Tonto Team Analysis

💳 Purchase Required

You need to purchase an additional CTI license to see detailed indicators.

IOB - Indicator of Behavior (56)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en36
zh20

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Country

cn40
us16

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Actors

Cobalt Strike2
Sliver1
Tonto Team1

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Activities

Interest

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Type

Not Defined16
Groupware Software6
WordPress Plugin4
Router Operating System4
Content Management System4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vendor

Not Defined16
Microsoft10
MotoPress2
MikroTik2
Netgear2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Product

Microsoft Exchange Server6
MotoPress Timetable and Event Schedule Plugin2
MikroTik RouterOS2
Matomo2
Netgear Prosafe Switch2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vulnerabilities

#VulnerabilityBaseTemp0dayTodayExpRemEPSSCTICVE
1DaSchTour matomo-mediawiki-extension Username Piwik.hooks.php cross site scripting3.83.7$0-$5k$0-$5kProof-of-ConceptOfficial Fix0.000990.04CVE-2017-20175
2Apache HTTP Server server-status information disclosure5.35.2$5k-$25k$0-$5kNot DefinedWorkaround0.000000.04
3Juniper Junos JDHCPD out-of-bounds7.57.2$5k-$25k$0-$5kNot DefinedOfficial Fix0.001030.00CVE-2020-1671
4SonicWall SSLVPN SMA100 sql injection7.37.3$0-$5k$0-$5kHighNot Defined0.026280.04CVE-2021-20016
5Plesk Obsidian Login Page injection5.85.7$0-$5k$0-$5kNot DefinedNot Defined0.001750.18CVE-2023-24044
6Script Security Plugin sandbox5.55.5$0-$5k$0-$5kNot DefinedNot Defined0.000430.08CVE-2024-34144
7MikroTik RouterOS REST API access control5.45.4$0-$5k$0-$5kNot DefinedNot Defined0.000490.00CVE-2023-41570
8LangChain Configuration load_chain path traversal5.04.6$0-$5k$0-$5kProof-of-ConceptOfficial Fix0.000450.00CVE-2024-28088
9Cisco IOS XE Linux Shell input validation8.07.7$25k-$100k$0-$5kNot DefinedOfficial Fix0.001640.00CVE-2020-3218
10Tmax Soft JEUS Web Application Server url.jsp cross site scripting4.34.1$0-$5k$0-$5kHighOfficial Fix0.000000.00
11Revive Adserver excessive authentication5.65.6$0-$5k$0-$5kNot DefinedNot Defined0.001410.00CVE-2023-26756
12Microsoft Exchange Server Privilege Escalation8.88.1$25k-$100k$0-$5kUnprovenOfficial Fix0.013780.04CVE-2022-23277
13Microsoft Exchange Server PowerShell ProxyNotShell Privilege Escalation7.77.3$5k-$25k$0-$5kHighOfficial Fix0.186100.08CVE-2022-41082
14Microsoft Exchange Server excessive authentication9.88.9$25k-$100k$5k-$25kUnprovenOfficial Fix0.003540.07CVE-2023-21709
15OMICARD EDM path traversal6.46.3$0-$5k$0-$5kNot DefinedNot Defined0.001860.00CVE-2022-32963
16HPE System Management Homepage access control6.56.2$5k-$25k$0-$5kNot DefinedOfficial Fix0.000420.04CVE-2017-12547
17Aruba Networks ArubaOS-CX Switches Recovery Console improper authentication6.56.5$5k-$25k$5k-$25kNot DefinedNot Defined0.000600.04CVE-2022-23691
18Netgear Prosafe Switch /filesystem/ Script denial of service5.35.0$5k-$25k$0-$5kProof-of-ConceptNot Defined0.965850.00CVE-2013-4776
19Microsoft Exchange Server Privilege Escalation8.07.3$5k-$25k$5k-$25kUnprovenOfficial Fix0.000970.05CVE-2023-28310
20Microsoft Windows win32k.sys code injection7.37.0$25k-$100k$0-$5kHighOfficial Fix0.510560.00CVE-2014-4148

IOC - Indicator of Compromise (2)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

IDIP addressHostnameActorCampaignsIdentifiedTypeConfidence
145.133.194.135Tonto Team03/18/2024verifiedHigh
2XX.XX.XXX.XXXxxxx Xxxx06/11/2021verifiedHigh

TTP - Tactics, Techniques, Procedures (11)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IDTechniqueClassVulnerabilitiesAccess VectorTypeConfidence
1T1006CAPEC-126CWE-22Path TraversalpredictiveHigh
2T1055CAPEC-10CWE-74Improper Neutralization of Data within XPath ExpressionspredictiveHigh
3T1059CAPEC-242CWE-94Argument InjectionpredictiveHigh
4TXXXX.XXXCAPEC-209CWE-XX, CWE-XXXxxxx Xxxx XxxxxxxxxpredictiveHigh
5TXXXXCAPEC-122CWE-XXX, CWE-XXX, CWE-XXXXxxxxxxxx Xxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
6TXXXX.XXXCAPEC-16CWE-XXXXxxx-xxxxx XxxxxxxxxxxpredictiveHigh
7TXXXXCAPEC-136CWE-XXXxxxxxx Xxxxx Xx Xxxxxxxxxx Xxxxxxxxxx XxxxxxxxxpredictiveHigh
8TXXXX.XXXCAPEC-178CWE-XXXXxxx XxxxxxxxpredictiveHigh
9TXXXXCAPEC-108CWE-XXXxx XxxxxxxxxpredictiveHigh
10TXXXXCAPEC-116CWE-XXX, CWE-XXXXxxxxxxxxx Xx Xxxxxxx Xxxxx Xxxxxxx Xxxxxxxxx XxxxxxxxxxxpredictiveHigh
11TXXXXCAPEC-CWE-XXXXxxxxxxxxxx XxxxxxpredictiveHigh

IOA - Indicator of Attack (23)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

IDClassIndicatorTypeConfidence
1File/cgi-bin/wapopenpredictiveHigh
2File/server-statuspredictiveHigh
3File/webmail/predictiveMedium
4Filexxxxxx.xxxpredictiveMedium
5Filexxxxxxx_xxxx.xxxx.xxx/xxxxxxx_xxxx.xxxpredictiveHigh
6Filexxxxxxxxxx/predictiveMedium
7Filexxx.xxpredictiveLow
8Filexxxxx.xxxxx.xxxpredictiveHigh
9Filexxxxxxx/xxxxxxxxxxxxxxxx/xxxxxxxxx/xxxxxxxx.xxxxpredictiveHigh
10Filexxxxxxxxx/xx/xx/xxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxpredictiveHigh
11Filexxx.xxxpredictiveLow
12Filexxx/xxxxx.xxxpredictiveHigh
13Filexxx_xxxxxxxx.xxxpredictiveHigh
14Libraryxxxxxx.xxxpredictiveMedium
15Argument$_xxxxxx['xxxx_xxxx_xxxxx']predictiveHigh
16ArgumentxxxxxxxxxxxxxxpredictiveHigh
17ArgumentxxxxxxxxxxpredictiveMedium
18ArgumentxxxpredictiveLow
19ArgumentxxxxpredictiveLow
20ArgumentxxxxpredictiveLow
21ArgumentxxxxxxxpredictiveLow
22ArgumentxxxxxxxxpredictiveMedium
23Input Value../..predictiveLow

References (3)

The following list contains external sources which discuss the actor and the associated activities:

PreviousOverviewNext

Interested in the pricing of exploits?

See the underground prices here!