PowerDuke Analysis

IOB - Indicator of Behavior (48)

Timeline

Language

en 48

Country

cn 14
be 14
us 10
hu 8
tr 2


Type

Vendor

Product

Juniper Junos 8
Microsoft Windows 6
easyii CMS 4
Microsoft Exchange Server 2
Cisco Linksys WAG54GS 2

Vulnerabilities

# | Vulnerability | Base | Temp | 0day | Today | Exploitability | Remediation | EPSS | CTI | CVE
1 | Microsoft Windows LSA Remote Code Execution | 8.1 | 7.4 | $100k and more | $5k-$25k | Unproven | Official Fix | 0.90617 | 0.00 | CVE-2022-26925
2 | Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure | 5.3 | 5.2 | $5k-$25k | $0-$5k | High | Workaround | 0.02016 | 0.02 | CVE-2007-1192
3 | Microsoft Windows Common Log File System Driver Privilege Escalation | 8.1 | 7.4 | $25k-$100k | $5k-$25k | Unproven | Official Fix | 0.00125 | 0.02 | CVE-2022-37969
4 | DZCP deV!L`z Clanportal config.php privilege escalation | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.00943 | 1.29 | CVE-2010-0966
5 | Softomi Advanced C2C Marketplace Software sql injection | 8.5 | 8.4 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00076 | 0.02 | CVE-2023-6145
6 | Microsoft Windows HTTP Request HTTP.sys privilege escalation | 7.3 | 7.0 | $25k-$100k | $0-$5k | High | Official Fix | 0.97537 | 0.05 | CVE-2015-1635
7 | Lanap BotDetect Captcha Asp.net privilege escalation | 5.3 | 4.8 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.03404 | 0.02 | CVE-2006-2918
8 | Microsoft ASP.NET Core Kestrel Web Application privilege escalation | 8.0 | 7.9 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.02783 | 0.05 | CVE-2018-0787
9 | Red Hat WildFly Blacklist Filter File information disclosure | 7.5 | 7.1 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.09817 | 0.00 | CVE-2016-0793
10 | CKeditor4 Instance Destroying cross site scripting | 5.0 | 5.0 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00315 | 0.02 | CVE-2023-28439
11 | SAP NetWeaver GetComputerSystem information disclosure | 5.3 | 4.6 | $5k-$25k | $0-$5k | High | Official Fix | 0.03101 | 0.00 | CVE-2013-3319
12 | Microsoft Exchange Server Outlook Web Access logon.aspx privilege escalation | 7.9 | 7.9 | $5k-$25k | $25k-$100k | Not Defined | Not Defined | 0.00379 | 0.14 | CVE-2018-16793
13 | easyii CMS out cross-site request forgery | 4.3 | 3.8 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00102 | 0.05 | CVE-2020-36534
14 | easyii CMS File Upload Management Upload.php file privilege escalation | 6.3 | 5.7 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00198 | 0.09 | CVE-2022-3771
15 | Microsoft ASP.NET Security Feature weak authentication | 7.4 | 7.2 | $5k-$25k | Calculating | Not Defined | Official Fix | 0.00424 | 0.04 | CVE-2018-8171
16 | Plesk Obsidian Login Page privilege escalation | 5.8 | 5.7 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00174 | 0.00 | CVE-2023-24044
17 | Microsoft Windows Scripting Language Remote Code Execution | 8.8 | 8.4 | $25k-$100k | $5k-$25k | Functional | Official Fix | 0.18647 | 0.03 | CVE-2022-41128
18 | QNAP QVR privilege escalation | 9.8 | 9.6 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00160 | 0.04 | CVE-2022-27588
19 | Microsoft Windows User Profile Service Privilege Escalation | 7.2 | 6.8 | $25k-$100k | $5k-$25k | Functional | Official Fix | 0.00102 | 0.03 | CVE-2022-26904
20 | Microsoft Windows Remote Desktop Protocol Remote Code Execution | 8.8 | 8.1 | $100k and more | $5k-$25k | Unproven | Official Fix | 0.01546 | 0.02 | CVE-2022-21893

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • PowerDuke

IOC - Indicator of Compromise (8)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (10)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (15)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1 | File | /admin/sign/out | predictive | High
2 | File | /owa/auth/logon.aspx | predictive | High
3 | File | /setup.cgi | predictive | Medium
4 | File | xxxxxxxxxxxxx/xxx_xxxxxxxx.xxx | predictive | High
5 | File | xxxx/xxxxxxxxxxxxxxx.xxx | predictive | High
6 | File | xxxxxxx/xxxxxx.xxx | predictive | High
7 | File | xxxx.xxx | predictive | Medium
8 | File | xxx/xxxxxx.xxx | predictive | High
9 | Argument | xxxxxxxx | predictive | Medium
10 | Argument | xxxx | predictive | Low
11 | Argument | xx | predictive | Low
12 | Argument | xxxxx | predictive | Low
13 | Argument | xxxxx | predictive | Medium
14 | Input Value | /../ | predictive | Low
15 | Network Port | xxx/xxxx | predictive | Medium
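The unmasked IOA fragments above (the three File paths and the /../ Input Value) can be turned directly into a log check. The following is an added example, not code from the page or from the vendor's platform: it parses common/combined-format web server log lines, percent-decodes the request target so encoded traversal such as %2e%2e/ is not missed, and reports which fragment matched with the confidence level given in the table. The masked rows are not reproduced, and the five log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# IOA fragments copied from the table above (unmasked entries only),
# keyed to the confidence level the page assigns them.
IOA_FILES = {
    "/admin/sign/out": "High",
    "/owa/auth/logon.aspx": "High",
    "/setup.cgi": "Medium",
}
IOA_INPUT_VALUES = {
    "/../": "Low",
}

# Request line of a common/combined log format entry:
# <ip> <ident> <user> [<timestamp>] "<method> <target> <proto>" <status> ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_target(target, rounds=3):
    """Percent-decode the request target a bounded number of times.

    Attackers double-encode traversal sequences (%252e%252e%252f); decoding
    until the string stops changing (capped at `rounds`) catches those without
    looping forever on malformed input.
    """
    cur = target
    for _ in range(rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def match_ioa(line):
    """Return a dict describing IOA hits for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = normalize_target(m.group("target"))
    # File indicators are matched on the path only; OWA/IIS paths are
    # case-insensitive, so compare in lower case.
    path = decoded.split("?", 1)[0].lower()
    hits = []
    for frag, conf in IOA_FILES.items():
        if frag in path:
            hits.append(("File", frag, conf))
    # The traversal input value may appear in the path or the query string.
    for frag, conf in IOA_INPUT_VALUES.items():
        if frag in decoded:
            hits.append(("Input Value", frag, conf))
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "target": m.group("target"),
        "hits": hits,
    }


def scan(lines):
    """Run match_ioa over an iterable of log lines, keeping only hits."""
    return [r for r in (match_ioa(l) for l in lines) if r is not None]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /owa/auth/logon.aspx?url=https%3a%2f%2fmail.example.test%2fowa%2f HTTP/1.1" 200 5123
10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET /setup.cgi HTTP/1.1" 404 210
10.0.0.9 - - [10/Oct/2023:13:57:12 +0000] "GET /images/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 403 0
10.0.0.11 - - [10/Oct/2023:13:58:00 +0000] "GET /index.html HTTP/1.1" 200 1024
10.0.0.13 - - [10/Oct/2023:13:59:30 +0000] "POST /admin/sign/out HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    for r in scan(SAMPLE_LOG.splitlines()):
        print(r["ip"], r["timestamp"], r["target"], r["hits"])
```

A single hit on /owa/auth/logon.aspx is just an OWA login and proves nothing on its own; the value of the check is in correlating the lower-confidence fragments (the /setup.cgi probe, the traversal attempt) with the same source address or time window before treating them as an attack indicator.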

References (3)

The following list contains external sources which discuss the actor and the associated activities:
