theMx0nday Analysis

💳 Purchase Required

You need to purchase an additional CTI license to see detailed indicators.

IOB - Indicator of Behavior (21)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en	18
zh	4

Country

us	12
id	6
cn	4

Actors

theMx0nday	3
RedLine Stealer	1
Nobelium	1
REvil	1
Quasar RAT	1

Activities

Interest

Timeline

Type

Operating System	6
Not Defined	4
Web Server	2
Router Operating System	2
Programming Language Software	2

Vendor

Not Defined	8
Microsoft	6
TP-LINK	2
WBCE	2
Dahua	2

Product

Microsoft Windows	6
nginx	2
TP-LINK TL-WR840N v4	2
Python	2
PRTG Network Monitor	2

Vulnerabilities

#	Vulnerability	Base	Temp	0day	Today	Exp	Rem	EPSS	CTI	CVE
1	PRTG Network Monitor login.htm access control	8.5	8.2	$0-$5k	$0-$5k	Not Defined	Official Fix	0.00288	0.04	CVE-2018-19410
2	nginx request smuggling	6.9	6.9	$0-$5k	$0-$5k	Not Defined	Not Defined	0.00241	2.29	CVE-2020-12440
3	Microsoft Windows SMB information disclosure	6.4	5.5	$25k-$100k	$5k-$25k	Unproven	Official Fix	0.00894	0.00	CVE-2021-36960
4	Microsoft Windows SMB input validation	7.7	7.5	$25k-$100k	$0-$5k	High	Official Fix	0.97427	0.04	CVE-2017-0144
5	Microsoft Windows SMB Client Security Feature information disclosure	4.3	3.8	$25k-$100k	$0-$5k	Unproven	Official Fix	0.00539	0.00	CVE-2021-31205
6	Microsoft Office PowerPoint Remote Code Execution	7.3	6.7	$5k-$25k	$0-$5k	Unproven	Official Fix	0.00383	0.04	CVE-2022-37962
7	Python path traversal	7.3	6.9	$0-$5k	$0-$5k	Proof-of-Concept	Not Defined	0.02431	0.00	CVE-2007-4559
8	Dahua DHI-HCVR7216A-S3 SmartPSS Auto Login Hash access control	6.7	6.7	$0-$5k	$0-$5k	Not Defined	Not Defined	0.00331	0.04	CVE-2017-6342
9	Microsoft Windows TIFF Image code injection	9.0	8.6	$25k-$100k	$0-$5k	High	Official Fix	0.97025	0.00	CVE-2013-3906
10	PHP EXIF exif_process_IFD_in_MAKERNOTE memory corruption	7.5	7.3	$5k-$25k	$0-$5k	Not Defined	Official Fix	0.00477	0.00	CVE-2019-9639
11	WBCE CMS cross site scripting	5.2	5.2	$0-$5k	$0-$5k	Not Defined	Not Defined	0.00118	0.00	CVE-2017-2118
12	Tapatalk Plugin XML-RPC classTTForum.php sql injection	8.5	8.2	$0-$5k	$0-$5k	Not Defined	Official Fix	0.00227	0.00	CVE-2017-14652
13	XenForo Admin Panel cross site scripting	4.1	4.1	$0-$5k	$0-$5k	Not Defined	Not Defined	0.00058	0.03	CVE-2021-43032
14	JFrog Artifactory upload unrestricted upload	8.5	7.4	$0-$5k	$0-$5k	Proof-of-Concept	Official Fix	0.11383	0.02	CVE-2016-10036
15	Kyland KPS2204 webadminget.cgi information disclosure	4.3	4.3	$0-$5k	$0-$5k	Not Defined	Not Defined	0.00411	0.05	CVE-2020-25011
16	TP-LINK TL-WR840N v4 traceroute input validation	7.5	7.5	$0-$5k	$0-$5k	Not Defined	Not Defined	0.00287	0.03	CVE-2019-15060
17	osTicket main.php file inclusion	7.3	6.6	$0-$5k	$0-$5k	Proof-of-Concept	Official Fix	0.01060	0.00	CVE-2005-1438
18	Exim EHLO Command string.c string_vformat buffer overflow	8.5	8.5	$0-$5k	$0-$5k	High	Official Fix	0.91466	0.05	CVE-2019-16928
19	Tim Kosse FileZilla format string	7.3	7.0	$25k-$100k	$0-$5k	Not Defined	Official Fix	0.03339	0.04	CVE-2007-2318
20	Joomla CMS weblinks-categories sql injection	7.3	7.1	$5k-$25k	$0-$5k	High	Unavailable	0.00119	0.04	CVE-2014-7981

Campaigns (1)

These are the campaigns that can be associated with the actor:

Ukraine Universities

IOC - Indicator of Compromise (3)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

ID	IP address	Hostname	Actor	Campaigns	Identified	Type	Confidence
1	159.223.64.156		theMx0nday	Ukraine Universities	03/05/2022	verified	High
2	XXX.XXX.XXX.XXX	xxxxxxxx.xxxx.xxxxxx.xxx	Xxxxxxxxxx	Xxxxxxx Xxxxxxxxxxxx	03/05/2022	verified	High
3	XXX.XX.XXX.XXX	xxxx.xxxx.xxx.xx	Xxxxxxxxxx	Xxxxxxx Xxxxxxxxxxxx	03/05/2022	verified	High

TTP - Tactics, Techniques, Procedures (7)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

ID	Technique	Class	Vulnerabilities	Access Vector	Type	Confidence
1	T1006	CAPEC-126	CWE-22	Path Traversal	predictive	High
2	T1059	CAPEC-242	CWE-94	Argument Injection	predictive	High
3	TXXXX.XXX	CAPEC-209	CWE-XX	Xxxxx Xxxx Xxxxxxxxx	predictive	High
4	TXXXX	CAPEC-19	CWE-XXX, CWE-XXX	Xxxxxxxxx Xxxx Xxxxxxxxxxx Xxxxxxxxxx	predictive	High
5	TXXXX	CAPEC-108	CWE-XX	Xxx Xxxxxxxxx	predictive	High
6	TXXXX	CAPEC-116	CWE-XXX	Xxxxxxxxxx Xx Xxxxxxx Xxxxx Xxxxxxx Xxxxxxxxx Xxxxxxxxxxx	predictive	High
7	TXXXX.XXX	CAPEC-1	CWE-XXX	Xxxxxxxxxx Xxxxxxxxxxxxxx Xx Xxxxxxxx Xxxx Xxxxxxxxx	predictive	High

IOA - Indicator of Attack (11)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID	Class	Indicator	Type	Confidence
1	File	/cgi-bin/webadminget.cgi	predictive	High
2	File	/index.php/weblinks-categories	predictive	High
3	File	/xxxxxx/xxxxx.xxx	predictive	High
4	File	xxxx.xxx	predictive	Medium
5	File	xxxxxx.x	predictive	Medium
6	File	xx/xxxxxxxx/xxxxxx	predictive	High
7	Library	xxxxxxx/xxx/xxxxxxxxxxxx.xxx	predictive	High
8	Argument	xxxx_xxx	predictive	Medium
9	Argument	xx	predictive	Low
10	Argument	xxxxxxx_xxx	predictive	Medium
11	Input Value	x%xx%xx%xxxxxxx%xxxxxxxx%xxxxxxxxxx%xxxxxx%xx%xxxxxxx_xxxxx%xx%xx--%xx%xx	predictive	High

References (2)

The following list contains external sources which discuss the actor and the associated activities:

◂ PreviousOverviewNext ▸

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!