{ "Event": { "analysis": "1", "date": "2024-07-10", "extends_uuid": "", "info": "[Threat Intel] Patch or Peril: A Veeam vulnerability incident", "protected": false, "publish_timestamp": "1780042077", "published": true, "threat_level_id": "2", "timestamp": "1780042076", "uuid": "7e4ee64e-fd50-4eae-ad50-abe0022f5401", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#120044", "local": false, "name": "rectifyq:sub-category=\"intrusion-analysis\"", "relationship_type": "" }, { "colour": "#f1dfed", "local": false, "name": "rectifyq:TA-category=\"Ransomware\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#dd2e44", "local": false, "name": "rectifyq:MY-relevancy=\"relevant\"", "relationship_type": "" }, { "colour": "#a9150c", "local": false, "name": "misp-galaxy:producer=\"Group-IB\"", "relationship_type": "" }, { "colour": "#15ccfd", "local": false, "name": "misp-galaxy:target-information=\"France\"", "relationship_type": "" }, { "colour": "#e459c3", "local": false, "name": "misp-galaxy:target-information=\"Hong Kong\"", "relationship_type": "" }, { "colour": "#915448", "local": false, "name": "misp-galaxy:target-information=\"Malaysia\"", "relationship_type": "" }, { "colour": "#a24b57", "local": false, "name": "misp-galaxy:target-information=\"United Arab Emirates\"", "relationship_type": "" }, { "colour": "#b8ab01", "local": false, "name": "misp-galaxy:target-information=\"United States\"", "relationship_type": "" }, { "colour": "#40bedd", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Clear Windows Event Logs - T1070.001\"", "relationship_type": "" }, { "colour": "#a9bb6d", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Password Stores - T1555\"", "relationship_type": "" }, { "colour": "#36d931", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Data Encrypted for Impact - T1486\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Domain Account - T1087.002\"", "relationship_type": "" }, { "colour": "#7773ac", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"External Remote Services - T1133\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"", "relationship_type": "" }, { "colour": "#ecc598", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Local Account - T1136.001\"", "relationship_type": "" }, { "colour": "#47d9d3", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"", "relationship_type": "" }, { "colour": "#f07d7c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Non-Standard Port - T1571\"", "relationship_type": "" }, { "colour": "#370063", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"SQL Stored Procedures - T1505.001\"", "relationship_type": "" }, { "colour": "#705cef", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053.005\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Service Execution - T1569.002\"", "relationship_type": "" }, { "colour": "#59699c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"", "relationship_type": "" }, { "colour": "#92e858", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1770874914", "to_ids": false, "type": "link", "uuid": "bce572b5-09b6-415c-ada7-d10b1112fcfd", "value": "https://www.group-ib.com/blog/estate-ransomware/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1770874976", "to_ids": false, "type": "vulnerability", "uuid": "8577378a-1d1b-4d8f-876d-9e9c62a2b5c1", "value": "CVE-2023-27532" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1780042073", "to_ids": true, "type": "ip-dst", "uuid": "723d3dfd-5c56-45de-a461-27b5e9e57bb6", "value": "149.28.106.252", "Tag": [ { "colour": "#133012", "local": false, "name": "asn:asn=\"20473\"", "relationship_type": "" }, { "colour": "#650025", "local": false, "name": "asn:as-owner=\"AS-VULTR\"", "relationship_type": "" }, { "colour": "#d16c37", "local": false, "name": "asn:as-country=\"US\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:country=\"united states of america\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1780042075", "to_ids": true, "type": "ip-dst", "uuid": "9d6ab115-6192-46e9-b939-922496112433", "value": "149.28.99.61", "Tag": [ { "colour": "#133012", "local": false, "name": "asn:asn=\"20473\"", "relationship_type": "" }, { "colour": "#650025", "local": false, "name": "asn:as-owner=\"AS-VULTR\"", "relationship_type": "" }, { "colour": "#d16c37", "local": false, "name": "asn:as-country=\"US\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:country=\"united states of america\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1780042076", "to_ids": true, "type": "ip-dst", "uuid": "e1ff6d73-9e45-4142-82ed-7292044443f2", "value": "45.76.232.205", "Tag": [ { "colour": "#133012", "local": false, "name": "asn:asn=\"20473\"", "relationship_type": "" }, { "colour": "#650025", "local": false, "name": "asn:as-owner=\"AS-VULTR\"", "relationship_type": "" }, { "colour": "#d16c37", "local": false, "name": "asn:as-country=\"US\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:country=\"united states of america\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "C2 connection from Svchost.exe during the incident", "deleted": false, "disable_correlation": false, "timestamp": "1770875170", "to_ids": true, "type": "ip-dst|port", "uuid": "f99c9a7a-da36-4990-8ab0-59bca1935cc0", "value": "77.238.245.11|30001" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1770875170", "to_ids": true, "type": "sha1", "uuid": "8bd20cdb-e41d-47db-9487-a25ed9524c4a", "value": "cb704d2e8df80fd3500a5b817966dc262d80ddb8" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1770875170", "to_ids": true, "type": "sha1", "uuid": "bb887284-2324-446e-83ab-e0a1bbf4383b", "value": "2c56e9beea9f0801e0110a7dc5549b4fa0661362" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1770875170", "to_ids": true, "type": "sha1", "uuid": "492812da-7446-4b66-be77-e3adb208e984", "value": "5e460a517f0579b831b09ec99ef158ac0dd3d4fa" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1770875170", "to_ids": true, "type": "sha1", "uuid": "69399a7f-99d0-4f32-add2-cf08a6cb6b60", "value": "107ec3a7ed7ad908774ad18e3e03d4b999d4690c" }, { "category": "Other", "comment": "diamond-model", "deleted": false, "disable_correlation": false, "timestamp": "1770875317", "to_ids": false, "type": "comment", "uuid": "0988b2a4-2c5b-444c-9563-338920784a41", "value": "https://raw.githubusercontent.com/rectifyq/Collections/refs/heads/main/Diamond-Models/2024/240710-Estate-Ransomware/43.png" }, { "category": "Other", "comment": "diamond-model", "deleted": false, "disable_correlation": false, "timestamp": "1770875317", "to_ids": false, "type": "comment", "uuid": "a9db596e-f5a2-4d34-9223-e7507d2c1f54", "value": "https://raw.githubusercontent.com/rectifyq/Collections/refs/heads/main/Diamond-Models/2024/240710-Estate-Ransomware/44.png" }, { "category": "Other", "comment": "diamond-model", "deleted": false, "disable_correlation": false, "timestamp": "1770875317", "to_ids": false, "type": "comment", "uuid": "1490a19a-f4f8-4d98-bb13-50aa9d0fe5c8", "value": "https://raw.githubusercontent.com/rectifyq/Collections/refs/heads/main/Diamond-Models/2024/240710-Estate-Ransomware/45.png" } ] } }