PowerDuke Analysisinfo

💳 Purchase Required

You need to purchase an additional CTI license to see detailed indicators.

IOB - Indicator of Behavior (76)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Language

en74
es2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Country

TR: Turkey34
US: USA14
CN: China10
BE: Belgium8
HU: Hungary8

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Actors

PowerDuke3
APT291

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Activities

Interest

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Type

Not Defined24
Content Management System6
Operating System6
Firewall Software6
Application Server Software4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vendor

Microsoft12
Not Defined8
Cisco6
easyii4
Check Point4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Product

Microsoft Windows6
easyii CMS4
Check Point Mobile Access4
Juniper Junos4
Cisco FirePOWER Management Center4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vulnerabilities

These are the vulnerabilities that we have identified as researched, approached, or attacked.

#VulnerabilityBaseTemp0dayTodayExpCouKEVEPSSCTICVE
1easyii CMS File Upload Management Upload.php file unrestricted upload6.35.7$0-$5k$0-$5kProof-of-ConceptNot defined 0.000460.03CVE-2022-3771
2Microsoft Windows LSA missing authentication7.67.2$25k-$100k$5k-$25kAttackedOfficial fixverified0.352650.00CVE-2022-26925
3Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure5.35.2$5k-$25kCalculatingHighWorkaroundpossible0.029560.00CVE-2007-1192
4Microsoft .NET Framework Array Copy memory corruption7.37.0$5k-$25kCalculatingNot definedOfficial fix 0.258000.02CVE-2015-2504
5AWS SDK for Java S3 TransferManager downloadDirectory path traversal6.36.3$0-$5k$0-$5kNot definedOfficial fix 0.000450.00CVE-2022-31159
6Microsoft IIS Frontpage Server Extensions shtml.dll Username information disclosure5.35.1$5k-$25k$0-$5kNot definedOfficial fix 0.031370.02CVE-2000-0114
7Microsoft Windows Common Log File System Driver out-of-bounds write8.17.7$100k and more$5k-$25kAttackedOfficial fixverified0.048240.00CVE-2022-37969
8DZCP deV!L`z Clanportal config.php code injection7.36.6$0-$5k$0-$5kProof-of-ConceptOfficial fix 0.009700.06CVE-2010-0966
9Avaya IP Office Application Server Web UI cross site scripting5.45.3$0-$5k$0-$5kProof-of-ConceptOfficial fix 0.005570.02CVE-2019-7004
10Check Point Mobile Access Portal cross site scripting4.44.4$0-$5k$0-$5kNot definedNot defined 0.000340.05CVE-2024-52888
11Check Point Mobile Access SNX Bookmark cross site scripting3.53.5$0-$5k$0-$5kNot definedNot defined 0.000350.00CVE-2024-52887
12HPE iLO 5 Remote Code Execution8.17.9$5k-$25k$0-$5kNot definedOfficial fix 0.000730.02CVE-2022-28633
13Red Hat Enterprise Virtualization addAlert cross site scripting4.34.3$5k-$25k$0-$5kNot definedNot defined 0.002630.00CVE-2013-4181
14File file memory corruption5.45.1$0-$5k$0-$5kNot definedOfficial fix 0.000730.00CVE-2017-1000249
15IBM Rational Build Forge File access control4.33.8$5k-$25k$0-$5kUnprovenOfficial fix 0.003270.00CVE-2011-3391
16Apache Tomcat request smuggling5.35.2$5k-$25k$0-$5kNot definedOfficial fix 0.007530.09CVE-2023-45648
17Apache MINA SSHD path traversal4.34.2$5k-$25k$0-$5kNot definedOfficial fix 0.001000.09CVE-2023-35887
18Microsoft .NET Framework cross site scripting7.37.0$5k-$25k$0-$5kNot definedOfficial fix 0.251790.00CVE-2015-6099
19Hazelcast Client Protocol permissions6.96.8$0-$5k$0-$5kNot definedOfficial fix 0.001480.06CVE-2023-45859
20Grafana API Endpoint improper isolation or compartmentalization4.74.5$0-$5k$0-$5kNot definedOfficial fix 0.000410.00CVE-2024-8118

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • PowerDuke

IOC - Indicator of Compromise (8)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

IDIP addressHostnameActorCampaignsIdentifiedTypeConfidence
165.15.88.243adsl-065-015-088-243.sip.asm.bellsouth.netAPT29PowerDuke12/12/2020verifiedVery Low
281.82.196.162d5152c4a2.static.telenet.beAPT29PowerDuke12/12/2020verifiedLow
3XX.XXX.XX.XXXxxxxxxx.xxxx.xxXxxxxXxxxxxxxx12/12/2020verifiedLow
4XXX.XXX.XX.XXxxxxXxxxxxxxx12/12/2020verifiedLow
5XXX.XX.XX.XXxxx-xx-xx-xx.xxxxxxxxxxx.xxxxxXxxxxXxxxxxxxx12/12/2020verifiedLow
6XXX.XX.XXX.XXXxxxxxx.xxxx.xxxxxxxxxxxx.xxxXxxxxXxxxxxxxx12/12/2020verifiedVery Low
7XXX.XXX.XX.XXXxxxxxx-xx.xxxxxxxxxxxx.xxxXxxxxXxxxxxxxx12/12/2020verifiedVery Low
8XXX.XXX.XXX.XXxxxxxx.xxxxx.xxxXxxxxXxxxxxxxx12/12/2020verifiedLow

TTP - Tactics, Techniques, Procedures (12)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IDTechniqueClassVulnerabilitiesAccess VectorTypeConfidence
1T1006CAPEC-126CWE-22, CWE-24Path TraversalpredictiveHigh
2T1055CAPEC-10CWE-74Improper Neutralization of Data within XPath ExpressionspredictiveHigh
3T1059CAPEC-242CWE-94Argument InjectionpredictiveHigh
4TXXXX.XXXCAPEC-XXXCWE-XXXxxxx Xxxxx Xxxx XxxxxxxxxpredictiveHigh
5TXXXXCWE-XXXXxxxxxxxx Xxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
6TXXXXCAPEC-XXXCWE-XXXxxxxxx Xxxxx Xx Xxxxxxxxxx Xxxxxxxxxx XxxxxxxxxpredictiveHigh
7TXXXXCWE-XXX7xx Xxxxxxxx XxxxxxxxpredictiveHigh
8TXXXXCWE-XXXXxxxxxxxxx XxxxxxpredictiveHigh
9TXXXXCAPEC-XXXCWE-XXXxx XxxxxxxxxpredictiveHigh
10TXXXXCAPEC-XXCWE-XXXXxxxxxxxxxx XxxxxxxxxxpredictiveHigh
11TXXXXCAPEC-XXXCWE-XXXXxxxxxxxxx Xx Xxxxxxx Xxxxx Xxxxxxx Xxxxxxxxx XxxxxxxxxxxpredictiveHigh
12TXXXX.XXXCAPEC-XCWE-XXXXxxxxxxxxx Xxxxxxxxxxxxxx Xx Xxxxxxxx Xxxx XxxxxxxxxpredictiveHigh

IOA - Indicator of Attack (20)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

IDClassIndicatorTypeConfidence
1File/admin/sign/outpredictiveHigh
2File/owa/auth/logon.aspxpredictiveHigh
3File/setup.cgipredictiveMedium
4File/xxxx/xxxxxxx_xxxxxxx_xxxxxxx.xxxpredictiveHigh
5Filexxxxxxxxxxxxx/xxx_xxxxxxxx.xxxpredictiveHigh
6Filexxxx/xxxxxxxxxxxxxxx.xxxpredictiveHigh
7Filexxxxxxx/xxxxxx.xxxpredictiveHigh
8Filexxxx.xxxpredictiveMedium
9Filexxx/xxxxxx.xxxpredictiveHigh
10Library/_xxx_xxx/xxxxx.xxxpredictiveHigh
11ArgumentxxxxxxxxpredictiveMedium
12ArgumentxxxxxxxxpredictiveMedium
13ArgumentxxxxpredictiveLow
14ArgumentxxpredictiveLow
15ArgumentxxpredictiveLow
16ArgumentxxxxxpredictiveLow
17ArgumentxxxxxpredictiveLow
18ArgumentxxxxxxxxpredictiveMedium
19Input Value/../predictiveLow
20Network Portxxx/xxxxpredictiveMedium

References (3)

The following list contains external sources which discuss the actor and the associated activities:

PreviousOverviewNext

This view requires CTI permissions

Just purchase a CTI license today!