355 lines
14 KiB
JSON
355 lines
14 KiB
JSON
|
{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--e8141fc5-e84d-4aeb-8879-f71caffab35a",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2023-08-29T13:44:26.000Z",
|
||
|
"modified": "2023-08-29T13:44:26.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--e8141fc5-e84d-4aeb-8879-f71caffab35a",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2023-08-29T13:44:26.000Z",
|
||
|
"modified": "2023-08-29T13:44:26.000Z",
|
||
|
"name": "FIN8-LINKED ACTOR TARGETS CITRIX NETSCALER SYSTEMS",
|
||
|
"published": "2023-08-29T13:45:05Z",
|
||
|
"object_refs": [
|
||
|
"indicator--14f20043-2e62-43b0-92ff-f0aac97f3bd6",
|
||
|
"indicator--50beeb77-22e3-408b-b1a7-081e17e4d087",
|
||
|
"indicator--4efab437-35ff-4c9d-8e6b-448f06df320d",
|
||
|
"indicator--9767d317-7f96-4d64-aae1-3c8102e08226",
|
||
|
"indicator--bb3747d5-07b1-44fd-8ecf-84807514b5bc",
|
||
|
"indicator--71bb09f8-b274-403b-98c0-e15e46c62382",
|
||
|
"indicator--8d152d5d-8d23-4791-bf82-9583f51eb30e",
|
||
|
"indicator--30767882-5846-4f4b-9887-5faac3f0aec0",
|
||
|
"indicator--d6756678-c4d9-4c96-ac80-9477ac1a28e1",
|
||
|
"indicator--d287851e-8762-4e63-96bc-b5ec5e9e93bf",
|
||
|
"x-misp-object--04d8530b-7834-425b-8db9-83c89bf9712b",
|
||
|
"x-misp-object--d18c50e6-70d7-4ddf-8f19-67b233b1b9df"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"type:OSINT",
|
||
|
"osint:lifetime=\"perpetual\"",
|
||
|
"osint:certainty=\"50\"",
|
||
|
"tlp:clear",
|
||
|
"misp-galaxy:malpedia=\"Unidentified 103 (FIN8)\"",
|
||
|
"misp-galaxy:mitre-enterprise-attack-intrusion-set=\"FIN8 - G0061\"",
|
||
|
"misp-galaxy:mitre-intrusion-set=\"FIN8 - G0061\"",
|
||
|
"misp-galaxy:threat-actor=\"FIN8\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--14f20043-2e62-43b0-92ff-f0aac97f3bd6",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2023-08-29T13:42:56.000Z",
|
||
|
"modified": "2023-08-29T13:42:56.000Z",
|
||
|
"pattern": "[file:hashes.SHA256 = 'ec89ec41f0e0a7e60fa3f6267d0197c7fa8568e11a2c564f6d59855ddd9e1d64']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2023-08-29T13:42:56Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--50beeb77-22e3-408b-b1a7-081e17e4d087",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2023-08-29T13:42:56.000Z",
|
||
|
"modified": "2023-08-29T13:42:56.000Z",
|
||
|
"pattern": "[file:hashes.SHA256 = 'bb28ba8d838c8eefdd5ae1e23d5872968d84e8cb86bf292b2c3bf4c84ad7dbd0']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2023-08-29T13:42:56Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--4efab437-35ff-4c9d-8e6b-448f06df320d",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2023-08-29T13:42:56.000Z",
|
||
|
"modified": "2023-08-29T13:42:56.000Z",
|
||
|
"pattern": "[file:hashes.SHA256 = '94f09d01e1397ca80c71b488b8775acfe2776b5ab42e9a54547d9e5f58caf11a']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2023-08-29T13:42:56Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--9767d317-7f96-4d64-aae1-3c8102e08226",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2023-08-29T13:42:56.000Z",
|
||
|
"modified": "2023-08-29T13:42:56.000Z",
|
||
|
"pattern": "[file:hashes.SHA256 = '857d6f7e4b96738adb9cc023e2c504362fe8b73bdce422f8f8cb791dd6ac2449']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2023-08-29T13:42:56Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--bb3747d5-07b1-44fd-8ecf-84807514b5bc",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2023-08-29T13:42:56.000Z",
|
||
|
"modified": "2023-08-29T13:42:56.000Z",
|
||
|
"pattern": "[file:hashes.SHA256 = '383df272841f9a677ee03f6f553bc6cf3197427d792dc9f86b7fb1911dc83d71']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2023-08-29T13:42:56Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--71bb09f8-b274-403b-98c0-e15e46c62382",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2023-08-29T13:42:56.000Z",
|
||
|
"modified": "2023-08-29T13:42:56.000Z",
|
||
|
"pattern": "[file:hashes.SHA256 = '2d53aaa2638f9a986779b9e36a7b6dfdaddf3cc06698f4aa9f558c1a0591dc9a']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2023-08-29T13:42:56Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--8d152d5d-8d23-4791-bf82-9583f51eb30e",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2023-08-29T13:42:56.000Z",
|
||
|
"modified": "2023-08-29T13:42:56.000Z",
|
||
|
"pattern": "[file:hashes.SHA256 = '20b375ac4487a5955d4b0dd0a600e851d1e455a30c3f8babd0e7e1e97d11a073']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2023-08-29T13:42:56Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--30767882-5846-4f4b-9887-5faac3f0aec0",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2023-08-29T13:42:57.000Z",
|
||
|
"modified": "2023-08-29T13:42:57.000Z",
|
||
|
"pattern": "[file:hashes.SHA256 = '03657d8f9dcb49a690d4b07da4f49ead58000efe458ca3ba7f878233dd25e391']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2023-08-29T13:42:57Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--d6756678-c4d9-4c96-ac80-9477ac1a28e1",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2023-08-29T13:43:51.000Z",
|
||
|
"modified": "2023-08-29T13:43:51.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '85.239.53.49']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2023-08-29T13:43:51Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--d287851e-8762-4e63-96bc-b5ec5e9e93bf",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2023-08-29T13:43:51.000Z",
|
||
|
"modified": "2023-08-29T13:43:51.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.66.248.189']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2023-08-29T13:43:51Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-object",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-object--04d8530b-7834-425b-8db9-83c89bf9712b",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2023-08-29T13:42:15.000Z",
|
||
|
"modified": "2023-08-29T13:42:15.000Z",
|
||
|
"labels": [
|
||
|
"misp:name=\"report\"",
|
||
|
"misp:meta-category=\"misc\""
|
||
|
],
|
||
|
"x_misp_attributes": [
|
||
|
{
|
||
|
"type": "link",
|
||
|
"object_relation": "link",
|
||
|
"value": "https://github.com/sophoslabs/IoCs/blob/master/2023-08-25%20Citrix%20CVE-2023-3519%20attacks.csv",
|
||
|
"category": "External analysis",
|
||
|
"uuid": "23aa69bc-7ae8-46fc-b56c-4259becdfb82"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "type",
|
||
|
"value": "IoC-list",
|
||
|
"category": "Other",
|
||
|
"uuid": "22abc447-5527-43fc-ac45-f4b4de056416"
|
||
|
}
|
||
|
],
|
||
|
"x_misp_meta_category": "misc",
|
||
|
"x_misp_name": "report"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-object",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-object--d18c50e6-70d7-4ddf-8f19-67b233b1b9df",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2023-08-29T13:42:36.000Z",
|
||
|
"modified": "2023-08-29T13:42:36.000Z",
|
||
|
"labels": [
|
||
|
"misp:name=\"report\"",
|
||
|
"misp:meta-category=\"misc\""
|
||
|
],
|
||
|
"x_misp_attributes": [
|
||
|
{
|
||
|
"type": "link",
|
||
|
"object_relation": "link",
|
||
|
"value": "https://securityaffairs.com/150028/hacking/fin8-citrix-netscaler.html",
|
||
|
"category": "External analysis",
|
||
|
"uuid": "3596e269-9e73-423f-b31a-b69988a2b29c"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "type",
|
||
|
"value": "Blog",
|
||
|
"category": "Other",
|
||
|
"uuid": "ca88fda9-df20-49b6-be1c-b98cf066f145"
|
||
|
}
|
||
|
],
|
||
|
"x_misp_meta_category": "misc",
|
||
|
"x_misp_name": "report"
|
||
|
},
|
||
|
{
|
||
|
"type": "marking-definition",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
"definition_type": "tlp",
|
||
|
"name": "TLP:WHITE",
|
||
|
"definition": {
|
||
|
"tlp": "white"
|
||
|
}
|
||
|
}
|
||
|
]
|
||
|
}
|