UAC-0057 Analysis

IOB - Indicator of Behavior (49)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

  • en (28)
  • ru (14)
  • zh (6)
  • it (2)

Country

Actors

Activities

Interest

Timeline

Type

Vendor

Product

  • Microsoft Exchange Server (4)
  • TSplus Remote Access (4)
  • SourceCodester Microfinance Management System (2)
  • Ubuntu maas (2)
  • Apache CXF (2)

Vulnerabilities

| # | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE |
|---|---------------|------|------|------|-------|-----|-----|------|-----|-----|
| 1 | Adminer adminer.php server-side request forgery | 7.3 | 7.0 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.02092 | 0.05 | CVE-2021-21311 |
| 2 | School Club Application System resource injection | 6.5 | 6.2 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00201 | 0.08 | CVE-2022-1287 |
| 3 | phpMyAdmin improper authentication | 7.5 | 7.4 | $5k-$25k | $0-$5k | High | Official Fix | 0.97369 | 0.02 | CVE-2018-12613 |
| 4 | VMware Spring Cloud Function SpEL Expression code injection | 9.8 | 9.6 | $5k-$25k | $0-$5k | High | Official Fix | 0.97533 | 0.04 | CVE-2022-22963 |
| 5 | SAP Information System POST Request add_admin.php improper authentication | 7.3 | 6.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00148 | 0.06 | CVE-2022-1248 |
| 6 | Dromara HuTool Aviator Template Engine sql injection | 7.6 | 7.6 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00307 | 0.05 | CVE-2023-24163 |
| 7 | Synology CardDAV Server WebAPI sql injection | 7.8 | 7.7 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00068 | 0.05 | CVE-2022-27613 |
| 8 | SEMCMS Ant_Suxin.php sql injection | 7.6 | 7.6 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00068 | 0.00 | CVE-2023-37647 |
| 9 | SEMCMS Ant_Rponse.php sql injection | 7.6 | 7.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00089 | 0.00 | CVE-2023-31707 |
| 10 | TSplus Remote Access source code | 5.9 | 5.7 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00799 | 0.04 | CVE-2023-31069 |
| 11 | TSplus Remote Access www. permission | 7.5 | 7.3 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.01585 | 0.00 | CVE-2023-31067 |
| 12 | Microsoft Exchange Server Privilege Escalation | 8.8 | 8.1 | $25k-$100k | $5k-$25k | Unproven | Official Fix | 0.51598 | 0.05 | CVE-2023-21707 |
| 13 | Microsoft Exchange Server Privilege Escalation | 7.2 | 6.6 | $5k-$25k | $5k-$25k | Unproven | Official Fix | 0.01641 | 0.04 | CVE-2023-21710 |
| 14 | Microsoft Exchange Server excessive authentication | 9.8 | 8.9 | $25k-$100k | $5k-$25k | Unproven | Official Fix | 0.00333 | 0.06 | CVE-2023-21709 |
| 15 | Grafana Snapshot denial of service | 6.4 | 6.1 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.02415 | 0.05 | CVE-2021-27358 |
| 16 | click5 Sitemap Plugin REST Endpoint authorization | 4.3 | 4.1 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.45751 | 0.00 | CVE-2022-0952 |
| 17 | Primetek Primefaces inadequate encryption | 8.5 | 8.3 | $0-$5k | $0-$5k | High | Not Defined | 0.97013 | 0.00 | CVE-2017-1000486 |
| 18 | Plesk Obsidian Login Page injection | 5.8 | 5.7 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00174 | 0.16 | CVE-2023-24044 |
| 19 | PHP cgi_main.c input validation | 7.3 | 7.0 | $25k-$100k | $0-$5k | High | Official Fix | 0.97363 | 0.00 | CVE-2012-1823 |
| 20 | WP Statistics Plugin esc_sql sql injection | 6.3 | 6.0 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.01606 | 0.04 | CVE-2021-24340 |

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • CVE-2023-38831

IOC - Indicator of Compromise (2)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

| ID | IP address | Hostname | Actor | Campaigns | Identified | Type | Confidence |
|----|------------|----------|-------|-----------|------------|------|------------|
| 1 | 31.192.234.194 | cdn.exiro.site | UAC-0057 | CVE-2023-38831 | 03/20/2024 | verified | High |
| 2 | XX.X.XX.XXX | xxxxxxxxx.xxxxx-xxxxxxxxxx.xxxxxxxxx | Xxx-xxxx | Xxx-xxxx-xxxxx | 03/20/2024 | verified | High |

TTP - Tactics, Techniques, Procedures (10)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (29)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

| ID | Class | Indicator | Type | Confidence |
|----|-------|-----------|------|------------|
| 1 | File | %PROGRAMFILES(X86)%\TSplus\Clients\www. | predictive | High |
| 2 | File | /Ant_Suxin.php | predictive | High |
| 3 | File | /aqpg/users/login.php | predictive | High |
| 4 | File | /cwms/classes/Master.php?f=save_contact | predictive | High |
| 5 | File | /xxxx/xxx/xxxxxxxxxxxxxxxxxx.xxx | predictive | High |
| 6 | File | /xxxx/xxxxx.xxx | predictive | High |
| 7 | File | /xxx_xxxxxx/xxxxxxxxxxxx.xxx | predictive | High |
| 8 | File | /xxx_xxxxxxxxxxx_xxxxxx/xxxxxxxxxxx/xxx_xxxxx.xxx | predictive | High |
| 9 | File | /xxxx/xxxxxxx/xxxxx.xxx?x=xxxx_xxxx | predictive | High |
| 10 | File | /xxxxxxxx | predictive | Medium |
| 11 | File | xxxxx.xxx | predictive | Medium |
| 12 | File | xxxxxxx.xxx | predictive | Medium |
| 13 | File | xxx_xxxxxx.xxx | predictive | High |
| 14 | File | xxxx/xxx/xxx/xxxxxxx.x | predictive | High |
| 15 | File | xxxxxxxxxx.xxx | predictive | High |
| 16 | File | xxxx/xxx/xxx_xxxx.x | predictive | High |
| 17 | File | xxxxx.xxx | predictive | Medium |
| 18 | Argument | $_xxxxxx['xxxxx_xxxxxx'] | predictive | High |
| 19 | Argument | xxxxx xxxx/xxxxxx xxxx/xxxx xxxx | predictive | High |
| 20 | Argument | xxxxx_xxxx | predictive | Medium |
| 21 | Argument | xxxxx_xxxx/xxxxxx_xxxx/xxxxxxx | predictive | High |
| 22 | Argument | xxxxx_xx | predictive | Medium |
| 23 | Argument | xxxx | predictive | Low |
| 24 | Argument | xx | predictive | Low |
| 25 | Argument | xxxxxxx | predictive | Low |
| 26 | Argument | xxxxxxxx/xxxxxxxx | predictive | High |
| 27 | Input Value | '||x=x# | predictive | Low |
| 28 | Input Value | -x | predictive | Low |
| 29 | Network Port | xxx/xx (xxx xxxxxxxx) | predictive | High |

References (2)

The following list contains external sources which discuss the actor and the associated activities: