This article covers how to use Criminal IP threat intelligence data in STIX vulnerability analysis, walking through several cases in which Criminal IP data is represented and analyzed as STIX™ (Structured Threat Information Expression) objects.

You can consult the Criminal IP STIX integration case and the official Criminal IP GitHub repository for guidance on converting Criminal IP data to STIX format.

STIX Vulnerability Analysis Method 1 – Analyzing the relationships between MISP indicators associated with an IP address, its open ports, its vulnerabilities and Exploit DB entries

43.159.195.30_json_code
{
    "type": "bundle",
    "id": "bundle--f0ddd407-a9b5-4737-870e-46d6100c8a2a",
    "objects": [
        {
            "type": "autonomous-system",
            "spec_version": "2.1",
            "id": "autonomous-system--d89ac279-9390-5d40-a34c-4980f1228a0b",
            "number": 132203,
            "name": "Tencent Building, Kejizhongyi Avenue"
        },
        {
            "type": "location",
            "spec_version": "2.1",
            "id": "location--aa199ee5-6028-4048-9fe3-9102bc39f397",
            "created": "2023-07-17T06:42:53.473205Z",
            "modified": "2023-07-17T06:42:53.473205Z",
            "name": "hk",
            "description": "Indicates the location of the band of the owner of this ip.",
            "latitude": 22.2908,
            "longitude": 114.1501,
            "region": "Central and Western District",
            "country": "hk",
            "city": "Central"
        },
        {
            "type": "grouping",
            "spec_version": "2.1",
            "id": "grouping--5595fd09-1fd5-44e8-9c57-b644dcf286e1",
            "created": "2023-07-17T06:42:53.473205Z",
            "modified": "2023-07-17T06:42:53.473205Z",
            "name": "Location",
            "description": "You can find the location of the as_Location and the information of the owner who has this ip. ",
            "context": "unspecified",
            "object_refs": [
                "autonomous-system--d89ac279-9390-5d40-a34c-4980f1228a0b"
            ]
        },
        {
            "type": "grouping",
            "spec_version": "2.1",
            "id": "grouping--5595fd09-1fd5-44e8-9c57-b644dcf286e1",
            "created": "2023-07-17T06:42:53.473205Z",
            "modified": "2023-07-17T06:42:53.473205Z",
            "name": "Location",
            "description": "You can find the location of the as_Location and the information of the owner who has this ip. ",
            "context": "unspecified",
            "object_refs": [
                "autonomous-system--d89ac279-9390-5d40-a34c-4980f1228a0b"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--752da8ec-6097-47ab-8b52-e5eabb88a719",
            "created": "2023-07-17T06:42:53.474203Z",
            "modified": "2023-07-17T06:42:53.474203Z",
            "relationship_type": "related-to",
            "source_ref": "grouping--5595fd09-1fd5-44e8-9c57-b644dcf286e1",
            "target_ref": "location--aa199ee5-6028-4048-9fe3-9102bc39f397"
        },
        {
            "type": "grouping",
            "spec_version": "2.1",
            "id": "grouping--2cc62eeb-fcaf-44e7-b953-8fdf3beb9c6a",
            "created": "2023-07-17T06:42:56.990633Z",
            "modified": "2023-07-17T06:42:56.990633Z",
            "name": "port",
            "description": "The currently open port connected to the ip.",
            "context": "unspecified",
            "object_refs": [
                "course-of-action--31160cea-9da8-4bc3-8843-1403f14a38bd"
            ]
        },
        {
            "type": "grouping",
            "spec_version": "2.1",
            "id": "grouping--2cc62eeb-fcaf-44e7-b953-8fdf3beb9c6a",
            "created": "2023-07-17T06:42:56.990633Z",
            "modified": "2023-07-17T06:42:56.990633Z",
            "name": "port",
            "description": "The currently open port connected to the ip.",
            "context": "unspecified",
            "object_refs": [
                "course-of-action--31160cea-9da8-4bc3-8843-1403f14a38bd"
            ]
        },
        {
            "type": "grouping",
            "spec_version": "2.1",
            "id": "grouping--2cc62eeb-fcaf-44e7-b953-8fdf3beb9c6a",
            "created": "2023-07-17T06:42:56.990633Z",
            "modified": "2023-07-17T06:42:56.990633Z",
            "name": "port",
            "description": "The currently open port connected to the ip.",
            "context": "unspecified",
            "object_refs": [
                "course-of-action--31160cea-9da8-4bc3-8843-1403f14a38bd"
            ]
        },
        {
            "type": "grouping",
            "spec_version": "2.1",
            "id": "grouping--2cc62eeb-fcaf-44e7-b953-8fdf3beb9c6a",
            "created": "2023-07-17T06:42:56.990633Z",
            "modified": "2023-07-17T06:42:56.990633Z",
            "name": "port",
            "description": "The currently open port connected to the ip. ",
            "context": "unspecified",
            "object_refs": [
                "course-of-action--31160cea-9da8-4bc3-8843-1403f14a38bd"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--a19eb3e4-708c-4886-96e3-7b18ca274356",
            "created": "2023-07-17T06:42:56.990633Z",
            "modified": "2023-07-17T06:42:56.990633Z",
            "relationship_type": "related-to",
            "source_ref": "grouping--2cc62eeb-fcaf-44e7-b953-8fdf3beb9c6a",
            "target_ref": "course-of-action--a0e1351e-0370-407c-ba1e-0cff7245b983"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--bb429524-db70-44e7-b255-65d0e1749c66",
            "created": "2023-07-17T06:42:56.990633Z",
            "modified": "2023-07-17T06:42:56.990633Z",
            "relationship_type": "related-to",
            "source_ref": "grouping--2cc62eeb-fcaf-44e7-b953-8fdf3beb9c6a",
            "target_ref": "course-of-action--ee85f346-c7ab-4a6d-b079-406b59f1cf34"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--88ba1973-dd8a-42cd-bc28-0d3897f22ffe",
            "created": "2023-07-17T06:42:56.99163Z",
            "modified": "2023-07-17T06:42:56.99163Z",
            "relationship_type": "related-to",
            "source_ref": "grouping--2cc62eeb-fcaf-44e7-b953-8fdf3beb9c6a",
            "target_ref": "course-of-action--8a6ca499-1743-4206-8d9c-a47e42d9257b"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--31160cea-9da8-4bc3-8843-1403f14a38bd",
            "created": "2023-07-17T06:42:53.474203Z",
            "modified": "2023-07-17T06:42:53.474203Z",
            "name": "80",
            "description": "There is an open port 80 currently using Apache/Unknown on that IP. If it's a port you're not using, stop it."
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--a0e1351e-0370-407c-ba1e-0cff7245b983",
            "created": "2023-07-17T06:42:53.476197Z",
            "modified": "2023-07-17T06:42:53.476197Z",
            "name": "21",
            "description": "There is an open port 21 currently using Pure-FTPd/Unknown on that IP. If it's a port you're not using, stop it."
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--ee85f346-c7ab-4a6d-b079-406b59f1cf34",
            "created": "2023-07-17T06:42:53.477195Z",
            "modified": "2023-07-17T06:42:53.477195Z",
            "name": "22",
            "description": "There is an open port 22 currently using OpenSSH/7.4 on that IP. If it's a port you're not using, stop it."
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--8a6ca499-1743-4206-8d9c-a47e42d9257b",
            "created": "2023-07-17T06:42:56.986658Z",
            "modified": "2023-07-17T06:42:56.986658Z",
            "name": "443",
            "description": "There is an open port 443 currently using Apache/Unknown on that IP. If it's a port you're not using, stop it."
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--359a0f59-6cdb-4deb-aae8-6bced0ab2b0b",
            "created": "2023-07-17T06:42:53.475209Z",
            "modified": "2023-07-17T06:42:53.475209Z",
            "relationship_type": "related-to",
            "source_ref": "course-of-action--31160cea-9da8-4bc3-8843-1403f14a38bd",
            "target_ref": "software--a7891fdb-255c-52d6-91e7-8180437bd686"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--1b55daf4-72f9-406f-8155-6f8a3e1bbfc0",
            "created": "2023-07-17T06:42:53.477195Z",
            "modified": "2023-07-17T06:42:53.477195Z",
            "relationship_type": "related-to",
            "source_ref": "course-of-action--a0e1351e-0370-407c-ba1e-0cff7245b983",
            "target_ref": "software--960903d0-6ef1-5f68-b6bf-9dbeab1ce151"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--76fe2e9e-c96a-4d05-b3e8-6db21450d345",
            "created": "2023-07-17T06:42:56.985674Z",
            "modified": "2023-07-17T06:42:56.985674Z",
            "relationship_type": "related-to",
            "source_ref": "course-of-action--ee85f346-c7ab-4a6d-b079-406b59f1cf34",
            "target_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--1908b1b1-423c-4944-96c3-2803affafb0b",
            "created": "2023-07-17T06:42:56.986658Z",
            "modified": "2023-07-17T06:42:56.986658Z",
            "relationship_type": "related-to",
            "source_ref": "course-of-action--ee85f346-c7ab-4a6d-b079-406b59f1cf34",
            "target_ref": "software--b989ef70-e1c8-544a-8417-11574be404f7"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--bcc5693c-6a6c-43e2-91e7-e2eb8a19e6da",
            "created": "2023-07-17T06:42:56.989636Z",
            "modified": "2023-07-17T06:42:56.989636Z",
            "relationship_type": "related-to",
            "source_ref": "course-of-action--8a6ca499-1743-4206-8d9c-a47e42d9257b",
            "target_ref": "software--690db0e9-b4c3-5215-ac14-49fea687d445"
        },
        {
            "type": "tool",
            "spec_version": "2.1",
            "id": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "created": "2023-07-17T06:42:53.477195Z",
            "modified": "2023-07-17T06:42:53.477195Z",
            "name": "OpenSSH",
            "description": "OpenSSH/7.4",
            "tool_types": [
                "remote-access"
            ],
            "tool_version": "7.4"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--2d6f0ee2-f67f-4067-9cd6-e22a748fe8d7",
            "created": "2023-07-17T06:42:55.33803Z",
            "modified": "2023-07-17T06:42:55.33803Z",
            "name": "CVE-2023-28531",
            "description": "ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without the intended per-hop destination constraints. The earliest affected version is 8.9.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2023-28531"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--ba71bad8-22cc-4d4a-b467-b5b0e390bc14",
            "created": "2023-07-17T06:42:55.339022Z",
            "modified": "2023-07-17T06:42:55.339022Z",
            "name": "CVE-2021-41617",
            "description": "sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2021-41617"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--4e5fc937-9f8f-4243-be53-d4c0d6b70ed0",
            "created": "2023-07-17T06:42:55.339022Z",
            "modified": "2023-07-17T06:42:55.339022Z",
            "name": "CVE-2021-36368",
            "description": "** DISPUTED ** An issue was discovered in OpenSSH before 8.9. If a client is using public-key authentication with agent forwarding but without -oLogLevel=verbose, and an attacker has silently modified the server to support the None authentication option, then the user cannot determine whether FIDO authentication is going to confirm that the user wishes to connect to that server, or that the user wishes to allow that server to connect to a different server on the user's behalf. NOTE: the vendor's position is 'this is not an authentication bypass, since nothing is being bypassed.'",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2021-36368"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--4b2c6628-81b4-4a13-830c-9c4f023a9ffd",
            "created": "2023-07-17T06:42:55.339022Z",
            "modified": "2023-07-17T06:42:55.339022Z",
            "name": "CVE-2020-15778",
            "description": "** DISPUTED ** scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of 'anomalous argument transfers' because that could 'stand a great chance of breaking existing workflows.'",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2020-15778"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--7caac978-8142-40de-b933-1db352f871d3",
            "created": "2023-07-17T06:42:55.340021Z",
            "modified": "2023-07-17T06:42:55.340021Z",
            "name": "CVE-2020-14145",
            "description": "The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and 8.6 are also affected.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2020-14145"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--4a3be8d9-7638-4ac6-bd5a-f239b615ee2c",
            "created": "2023-07-17T06:42:55.340021Z",
            "modified": "2023-07-17T06:42:55.340021Z",
            "name": "CVE-2019-6111",
            "description": "An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2019-6111"
                }
            ]
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--b66b943a-d313-4728-91a0-f719d072bdee",
            "created": "2023-07-17T06:42:55.340021Z",
            "modified": "2023-07-17T06:42:55.340021Z",
            "name": "Exploit DB",
            "description": "SCP Client - Multiple Vulnerabilities (SSHTranger Things)"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--cf729b68-2a46-49ac-bfb2-ddc6e1147930",
            "created": "2023-07-17T06:42:55.341017Z",
            "modified": "2023-07-17T06:42:55.341017Z",
            "name": "CVE-2019-6110",
            "description": "In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2019-6110"
                }
            ]
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--028b6d60-0860-4660-a07e-d003394d2834",
            "created": "2023-07-17T06:42:55.341017Z",
            "modified": "2023-07-17T06:42:55.341017Z",
            "name": "Exploit DB",
            "description": "SCP Client - Multiple Vulnerabilities (SSHTranger Things)"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--fd49ce1f-96fc-4f10-bfca-92d3210ae6ad",
            "created": "2023-07-17T06:42:55.341017Z",
            "modified": "2023-07-17T06:42:55.341017Z",
            "name": "CVE-2019-6109",
            "description": "An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2019-6109"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--23ee5688-b659-4225-87df-98729f9ed29e",
            "created": "2023-07-17T06:42:55.341987Z",
            "modified": "2023-07-17T06:42:55.341987Z",
            "name": "CVE-2018-20685",
            "description": "In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2018-20685"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--a041f649-bbfe-4de3-97c7-99b0a58f333a",
            "created": "2023-07-17T06:42:55.341987Z",
            "modified": "2023-07-17T06:42:55.341987Z",
            "name": "CVE-2018-15919",
            "description": "Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or 'oracle') as a vulnerability.'",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2018-15919"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--1698d332-38d1-4931-877d-b3618b38fbda",
            "created": "2023-07-17T06:42:55.341987Z",
            "modified": "2023-07-17T06:42:55.341987Z",
            "name": "CVE-2018-15473",
            "description": "OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2018-15473"
                }
            ]
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--f0236081-bf30-419e-8100-5b22feb66d96",
            "created": "2023-07-17T06:42:55.343011Z",
            "modified": "2023-07-17T06:42:55.343011Z",
            "name": "Exploit DB",
            "description": "SCP Client - Multiple Vulnerabilities (SSHTranger Things)"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--b39ca97b-6866-468d-80da-ca81d4ba4c5f",
            "created": "2023-07-17T06:42:55.343011Z",
            "modified": "2023-07-17T06:42:55.343011Z",
            "name": "CVE-2017-15906",
            "description": "The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2017-15906"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--5c7942f1-6015-489f-825c-1178c67921de",
            "created": "2023-07-17T06:42:55.343982Z",
            "modified": "2023-07-17T06:42:55.343982Z",
            "name": "CVE-2016-20012",
            "description": "** DISPUTED ** OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session. NOTE: the vendor does not recognize user enumeration as a vulnerability for this product.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2016-20012"
                }
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--c48b0cc7-c97b-443d-a1d0-c732fcb3c9cb",
            "created": "2023-07-17T06:42:55.339022Z",
            "modified": "2023-07-17T06:42:55.339022Z",
            "relationship_type": "related-to",
            "source_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "target_ref": "vulnerability--2d6f0ee2-f67f-4067-9cd6-e22a748fe8d7"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--fb3c0d2d-f1ec-4d54-ba2f-1040f6393318",
            "created": "2023-07-17T06:42:55.339022Z",
            "modified": "2023-07-17T06:42:55.339022Z",
            "relationship_type": "related-to",
            "source_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "target_ref": "vulnerability--ba71bad8-22cc-4d4a-b467-b5b0e390bc14"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--20f02a5b-d15b-4862-85a7-680abb416bc6",
            "created": "2023-07-17T06:42:55.339022Z",
            "modified": "2023-07-17T06:42:55.339022Z",
            "relationship_type": "related-to",
            "source_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "target_ref": "vulnerability--4e5fc937-9f8f-4243-be53-d4c0d6b70ed0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--e5689584-c959-4140-9626-ef1764f43a42",
            "created": "2023-07-17T06:42:55.340021Z",
            "modified": "2023-07-17T06:42:55.340021Z",
            "relationship_type": "related-to",
            "source_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "target_ref": "vulnerability--4b2c6628-81b4-4a13-830c-9c4f023a9ffd"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--b1424e46-d9dc-4570-bfc6-b0cbf1aaf50d",
            "created": "2023-07-17T06:42:55.340021Z",
            "modified": "2023-07-17T06:42:55.340021Z",
            "relationship_type": "related-to",
            "source_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "target_ref": "vulnerability--7caac978-8142-40de-b933-1db352f871d3"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--af4e15ed-f4d3-4176-b7ca-a6302e9ddc28",
            "created": "2023-07-17T06:42:55.340021Z",
            "modified": "2023-07-17T06:42:55.340021Z",
            "relationship_type": "related-to",
            "source_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "target_ref": "vulnerability--4a3be8d9-7638-4ac6-bd5a-f239b615ee2c"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--05a4da00-0d17-4796-91bc-40986ae21a3d",
            "created": "2023-07-17T06:42:55.340021Z",
            "modified": "2023-07-17T06:42:55.340021Z",
            "relationship_type": "related-to",
            "source_ref": "course-of-action--b66b943a-d313-4728-91a0-f719d072bdee",
            "target_ref": "vulnerability--4a3be8d9-7638-4ac6-bd5a-f239b615ee2c"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--5214b8db-a740-4ad3-b273-b415b80f271c",
            "created": "2023-07-17T06:42:55.341017Z",
            "modified": "2023-07-17T06:42:55.341017Z",
            "relationship_type": "related-to",
            "source_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "target_ref": "vulnerability--cf729b68-2a46-49ac-bfb2-ddc6e1147930"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--abf13cac-c469-417c-80bb-6e2eabc27c87",
            "created": "2023-07-17T06:42:55.341017Z",
            "modified": "2023-07-17T06:42:55.341017Z",
            "relationship_type": "related-to",
            "source_ref": "course-of-action--028b6d60-0860-4660-a07e-d003394d2834",
            "target_ref": "vulnerability--cf729b68-2a46-49ac-bfb2-ddc6e1147930"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--c88cf834-e5c1-4780-8289-e41bec60f0b4",
            "created": "2023-07-17T06:42:55.341017Z",
            "modified": "2023-07-17T06:42:55.341017Z",
            "relationship_type": "related-to",
            "source_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "target_ref": "vulnerability--fd49ce1f-96fc-4f10-bfca-92d3210ae6ad"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--ff4a5a85-f75d-4a0e-a2b7-d099fb435f38",
            "created": "2023-07-17T06:42:55.341987Z",
            "modified": "2023-07-17T06:42:55.341987Z",
            "relationship_type": "related-to",
            "source_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "target_ref": "vulnerability--23ee5688-b659-4225-87df-98729f9ed29e"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--04a113c0-5cff-4ebd-b9e9-63638e55bc8e",
            "created": "2023-07-17T06:42:55.341987Z",
            "modified": "2023-07-17T06:42:55.341987Z",
            "relationship_type": "related-to",
            "source_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "target_ref": "vulnerability--a041f649-bbfe-4de3-97c7-99b0a58f333a"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--bd0f853d-326f-4e7e-ae10-c7433694a33c",
            "created": "2023-07-17T06:42:55.341987Z",
            "modified": "2023-07-17T06:42:55.341987Z",
            "relationship_type": "related-to",
            "source_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "target_ref": "vulnerability--1698d332-38d1-4931-877d-b3618b38fbda"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--9fff9e1c-ec23-4ed3-b16a-0aefc5a2d2bf",
            "created": "2023-07-17T06:42:55.343011Z",
            "modified": "2023-07-17T06:42:55.343011Z",
            "relationship_type": "related-to",
            "source_ref": "course-of-action--f0236081-bf30-419e-8100-5b22feb66d96",
            "target_ref": "vulnerability--1698d332-38d1-4931-877d-b3618b38fbda"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--070305fb-a219-413e-b1fc-e59a58ced0e1",
            "created": "2023-07-17T06:42:55.343011Z",
            "modified": "2023-07-17T06:42:55.343011Z",
            "relationship_type": "related-to",
            "source_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "target_ref": "vulnerability--b39ca97b-6866-468d-80da-ca81d4ba4c5f"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--c3ce624a-2656-429f-9c8a-ce2d34d69fd7",
            "created": "2023-07-17T06:42:55.343982Z",
            "modified": "2023-07-17T06:42:55.343982Z",
            "relationship_type": "related-to",
            "source_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "target_ref": "vulnerability--5c7942f1-6015-489f-825c-1178c67921de"
        },
        {
            "type": "software",
            "spec_version": "2.1",
            "id": "software--b989ef70-e1c8-544a-8417-11574be404f7",
            "name": "OpenSSH",
            "vendor": "OpenSSH",
            "version": "7.4"
        },
        {
            "type": "software",
            "spec_version": "2.1",
            "id": "software--a7891fdb-255c-52d6-91e7-8180437bd686",
            "name": "Apache",
            "vendor": "Apache",
            "version": "Unknown"
        },
        {
            "type": "software",
            "spec_version": "2.1",
            "id": "software--960903d0-6ef1-5f68-b6bf-9dbeab1ce151",
            "name": "Pure-FTPd",
            "vendor": "Pure-FTPd",
            "version": "Unknown"
        },
        {
            "type": "software",
            "spec_version": "2.1",
            "id": "software--690db0e9-b4c3-5215-ac14-49fea687d445",
            "name": "403 Forbidden",
            "vendor": "Apache",
            "version": "Unknown"
        },
        {
            "type": "x509-certificate",
            "spec_version": "2.1",
            "id": "x509-certificate--af7dd888-bb4a-4638-9520-6f737c781793",
            "issuer": "C=US, O=Let's Encrypt, CN=R3",
            "subject": "CN=blntoniguy.com",
            "x509_v3_extensions": {
                "basic_constraints": "critical, CA:False"
            }
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--ff917014-5e87-431b-9c0e-6673d39007df",
            "created": "2023-07-17T06:42:56.98864Z",
            "modified": "2023-07-17T06:42:56.98864Z",
            "relationship_type": "related-to",
            "source_ref": "software--690db0e9-b4c3-5215-ac14-49fea687d445",
            "target_ref": "x509-certificate--af7dd888-bb4a-4638-9520-6f737c781793"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--c950f8ca-c91c-5860-9dc6-4eccabd103a5",
            "value": "blntoniguy.com"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--0397e9e9-8a56-4a36-a706-e3b152126508",
            "created": "2023-07-17T06:42:56.98864Z",
            "modified": "2023-07-17T06:42:56.98864Z",
            "relationship_type": "related-to",
            "source_ref": "x509-certificate--af7dd888-bb4a-4638-9520-6f737c781793",
            "target_ref": "url--c950f8ca-c91c-5860-9dc6-4eccabd103a5"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--dc0ab0fe-f60c-4607-9632-f1250fa391ed",
            "created": "2023-07-17T06:42:56.99163Z",
            "modified": "2023-07-17T06:42:56.99163Z",
            "name": "unknowns",
            "description": "The hash value of the content related to the certificate of the web page is written. Determine if the corresponding hash value is malicious or not.",
            "indicator_types": [
                "unknown"
            ],
            "pattern": "[web:hashes.'SHA-256'='479100a168347d5cab1d5084dc57550ce384ec06a7c539e7bfd9be6919eeed83' OR web:hashes.'MD5'='16df109fc55f24ea14defcf0895299ac']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2023-07-17T06:42:56.99163Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--0ad90e0c-4721-4fe8-8ba7-9dc92c0d8c13",
            "created": "2023-07-17T06:42:57.001603Z",
            "modified": "2023-07-17T06:42:57.001603Z",
            "name": "https://twitter.com/ozuma5119/status/1676371909020352513",
            "description": "The hash value of the content related to the certificate of the web page is written. Determine if the corresponding hash value is malicious or not.",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "[ip:value = '43.159.195.30']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2023-07-17T06:42:57.001603Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--967656fb-50c3-4539-9212-e5fff1be2517",
            "created": "2023-07-17T06:42:57.0026Z",
            "modified": "2023-07-17T06:42:57.0026Z",
            "name": "https://twitter.com/ozuma5119/status/1678200239373598721",
            "description": "The hash value of the content related to the certificate of the web page is written. Determine if the corresponding hash value is malicious or not.",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "[ip:value = '43.159.195.30']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2023-07-17T06:42:57.0026Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--ccc61228-ecff-42c6-a1ea-769cba3d1190",
            "created": "2023-07-17T06:42:57.003598Z",
            "modified": "2023-07-17T06:42:57.003598Z",
            "name": "https://twitter.com/ozuma5119/status/1676715447021096960",
            "description": "The hash value of the content related to the certificate of the web page is written. Determine if the corresponding hash value is malicious or not.",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "[ip:value = '43.159.195.30']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2023-07-17T06:42:57.003598Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--cdf12a25-d31d-4278-8e17-374935a31d9f",
            "created": "2023-07-17T06:42:57.003598Z",
            "modified": "2023-07-17T06:42:57.003598Z",
            "name": "https://twitter.com/ozuma5119/status/1677495385793916928",
            "description": "The hash value of the content related to the certificate of the web page is written. Determine if the corresponding hash value is malicious or not.",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "[ip:value = '43.159.195.30']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2023-07-17T06:42:57.003598Z"
        },
        {
            "type": "grouping",
            "spec_version": "2.1",
            "id": "grouping--147b6225-52d4-45a0-8917-e2813b688a54",
            "created": "2023-07-17T06:42:57.004595Z",
            "modified": "2023-07-17T06:42:57.004595Z",
            "name": "unknown",
            "description": "Cloud service ",
            "context": "unspecified",
            "object_refs": [
                "indicator--dc0ab0fe-f60c-4607-9632-f1250fa391ed"
            ]
        },
        {
            "type": "grouping",
            "spec_version": "2.1",
            "id": "grouping--3a89bce9-c20e-4ada-97d2-ade84dd03285",
            "created": "2023-07-17T06:42:57.004595Z",
            "modified": "2023-07-17T06:42:57.004595Z",
            "name": "Reputation",
            "description": "A group of things that have done or are doing something malicious.",
            "context": "malware-analysis",
            "object_refs": [
                "indicator--0ad90e0c-4721-4fe8-8ba7-9dc92c0d8c13"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--cef26930-b215-4c27-b09e-44f9b2ce26ce",
            "created": "2023-07-17T06:42:57.004595Z",
            "modified": "2023-07-17T06:42:57.004595Z",
            "relationship_type": "related-to",
            "source_ref": "grouping--3a89bce9-c20e-4ada-97d2-ade84dd03285",
            "target_ref": "indicator--967656fb-50c3-4539-9212-e5fff1be2517"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--a0efb7bc-0d2b-4e89-b4d3-de84b5c67081",
            "created": "2023-07-17T06:42:57.005593Z",
            "modified": "2023-07-17T06:42:57.005593Z",
            "relationship_type": "related-to",
            "source_ref": "grouping--3a89bce9-c20e-4ada-97d2-ade84dd03285",
            "target_ref": "indicator--ccc61228-ecff-42c6-a1ea-769cba3d1190"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--3ab78a1d-6f28-491e-a85c-efe9d50ee089",
            "created": "2023-07-17T06:42:57.005593Z",
            "modified": "2023-07-17T06:42:57.005593Z",
            "relationship_type": "related-to",
            "source_ref": "grouping--3a89bce9-c20e-4ada-97d2-ade84dd03285",
            "target_ref": "indicator--cdf12a25-d31d-4278-8e17-374935a31d9f"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--86c8ded6-1af0-4463-97f8-94f871e999b4",
            "created": "2023-07-17T06:42:57.006593Z",
            "modified": "2023-07-17T06:42:57.006593Z",
            "relationship_type": "related-to",
            "source_ref": "ipv4-addr--a525965b-5fd7-5a8d-ab67-8ef8045a644c",
            "target_ref": "grouping--5595fd09-1fd5-44e8-9c57-b644dcf286e1"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--46288bb6-ff58-4660-a718-f2085c968df5",
            "created": "2023-07-17T06:42:57.006593Z",
            "modified": "2023-07-17T06:42:57.006593Z",
            "relationship_type": "related-to",
            "source_ref": "ipv4-addr--a525965b-5fd7-5a8d-ab67-8ef8045a644c",
            "target_ref": "grouping--2cc62eeb-fcaf-44e7-b953-8fdf3beb9c6a"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--e52b1589-6c03-4591-a0a7-d48a25c38c9e",
            "created": "2023-07-17T06:42:57.006593Z",
            "modified": "2023-07-17T06:42:57.006593Z",
            "relationship_type": "related-to",
            "source_ref": "ipv4-addr--a525965b-5fd7-5a8d-ab67-8ef8045a644c",
            "target_ref": "grouping--147b6225-52d4-45a0-8917-e2813b688a54"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--5b1ce678-6c3b-497d-bd9a-a223ab51aa49",
            "created": "2023-07-17T06:42:57.006593Z",
            "modified": "2023-07-17T06:42:57.006593Z",
            "relationship_type": "related-to",
            "source_ref": "ipv4-addr--a525965b-5fd7-5a8d-ab67-8ef8045a644c",
            "target_ref": "grouping--3a89bce9-c20e-4ada-97d2-ade84dd03285"
        },
        {
            "type": "ipv4-addr",
            "spec_version": "2.1",
            "id": "ipv4-addr--a525965b-5fd7-5a8d-ab67-8ef8045a644c",
            "value": "43.159.195.30"
        }
    ]
}

When you convert the data for the IP address 43.159.195.30 to STIX-format JSON and view it with cti-stix-visualization, it looks as follows (expand the code above to see the full JSON file). We will now walk through this content.

 Graph showing the conversion of IP address threat intelligence from Criminal IP to STIX for vulnerability analysis

You can see the data is divided into three groups based on the IP address (the data marked as unknown is omitted). 

  1. Location
  2. Reputation
  3. Port

We will skip the Location part as it is simple data. 

Reputation data of IP address 43.159.195.30 in the STIX vulnerability analysis graph

The Reputation grouping holds four indicators of type malicious-activity, which means this IP address has a history of being reported as malicious, either on a denylist or in MISP. Each of the four indicators is named after the Twitter post that reported the address, so following those links shows what the address was reported for. In other words, this IP address has been reported as malicious at least four times.

Open port data of the IP address 43.159.195.30 in the STIX graph

Next we look at the Port grouping. It branches into four open ports: 21, 22, 88, and 443.

  • 21: Pure-FTPd
  • 22: OpenSSH 7.4
  • 88: Apache
  • 443: HTTPS web server (the bundle records an Apache "403 Forbidden" response and a TLS certificate)

Pure-FTPd and Apache are running on ports 21 and 88, which suggests a personal or hosting server that serves a website and receives its content over FTP. Port 443 serves HTTPS with a Let's Encrypt certificate whose subject CN is blntoniguy[.]com, so that domain is most likely the website hosted on this IP address; in the bundle the x509-certificate object is linked both to the web server's software object and to a url object for the same domain.

STIX analysis graph of port 22 with IP address 43.159.195.30

The most critical part is OpenSSH 7.4 on port 22. The converter has attached a long list of CVEs to this version, some of them flaws in the scp client rather than in the daemon. In particular, CVE-2019-6110 and CVE-2019-6111 (scp client) and CVE-2018-15473 (username enumeration in sshd) are flagged as high risk because Exploit DB links to public exploit code for them. Two caveats apply when reading this list: the CVE match is made on the version banner alone, so a distribution that backports fixes into a 7.4 build may not actually be affected, and the two scp CVEs affect the scp client, not the listening daemon, so by themselves they do not give an attacker a way into this host; CVE-2018-15473 helps an attacker confirm valid usernames before a password-guessing attack.

Combining the information so far, this IP address appears to run a website for the domain blntoniguy[.]com, and the host has most likely been compromised and is being used for malicious activity. MISP and the linked Twitter posts can be used to reconstruct the history of that activity. The attackers may have gained access directly through the exposed OpenSSH daemon (for example, by guessing the password of an enumerated account), or they may have taken over the server another way and simply left OpenSSH reachable.

Based on this STIX analysis of the Criminal IP data, the operator of this IP address should update OpenSSH as soon as possible and close ports 21 and 22, or at least restrict SSH to known source addresses and replace plaintext FTP. Visualizing complex Criminal IP threat intelligence data in STIX format like this lets you group the data easily, see the patterns in the attacks, and decide how to respond effectively.
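The walk-through above reads the graph by eye: from the ipv4-addr to its groupings, from the port grouping to each port's software and CVEs, and from the Reputation grouping to the indicators. The script below does the same walk in code so that a bundle can be triaged without opening a visualizer, and it also flags two defects visible in the bundles on this page: objects repeated under the same id, and indicator patterns whose object type ("ip:", "web:") is not a STIX 2.1 cyber-observable type, which a conformant pattern parser rejects. This is an added example written for this article, not Criminal IP's converter code or code from the original page. The bundle it runs on is a constructed, reduced version of the 43.159.195.30 bundle above with shortened ids (not valid STIX UUIDs) and example Twitter URLs; it assumes, as the bundles on this page do, that ports are course-of-action objects with a numeric name and a "currently using <product>/<version>" description, and that groupings reach extra members through related-to relationships.

```python
import json
import re
from collections import defaultdict

# STIX 2.1 cyber-observable types allowed at the start of a pattern comparison; the
# converter's "ip:" and "web:" prefixes are not among them, so a conformant parser rejects them.
STIX_SCO_TYPES = {
    "artifact", "autonomous-system", "directory", "domain-name", "email-addr", "email-message",
    "file", "ipv4-addr", "ipv6-addr", "mac-addr", "mutex", "network-traffic", "process",
    "software", "url", "user-account", "windows-registry-key", "x509-certificate"}
PATTERN_TYPE_RE = re.compile(r"^\s*\[\s*([a-z0-9-]+):")
PORT_DESC_RE = re.compile(r"open port (\d+) currently using (.+?) on that IP")

def _o(type_, short_id, **fields):
    # Constructed sample object; ids are shortened here and are not valid STIX UUIDs.
    return {"type": type_, "spec_version": "2.1", "id": f"{type_}--{short_id}", **fields}

def _rel(src, dst):
    return _o("relationship", f"{src}>{dst}", relationship_type="related-to", source_ref=src, target_ref=dst)

# Constructed, reduced bundle modelled on the 43.159.195.30 bundle above: ipv4-addr -> groupings;
# port grouping -> course-of-action per port -> tool/software -> vulnerability; Reputation -> indicators.
SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--sample", "objects": [
    _o("ipv4-addr", "ip", value="43.159.195.30"),
    _o("grouping", "ports", name="port", object_refs=["course-of-action--p22"]),
    _o("grouping", "rep", name="Reputation", object_refs=["indicator--i1"]),
    _o("grouping", "rep", name="Reputation", object_refs=["indicator--i1"]),  # duplicate id, as on the page
    _o("course-of-action", "p22", name="22",
       description="There is an open port 22 currently using OpenSSH/7.4 on that IP."),
    _o("course-of-action", "p443", name="443",
       description="There is an open port 443 currently using Apache/Unknown on that IP."),
    _o("tool", "ssh", name="OpenSSH", tool_version="7.4"),
    _o("software", "apache", name="403 Forbidden", vendor="Apache", version="Unknown"),
    _o("vulnerability", "v1", name="CVE-2018-15473"), _o("vulnerability", "v2", name="CVE-2019-6111"),
    _o("indicator", "i1", name="https://twitter.com/example/status/1", pattern_type="stix",
       indicator_types=["malicious-activity"], pattern="[ip:value = '43.159.195.30']"),
    _o("indicator", "i2", name="https://twitter.com/example/status/2", pattern_type="stix",
       indicator_types=["malicious-activity"], pattern="[ipv4-addr:value = '43.159.195.30']"),
    _rel("ipv4-addr--ip", "grouping--ports"), _rel("ipv4-addr--ip", "grouping--rep"),
    _rel("grouping--ports", "course-of-action--p443"), _rel("grouping--rep", "indicator--i2"),
    _rel("course-of-action--p22", "tool--ssh"), _rel("course-of-action--p443", "software--apache"),
    _rel("tool--ssh", "vulnerability--v1"), _rel("tool--ssh", "vulnerability--v2"),
]}

def index_bundle(bundle):
    """Map id -> object and report ids seen more than once (a naive lookup silently overwrites them)."""
    by_id, dupes = {}, set()
    for obj in bundle["objects"]:
        if obj["id"] in by_id:
            dupes.add(obj["id"])
        by_id[obj["id"]] = obj
    return by_id, sorted(dupes)

def edges(bundle):
    """Adjacency list from grouping object_refs plus relationship SROs, deduplicated."""
    out = defaultdict(list)
    for obj in bundle["objects"]:
        pairs = ([(obj["source_ref"], obj["target_ref"])] if obj["type"] == "relationship"
                 else [(obj["id"], ref) for ref in obj.get("object_refs", [])])
        for src, dst in pairs:
            if dst not in out[src]:
                out[src].append(dst)
    return out

def check_pattern(pattern):
    """Observable type the pattern starts with, or None if it is not a STIX 2.1 SCO type."""
    m = PATTERN_TYPE_RE.match(pattern)
    return m.group(1) if m and m.group(1) in STIX_SCO_TYPES else None

def summarize_ip(bundle, ip_value):
    """Follow ipv4-addr -> grouping -> members: open ports (software, candidate CVEs),
    reputation indicators, duplicate ids and indicators whose pattern is not valid STIX."""
    by_id, dupes = index_bundle(bundle)
    adj = edges(bundle)
    ip_id = next(o["id"] for o in bundle["objects"] if o["type"] == "ipv4-addr" and o["value"] == ip_value)
    summary = {"duplicate_ids": dupes, "ports": {}, "reputation": [], "bad_patterns": []}
    for grp_id in adj[ip_id]:
        for member_id in adj[grp_id]:
            member = by_id.get(member_id, {})  # tolerate dangling references
            if member.get("type") == "course-of-action" and member["name"].isdigit():
                m = PORT_DESC_RE.search(member.get("description", ""))
                entry = {"banner": m.group(2) if m else "Unknown", "software": [], "cves": []}
                for sw_id in adj[member_id]:  # port -> tool/software -> vulnerability
                    sw = by_id[sw_id]
                    entry["software"].append(f"{sw['name']}/{sw.get('version', sw.get('tool_version', 'Unknown'))}")
                    # The converter matches CVEs on the version banner alone: candidates, not confirmed.
                    entry["cves"] += [by_id[v]["name"] for v in adj[sw_id] if by_id[v]["type"] == "vulnerability"]
                summary["ports"][int(member["name"])] = entry
            elif member.get("type") == "indicator":
                if "malicious-activity" in member.get("indicator_types", []):
                    summary["reputation"].append(member["name"])
                if member.get("pattern_type") == "stix" and not check_pattern(member["pattern"]):
                    summary["bad_patterns"].append(member["id"])
    return summary

if __name__ == "__main__":
    print(json.dumps(summarize_ip(SAMPLE_BUNDLE, "43.159.195.30"), indent=2))
```

Running the script prints the per-port software and CVE candidates, the reputation indicators, the duplicated grouping id and the indicator whose pattern starts with the non-standard `ip:` type. To run it on a real Criminal IP bundle, replace SAMPLE_BUNDLE with `json.load(open("43.159.195.30.json"))`; on the bundle above it would report the repeated Reputation grouping and both the `ip:` and `web:` patterns, which is worth knowing before feeding the file to a STIX-aware TIP whose pattern validator will refuse those objects.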

5.160.159.255_json_code
{
    "type": "bundle",
    "id": "bundle--237ea964-a407-485e-a3cf-29e16f653ba0",
    "objects": [
        {
            "type": "autonomous-system",
            "spec_version": "2.1",
            "id": "autonomous-system--2f780f4e-5430-5bb4-9738-23e645ae8f8c",
            "number": 43395,
            "name": "Pooya Parto Qeshm Cooperative Company"
        },
        {
            "type": "location",
            "spec_version": "2.1",
            "id": "location--98d88eee-f803-414f-971d-b878f64d2157",
            "created": "2023-07-17T06:47:59.215883Z",
            "modified": "2023-07-17T06:47:59.215883Z",
            "name": "ir",
            "description": "Indicates the location of the band of the owner of this ip.",
            "latitude": 35.698,
            "longitude": 51.4115,
            "region": "None",
            "country": "ir",
            "city": "None"
        },
        {
            "type": "grouping",
            "spec_version": "2.1",
            "id": "grouping--26b59125-6078-4a26-802f-d4218f613dc7",
            "created": "2023-07-17T06:47:59.215883Z",
            "modified": "2023-07-17T06:47:59.215883Z",
            "name": "Location",
            "description": "You can find the location of the as_Location and the information of the owner who has this ip.",
            "context": "unspecified",
            "object_refs": [
                "autonomous-system--2f780f4e-5430-5bb4-9738-23e645ae8f8c"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--0c9bd156-9217-4989-98e9-dd945bf2352d",
            "created": "2023-07-17T06:47:59.215883Z",
            "modified": "2023-07-17T06:47:59.215883Z",
            "relationship_type": "related-to",
            "source_ref": "grouping--26b59125-6078-4a26-802f-d4218f613dc7",
            "target_ref": "location--98d88eee-f803-414f-971d-b878f64d2157"
        },
        {
            "type": "grouping",
            "spec_version": "2.1",
            "id": "grouping--81fc1c3a-2f07-4c48-8df5-e54b2fb984f0",
            "created": "2023-07-17T06:48:00.344904Z",
            "modified": "2023-07-17T06:48:00.344904Z",
            "name": "port",
            "description": "The currently open port connected to the ip.",
            "context": "unspecified",
            "object_refs": [
                "course-of-action--c26ae470-3387-41ad-bf04-145de8c80b99"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--162e4a11-ac7f-4080-94be-eb92dcaf1b95",
            "created": "2023-07-17T06:48:00.344904Z",
            "modified": "2023-07-17T06:48:00.344904Z",
            "relationship_type": "related-to",
            "source_ref": "grouping--81fc1c3a-2f07-4c48-8df5-e54b2fb984f0",
            "target_ref": "course-of-action--f63cf4de-662c-416d-8419-9114a3999d5d"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--50f650b7-fdbb-4663-a099-680c12833a77",
            "created": "2023-07-17T06:48:00.344904Z",
            "modified": "2023-07-17T06:48:00.344904Z",
            "relationship_type": "related-to",
            "source_ref": "grouping--81fc1c3a-2f07-4c48-8df5-e54b2fb984f0",
            "target_ref": "course-of-action--99ded0bf-fc6f-44bb-997b-8cde74f8ff08"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--c26ae470-3387-41ad-bf04-145de8c80b99",
            "created": "2023-07-17T06:47:59.216869Z",
            "modified": "2023-07-17T06:47:59.216869Z",
            "name": "2000",
            "description": "There is an open port 2000 currently using Unknown/Unknown on that IP. If it's a port you're not using, stop it."
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--f63cf4de-662c-416d-8419-9114a3999d5d",
            "created": "2023-07-17T06:47:59.217872Z",
            "modified": "2023-07-17T06:47:59.217872Z",
            "name": "22",
            "description": "There is an open port 22 currently using MikroTik RouterOS sshd/Unknown on that IP. If it's a port you're not using, stop it."
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--99ded0bf-fc6f-44bb-997b-8cde74f8ff08",
            "created": "2023-07-17T06:47:59.220859Z",
            "modified": "2023-07-17T06:47:59.220859Z",
            "name": "80",
            "description": "There is an open port 80 currently using Mikrotik RouterOS/6.47.9 on that IP. If it's a port you're not using, stop it."
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--d7e4374a-46bb-4138-adbd-49bc6229f78f",
            "created": "2023-07-17T06:47:59.217872Z",
            "modified": "2023-07-17T06:47:59.217872Z",
            "relationship_type": "related-to",
            "source_ref": "course-of-action--c26ae470-3387-41ad-bf04-145de8c80b99",
            "target_ref": "software--0e43d5d6-e86c-5840-8795-7874df332b0a"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--0ee7f9f8-9aeb-4d94-98e5-41690ab2679e",
            "created": "2023-07-17T06:47:59.219861Z",
            "modified": "2023-07-17T06:47:59.219861Z",
            "relationship_type": "related-to",
            "source_ref": "course-of-action--f63cf4de-662c-416d-8419-9114a3999d5d",
            "target_ref": "tool--5d69c827-f3e9-43f7-83ec-8a0f65b3786c"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--a815a155-dc23-4a82-9b73-3e4b2ea079b5",
            "created": "2023-07-17T06:47:59.219861Z",
            "modified": "2023-07-17T06:47:59.219861Z",
            "relationship_type": "related-to",
            "source_ref": "course-of-action--f63cf4de-662c-416d-8419-9114a3999d5d",
            "target_ref": "software--b4b13641-f1a2-5bda-9c99-8ae675797d4a"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--461b7c0e-464a-4b8c-8665-b1d0070e87b4",
            "created": "2023-07-17T06:48:00.343905Z",
            "modified": "2023-07-17T06:48:00.343905Z",
            "relationship_type": "related-to",
            "source_ref": "course-of-action--99ded0bf-fc6f-44bb-997b-8cde74f8ff08",
            "target_ref": "software--e2d3e4d4-996b-578f-8c4a-61c2f7c9231c"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--97effece-ea34-4716-be00-df802673ca7a",
            "created": "2023-07-17T06:48:00.343905Z",
            "modified": "2023-07-17T06:48:00.343905Z",
            "relationship_type": "related-to",
            "source_ref": "course-of-action--99ded0bf-fc6f-44bb-997b-8cde74f8ff08",
            "target_ref": "software--86481f91-cfac-5132-a41f-1003f33d2458"
        },
        {
            "type": "software",
            "spec_version": "2.1",
            "id": "software--e2d3e4d4-996b-578f-8c4a-61c2f7c9231c",
            "name": "RouterOS router configuration page",
            "vendor": "Mikrotik RouterOS",
            "version": "6.47.9"
        },
        {
            "type": "software",
            "spec_version": "2.1",
            "id": "software--86481f91-cfac-5132-a41f-1003f33d2458",
            "name": "Switch",
            "vendor": "Mikrotik RouterOS",
            "version": "6.47.9"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--1c408db6-d2aa-472d-b71b-aa1ecd1583f6",
            "created": "2023-07-17T06:48:00.340913Z",
            "modified": "2023-07-17T06:48:00.340913Z",
            "name": "CVE-2022-45315",
            "description": "Mikrotik RouterOs before stable v7.6 was discovered to contain an out-of-bounds read in the snmp process. This vulnerability allows attackers to execute arbitrary code via a crafted packet.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2022-45315"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--099d3a88-c617-4f30-91e3-23b49774dd5a",
            "created": "2023-07-17T06:48:00.34191Z",
            "modified": "2023-07-17T06:48:00.34191Z",
            "name": "CVE-2022-45313",
            "description": "Mikrotik RouterOs before stable v7.5 was discovered to contain an out-of-bounds read in the hotspot process. This vulnerability allows attackers to execute arbitrary code via a crafted nova message.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2022-45313"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--95888b27-fdbf-467c-bf5d-344f1093b298",
            "created": "2023-07-17T06:48:00.34191Z",
            "modified": "2023-07-17T06:48:00.34191Z",
            "name": "CVE-2022-36522",
            "description": "Mikrotik RouterOs through stable v6.48.3 was discovered to contain an assertion failure in the component /advanced-tools/nova/bin/netwatch. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted packet.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2022-36522"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--9f596ebc-16ed-44c2-af51-456bf79065bc",
            "created": "2023-07-17T06:48:00.34191Z",
            "modified": "2023-07-17T06:48:00.34191Z",
            "name": "CVE-2021-41987",
            "description": "In the SCEP Server of RouterOS in certain Mikrotik products, an attacker can trigger a heap-based buffer overflow that leads to remote code execution. The attacker must know the scep_server_name value. This affects RouterOS 6.46.8, 6.47.9, and 6.47.10.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2021-41987"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--c82dfec0-1fe0-42d9-804a-d5eaf4292374",
            "created": "2023-07-17T06:48:00.34191Z",
            "modified": "2023-07-17T06:48:00.34191Z",
            "name": "CVE-2021-36614",
            "description": "Mikrotik RouterOs before stable 6.48.2 suffers from a memory corruption vulnerability in the tr069-client process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference).",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2021-36614"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--ed6cdc05-ce70-4ffc-bbc3-ee81f4439f54",
            "created": "2023-07-17T06:48:00.342907Z",
            "modified": "2023-07-17T06:48:00.342907Z",
            "name": "CVE-2021-36613",
            "description": "Mikrotik RouterOs before stable 6.48.2 suffers from a memory corruption vulnerability in the ptp process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference).",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2021-36613"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--9a07201b-eacb-431b-a525-6b89b4ce5ab7",
            "created": "2023-07-17T06:48:00.342907Z",
            "modified": "2023-07-17T06:48:00.342907Z",
            "name": "CVE-2021-27221",
            "description": "** DISPUTED ** MikroTik RouterOS 6.47.9 allows remote authenticated ftp users to create or overwrite arbitrary .rsc files via the /export command. NOTE: the vendor's position is that this is intended behavior because of how user policies work.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2021-27221"
                }
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--be5c2898-7ba4-4f34-9051-094d7c6476b4",
            "created": "2023-07-17T06:48:00.340913Z",
            "modified": "2023-07-17T06:48:00.340913Z",
            "relationship_type": "related-to",
            "source_ref": "software--e2d3e4d4-996b-578f-8c4a-61c2f7c9231c",
            "target_ref": "vulnerability--1c408db6-d2aa-472d-b71b-aa1ecd1583f6"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--b41f3b3c-a9cf-4a3c-899a-16215087b907",
            "created": "2023-07-17T06:48:00.34191Z",
            "modified": "2023-07-17T06:48:00.34191Z",
            "relationship_type": "related-to",
            "source_ref": "software--e2d3e4d4-996b-578f-8c4a-61c2f7c9231c",
            "target_ref": "vulnerability--099d3a88-c617-4f30-91e3-23b49774dd5a"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--72d13cf6-f8ef-40c2-837f-e73a1c6b2066",
            "created": "2023-07-17T06:48:00.34191Z",
            "modified": "2023-07-17T06:48:00.34191Z",
            "relationship_type": "related-to",
            "source_ref": "software--e2d3e4d4-996b-578f-8c4a-61c2f7c9231c",
            "target_ref": "vulnerability--95888b27-fdbf-467c-bf5d-344f1093b298"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--bdec89d9-04dc-4908-b0bd-1bebf65c27a7",
            "created": "2023-07-17T06:48:00.34191Z",
            "modified": "2023-07-17T06:48:00.34191Z",
            "relationship_type": "related-to",
            "source_ref": "software--e2d3e4d4-996b-578f-8c4a-61c2f7c9231c",
            "target_ref": "vulnerability--9f596ebc-16ed-44c2-af51-456bf79065bc"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--c3f6d4a4-c8e8-473b-b51c-419890c8af74",
            "created": "2023-07-17T06:48:00.342907Z",
            "modified": "2023-07-17T06:48:00.342907Z",
            "relationship_type": "related-to",
            "source_ref": "software--e2d3e4d4-996b-578f-8c4a-61c2f7c9231c",
            "target_ref": "vulnerability--c82dfec0-1fe0-42d9-804a-d5eaf4292374"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--9f8656b4-695b-4a20-a937-b2cbb1960ce1",
            "created": "2023-07-17T06:48:00.342907Z",
            "modified": "2023-07-17T06:48:00.342907Z",
            "relationship_type": "related-to",
            "source_ref": "software--e2d3e4d4-996b-578f-8c4a-61c2f7c9231c",
            "target_ref": "vulnerability--ed6cdc05-ce70-4ffc-bbc3-ee81f4439f54"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--199a96bf-bb1a-4cac-976c-a4fda972e315",
            "created": "2023-07-17T06:48:00.342907Z",
            "modified": "2023-07-17T06:48:00.342907Z",
            "relationship_type": "related-to",
            "source_ref": "software--e2d3e4d4-996b-578f-8c4a-61c2f7c9231c",
            "target_ref": "vulnerability--9a07201b-eacb-431b-a525-6b89b4ce5ab7"
        },
        {
            "type": "software",
            "spec_version": "2.1",
            "id": "software--0e43d5d6-e86c-5840-8795-7874df332b0a",
            "name": "Unknown",
            "vendor": "Unknown",
            "version": "Unknown"
        },
        {
            "type": "tool",
            "spec_version": "2.1",
            "id": "tool--5d69c827-f3e9-43f7-83ec-8a0f65b3786c",
            "created": "2023-07-17T06:47:59.218865Z",
            "modified": "2023-07-17T06:47:59.218865Z",
            "name": "MikroTik RouterOS sshd",
            "description": "MikroTik RouterOS sshd/Unknown",
            "tool_types": [
                "remote-access"
            ],
            "tool_version": "Unknown"
        },
        {
            "type": "software",
            "spec_version": "2.1",
            "id": "software--b4b13641-f1a2-5bda-9c99-8ae675797d4a",
            "name": "MikroTik RouterOS sshd",
            "vendor": "MikroTik RouterOS sshd",
            "version": "Unknown"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--be9a893d-53b9-482c-a9a0-b810cd87b84e",
            "created": "2023-07-17T06:48:00.345901Z",
            "modified": "2023-07-17T06:48:00.345901Z",
            "relationship_type": "related-to",
            "source_ref": "ipv4-addr--f01a9825-f1a6-5c87-8228-44b705962b36",
            "target_ref": "grouping--26b59125-6078-4a26-802f-d4218f613dc7"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--fc82707d-b4bb-4dbe-ba0c-f479f1c9c74e",
            "created": "2023-07-17T06:48:00.345901Z",
            "modified": "2023-07-17T06:48:00.345901Z",
            "relationship_type": "related-to",
            "source_ref": "ipv4-addr--f01a9825-f1a6-5c87-8228-44b705962b36",
            "target_ref": "grouping--81fc1c3a-2f07-4c48-8df5-e54b2fb984f0"
        },
        {
            "type": "ipv4-addr",
            "spec_version": "2.1",
            "id": "ipv4-addr--f01a9825-f1a6-5c87-8228-44b705962b36",
            "value": "5.160.159.255"
        }
    ]
}

In the following case, the Criminal IP threat intelligence data for the IP address 5.160.159.255 has been converted to STIX format for vulnerability analysis, and it can be represented as the graph below. As before, when you look at the content for this IP address, you can see that the data is grouped into two main groups: Port and Location. Since Location is data anyone can easily understand, we will skip it again and investigate the Port details.

Graph showing the conversion of IP address threat intelligence from Criminal IP to STIX for vulnerability analysis

This IP address serves the RouterOS configuration page on port 80, and the STIX graph shows multiple vulnerabilities attached to that page. When we look into RouterOS, it has seven vulnerabilities. However, since there is no ExploitDB data, we can assume there is no known attack code. It is worth noting that there is one more 'related-to' on port 80 besides RouterOS, shown as Switch. This indicates that the RouterOS device is a switch, which is what the Tag data from Criminal IP is analyzed for.

STIX Analysis graph of port 22 with IP address 5.160.159.255

Additionally, you can see MikroTik RouterOS on port 22, which is used for SSH, and port 2000 is used as a test daemon for this shell. Port 2000 appears to be one of the SSH custom ports; as the number suggests, port 2000 is often used as a replacement for port 22.
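The walk described above, from the ipv4-addr through the Port grouping to each service's vulnerabilities and any linked exploit reference, can be automated over a bundle of this shape. The following is an added example, not code from the article or from the Criminal IP repository; the miniature bundle, its ids and the `x-exploit-ref` object type are constructed placeholders, since the article does not show how ExploitDB entries are encoded.

```python
import json
from collections import defaultdict

# Constructed miniature STIX 2.1 bundle (not the page's bundle; ids and the
# "x-exploit-ref" type are hypothetical) mirroring the page's shape:
# ipv4-addr -> grouping "Port" -> software -> vulnerability.
BUNDLE = json.loads("""{"type": "bundle", "id": "bundle--demo", "objects": [
  {"type": "ipv4-addr", "id": "ipv4-addr--ip1", "value": "192.0.2.10"},
  {"type": "grouping", "id": "grouping--port", "name": "Port",
   "object_refs": ["software--routeros", "software--unknown"]},
  {"type": "grouping", "id": "grouping--loc", "name": "Location", "object_refs": []},
  {"type": "software", "id": "software--routeros", "name": "MikroTik RouterOS sshd"},
  {"type": "software", "id": "software--unknown", "name": "Unknown"},
  {"type": "vulnerability", "id": "vulnerability--v1", "name": "VULN-PLACEHOLDER-1"},
  {"type": "vulnerability", "id": "vulnerability--v2", "name": "VULN-PLACEHOLDER-2"},
  {"type": "x-exploit-ref", "id": "x-exploit-ref--e1", "name": "EDB-PLACEHOLDER"},
  {"type": "relationship", "id": "relationship--r1", "relationship_type": "related-to",
   "source_ref": "ipv4-addr--ip1", "target_ref": "grouping--port"},
  {"type": "relationship", "id": "relationship--r2", "relationship_type": "related-to",
   "source_ref": "ipv4-addr--ip1", "target_ref": "grouping--loc"},
  {"type": "relationship", "id": "relationship--r3", "relationship_type": "related-to",
   "source_ref": "software--routeros", "target_ref": "vulnerability--v1"},
  {"type": "relationship", "id": "relationship--r4", "relationship_type": "related-to",
   "source_ref": "software--routeros", "target_ref": "vulnerability--v2"},
  {"type": "relationship", "id": "relationship--r5", "relationship_type": "related-to",
   "source_ref": "vulnerability--v1", "target_ref": "x-exploit-ref--e1"}
]}""")

def build_graph(bundle):
    """Index objects by id and build a directed adjacency list from
    relationship SROs (source_ref -> target_ref) and grouping object_refs."""
    objs = {o["id"]: o for o in bundle["objects"]}
    adj = defaultdict(list)
    for o in bundle["objects"]:
        if o["type"] == "relationship":
            adj[o["source_ref"]].append(o["target_ref"])
        elif o["type"] == "grouping":
            adj[o["id"]].extend(o.get("object_refs", []))
    return objs, adj

def exposure_for_ip(bundle, ip_value):
    """Follow ipv4-addr -> 'Port' grouping -> software -> vulnerability and
    report, per service, its vulnerabilities and how many of them carry an
    exploit reference; the Location grouping is skipped, as in the article."""
    objs, adj = build_graph(bundle)
    kind = lambda ref: objs.get(ref, {}).get("type")
    report = {}
    for ip_id in (i for i, o in objs.items() if o["type"] == "ipv4-addr" and o["value"] == ip_value):
        for g_id in (g for g in adj[ip_id] if kind(g) == "grouping" and objs[g]["name"] == "Port"):
            for sw_id in adj[g_id]:
                vulns = [v for v in adj[sw_id] if kind(v) == "vulnerability"]
                report[objs[sw_id]["name"]] = {
                    "vulns": sorted(objs[v]["name"] for v in vulns),
                    "exploit_refs": sum(1 for v in vulns for t in adj[v] if kind(t) == "x-exploit-ref"),
                }
    return report
```

A service whose `exploit_refs` count is zero matches the article's "no ExploitDB data" observation, so the vulnerabilities are present but no known attack code is linked in the bundle.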

We have examined the method of STIX vulnerability analysis using Asset Search data from Criminal IP. Since there are still many unexplored data forms, we will introduce another STIX analysis case in the next article.


This report is based on data from Criminal IP, a cyber threat intelligence search engine. You can use the Criminal IP STIX integration case and the official Criminal IP GitHub repository to perform STIX vulnerability analysis.

Related Article(s): https://blog.criminalip.io/2023/03/22/osint-search-engine/