APT16 Analysis

IOB - Indicator of Behavior (29)

Language: en (22), zh (6), pl (2)

Country: us (20), cn (10)

Product: Bootstrap (2), Apple Mac OS X (2), ThinkPHP (2), Oracle MySQL Server (2), Esoftpro Online Guestbook Pro (2)

Vulnerabilities

# | Vulnerability | Base | Temp | 0day | Today | Exploitability | Remediation | CTI | EPSS | CVE
1 | Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure | 5.3 | 5.2 | $5k-$25k | $0-$5k | High | Workaround | 0.02 | 0.02016 | CVE-2007-1192
2 | MGB OpenSource Guestbook email.php sql injection | 7.3 | 7.3 | $0-$5k | $0-$5k | High | Unavailable | 0.44 | 0.01302 | CVE-2007-0354
3 | OpenVPN External Authentication Plug-in weak authentication | 3.7 | 3.7 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00 | 0.00502 | CVE-2022-0547
4 | XXL-JOB privilege escalation | 7.1 | 7.0 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.02 | 0.00087 | CVE-2022-36157
5 | ThinkPHP index.php Privilege Escalation | 6.3 | 6.1 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.03 | 0.00344 | CVE-2021-44892
6 | ThinkPHP AbstractCache.php privilege escalation | 7.6 | 7.6 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.05 | 0.00201 | CVE-2022-33107
7 | XXL-Job add cross site request forgery | 4.3 | 4.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00 | 0.00106 | CVE-2022-29002
8 | Bootstrap add_product.php cross site scripting | 3.5 | 3.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.03 | 0.00068 | CVE-2022-26624
9 | Yii ActiveRecord.php findByCondition sql injection | 8.5 | 8.2 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.02 | 0.00119 | CVE-2018-7269
10 | Yii unserialize privilege escalation | 7.7 | 6.7 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.02822 | CVE-2020-15148
11 | Oracle MySQL Server Stored Procedure denial of service | 4.9 | 4.8 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.00076 | CVE-2022-21534
12 | osCommerce currencies.php Reflected cross site scripting | 3.5 | 3.2 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00 | 0.00000 | 
13 | Microsoft Windows Kernel privilege escalation | 8.5 | 8.3 | $25k-$100k | $5k-$25k | Not Defined | Official Fix | 0.00 | 0.00053 | CVE-2019-0881
14 | Esoftpro Online Guestbook Pro ogp_show.php sql injection | 7.3 | 6.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.17 | 0.00108 | CVE-2009-4935
15 | DZCP deV!L`z Clanportal config.php privilege escalation | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.57 | 0.00943 | CVE-2010-0966
16 | DZCP deV!L`z Clanportal browser.php information disclosure | 5.3 | 5.0 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 1.09 | 0.02733 | CVE-2007-1167
17 | Phorum register.php sql injection | 7.3 | 6.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.02 | 0.00509 | CVE-2004-0035
18 | Expinion.net News Manager Lite comment_add.asp cross site scripting | 4.3 | 3.8 | $0-$5k | Calculating | Unproven | Official Fix | 0.02 | 0.00607 | CVE-2004-1845
19 | Adult Script Pro download sql injection | 8.5 | 8.3 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.02 | 0.00224 | CVE-2017-15959
20 | Apple Mac OS X File Sharing privilege escalation | 3.7 | 3.6 | $5k-$25k | Calculating | Not Defined | Official Fix | 0.03 | 0.00145 | CVE-2003-0379

IOC - Indicator of Compromise (1)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

ID | IP address | Hostname | Actor | Campaigns | Identified | Type | Confidence
1 | 121.127.249.74 |  | APT16 |  | 2020-12-11 | verified | High

TTP - Tactics, Techniques, Procedures (6)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Vulnerabilities | Access Vector | Type | Confidence
1 | T1059 | CWE-94 | Argument Injection | predictive | High
2 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | predictive | High
3 | TXXXX | CWE-XXX, CWE-XXX | Xxxxxxxxx Xxxx Xxxxxxxxxxx Xxxxxxxxxx | predictive | High
4 | TXXXX | CWE-XXX | Xxxxxxxxxx Xxxxxx | predictive | High
5 | TXXXX | CWE-XX | Xxx Xxxxxxxxx | predictive | High
6 | TXXXX | CWE-XXX | Xxxxxxxxxx Xx Xxxxxxx Xxxxx Xxxxxxx Xxxxxxxxx Xxxxxxxxxxx | predictive | High

IOA - Indicator of Attack (24)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1 | File | /download | predictive | Medium
2 | File | /gaia-job-admin/user/add | predictive | High
3 | File | /oscommerce/admin/currencies.php | predictive | High
4 | File | /xxxxxx/xxxxx/xxx_xxxxxxx.xxx | predictive | High
5 | File | xxxxxxx_xxx.xxx | predictive | High
6 | File | xxxx/xxxxxxxxxxxxxxx.xxx | predictive | High
7 | File | xxxxx.xxx | predictive | Medium
8 | File | xxxxxxxxx/xx/xxxxxxxxxxxx.xxx | predictive | High
9 | File | xxx/xxxxxx.xxx | predictive | High
10 | File | xxx/xxxxxxxxxxx/xxxxxxx.xxx | predictive | High
11 | File | xxxxx.xxx | predictive | Medium
12 | File | xxx_xxxx.xxx | predictive | Medium
13 | File | xxxxxxxx.xxx | predictive | Medium
14 | File | xxxxxx\xxxxxx\xxxxxxxxx-xxxxxx-xxxxxxx\xxx\xxxxxxx\xxxxxxxxxxxxx.xxx | predictive | High
15 | Argument | xxxxxxxx | predictive | Medium
16 | Argument | xxxxxxx | predictive | Low
17 | Argument | xxxx | predictive | Low
18 | Argument | xxxx_xxxxx | predictive | Medium
19 | Argument | xx | predictive | Low
20 | Argument | xxxx | predictive | Low
21 | Argument | xxxx_xxxx | predictive | Medium
22 | Argument | xxxxx | predictive | Low
23 | Argument | xxxxx[_xxxxxxxx] | predictive | High
24 | Input Value | %xx%xx%xxxxxxxx%xxxxxxx%xxxxxxxxxx.xxxxxx%xx%xx/xxxxxx%xx%xxxxx%xxxxxxx=%xxx | predictive | High
