APT2 Analysis

💳 Purchase Required

You need to purchase an additional CTI license to see detailed indicators.

IOB - Indicator of Behavior (95)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en64
zh18
es10
sv2
it2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Country

cn84
us6
kr4
fj2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Actors

APT26

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Activities

Interest

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Type

Not Defined28
Operating System8
Web Browser8
Content Management System8
Router Operating System4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vendor

Not Defined20
Microsoft6
Cisco6
Oracle6
Apple4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Product

Microsoft Internet Explorer4
Cisco IOS XE4
Apple Mac OS X Server2
Nuclide2
Google Chrome2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vulnerabilities

#VulnerabilityBaseTemp0dayTodayExpRemEPSSCTICVE
1Zoho ManageEngine Applications Manager Agent.java sql injection7.57.2$0-$5k$0-$5kNot DefinedOfficial Fix0.002730.00CVE-2019-19650
2Cisco ASA/Firepower Threat Defense RSA Key information exposure6.26.2$5k-$25k$0-$5kNot DefinedOfficial Fix0.001630.02CVE-2022-20866
3TikiWiki tiki-register.php input validation7.36.6$0-$5k$0-$5kProof-of-ConceptOfficial Fix0.010757.06CVE-2006-6168
4Sun Solaris denial of service6.26.2$5k-$25k$0-$5kNot DefinedNot Defined0.000440.06CVE-2011-2259
5Spring Boot Admins Notifier env code injection7.57.4$0-$5k$0-$5kNot DefinedOfficial Fix0.002620.00CVE-2022-46166
6ASUS RT-AC51U Network Request cross site scripting3.53.5$0-$5k$0-$5kNot DefinedNot Defined0.000620.00CVE-2023-29772
7Zoho ManageEngine Desktop Central HTTP Redirect information disclosure3.53.4$0-$5k$0-$5kNot DefinedOfficial Fix0.006120.05CVE-2022-23779
8Dropbear SSH dropbearconvert input validation8.07.7$0-$5k$0-$5kNot DefinedOfficial Fix0.009560.02CVE-2016-7407
9MediaTek MT6983 tinysys out-of-bounds write5.45.3$0-$5k$0-$5kNot DefinedOfficial Fix0.000420.00CVE-2023-20621
10Router/Firewall Routing privileges management7.37.1$0-$5k$0-$5kNot DefinedWorkaround0.015000.00CVE-1999-0510
11Kibana Region Map cross site scripting4.44.4$0-$5k$0-$5kNot DefinedOfficial Fix0.000540.00CVE-2019-7621
12Apple Mac OS X Server Wiki Server cross site scripting4.34.3$5k-$25k$0-$5kNot DefinedNot Defined0.002630.05CVE-2009-2814
13ajenti API privileges management7.16.8$0-$5k$0-$5kProof-of-ConceptOfficial Fix0.012850.21CVE-2019-25066
14Oracle MySQL Server InnoDB numeric error9.19.0$5k-$25k$0-$5kNot DefinedOfficial Fix0.013810.03CVE-2016-9843
15Redmine Issues API permission7.67.3$0-$5k$0-$5kNot DefinedOfficial Fix0.001440.03CVE-2021-30164
16Google Go WASM module buffer overflow5.55.3$5k-$25k$0-$5kNot DefinedOfficial Fix0.004420.06CVE-2021-38297
17D-Link DIR-867/DIR-878/DIR-882 unknown vulnerability8.08.0$5k-$25k$5k-$25kNot DefinedNot Defined0.002400.00CVE-2020-8863
18Ruckus Wireless C110 webs information disclosure6.46.4$0-$5k$0-$5kNot DefinedNot Defined0.004720.00CVE-2020-13918
19Cisco IOS XE Easy Virtual Switching System memory corruption8.98.5$25k-$100k$0-$5kNot DefinedOfficial Fix0.004380.03CVE-2021-1451

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • Putter Panda

IOC - Indicator of Compromise (42)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

IDIP addressHostnameActorCampaignsIdentifiedTypeConfidence
131.170.110.163io.uu3.netAPT2Putter Panda01/01/2021verifiedHigh
258.196.156.15APT2Putter Panda01/01/2021verifiedHigh
359.120.168.19959-120-168-199.hinet-ip.hinet.netAPT212/20/2020verifiedHigh
461.34.97.69APT212/20/2020verifiedHigh
561.74.190.14APT212/20/2020verifiedHigh
661.78.37.121APT212/20/2020verifiedHigh
761.78.75.96APT212/20/2020verifiedHigh
861.221.54.9961-221-54-99.hinet-ip.hinet.netAPT212/20/2020verifiedHigh
967.42.255.50mail.provocc.orgAPT212/20/2020verifiedHigh
10XXX.XX.XXX.XXXxxxxxxx.xxxxxx.xxXxxxXxxxxx Xxxxx01/01/2021verifiedHigh
11XXX.XXX.XXX.XXXXxxx12/20/2020verifiedHigh
12XXX.XXX.XXX.XXXxxxxxxx.xxxx.xxx.xxxxx.xxxXxxx12/20/2020verifiedHigh
13XXX.XXX.XX.XXXxxxxxxxx.xx.xxx.xxx.xxXxxx12/20/2020verifiedHigh
14XXX.XXX.XX.Xxxxxxxxxxx.xx.xxx.xxx.xxXxxx12/20/2020verifiedHigh
15XXX.XXX.XX.XXXxx-xx-xxx.xx.xxxx.xxx.xxXxxx12/20/2020verifiedHigh
16XXX.XXX.XXX.XXxxxxxxx.xx.xxxx.xxx.xxXxxx12/20/2020verifiedHigh
17XXX.XXX.XX.XXxxxxxxxxx.xxxx.xxx.xxXxxx12/20/2020verifiedHigh
18XXX.XXX.XX.XXXxxx-xxx-xx-xxx.xxxxxx.xxxxx.xxxXxxx12/20/2020verifiedHigh
19XXX.XXX.XXX.XXxxx-xxx-xxx-xx.xxxxxxxxxxxxxx.xxxXxxx12/20/2020verifiedHigh
20XXX.XXX.XXX.XXxxx-xxx-xxx-xx.xxxxxxxxxxxxxx.xxxXxxx12/20/2020verifiedHigh
21XXX.XXX.XXX.XXxxx12/20/2020verifiedHigh
22XXX.XXX.XXX.XXXxxx-xxx-xxx-xxx.xxxxxxxxx.xxxxxxx.xxxXxxx12/20/2020verifiedHigh
23XXX.XXX.XX.XXXxxxx.xxxxxxxxx.xxxxxxx.xx.xxXxxx12/20/2020verifiedHigh
24XXX.XX.XXX.XXXxxxxxxxxxx.xxxXxxx12/20/2020verifiedHigh
25XXX.XXX.XXX.XXXXxxx12/20/2020verifiedHigh
26XXX.XXX.XX.XXXxxx12/20/2020verifiedHigh
27XXX.X.XX.XXXxxx12/20/2020verifiedHigh
28XXX.X.XX.XXXxxx12/20/2020verifiedHigh
29XXX.XX.XXX.XXXXxxx12/20/2020verifiedHigh
30XXX.XXX.XX.XXxxxxx-xxx-xx-xx.xxxx.xxxxxx.xxxx.xxx.xxXxxx12/20/2020verifiedHigh
31XXX.XX.XX.XXxxx-xx-xx-xx.xxxxx-xx.xxxxx.xxxXxxx12/20/2020verifiedHigh
32XXX.XX.XX.XXXxxx-xx-xx-xxx.xxxxx-xx.xxxxx.xxxXxxx12/20/2020verifiedHigh
33XXX.XX.XXX.XXXxxx12/20/2020verifiedHigh
34XXX.XXX.XXX.XXXxxxx.xxxxxxxxx.xxXxxx12/20/2020verifiedHigh
35XXX.XXX.XXX.XXXxxxxxxx.xxxxxxxxx.xxx.xxXxxxXxxxxx Xxxxx01/01/2021verifiedHigh
36XXX.XXX.XX.XXXxxx12/20/2020verifiedHigh
37XXX.XXX.XX.XXXXxxx12/20/2020verifiedHigh
38XXX.XXX.XX.XXXxxx12/20/2020verifiedHigh
39XXX.XXX.XX.XXXxxx12/20/2020verifiedHigh
40XXX.XXX.XX.XXXXxxx12/20/2020verifiedHigh
41XXX.XXX.XXX.XXxxx12/20/2020verifiedHigh
42XXX.XXX.XX.XXXXxxx12/20/2020verifiedHigh

TTP - Tactics, Techniques, Procedures (10)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IDTechniqueClassVulnerabilitiesAccess VectorTypeConfidence
1T1006CAPEC-126CWE-22Path TraversalpredictiveHigh
2T1059CAPEC-242CWE-94Argument InjectionpredictiveHigh
3TXXXX.XXXCAPEC-209CWE-XX, CWE-XXXxxxx Xxxx XxxxxxxxxpredictiveHigh
4TXXXXCAPEC-122CWE-XXX, CWE-XXXXxxxxxxxx Xxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
5TXXXXCAPEC-CWE-XXX7xx Xxxxxxxx XxxxxxxxpredictiveHigh
6TXXXXCAPEC-CWE-XXXXxxxxxxxxx XxxxxxpredictiveHigh
7TXXXXCAPEC-108CWE-XXXxx XxxxxxxxxpredictiveHigh
8TXXXXCAPEC-116CWE-XXX, CWE-XXXXxxxxxxxxx Xx Xxxxxxx Xxxxx Xxxxxxx Xxxxxxxxx XxxxxxxxxxxpredictiveHigh
9TXXXXCAPEC-CWE-XXXXxxxxxxxxxxxx XxxxxxpredictiveHigh
10TXXXX.XXXCAPEC-CWE-XXXXxx Xxxxxxxxxx XxxxxpredictiveHigh

IOA - Indicator of Attack (33)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

IDClassIndicatorTypeConfidence
1File/admin/blog/blogcategory/add/?_to_field=id&_popup=1predictiveHigh
2File/bin/boapredictiveMedium
3File/DOWN/FIRMWAREUPDATE/ROM1predictiveHigh
4File/envpredictiveLow
5Filexxxxx/xxxxx/xxxxxxxxx.xxxxpredictiveHigh
6Filexxxxxxxx.xxxpredictiveMedium
7Filexxxxxx-xxxxxx.xxxxpredictiveHigh
8Filexxxxxxxxxx.xxxpredictiveHigh
9Filexxxx/xxxxxxxxxxxx.xxxpredictiveHigh
10Filexxxxxxx/xxx/xxxxxxxxx/xxxxx.xpredictiveHigh
11Filexxxxxxxx/xxxx/xxxxxxxx.xxxpredictiveHigh
12Filexxxxxxxx/xxxx.xxx.xxxpredictiveHigh
13Filexxxxx.xxxpredictiveMedium
14Filexxx_xxxxxxxx.xpredictiveHigh
15Filexxxxxx/xxxxx.xxxpredictiveHigh
16Filexxxx-xxxxxxxx.xxxpredictiveHigh
17Filexxxxxxx_xxx.xxxpredictiveHigh
18Libraryxxx_xxxxx_xxxxxxxpredictiveHigh
19Libraryxxxxxxxx.xxxpredictiveMedium
20ArgumentxxxxxxxpredictiveLow
21ArgumentxxxxxxxxxxxxxpredictiveHigh
22Argumentxxxxxxx-xxxxxxpredictiveHigh
23Argumentxxx_xxxxpredictiveMedium
24ArgumentxxxxxxxxpredictiveMedium
25Argumentxxxxx_xxpredictiveMedium
26Argumentxxxxxxxxx_xxxxxxxx_xxxxpredictiveHigh
27Argumentxxxx_xxxxxxpredictiveMedium
28ArgumentxxxxxxpredictiveLow
29ArgumentxxxxxxxpredictiveLow
30ArgumentxxxxxpredictiveLow
31ArgumentxxxxpredictiveLow
32ArgumentxxxxxxxxpredictiveMedium
33Patternxxxxxxx-xxxxxx|xx|predictiveHigh

References (3)

The following list contains external sources which discuss the actor and the associated activities:

PreviousOverviewNext

Want to stay up to date on a daily basis?

Enable the mail alert feature now!