EwDoor Analysis

IOB - Indicator of Behavior (237)

Language

en 232
ru 4
jp 2

Country

sc 180
li 8
ml 2
us 2

Product

F5 BIG-IP 10
Microsoft Windows 8
Cisco ASA 8
Google Android 8
Apache HTTP Server 6

Vulnerabilities

Base and Temp are the CVSS base and temporal scores; 0day and Today are VulDB's exploit price estimates; Exploitability and Countermeasure are the CVSS temporal qualifiers; EPSS is the FIRST exploit prediction probability; CTI is VulDB's threat-intelligence activity score.

# | Vulnerability | Base | Temp | 0day | Today | Exploitability | Countermeasure | EPSS | CTI | CVE
1 | spring-boot-actuator-logview LogViewEndpoint.view directory traversal | 5.5 | 5.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00049 | 0.05 | CVE-2023-29986
2 | Apache HTTP Server privilege escalation | 5.3 | 5.1 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.00043 | 0.04 | CVE-2023-38709
3 | Jetty URI privilege escalation | 5.3 | 5.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.47555 | 0.00 | CVE-2021-34429
4 | portable SDK for UPnP unique_service_name buffer overflow | 10.0 | 9.5 | $0-$5k | $0-$5k | High | Official Fix | 0.97445 | 0.00 | CVE-2012-5958
5 | CKFinder File Name privilege escalation | 7.4 | 7.4 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00155 | 0.06 | CVE-2019-15862
6 | Asus RT-AC2900 privilege escalation | 8.5 | 8.2 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.08597 | 0.02 | CVE-2018-8826
7 | GitLab Community Edition/Enterprise Edition Permission privilege escalation | 5.3 | 5.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00054 | 0.04 | CVE-2019-18446
8 | phpMyAdmin PMA_safeUnserialize privilege escalation | 9.8 | 9.6 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00433 | 0.00 | CVE-2016-9865
9 | phpMyAdmin Username sql injection | 7.5 | 7.3 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00326 | 0.03 | CVE-2016-9864
10 | Red Hat JBoss Enterprise Application Platform Class privilege escalation | 3.5 | 3.4 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00362 | 0.00 | CVE-2023-3171
11 | Red Hat JBoss Core Services httpd directory traversal | 3.5 | 3.5 | $5k-$25k | $0-$5k | Not Defined | Not Defined | 0.00090 | 0.04 | CVE-2021-3688
12 | Ivanti Connect Secure/Policy Secure Web privilege escalation | 8.6 | 8.6 | $0-$5k | $0-$5k | High | Workaround | 0.97334 | 0.00 | CVE-2024-21887
13 | Ivanti Endpoint Manager sql injection | 9.2 | 9.1 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00053 | 0.02 | CVE-2023-39336
14 | Ivanti Sentry privilege escalation | 9.2 | 9.0 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00043 | 0.02 | CVE-2023-41724
15 | Ivanti Connect Secure/Policy Secure IPSec buffer overflow | 7.7 | 7.6 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00043 | 0.06 | CVE-2024-21894
16 | F5 BIG-IP Configuration Utility directory traversal | 9.3 | 9.1 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00321 | 0.07 | CVE-2023-41373
17 | F5 BIG-IP Configuration Utility weak authentication | 8.9 | 8.7 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.97135 | 0.02 | CVE-2023-46747
18 | F5 BIG-IP iControl REST Endpoint privilege escalation | 6.7 | 6.6 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00043 | 0.00 | CVE-2024-22093
19 | F5 BIG-IP/BIG-IQ scp privilege escalation | 7.0 | 6.8 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00043 | 0.02 | CVE-2024-21782
20 | F5 BIG-IP iControl REST weak authentication | 7.2 | 7.0 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00043 | 0.00 | CVE-2024-22389

Sorting this table by EPSS rather than by Base score changes the patching order: CVE-2012-5958, CVE-2024-21887 and CVE-2023-46747 (EPSS 0.97445, 0.97334 and 0.97135) are the entries with a realistic chance of in-the-wild exploitation, while four entries with a Base score of 9.2 or higher (CVE-2016-9865, CVE-2023-39336, CVE-2023-41724, CVE-2023-41373) sit below 0.005.

IOC - Indicator of Compromise (3)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

ID | IP address | Hostname | Actor | Campaigns | Identified | Type | Confidence
1 | 45.141.157.217 | ip-157-217.CN-Global | EwDoor | | 09/02/2022 | verified | High
2 | XXX.XX.XX.XX | xx.xx.xx.xxx.xx.xxx.xx | Xxxxxx | | 09/02/2022 | verified | High
3 | XXX.XXX.XX.XXX | | Xxxxxx | | 09/02/2022 | verified | High

TTP - Tactics, Techniques, Procedures (18)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weaknesses (CWE) | Access Vector | Type | Confidence
1 | T1006 | CWE-21, CWE-22, CWE-23 | Path Traversal | predictive | High
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | predictive | High
3 | T1055 | CWE-74 | Improper Neutralization of Data within XPath Expressions | predictive | High
4 | T1059 | CWE-94 | Argument Injection | predictive | High
5 | TXXXX.XXX | CWE-XXX | Xxxxx Xxxx Xxxxxxxxx | predictive | High
6 | TXXXX | CWE-XXX, CWE-XXX, CWE-XXX, CWE-XXX | Xxxxxxxxx Xxxx Xxxxxxxxxxx Xxxxxxxxxx | predictive | High
7 | TXXXX | CWE-XX, CWE-XX | Xxxxxxx Xxxxx Xx Xxxxxxxxxx Xxxxxxxxxx Xxxxxxxxx | predictive | High
8 | TXXXX | CWE-XXX, CWE-XXX | Xxxxxxxxxx Xxxxxx | predictive | High
9 | TXXXX | CWE-XX | Xxx Xxxxxxxxx | predictive | High
10 | TXXXX.XXX | CWE-XXX | Xxxxxxxx Xxxxxxxxxxxxx | predictive | High
11 | TXXXX | CWE-XXX, CWE-XXX, CWE-XXX | Xxxxxxxxxxx Xxxxxxxxxx | predictive | High
12 | TXXXX | CWE-XXX | Xxxxxxxxx Xxxxxxx Xx Xxxxxxxxx Xxxxxxxxxxx | predictive | High
13 | TXXXX.XXX | CWE-XXX | Xxxxxxxxxxxx | predictive | High
14 | TXXXX | CWE-XXX | Xxxxxxxxx Xxxxxx Xxxx | predictive | High
15 | TXXXX | CWE-XXX, CWE-XXX, CWE-XXX | Xxxxxxxxxx Xx Xxxxxxx Xxxxx Xxxxxxx Xxxxxxxxx Xxxxxxxxxxx | predictive | High
16 | TXXXX | CWE-XXX | Xxxxxxxxxxxxx Xxxxxx | predictive | High
17 | TXXXX.XXX | CWE-XXX, CWE-XXX | Xxx Xxxxxxxxxx Xxxxx | predictive | High
18 | TXXXX.XXX | CWE-XXX | Xxxxxxxxxx Xxxxxxxxxxxxxx Xx Xxxxxxxx Xxxx Xxxxxxxxx | predictive | High

IOA - Indicator of Attack (59)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1 | File | /admin/sysmon.php | predictive | High
2 | File | /api/content/posts/comments | predictive | High
3 | File | /debug/pprof | predictive | Medium
4 | File | /Home/GetAttachment | predictive | High
5 | File | /modules/projects/vw_files.php | predictive | High
6 | File | admin/limits.php | predictive | High
7 | File | cgi-bin/ddns_enc.cgi | predictive | High
8 | File | xxx.xxx | predictive | Low
9 | File | xxxxxx.x | predictive | Medium
10 | File | xxxx/xxxxxxxxxxxxxxx.xxx | predictive | High
11 | File | xxxx/xxxx | predictive | Medium
12 | File | xxxxxx/xxxxxxxxxx/xxxxxxxxxx.xx | predictive | High
13 | File | xxxxxx_xxx.x | predictive | Medium
14 | File | xxxxxxxxxxxxxx.xx | predictive | High
15 | File | xx/xxxxxxx/xxx.x | predictive | High
16 | File | xxx/xx/xxxx/xxxx.xxxxx.xxx | predictive | High
17 | File | xxxxx.xxx | predictive | Medium
18 | File | xxxxxx.x | predictive | Medium
19 | File | xxxxxxxx.xxx | predictive | Medium
20 | File | xxxxxxxxxxxx/xxx.x | predictive | High
21 | File | xxx_xxxxxxxxx.x | predictive | High
22 | File | xxxxxxx.xxx | predictive | Medium
23 | File | xxx_xxxxx_xxxx.x | predictive | High
24 | File | xxxxxxx/xxxx | predictive | Medium
25 | File | xxxxxxx.xxx | predictive | Medium
26 | File | xxxxxxxxxxxxxxxxxxxxx.xxxx | predictive | High
27 | File | xxxxxxxxxxxxxxxxxxxxx.xxxx | predictive | High
28 | File | xxxxxxxxxxxxx.xxx | predictive | High
29 | File | xxxxxxxx_xxxxxxxxxxxx_xxxxxx.xx | predictive | High
30 | File | xxx_xxxxx_xxxxxxxxx.x | predictive | High
31 | File | xxxxxxxx/xxxx/xxxx.xxx?xxxxxx=xxxxxxxxxxxxxxxx | predictive | High
32 | File | xxxxxxxxxxxxxxx.xxx | predictive | High
33 | File | xxxxxxxx/xxxxxxxxxxxx-xxxxxxxxxx | predictive | High
34 | File | xxxxxx/xxxxxxx/xxxxxx/xxxxxxxx.xxx | predictive | High
35 | File | xxxx.xxx | predictive | Medium
36 | File | xxx xxxx xxxxxxx | predictive | High
37 | File | xx-xxxxxxxx/xxxxx-xx-xxxxx.xxx | predictive | High
38 | Library | xxx-xx-xxx-xxxx-xxxx-xx-x-x.xxx | predictive | High
39 | Argument | -x | predictive | Low
40 | Argument | xxxxxxxxxxxxxx | predictive | High
41 | Argument | xxxxxx/xxxxxxx | predictive | High
42 | Argument | xxxxxxxx[xxxx_xxx] | predictive | High
43 | Argument | xxxxxxxx xxxx/xxxxxxxx xxxxxxxx/xxxxxxxx xxxxxxx xx/xxxxxxx/xxxx | predictive | High
44 | Argument | xxxxxx xxxxxx | predictive | High
45 | Argument | xxxx_xxxxxxx | predictive | Medium
46 | Argument | xx | predictive | Low
47 | Argument | xxxxxxxx | predictive | Medium
48 | Argument | xxxxxxxxxx | predictive | Medium
49 | Argument | xxxx_xxx_xxxxxxxx_xxx | predictive | High
50 | Argument | xxxxxxx | predictive | Low
51 | Argument | xxxxx/xxxxxxxx | predictive | High
52 | Argument | xxxxx | predictive | Low
53 | Argument | xxxx | predictive | Low
54 | Argument | xx_xxx_xxxxx | predictive | Medium
55 | Input Value | ../ | predictive | Low
56 | Input Value | \x | predictive | Low
57 | Network Port | xxx/xx | predictive | Low
58 | Network Port | xxx/xxx | predictive | Low
59 | Network Port | xxx/xxxx | predictive | Medium
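The IOC and IOA entries above are only useful once they are matched against telemetry. The Python script below is an added example, not code from VulDB or from the EwDoor research, showing one way to do that for a web-server access log: it parses combined-format lines, percent-decodes the request target twice (so double-encoded `%252e%252e` traversal is seen), collapses dot segments so that the `../` Input Value indicator cannot hide a listed path, flags the verified IOC address, and matches the seven unredacted File indicators segment-wise and case-insensitively. The log lines are constructed for the demonstration and are not real EwDoor traffic; the regular expression, the function names and the decision to decode twice are this example's own choices, not part of the page. Redacted rows and the Argument and Network Port classes are not used because their values are not present here.

```python
"""Triage web-server access logs against the EwDoor IOA/IOC entries (added example)."""
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Unredacted File indicators copied from the IOA table and the verified IOC address.
IOA_PATHS = (
    "/admin/sysmon.php",
    "/api/content/posts/comments",
    "/debug/pprof",
    "/Home/GetAttachment",
    "/modules/projects/vw_files.php",
    "admin/limits.php",
    "cgi-bin/ddns_enc.cgi",
)
IOC_IPS = frozenset({"45.141.157.217"})

# Apache/nginx combined log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return the captured fields of one combined-format line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_target(target):
    """Percent-decode twice so %252e%252e (double encoding) becomes '..'."""
    for _ in range(2):
        target = unquote(target)
    return target


def normalize_path(target):
    """Return (collapsed path, traversal flag) for a request target.
    Traversal is judged on the decoded target, path and query included,
    before dot segments are collapsed, so '/x/../admin' is still reported."""
    decoded = decode_target(target)
    traversal = "../" in decoded or "..\\" in decoded
    path = urlsplit(decoded).path or "/"
    return posixpath.normpath(path), traversal


def find_ioa(path):
    """First IOA path whose segments appear contiguously in the request path.
    Comparison is case-insensitive because IIS-style targets are."""
    segs = [s.lower() for s in path.split("/") if s]
    for ind in IOA_PATHS:
        want = [s.lower() for s in ind.split("/") if s]
        n = len(want)
        if any(segs[i:i + n] == want for i in range(len(segs) - n + 1)):
            return ind
    return None


def scan_log(lines):
    """Return one hit per matching line: {'ip', 'path', 'reasons'}."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path, traversal = normalize_path(rec["target"])
        reasons = []
        if rec["ip"] in IOC_IPS:
            reasons.append("ioc_ip:" + rec["ip"])
        ind = find_ioa(path)
        if ind:
            reasons.append("ioa_path:" + ind)
        if traversal:
            reasons.append("traversal")
        if reasons:
            hits.append({"ip": rec["ip"], "path": path, "reasons": reasons})
    return hits


# Constructed sample lines (not real traffic); 198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges.
SAMPLE_LOG = [
    '45.141.157.217 - - [09/Feb/2022:10:15:32 +0000] "GET /debug/pprof/goroutine?debug=2 HTTP/1.1" 200 5123',
    '198.51.100.7 - - [09/Feb/2022:10:16:01 +0000] "GET /modules/projects/vw_files.php?file=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1042',
    '203.0.113.9 - - [09/Feb/2022:10:16:40 +0000] "GET /images/logo.png HTTP/1.1" 200 8891',
    '203.0.113.9 - - [09/Feb/2022:10:17:05 +0000] "POST /portal/Admin/Limits.php HTTP/1.1" 200 301',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["path"], ", ".join(hit["reasons"]))
```

Matching on the normalized path is what makes `/portal/Admin/Limits.php` and the double-encoded `vw_files.php` request hit; a literal substring search on the raw request line would miss both. Treat the predictive IOA rows as hunting hypotheses rather than confirmed signatures: `/debug/pprof`, for instance, is a legitimate Go profiling endpoint, so a hit there is a lead to be checked against the source address and the rest of the session.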

References (2)

The following list contains external sources which discuss the actor and the associated activities:
