{"Event": {"info": "OSINT -  AESDDoS Botnet Malware Exploits CVE-2019-3396 to Perform Remote Code Execution, DDoS Attacks, and Cryptocurrency Mining", "Tag": [{"colour": "#00223b", "exportable": true, "name": "osint:source-type=\"blog-post\""}, {"colour": "#ffffff", "exportable": true, "name": "tlp:white"}, {"colour": "#72003d", "exportable": true, "name": "workflow:todo=\"add-missing-misp-galaxy-cluster-values\""}, {"colour": "#22681c", "exportable": true, "name": "malware_classification:malware-category=\"Botnet\""}], "publish_timestamp": "0", "timestamp": "1556786521", "Object": [{"comment": "", "template_uuid": "81650945-f186-437b-8945-9f31715d32da", "uuid": "5ccaa846-4cc4-4b86-badd-48c9950d210f", "sharing_group_id": "0", "timestamp": "1556785222", "description": "Vulnerability object describing a common vulnerability enumeration which can describe published, unpublished, under review or embargo vulnerability for software, equipments or hardware.", "template_version": "5", "Attribute": [{"comment": "", "category": "Other", "uuid": "5ccaa846-c408-414c-9089-49e6950d210f", "timestamp": "1556785222", "to_ids": false, "value": "Published", "disable_correlation": true, "object_relation": "state", "type": "text"}, {"comment": "", "category": "Other", "uuid": "5ccaa846-1e1c-47e7-91c1-4e02950d210f", "timestamp": "1556785222", "to_ids": false, "value": "CVE-2019-3396", "disable_correlation": false, "object_relation": "id", "type": "text"}], "distribution": "5", "meta-category": "vulnerability", "name": "vulnerability"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5ccaa8c5-e6bc-4cb0-9102-4b99950d210f", "sharing_group_id": "0", "timestamp": "1556785349", "description": "File object describing a file with meta-information", "template_version": "17", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5ccaa8c5-bff0-4bad-b764-487f950d210f", "timestamp": "1556785349", "to_ids": true, "value": "b14d5602c8aa16e3db4518832d567a4ca5b9545ce09f9a87684d58f8b1d9daaf", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}, {"comment": "", "category": "Other", "uuid": "5ccaa8c5-6cf8-44ad-96a5-472b950d210f", "timestamp": "1556785349", "to_ids": false, "value": "Malicious", "disable_correlation": true, "object_relation": "state", "type": "text"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5ccaa97d-d23c-402d-98a5-4373950d210f", "sharing_group_id": "0", "timestamp": "1556785533", "description": "File object describing a file with meta-information", "template_version": "17", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5ccaa97d-e9dc-46dc-9bbb-4cfa950d210f", "timestamp": "1556785533", "to_ids": true, "value": "2e4f18e28830771414c9d0cb99c1696d202fe001d1aa41f64d2f7ce6aef7f7c4", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}, {"comment": "", "category": "Other", "uuid": "5ccaa97d-9fd8-4742-acc4-4045950d210f", "timestamp": "1556785533", "to_ids": false, "value": "Malicious", "disable_correlation": true, "object_relation": "state", "type": "text"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5ccaac11-9dc4-4811-9b60-b711950d210f", "sharing_group_id": "0", "timestamp": "1556786193", "description": "File object describing a file with meta-information", "template_version": "17", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5ccaac11-9c60-4820-8ea1-b711950d210f", "timestamp": "1556786193", "to_ids": true, "value": "f82dc01b04dfbdab3ccaacd20449395e0175d9ab4f0732019651480358d44ac6", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}, {"comment": "", "category": "Other", "uuid": "5ccaac11-4e90-4cac-bf33-b711950d210f", "timestamp": "1556786193", "to_ids": false, "value": "Malicious", "disable_correlation": true, "object_relation": "state", "type": "text"}], "distribution": "5", "meta-category": "file", "name": "file"}], "analysis": "0", "Attribute": [{"comment": "", "category": "External analysis", "uuid": "5ccaa784-cd9c-454e-b957-b833950d210f", "timestamp": "1556785028", "to_ids": false, "value": "https://blog.trendmicro.com/trendlabs-security-intelligence/aesddos-botnet-malware-exploits-cve-2019-3396-to-perform-remote-code-execution-ddos-attacks-and-cryptocurrency-mining/", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "", "category": "External analysis", "uuid": "5ccaa7f1-ed14-40d2-88a6-4fa1950d210f", "timestamp": "1556785137", "to_ids": false, "value": "Our honeypot sensors recently detected an AESDDoS botnet malware variant (detected by Trend Micro as Backdoor.Linux.AESDDOS.J) exploiting a server-side template injection vulnerability (CVE-2019-3396) in the Widget Connector macro in Atlassian Confluence Server, a collaboration software program used by DevOps professionals.\r\n\r\nWe discovered that this malware variant can perform DDoS attacks, remote code execution, and cryptocurrency mining on systems that run vulnerable versions of Confluence Server and Data Center. Atlassian already took steps to fix these issues and recommended that users upgrade to the latest version (6.15.1).", "disable_correlation": false, "object_relation": null, "type": "text"}], "extends_uuid": "", "published": false, "date": "2019-04-26", "Orgc": {"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", "name": "CIRCL"}, "threat_level_id": "3", "uuid": "5cca9eb0-d22c-45cc-829d-40d6950d210f"}}