|
{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--589a2465-af44-4854-8eea-468d950d210f",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-07T19:53:59.000Z",
|
||
|
"modified": "2017-02-07T19:53:59.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--589a2465-af44-4854-8eea-468d950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-07T19:53:59.000Z",
|
||
|
"modified": "2017-02-07T19:53:59.000Z",
|
||
|
"name": "OSINT - The Curious Case of a Reconnaissance Campaign Targeting Ministry and Embassy Sites",
|
||
|
"published": "2017-02-07T19:58:32Z",
|
||
|
"object_refs": [
|
||
|
"x-misp-attribute--589a2480-7b68-44ae-8e33-4ce1950d210f",
|
||
|
"indicator--589a24aa-505c-4b6f-b706-484a950d210f",
|
||
|
"indicator--589a24ab-22cc-426a-8a01-4386950d210f",
|
||
|
"indicator--589a24ac-c1e8-412a-8d78-43a7950d210f",
|
||
|
"indicator--589a24ad-f13c-40e8-aab8-41c4950d210f",
|
||
|
"indicator--589a24ae-0cb4-4a8a-a8a5-4437950d210f",
|
||
|
"x-misp-attribute--589a2515-1f2c-44b9-8f5b-4921950d210f",
|
||
|
"x-misp-attribute--589a2516-eed8-44ce-ae04-4cbd950d210f",
|
||
|
"x-misp-attribute--589a2516-f488-4298-aafc-46ba950d210f",
|
||
|
"x-misp-attribute--589a2517-4ce0-4f23-ac97-48d3950d210f",
|
||
|
"x-misp-attribute--589a2518-0034-4804-be23-4b7b950d210f",
|
||
|
"x-misp-attribute--589a2519-229c-4fc7-9181-4121950d210f",
|
||
|
"x-misp-attribute--589a251a-1d2c-4aa6-be92-46c8950d210f",
|
||
|
"x-misp-attribute--589a251b-d124-4cf0-b8b2-4bb3950d210f",
|
||
|
"x-misp-attribute--589a251c-2e34-4550-b107-41aa950d210f",
|
||
|
"x-misp-attribute--589a251d-1f24-4f83-a9a8-48a7950d210f",
|
||
|
"x-misp-attribute--589a251e-9d7c-4341-94bb-4505950d210f",
|
||
|
"observed-data--589a2583-b4f0-40e7-a3ee-487c950d210f",
|
||
|
"url--589a2583-b4f0-40e7-a3ee-487c950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"misp-galaxy:tool=\"Turla\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--589a2480-7b68-44ae-8e33-4ce1950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-07T19:48:16.000Z",
|
||
|
"modified": "2017-02-07T19:48:16.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "Forcepoint Security Labs\u2122 came across a malicious reconnaissance campaign that targets websites. It is unknown what is the intent behind the campaign as of this writing, however, the profile of the targets resembles those that are common targets of Advanced Persistent Threat (APT) actors. As the attack is currently active, it effectively turns compromised sites into attack surfaces against their visitors.\r\n\r\nFurthermore, the injections resemble those used by the Turla group, such as those previously documented by Swiss GovCERT last year. In this post, we will share our findings on this campaign's targets and injected code as well as provide insights to its timeline."
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589a24aa-505c-4b6f-b706-484a950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-07T19:48:58.000Z",
|
||
|
"modified": "2017-02-07T19:48:58.000Z",
|
||
|
"description": "Landing Pages",
|
||
|
"pattern": "[url:value = 'http://rss.nbcpost.com/news/today/content.php']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-07T19:48:58Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589a24ab-22cc-426a-8a01-4386950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-07T19:48:59.000Z",
|
||
|
"modified": "2017-02-07T19:48:59.000Z",
|
||
|
"description": "Landing Pages",
|
||
|
"pattern": "[url:value = 'http://drivers.epsoncorp.com/plugin/analytics/counter.js']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-07T19:48:59Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589a24ac-c1e8-412a-8d78-43a7950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-07T19:49:00.000Z",
|
||
|
"modified": "2017-02-07T19:49:00.000Z",
|
||
|
"description": "Landing Pages",
|
||
|
"pattern": "[url:value = 'http://www.mentalhealthcheck.net/update/check.php']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-07T19:49:00Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589a24ad-f13c-40e8-aab8-41c4950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-07T19:49:01.000Z",
|
||
|
"modified": "2017-02-07T19:49:01.000Z",
|
||
|
"description": "Landing Pages",
|
||
|
"pattern": "[url:value = 'http://www.mentalhealthcheck.net/update/counter.js']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-07T19:49:01Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589a24ae-0cb4-4a8a-a8a5-4437950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-07T19:49:02.000Z",
|
||
|
"modified": "2017-02-07T19:49:02.000Z",
|
||
|
"description": "Landing Pages",
|
||
|
"pattern": "[url:value = 'http://static.travelclothes.org/main.js']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-07T19:49:02Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--589a2515-1f2c-44b9-8f5b-4921950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-07T19:50:45.000Z",
|
||
|
"modified": "2017-02-07T19:50:45.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"target-external\"",
|
||
|
"misp:category=\"Targeting data\""
|
||
|
],
|
||
|
"x_misp_category": "Targeting data",
|
||
|
"x_misp_type": "target-external",
|
||
|
"x_misp_value": "Foreign affairs ministries of Kyrgyzstan, Moldova and Uzbekistan"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--589a2516-eed8-44ce-ae04-4cbd950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-07T19:50:46.000Z",
|
||
|
"modified": "2017-02-07T19:50:46.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"target-external\"",
|
||
|
"misp:category=\"Targeting data\""
|
||
|
],
|
||
|
"x_misp_category": "Targeting data",
|
||
|
"x_misp_type": "target-external",
|
||
|
"x_misp_value": "Embassy sites of Iraq, Jordan, Zambia and Russia"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--589a2516-f488-4298-aafc-46ba950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-07T19:50:46.000Z",
|
||
|
"modified": "2017-02-07T19:50:46.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"target-external\"",
|
||
|
"misp:category=\"Targeting data\""
|
||
|
],
|
||
|
"x_misp_category": "Targeting data",
|
||
|
"x_misp_type": "target-external",
|
||
|
"x_misp_value": "A political party in Austria"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--589a2517-4ce0-4f23-ac97-48d3950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-07T19:50:47.000Z",
|
||
|
"modified": "2017-02-07T19:50:47.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"target-external\"",
|
||
|
"misp:category=\"Targeting data\""
|
||
|
],
|
||
|
"x_misp_category": "Targeting data",
|
||
|
"x_misp_type": "target-external",
|
||
|
"x_misp_value": "A government-run, sustainability site in Austria"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--589a2518-0034-4804-be23-4b7b950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-07T19:50:48.000Z",
|
||
|
"modified": "2017-02-07T19:50:48.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"target-external\"",
|
||
|
"misp:category=\"Targeting data\""
|
||
|
],
|
||
|
"x_misp_category": "Targeting data",
|
||
|
"x_misp_type": "target-external",
|
||
|
"x_misp_value": "A sports association in Austria"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--589a2519-229c-4fc7-9181-4121950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-07T19:50:49.000Z",
|
||
|
"modified": "2017-02-07T19:50:49.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"target-external\"",
|
||
|
"misp:category=\"Targeting data\""
|
||
|
],
|
||
|
"x_misp_category": "Targeting data",
|
||
|
"x_misp_type": "target-external",
|
||
|
"x_misp_value": "A Somalian news site"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--589a251a-1d2c-4aa6-be92-46c8950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-07T19:50:50.000Z",
|
||
|
"modified": "2017-02-07T19:50:50.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"target-external\"",
|
||
|
"misp:category=\"Targeting data\""
|
||
|
],
|
||
|
"x_misp_category": "Targeting data",
|
||
|
"x_misp_type": "target-external",
|
||
|
"x_misp_value": "A socialist organization in Spain"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--589a251b-d124-4cf0-b8b2-4bb3950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-07T19:50:51.000Z",
|
||
|
"modified": "2017-02-07T19:50:51.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"target-external\"",
|
||
|
"misp:category=\"Targeting data\""
|
||
|
],
|
||
|
"x_misp_category": "Targeting data",
|
||
|
"x_misp_type": "target-external",
|
||
|
"x_misp_value": "An international cooperation organization based in France"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--589a251c-2e34-4550-b107-41aa950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-07T19:50:52.000Z",
|
||
|
"modified": "2017-02-07T19:50:52.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"target-external\"",
|
||
|
"misp:category=\"Targeting data\""
|
||
|
],
|
||
|
"x_misp_category": "Targeting data",
|
||
|
"x_misp_type": "target-external",
|
||
|
"x_misp_value": "An African union site"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--589a251d-1f24-4f83-a9a8-48a7950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-07T19:50:53.000Z",
|
||
|
"modified": "2017-02-07T19:50:53.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"target-external\"",
|
||
|
"misp:category=\"Targeting data\""
|
||
|
],
|
||
|
"x_misp_category": "Targeting data",
|
||
|
"x_misp_type": "target-external",
|
||
|
"x_misp_value": "A road safety site from Ukraine"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--589a251e-9d7c-4341-94bb-4505950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-07T19:50:54.000Z",
|
||
|
"modified": "2017-02-07T19:50:54.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"target-external\"",
|
||
|
"misp:category=\"Targeting data\""
|
||
|
],
|
||
|
"x_misp_category": "Targeting data",
|
||
|
"x_misp_type": "target-external",
|
||
|
"x_misp_value": "An African plant society"
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--589a2583-b4f0-40e7-a3ee-487c950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-07T19:53:59.000Z",
|
||
|
"modified": "2017-02-07T19:53:59.000Z",
|
||
|
"first_observed": "2017-02-07T19:53:59Z",
|
||
|
"last_observed": "2017-02-07T19:53:59Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--589a2583-b4f0-40e7-a3ee-487c950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\"",
|
||
|
"osint:source-type=\"blog-post\"",
|
||
|
"admiralty-scale:source-reliability=\"b\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--589a2583-b4f0-40e7-a3ee-487c950d210f",
|
||
|
"value": "https://blogs.forcepoint.com/security-labs/curious-case-reconnaissance-campaign-targeting-ministry-and-embassy-sites"
|
||
|
},
|
||
|
{
|
||
|
"type": "marking-definition",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
"definition_type": "tlp",
|
||
|
"name": "TLP:WHITE",
|
||
|
"definition": {
|
||
|
"tlp": "white"
|
||
|
}
|
||
|
}
|
||
|
]
|
||
|
}
|