TA413 Analysis

IOB - Indicator of Behavior (64)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en (38)
zh (26)

Country

Actors

Activities

Interest

Timeline

Type

Vendor

Product

PRTG Network Monitor (6)
Citrix ADC (4)
Citrix Gateway (4)
Citrix SD-WAN WANOP (4)
Telos Automated Message Handling System (4)

Vulnerabilities

| # | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE |
|---|---------------|------|------|------|-------|-----|-----|------|-----|-----|
| 1 | Fortinet FortiOS SSL VPN integer overflow | 8.7 | 8.5 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00270 | 0.04 | CVE-2021-26109 |
| 2 | Cisco Wireless LAN Controller CAPWAP information disclosure | 6.8 | 6.7 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00122 | 0.00 | CVE-2018-0442 |
| 3 | PRTG Network Monitor Screenshot information disclosure | 3.5 | 3.4 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00084 | 0.00 | CVE-2021-27220 |
| 4 | PRTG Network Monitor Web Console os command injection | 6.7 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.48617 | 0.06 | CVE-2018-9276 |
| 5 | SPIP spip.php cross site scripting | 3.5 | 3.4 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00132 | 0.40 | CVE-2022-28959 |
| 6 | WordPress wp-db-backup.php path traversal | 7.3 | 6.6 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.01009 | 0.00 | CVE-2008-0194 |
| 7 | WordPress wp_crop_image path traversal | 5.9 | 5.8 | $5k-$25k | $0-$5k | Proof-of-Concept | Not Defined | 0.93780 | 0.03 | CVE-2019-8943 |
| 8 | open-graph code injection | 7.3 | 7.0 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00361 | 0.05 | CVE-2021-23419 |
| 9 | Microsoft Windows Win32k Local Privilege Escalation | 7.8 | 7.1 | $25k-$100k | $5k-$25k | Unproven | Official Fix | 0.00059 | 0.00 | CVE-2024-20683 |
| 10 | Oracle Database Java VM access control | 5.3 | 5.2 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00182 | 0.05 | CVE-2018-3004 |
| 11 | Sierra Wireless AirLink LS300 access control | 9.8 | 9.4 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00439 | 0.04 | CVE-2018-10251 |
| 12 | Apple iOS/iPadOS WebKit use after free | 6.3 | 6.0 | $25k-$100k | $5k-$25k | High | Official Fix | 0.00243 | 0.00 | CVE-2022-22620 |
| 13 | Apache APR-util apr-util apr_rmm.c apr_rmm_realloc numeric error | 10.0 | 9.4 | $25k-$100k | $0-$5k | Proof-of-Concept | Not Defined | 0.14824 | 0.04 | CVE-2009-2412 |
| 14 | rails_multisite cookie validation | 7.4 | 7.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00104 | 0.00 | CVE-2021-41263 |
| 15 | RDoc Filename Privilege Escalation | 5.5 | 5.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00065 | 0.00 | CVE-2021-31799 |
| 16 | Fortinet FortiOS/FortiProxy autod Daemon access control | 8.3 | 8.1 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00044 | 0.00 | CVE-2021-26110 |
| 17 | Citrix ADC/Gateway/SD-WAN WANOP SAML Authentication access control | 5.5 | 5.5 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.00157 | 0.07 | CVE-2021-22920 |
| 18 | ManageEngine Desktop Central Notification Server command injection | 8.5 | 8.4 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00750 | 0.00 | CVE-2021-28960 |
| 19 | Palo Alto PAN-OS GlobalProtect Portal stack-based overflow | 9.8 | 9.6 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00242 | 0.05 | CVE-2021-3064 |
| 20 | Cisco IOS XE CAPWAP Packet double free | 8.0 | 7.9 | $25k-$100k | $0-$5k | Not Defined | Official Fix | 0.00159 | 0.00 | CVE-2021-34769 |

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • FriarFox Browser Extension

IOC - Indicator of Compromise (3)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

| ID | IP address | Hostname | Actor | Campaigns | Identified | Type | Confidence |
|----|------------|----------|-------|-----------|------------|------|------------|
| 1 | 115.126.6.47 | | TA413 | FriarFox Browser Extension | 05/31/2021 | verified | Low |
| 2 | XXX.XX.X.XX | | Xxxxx | Xxxxxxxx Xxxxxxx Xxxxxxxxx | 05/31/2021 | verified | Low |
| 3 | XXX.XXX.XX.XXX | xxx.xxx.xx.xxx.xxxxx.xxx | Xxxxx | Xxxxxxxx Xxxxxxx Xxxxxxxxx | 05/31/2021 | verified | Very Low |

TTP - Tactics, Techniques, Procedures (9)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (17)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

| ID | Class | Indicator | Type | Confidence |
|----|-------|-----------|------|------------|
| 1 | File | /public/login.htm | predictive | High |
| 2 | File | /spip.php | predictive | Medium |
| 3 | File | /usr/bin/sonia | predictive | High |
| 4 | File | xxxxx.xxx | predictive | Medium |
| 5 | File | xxxxxxxxxx.xxx | predictive | High |
| 6 | File | xxxx/xxx_xxx.x | predictive | High |
| 7 | File | xxxxx.xxx | predictive | Medium |
| 8 | File | xxxxx.x | predictive | Low |
| 9 | File | xxxxxxxxxxxxx.xxx | predictive | High |
| 10 | File | xxx xxxxxxx | predictive | Medium |
| 11 | File | xx-xx-xxxxxx.xxx | predictive | High |
| 12 | Library | xxxxxxxxxxx.xxx | predictive | High |
| 13 | Argument | xxxxxx | predictive | Low |
| 14 | Argument | xxxxxxx | predictive | Low |
| 15 | Argument | xxxx->xxxxxxx | predictive | High |
| 16 | Input Value | .xxx?/../../xxxx.xxx | predictive | High |
| 17 | Input Value | xxxxxxxx | predictive | Medium |

References (2)

The following list contains external sources which discuss the actor and the associated activities: