GhostSec Analysis

💳 Purchase Required

You need to purchase an additional CTI license to see detailed indicators.

IOB - Indicator of Behavior (35)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en	28
ru	8

Country

ru	36

Actors

RedLine Stealer	2
GhostSec	2
Kinsing	1
catDDoS	1
Responder	1

Activities

Interest

Timeline

Type

Not Defined	12
Web Server	6
Content Management System	6
Cloud Software	4
Programming Language Software	2

Vendor

Not Defined	20
Nextcloud	2
Bitrix	2
Apache	2
GitLab	2

Product

nginx	4
WordPress	4
Grafana	4
PHP	2
Nextcloud Server	2

Vulnerabilities

#	Vulnerability	Base	Temp	0day	Today	Exp	Rem	EPSS	CTI	CVE
1	nginx request smuggling	6.9	6.9	$0-$5k	$0-$5k	Not Defined	Not Defined	0.00241	1.72	CVE-2020-12440
2	Bitrix Site Manager Vote Module Remote Code Execution	7.3	7.0	$0-$5k	$0-$5k	Not Defined	Official Fix	0.00668	0.08	CVE-2022-27228
3	GitLab Community Edition/Enterprise Edition Runner Registration Token information disclosure	7.6	7.5	$0-$5k	$0-$5k	Not Defined	Official Fix	0.03278	0.04	CVE-2022-0735
4	212cafe 212cafeboard view.php sql injection	7.3	7.1	$0-$5k	$0-$5k	High	Unavailable	0.00064	0.06	CVE-2008-4713
5	LogicBoard CMS away.php redirect	6.3	6.1	$0-$5k	$0-$5k	Not Defined	Unavailable	0.00000	2.84
6	nginx Error Page request smuggling	6.3	6.2	$0-$5k	$0-$5k	Not Defined	Official Fix	0.00273	0.04	CVE-2019-20372
7	Nextcloud Server Workflow os command injection	7.8	7.7	$0-$5k	$0-$5k	Not Defined	Official Fix	0.00147	0.05	CVE-2023-26482
8	Nextcloud Server/Enterprise Server DNS Pin Middleware server-side request forgery	6.4	6.3	$0-$5k	$0-$5k	Not Defined	Official Fix	0.00068	0.00	CVE-2023-48306
9	NextCloud Updater Reflected cross site scripting	3.6	3.6	$0-$5k	$0-$5k	Not Defined	Not Defined	0.00054	0.00	CVE-2019-15618
10	WordPress Scheduled Task wp-cron.php resource consumption	6.5	6.5	$5k-$25k	$5k-$25k	Not Defined	Not Defined	0.00096	0.04	CVE-2023-22622
11	PHP PHAR phar_dir_read buffer overflow	8.2	8.2	$5k-$25k	$0-$5k	Not Defined	Official Fix	0.00083	0.15	CVE-2023-3824
12	PHP xml external entity reference	7.2	7.1	$5k-$25k	$0-$5k	Not Defined	Official Fix	0.00059	0.07	CVE-2023-3823
13	Collabora Online cross site scripting	4.9	4.8	$0-$5k	$0-$5k	Not Defined	Official Fix	0.00052	0.00	CVE-2023-31145
14	uvicorn Request Logger urllib.parse.unquote code injection	5.0	4.7	$0-$5k	$0-$5k	Not Defined	Not Defined	0.00140	0.05	CVE-2020-7694
15	TinyMCE cross site scripting	5.0	5.0	$0-$5k	$0-$5k	Not Defined	Official Fix	0.00210	0.04	CVE-2022-23494
16	GitLab Project Import permission assignment	8.7	8.6	$0-$5k	$0-$5k	Not Defined	Official Fix	0.63436	0.04	CVE-2022-2185
17	Microsoft IIS Frontpage Server Extensions shtml.dll Username information disclosure	5.3	5.1	$5k-$25k	$0-$5k	Not Defined	Official Fix	0.15958	0.08	CVE-2000-0114
18	Telegram access control	5.5	5.5	$0-$5k	$0-$5k	Not Defined	Not Defined	0.00043	0.04	CVE-2023-26818
19	Adminer adminer.php server-side request forgery	7.3	7.0	$0-$5k	$0-$5k	Not Defined	Official Fix	0.02092	0.05	CVE-2021-21311
20	Microsoft Exchange Server Privilege Escalation	8.8	8.1	$25k-$100k	$5k-$25k	Unproven	Official Fix	0.51598	0.05	CVE-2023-21707

IOC - Indicator of Compromise (4)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

ID	IP address	Hostname	Actor	Identified	Type	Confidence
1	88.218.61.141	host-88-218-61-141.hosted-by-vdsina.ru	GhostSec	11/09/2023	verified	High
2	XX.XXX.XX.XXX	xxxxxxxx.xxxxxx-xx-xxxxxx.xx	Xxxxxxxx	11/09/2023	verified	High
3	XX.XXX.XX.XXX	xxxx-xx-xxx-xx-xxx.xxxxxx-xx-xxxxxx.xx	Xxxxxxxx	03/06/2024	verified	High
4	XXX.X.XX.XXX	xxxx-xxx-x-xx-xxx.xxxxxx-xx-xxxxxx.xx	Xxxxxxxx	11/09/2023	verified	High

TTP - Tactics, Techniques, Procedures (7)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

ID	Technique	Class	Vulnerabilities	Access Vector	Type	Confidence
1	T1059	CAPEC-242	CWE-94	Argument Injection	predictive	High
2	T1059.007	CAPEC-209	CWE-79	Cross Site Scripting	predictive	High
3	TXXXX	CAPEC-122	CWE-XXX, CWE-XXX	Xxxxxxxxx Xxxx Xxxxxxxxxxx Xxxxxxxxxx	predictive	High
4	TXXXX	CAPEC-108	CWE-XX	Xxxxxxx Xxxxx Xx Xxxxxxxxxx Xxxxxxxxxx Xxxxxxxxx	predictive	High
5	TXXXX.XXX	CAPEC-178	CWE-XXX	Xxxx Xxxxxxxx	predictive	High
6	TXXXX	CAPEC-108	CWE-XX	Xxx Xxxxxxxxx	predictive	High
7	TXXXX	CAPEC-116	CWE-XXX, CWE-XXX	Xxxxxxxxxx Xx Xxxxxxx Xxxxx Xxxxxxx Xxxxxxxxx Xxxxxxxxxxx	predictive	High

IOA - Indicator of Attack (10)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID	Class	Indicator	Type	Confidence
1	File	/api/user/password/sent-reset-email	predictive	High
2	File	/forum/away.php	predictive	High
3	File	xxxxxxx.xxx	predictive	Medium
4	File	xxxx.xxx	predictive	Medium
5	File	xx-xxxx.xxx	predictive	Medium
6	File	xx-xxxxxxxx/xxxx-xxx/xxxxxxxxx/xxxxx-xx-xxxx-xxxxx-xxxxxxxxxx.xxx	predictive	High
7	Library	/_xxx_xxx/xxxxx.xxx	predictive	High
8	Library	xxxxxx.xxxxx.xxxxxxx	predictive	High
9	Argument	xxxx_xxxxxx_xxxxxxxxx	predictive	High
10	Argument	xxx	predictive	Low

References (3)

The following list contains external sources which discuss the actor and the associated activities:

◂ PreviousOverviewNext ▸

Interested in the pricing of exploits?

See the underground prices here!