WindShift Analysis

IOB - Indicator of Behavior (83)

Languages: en (80), zh (2), pt (2)

Products: Apple iOS (4), Microsoft Windows (4), OAID Tengine (2), Google Chrome (2), taviso Lotus 1-2-3 (2)

Vulnerabilities

| # | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Cisco SD-WAN CLI Privilege Escalation | 8.1 | 8.0 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00044 | 0.00 | CVE-2022-20818 |
| 2 | Cisco IOS XE Self-Healing Privilege Escalation | 7.3 | 7.2 | $25k-$100k | $0-$5k | Not Defined | Official Fix | 0.00042 | 0.06 | CVE-2022-20855 |
| 3 | Apple iOS ImageIO Denial of Service | 6.4 | 6.3 | $25k-$100k | $0-$5k | Not Defined | Official Fix | 0.03533 | 0.00 | CVE-2016-1811 |
| 4 | Acme Mini HTTPd Terminal Privilege Escalation | 5.3 | 5.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00303 | 0.04 | CVE-2009-4490 |
| 5 | Cisco SD-WAN CLI Privilege Escalation | 8.1 | 8.0 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00042 | 0.00 | CVE-2022-20775 |
| 6 | Apple iOS CommonCrypto Information Disclosure | 5.4 | 5.3 | $25k-$100k | $0-$5k | Not Defined | Official Fix | 0.00181 | 0.00 | CVE-2016-1802 |
| 7 | Microsoft IIS Cross Site Scripting | 5.2 | 4.7 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.00548 | 0.06 | CVE-2017-0055 |
| 8 | Microsoft Word wwlib Remote Code Execution | 8.0 | 7.1 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.45352 | 0.00 | CVE-2023-21716 |
| 9 | Linux Kernel TPM Device Memory Corruption | 7.6 | 7.5 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00042 | 0.00 | CVE-2022-2977 |
| 10 | D-Link Go-RT-AC750 gena.php Privilege Escalation | 7.6 | 7.6 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.00121 | 0.03 | CVE-2022-36523 |
| 11 | Multivendor Marketplace Solution for WooCommerce Order Status Cross Site Request Forgery | 4.3 | 4.2 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00053 | 0.00 | CVE-2022-2657 |
| 12 | taviso Lotus 1-2-3 Worksheet process_fmt Memory Corruption | 7.0 | 6.9 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00068 | 0.00 | CVE-2022-39843 |
| 13 | image-tiler Privilege Escalation | 8.5 | 8.4 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00194 | 0.00 | CVE-2020-28451 |
| 14 | Apple macOS Kernel Information Disclosure | 3.3 | 3.2 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00062 | 0.00 | CVE-2022-32817 |
| 15 | Irfan Skiljan IrfanView ShowPlugInSaveOptions_W Memory Corruption | 5.9 | 5.9 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00057 | 0.00 | CVE-2020-23561 |
| 16 | Microsoft Windows Defender Credential Guard Privilege Escalation | 8.3 | 7.3 | $25k-$100k | $5k-$25k | Unproven | Official Fix | 0.00043 | 0.00 | CVE-2022-34711 |
| 17 | Microsoft Windows Kerberos Privilege Escalation | 8.8 | 8.1 | $25k-$100k | $5k-$25k | Unproven | Official Fix | 0.00121 | 0.00 | CVE-2022-30165 |
| 18 | Microsoft Windows Kerberos AppContainer Privilege Escalation | 8.9 | 8.1 | $25k-$100k | $5k-$25k | Unproven | Official Fix | 0.00043 | 0.00 | CVE-2022-30164 |
| 19 | Microsoft Windows Network File System Remote Code Execution | 9.8 | 8.9 | $25k-$100k | $5k-$25k | Unproven | Official Fix | 0.88909 | 0.05 | CVE-2022-30136 |
| 20 | VMware Workspace ONE Access Weak Authentication | 9.8 | 9.1 | $25k-$100k | $0-$5k | Functional | Official Fix | 0.58483 | 0.00 | CVE-2022-22972 |

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • WindShift

IOC - Indicator of Compromise (7)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (12)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (27)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

| ID | Class | Indicator | Type | Confidence |
|---|---|---|---|---|
| 1 | File | .procmailrc | predictive | |
| 2 | File | /cgi-bin/wapopen | predictive | |
| 3 | File | /htdocs/upnpinc/gena.php | predictive | |
| 4 | File | /it-IT/splunkd/__raw/services/get_snapshot | predictive | |
| 5 | File | /xxxxxxx/xxxxx/xxxxx.xxx | predictive | |
| 6 | File | /xxxxxxx/ | predictive | |
| 7 | File | xxxxx/xxxx/xxxxxxxxxxx/xxxxxxx.x | predictive | |
| 8 | File | xxxx/xxxxxxxxxxxx.xxx | predictive | |
| 9 | File | xxxxxxxx.xxx | predictive | |
| 10 | File | xxx.xxx?xxx=xxxxx_xxxx | predictive | |
| 11 | File | xxxxxxxxxxxxxx/xxxxxxx.xxx | predictive | |
| 12 | File | xxxxxxxx.xxx | predictive | |
| 13 | File | xx-xxxxxxxxxxx.xxx | predictive | |
| 14 | File | ~/xx-xxxxxxxx.xxx | predictive | |
| 15 | Argument | $_xxxxxx['xxx_xxxx'] | predictive | |
| 16 | Argument | --xxxx=xxx | predictive | |
| 17 | Argument | xxxxxxxx | predictive | |
| 18 | Argument | xxx | predictive | |
| 19 | Argument | xxxxxxxxxx | predictive | |
| 20 | Argument | xxxxxxxx | predictive | |
| 21 | Argument | xxxxx | predictive | |
| 22 | Argument | xxxxxx_xx | predictive | |
| 23 | Argument | xxxx_xxxx | predictive | |
| 24 | Argument | xxx | predictive | |
| 25 | Argument | xxx | predictive | |
| 26 | Argument | xxxxxxxx/xxxx | predictive | |
| 27 | Input Value | ../.. | predictive | |

References (3)

The following list contains external sources which discuss the actor and the associated activities:
