{
"Event": {
"analysis": "0",
"date": "2024-10-24",
"extends_uuid": "",
"info": "Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575)",
"publish_timestamp": "1729840588",
"published": true,
"threat_level_id": "3",
"timestamp": "1729840578",
"uuid": "4fe85264-fb26-494e-8eb7-da101e19e291",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"",
"relationship_type": ""
},
{
"colour": "#004646",
"local": false,
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#0071c3",
"local": false,
"name": "osint:lifetime=\"perpetual\"",
"relationship_type": ""
},
{
"colour": "#0087e8",
"local": false,
"name": "osint:certainty=\"50\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:clear",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1729754802",
"to_ids": false,
"type": "vulnerability",
"uuid": "3040474b-9e08-40a1-8f7d-3a949fe20173",
"value": "CVE-2024-47575"
},
{
"category": "Network activity",
"comment": "UNC5820",
"deleted": false,
"disable_correlation": false,
"timestamp": "1729755948",
"to_ids": true,
"type": "ip-dst",
"uuid": "8fdb0102-d3f6-48c3-8d35-9dd679068cf8",
"value": "45.32.41.202"
},
{
"category": "Network activity",
"comment": "UNC5820",
"deleted": false,
"disable_correlation": false,
"timestamp": "1729755948",
"to_ids": true,
"type": "ip-dst",
"uuid": "e6f4078e-1765-4ac4-bef2-d149ea122dac",
"value": "104.238.141.143"
},
{
"category": "Network activity",
"comment": "UNC5820",
"deleted": false,
"disable_correlation": false,
"timestamp": "1729755948",
"to_ids": true,
"type": "ip-dst",
"uuid": "5432a440-b4a1-47a3-9a28-108d412d5779",
"value": "158.247.199.37"
},
{
"category": "Network activity",
"comment": "UNC5820",
"deleted": false,
"disable_correlation": false,
"timestamp": "1729755948",
"to_ids": true,
"type": "ip-dst",
"uuid": "2e10641e-2717-48b6-a5e7-cb1820514add",
"value": "195.85.114.78"
},
{
"category": "Payload delivery",
"comment": "MD5 hash of unreg_devices.txt",
"deleted": false,
"disable_correlation": false,
"timestamp": "1729755975",
"to_ids": true,
"type": "md5",
"uuid": "d990cb29-94a7-4346-95fa-6e57c827b6b3",
"value": "9dcfab171580b52deae8703157012674"
},
{
"category": "Artifacts dropped",
"comment": "Malicious Fortinet Device ID",
"deleted": false,
"disable_correlation": false,
"timestamp": "1729756506",
"to_ids": true,
"type": "text",
"uuid": "a4dcfc7e-fb91-4cc6-bef2-90f6261f8c5d",
"value": "FMG-VMTM23017412"
},
{
"category": "Artifacts dropped",
"comment": "String indicating exploitation in /log/locallog/elog",
"deleted": false,
"disable_correlation": false,
"timestamp": "1729756612",
"to_ids": false,
"type": "text",
"uuid": "6f4323f5-be15-4f24-81dd-67ce922a5f46",
"value": "msg=\"Unregistered device localhost add succeeded\""
},
{
"category": "Artifacts dropped",
"comment": "String indicating exploitation in /log/locallog/elog",
"deleted": false,
"disable_correlation": false,
"timestamp": "1729756612",
"to_ids": false,
"type": "text",
"uuid": "c6f236cd-9ac6-4163-8abb-89c623815029",
"value": "changes=\"Edited device settings (SN FMG-VMTM23017412)\""
},
{
"category": "Artifacts dropped",
"comment": "String indicating exploitation in /log/locallog/elog",
"deleted": false,
"disable_correlation": false,
"timestamp": "1729756612",
"to_ids": false,
"type": "text",
"uuid": "b909839e-e2b0-41cc-93f4-da4e077192a5",
"value": "changes=\"Added unregistered device to unregistered table.\""
},
{
"category": "Artifacts dropped",
"comment": "Observed in subs.dat and subs.dat.tmp",
"deleted": false,
"disable_correlation": false,
"timestamp": "1729756658",
"to_ids": true,
"type": "text",
"uuid": "9d8e7c05-194f-4c2c-9251-5b32dabc2dce",
"value": "Purity Supreme"
},
{
"category": "Network activity",
"comment": "via https://www.fortiguard.com/psirt/FG-IR-24-423",
"deleted": false,
"disable_correlation": false,
"timestamp": "1729840578",
"to_ids": true,
"type": "ip-dst",
"uuid": "5c9c259c-d433-4f07-bfe4-95df4b128df9",
"value": "45.32.63.2"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "Report object to describe a report along with its metadata.",
"meta-category": "misc",
"name": "report",
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
"template_version": "8",
"timestamp": "1729754781",
"uuid": "0a80dee7-2407-423f-8dc6-bdb40782c369",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "link",
"timestamp": "1729754781",
"to_ids": false,
"type": "link",
"uuid": "c93c0dc0-4fee-43dd-ab23-800a7513c947",
"value": "https://cloud.google.com/blog/topics/threat-intelligence/fortimanager-zero-day-exploitation-cve-2024-47575"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "summary",
"timestamp": "1729754781",
"to_ids": false,
"type": "text",
"uuid": "aa7cbcc5-a982-414f-ab9b-97d1b88b8819",
"value": "In October 2024, Mandiant collaborated with Fortinet to investigate the mass exploitation of FortiManager appliances across 50+ potentially compromised FortiManager devices in various industries. The vulnerability, CVE-2024-47575 / FG-IR-24-423, allows a threat actor to use an unauthorized, threat actor-controlled FortiManager device to execute arbitrary code or commands against vulnerable FortiManager devices. \r\n\r\nMandiant observed a new threat cluster we now track as UNC5820 exploiting the FortiManager vulnerability as early as June 27, 2024. UNC5820 staged and exfiltrated the configuration data of the FortiGate devices managed by the exploited FortiManager. This data contains detailed configuration information of the managed appliances as well as the users and their FortiOS256-hashed passwords. This data could be used by UNC5820 to further compromise the FortiManager, move laterally to the managed Fortinet devices, and ultimately target the enterprise environment.\r\n\r\nAt this time, the data sources analyzed by Mandiant did not record the specific requests that the threat actor used to leverage the FortiManager vulnerability. Additionally, at this stage of our investigations there is no evidence that UNC5820 leveraged the obtained configuration data to move laterally and further compromise the environment. As a result, at the time of publishing, we lack sufficient data to assess actor motivation or location. As additional information becomes available through our investigations, Mandiant will update this blog\u2019s attribution assessment.\r\n\r\nOrganizations that may have their FortiManager exposed to the internet should conduct a forensic investigation immediately."
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "title",
"timestamp": "1729754781",
"to_ids": false,
"type": "text",
"uuid": "e4cf90bf-e9f3-46a3-a0e4-5e7bb85dc5e9",
"value": "Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575)"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1729754781",
"to_ids": false,
"type": "text",
"uuid": "1d86df7a-6a73-437a-a0d0-50be5a7047f4",
"value": "Blog"
}
]
},
{
"comment": "CVE-2024-47575: Enriched via the cve_advanced module",
"deleted": false,
"description": "Vulnerability object describing a common vulnerability enumeration which can describe published, unpublished, under review or embargo vulnerability for software, equipments or hardware.",
"meta-category": "vulnerability",
"name": "vulnerability",
"template_uuid": "81650945-f186-437b-8945-9f31715d32da",
"template_version": "8",
"timestamp": "1729755710",
"uuid": "e321b0ca-f9ca-4817-b09f-60a85352790c",
"ObjectReference": [
{
"comment": "",
"object_uuid": "e321b0ca-f9ca-4817-b09f-60a85352790c",
"referenced_uuid": "3040474b-9e08-40a1-8f7d-3a949fe20173",
"relationship_type": "related-to",
"timestamp": "1729755711",
"uuid": "b978253e-db38-4725-8cea-11a6237addbc"
},
{
"comment": "",
"object_uuid": "e321b0ca-f9ca-4817-b09f-60a85352790c",
"referenced_uuid": "c3728e8c-9ab9-433a-aa2c-cb3868cfecce",
"relationship_type": "weakened-by",
"timestamp": "1729755711",
"uuid": "12f289c6-0771-42aa-b1da-62ffddee2d62"
},
{
"comment": "",
"object_uuid": "e321b0ca-f9ca-4817-b09f-60a85352790c",
"referenced_uuid": "aeeb0d73-4b25-45ff-b1c3-9c45db5240e6",
"relationship_type": "targeted-by",
"timestamp": "1729755711",
"uuid": "5c370659-9592-4a05-8a3e-f9c740a53e91"
},
{
"comment": "",
"object_uuid": "e321b0ca-f9ca-4817-b09f-60a85352790c",
"referenced_uuid": "854dac5d-31da-4900-8986-c076b24e6e7d",
"relationship_type": "targeted-by",
"timestamp": "1729755711",
"uuid": "ca276fb7-b015-4224-852f-28f287b872ca"
},
{
"comment": "",
"object_uuid": "e321b0ca-f9ca-4817-b09f-60a85352790c",
"referenced_uuid": "0351d7a7-3cd7-42ae-82ab-e03d8aee3e08",
"relationship_type": "targeted-by",
"timestamp": "1729755711",
"uuid": "bbf8cee4-9699-4417-a443-83744736d1fd"
},
{
"comment": "",
"object_uuid": "e321b0ca-f9ca-4817-b09f-60a85352790c",
"referenced_uuid": "3423657b-21e9-416c-a2bc-1f43e73f5905",
"relationship_type": "targeted-by",
"timestamp": "1729755711",
"uuid": "c8dd2a56-cf8b-445b-a852-836014c3b013"
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "id",
"timestamp": "1729755710",
"to_ids": false,
"type": "vulnerability",
"uuid": "c3337c14-97de-4b49-a72b-b04ff1e614cc",
"value": "CVE-2024-47575"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "summary",
"timestamp": "1729755710",
"to_ids": false,
"type": "text",
"uuid": "e96e2031-d40c-48f1-98e2-ebb59b5a1b41",
"value": "A missing authentication for critical function in FortiManager 7.6.0, FortiManager 7.4.0 through 7.4.4, FortiManager 7.2.0 through 7.2.7, FortiManager 7.0.0 through 7.0.12, FortiManager 6.4.0 through 6.4.14, FortiManager 6.2.0 through 6.2.12, Fortinet FortiManager Cloud 7.4.1 through 7.4.4, FortiManager Cloud 7.2.1 through 7.2.7, FortiManager Cloud 7.0.1 through 7.0.13, FortiManager Cloud 6.4.1 through 6.4.7 allows attacker to execute arbitrary code or commands via specially crafted requests."
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "modified",
"timestamp": "1729755710",
"to_ids": false,
"type": "datetime",
"uuid": "83c8dd6e-fb05-4b30-9853-92e9e3b4eea9",
"value": "2024-10-24T01:00:00+00:00"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "published",
"timestamp": "1729755710",
"to_ids": false,
"type": "datetime",
"uuid": "ec9dd3ef-0874-491c-ba7e-5a980abbd03b",
"value": "2024-10-23T15:15:00+00:00"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1729755710",
"to_ids": false,
"type": "text",
"uuid": "4e70708a-d144-4739-bb75-98ed62090320",
"value": "Published"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "references",
"timestamp": "1729755710",
"to_ids": false,
"type": "link",
"uuid": "cca6fe5d-c6e9-4058-957a-d77eb87a2131",
"value": "https://fortiguard.fortinet.com/psirt/FG-IR-24-423"
}
]
},
{
"comment": "CVE-2024-47575: Enriched via the cve_advanced module",
"deleted": false,
"description": "Weakness object describing a common weakness enumeration which can describe usable, incomplete, draft or deprecated weakness for software, equipment or hardware.",
"meta-category": "vulnerability",
"name": "weakness",
"template_uuid": "b8713fc0-d7a2-4b27-a182-38ed47966802",
"template_version": "1",
"timestamp": "1729755710",
"uuid": "c3728e8c-9ab9-433a-aa2c-cb3868cfecce",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "id",
"timestamp": "1729755710",
"to_ids": false,
"type": "weakness",
"uuid": "ef67c210-cef3-47a1-a327-c19f8023a774",
"value": "CWE-306"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "name",
"timestamp": "1729755710",
"to_ids": false,
"type": "text",
"uuid": "fed35c09-ee6a-4fc1-ae78-9bf962aa00d1",
"value": "Missing Authentication for Critical Function"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "status",
"timestamp": "1729755710",
"to_ids": false,
"type": "text",
"uuid": "ab2c0047-7739-47d0-ad1b-dd36cbc24a3b",
"value": "Draft"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "weakness-abs",
"timestamp": "1729755710",
"to_ids": false,
"type": "text",
"uuid": "120d8cf4-415b-45fc-a567-0b6ccdabfae7",
"value": "Base"
}
]
},
{
"comment": "CVE-2024-47575: Enriched via the cve_advanced module",
"deleted": false,
"description": "Attack pattern describing a common attack pattern enumeration and classification.",
"meta-category": "vulnerability",
"name": "attack-pattern",
"template_uuid": "35928348-56be-4d7f-9752-a80927936351",
"template_version": "1",
"timestamp": "1729755710",
"uuid": "aeeb0d73-4b25-45ff-b1c3-9c45db5240e6",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "id",
"timestamp": "1729755710",
"to_ids": false,
"type": "text",
"uuid": "b9c90d8a-9cf6-493b-a100-3894e76d7f25",
"value": "62"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "name",
"timestamp": "1729755710",
"to_ids": false,
"type": "text",
"uuid": "91ca80a2-a9cb-4567-ab4a-307b708662f2",
"value": "Cross Site Request Forgery"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "summary",
"timestamp": "1729755710",
"to_ids": false,
"type": "text",
"uuid": "4972e25a-338d-4eed-a024-24ebebeeb81c",
"value": "An attacker crafts malicious web links and distributes them (via web pages, email, etc.), typically in a targeted manner, hoping to induce users to click on the link and execute the malicious action against some third-party application. If successful, the action embedded in the malicious link will be processed and accepted by the targeted application with the users' privilege level. This type of attack leverages the persistence and implicit trust placed in user session cookies by many web applications today. In such an architecture, once the user authenticates to an application and a session cookie is created on the user's system, all following transactions for that session are authenticated using that cookie including potential actions initiated by an attacker and simply \"riding\" the existing session cookie."
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "solutions",
"timestamp": "1729755710",
"to_ids": false,
"type": "text",
"uuid": "36ecb5af-f826-44ab-9586-9ceebf5009c1",
"value": "Use cryptographic tokens to associate a request with a specific action. The token can be regenerated at every request so that if a request with an invalid token is encountered, it can be reliably discarded. The token is considered invalid if it arrived with a request other than the action it was supposed to be associated with. Although less reliable, the use of the optional HTTP Referrer header can also be used to determine whether an incoming request was actually one that the user is authorized for, in the current context. Additionally, the user can also be prompted to confirm an action every time an action concerning potentially sensitive data is invoked. This way, even if the attacker manages to get the user to click on a malicious link and request the desired action, the user has a chance to recover by denying confirmation. This solution is also implicitly tied to using a second factor of authentication before performing such actions. In general, every request must be checked for the appropriate authentication token as well as authorization in the current session context."
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "related-weakness",
"timestamp": "1729755710",
"to_ids": false,
"type": "weakness",
"uuid": "d8f104af-64f6-4a25-95b9-29f6d87cb460",
"value": "CWE-1275"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "related-weakness",
"timestamp": "1729755710",
"to_ids": false,
"type": "weakness",
"uuid": "d7cf8962-5952-44ff-864e-e554be30ebf8",
"value": "CWE-306"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "related-weakness",
"timestamp": "1729755710",
"to_ids": false,
"type": "weakness",
"uuid": "0831f14a-1b99-44fa-afd2-c1edbcd0cd3a",
"value": "CWE-352"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "related-weakness",
"timestamp": "1729755710",
"to_ids": false,
"type": "weakness",
"uuid": "c674df64-6a89-41dc-8c7c-b04a07a1a0b3",
"value": "CWE-664"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "related-weakness",
"timestamp": "1729755710",
"to_ids": false,
"type": "weakness",
"uuid": "0690eb7d-2fa7-4ec7-87a0-84012e36702f",
"value": "CWE-716"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "related-weakness",
"timestamp": "1729755710",
"to_ids": false,
"type": "weakness",
"uuid": "543e7d4b-e62b-401e-a1d4-3d34749d1a7b",
"value": "CWE-732"
}
]
},
{
"comment": "CVE-2024-47575: Enriched via the cve_advanced module",
"deleted": false,
"description": "Attack pattern describing a common attack pattern enumeration and classification.",
"meta-category": "vulnerability",
"name": "attack-pattern",
"template_uuid": "35928348-56be-4d7f-9752-a80927936351",
"template_version": "1",
"timestamp": "1729755710",
"uuid": "854dac5d-31da-4900-8986-c076b24e6e7d",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "id",
"timestamp": "1729755710",
"to_ids": false,
"type": "text",
"uuid": "05c54ada-d8a1-45fe-be3c-e685bd6e9b1d",
"value": "36"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "name",
"timestamp": "1729755710",
"to_ids": false,
"type": "text",
"uuid": "7cb0933b-a9d3-4c04-b612-7de204c4dbbb",
"value": "Using Unpublished Interfaces"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "summary",
"timestamp": "1729755710",
"to_ids": false,
"type": "text",
"uuid": "e93aabab-690a-48a3-ab6e-7c05ed7c6a58",
"value": "An adversary searches for and invokes interfaces that the target system designers did not intend to be publicly available. If these interfaces fail to authenticate requests the attacker may be able to invoke functionality they are not authorized for."
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "prerequisites",
"timestamp": "1729755710",
"to_ids": false,
"type": "text",
"uuid": "77c4fd2f-268c-4cae-90d3-035f1c423a77",
"value": "The architecture under attack must publish or otherwise make available services that clients can attach to, either in an unauthenticated fashion, or having obtained an authentication token elsewhere. The service need not be 'discoverable', but in the event it isn't it must have some way of being discovered by an attacker. This might include listening on a well-known port. Ultimately, the likelihood of exploit depends on discoverability of the vulnerable service."
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "solutions",
"timestamp": "1729755710",
"to_ids": false,
"type": "text",
"uuid": "6ade0188-cc3c-44dd-8389-b51a7e232ef7",
"value": "Authenticating both services and their discovery, and protecting that authentication mechanism simply fixes the bulk of this problem. Protecting the authentication involves the standard means, including: 1) protecting the channel over which authentication occurs, 2) preventing the theft, forgery, or prediction of authentication credentials or the resultant tokens, or 3) subversion of password reset and the like."
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "related-weakness",
"timestamp": "1729755710",
"to_ids": false,
"type": "weakness",
"uuid": "9487f649-4d5b-4381-8820-fca976df18b3",
"value": "CWE-1242"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "related-weakness",
"timestamp": "1729755710",
"to_ids": false,
"type": "weakness",
"uuid": "97cba5d7-469b-4c15-b32b-c81d00780c54",
"value": "CWE-306"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "related-weakness",
"timestamp": "1729755710",
"to_ids": false,
"type": "weakness",
"uuid": "14cf88b2-9a07-479a-b118-d8896356bcfe",
"value": "CWE-693"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "related-weakness",
"timestamp": "1729755710",
"to_ids": false,
"type": "weakness",
"uuid": "dd921ad7-93e3-47e6-993e-96929552f98b",
"value": "CWE-695"
}
]
},
{
"comment": "CVE-2024-47575: Enriched via the cve_advanced module",
"deleted": false,
"description": "Attack pattern describing a common attack pattern enumeration and classification.",
"meta-category": "vulnerability",
"name": "attack-pattern",
"template_uuid": "35928348-56be-4d7f-9752-a80927936351",
"template_version": "1",
"timestamp": "1729755710",
"uuid": "0351d7a7-3cd7-42ae-82ab-e03d8aee3e08",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "id",
"timestamp": "1729755710",
"to_ids": false,
"type": "text",
"uuid": "557af518-c5c5-4886-8671-621a708665fe",
"value": "166"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "name",
"timestamp": "1729755710",
"to_ids": false,
"type": "text",
"uuid": "86197641-ba46-4876-a765-0689c280af4b",
"value": "Force the System to Reset Values"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "summary",
"timestamp": "1729755710",
"to_ids": false,
"type": "text",
"uuid": "0beddaee-f8c1-4855-8d81-281f5a52bc56",
"value": "An attacker forces the target into a previous state in order to leverage potential weaknesses in the target dependent upon a prior configuration or state-dependent factors. Even in cases where an attacker may not be able to directly control the configuration of the targeted application, they may be able to reset the configuration to a prior state since many applications implement reset functions. Since these functions are usually intended as emergency features to return an application to a stable configuration if the current configuration degrades functionality, they may not be as strongly secured as other configuration options. The resetting of values is dangerous as it may enable undesired functionality, disable services, or modify access controls. At the very least this is a nuisance attack since the administrator will need to re-apply their configuration. At worst, this attack can open avenues for powerful attacks against the application, and, if it isn't obvious that the configuration has been reset, these vulnerabilities may be present a long time before they are noticed."
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "prerequisites",
"timestamp": "1729755710",
"to_ids": false,
"type": "text",
"uuid": "05f0f32b-05d9-4f47-a5bd-e63ce9bf750e",
"value": "The targeted application must have a reset function that returns the configuration of the application to an earlier state. The reset functionality must be inadequately protected against use."
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "related-weakness",
"timestamp": "1729755710",
"to_ids": false,
"type": "weakness",
"uuid": "1d9bff4b-db27-4671-a769-a379c5f35cb2",
"value": "CWE-1232"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "related-weakness",
"timestamp": "1729755710",
"to_ids": false,
"type": "weakness",
"uuid": "a6f001c1-3a39-48fc-b5d6-15da26d2f79b",
"value": "CWE-306"
}
]
},
{
"comment": "CVE-2024-47575: Enriched via the cve_advanced module",
"deleted": false,
"description": "Attack pattern describing a common attack pattern enumeration and classification.",
"meta-category": "vulnerability",
"name": "attack-pattern",
"template_uuid": "35928348-56be-4d7f-9752-a80927936351",
"template_version": "1",
"timestamp": "1729755710",
"uuid": "3423657b-21e9-416c-a2bc-1f43e73f5905",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "id",
"timestamp": "1729755710",
"to_ids": false,
"type": "text",
"uuid": "87bde614-4547-4eca-a77b-5ca55a86c118",
"value": "12"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "name",
"timestamp": "1729755710",
"to_ids": false,
"type": "text",
"uuid": "b7dbfc91-b4b1-4082-a822-2f50fd8adcce",
"value": "Choosing Message Identifier"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "summary",
"timestamp": "1729755710",
"to_ids": false,
"type": "text",
"uuid": "b9792651-c34e-4645-be01-b798151053b3",
"value": "This pattern of attack is defined by the selection of messages distributed via multicast or public information channels that are intended for another client by determining the parameter value assigned to that client. This attack allows the adversary to gain access to potentially privileged information, and to possibly perpetrate other attacks through the distribution means by impersonation. If the channel/message being manipulated is an input rather than output mechanism for the system, (such as a command bus), this style of attack could be used to change the adversary's identifier to a more privileged one."
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "prerequisites",
"timestamp": "1729755710",
"to_ids": false,
"type": "text",
"uuid": "29f4bd62-0b76-4d14-9771-d00cbeded47f",
"value": "Information and client-sensitive (and client-specific) data must be present through a distribution channel available to all users. Distribution means must code (through channel, message identifiers, or convention) message destination in a manner visible within the distribution means itself (such as a control channel) or in the messages themselves."
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "solutions",
"timestamp": "1729755710",
"to_ids": false,
"type": "text",
"uuid": "515dcc17-4ba5-4491-bdbb-44a62b0fe11e",
"value": "The purpose is to architect the system in a way that associates proper authentication/authorization with each channel/message. Re-architect system input/output channels as appropriate to distribute self-protecting data. That is, encrypt (or otherwise protect) channels/messages so that only authorized readers can see them."
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "related-weakness",
"timestamp": "1729755710",
"to_ids": false,
"type": "weakness",
"uuid": "878afe21-bbff-427f-9c56-3274ab6694de",
"value": "CWE-201"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "related-weakness",
"timestamp": "1729755710",
"to_ids": false,
"type": "weakness",
"uuid": "6582b190-973a-42a8-b29b-410aab958c9a",
"value": "CWE-306"
}
]
},
{
"comment": "Observed in subs.dat and subs.dat.tmp. This is a disposable email address created by the threat actor.",
"deleted": false,
"description": "Email object describing an email with meta-information",
"meta-category": "network",
"name": "email",
"template_uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552",
"template_version": "19",
"timestamp": "1729756542",
"uuid": "1458d703-c8da-4c3b-a68e-888f00fd2255",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "from",
"timestamp": "1729756542",
"to_ids": true,
"type": "email-src",
"uuid": "01edfd3d-acd2-4303-8221-ac4737c4ddd4",
"value": "0qsc137p@justdefinition.com"
}
]
}
]
}
}