{ "type": "bundle", "id": "bundle--5afafce0-0598-4ca0-b52a-41f4950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-15T15:42:30.000Z", "modified": "2018-05-15T15:42:30.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5afafce0-0598-4ca0-b52a-41f4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-15T15:42:30.000Z", "modified": "2018-05-15T15:42:30.000Z", "name": "OSINT - A tale of two zero-days", "published": "2018-05-15T15:43:01Z", "object_refs": [ "observed-data--5afafcef-4ebc-4561-bcd3-4ec7950d210f", "url--5afafcef-4ebc-4561-bcd3-4ec7950d210f", "x-misp-attribute--5afafd04-9874-4fb6-afa8-3556950d210f", "vulnerability--5afafd25-5ed0-4e07-8d1e-4572950d210f", "vulnerability--5afafd37-b6d8-48ea-9226-4e32950d210f", "indicator--5afafd4a-8f80-4711-8ec3-4fb0950d210f", "indicator--5afafd4b-48e8-4271-98d2-477b950d210f", "observed-data--5afaffce-12b8-41cf-8ce1-434a950d210f", "url--5afaffce-12b8-41cf-8ce1-434a950d210f", "observed-data--5afaffe3-f688-4ddb-ad6b-4d54950d210f", "url--5afaffe3-f688-4ddb-ad6b-4d54950d210f", "x-misp-object--e1aaf6c9-d880-4111-ae8c-e18bacfa93e3", "x-misp-object--8e273621-4ed2-4eab-8afa-c8332486d797", "x-misp-object--87e5d719-47c0-48f7-a306-167eae1963bf", "x-misp-object--55b2aaba-335d-46dc-95ba-5460b43332fd", "relationship--d90c3022-61a8-4684-8eb9-676f92b01873", "relationship--351cc740-b483-4602-a4cd-3ccfb9628e06" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "osint:source-type=\"blog-post\"", "osint:certainty=\"75\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5afafcef-4ebc-4561-bcd3-4ec7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-15T15:29:51.000Z", "modified": "2018-05-15T15:29:51.000Z", "first_observed": "2018-05-15T15:29:51Z", "last_observed": "2018-05-15T15:29:51Z", "number_observed": 1, "object_refs": [ "url--5afafcef-4ebc-4561-bcd3-4ec7950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5afafcef-4ebc-4561-bcd3-4ec7950d210f", "value": "https://www.welivesecurity.com/2018/05/15/tale-two-zero-days/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5afafd04-9874-4fb6-afa8-3556950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-15T15:30:12.000Z", "modified": "2018-05-15T15:30:12.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Late in March 2018, ESET researchers identified an interesting malicious PDF sample. A closer look revealed that the sample exploits two previously unknown vulnerabilities: a remote-code execution vulnerability in Adobe Reader and a privilege escalation vulnerability in Microsoft Windows.\r\n\r\nThe use of the combined vulnerabilities is extremely powerful, as it allows an attacker to execute arbitrary code with the highest possible privileges on the vulnerable target, and with only the most minimal of user interaction. APT groups regularly use such combinations to perform their attacks, such as in the Sednit campaign from last year.\r\n\r\nOnce the PDF sample was discovered, ESET contacted and worked together with the Microsoft Security Response Center, Windows Defender ATP research team, and Adobe Product Security Incident Response Team as they fixed these bugs." }, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--5afafd25-5ed0-4e07-8d1e-4572950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-15T15:30:45.000Z", "modified": "2018-05-15T15:30:45.000Z", "name": "CVE-2018-4990", "labels": [ "misp:type=\"vulnerability\"", "misp:category=\"Payload delivery\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Exploitation of Vulnerability - T1068\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2018-4990" } ] }, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--5afafd37-b6d8-48ea-9226-4e32950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-15T15:31:03.000Z", "modified": "2018-05-15T15:31:03.000Z", "name": "CVE-2018-8120", "labels": [ "misp:type=\"vulnerability\"", "misp:category=\"Payload installation\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Exploitation of Vulnerability - T1068\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2018-8120" } ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5afafd4a-8f80-4711-8ec3-4fb0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-15T15:31:22.000Z", "modified": "2018-05-15T15:31:22.000Z", "pattern": "[file:hashes.SHA1 = 'c82cfead292eeca601d3cf82c8c5340cb579d1c6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-05-15T15:31:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5afafd4b-48e8-4271-98d2-477b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-15T15:31:23.000Z", "modified": "2018-05-15T15:31:23.000Z", "pattern": "[file:hashes.SHA1 = '0d3f335ccca4575593054446f5f219eba6cd93fe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-05-15T15:31:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5afaffce-12b8-41cf-8ce1-434a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-15T15:42:06.000Z", "modified": "2018-05-15T15:42:06.000Z", "first_observed": "2018-05-15T15:42:06Z", "last_observed": "2018-05-15T15:42:06Z", "number_observed": 1, "object_refs": [ "url--5afaffce-12b8-41cf-8ce1-434a950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5afaffce-12b8-41cf-8ce1-434a950d210f", "value": "http://www.ivanlef0u.tuxfamily.org/?p=86" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5afaffe3-f688-4ddb-ad6b-4d54950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-15T15:42:27.000Z", "modified": "2018-05-15T15:42:27.000Z", "first_observed": "2018-05-15T15:42:27Z", "last_observed": "2018-05-15T15:42:27Z", "number_observed": 1, "object_refs": [ "url--5afaffe3-f688-4ddb-ad6b-4d54950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5afaffe3-f688-4ddb-ad6b-4d54950d210f", "value": "http://j00ru.vexillium.org/?p=290" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--e1aaf6c9-d880-4111-ae8c-e18bacfa93e3", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-15T15:32:38.000Z", "modified": "2018-05-15T15:32:38.000Z", "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"" ], "x_misp_meta_category": "file", "x_misp_name": "file" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--8e273621-4ed2-4eab-8afa-c8332486d797", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-15T15:32:36.000Z", "modified": "2018-05-15T15:32:36.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--87e5d719-47c0-48f7-a306-167eae1963bf", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-15T15:32:40.000Z", "modified": "2018-05-15T15:32:40.000Z", "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"" ], "x_misp_meta_category": "file", "x_misp_name": "file" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--55b2aaba-335d-46dc-95ba-5460b43332fd", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-15T15:32:38.000Z", "modified": "2018-05-15T15:32:38.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d90c3022-61a8-4684-8eb9-676f92b01873", "created": "2018-05-15T15:32:39.000Z", "modified": "2018-05-15T15:32:39.000Z", "relationship_type": "analysed-with", "source_ref": "x-misp-object--e1aaf6c9-d880-4111-ae8c-e18bacfa93e3", "target_ref": "x-misp-object--8e273621-4ed2-4eab-8afa-c8332486d797" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--351cc740-b483-4602-a4cd-3ccfb9628e06", "created": "2018-05-15T15:32:39.000Z", "modified": "2018-05-15T15:32:39.000Z", "relationship_type": "analysed-with", "source_ref": "x-misp-object--87e5d719-47c0-48f7-a306-167eae1963bf", "target_ref": "x-misp-object--55b2aaba-335d-46dc-95ba-5460b43332fd" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }