{
"type": "bundle",
"id": "bundle--5cca9eb0-d22c-45cc-829d-40d6950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-02T08:42:01.000Z",
"modified": "2019-05-02T08:42:01.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "grouping",
"spec_version": "2.1",
"id": "grouping--5cca9eb0-d22c-45cc-829d-40d6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-02T08:42:01.000Z",
"modified": "2019-05-02T08:42:01.000Z",
"name": "OSINT - AESDDoS Botnet Malware Exploits CVE-2019-3396 to Perform Remote Code Execution, DDoS Attacks, and Cryptocurrency Mining",
"context": "suspicious-activity",
"object_refs": [
"observed-data--5ccaa784-cd9c-454e-b957-b833950d210f",
"url--5ccaa784-cd9c-454e-b957-b833950d210f",
"x-misp-attribute--5ccaa7f1-ed14-40d2-88a6-4fa1950d210f",
"vulnerability--5ccaa846-4cc4-4b86-badd-48c9950d210f",
"indicator--5ccaa8c5-e6bc-4cb0-9102-4b99950d210f",
"indicator--5ccaa97d-d23c-402d-98a5-4373950d210f",
"indicator--5ccaac11-9dc4-4811-9b60-b711950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"osint:source-type=\"blog-post\"",
"workflow:todo=\"add-missing-misp-galaxy-cluster-values\"",
"malware_classification:malware-category=\"Botnet\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ccaa784-cd9c-454e-b957-b833950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-02T08:17:08.000Z",
"modified": "2019-05-02T08:17:08.000Z",
"first_observed": "2019-05-02T08:17:08Z",
"last_observed": "2019-05-02T08:17:08Z",
"number_observed": 1,
"object_refs": [
"url--5ccaa784-cd9c-454e-b957-b833950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5ccaa784-cd9c-454e-b957-b833950d210f",
"value": "https://blog.trendmicro.com/trendlabs-security-intelligence/aesddos-botnet-malware-exploits-cve-2019-3396-to-perform-remote-code-execution-ddos-attacks-and-cryptocurrency-mining/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5ccaa7f1-ed14-40d2-88a6-4fa1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-02T08:18:57.000Z",
"modified": "2019-05-02T08:18:57.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "Our honeypot sensors recently detected an AESDDoS botnet malware variant (detected by Trend Micro as Backdoor.Linux.AESDDOS.J) exploiting a server-side template injection vulnerability (CVE-2019-3396) in the Widget Connector macro in Atlassian Confluence Server, a collaboration software program used by DevOps professionals.\r\n\r\nWe discovered that this malware variant can perform DDoS attacks, remote code execution, and cryptocurrency mining on systems that run vulnerable versions of Confluence Server and Data Center. Atlassian already took steps to fix these issues and recommended that users upgrade to the latest version (6.15.1)."
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--5ccaa846-4cc4-4b86-badd-48c9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-02T08:20:22.000Z",
"modified": "2019-05-02T08:20:22.000Z",
"name": "CVE-2019-3396",
"labels": [
"misp:name=\"vulnerability\"",
"misp:meta-category=\"vulnerability\"",
"misp:to_ids=\"False\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2019-3396"
}
],
"x_misp_state": "Published"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ccaa8c5-e6bc-4cb0-9102-4b99950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-02T08:22:29.000Z",
"modified": "2019-05-02T08:22:29.000Z",
"pattern": "[file:hashes.SHA256 = 'b14d5602c8aa16e3db4518832d567a4ca5b9545ce09f9a87684d58f8b1d9daaf' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-02T08:22:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ccaa97d-d23c-402d-98a5-4373950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-02T08:25:33.000Z",
"modified": "2019-05-02T08:25:33.000Z",
"pattern": "[file:hashes.SHA256 = '2e4f18e28830771414c9d0cb99c1696d202fe001d1aa41f64d2f7ce6aef7f7c4' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-02T08:25:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ccaac11-9dc4-4811-9b60-b711950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-02T08:36:33.000Z",
"modified": "2019-05-02T08:36:33.000Z",
"pattern": "[file:hashes.SHA256 = 'f82dc01b04dfbdab3ccaacd20449395e0175d9ab4f0732019651480358d44ac6' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-02T08:36:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}