{ "type": "bundle", "id": "bundle--d4766c50-0269-4cda-acea-850ea4fdb198", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-10-24T09:46:38.000Z", "modified": "2022-10-24T09:46:38.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--d4766c50-0269-4cda-acea-850ea4fdb198", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-10-24T09:46:38.000Z", "modified": "2022-10-24T09:46:38.000Z", "name": "Kinsing & Dark.IoT botnet among threats targeting CVE-2022-26134", "published": "2022-10-24T09:46:56Z", "object_refs": [ "indicator--4cbe3026-379e-43e7-89ce-ba08ed0bcf76", "indicator--a5b7f457-b85c-4ceb-a8ce-1f3b653a3a66", "indicator--646bcbe5-10a3-4bd5-b52e-6608be4ced00", "indicator--caf56edd-20b9-4fae-ada7-43e979f55650", "indicator--6d726652-bae4-4c18-a2d6-b9193ec6172d", "indicator--7d8e361a-5752-4f4b-ab62-da4d626e8113", "x-misp-object--68ea0702-5482-4dc6-bb9b-c7ee42e24f88", "vulnerability--94ad2c57-e806-4bc4-8d35-82656f7c879e", "indicator--e660021e-01d4-42b5-b46c-77e4fa89c50d", "indicator--1b1f9efe-f9ef-435a-8877-d87132ce36a5", "indicator--104829a9-42bc-4f65-a0cb-1a0ad5cc8729", "indicator--f02dc5ba-1544-42ca-9a5a-291927cca971" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT", "osint:lifetime=\"perpetual\"", "osint:certainty=\"50\"", "osint:source-type=\"blog-post\"", "misp-galaxy:malpedia=\"Kinsing\"", "misp-galaxy:mitre-malware=\"Kinsing - S0599\"", "misp-galaxy:threat-actor=\"Kinsing\"", "misp-galaxy:cryptominers=\"Hezb\"", "misp-galaxy:threat-actor=\"Hezb\"", "misp-galaxy:botnet=\"Dark.IoT\"", "misp-galaxy:malpedia=\"Dark\"", "\tmalware_classification:malware-category=\"Botnet\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--4cbe3026-379e-43e7-89ce-ba08ed0bcf76", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-09-13T13:44:05.000Z", "modified": "2022-09-13T13:44:05.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '94.247.43.254']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-09-13T13:44:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a5b7f457-b85c-4ceb-a8ce-1f3b653a3a66", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-09-13T13:44:05.000Z", "modified": "2022-09-13T13:44:05.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '95.217.229.211']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-09-13T13:44:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--646bcbe5-10a3-4bd5-b52e-6608be4ced00", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-09-13T13:44:05.000Z", "modified": "2022-09-13T13:44:05.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '162.243.19.47']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-09-13T13:44:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--caf56edd-20b9-4fae-ada7-43e979f55650", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-09-13T13:44:05.000Z", "modified": "2022-09-13T13:44:05.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '94.16.114.254']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-09-13T13:44:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--6d726652-bae4-4c18-a2d6-b9193ec6172d", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-09-13T13:44:05.000Z", "modified": "2022-09-13T13:44:05.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '194.36.144.87']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-09-13T13:44:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7d8e361a-5752-4f4b-ab62-da4d626e8113", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-09-13T13:47:30.000Z", "modified": "2022-09-13T13:47:30.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '144.76.157.242']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-09-13T13:47:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--68ea0702-5482-4dc6-bb9b-c7ee42e24f88", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-09-13T11:46:36.000Z", "modified": "2022-09-13T11:46:36.000Z", "labels": [ "misp:name=\"report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "link", "value": "https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/", "category": "External analysis", "uuid": "2a6e251d-8098-4c55-b905-1a78c839dfd1" }, { "type": "text", "object_relation": "summary", "value": "Details regarding the recent Confluence OGNL (CVE-2022-26134) exploit were released to the public on June 3rd 2022. Shortly following this, Lacework Labs began seeing multiple attacks in the wild from both uncategorized and named threats. While this was expected, there appears to be more widespread exploitation of CVE-2022-26134 compared to previous Confluence vulnerabilities.", "category": "Other", "uuid": "cf625c35-4682-4b13-b077-3323a0a3544c" }, { "type": "text", "object_relation": "type", "value": "Blog", "category": "Other", "uuid": "2dad185a-880c-47a2-beb4-bdf4503dd0d7" } ], "x_misp_meta_category": "misc", "x_misp_name": "report" }, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--94ad2c57-e806-4bc4-8d35-82656f7c879e", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-09-13T13:00:56.000Z", "modified": "2022-09-13T13:00:56.000Z", "name": "CVE-2022-26134", "labels": [ "misp:name=\"vulnerability\"", "misp:meta-category=\"vulnerability\"", "misp:to_ids=\"False\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2022-26134" } ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e660021e-01d4-42b5-b46c-77e4fa89c50d", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-09-13T13:41:52.000Z", "modified": "2022-09-13T13:41:52.000Z", "pattern": "[domain-name:value = 'tempest.lib' AND domain-name:resolves_to_refs[*].value = '62.4.23.97']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-09-13T13:41:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1b1f9efe-f9ef-435a-8877-d87132ce36a5", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-09-13T13:52:00.000Z", "modified": "2022-09-13T13:52:00.000Z", "pattern": "[domain-name:value = 'dragon.lib' AND domain-name:resolves_to_refs[*].value = '193.70.30.98']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-09-13T13:52:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--104829a9-42bc-4f65-a0cb-1a0ad5cc8729", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-09-13T13:55:05.000Z", "modified": "2022-09-13T13:55:05.000Z", "pattern": "[domain-name:value = 'blacknurse.lib' AND domain-name:resolves_to_refs[*].value = '5.206.227.244']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-09-13T13:55:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f02dc5ba-1544-42ca-9a5a-291927cca971", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-09-13T13:58:04.000Z", "modified": "2022-09-13T13:58:04.000Z", "pattern": "[domain-name:value = 'babaroga.lib' AND domain-name:resolves_to_refs[*].value = '203.0.113.0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-09-13T13:58:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }