Ghost Dragon Analysisinfo

💳 Purchase Required

You need to purchase an additional CTI license to see detailed indicators.

IOB - Indicator of Behavior (148)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Language

en124
zh20
de4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Country

MS: Montserrat148

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Actors

Ponystealer1
BlackTech1
Winwebsec1

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Activities

Interest

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Type

Not Defined62
Content Management System16
Business Process Management Software4
Reporting Software4
Database Administration Software4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vendor

Not Defined64
Apache4
Joomla4
Microsoft4
Fortinet2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Product

WordPress6
Joomla4
phpThumb4
Joomla CMS4
phpMyAdmin4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vulnerabilities

These are the vulnerabilities that we have identified as researched, approached, or attacked.

#VulnerabilityBaseTemp0dayTodayExpCouKEVEPSSCTICVE
1vTiger CRM sql injection7.57.2$0-$5k$0-$5kNot definedOfficial fix 0.007510.03CVE-2019-11057
2Microsoft Exchange Server ProxyShell server-side request forgery9.59.1$25k-$100k$5k-$25kAttackedOfficial fixverified0.942550.06CVE-2021-34473
3WordPress WP_Query class-wp-query.php sql injection8.58.4$5k-$25k$0-$5kProof-of-ConceptOfficial fix 0.088390.09CVE-2017-5611
4Apache Solr ResourceLoader path traversal5.35.1$5k-$25k$0-$5kNot definedOfficial fixexpected0.933460.02CVE-2013-6397
5ThinkPHP invokefunction code injection8.07.9$0-$5kCalculatingAttackedOfficial fixverified0.941490.05CVE-2019-9082
6Mailman input validation6.56.3$0-$5k$0-$5kNot definedOfficial fix 0.001920.00CVE-2018-13796
7Pivotal RabbitMQ password access control7.77.6$0-$5k$0-$5kNot definedOfficial fix 0.003990.03CVE-2016-9877
8phpThumb Default Configuration server-side request forgery5.35.1$0-$5k$0-$5kNot definedOfficial fix 0.002340.05CVE-2013-6919
9phpThumb phpThumb.demo.showpic.php cross site scripting5.24.9$0-$5k$0-$5kNot definedOfficial fix 0.001900.04CVE-2016-10508
10Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure5.35.2$5k-$25kCalculatingHighWorkaroundpossible0.029560.00CVE-2007-1192
11XenForo privileges management8.67.9$0-$5k$0-$5kNot definedOfficial fix 0.000000.00
12PrestaShop information disclosure5.35.2$0-$5k$0-$5kNot definedOfficial fix 0.003870.02CVE-2024-34717
13Python urllib.parse input validation6.56.4$0-$5k$0-$5kNot definedOfficial fix 0.010500.00CVE-2023-24329
14Oracle MySQL Server Optimizer5.55.3$5k-$25k$0-$5kNot definedOfficial fix 0.002060.00CVE-2020-14760
15WordPress Update URI Plugin Header Remote Code Execution7.87.8$5k-$25k$0-$5kNot definedOfficial fixpossible0.398710.07CVE-2021-44223
16RuoYi edit sql injection7.67.5$0-$5k$0-$5kNot definedNot definedexpected0.828150.00CVE-2023-49371
17Apple iPhone UBS checkm8 privileges management6.45.9$5k-$25k$0-$5kFunctionalOfficial fix 0.001910.02CVE-2019-8900
18André Bräkling WP-Matomo Integration Plugin cross site scripting4.44.4$0-$5k$0-$5kNot definedNot defined 0.000580.00CVE-2023-33211
19Cacti graph_settings.php code injection7.37.3$0-$5k$0-$5kNot definedNot defined 0.013370.00CVE-2014-5261
20crewjam saml signature verification3.53.4$0-$5k$0-$5kNot definedOfficial fix 0.153450.03CVE-2020-27846

IOC - Indicator of Compromise (18)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

IDIP addressHostnameActorCampaignsIdentifiedTypeConfidence
131.170.179.179Ghost Dragon12/23/2020verifiedLow
258.64.187.22Ghost Dragon12/23/2020verifiedLow
360.215.128.246Ghost Dragon12/23/2020verifiedLow
464.111.220.218colt.isprime.comGhost Dragon12/23/2020verifiedLow
5XXX.XX.X.XXXXxxxx Xxxxxx12/23/2020verifiedLow
6XXX.XX.XXX.XXXXxxxx Xxxxxx12/23/2020verifiedLow
7XXX.X.XXX.XXxxx-xxx-x-xxx-xx.xxxxxxx.xxxxxxxx-xxx.xxxXxxxx Xxxxxx12/23/2020verifiedVery Low
8XXX.X.XXX.XXXxxx-xxx-x-xxx-xxx.xxxxxxx.xxxxxxxx-xxx.xxxXxxxx Xxxxxx12/23/2020verifiedVery Low
9XXX.X.XXX.XXXxxx-xxx-x-xxx-xxx.xxxxxxx.xxxx-xxxxx-xxx.xxxxxx-xxxxxxxx.xxxXxxxx Xxxxxx12/23/2020verifiedVery Low
10XXX.X.XXX.XXXxxx-xxx-x-xxx-xxx.xxxxxxx.xxxxxxxx-xxx.xxxXxxxx Xxxxxx12/23/2020verifiedVery Low
11XXX.XX.XX.XXXXxxxx Xxxxxx12/23/2020verifiedLow
12XXX.XX.XX.XXXxxxx Xxxxxx12/23/2020verifiedLow
13XXX.XX.XX.XXXxxxx Xxxxxx12/23/2020verifiedLow
14XXX.XX.XX.XXXxxxx Xxxxxx12/23/2020verifiedLow
15XXX.XX.XX.XXXxxxx Xxxxxx12/23/2020verifiedLow
16XXX.XXX.XXX.XXxxxxx.xxxx.xxXxxxx Xxxxxx12/23/2020verifiedLow
17XXX.XXX.XXX.XXXXxxxx Xxxxxx12/23/2020verifiedLow
18XXX.XX.XXX.XXXXxxxx Xxxxxx12/23/2020verifiedLow

TTP - Tactics, Techniques, Procedures (18)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IDTechniqueClassVulnerabilitiesAccess VectorTypeConfidence
1T1006CAPEC-126CWE-21, CWE-22, CWE-23Path TraversalpredictiveHigh
2T1055CAPEC-10CWE-74Improper Neutralization of Data within XPath ExpressionspredictiveHigh
3T1059CAPEC-242CWE-94Argument InjectionpredictiveHigh
4T1059.007CAPEC-209CWE-79, CWE-80Basic Cross Site ScriptingpredictiveHigh
5TXXXXCAPEC-XXXCWE-XXX, CWE-XXX, CWE-XXXXxxxxxxxx Xxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
6TXXXX.XXXCAPEC-XXXCWE-XXXXxxx-xxxxx XxxxxxxxxxxpredictiveHigh
7TXXXXCAPEC-XXXCWE-XXXxxxxxx Xxxxx Xx Xxxxxxxxxx Xxxxxxxxxx XxxxxxxxxpredictiveHigh
8TXXXX.XXXCAPEC-XXXCWE-XXXXxxx XxxxxxxxpredictiveHigh
9TXXXXCWE-XXXXxxxxxxxxx XxxxxxpredictiveHigh
10TXXXXCAPEC-XXXCWE-XX, CWE-XXXxx XxxxxxxxxpredictiveHigh
11TXXXX.XXXCAPEC-XCWE-XXXXxxxxxxx XxxxxxxxxxxxxpredictiveHigh
12TXXXXCAPEC-XXCWE-XXX, CWE-XXXXxxxxxxxxxx XxxxxxxxxxpredictiveHigh
13TXXXX.XXXCAPEC-XXXCWE-XXXXxxxxxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
14TXXXXCAPEC-XXXCWE-XXXXxxxxxxxxx Xx Xxxxxxx Xxxxx Xxxxxxx Xxxxxxxxx XxxxxxxxxxxpredictiveHigh
15TXXXX.XXXCWE-XXXxxxxxxxxxxxxpredictiveHigh
16TXXXXCAPEC-XXXCWE-XXX, CWE-XXXXxxxxxxxxxxxx XxxxxxpredictiveHigh
17TXXXX.XXXCWE-XXXXxx Xxxxxxxxxx XxxxxpredictiveHigh
18TXXXX.XXXCAPEC-XCWE-XXXXxxxxxxxxx Xxxxxxxxxxxxxx Xx Xxxxxxxx Xxxx XxxxxxxxxpredictiveHigh

IOA - Indicator of Attack (85)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

IDClassIndicatorTypeConfidence
1File/cdsms/classes/Master.php?f=delete_enrollmentpredictiveHigh
2File/mifs/c/i/reg/reg.htmlpredictiveHigh
3File/server-infopredictiveMedium
4File/system/dept/editpredictiveHigh
5File/wp-json/oembed/1.0/embed?urlpredictiveHigh
6Filea2billing/customer/iridium_threed.phppredictiveHigh
7Fileadmin.php?s=/Channel/add.htmlpredictiveHigh
8Fileadmin/class-bulk-editor-list-table.phppredictiveHigh
9Fileadministrator/components/com_media/helpers/media.phppredictiveHigh
10Fileauth.asppredictiveMedium
11Filexxxx/xxxxxxxxxxxx.xxxpredictiveHigh
12Filexxx-xxx/xxxxxxpredictiveHigh
13Filexxxx/xxxxxxxxxxxxx/xxxxxxx.xxxpredictiveHigh
14Filexxxx/xxxxxxxxxxxxxxx.xxxpredictiveHigh
15Filexxxx_xxxxx.xxxpredictiveHigh
16Filexxxxxx.xxxpredictiveMedium
17Filexxxx/xxxxxxxx.xxxx.xxxxxxx.xxxpredictiveHigh
18Filexxxxxxxxxxx/xxxx-xxxxxx-xxxxxx.xxxpredictiveHigh
19Filexxxxxxxxx/xx/xxxxxxxxxxxx.xxxpredictiveHigh
20Filexxxxx_xxxxxxxx.xxxpredictiveHigh
21Filexxxx/xxxxxxxxxx.xxxpredictiveHigh
22Filexxxxx.xxxpredictiveMedium
23Filexxxxxxx.xxxpredictiveMedium
24Filexxxxxxxxx/xxxxxxx.xxx.xxxpredictiveHigh
25Filexxx.xpredictiveLow
26Filexxxxxxx.xxxpredictiveMedium
27Filexxx_xxxx.xxxpredictiveMedium
28Filexxxxx/xxxxx.xxxpredictiveHigh
29Filexxxxxxx/xxxx.xxxpredictiveHigh
30Filexxxxxx/?x=xxxxx/\xxxxx\xxx/xxxxxxxxxxxxxx&xxxxxxxx=xxxx_xxxx_xxxx_xxxxx&xxxx[x]=xxxxxx&xxxx[x][]predictiveHigh
31Filexxxxxxx/xxxxx/xxxx-xxx/xxxxxx.xpredictiveHigh
32Filexxxxx.xxxpredictiveMedium
33Filexxxxxx.xxxpredictiveMedium
34Filexxxx.xxxxpredictiveMedium
35Filexxxxxxxxx.xpredictiveMedium
36Filexxxxxxxx/xxxxxxxxpredictiveHigh
37Filexxxxx.xxxpredictiveMedium
38Filexxxxx/xxxxxxx/xxxxxxxx/xxxxx.xxx.xxxxpredictiveHigh
39Filexxxxxxx/xxxxxx/xxxxx/xxxxxxx/xxx/xxx.xxxpredictiveHigh
40Filexxxxxxx.xxxpredictiveMedium
41Filexx-xxxxx/xxxxx-xxxx.xxxpredictiveHigh
42Filexx-xxxxx/xxxxxx-xxxx.xxxpredictiveHigh
43Filexx-xxxxxxxx/xxxxx-xx-xxxxx.xxxpredictiveHigh
44Libraryxxx/xxxx/xxxxxx.xxxxx.xxxpredictiveHigh
45Libraryxxx/xxx.xxxpredictiveMedium
46Argumentxxxxxx_xxxxpredictiveMedium
47ArgumentxxxxxxxpredictiveLow
48Argumentxxxxxxx-xxxxxxpredictiveHigh
49Argumentxxxxxxx_xxpredictiveMedium
50ArgumentxxxxxxxxxxxxxxxpredictiveHigh
51ArgumentxxxxxxpredictiveLow
52ArgumentxxxxpredictiveLow
53ArgumentxxxxxxxpredictiveLow
54ArgumentxxxxpredictiveLow
55ArgumentxxpredictiveLow
56ArgumentxxxxxxxxxpredictiveMedium
57Argumentxx_xxxxpredictiveLow
58Argumentx/xx/xxxpredictiveMedium
59ArgumentxxxxxxxxxxpredictiveMedium
60ArgumentxxxxpredictiveLow
61Argumentxxxx/xxxxxxxpredictiveMedium
62ArgumentxxxxxxxxxxxxxxxxxxxxxxxpredictiveHigh
63ArgumentxxxxxpredictiveLow
64Argumentxxxxxx_xxxxpredictiveMedium
65ArgumentxxxxxxxxxxxxxpredictiveHigh
66Argumentxxxxxxxx_xxxxxxxpredictiveHigh
67ArgumentxxxxxxpredictiveLow
68ArgumentxxxxpredictiveLow
69Argumentxxxxxx/xxxxxpredictiveMedium
70Argumentxxxxxx_xxxpredictiveMedium
71Argumentxxxxxxxx[]predictiveMedium
72Argumentxxxxxxxx[xxxx]predictiveHigh
73ArgumentxxxpredictiveLow
74Argumentxxx_xxxx[x][]predictiveHigh
75Argumentxxxxxxxx/xxxpredictiveMedium
76ArgumentxxpredictiveLow
77ArgumentxxxxxxxxxxxxxpredictiveHigh
78ArgumentxxxpredictiveLow
79ArgumentxxxxxxxxpredictiveMedium
80ArgumentxxxxxxxxxxxxxpredictiveHigh
81Argumentxxxx xxxxpredictiveMedium
82Input Value-xpredictiveLow
83Input Valuexxxxx"][xxxxxx]xxxxx('xxx')[/xxxxxx]predictiveHigh
84Input Value…/.predictiveLow
85Network Portxxx xxxxxx xxxxpredictiveHigh

References (2)

The following list contains external sources which discuss the actor and the associated activities:

PreviousOverviewNext

This view requires CTI permissions

Just purchase a CTI license today!