{ "type": "bundle", "id": "bundle--e132e5f2-1a09-43e4-b2d6-8046c730616f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-12-19T08:57:39.000Z", "modified": "2022-12-19T08:57:39.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--e132e5f2-1a09-43e4-b2d6-8046c730616f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-12-19T08:57:39.000Z", "modified": "2022-12-19T08:57:39.000Z", "name": "OSINT - Fortinet says SSL-VPN pre-auth RCE bug is exploited in attacks", "published": "2022-12-19T08:58:29Z", "object_refs": [ "x-misp-attribute--67c635c3-156e-4374-8539-03dc022ead94", "x-misp-attribute--056cf46f-19ac-4d56-b479-2910c6338304", "x-misp-attribute--418c4e99-bc14-4758-acb7-79839693c7a5", "x-misp-attribute--d369428b-c79c-4e53-ac8b-e66b7e37bf35", "x-misp-attribute--27d86af6-151c-4222-90f4-4e78da4ea247", "x-misp-attribute--34941db8-634e-41c6-8547-3f21dc259b8f", "x-misp-attribute--25ec1150-a6b5-4ddd-8fd4-0667afc4791a", "x-misp-attribute--631df53c-1aa6-49cb-8147-2938c98de666", "indicator--c11e8f34-bd5c-455c-97c6-f8e1963cdc9f", "indicator--75c27d03-3cda-44ac-93e3-eefa8fb17262", "indicator--2694f1c0-6740-4581-a259-8258400713ac", "indicator--857a5707-7a4f-4dbe-85ed-ba23bdaf5883", "indicator--28031de1-697f-4cab-9667-a424c98a8ed0", "indicator--01257f8a-da5d-42a1-a530-daf87ab7b111", "indicator--e04f171a-85a5-4e27-a59a-e84fb0c74b0c", "x-misp-object--f22cb310-aa8a-420c-88ba-4cc741d0e3db", "indicator--52dc5914-7a94-4833-a5e9-05a7e4164a26", "indicator--53d7e397-b677-4629-8322-86bfdb015e6d", "indicator--262ad933-c9f4-4a19-b565-7803c1d7ac23", "indicator--f67e3a0b-ac50-41b1-8c51-2c42e4b19d5f", "x-misp-object--f67cc8e8-163a-4b1e-8423-5c05ed994701", "vulnerability--0ac0e406-3025-4f3a-acee-c53a15313c97" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT", "osint:lifetime=\"perpetual\"", "osint:certainty=\"50\"", "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"", "misp-galaxy:mitre-attack-pattern=\"External Remote Services - T1133\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--67c635c3-156e-4374-8539-03dc022ead94", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-12-13T08:02:03.000Z", "modified": "2022-12-13T08:02:03.000Z", "labels": [ "misp:type=\"filename-pattern\"", "misp:category=\"Artifacts dropped\"" ], "x_misp_category": "Artifacts dropped", "x_misp_comment": "IDS not flag not set (as many FPs are possible) but for forensic evaluation it could be useful (as mentioned in Fortinet report as \"Presence of the following artifacts in the filesystem:\").", "x_misp_type": "filename-pattern", "x_misp_value": "/data/lib/libips.bak" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--056cf46f-19ac-4d56-b479-2910c6338304", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-12-13T08:02:03.000Z", "modified": "2022-12-13T08:02:03.000Z", "labels": [ "misp:type=\"filename-pattern\"", "misp:category=\"Artifacts dropped\"" ], "x_misp_category": "Artifacts dropped", "x_misp_comment": "IDS not flag not set (as many FPs are possible) but for forensic evaluation it could be useful (as mentioned in Fortinet report as \"Presence of the following artifacts in the filesystem:\").", "x_misp_type": "filename-pattern", "x_misp_value": "/data/lib/libgif.so" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--418c4e99-bc14-4758-acb7-79839693c7a5", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-12-13T08:02:03.000Z", "modified": "2022-12-13T08:02:03.000Z", "labels": [ "misp:type=\"filename-pattern\"", "misp:category=\"Artifacts dropped\"" ], "x_misp_category": "Artifacts dropped", "x_misp_comment": "IDS not flag not set (as many FPs are possible) but for forensic evaluation it could be useful (as mentioned in Fortinet report as \"Presence of the following artifacts in the filesystem:\").", "x_misp_type": "filename-pattern", "x_misp_value": "/data/lib/libiptcp.so" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--d369428b-c79c-4e53-ac8b-e66b7e37bf35", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-12-13T08:02:03.000Z", "modified": "2022-12-13T08:02:03.000Z", "labels": [ "misp:type=\"filename-pattern\"", "misp:category=\"Artifacts dropped\"" ], "x_misp_category": "Artifacts dropped", "x_misp_comment": "IDS not flag not set (as many FPs are possible) but for forensic evaluation it could be useful (as mentioned in Fortinet report as \"Presence of the following artifacts in the filesystem:\").", "x_misp_type": "filename-pattern", "x_misp_value": "/data/lib/libipudp.so" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--27d86af6-151c-4222-90f4-4e78da4ea247", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-12-13T08:02:03.000Z", "modified": "2022-12-13T08:02:03.000Z", "labels": [ "misp:type=\"filename-pattern\"", "misp:category=\"Artifacts dropped\"" ], "x_misp_category": "Artifacts dropped", "x_misp_comment": "IDS not flag not set (as many FPs are possible) but for forensic evaluation it could be useful (as mentioned in Fortinet report as \"Presence of the following artifacts in the filesystem:\").", "x_misp_type": "filename-pattern", "x_misp_value": "/data/lib/libjepg.so" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--34941db8-634e-41c6-8547-3f21dc259b8f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-12-13T08:02:03.000Z", "modified": "2022-12-13T08:02:03.000Z", "labels": [ "misp:type=\"filename-pattern\"", "misp:category=\"Artifacts dropped\"" ], "x_misp_category": "Artifacts dropped", "x_misp_comment": "IDS not flag not set (as many FPs are possible) but for forensic evaluation it could be useful (as mentioned in Fortinet report as \"Presence of the following artifacts in the filesystem:\").", "x_misp_type": "filename-pattern", "x_misp_value": "/var/.sslvpnconfigbk" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--25ec1150-a6b5-4ddd-8fd4-0667afc4791a", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-12-13T08:02:03.000Z", "modified": "2022-12-13T08:02:03.000Z", "labels": [ "misp:type=\"filename-pattern\"", "misp:category=\"Artifacts dropped\"" ], "x_misp_category": "Artifacts dropped", "x_misp_comment": "IDS not flag not set (as many FPs are possible) but for forensic evaluation it could be useful (as mentioned in Fortinet report as \"Presence of the following artifacts in the filesystem:\").", "x_misp_type": "filename-pattern", "x_misp_value": "/data/etc/wxd.conf" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--631df53c-1aa6-49cb-8147-2938c98de666", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-12-13T08:02:03.000Z", "modified": "2022-12-13T08:02:03.000Z", "labels": [ "misp:type=\"filename-pattern\"", "misp:category=\"Artifacts dropped\"" ], "x_misp_category": "Artifacts dropped", "x_misp_comment": "IDS not flag not set (as many FPs are possible) but for forensic evaluation it could be useful (as mentioned in Fortinet report as \"Presence of the following artifacts in the filesystem:\").", "x_misp_type": "filename-pattern", "x_misp_value": "/flash" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c11e8f34-bd5c-455c-97c6-f8e1963cdc9f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-12-19T08:57:39.000Z", "modified": "2022-12-19T08:57:39.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '139.180.184.197']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-12-19T08:57:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--75c27d03-3cda-44ac-93e3-eefa8fb17262", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-12-19T08:57:39.000Z", "modified": "2022-12-19T08:57:39.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '66.42.91.32']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-12-19T08:57:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--2694f1c0-6740-4581-a259-8258400713ac", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-12-19T08:57:39.000Z", "modified": "2022-12-19T08:57:39.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '158.247.221.101']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-12-19T08:57:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--857a5707-7a4f-4dbe-85ed-ba23bdaf5883", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-12-19T08:57:39.000Z", "modified": "2022-12-19T08:57:39.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '107.148.27.117']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-12-19T08:57:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--28031de1-697f-4cab-9667-a424c98a8ed0", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-12-19T08:57:39.000Z", "modified": "2022-12-19T08:57:39.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '139.180.128.142']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-12-19T08:57:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--01257f8a-da5d-42a1-a530-daf87ab7b111", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-12-19T08:57:39.000Z", "modified": "2022-12-19T08:57:39.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '155.138.224.122']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-12-19T08:57:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e04f171a-85a5-4e27-a59a-e84fb0c74b0c", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-12-19T08:57:39.000Z", "modified": "2022-12-19T08:57:39.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.174.136.20']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-12-19T08:57:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--f22cb310-aa8a-420c-88ba-4cc741d0e3db", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-12-13T07:42:24.000Z", "modified": "2022-12-13T07:42:24.000Z", "labels": [ "misp:name=\"report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "link", "value": "https://www.bleepingcomputer.com/news/security/fortinet-says-ssl-vpn-pre-auth-rce-bug-is-exploited-in-attacks/", "category": "External analysis", "uuid": "7ddc9a29-e3c2-4456-b9ab-0bae752dce65" }, { "type": "text", "object_relation": "summary", "value": "Fortinet urges customers to patch their appliances against an actively exploited FortiOS\u00a0SSL-VPN vulnerability that could allow unauthenticated remote code execution on devices.\r\n\r\nThe security flaw is tracked as CVE-2022-42475 and is a heap-based buffer overflow bug in FortiOS sslvpnd. When exploited, the flaw could allow unauthenticated users to crash devices remotely and potentially perform code execution.", "category": "Other", "uuid": "fc9fe6a2-b019-45db-ae35-c820003f1d8a" }, { "type": "text", "object_relation": "type", "value": "Webpage", "category": "Other", "uuid": "be393bf3-786c-429a-8f25-24d089647e04" } ], "x_misp_meta_category": "misc", "x_misp_name": "report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--52dc5914-7a94-4833-a5e9-05a7e4164a26", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-12-13T07:43:04.000Z", "modified": "2022-12-13T07:43:04.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '188.34.130.40') AND network-traffic:dst_port = '444']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-12-13T07:43:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--53d7e397-b677-4629-8322-86bfdb015e6d", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-12-13T07:43:53.000Z", "modified": "2022-12-13T07:43:53.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.131.189.143') AND network-traffic:dst_port = '30080' AND network-traffic:dst_port = '30081' AND network-traffic:dst_port = '30443' AND network-traffic:dst_port = '20443']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-12-13T07:43:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--262ad933-c9f4-4a19-b565-7803c1d7ac23", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-12-13T07:44:47.000Z", "modified": "2022-12-13T07:44:47.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '192.36.119.61') AND network-traffic:dst_port = '8443' AND network-traffic:dst_port = '444']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-12-13T07:44:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f67e3a0b-ac50-41b1-8c51-2c42e4b19d5f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-12-13T07:46:00.000Z", "modified": "2022-12-13T07:46:00.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '172.247.168.153') AND network-traffic:dst_port = '8033']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-12-13T07:46:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--f67cc8e8-163a-4b1e-8423-5c05ed994701", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-12-13T07:47:21.000Z", "modified": "2022-12-13T07:47:21.000Z", "labels": [ "misp:name=\"report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "link", "value": "https://www.fortiguard.com/psirt/FG-IR-22-398", "category": "External analysis", "uuid": "82bced44-b858-4224-9526-2c58e794b1f9" }, { "type": "text", "object_relation": "summary", "value": "A heap-based buffer overflow vulnerability [CWE-122]\u00a0in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.", "category": "Other", "uuid": "2eb3baf8-5377-427d-a4de-fa1a351ecc7d" }, { "type": "text", "object_relation": "type", "value": "Report", "category": "Other", "uuid": "1ef68fcd-2b25-447f-8e71-48a6d80acaaf" } ], "x_misp_meta_category": "misc", "x_misp_name": "report" }, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--0ac0e406-3025-4f3a-acee-c53a15313c97", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-12-13T07:54:53.000Z", "modified": "2022-12-13T07:54:53.000Z", "name": "CVE-2022-42475", "description": "FG-IR-22-398", "labels": [ "misp:name=\"vulnerability\"", "misp:meta-category=\"vulnerability\"", "misp:to_ids=\"False\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2022-42475" } ], "x_misp_state": "Vulnerability ID Assigned", "x_misp_summary": "FortiOS version 7.2.0 through 7.2.2\r\nFortiOS version 7.0.0 through 7.0.8\r\nFortiOS version 6.4.0 through 6.4.10\r\nFortiOS version 6.2.0 through 6.2.11\r\nFortiOS-6K7K version 7.0.0 through 7.0.7\r\nFortiOS-6K7K version 6.4.0 through 6.4.9\r\nFortiOS-6K7K version 6.2.0 through 6.2.11\r\nFortiOS-6K7K version 6.0.0 through 6.0.14\r\nare vulnerable" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }