The VulnCheck Vulnerability Intelligence service provides vulnerability generation and enrichment services that are then incorporated into VulnCheck's Exploit Intelligence `exploits` service and Vulnerability Intelligence `vulncheck-nvd` and `vulncheck-nvd2` services.

Vulnerability Enrichment and Generation Services include:
The VulnCheck `botnets` index contains data related to various botnets. The index contains listings of botnets and citations for the CVEs they have been known to use.
The VulnCheck API makes it easy to download VulnCheck Vulnerability Intelligence. To start, simply query the botnets backup via the `/v3/backup/botnets` API as follows:

Using curl:

```shell
curl --request GET \
  --url https://api.vulncheck.com/v3/backup/botnets \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer insert_token_here'
```
Using the Go SDK:

```go
package main

import (
	"fmt"

	"github.com/vulncheck-oss/sdk-go"
)

func main() {
	client := sdk.Connect("https://api.vulncheck.com", "insert_token_here")
	response, err := client.GetIndexBackup("botnets")
	if err != nil {
		panic(err)
	}
	fmt.Println(response.Urls())
}
```
Using the Python SDK:

```python
import vulncheck_sdk

configuration = vulncheck_sdk.Configuration(host="https://api.vulncheck.com/v3")
configuration.api_key["Bearer"] = "insert_token_here"

with vulncheck_sdk.ApiClient(configuration) as api_client:
    endpoints_client = vulncheck_sdk.EndpointsApi(api_client)
    api_response = endpoints_client.backup_index_get("botnets")
    print(api_response.data[0].url)
```
Using the VulnCheck CLI:

```shell
vulncheck backup download botnets
```
The VulnCheck API makes it easy to get started with VulnCheck Exploit & Vulnerability Intelligence. To start, simply query the botnets index via the `/v3/index/botnets?botnet=:botnet` API as follows:

Using curl:

```shell
curl --request GET \
  --url https://api.vulncheck.com/v3/index/botnets?botnet=Fbot \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer insert_token_here'
```
Using the Go SDK:

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"

	"github.com/vulncheck-oss/sdk-go"
)

func main() {
	client := sdk.Connect("https://api.vulncheck.com", "insert_token_here")
	response, err := client.GetIndexBotnets(sdk.IndexQueryParameters{
		Botnet: "Fbot",
	})
	if err != nil {
		panic(err)
	}
	prettyJSON, err := json.MarshalIndent(response.Data, "", " ")
	if err != nil {
		log.Fatalf("Failed to generate JSON: %v", err)
	}
	fmt.Println(string(prettyJSON))
}
```
Using the Python SDK:

```python
import vulncheck_sdk

configuration = vulncheck_sdk.Configuration(host="https://api.vulncheck.com/v3")
configuration.api_key["Bearer"] = "insert_token_here"

with vulncheck_sdk.ApiClient(configuration) as api_client:
    indices_client = vulncheck_sdk.IndicesApi(api_client)
    api_response = indices_client.index_botnets_get(botnetName="Fbot")
    print(api_response.data)
```
Using the VulnCheck CLI:

```shell
vulncheck index browse botnets --botnet Fbot
```

The above example searches the `botnets` index for information on Fbot. After calling the `/v3/index/botnets?botnet=Fbot` API endpoint with a valid botnet name (such as Fbot), data similar to the below will be returned:
```json
{
  "data": [
    {
      "botnet_name": "Fbot",
      "date_added": "2019-02-20T00:00:00Z",
      "malpedia_url": "https://malpedia.caad.fkie.fraunhofer.de/details/elf.fbot",
      "cve_references": [
        {
          "url": "https://www.trendmicro.com/vinfo/fr/security/news/internet-of-things/mirai-updates-new-variant-mukashi-targets-nas-devices-new-vulnerability-exploited-in-gpon-routers-upx-packed-fbot",
          "date_added": "2020-03-25",
          "cve": [
            "CVE-2016-20016",
            "CVE-2017-17215"
          ]
        },
        {
          "url": "https://blog.netlab.360.com/fbot-is-now-riding-the-traffic-and-transportation-smart-devices-en/",
          "date_added": "2021-03-03",
          "cve": [
            "CVE-2020-9020"
          ]
        },
        {
          "url": "https://blog.netlab.360.com/the-new-developments-of-the-fbot-en/",
          "date_added": "2019-02-20",
          "cve": [
            "CVE-2022-45045"
          ]
        },
        {
          "url": "https://blogs.juniper.net/en-us/threat-research/realtek-cve-2021-35394-exploited-in-the-wild",
          "date_added": "2021-08-27",
          "cve": [
            "CVE-2021-35394"
          ]
        }
      ],
      "cve": [
        "CVE-2016-20016",
        "CVE-2017-17215",
        "CVE-2020-9020",
        "CVE-2022-45045",
        "CVE-2021-35394"
      ],
      "_timestamp": "2024-01-29T21:21:48.319162Z"
    }
  ]
}
```

The above example response shows what the `botnets` index returns for Fbot.
VulnCheck generates CAPEC Attack Patterns which can be accessed on the cve record in `vulncheck-nvd` and `vulncheck-nvd2`.

```json
"relatedAttackPatterns": [
  {
    "lang": "en",
    "capec_id": "CAPEC-100",
    "capec_name": "Overflow Buffers",
    "capec_url": "https://capec.mitre.org/data/definitions/100.html"
  }
]
```

The above example shows CAPEC data that the `vulncheck-nvd2` index returns for CVE-2024-21762.
VulnCheck generates CPE for CVEs which can be accessed on the cve record in `nist-nvd`, `nist-nvd2`, `vulncheck-nvd`, and `vulncheck-nvd2`. For more details on using VulnCheck generated CPE, see CPE Generation.

VulnCheck generates and collects CWE from multiple sources for CVEs which can be accessed on the cve record in `vulncheck-nvd` and `vulncheck-nvd2`.

VulnCheck generates CVSS Threat and Temporal scores for CVSS V2, V3, V3.1 and V4 using VulnCheck's Exploit Intelligence for CVEs which can be accessed on the cve record in `vulncheck-nvd` and `vulncheck-nvd2`.
```json
"temporalCVSSV31": {
  "version": "3.1",
  "vectorString": "E:H/RL:X/RC:C",
  "exploitCodeMaturity": "HIGH",
  "remediationLevel": "NOT_DEFINED",
  "reportConfidence": "CONFIRMED",
  "temporalScore": 9.8,
  "associatedBaseMetricV3": {
    "source": "nvd@nist.gov",
    "type": "Primary",
    "baseScore": 9.8
  }
}
```

The above example shows CVSS Temporal data that the `vulncheck-nvd2` index returns for CVE-2024-21762.
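As an added example, not code from VulnCheck's documentation or SDK, the following Python reproduces the CVSS v3.1 temporal calculation behind a record like the one above: the three temporal metrics (E, RL, RC) are parsed from the vector string, their specification weights are multiplied into the base score, and the product is rounded up with the v3.1 Roundup function. It assumes the base score is the `associatedBaseMetricV3.baseScore` value and applies to v3.x only (v2 and v4 use different formulas).

```python
import math

# Temporal metric weights from the CVSS v3.1 specification. "X" (Not Defined)
# has no effect on the score.
EXPLOIT_CODE_MATURITY = {"X": 1.0, "U": 0.91, "P": 0.94, "F": 0.97, "H": 1.0}
REMEDIATION_LEVEL = {"X": 1.0, "O": 0.95, "T": 0.96, "W": 0.97, "U": 1.0}
REPORT_CONFIDENCE = {"X": 1.0, "U": 0.92, "R": 0.96, "C": 1.0}


def roundup(value):
    """CVSS v3.1 Roundup: smallest one-decimal number >= value, done with
    integer arithmetic so floating-point noise cannot push the result up."""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def parse_temporal_vector(vector):
    """Parse 'E:H/RL:X/RC:C' (with or without a 'CVSS:3.1/' prefix).
    Metrics missing from the vector default to X (Not Defined)."""
    metrics = {"E": "X", "RL": "X", "RC": "X"}
    for part in vector.split("/"):
        if part.startswith("CVSS:") or not part:
            continue
        key, _, val = part.partition(":")
        if key in metrics:
            if val not in {"E": EXPLOIT_CODE_MATURITY,
                           "RL": REMEDIATION_LEVEL,
                           "RC": REPORT_CONFIDENCE}[key]:
                raise ValueError("unknown value %r for metric %s" % (val, key))
            metrics[key] = val
    return metrics


def temporal_score(base_score, vector):
    """TemporalScore = Roundup(BaseScore * E * RL * RC) per CVSS v3.1."""
    m = parse_temporal_vector(vector)
    weight = (EXPLOIT_CODE_MATURITY[m["E"]]
              * REMEDIATION_LEVEL[m["RL"]]
              * REPORT_CONFIDENCE[m["RC"]])
    return roundup(base_score * weight)
```

With the record above (base 9.8, `E:H/RL:X/RC:C`) every weight is 1.0, which is why the temporal score equals the base score; a vector such as `E:P/RL:O/RC:R` on the same base yields 8.5.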
VulnCheck collects CVSS V4 scores from multiple sources for CVEs which can be accessed on the cve record in `vulncheck-nvd` and `vulncheck-nvd2`.

```json
"cvssMetricV40": [
  {
    "source": "MITRE-CVE: cisa-cg",
    "type": "Secondary",
    "cvssData": {
      "attackComplexity": "LOW",
      "attackRequirements": "PRESENT",
      "attackVector": "NETWORK",
      "baseScore": 8.7,
      "baseSeverity": "HIGH",
      "privilegesRequired": "HIGH",
      "subAvailabilityImpact": "HIGH",
      "subConfidentialityImpact": "HIGH",
      "subIntegrityImpact": "HIGH",
      "userInteraction": "ACTIVE",
      "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "version": "4.0",
      "vulnAvailabilityImpact": "HIGH",
      "vulnConfidentialityImpact": "HIGH",
      "vulnIntegrityImpact": "HIGH"
    }
  }
],
"threatCVSSV40Secondary": [
  {
    "exploitMaturity": "ATTACKED",
    "associatedBaseMetricV40": {
      "source": "MITRE-CVE: cisa-cg",
      "type": "Secondary",
      "baseScore": 8.7
    }
  }
]
```
VulnCheck identifies exploit chains from multiple sources which can be accessed on the cve record in `exploit-chains`.

VulnCheck identifies known exploited vulnerabilities from hundreds of sources which can be accessed on the cve record in `exploits` and `vulncheck-kev`.

VulnCheck generates MITRE ATT&CK Mappings which can be accessed on the cve record in `vulncheck-nvd` and `vulncheck-nvd2`.
```json
"mitreAttackTechniques": [
  {
    "id": "T0819",
    "url": "https://attack.mitre.org/techniques/T0819",
    "name": "Exploit Public-Facing Application",
    "domain": "ICS",
    "tactics": [
      "initial-access"
    ],
    "subtechnique": false
  },
  {
    "id": "T0866",
    "url": "https://attack.mitre.org/techniques/T0866",
    "name": "Exploitation of Remote Services",
    "domain": "ICS",
    "tactics": [
      "initial-access",
      "lateral-movement"
    ],
    "subtechnique": false
  }
]
```

The above example shows MITRE ATT&CK data that the `vulncheck-nvd2` index returns when mappings are available.

The VulnCheck `ransomware` index contains data related to ransomware. The index contains listings of ransomware and citations for the CVEs they have been known to use.
```json
{
  "ransomware_family": "Cactus",
  "malpedia_url": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cactus",
  "cve_references": [
    {
      "url": "https://www.arcticwolf.com/resources/blog/qlik-sense-exploited-in-cactus-ransomware-campaign/",
      "date_added": "2023-11-28",
      "cve": [
        "CVE-2023-41266",
        "CVE-2023-48365"
      ]
    },
    {
      "url": "https://blog.fox-it.com/2024/04/25/sifting-through-the-spines-identifying-potential-cactus-ransomware-victims/",
      "date_added": "2024-04-25",
      "cve": [
        "CVE-2023-41266",
        "CVE-2023-41265"
      ]
    }
    // ...
  ],
  "cve": [
    "CVE-2023-41266",
    "CVE-2023-48365"
  ]
}
```
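As an added example that is not part of VulnCheck's documentation or SDK, the following Python builds a CVE-to-adversary lookup from `botnets` and `ransomware` index records like the Fbot and Cactus records shown on this page, and ranks an asset's CVEs by how many named adversaries cite them. The records below are constructed samples with placeholder URLs; field names (`botnet_name`, `ransomware_family`, `cve_references`, `cve`) follow the page, and the asset CVE list is assumed to come from your own scanner.

```python
import json
from collections import defaultdict

# Constructed sample records shaped like the botnets and ransomware index
# entries on this page (placeholder URLs, trimmed reference lists).
BOTNETS_SAMPLE = json.dumps({"data": [{
    "botnet_name": "Fbot",
    "cve_references": [
        {"url": "https://example.invalid/fbot-ref-1", "date_added": "2020-03-25",
         "cve": ["CVE-2016-20016", "CVE-2017-17215"]},
        {"url": "https://example.invalid/fbot-ref-2", "date_added": "2021-08-27",
         "cve": ["CVE-2021-35394"]},
    ],
    "cve": ["CVE-2016-20016", "CVE-2017-17215", "CVE-2021-35394"],
}]})
RANSOMWARE_SAMPLE = json.dumps({"data": [{
    "ransomware_family": "Cactus",
    "cve_references": [
        {"url": "https://example.invalid/cactus-ref-1", "date_added": "2023-11-28",
         "cve": ["CVE-2023-41266", "CVE-2023-48365"]},
    ],
    # Summary list deliberately omits one cited CVE to show the merge below.
    "cve": ["CVE-2023-41266"],
}]})


def adversaries_by_cve(raw_json, name_field):
    """Map each CVE to the set of adversary names whose record cites it."""
    mapping = defaultdict(set)
    for record in json.loads(raw_json)["data"]:
        name = record[name_field]
        # Union the summary "cve" list with every citation's "cve" list so a
        # CVE present in only one of them is still attributed.
        cves = set(record.get("cve", []))
        for ref in record.get("cve_references", []):
            cves.update(ref.get("cve", []))
        for cve in cves:
            mapping[cve].add(name)
    return mapping


def prioritize(asset_cves, *sources):
    """Return (cve, [adversaries]) for asset CVEs with at least one adversary,
    most-cited first, then by CVE id. sources are (raw_json, name_field)."""
    combined = defaultdict(set)
    for raw_json, name_field in sources:
        for cve, names in adversaries_by_cve(raw_json, name_field).items():
            combined[cve] |= names
    hits = {c: sorted(combined[c]) for c in set(asset_cves) if c in combined}
    return sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0]))
```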
VulnCheck collects references from hundreds of sources across the world for CVEs which can be accessed on the cve record in `vulncheck-nvd` and `vulncheck-nvd2`. We also provide many of the reference sources as indices which you can browse.

VulnCheck tracks hundreds of named threat actors who have been reported to exploit specific vulnerabilities in the wild. The VulnCheck `threat-actors` index contains data related to various threat actors; the CVE counts for threat actors are incorporated into the `exploits` index. The index contains listings of threat actors and citations for the CVEs they have been known to use.
VulnCheck tracks Advanced Persistent Threat (APT), named Threat Actors, ransomware groups, botnets, and other adversaries. We track a wide variety of named threat actors, including Threat Actors from Russia & China, as well as Threat Actors who have been reported to target Industrial Control Systems & Operational Technology (ICS/OT). VulnCheck collects Threat Actor information from a wide variety of sources and then assembles this disparate information into the industry’s most easily consumable exploit intelligence offering, VulnCheck Exploit & Vulnerability Intelligence.
With VulnCheck Exploit & Vulnerability Intelligence, threat actors can easily be looked up by a wide variety of names and naming schemes.

In the cybersecurity industry there exist many different naming schemes for Threat Actors. Each cybersecurity vendor tends to name Threat Actors using its own methodology, which makes correlating Threat Actor behaviors more challenging. At VulnCheck, we support researching Threat Actors using a wide variety of options.

Many organizations rely on MITRE ATT&CK Group names for Threat Actors. VulnCheck Exploit & Vulnerability Intelligence includes the MITRE ATT&CK Group name, as well as the aliases, as shown below:

```json
{
  "name": "Dragonfly",
  "aliases": [
    "Dragonfly",
    "TG-4192",
    "Crouching Yeti",
    "IRON LIBERTY",
    "Energetic Bear"
  ]
}
```
Many other organizations rely on MISP Threat Actor names for correlating Threat Actor behaviors. VulnCheck Exploit Intelligence includes the MISP Threat Actor name (the `value` field below), as well as the aliases, shown below as `synonyms`:

```json
{
  "synonyms": [
    "Dragonfly",
    "Crouching Yeti",
    "Group 24",
    "Havex",
    "CrouchingYeti",
    "Koala Team",
    "IRON LIBERTY"
  ],
  "value": "Energetic Bear"
}
```
Some cybersecurity vendors have their own naming schemes and make them straightforward to follow. In these cases, VulnCheck Exploit & Vulnerability Intelligence also includes the Threat Actor names used by the vendor. Among the naming schemes VulnCheck Exploit & Vulnerability Intelligence supports natively are the CrowdStrike, Dragos, Mandiant, and Microsoft naming systems.

```json
"vendor_names_for_threat_actors": [
  {
    "vendor_name": "CrowdStrike",
    "threat_actor_name": "Fancy Bear"
  },
  {
    "vendor_name": "Mandiant",
    "threat_actor_name": "APT28",
    "url": "https://www.mandiant.com/resources/insights/apt-groups"
  }
]
```
Regardless of what Threat Actor naming scheme your organization uses, VulnCheck Exploit & Vulnerability Intelligence makes it easy to find the Threat Actors you're looking for.
VulnCheck generates categorizations for CVEs which can be accessed on the cve record in `vulncheck-nvd` and `vulncheck-nvd2`. Categorizations include ICS/OT, IoMT, IoT, Mobile, Server Software, and more.

```json
"categorization": {
  "tags": [
    "ICS/OT",
    "IoT"
  ]
}
```
VulnCheck Exploit & Vulnerability Intelligence maintains a Vulnerability Status field in the header of vulnerability requests. The Vulnerability Status field helps distinguish between confirmed vulnerabilities and other vulnerabilities with a different status, such as disputed or rejected vulnerabilities.
| Status | Meaning |
|---|---|
| Confirmed | The most common vulnerability status. Most vulnerabilities have a status of Confirmed. |
| Disputed | If a vulnerability is disputed, for whatever reason, it has a status of Disputed. |
| Pending | CVEs that do not currently have a description live in NVD and are not set to another status, such as Reserved, are set to Pending. |
| Rejected | If a vulnerability has been rejected for whatever reason, it has a status of Rejected. |
| Reserved | CVEs that have been reserved in blocks by CVE Numbering Authorities (CNAs) have a status of Reserved if they have not yet been published by NIST. |
| Unsupported | If the CVE, at the time of publication, has been reported in End of Life or otherwise unsupported software, the vulnerability status is set to Unsupported. |
| Unverifiable | If the vulnerability information is ambiguous and cannot be verified, the status is set to Unverifiable. |

The above table shows the statuses currently available in the VulnCheck vulnerability status field.