misp-circl-feed/feeds/circl/misp/eb8ec4e4-ea78-4cf5-80bc-974e765f08df.json

380 lines
54 KiB
JSON
Raw Permalink Normal View History

2023-04-21 13:25:09 +00:00
{
2023-12-14 14:30:15 +00:00
"Event": {
"analysis": "0",
"date": "2021-03-03",
"extends_uuid": "",
"info": "CISA.gov - AA21-062A Mitigate Microsoft Exchange Server Vulnerabilities",
"publish_timestamp": "1615717951",
"published": true,
"threat_level_id": "3",
"timestamp": "1615717945",
"uuid": "eb8ec4e4-ea78-4cf5-80bc-974e765f08df",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#004646",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#0071c3",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "osint:lifetime=\"perpetual\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "Other",
"comment": "Imported from STIX header description",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615717846",
"to_ids": false,
"type": "comment",
"uuid": "2fd4e42f-f50d-4422-811e-9808d3f25658",
"value": "This STIX file provides indicators of compromise (IOCs) associated with malicious activity reported in Activity Alert, AA21-062A Mitigate Microsoft Exchange Server Vulnerabilities. For more information about this activity, to include detection and mitigation recommendations, see the Activity Alert."
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615717846",
"to_ids": true,
"type": "sha256",
"uuid": "112dd548-221d-499a-9f1b-10fe689f1ce4",
"value": "b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615717846",
"to_ids": true,
"type": "sha256",
"uuid": "758e07fe-3612-4c8d-b45c-bd7868620943",
"value": "811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615717846",
"to_ids": true,
"type": "sha256",
"uuid": "5d8b036a-d99e-4b44-a341-c7d1a8d07692",
"value": "65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615717846",
"to_ids": true,
"type": "sha256",
"uuid": "4fb975a9-b749-42b9-8d46-ce25b3174ac6",
"value": "511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615717846",
"to_ids": true,
"type": "sha256",
"uuid": "d1fe70e7-8ccf-4f94-9855-571ff6b3e54e",
"value": "4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615717846",
"to_ids": true,
"type": "sha256",
"uuid": "d851863a-b84b-4e99-ac91-1eb0386036ab",
"value": "2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615717846",
"to_ids": true,
"type": "sha256",
"uuid": "7b48d4b6-6368-4a46-8605-5e941c80bf7d",
"value": "1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615717846",
"to_ids": true,
"type": "sha256",
"uuid": "6ae59701-6443-44d2-9550-a407d109f510",
"value": "097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615717846",
"to_ids": true,
"type": "ip-dst",
"uuid": "da4e181c-590c-4fcb-8f3d-6cd70186daa7",
"value": "91.192.103.43"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615717846",
"to_ids": true,
"type": "ip-dst",
"uuid": "e9830dde-d7b6-42a8-a806-82564d8c0d5c",
"value": "80.92.205.81"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615717846",
"to_ids": true,
"type": "ip-dst",
"uuid": "63a255c1-9f2e-41dc-a9b6-015eab1e4f1b",
"value": "5.2.69.14"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615717846",
"to_ids": true,
"type": "ip-dst",
"uuid": "a45f063b-affd-4489-bb10-e091ee58707f",
"value": "5.254.43.18"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615717846",
"to_ids": true,
"type": "ip-dst",
"uuid": "d67ab090-19b7-41cb-841b-690dc1bf0e1a",
"value": "211.56.98.146"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615717846",
"to_ids": true,
"type": "ip-dst",
"uuid": "050c1cb5-5ff0-4b34-812e-619a259e6e3e",
"value": "203.160.69.66"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615717846",
"to_ids": true,
"type": "ip-dst",
"uuid": "ea7b3c25-adae-4c5a-8d55-b4315272a12e",
"value": "192.81.208.169"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615717846",
"to_ids": true,
"type": "ip-dst",
"uuid": "84084971-53b1-47e6-a40f-72854d499579",
"value": "185.250.151.72"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615717846",
"to_ids": true,
"type": "ip-dst",
"uuid": "a9c94953-112b-40b5-93b5-b9e8eaa1877d",
"value": "167.99.168.251"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615717846",
"to_ids": true,
"type": "ip-dst",
"uuid": "ccff1409-c0b7-4b82-a7a2-e63916d20641",
"value": "157.230.221.198"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615717846",
"to_ids": true,
"type": "ip-dst",
"uuid": "cb5c015c-73fd-4801-987b-7e9604cc215d",
"value": "149.28.14.163"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615717846",
"to_ids": true,
"type": "ip-dst",
"uuid": "47823cda-5b8b-4a7c-a99c-774127967a54",
"value": "108.61.246.56"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615717846",
"to_ids": true,
"type": "ip-dst",
"uuid": "4ad23c34-2da1-45dc-b227-2d084b1a1a42",
"value": "104.250.191.110"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615717846",
"to_ids": true,
"type": "ip-dst",
"uuid": "88f07129-c8af-4365-8cf2-16a5bd950fa0",
"value": "103.77.192.219"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1615717846",
"to_ids": true,
"type": "ip-dst",
"uuid": "d4f0de17-daa0-4907-a0e0-8fb37337fc3d",
"value": "104.140.114.110"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "Object describing the original file used to import data in MISP.",
"meta-category": "file",
"name": "original-imported-file",
"template_uuid": "4cd560e9-2cfe-40a1-9964-7b2e797ecac5",
"template_version": "2",
"timestamp": "1615717847",
"uuid": "39474e19-95e7-45d4-968f-91b80f5949db",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"data": "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiID8+DQo8IS0tIEdlbmVyYXRlZCBieSBNUEUgMC40LjQgb24gMDMvMDMvMjAyMSAtLT4NCjxzdGl4OlNUSVhfUGFja2FnZSANCgl4bWxuczpBZGRyZXNzT2JqPSJodHRwOi8vY3lib3gubWl0cmUub3JnL29iamVjdHMjQWRkcmVzc09iamVjdC0yIg0KCXhtbG5zOnN0aXhWb2NhYnM9Imh0dHA6Ly9zdGl4Lm1pdHJlLm9yZy9kZWZhdWx0X3ZvY2FidWxhcmllcy0xIg0KCXhtbG5zOnRscE1hcmtpbmc9Imh0dHA6Ly9kYXRhLW1hcmtpbmcubWl0cmUub3JnL2V4dGVuc2lvbnMvTWFya2luZ1N0cnVjdHVyZSNUTFAtMSINCgl4bWxuczpGaWxlT2JqPSJodHRwOi8vY3lib3gubWl0cmUub3JnL29iamVjdHMjRmlsZU9iamVjdC0yIg0KCXhtbG5zOmN5Ym94Vm9jYWJzPSJodHRwOi8vY3lib3gubWl0cmUub3JnL2RlZmF1bHRfdm9jYWJ1bGFyaWVzLTIiDQoJeG1sbnM6VE9VTWFya2luZz0iaHR0cDovL2RhdGEtbWFya2luZy5taXRyZS5vcmcvZXh0ZW5zaW9ucy9NYXJraW5nU3RydWN0dXJlI1Rlcm1zX09mX1VzZS0xIg0KCXhtbG5zOnN0aXhDb21tb249Imh0dHA6Ly9zdGl4Lm1pdHJlLm9yZy9jb21tb24tMSINCgl4bWxuczppbmRpY2F0b3I9Imh0dHA6Ly9zdGl4Lm1pdHJlLm9yZy9JbmRpY2F0b3ItMiINCgl4bWxuczpjeWJveENvbW1vbj0iaHR0cDovL2N5Ym94Lm1pdHJlLm9yZy9jb21tb24tMiINCgl4bWxuczpzdGl4PSJodHRwOi8vc3RpeC5taXRyZS5vcmcvc3RpeC0xIg0KCXhtbG5zOm1hcmtpbmc9Imh0dHA6Ly9kYXRhLW1hcmtpbmcubWl0cmUub3JnL01hcmtpbmctMSINCgl4bWxuczpjeWJveD0iaHR0cDovL2N5Ym94Lm1pdHJlLm9yZy9jeWJveC0yIg0KCXhtbG5zOkNJU0E9Imh0dHA6Ly93d3cudXMtY2VydC5nb3YvbmNjaWMiDQoJeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiDQoJeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiDQoJeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIg0KCXhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiDQoJDQoJeHNpOnNjaGVtYUxvY2F0aW9uPSJodHRwOi8vY3lib3gubWl0cmUub3JnL29iamVjdHMjQWRkcmVzc09iamVjdC0yIGh0dHA6Ly9jeWJveC5taXRyZS5vcmcvWE1MU2NoZW1hL29iamVjdHMvQWRkcmVzcy8yLjEvQWRkcmVzc19PYmplY3QueHNkDQoJaHR0cDovL3N0aXgubWl0cmUub3JnL2RlZmF1bHRfdm9jYWJ1bGFyaWVzLTEgaHR0cDovL3N0aXgubWl0cmUub3JnL1hNTFNjaGVtYS9kZWZhdWx0X3ZvY2FidWxhcmllcy8xLjEuMS9zdGl4X2RlZmF1bHRfdm9jYWJ1bGFyaWVzLnhzZA0KCWh0dHA6Ly9kYXRhLW1hcmtpbmcubWl0cmUub3JnL2V4dGVuc2lvbnMvTWFya2luZ1N0cnVjdHVyZSNUTFAtMSBodHRwOi8vc3RpeC5taXRyZS5vcmcvWE1MU2NoZW1hL2V4dGVuc2lvbnMvbWFya2luZy90bHAvMS4xLjEvdGxwX21hcmtpbmcueHNkDQoJaHR0cDovL2N5Ym94Lm1pdHJlLm9yZy9vYmplY3RzI0ZpbGVPYmplY3QtMiBodHRwOi8vY3lib3gubWl0cmUub3JnL1hNTFNjaGVtYS9vYmplY3RzL0ZpbGUvMi4xL0ZpbGVfT2JqZWN0LnhzZA0KCWh0dHA6Ly9jeWJveC5taXRyZS5vcmcvZGVmYXVsdF92b2NhYnVsYXJpZXMtMiBodHRwOi8vY3lib3gubWl0cmUub3JnL1hNTFNjaGVtYS9kZWZhdWx0X3ZvY2FidWxhcmllcy8yLjEvY3lib3hfZGVmYXVsdF92b2NhYnVsYXJpZXMueHNkDQoJaHR0cDovL2RhdGEtbWFya2luZy5taXRyZS5vcmcvZXh0ZW5zaW9ucy9NYXJraW5nU3RydWN0dXJlI1Rlcm1zX09mX1VzZS0xIGh0dHA6Ly9zdGl4Lm1pdHJlLm9yZy9YTUxTY2hlbWEvZXh0ZW5zaW9ucy9tYXJraW5nL3Rlcm1zX29mX3VzZS8xLjAuMS90ZXJtc19vZl91c2VfbWFya2luZy54c2QNCglodHRwOi8vc3RpeC5taXRyZS5vcmcvY29tbW9uLTEgaHR0cDovL3N0aXgubWl0cmUub3JnL1hNTFNjaGVtYS9jb21tb24vMS4xLjEvc3RpeF9jb21tb24ueHNkDQoJaHR0cDovL3N0aXgubWl0cmUub3JnL0luZGljYXRvci0yIGh0dHA6Ly9zdGl4Lm1pdHJlLm9yZy9YTUxTY2hlbWEvaW5kaWNhdG9yLzIuMS4xL2luZGljYXRvci54c2QNCglodHRwOi8vY3lib3gubWl0cmUub3JnL2NvbW1vbi0yIGh0dHA6Ly9jeWJveC5taXRyZS5vcmcvWE1MU2NoZW1hL2NvbW1vbi8yLjEvY3lib3hfY29tbW9uLnhzZA0KCWh0dHA6Ly9zdGl4Lm1pdHJlLm9yZy9zdGl4LTEgaHR0cDovL3N0aXgubWl0cmUub3JnL1hNTFNjaGVtYS9jb3JlLzEuMS4xL3N0aXhfY29yZS54c2QNCglodHRwOi8vZGF0YS1tYXJraW5nLm1pdHJlLm9yZy9NYXJraW5nLTEgaHR0cDovL3N0aXgubWl0cmUub3JnL1hNTFNjaGVtYS9kYXRhX21hcmtpbmcvMS4xLjEvZGF0YV9tYXJraW5nLnhzZA0KCWh0dHA6Ly9jeWJveC5taXRyZS5vcmcvY3lib3gtMiBodHRwOi8vY3lib3gubWl0cmUub3JnL1hNTFNjaGVtYS9jb3JlLzIuMS9jeWJveF9jb3JlLnhzZCIgaWQ9Ik5QRy04Mzk2NDQ1IiB2ZXJzaW9uPSIxLjEuMSIgdGltZXN0YW1wPSIyMDIxLTAzLTAzVDE5OjA3OjQ0Ij4NCiAgICA8c3RpeDpTVElYX0hlYWRlcj4NCiAgICAgICAgPHN0aXg6VGl0bGU+QUEyMS0wNjJBIE1pdGlnYXRlIE1pY3Jvc29mdCBFeGNoYW5nZSBTZXJ2ZXIgVnVsbmVyYWJpbGl0aWVzPC9zdGl4OlRpdGxlPg0KICAgICAgICA8c3RpeDpQYWNrYWdlX0ludGVudCB4c2k6dHlwZT0ic3RpeFZvY2FiczpQYWNrYWdlSW50ZW50Vm9jYWItMS4wIj5JbmRpY2F0b3JzPC9zdGl4OlBhY2thZ2VfSW50ZW50Pg0KICAgICAgICA8c3RpeDpEZXNjcmlwdGlvbj5UaGlzIFNUSVggZmlsZSBwcm92aWRlcyBpbmRpY2F0b3JzIG9mIGNvbXByb21pc2UgKElPQ3MpIGFzc29jaWF0ZWQgd2l0aCBtYWxpY2lvdXMgYWN0aXZpdHkgcmVwb3J0ZWQgaW4gQWN0aXZpdHkgQWxlcnQsIEFBMjEtMDYyQSBNaXRpZ2F0ZSBNaWNyb3NvZnQgRXhjaGFuZ2UgU2VydmVyIFZ1bG5lcmFiaWxpdGllcy4gRm9yIG1vcmUgaW5mb3JtYXRpb24gYWJvdXQgdGhpcyBhY3Rpdm
"deleted": false,
"disable_correlation": true,
"object_relation": "imported-sample",
"timestamp": "1615717847",
"to_ids": false,
"type": "attachment",
"uuid": "56c86ce5-5cdd-4a9f-b783-f10c72f77efd",
"value": "AA21-062A.stix.xml"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "format",
"timestamp": "1615717847",
"to_ids": false,
"type": "text",
"uuid": "cb3a8bd6-df0e-46de-8fdf-517c6cee297d",
"value": "STIX 1.1"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Metadata used to generate an executive level report",
"meta-category": "misc",
"name": "report",
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
"template_version": "3",
"timestamp": "1615717913",
"uuid": "59512712-98b1-4439-bddd-5307480562cc",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "link",
"timestamp": "1615717913",
"to_ids": false,
"type": "link",
"uuid": "59d841ae-a913-410b-b743-0602e5942c9f",
"value": "https://us-cert.cisa.gov/ncas/alerts/aa21-062a"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "summary",
"timestamp": "1615717913",
"to_ids": false,
"type": "text",
"uuid": "4561f74e-6aaf-4616-a0c7-7a509868d9c4",
"value": "Cybersecurity and Infrastructure Security (CISA) partners have observed active exploitation of vulnerabilities in Microsoft Exchange Server products. Successful exploitation of these vulnerabilities allows an unauthenticated attacker to execute arbitrary code on vulnerable Exchange Servers, enabling the attacker to gain persistent system access, as well as access to files and mailboxes on the server and to credentials stored on that system. Successful exploitation may additionally enable the attacker to compromise trust and identity in a vulnerable network. Microsoft released out-of-band patches to address vulnerabilities in Microsoft Exchange Server. The vulnerabilities impact on-premises Microsoft Exchange Servers and are not known to impact Exchange Online or Microsoft 365 (formerly O365) cloud email services.\r\n\r\nThis Alert includes both tactics, techniques and procedures (TTPs) and the indicators of compromise (IOCs) associated with this malicious activity. To secure against this threat, CISA recommends organizations examine their systems for the TTPs and use the IOCs to detect any malicious activity. If an organization discovers exploitation activity, they should assume network identity compromise and follow incident response procedures. If an organization finds no activity, they should apply available patches immediately and implement the mitigations in this Alert."
}
]
}
2023-04-21 13:25:09 +00:00
]
2023-12-14 14:30:15 +00:00
}
2023-04-21 13:25:09 +00:00
}