GhostSec Analysis

IOB - Indicator of Behavior (37)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Language

en: 28
ru: 10


Country


Actors


Activities

Interest

Timeline


Type


Vendor


Product

Grafana: 4
TinyMCE: 2
GitLab Community Edition: 2
GitLab Enterprise Edition: 2
Microsoft Exchange Server: 2


Vulnerabilities

These are the vulnerabilities that we have identified as researched, approached, or attacked.

# | Vulnerability | Base | Temp | 0day | Today | Exploit | Countermeasure | KEV | EPSS | CTI | CVE
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
1 | nginx request smuggling | 6.9 | 6.9 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.00000 | 1.18 | CVE-2020-12440
2 | Bitrix Site Manager Vote Module Remote Code Execution | 7.3 | 7.0 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.09761 | 0.00 | CVE-2022-27228
3 | GitLab Community Edition/Enterprise Edition Runner Registration Token information disclosure | 7.6 | 7.5 | $0-$5k | $0-$5k | Not defined | Official fix | possible | 0.55623 | 0.07 | CVE-2022-0735
4 | Zabbix Configuration Script userparameter_mysql.conf sql injection | 7.2 | 6.9 | $0-$5k | $0-$5k | Proof-of-Concept | Official fix | possible | 0.44960 | 0.08 | CVE-2016-4338
5 | SourceCodester Employee and Visitor Gate Pass Logging System Master.php save_designation cross site scripting | 3.2 | 3.1 | $0-$5k | $0-$5k | Proof-of-Concept | Not defined | | 0.00031 | 0.06 | CVE-2024-6650
6 | 212cafe 212cafeboard view.php sql injection | 7.3 | 7.1 | $0-$5k | $0-$5k | High | Unavailable | possible | 0.00144 | 0.02 | CVE-2008-4713
7 | LogicBoard CMS away.php redirect | 6.3 | 6.1 | $0-$5k | $0-$5k | Not defined | Unavailable | | 0.00000 | 1.02 |
8 | nginx Error Page request smuggling | 6.3 | 6.2 | $0-$5k | $0-$5k | Not defined | Official fix | possible | 0.68560 | 0.08 | CVE-2019-20372
9 | Nextcloud Server Workflow os command injection | 7.8 | 7.7 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.00534 | 0.08 | CVE-2023-26482
10 | Nextcloud Server/Enterprise Server DNS Pin Middleware server-side request forgery | 6.4 | 6.3 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.00500 | 0.00 | CVE-2023-48306
11 | NextCloud Updater Reflected cross site scripting | 3.6 | 3.6 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.00372 | 0.07 | CVE-2019-15618
12 | WordPress Scheduled Task wp-cron.php resource consumption | 5.5 | 5.5 | $5k-$25k | $0-$5k | Not defined | Not defined | | 0.03051 | 0.08 | CVE-2023-22622
13 | PHP PHAR phar_dir_read buffer overflow | 8.2 | 8.2 | $5k-$25k | $0-$5k | Not defined | Official fix | | 0.16939 | 0.00 | CVE-2023-3824
14 | PHP xml external entity reference | 7.2 | 7.1 | $5k-$25k | $0-$5k | Not defined | Official fix | | 0.00144 | 0.00 | CVE-2023-3823
15 | Collabora Online cross site scripting | 4.9 | 4.8 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.00248 | 0.00 | CVE-2023-31145
16 | uvicorn Request Logger urllib.parse.unquote code injection | 5.0 | 4.7 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.00227 | 0.00 | CVE-2020-7694
17 | TinyMCE cross site scripting | 5.0 | 5.0 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.01672 | 0.00 | CVE-2022-23494
18 | GitLab Project Import permission assignment | 8.7 | 8.6 | $0-$5k | $0-$5k | Not defined | Official fix | expected | 0.93503 | 0.03 | CVE-2022-2185
19 | Microsoft IIS Frontpage Server Extensions shtml.dll Username information disclosure | 5.3 | 5.1 | $5k-$25k | $0-$5k | Not defined | Official fix | | 0.01618 | 0.05 | CVE-2000-0114
20 | Telegram access control | 5.5 | 5.5 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.02692 | 0.07 | CVE-2023-26818

IOC - Indicator of Compromise (4)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

ID | IP address | Hostname | Actor | Campaigns | Identified | Type | Confidence
--- | --- | --- | --- | --- | --- | --- | ---
1 | 88.218.61.141 | host-88-218-61-141.hosted-by-vdsina.ru | GhostSec | | 11/09/2023 | verified | Medium
2 | XX.XXX.XX.XXX | xxxxxxxx.xxxxxx-xx-xxxxxx.xx | Xxxxxxxx | | 11/09/2023 | verified | Medium
3 | XX.XXX.XX.XXX | xxxx-xx-xxx-xx-xxx.xxxxxx-xx-xxxxxx.xx | Xxxxxxxx | | 03/06/2024 | verified | Medium
4 | XXX.X.XX.XXX | xxxx-xxx-x-xx-xxx.xxxxxx-xx-xxxxxx.xx | Xxxxxxxx | | 11/09/2023 | verified | Medium

TTP - Tactics, Techniques, Procedures (7)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (13)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
--- | --- | --- | --- | ---
1 | File | /api/user/password/sent-reset-email | predictive | High
2 | File | /classes/Master.php | predictive | High
3 | File | /xxxxx/xxxx.xxx | predictive | High
4 | File | xxxxxxx.xxx | predictive | Medium
5 | File | xxxxxxxxxxxxx_xxxxx.xxxx | predictive | High
6 | File | xxxx.xxx | predictive | Medium
7 | File | xx-xxxx.xxx | predictive | Medium
8 | File | xx-xxxxxxxx/xxxx-xxx/xxxxxxxxx/xxxxx-xx-xxxx-xxxxx-xxxxxxxxxx.xxx | predictive | High
9 | Library | /_xxx_xxx/xxxxx.xxx | predictive | High
10 | Library | xxxxxx.xxxxx.xxxxxxx | predictive | High
11 | Argument | xxxx_xxxxxx_xxxxxxxxx | predictive | High
12 | Argument | xxxxx.xxxx | predictive | Medium
13 | Argument | xxx | predictive | Low

References (3)

The following list contains external sources which discuss the actor and the associated activities:

This view requires CTI permissions
