UNC1151 Analysis

IOB - Indicator of Behavior (50)

Language

zh: 32
en: 12
es: 2
de: 2
ru: 2

Product

Linux Kernel: 4
Microsoft Windows: 4
hibernate-core: 2
Fortinet FortiWeb: 2
Hibernate Validator: 2

Vulnerability

| # | Vulnerability | Base | Temp | 0day | Today | Exploit | Remediation | CTI | EPSS | CVE |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Joseph C Dolson My Tickets Plugin cross site request forgery | 5.8 | 5.8 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00 | 0.00062 | CVE-2022-47440 |
| 2 | mongo-java-driver weak authentication | 4.6 | 4.4 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.02 | 0.00046 | CVE-2021-20328 |
| 3 | BusyBox xfuncs_printf.c xasprintf buffer overflow | 5.5 | 5.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.02 | 0.00044 | CVE-2023-42363 |
| 4 | busybox ash.c buffer overflow | 8.0 | 7.9 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.06 | 0.00134 | CVE-2022-48174 |
| 5 | MikroTik RouterOS Winbox/HTTP Interface privilege escalation | 7.8 | 7.8 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00 | 0.00055 | CVE-2023-30799 |
| 6 | D-Link DIR-635 Wireless.shtml cross site scripting | 4.6 | 4.4 | $5k-$25k | $0-$5k | Proof-of-Concept | Not Defined | 0.00 | 0.00000 | |
| 7 | SourceCodester Employee and Visitor Gate Pass Logging System GET Parameter view_designation.php sql injection | 7.1 | 6.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.05 | 0.00135 | CVE-2023-2090 |
| 8 | LogicBoard CMS away.php Redirect | 6.3 | 6.1 | $0-$5k | $0-$5k | Not Defined | Unavailable | 4.32 | 0.00000 | |
| 9 | Serendipity exit.php privilege escalation | 6.3 | 6.0 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.49 | 0.00000 | |
| 10 | Gin-vue-admin Parameter Validation directory traversal | 6.4 | 6.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.02 | 0.00126 | CVE-2022-24843 |
| 11 | Apache DolphinScheduler User Registration denial of service | 3.5 | 3.4 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.03 | 0.00090 | CVE-2022-25598 |
| 12 | ThinkPHP privilege escalation | 8.5 | 8.4 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.03 | 0.97456 | CVE-2019-9082 |
| 13 | Microsoft Windows Runtime Remote Code Execution | 8.1 | 7.4 | $100k and more | $5k-$25k | Unproven | Official Fix | 0.00 | 0.47432 | CVE-2022-21971 |
| 14 | Apache APISIX batch-requests Plugin weak authentication | 7.3 | 7.3 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.02 | 0.97415 | CVE-2022-24112 |
| 15 | Linux Kernel Timer Tree timerqueue.c timerqueue_add denial of service | 3.1 | 3.0 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.00042 | CVE-2021-20317 |
| 16 | Oracle VM VirtualBox information disclosure | 3.8 | 3.7 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.00045 | CVE-2022-21295 |
| 17 | Hashicorp Consul Enterprise HTTP Event unknown vulnerability | 6.0 | 5.8 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.00259 | CVE-2021-28156 |
| 18 | Apache Shiro weak authentication | 7.3 | 7.0 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.01 | 0.00644 | CVE-2014-0074 |
| 19 | Cisco HyperFlex Software Graphite Interface weak authentication | 4.2 | 4.1 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.00042 | CVE-2019-1667 |
| 20 | RabbitMQ Management UI cross site scripting | 2.4 | 2.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.05 | 0.00096 | CVE-2021-32718 |

Campaigns (3)

These are the campaigns that can be associated with the actor:

IOC - Indicator of Compromise (5)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (10)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (19)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

| ID | Class | Indicator | Type | Confidence |
|---|---|---|---|---|
| 1 | File | /admin/maintenance/view_designation.php | predictive | High |
| 2 | File | /concat?/%2557EB-INF/web.xml | predictive | High |
| 3 | File | /context/%2e/WEB-INF/web.xml | predictive | High |
| 4 | File | /xxxxx/xxxx.xxx | predictive | High |
| 5 | File | xxx.x | predictive | Low |
| 6 | File | xxxxx/xxxxxxxx.xxxxx | predictive | High |
| 7 | File | xxxx.xxx | predictive | Medium |
| 8 | File | xxx/xxxx/xx_xxxx.x | predictive | High |
| 9 | File | xxxxxx/?x=xxxxx/\xxxxx\xxx/xxxxxxxxxxxxxx&xxxxxxxx=xxxx_xxxx_xxxx_xxxxx&xxxx[x]=xxxxxx&xxxx[x][] | predictive | High |
| 10 | File | xxxx/xxx/xxx_xxxx.x | predictive | High |
| 11 | File | xxxxxx_xxxxxx.x | predictive | High |
| 12 | Library | xxxxxxxxxxx.xxx | predictive | High |
| 13 | Library | xxx/xxxxxxxxxx.x | predictive | High |
| 14 | Argument | $_xxxxxx['xxxxx_xxxxxx'] | predictive | High |
| 15 | Argument | xxxxxxxxxxxxxx[x]xxxx_xxxxxxxx[x]xxxx | predictive | High |
| 16 | Argument | xx | predictive | Low |
| 17 | Argument | xxx | predictive | Low |
| 18 | Input Value | -x | predictive | Low |
| 19 | Network Port | xxx/xx (xxx xxxxxxxx) | predictive | High |

References (4)

The following list contains external sources which discuss the actor and the associated activities:
