{
"type": "bundle",
"id": "bundle--d4766c50-0269-4cda-acea-850ea4fdb198",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-24T09:46:38.000Z",
"modified": "2022-10-24T09:46:38.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--d4766c50-0269-4cda-acea-850ea4fdb198",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-24T09:46:38.000Z",
"modified": "2022-10-24T09:46:38.000Z",
"name": "Kinsing & Dark.IoT botnet among threats targeting CVE-2022-26134",
"published": "2022-10-24T09:46:56Z",
"object_refs": [
"indicator--4cbe3026-379e-43e7-89ce-ba08ed0bcf76",
"indicator--a5b7f457-b85c-4ceb-a8ce-1f3b653a3a66",
"indicator--646bcbe5-10a3-4bd5-b52e-6608be4ced00",
"indicator--caf56edd-20b9-4fae-ada7-43e979f55650",
"indicator--6d726652-bae4-4c18-a2d6-b9193ec6172d",
"indicator--7d8e361a-5752-4f4b-ab62-da4d626e8113",
"x-misp-object--68ea0702-5482-4dc6-bb9b-c7ee42e24f88",
"vulnerability--94ad2c57-e806-4bc4-8d35-82656f7c879e",
"indicator--e660021e-01d4-42b5-b46c-77e4fa89c50d",
"indicator--1b1f9efe-f9ef-435a-8877-d87132ce36a5",
"indicator--104829a9-42bc-4f65-a0cb-1a0ad5cc8729",
"indicator--f02dc5ba-1544-42ca-9a5a-291927cca971"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"50\"",
"osint:source-type=\"blog-post\"",
"misp-galaxy:malpedia=\"Kinsing\"",
"misp-galaxy:mitre-malware=\"Kinsing - S0599\"",
"misp-galaxy:threat-actor=\"Kinsing\"",
"misp-galaxy:cryptominers=\"Hezb\"",
"misp-galaxy:threat-actor=\"Hezb\"",
"misp-galaxy:botnet=\"Dark.IoT\"",
"misp-galaxy:malpedia=\"Dark\"",
"\tmalware_classification:malware-category=\"Botnet\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--4cbe3026-379e-43e7-89ce-ba08ed0bcf76",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-13T13:44:05.000Z",
"modified": "2022-09-13T13:44:05.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '94.247.43.254']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-13T13:44:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a5b7f457-b85c-4ceb-a8ce-1f3b653a3a66",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-13T13:44:05.000Z",
"modified": "2022-09-13T13:44:05.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '95.217.229.211']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-13T13:44:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--646bcbe5-10a3-4bd5-b52e-6608be4ced00",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-13T13:44:05.000Z",
"modified": "2022-09-13T13:44:05.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '162.243.19.47']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-13T13:44:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--caf56edd-20b9-4fae-ada7-43e979f55650",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-13T13:44:05.000Z",
"modified": "2022-09-13T13:44:05.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '94.16.114.254']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-13T13:44:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--6d726652-bae4-4c18-a2d6-b9193ec6172d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-13T13:44:05.000Z",
"modified": "2022-09-13T13:44:05.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '194.36.144.87']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-13T13:44:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--7d8e361a-5752-4f4b-ab62-da4d626e8113",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-13T13:47:30.000Z",
"modified": "2022-09-13T13:47:30.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '144.76.157.242']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-13T13:47:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--68ea0702-5482-4dc6-bb9b-c7ee42e24f88",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-13T11:46:36.000Z",
"modified": "2022-09-13T11:46:36.000Z",
"labels": [
"misp:name=\"report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "link",
"value": "https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/",
"category": "External analysis",
"uuid": "2a6e251d-8098-4c55-b905-1a78c839dfd1"
},
{
"type": "text",
"object_relation": "summary",
"value": "Details regarding the recent Confluence OGNL (CVE-2022-26134) exploit were released to the public on June 3rd 2022. Shortly following this, Lacework Labs began seeing multiple attacks in the wild from both uncategorized and named threats. While this was expected, there appears to be more widespread exploitation of CVE-2022-26134 compared to previous Confluence vulnerabilities.",
"category": "Other",
"uuid": "cf625c35-4682-4b13-b077-3323a0a3544c"
},
{
"type": "text",
"object_relation": "type",
"value": "Blog",
"category": "Other",
"uuid": "2dad185a-880c-47a2-beb4-bdf4503dd0d7"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "report"
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--94ad2c57-e806-4bc4-8d35-82656f7c879e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-13T13:00:56.000Z",
"modified": "2022-09-13T13:00:56.000Z",
"name": "CVE-2022-26134",
"labels": [
"misp:name=\"vulnerability\"",
"misp:meta-category=\"vulnerability\"",
"misp:to_ids=\"False\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2022-26134"
}
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--e660021e-01d4-42b5-b46c-77e4fa89c50d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-13T13:41:52.000Z",
"modified": "2022-09-13T13:41:52.000Z",
"pattern": "[domain-name:value = 'tempest.lib' AND domain-name:resolves_to_refs[*].value = '62.4.23.97']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-13T13:41:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--1b1f9efe-f9ef-435a-8877-d87132ce36a5",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-13T13:52:00.000Z",
"modified": "2022-09-13T13:52:00.000Z",
"pattern": "[domain-name:value = 'dragon.lib' AND domain-name:resolves_to_refs[*].value = '193.70.30.98']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-13T13:52:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--104829a9-42bc-4f65-a0cb-1a0ad5cc8729",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-13T13:55:05.000Z",
"modified": "2022-09-13T13:55:05.000Z",
"pattern": "[domain-name:value = 'blacknurse.lib' AND domain-name:resolves_to_refs[*].value = '5.206.227.244']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-13T13:55:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--f02dc5ba-1544-42ca-9a5a-291927cca971",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-13T13:58:04.000Z",
"modified": "2022-09-13T13:58:04.000Z",
"pattern": "[domain-name:value = 'babaroga.lib' AND domain-name:resolves_to_refs[*].value = '203.0.113.0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-13T13:58:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}