From c7f476450db09a928839f6734e27d91f293e10bd Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Wed, 20 Mar 2019 11:47:01 +0100
Subject: [PATCH 1/5] remove mitre-relationships from readme

---
 README.md | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/README.md b/README.md
index 1384c6d..9eb0244 100644
--- a/README.md
+++ b/README.md
@@ -40,17 +40,14 @@ to localized information (which is not shared) or additional information (that c
 - [clusters/mitre-enterprise-attack-attack-pattern.json](clusters/mitre-enterprise-attack-attack-pattern.json) - Attack Pattern - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Enterprise Attack
 - [clusters/mitre-enterprise-attack-course-of-action.json](clusters/mitre-enterprise-attack-course-of-action.json) - Course of Action - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Enterprise Attack
 - [clusters/mitre-enterprise-attack-intrusion-set.json](clusters/mitre-enterprise-attack-intrusion-set.json) - Intrusion Set - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Enterprise Attack
 - Malware - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Enterprise Attack
-- [clusters/mitre-enterprise-attack-relationship.json](clusters/mitre-enterprise-attack-relationship.json) - Relationship . MITRE Relationship - V2.0 Enterprise Attack
 - [clusters/mitre-enterprise-attack-tool.json](clusters/mitre-enterprise-attack-tool.json) - Tool - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Enterprise Attack
 - [clusters/mitre-mobile-attack-attack-pattern.json](clusters/mitre-mobile-attack-attack-pattern.json) - Attack Pattern - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Mobile Attack
 - [clusters/mitre-mobile-attack-course-of-action.json](clusters/mitre-mobile-attack-course-of-action.json) - Course of Action - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Mobile Attack
 - [clusters/mitre-mobile-attack-intrusion-set.json](clusters/mitre-mobile-attack-intrusion-set.json) - Intrusion Set - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Mobile Attack
 - [clusters/mitre-mobile-attack-malware.json](clusters/mitre-mobile-attack-malware.json) - Malware - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Mobile Attack
-- [clusters/mitre-mobile-attack-relationship.json](clusters/mitre-mobile-attack-relationship.json) - Relationship . MITRE Relationship - V2.0 Mobile Attack
 - [clusters/mitre-mobile-attack-tool.json](clusters/mitre-mobile-attack-tool.json) - Tool - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Mobile Attack
 - [clusters/mitre-pre-attack-attack-pattern.json](clusters/mitre-pre-attack-attack-pattern.json) - Attack Pattern - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Pre Attack
 - [clusters/mitre-pre-attack-intrusion-set.json](clusters/mitre-pre-attack-intrusion-set.json) - Intrusion Set - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Pre Attack
-- [clusters/mitre-pre-attack-relationship.json](clusters/mitre-pre-attack-relationship.json) - Relationship . MITRE Relationship - V2.0 Pre Attack
 - [clusters/sectors.json](clusters/sectors.json) - Activity sectors
 - [clusters/cert-eu-govsector.json](clusters/cert-eu-govsector.json) - Cert EU GovSector
@@ -121,5 +118,3 @@ or OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ~~~~~ - -
From b2e1d5551ffda224a327cce5612211445fc05f9b Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Wed, 20 Mar 2019 11:47:58 +0100
Subject: [PATCH 2/5] add SPOILER vulnerability + other minor changes

---
 clusters/botnet.json | 5 +++--
 clusters/branded_vulnerability.json | 16 +++++++++++++++-
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/clusters/botnet.json b/clusters/botnet.json
index 1df05f5..a57b2bf 100644
--- a/clusters/botnet.json
+++ b/clusters/botnet.json
@@ -697,7 +697,8 @@
 "refs": [
 "https://en.wikipedia.org/wiki/Mirai_(malware)",
 "https://researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/",
- "https://www.bleepingcomputer.com/news/security/mirai-iot-malware-uses-aboriginal-linux-to-target-multiple-platforms/"
+ "https://www.bleepingcomputer.com/news/security/mirai-iot-malware-uses-aboriginal-linux-to-target-multiple-platforms/",
+ "https://www.bleepingcomputer.com/news/security/new-mirai-variant-comes-with-27-exploits-targets-enterprise-devices/"
 ]
 },
 "related": [
@@ -1148,5 +1149,5 @@
 "value": "Chalubo"
 }
 ],
- "version": 18
+ "version": 19
 }
diff --git a/clusters/branded_vulnerability.json b/clusters/branded_vulnerability.json
index ab15a1f..c4727ef 100644
--- a/clusters/branded_vulnerability.json
+++ b/clusters/branded_vulnerability.json
@@ -158,7 +158,21 @@
 },
 "uuid": "3c2325e4-b740-11e8-9504-b32b4d974add",
 "value": "Blacknurse"
+ },
+ {
+ "description": "SPOILER is a security vulnerability on modern computer central processing units that uses speculative execution to improve the efficiency of Rowhammer and other related memory and cache attacks. According to reports, all modern Intel CPUs are vulnerable to the attack. AMD has stated that its processors are not vulnerable.",
+ "meta": {
+ "refs": [
+ "https://arxiv.org/pdf/1903.00446v1.pdf",
+ "https://appleinsider.com/articles/19/03/05/new-spoiler-vulnerability-in-all-intel-core-processors-exposed-by-researchers",
+ "https://www.overclock3d.net/news/cpu_mainboard/spoiler_alert_-_intel_cpus_impacted_by_new_vulnerability/1",
+ "https://www.1e.com/news-insights/blogs/the-spoiler-vulnerability/",
+ "https://www.bleepingcomputer.com/news/security/amd-believes-spoiler-vulnerability-does-not-impact-its-processors/"
+ ]
+ },
+ "uuid": "3434339f-ea87-472e-a330-62d2b5cf2c26",
+ "value": "SPOILER"
 }
 ],
- "version": 2
+ "version": 3
 }
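Review bot: The first reference of the new SPOILER entry pins one revision of the preprint, `"https://arxiv.org/pdf/1903.00446v1.pdf"`, so readers following it will not see later revisions of the paper; the abstract page `"https://arxiv.org/abs/1903.00446"` always resolves to the current version and is the usual citation form. The description also states vendor impact as present-tense fact ("all modern Intel CPUs are vulnerable", "AMD has stated that its processors are not vulnerable") while attributing it only to "reports"; since these are point-in-time claims taken from the press coverage in `refs`, wording them as reported findings at the time of the disclosure keeps the entry accurate once mitigations ship. The entry has no identifier beyond `value`; if a formal vulnerability identifier exists for SPOILER, recording it under `meta` would let consumers correlate it with other galaxies.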
From f86c748b8cdc555bbe79f43c907ade3ec6ea6465 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Wed, 20 Mar 2019 15:45:20 +0100
Subject: [PATCH 3/5] add AOT-C-27 Goldmouse

---
 clusters/threat-actor.json | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 70f379b..c6f820e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6630,7 +6630,19 @@
 },
 "uuid": "35c40ce2-57c0-479e-8a56-efbb8695e395",
 "value": "Operation Comando"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://ti.360.net/blog/articles/apt-c-27-(goldmouse):-suspected-target-attack-against-the-middle-east-with-winrar-exploit-en/"
+ ],
+ "synonyms": [
+ "Goldmouse"
+ ]
+ },
+ "uuid": "ee7f535d-cc3e-40f3-99f3-c97963cfa250",
+ "value": "APT-C-27"
 }
 ],
- "version": 100
+ "version": 101
 }
From 3c207f69be0c6db1a3ac9741ad8063e8243e783e Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Wed, 20 Mar 2019 16:11:50 +0100
Subject: [PATCH 4/5] add Cardinal RAT ref

---
 clusters/rat.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/clusters/rat.json b/clusters/rat.json
index 8c4d33d..5ae1e48 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -2543,7 +2543,8 @@
 "refs": [
 "https://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/",
 "https://www.scmagazine.com/cardinal-rats-unique-downloader-allowed-it-to-avoid-detection-for-years/article/651927/",
- "https://www.cyber.nj.gov/threat-profiles/trojan-variants/cardinal"
+ "https://www.cyber.nj.gov/threat-profiles/trojan-variants/cardinal",
+ "https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/"
 ]
 },
 "uuid": "cb23f563-a8b9-4427-9884-594e8d3cc836",
From d0383b460f38d76d8baf562fda82f1745e731f4d Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 21 Mar 2019 09:15:16 +0100
Subject: [PATCH 5/5] jq

---
 clusters/threat-actor.json | 1 -
 1 file changed, 1 deletion(-)

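Review bot: The new APT-C-27 entry in clusters/threat-actor.json has no `description`, so a consumer of the cluster sees only the name, one synonym and a URL; the neighbouring entries are outside the hunk, but a one-line summary drawn from the cited report would make the entry self-describing, e.g. `"description": "APT-C-27, also tracked as Goldmouse, is a threat actor that 360 Threat Intelligence reported conducting suspected targeted attacks against the Middle East using a WinRAR exploit.",` placed before `"meta"`. The `refs` URL contains unencoded parentheses and a colon in its path (`apt-c-27-(goldmouse):-suspected…`); those characters are permitted in a URL path, but the link should be checked to resolve as written, since some consumers re-encode or truncate such paths. The patch subject also spells the group `AOT-C-27` while the entry's `value` is `APT-C-27`.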
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index bbd3dc5..4c56e43 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6646,6 +6646,5 @@
 "value": "APT-C-27"
 }
 ],
- "version": 104
 }
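Review bot: On the new side of this hunk the top-level object ends with `],` immediately followed by `}` once `"version": 104` is removed, which leaves a trailing comma that a strict RFC 8259 parser rejects, and the cluster loses its `version` field, which the other patches in this series bump on every content change. The hunk header counts six old lines but only five are visible in this collapsed rendering, so one whitespace-only line may have been lost here; if the intent of the "jq" commit was a reformat, the expected outcome would be a `version` line that is kept or bumped rather than dropped. Please confirm the file still parses after this commit, e.g. with `jq . clusters/threat-actor.json`, before merging.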