Sofacy Analysis

IOB - Indicator of Behavior (151)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en	136
de	14
zh	2

Country

us	48
ch	44
tr	10
cn	6
co	2

Actors

Sofacy	8
APT28	3
RTM	1
APT10	1
Needles	1

Activities

Interest

Timeline

Type

Not Defined	42
Content Management System	20
Operating System	8
Web Server	8
Router Operating System	6

Vendor

Not Defined	66
Microsoft	8
Apache	4
Oracle	4
Citrix	2

Product

WordPress	12
phpMyAdmin	6
Microsoft Windows	4
Drupal	4
Citrix Gateway Plug-in	2

Vulnerabilities

#	Vulnerability	Base	Temp	0day	Today	Exp	Rem	CTI	EPSS	CVE
1	Backdoor.Win32.Tiny.c Service Port 7778 backdoor	7.3	6.4	$0-$5k	$0-$5k	Proof-of-Concept	Workaround	0.01	0.00000
2	Linux Kernel NILFS File System inode.c security_inode_alloc use after free	8.3	8.1	$25k-$100k	$0-$5k	Not Defined	Official Fix	0.04	0.01404	CVE-2022-2978
3	SourceCodester Simple and Nice Shopping Cart Script profile.php unrestricted upload	6.3	5.7	$0-$5k	$0-$5k	Proof-of-Concept	Not Defined	0.02	0.00885	CVE-2022-2909
4	Crow HTTP Pipelining use after free	8.5	8.4	$0-$5k	$0-$5k	Not Defined	Official Fix	0.02	0.02509	CVE-2022-38667
5	mySCADA myPRO command injection	9.2	9.0	$0-$5k	$0-$5k	Not Defined	Official Fix	0.02	0.00885	CVE-2022-2234
6	GNU Bash Environment Variable variables.c Shellshock os command injection	9.8	9.3	$100k and more	$0-$5k	High	Official Fix	0.00	0.96235	CVE-2014-6271
7	WordPress Editor information disclosure	4.3	4.1	$5k-$25k	$0-$5k	Not Defined	Official Fix	0.08	0.00950	CVE-2021-29450
8	AnyMacro AnyMacro Mail System path traversal	5.3	5.3	$0-$5k	Calculating	Not Defined	Not Defined	0.02	0.01213	CVE-2011-2468
9	phpMyAdmin Configuration File setup.php code injection	7.3	7.0	$5k-$25k	$0-$5k	High	Official Fix	0.02	0.86435	CVE-2009-1151
10	WordPress class-wp-customize-widgets.php privileges management	7.3	6.4	$5k-$25k	$0-$5k	Unproven	Official Fix	0.03	0.06523	CVE-2014-5203
11	Zeus Zeus Web Server memory corruption	10.0	9.0	$0-$5k	$0-$5k	Proof-of-Concept	Official Fix	0.02	0.35205	CVE-2010-0359
12	x-text Language Tag out-of-bounds	5.5	5.4	$0-$5k	$0-$5k	Not Defined	Official Fix	0.27	0.01018	CVE-2021-38561
13	WordPress Pingback server-side request forgery	5.7	5.7	$5k-$25k	$5k-$25k	Not Defined	Not Defined	1.49	0.00885	CVE-2022-3590
14	Telepad missing authentication	7.3	7.3	$0-$5k	$0-$5k	Not Defined	Not Defined	0.08	0.01156	CVE-2022-45477
15	FreeBSD Ping pr_pack stack-based overflow	7.3	7.0	$5k-$25k	$0-$5k	Not Defined	Official Fix	0.00	0.00000	CVE-2022-23093
16	Red Hat OpenShift server_priv.pem default permission	4.5	4.5	$5k-$25k	$5k-$25k	Not Defined	Not Defined	0.04	0.00885	CVE-2013-4281
17	Linux Kernel NTFS3 Subsystem cleanup	7.0	7.0	$5k-$25k	$5k-$25k	Not Defined	Not Defined	0.00	0.00885	CVE-2022-3238
18	Microsoft Windows Mark of the Web unknown vulnerability	5.4	5.1	$25k-$100k	$5k-$25k	Functional	Official Fix	0.08	0.09127	CVE-2022-41049
19	Drupal Database Abstraction API expandArguments sql injection	7.3	7.0	$0-$5k	$0-$5k	High	Official Fix	0.04	0.93531	CVE-2014-3704
20	SQLite ALTER TABLE memory corruption	8.0	8.0	$0-$5k	$0-$5k	Not Defined	Not Defined	0.05	0.00885	CVE-2020-35527

Campaigns (2)

These are the campaigns that can be associated with the actor:

DealersChoice
Xxxxxxx

IOC - Indicator of Compromise (14)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

ID	IP address	Hostname	Actor	Campaigns	Type	Confidence
1	1.6.3.8		Sofacy		verified	High
2	23.0.0.185	a23-0-0-185.deploy.static.akamaitechnologies.com	Sofacy		verified	High
3	40.112.210.240		Sofacy		verified	High
4	XX.XXX.XXX.XXX	xxxxx.xxxxxxxxxxx.xxx	Xxxxxx	Xxxxxxx	verified	High
5	XX.XX.XX.XX		Xxxxxx		verified	High
6	XX.XX.XX.XXX		Xxxxxx		verified	High
7	XX.XXX.XX.XXX	xxxxxxxxxxxxxxxx.xxx	Xxxxxx	Xxxxxxx	verified	High
8	XX.XXX.XXX.XXX		Xxxxxx	Xxxxxxx	verified	High
9	XX.XXX.XX.XX	xxxxxx-xx.xxxxxxxx.xx	Xxxxxx	Xxxxxxxxxxxxx	verified	High
10	XXX.XX.XX.XX	xxxxx-xxxxx.xxxxxxx.xxxx	Xxxxxx		verified	High
11	XXX.XX.XX.XXX	xxxx-xxxxx.xxxxxxx.xxxx	Xxxxxx		verified	High
12	XXX.XXX.XX.XXX	xxxxxxx.xxxx-xxxxxx.xxx	Xxxxxx		verified	High
13	XXX.XXX.XXX.XX	xxxxxxxxxxxxx.xxx	Xxxxxx		verified	High
14	XXX.XXX.XXX.XXX		Xxxxxx		verified	High

TTP - Tactics, Techniques, Procedures (19)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

ID	Technique	Vulnerabilities	Access Vector	Type	Confidence
1	T1006	CWE-22	Pathname Traversal	predictive	High
2	T1040	CWE-294	Authentication Bypass by Capture-replay	predictive	High
3	T1055	CWE-74	Injection	predictive	High
4	T1059	CWE-94	Cross Site Scripting	predictive	High
5	TXXXX.XXX	CWE-XX, CWE-XX	Xxxxx Xxxx Xxxxxxxxx	predictive	High
6	TXXXX	CWE-XXX, CWE-XXX, CWE-XXX	Xxxxxxxxx Xxxx Xxxxxxxxxxx Xxxxxxxxxx	predictive	High
7	TXXXX.XXX	CWE-XXX	Xxxxxxxx Xxxxxxxxxxx Xx Xxxxxxxxx Xxxxxxxxxxxxxx Xxxxxxxx	predictive	High
8	TXXXX	CWE-XX, CWE-XX	Xxxxxxx Xxxxxxxxx	predictive	High
9	TXXXX.XXX	CWE-XXX	Xxxx Xxxxxxxx	predictive	High
10	TXXXX	CWE-XXX	7xx Xxxxxxxx Xxxxxxxx	predictive	High
11	TXXXX	CWE-XXX	Xxxxxxxxxx Xxxxxx	predictive	High
12	TXXXX	CWE-XXX	Xxxxxxxx Xx Xxxx Xxxxxxx Xxxxxxxxx Xxxxx	predictive	High
13	TXXXX	CWE-XX, CWE-XX	Xxx Xxxxxxxxx	predictive	High
14	TXXXX.XXX	CWE-XXX	Xxxxxxxx Xxxxxx Xxxx	predictive	High
15	TXXXX.XXX	CWE-XXX	Xxxxxxxx Xxxxxxxxxxx Xxxxxxxxxx	predictive	High
16	TXXXX.XXX	CWE-XXX	Xxxxxxxx	predictive	High
17	TXXXX	CWE-XXX	Xxxxxxxxxxxxx	predictive	High
18	TXXXX	CWE-XXX, CWE-XXX	X2xx Xxxxxxxxxxxxxxxx: Xxxx Xxxxxxxxxxxx Xxxxxxx Xxxxxxxxxx	predictive	High
19	TXXXX.XXX	CWE-XXX	Xxxxxxxxxxxx Xxxxxx	predictive	High

IOA - Indicator of Attack (77)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID	Class	Indicator	Type	Confidence
1	File	.procmailrc	predictive	Medium
2	File	/dashboard/updatelogo.php	predictive	High
3	File	/etc/openshift/server_priv.pem	predictive	High
4	File	/files.md5	predictive	Medium
5	File	/index.php	predictive	Medium
6	File	/info/headers	predictive	High
7	File	/mkshop/Men/profile.php	predictive	High
8	File	/Noxen-master/users.php	predictive	High
9	File	/uncpath/	predictive	Medium
10	File	xxxxxxx/xxxxxxxx.xxx	predictive	High
11	File	xxxxxxx/xxxx.xxx	predictive	High
12	File	xxxxxxx/xxxxxxxxxxxxx.xxx	predictive	High
13	File	xxxxx/xxxx/xxxxxxxxxx/xxxxxxxxxxx.xxx	predictive	High
14	File	xx/xxxxxx_xxx.xxx	predictive	High
15	File	xxxx/xxxxxxxxxxxx.xxx	predictive	High
16	File	xxx.xxx?xxx=xxxxx_xxxx	predictive	High
17	File	xxxxxxxx/xxxx	predictive	High
18	File	xx.x	predictive	Low
19	File	xxxxx.xxx	predictive	Medium
20	File	xxxxxxxxxx.xxx	predictive	High
21	File	xxxxxx.x	predictive	Medium
22	File	xxxxxxxx.xxx	predictive	Medium
23	File	xxxx_xxxx.x	predictive	Medium
24	File	xxxxx.xxx	predictive	Medium
25	File	xxxxxx.xxx	predictive	Medium
26	File	xxxxx.x	predictive	Low
27	File	xxxxxxxxxx.xxx	predictive	High
28	File	xxxxx_xxxxxxx.xxx	predictive	High
29	File	xxx/xxxxxxx/xxxxxx/xxxx/xxxxx/xxxxxxx/xxxxxx/xxxxx/xxx%xxxxxxxxxxxxx.xx.xxx	predictive	High
30	File	xxxx.xxx	predictive	Medium
31	File	xxxxx.xxx	predictive	Medium
32	File	xxxxx/xxxxx-xxxx-xxxxxxxx.xxx	predictive	High
33	File	xxxx.xxx.xxxxxxxxxx	predictive	High
34	File	xxxxxxxxx/xxxxx/xxxxxx.xxxx	predictive	High
35	File	xxxxxx/xxxx.xxx	predictive	High
36	File	xxxxxxxxxxxxxxxxx.xxx	predictive	High
37	File	xxxx/xxx/xxxx-xxxxx.xxx	predictive	High
38	File	xxxxxxxxx.x	predictive	Medium
39	File	xxxxxxx.xxx	predictive	Medium
40	File	xx-xxxxxxxx/xxxxx-xx-xxxxxxxxx-xxxxxxx.xxx	predictive	High
41	File	xx-xxxxxxxx/xxxxxxxxx.xxx	predictive	High
42	File	xxxxxx.xxx	predictive	Medium
43	File	xx_xxxxxxx.x	predictive	Medium
44	Library	xxxxxxxxx/xxx-xxxxxx/xxxxxxxx.xxx	predictive	High
45	Library	xxxxx.xxx	predictive	Medium
46	Argument	xxxx	predictive	Low
47	Argument	xxxxxxxxx	predictive	Medium
48	Argument	xxxx/xxxx	predictive	Medium
49	Argument	xxxxxx_xxxx_xxxxxxxx	predictive	High
50	Argument	xxxx	predictive	Low
51	Argument	xxx_xxxx/xxx_xxxxxxx	predictive	High
52	Argument	xxxxxx	predictive	Low
53	Argument	xxxxxxxxxxx	predictive	Medium
54	Argument	xxxx_xx	predictive	Low
55	Argument	xxxx	predictive	Low
56	Argument	xxx_xx	predictive	Low
57	Argument	xxxxxxxx	predictive	Medium
58	Argument	xxxxxxx[xxxxx]/xxxxxxx[xxxxxxxxxxx]	predictive	High
59	Argument	xxxx_xxxx	predictive	Medium
60	Argument	xxxxxx	predictive	Low
61	Argument	xxxxxxxxxxxx	predictive	Medium
62	Argument	xxxxxx	predictive	Low
63	Argument	xxxxxx_xx	predictive	Medium
64	Argument	xxxxx	predictive	Low
65	Argument	xxxx	predictive	Low
66	Argument	xxxxxx_xx	predictive	Medium
67	Argument	xxx	predictive	Low
68	Argument	xxxxxxxx	predictive	Medium
69	Argument	xxxxxxx	predictive	Low
70	Argument	xxxxx/xxxxx	predictive	Medium
71	Argument	_xxxx	predictive	Low
72	Input Value	"><xxxxxx>xxxxx(/xxx/)</xxxxxx>	predictive	High
73	Input Value	xxxxx' xxx (xxxxxx xxxx xxxx (xxxxxx(xxxxx(x)))xxxx) xxx 'xxxx'='xxxx&xxxxxxxx=xxxxxxxxxx	predictive	High
74	Input Value	xxx=/&xxx	predictive	Medium
75	Pattern	() {	predictive	Low
76	Network Port	xxx/xxxx (xxx)	predictive	High
77	Network Port	xxx/xxxx	predictive	Medium

References (6)

The following list contains external sources which discuss the actor and the associated activities:

◂ PreviousOverviewNext ▸

Do you need the next level of professionalism?

Upgrade your account now!