Ghost Dragon Analysis

IOB - Indicator of Behavior (141)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en120
zh16
de4
es2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Country

ms140
cn2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Actors

Ponystealer1
BlackTech1
Ghost Dragon1

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Activities

Interest

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Type

Not Defined54
Content Management System16
Groupware Software4
Application Server Software4
Directory Service Software4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vendor

Not Defined64
Atlassian4
Microsoft4
Apache4
Synology2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Product

WordPress6
Car Driving School Management System6
OpenLDAP4
phpMyAdmin4
Synology DiskStation Manager2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vulnerabilities

#VulnerabilityBaseTemp0dayTodayExpRemCTIEPSSCVE
1vTiger CRM sql injection7.57.2$0-$5k$0-$5kNot DefinedOfficial Fix0.030.00890CVE-2019-11057
2Microsoft Exchange Server ProxyShell Remote Code Execution9.58.2$25k-$100k$5k-$25kUnprovenOfficial Fix0.080.61804CVE-2021-34473
3WordPress WP_Query class-wp-query.php sql injection8.58.4$5k-$25k$0-$5kProof-of-ConceptOfficial Fix0.030.01974CVE-2017-5611
4Apache Solr ResourceLoader path traversal5.35.1$5k-$25k$0-$5kNot DefinedOfficial Fix0.000.03384CVE-2013-6397
5ThinkPHP input validation8.58.2$0-$5k$0-$5kNot DefinedOfficial Fix0.000.84749CVE-2019-9082
6Mailman input validation6.56.2$0-$5kCalculatingNot DefinedOfficial Fix0.010.01018CVE-2018-13796
7Pivotal RabbitMQ password access control7.77.4$0-$5k$0-$5kNot DefinedOfficial Fix0.050.01018CVE-2016-9877
8phpThumb Default Configuration server-side request forgery5.35.1$0-$5kCalculatingNot DefinedOfficial Fix0.030.01055CVE-2013-6919
9phpThumb phpThumb.demo.showpic.php cross site scripting5.24.9$0-$5k$0-$5kNot DefinedOfficial Fix0.070.01055CVE-2016-10508
10Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure5.35.2$5k-$25kCalculatingHighWorkaround0.040.04187CVE-2007-1192
11XenForo privileges management8.67.9$0-$5k$0-$5kNot DefinedOfficial Fix0.000.00000
12Cacti graph_settings.php code injection7.37.3$0-$5kCalculatingNot DefinedNot Defined0.040.01408CVE-2014-5261
13crewjam saml signature verification3.53.5$0-$5k$0-$5kNot DefinedOfficial Fix0.040.01108CVE-2020-27846
14VestaCP user.conf permission4.64.6$0-$5k$0-$5kNot DefinedNot Defined0.010.00885CVE-2021-30463
15MobileIron Core/Connector improper authentication8.58.2$0-$5k$0-$5kNot DefinedOfficial Fix0.020.01055CVE-2020-15506
16IceWarp Mail Server css.php path traversal6.45.5$0-$5k$0-$5kProof-of-ConceptOfficial Fix0.030.08382CVE-2015-1503
17Cisco Expressway-C/TelePresence VCS certificate validation7.37.0$5k-$25k$0-$5kNot DefinedOfficial Fix0.030.00000CVE-2022-20814
18Car Driving School Management System Login Page sql injection6.36.1$0-$5k$0-$5kNot DefinedNot Defined0.030.00954CVE-2022-24571
19Car Driving School Management System User Enrollment Form cross site scripting2.42.4$0-$5k$0-$5kNot DefinedNot Defined0.000.00885CVE-2022-24572
20Car Driving School Management System sql injection6.35.7$0-$5k$0-$5kProof-of-ConceptNot Defined0.070.00885CVE-2022-28413

IOC - Indicator of Compromise (18)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

IDIP addressHostnameActorCampaignsTypeConfidence
131.170.179.179Ghost DragonverifiedHigh
258.64.187.22Ghost DragonverifiedHigh
360.215.128.246Ghost DragonverifiedHigh
464.111.220.218colt.isprime.comGhost DragonverifiedHigh
5XXX.XX.X.XXXXxxxx XxxxxxverifiedHigh
6XXX.XX.XXX.XXXXxxxx XxxxxxverifiedHigh
7XXX.X.XXX.XXxxx-xxx-x-xxx-xx.xxxxxxx.xxxxxxxx-xxx.xxxXxxxx XxxxxxverifiedHigh
8XXX.X.XXX.XXXxxx-xxx-x-xxx-xxx.xxxxxxx.xxxxxxxx-xxx.xxxXxxxx XxxxxxverifiedHigh
9XXX.X.XXX.XXXxxx-xxx-x-xxx-xxx.xxxxxxx.xxxx-xxxxx-xxx.xxxxxx-xxxxxxxx.xxxXxxxx XxxxxxverifiedHigh
10XXX.X.XXX.XXXxxx-xxx-x-xxx-xxx.xxxxxxx.xxxxxxxx-xxx.xxxXxxxx XxxxxxverifiedHigh
11XXX.XX.XX.XXXXxxxx XxxxxxverifiedHigh
12XXX.XX.XX.XXXxxxx XxxxxxverifiedHigh
13XXX.XX.XX.XXXxxxx XxxxxxverifiedHigh
14XXX.XX.XX.XXXxxxx XxxxxxverifiedHigh
15XXX.XX.XX.XXXxxxx XxxxxxverifiedHigh
16XXX.XXX.XXX.XXxxxxx.xxxx.xxXxxxx XxxxxxverifiedHigh
17XXX.XXX.XXX.XXXXxxxx XxxxxxverifiedHigh
18XXX.XX.XXX.XXXXxxxx XxxxxxverifiedHigh

TTP - Tactics, Techniques, Procedures (17)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IDTechniqueVulnerabilitiesAccess VectorTypeConfidence
1T1006CWE-21, CWE-22, CWE-23Pathname TraversalpredictiveHigh
2T1055CWE-74InjectionpredictiveHigh
3T1059CWE-94Cross Site ScriptingpredictiveHigh
4T1059.007CWE-79, CWE-80Cross Site ScriptingpredictiveHigh
5TXXXXCWE-XXX, CWE-XXX, CWE-XXXXxxxxxxxx Xxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
6TXXXX.XXXCWE-XXXXxxxxxxx Xxxxxxxxxxx Xx Xxxxxxxxx Xxxxxxxxxxxxxx XxxxxxxxpredictiveHigh
7TXXXXCWE-XXXxxxxxx XxxxxxxxxpredictiveHigh
8TXXXX.XXXCWE-XXXXxxx XxxxxxxxpredictiveHigh
9TXXXXCWE-XXXXxxxxxxxxx XxxxxxpredictiveHigh
10TXXXXCWE-XXXxx XxxxxxxxxpredictiveHigh
11TXXXX.XXXCWE-XXXXxxxxxxx XxxxxxxxxxxxxpredictiveHigh
12TXXXXCWE-XXX, CWE-XXXXxx.xxx Xxxxxxxxxxxxxxxx: Xxxxxxxx Xx Xxxxxxxxxxxxx XxxxpredictiveHigh
13TXXXX.XXXCWE-XXXXxxxxxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
14TXXXXCWE-XXXXxxxxxxxxxxxxpredictiveHigh
15TXXXX.XXXCWE-XXXxxxxxxxxxxxxpredictiveHigh
16TXXXXCWE-XXX, CWE-XXXX2xx Xxxxxxxxxxxxxxxx: Xxxx Xxxxxxxxxxxx Xxxxxxx XxxxxxxxxxpredictiveHigh
17TXXXX.XXXCWE-XXXXxxxxxxxxxxx XxxxxxpredictiveHigh

IOA - Indicator of Attack (83)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

IDClassIndicatorTypeConfidence
1File/cdsms/classes/Master.php?f=delete_enrollmentpredictiveHigh
2File/mifs/c/i/reg/reg.htmlpredictiveHigh
3File/server-infopredictiveMedium
4File/wp-json/oembed/1.0/embed?urlpredictiveHigh
5Filea2billing/customer/iridium_threed.phppredictiveHigh
6Fileadmin.php?s=/Channel/add.htmlpredictiveHigh
7Fileadmin/class-bulk-editor-list-table.phppredictiveHigh
8Fileadministrator/components/com_media/helpers/media.phppredictiveHigh
9Fileauth.asppredictiveMedium
10Filebase/ErrorHandler.phppredictiveHigh
11Filexxx-xxx/xxxxxxpredictiveHigh
12Filexxxx/xxxxxxxxxxxxx/xxxxxxx.xxxpredictiveHigh
13Filexxxx/xxxxxxxxxxxxxxx.xxxpredictiveHigh
14Filexxxx_xxxxx.xxxpredictiveHigh
15Filexxxxxx.xxxpredictiveMedium
16Filexxxx/xxxxxxxx.xxxx.xxxxxxx.xxxpredictiveHigh
17Filexxxxxxxxxxx/xxxx-xxxxxx-xxxxxx.xxxpredictiveHigh
18Filexxxxxxxxx/xx/xxxxxxxxxxxx.xxxpredictiveHigh
19Filexxxxx_xxxxxxxx.xxxpredictiveHigh
20Filexxxx/xxxxxxxxxx.xxxpredictiveHigh
21Filexxxxx.xxxpredictiveMedium
22Filexxxxxxx.xxxpredictiveMedium
23Filexxxxxxxxx/xxxxxxx.xxx.xxxpredictiveHigh
24Filexxx.xpredictiveLow
25Filexxxxxxx.xxxpredictiveMedium
26Filexxx_xxxx.xxxpredictiveMedium
27Filexxxxx/xxxxx.xxxpredictiveHigh
28Filexxxxxxx/xxxx.xxxpredictiveHigh
29Filexxxxxx/?x=xxxxx/\xxxxx\xxx/xxxxxxxxxxxxxx&xxxxxxxx=xxxx_xxxx_xxxx_xxxxx&xxxx[x]=xxxxxx&xxxx[x][]predictiveHigh
30Filexxxxxxx/xxxxx/xxxx-xxx/xxxxxx.xpredictiveHigh
31Filexxxxx.xxxpredictiveMedium
32Filexxxxxx.xxxpredictiveMedium
33Filexxxx.xxxxpredictiveMedium
34Filexxxxxxxxx.xpredictiveMedium
35Filexxxxxxxx/xxxxxxxxpredictiveHigh
36Filexxxxx.xxxpredictiveMedium
37Filexxxxx/xxxxxxx/xxxxxxxx/xxxxx.xxx.xxxxpredictiveHigh
38Filexxxxxxx/xxxxxx/xxxxx/xxxxxxx/xxx/xxx.xxxpredictiveHigh
39Filexxxxxxx.xxxpredictiveMedium
40Filexx-xxxxx/xxxxx-xxxx.xxxpredictiveHigh
41Filexx-xxxxx/xxxxxx-xxxx.xxxpredictiveHigh
42Filexx-xxxxxxxx/xxxxx-xx-xxxxx.xxxpredictiveHigh
43Libraryxxx/xxxx/xxxxxx.xxxxx.xxxpredictiveHigh
44Libraryxxx/xxx.xxxpredictiveMedium
45Argumentxxxxxx_xxxxpredictiveMedium
46ArgumentxxxxxxxpredictiveLow
47Argumentxxxxxxx-xxxxxxpredictiveHigh
48Argumentxxxxxxx_xxpredictiveMedium
49ArgumentxxxxxxxxxxxxxxxpredictiveHigh
50ArgumentxxxxxxpredictiveLow
51ArgumentxxxxpredictiveLow
52ArgumentxxxxxxxpredictiveLow
53ArgumentxxxxpredictiveLow
54ArgumentxxpredictiveLow
55ArgumentxxxxxxxxxpredictiveMedium
56Argumentxx_xxxxpredictiveLow
57Argumentx/xx/xxxpredictiveMedium
58ArgumentxxxxxxxxxxpredictiveMedium
59ArgumentxxxxpredictiveLow
60Argumentxxxx/xxxxxxxpredictiveMedium
61ArgumentxxxxxxxxxxxxxxxxxxxxxxxpredictiveHigh
62ArgumentxxxxxpredictiveLow
63Argumentxxxxxx_xxxxpredictiveMedium
64ArgumentxxxxxxxxxxxxxpredictiveHigh
65Argumentxxxxxxxx_xxxxxxxpredictiveHigh
66ArgumentxxxxxxpredictiveLow
67ArgumentxxxxpredictiveLow
68Argumentxxxxxx/xxxxxpredictiveMedium
69Argumentxxxxxxxx[]predictiveMedium
70Argumentxxxxxxxx[xxxx]predictiveHigh
71ArgumentxxxpredictiveLow
72Argumentxxx_xxxx[x][]predictiveHigh
73Argumentxxxxxxxx/xxxpredictiveMedium
74ArgumentxxpredictiveLow
75ArgumentxxxxxxxxxxxxxpredictiveHigh
76ArgumentxxxpredictiveLow
77ArgumentxxxxxxxxpredictiveMedium
78ArgumentxxxxxxxxxxxxxpredictiveHigh
79Argumentxxxx xxxxpredictiveMedium
80Input Value-xpredictiveLow
81Input Valuexxxxx"][xxxxxx]xxxxx('xxx')[/xxxxxx]predictiveHigh
82Input Value…/.predictiveLow
83Network Portxxx xxxxxx xxxxpredictiveHigh

References (2)

The following list contains external sources which discuss the actor and the associated activities:

PreviousOverviewNext

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!