This post covers how to use Criminal IP threat intelligence data in STIX vulnerability analysis. It walks through several cases in which Criminal IP threat intelligence data is expressed and analyzed as STIX™ (Structured Threat Information Expression).

For how to convert Criminal IP data to STIX, see the Criminal IP STIX integration case study and the official Criminal IP GitHub repository.

STIX Vulnerability Analysis Method 1 – Relationship analysis of the MISP indicators / open ports / vulnerabilities / Exploit DB entries associated with an IP address

STIX bundle for 43.159.195.30 (43.159.195.30_json_code):
{
    "type": "bundle",
    "id": "bundle--f0ddd407-a9b5-4737-870e-46d6100c8a2a",
    "objects": [
        {
            "type": "autonomous-system",
            "spec_version": "2.1",
            "id": "autonomous-system--d89ac279-9390-5d40-a34c-4980f1228a0b",
            "number": 132203,
            "name": "Tencent Building, Kejizhongyi Avenue"
        },
        {
            "type": "location",
            "spec_version": "2.1",
            "id": "location--aa199ee5-6028-4048-9fe3-9102bc39f397",
            "created": "2023-07-17T06:42:53.473205Z",
            "modified": "2023-07-17T06:42:53.473205Z",
            "name": "hk",
            "description": "Indicates the location of the band of the owner of this ip.",
            "latitude": 22.2908,
            "longitude": 114.1501,
            "region": "Central and Western District",
            "country": "hk",
            "city": "Central"
        },
        {
            "type": "grouping",
            "spec_version": "2.1",
            "id": "grouping--5595fd09-1fd5-44e8-9c57-b644dcf286e1",
            "created": "2023-07-17T06:42:53.473205Z",
            "modified": "2023-07-17T06:42:53.473205Z",
            "name": "Location",
            "description": "You can find the location of the as_Location and the information of the owner who has this ip. ",
            "context": "unspecified",
            "object_refs": [
                "autonomous-system--d89ac279-9390-5d40-a34c-4980f1228a0b"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--752da8ec-6097-47ab-8b52-e5eabb88a719",
            "created": "2023-07-17T06:42:53.474203Z",
            "modified": "2023-07-17T06:42:53.474203Z",
            "relationship_type": "related-to",
            "source_ref": "grouping--5595fd09-1fd5-44e8-9c57-b644dcf286e1",
            "target_ref": "location--aa199ee5-6028-4048-9fe3-9102bc39f397"
        },
        {
            "type": "grouping",
            "spec_version": "2.1",
            "id": "grouping--2cc62eeb-fcaf-44e7-b953-8fdf3beb9c6a",
            "created": "2023-07-17T06:42:56.990633Z",
            "modified": "2023-07-17T06:42:56.990633Z",
            "name": "port",
            "description": "The currently open port connected to the ip.",
            "context": "unspecified",
            "object_refs": [
                "course-of-action--31160cea-9da8-4bc3-8843-1403f14a38bd"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--a19eb3e4-708c-4886-96e3-7b18ca274356",
            "created": "2023-07-17T06:42:56.990633Z",
            "modified": "2023-07-17T06:42:56.990633Z",
            "relationship_type": "related-to",
            "source_ref": "grouping--2cc62eeb-fcaf-44e7-b953-8fdf3beb9c6a",
            "target_ref": "course-of-action--a0e1351e-0370-407c-ba1e-0cff7245b983"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--bb429524-db70-44e7-b255-65d0e1749c66",
            "created": "2023-07-17T06:42:56.990633Z",
            "modified": "2023-07-17T06:42:56.990633Z",
            "relationship_type": "related-to",
            "source_ref": "grouping--2cc62eeb-fcaf-44e7-b953-8fdf3beb9c6a",
            "target_ref": "course-of-action--ee85f346-c7ab-4a6d-b079-406b59f1cf34"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--88ba1973-dd8a-42cd-bc28-0d3897f22ffe",
            "created": "2023-07-17T06:42:56.99163Z",
            "modified": "2023-07-17T06:42:56.99163Z",
            "relationship_type": "related-to",
            "source_ref": "grouping--2cc62eeb-fcaf-44e7-b953-8fdf3beb9c6a",
            "target_ref": "course-of-action--8a6ca499-1743-4206-8d9c-a47e42d9257b"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--31160cea-9da8-4bc3-8843-1403f14a38bd",
            "created": "2023-07-17T06:42:53.474203Z",
            "modified": "2023-07-17T06:42:53.474203Z",
            "name": "80",
            "description": "There is an open port 80 currently using Apache/Unknown on that IP. If it's a port you're not using, stop it."
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--a0e1351e-0370-407c-ba1e-0cff7245b983",
            "created": "2023-07-17T06:42:53.476197Z",
            "modified": "2023-07-17T06:42:53.476197Z",
            "name": "21",
            "description": "There is an open port 21 currently using Pure-FTPd/Unknown on that IP. If it's a port you're not using, stop it."
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--ee85f346-c7ab-4a6d-b079-406b59f1cf34",
            "created": "2023-07-17T06:42:53.477195Z",
            "modified": "2023-07-17T06:42:53.477195Z",
            "name": "22",
            "description": "There is an open port 22 currently using OpenSSH/7.4 on that IP. If it's a port you're not using, stop it."
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--8a6ca499-1743-4206-8d9c-a47e42d9257b",
            "created": "2023-07-17T06:42:56.986658Z",
            "modified": "2023-07-17T06:42:56.986658Z",
            "name": "443",
            "description": "There is an open port 443 currently using Apache/Unknown on that IP. If it's a port you're not using, stop it."
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--359a0f59-6cdb-4deb-aae8-6bced0ab2b0b",
            "created": "2023-07-17T06:42:53.475209Z",
            "modified": "2023-07-17T06:42:53.475209Z",
            "relationship_type": "related-to",
            "source_ref": "course-of-action--31160cea-9da8-4bc3-8843-1403f14a38bd",
            "target_ref": "software--a7891fdb-255c-52d6-91e7-8180437bd686"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--1b55daf4-72f9-406f-8155-6f8a3e1bbfc0",
            "created": "2023-07-17T06:42:53.477195Z",
            "modified": "2023-07-17T06:42:53.477195Z",
            "relationship_type": "related-to",
            "source_ref": "course-of-action--a0e1351e-0370-407c-ba1e-0cff7245b983",
            "target_ref": "software--960903d0-6ef1-5f68-b6bf-9dbeab1ce151"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--76fe2e9e-c96a-4d05-b3e8-6db21450d345",
            "created": "2023-07-17T06:42:56.985674Z",
            "modified": "2023-07-17T06:42:56.985674Z",
            "relationship_type": "related-to",
            "source_ref": "course-of-action--ee85f346-c7ab-4a6d-b079-406b59f1cf34",
            "target_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--1908b1b1-423c-4944-96c3-2803affafb0b",
            "created": "2023-07-17T06:42:56.986658Z",
            "modified": "2023-07-17T06:42:56.986658Z",
            "relationship_type": "related-to",
            "source_ref": "course-of-action--ee85f346-c7ab-4a6d-b079-406b59f1cf34",
            "target_ref": "software--b989ef70-e1c8-544a-8417-11574be404f7"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--bcc5693c-6a6c-43e2-91e7-e2eb8a19e6da",
            "created": "2023-07-17T06:42:56.989636Z",
            "modified": "2023-07-17T06:42:56.989636Z",
            "relationship_type": "related-to",
            "source_ref": "course-of-action--8a6ca499-1743-4206-8d9c-a47e42d9257b",
            "target_ref": "software--690db0e9-b4c3-5215-ac14-49fea687d445"
        },
        {
            "type": "tool",
            "spec_version": "2.1",
            "id": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "created": "2023-07-17T06:42:53.477195Z",
            "modified": "2023-07-17T06:42:53.477195Z",
            "name": "OpenSSH",
            "description": "OpenSSH/7.4",
            "tool_types": [
                "remote-access"
            ],
            "tool_version": "7.4"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--2d6f0ee2-f67f-4067-9cd6-e22a748fe8d7",
            "created": "2023-07-17T06:42:55.33803Z",
            "modified": "2023-07-17T06:42:55.33803Z",
            "name": "CVE-2023-28531",
            "description": "ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without the intended per-hop destination constraints. The earliest affected version is 8.9.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2023-28531"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--ba71bad8-22cc-4d4a-b467-b5b0e390bc14",
            "created": "2023-07-17T06:42:55.339022Z",
            "modified": "2023-07-17T06:42:55.339022Z",
            "name": "CVE-2021-41617",
            "description": "sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2021-41617"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--4e5fc937-9f8f-4243-be53-d4c0d6b70ed0",
            "created": "2023-07-17T06:42:55.339022Z",
            "modified": "2023-07-17T06:42:55.339022Z",
            "name": "CVE-2021-36368",
            "description": "** DISPUTED ** An issue was discovered in OpenSSH before 8.9. If a client is using public-key authentication with agent forwarding but without -oLogLevel=verbose, and an attacker has silently modified the server to support the None authentication option, then the user cannot determine whether FIDO authentication is going to confirm that the user wishes to connect to that server, or that the user wishes to allow that server to connect to a different server on the user's behalf. NOTE: the vendor's position is 'this is not an authentication bypass, since nothing is being bypassed.'",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2021-36368"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--4b2c6628-81b4-4a13-830c-9c4f023a9ffd",
            "created": "2023-07-17T06:42:55.339022Z",
            "modified": "2023-07-17T06:42:55.339022Z",
            "name": "CVE-2020-15778",
            "description": "** DISPUTED ** scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of 'anomalous argument transfers' because that could 'stand a great chance of breaking existing workflows.'",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2020-15778"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--7caac978-8142-40de-b933-1db352f871d3",
            "created": "2023-07-17T06:42:55.340021Z",
            "modified": "2023-07-17T06:42:55.340021Z",
            "name": "CVE-2020-14145",
            "description": "The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and 8.6 are also affected.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2020-14145"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--4a3be8d9-7638-4ac6-bd5a-f239b615ee2c",
            "created": "2023-07-17T06:42:55.340021Z",
            "modified": "2023-07-17T06:42:55.340021Z",
            "name": "CVE-2019-6111",
            "description": "An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2019-6111"
                }
            ]
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--b66b943a-d313-4728-91a0-f719d072bdee",
            "created": "2023-07-17T06:42:55.340021Z",
            "modified": "2023-07-17T06:42:55.340021Z",
            "name": "Exploit DB",
            "description": "SCP Client - Multiple Vulnerabilities (SSHTranger Things)"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--cf729b68-2a46-49ac-bfb2-ddc6e1147930",
            "created": "2023-07-17T06:42:55.341017Z",
            "modified": "2023-07-17T06:42:55.341017Z",
            "name": "CVE-2019-6110",
            "description": "In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2019-6110"
                }
            ]
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--028b6d60-0860-4660-a07e-d003394d2834",
            "created": "2023-07-17T06:42:55.341017Z",
            "modified": "2023-07-17T06:42:55.341017Z",
            "name": "Exploit DB",
            "description": "SCP Client - Multiple Vulnerabilities (SSHTranger Things)"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--fd49ce1f-96fc-4f10-bfca-92d3210ae6ad",
            "created": "2023-07-17T06:42:55.341017Z",
            "modified": "2023-07-17T06:42:55.341017Z",
            "name": "CVE-2019-6109",
            "description": "An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2019-6109"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--23ee5688-b659-4225-87df-98729f9ed29e",
            "created": "2023-07-17T06:42:55.341987Z",
            "modified": "2023-07-17T06:42:55.341987Z",
            "name": "CVE-2018-20685",
            "description": "In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2018-20685"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--a041f649-bbfe-4de3-97c7-99b0a58f333a",
            "created": "2023-07-17T06:42:55.341987Z",
            "modified": "2023-07-17T06:42:55.341987Z",
            "name": "CVE-2018-15919",
            "description": "Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or 'oracle') as a vulnerability.'",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2018-15919"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--1698d332-38d1-4931-877d-b3618b38fbda",
            "created": "2023-07-17T06:42:55.341987Z",
            "modified": "2023-07-17T06:42:55.341987Z",
            "name": "CVE-2018-15473",
            "description": "OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2018-15473"
                }
            ]
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--f0236081-bf30-419e-8100-5b22feb66d96",
            "created": "2023-07-17T06:42:55.343011Z",
            "modified": "2023-07-17T06:42:55.343011Z",
            "name": "Exploit DB",
            "description": "SCP Client - Multiple Vulnerabilities (SSHTranger Things)"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--b39ca97b-6866-468d-80da-ca81d4ba4c5f",
            "created": "2023-07-17T06:42:55.343011Z",
            "modified": "2023-07-17T06:42:55.343011Z",
            "name": "CVE-2017-15906",
            "description": "The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2017-15906"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--5c7942f1-6015-489f-825c-1178c67921de",
            "created": "2023-07-17T06:42:55.343982Z",
            "modified": "2023-07-17T06:42:55.343982Z",
            "name": "CVE-2016-20012",
            "description": "** DISPUTED ** OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session. NOTE: the vendor does not recognize user enumeration as a vulnerability for this product.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2016-20012"
                }
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--c48b0cc7-c97b-443d-a1d0-c732fcb3c9cb",
            "created": "2023-07-17T06:42:55.339022Z",
            "modified": "2023-07-17T06:42:55.339022Z",
            "relationship_type": "related-to",
            "source_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "target_ref": "vulnerability--2d6f0ee2-f67f-4067-9cd6-e22a748fe8d7"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--fb3c0d2d-f1ec-4d54-ba2f-1040f6393318",
            "created": "2023-07-17T06:42:55.339022Z",
            "modified": "2023-07-17T06:42:55.339022Z",
            "relationship_type": "related-to",
            "source_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "target_ref": "vulnerability--ba71bad8-22cc-4d4a-b467-b5b0e390bc14"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--20f02a5b-d15b-4862-85a7-680abb416bc6",
            "created": "2023-07-17T06:42:55.339022Z",
            "modified": "2023-07-17T06:42:55.339022Z",
            "relationship_type": "related-to",
            "source_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "target_ref": "vulnerability--4e5fc937-9f8f-4243-be53-d4c0d6b70ed0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--e5689584-c959-4140-9626-ef1764f43a42",
            "created": "2023-07-17T06:42:55.340021Z",
            "modified": "2023-07-17T06:42:55.340021Z",
            "relationship_type": "related-to",
            "source_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "target_ref": "vulnerability--4b2c6628-81b4-4a13-830c-9c4f023a9ffd"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--b1424e46-d9dc-4570-bfc6-b0cbf1aaf50d",
            "created": "2023-07-17T06:42:55.340021Z",
            "modified": "2023-07-17T06:42:55.340021Z",
            "relationship_type": "related-to",
            "source_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "target_ref": "vulnerability--7caac978-8142-40de-b933-1db352f871d3"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--af4e15ed-f4d3-4176-b7ca-a6302e9ddc28",
            "created": "2023-07-17T06:42:55.340021Z",
            "modified": "2023-07-17T06:42:55.340021Z",
            "relationship_type": "related-to",
            "source_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "target_ref": "vulnerability--4a3be8d9-7638-4ac6-bd5a-f239b615ee2c"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--05a4da00-0d17-4796-91bc-40986ae21a3d",
            "created": "2023-07-17T06:42:55.340021Z",
            "modified": "2023-07-17T06:42:55.340021Z",
            "relationship_type": "related-to",
            "source_ref": "course-of-action--b66b943a-d313-4728-91a0-f719d072bdee",
            "target_ref": "vulnerability--4a3be8d9-7638-4ac6-bd5a-f239b615ee2c"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--5214b8db-a740-4ad3-b273-b415b80f271c",
            "created": "2023-07-17T06:42:55.341017Z",
            "modified": "2023-07-17T06:42:55.341017Z",
            "relationship_type": "related-to",
            "source_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "target_ref": "vulnerability--cf729b68-2a46-49ac-bfb2-ddc6e1147930"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--abf13cac-c469-417c-80bb-6e2eabc27c87",
            "created": "2023-07-17T06:42:55.341017Z",
            "modified": "2023-07-17T06:42:55.341017Z",
            "relationship_type": "related-to",
            "source_ref": "course-of-action--028b6d60-0860-4660-a07e-d003394d2834",
            "target_ref": "vulnerability--cf729b68-2a46-49ac-bfb2-ddc6e1147930"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--c88cf834-e5c1-4780-8289-e41bec60f0b4",
            "created": "2023-07-17T06:42:55.341017Z",
            "modified": "2023-07-17T06:42:55.341017Z",
            "relationship_type": "related-to",
            "source_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "target_ref": "vulnerability--fd49ce1f-96fc-4f10-bfca-92d3210ae6ad"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--ff4a5a85-f75d-4a0e-a2b7-d099fb435f38",
            "created": "2023-07-17T06:42:55.341987Z",
            "modified": "2023-07-17T06:42:55.341987Z",
            "relationship_type": "related-to",
            "source_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "target_ref": "vulnerability--23ee5688-b659-4225-87df-98729f9ed29e"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--04a113c0-5cff-4ebd-b9e9-63638e55bc8e",
            "created": "2023-07-17T06:42:55.341987Z",
            "modified": "2023-07-17T06:42:55.341987Z",
            "relationship_type": "related-to",
            "source_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "target_ref": "vulnerability--a041f649-bbfe-4de3-97c7-99b0a58f333a"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--bd0f853d-326f-4e7e-ae10-c7433694a33c",
            "created": "2023-07-17T06:42:55.341987Z",
            "modified": "2023-07-17T06:42:55.341987Z",
            "relationship_type": "related-to",
            "source_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "target_ref": "vulnerability--1698d332-38d1-4931-877d-b3618b38fbda"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--9fff9e1c-ec23-4ed3-b16a-0aefc5a2d2bf",
            "created": "2023-07-17T06:42:55.343011Z",
            "modified": "2023-07-17T06:42:55.343011Z",
            "relationship_type": "related-to",
            "source_ref": "course-of-action--f0236081-bf30-419e-8100-5b22feb66d96",
            "target_ref": "vulnerability--1698d332-38d1-4931-877d-b3618b38fbda"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--070305fb-a219-413e-b1fc-e59a58ced0e1",
            "created": "2023-07-17T06:42:55.343011Z",
            "modified": "2023-07-17T06:42:55.343011Z",
            "relationship_type": "related-to",
            "source_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "target_ref": "vulnerability--b39ca97b-6866-468d-80da-ca81d4ba4c5f"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--c3ce624a-2656-429f-9c8a-ce2d34d69fd7",
            "created": "2023-07-17T06:42:55.343982Z",
            "modified": "2023-07-17T06:42:55.343982Z",
            "relationship_type": "related-to",
            "source_ref": "tool--251d8d8c-7444-46b9-bc38-679306d7f54e",
            "target_ref": "vulnerability--5c7942f1-6015-489f-825c-1178c67921de"
        },
        {
            "type": "software",
            "spec_version": "2.1",
            "id": "software--b989ef70-e1c8-544a-8417-11574be404f7",
            "name": "OpenSSH",
            "vendor": "OpenSSH",
            "version": "7.4"
        },
        {
            "type": "software",
            "spec_version": "2.1",
            "id": "software--a7891fdb-255c-52d6-91e7-8180437bd686",
            "name": "Apache",
            "vendor": "Apache",
            "version": "Unknown"
        },
        {
            "type": "software",
            "spec_version": "2.1",
            "id": "software--960903d0-6ef1-5f68-b6bf-9dbeab1ce151",
            "name": "Pure-FTPd",
            "vendor": "Pure-FTPd",
            "version": "Unknown"
        },
        {
            "type": "software",
            "spec_version": "2.1",
            "id": "software--690db0e9-b4c3-5215-ac14-49fea687d445",
            "name": "403 Forbidden",
            "vendor": "Apache",
            "version": "Unknown"
        },
        {
            "type": "x509-certificate",
            "spec_version": "2.1",
            "id": "x509-certificate--af7dd888-bb4a-4638-9520-6f737c781793",
            "issuer": "C=US, O=Let's Encrypt, CN=R3",
            "subject": "CN=blntoniguy.com",
            "x509_v3_extensions": {
                "basic_constraints": "caritical, CA:False"
            }
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--ff917014-5e87-431b-9c0e-6673d39007df",
            "created": "2023-07-17T06:42:56.98864Z",
            "modified": "2023-07-17T06:42:56.98864Z",
            "relationship_type": "related-to",
            "source_ref": "software--690db0e9-b4c3-5215-ac14-49fea687d445",
            "target_ref": "x509-certificate--af7dd888-bb4a-4638-9520-6f737c781793"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--c950f8ca-c91c-5860-9dc6-4eccabd103a5",
            "value": "blntoniguy.com"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--0397e9e9-8a56-4a36-a706-e3b152126508",
            "created": "2023-07-17T06:42:56.98864Z",
            "modified": "2023-07-17T06:42:56.98864Z",
            "relationship_type": "related-to",
            "source_ref": "x509-certificate--af7dd888-bb4a-4638-9520-6f737c781793",
            "target_ref": "url--c950f8ca-c91c-5860-9dc6-4eccabd103a5"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--dc0ab0fe-f60c-4607-9632-f1250fa391ed",
            "created": "2023-07-17T06:42:56.99163Z",
            "modified": "2023-07-17T06:42:56.99163Z",
            "name": "unknowns",
            "description": "The hash value of the content related to the certificate of the web page is written. Determine if the corresponding hash value is malicious or not.",
            "indicator_types": [
                "unknown"
            ],
            "pattern": "[web:hashes.'SHA-256'='479100a168347d5cab1d5084dc57550ce384ec06a7c539e7bfd9be6919eeed83' OR web:hashes.'MD5'='16df109fc55f24ea14defcf0895299ac']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2023-07-17T06:42:56.99163Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--0ad90e0c-4721-4fe8-8ba7-9dc92c0d8c13",
            "created": "2023-07-17T06:42:57.001603Z",
            "modified": "2023-07-17T06:42:57.001603Z",
            "name": "https://twitter.com/ozuma5119/status/1676371909020352513",
            "description": "The hash value of the content related to the certificate of the web page is written. Determine if the corresponding hash value is malicious or not.",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "[ip:value = '43.159.195.30']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2023-07-17T06:42:57.001603Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--967656fb-50c3-4539-9212-e5fff1be2517",
            "created": "2023-07-17T06:42:57.0026Z",
            "modified": "2023-07-17T06:42:57.0026Z",
            "name": "https://twitter.com/ozuma5119/status/1678200239373598721",
            "description": "The hash value of the content related to the certificate of the web page is written. Determine if the corresponding hash value is malicious or not.",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "[ip:value = '43.159.195.30']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2023-07-17T06:42:57.0026Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--ccc61228-ecff-42c6-a1ea-769cba3d1190",
            "created": "2023-07-17T06:42:57.003598Z",
            "modified": "2023-07-17T06:42:57.003598Z",
            "name": "https://twitter.com/ozuma5119/status/1676715447021096960",
            "description": "The hash value of the content related to the certificate of the web page is written. Determine if the corresponding hash value is malicious or not.",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "[ip:value = '43.159.195.30']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2023-07-17T06:42:57.003598Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--cdf12a25-d31d-4278-8e17-374935a31d9f",
            "created": "2023-07-17T06:42:57.003598Z",
            "modified": "2023-07-17T06:42:57.003598Z",
            "name": "https://twitter.com/ozuma5119/status/1677495385793916928",
            "description": "The hash value of the content related to the certificate of the web page is written. Determine if the corresponding hash value is malicious or not.",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "[ip:value = '43.159.195.30']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2023-07-17T06:42:57.003598Z"
        },
        {
            "type": "grouping",
            "spec_version": "2.1",
            "id": "grouping--147b6225-52d4-45a0-8917-e2813b688a54",
            "created": "2023-07-17T06:42:57.004595Z",
            "modified": "2023-07-17T06:42:57.004595Z",
            "name": "unknown",
            "description": "Cloud service ",
            "context": "unspecified",
            "object_refs": [
                "indicator--dc0ab0fe-f60c-4607-9632-f1250fa391ed"
            ]
        },
        {
            "type": "grouping",
            "spec_version": "2.1",
            "id": "grouping--3a89bce9-c20e-4ada-97d2-ade84dd03285",
            "created": "2023-07-17T06:42:57.004595Z",
            "modified": "2023-07-17T06:42:57.004595Z",
            "name": "Reputation",
            "description": "A group of things that have done or are doing something malicious.",
            "context": "malware-analysis",
            "object_refs": [
                "indicator--0ad90e0c-4721-4fe8-8ba7-9dc92c0d8c13"
            ]
        },
        {
            "type": "grouping",
            "spec_version": "2.1",
            "id": "grouping--3a89bce9-c20e-4ada-97d2-ade84dd03285",
            "created": "2023-07-17T06:42:57.004595Z",
            "modified": "2023-07-17T06:42:57.004595Z",
            "name": "Reputation",
            "description": "A group of things that have done or are doing something malicious.",
            "context": "malware-analysis",
            "object_refs": [
                "indicator--0ad90e0c-4721-4fe8-8ba7-9dc92c0d8c13"
            ]
        },
        {
            "type": "grouping",
            "spec_version": "2.1",
            "id": "grouping--3a89bce9-c20e-4ada-97d2-ade84dd03285",
            "created": "2023-07-17T06:42:57.004595Z",
            "modified": "2023-07-17T06:42:57.004595Z",
            "name": "Reputation",
            "description": "A group of things that have done or are doing something malicious.",
            "context": "malware-analysis",
            "object_refs": [
                "indicator--0ad90e0c-4721-4fe8-8ba7-9dc92c0d8c13"
            ]
        },
        {
            "type": "grouping",
            "spec_version": "2.1",
            "id": "grouping--3a89bce9-c20e-4ada-97d2-ade84dd03285",
            "created": "2023-07-17T06:42:57.004595Z",
            "modified": "2023-07-17T06:42:57.004595Z",
            "name": "Reputation",
            "description": "A group of things that have done or are doing something malicious.",
            "context": "malware-analysis",
            "object_refs": [
                "indicator--0ad90e0c-4721-4fe8-8ba7-9dc92c0d8c13"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--cef26930-b215-4c27-b09e-44f9b2ce26ce",
            "created": "2023-07-17T06:42:57.004595Z",
            "modified": "2023-07-17T06:42:57.004595Z",
            "relationship_type": "related-to",
            "source_ref": "grouping--3a89bce9-c20e-4ada-97d2-ade84dd03285",
            "target_ref": "indicator--967656fb-50c3-4539-9212-e5fff1be2517"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--a0efb7bc-0d2b-4e89-b4d3-de84b5c67081",
            "created": "2023-07-17T06:42:57.005593Z",
            "modified": "2023-07-17T06:42:57.005593Z",
            "relationship_type": "related-to",
            "source_ref": "grouping--3a89bce9-c20e-4ada-97d2-ade84dd03285",
            "target_ref": "indicator--ccc61228-ecff-42c6-a1ea-769cba3d1190"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--3ab78a1d-6f28-491e-a85c-efe9d50ee089",
            "created": "2023-07-17T06:42:57.005593Z",
            "modified": "2023-07-17T06:42:57.005593Z",
            "relationship_type": "related-to",
            "source_ref": "grouping--3a89bce9-c20e-4ada-97d2-ade84dd03285",
            "target_ref": "indicator--cdf12a25-d31d-4278-8e17-374935a31d9f"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--86c8ded6-1af0-4463-97f8-94f871e999b4",
            "created": "2023-07-17T06:42:57.006593Z",
            "modified": "2023-07-17T06:42:57.006593Z",
            "relationship_type": "related-to",
            "source_ref": "ipv4-addr--a525965b-5fd7-5a8d-ab67-8ef8045a644c",
            "target_ref": "grouping--5595fd09-1fd5-44e8-9c57-b644dcf286e1"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--46288bb6-ff58-4660-a718-f2085c968df5",
            "created": "2023-07-17T06:42:57.006593Z",
            "modified": "2023-07-17T06:42:57.006593Z",
            "relationship_type": "related-to",
            "source_ref": "ipv4-addr--a525965b-5fd7-5a8d-ab67-8ef8045a644c",
            "target_ref": "grouping--2cc62eeb-fcaf-44e7-b953-8fdf3beb9c6a"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--e52b1589-6c03-4591-a0a7-d48a25c38c9e",
            "created": "2023-07-17T06:42:57.006593Z",
            "modified": "2023-07-17T06:42:57.006593Z",
            "relationship_type": "related-to",
            "source_ref": "ipv4-addr--a525965b-5fd7-5a8d-ab67-8ef8045a644c",
            "target_ref": "grouping--147b6225-52d4-45a0-8917-e2813b688a54"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--5b1ce678-6c3b-497d-bd9a-a223ab51aa49",
            "created": "2023-07-17T06:42:57.006593Z",
            "modified": "2023-07-17T06:42:57.006593Z",
            "relationship_type": "related-to",
            "source_ref": "ipv4-addr--a525965b-5fd7-5a8d-ab67-8ef8045a644c",
            "target_ref": "grouping--3a89bce9-c20e-4ada-97d2-ade84dd03285"
        },
        {
            "type": "ipv4-addr",
            "spec_version": "2.1",
            "id": "ipv4-addr--a525965b-5fd7-5a8d-ab67-8ef8045a644c",
            "value": "43.159.195.30"
        }
    ]
}

Converting the data for the IP address 43.159.196.30 into STIX-format JSON and viewing it as a graph with cti-stix-visualization gives the result below (expand the code above to see the original JSON file). Let's now analyze this content.

 Graph of Criminal IP IP-address threat intelligence converted to STIX for STIX vulnerability analysis

Starting from the IP address, the data can be seen splitting into three main groups (data marked unknown is omitted).

  1. Location
  2. Reputation
  3. Port

Location is very simple data, so a separate explanation is omitted.

Reputation data in the STIX vulnerability analysis graph of IP address 43.159.196.30

Looking at Reputation, there are four data items, which can be interpreted as meaning that this IP has a history of being reported to a denylist or of malicious activity recorded in MISP and similar sources. In addition, four Twitter URLs are linked to this IP address, and visiting them shows the malicious history associated with it. In other words, this IP address can be considered to have at least four records of malicious reports.

Open-port data in the STIX graph of IP address 43.159.196.30

Next, let's look at the Port section. It shows the port information linked to this IP address. This data branches again into four ports: 21, 22, 88, and 443.

  • 21: PureFTP
  • 22: OpenSSH 
  • 88: Apache
  • 443: unidentified web server

Since PureFTP and Apache daemons are running on ports 21 and 88, the server appears to be a personal or hosting server used as both a web server and an FTP server. The HTTPS web page on port 443 currently has a certificate. The subject DN of that certificate is blntoniguy[.]com, and this domain is very likely the website of this IP address.

STIX vulnerability analysis graph for port 22 of IP address 43.159.196.30

The most important part is OpenSSH on port 22. This product currently has a number of vulnerabilities, and some of them appear to be security flaws in the SCP client software. In particular, CVE-2019-6110, CVE-2019-6111, and CVE-2018-15473 are highly exploitable vulnerabilities, to the point that links to attack code provided by Exploit DB are attached to them.

Combining the information so far, this IP address appears to serve a website under the domain blntoniguy[.]com, but it is judged that the site was compromised by hackers and is also carrying out malicious activity. The history of that malicious activity can be reviewed through MISP, Twitter, and similar sources, and it is likely that the hacker either accessed this server directly through the vulnerable OpenSSH daemon to perform malicious actions, or took over the server by some other means and is controlling it while leaving OpenSSH open.

As a result of analyzing the Criminal IP data with STIX, this IP address should apply OpenSSH security updates as soon as possible, and ports 21 and 22 should also be closed as soon as possible. Visualizing Criminal IP threat intelligence data, which can look complex, in STIX form like this makes it easy to group the data and gives ideas about the flow of the attack the data shows and how to respond to it.
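The walk described above (IP address, then the Reputation and Port groupings, then the software on each port and its vulnerabilities) can be done by script instead of by eye. The following Python is an added example, not part of the original post and not Criminal IP's converter or GitHub code. It assumes two things visible in the bundle above: the same grouping object can appear more than once under one id, and a grouping's members are attached both through `object_refs` and through separate `related-to` relationships, so the traversal dedupes by id and follows both kinds of edge. It also assumes the open-port grouping is named "port" and that an Exploit DB link appears as an `external_references` entry mentioning "exploit"; both are assumptions, labelled in the code. `SAMPLE_BUNDLE` is a constructed, cut-down stand-in with placeholder ids, IP, ports and CVE names, not the page's data.

```python
"""Walk a STIX 2.1 bundle shaped like the converter's output
(ipv4-addr -> grouping -> course-of-action / indicator -> software or tool -> vulnerability)
and extract what the graph analysis reads off by eye. Standard library only."""
import json
from collections import defaultdict

# Both object types hang off a port in the converter's output (OpenSSH is a tool in case 1).
SERVICE_TYPES = ("software", "tool")

def _rel(src, dst):
    """Minimal related-to SRO for the constructed sample below."""
    return {"type": "relationship", "id": f"relationship--{src}-{dst}",
            "relationship_type": "related-to", "source_ref": src, "target_ref": dst}

# Constructed sample bundle, NOT the page's data: ids, IP, ports and CVE names are placeholders.
# It keeps two quirks of the real bundles: a grouping emitted twice under the same id, and
# members attached both via object_refs (indicator--i1) and via an SRO (indicator--i2).
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--sample", "objects": [
    {"type": "ipv4-addr", "id": "ipv4-addr--ip1", "value": "192.0.2.10"},
    _rel("ipv4-addr--ip1", "grouping--rep"), _rel("ipv4-addr--ip1", "grouping--port"),
    {"type": "grouping", "id": "grouping--rep", "name": "Reputation", "context": "malware-analysis", "object_refs": ["indicator--i1"]},
    {"type": "grouping", "id": "grouping--rep", "name": "Reputation", "context": "malware-analysis", "object_refs": ["indicator--i1"]},
    {"type": "indicator", "id": "indicator--i1", "name": "report-1", "indicator_types": ["malicious-activity"], "pattern": "[ip:value = '192.0.2.10']"},
    {"type": "indicator", "id": "indicator--i2", "name": "report-2", "indicator_types": ["malicious-activity"], "pattern": "[ip:value = '192.0.2.10']"},
    _rel("grouping--rep", "indicator--i2"),
    {"type": "grouping", "id": "grouping--port", "name": "port", "context": "unspecified", "object_refs": ["course-of-action--p22"]},
    _rel("grouping--port", "course-of-action--p80"),
    {"type": "course-of-action", "id": "course-of-action--p22", "name": "22"},
    {"type": "course-of-action", "id": "course-of-action--p80", "name": "80"},
    _rel("course-of-action--p22", "tool--sshd"), _rel("course-of-action--p80", "software--httpd"),
    {"type": "tool", "id": "tool--sshd", "name": "OpenSSH", "tool_version": "7.4"},
    {"type": "software", "id": "software--httpd", "name": "Apache", "version": "Unknown"},
    {"type": "vulnerability", "id": "vulnerability--v1", "name": "CVE-0000-0001", "external_references": [
        {"source_name": "cve", "external_id": "CVE-0000-0001"}, {"source_name": "exploit-db", "url": "https://example.invalid/1"}]},
    {"type": "vulnerability", "id": "vulnerability--v2", "name": "CVE-0000-0002", "external_references": [
        {"source_name": "cve", "external_id": "CVE-0000-0002"}]},
    _rel("tool--sshd", "vulnerability--v1"), _rel("tool--sshd", "vulnerability--v2"),
]})

def load_objects(bundle_text):
    """Index objects by id; a repeated id keeps its first copy (the converter duplicates groupings)."""
    objects = {}
    for obj in json.loads(bundle_text)["objects"]:
        objects.setdefault(obj["id"], obj)
    return objects

def build_edges(objects):
    """Directed adjacency from relationship SROs and grouping object_refs; the visualizer draws both."""
    edges = defaultdict(set)
    for obj in objects.values():
        if obj["type"] == "relationship":
            edges[obj["source_ref"]].add(obj["target_ref"])
        for ref in obj.get("object_refs", []):
            edges[obj["id"]].add(ref)
    return edges

def neighbours(objects, edges, node_id, wanted_type):
    """Objects of one type one hop away from node_id, in id order so output is stable."""
    return [objects[t] for t in sorted(edges.get(node_id, ()))
            if t in objects and objects[t]["type"] == wanted_type]

def has_exploit_reference(vuln):
    """Assumption: an Exploit DB link is an external_reference whose source_name or url mentions 'exploit'."""
    return any("exploit" in (r.get("source_name", "") + r.get("url", "")).lower()
               for r in vuln.get("external_references", []))

def summarize_ip(bundle_text, ip_value):
    """Per-IP digest: reputation report count and, per open port, services, CVEs and exploit-backed CVEs."""
    objects = load_objects(bundle_text)
    edges = build_edges(objects)
    ip_ids = [o["id"] for o in objects.values() if o["type"] == "ipv4-addr" and o.get("value") == ip_value]
    if not ip_ids:
        raise ValueError(f"no ipv4-addr object for {ip_value}")
    summary = {"reputation_reports": 0, "ports": {}}
    for group in neighbours(objects, edges, ip_ids[0], "grouping"):
        if group.get("context") == "malware-analysis":      # the Reputation grouping
            summary["reputation_reports"] += len(neighbours(objects, edges, group["id"], "indicator"))
        elif group.get("name", "").lower() == "port":       # assumption: open-port grouping is named "port"
            for coa in neighbours(objects, edges, group["id"], "course-of-action"):
                entry = {"services": [], "cves": [], "exploitable": []}
                for stype in SERVICE_TYPES:
                    for svc in neighbours(objects, edges, coa["id"], stype):
                        entry["services"].append(f"{svc['name']} {svc.get('version') or svc.get('tool_version') or 'Unknown'}")
                        for vuln in neighbours(objects, edges, svc["id"], "vulnerability"):
                            entry["cves"].append(vuln["name"])
                            if has_exploit_reference(vuln):
                                entry["exploitable"].append(vuln["name"])
                summary["ports"][int(coa["name"])] = entry
    return summary

def prioritize(summary):
    """Remediation order: ports with exploit-backed CVEs first, then by CVE count, then port number."""
    return sorted(summary["ports"].items(),
                  key=lambda kv: (-len(kv[1]["exploitable"]), -len(kv[1]["cves"]), kv[0]))

if __name__ == "__main__":
    digest = summarize_ip(SAMPLE_BUNDLE, "192.0.2.10")
    print("reputation reports:", digest["reputation_reports"])
    for port, info in prioritize(digest):
        print(port, info)
```

Run against the sample, `summarize_ip` reports two reputation entries (one found through `object_refs`, one through the SRO) and puts port 22 ahead of port 80 in `prioritize` because its service carries an exploit-backed CVE. Feeding it a real bundle from the converter gives the same ordering the analysis above arrives at by hand: patch or close the ports whose software has public exploit code first.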

STIX vulnerability analysis method 2 – Representing and analyzing the vulnerabilities and Tag information associated with an IP address

5.160.159.255_json_code
{
    "type": "bundle",
    "id": "bundle--237ea964-a407-485e-a3cf-29e16f653ba0",
    "objects": [
        {
            "type": "autonomous-system",
            "spec_version": "2.1",
            "id": "autonomous-system--2f780f4e-5430-5bb4-9738-23e645ae8f8c",
            "number": 43395,
            "name": "Pooya Parto Qeshm Cooperative Company"
        },
        {
            "type": "location",
            "spec_version": "2.1",
            "id": "location--98d88eee-f803-414f-971d-b878f64d2157",
            "created": "2023-07-17T06:47:59.215883Z",
            "modified": "2023-07-17T06:47:59.215883Z",
            "name": "ir",
            "description": "Indicates the location of the band of the owner of this ip.",
            "latitude": 35.698,
            "longitude": 51.4115,
            "region": "None",
            "country": "ir",
            "city": "None"
        },
        {
            "type": "grouping",
            "spec_version": "2.1",
            "id": "grouping--26b59125-6078-4a26-802f-d4218f613dc7",
            "created": "2023-07-17T06:47:59.215883Z",
            "modified": "2023-07-17T06:47:59.215883Z",
            "name": "Location",
            "description": "You can find the location of the as_Location and the information of the owner who has this ip.",
            "context": "unspecified",
            "object_refs": [
                "autonomous-system--2f780f4e-5430-5bb4-9738-23e645ae8f8c"
            ]
        },
        {
            "type": "grouping",
            "spec_version": "2.1",
            "id": "grouping--26b59125-6078-4a26-802f-d4218f613dc7",
            "created": "2023-07-17T06:47:59.215883Z",
            "modified": "2023-07-17T06:47:59.215883Z",
            "name": "Location",
            "description": "You can find the location of the as_Location and the information of the owner who has this ip.",
            "context": "unspecified",
            "object_refs": [
                "autonomous-system--2f780f4e-5430-5bb4-9738-23e645ae8f8c"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--0c9bd156-9217-4989-98e9-dd945bf2352d",
            "created": "2023-07-17T06:47:59.215883Z",
            "modified": "2023-07-17T06:47:59.215883Z",
            "relationship_type": "related-to",
            "source_ref": "grouping--26b59125-6078-4a26-802f-d4218f613dc7",
            "target_ref": "location--98d88eee-f803-414f-971d-b878f64d2157"
        },
        {
            "type": "grouping",
            "spec_version": "2.1",
            "id": "grouping--81fc1c3a-2f07-4c48-8df5-e54b2fb984f0",
            "created": "2023-07-17T06:48:00.344904Z",
            "modified": "2023-07-17T06:48:00.344904Z",
            "name": "port",
            "description": "The currently open port connected to the ip.",
            "context": "unspecified",
            "object_refs": [
                "course-of-action--c26ae470-3387-41ad-bf04-145de8c80b99"
            ]
        },
        {
            "type": "grouping",
            "spec_version": "2.1",
            "id": "grouping--81fc1c3a-2f07-4c48-8df5-e54b2fb984f0",
            "created": "2023-07-17T06:48:00.344904Z",
            "modified": "2023-07-17T06:48:00.344904Z",
            "name": "port",
            "description": "The currently open port connected to the ip.",
            "context": "unspecified",
            "object_refs": [
                "course-of-action--c26ae470-3387-41ad-bf04-145de8c80b99"
            ]
        },
        {
            "type": "grouping",
            "spec_version": "2.1",
            "id": "grouping--81fc1c3a-2f07-4c48-8df5-e54b2fb984f0",
            "created": "2023-07-17T06:48:00.344904Z",
            "modified": "2023-07-17T06:48:00.344904Z",
            "name": "port",
            "description":"The currently open port connected to the ip.",
            "context": "unspecified",
            "object_refs": [
                "course-of-action--c26ae470-3387-41ad-bf04-145de8c80b99"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--162e4a11-ac7f-4080-94be-eb92dcaf1b95",
            "created": "2023-07-17T06:48:00.344904Z",
            "modified": "2023-07-17T06:48:00.344904Z",
            "relationship_type": "related-to",
            "source_ref": "grouping--81fc1c3a-2f07-4c48-8df5-e54b2fb984f0",
            "target_ref": "course-of-action--f63cf4de-662c-416d-8419-9114a3999d5d"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--50f650b7-fdbb-4663-a099-680c12833a77",
            "created": "2023-07-17T06:48:00.344904Z",
            "modified": "2023-07-17T06:48:00.344904Z",
            "relationship_type": "related-to",
            "source_ref": "grouping--81fc1c3a-2f07-4c48-8df5-e54b2fb984f0",
            "target_ref": "course-of-action--99ded0bf-fc6f-44bb-997b-8cde74f8ff08"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--c26ae470-3387-41ad-bf04-145de8c80b99",
            "created": "2023-07-17T06:47:59.216869Z",
            "modified": "2023-07-17T06:47:59.216869Z",
            "name": "2000",
            "description": "There is an open port 2000 currently using Unknown/Unknown on that IP. If it's a port you're not using, stop it."
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--f63cf4de-662c-416d-8419-9114a3999d5d",
            "created": "2023-07-17T06:47:59.217872Z",
            "modified": "2023-07-17T06:47:59.217872Z",
            "name": "22",
            "description": "There is an open port 22 currently using MikroTik RouterOS sshd/Unknown on that IP. If it's a port you're not using, stop it."
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--99ded0bf-fc6f-44bb-997b-8cde74f8ff08",
            "created": "2023-07-17T06:47:59.220859Z",
            "modified": "2023-07-17T06:47:59.220859Z",
            "name": "80",
            "description": "There is an open port 80 currently using Mikrotik RouterOS/6.47.9 on that IP. If it's a port you're not using, stop it."
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--d7e4374a-46bb-4138-adbd-49bc6229f78f",
            "created": "2023-07-17T06:47:59.217872Z",
            "modified": "2023-07-17T06:47:59.217872Z",
            "relationship_type": "related-to",
            "source_ref": "course-of-action--c26ae470-3387-41ad-bf04-145de8c80b99",
            "target_ref": "software--0e43d5d6-e86c-5840-8795-7874df332b0a"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--0ee7f9f8-9aeb-4d94-98e5-41690ab2679e",
            "created": "2023-07-17T06:47:59.219861Z",
            "modified": "2023-07-17T06:47:59.219861Z",
            "relationship_type": "related-to",
            "source_ref": "course-of-action--f63cf4de-662c-416d-8419-9114a3999d5d",
            "target_ref": "tool--5d69c827-f3e9-43f7-83ec-8a0f65b3786c"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--a815a155-dc23-4a82-9b73-3e4b2ea079b5",
            "created": "2023-07-17T06:47:59.219861Z",
            "modified": "2023-07-17T06:47:59.219861Z",
            "relationship_type": "related-to",
            "source_ref": "course-of-action--f63cf4de-662c-416d-8419-9114a3999d5d",
            "target_ref": "software--b4b13641-f1a2-5bda-9c99-8ae675797d4a"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--461b7c0e-464a-4b8c-8665-b1d0070e87b4",
            "created": "2023-07-17T06:48:00.343905Z",
            "modified": "2023-07-17T06:48:00.343905Z",
            "relationship_type": "related-to",
            "source_ref": "course-of-action--99ded0bf-fc6f-44bb-997b-8cde74f8ff08",
            "target_ref": "software--e2d3e4d4-996b-578f-8c4a-61c2f7c9231c"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--97effece-ea34-4716-be00-df802673ca7a",
            "created": "2023-07-17T06:48:00.343905Z",
            "modified": "2023-07-17T06:48:00.343905Z",
            "relationship_type": "related-to",
            "source_ref": "course-of-action--99ded0bf-fc6f-44bb-997b-8cde74f8ff08",
            "target_ref": "software--86481f91-cfac-5132-a41f-1003f33d2458"
        },
        {
            "type": "software",
            "spec_version": "2.1",
            "id": "software--e2d3e4d4-996b-578f-8c4a-61c2f7c9231c",
            "name": "RouterOS router configuration page",
            "vendor": "Mikrotik RouterOS",
            "version": "6.47.9"
        },
        {
            "type": "software",
            "spec_version": "2.1",
            "id": "software--86481f91-cfac-5132-a41f-1003f33d2458",
            "name": "Switch",
            "vendor": "Mikrotik RouterOS",
            "version": "6.47.9"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--1c408db6-d2aa-472d-b71b-aa1ecd1583f6",
            "created": "2023-07-17T06:48:00.340913Z",
            "modified": "2023-07-17T06:48:00.340913Z",
            "name": "CVE-2022-45315",
            "description": "Mikrotik RouterOs before stable v7.6 was discovered to contain an out-of-bounds read in the snmp process. This vulnerability allows attackers to execute arbitrary code via a crafted packet.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2022-45315"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--099d3a88-c617-4f30-91e3-23b49774dd5a",
            "created": "2023-07-17T06:48:00.34191Z",
            "modified": "2023-07-17T06:48:00.34191Z",
            "name": "CVE-2022-45313",
            "description": "Mikrotik RouterOs before stable v7.5 was discovered to contain an out-of-bounds read in the hotspot process. This vulnerability allows attackers to execute arbitrary code via a crafted nova message.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2022-45313"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--95888b27-fdbf-467c-bf5d-344f1093b298",
            "created": "2023-07-17T06:48:00.34191Z",
            "modified": "2023-07-17T06:48:00.34191Z",
            "name": "CVE-2022-36522",
            "description": "Mikrotik RouterOs through stable v6.48.3 was discovered to contain an assertion failure in the component /advanced-tools/nova/bin/netwatch. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted packet.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2022-36522"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--9f596ebc-16ed-44c2-af51-456bf79065bc",
            "created": "2023-07-17T06:48:00.34191Z",
            "modified": "2023-07-17T06:48:00.34191Z",
            "name": "CVE-2021-41987",
            "description": "In the SCEP Server of RouterOS in certain Mikrotik products, an attacker can trigger a heap-based buffer overflow that leads to remote code execution. The attacker must know the scep_server_name value. This affects RouterOS 6.46.8, 6.47.9, and 6.47.10.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2021-41987"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--c82dfec0-1fe0-42d9-804a-d5eaf4292374",
            "created": "2023-07-17T06:48:00.34191Z",
            "modified": "2023-07-17T06:48:00.34191Z",
            "name": "CVE-2021-36614",
            "description": "Mikrotik RouterOs before stable 6.48.2 suffers from a memory corruption vulnerability in the tr069-client process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference).",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2021-36614"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--ed6cdc05-ce70-4ffc-bbc3-ee81f4439f54",
            "created": "2023-07-17T06:48:00.342907Z",
            "modified": "2023-07-17T06:48:00.342907Z",
            "name": "CVE-2021-36613",
            "description": "Mikrotik RouterOs before stable 6.48.2 suffers from a memory corruption vulnerability in the ptp process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference).",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2021-36613"
                }
            ]
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--9a07201b-eacb-431b-a525-6b89b4ce5ab7",
            "created": "2023-07-17T06:48:00.342907Z",
            "modified": "2023-07-17T06:48:00.342907Z",
            "name": "CVE-2021-27221",
            "description": "** DISPUTED ** MikroTik RouterOS 6.47.9 allows remote authenticated ftp users to create or overwrite arbitrary .rsc files via the /export command. NOTE: the vendor's position is that this is intended behavior because of how user policies work.",
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2021-27221"
                }
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--be5c2898-7ba4-4f34-9051-094d7c6476b4",
            "created": "2023-07-17T06:48:00.340913Z",
            "modified": "2023-07-17T06:48:00.340913Z",
            "relationship_type": "related-to",
            "source_ref": "software--e2d3e4d4-996b-578f-8c4a-61c2f7c9231c",
            "target_ref": "vulnerability--1c408db6-d2aa-472d-b71b-aa1ecd1583f6"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--b41f3b3c-a9cf-4a3c-899a-16215087b907",
            "created": "2023-07-17T06:48:00.34191Z",
            "modified": "2023-07-17T06:48:00.34191Z",
            "relationship_type": "related-to",
            "source_ref": "software--e2d3e4d4-996b-578f-8c4a-61c2f7c9231c",
            "target_ref": "vulnerability--099d3a88-c617-4f30-91e3-23b49774dd5a"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--72d13cf6-f8ef-40c2-837f-e73a1c6b2066",
            "created": "2023-07-17T06:48:00.34191Z",
            "modified": "2023-07-17T06:48:00.34191Z",
            "relationship_type": "related-to",
            "source_ref": "software--e2d3e4d4-996b-578f-8c4a-61c2f7c9231c",
            "target_ref": "vulnerability--95888b27-fdbf-467c-bf5d-344f1093b298"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--bdec89d9-04dc-4908-b0bd-1bebf65c27a7",
            "created": "2023-07-17T06:48:00.34191Z",
            "modified": "2023-07-17T06:48:00.34191Z",
            "relationship_type": "related-to",
            "source_ref": "software--e2d3e4d4-996b-578f-8c4a-61c2f7c9231c",
            "target_ref": "vulnerability--9f596ebc-16ed-44c2-af51-456bf79065bc"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--c3f6d4a4-c8e8-473b-b51c-419890c8af74",
            "created": "2023-07-17T06:48:00.342907Z",
            "modified": "2023-07-17T06:48:00.342907Z",
            "relationship_type": "related-to",
            "source_ref": "software--e2d3e4d4-996b-578f-8c4a-61c2f7c9231c",
            "target_ref": "vulnerability--c82dfec0-1fe0-42d9-804a-d5eaf4292374"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--9f8656b4-695b-4a20-a937-b2cbb1960ce1",
            "created": "2023-07-17T06:48:00.342907Z",
            "modified": "2023-07-17T06:48:00.342907Z",
            "relationship_type": "related-to",
            "source_ref": "software--e2d3e4d4-996b-578f-8c4a-61c2f7c9231c",
            "target_ref": "vulnerability--ed6cdc05-ce70-4ffc-bbc3-ee81f4439f54"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--199a96bf-bb1a-4cac-976c-a4fda972e315",
            "created": "2023-07-17T06:48:00.342907Z",
            "modified": "2023-07-17T06:48:00.342907Z",
            "relationship_type": "related-to",
            "source_ref": "software--e2d3e4d4-996b-578f-8c4a-61c2f7c9231c",
            "target_ref": "vulnerability--9a07201b-eacb-431b-a525-6b89b4ce5ab7"
        },
        {
            "type": "software",
            "spec_version": "2.1",
            "id": "software--0e43d5d6-e86c-5840-8795-7874df332b0a",
            "name": "Unknown",
            "vendor": "Unknown",
            "version": "Unknown"
        },
        {
            "type": "tool",
            "spec_version": "2.1",
            "id": "tool--5d69c827-f3e9-43f7-83ec-8a0f65b3786c",
            "created": "2023-07-17T06:47:59.218865Z",
            "modified": "2023-07-17T06:47:59.218865Z",
            "name": "MikroTik RouterOS sshd",
            "description": "MikroTik RouterOS sshd/Unknown",
            "tool_types": [
                "remote-access"
            ],
            "tool_version": "Unknown"
        },
        {
            "type": "software",
            "spec_version": "2.1",
            "id": "software--b4b13641-f1a2-5bda-9c99-8ae675797d4a",
            "name": "MikroTik RouterOS sshd",
            "vendor": "MikroTik RouterOS sshd",
            "version": "Unknown"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--be9a893d-53b9-482c-a9a0-b810cd87b84e",
            "created": "2023-07-17T06:48:00.345901Z",
            "modified": "2023-07-17T06:48:00.345901Z",
            "relationship_type": "related-to",
            "source_ref": "ipv4-addr--f01a9825-f1a6-5c87-8228-44b705962b36",
            "target_ref": "grouping--26b59125-6078-4a26-802f-d4218f613dc7"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--fc82707d-b4bb-4dbe-ba0c-f479f1c9c74e",
            "created": "2023-07-17T06:48:00.345901Z",
            "modified": "2023-07-17T06:48:00.345901Z",
            "relationship_type": "related-to",
            "source_ref": "ipv4-addr--f01a9825-f1a6-5c87-8228-44b705962b36",
            "target_ref": "grouping--81fc1c3a-2f07-4c48-8df5-e54b2fb984f0"
        },
        {
            "type": "ipv4-addr",
            "spec_version": "2.1",
            "id": "ipv4-addr--f01a9825-f1a6-5c87-8228-44b705962b36",
            "value": "5.160.159.255"
        }
    ]
}

As the next case, converting Criminal IP threat intelligence data for the IP address 5.160.159.255 into STIX format for STIX vulnerability analysis produces the graph shown below. Again, following the branches that fan out from the IP address, the data falls into two main groupings, Port and Location. Location is data anyone can read at a glance, so we skip it here too and look at Port.

Graph of Criminal IP IP-address threat intelligence converted to STIX for STIX vulnerability analysis

This IP address uses port 80 for a page that configures RouterOS, and the STIX graph again confirms that this page carries several vulnerabilities: RouterOS has seven. However, since no ExploitDB data is visible, we can expect that no widely circulated exploit code exists for them. Notably, port 80 has one more related-to besides RouterOS, labeled Switch. This marks RouterOS as a Switch, and it comes from analysis of Criminal IP's Tag data.

STIX analysis graph for port 22 of the IP address 5.160.159.255

Beyond that, MikroTik RouterOS can be seen on port 22, which is used for SSH, and port 2000 is used as a test daemon for this shell. Port 2000 appears to be one of the custom SSH ports; as its number suggests, it is often used as a substitute for 22.
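The walk performed by hand above (IP address → Port grouping → software and tool objects → related vulnerabilities, then a check for Exploit DB data) can be automated. The script below is an added example and is not code from the original post or from Criminal IP's repository. The bundle it parses is constructed for the example and mirrors the object types and "related-to" relationships of the export above; its ids, the documentation-range IP and AS number, and the CVE names are placeholders, and the way an Exploit DB hit is recorded (an `external_references` entry with `source_name` "exploit-db") is an assumption about the converter's output.

```python
"""Walk a STIX 2.1 bundle from an IPv4 address to the software and tools on
its ports and on to their vulnerabilities, flagging any with public exploits.

Added example, not code from the original post or from Criminal IP's
repository. All ids, names and the exploit-db marking below are constructed.
"""
import json
from collections import defaultdict

# Constructed, documentation-range placeholders (not real observations).
IP_ID = "ipv4-addr--11111111-1111-4111-8111-111111111111"
PORT_GROUP_ID = "grouping--22222222-2222-4222-8222-222222222222"
LOC_GROUP_ID = "grouping--33333333-3333-4333-8333-333333333333"
SW_ID = "software--44444444-4444-4444-8444-444444444444"
TOOL_ID = "tool--55555555-5555-4555-8555-555555555555"
VULN_A = "vulnerability--66666666-6666-4666-8666-666666666666"
VULN_B = "vulnerability--77777777-7777-4777-8777-777777777777"
AS_ID = "autonomous-system--88888888-8888-4888-8888-888888888888"


def _rel(src, dst, n):
    """Build a STIX 'related-to' relationship object with a constructed id."""
    return {
        "type": "relationship",
        "spec_version": "2.1",
        "id": f"relationship--99999999-9999-4999-8999-{n:012d}",
        "relationship_type": "related-to",
        "source_ref": src,
        "target_ref": dst,
    }


# Constructed sample bundle shaped like the Criminal IP export analysed above.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "ipv4-addr", "spec_version": "2.1", "id": IP_ID, "value": "198.51.100.7"},
        {"type": "grouping", "spec_version": "2.1", "id": PORT_GROUP_ID, "name": "Port",
         "context": "unspecified", "object_refs": [SW_ID, TOOL_ID]},
        {"type": "grouping", "spec_version": "2.1", "id": LOC_GROUP_ID, "name": "Location",
         "context": "unspecified", "object_refs": [AS_ID]},
        {"type": "autonomous-system", "spec_version": "2.1", "id": AS_ID,
         "number": 64496, "name": "Example AS (placeholder)"},
        {"type": "software", "spec_version": "2.1", "id": SW_ID,
         "name": "RouterOS", "vendor": "MikroTik", "version": "Unknown"},
        {"type": "tool", "spec_version": "2.1", "id": TOOL_ID, "name": "MikroTik RouterOS sshd",
         "tool_types": ["remote-access"], "tool_version": "Unknown"},
        {"type": "vulnerability", "spec_version": "2.1", "id": VULN_A, "name": "CVE-0000-00001",
         "external_references": [{"source_name": "cve", "external_id": "CVE-0000-00001"}]},
        {"type": "vulnerability", "spec_version": "2.1", "id": VULN_B, "name": "CVE-0000-00002",
         "external_references": [{"source_name": "cve", "external_id": "CVE-0000-00002"},
                                 {"source_name": "exploit-db", "external_id": "EDB-placeholder"}]},
        _rel(IP_ID, PORT_GROUP_ID, 1),
        _rel(IP_ID, LOC_GROUP_ID, 2),
        _rel(SW_ID, VULN_A, 3),
        _rel(SW_ID, VULN_B, 4),
    ],
})


def index_bundle(bundle_text):
    """Return (objects by id, outgoing related-to edges keyed by source id)."""
    bundle = json.loads(bundle_text)
    by_id, edges = {}, defaultdict(list)
    for obj in bundle["objects"]:
        if obj["type"] == "relationship":
            edges[obj["source_ref"]].append(obj["target_ref"])
        else:
            by_id[obj["id"]] = obj
    return by_id, edges


def has_public_exploit(vuln):
    """Assumption: an Exploit DB hit appears as an 'exploit-db' external reference."""
    return any(ref.get("source_name") == "exploit-db"
               for ref in vuln.get("external_references", []))


def summarize_ip(bundle_text, ip_value):
    """Follow IP -> groupings -> Port members -> vulnerabilities, as in the graph."""
    by_id, edges = index_bundle(bundle_text)
    ip_ids = [o["id"] for o in by_id.values()
              if o["type"] == "ipv4-addr" and o.get("value") == ip_value]
    if not ip_ids:
        raise KeyError(f"no ipv4-addr object for {ip_value}")
    summary = {"groupings": [], "software": {}, "tools": [], "public_exploit": []}
    for gid in edges[ip_ids[0]]:
        grouping = by_id.get(gid)
        if not grouping or grouping["type"] != "grouping":
            continue
        summary["groupings"].append(grouping["name"])
        if grouping["name"] != "Port":          # Location branch is skipped, as in the text
            continue
        for ref in grouping.get("object_refs", []):
            asset = by_id.get(ref)
            if asset is None:
                continue                         # dangling ref: report nothing rather than guess
            if asset["type"] == "tool":
                summary["tools"].append(asset["name"])
            elif asset["type"] == "software":
                vulns = [by_id[v] for v in edges[ref]
                         if by_id.get(v, {}).get("type") == "vulnerability"]
                summary["software"][asset["name"]] = sorted(v["name"] for v in vulns)
                summary["public_exploit"].extend(v["name"] for v in vulns if has_public_exploit(v))
    summary["groupings"].sort()
    summary["public_exploit"].sort()
    return summary


if __name__ == "__main__":
    print(json.dumps(summarize_ip(SAMPLE_BUNDLE, "198.51.100.7"), indent=2))
```

Run against a real export, the `public_exploit` list is the check the text performs by eye: an empty list corresponds to "no ExploitDB data visible", while any entry says that a vulnerability on an exposed port already has published exploit code and should be prioritised for patching.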

This concludes our look at STIX vulnerability analysis using Criminal IP's Asset Search data. There are many kinds of data we have not yet covered, so we will introduce further STIX analysis cases in the next article.


This article was written based on data from Criminal IP, the cyber threat intelligence search engine. You can run STIX vulnerability analysis by referring to the Criminal IP STIX integration cases and the official Criminal IP GitHub repository.

Related posts: