{ "type": "bundle", "id": "bundle--5dbe8440-9cdc-4af1-acb7-34b902de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-03T08:01:04.000Z", "modified": "2019-11-03T08:01:04.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5dbe8440-9cdc-4af1-acb7-34b902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-03T08:01:04.000Z", "modified": "2019-11-03T08:01:04.000Z", "name": "OSINT - Chrome 0-day exploit CVE-2019-13720 used in Operation WizardOpium", "published": "2019-11-03T08:02:19Z", "object_refs": [ "observed-data--5dbe846f-ed60-462f-84b3-640602de0b81", "url--5dbe846f-ed60-462f-84b3-640602de0b81", "indicator--5dbe849d-1290-4e0d-bc5f-640602de0b81", "indicator--5dbe849d-c064-42fa-9b30-640602de0b81", "indicator--5dbe849d-7a00-4942-9cd0-640602de0b81", "indicator--5dbe849d-89f0-424f-a505-640602de0b81", "indicator--5dbe849d-acc8-48d0-ada6-640602de0b81", "indicator--5dbe849d-ed88-418d-aca8-640602de0b81", "indicator--5dbe849d-a8bc-4d8b-8538-640602de0b81", "indicator--5dbe849d-57f8-4cfa-95f2-640602de0b81", "indicator--5dbe849d-9150-476d-9203-640602de0b81", "x-misp-attribute--5dbe84c2-fe7c-43e1-b985-2b0102de0b81", "vulnerability--5dbe84db-b1e8-44ab-8202-641e02de0b81", "observed-data--5dbe84f4-6f1c-440e-aa2d-2f6c02de0b81", "url--5dbe84f4-6f1c-440e-aa2d-2f6c02de0b81", "indicator--5dbe8574-b1bc-44c0-be7c-63fc02de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT", "osint:lifetime=\"perpetual\"", "collaborative-intelligence:request=\"sample\"", "estimative-language:likelihood-probability=\"almost-certain\"", "misp-galaxy:threat-actor=\"Operation WizardOpium\"", "misp-galaxy:mitre-attack-pattern=\"Exploitation for Client Execution - T1203\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": 
"observed-data", "spec_version": "2.1", "id": "observed-data--5dbe846f-ed60-462f-84b3-640602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-03T07:40:31.000Z", "modified": "2019-11-03T07:40:31.000Z", "first_observed": "2019-11-03T07:40:31Z", "last_observed": "2019-11-03T07:40:31Z", "number_observed": 1, "object_refs": [ "url--5dbe846f-ed60-462f-84b3-640602de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5dbe846f-ed60-462f-84b3-640602de0b81", "value": "https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5dbe849d-1290-4e0d-bc5f-640602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-03T07:41:17.000Z", "modified": "2019-11-03T07:41:17.000Z", "pattern": "[domain-name:value = 'behindcorona.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-11-03T07:41:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5dbe849d-c064-42fa-9b30-640602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-03T07:41:17.000Z", "modified": "2019-11-03T07:41:17.000Z", "pattern": "[domain-name:value = 'code.jquery.cdn.behindcorona.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-11-03T07:41:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--5dbe849d-7a00-4942-9cd0-640602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-03T07:41:17.000Z", "modified": "2019-11-03T07:41:17.000Z", "pattern": "[file:hashes.MD5 = '8f3cd9299b2f241daf1f5057ba0b9054']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-11-03T07:41:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5dbe849d-89f0-424f-a505-640602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-03T07:41:17.000Z", "modified": "2019-11-03T07:41:17.000Z", "pattern": "[file:hashes.SHA256 = '35373d07c2e408838812ff210aa28d90e97e38f2d0132a86085b0d54256cc1cd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-11-03T07:41:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5dbe849d-acc8-48d0-ada6-640602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-03T07:41:17.000Z", "modified": "2019-11-03T07:41:17.000Z", "pattern": "[file:hashes.MD5 = '27e941683d09a7405a9e806cc7d156c9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-11-03T07:41:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5dbe849d-ed88-418d-aca8-640602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": 
"2019-11-03T07:41:17.000Z", "modified": "2019-11-03T07:41:17.000Z", "pattern": "[file:hashes.SHA256 = '8fb2558765cf648305493e1dfea7a2b26f4fc8f44ff72c95e9165a904a9a6a48']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-11-03T07:41:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5dbe849d-a8bc-4d8b-8538-640602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-03T07:41:17.000Z", "modified": "2019-11-03T07:41:17.000Z", "pattern": "[file:hashes.MD5 = 'f614909fbd57ece81d00b01958338ec2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-11-03T07:41:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5dbe849d-57f8-4cfa-95f2-640602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-03T07:41:17.000Z", "modified": "2019-11-03T07:41:17.000Z", "pattern": "[file:hashes.SHA256 = 'cafe8f704095b1f5e0a885f75b1b41a7395a1c62fd893ef44348f9702b3a0deb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-11-03T07:41:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5dbe849d-9150-476d-9203-640602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-03T07:41:17.000Z", "modified": "2019-11-03T07:41:17.000Z", "pattern": 
"[email-message:from_ref.value = 'kennethosborne@protonmail.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-11-03T07:41:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"email-src\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5dbe84c2-fe7c-43e1-b985-2b0102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-03T07:41:54.000Z", "modified": "2019-11-03T07:41:54.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Kaspersky Exploit Prevention is a component part of Kaspersky products that has successfully detected a number of zero-day attacks in the past. Recently, it caught a new unknown exploit for Google\u2019s Chrome browser. We promptly reported this to the Google Chrome security team. After reviewing of the PoC we provided, Google confirmed there was a zero-day vulnerability and assigned it CVE-2019-13720. Google has released Chrome version 78.0.3904.87 for Windows, Mac, and Linux and we recommend all Chrome users to update to this latest version as soon as possible! You can read Google\u2019s bulletin by clicking here.\r\n\r\nKaspersky endpoint products detect the exploit with the help of the exploit prevention component. The verdict for this attack is Exploit.Win32.Generic.\r\n\r\nWe are calling these attacks Operation WizardOpium. So far, we have been unable to establish a definitive link with any known threat actors. There are certain very weak code similarities with Lazarus attacks, although these could very well be a false flag. The profile of the targeted website is more in line with earlier DarkHotel attacks that have recently deployed similar false flag attacks." 
}, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--5dbe84db-b1e8-44ab-8202-641e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-03T07:42:19.000Z", "modified": "2019-11-03T07:42:19.000Z", "name": "CVE-2019-13720", "labels": [ "misp:type=\"vulnerability\"", "misp:category=\"Payload delivery\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2019-13720" } ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5dbe84f4-6f1c-440e-aa2d-2f6c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-03T07:42:44.000Z", "modified": "2019-11-03T07:42:44.000Z", "first_observed": "2019-11-03T07:42:44Z", "last_observed": "2019-11-03T07:42:44Z", "number_observed": 1, "object_refs": [ "url--5dbe84f4-6f1c-440e-aa2d-2f6c02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5dbe84f4-6f1c-440e-aa2d-2f6c02de0b81", "value": "https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5dbe8574-b1bc-44c0-be7c-63fc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-03T07:44:52.000Z", "modified": "2019-11-03T07:44:52.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '193.29.59.52']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-11-03T07:44:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": 
"TLP:WHITE", "definition": { "tlp": "white" } } ] }