{ "type": "bundle", "id": "bundle--9802116c-3ec3-4a8e-8b39-5c69b08df5ab", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2024-04-13T15:43:56.000Z", "modified": "2024-04-13T15:43:56.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--9802116c-3ec3-4a8e-8b39-5c69b08df5ab", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2024-04-13T15:43:56.000Z", "modified": "2024-04-13T15:43:56.000Z", "name": "OSINT - Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)", "published": "2024-04-13T15:44:14Z", "object_refs": [ "vulnerability--d59172f5-ad8b-4b0d-8c17-f9a6bda23de0", "indicator--e35ebfcb-027e-4fb0-a1de-068121a30af9", "indicator--af170b81-f692-401e-9a7a-dcd090a82f36", "indicator--0090d107-48f1-473c-92c8-9995f8df86c1", "indicator--1bf69d21-1511-4706-9827-13f11a7c602d", "indicator--9e5a170a-8246-4ad0-8cb3-886b61ac6e29", "indicator--3b065774-3bd2-4387-baf1-0815b9f07301", "indicator--e9227309-0a42-4772-8b49-aaaaaca8c25e", "indicator--46678675-7083-4935-a139-23809fd3e63f", "indicator--bbf52063-1901-4b76-96b2-51a252d63f6b", "indicator--cdc97c09-bb75-4bb2-81b4-b5d4a7556b2b", "indicator--84975d5f-3811-4d77-957a-d0ef1a5a0667", "indicator--359ffec8-c6a6-4fc1-a841-0bf9220401f6", "indicator--9d0b011a-872f-42de-a2cc-8353d6928863", "vulnerability--5bef5cb3-abb2-4eb1-831a-e8965c8e47b2", "x-misp-object--04e823a2-8ab9-4403-ac81-350f4a8f27a1", "relationship--994ac0e1-4859-48c3-bcaa-a396856c7f9e" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"", "misp-galaxy:mitre-attack-pattern=\"External Remote Services - T1133\"", "type:OSINT", "osint:lifetime=\"perpetual\"", "tlp:clear" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] 
}, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--d59172f5-ad8b-4b0d-8c17-f9a6bda23de0", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2024-04-13T15:34:31.000Z", "modified": "2024-04-13T15:34:31.000Z", "name": "CVE-2024-3400", "labels": [ "misp:type=\"vulnerability\"", "misp:category=\"Payload delivery\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2024-3400" } ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e35ebfcb-027e-4fb0-a1de-068121a30af9", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2024-04-13T15:35:32.000Z", "modified": "2024-04-13T15:35:32.000Z", "description": "Server used by the attacker to host malicious files.", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '198.58.109.149']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2024-04-13T15:35:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--af170b81-f692-401e-9a7a-dcd090a82f36", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2024-04-13T15:35:32.000Z", "modified": "2024-04-13T15:35:32.000Z", "description": "Server used by the attacker to host malicious files.", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '144.172.79.92']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2024-04-13T15:35:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] 
}, { "type": "indicator", "spec_version": "2.1", "id": "indicator--0090d107-48f1-473c-92c8-9995f8df86c1", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2024-04-13T15:35:32.000Z", "modified": "2024-04-13T15:35:32.000Z", "description": "Server used by the attacker to host malicious files.", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '172.233.228.93']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2024-04-13T15:35:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1bf69d21-1511-4706-9827-13f11a7c602d", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2024-04-13T15:36:03.000Z", "modified": "2024-04-13T15:36:03.000Z", "description": "Compromised ASUS router used by attacker to interact with compromised devices", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '71.9.135.100']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2024-04-13T15:36:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9e5a170a-8246-4ad0-8cb3-886b61ac6e29", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2024-04-13T15:36:19.000Z", "modified": "2024-04-13T15:36:19.000Z", "description": "Surfshark VPN address used in exploitation attempts.", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '89.187.187.69']", "pattern_type": "stix", "pattern_version": 
"2.1", "valid_from": "2024-04-13T15:36:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3b065774-3bd2-4387-baf1-0815b9f07301", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2024-04-13T15:36:37.000Z", "modified": "2024-04-13T15:36:37.000Z", "description": "Compromised S3 bucket used to host files by UTA0218", "pattern": "[domain-name:value = 'nhdata.s3-us-west-2.amazonaws.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2024-04-13T15:36:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e9227309-0a42-4772-8b49-aaaaaca8c25e", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2024-04-13T15:37:02.000Z", "modified": "2024-04-13T15:37:02.000Z", "description": "Compromised ASUS router used by attacker to interact with compromised devices", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '23.242.208.175']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2024-04-13T15:37:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--46678675-7083-4935-a139-23809fd3e63f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2024-04-13T15:37:02.000Z", "modified": "2024-04-13T15:37:02.000Z", "description": "Compromised ASUS router used by attacker to interact with 
compromised devices", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '137.118.185.101']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2024-04-13T15:37:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--bbf52063-1901-4b76-96b2-51a252d63f6b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2024-04-13T15:37:24.000Z", "modified": "2024-04-13T15:37:24.000Z", "description": "Surfshark VPN address used in exploitation attempts.", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '66.235.168.222']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2024-04-13T15:37:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--cdc97c09-bb75-4bb2-81b4-b5d4a7556b2b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2024-04-13T15:38:06.000Z", "modified": "2024-04-13T15:38:06.000Z", "pattern": "rule apt_malware_py_upstyle : UTA0218\r\n{\r\n meta:\r\n author = \\\\\"threatintel@volexity.com\\\\\"\r\n date = \\\\\"2024-04-11\\\\\"\r\n description = \\\\\"Detect the UPSTYLE webshell.\\\\\"\r\n hash1 = \\\\\"3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac\\\\\"\r\n hash2 = \\\\\"0d59d7bddac6c22230187ef6cf7fa22bca93759edc6f9127c41dc28a2cea19d8\\\\\"\r\n hash3 = \\\\\"4dd4bd027f060f325bf6a90d01bfcf4e7751a3775ad0246beacc6eb2bad5ec6f\\\\\"\r\n os = \\\\\"linux\\\\\"\r\n os_arch = \\\\\"all\\\\\"\r\n report = \\\\\"TIB-20240412\\\\\"\r\n scan_context = 
\\\\\"file,memory\\\\\"\r\n last_modified = \\\\\"2024-04-12T13:05Z\\\\\"\r\n license = \\\\\"See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt\\\\\"\r\n rule_id = 10429\r\n version = 2\r\n\r\n strings:\r\n $stage1_str1 = \\\\\"/opt/pancfg/mgmt/licenses/PA_VM\\\\\"\r\n $stage1_str2 = \\\\\"exec(base64.\\\\\"\r\n\r\n $stage2_str1 = \\\\\"signal.signal(signal.SIGTERM,stop)\\\\\"\r\n $stage2_str2 = \\\\\"exec(base64.\\\\\"\r\n\r\n $stage3_str1 = \\\\\"write(\\\\\\\\\"/*\\\\\\\\\"+output+\\\\\\\\\"*/\\\\\\\\\")\\\\\"\r\n $stage3_str2 = \\\\\"SHELL_PATTERN\\\\\"\r\n\r\n condition:\r\n all of ($stage1*) or\r\n all of ($stage2*) or\r\n all of ($stage3*)\r\n}", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2024-04-13T15:38:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"yara\"", "misp:meta-category=\"misc\"", "misp:to_ids=\"True\"" ], "x_misp_context": "all" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--84975d5f-3811-4d77-957a-d0ef1a5a0667", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2024-04-13T15:38:41.000Z", "modified": "2024-04-13T15:38:41.000Z", "pattern": "rule susp_any_gost_arguments\r\n{\r\n meta:\r\n author = \\\\\"threatintel@volexity.com\\\\\"\r\n date = \\\\\"2024-04-10\\\\\"\r\n description = \\\\\"Looks for common arguments passed to the hacktool GOST that are sometimes used by attackers in scripts (for example cronjobs etc).\\\\\"\r\n os = \\\\\"all\\\\\"\r\n os_arch = \\\\\"all\\\\\"\r\n report = \\\\\"TIB-20240412\\\\\"\r\n scan_context = \\\\\"file\\\\\"\r\n last_modified = \\\\\"2024-04-12T13:06Z\\\\\"\r\n license = \\\\\"See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt\\\\\"\r\n rule_id = 10425\r\n version = 2\r\n\r\n strings:\r\n $s1 = \\\\\"-L=socks5://\\\\\" ascii\r\n $s2 = \\\\\"-L rtcp://\\\\\" ascii\r\n\r\n condition:\r\n filesize < 10KB and\r\n 
any of them\r\n}", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2024-04-13T15:38:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"yara\"", "misp:meta-category=\"misc\"", "misp:to_ids=\"True\"" ], "x_misp_context": "all" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--359ffec8-c6a6-4fc1-a841-0bf9220401f6", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2024-04-13T15:39:52.000Z", "modified": "2024-04-13T15:39:52.000Z", "pattern": "rule susp_any_jarischf_user_path\r\n{\r\n meta:\r\n author = \\\\\"threatintel@volexity.com\\\\\"\r\n date = \\\\\"2024-04-10\\\\\"\r\n description = \\\\\"Detects paths embedded in samples in released projects written by Ferdinand Jarisch, a pentester in AISEC. These tools are sometimes used by attackers in real world intrusions.\\\\\"\r\n hash1 = \\\\\"161fd76c83e557269bee39a57baa2ccbbac679f59d9adff1e1b73b0f4bb277a6\\\\\"\r\n os = \\\\\"all\\\\\"\r\n os_arch = \\\\\"all\\\\\"\r\n report = \\\\\"TIB-20240412\\\\\"\r\n scan_context = \\\\\"file,memory\\\\\"\r\n last_modified = \\\\\"2024-04-12T13:06Z\\\\\"\r\n license = \\\\\"See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt\\\\\"\r\n rule_id = 10424\r\n version = 4\r\n\r\n strings:\r\n $proj_1 = \\\\\"/home/jarischf/\\\\\"\r\n\r\n condition:\r\n any of ($proj_*)\r\n}", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2024-04-13T15:39:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"yara\"", "misp:meta-category=\"misc\"", "misp:to_ids=\"True\"" ], "x_misp_context": "all" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9d0b011a-872f-42de-a2cc-8353d6928863", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2024-04-13T15:40:17.000Z", "modified": "2024-04-13T15:40:17.000Z", "pattern": "rule 
hacktool_golang_reversessh_fahrj\r\n{\r\n meta:\r\n author = \\\\\"threatintel@volexity.com\\\\\"\r\n date = \\\\\"2024-04-10\\\\\"\r\n description = \\\\\"Detects a reverse SSH utility available on GitHub. Attackers may use this tool or similar tools in post-exploitation activity.\\\\\"\r\n hash1 = \\\\\"161fd76c83e557269bee39a57baa2ccbbac679f59d9adff1e1b73b0f4bb277a6\\\\\"\r\n os = \\\\\"all\\\\\"\r\n os_arch = \\\\\"all\\\\\"\r\n reference = \\\\\"https://github.com/Fahrj/reverse-ssh\\\\\"\r\n report = \\\\\"TIB-20240412\\\\\"\r\n scan_context = \\\\\"file,memory\\\\\"\r\n last_modified = \\\\\"2024-04-12T13:06Z\\\\\"\r\n license = \\\\\"See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt\\\\\"\r\n rule_id = 10423\r\n version = 5\r\n\r\n strings:\r\n $fun_1 = \\\\\"createLocalPortForwardingCallback\\\\\"\r\n $fun_2 = \\\\\"createReversePortForwardingCallback\\\\\"\r\n $fun_3 = \\\\\"createPasswordHandler\\\\\"\r\n $fun_4 = \\\\\"createPublicKeyHandler\\\\\"\r\n $fun_5 = \\\\\"createSFTPHandler\\\\\"\r\n $fun_6 = \\\\\"dialHomeAndListen\\\\\"\r\n $fun_7 = \\\\\"createExtraInfoHandler\\\\\"\r\n $fun_8 = \\\\\"createSSHSessionHandler\\\\\"\r\n $fun_9 = \\\\\"createReversePortForwardingCallback\\\\\"\r\n\r\n $proj_1 = \\\\\"github.com/Fahrj/reverse-ssh\\\\\"\r\n\r\n condition:\r\n any of ($proj_*) or\r\n 4 of ($fun_*)\r\n}", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2024-04-13T15:40:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"yara\"", "misp:meta-category=\"misc\"", "misp:to_ids=\"True\"" ], "x_misp_context": "all" }, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--5bef5cb3-abb2-4eb1-831a-e8965c8e47b2", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2024-04-13T15:40:29.000Z", "modified": "2024-04-13T15:40:29.000Z", "name": "CVE-2024-3400", "description": "A command injection vulnerability 
in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.\n\nFixes for PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 are in development and are expected to be released by April 14, 2024. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability. All other versions of PAN-OS are also not impacted.", "labels": [ "misp:name=\"vulnerability\"", "misp:meta-category=\"vulnerability\"", "misp:to_ids=\"False\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2024-3400" }, { "source_name": "url", "url": "https://security.paloaltonetworks.com/CVE-2024-3400" } ], "x_misp_modified": "2024-04-13T01:00:00+00:00", "x_misp_published": "2024-04-12T08:15:00+00:00", "x_misp_state": "Published" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--04e823a2-8ab9-4403-ac81-350f4a8f27a1", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2024-04-13T15:40:57.000Z", "modified": "2024-04-13T15:40:57.000Z", "labels": [ "misp:name=\"report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "link", "value": "https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/", "category": "External analysis", "uuid": "e0a8434e-5cf3-42b4-915d-e379b2200543" }, { "type": "text", "object_relation": "summary", "value": "Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)", "category": "Other", "uuid": "50a54b52-d8a7-4eda-8941-22914ff73321" }, { "type": "text", "object_relation": "type", "value": "Blog", "category": "Other", "uuid": "c7f265fb-ff27-413e-b32f-0b5873e6a45e" } ], "x_misp_meta_category": "misc", "x_misp_name": "report" }, { 
"type": "relationship", "spec_version": "2.1", "id": "relationship--994ac0e1-4859-48c3-bcaa-a396856c7f9e", "created": "2024-04-13T15:40:29.000Z", "modified": "2024-04-13T15:40:29.000Z", "relationship_type": "related-to", "source_ref": "vulnerability--5bef5cb3-abb2-4eb1-831a-e8965c8e47b2", "target_ref": "vulnerability--d59172f5-ad8b-4b0d-8c17-f9a6bda23de0" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }