Winter Vivern Analysis

IOB - Indicator of Behavior (148)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en: 102
de: 12
ru: 8
ja: 6
es: 4


Country

us: 64
il: 12
ru: 10
de: 8
ar: 4


Actors


Activities

Interest

Timeline


Type


Vendor


Product

Microsoft Windows: 12
nginx: 4
Looknet FineShop: 4
YusASP Web Asset Manager: 2
OpenSSH: 2


Vulnerabilities

# | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE
1 | VMware Workspace ONE Access/Identity Manager Template injection | 9.8 | 9.4 | $5k-$25k | $0-$5k | High | Official Fix | 0.97449 | 0.00 | CVE-2022-22954
2 | nginx request smuggling | 6.9 | 6.9 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00241 | 2.62 | CVE-2020-12440
3 | binutils Table elf.c _bfd_elf_slurp_version_tables heap-based overflow | 5.5 | 5.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00048 | 0.00 | CVE-2023-1972
4 | Looknet FineShop index.php cross site scripting | 4.3 | 4.1 | $0-$5k | $0-$5k | Proof-of-Concept | Unavailable | 0.00587 | 0.00 | CVE-2006-3235
5 | woocommerce-gutenberg-products-block sql injection | 7.3 | 7.0 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.09768 | 0.00 | CVE-2021-32789
6 | Microsoft Windows access control | 5.7 | 5.6 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00083 | 0.02 | CVE-2019-1074
7 | BTCPay Server Payment Button Privilege Escalation | 6.5 | 6.2 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00166 | 0.02 | CVE-2021-29249
8 | BTCPay Server POS Add Products cross site scripting | 3.5 | 3.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00054 | 0.02 | CVE-2021-29250
9 | MikroTik RouterOS SMB memory corruption | 8.5 | 8.4 | $0-$5k | $0-$5k | High | Official Fix | 0.88065 | 0.00 | CVE-2018-7445
10 | cPanel cpsrvd cross site scripting | 5.0 | 4.9 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00345 | 0.03 | CVE-2023-29489
11 | Next.js _error.js redirect | 5.0 | 4.8 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00066 | 0.05 | CVE-2021-37699
12 | OpenBSD OpenSSH PKCS 11 unquoted search path | 7.4 | 7.1 | $5k-$25k | $5k-$25k | Proof-of-Concept | Official Fix | 0.02999 | 0.03 | CVE-2023-38408
13 | Aquifer CMS index.asp cross site scripting | 4.3 | 4.1 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00414 | 0.00 | CVE-2006-0122
14 | Netsweeper index.php improper authentication | 7.5 | 7.3 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.07788 | 0.00 | CVE-2014-9611
15 | Basti2web Book Panel books.php sql injection | 7.3 | 7.0 | $0-$5k | $0-$5k | High | Official Fix | 0.00064 | 0.05 | CVE-2009-4889
16 | SourceCodester Online Clothing Store offer.php cross site scripting | 4.8 | 4.8 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00220 | 0.00 | CVE-2020-28139
17 | Apache HTTP Server mod_proxy request smuggling | 7.4 | 7.3 | $5k-$25k | $5k-$25k | Not Defined | Official Fix | 0.00739 | 0.10 | CVE-2023-25690
18 | Citrix NetScaler ADC/NetScaler Gateway code injection | 9.8 | 9.6 | $25k-$100k | $5k-$25k | High | Official Fix | 0.91186 | 0.07 | CVE-2023-3519
19 | FluentForm Plugin sql injection | 4.7 | 4.6 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00076 | 0.02 | CVE-2023-24410
20 | wkhtmltopdf HTML File pathname traversal | 5.9 | 5.9 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00480 | 0.15 | CVE-2020-21365


Campaigns (1)

These are the campaigns that can be associated with the actor:

  • CVE-2023-5631

IOC - Indicator of Compromise (11)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (16)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (70)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1 | File | /admin/scripts/pi-hole/phpqueryads.php | predictive | High
2 | File | /etc/gsissh/sshd_config | predictive | High
3 | File | /goform/WifiBasicSet | predictive | High
4 | File | /login/index.php | predictive | High
5 | File | /out.php | predictive | Medium
6 | File | /spip.php | predictive | Medium
7 | File | /web/IndexController.java | predictive | High
8 | File | /youthappam/editcategory.php | predictive | High
9 | File | admin.php3 | predictive | Medium
10 | File | xxxxx.xxx?x=xxxxxx&x=xxxxxx&x=xxxxxx | predictive | High
11 | File | xxxxx/xxx/xxxxxxxxxxxx | predictive | High
12 | File | xxx/xxxxxxx.x | predictive | High
13 | File | xxxxxxxxxxxx.xxx | predictive | High
14 | File | xxx/xxx.x | predictive | Medium
15 | File | xxxxxx.x | predictive | Medium
16 | File | xxxxx.xxx | predictive | Medium
17 | File | xxxxxxx/xxxxx.xxx?x=xxxx_xxxxx | predictive | High
18 | File | xxxxxx.xxx | predictive | Medium
19 | File | xxxxxxxx.x | predictive | Medium
20 | File | xxxxxxxx/xxxx_xxxxxxxx.xxx | predictive | High
21 | File | xxxxxxxxxxxxxx.xxx | predictive | High
22 | File | xxxxxxxxxx/xxxxxxxxxx/xxxxxxxxx.xxx | predictive | High
23 | File | xxxxx.xxx | predictive | Medium
24 | File | xxxxx.xxx?xxxxxx=xxxxxxxxx_xxxxxxxxx/xxxxx | predictive | High
25 | File | xxxxxxxxx.x | predictive | Medium
26 | File | xxxxxxxx.xxx | predictive | Medium
27 | File | xxx/xxxxxxxxx/xxxxx_xxxx.x | predictive | High
28 | File | xxxx/xxxxx/xxxxxxx/xxxxxxxx.xx | predictive | High
29 | File | xxxxxxx/xxxxx.xxxx.xxx | predictive | High
30 | File | xxxxx.xxx | predictive | Medium
31 | File | xxxxx/_xxxxx.xx | predictive | High
32 | File | xxxxxx/xxxxx.xxx | predictive | High
33 | File | xxxxxxxx/xxxxxxx/xxxxxxx.xxxxxxxxxxxxxxxxxxxxx.xxx | predictive | High
34 | File | x/xxxxx.xxx | predictive | Medium
35 | File | xxxxxx-xxxxxx.xxx | predictive | High
36 | File | xxxx-xxxxxxxx.xxx | predictive | High
37 | File | xxxxxx.xxx | predictive | Medium
38 | File | xxxx/xxxxxx.xxxx | predictive | High
39 | File | xxxxx/xxxxx.xxx?xxxxxx=xxxxx | predictive | High
40 | File | xx/xxxxx/xxxxxxxx/xxxxxxxxxx-xxxx?xxxxxxxxx_xxxxxxxxx_xxxxxx[][xxxxxxxx] | predictive | High
41 | File | xxxxxxxx/xxxxx/xxxxx.xxx | predictive | High
42 | File | xxxx.xx | predictive | Low
43 | Argument | $x_xxxxxx[xxxxxxxx] | predictive | High
44 | Argument | xxxxxx | predictive | Low
45 | Argument | xxxxxx | predictive | Low
46 | Argument | xxxxx | predictive | Low
47 | Argument | xxxxxxxxxxxxxxx | predictive | High
48 | Argument | xxxxxxxx | predictive | Medium
49 | Argument | xxxxxxxxx/xx/xxxxxxxx | predictive | High
50 | Argument | x_xxx | predictive | Low
51 | Argument | xx | predictive | Low
52 | Argument | xx | predictive | Low
53 | Argument | xx/xxxxx | predictive | Medium
54 | Argument | xx_xxxxx | predictive | Medium
55 | Argument | xxxxxxx | predictive | Low
56 | Argument | xxx | predictive | Low
57 | Argument | xxxxx xxxxxx | predictive | Medium
58 | Argument | xxxx | predictive | Low
59 | Argument | xxxxxxxx | predictive | Medium
60 | Argument | xxxxxxxx_xxx | predictive | Medium
61 | Argument | xxxxxxxx_xx | predictive | Medium
62 | Argument | xxxx/xxxxxx/xxxxxxx/xxxxxxxxxx | predictive | High
63 | Argument | xxxxxxx[] | predictive | Medium
64 | Argument | xxxxx | predictive | Low
65 | Argument | xxxxxxx | predictive | Low
66 | Argument | x-xxxx-xxxxx | predictive | Medium
67 | Input Value | .%xx.../.%xx.../ | predictive | High
68 | Input Value | x' xxxxx xxxxx(x) xxx 'xxxx'='xxxx | predictive | High
69 | Pattern | x|xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx|x | predictive | High
70 | Network Port | xxx/xxxxx | predictive | Medium

References (6)

The following list contains external sources which discuss the actor and the associated activities:
