misp-circl-feed/feeds/circl/misp/c578cb44-e440-486d-80a4-8cf6256c1d53.json

{
"type": "bundle",
"id": "bundle--c578cb44-e440-486d-80a4-8cf6256c1d53",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-12-05T07:54:14.000Z",
"modified": "2023-12-05T07:54:14.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--c578cb44-e440-486d-80a4-8cf6256c1d53",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-12-05T07:54:14.000Z",
"modified": "2023-12-05T07:54:14.000Z",
"name": "AA23-335A: IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities",
"published": "2023-12-05T08:49:26Z",
"object_refs": [
"indicator--b4097d04-408a-4279-aac4-40ae3dd0710f",
"indicator--95a83932-6e7a-4024-b3f5-d878d78fd1d0",
"indicator--eb825787-5cf3-423a-aec9-42d611cc61e1",
"indicator--695afe84-7eb6-4004-a7e1-2ad80bfa5131",
"indicator--b74311f5-0fc4-4fda-a6c3-3a13cf1d3069",
"x-misp-object--0025bc8f-1af0-48a6-9534-e82af80ee21c",
"x-misp-object--157412c1-046a-4e74-99f8-84a148792839"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:stix-2.1-attack-pattern=\"9a280255-c770-4d42-ae50-aff1896ebded\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"tlp:clear"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--b4097d04-408a-4279-aac4-40ae3dd0710f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-12-04T20:38:04.000Z",
"modified": "2023-12-04T20:38:04.000Z",
"pattern": "[file:hashes.SHA256 = '440b5385d3838e3f6bc21220caa83b65cd5f3618daea676f271c3671650ce9a3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-09-13T00:00:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--95a83932-6e7a-4024-b3f5-d878d78fd1d0",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-12-04T20:38:04.000Z",
"modified": "2023-12-04T20:38:04.000Z",
"pattern": "[file:hashes.SHA1 = '66ae21571faee1e258549078144325dc9dd60303']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-09-13T00:00:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--eb825787-5cf3-423a-aec9-42d611cc61e1",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-12-04T20:38:04.000Z",
"modified": "2023-12-04T20:38:04.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '178.162.227.180']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-09-13T00:00:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--695afe84-7eb6-4004-a7e1-2ad80bfa5131",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-12-04T20:38:04.000Z",
"modified": "2023-12-04T20:38:04.000Z",
"pattern": "[file:hashes.MD5 = 'ba284a4b508a7abd8070a427386e93e0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-09-13T00:00:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--b74311f5-0fc4-4fda-a6c3-3a13cf1d3069",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-12-04T20:38:04.000Z",
"modified": "2023-12-04T20:38:04.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.162.235.206']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-14T00:00:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--0025bc8f-1af0-48a6-9534-e82af80ee21c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-12-05T07:48:53.000Z",
"modified": "2023-12-05T07:48:53.000Z",
"labels": [
"misp:name=\"original-imported-file\"",
"misp:meta-category=\"file\""
],
"x_misp_attributes": [
{
"type": "attachment",
"object_relation": "imported-sample",
"value": "AA23-335A-IRGC-Affiliated-Cyber-Actors-Exploit-PLCs-in-Multiple-Sectors-Including-US-Water-and-Wastewater-Systems-Facilities.stix_.json",
"category": "External analysis",
"uuid": "63b59f7b-462d-4bdb-9861-b2de803a358c",
"data": "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
},
{
"type": "text",
"object_relation": "format",
"value": "STIX 2.1",
"category": "Other",
"uuid": "a8bc59ca-67e3-4e50-acd3-c1867a2acc3c"
}
],
"x_misp_meta_category": "file",
"x_misp_name": "original-imported-file"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--157412c1-046a-4e74-99f8-84a148792839",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-12-05T07:54:14.000Z",
"modified": "2023-12-05T07:54:14.000Z",
"labels": [
"misp:name=\"report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "link",
"value": "https://www.cisa.gov/sites/default/files/2023-12/AA23-335A-IRGC-Affiliated-Cyber-Actors-Exploit-PLCs-in-Multiple-Sectors-Including-US-Water-and-Wastewater-Systems-Facilities.stix_.json",
"category": "External analysis",
"uuid": "c6fbcbef-c300-445b-85d0-025c748f5545"
},
{
"type": "text",
"object_relation": "summary",
"value": "The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Environmental Protection Agency (EPA), and the Israel National Cyber Directorate (INCD)\u2014hereafter referred to as \"the authoring agencies\" - are disseminating this joint Cybersecurity Advisory (CSA) to highlight continued malicious cyber activity against operational technology devices by Iranian Government Islamic Revolutionary Guard Corps (IRGC)-affiliated Advanced Persistent Threat (APT) cyber actors. \r\n\r\nThe IRGC is an Iranian military organization that the United States designated as a foreign terrorist organization in 2019. IRGC-affiliated cyber actors using the persona \u201cCyberAv3ngers\u201d are actively targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs). These PLCs are commonly used in the Water and Wastewater Systems (WWS) Sector and are additionally used in other industries including, but not limited to, energy, food and beverage manufacturing, and healthcare. The PLCs may be rebranded and appear as different manufacturers and companies. In addition to the recent CISA Alert, the authoring agencies are releasing this joint CSA to share indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with IRGC cyber operations.\r\n",
"category": "Other",
"uuid": "548e3b68-36bd-4297-b825-3cadd87fc1c7"
}
],
"x_misp_comment": "AA23-335A: IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities",
"x_misp_meta_category": "misc",
"x_misp_name": "report"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}