{
|
|
"type": "bundle",
|
|
"id": "bundle--fba1fa66-183d-4e82-bb89-78bfcb4d6e29",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",
|
|
"created": "2022-10-24T13:17:48.000Z",
|
|
"modified": "2022-10-24T13:17:48.000Z",
|
|
"name": "Centre for Cyber security Belgium",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--fba1fa66-183d-4e82-bb89-78bfcb4d6e29",
|
|
"created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",
|
|
"created": "2022-10-24T13:17:48.000Z",
|
|
"modified": "2022-10-24T13:17:48.000Z",
|
|
"name": "OSINT of Exchange 0-day campaign (Atos)",
|
|
"published": "2024-05-31T11:03:45Z",
|
|
"object_refs": [
|
|
"indicator--ba307599-e813-4e5f-94ff-f4e36fd71d41",
|
|
"indicator--de4ccfb9-0453-4b83-93ca-80893d086abb",
|
|
"indicator--61be67f9-ec2a-4429-8161-f09e7cba0905",
|
|
"indicator--5c05c0b0-0cc8-4446-a4c8-335b9ffa085f",
|
|
"indicator--bf62496c-e4ad-49cc-bff7-53235eba9c76",
|
|
"indicator--ae79c28f-487c-4652-9b7e-71637cd2e8e9",
|
|
"indicator--1890b51c-0238-4495-93ee-634cb4f9e869",
|
|
"indicator--0238308c-bf90-4503-906b-fca2d4e2f060",
|
|
"indicator--3a1765c3-086d-4a3d-b404-ce336f2600b0",
|
|
"indicator--82c5c66e-934c-4f00-afa9-26e148296ba1",
|
|
"indicator--e1cadeb5-bef6-41b3-ae08-7aa7946f4589",
|
|
"indicator--a8591697-e631-48c7-b2c7-feea313372c9",
|
|
"indicator--d98d097f-cadb-440e-b172-37799f9f4fd7",
|
|
"indicator--116795b5-4ebd-4792-8116-b220518aed43",
|
|
"indicator--f6f0cc0c-c369-41dd-9f8f-dc941b9d0cc1",
|
|
"indicator--9b57c1c2-dc85-478a-b1ec-7bb6a587e03f",
|
|
"indicator--d21024e3-6ee7-4939-b808-9e545cad0331",
|
|
"indicator--5c2ab9b0-db03-494b-b621-3ac188bf3f7d",
|
|
"indicator--ce3af728-e3b9-4f40-846f-f03cb1a28327",
|
|
"indicator--2c77ecad-aada-42a2-9696-c27a56506ed6",
|
|
"indicator--d4092f08-8029-4e76-9055-2607dee1781f",
|
|
"indicator--e4687f58-79d8-4d06-a8a9-8ecbf8d4d0d2",
|
|
"indicator--d768ea49-139f-4dcf-8af5-4e837888c5fb",
|
|
"indicator--fdbc158a-2253-4cb3-af63-2eed91f6cf2e",
|
|
"indicator--29466e30-8056-4cd3-89b0-bc6aa16b48f3",
|
|
"indicator--83fd3c39-85b1-4e21-9735-9a006ddabc01",
|
|
"indicator--91b7b424-d362-49a1-b9f4-494cfe17b960",
|
|
"indicator--5053b6b1-6a3a-4a23-8560-fb69b72ba8a8",
|
|
"x-misp-object--239abc6c-9a8a-4fe5-8b09-14b2ee4c570b"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"tlp:clear",
|
|
"admiralty-scale:source-reliability=\"b\"",
|
|
"Microsoft Exchange Vulnerability",
|
|
"Zero Day",
|
|
"OSINT",
|
|
"osint:source-type=\"blog-post\"",
|
|
"cert-ist:threat_targeted_sector=\"Gov\"",
|
|
"misp-galaxy:financial-fraud=\"Spear phishing\"",
|
|
"cert-ist:threat_targeted_sector=\"Media\"",
|
|
"misp-galaxy:sector=\"Government, Administration\"",
|
|
"misp-galaxy:region=\"142 - Asia\"",
|
|
"misp-galaxy:region=\"150 - Europe\"",
|
|
"admiralty-scale:information-credibility=\"3\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--ba307599-e813-4e5f-94ff-f4e36fd71d41",
|
|
"created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",
|
|
"created": "2022-10-03T14:16:38.000Z",
|
|
"modified": "2022-10-03T14:16:38.000Z",
|
|
"description": "Used as part of targeted attacks against government sectors",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '206.188.196.77']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-03T14:16:38Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--de4ccfb9-0453-4b83-93ca-80893d086abb",
|
|
"created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",
|
|
"created": "2022-10-03T14:16:38.000Z",
|
|
"modified": "2022-10-03T14:16:38.000Z",
|
|
"description": "Used as part of targeted attacks against government sectors",
|
|
"pattern": "[domain-name:value = 'rkn-redirect.net']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-03T14:16:38Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--61be67f9-ec2a-4429-8161-f09e7cba0905",
|
|
"created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",
|
|
"created": "2022-10-03T14:16:38.000Z",
|
|
"modified": "2022-10-03T14:16:38.000Z",
|
|
"description": "Used as part of targeted attacks against government sectors",
|
|
"pattern": "[domain-name:value = 'mail.ticaret.gov.tr-redirect.net']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-03T14:16:38Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c05c0b0-0cc8-4446-a4c8-335b9ffa085f",
|
|
"created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",
|
|
"created": "2022-10-03T14:16:38.000Z",
|
|
"modified": "2022-10-03T14:16:38.000Z",
|
|
"description": "Used as part of targeted attacks against government sectors",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '162.33.179.130']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-03T14:16:38Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--bf62496c-e4ad-49cc-bff7-53235eba9c76",
|
|
"created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",
|
|
"created": "2022-10-03T14:16:38.000Z",
|
|
"modified": "2022-10-03T14:16:38.000Z",
|
|
"description": "Used as part of targeted attacks against government sectors",
|
|
"pattern": "[email-message:from_ref.value = 'vpscontrollervnc@protonmail.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-03T14:16:38Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"email-src\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--ae79c28f-487c-4652-9b7e-71637cd2e8e9",
|
|
"created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",
|
|
"created": "2022-10-03T14:16:38.000Z",
|
|
"modified": "2022-10-03T14:16:38.000Z",
|
|
"description": "Used as part of targeted attacks against government sectors",
|
|
"pattern": "[domain-name:value = 'openattachment.net']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-03T14:16:38Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--1890b51c-0238-4495-93ee-634cb4f9e869",
|
|
"created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",
|
|
"created": "2022-10-03T14:16:38.000Z",
|
|
"modified": "2022-10-03T14:16:38.000Z",
|
|
"description": "Used as part of targeted attacks against government sectors",
|
|
"pattern": "[domain-name:value = 'openingfile.net']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-03T14:16:38Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--0238308c-bf90-4503-906b-fca2d4e2f060",
|
|
"created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",
|
|
"created": "2022-10-03T14:16:38.000Z",
|
|
"modified": "2022-10-03T14:16:38.000Z",
|
|
"description": "Used as part of targeted attacks against government sectors",
|
|
"pattern": "[domain-name:value = 'northapollon.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-03T14:16:38Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--3a1765c3-086d-4a3d-b404-ce336f2600b0",
|
|
"created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",
|
|
"created": "2022-10-03T14:16:38.000Z",
|
|
"modified": "2022-10-03T14:16:38.000Z",
|
|
"description": "Used as part of targeted attacks against government sectors",
|
|
"pattern": "[domain-name:value = 'openfile-attachment.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-03T14:16:38Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--82c5c66e-934c-4f00-afa9-26e148296ba1",
|
|
"created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",
|
|
"created": "2022-10-03T14:16:38.000Z",
|
|
"modified": "2022-10-03T14:16:38.000Z",
|
|
"description": "Used as part of targeted attacks against government sectors",
|
|
"pattern": "[domain-name:value = 'united-nation-news.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-03T14:16:38Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--e1cadeb5-bef6-41b3-ae08-7aa7946f4589",
|
|
"created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",
|
|
"created": "2022-10-03T14:16:39.000Z",
|
|
"modified": "2022-10-03T14:16:39.000Z",
|
|
"description": "Used as part of targeted attacks against government sectors",
|
|
"pattern": "[domain-name:value = 'byannika.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-03T14:16:39Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--a8591697-e631-48c7-b2c7-feea313372c9",
|
|
"created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",
|
|
"created": "2022-10-03T14:16:39.000Z",
|
|
"modified": "2022-10-03T14:16:39.000Z",
|
|
"description": "Used as part of targeted attacks against government sectors",
|
|
"pattern": "[email-message:from_ref.value = 'netxv@bk.ru']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-03T14:16:39Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"email-src\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--d98d097f-cadb-440e-b172-37799f9f4fd7",
|
|
"created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",
|
|
"created": "2022-10-03T14:16:39.000Z",
|
|
"modified": "2022-10-03T14:16:39.000Z",
|
|
"description": "Used as part of targeted attacks against government sectors",
|
|
"pattern": "[domain-name:value = 'tr-redirect.net']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-03T14:16:39Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--116795b5-4ebd-4792-8116-b220518aed43",
|
|
"created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",
|
|
"created": "2022-10-03T14:16:39.000Z",
|
|
"modified": "2022-10-03T14:16:39.000Z",
|
|
"description": "Used as part of targeted attacks against government sectors",
|
|
"pattern": "[domain-name:value = 'web-document.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-03T14:16:39Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--f6f0cc0c-c369-41dd-9f8f-dc941b9d0cc1",
|
|
"created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",
|
|
"created": "2022-10-03T14:16:39.000Z",
|
|
"modified": "2022-10-03T14:16:39.000Z",
|
|
"description": "Used as part of targeted attacks against government sectors",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '178.20.40.95']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-03T14:16:39Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--9b57c1c2-dc85-478a-b1ec-7bb6a587e03f",
|
|
"created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",
|
|
"created": "2022-10-03T14:16:39.000Z",
|
|
"modified": "2022-10-03T14:16:39.000Z",
|
|
"description": "Used as part of targeted attacks against government sectors",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '168.100.10.30']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-03T14:16:39Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--d21024e3-6ee7-4939-b808-9e545cad0331",
|
|
"created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",
|
|
"created": "2022-10-03T14:16:39.000Z",
|
|
"modified": "2022-10-03T14:16:39.000Z",
|
|
"description": "Used as part of targeted attacks against government sectors",
|
|
"pattern": "[domain-name:value = 'mfa-tj.download']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-03T14:16:39Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c2ab9b0-db03-494b-b621-3ac188bf3f7d",
|
|
"created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",
|
|
"created": "2022-10-03T14:16:39.000Z",
|
|
"modified": "2022-10-03T14:16:39.000Z",
|
|
"description": "Used as part of targeted attacks against government sectors",
|
|
"pattern": "[domain-name:value = 'akipress.news']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-03T14:16:39Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--ce3af728-e3b9-4f40-846f-f03cb1a28327",
|
|
"created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",
|
|
"created": "2022-10-03T14:16:39.000Z",
|
|
"modified": "2022-10-03T14:16:39.000Z",
|
|
"description": "Used as part of targeted attacks against government sectors",
|
|
"pattern": "[domain-name:value = 'mail.antikor.gov.kz.openingfile.net']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-03T14:16:39Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--2c77ecad-aada-42a2-9696-c27a56506ed6",
|
|
"created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",
|
|
"created": "2022-10-03T14:16:39.000Z",
|
|
"modified": "2022-10-03T14:16:39.000Z",
|
|
"description": "Used as part of targeted attacks against government sectors",
|
|
"pattern": "[domain-name:value = 'mail.gov.kg.openingfile.net']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-03T14:16:39Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--d4092f08-8029-4e76-9055-2607dee1781f",
|
|
"created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",
|
|
"created": "2022-10-03T14:16:39.000Z",
|
|
"modified": "2022-10-03T14:16:39.000Z",
|
|
"description": "Used as part of targeted attacks against government sectors",
|
|
"pattern": "[domain-name:value = 'mail.agro.gov.kg.openingfile.net']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-03T14:16:39Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--e4687f58-79d8-4d06-a8a9-8ecbf8d4d0d2",
|
|
"created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",
|
|
"created": "2022-10-03T14:16:39.000Z",
|
|
"modified": "2022-10-03T14:16:39.000Z",
|
|
"description": "Used as part of targeted attacks against government sectors",
|
|
"pattern": "[domain-name:value = 'telegram.akipress.news']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-03T14:16:39Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--d768ea49-139f-4dcf-8af5-4e837888c5fb",
|
|
"created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",
|
|
"created": "2022-10-03T14:16:39.000Z",
|
|
"modified": "2022-10-03T14:16:39.000Z",
|
|
"description": "Used as part of targeted attacks against government sectors",
|
|
"pattern": "[domain-name:value = 'mail.mfa.gov.kg.openingfile.net']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-03T14:16:39Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--fdbc158a-2253-4cb3-af63-2eed91f6cf2e",
|
|
"created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",
|
|
"created": "2022-10-03T14:16:39.000Z",
|
|
"modified": "2022-10-03T14:16:39.000Z",
|
|
"description": "Used as part of targeted attacks against government sectors",
|
|
"pattern": "[domain-name:value = 'mail.aop.gov.af.openingfile.net']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-03T14:16:39Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--29466e30-8056-4cd3-89b0-bc6aa16b48f3",
|
|
"created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",
|
|
"created": "2022-10-03T14:16:39.000Z",
|
|
"modified": "2022-10-03T14:16:39.000Z",
|
|
"description": "Used as part of targeted attacks against government sectors",
|
|
"pattern": "[email-message:from_ref.value = 'account0021@protonmail.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-03T14:16:39Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"email-src\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--83fd3c39-85b1-4e21-9735-9a006ddabc01",
|
|
"created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",
|
|
"created": "2022-10-03T14:16:39.000Z",
|
|
"modified": "2022-10-03T14:16:39.000Z",
|
|
"description": "Used as part of targeted attacks against government sectors",
|
|
"pattern": "[domain-name:value = 'auth0rization.cloud']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-03T14:16:39Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--91b7b424-d362-49a1-b9f4-494cfe17b960",
|
|
"created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",
|
|
"created": "2022-10-03T14:16:39.000Z",
|
|
"modified": "2022-10-03T14:16:39.000Z",
|
|
"description": "Used as part of targeted attacks against government sectors",
|
|
"pattern": "[domain-name:value = 'united-nations-news.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-03T14:16:39Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5053b6b1-6a3a-4a23-8560-fb69b72ba8a8",
|
|
"created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",
|
|
"created": "2022-10-03T14:16:39.000Z",
|
|
"modified": "2022-10-03T14:16:39.000Z",
|
|
"description": "Used as part of targeted attacks against government sectors",
|
|
"pattern": "[domain-name:value = 'application-download.net']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-03T14:16:39Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--239abc6c-9a8a-4fe5-8b09-14b2ee4c570b",
|
|
"created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",
|
|
"created": "2022-10-24T13:11:26.000Z",
|
|
"modified": "2022-10-24T13:11:26.000Z",
|
|
"labels": [
|
|
"misp:name=\"annotation\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "creation-date",
|
|
"value": "2022-10-03T00:00:00+00:00",
|
|
"category": "Other",
|
|
"uuid": "9b07c0fa-65f5-437b-8f2e-4e3a8e939826"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "ref",
|
|
"value": "https://atos.net/en/lp/security-dive-blog-vulnerability-0-day-exchange",
|
|
"category": "External analysis",
|
|
"uuid": "9b630af7-92a2-4e22-aa39-9b7b253cfd8d"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "text",
|
|
"value": "Reports of new 0-day vulnerabilities electrify the Cybersecurity community, especially when they affect commonly used products. Recent news about the successor of the infamous ProxyShell \u2013 CVE-2022-41040, CVE-2022-41082 \u2013 found in Microsoft Exchange and disclosed by researchers at GTSC Research Lab on 28/09/2022 pushed our TI operations to understand the attackers\u2019 infrastructure better. Our brief analysis is evidence that it is worthwhile to do enrichment of available IOCs to build additional context and try to determine the motivations and origins of threat actors.",
|
|
"category": "Other",
|
|
"uuid": "decb8987-f071-416c-86f9-08f11b0aad32"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "type",
|
|
"value": "Full Report",
|
|
"category": "External analysis",
|
|
"uuid": "0b930c20-ddbb-4092-941e-5ef42965783e"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "annotation"
|
|
}
|
|
]
|
|
} |