UNC1151 Analysis

IOB - Indicator of Behavior (43)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

zh	34
en	8
de	2

Country

cn	42
de	2

Actors

UNC1151	2

Activities

Interest

Timeline

Type

Not Defined	28
Web Browser	4
Operating System	4
Multimedia Player Software	2
Social Network Software	2

Vendor

Not Defined	14
Apache	8
Microsoft	4
Google	2
ESRI	2

Product

Google Chrome	2
xnio	2
ESRI ArcGIS for Server	2
Apache HttpClient	2
Apple QuickTime	2

Vulnerabilities

#	Vulnerability	Base	Temp	0day	Today	Exp	Rem	CTI	EPSS	CVE
1	mongo-java-driver certificate validation	4.6	4.4	$0-$5k	$0-$5k	Not Defined	Official Fix	0.01	0.00885	CVE-2021-20328
2	LogicBoard CMS away.php redirect	6.3	6.1	$0-$5k	$0-$5k	Not Defined	Unavailable	0.61	0.00000
3	Serendipity exit.php privileges management	6.3	6.0	$0-$5k	$0-$5k	Proof-of-Concept	Not Defined	0.05	0.00000
4	Gin-vue-admin Parameter Validation path traversal	6.4	6.3	$0-$5k	$0-$5k	Not Defined	Official Fix	0.05	0.00954	CVE-2022-24843
5	Apache DolphinScheduler User Registration resource consumption	3.5	3.4	$0-$5k	$0-$5k	Not Defined	Official Fix	0.05	0.00885	CVE-2022-25598
6	ThinkPHP input validation	8.5	8.2	$0-$5k	$0-$5k	Not Defined	Official Fix	0.03	0.84749	CVE-2019-9082
7	Microsoft Windows Runtime Remote Code Execution	8.1	7.4	$100k and more	$5k-$25k	Unproven	Official Fix	0.00	0.12761	CVE-2022-21971
8	Apache APISIX batch-requests Plugin authentication spoofing	7.3	7.3	$5k-$25k	$5k-$25k	Not Defined	Not Defined	0.04	0.71078	CVE-2022-24112
9	Linux Kernel Timer Tree timerqueue.c timerqueue_add initialization	3.1	3.0	$0-$5k	$0-$5k	Not Defined	Official Fix	0.00	0.01034	CVE-2021-20317
10	Oracle VM VirtualBox information disclosure	3.8	3.7	$0-$5k	$0-$5k	Not Defined	Official Fix	0.03	0.00885	CVE-2022-21295
11	Hashicorp Consul Enterprise HTTP Event unknown vulnerability	6.0	5.8	$0-$5k	$0-$5k	Not Defined	Official Fix	0.03	0.00954	CVE-2021-28156
12	Apache Shiro improper authentication	7.3	7.0	$5k-$25k	$0-$5k	Not Defined	Official Fix	0.07	0.01136	CVE-2014-0074
13	Cisco HyperFlex Software Graphite Interface data authenticity	4.3	4.2	$5k-$25k	$0-$5k	Not Defined	Official Fix	0.06	0.00885	CVE-2019-1667
14	RabbitMQ Management UI cross site scripting	2.4	2.3	$0-$5k	$0-$5k	Not Defined	Official Fix	0.06	0.02199	CVE-2021-32718
15	Google Chrome V8 type confusion	6.3	6.0	$25k-$100k	$5k-$25k	Not Defined	Official Fix	0.01	0.01213	CVE-2021-4061
16	Google Chrome Blink use after free	7.5	7.2	$25k-$100k	$5k-$25k	Not Defined	Official Fix	0.02	0.01136	CVE-2019-5787
17	Action Pack Helper polymorphic_url information exposure	3.5	3.5	$0-$5k	$0-$5k	Not Defined	Not Defined	0.01	0.02509	CVE-2021-22885
18	Eclipse Jetty Default Compliance Mode web.xml information disclosure	5.3	5.3	$0-$5k	$0-$5k	Not Defined	Not Defined	0.02	0.46512	CVE-2021-28164
19	Eclipse Jetty ConcatServlet information disclosure	5.3	5.3	$0-$5k	$0-$5k	Not Defined	Not Defined	0.02	0.27302	CVE-2021-28169
20	Mobile Viewpoint Wireless Multiplex Terminal Playout Server hard-coded credentials	6.3	6.3	$0-$5k	$0-$5k	Not Defined	Not Defined	0.01	0.00885	CVE-2020-35338

Campaigns (2)

These are the campaigns that can be associated with the actor:

Ghostwriter
Xxxxxxxx Xxxxxxxxx Xxxxxxxx

IOC - Indicator of Compromise (4)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

ID	IP address	Hostname	Actor	Campaigns	Type	Confidence
1	88.99.104.179	static.179.104.99.88.clients.your-server.de	UNC1151	Ghostwriter	verified	High
2	XXX.XXX.XX.XX	xxxx.xxxxxxxxxxxx.xx	Xxxxxxx	Xxxxxxxx Xxxxxxxxx Xxxxxxxx	verified	High
3	XXX.XXX.XXX.XX	xxxx-xxx-xxx-xxx-xx.xxxxxxx.xxxx	Xxxxxxx	Xxxxxxxx Xxxxxxxxx Xxxxxxxx	verified	High
4	XXX.XXX.XXX.XX	xxxxxxxxx.xxxxxx.xxxxx	Xxxxxxx	Xxxxxxxx Xxxxxxxxx Xxxxxxxx	verified	High

TTP - Tactics, Techniques, Procedures (9)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

ID	Technique	Vulnerabilities	Access Vector	Type	Confidence
1	T1006	CWE-22	Pathname Traversal	predictive	High
2	T1059	CWE-94	Cross Site Scripting	predictive	High
3	TXXXX.XXX	CWE-XX	Xxxxx Xxxx Xxxxxxxxx	predictive	High
4	TXXXX	CWE-XXX, CWE-XXX	Xxxxxxxxx Xxxx Xxxxxxxxxxx Xxxxxxxxxx	predictive	High
5	TXXXX.XXX	CWE-XXX	Xxxxxxxx Xxxxxxxxxxx Xx Xxxxxxxxx Xxxxxxxxxxxxxx Xxxxxxxx	predictive	High
6	TXXXX.XXX	CWE-XXX	Xxxx Xxxxxxxx	predictive	High
7	TXXXX	CWE-XX	Xxx Xxxxxxxxx	predictive	High
8	TXXXX.XXX	CWE-XXX	Xxxxxxxx Xxxxxxxxxxx Xxxxxxxxxx	predictive	High
9	TXXXX	CWE-XXX, CWE-XXX	Xxxxxxxxxxxxx	predictive	High

IOA - Indicator of Attack (13)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID	Class	Indicator	Type	Confidence
1	File	/concat?/%2557EB-INF/web.xml	predictive	High
2	File	/context/%2e/WEB-INF/web.xml	predictive	High
3	File	/xxxxx/xxxx.xxx	predictive	High
4	File	xxxx.xxx	predictive	Medium
5	File	xxx/xxxx/xx_xxxx.x	predictive	High
6	File	xxxxxx/?x=xxxxx/\xxxxx\xxx/xxxxxxxxxxxxxx&xxxxxxxx=xxxx_xxxx_xxxx_xxxxx&xxxx[x]=xxxxxx&xxxx[x][]	predictive	High
7	File	xxxx/xxx/xxx_xxxx.x	predictive	High
8	Library	xxxxxxxxxxx.xxx	predictive	High
9	Library	xxx/xxxxxxxxxx.x	predictive	High
10	Argument	$_xxxxxx['xxxxx_xxxxxx']	predictive	High
11	Argument	xxx	predictive	Low
12	Input Value	-x	predictive	Low
13	Network Port	xxx/xx (xxx xxxxxxxx)	predictive	High

References (3)

The following list contains external sources which discuss the actor and the associated activities:

◂ PreviousOverviewNext ▸

Interested in the pricing of exploits?

See the underground prices here!