WindShift Analysis

💳 Purchase Required

You need to purchase an additional CTI license to see detailed indicators.

IOB - Indicator of Behavior (83)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en74
pt6
pl2
zh2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Country

us48
tr6
ch2
nl2
ru2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Actors

RedLine Stealer3
Mirai3
BitRAT3
AsyncRAT3
Nanocore RAT3

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Activities

Interest

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Type

Not Defined22
Operating System12
Web Server6
Application Server Software4
Network Encryption Software2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vendor

Not Defined24
Microsoft12
Apache6
Cisco4
Apple4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Product

Microsoft Windows8
Apache Tomcat4
Ivanti Pulse Connect Secure2
Google Chrome2
Cisco IOS XE2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vulnerabilities

#VulnerabilityBaseTemp0dayTodayExpRemCTIEPSSCVE
1Cisco SD-WAN CLI path traversal8.18.0$5k-$25k$0-$5kNot DefinedOfficial Fix0.000.00044CVE-2022-20818
2Cisco IOS XE Self-Healing privileges assignment7.37.2$25k-$100k$5k-$25kNot DefinedOfficial Fix0.000.00042CVE-2022-20855
3Apple iOS ImageIO null pointer dereference6.46.3$25k-$100k$0-$5kNot DefinedOfficial Fix0.000.03533CVE-2016-1811
4Acme Mini HTTPd Terminal input validation5.35.3$0-$5k$0-$5kNot DefinedNot Defined0.040.00303CVE-2009-4490
5Cisco SD-WAN CLI path traversal8.18.0$5k-$25k$0-$5kNot DefinedOfficial Fix0.000.00042CVE-2022-20775
6Apple iOS CommonCrypto information disclosure5.45.3$25k-$100k$0-$5kNot DefinedOfficial Fix0.000.00181CVE-2016-1802
7Microsoft IIS cross site scripting5.24.7$5k-$25k$0-$5kProof-of-ConceptOfficial Fix0.030.00548CVE-2017-0055
8Microsoft Word wwlib Remote Code Execution8.07.1$5k-$25k$0-$5kProof-of-ConceptOfficial Fix0.000.45352CVE-2023-21716
9Linux Kernel TPM Device use after free7.67.5$5k-$25k$0-$5kNot DefinedOfficial Fix0.000.00042CVE-2022-2977
10D-Link Go-RT-AC750 gena.php command injection7.67.6$5k-$25k$5k-$25kNot DefinedNot Defined0.030.00121CVE-2022-36523
11Multivendor Marketplace Solution for WooCommerce Order Status cross-site request forgery4.34.2$0-$5kCalculatingNot DefinedOfficial Fix0.000.00053CVE-2022-2657
12taviso Lotus 1-2-3 Worksheet process_fmt stack-based overflow7.06.9$0-$5k$0-$5kNot DefinedOfficial Fix0.000.00068CVE-2022-39843
13image-tiler command injection8.58.4$0-$5k$0-$5kNot DefinedOfficial Fix0.000.00194CVE-2020-28451
14Apple macOS Kernel out-of-bounds3.33.2$0-$5k$0-$5kNot DefinedOfficial Fix0.000.00062CVE-2022-32817
15Irfan Skiljan IrfanView ShowPlugInSaveOptions_W memory corruption5.95.9$0-$5k$0-$5kNot DefinedNot Defined0.000.00057CVE-2020-23561
16Microsoft Windows Defender Credential Guard Privilege Escalation8.37.3$25k-$100k$5k-$25kUnprovenOfficial Fix0.000.00043CVE-2022-34711
17Microsoft Windows Kerberos Privilege Escalation8.88.1$25k-$100k$5k-$25kUnprovenOfficial Fix0.000.00121CVE-2022-30165
18Microsoft Windows Kerberos AppContainer Privilege Escalation8.98.1$25k-$100k$5k-$25kUnprovenOfficial Fix0.000.00043CVE-2022-30164
19Microsoft Windows Network File System Remote Code Execution9.88.9$25k-$100k$5k-$25kUnprovenOfficial Fix0.050.88909CVE-2022-30136
20Vmware Workspace ONE Access improper authentication9.89.1$25k-$100k$0-$5kFunctionalOfficial Fix0.000.58483CVE-2022-22972

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • WindShift

IOC - Indicator of Compromise (7)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

IDIP addressHostnameActorCampaignsIdentifiedTypeConfidence
137.46.150.102HangoverWindShift08/29/2021verifiedHigh
245.133.1.133HangoverWindShift08/29/2021verifiedHigh
3XXX.XXX.XX.XXXxxx.xxxxxxxxxxx.xxx.xxXxxxxxxxXxxxxxxxx08/29/2021verifiedHigh
4XXX.XXX.XX.XXXxxxx.xx.xxxxxxxxxx.xxxXxxxxxxxXxxxxxxxx08/29/2021verifiedHigh
5XXX.XX.XX.XXXxxxx-xxxxx.xxxxxxx.xxxxXxxxxxxxxXxxxxxxxx12/22/2020verifiedHigh
6XXX.XXX.XXX.XXxxx-xxxx.xxxxx--xxxxxxx.xxxXxxxxxxxXxxxxxxxx08/29/2021verifiedHigh
7XXX.XXX.XX.XXXXxxxxxxxXxxxxxxxx08/29/2021verifiedHigh

TTP - Tactics, Techniques, Procedures (12)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IDTechniqueVulnerabilitiesAccess VectorTypeConfidence
1T1006CWE-22, CWE-25Path TraversalpredictiveHigh
2T1055CWE-74Improper Neutralization of Data within XPath ExpressionspredictiveHigh
3T1059CWE-94Argument InjectionpredictiveHigh
4TXXXX.XXXCWE-XXXxxxx Xxxx XxxxxxxxxpredictiveHigh
5TXXXXCWE-XXX, CWE-XXX, CWE-XXXXxxxxxxxx Xxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
6TXXXX.XXXCWE-XXXXxxx-xxxxx XxxxxxxxxxxpredictiveHigh
7TXXXXCWE-XXXxxxxxx Xxxxx Xx Xxxxxxxxxx Xxxxxxxxxx XxxxxxxxxpredictiveHigh
8TXXXXCWE-XX, CWE-XXXxx XxxxxxxxxpredictiveHigh
9TXXXXCWE-XXXXxxxxxx Xxxxxxxxxx Xx Xxx-xxxxxxxxpredictiveHigh
10TXXXX.XXXCWE-XXXXxxxxxxx Xxxxxx XxxxpredictiveHigh
11TXXXXCWE-XXX, CWE-XXXXxxxxxxxxx Xx Xxxxxxx Xxxxx Xxxxxxx Xxxxxxxxx XxxxxxxxxxxpredictiveHigh
12TXXXX.XXXCWE-XXXXxxxxxxxxx Xxxxxxxxxxxxxx Xx Xxxxxxxx Xxxx XxxxxxxxxpredictiveHigh

IOA - Indicator of Attack (27)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

IDClassIndicatorTypeConfidence
1File.procmailrcpredictiveMedium
2File/cgi-bin/wapopenpredictiveHigh
3File/htdocs/upnpinc/gena.phppredictiveHigh
4File/it-IT/splunkd/__raw/services/get_snapshotpredictiveHigh
5File/xxxxxxx/xxxxx/xxxxx.xxxpredictiveHigh
6File/xxxxxxx/predictiveMedium
7Filexxxxx/xxxx/xxxxxxxxxxx/xxxxxxx.xpredictiveHigh
8Filexxxx/xxxxxxxxxxxx.xxxpredictiveHigh
9Filexxxxxxxx.xxxpredictiveMedium
10Filexxx.xxx?xxx=xxxxx_xxxxpredictiveHigh
11Filexxxxxxxxxxxxxx/xxxxxxx.xxxpredictiveHigh
12Filexxxxxxxx.xxxpredictiveMedium
13Filexx-xxxxxxxxxxx.xxxpredictiveHigh
14File~/xx-xxxxxxxx.xxxpredictiveHigh
15Argument$_xxxxxx['xxx_xxxx']predictiveHigh
16Argument--xxxx=xxxpredictiveMedium
17ArgumentxxxxxxxxpredictiveMedium
18ArgumentxxxpredictiveLow
19ArgumentxxxxxxxxxxpredictiveMedium
20ArgumentxxxxxxxxpredictiveMedium
21ArgumentxxxxxpredictiveLow
22Argumentxxxxxx_xxpredictiveMedium
23Argumentxxxx_xxxxpredictiveMedium
24ArgumentxxxpredictiveLow
25ArgumentxxxpredictiveLow
26Argumentxxxxxxxx/xxxxpredictiveHigh
27Input Value../..predictiveLow

References (3)

The following list contains external sources which discuss the actor and the associated activities:

PreviousOverviewNext

Do you need the next level of professionalism?

Upgrade your account now!