misp-circl-feed/feeds/circl/stix-2.1/34237efb-adf4-452b-a322-0cbed70c7b33.json
{
"type": "bundle",
"id": "bundle--34237efb-adf4-452b-a322-0cbed70c7b33",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-31T19:55:21.000Z",
"modified": "2024-01-31T19:55:21.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--34237efb-adf4-452b-a322-0cbed70c7b33",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-31T19:55:21.000Z",
"modified": "2024-01-31T19:55:21.000Z",
"name": "OSINT - Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation",
"published": "2024-01-31T19:56:12Z",
"object_refs": [
"indicator--097b466b-5964-43d5-a4d5-18bb503d3336",
"indicator--9ad402bc-b0d4-42e6-a34d-a731d33fa93c",
"indicator--dfef87dc-c4d5-4b14-943e-cc7cc623a5c3",
"indicator--9d60e463-adc3-44bb-be48-ec973485cff1",
"indicator--07dde0ea-e363-4162-bcdf-f0cdcfed9d02",
"indicator--a3aff888-895f-4aa2-90b2-e6038d436c75",
"indicator--1dbb8c23-945b-4d26-b63c-4fa36f7d0940",
"indicator--a8d27aca-54ae-4f0b-981e-0807e6c565e8",
"indicator--f59d17cd-187c-4a3a-ba28-11be34df2f40",
"indicator--56b22645-99fa-4684-beab-0b79a92fa0d1",
"indicator--7b528c7e-780e-434b-95c2-4248ba0c04ba",
"indicator--5b5e0358-58cb-4bef-b2bd-5934e1751ba8",
"indicator--0ef4ce51-fb7a-42d0-8925-9c6b2bbf9d19",
"indicator--ec208a18-c962-4ff6-8bc8-e4a40ca1b7f9",
"indicator--514e7637-1078-4908-a706-cae7d17524ba",
"indicator--5aaa9588-becf-4317-a04b-c312691e8229",
"indicator--43b9f253-c33c-4d24-bb05-7bd203990ebd",
"indicator--263db6db-2a91-454f-862f-42d76d2a8153",
"indicator--8db36071-6d50-43df-94fd-b148802357fa",
"indicator--0fad72d4-ae50-43ce-bb9f-a479b4a90c1c",
"x-misp-object--bc0bbe47-980e-4641-8136-88c8dd4eea06",
"indicator--e0a26f37-4a36-41c7-bfe7-e249e03339c4",
"indicator--4baf011f-70ce-4dce-bf4e-90001e1889e0",
"indicator--a63d0871-116e-4373-b676-cfde0f7eab68",
"indicator--fa2ed52d-c8bb-4c88-a331-1f16f48733e6",
"indicator--1eca4c10-f005-44bc-ae13-a68d0fc0b921",
"indicator--73ca8ee2-2418-45a0-b171-99a492b3b7b9",
"indicator--7f76662a-520a-439c-aa32-a1671c206fa7",
"indicator--bf920237-658b-4601-97fc-842fcb06055c",
"note--bca78d65-fde0-45e0-b223-18bc04e4ad20"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:country=\"china\"",
"misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"50\"",
"tlp:clear"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--097b466b-5964-43d5-a4d5-18bb503d3336",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-31T19:43:21.000Z",
"modified": "2024-01-31T19:43:21.000Z",
"description": "WARPWIRE C2 server",
"pattern": "[domain-name:value = 'symantke.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-31T19:43:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--9ad402bc-b0d4-42e6-a34d-a731d33fa93c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-31T19:43:21.000Z",
"modified": "2024-01-31T19:43:21.000Z",
"description": "WARPWIRE variant C2 server",
"pattern": "[domain-name:value = 'miltonhouse.nl']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-31T19:43:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--dfef87dc-c4d5-4b14-943e-cc7cc623a5c3",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-31T19:43:21.000Z",
"modified": "2024-01-31T19:43:21.000Z",
"description": "WARPWIRE variant C2 server",
"pattern": "[domain-name:value = 'entraide-internationale.fr']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-31T19:43:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--9d60e463-adc3-44bb-be48-ec973485cff1",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-31T19:43:21.000Z",
"modified": "2024-01-31T19:43:21.000Z",
"description": "WARPWIRE variant C2 server",
"pattern": "[domain-name:value = 'api.d-n-s.name']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-31T19:43:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--07dde0ea-e363-4162-bcdf-f0cdcfed9d02",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-31T19:43:21.000Z",
"modified": "2024-01-31T19:43:21.000Z",
"description": "WARPWIRE variant C2 server",
"pattern": "[domain-name:value = 'cpanel.netbar.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-31T19:43:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a3aff888-895f-4aa2-90b2-e6038d436c75",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-31T19:43:21.000Z",
"modified": "2024-01-31T19:43:21.000Z",
"description": "WARPWIRE variant C2 server",
"pattern": "[domain-name:value = 'clickcom.click']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-31T19:43:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--1dbb8c23-945b-4d26-b63c-4fa36f7d0940",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-31T19:43:22.000Z",
"modified": "2024-01-31T19:43:22.000Z",
"description": "WARPWIRE variant C2 server",
"pattern": "[domain-name:value = 'clicko.click']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-31T19:43:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a8d27aca-54ae-4f0b-981e-0807e6c565e8",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-31T19:43:22.000Z",
"modified": "2024-01-31T19:43:22.000Z",
"description": "WARPWIRE variant C2 server",
"pattern": "[domain-name:value = 'duorhytm.fun']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-31T19:43:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--f59d17cd-187c-4a3a-ba28-11be34df2f40",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-31T19:43:22.000Z",
"modified": "2024-01-31T19:43:22.000Z",
"description": "WARPWIRE variant C2 server",
"pattern": "[domain-name:value = 'line-api.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-31T19:43:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56b22645-99fa-4684-beab-0b79a92fa0d1",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-31T19:43:22.000Z",
"modified": "2024-01-31T19:43:22.000Z",
"description": "WARPWIRE variant C2 server",
"pattern": "[domain-name:value = 'areekaweb.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-31T19:43:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--7b528c7e-780e-434b-95c2-4248ba0c04ba",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-31T19:43:22.000Z",
"modified": "2024-01-31T19:43:22.000Z",
"description": "WARPWIRE variant C2 server",
"pattern": "[domain-name:value = 'ehangmun.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-31T19:43:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b5e0358-58cb-4bef-b2bd-5934e1751ba8",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-31T19:43:22.000Z",
"modified": "2024-01-31T19:43:22.000Z",
"description": "WARPWIRE variant C2 server",
"pattern": "[domain-name:value = 'secure-cama.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-31T19:43:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--0ef4ce51-fb7a-42d0-8925-9c6b2bbf9d19",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-31T19:55:21.000Z",
"modified": "2024-01-31T19:55:21.000Z",
"description": "WARPWIRE variant C2 server",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '146.0.228.66']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-31T19:55:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--ec208a18-c962-4ff6-8bc8-e4a40ca1b7f9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-31T19:55:21.000Z",
"modified": "2024-01-31T19:55:21.000Z",
"description": "WARPWIRE variant C2 server",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '159.65.130.146']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-31T19:55:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--514e7637-1078-4908-a706-cae7d17524ba",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-31T19:55:21.000Z",
"modified": "2024-01-31T19:55:21.000Z",
"description": "WARPWIRE variant C2 server",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '8.137.112.245']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-31T19:55:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5aaa9588-becf-4317-a04b-c312691e8229",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-31T19:55:21.000Z",
"modified": "2024-01-31T19:55:21.000Z",
"description": "WARPWIRE variant C2 server",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '91.92.254.14']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-31T19:55:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--43b9f253-c33c-4d24-bb05-7bd203990ebd",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-31T19:55:21.000Z",
"modified": "2024-01-31T19:55:21.000Z",
"description": "Mass exploitation activity",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '186.179.39.235']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-31T19:55:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--263db6db-2a91-454f-862f-42d76d2a8153",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-31T19:55:21.000Z",
"modified": "2024-01-31T19:55:21.000Z",
"description": "Post-exploitation activity",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '50.215.39.49']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-31T19:55:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--8db36071-6d50-43df-94fd-b148802357fa",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-31T19:55:21.000Z",
"modified": "2024-01-31T19:55:21.000Z",
"description": "Post-exploitation activity",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.61.136.14']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-31T19:55:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--0fad72d4-ae50-43ce-bb9f-a479b4a90c1c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-31T19:55:21.000Z",
"modified": "2024-01-31T19:55:21.000Z",
"description": "Post-exploitation activity",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '173.220.106.166']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-31T19:55:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--bc0bbe47-980e-4641-8136-88c8dd4eea06",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-31T19:30:02.000Z",
"modified": "2024-01-31T19:30:02.000Z",
"labels": [
"misp:name=\"report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "link",
"value": "https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation",
"category": "External analysis",
"uuid": "b891afdc-c01b-4fe1-aa99-b7b0b719b18c"
},
{
"type": "text",
"object_relation": "summary",
"value": "On Jan. 12, 2024, Mandiant published a blog post detailing two high-impact zero-day vulnerabilities, CVE-2023-46805 and CVE-2024-21887, affecting Ivanti Connect Secure VPN (CS, formerly Pulse Secure) and Ivanti Policy Secure (PS) appliances. On Jan. 31, 2024, Ivanti disclosed two additional vulnerabilities impacting CS and PS devices, CVE-2024-21888 and CVE-2024-21893.\r\n\r\nThe vulnerabilities allow for an unauthenticated threat actor to execute arbitrary commands on the appliance with elevated privileges. As previously reported, Mandiant has identified zero-day exploitation of these vulnerabilities in the wild beginning as early as Dec. 3, 2023 by a suspected China-nexus espionage threat actor currently being tracked as UNC5221. \r\n\r\nMandiant has identified broad exploitation activity following the disclosure of the two vulnerabilities, both by UNC5221 and other uncategorized threat groups. Mandiant assesses that a significant portion of the post-advisory activity has been performed through automated methods.\r\n\r\nIn this follow-up blog post, we detail additional tactics, techniques, and procedures (TTPs) employed by UNC5221 and other threat groups during post-exploitation activity across our incident response engagements. We also detail new malware families and variants to previously identified malware families being used by UNC5221. We acknowledge the possibility that one or more related groups may be associated with the activity described in this blog post. It is likely that additional groups beyond UNC5221 have adopted one or more of these tools.\r\n\r\nThese observations have been supported through Mandiant's incident response engagements, working with Ivanti, and our partners. Mandiant is also providing additional recommendations for network defenders, including indicators of compromise (IOCs), and YARA rules.\r\n\r\nNote: Ivanti has released its first round of patches starting today, and it is scheduled to continue rolling out additional patches over the coming weeks. Ivanti recommends customers awaiting patches to apply the mitigation, run the external Integrity Checker Tool (ICT) to check for evidence of exploitation, and continue following the KB article to receive product updates as they become available.",
"category": "Other",
"uuid": "76c539f5-ecd5-4fed-8dc5-9aa8956f8812"
},
{
"type": "text",
"object_relation": "title",
"value": "Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation",
"category": "Other",
"uuid": "4222c19f-b759-47d9-99ac-edd4eb9219af"
},
{
"type": "text",
"object_relation": "type",
"value": "Blog",
"category": "Other",
"uuid": "69d9a31f-eef5-4e3a-a3ce-d1b59a54974a"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--e0a26f37-4a36-41c7-bfe7-e249e03339c4",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-31T19:36:15.000Z",
"modified": "2024-01-31T19:36:15.000Z",
"description": "LIGHTWIRE web shell",
"pattern": "[file:hashes.MD5 = '3d97f55a03ceb4f71671aa2ecf5b24e9' AND file:name = 'compcheckresult.cgi']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-31T19:36:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--4baf011f-70ce-4dce-bf4e-90001e1889e0",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-31T19:36:59.000Z",
"modified": "2024-01-31T19:36:59.000Z",
"description": "CHAINLINE web shell",
"pattern": "[file:hashes.MD5 = '3045f5b3d355a9ab26ab6f44cc831a83' AND file:name = 'health.py']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-31T19:36:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a63d0871-116e-4373-b676-cfde0f7eab68",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-31T19:37:48.000Z",
"modified": "2024-01-31T19:37:48.000Z",
"description": "WARPWIRE credential harvester variant",
"pattern": "[file:hashes.MD5 = '2ec505088b942c234f39a37188e80d7a' AND file:name = 'lastauthserverused.js']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-01-31T19:37:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--fa2ed52d-c8bb-4c88-a331-1f16f48733e6",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-31T19:46:11.000Z",
"modified": "2024-01-31T19:46:11.000Z",
"name": "M_Hunting_Webshell_BUSHWALK_1",
"pattern": "rule M_Hunting_Webshell_BUSHWALK_1 {\r\n\r\n meta:\r\n\r\n author = \\\\\"Mandiant\\\\\"\r\n\r\n description = \\\\\"This rule detects BUSHWALK, a webshell written in Perl CGI that is embedded into a legitimate Pulse Secure file to enable file transfers\\\\\"\r\n\r\n \r\n\r\n strings:\r\n\r\n $s1 = \\\\\"SafariiOS\\\\\" ascii\r\n\r\n $s2 = \\\\\"command\\\\\" ascii\r\n\r\n $s3 = \\\\\"change\\\\\" ascii\r\n\r\n $s4 = \\\\\"update\\\\\" ascii\r\n\r\n $s5 = \\\\\"$data = RC4($key, $data);\\\\\" ascii\r\n\r\n condition:\r\n\r\n filesize < 5KB\r\n\r\n and all of them\r\n\r\n}",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2024-01-31T19:46:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
],
"x_misp_context": "all"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--1eca4c10-f005-44bc-ae13-a68d0fc0b921",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-31T19:47:12.000Z",
"modified": "2024-01-31T19:47:12.000Z",
"name": "M_Hunting_Webshell_CHAINLINE_1",
"pattern": "rule M_Hunting_Webshell_CHAINLINE_1 {\r\n\r\n meta:\r\n\r\n author = \\\\\"Mandiant\\\\\"\r\n\r\n description = \\\\\"This rule detects the CHAINLINE webshell, which receives \r\nRC4 encrypted commands and returns the execution result\\\\\"\r\n\r\n md5 = \\\\\"3045f5b3d355a9ab26ab6f44cc831a83\\\\\"\r\n\r\n strings:\r\n\r\n $s1 = \\\\\"crypt(command: str)\\\\\" ascii\r\n\r\n $s2 = \\\\\"tmp[i] = chr(ord(tmp[i])\\\\\" ascii\r\n\r\n $s3 = \\\\\"ord(RC4_KEY[i \\\\% len(RC4_KEY)])\\\\\" ascii\r\n\r\n $s4 = \\\\\"class Health(Resource)\\\\\" ascii\r\n\r\n $s5 = \\\\\"crypt(base64.b64decode(command.encode(\\\\\" ascii\r\n\r\n $s6 = \\\\\"base64.b64encode(crypt(result)\\\\\" ascii\r\n\r\n $s7 = \\\\\"{\\\\\\\\\"message\\\\\\\\\": \\'ok\\', \\\\\\\\\"stats\\\\\\\\\": result}\\\\\" ascii\r\n\r\n condition:\r\n\r\n filesize < 100KB and\r\n\r\n any of them\r\n\r\n}",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2024-01-31T19:47:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
],
"x_misp_context": "all"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--73ca8ee2-2418-45a0-b171-99a492b3b7b9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-31T19:48:06.000Z",
"modified": "2024-01-31T19:48:06.000Z",
"name": "M_HUNTING_APT_Webshell_FRAMESTING_result",
"pattern": "rule M_HUNTING_APT_Webshell_FRAMESTING_result\r\n\r\n{\r\n\r\n meta:\r\n\r\n author = \\\\\"Mandiant\\\\\"\r\n\r\n description = \\\\\"Detects strings associated with FRAMESTING webshell\\\\\"\r\n\r\n md5 = \\\\\"465600cece80861497e8c1c86a07a23e\\\\\"\r\n\r\n strings:\r\n\r\n $s1 = \\\\\"exec(zlib.decompress(aes.decrypt(base64.b64decode(data))),{\\'request\\':request,\\'cache\\'\\\\\"\r\n\r\n $s2 = \\\\\"result={\\'message\\':\\'\\',\\'action\\':0}\\\\\"\r\n\r\n \r\n\r\n condition:\r\n\r\n any of them\r\n\r\n}",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2024-01-31T19:48:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
],
"x_misp_context": "all"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--7f76662a-520a-439c-aa32-a1671c206fa7",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-31T19:48:44.000Z",
"modified": "2024-01-31T19:48:44.000Z",
"name": "M_Hunting_Webshell_LIGHTWIRE_4",
"pattern": "rule M_Hunting_Webshell_LIGHTWIRE_4 {\r\n\r\n meta:\r\n\r\n author = \\\\\"Mandiant\\\\\"\r\n\r\n description = \\\\\"Detects LIGHTWIRE based on the RC4 \r\ndecoding and execution 1-liner.\\\\\"\r\n\r\n md5 = \\\\\"3d97f55a03ceb4f71671aa2ecf5b24e9\\\\\"\r\n\r\n strings:\r\n\r\n $re1 = /eval\\\\{my.{1,20}Crypt::RC4->new\\\\(\\\\\\\\\".{1,50}->RC4\\\\(decode_base64\\\\(CGI::param\\\\(\\\\\\'.{1,30};eval\\\\s\\\\$.{1,30}\\\\\\\\\"Compatibility\\\\scheck:\\\\s\\\\$@\\\\\\\\\";\\\\}/\r\n\r\n condition:\r\n\r\n filesize < 1MB and all of them\r\n\r\n}",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2024-01-31T19:48:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
],
"x_misp_context": "all"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--bf920237-658b-4601-97fc-842fcb06055c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-31T19:49:37.000Z",
"modified": "2024-01-31T19:49:37.000Z",
"name": "M_Hunting_CredTheft_WARPWIRE_strings",
"pattern": "rule M_Hunting_CredTheft_WARPWIRE_strings\r\n\r\n{\r\n\r\n meta:\r\n\r\n author = \\\\\"Mandiant\\\\\"\r\n\r\n description = \\\\\"Detects strings within WARPWIRE credential harvester\\\\\"\r\n\r\n md5 = \\\\\"b15f47e234b5d26fb2cc81fc6fd89775\\\\\"\r\n\r\n strings:\r\n\r\n $header = \\\\\"function SetLastRealm(sValue) {\\\\\"\r\n\r\n \r\n\r\n // password fields\r\n\r\n $username = \\\\\"document.frmLogin.username.value;\\\\\"\r\n\r\n $password = \\\\\"document.frmLogin.password.value;\\\\\"\r\n\r\n \r\n\r\n // post version\r\n\r\n $btoa = \\\\\"btoa(\\\\\"\r\n\r\n $xhr_post = /xhr.open\\\\(.POST.,( )?url,/\r\n\r\n \r\n\r\n // get version\r\n\r\n $xhr_get = /xhr.open\\\\(.GET.,( )?url,/\r\n\r\n $xhr_send = \\\\\"xhr.send(null);\\\\\"\r\n\r\n \r\n\r\n condition:\r\n\r\n $header in (0..100) \r\n\r\n and $password in (@username[1]..@username[1]+100)\r\n\r\n and ((#btoa > 1 and $xhr_post) or ($xhr_send in (@xhr_get[1]..@xhr_get[1]+50)))\r\n\r\n}",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2024-01-31T19:49:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
],
"x_misp_context": "all"
},
{
"type": "note",
"spec_version": "2.1",
"id": "note--bca78d65-fde0-45e0-b223-18bc04e4ad20",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-01-31T19:51:28.000Z",
"modified": "2024-01-31T19:51:28.000Z",
"abstract": "Report from - https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation (1706730657)",
"content": "# Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation\r\n\r\n## Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation\r\n\r\nMatt Lin, Robert Wallace, John Wolfram, Dimiter Andonov, Tyler McLellan Jan 31, 202420 min readThreat IntelligenceIncident ResponseUncategorized Groups (UNC Groups)Zero Day ThreatsVulnerabilitiesOn Jan. 12, 2024, Mandiant published a blog post detailing two high-impact zero-day vulnerabilities, CVE-2023-46805 and CVE-2024-21887, affecting Ivanti Connect Secure VPN (CS, formerly Pulse Secure) and Ivanti Policy Secure (PS) appliances. On Jan. 31, 2024, Ivanti disclosed two additional vulnerabilities impacting CS and PS devices, CVE-2024-21888 and CVE-2024-21893.\r\n\r\nThe vulnerabilities allow for an unauthenticated threat actor to execute arbitrary commands on the appliance with elevated privileges. As previously reported, Mandiant has identified zero-day exploitation of these vulnerabilities in the wild beginning as early as Dec. 3, 2023 by a suspected China-nexus espionage threat actor currently being tracked as UNC5221. \r\n\r\nMandiant has identified broad exploitation activity following the disclosure of the two vulnerabilities, both by UNC5221 and other uncategorized threat groups. Mandiant assesses that a significant portion of the post-advisory activity has been performed through automated methods.\r\n\r\nIn this follow-up blog post, we detail additional tactics, techniques, and procedures (TTPs) employed by UNC5221 and other threat groups during post-exploitation activity across our incident response engagements. We also detail new malware families and variants to previously identified malware families being used by UNC5221. We acknowledge the possibility that one or more related groups may be associated with the activity described in this blog post. It is likely that additional groups beyond UNC5221 have adopted one or more of these tools.\r\n\r\nThese observations have been supported through Mandiant's incident response engagements, working with Ivanti, and our partners. Mandiant is also providing additional recommendations for network defenders, including indicators of compromise (IOCs), and YARA rules.\r\n\r\n**Note:** Ivanti has released its first round of patches starting today, and it is scheduled to continue rolling out additional patches over the coming weeks. Ivanti recommends customers awaiting patches to apply the mitigation, run the external Integrity Checker Tool (ICT) to check for evidence of exploitation, and continue following the KB article to receive product updates as they become available. \r\n\r\n## Post Exploitation Activity Updates\r\n\r\n### Mitigation Bypass\r\n\r\nA mitigation bypass technique was recently identified that led to the deployment of a custom webshell tracked as BUSHWALK. Successful exploitation would bypass the initial mitigation provided by Ivanti on Jan. 10, 2024. At this time, Mandiant assesses the mitigation bypass activity is highly targeted, limited, and is distinct from the post-advisory mass exploitation activity. \r\n\r\n**Note:** The external ICT successfully detected the presence of the new web shell. We have observed the threat actor clean up traces of their activity and restore the system to a clean state after deploying BUSHWALK through the mitigation bypass technique. The ICT is a snapshot of the current state of the appliance and cannot necessarily detect threat actor activity if they have returned the appliance to a clean state. In addition, the patches address and fix the mitigation bypass.\r\n\r\nSimilar to other web shells observed in this campaign, BUSHWALK is written in Perl and is embedded into a legitimate CS file, querymanifest.cgi. BUSHWALK provides a threat actor the ability to read or write to files to a server.\r\n\r\nBUSHWALK executes its malicious Perl function, validateVersion, if the web request platform parameter is SafariiOS. It uses Base64 and RC4 to decode and decrypt the threat actor\u2019s payload in the web request\u2019s co [\u2026 remainder of note content truncated in this view]",
"object_refs": [
"report--34237efb-adf4-452b-a322-0cbed70c7b33"
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}