UNC5221 Analysis

IOB - Indicator of Behavior (66)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en: 50
zh: 10
es: 6

Country

us: 50
cn: 12
ru: 2

Actors

Activities

Interest

Timeline

Type

Vendor

Product

Magento: 6
Magento LTS: 4
Canvas LMS: 2
Xiaomi Mi Router 3: 2
Synology DiskStation Manager: 2

Vulnerabilities

# | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE
1 | Magento Search Module sql injection | 7.3 | 7.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00070 | 0.02 | CVE-2021-21024
2 | DZCP deV!L`z Clanportal browser.php information disclosure | 5.3 | 5.0 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.02733 | 0.60 | CVE-2007-1167
3 | Magento code injection | 8.0 | 8.0 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00363 | 0.00 | CVE-2020-9585
4 | Magento File Upload unrestricted upload | 4.7 | 4.7 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00085 | 0.00 | CVE-2020-24407
5 | Magento WebAPI os command injection | 4.1 | 4.1 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00168 | 0.00 | CVE-2021-21016
6 | Magento unrestricted upload | 4.7 | 4.7 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00120 | 0.00 | CVE-2021-21014
7 | MGB OpenSource Guestbook email.php sql injection | 7.3 | 7.3 | $0-$5k | $0-$5k | High | Unavailable | 0.01302 | 0.83 | CVE-2007-0354
8 | Magento session expiration | 5.6 | 5.6 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00271 | 0.00 | CVE-2021-21032
9 | D-Link DNS-320L/DNS-325/DNS-327L/DNS-340L HTTP GET Request nas_sharing.cgi command injection | 7.3 | 7.1 | $5k-$25k | $0-$5k | High | Workaround | 0.83361 | 0.30 | CVE-2024-3273
10 | F-logic DataCube3 Configuration File access control | 5.3 | 5.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00043 | 0.05 | CVE-2024-25830
11 | linkding cross site scripting | 4.1 | 4.0 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.00057 | 0.04 | CVE-2023-6646
12 | Google Android KeyChainActivity App permission | 7.5 | 7.4 | $5k-$25k | $5k-$25k | Not Defined | Official Fix | 0.00061 | 0.02 | CVE-2023-48417
13 | WP Crowdfunding Plugin Setting cross site scripting | 3.6 | 3.5 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00045 | 0.00 | CVE-2023-5757
14 | Mozilla Firefox Document URI clickjacking | 4.3 | 4.2 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00046 | 0.06 | CVE-2024-0748
15 | Paid Memberships Pro Plugin Level Orders Update cross-site request forgery | 4.8 | 4.7 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00065 | 0.02 | CVE-2024-0624
16 | Log Command Plugin args4j path traversal | 5.9 | 5.8 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00093 | 0.04 | CVE-2024-23904
17 | ZTE ZXHN F677/ZXHN F477 FTP pathname traversal | 6.3 | 6.0 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00089 | 0.02 | CVE-2022-23135
18 | Joomla CMS com_easyblog sql injection | 6.3 | 6.1 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.00000 | 0.38 | 
19 | Akamai Technologies Download Manager ActiveX Control downloadmanagerv2.ocx getprivateprofilesectionw stack-based overflow | 10.0 | 9.0 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.34905 | 0.00 | CVE-2007-1891
20 | ProductCart AffiliateLogin.asp cross site scripting | 4.3 | 4.1 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00242 | 0.03 | CVE-2010-3421

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • CVE-2023-46805 / CVE-2024-21887

IOC - Indicator of Compromise (8)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (14)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (28)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1 | File | /cgi-bin/nas_sharing.cgi | predictive | High
2 | File | /jeecg-boot/sys/common/upload | predictive | High
3 | File | /thruk/#cgi-bin/extinfo.cgi?type=2 | predictive | High
4 | File | admin/conf_users_edit.php | predictive | High

References (2)

The following list contains external sources which discuss the actor and the associated activities: