
[
{
"TenantId": "93fc153b-9eb9-4c04-9e00-b9bbdcb4ae32",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-12-10T15:37:45.959Z",
"Computer": "",
"RawData": "",
"id_s": "36028",
"host_s": "sd7.domain-78.com",
"Category": "DNS",
"title_s": "Fix DNS issue: The domain is resolved to reserved IP.",
"urgency_d": 8,
"is_open_b": true,
"impact_s": "The use of reserved IPs might expose private information and open opportunities for hackers.",
"summary_s": "The domain sd7.domain-78.com is resolved to reserved IP Address",
"solution_s": "Avoid using reserved IPs in public DNS records.",
"description_s": "DNS is the basis for every online communication; misconfiguration issues might expose the organization to critical security risks.\nReserved IPs are IP addresses that were defined for a specific purpose (e.g., localhost, private networks, broadcast) and cannot be used as public IPs. The IP addresses of the domain are reserved. xx.xx.xx.xx is a reserved IP of type \"loopback (local) addresses\"; having IPs of this type in a public DNS record might expose users of this domain to attacks (e.g., information leakage to programs that run on the same machine). ",
"technical_details_s": "{}",
"opening_datetime_t": "2020-12-10T15:26:45.49Z",
"Type": "CyberpionActionItems_CL",
"_ResourceId": ""
},
{
"TenantId": "93fc153b-9eb9-4c04-9e00-b9bbdcb4ae32",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-12-10T15:37:45.959Z",
"Computer": "",
"RawData": "",
"id_s": "35985",
"host_s": "sd2.domain-14.com",
"Category": "Cloud",
"title_s": "Fix Cloud issue: Azure Cloud Service without ip",
"urgency_d": 5,
"is_open_b": true,
"impact_s": "1) The cloud instance does not work properly. Relying on inactive cloud instances is dangerous, as inactive cloud instances might not be properly maintained and might be taken over or abused by hackers.\n2) The error message that is returned due to the cloud misconfiguration publicly indicates misconfiguration and lack of maintenance.\n3) The current state of the cloud might indicate that it is already controlled by hackers, or could be controlled by them.",
"summary_s": "The domain sd2.domain-14.com Azure Cloud Service (Cloudapp) instance points at 0.0.0.0 IP address.",
"solution_s": "Fix cloudapp configurations if you control it, else remove the cname record from the domain to cloudapp.",
"description_s": "The domain operates over an Azure Cloud Service (Cloudapp) instance that has no IP address (this might indicate misconfiguration and the possibility of taking over the Cloudapp instance).",
"technical_details_s": "{}",
"opening_datetime_t": "2020-12-10T15:26:45.302Z",
"Type": "CyberpionActionItems_CL",
"_ResourceId": ""
},
{
"TenantId": "93fc153b-9eb9-4c04-9e00-b9bbdcb4ae32",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-12-10T15:37:45.959Z",
"Computer": "",
"RawData": "",
"id_s": "35976",
"host_s": "sd2.domain-589.com",
"Category": "Vulnerabilities",
"title_s": "Dangerous script inclusion (Magecart)",
"urgency_d": 9,
"is_open_b": true,
"impact_s": "",
"summary_s": " The domain sd2.domain-589.com loads script files from sd1.ext-domain-1451.com that is a cloud instance that can be taken over",
"solution_s": "Discard the dangerous connection: do not load resources from insecure domains.",
"description_s": "Websites can load scripts from other domains, and those scripts run under the origin of the loading website. An attacker who either compromises the website/server from which the script is loaded or otherwise succeeds in controlling the loaded script can also run script in the context of (under the origin of) every website that loads this script. For the website that loads the malicious script, the effect of such an attack is the same as cross-site scripting. Hence, it is very important to make sure that scripts are loaded only from well-secured websites.\nThe domain sd1.ext-domain-1451.com operates over a cloud instance that can be taken over.",
"technical_details_s": "[\"Loading page url: https://sd2.domain-589.com/agegate?destination=/&token=0.050275731580862404\", \"Resource url: https://sd1.ext-domain-1451.com/onetrust/webcore-ot-sdk.min.js\", \"Request redirection chain: -\"]",
"opening_datetime_t": "2020-12-10T15:26:45.265Z",
"Type": "CyberpionActionItems_CL",
"_ResourceId": ""
},
{
"TenantId": "93fc153b-9eb9-4c04-9e00-b9bbdcb4ae32",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-12-10T15:37:45.959Z",
"Computer": "",
"RawData": "",
"id_s": "35860",
"host_s": "sd3.domain-159.com",
"Category": "Vulnerabilities",
"title_s": "Domain takeover due to bad Heroku configuration",
"urgency_d": 10,
"is_open_b": true,
"impact_s": "",
"summary_s": " Attacker can take over domain sd3.domain-159.com due to bad Heroku configuration (domain takeover).",
"solution_s": "Either make sure that there is a mapping from your domain to your Heroku application, or remove the DNS records that point the domain to Heroku.",
"description_s": "Heroku is a cloud platform that lets companies build, deliver, monitor and scale applications. Heroku holds a map from host values to the application instance, and responds accordingly. While the DNS records of the domain sd3.domain-159.com point at Heroku, no mapping is configured between the domain and the application. Hence, it is possible for any Heroku user to create such a mapping and to hijack the domain. \nAttacker who takes over this domain can: (1) Run script in the scope of this domain (persistent XSS), (2) Access web requests that are sent to this domain, (3) Bypass security mechanisms that verify that the request was sent from some subdomain (e.g., CSP, CORS, blocking CSRF by referer/origin validation), (4) Access cookies that are shared between subdomains (e.g., *.domain.com), (5) Conduct phishing attacks from domain of the organization, (6) Perform any other malicious activity under this subdomain and hurt the reputation of organization, (7) Cause public embarrassment (e.g., \"Hacked by ISIS\").",
"technical_details_s": "[\"A records: xx.xx.xx.xx, yy.yy.yy.yy, zz.zz.zz.zz\", \"CNAME chain (if any): sd3.domain-159.com->sd1.ext-domain-964.com->sd2.ext-domain-964.com\"]",
"opening_datetime_t": "2020-12-10T15:26:44.782Z",
"Type": "CyberpionActionItems_CL",
"_ResourceId": ""
},
{
"TenantId": "93fc153b-9eb9-4c04-9e00-b9bbdcb4ae32",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-12-10T15:37:45.964Z",
"Computer": "",
"RawData": "",
"id_s": "35859",
"host_s": "sd619.domain-2.com",
"Category": "Vulnerabilities",
"title_s": "Login only over HTTP (credentials are sent in plaintext)",
"urgency_d": 7,
"is_open_b": true,
"impact_s": "",
"summary_s": " Login page can be loaded only over HTTP",
"solution_s": "Load login pages only over HTTPS. Consider using HTTP Strict-Transport-Security (HSTS).",
"description_s": "The login page in url http://sd619.domain-2.com/#/login can be loaded only using HTTP, while login pages should be loaded only using HTTPS. Pages that are delivered over HTTP are vulnerable to network level, off-path, injection attacks. Such attacks are easy to launch over Wi-Fi networks. By abusing advanced browser features (e.g., application cache), attacker can control the page even in future sessions with the vulnerable website in the same browser (persistency).",
"technical_details_s": "[\"Vulnerable url: http://sd619.domain-2.com/#/login\"]",
"opening_datetime_t": "2020-12-10T15:26:44.777Z",
"Type": "CyberpionActionItems_CL",
"_ResourceId": ""
},
{
"TenantId": "93fc153b-9eb9-4c04-9e00-b9bbdcb4ae32",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-12-10T15:37:45.964Z",
"Computer": "",
"RawData": "",
"id_s": "35683",
"host_s": "domain-640.com",
"Category": "Vulnerabilities",
"title_s": "Vulnerable application: Apache version 2.4.43",
"urgency_d": 4.9,
"is_open_b": true,
"impact_s": "",
"summary_s": " domain-640.com uses vulnerable software. Apache version 2.4.43 has 3 known vulnerabilities.",
"solution_s": "Upgrade/replace the vulnerable software",
"description_s": "The domain uses application that suffers from several known vulnerabilities: CVE-2020-11984 (CVSS 9.8), CVE-2020-9490 (CVSS 7.5), CVE-2020-11993 (CVSS 7.5)",
"technical_details_s": "[\"Detected on url: http://domain-640.com/\"]",
"opening_datetime_t": "2020-12-10T15:26:44.056Z",
"Type": "CyberpionActionItems_CL",
"_ResourceId": ""
},
{
"TenantId": "93fc153b-9eb9-4c04-9e00-b9bbdcb4ae32",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-12-10T15:37:45.969Z",
"Computer": "",
"RawData": "",
"id_s": "35872",
"host_s": "sd2.domain-98.com",
"Category": "Vulnerabilities",
"title_s": "Login over HTTP is possible",
"urgency_d": 4,
"is_open_b": true,
"impact_s": "",
"summary_s": " Login page can be loaded over HTTP",
"solution_s": "Load login pages only over HTTPS. Consider using HTTP Strict-Transport-Security (HSTS).",
"description_s": "The login page in url http://sd2.domain-98.com/media/ can be loaded using HTTP, while login pages should be loaded only using HTTPS. Pages that are delivered over HTTP are vulnerable to network level, off-path, injection attacks. Such attacks are easy to launch over Wi-Fi networks. By abusing advanced browser features (e.g., application cache), attacker can control the page even in future sessions with the vulnerable website in the same browser (persistency).",
"technical_details_s": "[\"Vulnerable url: http://sd2.domain-98.com/media/\"]",
"opening_datetime_t": "2020-12-10T15:26:44.83Z",
"Type": "CyberpionActionItems_CL",
"_ResourceId": ""
},
{
"TenantId": "93fc153b-9eb9-4c04-9e00-b9bbdcb4ae32",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-12-10T15:37:45.969Z",
"Computer": "",
"RawData": "",
"id_s": "35044",
"host_s": "sd5.domain-375.com",
"Category": "PKI",
"title_s": "Fix PKI issue: Certificate will expire within 7 days",
"urgency_d": 8,
"is_open_b": true,
"impact_s": "1) Establishing secure HTTPS connection with the host will not be possible.\n2) Access to the host over secure channel (HTTPS) using common clients (e.g., browsers) will be blocked, and security warning will be presented to the users.",
"summary_s": "The domain sd5.domain-375.com uses certificate that will expire within a week",
"solution_s": "Issue a new certificate for the domain",
"description_s": "Certificates are used to authenticate identities in online communications. A certificate must be both valid (format, cryptographic schemes, etc.) and issued by a trusted certificate authority (CA). The certificate of the domain is about to become invalid, because it will expire within 7 days.",
"technical_details_s": "{\"Expiration date\": \"2020-11-23\"}",
"opening_datetime_t": "2020-12-10T15:26:41.591Z",
"Type": "CyberpionActionItems_CL",
"_ResourceId": ""
},
{
"TenantId": "93fc153b-9eb9-4c04-9e00-b9bbdcb4ae32",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-12-10T15:37:45.969Z",
"Computer": "",
"RawData": "",
"id_s": "35043",
"host_s": "sd483.domain-2.com",
"Category": "PKI",
"title_s": "Fix PKI issue: Certificate will expire within 30 days",
"urgency_d": 7,
"is_open_b": true,
"impact_s": "1) Establishing secure HTTPS connection with the host will not be possible.\n2) Access to the host over secure channel (HTTPS) using common clients (e.g., browsers) will be blocked, and security warning will be presented to the users.",
"summary_s": "The domain sd483.domain-2.com uses certificate that will expire within a month",
"solution_s": "Issue a new certificate for the domain",
"description_s": "Certificates are used to authenticate identities in online communications. A certificate must be both valid (format, cryptographic schemes, etc.) and issued by a trusted certificate authority (CA). The certificate of the domain is about to become invalid, because it will expire within 30 days.",
"technical_details_s": "{\"Expiration date\": \"2020-12-08\"}",
"opening_datetime_t": "2020-12-10T15:26:41.587Z",
"Type": "CyberpionActionItems_CL",
"_ResourceId": ""
},
{
"TenantId": "93fc153b-9eb9-4c04-9e00-b9bbdcb4ae32",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-12-10T15:37:45.969Z",
"Computer": "",
"RawData": "",
"id_s": "35627",
"host_s": "sd1.domain-675.com",
"Category": "Vulnerabilities",
"title_s": "Vulnerable application: PHP version 5.2.17",
"urgency_d": 5,
"is_open_b": true,
"impact_s": "",
"summary_s": " sd1.domain-675.com uses vulnerable software. PHP version 5.2.17 has 45 known vulnerabilities.",
"solution_s": "Upgrade/replace the vulnerable software",
"description_s": "The domain uses application that suffers from several known vulnerabilities: CVE-2012-2311 (CVSS 7.5), CVE-2010-3870 (CVSS 6.8), CVE-2012-1171 (CVSS 5.0), CVE-2014-9427 (CVSS 7.5), CVE-2018-19396 (CVSS 7.5), CVE-2014-5459 (CVSS 3.6), CVE-2010-4657 (CVSS 5.0), CVE-2012-2376 (CVSS 10.0), CVE-2012-0789 (CVSS 5.0), CVE-2012-2143 (CVSS 4.3), CVE-2018-19395 (CVSS 7.5), CVE-2012-2336 (CVSS 5.0), CVE-2012-0788 (CVSS 5.0), CVE-2015-8994 (CVSS 7.5), CVE-2011-4885 (CVSS 5.0), CVE-2014-0237 (CVSS 5.0), CVE-2018-19520 (CVSS 8.8), CVE-2013-2110 (CVSS 5.0), CVE-2011-0421 (CVSS 4.3), CVE-2013-1643 (CVSS 5.0), CVE-2013-1635 (CVSS 7.5), CVE-2011-1092 (CVSS 7.5), CVE-2011-1467 (CVSS 5.0), CVE-2011-1464 (CVSS 4.3), CVE-2011-1466 (CVSS 5.0), CVE-2012-0057 (CVSS 6.4), CVE-2018-19935 (CVSS 7.5), CVE-2011-1468 (CVSS 4.3), CVE-2012-2688 (CVSS 10.0), CVE-2011-0708 (CVSS 4.3), CVE-2013-4635 (CVSS 5.0), CVE-2012-3365 (CVSS 5.0), CVE-2011-4718 (CVSS 6.8), CVE-2011-1470 (CVSS 4.3), CVE-2011-1469 (CVSS 4.3), CVE-2012-1823 (CVSS 7.5), CVE-2013-4248 (CVSS 4.3), CVE-2012-1172 (CVSS 5.8), CVE-2012-2386 (CVSS 7.5), CVE-2014-0238 (CVSS 5.0), CVE-2010-4699 (CVSS 5.0), CVE-2011-0755 (CVSS 5.0), CVE-2016-7478 (CVSS 7.5), CVE-2006-7243 (CVSS 5.0), CVE-2014-2497 (CVSS 4.3)",
"technical_details_s": "[\"Detected on url: http://sd1.domain-675.com/\"]",
"opening_datetime_t": "2020-12-10T15:26:43.835Z",
"Type": "CyberpionActionItems_CL",
"_ResourceId": ""
}
]