
Synapse-Vulncheck User Guide

Synapse-Vulncheck adds Storm commands for querying the Vulncheck API with your existing Vulncheck API key.

Getting Started

Check with your Admin to have the package permissions enabled for your user, and to find out whether you need to set a personal API key.

Examples

Setting your personal API key

To set a personal API key for your own user:

> vulncheck.setup.apikey --self mytoken
Setting Vulncheck API token for the current user.

Enrich a risk:vuln node

Enrich a risk:vuln node with vulncheck.enrich and yield the results. Note that risk:vuln=* creates a new node with a fresh guid every time the query runs; to enrich a node that already exists in the Cortex, lift it by its :cve property instead (as the pivot examples below do) and pipe it into vulncheck.enrich:

> [ risk:vuln=* :cve=cve-2019-3396 ] | vulncheck.enrich --yield
WARNING: The form risk:hasvuln is deprecated or using a deprecated type and will be removed in 3.0.0
risk:vuln=86bf51459a2c22dbb833ac6e469a60b2
        .created = 2024/04/25 15:30:27.046
        :cisa:kev:added = 2021/11/03 00:00:00.000
        :cisa:kev:duedate = 2022/05/03 00:00:00.000
        :cve = cve-2019-3396
        :cve:desc = The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.
        :cve:references = ['http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/confluence_macro_lfi', 'http://packetstormsecurity.com/files/152568/Atlassian-Confluence-Widget-Connector-Macro-Velocity-Template-Injection.html', 'http://packetstormsecurity.com/files/161065/Atlassian-Confluence-6.12.1-Template-Injection.html', 'http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201903-909', 'http://www.rapid7.com/db/modules/exploit/multi/http/confluence_widget_connector', 'https://0day.today/exploit/32569', 'https://0day.today/exploit/35720', 'https://advisories.checkpoint.com/defense/advisories/public/2019/cpai-2019-0506.html', 'https://bdu.fstec.ru/vul/2019-02771', 'https://blogs.juniper.net/en-us/threat-research/sysrv-botnet-expands-and-gains-persistence', 'https://cisa.gov/news-events/cybersecurity-advisories/aa20-275a', 'https://cisa.gov/news-events/cybersecurity-advisories/aa21-209a', 'https://cujo.com/the-sysrv-botnet-and-how-it-evolved/', 'https://cyber.gc.ca/en/alerts/critical-vulnerabilities-atlassian-confluence-servers', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-11-14&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-11-15&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-11-16&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-11-17&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-11-18&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-11-19&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-11-20&host_type=src&vulnerability=cve-2019-3396', 
'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-11-21&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-11-22&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-11-23&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-11-24&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-11-25&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-11-26&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-11-27&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-11-29&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-11-30&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-12-01&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-12-02&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-12-03&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-12-05&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-12-06&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-12-07&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-12-08&host_type=src&vulnerability=cve-2019-3396', 
'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-12-09&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-12-10&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-12-12&host_type=src&vulnerability=cve-2019-3396', 'https://digital.nhs.uk/cyber-alerts/2019/cc-3043', 'https://digital.nhs.uk/cyber-alerts/2021/cc-3742', 'https://digital.nhs.uk/cyber-alerts/2021/cc-3838', 'https://gitee.com/p4sschen/CVE-2019-3396_EXP', 'https://github.com/46o60/CVE-2019-3396_Confluence', 'https://github.com/PetrusViet/cve-2019-3396', 'https://github.com/Yt1g3r/CVE-2019-3396_EXP', 'https://github.com/abdallah-elsharif/cve-2019-3396', 'https://github.com/jas502n/CVE-2019-3396', 'https://github.com/x-f1v3/CVE-2019-3396', 'https://jira.atlassian.com/browse/CONFSERVER-57974', 'https://jvndb.jvn.jp/ja/contents/2019/JVNDB-2019-002816.html', 'https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF', 'https://packetstormsecurity.com/files/152568/Atlassian-Confluence-Widget-Connector-Macro-Velocity-Template-Injection.html', 'https://packetstormsecurity.com/files/161065/Atlassian-Confluence-6.12.1-Template-Injection.html', 'https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/http/cves/2019/CVE-2019-3396.yaml', 'https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/confluence_widget_connector.rb', 'https://risksense.com/wp-content/uploads/2019/09/RiskSense-Spotlight-Report-Ransomware.pdf', 'https://static.tenable.com/marketing/whitepapers/Whitepaper-Ransomware_Ecosystem.pdf', 'https://us-cert.cisa.gov/ncas/alerts/AA20-275A', 'https://us-cert.cisa.gov/ncas/alerts/aa20-275a', 'https://us-cert.cisa.gov/ncas/alerts/aa21-209a', 'https://viz.greynoise.io/tag/atlassian-confluence-template-injection-attempt', 
'https://www.alertlogic.com/blog/active-exploitation-of-confluence-vulnerability-cve-2019-3396-dropping-gandcrab-ransomware/', 'https://www.alibabacloud.com/blog/new-outbreak-of-h2miner-worms-exploiting-redis-rce-detected_595743', 'https://www.bleepingcomputer.com/news/security/new-cryptomining-malware-builds-an-army-of-windows-linux-bots/', 'https://www.bleepingcomputer.com/news/security/vulnerable-confluence-servers-get-infected-with-ransomware-trojans/', 'https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-24-PalotayZsigovits.pdf', 'https://www.cisa.gov/known-exploited-vulnerabilities-catalog', 'https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json', 'https://www.cisa.gov/uscert/ncas/alerts/aa21-209a', 'https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf', 'https://www.coresecurity.com/core-labs/exploits', 'https://www.d2sec.com/exploits/confluence_file_disclosure.html', 'https://www.exploit-db.com/exploits/46731', 'https://www.exploit-db.com/exploits/46731/', 'https://www.exploit-db.com/exploits/49465', 'https://www.krcert.or.kr//kr/bbs/view.do?searchCnd=1&bbsId=B0000133&searchWrd=&menuNo=205020&pageIndex=66&categoryCode=&nttId=35732', 'https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/', 'https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits', 'https://www.mandiant.com/resources/game-over-detecting-and-stopping-an-apt41-operation', 'https://www.tenable.com/blog/cve-2019-3396-vulnerability-in-atlassian-confluence-widget-connector-exploited-in-the-wild', 'https://www.tenable.com/plugins/nessus/123008', 'https://www.tenable.com/plugins/nessus/124004', 'https://www.trendmicro.com/en_us/research/19/e/cve-2019-3396-redux-confluence-vulnerability-exploited-to-deliver-cryptocurrency-miner-with-rootkit.html']
        :cvss:v3 = AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RC:C
        :cvss:v3_1:score = 9.8
        :cvss:v3_1:score:base = 9.8
        :cvss:v3_1:score:temporal = 9.8
        :cwes = ['CWE-22']
        :exploited = true
        :nist:nvd:published = 2019/03/25 19:29:00.000
        :reporter:name = vulncheck
        :timeline:exploited = 2019/04/23 00:00:00.000
        :timeline:published = 2019/03/25 00:00:00.000

Pivot from the vulnerability to the risk:threat nodes that use it (the uses edge points from the threat to the vulnerability, so the pivot walks it backwards):

> risk:vuln:cve=cve-2019-3396 <(uses)- risk:threat
risk:threat=a5ca35472b2f6d02040e5140279194ed
        .created = 2024/04/25 15:31:09.557
        :name = unattributed (vulncheck)
        :org:name = unattributed
        :org:names = ['unattributed']
        :reporter:name = vulncheck
risk:threat=94bddc3452ea1ca17794912192a8405a
        .created = 2024/04/25 15:31:02.780
        :name = china attribution (vulncheck)
        :org:name = china attribution
        :org:names = ['china attribution']
        :reporter:name = vulncheck
risk:threat=954177b93a2b7c30d12efc059903a053
        .created = 2024/04/25 15:30:58.933
        :name = wicked panda (vulncheck)
        :org:name = wicked panda
        :org:names = ['9c124874-042d-48cd-b72b-ccdc51ecbbd6', 'amoeba', 'apt41', 'barium', 'blackfly', 'brass typhoon', 'bronze atlas', 'bronze export', 'earth baku', 'g0044', 'g0096', 'grayfly', 'hoodoo', 'lead', 'red kelpie', 'ta415', 'vanadinite', 'wicked panda', 'wicked spider']
        :reporter:name = vulncheck
risk:threat=9c7f473b2982caac3a4bbd1d28164199
        .created = 2024/04/25 15:31:02.511
        :name = volatile cedar (vulncheck)
        :org:name = volatile cedar
        :org:names = ['cf421ce6-ddfe-419a-bc65-6a9fc953232a', 'defttorero', 'g0123', 'lebanese cedar', 'volatile cedar']
        :reporter:name = vulncheck

Pivot on to the media:news nodes that reference those threats (the refs edge points from the news article to the threat):

> risk:vuln:cve=cve-2019-3396 <(uses)- risk:threat <(refs)- media:news | limit 3
media:news=144af02196ffd74b25e25f926b131d45
        .created = 2024/04/25 15:32:06.425
        :published = 2021/12/06 00:00:00.000
        :url = https://us-cert.cisa.gov/ncas/alerts/aa21-336a
        :url:fqdn = us-cert.cisa.gov
media:news=473611a5096ecac4121e1f5416cf1a63
        .created = 2024/04/25 15:31:32.170
        :published = 2023/09/07 00:00:00.000
        :url = https://www.cisa.gov/news-events/analysis-reports/ar23-250a-0
        :url:fqdn = www.cisa.gov
media:news=93eaac49986ff4def2f3295528b079dc
        .created = 2024/04/25 15:31:30.314
        :published = 2023/06/19 00:00:00.000
        :url = https://www.surevine.com/openfire-cve-2023-32315-what-we-know/
        :url:fqdn = www.surevine.com

Ingest an index

Ingest entries from the threat-actors index:

> vulncheck.index threat-actors --yield --size 3
risk:threat=70f5f1881c45dac86d0997228f69f538
        .created = 2024/04/25 15:32:43.179
        :name = gui-vil (vulncheck)
        :org:name = gui-vil
        :org:names = ['gui-vil']
        :reporter:name = vulncheck
risk:threat=dba0e62f9025044d1d6294a1c8e7f43f
        .created = 2024/04/25 15:32:43.336
        :name = adgholas (vulncheck)
        :org:name = adgholas
        :org:names = ['adgholas']
        :reporter:name = vulncheck
risk:threat=5a88223accc6915e1f5bfab3f2393cca
        .created = 2024/04/25 15:32:43.744
        :name = animal farm (vulncheck)
        :org:name = animal farm
        :org:names = ['3b8e7462-c83f-4e7d-9511-2fe430d80aab', 'animal farm', 'atk8', 'snowglobe']
        :reporter:name = vulncheck

Create a cron job to ingest updated entries from the threat-actors index daily at 04:00:

> cron.add --name "Vulncheck Actor Feed" --hour 4 { vulncheck.index threat-actors --since-last }
Created cron job: f8505ebec6cb8df3beff5f849aed17d0

Use of meta:source nodes

Synapse-Vulncheck uses a single meta:source node, with -(seen)> lightweight edges from it to every node observed via the Vulncheck API, to track where those nodes came from.

> meta:source=b0da6266931fc852431353d76f015dda
meta:source=b0da6266931fc852431353d76f015dda
        .created = 2024/04/25 15:32:43.090
        :name = vulncheck api

Storm can filter any query on those edges to include, or exclude, nodes that Synapse-Vulncheck has observed. The following example keeps only the risk:vuln nodes that have been seen by the Vulncheck API:

> risk:vuln +{ <(seen)- meta:source=b0da6266931fc852431353d76f015dda } | limit 3
risk:vuln=2bc2f1e85af8b3112e7a5b7f21be3787
        .created = 2024/04/25 15:32:43.884
        :cve = cve-2011-4369
        :reporter:name = vulncheck
risk:vuln=7855a10585c8939d9ad5880540f240bb
        .created = 2024/04/25 15:32:43.630
        :cve = cve-2016-0162
        :reporter:name = vulncheck
risk:vuln=f9d11236c9fe0e4c9b890eb935d4b624
        .created = 2024/04/25 15:32:44.018
        :cve = cve-2014-0546
        :reporter:name = vulncheck