Exploit And Vulnerability Intelligence

Vulnerability Enrichment

VulnCheck generates unique vulnerability enrichment that is then incorporated into VulnCheck's Exploit and Vulnerability Intelligence services.

The VulnCheck Vulnerability Intelligence service provides vulnerability generation and enrichment that is then incorporated into VulnCheck's Exploit Intelligence (the exploits index) and Vulnerability Intelligence (the vulncheck-nvd1 and vulncheck-nvd2 indices) services.

Vulnerability Enrichment and Generation Services Include:

Botnet Attribution

The VulnCheck Botnets index contains data related to various botnets. The index contains listings of botnets and citations for the CVEs they have been known to use.

Download the Botnets index

The VulnCheck API makes it easy to download VulnCheck Vulnerability Intelligence. To start, simply query the botnets backup via the /v3/backup/botnets API as follows:

curl --request GET \
    --url https://api.vulncheck.com/v3/backup/botnets \
    --header 'Accept: application/json' \
    --header 'Authorization: Bearer insert_token_here'

Access Individual Botnet Records

The VulnCheck API makes it easy to get started with VulnCheck Exploit & Vulnerability Intelligence. To start, simply query the botnets index via the /v3/index/botnets?botnet=:botnet API as follows:

curl --request GET \
    --url 'https://api.vulncheck.com/v3/index/botnets?botnet=Fbot' \
    --header 'Accept: application/json' \
    --header 'Authorization: Bearer insert_token_here'

The above example searches the botnets index for information on Fbot.

Example API Response for Individual Botnet Records

After calling the /v3/index/botnets?botnet=:botnet API endpoint with a valid botnet name, data similar to the below will be returned:

{
  "data": [
    {
      "botnet_name": "Fbot",
      "date_added": "2019-02-20T00:00:00Z",
      "malpedia_url": "https://malpedia.caad.fkie.fraunhofer.de/details/elf.fbot",
      "cve_references": [
        {
          "url": "https://www.trendmicro.com/vinfo/fr/security/news/internet-of-things/mirai-updates-new-variant-mukashi-targets-nas-devices-new-vulnerability-exploited-in-gpon-routers-upx-packed-fbot",
          "date_added": "2020-03-25",
          "cve": [
            "CVE-2016-20016",
            "CVE-2017-17215"
          ]
        },
        {
          "url": "https://blog.netlab.360.com/fbot-is-now-riding-the-traffic-and-transportation-smart-devices-en/",
          "date_added": "2021-03-03",
          "cve": [
            "CVE-2020-9020"
          ]
        },
        {
          "url": "https://blog.netlab.360.com/the-new-developments-of-the-fbot-en/",
          "date_added": "2019-02-20",
          "cve": [
            "CVE-2022-45045"
          ]
        },
        {
          "url": "https://blogs.juniper.net/en-us/threat-research/realtek-cve-2021-35394-exploited-in-the-wild",
          "date_added": "2021-08-27",
          "cve": [
            "CVE-2021-35394"
          ]
        }
      ],
      "cve": [
        "CVE-2016-20016",
        "CVE-2017-17215",
        "CVE-2020-9020",
        "CVE-2022-45045",
        "CVE-2021-35394"
      ],
      "_timestamp": "2024-01-29T21:21:48.319162Z"
    }
  ]
}

The above example response shows what the botnets index returns for Fbot.

CAPEC (Common Attack Pattern Enumeration and Classification)

VulnCheck generates CAPEC Attack Patterns which can be accessed on the cve record in vulncheck-nvd1 and vulncheck-nvd2.

Example CAPEC Attack Pattern

      "relatedAttackPatterns": [
        {
          "lang": "en",
          "capec_id": "CAPEC-100",
          "capec_name": "Overflow Buffers",
          "capec_url": "https://capec.mitre.org/data/definitions/100.html"
        }
      ]

The above example shows CAPEC data that the vulncheck-nvd2 index returns for CVE-2024-21762.

CPE (Common Platform Enumeration)

VulnCheck generates CPE for CVEs which can be accessed on the cve record in nist-nvd1, nist-nvd2, vulncheck-nvd1, and vulncheck-nvd2.

For more details on using VulnCheck generated CPE, see CPE Generation.

CWE (Common Weakness Enumeration)

VulnCheck generates and collects CWE from multiple sources for CVEs which can be accessed on the cve record in vulncheck-nvd1 and vulncheck-nvd2.

CVSS-BT (Common Vulnerability Scoring System Base / Temporal Scoring)

VulnCheck generates CVSS Threat and Temporal scores for CVSS V2, V3, V3.1 and V4 using VulnCheck's Exploit Intelligence for CVEs which can be accessed on the cve record in vulncheck-nvd1 and vulncheck-nvd2.

Example CVSS Temporal Score

  "temporalCVSSV31": {
    "version": "3.1",
    "vectorString": "E:H/RL:X/RC:C",
    "exploitCodeMaturity": "HIGH",
    "remediationLevel": "NOT_DEFINED",
    "reportConfidence": "CONFIRMED",
    "temporalScore": 9.8,
    "associatedBaseMetricV3": {
      "source": "nvd@nist.gov",
      "type": "Primary",
      "baseScore": 9.8
    }
  }

The above example shows CVSS Temporal data that the vulncheck-nvd2 index returns for CVE-2024-21762.
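
The temporal score above follows from the base score and the temporal vector. The Python below is an added example (not VulnCheck's code) that implements the CVSS v3.1 temporal formula and Roundup function from the specification and applies them to the page's record; the contrasting E:P/RL:O/RC:R vector is a constructed input.

```python
import math

# CVSS v3.1 temporal metric weights (Exploit Code Maturity, Remediation Level,
# Report Confidence) from the CVSS v3.1 specification; X = Not Defined.
TEMPORAL_WEIGHTS = {
    "E":  {"X": 1.00, "U": 0.91, "P": 0.94, "F": 0.97, "H": 1.00},
    "RL": {"X": 1.00, "O": 0.95, "T": 0.96, "W": 0.97, "U": 1.00},
    "RC": {"X": 1.00, "U": 0.92, "R": 0.96, "C": 1.00},
}

def roundup(value):
    """CVSS v3.1 Roundup: the smallest one-decimal number >= value, computed on
    an integer scale as the specification prescribes to avoid float surprises."""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0

def parse_temporal_vector(vector):
    """Parse the bare temporal vector VulnCheck returns, e.g. 'E:H/RL:X/RC:C'.
    Missing metrics default to X (Not Defined); non-temporal metrics are rejected."""
    metrics = dict(part.split(":", 1) for part in vector.split("/") if not part.startswith("CVSS"))
    unknown = set(metrics) - set(TEMPORAL_WEIGHTS)
    if unknown:
        raise ValueError(f"not temporal metrics: {sorted(unknown)}")
    return {name: metrics.get(name, "X") for name in TEMPORAL_WEIGHTS}

def temporal_score(base_score, vector):
    """TemporalScore = Roundup(BaseScore x E x RL x RC); a base score of 0 stays 0."""
    if base_score == 0:
        return 0.0
    product = base_score
    for name, value in parse_temporal_vector(vector).items():
        product *= TEMPORAL_WEIGHTS[name][value]
    return roundup(product)

if __name__ == "__main__":
    # The page's record: base 9.8 with E:H/RL:X/RC:C keeps its full 9.8.
    print(temporal_score(9.8, "E:H/RL:X/RC:C"))
    # Constructed contrast: proof-of-concept exploit, official fix, reasonable confidence.
    print(temporal_score(9.8, "E:P/RL:O/RC:R"))
```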

CVSS V4 (Common Vulnerability Scoring System)

VulnCheck collects CVSS V4 scores from multiple sources for CVEs which can be accessed on the cve record in vulncheck-nvd1 and vulncheck-nvd2.

Example CVSS V4 Score

        "cvssMetricV40": [
          {
            "source": "MITRE-CVE: cisa-cg",
            "type": "Secondary",
            "cvssData": {
              "attackComplexity": "LOW",
              "attackRequirements": "PRESENT",
              "attackVector": "NETWORK",
              "baseScore": 8.7,
              "baseSeverity": "HIGH",
              "privilegesRequired": "HIGH",
              "subAvailabilityImpact": "HIGH",
              "subConfidentialityImpact": "HIGH",
              "subIntegrityImpact": "HIGH",
              "userInteraction": "ACTIVE",
              "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
              "version": "4.0",
              "vulnAvailabilityImpact": "HIGH",
              "vulnConfidentialityImpact": "HIGH",
              "vulnIntegrityImpact": "HIGH"
            }
          }
        ],
        "threatCVSSV40Secondary": [
          {
            "exploitMaturity": "ATTACKED",
            "associatedBaseMetricV40": {
              "source": "MITRE-CVE: cisa-cg",
              "type": "Secondary",
              "baseScore": 8.7
            }
          }
        ]

The above example shows CVSS V4 data that the vulncheck-nvd2 index returns for CVE-2024-4978.

Exploit Chains

VulnCheck identifies exploit chains from multiple sources which can be accessed on the cve record in exploit-chains.

Known Exploited Vulnerabilities

VulnCheck identifies known exploited vulnerabilities from hundreds of sources which can be accessed on the cve record in exploits and vulncheck-kev.

MITRE ATT&CK Mappings

VulnCheck generates MITRE ATT&CK Mappings which can be accessed on the cve record in vulncheck-nvd1 and vulncheck-nvd2.

Example MITRE ATT&CK Mapping

      "mitreAttackTechniques": [
        {
          "id": "T0819",
          "url": "https://attack.mitre.org/techniques/T0819",
          "name": "Exploit Public-Facing Application",
          "domain": "ICS",
          "tactics": [
            "initial-access"
          ],
          "subtechnique": false
        },
        {
          "id": "T0866",
          "url": "https://attack.mitre.org/techniques/T0866",
          "name": "Exploitation of Remote Services",
          "domain": "ICS",
          "tactics": [
            "initial-access",
            "lateral-movement"
          ],
          "subtechnique": false
        }
      ]

The above example shows MITRE ATT&CK mapping data that the vulncheck-nvd2 index returns for CVE-2024-21762.

Ransomware Attribution

The VulnCheck ransomware index contains data related to ransomware. The index contains listings of ransomware families and citations for the CVEs they have been known to use.

Example API Response for Individual Ransomware Records

      "ransomware_family": "Cactus",
      "malpedia_url": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cactus",
      "cve_references": [
        {
          "url": "https://www.arcticwolf.com/resources/blog/qlik-sense-exploited-in-cactus-ransomware-campaign/",
          "date_added": "2023-11-28",
          "cve": [
            "CVE-2023-41266",
            "CVE-2023-41265",
            "CVE-2023-48365"
          ]
        },
        {
          "url": "https://blog.fox-it.com/2024/04/25/sifting-through-the-spines-identifying-potential-cactus-ransomware-victims/",
          "date_added": "2024-04-25",
          "cve": [
            "CVE-2023-41266",
            "CVE-2023-41265"
          ]
        },
        {
          "url": "https://northwave-cybersecurity.com/whitepapers-articles/pricksense-how-cactus-exploits-qlik-sense",
          "date_added": "2024-04-25",
          "cve": [
            "CVE-2023-41266",
            "CVE-2023-41265",
            "CVE-2023-48365"
          ]
        },
        {
          "url": "https://www.rapid7.com/globalassets/_pdfs/research/rapid7_2024_attack_intelligence_report.pdf",
          "date_added": "2024-05-21",
          "cve": [
            "CVE-2023-41265"
          ]
        },
        {
          "url": "https://www.trustwave.com/hubfs/Web/Library/Documents_pdf/2024_Trustwave_Professional_Services_Sector_Threat_Landscape.pdf",
          "date_added": "2024-06-26",
          "cve": [
            "CVE-2023-41266",
            "CVE-2023-41265",
            "CVE-2023-48365"
          ]
        }
      ],
      "cve": [
        "CVE-2023-41266",
        "CVE-2023-41265",
        "CVE-2023-48365"
      ]

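The botnets and ransomware records above share one shape: a name, per-citation cve_references (url, date_added, cve) and a rolled-up cve list. The Python below is an added example, not VulnCheck's code: it inverts records of that shape into a CVE-keyed index, checks the roll-up against the citations, and ranks a constructed list of asset CVEs by how long adversary use has been cited. The records are copied from this page and trimmed to the fields used.

```python
from collections import defaultdict
# Records copied from the botnets and ransomware examples on this page,
# trimmed to the fields the join needs. The asset CVE list is constructed.
RECORDS = [
    {"botnet_name": "Fbot",
     "cve_references": [
         {"url": "https://blog.netlab.360.com/fbot-is-now-riding-the-traffic-and-transportation-smart-devices-en/",
          "date_added": "2021-03-03", "cve": ["CVE-2020-9020"]},
         {"url": "https://blogs.juniper.net/en-us/threat-research/realtek-cve-2021-35394-exploited-in-the-wild",
          "date_added": "2021-08-27", "cve": ["CVE-2021-35394"]}],
     "cve": ["CVE-2020-9020", "CVE-2021-35394"]},
    {"ransomware_family": "Cactus",
     "cve_references": [
         {"url": "https://www.arcticwolf.com/resources/blog/qlik-sense-exploited-in-cactus-ransomware-campaign/",
          "date_added": "2023-11-28", "cve": ["CVE-2023-41266", "CVE-2023-41265", "CVE-2023-48365"]},
         {"url": "https://www.rapid7.com/globalassets/_pdfs/research/rapid7_2024_attack_intelligence_report.pdf",
          "date_added": "2024-05-21", "cve": ["CVE-2023-41265"]}],
     "cve": ["CVE-2023-41266", "CVE-2023-41265", "CVE-2023-48365"]},
]

def actor_name(record):
    """Both index shapes carry a single name field, under different keys."""
    return record.get("botnet_name") or record.get("ransomware_family")

def uncited_rollup(record):
    """CVEs in the top-level roll-up that no citation supports; an empty set
    means the record is internally consistent."""
    cited = {c for ref in record["cve_references"] for c in ref["cve"]}
    return set(record["cve"]) - cited

def build_cve_index(records):
    """Invert actor-centric records into CVE -> [(actor, date_added, url)],
    with each actor's citations ordered oldest first."""
    index = defaultdict(list)
    for rec in records:
        for ref in sorted(rec["cve_references"], key=lambda r: r["date_added"]):
            for cve in ref["cve"]:
                index[cve].append((actor_name(rec), ref["date_added"], ref["url"]))
    return dict(index)

def prioritize(asset_cves, index):
    """Keep only the asset CVEs with adversary attribution, longest-known first."""
    hits = [(cve, index[cve]) for cve in asset_cves if cve in index]
    return sorted(hits, key=lambda item: item[1][0][1])

if __name__ == "__main__":
    idx = build_cve_index(RECORDS)
    for cve, cites in prioritize(["CVE-2023-41265", "CVE-2021-35394"], idx):
        print(cve, "->", ", ".join(f"{actor} (cited since {date})" for actor, date, _ in cites))
```
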
References

VulnCheck collects references from hundreds of sources across the world for CVEs which can be accessed on the cve record in vulncheck-nvd1 and vulncheck-nvd2. We also provide many of the reference sources as indices which you can browse.

Threat Actor Attribution

VulnCheck tracks hundreds of named threat actors who have been reported to exploit specific vulnerabilities in the wild. The VulnCheck threat-actors index contains data related to various threat actors, along with CVE counts per threat actor, and is incorporated into the exploits index. The index contains listings of threat actors and citations for the CVEs they have been known to use.

VulnCheck tracks Advanced Persistent Threat (APT), named Threat Actors, ransomware groups, botnets, and other adversaries. We track a wide variety of named threat actors, including Threat Actors from Russia & China, as well as Threat Actors who have been reported to target Industrial Control Systems & Operational Technology (ICS/OT). VulnCheck collects Threat Actor information from a wide variety of sources and then assembles this disparate information into the industry’s most easily consumable exploit intelligence offering, VulnCheck Exploit & Vulnerability Intelligence.

With VulnCheck Exploit & Vulnerability Intelligence, threat actors can easily be looked up by a wide variety of names and naming schemes.

In the Cybersecurity industry there exist many different naming schemes for Threat Actors. Each Cybersecurity vendor tends to name Threat Actors using its own methodology, which makes correlating Threat Actor behaviors more challenging. At VulnCheck, we support researching Threat Actors using a wide variety of options.

MITRE ATT&CK Group Names

Many organizations rely on MITRE ATT&CK Group names for Threat Actors. VulnCheck Exploit & Vulnerability Intelligence includes the MITRE ATT&CK Group name, as well as the aliases, as shown below:

{
  "name": "Dragonfly",
  "aliases": [
    "Dragonfly",
    "TG-4192",
    "Crouching Yeti",
    "IRON LIBERTY",
    "Energetic Bear"
  ]
}

MISP Threat Actor Names

Many other organizations rely on MISP Threat Actor names for correlating Threat Actor behaviors. VulnCheck Exploit Intelligence includes the MISP Threat Actor name (the value field below) as well as its aliases (the synonyms field), as shown below:

{
  "synonyms": [
    "Dragonfly",
    "Crouching Yeti",
    "Group 24",
    "Havex",
    "CrouchingYeti",
    "Koala Team",
    "IRON LIBERTY"
  ],
  "value": "Energetic Bear"
}

Cybersecurity Vendor Names

Some Cybersecurity vendors have their own naming schemes and make them straightforward to follow. In these cases, VulnCheck Exploit & Vulnerability Intelligence also includes the Threat Actor names used by the vendor. Naming schemes that VulnCheck Exploit & Vulnerability Intelligence supports natively include the CrowdStrike, Dragos, Mandiant, and Microsoft naming systems, as shown below:

  "vendor_names_for_threat_actors": [
    {
      "vendor_name": "CrowdStrike",
      "threat_actor_name": "Fancy Bear"
    },
    {
      "vendor_name": "Dragos",
      "threat_actor_name": "PETROVITE",
      "url": "https://www.dragos.com/threat/petrovite/"
    },
    {
      "vendor_name": "Microsoft",
      "threat_actor_name": "Forest Blizzard",
      "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming"
    },
    {
      "vendor_name": "Mandiant",
      "threat_actor_name": "APT28",
      "url": "https://www.mandiant.com/resources/insights/apt-groups"
    }
  ]

Regardless of what Threat Actor naming scheme your organization uses, VulnCheck Exploit & Vulnerability Intelligence makes it easy to find the Threat Actors you're looking for.
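
As an added example (not VulnCheck's code), the Python below folds the three naming schemes described above into one alias index so that a query in any scheme resolves to the MITRE group name. The Dragonfly values are copied from this page; the APT28 record and the nesting of the MISP fields under a `misp` key are constructed assumptions about how the fields might be combined in one record.

```python
import re

def normalize(name):
    """Fold case and strip spaces/punctuation so 'Crouching Yeti',
    'CrouchingYeti' and 'IRON LIBERTY' / 'Iron Liberty' collide."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

# Constructed records using the three field shapes shown on this page:
# MITRE group name/aliases, MISP value/synonyms, vendor_names_for_threat_actors.
# The Dragonfly values are copied from the page; the APT28 record is constructed.
THREAT_ACTORS = [
    {"name": "Dragonfly",
     "aliases": ["Dragonfly", "TG-4192", "Crouching Yeti", "IRON LIBERTY", "Energetic Bear"],
     "misp": {"value": "Energetic Bear",
              "synonyms": ["Dragonfly", "Crouching Yeti", "Group 24", "Havex",
                           "CrouchingYeti", "Koala Team", "IRON LIBERTY"]},
     "vendor_names_for_threat_actors": []},
    {"name": "APT28",
     "aliases": ["APT28", "Fancy Bear", "Forest Blizzard"],
     "misp": {"value": "Sofacy", "synonyms": ["APT 28", "Fancy Bear"]},
     "vendor_names_for_threat_actors": [
         {"vendor_name": "CrowdStrike", "threat_actor_name": "Fancy Bear"},
         {"vendor_name": "Microsoft", "threat_actor_name": "Forest Blizzard"},
         {"vendor_name": "Mandiant", "threat_actor_name": "APT28"}]},
]

def build_alias_index(records):
    """Map every normalized name from every scheme to the record's MITRE name.
    One name claimed by two different records is a data error, so fail loudly."""
    index = {}
    for rec in records:
        misp = rec.get("misp", {})
        names = [rec["name"], *rec.get("aliases", []), misp.get("value", ""),
                 *misp.get("synonyms", []),
                 *(v["threat_actor_name"] for v in rec.get("vendor_names_for_threat_actors", []))]
        for raw in filter(None, names):
            owner = index.setdefault(normalize(raw), rec["name"])
            if owner != rec["name"]:
                raise ValueError(f"{raw!r} is claimed by both {owner} and {rec['name']}")
    return index

def resolve(query, index):
    """Return the canonical (MITRE) name for any known alias, or None."""
    return index.get(normalize(query))
```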

Vulnerability Categorizations

VulnCheck generates categorizations for CVEs which can be accessed on the cve record in vulncheck-nvd1 and vulncheck-nvd2. Categorizations include ICS/OT, IoMT, IoT, Mobile, Server Software, and more.

Example Vulnerability Categorization

        "categorization": {
          "tags": [
            "ICS/OT",
            "IoT"
          ]
        }

Vulnerability Status

VulnCheck Exploit & Vulnerability Intelligence maintains a Vulnerability Status field in the header of vulnerability requests. The Vulnerability Status field helps distinguish between confirmed vulnerabilities and other vulnerabilities with a different status, such as disputed or rejected vulnerabilities.

Vulnerability Status Definitions

Status         Meaning
Confirmed      The most common vulnerability status. Most vulnerabilities have a status of Confirmed.
Disputed       If a vulnerability is disputed, for whatever reason, it has a status of Disputed.
Pending        CVEs that do not yet have a live description in NVD and are not set to another status, such as Reserved, are set to Pending.
Rejected       If a vulnerability has been rejected for whatever reason, it has a status of Rejected.
Reserved       CVEs that have been reserved in blocks by CVE Numbering Authorities (CNAs) have a status of Reserved if they have not yet been published by NIST.
Unsupported    If the CVE, at the time of publication, has been reported in End of Life or otherwise unsupported software, the vulnerability status is set to Unsupported.
Unverifiable   If the vulnerability information is ambiguous and cannot be verified, the status is set to Unverifiable.

The above table shows the statuses currently available in the VulnCheck vulnerability status field.