x+xxxxx+xxxxxx+x,xxxxxxx,xxxxxxxxxxx+xxxx+xxxxx# | High
63 | Input Value | xxxxxx | Low
64 | Input Value | ::$xxxxx_xxxxxxxxxx | High
65 | Input Value | @xxxxxxxx.xxx | High
66 | Network Port | xxx/xxxx | Medium
67 | Network Port | xxx xxxxxx xxxx | High

References (2)

The following list contains external sources which discuss the actor and the associated activities:
