UNC1151 Analysis

💳 Purchase Required

You need to purchase an additional CTI license to see detailed indicators.

IOB - Indicator of Behavior (51)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

zh36
en10
ru2
es2
de2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Country

cn44
us2
ru2
es2
de2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Actors

UNC11514
Meterpreter1
Hydra1
RedLine Stealer1

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Activities

Interest

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Type

Not Defined26
Operating System6
Web Server4
Router Operating System4
Virtualization Software2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vendor

Not Defined12
Apache10
Linux4
Eclipse4
ESRI2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Product

Apache HTTP Server4
Linux Kernel4
Eclipse Jetty4
ESRI ArcGIS for Server2
SourceCodester Employee and Visitor Gate Pass Logg ...2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vulnerabilities

#VulnerabilityBaseTemp0dayTodayExpRemEPSSCTICVE
1Joseph C Dolson My Tickets Plugin cross-site request forgery5.85.8$0-$5k$0-$5kNot DefinedNot Defined0.000630.00CVE-2022-47440
2mongo-java-driver certificate validation4.64.4$0-$5k$0-$5kNot DefinedOfficial Fix0.000460.00CVE-2021-20328
3xrdp-sesman Service Service Port 3350 stack-based overflow6.45.6$0-$5k$0-$5kNot DefinedOfficial Fix0.000610.04CVE-2020-4044
4BusyBox xfuncs_printf.c xasprintf use after free5.55.5$0-$5k$0-$5kNot DefinedNot Defined0.000440.00CVE-2023-42363
5busybox ash.c stack-based overflow8.07.9$0-$5k$0-$5kNot DefinedOfficial Fix0.001340.00CVE-2022-48174
6MikroTik RouterOS Winbox/HTTP Interface privileges management7.87.8$0-$5k$0-$5kNot DefinedNot Defined0.000550.08CVE-2023-30799
7D-Link DIR-635 Wireless.shtml cross site scripting4.64.4$5k-$25k$0-$5kProof-of-ConceptNot Defined0.000000.00
8SourceCodester Employee and Visitor Gate Pass Logging System GET Parameter view_designation.php sql injection7.16.9$0-$5k$0-$5kProof-of-ConceptNot Defined0.002200.04CVE-2023-2090
9LogicBoard CMS away.php redirect6.36.1$0-$5k$0-$5kNot DefinedUnavailable0.000003.98
10Serendipity exit.php privileges management6.36.0$0-$5k$0-$5kProof-of-ConceptNot Defined0.000000.32
11Gin-vue-admin Parameter Validation path traversal6.46.3$0-$5k$0-$5kNot DefinedOfficial Fix0.001260.00CVE-2022-24843
12Apache DolphinScheduler User Registration resource consumption3.53.4$0-$5k$0-$5kNot DefinedOfficial Fix0.000900.03CVE-2022-25598
13ThinkPHP input validation8.58.4$0-$5k$0-$5kHighOfficial Fix0.974550.03CVE-2019-9082
14Microsoft Windows Runtime Remote Code Execution8.17.7$25k-$100k$5k-$25kHighOfficial Fix0.382670.00CVE-2022-21971
15Apache APISIX batch-requests Plugin authentication spoofing7.37.3$5k-$25k$5k-$25kHighNot Defined0.974110.00CVE-2022-24112
16Linux Kernel Timer Tree timerqueue.c timerqueue_add initialization3.13.0$0-$5k$0-$5kNot DefinedOfficial Fix0.000420.00CVE-2021-20317
17Oracle VM VirtualBox information disclosure3.83.7$0-$5k$0-$5kNot DefinedOfficial Fix0.000450.00CVE-2022-21295
18Hashicorp Consul Enterprise HTTP Event unknown vulnerability6.05.8$0-$5k$0-$5kNot DefinedOfficial Fix0.002590.00CVE-2021-28156
19Apache Shiro improper authentication7.37.0$5k-$25k$0-$5kNot DefinedOfficial Fix0.006440.01CVE-2014-0074
20Cisco HyperFlex Software Graphite Interface data authenticity4.24.1$0-$5k$0-$5kNot DefinedOfficial Fix0.000420.00CVE-2019-1667

Campaigns (3)

These are the campaigns that can be associated with the actor:

IOC - Indicator of Compromise (5)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

IDIP addressHostnameActorCampaignsIdentifiedTypeConfidence
188.99.104.179static.179.104.99.88.clients.your-server.deUNC1151Ghostwriter06/01/2021verifiedHigh
2XX.XXX.XXX.XXXxxxxxxxxxx.xxxxxxx.xxxxxXxxxxxxXxxxxxx07/13/2023verifiedHigh
3XXX.XXX.XX.XXxxxx.xxxxxxxxxxxx.xxXxxxxxxXxxxxxxx Xxxxxxxxx Xxxxxxxx03/01/2022verifiedHigh
4XXX.XXX.XXX.XXxxxx-xxx-xxx-xxx-xx.xxxxxxx.xxxxXxxxxxxXxxxxxxx Xxxxxxxxx Xxxxxxxx03/01/2022verifiedHigh
5XXX.XXX.XXX.XXxxxxxxxxx.xxxxxx.xxxxxXxxxxxxXxxxxxxx Xxxxxxxxx Xxxxxxxx03/01/2022verifiedHigh

TTP - Tactics, Techniques, Procedures (10)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IDTechniqueClassVulnerabilitiesAccess VectorTypeConfidence
1T1006CAPEC-126CWE-22Path TraversalpredictiveHigh
2T1059CAPEC-242CWE-94Argument InjectionpredictiveHigh
3TXXXX.XXXCAPEC-18CWE-XXXxxxx Xxxx XxxxxxxxxpredictiveHigh
4TXXXXCAPEC-122CWE-XXX, CWE-XXXXxxxxxxxx Xxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
5TXXXX.XXXCAPEC-191CWE-XXXXxxx-xxxxx XxxxxxxxxxxpredictiveHigh
6TXXXX.XXXCAPEC-178CWE-XXXXxxx XxxxxxxxpredictiveHigh
7TXXXXCAPEC-108CWE-XXXxx XxxxxxxxxpredictiveHigh
8TXXXX.XXXCAPEC-459CWE-XXXXxxxxxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
9TXXXXCAPEC-116CWE-XXX, CWE-XXXXxxxxxxxxx Xx Xxxxxxx Xxxxx Xxxxxxx Xxxxxxxxx XxxxxxxxxxxpredictiveHigh
10TXXXX.XXXCAPEC-112CWE-XXXXxx Xxxxxxxxxx XxxxxpredictiveHigh

IOA - Indicator of Attack (19)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

IDClassIndicatorTypeConfidence
1File/admin/maintenance/view_designation.phppredictiveHigh
2File/concat?/%2557EB-INF/web.xmlpredictiveHigh
3File/context/%2e/WEB-INF/web.xmlpredictiveHigh
4File/xxxxx/xxxx.xxxpredictiveHigh
5Filexxx.xpredictiveLow
6Filexxxxx/xxxxxxxx.xxxxxpredictiveHigh
7Filexxxx.xxxpredictiveMedium
8Filexxx/xxxx/xx_xxxx.xpredictiveHigh
9Filexxxxxx/?x=xxxxx/\xxxxx\xxx/xxxxxxxxxxxxxx&xxxxxxxx=xxxx_xxxx_xxxx_xxxxx&xxxx[x]=xxxxxx&xxxx[x][]predictiveHigh
10Filexxxx/xxx/xxx_xxxx.xpredictiveHigh
11Filexxxxxx_xxxxxx.xpredictiveHigh
12Libraryxxxxxxxxxxx.xxxpredictiveHigh
13Libraryxxx/xxxxxxxxxx.xpredictiveHigh
14Argument$_xxxxxx['xxxxx_xxxxxx']predictiveHigh
15Argumentxxxxxxxxxxxxxx[x]xxxx_xxxxxxxx[x]xxxxpredictiveHigh
16ArgumentxxpredictiveLow
17ArgumentxxxpredictiveLow
18Input Value-xpredictiveLow
19Network Portxxx/xx (xxx xxxxxxxx)predictiveHigh

References (4)

The following list contains external sources which discuss the actor and the associated activities:

PreviousOverviewNext

Interested in the pricing of exploits?

See the underground prices here!