Winter Vivern Analysis

IOB - Indicator of Behavior (131)

Lang

en: 86
de: 10
ar: 6
pt: 6
es: 4


Activities

Product

Microsoft Windows: 8
Linux Kernel: 4
WordPress: 4
binutils: 2
FatPipe WARP: 2

Vulnerabilities

# | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | CTI | EPSS | CVE
1 | Vmware Workspace ONE Access/Identity Manager Template injection | 9.8 | 8.8 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.07 | 0.97532 | CVE-2022-22954
2 | binutils Table elf.c _bfd_elf_slurp_version_tables heap-based overflow | 5.5 | 5.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.04 | 0.00046 | CVE-2023-1972
3 | Looknet FineShop index.php cross site scripting | 4.3 | 4.1 | $0-$5k | $0-$5k | Proof-of-Concept | Unavailable | 0.02 | 0.00587 | CVE-2006-3235
4 | woocommerce-gutenberg-products-block sql injection | 7.3 | 7.0 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.08 | 0.09420 | CVE-2021-32789
5 | Microsoft Windows access control | 5.7 | 5.5 | $25k-$100k | $0-$5k | Not Defined | Official Fix | 0.01 | 0.00083 | CVE-2019-1074
6 | FluentForm Plugin sql injection | 4.7 | 4.6 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.04 | 0.00000 | CVE-2023-24410
7 | wkhtmltopdf HTML File pathname traversal | 5.9 | 5.9 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.06 | 0.00394 | CVE-2020-21365
8 | vldPersonals index.php cross site scripting | 4.3 | 3.9 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.04 | 0.00155 | CVE-2014-9004
9 | SunHater KCFinder upload.php cross site scripting | 5.7 | 5.7 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.11 | 0.00131 | CVE-2019-14315
10 | microweber unknown vulnerability | 6.0 | 5.9 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.00049 | CVE-2023-2239
11 | NVIDIA GPU Display Driver Kernel Mode Layer untrusted pointer dereference | 8.1 | 8.1 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.07 | 0.00043 | CVE-2023-0184
12 | SourceCodester Automatic Question Paper Generator System sql injection | 7.5 | 7.3 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.04 | 0.00090 | CVE-2023-1591
13 | Qualcomm WCD9330 Modem information disclosure | 6.4 | 6.3 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.04 | 0.00074 | CVE-2022-25737
14 | SourceCodester Alphaware Simple E-Commerce System edit_customer.php sql injection | 7.0 | 6.8 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00 | 0.00100 | CVE-2023-1502
15 | WPML Multilingual CMS Premium Plugin cross-site request forgery | 4.3 | 4.2 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.05 | 0.00046 | CVE-2022-45072
16 | WP Rocket Plugin path traversal | 6.4 | 6.4 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.07 | 0.00154 | CVE-2017-11658
17 | Microsoft SharePoint Server Remote Code Execution | 4.1 | 3.6 | $5k-$25k | $0-$5k | Unproven | Official Fix | 0.03 | 0.00063 | CVE-2023-23395
18 | WP Meta SEO Plugin Sitemap regenerateSitemaps authorization | 4.3 | 4.2 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.07 | 0.00051 | CVE-2023-1024
19 | Microsoft PowerShell Core Windows Defender Application Control 7pk security | 4.0 | 3.8 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.03 | 0.00043 | CVE-2019-1167
20 | Erlang OTP Client Authentication improper authentication | 8.0 | 7.9 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.00079 | CVE-2022-37026

IOC - Indicator of Compromise (8)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (15)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (62)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1 | File | /admin/scripts/pi-hole/phpqueryads.php | predictive | High
2 | File | /etc/gsissh/sshd_config | predictive | High
3 | File | /goform/WifiBasicSet | predictive | High
4 | File | /login/index.php | predictive | High
5 | File | /out.php | predictive | Medium
6 | File | /spip.php | predictive | Medium
7 | File | /web/IndexController.java | predictive | High
8 | File | /youthappam/editcategory.php | predictive | High
9 | File | xxxxx.xxxx | predictive | Medium
10 | File | xxxxx.xxx?x=xxxxxx&x=xxxxxx&x=xxxxxx | predictive | High
11 | File | xxxxx/xxx/xxxxxxxxxxxx | predictive | High
12 | File | xxx/xxxxxxx.x | predictive | High
13 | File | xxxxxxxxxxxx.xxx | predictive | High
14 | File | xxx/xxx.x | predictive | Medium
15 | File | xxxxxx.x | predictive | Medium
16 | File | xxxxxxx/xxxxx.xxx?x=xxxx_xxxxx | predictive | High
17 | File | xxxxxx.xxx | predictive | Medium
18 | File | xxxxxxxx.x | predictive | Medium
19 | File | xxxxxxxx/xxxx_xxxxxxxx.xxx | predictive | High
20 | File | xxxxxxxxxxxxxx.xxx | predictive | High
21 | File | xxxxxxxxxx/xxxxxxxxxx/xxxxxxxxx.xxx | predictive | High
22 | File | xxxxx.xxx | predictive | Medium
23 | File | xxxxx.xxx?xxxxxx=xxxxxxxxx_xxxxxxxxx/xxxxx | predictive | High
24 | File | xxxxxxxxx.x | predictive | Medium
25 | File | xxxxxxxx.xxx | predictive | Medium
26 | File | xxx/xxxxxxxxx/xxxxx_xxxx.x | predictive | High
27 | File | xxxx/xxxxx/xxxxxxx/xxxxxxxx.xx | predictive | High
28 | File | xxxxxxx/xxxxx.xxxx.xxx | predictive | High
29 | File | xxxxxxxx/xxxxxxx/xxxxxxx.xxxxxxxxxxxxxxxxxxxxx.xxx | predictive | High
30 | File | x/xxxxx.xxx | predictive | Medium
31 | File | xxxxxx-xxxxxx.xxx | predictive | High
32 | File | xxxx-xxxxxxxx.xxx | predictive | High
33 | File | xxxxxx.xxx | predictive | Medium
34 | File | xxxx/xxxxxx.xxxx | predictive | High
35 | File | xxxxx/xxxxx.xxx?xxxxxx=xxxxx | predictive | High
36 | File | xx/xxxxx/xxxxxxxx/xxxxxxxxxx-xxxx?xxxxxxxxx_xxxxxxxxx_xxxxxx[][xxxxxxxx] | predictive | High
37 | File | xxxx.xx | predictive | Low
38 | Argument | $x_xxxxxx[xxxxxxxx] | predictive | High
39 | Argument | xxxxxx | predictive | Low
40 | Argument | xxxxx | predictive | Low
41 | Argument | xxxxxxxxxxxxxxx | predictive | High
42 | Argument | xxxxxxxx | predictive | Medium
43 | Argument | xxxxxxxxx/xx/xxxxxxxx | predictive | High
44 | Argument | x_xxx | predictive | Low
45 | Argument | xx | predictive | Low
46 | Argument | xx | predictive | Low
47 | Argument | xx/xxxxx | predictive | Medium
48 | Argument | xx_xxxxx | predictive | Medium
49 | Argument | xxx | predictive | Low
50 | Argument | xxxx | predictive | Low
51 | Argument | xxxxxxxx | predictive | Medium
52 | Argument | xxxxxxxx_xxx | predictive | Medium
53 | Argument | xxxxxxxx_xx | predictive | Medium
54 | Argument | xxxx/xxxxxx/xxxxxxx/xxxxxxxxxx | predictive | High
55 | Argument | xxxxxxx[] | predictive | Medium
56 | Argument | xxxxx | predictive | Low
57 | Argument | xxxxxxx | predictive | Low
58 | Argument | x-xxxx-xxxxx | predictive | Medium
59 | Input Value | .%xx.../.%xx.../ | predictive | High
60 | Input Value | x' xxxxx xxxxx(x) xxx 'xxxx'='xxxx | predictive | High
61 | Pattern | x|xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx|x | predictive | High
62 | Network Port | xxx/xxxxx | predictive | Medium

References (4)

The following list contains external sources which discuss the actor and the associated activities: