APT39 Analysis

IOB - Indicator of Behavior (338)

Language

  • en (286)
  • es (14)
  • fr (8)
  • de (6)
  • ru (6)

Country

  • us (186)
  • ru (32)
  • es (18)
  • cn (16)
  • ir (12)

Product

  • Microsoft Windows (16)
  • PHP (8)
  • WordPress (8)
  • nginx (6)
  • phpMyAdmin (6)

Vulnerabilities

| # | Vulnerability | Base | Temp | 0day | Today | Exp | Con | EPSS | CTI | CVE |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure | 5.3 | 5.2 | $5k-$25k | $0-$5k | High | Workaround | 0.02016 | 0.02 | CVE-2007-1192 |
| 2 | nginx privilege escalation | 6.9 | 6.9 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00241 | 5.49 | CVE-2020-12440 |
| 3 | Microsoft IIS cross site scripting | 5.2 | 4.7 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.00548 | 0.14 | CVE-2017-0055 |
| 4 | VMware vRealize Orchestrator Path Redirect | 3.0 | 2.9 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00119 | 0.00 | CVE-2021-22036 |
| 5 | vm2 privilege escalation | 9.9 | 9.7 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00537 | 0.04 | CVE-2023-32314 |
| 6 | OpenSSH Authentication Username information disclosure | 5.3 | 4.8 | $5k-$25k | $0-$5k | High | Official Fix | 0.10737 | 0.18 | CVE-2016-6210 |
| 7 | PHPMailer Phar Deserialization addAttachment privilege escalation | 5.5 | 5.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00748 | 0.00 | CVE-2020-36326 |
| 8 | jQuery Property extend Pollution cross site scripting | 6.6 | 6.3 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.03535 | 0.18 | CVE-2019-11358 |
| 9 | Rust Programming Language Standard Library type_id buffer overflow | 7.7 | 7.5 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00301 | 0.00 | CVE-2019-12083 |
| 10 | WordPress sql injection | 6.8 | 6.7 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00467 | 0.03 | CVE-2022-21664 |
| 11 | Apple iOS WebKit buffer overflow | 6.3 | 6.0 | $25k-$100k | $5k-$25k | High | Official Fix | 0.00424 | 0.32 | CVE-2021-30666 |
| 12 | WordPress directory traversal | 5.7 | 5.6 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00326 | 0.04 | CVE-2023-2745 |
| 13 | Canon IJ Network Tool Wi-Fi Connection Setup information disclosure | 5.4 | 5.4 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00052 | 0.00 | CVE-2023-1763 |
| 14 | ciubotaru share-on-diaspora new_window.php cross site scripting | 4.4 | 4.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00063 | 0.05 | CVE-2017-20176 |
| 15 | Postfix Admin functions.inc.php sql injection | 7.3 | 7.0 | $5k-$25k | $0-$5k | High | Official Fix | 0.00253 | 0.03 | CVE-2014-2655 |
| 16 | D-Link DCS-2530L/DCS-2670L ddns_enc.cgi privilege escalation | 7.5 | 7.5 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.00135 | 0.02 | CVE-2020-25079 |
| 17 | Microsoft IIS IP/Domain Restriction privilege escalation | 6.5 | 5.7 | $25k-$100k | $0-$5k | Unproven | Official Fix | 0.00817 | 0.09 | CVE-2014-4078 |
| 18 | SourceCodester Library Management System bookdetails.php sql injection | 7.1 | 6.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00322 | 0.09 | CVE-2022-2214 |
| 19 | Phplinkdirectory PHP Link Directory conf_users_edit.php cross site request forgery | 6.3 | 6.0 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00526 | 0.14 | CVE-2011-0643 |
| 20 | Lotus Domino Request information disclosure | 5.3 | 5.1 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00877 | 0.00 | CVE-2002-0245 |

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • Chafer

IOC - Indicator of Compromise (17)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (19)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

| ID | Technique | Weaknesses | Access Vector | Type | Confidence |
|---|---|---|---|---|---|
| 1 | T1006 | CWE-21, CWE-22 | Path Traversal | predictive | High |
| 2 | T1040 | CWE-294, CWE-319 | Authentication Bypass by Capture-replay | predictive | High |
| 3 | T1055 | CWE-74 | Improper Neutralization of Data within XPath Expressions | predictive | High |
| 4 | T1059 | CWE-94 | Argument Injection | predictive | High |

IOA - Indicator of Attack (144)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

| ID | Class | Indicator | Type | Confidence |
|---|---|---|---|---|
| 1 | File | //etc/RT2870STA.dat | predictive | High |
| 2 | File | /admin/index.php?id=themes&action=edit_template&filename=blog | predictive | High |
| 3 | File | /api/login | predictive | Medium |
| 4 | File | /appConfig/userDB.json | predictive | High |
| 5 | File | /bin/boa | predictive | Medium |
| 6 | File | /cgi-bin/wapopen | predictive | High |
| 7 | File | /CPE | predictive | Low |
| 8 | File | /cwp_{SESSION_HASH}/admin/loader_ajax.php | predictive | High |
| 9 | File | /jquery_file_upload/server/php/index.php | predictive | High |
| 10 | File | /librarian/bookdetails.php | predictive | High |
| 11 | File | /magnoliaPublic/travel/members/login.html | predictive | High |
| 12 | File | /Main_AdmStatus_Content.asp | predictive | High |
| 13 | File | /public/login.htm | predictive | High |
| 14 | File | /requests.php | predictive | High |
| 15 | File | /self.key | predictive | Medium |
| 16 | File | /server-status | predictive | High |

References (4)

The following list contains external sources which discuss the actor and the associated activities:
