BEAR Analysis

IOB - Indicator of Behavior (87)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en: 70
ru: 8
de: 4
zh: 2
es: 2

Country

ee: 42
us: 22
ua: 10
ru: 8
tr: 2

Actors

Activities

Interest

Timeline

Type

Vendor

Product

Microsoft Windows: 4
Dropbear SSH: 4
GNU wget: 2
eSST Monitoring: 2
Apache Mina SSHD: 2

Vulnerabilities

| # | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure | 5.3 | 5.2 | $5k-$25k | $0-$5k | High | Workaround | 0.02016 | 0.02 | CVE-2007-1192 |
| 2 | Huawei SmartCare Dashboard Stored cross site scripting | 4.4 | 4.4 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00065 | 0.00 | CVE-2017-15312 |
| 3 | Microsoft IIS cross site scripting | 5.2 | 4.7 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.00548 | 0.13 | CVE-2017-0055 |
| 4 | IBM Security AppScan Enterprise Enterprise Source Database cryptographic issues | 9.8 | 8.5 | $5k-$25k | $0-$5k | Unproven | Official Fix | 0.00082 | 0.00 | CVE-2013-3989 |
| 5 | raspap-webgui activate_ovpncfg.php command injection | 8.0 | 8.0 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.89966 | 0.00 | CVE-2022-39986 |
| 6 | PHP Everywhere Plugin Shortcode Privilege Escalation | 6.3 | 6.0 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00108 | 0.02 | CVE-2022-24663 |
| 7 | Forumer / IPB Board Show Topic index.php sql injection | 7.3 | 7.1 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00000 | 0.04 | |
| 8 | WordPress Metadata deserialization | 8.5 | 8.4 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.01578 | 0.00 | CVE-2018-20148 |
| 9 | Add Link to Facebook Plugin profile.php cross site scripting | 4.4 | 4.4 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00057 | 0.03 | CVE-2018-5214 |
| 10 | SeedProd Website Builder Plugin seedprod_lite_new_lpage authorization | 7.3 | 7.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00057 | 0.00 | CVE-2024-1072 |
| 11 | Patreon Plugin cross-site request forgery | 5.8 | 5.8 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00058 | 0.00 | CVE-2023-41129 |
| 12 | Database Administrator Plugin sql injection | 4.7 | 4.6 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00530 | 0.02 | CVE-2023-3211 |
| 13 | Telegram Web cross site scripting | 4.8 | 4.7 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00075 | 0.04 | CVE-2022-43363 |
| 14 | User Post Gallery Plugin authorization | 8.5 | 8.4 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.05192 | 0.00 | CVE-2022-4060 |
| 15 | eSST Monitoring unrestricted upload | 7.5 | 7.4 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00116 | 0.00 | CVE-2023-41631 |
| 16 | Microsoft Windows IIS Server Remote Code Execution | 9.8 | 8.9 | $25k-$100k | $5k-$25k | Unproven | Official Fix | 0.00133 | 0.22 | CVE-2023-36434 |
| 17 | Boa Web Server HEAD Method improper authorization | 6.3 | 6.2 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00112 | 0.04 | CVE-2022-45956 |
| 18 | GitLab Privilege Escalation | 5.1 | 5.0 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00118 | 0.04 | CVE-2021-22263 |
| 19 | ThinkPHP unrestricted upload | 7.1 | 7.1 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00058 | 0.00 | CVE-2022-44289 |
| 20 | Microsoft Lync Server/Skype for Business Server unknown vulnerability | 6.5 | 5.9 | $25k-$100k | $5k-$25k | Proof-of-Concept | Official Fix | 0.00074 | 0.02 | CVE-2021-24073 |

IOC - Indicator of Compromise (6)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (11)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (34)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

| ID | Class | Indicator | Type | Confidence |
|---|---|---|---|---|
| 1 | File | /ajax/openvpn/activate_ovpncfg.php | predictive | High |
| 2 | File | /cgi-bin/wlogin.cgi | predictive | High |
| 3 | File | /index.php | predictive | Medium |
| 4 | File | /uncpath/ | predictive | Medium |
| 5 | File | xxx_xxxxxxx.xxx | predictive | High |
| 6 | File | xxxx/xxxxxxxxxxxxxxx.xxx | predictive | High |
| 7 | File | xxxxxxxx.xxx | predictive | Medium |
| 8 | File | xxxxxx.xxxx | predictive | Medium |
| 9 | File | xxxxxx.xxx | predictive | Medium |
| 10 | File | xxxxx.xxx | predictive | Medium |
| 11 | File | xxxxxxx.xxx | predictive | Medium |
| 12 | File | xxxxx-xxxxxxx.xxx | predictive | High |
| 13 | File | xxxxxxxx.xx | predictive | Medium |
| 14 | File | xxxxx.xxxxxxx.xx | predictive | High |
| 15 | File | xxxxxxxxx/xxxxx/xxxxxx.xxxx | predictive | High |
| 16 | File | xx-xxxxx/xxxxxxx.xxx | predictive | High |
| 17 | Library | xxx/xxxxxxxxx/xxxxxxx/xxxxxxxx/xxx.xxx | predictive | High |
| 18 | Library | xxx/xxxxxxx-xxxxxxxxx-x.x.x.xxx | predictive | High |
| 19 | Argument | -x | predictive | Low |
| 20 | Argument | xx/xx | predictive | Low |
| 21 | Argument | xxxxx_xxxxxxxx/xxxxx_xxxxxxxx | predictive | High |
| 22 | Argument | xxxxx_xxxxxxxx_xx | predictive | High |
| 23 | Argument | xxxxx | predictive | Low |
| 24 | Argument | xxx_xx | predictive | Low |
| 25 | Argument | xx | predictive | Low |
| 26 | Argument | xxxxx | predictive | Low |
| 27 | Argument | xxxxxxxxx | predictive | Medium |
| 28 | Argument | x[] | predictive | Low |
| 29 | Argument | xxx_xx | predictive | Low |
| 30 | Argument | xxxxx_xxx | predictive | Medium |
| 31 | Argument | xxxx | predictive | Low |
| 32 | Argument | xxxxxxxx/xxxx | predictive | High |
| 33 | Argument | _xxxx | predictive | Low |
| 34 | Input Value | xxx | predictive | Low |

References (3)

The following list contains external sources which discuss the actor and the associated activities:
