TA413 Analysis

IOB - Indicator of Behavior (63)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

  • en: 50
  • zh: 14

Country

  • cn: 38
  • us: 22
  • gb: 4

Actors

Activities

Interest

Timeline

Type

Vendor

Product

  • Citrix ADC: 4
  • Citrix Gateway: 4
  • Citrix SD-WAN WANOP: 4
  • WordPress: 4
  • Cisco Wireless LAN Controller: 4

Vulnerabilities

#  | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | CTI | EPSS | CVE
1  | Fortinet FortiOS SSL VPN integer overflow | 8.7 | 8.5 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.02 | 0.00261 | CVE-2021-26109
2  | Cisco Wireless LAN Controller CAPWAP information disclosure | 6.8 | 6.7 | $5k-$25k | Calculating | Not Defined | Official Fix | 0.00 | 0.00249 | CVE-2018-0442
3  | PRTG Network Monitor Screenshot information disclosure | 3.5 | 3.4 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.00084 | CVE-2021-27220
4  | PRTG Network Monitor Web Console os command injection | 6.7 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.02 | 0.61999 | CVE-2018-9276
5  | WordPress wp-db-backup.php path traversal | 7.3 | 6.6 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.02 | 0.01009 | CVE-2008-0194
6  | WordPress wp_crop_image path traversal | 5.9 | 5.8 | $5k-$25k | $0-$5k | Proof-of-Concept | Not Defined | 0.04 | 0.95884 | CVE-2019-8943
7  | open-graph code injection | 7.3 | 7.0 | $0-$5k | Calculating | Not Defined | Official Fix | 0.03 | 0.00236 | CVE-2021-23419
8  | Microsoft Windows Win32k Local Privilege Escalation | 7.8 | 7.1 | $25k-$100k | $5k-$25k | Unproven | Official Fix | 0.06 | 0.00048 | CVE-2024-20683
9  | Oracle Database Java VM access control | 5.3 | 5.2 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.02 | 0.00182 | CVE-2018-3004
10 | Sierra Wireless AirLink LS300 access control | 9.8 | 9.4 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.02 | 0.00439 | CVE-2018-10251
11 | Apple iOS/iPadOS WebKit use after free | 6.3 | 6.0 | $100k and more | $5k-$25k | High | Official Fix | 0.00 | 0.00243 | CVE-2022-22620
12 | Apache APR-util apr-util apr_rmm.c apr_rmm_realloc numeric error | 10.0 | 9.4 | $25k-$100k | $0-$5k | Proof-of-Concept | Not Defined | 0.00 | 0.10955 | CVE-2009-2412
13 | rails_multisite cookie validation | 7.4 | 7.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.00104 | CVE-2021-41263
14 | RDoc Filename Privilege Escalation | 5.5 | 5.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.00065 | CVE-2021-31799
15 | Fortinet FortiOS/FortiProxy autod Daemon access control | 8.3 | 8.1 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.04 | 0.00044 | CVE-2021-26110
16 | Citrix ADC/Gateway/SD-WAN WANOP SAML Authentication access control | 5.5 | 5.5 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.02 | 0.00152 | CVE-2021-22920
17 | ManageEngine Desktop Central Notification Server command injection | 8.5 | 8.4 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.00111 | CVE-2021-28960
18 | Palo Alto PAN-OS GlobalProtect Portal stack-based overflow | 9.8 | 9.6 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.03 | 0.00234 | CVE-2021-3064
19 | Cisco IOS XE CAPWAP Packet double free | 8.0 | 7.9 | $25k-$100k | $5k-$25k | Not Defined | Official Fix | 0.00 | 0.00137 | CVE-2021-34769
20 | Fortinet FortiOS Two Factor Authentication improper authentication | 8.0 | 7.7 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.02923 | CVE-2020-12812


Campaigns (1)

These are the campaigns that can be associated with the actor:

  • FriarFox Browser Extension

IOC - Indicator of Compromise (3)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

ID | IP address | Hostname | Actor | Campaigns | Identified | Type | Confidence
1  | 115.126.6.47 | | TA413 | FriarFox Browser Extension | 05/31/2021 | verified | High
2  | XXX.XX.X.XX | | Xxxxx | Xxxxxxxx Xxxxxxx Xxxxxxxxx | 05/31/2021 | verified | High
3  | XXX.XXX.XX.XXX | xxx.xxx.xx.xxx.xxxxx.xxx | Xxxxx | Xxxxxxxx Xxxxxxx Xxxxxxxxx | 05/31/2021 | verified | Medium

TTP - Tactics, Techniques, Procedures (9)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Vulnerabilities | Access Vector | Type | Confidence
1  | T1006 | CWE-22 | Path Traversal | predictive | High
2  | T1055 | CWE-74 | Improper Neutralization of Data within XPath Expressions | predictive | High
3  | TXXXX | CWE-XXX | Xxxxxxx Xxxxxxxxx | predictive | High
4  | TXXXX.XXX | CWE-XXX | Xxxx Xxxx Xxxxxxxxx | predictive | High
5  | TXXXX | CWE-XXX, CWE-XXX | Xxxxxxxxx Xxxx Xxxxxxxxxxx Xxxxxxxxxx | predictive | High
6  | TXXXX.XXX | CWE-XXX | Xxxx-xxxxx Xxxxxxxxxxx | predictive | High
7  | TXXXX | CWE-XX, CWE-XXX | Xxxxxx Xxxxx Xx Xxxxxxxxxx Xxxxxxxxxx Xxxxxxxxx | predictive | High
8  | TXXXX | CWE-XXX | Xx Xxxxxxxxx | predictive | High
9  | TXXXX | CWE-XXX | Xxxxxxxxxx Xx Xxxxxxx Xxxxx Xxxxxxx Xxxxxxxxx Xxxxxxxxxxx | predictive | High

IOA - Indicator of Attack (16)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1  | File | /public/login.htm | predictive | High
2  | File | /usr/bin/sonia | predictive | High
3  | File | index.php | predictive | Medium
4  | File | xxxxxxxxxx.xxx | predictive | High
5  | File | xxxx/xxx_xxx.x | predictive | High
6  | File | xxxxx.xxx | predictive | Medium
7  | File | xxxxx.x | predictive | Low
8  | File | xxxxxxxxxxxxx.xxx | predictive | High
9  | File | xxx xxxxxxx | predictive | Medium
10 | File | xx-xx-xxxxxx.xxx | predictive | High
11 | Library | xxxxxxxxxxx.xxx | predictive | High
12 | Argument | xxxxxx | predictive | Low
13 | Argument | xxxxxxx | predictive | Low
14 | Argument | xxxx->xxxxxxx | predictive | High
15 | Input Value | .xxx?/../../xxxx.xxx | predictive | High
16 | Input Value | xxxxxxxx | predictive | Medium

References (2)

The following list contains external sources which discuss the actor and the associated activities: