misp-circl-feed/feeds/circl/stix-2.1/233c76c8-f94a-4ff7-9664-b666618e9de4.json

184 lines
655 KiB
JSON
Raw Normal View History

2024-08-07 08:13:15 +00:00
{
"type": "bundle",
"id": "bundle--233c76c8-f94a-4ff7-9664-b666618e9de4",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-02-12T10:29:16.000Z",
"modified": "2024-02-12T10:29:16.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--233c76c8-f94a-4ff7-9664-b666618e9de4",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-02-12T10:29:16.000Z",
"modified": "2024-02-12T10:29:16.000Z",
"name": "OSINT - Ivanti Connect Secure: Journey to the core of the DSLog backdoor",
"published": "2024-02-12T10:29:21Z",
"object_refs": [
"indicator--56987adb-df31-41d6-a45d-a09395d5a45f",
"x-misp-object--817cf557-d986-42c5-8cdf-3a55abf9d54d",
"indicator--949f5d0e-5d7d-4c46-afac-447c7bdbbc7e",
"x-misp-object--6d6dd94f-1bf8-4d9d-b1d3-60300f6a10c1"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"PAP:CLEAR",
"misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"50\"",
"tlp:clear"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56987adb-df31-41d6-a45d-a09395d5a45f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-02-12T08:25:41.000Z",
"modified": "2024-02-12T08:25:41.000Z",
"description": "Massive exploitation activity (comment: sounds like a VPN gateway)",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '159.65.123.122']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-02-12T08:25:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--817cf557-d986-42c5-8cdf-3a55abf9d54d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-02-12T08:25:05.000Z",
"modified": "2024-02-12T08:25:05.000Z",
"labels": [
"misp:name=\"report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "link",
"value": "https://www.orangecyberdefense.com/fileadmin/general/pdf/Ivanti_Connect_Secure_-_Journey_to_the_core_of_the_DSLog_backdoor.pdf",
"category": "External analysis",
"uuid": "6b91027e-e603-47b6-81b5-3ad1b1ed994f"
},
{
"type": "text",
"object_relation": "summary",
"value": "Ivanti Connect Secure:\r\nJourney to the core of the\r\nDSLog backdoor",
"category": "Other",
"uuid": "74b6e33a-318e-48dc-8d2b-8540b20262a0"
},
{
"type": "text",
"object_relation": "title",
"value": "Ivanti Connect Secure: Journey to the core of the DSLog backdoor",
"category": "Other",
"uuid": "ebb95e49-3784-448e-b5d2-fc5e120da03a"
},
{
"type": "text",
"object_relation": "type",
"value": "Report",
"category": "Other",
"uuid": "b2ee8936-f137-41d5-93c1-4e6920da6648"
},
{
"type": "attachment",
"object_relation": "report-file",
"value": "Ivanti_Connect_Secure_-_Journey_to_the_core_of_the_DSLog_backdoor.pdf",
"category": "External analysis",
"uuid": "e16e7849-f6a6-4b4c-aac8-4a22f9469495",
"data": "JVBERi0xLjYNJeLjz9MNCjQ5NSAwIG9iag08PC9MaW5lYXJpemVkIDEvTCA0OTczNjYvTyA0OTcvRSA0NTU2OS9OIDEyL1QgNDk2ODY1L0ggWyA1MjUgNDgwXT4+DWVuZG9iag0gICAgICAgICAgICAgDQo1MjEgMCBvYmoNPDwvRGVjb2RlUGFybXM8PC9Db2x1bW5zIDQvUHJlZGljdG9yIDEyPj4vRmlsdGVyL0ZsYXRlRGVjb2RlL0lEWzw4MTg3NEI2MDcxOUI3MDQ5QUYxOTg4NDIxNUVBNDMwNz48REY2Q0U1M0FBREI5OTI0MjlDNjQ4QzFDQjE0NDRCRTk+XS9JbmRleFs0OTUgMzhdL0luZm8gNDk0IDAgUi9MZW5ndGggMTE1L1ByZXYgNDk2ODY2L1Jvb3QgNDk2IDAgUi9TaXplIDUzMy9UeXBlL1hSZWYvV1sxIDIgMV0+PnN0cmVhbQ0KaN5iYmQQYGBiYL4LJBinAgmmzSBuGYirCWLtAYldARIsN4AE618Q8QpE/AKJvQCx/oFY20HEbxBXC6R3BpAQWQEkjEOBhGIfkOCeDSQYTEHm6YOUMIGIaUAi4DYDEyNjHUgWJEok8Z9R+jtAgAEAr1UUXQ0KZW5kc3RyZWFtDWVuZG9iag1zdGFydHhyZWYNCjANCiUlRU9GDQogICAgICAgIA0KNTMyIDAgb2JqDTw8L0MgNDQ1L0ZpbHRlci9GbGF0ZURlY29kZS9JIDQ2Ny9MZW5ndGggMzg1L08gNDI5L1MgMzI2Pj5zdHJlYW0NCmjeYmBgYAKiRQysDAycCxmEGBBACCjGxsDCwLHBiYFBgcOFQeN7AwODq4/QQ2bFg+xN+zbw/mVldzA42/2AbVXwU7Z1fnOuXIDpdeLxlEg53O8oMjvLwYnHLa7giHQd88VS5caJD5oFJ/PVMV9w3dLIYagCUiN2iUXhCYgBFLGUEHzm0yh+IefbJAuB5onPfCx/8APF+dxcOF+csd0h7ymR5PDAmcNTLs1YyUkkoXbzJaAyAZBFINMKgAzxIAaGio4OBkZB9Y6ODqCDGdw7oIwKMM2WDqQYmM1BbCUTqGRoOEQNM0gSpNvFrQIiEw4iGMWBbDzeBxoux8A6exKQlgBiVXAYmDIIMNYxOzJ8YWpnnM+8mOUEy1aWo8ybWU6yNDEfY/nKkCxcbKygEMmdBlT7i+EsYyKjMaMD49WI2T1MTIIVEQzfGeR5bjNoecUxOrLYwQJWm4E9LgxIMwIjrRRI6zCwJ5wG0iwMDLJ+8KgzYmCf9BqiivEbQIABANRahU8NCmVuZHN0cmVhbQ1lbmRvYmoNNDk2IDAgb2JqDTw8L01hcmtJbmZvPDwvTWFya2VkIHRydWU+Pi9NZXRhZGF0YSA0OCAwIFIvT3V0bGluZXMgNzIgMCBSL1BhZ2VMYXlvdXQvT25lQ29sdW1uL1BhZ2VzIDQ5MSAwIFIvU3RydWN0VHJlZVJvb3QgOTUgMCBSL1R5cGUvQ2F0YWxvZz4+DWVuZG9iag00OTcgMCBvYmoNPDwvQ29udGVudHNbNTAyIDAgUiA1MDMgMCBSIDUwNCAwIFIgNTA1IDAgUiA1MDYgMCBSIDUwNyAwIFIgNTA4IDAgUiA1MTAgMCBSXS9Dcm9wQm94WzAuMCAwLjAgNTk1LjAyIDg0MS45OF0vR3JvdXAgNTMxIDAgUi9NZWRpYUJveFswLjAgMC4wIDU5NS4wMiA4NDEuOThdL1BhcmVudCA0OTIgMCBSL1Jlc291cmNlczw8L0NvbG9yU3BhY2U8PC9DUzAgNTIyIDAgUi9DUzEgNTIzIDAgUj4+L0V4dEdTdGF0ZTw8L0dTMCA1MjQgMCBSPj4vRm9udDw8L1RUMCA1MjYgMCBSL1RUMSA1MjggMCBSL1RUMiA1MzAgMCBSPj4vUHJvY1NldFsvUERGL1RleHQvSW1hZ2VDL0ltYWdlSV0vWE9iamVjdDw8L0ltMCA1MDkgMCBSL0ltMSA1MTggMCBSL0ltMiA1MjAgMCBSPj4+Pi9Sb3RhdGUgMC9TdHJ1Y3RQYXJlbnRzIDAvVGFicy9TL1R5cGUvUGFnZT4+DWVuZG9iag00OTggMCBvYmoNPDwvRmlsdGVyL0ZsYXRlRGVjb2RlL0ZpcnN0IDc5L0xlbmd0aCA3ODkvTiAxMC9UeXBlL09ialN0bT4+c3RyZWFtDQpo3qxWbU8TQRD+K/NRY3B3b98TQ9JWECKg4UBUwoezXeHi9a7pHQb+vTNzbUmJpUJMM5m5nfeZfTa1WQYSbKZBK2QGHDELynrkDoyib5QD8QBBW+QR9QoFLUF5F1BQkKkQ4FIc1pN0lybiffpdjtPphyFoAxajSDi9+psasyvH2nfvxOAwh59F1SYxPBYnzXxaVGI0APVWik+fF5pPn49BiXwA3fw2ify4aH+haZ3E2f0sib277kPeFV0S44L9mlnvt7tL8dtxqjuIzotRMTtI5fVNB14ZrKfX7GQmiP2quG5BZ2K/qbvhsLm73FHOsQ6UtJL8r1i5X0zL6v7VQap+p67EjMbCEQV93avLKmXYH834lE9OimkS5wdHo72Pb1ZeJ+k27bAb2+TdPHXjm2X/dHTRV6qlFIddUZXjQX1dJZAi79L0CzjTN0+m1Mm8nHXNXHxdNIgD5u6HRZvI5KkC9upxMynra3FR1oO6LVff++W87UY3xXw5mIdEfGOow6PiwSS//dFRTWe4JS7urDmvSwyWwMTI5quaMdmku2kvMx+u1vbk9cv35B35b9iTtXDaTIt6fU96fU8n59+PP357NCZ227Ins2FPIWzZk1/f0xMFvHBPfn1PKvinFmWl3LgoyGwEg0+EtT0pidYOn4SlkkjbDJzsz3SIPdd65bSNOBYSxVgSnQeScc0uWPD4hnlJTxe+Ud6Ax7x0RvmtiuCc73286m1d78sc/UlmP9RRjIhNEef4yLkPrJm4XMzEaowZ9RrPouM4XDflzzLOTzzYRc+kJ3skngNG0/SUkg5lb7EWFVg2QfZ50Z+448zbf8uZ0XKIljX/2884vd3i/6EU578Zpd7CsKkm6yA16yA9+v7ty+HoEUbIawtG/QaMKiOfB9LNBbwQo/ERRjP1NEbVZozKZ/8eezHAEFzeKKaVXewvreSr/GDPIDKRgUPf0Zi/ZCEYLOG65HzFSY4EtbCwIilKx6cMygXRY0KgoweGAZVJCHg3GJAq9hd0lD/80RA5Tq+o21kxT/X4fnf3jwADAHsBcOANCmVuZHN0cmVhbQ1lbmRvYmoNNDk5IDAgb2JqDTw8L0ZpbHRlci9GbGF0ZURlY29kZS9MZW5ndGggMjI2Pj5zdHJlYW0NCkiJXJDPasQgEMbvPsUcdw+L2ZwlULYUcugfmvYBjE5SoRllYg55+442bKEDKuP3/eRz9K1/7Clk0G8c3YAZpkCecY0bO4QR50Dq2oIPLh9d3d1ik9ICD/uacelpisoY0O8irpl3OD34OOJZ6Vf2yIFmOH3ehjPoYUvpGxekDA10HXic5KFnm17sgqArdum96CHvF2H+HB97Qmhrf/0N46LHNVmHbGlGZRqpDsyTVKeQ/D/9oMbJfVlWpi3eppGjeI/bQsnn4B7JbcySpk6gxigBAuF9SCkmEKos9SPAANnGbzANCmVuZHN0cmVhbQ1lbmRvYmoNNTAwIDAgb2JqDTw8L0ZpbHRlci9GbGF0ZURlY29kZS9MZW5ndGggNjI5Pj5zdHJlYW0NCkiJXNTNauJQGMbxfa7iLNtFieb9akAEa1twMR+MMxegybETGGOIduHdTx6f0oERNP+QnOTnWbzlevO86btLKr+Pp2abL+nQ9e2Yz6f3sclpn9+6vphXqe2ay8fZ7bc57oainBZvr+dLPm76w6lYLFL5Y7p4vozXdLdqT/t8X5TfxjaPXf+W7n6tt/ep3L4Pw598zP0lzdJymdp8mB70ZTd83R1zKm/LHjbtdL27XB+mNf/u+Hkdcqpu53NimlObz8OuyeOuf8vFYjZ9lmnxOn2WRe7b/67PZzOu2x+a37uxWF
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--949f5d0e-5d7d-4c46-afac-447c7bdbbc7e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-02-12T08:29:31.000Z",
"modified": "2024-02-12T08:29:31.000Z",
"pattern": "[file:x_misp_state = 'Malicious' AND file:x_misp_fullpath = '/root/home/webserver/htdocs/dana-na/imgs/index.txt' AND file:x_misp_fullpath = '/root/home/webserver/htdocs/dana-na/imgs/index1.txt' AND file:x_misp_fullpath = '/root/home/webserver/htdocs/dana-na/imgs/logo.png' AND file:x_misp_fullpath = '/root/home/webserver/htdocs/dana-na/imgs/index2.txt' AND file:x_misp_fullpath = '/root/home/perl/DSLog.pm']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-02-12T08:29:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--6d6dd94f-1bf8-4d9d-b1d3-60300f6a10c1",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-02-12T10:25:21.000Z",
"modified": "2024-02-12T10:25:21.000Z",
"labels": [
"misp:name=\"report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "link",
"value": "https://www.orangecyberdefense.com/global/blog/cybersecurity/ivanti-0-day",
"category": "External analysis",
"uuid": "a192481b-64f6-45f4-bb73-1b67f057c5a5"
},
{
"type": "text",
"object_relation": "title",
"value": "CERT alert: Zero-day in Ivanti software (Update 09. Feb)",
"category": "Other",
"uuid": "dc9f2478-c01d-4358-9969-a1b708a01334"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "report"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}