3CX Backdoor Analysis

IOB - Indicator of Behavior (220)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en: 144
zh: 30
pl: 26
de: 8
it: 6


Country

us: 166
cn: 40
pl: 8


Actors


Activities

Interest

Timeline


Type


Vendor


Product

Huawei P30 Pro: 8
JForum: 6
Samsung Mobile Devices: 4
Devilz Clanportal: 4
DZCP deV!L`z Clanportal: 4


Vulnerabilities

# | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE
1 | Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure | 5.3 | 5.2 | $10k-$25k | Calculating | High | Workaround | 0.02016 | 0.00 | CVE-2007-1192
2 | DZCP deV!L`z Clanportal config.php code injection | 7.3 | 6.6 | $2k-$5k | $0-$1k | Proof-of-Concept | Official Fix | 0.00943 | 0.30 | CVE-2010-0966
3 | TikiWiki tiki-register.php input validation | 7.3 | 6.6 | $2k-$5k | $0-$1k | Proof-of-Concept | Official Fix | 0.01075 | 5.78 | CVE-2006-6168
4 | Tiki Admin Password tiki-login.php improper authentication | 8.0 | 7.7 | $1k-$2k | $0-$1k | Not Defined | Official Fix | 0.00936 | 2.28 | CVE-2020-15906
5 | MGB OpenSource Guestbook email.php sql injection | 7.3 | 7.3 | $2k-$5k | $0-$1k | High | Unavailable | 0.01302 | 0.72 | CVE-2007-0354
6 | OpenX adclick.php redirect | 5.3 | 4.7 | $1k-$2k | $0-$1k | Unproven | Unavailable | 0.00440 | 0.04 | CVE-2014-2230
7 | Simple Machines Forum memberlist.php sql injection | 7.3 | 7.3 | $2k-$5k | $0-$1k | Not Defined | Not Defined | 0.01111 | 0.00 | CVE-2005-4159
8 | NotificationX Plugin SQL Statement sql injection | 5.6 | 5.4 | $2k-$5k | $0-$1k | Not Defined | Official Fix | 0.02414 | 0.04 | CVE-2022-0349
9 | DeDeCMS recommend.php sql injection | 8.5 | 8.5 | $2k-$5k | $0-$1k | Not Defined | Not Defined | 0.02488 | 0.04 | CVE-2017-17731
10 | Pligg cloud.php sql injection | 6.3 | 6.3 | $2k-$5k | $0-$1k | Not Defined | Not Defined | 0.00000 | 0.82 | 
11 | SAP ERP HCM Travel Management privileges management | 5.9 | 5.9 | $10k-$25k | $10k-$25k | Not Defined | Not Defined | 0.00065 | 0.00 | CVE-2020-6301
12 | Samsung Mobile Devices Exynos Chipset buffer overflow | 8.5 | 8.5 | $2k-$5k | $0-$1k | Not Defined | Not Defined | 0.00173 | 0.00 | CVE-2020-25279
13 | Huawei P30 memory leak | 4.3 | 4.1 | $2k-$5k | $0-$1k | Not Defined | Official Fix | 0.00058 | 0.00 | CVE-2020-9104
14 | JForum Login input validation | 6.5 | 6.5 | $2k-$5k | $0-$1k | Not Defined | Not Defined | 0.00157 | 0.06 | CVE-2012-5338
15 | DZCP deV!L`z Clanportal browser.php information disclosure | 5.3 | 5.0 | $1k-$2k | $0-$1k | Proof-of-Concept | Not Defined | 0.02733 | 0.22 | CVE-2007-1167
16 | Microsoft Windows PostMessage input validation | 5.5 | 5.2 | $10k-$25k | $0-$1k | Proof-of-Concept | Not Defined | 0.00044 | 0.00 | CVE-2010-1735
17 | PHPWind goto.php cross site scripting | 4.3 | 4.3 | $0-$1k | $0-$1k | Not Defined | Not Defined | 0.00254 | 0.04 | CVE-2015-4135
18 | Advisto Peel SHOPPING caddie_ajout.php cross-site request forgery | 6.5 | 6.5 | $1k-$2k | $0-$1k | Not Defined | Not Defined | 0.00118 | 0.07 | CVE-2018-20848
19 | Hibernate ORM JPA Criteria API sql injection | 6.4 | 6.1 | $1k-$2k | $0-$1k | Not Defined | Official Fix | 0.00104 | 0.00 | CVE-2019-14900
20 | JForum jforum.page cross-site request forgery | 4.3 | 4.2 | $0-$1k | $0-$1k | Not Defined | Not Defined | 0.00173 | 0.02 | CVE-2022-26173

IOC - Indicator of Compromise (23)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (18)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (71)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1 | File | /.htpasswd | predictive | Medium
2 | File | /folder/list | predictive | Medium
3 | File | /wp-admin/options.php | predictive | High
4 | File | /WWW//app/admin/controller/admincontroller.php | predictive | High
5 | File | adclick.php | predictive | Medium
6 | File | add_comment.php | predictive | High
7 | File | cloud.php | predictive | Medium
8 | File | comment_add.asp | predictive | High
9 | File | data/gbconfiguration.dat | predictive | High
