EwDoor Analysis

IOB - Indicator of Behavior (237)

Timeline

Language

en: 224
ru: 14

Country

sc: 180
li: 16
us: 4
cn: 2
ml: 2

Actors

Activities

Effort

Timeline

Type

Vendor

Product

Microsoft Windows: 8
F5 BIG-IP: 8
Cisco ASA: 8
Google Android: 6
Google Chrome: 6

Vulnerabilities

Base and Temp are the CVSS base and temporal scores, 0day and Today are exploit price estimates, EPSS is the FIRST EPSS exploitation probability, and CTI is the actor-specific threat-intelligence interest score.

# | Vulnerability | Base | Temp | 0day | Today | Exploit | Remediation | EPSS | CTI | CVE
1 | spring-boot-actuator-logview LogViewEndpoint.view directory traversal | 5.5 | 5.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00049 | 0.05 | CVE-2023-29986
2 | Apache HTTP Server privilege escalation | 5.3 | 5.1 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.00043 | 0.00 | CVE-2023-38709
3 | Jetty URI privilege escalation | 5.3 | 5.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.47555 | 0.00 | CVE-2021-34429
4 | portable SDK for UPnP unique_service_name memory corruption | 10.0 | 9.5 | $0-$5k | $0-$5k | High | Official Fix | 0.97445 | 0.00 | CVE-2012-5958
5 | CKFinder File Name privilege escalation | 7.4 | 7.4 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00155 | 0.06 | CVE-2019-15862
6 | Asus RT-AC2900 privilege escalation | 8.5 | 8.2 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.08597 | 0.02 | CVE-2018-8826
7 | GitLab Community Edition/Enterprise Edition Permission privilege escalation | 5.3 | 5.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00054 | 0.04 | CVE-2019-18446
8 | phpMyAdmin PMA_safeUnserialize privilege escalation | 9.8 | 9.6 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00433 | 0.00 | CVE-2016-9865
9 | phpMyAdmin Username sql injection | 7.5 | 7.3 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00326 | 0.03 | CVE-2016-9864
10 | Red Hat JBoss Enterprise Application Platform Class privilege escalation | 3.5 | 3.4 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00362 | 0.00 | CVE-2023-3171
11 | Red Hat JBoss Core Services httpd directory traversal | 3.5 | 3.5 | $5k-$25k | $0-$5k | Not Defined | Not Defined | 0.00090 | 0.04 | CVE-2021-3688
12 | Ivanti Connect Secure/Policy Secure Web privilege escalation | 8.6 | 8.6 | $0-$5k | $0-$5k | High | Workaround | 0.97322 | 0.00 | CVE-2024-21887
13 | Ivanti Endpoint Manager sql injection | 9.2 | 9.1 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00053 | 0.02 | CVE-2023-39336
14 | Ivanti Sentry privilege escalation | 9.2 | 9.0 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00043 | 0.02 | CVE-2023-41724
15 | Ivanti Connect Secure/Policy Secure IPSec memory corruption | 7.7 | 7.6 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00043 | 0.06 | CVE-2024-21894
16 | F5 BIG-IP Configuration Utility directory traversal | 9.3 | 9.1 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00321 | 0.07 | CVE-2023-41373
17 | F5 BIG-IP Configuration Utility weak authentication | 8.9 | 8.7 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.97135 | 0.00 | CVE-2023-46747
18 | F5 BIG-IP iControl REST Endpoint privilege escalation | 6.7 | 6.6 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00043 | 0.00 | CVE-2024-22093
19 | F5 BIG-IP/BIG-IQ scp privilege escalation | 7.0 | 6.8 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00043 | 0.04 | CVE-2024-21782
20 | F5 BIG-IP iControl REST weak authentication | 7.2 | 7.0 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00043 | 0.00 | CVE-2024-22389

IOC - Indicator of Compromise (3)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

ID | IP address | Hostname | Actor | Campaigns | Identified | Type | Confidence
1 | 45.141.157.217 | ip-157-217.CN-Global | EwDoor | | 2022-02-09 | verified | High
2 | XXX.XX.XX.XX | xx.xx.xx.xxx.xx.xxx.xx | Xxxxxx | | 2022-02-09 | verified | High
3 | XXX.XXX.XX.XXX | | Xxxxxx | | 2022-02-09 | verified | High

TTP - Tactics, Techniques, Procedures (18)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Vulnerabilities | Access Vector | Type | Confidence
1 | T1006 | CWE-21, CWE-22, CWE-23 | Path Traversal | predictive | High
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | predictive | High
3 | T1055 | CWE-74 | Improper Neutralization of Data within XPath Expressions | predictive | High
4 | T1059 | CWE-94 | Argument Injection | predictive | High
5 | TXXXX.XXX | CWE-XXX | Xxxxx Xxxx Xxxxxxxxx | predictive | High
6 | TXXXX | CWE-XXX, CWE-XXX, CWE-XXX, CWE-XXX | Xxxxxxxxx Xxxx Xxxxxxxxxxx Xxxxxxxxxx | predictive | High
7 | TXXXX | CWE-XX, CWE-XX | Xxxxxxxx Xxxxx Xx Xxxxxxxxxx Xxxxxxxxxx Xxxxxxxxx | predictive | High
8 | TXXXX | CWE-XXX, CWE-XXX | Xxxxxxxxxx Xxxxxx | predictive | High
9 | TXXXX | CWE-XX | Xxx Xxxxxxxxx | predictive | High
10 | TXXXX.XXX | CWE-XXX | Xxxxxxxx Xxxxxxxxxxxxx | predictive | High
11 | TXXXX | CWE-XXX, CWE-XXX, CWE-XXX | Xxxxxxxxxxx Xxxxxxxxxx | predictive | High
12 | TXXXX | CWE-XXX | Xxxxxxxxx Xxxxxxx Xx Xxxxxxxxx Xxxxxxxxxxx | predictive | High
13 | TXXXX.XXX | CWE-XXX | Xxxxxxxxxxxx | predictive | High
14 | TXXXX | CWE-XXX | Xxxxxxxxx Xxxxxx Xxxx | predictive | High
15 | TXXXX | CWE-XXX, CWE-XXX, CWE-XXX | Xxxxxxxxxx Xx Xxxxxxx Xxxxx Xxxxxxx Xxxxxxxxx Xxxxxxxxxxx | predictive | High
16 | TXXXX | CWE-XXX | Xxxxxxxxxxxxx Xxxxxx | predictive | High
17 | TXXXX.XXX | CWE-XXX, CWE-XXX | Xxx Xxxxxxxxxx Xxxxx | predictive | High
18 | TXXXX.XXX | CWE-XXX | Xxxxxxxxxx Xxxxxxxxxxxxxx Xx Xxxxxxxx Xxxx Xxxxxxxxx | predictive | High

IOA - Indicator of Attack (59)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1 | File | /admin/sysmon.php | predictive | High
2 | File | /api/content/posts/comments | predictive | High
3 | File | /debug/pprof | predictive | Medium
4 | File | /Home/GetAttachment | predictive | High
5 | File | /modules/projects/vw_files.php | predictive | High
6 | File | admin/limits.php | predictive | High
7 | File | cgi-bin/ddns_enc.cgi | predictive | High
8 | File | xxx.xxx | predictive | Low
9 | File | xxxxxx.x | predictive | Medium
10 | File | xxxx/xxxxxxxxxxxxxxx.xxx | predictive | High
11 | File | xxxx/xxxx | predictive | Medium
12 | File | xxxxxx/xxxxxxxxxx/xxxxxxxxxx.xx | predictive | High
13 | File | xxxxxx_xxx.x | predictive | Medium
14 | File | xxxxxxxxxxxxxx.xx | predictive | High
15 | File | xx/xxxxxxx/xxx.x | predictive | High
16 | File | xxx/xx/xxxx/xxxx.xxxxx.xxx | predictive | High
17 | File | xxxxx.xxx | predictive | Medium
18 | File | xxxxxx.x | predictive | Medium
19 | File | xxxxxxxx.xxx | predictive | Medium
20 | File | xxxxxxxxxxxx/xxx.x | predictive | High
21 | File | xxx_xxxxxxxxx.x | predictive | High
22 | File | xxxxxxx.xxx | predictive | Medium
23 | File | xxx_xxxxx_xxxx.x | predictive | High
24 | File | xxxxxxx/xxxx | predictive | Medium
25 | File | xxxxxxx.xxx | predictive | Medium
26 | File | xxxxxxxxxxxxxxxxxxxxx.xxxx | predictive | High
27 | File | xxxxxxxxxxxxxxxxxxxxx.xxxx | predictive | High
28 | File | xxxxxxxxxxxxx.xxx | predictive | High
29 | File | xxxxxxxx_xxxxxxxxxxxx_xxxxxx.xx | predictive | High
30 | File | xxx_xxxxx_xxxxxxxxx.x | predictive | High
31 | File | xxxxxxxx/xxxx/xxxx.xxx?xxxxxx=xxxxxxxxxxxxxxxx | predictive | High
32 | File | xxxxxxxxxxxxxxx.xxx | predictive | High
33 | File | xxxxxxxx/xxxxxxxxxxxx-xxxxxxxxxx | predictive | High
34 | File | xxxxxx/xxxxxxx/xxxxxx/xxxxxxxx.xxx | predictive | High
35 | File | xxxx.xxx | predictive | Medium
36 | File | xxx xxxx xxxxxxx | predictive | High
37 | File | xx-xxxxxxxx/xxxxx-xx-xxxxx.xxx | predictive | High
38 | Library | xxx-xx-xxx-xxxx-xxxx-xx-x-x.xxx | predictive | High
39 | Argument | -x | predictive | Low
40 | Argument | xxxxxxxxxxxxxx | predictive | High
41 | Argument | xxxxxx/xxxxxxx | predictive | High
42 | Argument | xxxxxxxx[xxxx_xxx] | predictive | High
43 | Argument | xxxxxxxx xxxx/xxxxxxxx xxxxxxxx/xxxxxxxx xxxxxxx xx/xxxxxxx/xxxx | predictive | High
44 | Argument | xxxxxx xxxxxx | predictive | High
45 | Argument | xxxx_xxxxxxx | predictive | Medium
46 | Argument | xx | predictive | Low
47 | Argument | xxxxxxxx | predictive | Medium
48 | Argument | xxxxxxxxxx | predictive | Medium
49 | Argument | xxxx_xxx_xxxxxxxx_xxx | predictive | High
50 | Argument | xxxxxxx | predictive | Low
51 | Argument | xxxxx/xxxxxxxx | predictive | High
52 | Argument | xxxxx | predictive | Low
53 | Argument | xxxx | predictive | Low
54 | Argument | xx_xxx_xxxxx | predictive | Medium
55 | Input Value | ../ | predictive | Low
56 | Input Value | \x | predictive | Low
57 | Network Port | xxx/xx | predictive | Low
58 | Network Port | xxx/xxx | predictive | Low
59 | Network Port | xxx/xxxx | predictive | Medium
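As an added example (not from this page and not EwDoor or vuldb tooling), the following Python scans web-server access-log lines in Common Log Format for the unmasked indicators in the IOC and IOA tables above: the verified source IP 45.141.157.217, the seven readable File-class paths, and the two Input Value fragments "../" (T1006 path traversal) and "\x". The log lines are constructed for the demo. Two assumptions are mine: File entries without a leading slash are matched anywhere in the request path because the page gives them relative to an unknown web root, and the "\x" fragment is checked as a full \xHH escape after percent-decoding, since a bare backslash-x without hex digits is rarely meaningful.

```python
import re
from urllib.parse import unquote

# Unmasked IOC from the table above (ID 1). The other two IOC rows are redacted on the page.
IOC_IPS = {"45.141.157.217"}

# Unmasked File-class IOA fragments (IDs 1-7). Entries with a leading slash are matched as a
# path prefix; entries without one are matched anywhere in the path (assumption: the page
# lists them relative to an unknown web root).
IOA_FILES = [
    "/admin/sysmon.php",
    "/api/content/posts/comments",
    "/debug/pprof",
    "/Home/GetAttachment",
    "/modules/projects/vw_files.php",
    "admin/limits.php",
    "cgi-bin/ddns_enc.cgi",
]

# Input Value IOA fragments: "../" (T1006 path traversal) and "\x", checked here as a
# literal backslash-x followed by two hex digits (assumption, see lead-in).
TRAVERSAL = re.compile(r"\.\./")
HEX_ESCAPE = re.compile(r"\\x[0-9a-fA-F]{2}")

# Apache/nginx Common Log Format. Assumption: the constructed sample below uses this layout.
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def decode_target(target: str) -> str:
    """Percent-decode twice so %2e%2e%2f and double-encoded %252e%252e%252f both become ../."""
    return unquote(unquote(target))


def classify(line: str) -> list[str]:
    """Return the indicator hits for one access-log line (empty list if the line is clean)."""
    m = CLF.match(line)
    if not m:
        return ["unparsed"]
    hits: list[str] = []
    ip = m.group("ip")
    target = decode_target(m.group("target"))
    path = target.split("?", 1)[0]
    if ip in IOC_IPS:
        hits.append(f"ioc_ip:{ip}")
    for frag in IOA_FILES:
        lp, lf = path.lower(), frag.lower()
        if (lp.startswith(lf) if frag.startswith("/") else lf in lp):
            hits.append(f"ioa_file:{frag}")
    if TRAVERSAL.search(target):
        hits.append("ioa_input:../")
    if HEX_ESCAPE.search(target):
        hits.append("ioa_input:\\x")
    return hits


def scan(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Scan a log and return (line_number, hits) for every line with at least one hit."""
    return [(n, hits) for n, line in enumerate(lines, start=1) if (hits := classify(line))]


# Constructed sample log (not real traffic): the IOC source IP hitting an IOA path, a
# percent-encoded traversal, a benign request, a pprof probe, and a backslash-x escape.
SAMPLE_LOG = [
    '45.141.157.217 - - [09/Feb/2022:10:12:01 +0000] "GET /cgi-bin/ddns_enc.cgi HTTP/1.1" 200 512',
    '198.51.100.7 - - [09/Feb/2022:10:12:05 +0000] "GET /view?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1203',
    '203.0.113.9 - - [09/Feb/2022:10:12:09 +0000] "GET /index.html HTTP/1.1" 200 3311',
    '203.0.113.9 - - [09/Feb/2022:10:12:12 +0000] "GET /debug/pprof/heap HTTP/1.1" 403 0',
    '198.51.100.7 - - [09/Feb/2022:10:12:20 +0000] "POST /api/content/posts/comments?id=%5Cx41 HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

Running it flags lines 1, 2, 4 and 5 and leaves the benign line 3 alone. Decoding the target before matching is what makes the `%2e%2e%2f` form collapse to the page's "../" fragment; matching on the raw URL would miss it. Because the IOA entries are predictive, a hit on a File path alone is a lead for triage rather than proof of EwDoor activity; a hit that also carries the verified IOC IP is the stronger signal.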

References (2)

The following list contains external sources which discuss the actor and the associated activities:
