{
"type": "bundle",
"id": "bundle--92214b3e-76c6-48b1-bf92-061c7f55e302",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-04-26T12:01:50.000Z",
"modified": "2024-04-26T12:01:50.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--92214b3e-76c6-48b1-bf92-061c7f55e302",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-04-26T12:01:50.000Z",
"modified": "2024-04-26T12:01:50.000Z",
"name": "OSINT - ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices",
"published": "2024-04-26T12:02:28Z",
"object_refs": [
"vulnerability--d2308b7f-920b-45e4-b902-30855f64ec91",
"vulnerability--b5c337b6-ac51-4a95-b7d8-0663d6847978",
"vulnerability--30140c43-9b0e-4731-8254-283d98dd016f",
"x-misp-object--3e1516ac-fe11-478f-aac8-c0083c42e4c9",
"vulnerability--0d6f8c29-a5d7-4e0b-8d68-1c390e94134d",
"indicator--85e3eade-a4dc-4c19-b119-d4258bbfd957",
"indicator--7deae7be-9a3d-459b-915c-1294d1e1f6a2",
"x-misp-object--0208b8b4-acd8-4828-b6a2-8b7a5606ee93",
"x-misp-object--edce3b9b-3cc1-4621-a0e6-8bcda0de4318",
"note--e03f267e-103c-4c40-a9b8-83a09502db13",
"relationship--d22cbb75-c345-41cd-8b30-678a244689a5",
"relationship--abac6509-634d-489e-9f20-6bc9b4d3a426",
"relationship--6e8d646f-330c-4f3e-b39f-ac9e672d01c5",
"relationship--9c9cc33c-050c-4891-9dc5-32cbe90c0e99",
"relationship--264f99f1-579e-4f0b-95f4-f1994025bc28",
"relationship--e732520b-fb19-4eb9-9408-6d5e195a6088",
"relationship--7d2d1bd4-570e-45d6-acd9-0c0f59ade867",
"relationship--9bfcc691-f8b6-423c-8c7e-3f8c16cb3a8c"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"tlp:clear",
"misp-galaxy:mitre-attack-pattern=\"External Remote Services - T1133\"",
"misp-galaxy:threat-actor=\"ArcaneDoor\"",
"misp-galaxy:producer=\"Cisco Talos Intelligence Group\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--d2308b7f-920b-45e4-b902-30855f64ec91",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-04-25T11:22:35.000Z",
"modified": "2024-04-25T11:22:35.000Z",
"name": "CVE-2024-20353",
"labels": [
"misp:type=\"vulnerability\"",
"misp:category=\"External analysis\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2024-20353"
}
]
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--b5c337b6-ac51-4a95-b7d8-0663d6847978",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-04-25T11:25:45.000Z",
"modified": "2024-04-25T11:25:45.000Z",
"name": "CVE-2024-20359",
"labels": [
"misp:type=\"vulnerability\"",
"misp:category=\"External analysis\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2024-20359"
}
]
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--30140c43-9b0e-4731-8254-283d98dd016f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-04-25T11:22:45.000Z",
"modified": "2024-04-25T11:22:45.000Z",
"name": "CVE-2024-20353",
"description": "A vulnerability in the management and VPN web servers for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition.\n\n This vulnerability is due to incomplete error checking when parsing an HTTP header. An attacker could exploit this vulnerability by sending a crafted HTTP request to a targeted web server on a device. A successful exploit could allow the attacker to cause a DoS condition when the device reloads.",
"labels": [
"misp:name=\"vulnerability\"",
"misp:meta-category=\"vulnerability\"",
"misp:to_ids=\"False\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2024-20353"
},
{
"source_name": "url",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-websrvs-dos-X8gNucD2"
}
],
"x_misp_modified": "2024-04-24T19:58:00+00:00",
"x_misp_published": "2024-04-24T19:15:00+00:00",
"x_misp_state": "Published"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--3e1516ac-fe11-478f-aac8-c0083c42e4c9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-04-25T11:24:58.000Z",
"modified": "2024-04-25T11:24:58.000Z",
"labels": [
"misp:name=\"script\"",
"misp:meta-category=\"misc\"",
"cycat:scope=\"detection\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "script",
"value": "show memory region | include lina",
"category": "Other",
"uuid": "15323ff3-4308-4b2b-9023-d2577560415e"
},
{
"type": "text",
"object_relation": "comment",
"value": "Additionally, organizations can issue the ASA/FTD CLI command show memory region | include lina to identify another indicator of compromise. If the output indicates more than one executable memory region (memory regions having r-xp permissions; see the output examples in the referenced Talos blog post), especially if one of these memory sections is exactly 0x1000 bytes, then this is a sign of potential tampering.",
"category": "Other",
"uuid": "cfcadedb-7c72-475e-adf0-4d2d1e99878e"
},
{
"type": "text",
"object_relation": "state",
"value": "Trusted",
"category": "Other",
"uuid": "d36b5e3d-799b-468e-bd54-fc80c19ab3e8"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "script"
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--0d6f8c29-a5d7-4e0b-8d68-1c390e94134d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-04-25T11:25:55.000Z",
"modified": "2024-04-25T11:25:55.000Z",
"name": "CVE-2024-20359",
"description": "A vulnerability in a legacy capability that allowed for the preloading of VPN clients and plug-ins and that has been available in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to execute arbitrary code with root-level privileges. Administrator-level privileges are required to exploit this vulnerability.\n\n This vulnerability is due to improper validation of a file when it is read from system flash memory. An attacker could exploit this vulnerability by copying a crafted file to the disk0: file system of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the affected device after the next reload of the device, which could alter system behavior. Because the injected code could persist across device reboots, Cisco has raised the Security Impact Rating (SIR) of this advisory from Medium to High.",
"labels": [
"misp:name=\"vulnerability\"",
"misp:meta-category=\"vulnerability\"",
"misp:to_ids=\"False\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2024-20359"
},
{
"source_name": "url",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-rce-FLsNXF4h"
}
],
"x_misp_modified": "2024-04-24T19:58:00+00:00",
"x_misp_published": "2024-04-24T19:15:00+00:00",
"x_misp_state": "Published"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--85e3eade-a4dc-4c19-b119-d4258bbfd957",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-04-26T09:53:19.000Z",
"modified": "2024-04-26T09:53:19.000Z",
"description": "Actor-controlled infrastructure, as listed in the referenced Talos blog post. Note: the STIX pattern below joins every address with AND inside a single observation expression, which in STIX 2.1 patterning requires all comparisons to match the same network-traffic object; for detection, treat the addresses as an OR list (any one destination IP is a match).",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '192.36.57.181') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.167.60.85') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.227.111.17') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '176.31.18.153') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '172.105.90.154') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.244.210.120') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.86.163.224') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '172.105.94.93') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '213.156.138.77') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '89.44.198.189') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.77.52.253') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.114.200.230') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '212.193.2.48') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '51.15.145.37') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '89.44.198.196') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '131.196.252.148') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '213.156.138.78') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '121.227.168.69') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '213.156.138.68') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND 
network-traffic:dst_ref.value = '194.4.49.6') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.244.210.65') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '216.238.75.155')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-04-26T09:53:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--7deae7be-9a3d-459b-915c-1294d1e1f6a2",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-04-26T09:56:53.000Z",
"modified": "2024-04-26T09:56:53.000Z",
"description": "Multi-tenant infrastructure: hosts observed in the campaign that are likely shared with unrelated tenants, so treat these as lower confidence than the actor-controlled set and expect false positives if blocked outright. Note: the STIX pattern below joins every address with AND inside a single observation expression; for detection, treat the addresses as an OR list (any one destination IP is a match).",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.183.95.95') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.63.119.131') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.76.118.87') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.77.54.14') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.86.163.244') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.128.134.189') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '89.44.198.16') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '96.44.159.46') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.20.222.218') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.27.132.69') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.51.140.101') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.119.3.230') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.125.218.198') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '104.156.232.22') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '107.148.19.88') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '107.172.16.208') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '107.173.140.111') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '121.37.174.139') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '139.162.135.12') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND 
network-traffic:dst_ref.value = '149.28.166.244') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '152.70.83.47') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '154.22.235.13') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '154.22.235.17') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '154.39.142.47') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '172.233.245.241') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.123.101.250') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '192.210.137.35') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '194.32.78.183') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '205.234.232.196') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '207.148.74.250') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '216.155.157.136') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '216.238.66.251') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '216.238.71.49') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '216.238.72.201') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '216.238.74.95') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '216.238.81.149') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '216.238.85.220') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '216.238.86.24')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-04-26T09:56:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--0208b8b4-acd8-4828-b6a2-8b7a5606ee93",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-04-26T10:02:26.000Z",
"modified": "2024-04-26T10:02:26.000Z",
"labels": [
"misp:name=\"report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "link",
"value": "https://www.circl.lu/pub/tr-85/",
"category": "External analysis",
"uuid": "4adedfd7-ebec-49d0-918d-3f6d72b0ad7f"
},
{
"type": "text",
"object_relation": "title",
"value": "TR-85 - Three vulnerabilities in Cisco ASA software/appliance and FTD software being exploited",
"category": "Other",
"uuid": "876a0562-e07d-4941-b07c-59d6b7828d78"
},
{
"type": "text",
"object_relation": "type",
"value": "Report",
"category": "Other",
"uuid": "59600f8c-3f2a-4170-a608-1bd6bc011f41"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "report"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--edce3b9b-3cc1-4621-a0e6-8bcda0de4318",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-04-26T10:03:03.000Z",
"modified": "2024-04-26T10:03:03.000Z",
"labels": [
"misp:name=\"report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "link",
"value": "https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/",
"category": "External analysis",
"uuid": "89c350a4-bfa3-4bd7-bb55-7797fd8aec30"
},
{
"type": "text",
"object_relation": "title",
"value": "ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices",
"category": "Other",
"uuid": "7b4c9d6b-d223-4233-a32b-fee0a6b28a1b"
},
{
"type": "text",
"object_relation": "type",
"value": "Blog",
"category": "Other",
"uuid": "84d26378-d46c-4687-9700-055579df03dc"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "report"
},
{
"type": "note",
"spec_version": "2.1",
"id": "note--e03f267e-103c-4c40-a9b8-83a09502db13",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-04-25T11:27:12.000Z",
"modified": "2024-04-25T11:27:12.000Z",
"abstract": "Report from - https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/ (1714044381 - presumably the Unix-epoch capture time, i.e. 2024-04-25T11:26:21Z)",
"content": "# ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices\r\n\r\nBy Cisco Talos \r\n\r\nWednesday, April 24, 2024 11:54 Threat Advisory Threats APT ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns. As a critical path for data into and out of the network, these devices need to be routinely and promptly patched; using up-to-date hardware and software versions and configurations; and be closely monitored from a security perspective. Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications. In the past two years, we have seen a dramatic and sustained increase in the targeting of these devices in areas such as telecommunications providers and energy sector organizations \u2014 critical infrastructure entities that are likely strategic targets of interest for many foreign governments. \r\n\r\nCisco\u2019s position as a leading global network infrastructure vendor gives Talos\u2019 Intelligence and Interdiction team immense visibility into the general state of network hygiene. This also gives us uniquely positioned investigative capability into attacks of this nature. Early in 2024, a vigilant customer reached out to both Cisco\u2019s Product Security Incident Response Team (PSIRT) and Cisco Talos to discuss security concerns with their Cisco Adaptive Security Appliances (ASA). PSIRT and Talos came together to launch an investigation to assist the customer. During that investigation, which eventually included several external intelligence partners and spanned several months, we identified a previously unknown actor now tracked as UAT4356 by Talos and STORM-1849 by the Microsoft Threat Intelligence Center. 
This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor. \r\n\r\nUAT4356 deployed two backdoors as components of this campaign, \u201cLine Runner\u201d and \u201cLine Dancer,\u201d which were used collectively to conduct malicious actions on-target, which included configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement. \r\n\r\n## **Critical Fixes Available**\r\n\r\nWorking with victims and intelligence partners, Cisco uncovered a sophisticated attack chain that was used to implant custom malware and execute commands across a small set of customers. While we have been unable to identify the initial attack vector, we have identified two vulnerabilities (CVE-2024-20353 and CVE-2024-20359), which we detail below. Customers are strongly advised to follow the guidance published in the security advisories discussed below. \r\n\r\nFurther, network telemetry and information from intelligence partners indicate the actor is interested in \u2014 and potentially attacking \u2014 network devices from Microsoft and other vendors. Regardless of your network equipment provider, now is the time to ensure that the devices are properly patched, logging to a central, secure location, and configured to have strong, multi-factor authentication (MFA). Additional recommendations specific to Cisco are available here. \r\n\r\n## **Timeline**\r\n\r\nCisco was initially alerted to suspicious activity on an ASA device in early 2024. The investigation that followed identified additional victims, all of which involved government networks globally. During the investigation, we identified actor-controlled infrastructure dating back to early November 2023, with most activity taking place between December 2023 and early January 2024. 
Further, we have identified evidence that suggests this capability was being tested and developed as early as July 2023. \r\n\r\nCisco has identified two vulnerabilities that w
"object_refs": [
"report--92214b3e-76c6-48b1-bf92-061c7f55e302"
]
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--d22cbb75-c345-41cd-8b30-678a244689a5",
"created": "2024-04-25T11:22:45.000Z",
"modified": "2024-04-25T11:22:45.000Z",
"relationship_type": "related-to",
"source_ref": "vulnerability--30140c43-9b0e-4731-8254-283d98dd016f",
"target_ref": "vulnerability--d2308b7f-920b-45e4-b902-30855f64ec91"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--abac6509-634d-489e-9f20-6bc9b4d3a426",
"created": "2024-04-25T11:25:55.000Z",
"modified": "2024-04-25T11:25:55.000Z",
"relationship_type": "related-to",
"source_ref": "vulnerability--0d6f8c29-a5d7-4e0b-8d68-1c390e94134d",
"target_ref": "vulnerability--b5c337b6-ac51-4a95-b7d8-0663d6847978"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--6e8d646f-330c-4f3e-b39f-ac9e672d01c5",
"created": "2024-04-26T10:01:21.000Z",
"modified": "2024-04-26T10:01:21.000Z",
"relationship_type": "references",
"source_ref": "x-misp-object--0208b8b4-acd8-4828-b6a2-8b7a5606ee93",
"target_ref": "x-misp-object--3e1516ac-fe11-478f-aac8-c0083c42e4c9"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--9c9cc33c-050c-4891-9dc5-32cbe90c0e99",
"created": "2024-04-26T10:02:26.000Z",
"modified": "2024-04-26T10:02:26.000Z",
"relationship_type": "references",
"source_ref": "x-misp-object--0208b8b4-acd8-4828-b6a2-8b7a5606ee93",
"target_ref": "x-misp-object--edce3b9b-3cc1-4621-a0e6-8bcda0de4318"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--264f99f1-579e-4f0b-95f4-f1994025bc28",
"created": "2024-04-26T10:01:46.000Z",
"modified": "2024-04-26T10:01:46.000Z",
"relationship_type": "references",
"source_ref": "x-misp-object--edce3b9b-3cc1-4621-a0e6-8bcda0de4318",
"target_ref": "indicator--7deae7be-9a3d-459b-915c-1294d1e1f6a2"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--e732520b-fb19-4eb9-9408-6d5e195a6088",
"created": "2024-04-26T10:02:08.000Z",
"modified": "2024-04-26T10:02:08.000Z",
"relationship_type": "references",
"source_ref": "x-misp-object--edce3b9b-3cc1-4621-a0e6-8bcda0de4318",
"target_ref": "indicator--85e3eade-a4dc-4c19-b119-d4258bbfd957"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--7d2d1bd4-570e-45d6-acd9-0c0f59ade867",
"created": "2024-04-26T10:02:41.000Z",
"modified": "2024-04-26T10:02:41.000Z",
"relationship_type": "references",
"source_ref": "x-misp-object--edce3b9b-3cc1-4621-a0e6-8bcda0de4318",
"target_ref": "vulnerability--30140c43-9b0e-4731-8254-283d98dd016f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--9bfcc691-f8b6-423c-8c7e-3f8c16cb3a8c",
"created": "2024-04-26T10:03:03.000Z",
"modified": "2024-04-26T10:03:03.000Z",
"relationship_type": "references",
"source_ref": "x-misp-object--edce3b9b-3cc1-4621-a0e6-8bcda0de4318",
"target_ref": "vulnerability--0d6f8c29-a5d7-4e0b-8d68-1c390e94134d"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}