misp-circl-feed/feeds/circl/misp/ab1a2393-2d57-46c9-91ab-16a4cc4b0b03.json

{
"Event": {
"analysis": "2",
"date": "2024-01-11",
"extends_uuid": "",
"info": "Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN",
"publish_timestamp": "1704964687",
"published": true,
"threat_level_id": "1",
"timestamp": "1704964651",
"uuid": "ab1a2393-2d57-46c9-91ab-16a4cc4b0b03",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"",
"relationship_type": ""
},
{
"colour": "#004646",
"local": false,
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#0071c3",
"local": false,
"name": "osint:lifetime=\"perpetual\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:clear",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "Network activity",
"comment": "DigitalOcean IP address tied to UTA0178",
"deleted": false,
"disable_correlation": false,
"timestamp": "1704964075",
"to_ids": true,
"type": "ip-dst",
"uuid": "f1d712c8-f336-400d-bbf0-c9e8b27a795b",
"value": "206.189.208.156"
},
{
"category": "Network activity",
"comment": "Suspected UTA0178 domain discovered via domain registration patterns",
"deleted": false,
"disable_correlation": false,
"timestamp": "1704964099",
"to_ids": true,
"type": "domain",
"uuid": "de5c9a32-5ba3-4239-92d8-de6c2142358b",
"value": "gpoaccess.com"
},
{
"category": "Network activity",
"comment": "Suspected UTA0178 domain discovered via domain registration patterns",
"deleted": false,
"disable_correlation": false,
"timestamp": "1704964119",
"to_ids": true,
"type": "domain",
"uuid": "ada02401-f889-4449-b295-8601cf5f38b8",
"value": "webb-institute.com"
},
{
"category": "Network activity",
"comment": "UTA0178 domain used to collect credentials from compromised devices",
"deleted": false,
"disable_correlation": false,
"timestamp": "1704964137",
"to_ids": true,
"type": "domain",
"uuid": "728e4788-1426-4e11-83f9-b8f48687977f",
"value": "symantke.com"
},
{
"category": "Network activity",
"comment": "UTA0178 IP address observed interacting with compromised device",
"deleted": false,
"disable_correlation": false,
"timestamp": "1704964169",
"to_ids": true,
"type": "ip-dst",
"uuid": "32fbec85-2e02-4189-b059-371cf8bb3a10",
"value": "75.145.243.85"
},
{
"category": "Network activity",
"comment": "UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network",
"deleted": false,
"disable_correlation": false,
"timestamp": "1704964198",
"to_ids": true,
"type": "ip-dst",
"uuid": "218e87c7-80fc-4da2-ad8e-b2bcf45d400a",
"value": "47.207.9.89"
},
{
"category": "Network activity",
"comment": "UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network",
"deleted": false,
"disable_correlation": false,
"timestamp": "1704964198",
"to_ids": true,
"type": "ip-dst",
"uuid": "1f1dbd3d-97bb-48dd-a894-fc3677083c9d",
"value": "98.160.48.170"
},
{
"category": "Network activity",
"comment": "UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network",
"deleted": false,
"disable_correlation": false,
"timestamp": "1704964198",
"to_ids": true,
"type": "ip-dst",
"uuid": "641694ff-1188-4881-b338-7d937166b227",
"value": "173.220.106.166"
},
{
"category": "Network activity",
"comment": "UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network",
"deleted": false,
"disable_correlation": false,
"timestamp": "1704964198",
"to_ids": true,
"type": "ip-dst",
"uuid": "80f560c4-17af-4dad-bb29-a571855158f3",
"value": "73.128.178.221"
},
{
"category": "Network activity",
"comment": "UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network",
"deleted": false,
"disable_correlation": false,
"timestamp": "1704964198",
"to_ids": true,
"type": "ip-dst",
"uuid": "e32a8926-cd0d-4ef6-a9d5-299285c308d5",
"value": "50.243.177.161"
},
{
"category": "Network activity",
"comment": "UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network",
"deleted": false,
"disable_correlation": false,
"timestamp": "1704964198",
"to_ids": true,
"type": "ip-dst",
"uuid": "4ff1da96-2964-420e-b7b9-342ab6b4531a",
"value": "50.213.208.89"
},
{
"category": "Network activity",
"comment": "UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network",
"deleted": false,
"disable_correlation": false,
"timestamp": "1704964198",
"to_ids": true,
"type": "ip-dst",
"uuid": "03660afe-c0b1-47cb-b2b4-a655462bc508",
"value": "64.24.179.210"
},
{
"category": "Network activity",
"comment": "UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network",
"deleted": false,
"disable_correlation": false,
"timestamp": "1704964198",
"to_ids": true,
"type": "ip-dst",
"uuid": "8ddecf8b-e114-49bc-aec0-3411cea29b3a",
"value": "75.145.224.109"
},
{
"category": "Network activity",
"comment": "UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network",
"deleted": false,
"disable_correlation": false,
"timestamp": "1704964198",
"to_ids": true,
"type": "ip-dst",
"uuid": "bba1dda1-0549-4ff3-9bd5-a171607feff0",
"value": "50.215.39.49"
},
{
"category": "Network activity",
"comment": "UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network",
"deleted": false,
"disable_correlation": false,
"timestamp": "1704964198",
"to_ids": true,
"type": "ip-dst",
"uuid": "d986eda3-042b-4545-b215-67b958f2158a",
"value": "71.127.149.194"
},
{
"category": "Network activity",
"comment": "UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network",
"deleted": false,
"disable_correlation": false,
"timestamp": "1704964198",
"to_ids": true,
"type": "ip-dst",
"uuid": "273692af-e54a-47e3-868c-2f4127a9926b",
"value": "173.53.43.7"
}
],
"Object": [
{
"comment": "GLASSTOKEN webshells",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1704964428",
"uuid": "a0a58c68-a293-4c79-855e-d3d2d7a7485c",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"data": "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",
"deleted": false,
"disable_correlation": false,
"object_relation": "malware-sample",
"timestamp": "1704964428",
"to_ids": true,
"type": "malware-sample",
"uuid": "198c92e6-5974-4931-8166-972fc376417f",
"value": "glasstoken_v2.aspx|701fdc38b2dc9a605fe3f0877baca62e"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1704964428",
"to_ids": false,
"type": "filename",
"uuid": "e80cd2db-8d89-4d82-ad4e-5a2ba04c83bc",
"value": "glasstoken_v2.aspx"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1704964428",
"to_ids": true,
"type": "md5",
"uuid": "e3bf9fff-c45a-4912-8c9d-398275442888",
"value": "701fdc38b2dc9a605fe3f0877baca62e"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1704964428",
"to_ids": true,
"type": "sha1",
"uuid": "daadaa0f-96b1-44db-b3c9-869d91eed257",
"value": "4602efceb1cca1f2521193a6703362f27d424a91"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1704964428",
"to_ids": true,
"type": "sha256",
"uuid": "d3974a44-1bb9-427b-9aec-12787ff9c4ed",
"value": "a24d442980715a861674d45085c2f2c138c8a2354cc9c2cb02395533f6d37d85"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1704964428",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "a48f49b6-9e84-4677-98e9-545e33fa045e",
"value": "818"
}
]
},
{
"comment": "GLASSTOKEN webshells",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1704964428",
"uuid": "3fe18b3b-2e24-4db0-b0b4-5646f8a97f02",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"data": "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",
"deleted": false,
"disable_correlation": false,
"object_relation": "malware-sample",
"timestamp": "1704964428",
"to_ids": true,
"type": "malware-sample",
"uuid": "cb06bc81-796b-495f-a090-e303964cf3ee",
"value": "glasstoken_v1.aspx|da0e21202e53d590e4258a893456ab44"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1704964428",
"to_ids": false,
"type": "filename",
"uuid": "1aac0eb2-152c-4de5-9ec2-64f374b4303c",
"value": "glasstoken_v1.aspx"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1704964428",
"to_ids": true,
"type": "md5",
"uuid": "8a7ea89a-0824-4256-b3df-79b65524b65c",
"value": "da0e21202e53d590e4258a893456ab44"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1704964428",
"to_ids": true,
"type": "sha1",
"uuid": "01841c46-8c1a-403a-9361-d943daf1d1e5",
"value": "dec06ef16010de8a3a713d929b33bbc0ca0d4380"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1704964428",
"to_ids": true,
"type": "sha256",
"uuid": "72bc57fe-2af9-460f-87c2-eb50c1defefb",
"value": "00161c82ad7b297bb96d06c24706e6688ea1fdd54399aeebc442e36c6cf5bee0"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1704964428",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "29ee9092-bc4f-4941-a8ff-48fc7e930171",
"value": "2265"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1704964484",
"uuid": "928de076-6e3d-4492-b5d5-36ba2008bfdc",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1704964484",
"to_ids": false,
"type": "text",
"uuid": "eaad9a3f-452b-4fe3-b39d-ddd1bc219c34",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1704964484",
"to_ids": true,
"type": "yara",
"uuid": "4b571dc9-f9cc-4bcb-b65a-e17ab890cd1a",
"value": "rule hacktool_py_pysoxy\r\n{\r\n meta:\r\n author = \"threatintel@volexity.com\"\r\n date = \"2024-01-09\"\r\n description = \"SOCKS5 proxy tool used to relay connections.\"\r\n hash1 = \"e192932d834292478c9b1032543c53edfc2b252fdf7e27e4c438f4b249544eeb\"\r\n os = \"all\"\r\n os_arch = \"all\"\r\n reference = \"https://github.com/MisterDaneel/pysoxy/blob/master/pysoxy.py\"\r\n report = \"TIB-20240109\"\r\n scan_context = \"file,memory\"\r\n last_modified = \"2024-01-09T13:45Z\"\r\n license = \"See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt\"\r\n rule_id = 10065\r\n version = 3\r\n\r\n strings:\r\n $s1 = \"proxy_loop\" ascii\r\n $s2 = \"connect_to_dst\" ascii\r\n $s3 = \"request_client\" ascii\r\n $s4 = \"subnegotiation_client\" ascii\r\n $s5 = \"bind_port\" ascii\r\n\r\n condition:\r\n all of them\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1704964484",
"to_ids": false,
"type": "text",
"uuid": "785666a0-8ded-4c0c-8208-c15f0e7e7f71",
"value": "hacktool_py_pysoxy"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1704964524",
"uuid": "97b583de-2744-4fac-80e2-56e10ee609e7",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1704964524",
"to_ids": false,
"type": "text",
"uuid": "dd82d423-9038-4089-b25e-63360206963d",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1704964524",
"to_ids": true,
"type": "yara",
"uuid": "a4afb9f4-d67b-46b9-80ce-a77892532bd5",
"value": "rule webshell_aspx_regeorg\r\n{\r\n meta:\r\n author = \"threatintel@volexity.com\"\r\n date = \"2018-08-29\"\r\n description = \"Detects the reGeorg webshell based on common strings in the webshell. May also detect other webshells which borrow code from ReGeorg.\"\r\n hash = \"9d901f1a494ffa98d967ee6ee30a46402c12a807ce425d5f51252eb69941d988\"\r\n os = \"win\"\r\n os_arch = \"all\"\r\n reference = \"https://github.com/L-codes/Neo-reGeorg/blob/master/templates/tunnel.aspx\"\r\n report = \"TIB-20231215\"\r\n scan_context = \"file,memory\"\r\n last_modified = \"2024-01-09T10:04Z\"\r\n license = \"See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt\"\r\n rule_id = 410\r\n version = 7\r\n\r\n strings:\r\n $a1 = \"every office needs a tool like Georg\" ascii\r\n $a2 = \"cmd = Request.QueryString.Get(\\\"cmd\\\")\" ascii\r\n $a3 = \"exKak.Message\" ascii\r\n\r\n $proxy1 = \"if (rkey != \\\"Content-Length\\\" && rkey != \\\"Transfer-Encoding\\\")\"\r\n\r\n $proxy_b1 = \"StreamReader repBody = new StreamReader(response.GetResponseStream(), Encoding.GetEncoding(\\\"UTF-8\\\"));\" ascii\r\n $proxy_b2 = \"string rbody = repBody.ReadToEnd();\" ascii\r\n $proxy_b3 = \"Response.AddHeader(\\\"Content-Length\\\", rbody.Length.ToString());\" ascii\r\n\r\n condition:\r\n any of ($a*) or\r\n $proxy1 or\r\n all of ($proxy_b*)\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1704964524",
"to_ids": false,
"type": "text",
"uuid": "41deffc4-e31c-4b9f-88c9-5b6347e176ae",
"value": "webshell_aspx_regeorg"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1704964556",
"uuid": "f1c5f3fa-9eb1-48b7-afac-b325b0eb7678",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1704964556",
"to_ids": false,
"type": "text",
"uuid": "bed8040c-3c51-4653-b2c7-1bf2bbc4e5f9",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1704964556",
"to_ids": true,
"type": "yara",
"uuid": "33ae6f26-d8eb-4d52-9fa0-1b673a68e7a2",
"value": "rule apt_webshell_aspx_glasstoken: UTA0178\r\n{\r\n meta:\r\n author = \"threatintel@volexity.com\"\r\n date = \"2023-12-12\"\r\n description = \"Detection for a custom webshell seen on external facing server. The webshell contains two functions, the first is to act as a Tunnel, using code borrowed from reGeorg, the second is custom code to execute arbitrary .NET code.\"\r\n hash1 = \"26cbb54b1feb75fe008e36285334d747428f80aacdb57badf294e597f3e9430d\"\r\n os = \"win\"\r\n os_arch = \"all\"\r\n report = \"TIB-20231215\"\r\n scan_context = \"file,memory\"\r\n last_modified = \"2024-01-09T10:08Z\"\r\n license = \"See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt\"\r\n rule_id = 9994\r\n version = 5\r\n\r\n strings:\r\n $s1 = \"=Convert.FromBase64String(System.Text.Encoding.Default.GetString(\" ascii\r\n $re = /Assembly\\.Load\\(errors\\)\\.CreateInstance\\(\"[a-z0-9A-Z]{4,12}\"\\).GetHashCode\\(\\);/\r\n\r\n condition:\r\n for any i in (0..#s1):\r\n (\r\n $re in (@s1[i]..@s1[i]+512)\r\n )\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1704964556",
"to_ids": false,
"type": "text",
"uuid": "c1728ab0-c186-475e-9449-d8b440498d34",
"value": "apt_webshell_aspx_glasstoken"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1704964589",
"uuid": "0ad979bb-2a53-4901-b0ce-57b059bbe50e",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1704964589",
"to_ids": false,
"type": "text",
"uuid": "3e730816-2bd9-4aeb-b0c7-cae9d6b5ecbb",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1704964589",
"to_ids": true,
"type": "yara",
"uuid": "d122a589-41d1-4181-8f31-2cffc3186a0b",
"value": "rule apt_webshell_pl_complyshell: UTA0178\r\n{\r\n meta:\r\n author = \"threatintel@volexity.com\"\r\n date = \"2023-12-13\"\r\n description = \"Detection for the COMPLYSHELL webshell.\"\r\n hash1 = \"8bc8f4da98ee05c9d403d2cb76097818de0b524d90bea8ed846615e42cb031d2\"\r\n os = \"linux\"\r\n os_arch = \"all\"\r\n report = \"TIB-20231215\"\r\n scan_context = \"file,memory\"\r\n last_modified = \"2024-01-09T10:05Z\"\r\n license = \"See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt\"\r\n rule_id = 9995\r\n version = 4\r\n\r\n strings:\r\n $s = \"eval{my $c=Crypt::RC4->new(\"\r\n\r\n condition:\r\n $s\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1704964589",
"to_ids": false,
"type": "text",
"uuid": "bde8d41a-6cd3-4c53-a7bc-0a18929aad37",
"value": "apt_webshell_pl_complyshell"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Report object to describe a report along with its metadata.",
"meta-category": "misc",
"name": "report",
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
"template_version": "8",
"timestamp": "1704964651",
"uuid": "da71a896-f3b8-41c8-8c55-021aba0d14a7",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "link",
"timestamp": "1704964651",
"to_ids": false,
"type": "link",
"uuid": "731eabc1-de80-4ba2-8926-7708dcb4275b",
"value": "https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "summary",
"timestamp": "1704964651",
"to_ids": false,
"type": "text",
"uuid": "96a02e09-d398-400d-836e-4aadd424f28f",
"value": "Volexity has uncovered active in-the-wild exploitation of two vulnerabilities allowing unauthenticated remote code execution in Ivanti Connect Secure VPN devices. An official security advisory and knowledge base article have been released by Ivanti that includes mitigation that should be applied immediately. However, a mitigation does not remedy a past or ongoing compromise. Systems should simultaneously be thoroughly analyzed per details in this post to look for signs of a breach.\r\n\r\nDuring the second week of December 2023, Volexity detected suspicious lateral movement on the network of one of its Network Security Monitoring service customers. Upon closer inspection, Volexity found that an attacker was placing webshells on multiple internal and external-facing web servers. These detections kicked off an incident response investigation across multiple systems that Volexity ultimately tracked back to the organization's Internet-facing Ivanti Connect Secure (ICS) VPN appliance (formerly known as Pulse Connect Secure, or simply Pulse Secure). A closer inspection of the ICS VPN appliance showed that its logs had been wiped and logging had been disabled. Further review of historic network traffic from the device also revealed suspect outbound and inbound communication from its management IP address. Volexity found that there was suspect activity originating from the device as early as December 3, 2023.\r\n\r\nAt this point in its incident response investigation, Volexity suspected a zero-day exploit was likely at play but did not yet have enough evidence to support this theory. Volexity and its customer worked closely with Ivanti in order to obtain disk and memory images from the impacted devices. Forensic analysis of the collected data provided insight into a variety of the attacker's tools, malware, and methods for operating."
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "title",
"timestamp": "1704964651",
"to_ids": false,
"type": "text",
"uuid": "00fc2f04-1a99-4428-9daf-3023e1815aa5",
"value": "Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1704964651",
"to_ids": false,
"type": "text",
"uuid": "419da355-8e16-4be2-8ab5-a43bf512e0eb",
"value": "Blog"
}
]
}
]
}
}