Peach Sandstorm Analysis

💳 Purchase Required

You need to purchase an additional CTI license to see detailed indicators.

IOB - Indicator of Behavior (47)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en32
zh12
es2
de2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Country

co26
cn12
us6
fr2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Actors

Cobalt Strike3
Peach Sandstorm3
BianLian1
Raccoon1
Meduza Stealer1

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Activities

Interest

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Type

Not Defined20
Hosting Control Software4
Bug Tracking Software4
Server Management Software2
Content Management System2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vendor

Not Defined8
Interspire6
Sonus4
VMware2
Extreme2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Product

Interspire Email Marketer6
Sonus SBC 10004
Sonus SBC 20004
Sonus SBC SWe Lite4
VMware vCenter Server2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vulnerabilities

#VulnerabilityBaseTemp0dayTodayExpRemEPSSCTICVE
1Interspire Email Marketer Dynamiccontenttags.php sql injection7.57.5$0-$5k$0-$5kNot DefinedNot Defined0.000870.07CVE-2018-19551
2Sales / Company Management System member_order.php sql injection8.58.5$0-$5kCalculatingNot DefinedNot Defined0.001720.00CVE-2018-19925
3Interspire Email Marketer Dynamiccontenttags.php sql injection7.57.5$0-$5k$0-$5kNot DefinedNot Defined0.000870.00CVE-2018-19549
4All-in-One WP Migration Plugin class-ai1wm-backups.php path traversal5.35.3$0-$5k$0-$5kNot DefinedNot Defined0.000970.04CVE-2022-1476
5VMware vCenter Server/Cloud Foundation vSphere Client Privilege Escalation8.07.9$5k-$25k$0-$5kHighOfficial Fix0.972990.03CVE-2021-21972
6Advanced Comment System admin.php sql injection8.57.7$0-$5k$0-$5kProof-of-ConceptNot Defined0.002300.04CVE-2018-18619
7Interspire Email Marketer Dynamiccontenttags.php sql injection7.57.5$0-$5k$0-$5kNot DefinedNot Defined0.000870.02CVE-2018-19553
8SonicWALL SMA1000 HTTP Connection access control6.36.3$0-$5k$0-$5kNot DefinedNot Defined0.002380.03CVE-2022-22282
9Omeka Classic cross site scripting3.53.4$0-$5k$0-$5kNot DefinedOfficial Fix0.001100.00CVE-2021-26799
10AgileConfig JWT Secret hard-coded key7.06.9$0-$5k$0-$5kNot DefinedOfficial Fix0.003290.00CVE-2022-35540
11Apache Airflow UI code injection7.17.0$5k-$25k$0-$5kNot DefinedOfficial Fix0.389440.02CVE-2022-40127
12Support Board Plugin sql injection7.37.0$0-$5k$0-$5kNot DefinedOfficial Fix0.002110.05CVE-2021-24741
13GitLab Project Import permission assignment8.78.6$0-$5k$0-$5kNot DefinedOfficial Fix0.634360.04CVE-2022-2185
14cPanel cpsrvd cross site scripting5.04.9$0-$5k$0-$5kNot DefinedOfficial Fix0.003450.03CVE-2023-29489
15Labstack Echo Static server-side request forgery7.57.5$0-$5k$0-$5kNot DefinedNot Defined0.029330.04CVE-2022-40083
16GitLab Community Edition/Enterprise Edition Runner Registration Token information disclosure7.67.5$0-$5k$0-$5kNot DefinedOfficial Fix0.032780.04CVE-2022-0735
17Git Plugin Build authorization6.56.5$0-$5k$0-$5kNot DefinedNot Defined0.011560.08CVE-2022-36883
18Z-BlogPHP action_crawler.php server-side request forgery8.08.0$0-$5k$0-$5kNot DefinedNot Defined0.003190.05CVE-2022-40357
19Dialogic PowerMedia XMS Administrative Console default.db Password credentials management6.56.3$0-$5k$0-$5kNot DefinedOfficial Fix0.000420.06CVE-2018-11634
20Extreme EXOS File information disclosure3.43.4$0-$5k$0-$5kNot DefinedNot Defined0.000440.04CVE-2017-14327

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • Holmium

IOC - Indicator of Compromise (5)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

IDIP addressHostnameActorCampaignsIdentifiedTypeConfidence
164.52.80.30Peach Sandstorm02/01/2024verifiedHigh
2XX.X.XX.XXXxxxx XxxxxxxxxXxxxxxx10/19/2023verifiedHigh
3XXX.XXX.XXX.XXxxxxxxxxxxxxx.xxxXxxxx XxxxxxxxxXxxxxxx10/19/2023verifiedHigh
4XXX.XX.XXX.XXXxxxxxx-xxx-xx-xxx-xxx.xxxxxxxxx.xxXxxxx XxxxxxxxxXxxxxxx10/19/2023verifiedHigh
5XXX.XX.XXX.XXxxxx-xxxxxxxx.xxxxxxxxxx.xxxXxxxx XxxxxxxxxXxxxxxx10/19/2023verifiedHigh

TTP - Tactics, Techniques, Procedures (8)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IDTechniqueClassVulnerabilitiesAccess VectorTypeConfidence
1T1006CAPEC-126CWE-22Path TraversalpredictiveHigh
2T1059CAPEC-242CWE-94Argument InjectionpredictiveHigh
3TXXXX.XXXCAPEC-209CWE-XX, CWE-XXXxxxx Xxxx XxxxxxxxxpredictiveHigh
4TXXXXCAPEC-122CWE-XXX, CWE-XXX, CWE-XXXXxxxxxxxx Xxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
5TXXXXCAPEC-108CWE-XXXxx XxxxxxxxxpredictiveHigh
6TXXXXCAPEC-CWE-XXXXxxxxxxxxxx XxxxxxxxxxpredictiveHigh
7TXXXXCAPEC-116CWE-XXXXxxxxxxxxx Xx Xxxxxxx Xxxxx Xxxxxxx Xxxxxxxxx XxxxxxxxxxxpredictiveHigh
8TXXXX.XXXCAPEC-CWE-XXXXxx Xxxxxxxxxx XxxxxpredictiveHigh

IOA - Indicator of Attack (18)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

IDClassIndicatorTypeConfidence
1File/var/www/xms/xmsdb/default.dbpredictiveHigh
2FileDynamiccontenttags.phppredictiveHigh
3Fileinternal/advanced_comment_system/admin.phppredictiveHigh
4Filexxxxxx/xxxxxx_xxxxx.xxxpredictiveHigh
5Filexxxxxxxx.xxpredictiveMedium
6Filexx_xxxxx/xxxxxx/xxxxxxx/xxx/xxxxxx_xxxxxxx.xxxpredictiveHigh
7Library/xxxxxxx/xxxxx/xxx.xxxpredictiveHigh
8Libraryxxx/xxx/xxxx.xxxxx.xxxpredictiveHigh
9Library~/xxx/xxxxx/xxxxx-xxxxx-xxxxxxx.xxxpredictiveHigh
10Argumentxxxxxxx[]predictiveMedium
11Argumentxxxxx/xxxxxxpredictiveMedium
12ArgumentxxpredictiveLow
13ArgumentxxxxpredictiveLow
14Argumentxxx_xxpredictiveLow
15ArgumentxxxxxxxxxpredictiveMedium
16ArgumentxxxxxxpredictiveLow
17Argumentxxxxxx_xxxx/xxxxxxxxxx/xxxx_xx/xxxxxxxxxxxx_xx/xxxxxxxxxxxx_xxxxxx_xxxx/xxxxxxxxx_xxpredictiveHigh
18Argumentxxxx/x_xxxxxpredictiveMedium

References (3)

The following list contains external sources which discuss the actor and the associated activities:

PreviousOverviewNext

Do you want to use VulDB in your project?

Use the official API to access entries easily!