
Analyzing STIX Vulnerabilities with IP Intelligence: Analyzing Criminal IP Data in STIX (1)

This article describes how Criminal IP's threat intelligence data can be used when analyzing vulnerabilities in STIX. It walks through several cases in which Criminal IP threat intelligence data is expressed in STIX™ (Structured Threat Information Expression) and analyzed.

For how Criminal IP data is converted to STIX, see the Criminal IP STIX integration case study and Criminal IP's official GitHub repository.

STIX vulnerability analysis 1: Analyzing the relationships among the MISP indicators, open ports, vulnerabilities, and Exploit DB entries associated with an IP address
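The bundle below encodes each open port as a course-of-action named with the port number, links it to a software or tool object, links the tool to its vulnerability objects, and links an "Exploit DB" course-of-action to each CVE that has a public exploit. The following script, added here as an example (it is not code from this page or from Criminal IP's converter), walks those relationships with the standard library only and also performs the two integrity checks a practitioner would want before trusting a bundle: duplicate object ids and dangling references. SAMPLE is a constructed, trimmed copy of the page's bundle: the object ids and names are the page's own, only a handful of objects are kept, the relationship ids are placeholders, and one duplicate grouping and one dangling reference (MISSING) are included on purpose so the checks have something to flag.

```python
"""Walk a Criminal IP style STIX 2.1 bundle: open port -> service -> CVE -> Exploit DB.

Added example, stdlib only. SAMPLE is a constructed, trimmed copy of the
bundle on this page; relationship ids and MISSING are placeholders.
"""
from collections import defaultdict

PORT_GROUP = "grouping--2cc62eeb-fcaf-44e7-b953-8fdf3beb9c6a"
PORT_80 = "course-of-action--31160cea-9da8-4bc3-8843-1403f14a38bd"
PORT_22 = "course-of-action--ee85f346-c7ab-4a6d-b079-406b59f1cf34"
APACHE = "software--a7891fdb-255c-52d6-91e7-8180437bd686"
OPENSSH = "tool--251d8d8c-7444-46b9-bc38-679306d7f54e"
CVE_2019_6111 = "vulnerability--4a3be8d9-7638-4ac6-bd5a-f239b615ee2c"
CVE_2018_15473 = "vulnerability--1698d332-38d1-4931-877d-b3618b38fbda"
CVE_2016_20012 = "vulnerability--5c7942f1-6015-489f-825c-1178c67921de"
EDB_2019_6111 = "course-of-action--b66b943a-d313-4728-91a0-f719d072bdee"
EDB_2018_15473 = "course-of-action--f0236081-bf30-419e-8100-5b22feb66d96"
MISSING = "software--00000000-0000-4000-8000-000000000001"  # constructed: referenced, never defined


def rel(n, src, dst):
    """Build a related-to relationship; the id is a constructed placeholder."""
    return {"type": "relationship", "id": f"relationship--{n:08x}-0000-4000-8000-000000000000",
            "relationship_type": "related-to", "source_ref": src, "target_ref": dst}


SAMPLE = {"type": "bundle", "id": "bundle--f0ddd407-a9b5-4737-870e-46d6100c8a2a", "objects": [
    {"type": "grouping", "id": PORT_GROUP, "name": "port", "object_refs": [PORT_80]},
    {"type": "grouping", "id": PORT_GROUP, "name": "port", "object_refs": [PORT_80]},  # duplicate id
    {"type": "course-of-action", "id": PORT_80, "name": "80"},
    {"type": "course-of-action", "id": PORT_22, "name": "22"},
    {"type": "software", "id": APACHE, "name": "Apache", "vendor": "Apache", "version": "Unknown"},
    {"type": "tool", "id": OPENSSH, "name": "OpenSSH", "tool_version": "7.4"},
    {"type": "vulnerability", "id": CVE_2019_6111, "name": "CVE-2019-6111"},
    {"type": "vulnerability", "id": CVE_2018_15473, "name": "CVE-2018-15473"},
    {"type": "vulnerability", "id": CVE_2016_20012, "name": "CVE-2016-20012"},
    {"type": "course-of-action", "id": EDB_2019_6111, "name": "Exploit DB",
     "description": "SCP Client - Multiple Vulnerabilities (SSHTranger Things)"},
    {"type": "course-of-action", "id": EDB_2018_15473, "name": "Exploit DB"},
    rel(1, PORT_GROUP, PORT_22), rel(2, PORT_80, APACHE), rel(3, PORT_22, OPENSSH),
    rel(4, OPENSSH, CVE_2019_6111), rel(5, OPENSSH, CVE_2018_15473), rel(6, OPENSSH, CVE_2016_20012),
    # As on the page, the Exploit DB course-of-action is the source and the CVE the target.
    rel(7, EDB_2019_6111, CVE_2019_6111), rel(8, EDB_2018_15473, CVE_2018_15473),
    rel(9, PORT_22, MISSING),  # dangling reference, on purpose
]}


def index_objects(bundle):
    """Map id -> object; also return ids that occur more than once in the bundle."""
    objs, dupes = {}, []
    for o in bundle["objects"]:
        if o["id"] in objs:
            dupes.append(o["id"])
        objs[o["id"]] = o
    return objs, dupes


def adjacency(bundle):
    """Undirected neighbour sets: port -> software and Exploit DB -> CVE both need traversing."""
    adj = defaultdict(set)
    for o in bundle["objects"]:
        if o["type"] == "relationship":
            adj[o["source_ref"]].add(o["target_ref"])
            adj[o["target_ref"]].add(o["source_ref"])
    return adj


def dangling_refs(bundle):
    """Refs (source_ref, target_ref, object_refs) that point at no object in the bundle."""
    objs, _ = index_objects(bundle)
    refs = set()
    for o in bundle["objects"]:
        refs.update(o.get("object_refs", []))
        refs.update(r for r in (o.get("source_ref"), o.get("target_ref")) if r)
    return sorted(r for r in refs if r not in objs)


def open_ports(bundle):
    """{port: [name/version, ...]}; a port is a course-of-action whose name is a number."""
    objs, _ = index_objects(bundle)
    adj = adjacency(bundle)
    ports = {}
    for o in objs.values():
        if o["type"] == "course-of-action" and o.get("name", "").isdigit():
            svcs = [objs[n] for n in adj[o["id"]] if n in objs and objs[n]["type"] in ("software", "tool")]
            ports[int(o["name"])] = sorted(
                f'{s["name"]}/{s.get("version") or s.get("tool_version") or "Unknown"}' for s in svcs)
    return ports


def exploitable_cves(bundle, port):
    """{CVE id: True if an 'Exploit DB' course-of-action is linked} for the service on one port."""
    objs, _ = index_objects(bundle)
    adj = adjacency(bundle)
    port_id = next(i for i, o in objs.items()
                   if o["type"] == "course-of-action" and o.get("name") == str(port))
    found = {}
    for svc in adj[port_id]:
        if objs.get(svc, {}).get("type") not in ("software", "tool"):
            continue
        for v in adj[svc]:
            if objs.get(v, {}).get("type") != "vulnerability":
                continue
            found[objs[v]["name"]] = any(objs.get(n, {}).get("name") == "Exploit DB" for n in adj[v])
    return found
```

Run `index_objects`, `dangling_refs` and `open_ports` first; on the trimmed sample they report the duplicated "port" grouping and the undefined reference, which is exactly the kind of defect a generated bundle can carry. Only then is `exploitable_cves(SAMPLE, 22)` worth reading: it separates the OpenSSH 7.4 CVEs that have an Exploit DB entry linked from those that do not, which is the triage signal the page's heading describes.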

STIX bundle for 43.159.195.30 (JSON):
{
    "type": "bundle",
    "id": "bundle--f0ddd407-a9b5-4737-870e-46d6100c8a2a",
    "objects": [
        {
            "type": "autonomous-system",
            "spec_version": "2.1",
            "id": "autonomous-system--d89ac279-9390-5d40-a34c-4980f1228a0b",
            "number": 132203,
            "name": "Tencent Building, Kejizhongyi Avenue"
        },
        {
            "type": "location",
            "spec_version": "2.1",
            "id": "location--aa199ee5-6028-4048-9fe3-9102bc39f397",
            "created": "2023-07-17T06:42:53.473205Z",
            "modified": "2023-07-17T06:42:53.473205Z",
            "name": "hk",
            "description": "Indicates the location of the band of the owner of this ip.",
            "latitude": 22.2908,
            "longitude": 114.1501,
            "region": "Central and Western District",
            "country": "hk",
            "city": "Central"
        },
        {
            "type": "grouping",
            "spec_version": "2.1",
            "id": "grouping--5595fd09-1fd5-44e8-9c57-b644dcf286e1",
            "created": "2023-07-17T06:42:53.473205Z",
            "modified": "2023-07-17T06:42:53.473205Z",
            "name": "Location",
            "description": "You can find the location of the as_Location and the information of the owner who has this ip. ",
            "context": "unspecified",
            "object_refs": [
                "autonomous-system--d89ac279-9390-5d40-a34c-4980f1228a0b"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--752da8ec-6097-47ab-8b52-e5eabb88a719",
            "created": "2023-07-17T06:42:53.474203Z",
            "modified": "2023-07-17T06:42:53.474203Z",
            "relationship_type": "related-to",
            "source_ref": "grouping--5595fd09-1fd5-44e8-9c57-b644dcf286e1",
            "target_ref": "location--aa199ee5-6028-4048-9fe3-9102bc39f397"
        },
        {
            "type": "grouping",
            "spec_version": "2.1",
            "id": "grouping--2cc62eeb-fcaf-44e7-b953-8fdf3beb9c6a",
            "created": "2023-07-17T06:42:56.990633Z",
            "modified": "2023-07-17T06:42:56.990633Z",
            "name": "port",
            "description": "The currently open port connected to the ip.",
            "context": "unspecified",
            "object_refs": [
                "course-of-action--31160cea-9da8-4bc3-8843-1403f14a38bd"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--a19eb3e4-708c-4886-96e3-7b18ca274356",
            "created": "2023-07-17T06:42:56.990633Z",
            "modified": "2023-07-17T06:42:56.990633Z",
            "relationship_type": "related-to",
            "source_ref": "grouping--2cc62eeb-fcaf-44e7-b953-8fdf3beb9c6a",
            "target_ref": "course-of-action--a0e1351e-0370-407c-ba1e-0cff7245b983"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--bb429524-db70-44e7-b255-65d0e1749c66",
            "created": "2023-07-17T06:42:56.990633Z",
            "modified": "2023-07-17T06:42:56.990633Z",
            "relationship_type": "related-to",
            "source_ref": "grouping--2cc62eeb-fcaf-44e7-b953-8fdf3beb9c6a",
            "target_ref": "course-of-action--ee85f346-c7ab-4a6d-b079-406b59f1cf34"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--88ba1973-dd8a-42cd-bc28-0d3897f22ffe",
            "created": "2023-07-17T06:42:56.99163Z",
            "modified": "2023-07-17T06:42:56.99163Z",
            "relationship_type": "related-to",
            "source_ref": "grouping--2cc62eeb-fcaf-44e7-b953-8fdf3beb9c6a",
            "target_ref": "course-of-action--8a6ca499-1743-4206-8d9c-a47e42d9257b"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--31160cea-9da8-4bc3-8843-1403f14a38bd",
            "created": "2023-07-17T06:42:53.474203Z",
            "modified": "2023-07-17T06:42:53.474203Z",
            "name": "80",
            "description": "There is an open port 80 currently using Apache/Unknown on that IP. If it's a port you're not using, stop it."
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--a0e1351e-0370-407c-ba1e-0cff7245b983",
            "created": "2023-07-17T06:42:53.476197Z",
            "modified": "2023-07-17T06:42:53.476197Z",
            "name": "21",
            "description": "There is an open port 21 currently using Pure-FTPd/Unknown on that IP. If it's a port you're not using, stop it."
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--ee85f346-c7ab-4a6d-b079-406b59f1cf34",
            "created": "2023-07-17T06:42:53.477195Z",
            "modified": "2023-07-17T06:42:53.477195Z",
            "name": "22",
            "description": "There is an open port 22 currently using OpenSSH/7.4 on that IP. If it's a port you're not using, stop it."
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--8a6ca499-1743-4206-8d9c-a47e42d9257b",
            "created": "2023-07-17T06:42:56.986658Z",
            "modified": "2023-07-17T06:42:56.986658Z",
            "name": "443",
            "description": "There is an open port 443 currently using Apache/Unknown on that IP. If it's a port you're not using, stop it."
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--359a0f59-6cdb-4deb-aae8-6bced0ab2b0b",
            "created": "2023-07-17T06:42:53.475209Z",
            "modified": "2023-07-17T06:42:53.475209Z",
            "relationship_type": "related-to",
            "source_ref": "course-of-action--31160cea-9da8-4bc3-8843-1403f14a38bd",
            "target_ref": "software--a7891fdb-255c-52d6-91e7-8180437bd686"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--1b55daf4-72f9-406f-8155-6f8a3e1bbfc0",
            "created": "2023-07-17T06:42:53.477195Z",
            "modified": "2023-07-17T06:42:53.477195Z",
            "relationship_type": "related-to",
            "source_ref": "course-of-action--a0e1351e-0370-407c-ba1e-0cff7245b983",
            "target_ref": "software--960903d0-6ef1-5f68-b6bf-9dbeab1ce151"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--76fe2e9e-c96a-4d05-b3e8-6db21450d345",
            "created": "2023-07-17T06:42:56.985674Z",
            "modified": "2023-07-17T06:42:56.985674Z",
            "relationship_type": "related-to",
            "source_ref": "course-of-action--ee85f346-c7ab-4a6d-b079-406b59f1cf34",
            "target_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--1908b1b1-423c-4944-96c3-2803affafb0b",
            "created": "2023-07-17T06:42:56.986658Z",
            "modified": "2023-07-17T06:42:56.986658Z",
            "relationship_type": "related-to",
            "source_ref": "course-of-action--ee85f346-c7ab-4a6d-b079-406b59f1cf34",
            "target_ref": "software--b989ef70-e1c8-544a-8417-11574be404f7"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--bcc5693c-6a6c-43e2-91e7-e2eb8a19e6da",
            "created": "2023-07-17T06:42:56.989636Z",
            "modified": "2023-07-17T06:42:56.989636Z",
            "relationship_type": "related-to",
            "source_ref": "course-of-action--8a6ca499-1743-4206-8d9c-a47e42d9257b",
            "target_ref": "software--690db0e9-b4c3-5215-ac14-49fea687d445"
        },
        {
            "type": "tool",
            "spec_version": "2.1",
            "id": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "created": "2023-07-17T06:42:53.477195Z",
            "modified": "2023-07-17T06:42:53.477195Z",
            "name": "OpenSSH",
            "description": "OpenSSH/7.4",
            "tool_types": [
                "remote-access"
            ],
            "tool_version": "7.4"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--2d6f0ee2-f67f-4067-9cd6-e22a748fe8d7",
            "created": "2023-07-17T06:42:55.33803Z",
            "modified": "2023-07-17T06:42:55.33803Z",
            "name": "CVE-2023-28531",
            "description": "ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without the intended per-hop destination constraints. The earliest affected version is 8.9.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2023-28531"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--ba71bad8-22cc-4d4a-b467-b5b0e390bc14",
            "created": "2023-07-17T06:42:55.339022Z",
            "modified": "2023-07-17T06:42:55.339022Z",
            "name": "CVE-2021-41617",
            "description": "sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2021-41617"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--4e5fc937-9f8f-4243-be53-d4c0d6b70ed0",
            "created": "2023-07-17T06:42:55.339022Z",
            "modified": "2023-07-17T06:42:55.339022Z",
            "name": "CVE-2021-36368",
            "description": "** DISPUTED ** An issue was discovered in OpenSSH before 8.9. If a client is using public-key authentication with agent forwarding but without -oLogLevel=verbose, and an attacker has silently modified the server to support the None authentication option, then the user cannot determine whether FIDO authentication is going to confirm that the user wishes to connect to that server, or that the user wishes to allow that server to connect to a different server on the user's behalf. NOTE: the vendor's position is 'this is not an authentication bypass, since nothing is being bypassed.'",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2021-36368"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--4b2c6628-81b4-4a13-830c-9c4f023a9ffd",
            "created": "2023-07-17T06:42:55.339022Z",
            "modified": "2023-07-17T06:42:55.339022Z",
            "name": "CVE-2020-15778",
            "description": "** DISPUTED ** scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of 'anomalous argument transfers' because that could 'stand a great chance of breaking existing workflows.'",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2020-15778"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--7caac978-8142-40de-b933-1db352f871d3",
            "created": "2023-07-17T06:42:55.340021Z",
            "modified": "2023-07-17T06:42:55.340021Z",
            "name": "CVE-2020-14145",
            "description": "The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and 8.6 are also affected.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2020-14145"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--4a3be8d9-7638-4ac6-bd5a-f239b615ee2c",
            "created": "2023-07-17T06:42:55.340021Z",
            "modified": "2023-07-17T06:42:55.340021Z",
            "name": "CVE-2019-6111",
            "description": "An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2019-6111"
                }
            ]
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--b66b943a-d313-4728-91a0-f719d072bdee",
            "created": "2023-07-17T06:42:55.340021Z",
            "modified": "2023-07-17T06:42:55.340021Z",
            "name": "Exploit DB",
            "description": "SCP Client - Multiple Vulnerabilities (SSHTranger Things)"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--cf729b68-2a46-49ac-bfb2-ddc6e1147930",
            "created": "2023-07-17T06:42:55.341017Z",
            "modified": "2023-07-17T06:42:55.341017Z",
            "name": "CVE-2019-6110",
            "description": "In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2019-6110"
                }
            ]
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--028b6d60-0860-4660-a07e-d003394d2834",
            "created": "2023-07-17T06:42:55.341017Z",
            "modified": "2023-07-17T06:42:55.341017Z",
            "name": "Exploit DB",
            "description": "SCP Client - Multiple Vulnerabilities (SSHTranger Things)"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--fd49ce1f-96fc-4f10-bfca-92d3210ae6ad",
            "created": "2023-07-17T06:42:55.341017Z",
            "modified": "2023-07-17T06:42:55.341017Z",
            "name": "CVE-2019-6109",
            "description": "An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2019-6109"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--23ee5688-b659-4225-87df-98729f9ed29e",
            "created": "2023-07-17T06:42:55.341987Z",
            "modified": "2023-07-17T06:42:55.341987Z",
            "name": "CVE-2018-20685",
            "description": "In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2018-20685"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--a041f649-bbfe-4de3-97c7-99b0a58f333a",
            "created": "2023-07-17T06:42:55.341987Z",
            "modified": "2023-07-17T06:42:55.341987Z",
            "name": "CVE-2018-15919",
            "description": "Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or 'oracle') as a vulnerability.'",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2018-15919"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--1698d332-38d1-4931-877d-b3618b38fbda",
            "created": "2023-07-17T06:42:55.341987Z",
            "modified": "2023-07-17T06:42:55.341987Z",
            "name": "CVE-2018-15473",
            "description": "OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2018-15473"
                }
            ]
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--f0236081-bf30-419e-8100-5b22feb66d96",
            "created": "2023-07-17T06:42:55.343011Z",
            "modified": "2023-07-17T06:42:55.343011Z",
            "name": "Exploit DB",
            "description": "SCP Client - Multiple Vulnerabilities (SSHTranger Things)"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--b39ca97b-6866-468d-80da-ca81d4ba4c5f",
            "created": "2023-07-17T06:42:55.343011Z",
            "modified": "2023-07-17T06:42:55.343011Z",
            "name": "CVE-2017-15906",
            "description": "The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2017-15906"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--5c7942f1-6015-489f-825c-1178c67921de",
            "created": "2023-07-17T06:42:55.343982Z",
            "modified": "2023-07-17T06:42:55.343982Z",
            "name": "CVE-2016-20012",
            "description": "** DISPUTED ** OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session. NOTE: the vendor does not recognize user enumeration as a vulnerability for this product.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2016-20012"
                }
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--c48b0cc7-c97b-443d-a1d0-c732fcb3c9cb",
            "created": "2023-07-17T06:42:55.339022Z",
            "modified": "2023-07-17T06:42:55.339022Z",
            "relationship_type": "related-to",
            "source_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "target_ref": "vulnerability--2d6f0ee2-f67f-4067-9cd6-e22a748fe8d7"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--fb3c0d2d-f1ec-4d54-ba2f-1040f6393318",
            "created": "2023-07-17T06:42:55.339022Z",
            "modified": "2023-07-17T06:42:55.339022Z",
            "relationship_type": "related-to",
            "source_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "target_ref": "vulnerability--ba71bad8-22cc-4d4a-b467-b5b0e390bc14"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--20f02a5b-d15b-4862-85a7-680abb416bc6",
            "created": "2023-07-17T06:42:55.339022Z",
            "modified": "2023-07-17T06:42:55.339022Z",
            "relationship_type": "related-to",
            "source_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "target_ref": "vulnerability--4e5fc937-9f8f-4243-be53-d4c0d6b70ed0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--e5689584-c959-4140-9626-ef1764f43a42",
            "created": "2023-07-17T06:42:55.340021Z",
            "modified": "2023-07-17T06:42:55.340021Z",
            "relationship_type": "related-to",
            "source_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "target_ref": "vulnerability--4b2c6628-81b4-4a13-830c-9c4f023a9ffd"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--b1424e46-d9dc-4570-bfc6-b0cbf1aaf50d",
            "created": "2023-07-17T06:42:55.340021Z",
            "modified": "2023-07-17T06:42:55.340021Z",
            "relationship_type": "related-to",
            "source_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "target_ref": "vulnerability--7caac978-8142-40de-b933-1db352f871d3"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--af4e15ed-f4d3-4176-b7ca-a6302e9ddc28",
            "created": "2023-07-17T06:42:55.340021Z",
            "modified": "2023-07-17T06:42:55.340021Z",
            "relationship_type": "related-to",
            "source_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "target_ref": "vulnerability--4a3be8d9-7638-4ac6-bd5a-f239b615ee2c"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--05a4da00-0d17-4796-91bc-40986ae21a3d",
            "created": "2023-07-17T06:42:55.340021Z",
            "modified": "2023-07-17T06:42:55.340021Z",
            "relationship_type": "related-to",
            "source_ref": "course-of-action--b66b943a-d313-4728-91a0-f719d072bdee",
            "target_ref": "vulnerability--4a3be8d9-7638-4ac6-bd5a-f239b615ee2c"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--5214b8db-a740-4ad3-b273-b415b80f271c",
            "created": "2023-07-17T06:42:55.341017Z",
            "modified": "2023-07-17T06:42:55.341017Z",
            "relationship_type": "related-to",
            "source_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "target_ref": "vulnerability--cf729b68-2a46-49ac-bfb2-ddc6e1147930"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--abf13cac-c469-417c-80bb-6e2eabc27c87",
            "created": "2023-07-17T06:42:55.341017Z",
            "modified": "2023-07-17T06:42:55.341017Z",
            "relationship_type": "related-to",
            "source_ref": "course-of-action--028b6d60-0860-4660-a07e-d003394d2834",
            "target_ref": "vulnerability--cf729b68-2a46-49ac-bfb2-ddc6e1147930"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--c88cf834-e5c1-4780-8289-e41bec60f0b4",
            "created": "2023-07-17T06:42:55.341017Z",
            "modified": "2023-07-17T06:42:55.341017Z",
            "relationship_type": "related-to",
            "source_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "target_ref": "vulnerability--fd49ce1f-96fc-4f10-bfca-92d3210ae6ad"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--ff4a5a85-f75d-4a0e-a2b7-d099fb435f38",
            "created": "2023-07-17T06:42:55.341987Z",
            "modified": "2023-07-17T06:42:55.341987Z",
            "relationship_type": "related-to",
            "source_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "target_ref": "vulnerability--23ee5688-b659-4225-87df-98729f9ed29e"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--04a113c0-5cff-4ebd-b9e9-63638e55bc8e",
            "created": "2023-07-17T06:42:55.341987Z",
            "modified": "2023-07-17T06:42:55.341987Z",
            "relationship_type": "related-to",
            "source_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "target_ref": "vulnerability--a041f649-bbfe-4de3-97c7-99b0a58f333a"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--bd0f853d-326f-4e7e-ae10-c7433694a33c",
            "created": "2023-07-17T06:42:55.341987Z",
            "modified": "2023-07-17T06:42:55.341987Z",
            "relationship_type": "related-to",
            "source_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "target_ref": "vulnerability--1698d332-38d1-4931-877d-b3618b38fbda"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--9fff9e1c-ec23-4ed3-b16a-0aefc5a2d2bf",
            "created": "2023-07-17T06:42:55.343011Z",
            "modified": "2023-07-17T06:42:55.343011Z",
            "relationship_type": "related-to",
            "source_ref": "course-of-action--f0236081-bf30-419e-8100-5b22feb66d96",
            "target_ref": "vulnerability--1698d332-38d1-4931-877d-b3618b38fbda"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--070305fb-a219-413e-b1fc-e59a58ced0e1",
            "created": "2023-07-17T06:42:55.343011Z",
            "modified": "2023-07-17T06:42:55.343011Z",
            "relationship_type": "related-to",
            "source_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "target_ref": "vulnerability--b39ca97b-6866-468d-80da-ca81d4ba4c5f"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--c3ce624a-2656-429f-9c8a-ce2d34d69fd7",
            "created": "2023-07-17T06:42:55.343982Z",
            "modified": "2023-07-17T06:42:55.343982Z",
            "relationship_type": "related-to",
            "source_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "target_ref": "vulnerability--5c7942f1-6015-489f-825c-1178c67921de"
        },
        {
            "type": "software",
            "spec_version": "2.1",
            "id": "software--b989ef70-e1c8-544a-8417-11574be404f7",
            "name": "OpenSSH",
            "vendor": "OpenSSH",
            "version": "7.4"
        },
        {
            "type": "software",
            "spec_version": "2.1",
            "id": "software--a7891fdb-255c-52d6-91e7-8180437bd686",
            "name": "Apache",
            "vendor": "Apache",
            "version": "Unknown"
        },
        {
            "type": "software",
            "spec_version": "2.1",
            "id": "software--960903d0-6ef1-5f68-b6bf-9dbeab1ce151",
            "name": "Pure-FTPd",
            "vendor": "Pure-FTPd",
            "version": "Unknown"
        },
        {
            "type": "software",
            "spec_version": "2.1",
            "id": "software--690db0e9-b4c3-5215-ac14-49fea687d445",
            "name": "403 Forbidden",
            "vendor": "Apache",
            "version": "Unknown"
        },
        {
            "type": "x509-certificate",
            "spec_version": "2.1",
            "id": "x509-certificate--af7dd888-bb4a-4638-9520-6f737c781793",
            "issuer": "C=US, O=Let's Encrypt, CN=R3",
            "subject": "CN=blntoniguy.com",
            "x509_v3_extensions": {
                "basic_constraints": "caritical, CA:False"
            }
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--ff917014-5e87-431b-9c0e-6673d39007df",
            "created": "2023-07-17T06:42:56.98864Z",
            "modified": "2023-07-17T06:42:56.98864Z",
            "relationship_type": "related-to",
            "source_ref": "software--690db0e9-b4c3-5215-ac14-49fea687d445",
            "target_ref": "x509-certificate--af7dd888-bb4a-4638-9520-6f737c781793"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--c950f8ca-c91c-5860-9dc6-4eccabd103a5",
            "value": "blntoniguy.com"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--0397e9e9-8a56-4a36-a706-e3b152126508",
            "created": "2023-07-17T06:42:56.98864Z",
            "modified": "2023-07-17T06:42:56.98864Z",
            "relationship_type": "related-to",
            "source_ref": "x509-certificate--af7dd888-bb4a-4638-9520-6f737c781793",
            "target_ref": "url--c950f8ca-c91c-5860-9dc6-4eccabd103a5"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--dc0ab0fe-f60c-4607-9632-f1250fa391ed",
            "created": "2023-07-17T06:42:56.99163Z",
            "modified": "2023-07-17T06:42:56.99163Z",
            "name": "unknowns",
            "description": "The hash value of the content related to the certificate of the web page is written. Determine if the corresponding hash value is malicious or not.",
            "indicator_types": [
                "unknown"
            ],
            "pattern": "[web:hashes.'SHA-256'='479100a168347d5cab1d5084dc57550ce384ec06a7c539e7bfd9be6919eeed83' OR web:hashes.'MD5'='16df109fc55f24ea14defcf0895299ac']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2023-07-17T06:42:56.99163Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--0ad90e0c-4721-4fe8-8ba7-9dc92c0d8c13",
            "created": "2023-07-17T06:42:57.001603Z",
            "modified": "2023-07-17T06:42:57.001603Z",
            "name": "https://twitter.com/ozuma5119/status/1676371909020352513",
            "description": "The hash value of the content related to the certificate of the web page is written. Determine if the corresponding hash value is malicious or not.",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "[ip:value = '43.159.195.30']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2023-07-17T06:42:57.001603Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--967656fb-50c3-4539-9212-e5fff1be2517",
            "created": "2023-07-17T06:42:57.0026Z",
            "modified": "2023-07-17T06:42:57.0026Z",
            "name": "https://twitter.com/ozuma5119/status/1678200239373598721",
            "description": "The hash value of the content related to the certificate of the web page is written. Determine if the corresponding hash value is malicious or not.",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "[ip:value = '43.159.195.30']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2023-07-17T06:42:57.0026Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--ccc61228-ecff-42c6-a1ea-769cba3d1190",
            "created": "2023-07-17T06:42:57.003598Z",
            "modified": "2023-07-17T06:42:57.003598Z",
            "name": "https://twitter.com/ozuma5119/status/1676715447021096960",
            "description": "The hash value of the content related to the certificate of the web page is written. Determine if the corresponding hash value is malicious or not.",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "[ip:value = '43.159.195.30']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2023-07-17T06:42:57.003598Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--cdf12a25-d31d-4278-8e17-374935a31d9f",
            "created": "2023-07-17T06:42:57.003598Z",
            "modified": "2023-07-17T06:42:57.003598Z",
            "name": "https://twitter.com/ozuma5119/status/1677495385793916928",
            "description": "The hash value of the content related to the certificate of the web page is written. Determine if the corresponding hash value is malicious or not.",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "[ip:value = '43.159.195.30']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2023-07-17T06:42:57.003598Z"
        },
        {
            "type": "grouping",
            "spec_version": "2.1",
            "id": "grouping--147b6225-52d4-45a0-8917-e2813b688a54",
            "created": "2023-07-17T06:42:57.004595Z",
            "modified": "2023-07-17T06:42:57.004595Z",
            "name": "unknown",
            "description": "Cloud service ",
            "context": "unspecified",
            "object_refs": [
                "indicator--dc0ab0fe-f60c-4607-9632-f1250fa391ed"
            ]
        },
        {
            "type": "grouping",
            "spec_version": "2.1",
            "id": "grouping--3a89bce9-c20e-4ada-97d2-ade84dd03285",
            "created": "2023-07-17T06:42:57.004595Z",
            "modified": "2023-07-17T06:42:57.004595Z",
            "name": "Reputation",
            "description": "A group of things that have done or are doing something malicious.",
            "context": "malware-analysis",
            "object_refs": [
                "indicator--0ad90e0c-4721-4fe8-8ba7-9dc92c0d8c13"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--cef26930-b215-4c27-b09e-44f9b2ce26ce",
            "created": "2023-07-17T06:42:57.004595Z",
            "modified": "2023-07-17T06:42:57.004595Z",
            "relationship_type": "related-to",
            "source_ref": "grouping--3a89bce9-c20e-4ada-97d2-ade84dd03285",
            "target_ref": "indicator--967656fb-50c3-4539-9212-e5fff1be2517"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--a0efb7bc-0d2b-4e89-b4d3-de84b5c67081",
            "created": "2023-07-17T06:42:57.005593Z",
            "modified": "2023-07-17T06:42:57.005593Z",
            "relationship_type": "related-to",
            "source_ref": "grouping--3a89bce9-c20e-4ada-97d2-ade84dd03285",
            "target_ref": "indicator--ccc61228-ecff-42c6-a1ea-769cba3d1190"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--3ab78a1d-6f28-491e-a85c-efe9d50ee089",
            "created": "2023-07-17T06:42:57.005593Z",
            "modified": "2023-07-17T06:42:57.005593Z",
            "relationship_type": "related-to",
            "source_ref": "grouping--3a89bce9-c20e-4ada-97d2-ade84dd03285",
            "target_ref": "indicator--cdf12a25-d31d-4278-8e17-374935a31d9f"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--86c8ded6-1af0-4463-97f8-94f871e999b4",
            "created": "2023-07-17T06:42:57.006593Z",
            "modified": "2023-07-17T06:42:57.006593Z",
            "relationship_type": "related-to",
            "source_ref": "ipv4-addr--a525965b-5fd7-5a8d-ab67-8ef8045a644c",
            "target_ref": "grouping--5595fd09-1fd5-44e8-9c57-b644dcf286e1"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--46288bb6-ff58-4660-a718-f2085c968df5",
            "created": "2023-07-17T06:42:57.006593Z",
            "modified": "2023-07-17T06:42:57.006593Z",
            "relationship_type": "related-to",
            "source_ref": "ipv4-addr--a525965b-5fd7-5a8d-ab67-8ef8045a644c",
            "target_ref": "grouping--2cc62eeb-fcaf-44e7-b953-8fdf3beb9c6a"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--e52b1589-6c03-4591-a0a7-d48a25c38c9e",
            "created": "2023-07-17T06:42:57.006593Z",
            "modified": "2023-07-17T06:42:57.006593Z",
            "relationship_type": "related-to",
            "source_ref": "ipv4-addr--a525965b-5fd7-5a8d-ab67-8ef8045a644c",
            "target_ref": "grouping--147b6225-52d4-45a0-8917-e2813b688a54"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--5b1ce678-6c3b-497d-bd9a-a223ab51aa49",
            "created": "2023-07-17T06:42:57.006593Z",
            "modified": "2023-07-17T06:42:57.006593Z",
            "relationship_type": "related-to",
            "source_ref": "ipv4-addr--a525965b-5fd7-5a8d-ab67-8ef8045a644c",
            "target_ref": "grouping--3a89bce9-c20e-4ada-97d2-ade84dd03285"
        },
        {
            "type": "ipv4-addr",
            "spec_version": "2.1",
            "id": "ipv4-addr--a525965b-5fd7-5a8d-ab67-8ef8045a644c",
            "value": "43.159.195.30"
        }
    ]
}

Converting the data for the IP address 43.159.195.30 into STIX-format JSON and viewing it as a graph with cti-stix-visualization gives the result below. (Expand the code above to see the original JSON file.) We now analyze this content.

Graph of Criminal IP IP-address threat intelligence converted to STIX for STIX vulnerability analysis

Starting from the IP address, the data splits into three main groups (data shown as "unknown" is omitted):

  1. Location
  2. Reputation
  3. Port

Location is very simple data, so a separate explanation is omitted.

Reputation data in the STIX vulnerability analysis graph for IP address 43.159.195.30

Looking at Reputation, there are four data items. These can be read as meaning that the address has a history of being reported on deny lists or of malicious activity recorded in MISP and similar sources. Four Twitter URLs are linked to this IP address's Reputation, and opening them lets you confirm the malicious history associated with this IP address. In other words, this IP address is considered to have at least four malicious reports on record.

Open port data in the STIX graph for IP address 43.159.195.30

Next, let's look at the ports. The port information linked to this IP address can be confirmed here, and it is further divided into four ports: 21, 22, 88 and 443.

  • 21: Pure-FTPd
  • 22: OpenSSH
  • 88: Apache
  • 443: unidentified web server

Since Pure-FTPd and Apache daemons are running on ports 21 and 88, the host appears to be a personal or hosting server that runs a web server and an FTP server together. The HTTPS web page on port 443 currently has a certificate (issued by Let's Encrypt, per the x509-certificate object in the JSON); its subject is CN=blntoniguy[.]com, and this domain is most likely the website served from this IP address.

STIX vulnerability analysis graph for port 22 of IP address 43.159.195.30

Most important of all is OpenSSH on port 22. Multiple vulnerabilities are currently confirmed for this product (version 7.4), and some of them are security vulnerabilities in the SCP client software. In particular, CVE-2019-6110, CVE-2019-6111 and CVE-2018-15473 even have links to exploit code provided by Exploit DB, so they are vulnerabilities with a high likelihood of attack. One caveat when reading the graph: CVE-2019-6110 and CVE-2019-6111 affect the scp client, so they are triggered when this host copies files from a malicious server rather than by a remote attack on the listening sshd, whereas CVE-2018-15473 is a username enumeration weakness in sshd itself and is reachable by anyone who can connect to port 22.

Putting all the information together, this IP address appears to run a web service under the domain blntoniguy[.]com, but the site appears to have been compromised by an attacker and is being used for malicious activity. The history of that malicious activity can be checked via MISP, Twitter and similar sources. It is highly likely that the attacker either accessed this server directly through the vulnerable OpenSSH daemon to carry out the malicious activity, or took over the server by other means and is now controlling it while leaving OpenSSH open.

As a result of analyzing the Criminal IP data with STIX, this IP address should receive OpenSSH security updates as soon as possible, and ports 21 and 22 should likewise be closed (or at least restricted to trusted sources) as soon as possible. Visualizing Criminal IP's seemingly complex threat intelligence data with STIX makes it easy to group the data, and the attack flow the data reveals, along with ideas for a response, may become apparent.
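As an added example (not part of the original article, and not code from Criminal IP's converter or from cti-stix-visualization), the following Python walks a bundle of the shape shown above, starting from the ipv4-addr object, and reproduces the grouping done by hand in this section: it flags object ids that appear more than once (the Reputation grouping above is emitted several times with the same id), reports references to objects the bundle does not contain, and for each grouping reachable from the IP lists indicators, port-to-software mappings, and CVEs together with any tool object (Exploit DB entry) that points at them. The embedded bundle is a constructed miniature with placeholder ids and a stand-in tool object; to run it on the real data, pass the JSON above to load_bundle.

```python
"""Walk a Criminal IP style STIX 2.1 bundle outward from its ipv4-addr object.
Added example for this article, not code from Criminal IP's converter or from
cti-stix-visualization; standard library only, so it runs offline on the JSON above."""
import json
from collections import defaultdict, deque


def rel(n, src, dst):
    """Build a 'related-to' relationship object in the shape the bundle above uses."""
    return {"type": "relationship", "id": f"relationship--{n}",
            "relationship_type": "related-to", "source_ref": src, "target_ref": dst}


# Constructed miniature bundle mirroring the object types and edge shapes of the
# 43.159.195.30 bundle above. IDs are placeholders and the Exploit DB tool is a
# stand-in; this is not real Criminal IP output.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--sample", "objects": [
    {"type": "ipv4-addr", "id": "ipv4-addr--ip", "value": "43.159.195.30"},
    {"type": "grouping", "id": "grouping--port", "name": "port", "object_refs": ["course-of-action--22"]},
    {"type": "grouping", "id": "grouping--rep", "name": "Reputation", "object_refs": ["indicator--r1"]},
    # Same id emitted twice, as the Reputation grouping is above: must be flagged, not double counted
    {"type": "grouping", "id": "grouping--rep", "name": "Reputation", "object_refs": ["indicator--r1"]},
    {"type": "indicator", "id": "indicator--r1", "name": "report-1", "pattern": "[ipv4-addr:value = '43.159.195.30']"},
    {"type": "indicator", "id": "indicator--r2", "name": "report-2", "pattern": "[ipv4-addr:value = '43.159.195.30']"},
    {"type": "course-of-action", "id": "course-of-action--22", "name": "22"},
    {"type": "software", "id": "software--ssh", "name": "OpenSSH", "version": "7.4"},
    {"type": "vulnerability", "id": "vulnerability--v1", "name": "CVE-2018-15473"},
    {"type": "tool", "id": "tool--edb", "name": "exploit-db (constructed)"},
    rel(1, "ipv4-addr--ip", "grouping--port"),
    rel(2, "ipv4-addr--ip", "grouping--rep"),
    rel(3, "grouping--rep", "indicator--r2"),      # extra member attached by relationship, as above
    rel(4, "course-of-action--22", "software--ssh"),
    rel(5, "software--ssh", "vulnerability--v1"),
    rel(6, "tool--edb", "vulnerability--v1"),      # exploit points at the CVE, so it needs a reverse lookup
    rel(7, "ipv4-addr--ip", "grouping--missing"),  # dangling reference: report it, do not follow it
]})


def load_bundle(text):
    """Index objects by id; return (objects, ids that occurred more than once)."""
    objects, duplicates = {}, []
    for obj in json.loads(text)["objects"]:
        if obj["id"] in objects:
            duplicates.append(obj["id"])
        objects[obj["id"]] = obj
    return objects, duplicates


def build_edges(objects):
    """Directed edges from relationship source->target and grouping->object_refs."""
    edges, dangling = defaultdict(list), []
    for obj in objects.values():
        if obj["type"] == "relationship":
            pairs = [(obj["source_ref"], obj["target_ref"])]
        elif obj["type"] == "grouping":
            pairs = [(obj["id"], ref) for ref in obj.get("object_refs", [])]
        else:
            continue
        for src, dst in pairs:
            if src in objects and dst in objects:
                edges[src].append(dst)
            else:
                dangling.append((src, dst))
    return edges, dangling


def reachable(edges, start):
    """Breadth-first set of ids reachable from start (start included)."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in edges.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def summarize(objects, edges, ip_value):
    """Per grouping hanging off the IP: indicators, port->software, CVE->exploit tools."""
    ip_id = next(i for i, o in objects.items()
                 if o["type"] == "ipv4-addr" and o["value"] == ip_value)
    reverse = defaultdict(list)               # tool -> vulnerability edges point inward
    for src, dsts in edges.items():
        for dst in dsts:
            reverse[dst].append(src)
    report = {}
    for group_id in edges.get(ip_id, ()):
        group = objects[group_id]
        if group["type"] != "grouping":
            continue
        entry = report.setdefault(group["name"],
                                  {"indicators": [], "ports": {}, "vulnerabilities": {}})
        for member_id in reachable(edges, group_id) - {group_id}:
            member = objects[member_id]
            if member["type"] == "indicator":
                entry["indicators"].append(member["name"])
            elif member["type"] == "course-of-action":      # one per open port in this bundle shape
                entry["ports"][member["name"]] = sorted(
                    f"{objects[s]['name']}/{objects[s].get('version', 'Unknown')}"
                    for s in edges.get(member_id, ()) if objects[s]["type"] == "software")
            elif member["type"] == "vulnerability":
                entry["vulnerabilities"][member["name"]] = sorted(
                    objects[s]["name"] for s in reverse[member_id] if objects[s]["type"] == "tool")
        entry["indicators"].sort()
    return report


if __name__ == "__main__":
    objs, dups = load_bundle(SAMPLE_BUNDLE)
    graph, missing = build_edges(objs)
    print("duplicate ids:", dups, "dangling refs:", missing)
    print(json.dumps(summarize(objs, graph, "43.159.195.30"), indent=2))
```

cti-stix-visualization collapses objects that share an id into one node, so a duplicated grouping looks identical to a clean one in the picture; counting indicators from the parsed objects, as here, keeps the "at least four reports" figure honest. Reachability alone also says nothing about edge direction: the tool-to-vulnerability edge points into the CVE, which is why the exploit lookup goes through the reverse index rather than the forward walk.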

STIX vulnerability analysis 2: A case that expresses and analyzes the vulnerability and tag information associated with an IP address

5.160.159.255_json_code
{
    "type": "bundle",
    "id": "bundle--237ea964-a407-485e-a3cf-29e16f653ba0",
    "objects": [
        {
            "type": "autonomous-system",
            "spec_version": "2.1",
            "id": "autonomous-system--2f780f4e-5430-5bb4-9738-23e645ae8f8c",
            "number": 43395,
            "name": "Pooya Parto Qeshm Cooperative Company"
        },
        {
            "type": "location",
            "spec_version": "2.1",
            "id": "location--98d88eee-f803-414f-971d-b878f64d2157",
            "created": "2023-07-17T06:47:59.215883Z",
            "modified": "2023-07-17T06:47:59.215883Z",
            "name": "ir",
            "description": "Indicates the location of the band of the owner of this ip.",
            "latitude": 35.698,
            "longitude": 51.4115,
            "region": "None",
            "country": "ir",
            "city": "None"
        },
        {
            "type": "grouping",
            "spec_version": "2.1",
            "id": "grouping--26b59125-6078-4a26-802f-d4218f613dc7",
            "created": "2023-07-17T06:47:59.215883Z",
            "modified": "2023-07-17T06:47:59.215883Z",
            "name": "Location",
            "description": "You can find the location of the as_Location and the information of the owner who has this ip.",
            "context": "unspecified",
            "object_refs": [
                "autonomous-system--2f780f4e-5430-5bb4-9738-23e645ae8f8c"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--0c9bd156-9217-4989-98e9-dd945bf2352d",
            "created": "2023-07-17T06:47:59.215883Z",
            "modified": "2023-07-17T06:47:59.215883Z",
            "relationship_type": "related-to",
            "source_ref": "grouping--26b59125-6078-4a26-802f-d4218f613dc7",
            "target_ref": "location--98d88eee-f803-414f-971d-b878f64d2157"
        },
        {
            "type": "grouping",
            "spec_version": "2.1",
            "id": "grouping--81fc1c3a-2f07-4c48-8df5-e54b2fb984f0",
            "created": "2023-07-17T06:48:00.344904Z",
            "modified": "2023-07-17T06:48:00.344904Z",
            "name": "port",
            "description": "The currently open port connected to the ip.",
            "context": "unspecified",
            "object_refs": [
                "course-of-action--c26ae470-3387-41ad-bf04-145de8c80b99"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--162e4a11-ac7f-4080-94be-eb92dcaf1b95",
            "created": "2023-07-17T06:48:00.344904Z",
            "modified": "2023-07-17T06:48:00.344904Z",
            "relationship_type": "related-to",
            "source_ref": "grouping--81fc1c3a-2f07-4c48-8df5-e54b2fb984f0",
            "target_ref": "course-of-action--f63cf4de-662c-416d-8419-9114a3999d5d"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--50f650b7-fdbb-4663-a099-680c12833a77",
            "created": "2023-07-17T06:48:00.344904Z",
            "modified": "2023-07-17T06:48:00.344904Z",
            "relationship_type": "related-to",
            "source_ref": "grouping--81fc1c3a-2f07-4c48-8df5-e54b2fb984f0",
            "target_ref": "course-of-action--99ded0bf-fc6f-44bb-997b-8cde74f8ff08"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--c26ae470-3387-41ad-bf04-145de8c80b99",
            "created": "2023-07-17T06:47:59.216869Z",
            "modified": "2023-07-17T06:47:59.216869Z",
            "name": "2000",
            "description": "There is an open port 2000 currently using Unknown/Unknown on that IP. If it's a port you're not using, stop it."
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--f63cf4de-662c-416d-8419-9114a3999d5d",
            "created": "2023-07-17T06:47:59.217872Z",
            "modified": "2023-07-17T06:47:59.217872Z",
            "name": "22",
            "description": "There is an open port 22 currently using MikroTik RouterOS sshd/Unknown on that IP. If it's a port you're not using, stop it."
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--99ded0bf-fc6f-44bb-997b-8cde74f8ff08",
            "created": "2023-07-17T06:47:59.220859Z",
            "modified": "2023-07-17T06:47:59.220859Z",
            "name": "80",
            "description": "There is an open port 80 currently using Mikrotik RouterOS/6.47.9 on that IP. If it's a port you're not using, stop it."
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--d7e4374a-46bb-4138-adbd-49bc6229f78f",
            "created": "2023-07-17T06:47:59.217872Z",
            "modified": "2023-07-17T06:47:59.217872Z",
            "relationship_type": "related-to",
            "source_ref": "course-of-action--c26ae470-3387-41ad-bf04-145de8c80b99",
            "target_ref": "software--0e43d5d6-e86c-5840-8795-7874df332b0a"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--0ee7f9f8-9aeb-4d94-98e5-41690ab2679e",
            "created": "2023-07-17T06:47:59.219861Z",
            "modified": "2023-07-17T06:47:59.219861Z",
            "relationship_type": "related-to",
            "source_ref": "course-of-action--f63cf4de-662c-416d-8419-9114a3999d5d",
            "target_ref": "tool--5d69c827-f3e9-43f7-83ec-8a0f65b3786c"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--a815a155-dc23-4a82-9b73-3e4b2ea079b5",
            "created": "2023-07-17T06:47:59.219861Z",
            "modified": "2023-07-17T06:47:59.219861Z",
            "relationship_type": "related-to",
            "source_ref": "course-of-action--f63cf4de-662c-416d-8419-9114a3999d5d",
            "target_ref": "software--b4b13641-f1a2-5bda-9c99-8ae675797d4a"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--461b7c0e-464a-4b8c-8665-b1d0070e87b4",
            "created": "2023-07-17T06:48:00.343905Z",
            "modified": "2023-07-17T06:48:00.343905Z",
            "relationship_type": "related-to",
            "source_ref": "course-of-action--99ded0bf-fc6f-44bb-997b-8cde74f8ff08",
            "target_ref": "software--e2d3e4d4-996b-578f-8c4a-61c2f7c9231c"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--97effece-ea34-4716-be00-df802673ca7a",
            "created": "2023-07-17T06:48:00.343905Z",
            "modified": "2023-07-17T06:48:00.343905Z",
            "relationship_type": "related-to",
            "source_ref": "course-of-action--99ded0bf-fc6f-44bb-997b-8cde74f8ff08",
            "target_ref": "software--86481f91-cfac-5132-a41f-1003f33d2458"
        },
        {
            "type": "software",
            "spec_version": "2.1",
            "id": "software--e2d3e4d4-996b-578f-8c4a-61c2f7c9231c",
            "name": "RouterOS router configuration page",
            "vendor": "Mikrotik RouterOS",
            "version": "6.47.9"
        },
        {
            "type": "software",
            "spec_version": "2.1",
            "id": "software--86481f91-cfac-5132-a41f-1003f33d2458",
            "name": "Switch",
            "vendor": "Mikrotik RouterOS",
            "version": "6.47.9"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--1c408db6-d2aa-472d-b71b-aa1ecd1583f6",
            "created": "2023-07-17T06:48:00.340913Z",
            "modified": "2023-07-17T06:48:00.340913Z",
            "name": "CVE-2022-45315",
            "description": "Mikrotik RouterOs before stable v7.6 was discovered to contain an out-of-bounds read in the snmp process. This vulnerability allows attackers to execute arbitrary code via a crafted packet.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2022-45315"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--099d3a88-c617-4f30-91e3-23b49774dd5a",
            "created": "2023-07-17T06:48:00.34191Z",
            "modified": "2023-07-17T06:48:00.34191Z",
            "name": "CVE-2022-45313",
            "description": "Mikrotik RouterOs before stable v7.5 was discovered to contain an out-of-bounds read in the hotspot process. This vulnerability allows attackers to execute arbitrary code via a crafted nova message.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2022-45313"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--95888b27-fdbf-467c-bf5d-344f1093b298",
            "created": "2023-07-17T06:48:00.34191Z",
            "modified": "2023-07-17T06:48:00.34191Z",
            "name": "CVE-2022-36522",
            "description": "Mikrotik RouterOs through stable v6.48.3 was discovered to contain an assertion failure in the component /advanced-tools/nova/bin/netwatch. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted packet.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2022-36522"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--9f596ebc-16ed-44c2-af51-456bf79065bc",
            "created": "2023-07-17T06:48:00.34191Z",
            "modified": "2023-07-17T06:48:00.34191Z",
            "name": "CVE-2021-41987",
            "description": "In the SCEP Server of RouterOS in certain Mikrotik products, an attacker can trigger a heap-based buffer overflow that leads to remote code execution. The attacker must know the scep_server_name value. This affects RouterOS 6.46.8, 6.47.9, and 6.47.10.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2021-41987"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--c82dfec0-1fe0-42d9-804a-d5eaf4292374",
            "created": "2023-07-17T06:48:00.34191Z",
            "modified": "2023-07-17T06:48:00.34191Z",
            "name": "CVE-2021-36614",
            "description": "Mikrotik RouterOs before stable 6.48.2 suffers from a memory corruption vulnerability in the tr069-client process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference).",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2021-36614"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--ed6cdc05-ce70-4ffc-bbc3-ee81f4439f54",
            "created": "2023-07-17T06:48:00.342907Z",
            "modified": "2023-07-17T06:48:00.342907Z",
            "name": "CVE-2021-36613",
            "description": "Mikrotik RouterOs before stable 6.48.2 suffers from a memory corruption vulnerability in the ptp process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference).",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2021-36613"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--9a07201b-eacb-431b-a525-6b89b4ce5ab7",
            "created": "2023-07-17T06:48:00.342907Z",
            "modified": "2023-07-17T06:48:00.342907Z",
            "name": "CVE-2021-27221",
            "description": "** DISPUTED ** MikroTik RouterOS 6.47.9 allows remote authenticated ftp users to create or overwrite arbitrary .rsc files via the /export command. NOTE: the vendor's position is that this is intended behavior because of how user policies work.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2021-27221"
                }
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--be5c2898-7ba4-4f34-9051-094d7c6476b4",
            "created": "2023-07-17T06:48:00.340913Z",
            "modified": "2023-07-17T06:48:00.340913Z",
            "relationship_type": "related-to",
            "source_ref": "software--e2d3e4d4-996b-578f-8c4a-61c2f7c9231c",
            "target_ref": "vulnerability--1c408db6-d2aa-472d-b71b-aa1ecd1583f6"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--b41f3b3c-a9cf-4a3c-899a-16215087b907",
            "created": "2023-07-17T06:48:00.34191Z",
            "modified": "2023-07-17T06:48:00.34191Z",
            "relationship_type": "related-to",
            "source_ref": "software--e2d3e4d4-996b-578f-8c4a-61c2f7c9231c",
            "target_ref": "vulnerability--099d3a88-c617-4f30-91e3-23b49774dd5a"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--72d13cf6-f8ef-40c2-837f-e73a1c6b2066",
            "created": "2023-07-17T06:48:00.34191Z",
            "modified": "2023-07-17T06:48:00.34191Z",
            "relationship_type": "related-to",
            "source_ref": "software--e2d3e4d4-996b-578f-8c4a-61c2f7c9231c",
            "target_ref": "vulnerability--95888b27-fdbf-467c-bf5d-344f1093b298"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--bdec89d9-04dc-4908-b0bd-1bebf65c27a7",
            "created": "2023-07-17T06:48:00.34191Z",
            "modified": "2023-07-17T06:48:00.34191Z",
            "relationship_type": "related-to",
            "source_ref": "software--e2d3e4d4-996b-578f-8c4a-61c2f7c9231c",
            "target_ref": "vulnerability--9f596ebc-16ed-44c2-af51-456bf79065bc"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--c3f6d4a4-c8e8-473b-b51c-419890c8af74",
            "created": "2023-07-17T06:48:00.342907Z",
            "modified": "2023-07-17T06:48:00.342907Z",
            "relationship_type": "related-to",
            "source_ref": "software--e2d3e4d4-996b-578f-8c4a-61c2f7c9231c",
            "target_ref": "vulnerability--c82dfec0-1fe0-42d9-804a-d5eaf4292374"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--9f8656b4-695b-4a20-a937-b2cbb1960ce1",
            "created": "2023-07-17T06:48:00.342907Z",
            "modified": "2023-07-17T06:48:00.342907Z",
            "relationship_type": "related-to",
            "source_ref": "software--e2d3e4d4-996b-578f-8c4a-61c2f7c9231c",
            "target_ref": "vulnerability--ed6cdc05-ce70-4ffc-bbc3-ee81f4439f54"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--199a96bf-bb1a-4cac-976c-a4fda972e315",
            "created": "2023-07-17T06:48:00.342907Z",
            "modified": "2023-07-17T06:48:00.342907Z",
            "relationship_type": "related-to",
            "source_ref": "software--e2d3e4d4-996b-578f-8c4a-61c2f7c9231c",
            "target_ref": "vulnerability--9a07201b-eacb-431b-a525-6b89b4ce5ab7"
        },
        {
            "type": "software",
            "spec_version": "2.1",
            "id": "software--0e43d5d6-e86c-5840-8795-7874df332b0a",
            "name": "Unknown",
            "vendor": "Unknown",
            "version": "Unknown"
        },
        {
            "type": "tool",
            "spec_version": "2.1",
            "id": "tool--5d69c827-f3e9-43f7-83ec-8a0f65b3786c",
            "created": "2023-07-17T06:47:59.218865Z",
            "modified": "2023-07-17T06:47:59.218865Z",
            "name": "MikroTik RouterOS sshd",
            "description": "MikroTik RouterOS sshd/Unknown",
            "tool_types": [
                "remote-access"
            ],
            "tool_version": "Unknown"
        },
        {
            "type": "software",
            "spec_version": "2.1",
            "id": "software--b4b13641-f1a2-5bda-9c99-8ae675797d4a",
            "name": "MikroTik RouterOS sshd",
            "vendor": "MikroTik RouterOS sshd",
            "version": "Unknown"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--be9a893d-53b9-482c-a9a0-b810cd87b84e",
            "created": "2023-07-17T06:48:00.345901Z",
            "modified": "2023-07-17T06:48:00.345901Z",
            "relationship_type": "related-to",
            "source_ref": "ipv4-addr--f01a9825-f1a6-5c87-8228-44b705962b36",
            "target_ref": "grouping--26b59125-6078-4a26-802f-d4218f613dc7"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--fc82707d-b4bb-4dbe-ba0c-f479f1c9c74e",
            "created": "2023-07-17T06:48:00.345901Z",
            "modified": "2023-07-17T06:48:00.345901Z",
            "relationship_type": "related-to",
            "source_ref": "ipv4-addr--f01a9825-f1a6-5c87-8228-44b705962b36",
            "target_ref": "grouping--81fc1c3a-2f07-4c48-8df5-e54b2fb984f0"
        },
        {
            "type": "ipv4-addr",
            "spec_version": "2.1",
            "id": "ipv4-addr--f01a9825-f1a6-5c87-8228-44b705962b36",
            "value": "5.160.159.255"
        }
    ]
}

In the next example, converting the Criminal IP threat intelligence data for the IP address "5.160.159.255" into STIX for vulnerability analysis yields the graph below. Once again, starting from the IP address, the data splits into two large groupings, Port and Location. Since Location is easy for anyone to understand, we skip it again and examine Port.

STIX vulnerability analysis: graph of Criminal IP's IP-address threat intelligence converted to STIX

This IP address uses port 80 for a page that configures RouterOS, and the STIX graph confirms that a number of vulnerabilities exist on that page: RouterOS has seven vulnerabilities. However, since no Exploit DB data is found, there appears to be no widely available exploit code for them. What deserves attention is that port 80 has one more related-to edge besides RouterOS, labeled "Switch". This is Criminal IP's tag data, analyzed to mean that the RouterOS device is a switch.

STIX vulnerability analysis: STIX analysis graph of port 22 on IP address "5.160.159.255"

In addition, MikroTik RouterOS can be seen on port 22, which is in use for SSH, and port 2000 is used as the test daemon for this shell. Port 2000 appears to be one of the custom SSH ports; as its number suggests, port 2000 is often used as a substitute for port 22.
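The graphs above are read by following related-to edges from the IP address to its groupings, then from the software in the Port grouping to its vulnerabilities, and finally checking whether any exploit data is attached. The Python below performs that walk programmatically. It is an added example, not code from this article or from Criminal IP's GitHub: the bundle it uses is constructed with placeholder ids and names, the link from grouping to software via object_refs is a simplification of the exported shape, and the use of an external_references entry with source_name "exploit-db" as the marker for public exploit code is an assumption, not Criminal IP's actual representation.

```python
"""Walk a STIX 2.1 bundle from an IP address to ports, software and
vulnerabilities, mirroring how the STIX graphs in the article are read.
Everything here is a constructed example with placeholder data."""
import json


def _sdo(stix_type, n, **fields):
    """Build a minimal STIX object with a deterministic placeholder id."""
    return {"type": stix_type, "spec_version": "2.1",
            "id": f"{stix_type}--00000000-0000-4000-8000-{n:012d}", **fields}


def _rel(n, source, target, rel_type="related-to"):
    return _sdo("relationship", n, relationship_type=rel_type,
                source_ref=source, target_ref=target)


# Constructed sample bundle (placeholder ids, names and IP; not real data).
IP = _sdo("ipv4-addr", 1, value="192.0.2.10")
ROUTER = _sdo("software", 3, name="ExampleRouterOS", vendor="ExampleVendor", version="Unknown")
SSHD = _sdo("software", 4, name="ExampleSSHd", vendor="ExampleVendor", version="Unknown")
LOC = _sdo("location", 6, name="example-region", country="zz")
PORT_GROUP = _sdo("grouping", 2, name="Port", context="unspecified",
                  object_refs=[ROUTER["id"], SSHD["id"]])
LOC_GROUP = _sdo("grouping", 5, name="Location", context="unspecified",
                 object_refs=[LOC["id"]])
V1 = _sdo("vulnerability", 7, name="placeholder-vuln-1")
V2 = _sdo("vulnerability", 8, name="placeholder-vuln-2")
# Assumed marker for "public exploit code exists": an exploit-db external reference.
V3 = _sdo("vulnerability", 9, name="placeholder-vuln-3",
          external_references=[{"source_name": "exploit-db", "external_id": "EDB-PLACEHOLDER"}])

SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [IP, PORT_GROUP, LOC_GROUP, LOC, ROUTER, SSHD, V1, V2, V3,
                _rel(10, IP["id"], PORT_GROUP["id"]),
                _rel(11, IP["id"], LOC_GROUP["id"]),
                _rel(12, ROUTER["id"], V1["id"]),
                _rel(13, ROUTER["id"], V2["id"]),
                _rel(14, SSHD["id"], V3["id"]),
                # Deliberately dangling target: the kind of defect to flag before trusting a graph.
                _rel(15, SSHD["id"], "vulnerability--00000000-0000-4000-8000-000000000099")],
}


def index_bundle(bundle):
    """Return (objects by id, list of relationship objects)."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    rels = [o for o in bundle["objects"] if o["type"] == "relationship"]
    return by_id, rels


def related_targets(rels, source_id, rel_type="related-to"):
    """Target ids of relationships of the given type leaving source_id."""
    return [r["target_ref"] for r in rels
            if r["source_ref"] == source_id and r["relationship_type"] == rel_type]


def groupings_for_ip(bundle, ip_value):
    """Names of the groupings (Port, Location, ...) hanging off the IP address."""
    by_id, rels = index_bundle(bundle)
    names = []
    for obj in by_id.values():
        if obj["type"] == "ipv4-addr" and obj.get("value") == ip_value:
            for tid in related_targets(rels, obj["id"]):
                target = by_id.get(tid)
                if target and target["type"] == "grouping":
                    names.append(target["name"])
    return sorted(names)


def vulnerabilities_by_software(bundle, ip_value):
    """Map software name -> sorted vulnerability names, following
    IP -> grouping -> software (object_refs) -> vulnerability (related-to)."""
    by_id, rels = index_bundle(bundle)
    result = {}
    ip_ids = [o["id"] for o in by_id.values()
              if o["type"] == "ipv4-addr" and o.get("value") == ip_value]
    for ip_id in ip_ids:
        for gid in related_targets(rels, ip_id):
            grouping = by_id.get(gid)
            if not grouping or grouping["type"] != "grouping":
                continue
            for member_id in grouping.get("object_refs", []):
                member = by_id.get(member_id)
                if not member or member["type"] != "software":
                    continue
                vulns = result.setdefault(member["name"], [])
                for vid in related_targets(rels, member_id):
                    vuln = by_id.get(vid)  # None for dangling refs; skipped
                    if vuln and vuln["type"] == "vulnerability":
                        vulns.append(vuln["name"])
    return {name: sorted(v) for name, v in result.items()}


def vulnerabilities_with_public_exploits(bundle):
    """Vulnerability names carrying an exploit-db external reference (assumed marker)."""
    return sorted(o["name"] for o in bundle["objects"]
                  if o["type"] == "vulnerability"
                  and any(ref.get("source_name") == "exploit-db"
                          for ref in o.get("external_references", [])))


def dangling_refs(bundle):
    """Ids of relationships whose source or target object is missing from the bundle."""
    by_id, rels = index_bundle(bundle)
    return sorted(r["id"] for r in rels
                  if r["source_ref"] not in by_id or r["target_ref"] not in by_id)


if __name__ == "__main__":
    print(json.dumps({
        "groupings": groupings_for_ip(SAMPLE_BUNDLE, "192.0.2.10"),
        "vulnerabilities": vulnerabilities_by_software(SAMPLE_BUNDLE, "192.0.2.10"),
        "public_exploits": vulnerabilities_with_public_exploits(SAMPLE_BUNDLE),
        "dangling": dangling_refs(SAMPLE_BUNDLE),
    }, indent=2))
```

The dangling-reference check is the one a practitioner should run first: a converted bundle that references ids it does not contain will silently drop edges from the graph, which would make a host look less exposed than it is. The exploit-availability check only reads the marker it is told to look for, so adapt it to whatever field the real export uses.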

This is how STIX vulnerability analysis can make use of data from Criminal IP's IT asset search. Many kinds of data remain that we have not yet discussed, so the next article will present further STIX analysis cases.


This report was prepared based on data from the cyber threat intelligence search engine "Criminal IP". Refer to the Criminal IP STIX integration case and Criminal IP's official GitHub to carry out STIX vulnerability analysis.
