Stowaway Analysis

IOB - Indicator of Behavior (51)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en: 38
es: 8
zh: 2
ru: 2
fr: 2


Country

us: 26
fr: 12
gb: 4
pt: 4
cn: 2


Actors


Activities

Interest

Timeline


Type


Vendor


Product

Apache Tomcat: 4
Linux Kernel: 2
Dundas BI Server: 2
Microsoft ASP.NET Core: 2
Cyberoam os: 2


Vulnerabilities

| # | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | zhenfeng13 My-Blog Blog Management Page cross site scripting | 4.4 | 4.4 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00056 | 0.03 | CVE-2023-29636 |
| 2 | Apache HTTP Server mod_proxy_ftp uninitialized resource | 8.0 | 8.0 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.00173 | 0.00 | CVE-2020-1934 |
| 3 | nginx request smuggling | 6.9 | 6.9 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00241 | 2.20 | CVE-2020-12440 |
| 4 | Apache Tomcat Application Listener access control | 8.2 | 8.0 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00356 | 0.03 | CVE-2017-5648 |
| 5 | jQuery Property extend Pollution cross site scripting | 6.6 | 6.3 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.03535 | 0.00 | CVE-2019-11358 |
| 6 | Twig Template path traversal | 6.4 | 6.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00329 | 0.03 | CVE-2022-39261 |
| 7 | LogicBoard CMS away.php redirect | 6.3 | 6.1 | $0-$5k | $0-$5k | Not Defined | Unavailable | 0.00000 | 6.99 | |
| 8 | WP Rocket Plugin path traversal | 6.4 | 6.4 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00154 | 0.00 | CVE-2017-11658 |
| 9 | Joomla CMS com_contact access control | 6.3 | 6.2 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00077 | 0.00 | CVE-2019-15028 |
| 10 | Microsoft Outlook denial of service | 5.9 | 5.1 | $5k-$25k | $0-$5k | Unproven | Official Fix | 0.00067 | 0.00 | CVE-2022-35742 |
| 11 | WordPress Installation functions.php is_blog_installed access control | 8.0 | 7.7 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.02421 | 0.05 | CVE-2020-28037 |
| 12 | PHP-Fusion register.php sql injection | 7.3 | 7.0 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00725 | 0.00 | CVE-2005-3161 |
| 13 | fileNice Search Box index.php cross site scripting | 4.3 | 4.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00220 | 0.00 | CVE-2010-5031 |
| 14 | OpenSSH scp scp.c os command injection | 6.4 | 6.4 | $25k-$100k | $5k-$25k | Not Defined | Unavailable | 0.00411 | 0.00 | CVE-2020-15778 |
| 15 | Adobe Connect Server AMF Message deserialization | 8.5 | 8.4 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.01253 | 0.00 | CVE-2021-40719 |
| 16 | WordPress URL server-side request forgery | 8.5 | 8.4 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.01530 | 0.03 | CVE-2019-17669 |
| 17 | mod_ssl SSLVerifyClient Remote Code Execution | 9.8 | 8.8 | $25k-$100k | $0-$5k | Proof-of-Concept | Official Fix | 0.00214 | 0.02 | CVE-2005-2700 |
| 18 | PHP Link Directory Administration Page index.html cross site scripting | 4.3 | 4.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00374 | 0.07 | CVE-2007-0529 |
| 19 | Laravel PendingBroadcast.php dispatch deserialization | 6.3 | 6.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00049 | 0.04 | CVE-2022-30778 |
| 20 | Microsoft Windows LSA Remote Code Execution | 8.1 | 7.6 | $25k-$100k | $5k-$25k | High | Official Fix | 0.90249 | 0.04 | CVE-2022-26925 |

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • Ukraine Government

IOC - Indicator of Compromise (2)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

| ID | IP address | Hostname | Actor | Campaigns | Identified | Type | Confidence |
|---|---|---|---|---|---|---|---|
| 1 | 91.205.230.66 | | Stowaway | Ukraine Government | 12/20/2022 | verified | High |
| 2 | XXX.XXX.XX.XXX | | Xxxxxxxx | Xxxxxxx Xxxxxxxxxx | 12/20/2022 | verified | High |

TTP - Tactics, Techniques, Procedures (10)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (27)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

| ID | Class | Indicator | Type | Confidence |
|---|---|---|---|---|
| 1 | File | /etc/skyring/skyring.conf | predictive | High |
| 2 | File | /forum/away.php | predictive | High |
| 3 | File | /public/plugins/ | predictive | High |
| 4 | File | api/v1/registry | predictive | High |
| 5 | File | xxxx/xxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxx.xxxx | predictive | High |
| 6 | File | xxxxxxx/xxxxx.xxxxx.xxx | predictive | High |
| 7 | File | xxx.xxx | predictive | Low |
| 8 | File | xxxxxxx/xxxx/xxxxxxxxx/xxxxxxxxx_xxxxx.x | predictive | High |
| 9 | File | xx/xxxxx.x | predictive | Medium |
| 10 | File | xxxxxxxxxx\xxxxxxxxxxxx\xxxxxxxxxxxxxxxx.xxx | predictive | High |
| 11 | File | xxxxx.xxxx | predictive | Medium |
| 12 | File | xxxxx.xxx | predictive | Medium |
| 13 | File | xxx/xxxx.xxx | predictive | Medium |
| 14 | File | xxxxxxxx.xxxx.xx | predictive | High |
| 15 | File | xxxxxxxx.xxx | predictive | Medium |
| 16 | File | xxxxxxxx.xxx | predictive | Medium |
| 17 | File | xxx.x | predictive | Low |
| 18 | File | xx-xxxxxxxx/xxxxxxxxx.xxx | predictive | High |
| 19 | Argument | xxx_xx | predictive | Low |
| 20 | Argument | xxxxxxxx | predictive | Medium |
| 21 | Argument | xxxxxxxxxxx | predictive | Medium |
| 22 | Argument | xx | predictive | Low |
| 23 | Argument | xxxxxxx | predictive | Low |
| 24 | Argument | xxxxx | predictive | Low |
| 25 | Argument | xxx | predictive | Low |
| 26 | Argument | xxxxxxx | predictive | Low |
| 27 | Input Value | .%xx.../.%xx.../ | predictive | High |

References (2)

The following list contains external sources which discuss the actor and the associated activities:
