{
|
|
"type": "bundle",
|
|
"id": "bundle--59100c44-ea98-4024-ab76-485e950d210f",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-08T06:21:32.000Z",
|
|
"modified": "2017-05-08T06:21:32.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--59100c44-ea98-4024-ab76-485e950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-08T06:21:32.000Z",
|
|
"modified": "2017-05-08T06:21:32.000Z",
|
|
"name": "OSINT - Windows Defender ATP thwarts Operation WilySupply software supply chain cyberattack",
|
|
"published": "2017-05-08T06:23:36Z",
|
|
"object_refs": [
|
|
"observed-data--59100c4f-4a94-47ce-ac77-4094950d210f",
|
|
"url--59100c4f-4a94-47ce-ac77-4094950d210f",
|
|
"x-misp-attribute--59100c72-a814-453d-9ad3-417a950d210f",
|
|
"indicator--59100db9-4d28-4a85-a7e1-4da6950d210f",
|
|
"indicator--59100dba-77c0-4a8b-840e-448a950d210f",
|
|
"indicator--59100dda-f594-411e-b4d8-4f3b950d210f",
|
|
"indicator--59100ddb-c4a8-4d9b-b640-489f950d210f",
|
|
"indicator--59100e07-8714-4329-8e8a-4ed4950d210f",
|
|
"indicator--59100e08-e13c-4632-93b8-4f7c950d210f",
|
|
"indicator--59100e70-60f0-4bae-b77d-459502de0b81",
|
|
"observed-data--59100e70-de58-4165-beaa-47eb02de0b81",
|
|
"url--59100e70-de58-4165-beaa-47eb02de0b81"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"veris:actor:motive=\"Financial\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59100c4f-4a94-47ce-ac77-4094950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-08T06:21:32.000Z",
|
|
"modified": "2017-05-08T06:21:32.000Z",
|
|
"first_observed": "2017-05-08T06:21:32Z",
|
|
"last_observed": "2017-05-08T06:21:32Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59100c4f-4a94-47ce-ac77-4094950d210f"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"blog-post\"",
|
|
"admiralty-scale:source-reliability=\"b\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59100c4f-4a94-47ce-ac77-4094950d210f",
|
|
"value": "https://blogs.technet.microsoft.com/mmpc/2017/05/04/windows-defender-atp-thwarts-operation-wilysupply-software-supply-chain-cyberattack/"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--59100c72-a814-453d-9ad3-417a950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-08T06:21:32.000Z",
|
|
"modified": "2017-05-08T06:21:32.000Z",
|
|
"labels": [
|
|
"misp:type=\"text\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"blog-post\"",
|
|
"admiralty-scale:source-reliability=\"b\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "text",
|
|
"x_misp_value": "Several weeks ago, the Windows Defender Advanced Threat Protection (Windows Defender ATP) research team noticed security alerts that demonstrated an intriguing attack pattern. These early alerts uncovered a well-planned, finely orchestrated cyberattack that targeted several high-profile technology and financial organizations. An unknown attacker was taking advantage of a silent yet effective attack vector: the compromised update mechanism or software supply chain for a third-party editing tool. The software vendor that develops the editing tool was unaware of the issue. In fact, while their software supply chain served as a channel for attacking other organizations, they themselves were also under attack.\r\n\r\nThis cyberattack could have been much more problematic if it had gone undetected. Its early discovery allowed incident responders\u2014a collaboration of security experts from the targeted industries and developers working for the third-party software vendor\u2014to work with Microsoft security researchers to promptly identify and neutralize the activities associated with this cyberespionage campaign.\r\n\r\nThanks to the collaborative response, Microsoft was able to notify known affected parties as well as the third-party software vendor, who then worked around the clock to contain the attempted attack and mitigate potential risks.\r\nInvestigating alert timelines and process trees\r\n\r\nRegardless of how an attack is executed, through sophisticated social engineering or a zero-day exploit, the first stage or the entry vector of a kill chain is often the most challenging aspect to understand about the attack. Windows Defender ATP initially called our attention to alerts flagging suspicious PowerShell scripts, self-deletion of executables, and other suspect activities. A quick check in the Windows Defender ATP console led us to the machine that was under attack. However, the source of the attack remained buried, requiring additional investigative effort to uncover."
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59100db9-4d28-4a85-a7e1-4da6950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-08T06:21:32.000Z",
|
|
"modified": "2017-05-08T06:21:32.000Z",
|
|
"description": "(used for initial infection and C&C communication)",
|
|
"pattern": "[url:value = 'http://5.39.218.205/logo.png']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-08T06:21:32Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59100dba-77c0-4a8b-840e-448a950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-08T06:21:32.000Z",
|
|
"modified": "2017-05-08T06:21:32.000Z",
|
|
"description": "(used for initial infection and C&C communication)",
|
|
"pattern": "[url:value = 'http://176.53.118.131/logo.png']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-08T06:21:32Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59100dda-f594-411e-b4d8-4f3b950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-08T06:21:32.000Z",
|
|
"modified": "2017-05-08T06:21:32.000Z",
|
|
"description": "used for initial infection and C&C communication",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.39.218.205']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-08T06:21:32Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59100ddb-c4a8-4d9b-b640-489f950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-08T06:21:32.000Z",
|
|
"modified": "2017-05-08T06:21:32.000Z",
|
|
"description": "used for initial infection and C&C communication",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '176.53.118.131']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-08T06:21:32Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59100e07-8714-4329-8e8a-4ed4950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-08T06:21:32.000Z",
|
|
"modified": "2017-05-08T06:21:32.000Z",
|
|
"description": "the malicious sample downloaded through the third-party updater",
|
|
"pattern": "[file:hashes.SHA1 = '75edd4ee11e7d3dabd191c316da637f939140e2f']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-08T06:21:32Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59100e08-e13c-4632-93b8-4f7c950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-08T06:21:32.000Z",
|
|
"modified": "2017-05-08T06:21:32.000Z",
|
|
"description": "the malicious sample downloaded through the third-party updater",
|
|
"pattern": "[file:hashes.MD5 = 'a34c930506b64f98cdf3ec2a474f5b31']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-08T06:21:32Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59100e70-60f0-4bae-b77d-459502de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-08T06:21:36.000Z",
|
|
"modified": "2017-05-08T06:21:36.000Z",
|
|
"description": "the malicious sample downloaded through the third-party updater - Xchecked via VT: 75edd4ee11e7d3dabd191c316da637f939140e2f",
|
|
"pattern": "[file:hashes.SHA256 = '9a4346d7ac23d3fb06050e56ab7376fa56194c21617232574a5dbcb0a4e00a57']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-08T06:21:36Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59100e70-de58-4165-beaa-47eb02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-08T06:21:36.000Z",
|
|
"modified": "2017-05-08T06:21:36.000Z",
|
|
"first_observed": "2017-05-08T06:21:36Z",
|
|
"last_observed": "2017-05-08T06:21:36Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59100e70-de58-4165-beaa-47eb02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59100e70-de58-4165-beaa-47eb02de0b81",
|
|
"value": "https://www.virustotal.com/file/9a4346d7ac23d3fb06050e56ab7376fa56194c21617232574a5dbcb0a4e00a57/analysis/1494003300/"
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |