2023-12-14 14:30:15 +00:00
{
"type" : "bundle" ,
"id" : "bundle--c578cb44-e440-486d-80a4-8cf6256c1d53" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
2024-04-05 12:15:17 +00:00
"created" : "2023-12-15T08:49:07.000Z" ,
"modified" : "2023-12-15T08:49:07.000Z" ,
2023-12-14 14:30:15 +00:00
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--c578cb44-e440-486d-80a4-8cf6256c1d53" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
2024-04-05 12:15:17 +00:00
"created" : "2023-12-15T08:49:07.000Z" ,
"modified" : "2023-12-15T08:49:07.000Z" ,
2023-12-14 14:30:15 +00:00
"name" : "AA23-335A: IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities" ,
2024-04-05 12:15:17 +00:00
"published" : "2023-12-15T08:49:17Z" ,
2023-12-14 14:30:15 +00:00
"object_refs" : [
"indicator--b4097d04-408a-4279-aac4-40ae3dd0710f" ,
"indicator--95a83932-6e7a-4024-b3f5-d878d78fd1d0" ,
"indicator--eb825787-5cf3-423a-aec9-42d611cc61e1" ,
"indicator--695afe84-7eb6-4004-a7e1-2ad80bfa5131" ,
"indicator--b74311f5-0fc4-4fda-a6c3-3a13cf1d3069" ,
2024-04-05 12:15:17 +00:00
"vulnerability--8f057a13-41e4-4e2f-ade8-19802a62f278" ,
2023-12-14 14:30:15 +00:00
"x-misp-object--0025bc8f-1af0-48a6-9534-e82af80ee21c" ,
2024-04-05 12:15:17 +00:00
"x-misp-object--157412c1-046a-4e74-99f8-84a148792839" ,
"vulnerability--a2a355a0-75b3-42c8-93f7-401b8566ed00" ,
"x-misp-object--25eafc23-5529-4c84-9cb9-13df3517f784" ,
"attack-pattern--ea5919da-346f-4b22-89c3-6dfeef61dba8" ,
"attack-pattern--5d27dada-7e8c-45bf-8237-e2acf772667b" ,
"relationship--37239644-7022-4083-b5dc-d87178229983" ,
"relationship--2e6cc1a1-52c9-40ba-985a-ec1dedf37a9b" ,
"relationship--3a3a5a5b-0e75-4cd3-9d51-7b08333c178b" ,
"relationship--9194c7c2-8d5c-44b4-b479-5e2975f455c9"
2023-12-14 14:30:15 +00:00
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"misp-galaxy:stix-2.1-attack-pattern=\"9a280255-c770-4d42-ae50-aff1896ebded\"" ,
"type:OSINT" ,
"osint:lifetime=\"perpetual\"" ,
"tlp:clear"
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--b4097d04-408a-4279-aac4-40ae3dd0710f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-12-04T20:38:04.000Z" ,
"modified" : "2023-12-04T20:38:04.000Z" ,
"pattern" : "[file:hashes.SHA256 = '440b5385d3838e3f6bc21220caa83b65cd5f3618daea676f271c3671650ce9a3']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-09-13T00:00:00Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--95a83932-6e7a-4024-b3f5-d878d78fd1d0" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-12-04T20:38:04.000Z" ,
"modified" : "2023-12-04T20:38:04.000Z" ,
"pattern" : "[file:hashes.SHA1 = '66ae21571faee1e258549078144325dc9dd60303']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-09-13T00:00:00Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--eb825787-5cf3-423a-aec9-42d611cc61e1" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-12-04T20:38:04.000Z" ,
"modified" : "2023-12-04T20:38:04.000Z" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '178.162.227.180']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-09-13T00:00:00Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--695afe84-7eb6-4004-a7e1-2ad80bfa5131" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-12-04T20:38:04.000Z" ,
"modified" : "2023-12-04T20:38:04.000Z" ,
"pattern" : "[file:hashes.MD5 = 'ba284a4b508a7abd8070a427386e93e0']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-09-13T00:00:00Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--b74311f5-0fc4-4fda-a6c3-3a13cf1d3069" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-12-04T20:38:04.000Z" ,
"modified" : "2023-12-04T20:38:04.000Z" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.162.235.206']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-05-14T00:00:00Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
2024-04-05 12:15:17 +00:00
{
"type" : "vulnerability" ,
"spec_version" : "2.1" ,
"id" : "vulnerability--8f057a13-41e4-4e2f-ade8-19802a62f278" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-12-15T08:48:48.000Z" ,
"modified" : "2023-12-15T08:48:48.000Z" ,
"name" : "CVE-2023-6448" ,
"labels" : [
"misp:type=\"vulnerability\"" ,
"misp:category=\"Payload delivery\""
] ,
"external_references" : [
{
"source_name" : "cve" ,
"external_id" : "CVE-2023-6448"
}
]
} ,
2023-12-14 14:30:15 +00:00
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--0025bc8f-1af0-48a6-9534-e82af80ee21c" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-12-05T07:48:53.000Z" ,
"modified" : "2023-12-05T07:48:53.000Z" ,
"labels" : [
"misp:name=\"original-imported-file\"" ,
"misp:meta-category=\"file\""
] ,
"x_misp_attributes" : [
{
"type" : "attachment" ,
"object_relation" : "imported-sample" ,
"value" : "AA23-335A-IRGC-Affiliated-Cyber-Actors-Exploit-PLCs-in-Multiple-Sectors-Including-US-Water-and-Wastewater-Systems-Facilities.stix_.json" ,
"category" : "External analysis" ,
"uuid" : "63b59f7b-462d-4bdb-9861-b2de803a358c" ,
"data" : " e w o g I C A g I n R 5 c G U i O i A i Y n V u Z G x l I i w K I C A g I C J p Z C I 6 I C J i d W 5 k b G U t L T k 0 M D V h Y W F l L W N m M D A t N D A z M C 1 h M z I 2 L T c w Y j k 2 Z W E 2 Y m J i N S I s C i A g I C A i b 2 J q Z W N 0 c y I 6 I F s K I C A g I C A g I C B 7 C i A g I C A g I C A g I C A g I C J p Z C I 6 I C J s b 2 N h d G l v b i 0 t Z T J j O D g 5 Y W E t Y j B i M S 0 0 Z j A 1 L W I 5 M G M t Y T B h M W E x N T V k Y z Y y I i w K I C A g I C A g I C A g I C A g I n N w Z W N f d m V y c 2 l v b i I 6 I C I y L j E i L A o g I C A g I C A g I C A g I C A i d H l w Z S I 6 I C J s b 2 N h d G l v b i I s C i A g I C A g I C A g I C A g I C J j b 3 V u d H J 5 I j o g I l V T I i w K I C A g I C A g I C A g I C A g I m F k b W l u a X N 0 c m F 0 a X Z l X 2 F y Z W E i O i A i V V M t R E M i L A o g I C A g I C A g I C A g I C A i Y 3 J l Y X R l Z C I 6 I C I y M D I z L T E y L T A 0 V D I w O j M 4 O j A 0 L j A w M F o i L A o g I C A g I C A g I C A g I C A i b W 9 k a W Z p Z W Q i O i A i M j A y M y 0 x M i 0 w N F Q y M D o z O D o w N C 4 w M D B a I i w K I C A g I C A g I C A g I C A g I m N y Z W F 0 Z W R f Y n l f c m V m I j o g I m l k Z W 50 a X R 5 L S 1 i M 2 J j Y T N j M i 0 x Z j N k L T R i N T Q t Y j Q 0 Z i 1 k Y W M 0 M m M z Y T h m M D E i L A o g I C A g I C A g I C A g I C A i b 2 J q Z W N 0 X 21 h c m t p b m d f c m V m c y I 6 I F s K I C A g I C A g I C A g I C A g I C A g I C J t Y X J r a W 5 n L W R l Z m l u a X R p b 24 t L T Q 3 O T A 4 M W M 4 L T N h N j A t N G V i O C 1 i N D E w L T k 2 Y T M w Z j M 5 N W R l Z i I s C i A g I C A g I C A g I C A g I C A g I C A i b W F y a 2 l u Z y 1 k Z W Z p b m l 0 a W 9 u L S 0 2 M T N m M m U y N i 0 0 M D d k L T Q 4 Y z c t O W V j Y S 1 i O G U 5 M W R m O T l k Y z k i C i A g I C A g I C A g I C A g I F 0 K I C A g I C A g I C B 9 L A o g I C A g I C A g I H s K I C A g I C A g I C A g I C A g I n R 5 c G U i O i A i b W F y a 2 l u Z y 1 k Z W Z p b m l 0 a W 9 u I i w K I C A g I C A g I C A g I C A g I n N w Z W N f d m V y c 2 l v b i I 6 I C I y L j E i L A o g I C A g I C A g I C A g I C A i a W Q i O i A i b W F y a 2 l u Z y 1 k Z W Z p b m l 0 a W 9 u L S 0 0 N z k w O D F j O C 0 z Y T Y w L T R l Y j g t Y j Q x M C 0 5 N m E z M G Y z O T V k Z W Y i L A o g I C A g I C A g I C A g I C A i Y 3 J l Y X R l Z C I 6 I C I y M D I z L T A z L T A y V D E 2 O j Q 4 O j U 3 L j k 1 O V o i L A o g I C A g I C A g I C A g I C A i Z X h 0 Z W 5 z a W 9 u c y I 6 I H s K I C A g I C A g I C A g I C A g I C A g I C J l e H R l b n N p b 24 t Z G V m a W 5 p d G l v b i 0 t M 2E2 N T g 4 N G Q t M D A 1 Y S 0 0 M j k w L T g z M z U t Y 2 I y Z D c 3 O G E 4 M 2 N l I j o g e w o g I C A g I C A g I C A g I C A g I C A g I C A g I C J l e H R l b n N p b 25 f d H l w Z S I 6 I C J w c m 9 w Z X J 0 e S 1 l e H R l b n N p b 24 i L A o g I C A g I C A g I C A g I C A g I C A g I C A g I C J p Z G V u d G l m a W V y I j o g I m l z Y T p n d W l k Z S 4 x O T A w M S 5 B Q 1 M z L T l l M G N k N T B l L T Z l Z m M t N D V i M y 0 4 Y T N k L W I 2 M z c 2 N T Q x Y z l j N S I s C i A g I C A g I C A g I C A g I C A g I C A g I C A g I m N y Z W F 0 Z V 9 k Y X R l X 3 R p b W U i O i A i M j A y M y 0 w M y 0 w M l Q x N j o 0 O D o 1 N y 45 N T l a I i w K I C A g I C A g I C A g I C A g I C A g I C A g I C A i c m V z c G 9 u c 2 l i b G V f Z W 50 a X R 5 X 2 N 1 c 3 R v Z G l h b i I 6 I C J V U 0 E u R E h T L k 5 D Q 0 l D I i w K I C A g I C A g I C A g I C A g I C A g I C A g I C A i c m V z c G 9 u c 2 l i b G V f Z W 50 a X R 5 X 29 y a W d p b m F 0 b 3 I i O i A i V V N B L k R I U y 5 O Q 0 N J Q y I s C i A g I C A g I C A g I C A g I C A g I C A g I C A g I n B v b G l j e V 9 y Z W Z l c m V u Y 2 U i O i A i d X J u O m l z Y T p w b 2 x p Y 3 k 6 Y W N z O m 5 z O n Y z L j A / c H J p d m R l Z m F 1 b H Q 9 Z G V u e S Z z a G F y Z W R l Z m F 1 b H Q 9 c G V y b W l 0 I i w K I C A g I C A g I C A g I C A g I C A g I C A g I C A i Y 29 u d H J v b F 9 z Z X Q i O i B 7 C i A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C J j b G F z c 2 l m a W N h d G l v b i I 6 I C J V I i w K I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I m Z v c m 1 h b F 9 k Z X R l c m 1 p b m F 0 a W 9 u I j o g W w o g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I k l O R k 9 S T U F U S U 9 O L U R J U k V D V E x Z L V J F T E F U R U Q t V E 8 t Q 1 l C R V J T R U N V U k l U W S 1 U S F J F Q V Q i L A o g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I l B V Q l J F T C I K I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g X Q o g I C A g I C A g I C A g I C A g I C A g I C A g I H 0 s C i A g I C A g I C A g I C A g I C A g I C A g I C A g I m F 1 d G h v c m l 0 e V 9 y Z W Z l c m V u Y 2 U i O i B b C i A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C J 1 c m 46 a X N h O m F 1 d G h v c m l 0 e T p h a X M i C i A g I C A g I C A g I C A g I C A g I C A g I C A g X S w K I C A g I C A g I C A g I C A g I C A g I C A g I C A i Y W N j Z X N z X 3 B y a X Z p b G V n Z S I 6 I F s K I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g e w o g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I n B y a X Z p b G V n Z V 9 h Y 3 R p b 24 i O i A i Q 0 l T Q V V T R V M i L A o g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I n J 1 b G V f Z W Z m Z W N 0 I j o g I n B l c m 1 p d C I s C i A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A i c H J p d m l s Z W d l X 3 N j b 3 B l I j o g e w o g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C J l b n R p d H k i O i B b C i A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C J B T E w i C i A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g X S w K I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A i c G V y b W l 0 d G V k X 25 h d G l v b m F s a X R p Z X M i O i B b C i A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C J B T E w i C i A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g X S w K I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A i c G V y b W l 0 d G V k X 29 y Z 2 F u a X p h d G l v b n M i O i B b C i A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C J B T E w i C i A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g X S w K I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A i c 2 h h c m V h Y m l s a X R 5 I j o g W w o g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A i Q U x M I g o g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I F 0 K I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g I H 0 K I C A g I C A g I C A g I C A g I C A g I C A g I C A g I C A g f Q o g I C A g I C A g I C A g I C A g I C A g I C A g I F 0 K I C A g I C A g I C A g I C A g I C A g I H 0 K I C A g I C A g I C A g I C A g f Q o g I C A g I C A g I H 0 s C i A g I C A g I C A g e w o g I C A g I C A g I C A g I C A i a W Q i O i A i Y X R 0 Y W N r L X B h d H R l c m 4 t L T l h M j g w M j U 1 L W M 3 N z A t N G Q 0 M i 1 h Z T U w L W F m Z j E 4 O T Z l Y m R l Z C I s C i A g I C A g I C A g I C A g I C J 0 e X B l I j o g I m F 0 d G F j a y 1 w Y X R 0 Z X J u I i w K I C A g I C A g I C A g I C A g I m N y Z W F 0 Z W Q i O i A i M j A y M y 0 x M i 0 w N F Q y M D o z O D o w N C 4 w M D B a I i w K I C A g I C A g I C A g I C A g I m 1 v Z G l m a W V k I j o g I j I w M j M t M T I t M D R U M j A 6 M z g 6 M D Q u M D A w W i I s C i A g I C A g I C A g I C A g I C J z c G V j X 3 Z l c n N p b 2
} ,
{
"type" : "text" ,
"object_relation" : "format" ,
"value" : "STIX 2.1" ,
"category" : "Other" ,
"uuid" : "a8bc59ca-67e3-4e50-acd3-c1867a2acc3c"
}
] ,
"x_misp_meta_category" : "file" ,
"x_misp_name" : "original-imported-file"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--157412c1-046a-4e74-99f8-84a148792839" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-12-05T07:54:14.000Z" ,
"modified" : "2023-12-05T07:54:14.000Z" ,
"labels" : [
"misp:name=\"report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "link" ,
"object_relation" : "link" ,
"value" : "https://www.cisa.gov/sites/default/files/2023-12/AA23-335A-IRGC-Affiliated-Cyber-Actors-Exploit-PLCs-in-Multiple-Sectors-Including-US-Water-and-Wastewater-Systems-Facilities.stix_.json" ,
"category" : "External analysis" ,
"uuid" : "c6fbcbef-c300-445b-85d0-025c748f5545"
} ,
{
"type" : "text" ,
"object_relation" : "summary" ,
"value" : "The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Environmental Protection Agency (EPA), and the Israel National Cyber Directorate (INCD)\\\\u2014hereafter referred to as \"the authoring agencies\" - are disseminating this joint Cybersecurity Advisory (CSA) to highlight continued malicious cyber activity against operational technology devices by Iranian Government Islamic Revolutionary Guard Corps IRGC)-affiliated Advanced Persistent Threat (APT) cyber actors. \\r\\n\\r\\nThe IRGC is an Iranian military organization that the United States designated as a foreign terrorist organization in 2019. IRGC-affiliated cyber actors using the persona \\\\u201cCyberAv3ngers\\\\u201d are actively targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs). These PLCs are commonly used in the Water and Wastewater Systems (WWS) Sector and are additionally used in other industries including, but not limited to, energy, food and beverage manufacturing, and healthcare. The PLCs may be rebranded and appear as different manufacturers and companies. In addition to the recent CISA Alert, the authoring agencies are releasing this joint CSA to share indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with IRGC cyber operations.\\r\\n" ,
"category" : "Other" ,
"uuid" : "548e3b68-36bd-4297-b825-3cadd87fc1c7"
}
] ,
"x_misp_comment" : "\"AA23-335A: IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities" ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "report"
} ,
2024-04-05 12:15:17 +00:00
{
"type" : "vulnerability" ,
"spec_version" : "2.1" ,
"id" : "vulnerability--a2a355a0-75b3-42c8-93f7-401b8566ed00" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-12-15T08:49:07.000Z" ,
"modified" : "2023-12-15T08:49:07.000Z" ,
"name" : "CVE-2023-6448" ,
"description" : "Unitronics VisiLogic before version 9.9.00, used in Vision and Samba PLCs and HMIs, uses a default administrative password. An unauthenticated attacker with network access can take administrative control of a vulnerable system." ,
"labels" : [
"misp:name=\"vulnerability\"" ,
"misp:meta-category=\"vulnerability\"" ,
"misp:to_ids=\"False\""
] ,
"external_references" : [
{
"source_name" : "cve" ,
"external_id" : "CVE-2023-6448"
} ,
{
"source_name" : "url" ,
"url" : "https://www.cisa.gov/news-events/alerts/2023/11/28/exploitation-unitronics-plcs-used-water-and-wastewater-systems"
} ,
{
"source_name" : "url" ,
"url" : "https://www.unitronicsplc.com/cyber_security_vision-samba/"
} ,
{
"source_name" : "url" ,
"url" : "https://downloads.unitronicsplc.com/Sites/plc/Visilogic/Version_Changes-Bug_Reports/VisiLogic\\\\%209.9.00\\\\%20Version\\\\%20changes.pdf"
}
] ,
"x_misp_cvss_score" : "9.8" ,
"x_misp_cvss_string" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" ,
"x_misp_modified" : "2023-12-13T17:15:00+00:00" ,
"x_misp_published" : "2023-12-05T18:15:00+00:00" ,
"x_misp_state" : "Published" ,
"x_misp_vulnerable_configuration" : [
"cpe:2.3:o:unitronics:vision1210_firmware:-:*:*:*:*:*:*:*" ,
"cpe:2.3:h:unitronics:vision1210:-:*:*:*:*:*:*:*" ,
"cpe:2.3:o:unitronics:vision1040_firmware:-:*:*:*:*:*:*:*" ,
"cpe:2.3:h:unitronics:vision1040:-:*:*:*:*:*:*:*" ,
"cpe:2.3:o:unitronics:vision700_firmware:-:*:*:*:*:*:*:*" ,
"cpe:2.3:h:unitronics:vision700:-:*:*:*:*:*:*:*" ,
"cpe:2.3:o:unitronics:vision570_firmware:-:*:*:*:*:*:*:*" ,
"cpe:2.3:h:unitronics:vision570:-:*:*:*:*:*:*:*" ,
"cpe:2.3:o:unitronics:vision560_firmware:-:*:*:*:*:*:*:*" ,
"cpe:2.3:h:unitronics:vision560:-:*:*:*:*:*:*:*" ,
"cpe:2.3:o:unitronics:vision430_firmware:-:*:*:*:*:*:*:*" ,
"cpe:2.3:h:unitronics:vision430:-:*:*:*:*:*:*:*" ,
"cpe:2.3:o:unitronics:vision350_firmware:-:*:*:*:*:*:*:*" ,
"cpe:2.3:h:unitronics:vision350:-:*:*:*:*:*:*:*" ,
"cpe:2.3:o:unitronics:vision130_firmware:-:*:*:*:*:*:*:*" ,
"cpe:2.3:h:unitronics:vision130:-:*:*:*:*:*:*:*" ,
"cpe:2.3:o:unitronics:vision230_firmware:-:*:*:*:*:*:*:*" ,
"cpe:2.3:h:unitronics:vision230:-:*:*:*:*:*:*:*" ,
"cpe:2.3:o:unitronics:vision280_firmware:-:*:*:*:*:*:*:*" ,
"cpe:2.3:h:unitronics:vision280:-:*:*:*:*:*:*:*" ,
"cpe:2.3:o:unitronics:vision290_firmware:-:*:*:*:*:*:*:*" ,
"cpe:2.3:h:unitronics:vision290:-:*:*:*:*:*:*:*" ,
"cpe:2.3:o:unitronics:vision530_firmware:-:*:*:*:*:*:*:*" ,
"cpe:2.3:h:unitronics:vision530:-:*:*:*:*:*:*:*" ,
"cpe:2.3:o:unitronics:vision120_firmware:-:*:*:*:*:*:*:*" ,
"cpe:2.3:h:unitronics:vision120:-:*:*:*:*:*:*:*"
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--25eafc23-5529-4c84-9cb9-13df3517f784" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-12-15T08:49:07.000Z" ,
"modified" : "2023-12-15T08:49:07.000Z" ,
"labels" : [
"misp:name=\"weakness\"" ,
"misp:meta-category=\"vulnerability\""
] ,
"x_misp_attributes" : [
{
"type" : "weakness" ,
"object_relation" : "id" ,
"value" : "CWE-798" ,
"category" : "External analysis" ,
"uuid" : "b29a1b99-ff49-4ab7-80da-3267910b36ac"
} ,
{
"type" : "text" ,
"object_relation" : "name" ,
"value" : "Use of Hard-coded Credentials" ,
"category" : "Other" ,
"uuid" : "7ab12f43-9356-45b0-b368-91f2b682750d"
} ,
{
"type" : "text" ,
"object_relation" : "status" ,
"value" : "Draft" ,
"category" : "Other" ,
"uuid" : "d64d1466-dc39-45ee-b281-0f7332c5564d"
} ,
{
"type" : "text" ,
"object_relation" : "weakness-abs" ,
"value" : "Base" ,
"category" : "Other" ,
"uuid" : "a4cb95b3-7531-4f14-bce9-df6c266964df"
}
] ,
"x_misp_comment" : "CVE-2023-6448: Enriched via the cve_advanced module" ,
"x_misp_meta_category" : "vulnerability" ,
"x_misp_name" : "weakness"
} ,
{
"type" : "attack-pattern" ,
"spec_version" : "2.1" ,
"id" : "attack-pattern--ea5919da-346f-4b22-89c3-6dfeef61dba8" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-12-15T08:49:07.000Z" ,
"modified" : "2023-12-15T08:49:07.000Z" ,
"name" : "Try Common or Default Usernames and Passwords" ,
"description" : "An adversary may try certain common or default usernames and passwords to gain access into the system and perform unauthorized actions. An adversary may try an intelligent brute force using empty passwords, known vendor default credentials, as well as a dictionary of common usernames and passwords. Many vendor products come preconfigured with default (and thus well-known) usernames and passwords that should be deleted prior to usage in a production environment. It is a common mistake to forget to remove these default login credentials. Another problem is that users would pick very simple (common) passwords (e.g. \\\\\"secret\\\\\" or \\\\\"password\\\\\") that make it easier for the attacker to gain access to the system compared to using a brute force attack or even a dictionary attack using a full dictionary." ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "vulnerability"
}
] ,
"labels" : [
"misp:name=\"attack-pattern\"" ,
"misp:meta-category=\"vulnerability\"" ,
"misp:to_ids=\"False\""
] ,
"external_references" : [
{
"source_name" : "capec" ,
"external_id" : "CAPEC-70"
}
] ,
"x_misp_prerequisites" : "The system uses one factor password based authentication.The adversary has the means to interact with the system." ,
"x_misp_related_weakness" : [
"CWE-262" ,
"CWE-263" ,
"CWE-308" ,
"CWE-309" ,
"CWE-521" ,
"CWE-654" ,
"CWE-798"
] ,
"x_misp_solutions" : "Delete all default account credentials that may be put in by the product vendor. Implement a password throttling mechanism. This mechanism should take into account both the IP address and the log in name of the user. Put together a strong password policy and make sure that all user created passwords comply with it. Alternatively automatically generate strong passwords for users. Passwords need to be recycled to prevent aging, that is every once in a while a new password must be chosen."
} ,
{
"type" : "attack-pattern" ,
"spec_version" : "2.1" ,
"id" : "attack-pattern--5d27dada-7e8c-45bf-8237-e2acf772667b" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-12-15T08:49:07.000Z" ,
"modified" : "2023-12-15T08:49:07.000Z" ,
"name" : "Read Sensitive Constants Within an Executable" ,
"description" : "An adversary engages in activities to discover any sensitive constants present within the compiled code of an executable.\n These constants may include literal ASCII strings within the file itself, or possibly strings hard-coded into particular routines that can be revealed by code refactoring methods including static and dynamic analysis. One specific example of a sensitive string is a hard-coded password. Typical examples of software with hard-coded passwords include server-side executables which may check for a hard-coded password or key during a user\\'s authentication with the server. Hard-coded passwords can also be present in client-side executables which utilize the password or key when connecting to either a remote component, such as a database server, licensing server, or otherwise, or a processes on the same host that expects a key or password. When analyzing an executable the adversary may search for the presence of such strings by analyzing the byte-code of the file itself. Example utilities for revealing strings within a file include \\'strings,\\' \\'grep,\\' or other variants of these programs depending upon the type of operating system used. These programs can be used to dump any ASCII or UNICODE strings contained within a program. Strings can also be searched for using a hex editors by loading the binary or object code file and utilizing native search functions such as regular expressions.\n Additionally, sensitive numeric values can occur within an executable. This can be used to discover the location of cryptographic constants." ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "vulnerability"
}
] ,
"labels" : [
"misp:name=\"attack-pattern\"" ,
"misp:meta-category=\"vulnerability\"" ,
"misp:to_ids=\"False\""
] ,
"external_references" : [
{
"source_name" : "capec" ,
"external_id" : "CAPEC-191"
}
] ,
"x_misp_prerequisites" : "Access to a binary or executable such that it can be analyzed by various utilities." ,
"x_misp_related_weakness" : "CWE-798"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--37239644-7022-4083-b5dc-d87178229983" ,
"created" : "2023-12-15T08:49:07.000Z" ,
"modified" : "2023-12-15T08:49:07.000Z" ,
"relationship_type" : "related-to" ,
"source_ref" : "vulnerability--a2a355a0-75b3-42c8-93f7-401b8566ed00" ,
"target_ref" : "vulnerability--8f057a13-41e4-4e2f-ade8-19802a62f278"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--2e6cc1a1-52c9-40ba-985a-ec1dedf37a9b" ,
"created" : "2023-12-15T08:49:07.000Z" ,
"modified" : "2023-12-15T08:49:07.000Z" ,
"relationship_type" : "weakened-by" ,
"source_ref" : "vulnerability--a2a355a0-75b3-42c8-93f7-401b8566ed00" ,
"target_ref" : "x-misp-object--25eafc23-5529-4c84-9cb9-13df3517f784"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--3a3a5a5b-0e75-4cd3-9d51-7b08333c178b" ,
"created" : "2023-12-15T08:49:07.000Z" ,
"modified" : "2023-12-15T08:49:07.000Z" ,
"relationship_type" : "targeted-by" ,
"source_ref" : "vulnerability--a2a355a0-75b3-42c8-93f7-401b8566ed00" ,
"target_ref" : "attack-pattern--ea5919da-346f-4b22-89c3-6dfeef61dba8"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--9194c7c2-8d5c-44b4-b479-5e2975f455c9" ,
"created" : "2023-12-15T08:49:07.000Z" ,
"modified" : "2023-12-15T08:49:07.000Z" ,
"relationship_type" : "targeted-by" ,
"source_ref" : "vulnerability--a2a355a0-75b3-42c8-93f7-401b8566ed00" ,
"target_ref" : "attack-pattern--5d27dada-7e8c-45bf-8237-e2acf772667b"
} ,
2023-12-14 14:30:15 +00:00
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}