245 lines
No EOL
8.1 KiB
JSON
245 lines
No EOL
8.1 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2017-02-07",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - The Curious Case of a Reconnaissance Campaign Targeting Ministry and Embassy Sites",
|
|
"publish_timestamp": "1486497512",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1486497239",
|
|
"uuid": "589a2465-af44-4854-8eea-468d950d210f",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#065100",
|
|
"local": false,
|
|
"name": "misp-galaxy:tool=\"Turla\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": false,
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486496896",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "589a2480-7b68-44ae-8e33-4ce1950d210f",
|
|
"value": "Forcepoint Security Labs\u00e2\u201e\u00a2 came across a malicious reconnaissance campaign that targets websites. It is unknown what is the intent behind the campaign as of this writing, however, the profile of the targets resembles those that are common targets of Advanced Persistent Threat (APT) actors. As the attack is currently active, it effectively turns compromised sites into attack surfaces against their visitors.\r\n\r\nFurthermore, the injections resemble those used by the Turla group, such as those previously documented by Swiss GovCERT last year. In this post, we will share our findings on this campaign's targets and injected code as well as provide insights to its timeline."
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Landing Pages",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486496938",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "589a24aa-505c-4b6f-b706-484a950d210f",
|
|
"value": "http://rss.nbcpost.com/news/today/content.php"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Landing Pages",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486496939",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "589a24ab-22cc-426a-8a01-4386950d210f",
|
|
"value": "http://drivers.epsoncorp.com/plugin/analytics/counter.js"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Landing Pages",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486496940",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "589a24ac-c1e8-412a-8d78-43a7950d210f",
|
|
"value": "http://www.mentalhealthcheck.net/update/check.php"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Landing Pages",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486496941",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "589a24ad-f13c-40e8-aab8-41c4950d210f",
|
|
"value": "http://www.mentalhealthcheck.net/update/counter.js"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Landing Pages",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486496942",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "589a24ae-0cb4-4a8a-a8a5-4437950d210f",
|
|
"value": "http://static.travelclothes.org/main.js"
|
|
},
|
|
{
|
|
"category": "Targeting data",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486497045",
|
|
"to_ids": false,
|
|
"type": "target-external",
|
|
"uuid": "589a2515-1f2c-44b9-8f5b-4921950d210f",
|
|
"value": "Foreign affairs ministries of Kyrgyzstan, Moldova and Uzbekistan"
|
|
},
|
|
{
|
|
"category": "Targeting data",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486497046",
|
|
"to_ids": false,
|
|
"type": "target-external",
|
|
"uuid": "589a2516-eed8-44ce-ae04-4cbd950d210f",
|
|
"value": "Embassy sites of Iraq, Jordan, Zambia and Russia"
|
|
},
|
|
{
|
|
"category": "Targeting data",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486497046",
|
|
"to_ids": false,
|
|
"type": "target-external",
|
|
"uuid": "589a2516-f488-4298-aafc-46ba950d210f",
|
|
"value": "A political party in Austria"
|
|
},
|
|
{
|
|
"category": "Targeting data",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486497047",
|
|
"to_ids": false,
|
|
"type": "target-external",
|
|
"uuid": "589a2517-4ce0-4f23-ac97-48d3950d210f",
|
|
"value": "A government-run, sustainability site in Austria"
|
|
},
|
|
{
|
|
"category": "Targeting data",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486497048",
|
|
"to_ids": false,
|
|
"type": "target-external",
|
|
"uuid": "589a2518-0034-4804-be23-4b7b950d210f",
|
|
"value": "A sports association in Austria"
|
|
},
|
|
{
|
|
"category": "Targeting data",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486497049",
|
|
"to_ids": false,
|
|
"type": "target-external",
|
|
"uuid": "589a2519-229c-4fc7-9181-4121950d210f",
|
|
"value": "A Somalian news site"
|
|
},
|
|
{
|
|
"category": "Targeting data",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486497050",
|
|
"to_ids": false,
|
|
"type": "target-external",
|
|
"uuid": "589a251a-1d2c-4aa6-be92-46c8950d210f",
|
|
"value": "A socialist organization in Spain"
|
|
},
|
|
{
|
|
"category": "Targeting data",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486497051",
|
|
"to_ids": false,
|
|
"type": "target-external",
|
|
"uuid": "589a251b-d124-4cf0-b8b2-4bb3950d210f",
|
|
"value": "An international cooperation organization based in France"
|
|
},
|
|
{
|
|
"category": "Targeting data",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486497052",
|
|
"to_ids": false,
|
|
"type": "target-external",
|
|
"uuid": "589a251c-2e34-4550-b107-41aa950d210f",
|
|
"value": "An African union site"
|
|
},
|
|
{
|
|
"category": "Targeting data",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486497053",
|
|
"to_ids": false,
|
|
"type": "target-external",
|
|
"uuid": "589a251d-1f24-4f83-a9a8-48a7950d210f",
|
|
"value": "A road safety site from Ukraine"
|
|
},
|
|
{
|
|
"category": "Targeting data",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486497054",
|
|
"to_ids": false,
|
|
"type": "target-external",
|
|
"uuid": "589a251e-9d7c-4341-94bb-4505950d210f",
|
|
"value": "An African plant society"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486497239",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "589a2583-b4f0-40e7-a3ee-487c950d210f",
|
|
"value": "https://blogs.forcepoint.com/security-labs/curious-case-reconnaissance-campaign-targeting-ministry-and-embassy-sites",
|
|
"Tag": [
|
|
{
|
|
"colour": "#00223b",
|
|
"local": false,
|
|
"name": "osint:source-type=\"blog-post\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#075200",
|
|
"local": false,
|
|
"name": "admiralty-scale:source-reliability=\"b\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
} |