From 050a864be04d1e60257e9033fef4757b33cb831a Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Wed, 8 Aug 2018 14:20:38 +0200
Subject: [PATCH 1/7] update some clusters and try to add a relationship system
---
 clusters/ransomware.json | 4 ++-
 clusters/threat-actor.json | 61 ++++++++++++++++++++++++++++++++++----
 2 files changed, 59 insertions(+), 6 deletions(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index e64aa02..ed79dad 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -8016,7 +8016,9 @@
 "https://download.bleepingcomputer.com/demonslay335/SamSamStringDecrypter.zip",
 "http://blog.talosintel.com/2016/03/samsam-ransomware.html",
 "http://www.intelsecurity.com/advanced-threat-research/content/Analysis_SamSa_Ransomware.pdf",
- "https://www.bleepingcomputer.com/news/security/new-samsam-variant-requires-special-password-before-infection/"
+ "https://www.bleepingcomputer.com/news/security/new-samsam-variant-requires-special-password-before-infection/",
+ "https://www.bleepingcomputer.com/news/security/samsam-ransomware-crew-made-nearly-6-million-from-ransom-payments/",
+ "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf"
 ]
 },
 "uuid": "731e4a5e-35f2-47b1-80ba-150b95fdc14d"
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2b4c767..db68cd8 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -774,10 +774,22 @@
 "refs": [
 "https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html",
 "http://arstechnica.com/security/2015/04/elite-cyber-crime-group-strikes-back-after-attack-by-rival-apt-gang/",
- "https://github.com/nccgroup/Royal_APT"
+ "https://github.com/nccgroup/Royal_APT",
+ "https://www.cfr.org/interactive/cyber-operations/mirage"
+ ],
+ "cfr-suspected-victims": [
+ "European Union",
+ "India",
+ "United Kingdom"
+ ],
+ "cfr-suspected-state-sponsor": "China",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Government"
 ]
 },
 "value": "Mirage",
+ "description": "This threat actor uses phishing techniques to compromise the networks of foreign ministries of European countries for espionage purposes.",
 "uuid": "3501fbf2-098f-47e7-be6a-6b0ff5742ce8"
 },
 {
@@ -967,7 +979,19 @@
 ],
 "country": "CN",
 "refs": [
- "http://www.crowdstrike.com/blog/whois-samurai-panda/"
+ "http://www.crowdstrike.com/blog/whois-samurai-panda/",
+ "https://www.cfr.org/interactive/cyber-operations/sykipot"
+ ],
+ "cfr-suspected-victims": [
+ "United States",
+ "United Kingdom",
+ "Hong Kong"
+ ],
+ "cfr-suspected-state-sponsor": "China",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Private sector",
+ "Military"
 ]
 },
 "value": "Samurai Panda",
@@ -1082,7 +1106,14 @@
 },
 "value": "Flying Kitten",
 "description": "Activity: defense and aerospace sectors, also interested in targeting entities in the oil/gas industry.",
- "uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48"
+ "uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48",
+ "related": [
+ {
+ "dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a",
+ "type": "similar",
+ "likelihood-probability": "very-likely"
+ }
+ ]
 },
 {
 "meta": {
@@ -1189,6 +1220,7 @@
 "synonyms": [
 "TEMP.Beanie",
 "Operation Woolen Goldfish",
+ "Operation Woolen-Goldfish",
 "Thamar Reservoir",
 "Timberworm"
 ],
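Review bot: The Samurai Panda hunk (`@@ -967,7 +979,19 @@`) attaches the CFR `sykipot` reference together with a `cfr-suspected-victims` / `cfr-suspected-state-sponsor` / `cfr-type-of-incident` / `cfr-target-category` block, and the Maverick Panda hunk (`@@ -3056,7 +3095,19 @@`) receives the same reference and the same block verbatim. Two clusters now carry one source's incident data as independent copies, which will drift the next time either cluster is edited and leaves a reader unable to tell whether CFR describes one group or both. If the intent is that the two actors are the same or overlapping group, the `related` key this same commit introduces would express that link once, with its own `tags`, instead of duplicating `meta`; if the CFR entry describes only one of them, the block belongs on that cluster alone. Whether `meta` is open to new `cfr-*` keys cannot be seen from the hunk, since `schema_clusters.json` is only touched later in the series and those keys are not added to it.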
@@ -1230,7 +1262,14 @@
 },
 "description": "Targets Saudi Arabia, Israel, US, Iran, high ranking defense officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and various scholars, including scientists in the fields of physics and nuclear sciences.",
 "value": "Rocket Kitten",
- "uuid": "f873db71-3d53-41d5-b141-530675ade27a"
+ "uuid": "f873db71-3d53-41d5-b141-530675ade27a",
+ "related": [
+ {
+ "dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48",
+ "type": "similar",
+ "likelihood-probability": "very-likely"
+ }
+ ]
 },
 {
 "meta": {
@@ -3056,7 +3095,19 @@
 "refs": [
 "https://www.alienvault.com/open-threat-exchange/blog/new-sykipot-developments",
 "http://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/",
- "https://www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-sykipot-smartcard-proxy-variant-33919"
+ "https://www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-sykipot-smartcard-proxy-variant-33919",
+ "https://www.cfr.org/interactive/cyber-operations/sykipot"
+ ],
+ "cfr-suspected-victims": [
+ "United States",
+ "United Kingdom",
+ "Hong Kong"
+ ],
+ "cfr-suspected-state-sponsor": "China",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Private sector",
+ "Military"
 ]
 },
 "value": "Maverick Panda",
From b857be9cabb02fb24aa5ef7db8e0c209a630189b Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Wed, 8 Aug 2018 15:51:22 +0200
Subject: [PATCH 2/7] relationship system - v2
---
 clusters/threat-actor.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index db68cd8..afac4d8 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -1111,7 +1111,7 @@
 {
 "dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a",
 "type": "similar",
- "likelihood-probability": "very-likely"
+ "tags": "estimative-language:likelihood-probability=\"very-likely\""
 }
 ]
 },
@@ -1267,7 +1267,7 @@
 {
 "dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48",
 "type": "similar",
- "likelihood-probability": "very-likely"
+ "tags": "estimative-language:likelihood-probability=\"very-likely\""
 }
 ]
 },
From 33a300b77327116160ab03a0bf7086a4422a7c28 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Wed, 8 Aug 2018 15:59:44 +0200
Subject: [PATCH 3/7] tags is an array
---
 clusters/threat-actor.json | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index afac4d8..781cf40 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -1111,7 +1111,9 @@
 {
 "dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a",
 "type": "similar",
- "tags": "estimative-language:likelihood-probability=\"very-likely\""
+ "tags": [
+ "estimative-language:likelihood-probability=\"very-likely\""
+ ]
 }
 ]
 },
@@ -1267,7 +1269,9 @@
 {
 "dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48",
 "type": "similar",
- "tags": "estimative-language:likelihood-probability=\"very-likely\""
+ "tags": [
+ "estimative-language:likelihood-probability=\"very-likely\""
+ ]
 }
 ]
 },
From 803b75647e6cc688c46f0fd143034630908f7a8d Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Wed, 8 Aug 2018 16:05:11 +0200
Subject: [PATCH 4/7] update schema
---
 schema_clusters.json | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/schema_clusters.json b/schema_clusters.json
index 87b0485..cd22fc5 100644
--- a/schema_clusters.json
+++ b/schema_clusters.json
@@ -37,7 +37,26 @@
 "type": "string"
 },
 "uuid": {
- "type": "string"
+ "type": "string",
+ "related": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "dest-uuid": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "type": "string"
+ }
+ }
+ }
+ }
 },
 "meta": {
 "type": "object",
From ebc7287e14d51b57461e8c51a347ff915c150f8e Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Wed, 8 Aug 2018 16:12:29 +0200
Subject: [PATCH 5/7] update schema
---
 clusters/threat-actor.json | 7 ++-----
 schema_clusters.json | 4 ++--
 2 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 781cf40..ad1e74e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -1107,15 +1107,13 @@
 "value": "Flying Kitten",
 "description": "Activity: defense and aerospace sectors, also interested in targeting entities in the oil/gas industry.",
 "uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48",
- "related": [
- {
+ "related": {
 "dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a",
 "type": "similar",
 "tags": [
 "estimative-language:likelihood-probability=\"very-likely\""
 ]
 }
- ]
 },
 {
 "meta": {
@@ -1265,7 +1263,7 @@
 "description": "Targets Saudi Arabia, Israel, US, Iran, high ranking defense officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and various scholars, including scientists in the fields of physics and nuclear sciences.",
 "value": "Rocket Kitten",
 "uuid": "f873db71-3d53-41d5-b141-530675ade27a",
- "related": [
+ "related":
 {
 "dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48",
 "type": "similar",
@@ -1273,7 +1271,6 @@
 "estimative-language:likelihood-probability=\"very-likely\""
 ]
 }
- ]
 },
 {
 "meta": {
diff --git a/schema_clusters.json b/schema_clusters.json
index cd22fc5..50e74e1 100644
--- a/schema_clusters.json
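Review bot: The `related` subschema added in the `@@ -37,7 +37,26 @@` hunk is declared as a single object, so a cluster can state only one relationship, whereas the patch 1 data for Flying Kitten and Rocket Kitten used an array, which is the shape that survives a second related actor; the patch 5 threat-actor hunks (`@@ -1107,15 +1107,13 @@` and `@@ -1265,7 +1263,7 @@`) then flatten the data to a single object to fit this schema, so the restriction ends up in the data as well. Declaring `related` as an array of these objects keeps the one-to-many case, and a `required` list pins `dest-uuid` and `type`, which `additionalProperties: false` alone leaves optional so an empty `{}` entry validates. The rewritten subschema follows; its placement (nested under `uuid` in this hunk, moved out by patch 5) is left as the series' final position.
```json
"related": {
  "type": "array",
  "uniqueItems": true,
  "items": {
    "type": "object",
    "additionalProperties": false,
    "required": [
      "dest-uuid",
      "type"
    ],
    "properties": {
      "dest-uuid": {
        "type": "string"
      },
      "type": {
        "type": "string"
      },
      "tags": {
        "type": "array",
        "uniqueItems": true,
        "items": {
          "type": "string"
        }
      }
    }
  }
}
```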
+++ b/schema_clusters.json
@@ -37,7 +37,8 @@
 "type": "string"
 },
 "uuid": {
- "type": "string",
+ "type": "string"
+ },
 "related": {
 "type": "object",
 "additionalProperties": false,
@@ -56,7 +57,6 @@
 }
 }
 }
- }
 },
 "meta": {
 "type": "object",
From 0af22724a6ada7638b5afb4a6576153fba428c5a Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 8 Aug 2018 16:37:59 +0200
Subject: [PATCH 6/7] chg: [schema clusters] fix the JSON indentation
---
 schema_clusters.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/schema_clusters.json b/schema_clusters.json
index 50e74e1..9c11e4d 100644
--- a/schema_clusters.json
+++ b/schema_clusters.json
@@ -38,7 +38,7 @@
 },
 "uuid": {
 "type": "string"
- },
+ },
 "related": {
 "type": "object",
 "additionalProperties": false,
From 1429b60555117ec5e7c5388944f64a9b09d63b84 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 8 Aug 2018 16:38:39 +0200
Subject: [PATCH 7/7] chg: [threat-actor] jq document
---
 clusters/threat-actor.json | 27 +++++++++++++--------------
 1 file changed, 13 insertions(+), 14 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index ad1e74e..73fb8cc 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -1108,12 +1108,12 @@
 "description": "Activity: defense and aerospace sectors, also interested in targeting entities in the oil/gas industry.",
 "uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48",
 "related": {
- "dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a",
- "type": "similar",
- "tags": [
- "estimative-language:likelihood-probability=\"very-likely\""
- ]
- }
+ "dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a",
+ "type": "similar",
+ "tags": [
+ "estimative-language:likelihood-probability=\"very-likely\""
+ ]
+ }
 },
 {
 "meta": {
@@ -1263,14 +1263,13 @@
 "description": "Targets Saudi Arabia, Israel, US, Iran, high ranking defense officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and various scholars, including scientists in the fields of physics and nuclear sciences.",
 "value": "Rocket Kitten",
 "uuid": "f873db71-3d53-41d5-b141-530675ade27a",
- "related":
- {
- "dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48",
- "type": "similar",
- "tags": [
- "estimative-language:likelihood-probability=\"very-likely\""
- ]
- }
+ "related": {
+ "dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48",
+ "type": "similar",
+ "tags": [
+ "estimative-language:likelihood-probability=\"very-likely\""
+ ]
+ }
 },
 {
 "meta": {