{
|
|
"Event": {
|
|
"analysis": "1",
|
|
"date": "2023-01-19",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - CircleCI incident report for January 4, 2023 security incident",
|
|
"publish_timestamp": "1674116481",
|
|
"published": true,
|
|
"threat_level_id": "4",
|
|
"timestamp": "1674116421",
|
|
"uuid": "f2049d65-5315-4c37-9bbb-900c9b851204",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"SSH - T1021.004\""
|
|
},
|
|
{
|
|
"colour": "#004646",
|
|
"name": "type:OSINT"
|
|
},
|
|
{
|
|
"colour": "#0071c3",
|
|
"name": "osint:lifetime=\"perpetual\""
|
|
},
|
|
{
|
|
"colour": "#0087e8",
|
|
"name": "osint:certainty=\"50\""
|
|
},
|
|
{
|
|
"colour": "#ffffff",
|
|
"name": "tlp:white"
|
|
},
|
|
{
|
|
"colour": "#ffffff",
|
|
"name": "tlp:clear"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Malicious files to search for and remove:",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1674116099",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5eab642e-d3a5-4170-9aff-770721ce1f01",
|
|
"value": "8913e38592228adc067d82f66c150d87004ec946e579d4a00c53b61444ff35bf"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Malicious files to search for and remove:",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1674116087",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "b0894935-86e3-49fe-99ee-767f8c551d84",
|
|
"value": "/private/tmp/.svx856.log"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Malicious files to search for and remove:",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1674116166",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "9c1bc6dc-e391-46f5-bf31-dc501e06ddfb",
|
|
"value": "/private/tmp/.ptslog"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "Review GitHub audit log files for unexpected actions such as the value below. Note: repo.download_zip is a GitHub audit-log action name, not a Windows registry key, so the regkey type on this attribute is a mis-typing; treat it as a hunting pivot rather than a blocklist entry, because with to_ids=true a generic action name would be exported to IDS feeds and generate noise.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1674116193",
|
|
"to_ids": true,
|
|
"type": "regkey",
|
|
"uuid": "9ad02845-5cfb-4494-89b4-1c3795e3d5bb",
|
|
"value": "repo.download_zip"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1674115917",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "fc6531ee-17f5-4f4e-94d8-25b1b355b14f",
|
|
"value": "178.249.214.10"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Malicious files to search for and remove:",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1674116173",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "4f008530-bf04-458c-98fc-5b45a6ae66db",
|
|
"value": "PTX-Player.dmg"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1674115917",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "268efcdc-a235-4ef2-a421-b66d0b9b0e7f",
|
|
"value": "178.249.214.25"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1674115917",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "41b9f351-1bb3-4d8f-af7c-c018c050702b",
|
|
"value": "111.90.149.55"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1674115917",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "4d7b64e3-6e7c-4275-b082-8b80534015c9",
|
|
"value": "188.68.229.52"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1674115917",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "af9d8894-d05a-46d1-bfe6-8b478b30371a",
|
|
"value": "72.18.132.58"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1674115917",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "89f779a8-ac43-46cf-bf35-adae33af9936",
|
|
"value": "89.36.78.135"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1674115917",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "486b2d2f-12bd-4741-ae46-5838f798a10a",
|
|
"value": "89.36.78.109"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Block the following domain",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1674116053",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "31150471-744f-47e5-9da9-9eceaac53ca4",
|
|
"value": "potrax.com"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1674115917",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5b6801c1-e72e-4841-b908-fefce6cdf8cf",
|
|
"value": "89.36.78.75"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Malicious files to search for and remove (ptx.app is grouped with the malicious files yet typed as a domain; it may be a macOS application bundle name rather than a DNS name - confirm before feeding this to DNS or proxy blocklists).",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1674116076",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "413ee0ee-1509-4d44-bddd-9bde85e92562",
|
|
"value": "ptx.app"
|
|
}
|
|
],
|
|
"Object": [
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Metadata used to generate an executive level report",
|
|
"meta-category": "misc",
|
|
"name": "report",
|
|
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
|
|
"template_version": "7",
|
|
"timestamp": "1674115825",
|
|
"uuid": "852a38c1-d1b2-43c3-8781-23b8de71e1a1",
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "link",
|
|
"timestamp": "1674115825",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "c342b42b-b831-4dd3-b01b-f496ec048e8b",
|
|
"value": "https://circleci.com/blog/jan-4-2023-incident-report/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "summary",
|
|
"timestamp": "1674115825",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "2a8dc7bd-ec90-49b3-bfda-2117bd548733",
|
|
"value": "On January 4, 2023, we alerted customers to a security incident. Today, we want to share with you what happened, what we\u2019ve learned, and what our plans are to continuously improve our security posture for the future.\r\n\r\nWe would like to thank our customers for your attention to rotating and revoking secrets, and apologize for any disruption this incident may have caused to your work. We encourage customers who have yet to take action to do so in order to prevent unauthorized access to third-party systems and stores. Additionally, we want to thank our customers and our community for your patience while we have been conducting a thorough investigation. In aiming for responsible disclosure, we have done our best to balance speed in sharing information with maintaining the integrity of our investigation."
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "type",
|
|
"timestamp": "1674115825",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "7d775b15-8637-4e98-a4bc-bd74a19ce591",
|
|
"value": "Report"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
} |