Synapse-Vulncheck User Guide
Synapse-Vulncheck adds Storm commands that let you query the Vulncheck API from Synapse using your existing Vulncheck API key.
Getting Started
Check with your admin that the required permissions have been enabled for your user, and find out whether you need to configure a personal API key.
Examples
Setting your personal API key
To set up a personal API key for your own user:
> vulncheck.setup.apikey --self mytoken
Setting Vulncheck API token for the current user.
Enrich risk:vuln node
Create a risk:vuln node for a CVE, enrich it with vulncheck.enrich and yield the enriched node so its properties are visible:
> [ risk:vuln=* :cve=cve-2019-3396 ] | vulncheck.enrich --yield
risk:vuln=86bf51459a2c22dbb833ac6e469a60b2
.created = 2024/12/20 18:17:52.730
:cisa:kev:added = 2021/11/03 00:00:00.000
:cisa:kev:duedate = 2022/05/03 00:00:00.000
:cve = cve-2019-3396
:cve:desc = The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.
:cve:references = ['http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/confluence_macro_lfi', 'http://packetstormsecurity.com/files/152568/Atlassian-Confluence-Widget-Connector-Macro-Velocity-Template-Injection.html', 'http://packetstormsecurity.com/files/161065/Atlassian-Confluence-6.12.1-Template-Injection.html', 'http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201903-909', 'http://www.rapid7.com/db/modules/exploit/multi/http/confluence_widget_connector', 'https://0day.today/exploit/32569', 'https://0day.today/exploit/35720', 'https://advisories.checkpoint.com/defense/advisories/public/2019/cpai-2019-0506.html', 'https://bdu.fstec.ru/vul/2019-02771', 'https://blogs.juniper.net/en-us/threat-research/sysrv-botnet-expands-and-gains-persistence', 'https://cisa.gov/news-events/cybersecurity-advisories/aa20-275a', 'https://cisa.gov/news-events/cybersecurity-advisories/aa21-209a', 'https://cujo.com/the-sysrv-botnet-and-how-it-evolved/', 'https://cyber.gc.ca/en/alerts/critical-vulnerabilities-atlassian-confluence-servers', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-11-14&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-11-15&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-11-16&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-11-17&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-11-18&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-11-19&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-11-20&host_type=src&vulnerability=cve-2019-3396', 
'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-11-21&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-11-22&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-11-23&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-11-24&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-11-25&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-11-26&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-11-27&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-11-29&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-11-30&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-12-01&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-12-02&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-12-03&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-12-05&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-12-06&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-12-07&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-12-08&host_type=src&vulnerability=cve-2019-3396', 
'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-12-09&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-12-10&host_type=src&vulnerability=cve-2019-3396', 'https://dashboard.shadowserver.org/statistics/honeypot/map/?day=2023-12-12&host_type=src&vulnerability=cve-2019-3396', 'https://digital.nhs.uk/cyber-alerts/2019/cc-3043', 'https://digital.nhs.uk/cyber-alerts/2021/cc-3742', 'https://digital.nhs.uk/cyber-alerts/2021/cc-3838', 'https://gitee.com/p4sschen/CVE-2019-3396_EXP', 'https://github.com/46o60/CVE-2019-3396_Confluence', 'https://github.com/PetrusViet/cve-2019-3396', 'https://github.com/Yt1g3r/CVE-2019-3396_EXP', 'https://github.com/abdallah-elsharif/cve-2019-3396', 'https://github.com/jas502n/CVE-2019-3396', 'https://github.com/x-f1v3/CVE-2019-3396', 'https://jira.atlassian.com/browse/CONFSERVER-57974', 'https://jvndb.jvn.jp/ja/contents/2019/JVNDB-2019-002816.html', 'https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF', 'https://packetstormsecurity.com/files/152568/Atlassian-Confluence-Widget-Connector-Macro-Velocity-Template-Injection.html', 'https://packetstormsecurity.com/files/161065/Atlassian-Confluence-6.12.1-Template-Injection.html', 'https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/http/cves/2019/CVE-2019-3396.yaml', 'https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/confluence_widget_connector.rb', 'https://risksense.com/wp-content/uploads/2019/09/RiskSense-Spotlight-Report-Ransomware.pdf', 'https://static.tenable.com/marketing/whitepapers/Whitepaper-Ransomware_Ecosystem.pdf', 'https://us-cert.cisa.gov/ncas/alerts/AA20-275A', 'https://us-cert.cisa.gov/ncas/alerts/aa20-275a', 'https://us-cert.cisa.gov/ncas/alerts/aa21-209a', 'https://viz.greynoise.io/tag/atlassian-confluence-template-injection-attempt', 
'https://www.alertlogic.com/blog/active-exploitation-of-confluence-vulnerability-cve-2019-3396-dropping-gandcrab-ransomware/', 'https://www.alibabacloud.com/blog/new-outbreak-of-h2miner-worms-exploiting-redis-rce-detected_595743', 'https://www.bleepingcomputer.com/news/security/new-cryptomining-malware-builds-an-army-of-windows-linux-bots/', 'https://www.bleepingcomputer.com/news/security/vulnerable-confluence-servers-get-infected-with-ransomware-trojans/', 'https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-24-PalotayZsigovits.pdf', 'https://www.cisa.gov/known-exploited-vulnerabilities-catalog', 'https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json', 'https://www.cisa.gov/uscert/ncas/alerts/aa21-209a', 'https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf', 'https://www.coresecurity.com/core-labs/exploits', 'https://www.d2sec.com/exploits/confluence_file_disclosure.html', 'https://www.exploit-db.com/exploits/46731', 'https://www.exploit-db.com/exploits/46731/', 'https://www.exploit-db.com/exploits/49465', 'https://www.krcert.or.kr//kr/bbs/view.do?searchCnd=1&bbsId=B0000133&searchWrd=&menuNo=205020&pageIndex=66&categoryCode=&nttId=35732', 'https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/', 'https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits', 'https://www.mandiant.com/resources/game-over-detecting-and-stopping-an-apt41-operation', 'https://www.tenable.com/blog/cve-2019-3396-vulnerability-in-atlassian-confluence-widget-connector-exploited-in-the-wild', 'https://www.tenable.com/plugins/nessus/123008', 'https://www.tenable.com/plugins/nessus/124004', 'https://www.trendmicro.com/en_us/research/19/e/cve-2019-3396-redux-confluence-vulnerability-exploited-to-deliver-cryptocurrency-miner-with-rootkit.html']
:cvss:v3 = AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RC:C
:cvss:v3_1:score = 9.8
:cvss:v3_1:score:base = 9.8
:cvss:v3_1:score:temporal = 9.8
:cwes = ['CWE-22']
:exploited = true
:nist:nvd:published = 2019/03/25 19:29:00.000
:reporter:name = vulncheck
:timeline:exploited = 2019/04/23 00:00:00.000
:timeline:published = 2019/03/25 00:00:00.000
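As an added example (this query is not part of the Synapse-Vulncheck package or its documentation), the following Storm pipeline enriches every risk:vuln node that carries a CVE in one pass and then uses the properties vulncheck.enrich populates above (:exploited, :cisa:kev:added, :cvss:v3_1:score:base, :timeline:exploited, :cisa:kev:duedate) to keep only exploited, KEV-listed, critical-severity vulnerabilities and tag them for triage. The tag name #triage.kev and the 9.0 score threshold are assumptions chosen for the example.

```storm
// Added example, not part of the Synapse-Vulncheck package.
// Lift every risk:vuln node that has a :cve, enrich it through the Vulncheck
// API and yield the enriched nodes back into the pipeline.
risk:vuln:cve
| vulncheck.enrich --yield
// Keep only vulnerabilities Vulncheck reports as exploited in the wild ...
| +:exploited=true
// ... that CISA has added to the KEV catalog (the property is set) ...
| +:cisa:kev:added
// ... and whose CVSS v3.1 base score is critical (9.0 threshold is an assumption).
| +:cvss:v3_1:score:base>=9.0
// Tag the survivors so analysts can find them later (tag name is an assumption).
| [ +#triage.kev ]
// One-line summary per node, built from properties the enrichment populated.
| $lib.print("{cve}: exploited since {first}, KEV remediation due {due}",
             cve=:cve, first=:timeline:exploited, due=:cisa:kev:duedate)
```

Because vulncheck.enrich is called once per inbound node, restrict the initial lift (for example to a tag or a time window) before running this against a large Cortex.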
Pivot across the uses light edge to the risk:threat nodes which use the CVE:
> risk:vuln:cve=cve-2019-3396 <(uses)- risk:threat
risk:threat=9f9eae5ad6ff25127eebe4addf59f73b
.created = 2024/12/20 18:18:29.934
:name = china attribution (vulncheck)
:org:name = china attribution
:org:names = ['china attribution']
:reporter:name = vulncheck
risk:threat=fab048f3b7b6303cb8c027b66df9299d
.created = 2024/12/20 18:18:29.659
:name = volatile cedar (vulncheck)
:org:name = volatile cedar
:org:names = ['cf421ce6-ddfe-419a-bc65-6a9fc953232a', 'defttorero', 'g0123', 'lebanese cedar', 'volatile cedar']
:reporter:name = vulncheck
risk:threat=cbc7f6ad374dee17009e702fc1695ae8
.created = 2024/12/20 18:18:26.006
:name = wicked panda (vulncheck)
:org:name = wicked panda
:org:names = ['9c124874-042d-48cd-b72b-ccdc51ecbbd6', 'amoeba', 'apt41', 'barium', 'blackfly', 'brass typhoon', 'bronze atlas', 'bronze export', 'earth baku', 'g0044', 'g0096', 'grayfly', 'hoodoo', 'lead', 'red kelpie', 'ta415', 'vanadinite', 'wicked panda', 'wicked spider']
:reporter:name = vulncheck
risk:threat=87ba8fd767605c687a0b3a35ca9ac110
.created = 2024/12/20 18:18:36.909
:name = unattributed (vulncheck)
:org:name = unattributed
:org:names = ['unattributed']
:reporter:name = vulncheck
Pivot across the refs light edge to media:news nodes which reference threats that use the CVE, limited here to three results:
> risk:vuln:cve=cve-2019-3396 <(uses)- risk:threat <(refs)- media:news | limit 3
media:news=f787a3fe274d0f003195a232f5daedab
.created = 2024/12/20 18:18:34.259
:published = 2022/11/07 00:00:00.000
:url = https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE5bUvv
:url:fqdn = query.prod.cms.rt.microsoft.com
media:news=51b8464adc929d800316afb6f576682c
.created = 2024/12/20 18:18:35.057
:published = 2023/06/02 00:00:00.000
:url = https://blog.eclecticiq.com/chinese-threat-actor-used-modified-cobalt-strike-variant-to-attack-taiwanese-critical-infrastructure
:url:fqdn = blog.eclecticiq.com
media:news=9e38aa4195a3d8b5fc4cd274c147ac97
.created = 2024/12/20 18:18:34.337
:published = 2022/11/25 00:00:00.000
:url = https://www.cyfirma.com/blogs/windows-internet-key-exchange-ike-remote-code-execution-vulnerability-analysis/
:url:fqdn = www.cyfirma.com
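The two pivots above walk one hop each. As an added example (not a query from the Synapse-Vulncheck documentation), the following Storm query starts from the same CVE, walks the uses edges back out from each linked risk:threat, and collects every CVE Vulncheck records that threat as using, which is the question an analyst usually asks next: what else does this actor exploit? The output format string is an assumption for the example.

```storm
// Added example, not part of the Synapse-Vulncheck package.
// Start from the CVE and pivot to the threats Vulncheck links to it.
risk:vuln:cve=cve-2019-3396 <(uses)- risk:threat
// Fresh set per threat node: the assignment runs once for each inbound node.
| $cves = $lib.set()
// Subquery: walk back out over all uses edges of this threat and collect :cve.
// A { } subquery does not change which node continues down the pipeline.
| { -(uses)> risk:vuln +:cve $cves.add(:cve) }
// Report per threat, using the Vulncheck-populated :name property.
| $lib.print("{name}: {count} CVE(s) recorded by Vulncheck: {cves}",
             name=:name, count=$cves.size(), cves=$cves.list())
```

Swap the lift on the first line for a tag or a list of CVEs to profile several vulnerabilities at once; the per-node set keeps each threat's CVEs separate.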
Ingest an index
Ingest entries from the threat-actors index and yield the resulting nodes (limited here to three entries with --size 3):
> vulncheck.index threat-actors --yield --size 3
risk:threat=e77495b75e7f0d2f3a2e5ba2c09156c1
.created = 2024/12/20 18:20:13.954
:name = gui-vil (vulncheck)
:org:name = gui-vil
:org:names = ['gui-vil']
:reporter:name = vulncheck
risk:threat=f7ec522e8203191d3cca880056083e3b
.created = 2024/12/20 18:20:14.116
:name = adgholas (vulncheck)
:org:name = adgholas
:org:names = ['adgholas']
:reporter:name = vulncheck
risk:threat=1e381074a3eb46d3c44252d2ee36d8ef
.created = 2024/12/20 18:20:14.537
:name = animal farm (vulncheck)
:org:name = animal farm
:org:names = ['3b8e7462-c83f-4e7d-9511-2fe430d80aab', 'animal farm', 'atk8', 'snowglobe']
:reporter:name = vulncheck
Create a cron job that runs daily at 04:00 (--hour 4) and ingests only entries from the threat-actors index that changed since the previous run (--since-last):
> cron.add --name "Vulncheck Actor Feed" --hour 4 { vulncheck.index threat-actors --since-last }
Created cron job: e6cb7472be417ac098157aa9f890197f
Use of meta:source nodes
Synapse-Vulncheck uses a meta:source node and -(seen)> lightweight edges to track nodes observed from the Vulncheck API.
> meta:source=b0da6266931fc852431353d76f015dda
meta:source=b0da6266931fc852431353d76f015dda
.created = 2024/12/20 18:20:13.862
:name = vulncheck api
Storm subquery filters (+{ } to include, -{ } to exclude) can restrict any query to nodes that have, or have not, been observed by Synapse-Vulncheck. The following example keeps only risk:vuln nodes that have a seen edge from the Vulncheck meta:source node:
> risk:vuln +{ <(seen)- meta:source=b0da6266931fc852431353d76f015dda } | limit 3
risk:vuln=2bc2f1e85af8b3112e7a5b7f21be3787
.created = 2024/12/20 18:20:14.681
:cve = cve-2011-4369
:reporter:name = vulncheck
risk:vuln=7855a10585c8939d9ad5880540f240bb
.created = 2024/12/20 18:20:14.420
:cve = cve-2016-0162
:reporter:name = vulncheck
risk:vuln=f9d11236c9fe0e4c9b890eb935d4b624
.created = 2024/12/20 18:20:14.823
:cve = cve-2014-0546
:reporter:name = vulncheck
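The seen edges also work in the other direction: starting at the meta:source node and walking outward gives an inventory of everything Synapse-Vulncheck has written to the Cortex. As an added example (not a query from the Synapse-Vulncheck documentation), the following Storm query lifts the meta:source node by its :name rather than by the guid value shown above, walks the seen edges to nodes of any form, and tallies them by form. It assumes the :name value "vulncheck api" shown above is stable for the package.

```storm
// Added example, not part of the Synapse-Vulncheck package.
// Counter keyed by form name.
$tally = $lib.stats.tally()
// Lift the Vulncheck meta:source by :name (assumes "vulncheck api" is stable)
// instead of hard-coding its guid.
| meta:source:name="vulncheck api"
// Walk the seen light edges outward to nodes of any form.
-(seen)> *
// Count one per node, keyed by its form.
| $tally.inc($node.form())
// Drop the nodes from the pipeline; only the counters are needed from here on.
| spin
// Runtsafe statements after spin execute once, with no inbound nodes.
| for ($form, $count) in $tally {
    $lib.print("{form}: {count} node(s) seen from the Vulncheck API",
               form=$form, count=$count)
}
```

To list rather than count, replace the tally and spin with a plain `-(seen)> risk:vuln` (or any other form) and let the nodes flow out; to find nodes the API has not touched, use the -{ <(seen)- meta:source:name="vulncheck api" } exclusion form of the filter shown above.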