{
"Event" : {
"analysis" : "2" ,
"date" : "2021-07-16" ,
"extends_uuid" : "" ,
"info" : "OSINT - Protecting customers from a private-sector offensive actor using 0-day exploits and DevilsTongue malware" ,
"publish_timestamp" : "1626429280" ,
"published" : true ,
"threat_level_id" : "1" ,
"timestamp" : "1626429105" ,
"uuid" : "21daf42e-7045-461c-8656-ff9894186820" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#004646" ,
"local" : "0" ,
"name" : "type:OSINT" ,
"relationship_type" : ""
} ,
{
"colour" : "#0071c3" ,
"local" : "0" ,
"name" : "osint:lifetime=\"perpetual\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0087e8" ,
"local" : "0" ,
"name" : "osint:certainty=\"50\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#ffffff" ,
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1626427759" ,
"to_ids" : false ,
"type" : "vulnerability" ,
"uuid" : "5943081c-8a85-46d1-ab52-f76ab1ce77d3" ,
"value" : "CVE-2021-31979"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1626427759" ,
"to_ids" : false ,
"type" : "vulnerability" ,
"uuid" : "c6223f13-3052-4d17-8414-53c8247d4336" ,
"value" : "CVE-2021-33771"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1626427920" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "834bc79d-2ab9-4d6d-88ac-958e4002f0ac" ,
"value" : "noc-service-streamer.com"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1626427920" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "86e09e70-3691-4a0e-9133-ca4d34d3765e" ,
"value" : "fbcdnads.live"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1626427920" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "4dec628f-d2c8-47ae-9895-fb8bd312639a" ,
"value" : "hilocake.info"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1626427920" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "acbb4f61-a934-4e35-96a9-2c36c65695b5" ,
"value" : "backxercise.com"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1626427920" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "938519ce-9f5b-48e1-8970-9277243bde83" ,
"value" : "winmslaf.xyz"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1626427920" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "4a17d32b-67c7-494b-82af-6c94a14a40b5" ,
"value" : "service-deamon.com"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1626427920" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "03025c82-02ed-4bd2-8d35-9296d3f12028" ,
"value" : "online-affiliate-mon.com"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1626427920" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "132c25d5-9373-4ac7-9709-b07d6f38f325" ,
"value" : "codeingasmylife.com"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1626427920" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "bdc5a7cb-0b72-4e8f-b458-01c1174febad" ,
"value" : "kenoratravels.com"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1626427920" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "80c6ee70-9a34-4460-8794-c5bdec459a7c" ,
"value" : "weathercheck.digital"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1626427920" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "0242da80-8905-43f7-a732-fa6de536a012" ,
"value" : "colorpallatess.com"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1626427920" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "526b69aa-8492-4fab-9e71-940c372e9ebc" ,
"value" : "library-update.com"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1626427920" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "80ab30f5-1082-4951-bb3c-7e9262450260" ,
"value" : "online-source-validate.com"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1626427920" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "bc3cc056-18ef-4fab-ba28-6c6650d38cc6" ,
"value" : "grayhornet.com"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1626427921" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "3353c7a2-18b2-4cfc-85b6-d37bdf67a66b" ,
"value" : "johnshopkin.net"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1626427921" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "9df83f7f-03c9-4147-905d-3f0a4a7b9162" ,
"value" : "eulenformacion.com"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1626427921" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "60838fb9-3271-4bcb-bea0-7ba16bb51fa1" ,
"value" : "pochtarossiy.info"
}
] ,
"Object" : [
{
"comment" : "" ,
"deleted" : false ,
"description" : "Metadata used to generate an executive level report" ,
"meta-category" : "misc" ,
"name" : "report" ,
"template_uuid" : "70a68471-df22-4e3f-aa1a-5a3be19f82df" ,
"template_version" : "4" ,
"timestamp" : "1626427734" ,
"uuid" : "ae4dccf1-d8a4-4527-87d8-32fcd90baf61" ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "link" ,
"timestamp" : "1626427734" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "bc590081-9e82-48ce-8663-566c7421fd16" ,
"value" : "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "summary" ,
"timestamp" : "1626427734" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "b3576c06-a702-4faa-97c2-3adf00bfc1d8" ,
"value" : "The Microsoft Threat Intelligence Center (MSTIC) alongside the Microsoft Security Response Center (MSRC) has uncovered a private-sector offensive actor, or PSOA, that we are calling SOURGUM in possession of now-patched, Windows 0-day exploits (CVE-2021-31979 and CVE-2021-33771).\r\n\r\nPrivate-sector offensive actors are private companies that manufacture and sell cyberweapons in hacking-as-a-service packages, often to government agencies around the world, to hack into their targets\u2019 computers, phones, network infrastructure, and other devices. With these hacking packages, usually the government agencies choose the targets and run the actual operations themselves. The tools, tactics, and procedures used by these companies only adds to the complexity, scale, and sophistication of attacks. We take these threats seriously and have moved swiftly alongside our partners to build in the latest protections for our customers.\r\n\r\nMSTIC believes SOURGUM is an Israel-based private-sector offensive actor. We would like to thank the Citizen Lab, at the University of Toronto\u2019s Munk School, for sharing the sample of malware that initiated this work and their collaboration during the investigation. In their blog, Citizen Lab asserts with high confidence that SOURGUM is an Israeli company commonly known as Candiru. Third-party reports indicate Candiru produces \u201chacking tools [that] are used to break into computers and servers\u201d."
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "type" ,
"timestamp" : "1626427734" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "2155e6e5-2440-444e-ac36-09e37ae13e2c" ,
"value" : "Blog post"
}
]
} ,
{
"comment" : "CVE-2021-31979: Enriched via the cve_advanced module" ,
"deleted" : false ,
"description" : "Vulnerability object describing a common vulnerability enumeration which can describe published, unpublished, under review or embargo vulnerability for software, equipments or hardware." ,
"meta-category" : "vulnerability" ,
"name" : "vulnerability" ,
"template_uuid" : "81650945-f186-437b-8945-9f31715d32da" ,
"template_version" : "8" ,
"timestamp" : "1626427770" ,
"uuid" : "97622622-6ddc-43ed-a2b5-8ccc5b1289ff" ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "CVE-2021-31979: Enriched via the cve_advanced module" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "id" ,
"timestamp" : "1626427770" ,
"to_ids" : false ,
"type" : "vulnerability" ,
"uuid" : "22bb6430-51bd-48f1-ab8a-19fe6124e2a4" ,
"value" : "CVE-2021-31979"
} ,
{
"category" : "Other" ,
"comment" : "CVE-2021-31979: Enriched via the cve_advanced module" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "summary" ,
"timestamp" : "1626427770" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "ca65da82-28c6-4464-a36c-984d0feb6a5c" ,
"value" : "Windows\u00a0Kernel\u00a0Elevation\u00a0of\u00a0Privilege\u00a0Vulnerability\u00a0This\u00a0CVE\u00a0ID\u00a0is\u00a0unique\u00a0from\u00a0CVE-2021-33771,\u00a0CVE-2021-34514."
} ,
{
"category" : "Other" ,
"comment" : "CVE-2021-31979: Enriched via the cve_advanced module" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "modified" ,
"timestamp" : "1626427770" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "62118501-1cb6-4824-a1b9-0fdcd0df6635" ,
"value" : "2021-07-14T19:14:00+00:00"
} ,
{
"category" : "Other" ,
"comment" : "CVE-2021-31979: Enriched via the cve_advanced module" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "published" ,
"timestamp" : "1626427770" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "a934dd36-e310-44e0-ae03-95dba69373f1" ,
"value" : "2021-07-14T18:15:00+00:00"
} ,
{
"category" : "Other" ,
"comment" : "CVE-2021-31979: Enriched via the cve_advanced module" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "state" ,
"timestamp" : "1626427770" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "4239dfa1-ac44-4e6d-b12a-334b82c86b05" ,
"value" : "Published"
} ,
{
"category" : "External analysis" ,
"comment" : "CVE-2021-31979: Enriched via the cve_advanced module" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "references" ,
"timestamp" : "1626427770" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "ee3cf759-6446-4d83-847c-18eb2022f806" ,
"value" : "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31979"
}
]
} ,
{
"comment" : "CVE-2021-33771: Enriched via the cve_advanced module" ,
"deleted" : false ,
"description" : "Vulnerability object describing a common vulnerability enumeration which can describe published, unpublished, under review or embargo vulnerability for software, equipments or hardware." ,
"meta-category" : "vulnerability" ,
"name" : "vulnerability" ,
"template_uuid" : "81650945-f186-437b-8945-9f31715d32da" ,
"template_version" : "8" ,
"timestamp" : "1626427795" ,
"uuid" : "52713382-c72c-45c5-a3c8-5948aaaf4a66" ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "CVE-2021-33771: Enriched via the cve_advanced module" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "id" ,
"timestamp" : "1626427795" ,
"to_ids" : false ,
"type" : "vulnerability" ,
"uuid" : "4a5a5afc-f53e-4b5f-8bfa-a77ccee7747e" ,
"value" : "CVE-2021-33771"
} ,
{
"category" : "Other" ,
"comment" : "CVE-2021-33771: Enriched via the cve_advanced module" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "summary" ,
"timestamp" : "1626427795" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5e5dc1c4-f0d7-43ea-ab6a-44b8cab7f006" ,
"value" : "Windows\u00a0Kernel\u00a0Elevation\u00a0of\u00a0Privilege\u00a0Vulnerability\u00a0This\u00a0CVE\u00a0ID\u00a0is\u00a0unique\u00a0from\u00a0CVE-2021-31979,\u00a0CVE-2021-34514."
} ,
{
"category" : "Other" ,
"comment" : "CVE-2021-33771: Enriched via the cve_advanced module" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "modified" ,
"timestamp" : "1626427795" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "9c7bba95-b769-4828-86d4-6886aff9a553" ,
"value" : "2021-07-14T19:14:00+00:00"
} ,
{
"category" : "Other" ,
"comment" : "CVE-2021-33771: Enriched via the cve_advanced module" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "published" ,
"timestamp" : "1626427795" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "c1d3a07d-bb92-4e90-8101-84ce8672a9c1" ,
"value" : "2021-07-14T18:15:00+00:00"
} ,
{
"category" : "Other" ,
"comment" : "CVE-2021-33771: Enriched via the cve_advanced module" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "state" ,
"timestamp" : "1626427795" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "7151a5d0-629a-4672-9705-bca51f1942c8" ,
"value" : "Published"
} ,
{
"category" : "External analysis" ,
"comment" : "CVE-2021-33771: Enriched via the cve_advanced module" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "references" ,
"timestamp" : "1626427795" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "4b7c95bf-2393-40b1-818c-7fcc074ae254" ,
"value" : "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33771"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An object describing a YARA rule (or a YARA rule name) along with its version." ,
"meta-category" : "misc" ,
"name" : "yara" ,
"template_uuid" : "b5acf82e-ecca-4868-82fe-9dbdf4d808c3" ,
"template_version" : "5" ,
"timestamp" : "1626427834" ,
"uuid" : "f7f3e4bd-da33-4fc9-96e3-b6b518b925fb" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "context" ,
"timestamp" : "1626427834" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "bb6a2979-54f0-4d18-b60e-fd00a16c5fa5" ,
"value" : "all"
} ,
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara" ,
"timestamp" : "1626427834" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "ca9e3e49-4a94-4256-8616-82e9b9b6804e" ,
"value" : "import \"pe\"\r\nrule DevilsTongue_HijackDll\r\n{\r\nmeta:\r\ndescription = \"Detects SOURGUM's DevilsTongue hijack DLL\"\r\nauthor = \"Microsoft Threat Intelligence Center (MSTIC)\"\r\ndate = \"2021-07-15\"\r\nstrings:\r\n$str1 = \"windows.old\\\\windows\" wide\r\n$str2 = \"NtQueryInformationThread\"\r\n$str3 = \"dbgHelp.dll\" wide\r\n$str4 = \"StackWalk64\"\r\n$str5 = \"ConvertSidToStringSidW\"\r\n$str6 = \"S-1-5-18\" wide\r\n$str7 = \"SMNew.dll\" // DLL original name\r\n// Call check in stack manipulation\r\n// B8 FF 15 00 00 mov eax, 15FFh\r\n// 66 39 41 FA cmp [rcx-6], ax\r\n// 74 06 jz short loc_1800042B9\r\n// 80 79 FB E8 cmp byte ptr [rcx-5], 0E8h ; '\u00e8'\r\n$code1 = {B8 FF 15 00 00 66 39 41 FA 74 06 80 79 FB E8}\r\n// PRNG to generate number of times to sleep 1s before exiting\r\n// 44 8B C0 mov r8d, eax\r\n// B8 B5 81 4E 1B mov eax, 1B4E81B5h\r\n// 41 F7 E8 imul r8d\r\n// C1 FA 05 sar edx, 5\r\n// 8B CA mov ecx, edx\r\n// C1 E9 1F shr ecx, 1Fh\r\n// 03 D1 add edx, ecx\r\n// 69 CA 2C 01 00 00 imul ecx, edx, 12Ch\r\n// 44 2B C1 sub r8d, ecx\r\n// 45 85 C0 test r8d, r8d\r\n// 7E 19 jle short loc_1800014D0\r\n$code2 = {44 8B C0 B8 B5 81 4E 1B 41 F7 E8 C1 FA 05 8B CA C1 E9 1F 03 D1 69 CA 2C 01 00 00 44 2B C1 45 85 C0 7E 19}\r\ncondition:\r\nfilesize < 800KB and\r\nuint16(0) == 0x5A4D and\r\n(pe.characteristics & pe.DLL) and\r\n(\r\n4 of them or\r\n($code1 and $code2) or\r\n(pe.imphash() == \"9a964e810949704ff7b4a393d9adda60\")\r\n)\r\n}"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1626427894" ,
"uuid" : "b177fed6-5bf9-4647-8e4b-8e66a772f421" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1626427894" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "ef6260e9-4306-4d3b-a9b3-e08b01e1ae1e" ,
"value" : "a0e2223868b6133c5712ba5ed20c3e8a"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1626427894" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "dec067bc-8059-4ce9-8777-bb1d0e4628b3" ,
"value" : "17614fdee3b89272e99758983b99111cbb1b312c"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1626427894" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "353ac1a5-4c17-4e2c-b77c-9c984aee18b5" ,
"value" : "c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d"
}
]
}
]
}
}