{
|
|
"Event": {
|
|
"analysis": "0",
|
|
"date": "2022-06-22",
|
|
"extends_uuid": "",
|
|
"info": "Kinsing & Dark.IoT botnet among threats targeting CVE-2022-26134",
|
|
"publish_timestamp": "1666604816",
|
|
"published": true,
|
|
"threat_level_id": "4",
|
|
"timestamp": "1666604798",
|
|
"uuid": "d4766c50-0269-4cda-acea-850ea4fdb198",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#004646",
|
|
"local": "0",
|
|
"name": "type:OSINT",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0071c3",
|
|
"local": "0",
|
|
"name": "osint:lifetime=\"perpetual\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0087e8",
|
|
"local": "0",
|
|
"name": "osint:certainty=\"50\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#00223b",
|
|
"local": "0",
|
|
"name": "osint:source-type=\"blog-post\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:malpedia=\"Kinsing\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:mitre-malware=\"Kinsing - S0599\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:threat-actor=\"Kinsing\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:cryptominers=\"Hezb\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:threat-actor=\"Hezb\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:botnet=\"Dark.IoT\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:malpedia=\"Dark\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#22681c",
|
|
"local": "0",
|
|
"name": "\tmalware_classification:malware-category=\"Botnet\"",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1663076645",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "4cbe3026-379e-43e7-89ce-ba08ed0bcf76",
|
|
"value": "94.247.43.254"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1663076645",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "a5b7f457-b85c-4ceb-a8ce-1f3b653a3a66",
|
|
"value": "95.217.229.211"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1663076645",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "646bcbe5-10a3-4bd5-b52e-6608be4ced00",
|
|
"value": "162.243.19.47"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1663076645",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "caf56edd-20b9-4fae-ada7-43e979f55650",
|
|
"value": "94.16.114.254"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1663076645",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "6d726652-bae4-4c18-a2d6-b9193ec6172d",
|
|
"value": "194.36.144.87"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1663076850",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "7d8e361a-5752-4f4b-ab62-da4d626e8113",
|
|
"value": "144.76.157.242"
|
|
}
|
|
],
|
|
"Object": [
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Metadata used to generate an executive level report",
|
|
"meta-category": "misc",
|
|
"name": "report",
|
|
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
|
|
"template_version": "7",
|
|
"timestamp": "1663069596",
|
|
"uuid": "68ea0702-5482-4dc6-bb9b-c7ee42e24f88",
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "link",
|
|
"timestamp": "1663069596",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "2a6e251d-8098-4c55-b905-1a78c839dfd1",
|
|
"value": "https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "summary",
|
|
"timestamp": "1663069596",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "cf625c35-4682-4b13-b077-3323a0a3544c",
|
|
"value": "Details regarding the recent Confluence OGNL (CVE-2022-26134) exploit were released to the public on June 3rd 2022. Shortly following this, Lacework Labs began seeing multiple attacks in the wild from both uncategorized and named threats. While this was expected, there appears to be more widespread exploitation of CVE-2022-26134 compared to previous Confluence vulnerabilities."
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "type",
|
|
"timestamp": "1663069596",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "2dad185a-880c-47a2-beb4-bdf4503dd0d7",
|
|
"value": "Blog"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Vulnerability object describing a common vulnerability enumeration which can describe published, unpublished, under review or embargo vulnerability for software, equipments or hardware.",
|
|
"meta-category": "vulnerability",
|
|
"name": "vulnerability",
|
|
"template_uuid": "81650945-f186-437b-8945-9f31715d32da",
|
|
"template_version": "8",
|
|
"timestamp": "1663074056",
|
|
"uuid": "94ad2c57-e806-4bc4-8d35-82656f7c879e",
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "id",
|
|
"timestamp": "1663074056",
|
|
"to_ids": false,
|
|
"type": "vulnerability",
|
|
"uuid": "31536d40-3e57-45b1-86fb-9f43b04c6914",
|
|
"value": "CVE-2022-26134"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
|
|
"meta-category": "network",
|
|
"name": "domain-ip",
|
|
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
|
|
"template_version": "11",
|
|
"timestamp": "1663076512",
|
|
"uuid": "e660021e-01d4-42b5-b46c-77e4fa89c50d",
|
|
"Attribute": [
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "domain",
|
|
"timestamp": "1663076512",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "f7ec96cb-3ac7-47ad-a6f9-e715181e7234",
|
|
"value": "tempest.lib"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "ip",
|
|
"timestamp": "1663076512",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "893bdfd0-4931-44ab-bfd2-a050c1a9ca8f",
|
|
"value": "62.4.23.97"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
|
|
"meta-category": "network",
|
|
"name": "domain-ip",
|
|
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
|
|
"template_version": "11",
|
|
"timestamp": "1663077120",
|
|
"uuid": "1b1f9efe-f9ef-435a-8877-d87132ce36a5",
|
|
"Attribute": [
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "domain",
|
|
"timestamp": "1663077120",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "8b503e5c-061f-49e4-9b25-f72ff7ef5745",
|
|
"value": "dragon.lib"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "ip",
|
|
"timestamp": "1663077120",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "60ed342f-8cf0-4663-a535-8b97a998942f",
|
|
"value": "193.70.30.98"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
|
|
"meta-category": "network",
|
|
"name": "domain-ip",
|
|
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
|
|
"template_version": "11",
|
|
"timestamp": "1663077305",
|
|
"uuid": "104829a9-42bc-4f65-a0cb-1a0ad5cc8729",
|
|
"Attribute": [
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "domain",
|
|
"timestamp": "1663077305",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "ba6dbce5-0b6f-4eca-894c-a01c36f64756",
|
|
"value": "blacknurse.lib"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "ip",
|
|
"timestamp": "1663077305",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "4ac4d5ed-8309-4a8a-84d5-f65ce72a1981",
|
|
"value": "5.206.227.244"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
|
|
"meta-category": "network",
|
|
"name": "domain-ip",
|
|
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
|
|
"template_version": "11",
|
|
"timestamp": "1663077484",
|
|
"uuid": "f02dc5ba-1544-42ca-9a5a-291927cca971",
|
|
"Attribute": [
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "domain",
|
|
"timestamp": "1663077484",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "ca7780b2-a239-4c74-843b-04f82e94fd13",
|
|
"value": "babaroga.lib"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "ip",
|
|
"timestamp": "1663077484",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "e049c725-bfde-4467-9529-f2dac2efcbf4",
|
|
"value": "203.0.113.0"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
} |