Tonto Team Analysis

💳 Purchase Required

You need to purchase an additional CTI license to see detailed indicators.

IOB - Indicator of Behavior (53)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en	38
zh	16

Country

cn	36
us	18

Actors

Cobalt Strike	2
Sliver	1
Tonto Team	1

Activities

Interest

Timeline

Type

Not Defined	12
Groupware Software	6
Firewall Software	6
Web Server	4
WordPress Plugin	4

Vendor

Not Defined	16
Microsoft	10
Palo Alto	4
Apache	2
Ivanti	2

Product

Microsoft Exchange Server	6
Palo Alto PAN-OS	4
Dropbear	2
Apache HTTP Server	2
vsftpd	2

Vulnerabilities

#	Vulnerability	Base	Temp	0day	Today	Exp	Rem	EPSS	CTI	CVE
1	DaSchTour matomo-mediawiki-extension Username Piwik.hooks.php cross site scripting	3.8	3.7	$0-$5k	$0-$5k	Proof-of-Concept	Official Fix	0.00094	0.14	CVE-2017-20175
2	Apache HTTP Server server-status information disclosure	5.3	5.2	$5k-$25k	$0-$5k	Not Defined	Workaround	0.00000	0.04
3	Juniper Junos JDHCPD out-of-bounds	7.5	7.2	$5k-$25k	$0-$5k	Not Defined	Official Fix	0.00103	0.00	CVE-2020-1671
4	SonicWall SSLVPN SMA100 sql injection	7.3	7.3	$0-$5k	$0-$5k	High	Not Defined	0.02628	0.04	CVE-2021-20016
5	LangChain Configuration load_chain path traversal	5.0	4.6	$0-$5k	$0-$5k	Proof-of-Concept	Official Fix	0.00045	0.08	CVE-2024-28088
6	Cisco IOS XE Linux Shell input validation	8.0	7.7	$25k-$100k	$5k-$25k	Not Defined	Official Fix	0.00164	0.05	CVE-2020-3218
7	Tmax Soft JEUS Web Application Server url.jsp cross site scripting	4.3	4.1	$0-$5k	$0-$5k	High	Official Fix	0.00000	0.02
8	Revive Adserver excessive authentication	5.6	5.6	$0-$5k	$0-$5k	Not Defined	Not Defined	0.00151	0.00	CVE-2023-26756
9	Microsoft Exchange Server Privilege Escalation	8.8	8.1	$25k-$100k	$0-$5k	Unproven	Official Fix	0.01502	0.03	CVE-2022-23277
10	Microsoft Exchange Server PowerShell ProxyNotShell Privilege Escalation	7.7	7.3	$5k-$25k	$0-$5k	High	Official Fix	0.10698	0.00	CVE-2022-41082
11	Microsoft Exchange Server excessive authentication	9.8	8.9	$25k-$100k	$5k-$25k	Unproven	Official Fix	0.00333	0.05	CVE-2023-21709
12	OMICARD EDM path traversal	6.4	6.3	$0-$5k	$0-$5k	Not Defined	Not Defined	0.00186	0.00	CVE-2022-32963
13	HPE System Management Homepage access control	6.5	6.2	$5k-$25k	$0-$5k	Not Defined	Official Fix	0.00042	0.04	CVE-2017-12547
14	Aruba Networks ArubaOS-CX Switches Recovery Console improper authentication	6.5	6.5	$5k-$25k	$5k-$25k	Not Defined	Not Defined	0.00060	0.04	CVE-2022-23691
15	Netgear Prosafe Switch /filesystem/ Script denial of service	5.3	5.0	$5k-$25k	$0-$5k	Proof-of-Concept	Not Defined	0.96771	0.00	CVE-2013-4776
16	Microsoft Exchange Server Privilege Escalation	8.0	7.3	$5k-$25k	$5k-$25k	Unproven	Official Fix	0.00111	0.04	CVE-2023-28310
17	Microsoft Windows win32k.sys code injection	7.3	7.0	$25k-$100k	$0-$5k	High	Official Fix	0.49900	0.00	CVE-2014-4148
18	Dreamer CMS File Upload cross site scripting	4.1	4.1	$0-$5k	$0-$5k	Not Defined	Not Defined	0.00082	0.06	CVE-2023-1746
19	Netgate pfSense XML File config.xml restore_rrddata command injection	5.5	5.3	$0-$5k	$0-$5k	Not Defined	Official Fix	0.45928	0.01	CVE-2023-27253
20	Boa Webserver GET wapopen path traversal	6.4	6.0	$0-$5k	$0-$5k	Proof-of-Concept	Not Defined	0.73540	0.05	CVE-2017-9833

IOC - Indicator of Compromise (2)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

ID	IP address	Hostname	Actor	Campaigns	Identified	Type	Confidence
1	45.133.194.135		Tonto Team		03/18/2024	verified	High
2	XX.XX.XXX.XX		Xxxxx Xxxx		06/11/2021	verified	High

TTP - Tactics, Techniques, Procedures (9)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

ID	Technique	Class	Vulnerabilities	Access Vector	Type	Confidence
1	T1006	CAPEC-126	CWE-22	Path Traversal	predictive	High
2	T1059	CAPEC-242	CWE-94	Argument Injection	predictive	High
3	TXXXX.XXX	CAPEC-209	CWE-XX, CWE-XX	Xxxxx Xxxx Xxxxxxxxx	predictive	High
4	TXXXX	CAPEC-122	CWE-XXX, CWE-XXX, CWE-XXX	Xxxxxxxxx Xxxx Xxxxxxxxxxx Xxxxxxxxxx	predictive	High
5	TXXXX.XXX	CAPEC-16	CWE-XXX	Xxxx-xxxxx Xxxxxxxxxxx	predictive	High
6	TXXXX	CAPEC-136	CWE-XX	Xxxxxxx Xxxxx Xx Xxxxxxxxxx Xxxxxxxxxx Xxxxxxxxx	predictive	High
7	TXXXX.XXX	CAPEC-178	CWE-XXX	Xxxx Xxxxxxxx	predictive	High
8	TXXXX	CAPEC-108	CWE-XX	Xxx Xxxxxxxxx	predictive	High
9	TXXXX	CAPEC-116	CWE-XXX, CWE-XXX	Xxxxxxxxxx Xx Xxxxxxx Xxxxx Xxxxxxx Xxxxxxxxx Xxxxxxxxxxx	predictive	High

IOA - Indicator of Attack (22)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID	Class	Indicator	Type	Confidence
1	File	/cgi-bin/wapopen	predictive	High
2	File	/server-status	predictive	High
3	File	/webmail/	predictive	Medium
4	File	xxxxxx.xxx	predictive	Medium
5	File	xxxxxxx_xxxx.xxxx.xxx/xxxxxxx_xxxx.xxx	predictive	High
6	File	xxxxxxxxxx/	predictive	Medium
7	File	xxx.xx	predictive	Low
8	File	xxxxx.xxxxx.xxx	predictive	High
9	File	xxxxxxx/xxxxxxxxxxxxxxxx/xxxxxxxxx/xxxxxxxx.xxxx	predictive	High
10	File	xxxxxxxxx/xx/xx/xxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxx	predictive	High
11	File	xxx.xxx	predictive	Low
12	File	xxx/xxxxx.xxx	predictive	High
13	File	xxx_xxxxxxxx.xxx	predictive	High
14	Library	xxxxxx.xxx	predictive	Medium
15	Argument	$_xxxxxx['xxxx_xxxx_xxxxx']	predictive	High
16	Argument	xxxxxxxxxxxxxx	predictive	High
17	Argument	xxxxxxxxxx	predictive	Medium
18	Argument	xxx	predictive	Low
19	Argument	xxxx	predictive	Low
20	Argument	xxxxxxx	predictive	Low
21	Argument	xxxxxxxx	predictive	Medium
22	Input Value	../..	predictive	Low

References (3)

The following list contains external sources which discuss the actor and the associated activities:

◂ PreviousOverviewNext ▸

Might our Artificial Intelligence support you?

Check our Alexa App!