misp-circl-feed/feeds/circl/misp/9802116c-3ec3-4a8e-8b39-5c69b08df5ab.json

461 lines
20 KiB
JSON
Raw Permalink Normal View History

2024-08-07 08:13:15 +00:00
{
"Event": {
"analysis": "2",
"date": "2024-04-13",
"extends_uuid": "",
"info": "OSINT - Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)",
"publish_timestamp": "1713023054",
"published": true,
"threat_level_id": "1",
"timestamp": "1713023036",
"uuid": "9802116c-3ec3-4a8e-8b39-5c69b08df5ab",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"External Remote Services - T1133\"",
"relationship_type": ""
},
{
"colour": "#004646",
"local": false,
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#0071c3",
"local": false,
"name": "osint:lifetime=\"perpetual\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:clear",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1713022471",
"to_ids": false,
"type": "vulnerability",
"uuid": "d59172f5-ad8b-4b0d-8c17-f9a6bda23de0",
"value": "CVE-2024-3400"
},
{
"category": "Network activity",
"comment": "server used by the attacker to host malicious files server used by the attacker to host malicious files",
"deleted": false,
"disable_correlation": false,
"timestamp": "1713022532",
"to_ids": true,
"type": "ip-dst",
"uuid": "e35ebfcb-027e-4fb0-a1de-068121a30af9",
"value": "198.58.109.149"
},
{
"category": "Network activity",
"comment": "server used by the attacker to host malicious files server used by the attacker to host malicious files",
"deleted": false,
"disable_correlation": false,
"timestamp": "1713022532",
"to_ids": true,
"type": "ip-dst",
"uuid": "af170b81-f692-401e-9a7a-dcd090a82f36",
"value": "144.172.79.92"
},
{
"category": "Network activity",
"comment": "server used by the attacker to host malicious files server used by the attacker to host malicious files",
"deleted": false,
"disable_correlation": false,
"timestamp": "1713022532",
"to_ids": true,
"type": "ip-dst",
"uuid": "0090d107-48f1-473c-92c8-9995f8df86c1",
"value": "172.233.228.93"
},
{
"category": "Network activity",
"comment": "Compromised ASUS router used by attacker to interact with compromised devices",
"deleted": false,
"disable_correlation": false,
"timestamp": "1713022563",
"to_ids": true,
"type": "ip-dst",
"uuid": "1bf69d21-1511-4706-9827-13f11a7c602d",
"value": "71.9.135.100"
},
{
"category": "Network activity",
"comment": "Surfshark VPN address used in exploitation attempts.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1713022579",
"to_ids": true,
"type": "ip-dst",
"uuid": "9e5a170a-8246-4ad0-8cb3-886b61ac6e29",
"value": "89.187.187.69"
},
{
"category": "Network activity",
"comment": "Compromised S3 bucket used to host files by UTA0218",
"deleted": false,
"disable_correlation": false,
"timestamp": "1713022597",
"to_ids": true,
"type": "hostname",
"uuid": "3b065774-3bd2-4387-baf1-0815b9f07301",
"value": "nhdata.s3-us-west-2.amazonaws.com"
},
{
"category": "Network activity",
"comment": "Compromised ASUS router used by attacker to interact with compromised devices",
"deleted": false,
"disable_correlation": false,
"timestamp": "1713022622",
"to_ids": true,
"type": "ip-dst",
"uuid": "e9227309-0a42-4772-8b49-aaaaaca8c25e",
"value": "23.242.208.175"
},
{
"category": "Network activity",
"comment": "Compromised ASUS router used by attacker to interact with compromised devices",
"deleted": false,
"disable_correlation": false,
"timestamp": "1713022622",
"to_ids": true,
"type": "ip-dst",
"uuid": "46678675-7083-4935-a139-23809fd3e63f",
"value": "137.118.185.101"
},
{
"category": "Network activity",
"comment": "Surfshark VPN address used in exploitation attempts.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1713022644",
"to_ids": true,
"type": "ip-dst",
"uuid": "bbf52063-1901-4b76-96b2-51a252d63f6b",
"value": "66.235.168.222"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1713022686",
"uuid": "cdc97c09-bb75-4bb2-81b4-b5d4a7556b2b",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1713022686",
"to_ids": false,
"type": "text",
"uuid": "53097464-66a9-4116-aa6e-95be6eb4ff0e",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1713022686",
"to_ids": true,
"type": "yara",
"uuid": "3f56445e-022c-4280-9d04-667f1113b9ee",
"value": "rule apt_malware_py_upstyle : UTA0218\r\n{\r\n meta:\r\n author = \"threatintel@volexity.com\"\r\n date = \"2024-04-11\"\r\n description = \"Detect the UPSTYLE webshell.\"\r\n hash1 = \"3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac\"\r\n hash2 = \"0d59d7bddac6c22230187ef6cf7fa22bca93759edc6f9127c41dc28a2cea19d8\"\r\n hash3 = \"4dd4bd027f060f325bf6a90d01bfcf4e7751a3775ad0246beacc6eb2bad5ec6f\"\r\n os = \"linux\"\r\n os_arch = \"all\"\r\n report = \"TIB-20240412\"\r\n scan_context = \"file,memory\"\r\n last_modified = \"2024-04-12T13:05Z\"\r\n license = \"See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt\"\r\n rule_id = 10429\r\n version = 2\r\n\r\n strings:\r\n $stage1_str1 = \"/opt/pancfg/mgmt/licenses/PA_VM\"\r\n $stage1_str2 = \"exec(base64.\"\r\n\r\n $stage2_str1 = \"signal.signal(signal.SIGTERM,stop)\"\r\n $stage2_str2 = \"exec(base64.\"\r\n\r\n $stage3_str1 = \"write(\\\"/*\\\"+output+\\\"*/\\\")\"\r\n $stage3_str2 = \"SHELL_PATTERN\"\r\n\r\n condition:\r\n all of ($stage1*) or\r\n all of ($stage2*) or\r\n all of ($stage3*)\r\n}"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1713022721",
"uuid": "84975d5f-3811-4d77-957a-d0ef1a5a0667",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1713022721",
"to_ids": false,
"type": "text",
"uuid": "64b6785c-8108-4d0d-b43e-27e0c3a856a6",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1713022721",
"to_ids": true,
"type": "yara",
"uuid": "5d13f09e-164e-47b8-b7b4-8af490fbf2a9",
"value": "rule susp_any_gost_arguments\r\n{\r\n meta:\r\n author = \"threatintel@volexity.com\"\r\n date = \"2024-04-10\"\r\n description = \"Looks for common arguments passed to the hacktool GOST that are sometimes used by attackers in scripts (for example cronjobs etc).\"\r\n os = \"all\"\r\n os_arch = \"all\"\r\n report = \"TIB-20240412\"\r\n scan_context = \"file\"\r\n last_modified = \"2024-04-12T13:06Z\"\r\n license = \"See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt\"\r\n rule_id = 10425\r\n version = 2\r\n\r\n strings:\r\n $s1 = \"-L=socks5://\" ascii\r\n $s2 = \"-L rtcp://\" ascii\r\n\r\n condition:\r\n filesize < 10KB and\r\n any of them\r\n}"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1713022792",
"uuid": "359ffec8-c6a6-4fc1-a841-0bf9220401f6",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1713022792",
"to_ids": false,
"type": "text",
"uuid": "3c6a4cfd-ce21-441e-a096-249f668cfb5c",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1713022792",
"to_ids": true,
"type": "yara",
"uuid": "71f30d18-92f2-4fed-88ee-9195ca4e83b1",
"value": "rule susp_any_jarischf_user_path\r\n{\r\n meta:\r\n author = \"threatintel@volexity.com\"\r\n date = \"2024-04-10\"\r\n description = \"Detects paths embedded in samples in released projects written by Ferdinand Jarisch, a pentester in AISEC. These tools are sometimes used by attackers in real world intrusions.\"\r\n hash1 = \"161fd76c83e557269bee39a57baa2ccbbac679f59d9adff1e1b73b0f4bb277a6\"\r\n os = \"all\"\r\n os_arch = \"all\"\r\n report = \"TIB-20240412\"\r\n scan_context = \"file,memory\"\r\n last_modified = \"2024-04-12T13:06Z\"\r\n license = \"See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt\"\r\n rule_id = 10424\r\n version = 4\r\n\r\n strings:\r\n $proj_1 = \"/home/jarischf/\"\r\n\r\n condition:\r\n any of ($proj_*)\r\n}"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1713022817",
"uuid": "9d0b011a-872f-42de-a2cc-8353d6928863",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1713022817",
"to_ids": false,
"type": "text",
"uuid": "24e7cc2c-ae2c-425e-9f4a-6d584482b2cc",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1713022817",
"to_ids": true,
"type": "yara",
"uuid": "61f4257b-e5c0-44f2-aa03-2c29692a31cb",
"value": "rule hacktool_golang_reversessh_fahrj\r\n{\r\n meta:\r\n author = \"threatintel@volexity.com\"\r\n date = \"2024-04-10\"\r\n description = \"Detects a reverse SSH utility available on GitHub. Attackers may use this tool or similar tools in post-exploitation activity.\"\r\n hash1 = \"161fd76c83e557269bee39a57baa2ccbbac679f59d9adff1e1b73b0f4bb277a6\"\r\n os = \"all\"\r\n os_arch = \"all\"\r\n reference = \"https://github.com/Fahrj/reverse-ssh\"\r\n report = \"TIB-20240412\"\r\n scan_context = \"file,memory\"\r\n last_modified = \"2024-04-12T13:06Z\"\r\n license = \"See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt\"\r\n rule_id = 10423\r\n version = 5\r\n\r\n strings:\r\n $fun_1 = \"createLocalPortForwardingCallback\"\r\n $fun_2 = \"createReversePortForwardingCallback\"\r\n $fun_3 = \"createPasswordHandler\"\r\n $fun_4 = \"createPublicKeyHandler\"\r\n $fun_5 = \"createSFTPHandler\"\r\n $fun_6 = \"dialHomeAndListen\"\r\n $fun_7 = \"createExtraInfoHandler\"\r\n $fun_8 = \"createSSHSessionHandler\"\r\n $fun_9 = \"createReversePortForwardingCallback\"\r\n\r\n $proj_1 = \"github.com/Fahrj/reverse-ssh\"\r\n\r\n condition:\r\n any of ($proj_*) or\r\n 4 of ($fun_*)\r\n}"
}
]
},
{
"comment": "CVE-2024-3400: Enriched via the cve_advanced module",
"deleted": false,
"description": "Vulnerability object describing a common vulnerability enumeration which can describe published, unpublished, under review or embargo vulnerability for software, equipments or hardware.",
"meta-category": "vulnerability",
"name": "vulnerability",
"template_uuid": "81650945-f186-437b-8945-9f31715d32da",
"template_version": "8",
"timestamp": "1713022829",
"uuid": "5bef5cb3-abb2-4eb1-831a-e8965c8e47b2",
"ObjectReference": [
{
"comment": "",
"object_uuid": "5bef5cb3-abb2-4eb1-831a-e8965c8e47b2",
"referenced_uuid": "d59172f5-ad8b-4b0d-8c17-f9a6bda23de0",
"relationship_type": "related-to",
"timestamp": "1713022829",
"uuid": "e279e93a-f633-4be5-bb65-b64cc85c1451"
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "id",
"timestamp": "1713022829",
"to_ids": false,
"type": "vulnerability",
"uuid": "3c6fecfb-f4dc-4f0d-8d81-d24510f62cf4",
"value": "CVE-2024-3400"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "summary",
"timestamp": "1713022829",
"to_ids": false,
"type": "text",
"uuid": "7b70b496-2640-4b86-8979-c456a579a465",
"value": "A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.\n\nFixes for PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 are in development and are expected to be released by April 14, 2024. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability. All other versions of PAN-OS are also not impacted."
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "modified",
"timestamp": "1713022829",
"to_ids": false,
"type": "datetime",
"uuid": "9825d42c-bafa-4757-8364-236e63c9c690",
"value": "2024-04-13T01:00:00+00:00"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "published",
"timestamp": "1713022829",
"to_ids": false,
"type": "datetime",
"uuid": "1514d639-efcb-48ab-bf66-fa50d80d0558",
"value": "2024-04-12T08:15:00+00:00"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1713022829",
"to_ids": false,
"type": "text",
"uuid": "0bafaf98-6168-4c46-9601-29f076c8dc3c",
"value": "Published"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "references",
"timestamp": "1713022829",
"to_ids": false,
"type": "link",
"uuid": "fdbf2439-5f9a-447f-abcb-a4d6bf5f336b",
"value": "https://security.paloaltonetworks.com/CVE-2024-3400"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Report object to describe a report along with its metadata.",
"meta-category": "misc",
"name": "report",
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
"template_version": "8",
"timestamp": "1713022857",
"uuid": "04e823a2-8ab9-4403-ac81-350f4a8f27a1",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "link",
"timestamp": "1713022857",
"to_ids": false,
"type": "link",
"uuid": "e0a8434e-5cf3-42b4-915d-e379b2200543",
"value": "https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "summary",
"timestamp": "1713022857",
"to_ids": false,
"type": "text",
"uuid": "50a54b52-d8a7-4eda-8941-22914ff73321",
"value": "Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1713022857",
"to_ids": false,
"type": "text",
"uuid": "c7f265fb-ff27-413e-b32f-0b5873e6a45e",
"value": "Blog"
}
]
}
]
}
}