648 lines
38 KiB
JSON
648 lines
38 KiB
JSON
|
{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--ab1a2393-2d57-46c9-91ab-16a4cc4b0b03",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2024-01-11T09:17:31.000Z",
|
||
|
"modified": "2024-01-11T09:17:31.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--ab1a2393-2d57-46c9-91ab-16a4cc4b0b03",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2024-01-11T09:17:31.000Z",
|
||
|
"modified": "2024-01-11T09:17:31.000Z",
|
||
|
"name": "Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN",
|
||
|
"published": "2024-01-11T09:18:07Z",
|
||
|
"object_refs": [
|
||
|
"indicator--f1d712c8-f336-400d-bbf0-c9e8b27a795b",
|
||
|
"indicator--de5c9a32-5ba3-4239-92d8-de6c2142358b",
|
||
|
"indicator--ada02401-f889-4449-b295-8601cf5f38b8",
|
||
|
"indicator--728e4788-1426-4e11-83f9-b8f48687977f",
|
||
|
"indicator--32fbec85-2e02-4189-b059-371cf8bb3a10",
|
||
|
"indicator--218e87c7-80fc-4da2-ad8e-b2bcf45d400a",
|
||
|
"indicator--1f1dbd3d-97bb-48dd-a894-fc3677083c9d",
|
||
|
"indicator--641694ff-1188-4881-b338-7d937166b227",
|
||
|
"indicator--80f560c4-17af-4dad-bb29-a571855158f3",
|
||
|
"indicator--e32a8926-cd0d-4ef6-a9d5-299285c308d5",
|
||
|
"indicator--4ff1da96-2964-420e-b7b9-342ab6b4531a",
|
||
|
"indicator--03660afe-c0b1-47cb-b2b4-a655462bc508",
|
||
|
"indicator--8ddecf8b-e114-49bc-aec0-3411cea29b3a",
|
||
|
"indicator--bba1dda1-0549-4ff3-9bd5-a171607feff0",
|
||
|
"indicator--d986eda3-042b-4545-b215-67b958f2158a",
|
||
|
"indicator--273692af-e54a-47e3-868c-2f4127a9926b",
|
||
|
"indicator--a0a58c68-a293-4c79-855e-d3d2d7a7485c",
|
||
|
"indicator--3fe18b3b-2e24-4db0-b0b4-5646f8a97f02",
|
||
|
"indicator--928de076-6e3d-4492-b5d5-36ba2008bfdc",
|
||
|
"indicator--97b583de-2744-4fac-80e2-56e10ee609e7",
|
||
|
"indicator--f1c5f3fa-9eb1-48b7-afac-b325b0eb7678",
|
||
|
"indicator--0ad979bb-2a53-4901-b0ce-57b059bbe50e",
|
||
|
"x-misp-object--da71a896-f3b8-41c8-8c55-021aba0d14a7"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"",
|
||
|
"type:OSINT",
|
||
|
"osint:lifetime=\"perpetual\"",
|
||
|
"tlp:clear"
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--f1d712c8-f336-400d-bbf0-c9e8b27a795b",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2024-01-11T09:07:55.000Z",
|
||
|
"modified": "2024-01-11T09:07:55.000Z",
|
||
|
"description": "DigitalOcean IP address tied to UTA0178",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '206.189.208.156']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2024-01-11T09:07:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--de5c9a32-5ba3-4239-92d8-de6c2142358b",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2024-01-11T09:08:19.000Z",
|
||
|
"modified": "2024-01-11T09:08:19.000Z",
|
||
|
"description": "Suspected UTA0178 domain discovered via domain registration patterns",
|
||
|
"pattern": "[domain-name:value = 'gpoaccess.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2024-01-11T09:08:19Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--ada02401-f889-4449-b295-8601cf5f38b8",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2024-01-11T09:08:39.000Z",
|
||
|
"modified": "2024-01-11T09:08:39.000Z",
|
||
|
"description": "Suspected UTA0178 domain discovered via domain registration patterns",
|
||
|
"pattern": "[domain-name:value = 'webb-institute.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2024-01-11T09:08:39Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--728e4788-1426-4e11-83f9-b8f48687977f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2024-01-11T09:08:57.000Z",
|
||
|
"modified": "2024-01-11T09:08:57.000Z",
|
||
|
"description": "UTA0178 domain used to collect credentials from compromised devices",
|
||
|
"pattern": "[domain-name:value = 'symantke.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2024-01-11T09:08:57Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--32fbec85-2e02-4189-b059-371cf8bb3a10",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2024-01-11T09:09:29.000Z",
|
||
|
"modified": "2024-01-11T09:09:29.000Z",
|
||
|
"description": "UTA0178 IP address observed interacting with compromised device",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '75.145.243.85']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2024-01-11T09:09:29Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--218e87c7-80fc-4da2-ad8e-b2bcf45d400a",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2024-01-11T09:09:58.000Z",
|
||
|
"modified": "2024-01-11T09:09:58.000Z",
|
||
|
"description": "UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '47.207.9.89']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2024-01-11T09:09:58Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--1f1dbd3d-97bb-48dd-a894-fc3677083c9d",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2024-01-11T09:09:58.000Z",
|
||
|
"modified": "2024-01-11T09:09:58.000Z",
|
||
|
"description": "UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '98.160.48.170']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2024-01-11T09:09:58Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--641694ff-1188-4881-b338-7d937166b227",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2024-01-11T09:09:58.000Z",
|
||
|
"modified": "2024-01-11T09:09:58.000Z",
|
||
|
"description": "UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '173.220.106.166']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2024-01-11T09:09:58Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--80f560c4-17af-4dad-bb29-a571855158f3",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2024-01-11T09:09:58.000Z",
|
||
|
"modified": "2024-01-11T09:09:58.000Z",
|
||
|
"description": "UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '73.128.178.221']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2024-01-11T09:09:58Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--e32a8926-cd0d-4ef6-a9d5-299285c308d5",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2024-01-11T09:09:58.000Z",
|
||
|
"modified": "2024-01-11T09:09:58.000Z",
|
||
|
"description": "UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '50.243.177.161']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2024-01-11T09:09:58Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--4ff1da96-2964-420e-b7b9-342ab6b4531a",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2024-01-11T09:09:58.000Z",
|
||
|
"modified": "2024-01-11T09:09:58.000Z",
|
||
|
"description": "UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '50.213.208.89']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2024-01-11T09:09:58Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--03660afe-c0b1-47cb-b2b4-a655462bc508",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2024-01-11T09:09:58.000Z",
|
||
|
"modified": "2024-01-11T09:09:58.000Z",
|
||
|
"description": "UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '64.24.179.210']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2024-01-11T09:09:58Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--8ddecf8b-e114-49bc-aec0-3411cea29b3a",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2024-01-11T09:09:58.000Z",
|
||
|
"modified": "2024-01-11T09:09:58.000Z",
|
||
|
"description": "UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '75.145.224.109']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2024-01-11T09:09:58Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--bba1dda1-0549-4ff3-9bd5-a171607feff0",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2024-01-11T09:09:58.000Z",
|
||
|
"modified": "2024-01-11T09:09:58.000Z",
|
||
|
"description": "UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '50.215.39.49']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2024-01-11T09:09:58Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--d986eda3-042b-4545-b215-67b958f2158a",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2024-01-11T09:09:58.000Z",
|
||
|
"modified": "2024-01-11T09:09:58.000Z",
|
||
|
"description": "UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '71.127.149.194']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2024-01-11T09:09:58Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--273692af-e54a-47e3-868c-2f4127a9926b",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2024-01-11T09:09:58.000Z",
|
||
|
"modified": "2024-01-11T09:09:58.000Z",
|
||
|
"description": "UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '173.53.43.7']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2024-01-11T09:09:58Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--a0a58c68-a293-4c79-855e-d3d2d7a7485c",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2024-01-11T09:13:48.000Z",
|
||
|
"modified": "2024-01-11T09:13:48.000Z",
|
||
|
"description": "GLASSTOKEN webshells",
|
||
|
"pattern": "[file:hashes.MD5 = '701fdc38b2dc9a605fe3f0877baca62e' AND file:hashes.SHA1 = '4602efceb1cca1f2521193a6703362f27d424a91' AND file:hashes.SHA256 = 'a24d442980715a861674d45085c2f2c138c8a2354cc9c2cb02395533f6d37d85' AND file:name = 'glasstoken_v2.aspx' AND file:size = '818' AND (file:content_ref.payload_bin = 'UEsDBBQACQAIALhJK1iikQW0pAEAADIDAAAgABwANzAxZmRjMzhiMmRjOWE2MDVmZTNmMDg3N2JhY2E2MmVVVAkAA0yxn2VMsZ9ldXgLAAEEIQAAAAQhAAAAGtFq0wsq86RPEzBYdqDjiVzzJD8tdqa9s3KbTRdxuNCIyvjsCt+65ZwJkzCPLVtHEtCWVjXZhITSi2CpeeRKhBb2Os/BQQZgh3a/JLz89Of2oswbpc6FvYBwXqWytVxARCbJ50Dx/1IIShgs+gH7l0/U7JKpPVzxPHuZ2oy+1+sUvtNQx932oju3NgQJZs/8X75qy1ZUTN/0UXhRwkEVKrVJ860fmmKae9C62bVvSHAHDOFO/AJyG5KazDBDoH9lfutWEP39v2gV11OcqVeZHBX4dqcLjmez4ChFh20lpETdzbsHxks7v3iwXPPxD2VTA2Qp+eD1gEbyirQWmA/uAxc1c2TN6aDSuxgnetaOE9oARuDQJvse2bgxLGbZ9Gb6QfizRW631yse9xOnw90GDikCnLIdRwM+GY/1Oo/2QMm7AGt1SlobV7mtocR8SXKm/G5rc7Das9TvBGB6Lvf8Cyw+qtJf0EeXTACVY5p8GA+SQDC726NKYFLXJ0LkHbPTAv788KhZRxaCvGuzCwFMkI/Pt/T16erZBZYGo32WpVqs7CmsUEsHCKKRBbSkAQAAMgMAAFBLAwQKAAkAAAC4SStYQZwl8R4AAAASAAAALQAcADcwMWZkYzM4YjJkYzlhNjA1ZmUzZjA4NzdiYWNhNjJlLmZpbGVuYW1lLnR4dFVUCQADTLGfZUyxn2V1eAsAAQQhAAAABCEAAAC4OlsOJ67fq30o/Ay1x8ug2IYA7cqPGXHdXdZk/cNQSwcIQZwl8R4AAAASAAAAUEsBAh4DFAAJAAgAuEkrWKKRBbSkAQAAMgMAACAAGAAAAAAAAQAAAKSBAAAAADcwMWZkYzM4YjJkYzlhNjA1ZmUzZjA4NzdiYWNhNjJlVVQFAANMsZ9ldXgLAAEEIQAAAAQhAAAAUEsBAh4DCgAJAAAAuEkrWEGcJfEeAAAAEgAAAC0AGAAAAAAAAQAAAKSBDgIAADcwMWZkYzM4YjJkYzlhNjA1ZmUzZjA4NzdiYWNhNjJlLmZpbGVuYW1lLnR4dFVUBQADTLGfZXV4CwABBCEAAAAEIQAAAFBLBQYAAAAAAgACANkAAACjAgAAAAA=' AND file:content_ref.x_misp_filename = 'glasstoken_v2.aspx' AND file:content_ref.hashes.MD5 = '701fdc38b2dc9a605fe3f0877baca62e' AND file:content_ref.mime_type = 'application/zip' AND file:content_ref.encryption_algorithm = 'mime-type-indicated' AND file:content_ref.decryption_key = 'infected')]",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2024-01-11T09:13:48Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--3fe18b3b-2e24-4db0-b0b4-5646f8a97f02",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2024-01-11T09:13:48.000Z",
|
||
|
"modified": "2024-01-11T09:13:48.000Z",
|
||
|
"description": "GLASSTOKEN webshells",
|
||
|
"pattern": "[file:hashes.MD5 = 'da0e21202e53d590e4258a893456ab44' AND file:hashes.SHA1 = 'dec06ef16010de8a3a713d929b33bbc0ca0d4380' AND file:hashes.SHA256 = '00161c82ad7b297bb96d06c24706e6688ea1fdd54399aeebc442e36c6cf5bee0' AND file:name = 'glasstoken_v1.aspx' AND file:size = '2265' AND (file:content_ref.payload_bin = 'UEsDBBQACQAIALhJK1gGJAX21gMAANkIAAAgABwAZGEwZTIxMjAyZTUzZDU5MGU0MjU4YTg5MzQ1NmFiNDRVVAkAA0yxn2VMsZ9ldXgLAAEEIQAAAAQhAAAAWjU22UakYhB0x8E88pgq8WkZ+nxiO66F+D0wwlyDSfv4qyJis+mxgMSM/5kWv7P6ePXLnabFSXYMoiEc/dMjPt3o6A336ANMCY7UyiD3LRNNTHO1guN3nTz+BrOXmdi30qX+Q1YpNVbUUxcqTvSWAZYcSjLNqm1LcDZIApt6lm58SNtYGWYZoCENNSYDese3ZcGh6Eu1pYb/mLTrmZ9jBmo33YVLQteAoyVVxr5z09PuRSvCvLNHzmi3eOLevhbvmMG7po9v1Z1M+zLAmthh8o82Xm1W1HlGfUo4I+nmgR7Qk+gWYABfp6+OoWRJZ5uCRJJAc4v9z/EfKkecvpH6roKVWwDXbW2RHpK2yYCE0dlsDiSGgD/UzJ1fJxWho/LQ8M8BvxJ8VTsofF4kJfkBoveX/6xwrPBjkbXwS9swZ58OJcNLTCaP1+K8UIntlddvfbUTrJm2GrCMwv/qDJra8wsMZVZWzizNZV+2iUDouQPoF0dGWv8dC95BkWPEaHCAbzdwYCOE8OM4UArMLKlvDVn1q1FPiQcXiNW3NuxMMXt4S05owR8WpkBCVpsLDr0lFQCu/dPBbamsqTPxEm0NFFvCrnIQgg+754P+sZT12YTEXGRXlxJtDycvKiYyiT/0ZnZxDKlbcsaNOfEyba92DGLJWDOrw6F1uemsbwfp9yTKu5UZt9laH8KjfdPtF8t1yoEiWLk5G5mUiwPEAMf+WY1CenDhffdGk/l8Jt4qOsxZBNcubyNWdvaspkSOkYRX6yzUpd7HGApdqd9Etr4cHXNpBpJLDC1vBpl3Ev5kmiE9BSCbIscFySyVlzoHc04JkDTN3UjYxVQ5Vt1LGCEUpL7zww6nXP9Cg9Xk+EEY4vD9rA3WGITra+2QKAPj/oqKyDTYHmwbU2ATxMfkX77YwqQXEXHXOZX1YUFF25ZSLjc8nfhSh0oS6c/f1zqE3KvQvGtCm+uJ60QQu9iIB/s7LHJrlaRM4TqfeP8DwF9yetEEI0Oi+aV3Q0vmysD/vgksyD4GAVa0+n/UNIw3MwcBN37eg4ss1ijh45NKg0eGWezBO7zgpJbI8W9WfooUqTu56CTEbem0iItuCKLcvZTt1LH4Yv8jBEyD/ANitKnvuGq1iRcLScVS4mAVQd5/7X7QiexrttFl3fONOrwBgJFVyZnSKK+b6lB1CbaqUJaV/Wpc5kEXbWf0QUVL39wEdXsinSSlM6xau8jD/R6vYU1khf20AQxat1sQzH1lRGj76+yfSQ3CP1Yeu1mibR2SCOMOdD08nZTzakd5qkYqUvKR3si6AzhjaVBLBwgGJAX21gMAANkIAABQSwMECgAJAAAAuEkrWO/usXceAAAAEgAAAC0AHABkYTBlMjEyMDJlNTNkNTkwZTQyNThhODkzNDU2YWI0NC5maWxlbmFtZS50eHRVVAkAA0yxn2VMsZ9ldXgLAAEEIQAAAAQhAAAAK6Z4N6QFCskRpYL9JqE8bGBxegFMxnkRQQlmwUFmUEsHCO/usXceAAAAEgAAAFBLAQIeAxQACQAIALhJK1gGJAX21gMAANkIAAAgABgAAAAAAAEAAACkgQAAAABkYTBlMjEyMDJlNTNkNTkwZTQyNThhODkzNDU2YWI0NFVUBQADTLGfZXV4CwABBCEAAAAEIQAAAFBLAQIeAwoACQAAALhJK1jv7rF3HgAAABIAAAAtABgAAAAAAAEAAACkgUAEAABkYTBlMjEyMDJlNTNkNTkwZTQyNThhODkzNDU2YWI0NC5maWxlbmFtZS50eHRVVAUAA0yxn2V1eAsAAQQhAAAABCEAAABQSwUGAAAAAAIAAgDZAAAA1QQAAAAA' AND file:content_ref.x_misp_filename = 'glasstoken_v1.aspx' AND file:content_ref.hashes.MD5 = 'da0e21202e53d590e4258a893456ab44' AND file:content_ref.mime_type = 'application/zip' AND file:content_ref.encryption_algorithm = 'mime-type-indicated' AND file:content_ref.decryption_key = 'infected')]",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2024-01-11T09:13:48Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--928de076-6e3d-4492-b5d5-36ba2008bfdc",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2024-01-11T09:14:44.000Z",
|
||
|
"modified": "2024-01-11T09:14:44.000Z",
|
||
|
"name": "hacktool_py_pysoxy",
|
||
|
"pattern": "rule hacktool_py_pysoxy\r\n{\r\n meta:\r\n author = \\\\\"threatintel@volexity.com\\\\\"\r\n date = \\\\\"2024-01-09\\\\\"\r\n description = \\\\\"SOCKS5 proxy tool used to relay connections.\\\\\"\r\n hash1 = \\\\\"e192932d834292478c9b1032543c53edfc2b252fdf7e27e4c438f4b249544eeb\\\\\"\r\n os = \\\\\"all\\\\\"\r\n os_arch = \\\\\"all\\\\\"\r\n reference = \\\\\"https://github.com/MisterDaneel/pysoxy/blob/master/pysoxy.py\\\\\"\r\n report = \\\\\"TIB-20240109\\\\\"\r\n scan_context = \\\\\"file,memory\\\\\"\r\n last_modified = \\\\\"2024-01-09T13:45Z\\\\\"\r\n license = \\\\\"See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt\\\\\"\r\n rule_id = 10065\r\n version = 3\r\n\r\n strings:\r\n $s1 = \\\\\"proxy_loop\\\\\" ascii\r\n $s2 = \\\\\"connect_to_dst\\\\\" ascii\r\n $s3 = \\\\\"request_client\\\\\" ascii\r\n $s4 = \\\\\"subnegotiation_client\\\\\" ascii\r\n $s5 = \\\\\"bind_port\\\\\" ascii\r\n\r\n condition:\r\n all of them\r\n}",
|
||
|
"pattern_type": "yara",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2024-01-11T09:14:44Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "misc"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"yara\"",
|
||
|
"misp:meta-category=\"misc\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
],
|
||
|
"x_misp_context": "all"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--97b583de-2744-4fac-80e2-56e10ee609e7",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2024-01-11T09:15:24.000Z",
|
||
|
"modified": "2024-01-11T09:15:24.000Z",
|
||
|
"name": "webshell_aspx_regeorg",
|
||
|
"pattern": "rule webshell_aspx_regeorg\r\n{\r\n meta:\r\n author = \\\\\"threatintel@volexity.com\\\\\"\r\n date = \\\\\"2018-08-29\\\\\"\r\n description = \\\\\"Detects the reGeorg webshell based on common strings in the webshell. May also detect other webshells which borrow code from ReGeorg.\\\\\"\r\n hash = \\\\\"9d901f1a494ffa98d967ee6ee30a46402c12a807ce425d5f51252eb69941d988\\\\\"\r\n os = \\\\\"win\\\\\"\r\n os_arch = \\\\\"all\\\\\"\r\n reference = \\\\\"https://github.com/L-codes/Neo-reGeorg/blob/master/templates/tunnel.aspx\\\\\"\r\n report = \\\\\"TIB-20231215\\\\\"\r\n scan_context = \\\\\"file,memory\\\\\"\r\n last_modified = \\\\\"2024-01-09T10:04Z\\\\\"\r\n license = \\\\\"See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt\\\\\"\r\n rule_id = 410\r\n version = 7\r\n\r\n strings:\r\n $a1 = \\\\\"every office needs a tool like Georg\\\\\" ascii\r\n $a2 = \\\\\"cmd = Request.QueryString.Get(\\\\\\\\\"cmd\\\\\\\\\")\\\\\" ascii\r\n $a3 = \\\\\"exKak.Message\\\\\" ascii\r\n\r\n $proxy1 = \\\\\"if (rkey != \\\\\\\\\"Content-Length\\\\\\\\\" && rkey != \\\\\\\\\"Transfer-Encoding\\\\\\\\\")\\\\\"\r\n\r\n $proxy_b1 = \\\\\"StreamReader repBody = new StreamReader(response.GetResponseStream(), Encoding.GetEncoding(\\\\\\\\\"UTF-8\\\\\\\\\"));\\\\\" ascii\r\n $proxy_b2 = \\\\\"string rbody = repBody.ReadToEnd();\\\\\" ascii\r\n $proxy_b3 = \\\\\"Response.AddHeader(\\\\\\\\\"Content-Length\\\\\\\\\", rbody.Length.ToString());\\\\\" ascii\r\n\r\n condition:\r\n any of ($a*) or\r\n $proxy1 or\r\n all of ($proxy_b*)\r\n}",
|
||
|
"pattern_type": "yara",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2024-01-11T09:15:24Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "misc"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"yara\"",
|
||
|
"misp:meta-category=\"misc\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
],
|
||
|
"x_misp_context": "all"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--f1c5f3fa-9eb1-48b7-afac-b325b0eb7678",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2024-01-11T09:15:56.000Z",
|
||
|
"modified": "2024-01-11T09:15:56.000Z",
|
||
|
"name": "apt_webshell_aspx_glasstoken",
|
||
|
"pattern": "rule apt_webshell_aspx_glasstoken: UTA0178\r\n{\r\n meta:\r\n author = \\\\\"threatintel@volexity.com\\\\\"\r\n date = \\\\\"2023-12-12\\\\\"\r\n description = \\\\\"Detection for a custom webshell seen on external facing server. The webshell contains two functions, the first is to act as a Tunnel, using code borrowed from reGeorg, the second is custom code to execute arbitrary .NET code.\\\\\"\r\n hash1 = \\\\\"26cbb54b1feb75fe008e36285334d747428f80aacdb57badf294e597f3e9430d\\\\\"\r\n os = \\\\\"win\\\\\"\r\n os_arch = \\\\\"all\\\\\"\r\n report = \\\\\"TIB-20231215\\\\\"\r\n scan_context = \\\\\"file,memory\\\\\"\r\n last_modified = \\\\\"2024-01-09T10:08Z\\\\\"\r\n license = \\\\\"See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt\\\\\"\r\n rule_id = 9994\r\n version = 5\r\n\r\n strings:\r\n $s1 = \\\\\"=Convert.FromBase64String(System.Text.Encoding.Default.GetString(\\\\\" ascii\r\n $re = /Assembly\\\\.Load\\\\(errors\\\\)\\\\.CreateInstance\\\\(\\\\\"[a-z0-9A-Z]{4,12}\\\\\"\\\\).GetHashCode\\\\(\\\\);/\r\n\r\n condition:\r\n for any i in (0..#s1):\r\n (\r\n $re in (@s1[i]..@s1[i]+512)\r\n )\r\n}",
|
||
|
"pattern_type": "yara",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2024-01-11T09:15:56Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "misc"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"yara\"",
|
||
|
"misp:meta-category=\"misc\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
],
|
||
|
"x_misp_context": "all"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--0ad979bb-2a53-4901-b0ce-57b059bbe50e",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2024-01-11T09:16:29.000Z",
|
||
|
"modified": "2024-01-11T09:16:29.000Z",
|
||
|
"name": "apt_webshell_pl_complyshell",
|
||
|
"pattern": "rule apt_webshell_pl_complyshell: UTA0178\r\n{\r\n meta:\r\n author = \\\\\"threatintel@volexity.com\\\\\"\r\n date = \\\\\"2023-12-13\\\\\"\r\n description = \\\\\"Detection for the COMPLYSHELL webshell.\\\\\"\r\n hash1 = \\\\\"8bc8f4da98ee05c9d403d2cb76097818de0b524d90bea8ed846615e42cb031d2\\\\\"\r\n os = \\\\\"linux\\\\\"\r\n os_arch = \\\\\"all\\\\\"\r\n report = \\\\\"TIB-20231215\\\\\"\r\n scan_context = \\\\\"file,memory\\\\\"\r\n last_modified = \\\\\"2024-01-09T10:05Z\\\\\"\r\n license = \\\\\"See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt\\\\\"\r\n rule_id = 9995\r\n version = 4\r\n\r\n strings:\r\n $s = \\\\\"eval{my $c=Crypt::RC4->new(\\\\\"\r\n\r\n condition:\r\n $s\r\n}",
|
||
|
"pattern_type": "yara",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2024-01-11T09:16:29Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "misc"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"yara\"",
|
||
|
"misp:meta-category=\"misc\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
],
|
||
|
"x_misp_context": "all"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-object",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-object--da71a896-f3b8-41c8-8c55-021aba0d14a7",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2024-01-11T09:17:31.000Z",
|
||
|
"modified": "2024-01-11T09:17:31.000Z",
|
||
|
"labels": [
|
||
|
"misp:name=\"report\"",
|
||
|
"misp:meta-category=\"misc\""
|
||
|
],
|
||
|
"x_misp_attributes": [
|
||
|
{
|
||
|
"type": "link",
|
||
|
"object_relation": "link",
|
||
|
"value": "https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/",
|
||
|
"category": "External analysis",
|
||
|
"uuid": "731eabc1-de80-4ba2-8926-7708dcb4275b"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "summary",
|
||
|
"value": "Volexity has uncovered active in-the-wild exploitation of two vulnerabilities allowing unauthenticated remote code execution in Ivanti Connect Secure VPN devices. An official security advisory and knowledge base article have been released by Ivanti that includes mitigation that should be applied immediately. However, a mitigation does not remedy a past or ongoing compromise. Systems should simultaneously be thoroughly analyzed per details in this post to look for signs of a breach.\r\n\r\nDuring the second week of December 2023, Volexity detected suspicious lateral movement on the network of one of its Network Security Monitoring service customers. Upon closer inspection, Volexity found that an attacker was placing webshells on multiple internal and external-facing web servers. These detections kicked off an incident response investigation across multiple systems that Volexity ultimately tracked back to the organization's Internet-facing Ivanti Connect Secure (ICS) VPN appliance (formerly known as Pulse Connect Secure, or simply Pulse Secure). A closer inspection of the ICS VPN appliance showed that its logs had been wiped and logging had been disabled. Further review of historic network traffic from the device also revealed suspect outbound and inbound communication from its management IP address. Volexity found that there was suspect activity originating from the device as early as December 3, 2023.\r\n\r\nAt this point in its incident response investigation, Volexity suspected a zero-day exploit was likely at play but did not yet have enough evidence to support this theory. Volexity and its customer worked closely with Ivanti in order to obtain disk and memory images from the impacted devices. Forensic analysis of the collected data provided insight into a variety of the attacker's tools, malware, and methods for operating.",
|
||
|
"category": "Other",
|
||
|
"uuid": "96a02e09-d398-400d-836e-4aadd424f28f"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "title",
|
||
|
"value": "Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN",
|
||
|
"category": "Other",
|
||
|
"uuid": "00fc2f04-1a99-4428-9daf-3023e1815aa5"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "type",
|
||
|
"value": "Blog",
|
||
|
"category": "Other",
|
||
|
"uuid": "419da355-8e16-4be2-8ab5-a43bf512e0eb"
|
||
|
}
|
||
|
],
|
||
|
"x_misp_meta_category": "misc",
|
||
|
"x_misp_name": "report"
|
||
|
},
|
||
|
{
|
||
|
"type": "marking-definition",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
"definition_type": "tlp",
|
||
|
"name": "TLP:WHITE",
|
||
|
"definition": {
|
||
|
"tlp": "white"
|
||
|
}
|
||
|
}
|
||
|
]
|
||
|
}
|