WindShift Analysis

IOB - Indicator of Behavior (83)

Charts (not reproduced in this extraction): Timeline, Campaign, Actors, Activities, Interest, Type, Vendor

Language of the IOBs (count): en 76, pt 6, pl 2

Products targeted (IOB count): Microsoft IIS 4, Phusion Passenger 4, Apache Tomcat 4, Linux Kernel 4, Boa Webserver 2

Vulnerabilities

Columns: Base and Temp are the CVSS base and temporal scores; 0day and Today are the estimated exploit price ranges at disclosure and now; Exploit is the exploit maturity; Countermeasure is the remediation status; EPSS is the EPSS probability; CTI is the observed CTI activity level.

# | Vulnerability | Base | Temp | 0day | Today | Exploit | Countermeasure | EPSS | CTI | CVE
1 | Cisco SD-WAN CLI privilege escalation | 8.1 | 8.0 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00044 | 0.00 | CVE-2022-20818
2 | Cisco IOS XE Self-Healing privilege escalation | 7.3 | 7.2 | $25k-$100k | $0-$5k | Not Defined | Official Fix | 0.00042 | 0.06 | CVE-2022-20855
3 | Apple iOS ImageIO denial of service | 6.4 | 6.3 | $25k-$100k | $0-$5k | Not Defined | Official Fix | 0.03533 | 0.00 | CVE-2016-1811
4 | Acme Mini HTTPd Terminal privilege escalation | 5.3 | 5.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00303 | 0.04 | CVE-2009-4490
5 | Cisco SD-WAN CLI privilege escalation | 8.1 | 8.0 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00042 | 0.00 | CVE-2022-20775
6 | Apple iOS CommonCrypto information disclosure | 5.4 | 5.3 | $25k-$100k | $0-$5k | Not Defined | Official Fix | 0.00181 | 0.00 | CVE-2016-1802
7 | Microsoft IIS cross site scripting | 5.2 | 4.7 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.00548 | 0.17 | CVE-2017-0055
8 | Microsoft Word wwlib remote code execution | 8.0 | 7.1 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.45352 | 0.00 | CVE-2023-21716
9 | Linux Kernel TPM Device buffer overflow | 7.6 | 7.5 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00042 | 0.00 | CVE-2022-2977
10 | D-Link Go-RT-AC750 gena.php privilege escalation | 7.6 | 7.6 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.00121 | 0.03 | CVE-2022-36523
11 | Multivendor Marketplace Solution for WooCommerce Order Status cross site request forgery | 4.3 | 4.2 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00053 | 0.00 | CVE-2022-2657
12 | taviso Lotus 1-2-3 Worksheet process_fmt buffer overflow | 7.0 | 6.9 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00068 | 0.00 | CVE-2022-39843
13 | image-tiler privilege escalation | 8.5 | 8.4 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00194 | 0.00 | CVE-2020-28451
14 | Apple macOS Kernel information disclosure | 3.3 | 3.2 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00062 | 0.00 | CVE-2022-32817
15 | Irfan Skiljan IrfanView ShowPlugInSaveOptions_W buffer overflow | 5.9 | 5.9 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00057 | 0.00 | CVE-2020-23561
16 | Microsoft Windows Defender Credential Guard privilege escalation | 8.3 | 7.3 | $25k-$100k | $5k-$25k | Unproven | Official Fix | 0.00043 | 0.00 | CVE-2022-34711
17 | Microsoft Windows Kerberos privilege escalation | 8.8 | 8.1 | $25k-$100k | $5k-$25k | Unproven | Official Fix | 0.00121 | 0.00 | CVE-2022-30165
18 | Microsoft Windows Kerberos AppContainer privilege escalation | 8.9 | 8.1 | $25k-$100k | $5k-$25k | Unproven | Official Fix | 0.00043 | 0.00 | CVE-2022-30164
19 | Microsoft Windows Network File System remote code execution | 9.8 | 8.9 | $25k-$100k | $5k-$25k | Unproven | Official Fix | 0.88909 | 0.04 | CVE-2022-30136
20 | VMware Workspace ONE Access weak authentication | 9.8 | 9.1 | $25k-$100k | $0-$5k | Functional | Official Fix | 0.58483 | 0.00 | CVE-2022-22972

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • WindShift

IOC - Indicator of Compromise (7)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (12)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Vulnerabilities (CWE) | Access Vector | Type | Confidence
1 | T1006 | CWE-22, CWE-25 | Path Traversal | predictive | High
2 | T1055 | CWE-74 | Improper Neutralization of Data within XPath Expressions | predictive | High
3 | T1059 | CWE-94 | Argument Injection | predictive | High
4 | TXXXX.XXX | CWE-XXX | Xxxxx Xxxx Xxxxxxxxx | predictive | High
5 | TXXXX | CWE-XXX, CWE-XXX, CWE-XXX | Xxxxxxxxx Xxxx Xxxxxxxxxxx Xxxxxxxxxx | predictive | High
6 | TXXXX.XXX | CWE-XXX | Xxxx-xxxxx Xxxxxxxxxxx | predictive | High
7 | TXXXX | CWE-XX | Xxxxxxx Xxxxx Xx Xxxxxxxxxx Xxxxxxxxxx Xxxxxxxxx | predictive | High
8 | TXXXX | CWE-XX, CWE-XX | Xxx Xxxxxxxxx | predictive | High
9 | TXXXX | CWE-XXX | Xxxxxxx Xxxxxxxxxx Xx Xxx-xxxxxxxxx | predictive | High
10 | TXXXX.XXX | CWE-XXX | Xxxxxxxx Xxxxxx Xxxx | predictive | High
11 | TXXXX | CWE-XXX, CWE-XXX | Xxxxxxxxxx Xx Xxxxxxx Xxxxx Xxxxxxx Xxxxxxxxx Xxxxxxxxxxx | predictive | High
12 | TXXXX.XXX | CWE-XXX | Xxxxxxxxxx Xxxxxxxxxxxxxx Xx Xxxxxxxx Xxxx Xxxxxxxxx | predictive | High

IOA - Indicator of Attack (27)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1 | File | .procmailrc | predictive | Medium
2 | File | /cgi-bin/wapopen | predictive | High
3 | File | /htdocs/upnpinc/gena.php | predictive | High
4 | File | /it-IT/splunkd/__raw/services/get_snapshot | predictive | High
5 | File | /xxxxxxx/xxxxx/xxxxx.xxx | predictive | High
6 | File | /xxxxxxx/ | predictive | Medium
7 | File | xxxxx/xxxx/xxxxxxxxxxx/xxxxxxx.x | predictive | High
8 | File | xxxx/xxxxxxxxxxxx.xxx | predictive | High
9 | File | xxxxxxxx.xxx | predictive | Medium
10 | File | xxx.xxx?xxx=xxxxx_xxxx | predictive | High
11 | File | xxxxxxxxxxxxxx/xxxxxxx.xxx | predictive | High
12 | File | xxxxxxxx.xxx | predictive | Medium
13 | File | xx-xxxxxxxxxxx.xxx | predictive | High
14 | File | ~/xx-xxxxxxxx.xxx | predictive | High
15 | Argument | $_xxxxxx['xxx_xxxx'] | predictive | High
16 | Argument | --xxxx=xxx | predictive | Medium
17 | Argument | xxxxxxxx | predictive | Medium
18 | Argument | xxx | predictive | Low
19 | Argument | xxxxxxxxxx | predictive | Medium
20 | Argument | xxxxxxxx | predictive | Medium
21 | Argument | xxxxx | predictive | Low
22 | Argument | xxxxxx_xx | predictive | Medium
23 | Argument | xxxx_xxxx | predictive | Medium
24 | Argument | xxx | predictive | Low
25 | Argument | xxx | predictive | Low
26 | Argument | xxxxxxxx/xxxx | predictive | High
27 | Input Value | ../.. | predictive | Low
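The File and Input Value indicators above are request fragments, so the practical use is to match them against HTTP access logs. The following is an added example written for this page, not VulDB's own tooling: it takes the non-redacted indicators (File rows 1 to 4 and the `../..` input value of row 27), percent-decodes each request target twice so that encoded and double-encoded traversal is still caught, and reports which indicators each line hit. The Common Log Format and the sample log lines are assumptions constructed for the example; real traffic from WindShift would need the full, unredacted indicator set.

```python
"""Match the IOA fragments above against web-server access-log lines.

Added example, not code from the VulDB page. The indicator strings are the
non-redacted rows of the IOA table (files 1-4 and input value 27); the log
lines are constructed for the example and the Common Log Format is assumed.
"""
import re
from urllib.parse import unquote

# File-class indicators copied from IOA rows 1-4.
IOA_FILES = [
    ".procmailrc",
    "/cgi-bin/wapopen",
    "/htdocs/upnpinc/gena.php",
    "/it-IT/splunkd/__raw/services/get_snapshot",
]
# Input-value indicator from IOA row 27 (directory traversal fragment).
IOA_INPUT_VALUES = ["../.."]

# Common Log Format (assumed): host ident user [timestamp] "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def normalise_target(target: str) -> str:
    """Percent-decode twice (double encoding is the usual traversal filter
    bypass) and fold backslashes so '..\\..' is treated like '../..'."""
    return unquote(unquote(target)).replace("\\", "/")


def match_ioa(line: str) -> list[tuple[str, str]]:
    """Return (class, indicator) pairs contained in the request target of one
    log line, or [] when the line is clean or does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return []
    target = normalise_target(m.group("target"))
    hits = [("File", f) for f in IOA_FILES if f in target]
    hits += [("Input Value", v) for v in IOA_INPUT_VALUES if v in target]
    return hits


def scan(lines: list[str]) -> list[tuple[str, str, list[tuple[str, str]]]]:
    """Return (host, raw target, hits) for every line with at least one hit."""
    alerts = []
    for line in lines:
        hits = match_ioa(line)
        if hits:
            m = LOG_RE.match(line)
            alerts.append((m.group("host"), m.group("target"), hits))
    return alerts


# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /htdocs/upnpinc/gena.php?service=../../etc/passwd HTTP/1.1" 404 0',
    '198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /cgi-bin/wapopen?B=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1024',
    '198.51.100.9 - - [10/Oct/2023:13:56:05 +0000] "GET /it-IT/splunkd/__raw/services/get_snapshot HTTP/1.1" 403 0',
    '192.0.2.4 - - [10/Oct/2023:13:57:00 +0000] "GET /static/..%252f..%252fetc/passwd HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    for host, target, hits in scan(SAMPLE_LOG):
        print(f"{host} {target} -> {hits}")
```

Substring matching on the decoded target is deliberately loose: the splunkd and gena.php paths are specific enough to be low-noise, while `../..` on its own (confidence Low in the table) will fire on any traversal probe and is better treated as a triage signal than an attribution to this actor.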

References (3)

The following list contains external sources which discuss the actor and the associated activities:
