Heroes, a large vulnerability in the observability platform Grafana to address. Also, a candidate for headline of the year: "Cryptographic Association Cancels Election After Losing Decryption Key."
Here's a detailed look at the current cybersecurity landscape for November 22, 2025.
Grafana has released urgent security updates to address a maximum severity vulnerability, CVE-2025-41115, rated 10.0 on the CVSS scale. The flaw resides in the System for Cross-domain Identity Management (SCIM) functionality and, under certain configurations, can be exploited to achieve privilege escalation or complete user impersonation.
Business impact
An attacker could exploit this vulnerability to gain administrative control over a Grafana instance. This would grant them access to all sensitive data, dashboards, and connected data sources, potentially leading to a significant data breach and compromise of underlying infrastructure monitored by Grafana.
Recommended action
All organizations using Grafana with SCIM enabled must upgrade to a patched version immediately. Review Grafana access logs and audit trails for any unauthorized account activity or privilege changes.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical pre-authentication Remote Code Execution (RCE) vulnerability in Oracle Fusion Middleware and Oracle Identity Manager to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, tracked as CVE-2025-61757 with a CVSS score of 9.8, is confirmed to be under active exploitation, potentially as a zero-day. This action mandates that Federal Civilian Executive Branch agencies patch the vulnerability by a specified deadline.
Business impact
Unpatched systems are at immediate and severe risk of complete compromise. Attackers can gain initial access to networks, deploy ransomware, exfiltrate sensitive data, and disrupt business operations. Failure to patch may result in non-compliance with federal directives and significant reputational damage.
Recommended action
Immediately apply the security patches provided by Oracle to all affected Oracle Fusion Middleware and Identity Manager instances. Prioritize public-facing servers. Hunt for signs of compromise using available indicators and review access logs for anomalous activity.
Security reporting highlights a surge in advanced AI-driven attacks, specifically noting the use of second-order prompt injection techniques. Unlike direct injection, this method involves an attacker planting a malicious prompt into a data source that an AI model will later process, causing the model to execute unintended actions or reveal sensitive information when a legitimate user interacts with it.
Business impact
This attack vector can compromise AI-integrated applications, leading to data leakage, unauthorized actions performed on behalf of users, and manipulation of business logic. It represents a sophisticated threat that can bypass traditional input validation and security controls.
Recommended action
Development and security teams should implement strict data sanitization for all information ingested by AI/LLM models. Employ content filtering on model outputs and design applications with the principle of least privilege to limit the potential damage from a compromised AI agent.
The International Association of Cryptologic Research (IACR) was forced to cancel its annual leadership election results after an official lost the encryption key required to decrypt the votes. This incident serves as a stark reminder of the critical importance of key management and operational security, even within expert organizations.
A digital privacy organization has filed a lawsuit against the U.S. federal government to release records of its discussions with technology companies. The communications reportedly led to the removal of apps and websites that tracked the activities of Immigration and Customs Enforcement (ICE), raising questions about government influence on content moderation.
For the ninth consecutive year, Microsoft has been recognized as a Leader in the Gartner® Magic Quadrant™ for Access Management. This continued recognition highlights the company's strategic importance in the identity and access management (IAM) space, a critical component of modern zero-trust security architectures.
Strategic analysis suggests that while technical debt slows down operations, "innovation debt"—the failure to adopt new technologies and processes—poses a greater existential threat in the era of AI. Leaders are urged to prioritize strategic innovation, particularly in security, to avoid being outpaced by more agile and AI-enabled adversaries.
Spotlight Rationale: Today's critical threats, including the actively exploited Oracle RCE flaw ([CVE-2025-61757](https://nvd.nist.gov/vuln/detail/CVE-2025-61757)) and the Grafana SCIM vulnerability ([CVE-2025-41115](https://nvd.nist.gov/vuln/detail/CVE-2025-41115)), underscore the urgent need for comprehensive visibility, rapid vulnerability identification, and robust endpoint detection and response (EDR) to counter post-exploitation activity.
CrowdStrike provides a cloud-native platform that unifies next-generation antivirus (NGAV), EDR, and a 24/7 managed threat hunting service. Its Falcon Spotlight module can help organizations quickly identify assets vulnerable to flaws like CVE-2025-61757, while its core EDR capabilities are designed to detect and block the subsequent malicious behaviors that occur after an initial exploit, providing a critical defense-in-depth layer.
Actionable Platform Guidance: Based on available intelligence, the following actions can enhance detection and response capabilities for threats similar to those reported today.
⚠️ Disclaimer: Test all detection logic in non-production environments before deployment.
1. Vendor Platform Configuration - CrowdStrike
# Disclaimer: This guidance is based on general platform knowledge.
# Verify against current CrowdStrike documentation.
# --- Immediate Actions ---
# 1. Create a High-Severity Vulnerability Dashboard for Oracle/Grafana
#    - In Falcon Spotlight, navigate to Dashboards.
#    - Create a new dashboard titled "Critical App Vulnerabilities - Nov 2025".
#    - Add widgets to filter for hosts with CVE-2025-61757 and CVE-2025-41115.
#    - Set filters for 'Exploitable' and 'Actively Exploited in the Wild'.
# 2. Implement Proactive Threat Hunting Queries
#    - In Falcon Investigate, run queries to search for post-exploitation behavior
#      associated with Oracle Fusion Middleware or Grafana processes. The signal is a
#      shell spawned as a child of the application process, so match on the parent
#      process name rather than on the application's own command line.
#    - Example (Event Search syntax):
#        event_simpleName=ProcessRollup2
#        | search ParentBaseFileName IN ("java.exe", "grafana-server.exe")
#        | search FileName IN ("cmd.exe", "powershell.exe")
#    - Save these queries for recurring hunts.
# 3. Escalate Detections on Critical Oracle/Grafana Servers
#    - Create a host group for all servers running Oracle Fusion and Grafana.
#    - In the Prevention Policy, create a rule that applies a more aggressive
#      prevention posture (e.g., 'Aggressive' or 'Extra Aggressive') for this host group.
# --- Verification Steps ---
# 1. Verify Asset Inventory
#    - In Falcon Discover, ensure that all known Oracle and Grafana servers are
#      correctly inventoried and have the Falcon sensor installed and active.
# 2. Confirm LogScale Coverage
#    - Ensure logs from critical application servers are being ingested into your SIEM
#      or log management solution and are accessible via Falcon Investigate if integrated.
2. YARA Rule for Oracle Fusion Post-Exploitation Artifacts
rule Detect_Oracle_RCE_PostExploit_CVE_2025_61757 {
    meta:
        description = "Detects potential webshells or suspicious script files dropped after exploiting CVE-2025-61757 in Oracle Fusion Middleware."
        author = "Threat Rundown"
        date = "2025-11-22"
        reference = "https://securityaffairs.com/?p=184935"
        severity = "high"
        tlp = "white"
    strings:
        $s1 = "Runtime.getRuntime().exec" ascii wide
        $s2 = "ProcessBuilder(\"cmd.exe\"" ascii wide
        $s3 = "getInputStream()" ascii wide
        $s4 = "eval(request.getParameter" ascii wide
    condition:
        // ZIP/WAR magic is the two bytes 0x50 0x4B ("PK"). YARA's uint16() reads
        // little-endian, so those bytes compare as 0x4B50.
        // The string patterns only hit archive entries that are stored uncompressed;
        // deflated WAR contents must be extracted before scanning.
        uint16(0) == 0x4B50 and filesize < 100KB and all of them
}
3. SIEM Query — Hunting for Grafana Exploitation
index=proxy sourcetype="web_proxy" http_method="POST" url="*/api/scim/*"
| stats count by src_ip, user_agent, url
| where count > 10
| `comment("Looks for an unusual volume of POST requests to the SCIM API endpoint from a single source, potentially indicating brute-force or exploitation attempts against CVE-2025-41115.")`
| sort -count
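The same hunt as the SPL above, written as an added Python script (not code from the newsletter) that runs the POST-volume logic over constructed proxy log lines so it can be checked offline; the one-request-per-line log layout is an assumption, not any particular proxy's real format.

```python
"""Added example (not from the newsletter): the SCIM POST-volume hunt from the
SPL query, run over constructed proxy log lines. The log layout below is an
assumption, not the format of any specific proxy product."""
import re
from collections import Counter
from typing import Iterable, Optional

# Assumed layout: <timestamp> <src_ip> <method> <url> <status> "<user_agent>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src_ip>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<user_agent>[^"]*)"$'
)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one proxy log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def hunt_scim_post_volume(lines: Iterable[str], threshold: int = 10) -> list:
    """Python equivalent of the SPL:
         http_method="POST" url="*/api/scim/*"
         | stats count by src_ip, user_agent, url | where count > threshold | sort -count
    Returns [((src_ip, user_agent, url), count), ...] sorted by count, descending.
    Lines that do not parse are skipped rather than counted."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] != "POST" or "/api/scim/" not in rec["url"]:
            continue
        counts[(rec["src_ip"], rec["user_agent"], rec["url"])] += 1
    hits = [(key, n) for key, n in counts.items() if n > threshold]
    hits.sort(key=lambda kv: kv[1], reverse=True)
    return hits


# --- Constructed sample traffic (not real logs) ---
SCIM_USERS = "https://grafana.example.internal/api/scim/v2/Users"


def _line(sec: int, ip: str, method: str, url: str, status: int, ua: str) -> str:
    return f'2025-11-22T10:00:{sec % 60:02d}Z {ip} {method} {url} {status} "{ua}"'


SAMPLE_LINES = (
    # 12 POSTs from one scripted client: exceeds the SPL threshold of 10
    [_line(i, "203.0.113.7", "POST", SCIM_USERS, 201, "python-requests/2.31") for i in range(12)]
    # 3 POSTs from the legitimate identity provider: stays below threshold
    + [_line(i, "198.51.100.5", "POST", SCIM_USERS, 201, "Okta-SCIM/1.0") for i in range(3)]
    # 20 GETs to the same endpoint: wrong method, never counted
    + [_line(i, "203.0.113.7", "GET", SCIM_USERS, 200, "python-requests/2.31") for i in range(20)]
    # a POST elsewhere in the API: wrong path, never counted
    + [_line(30, "192.0.2.9", "POST", "https://grafana.example.internal/api/dashboards/db", 200, "Mozilla/5.0")]
    # a malformed line: skipped by the parser
    + ["garbage line that does not match the log layout"]
)

if __name__ == "__main__":
    for (src_ip, user_agent, url), n in hunt_scim_post_volume(SAMPLE_LINES):
        print(f"{n:4d}  {src_ip:15s}  {user_agent:22s}  {url}")
```

Lowering `threshold` surfaces the identity provider's own provisioning traffic as well, which is the baseline to compare a suspicious source against.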
4. PowerShell Script — Check for Oracle Vulnerability Indicators
# This script checks for suspicious files in a common web directory.
# Customize $webDirectories for your specific Oracle environment.
$webDirectories = @(
    "C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\servers\AdminServer\tmp",
    "C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\servers\managed_server_1\tmp"
)
# -Include takes wildcard patterns; a bare ".jsp" would only match a file literally named ".jsp".
# .war archives are compressed, so keyword matches inside them only hit uncompressed entries.
$suspiciousExtensions = @("*.jsp", "*.jspx", "*.war")
$keywords = @("cmd.exe", "powershell", "getRuntime")

Write-Host "Scanning for suspicious files related to potential Oracle exploitation..."
foreach ($dir in $webDirectories) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Recurse -File -Include $suspiciousExtensions -ErrorAction SilentlyContinue | ForEach-Object {
            $content = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
            if (-not $content) { return }   # skip empty or unreadable files
            foreach ($keyword in $keywords) {
                # Escape the keyword so the '.' in "cmd.exe" matches a literal dot, not any character
                if ($content -match [regex]::Escape($keyword)) {
                    Write-Warning "Suspicious keyword '$keyword' found in file: $($_.FullName)"
                }
            }
        }
    } else {
        Write-Host "Directory not found: $dir"
    }
}
About STIX 2.1: Structured Threat Information eXpression (STIX) is the machine language of cybersecurity. This bundle contains validated threat objects, indicators, and relationships that can be directly imported into your SIEM, TIP, or security orchestration platform.
Usage: Download or copy the JSON below and import it directly into your threat intelligence platform, SIEM, or security orchestration tools for automated threat detection and response.
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-22T14:22:49.829Z",
"modified": "2025-11-22T14:22:49.829Z",
"confidence": 95,
"type": "identity",
"id": "identity--bc16a911-1fe7-4b6f-8ce5-63c3cf19f01d",
"name": "Grafana Labs",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Grafana Labs is a software company that provides a platform for building and deploying data visualization and monitoring tools for various data sources and systems.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-22T14:22:49.829Z",
"modified": "2025-11-22T14:22:49.829Z",
"confidence": 95,
"type": "identity",
"id": "identity--e7ee6b46-a485-47a0-9f24-5208ec7a218f",
"name": "The Federal Communications Commission",
"identity_class": "organization",
"labels": [
"organization"
],
"description": "The Federal Communications Commission (FCC) is an independent agency of the US federal government that is responsible for regulating interstate and international communications by radio, television, wire, satellite, and cable. In the context of cybersecurity, the FCC plays a crucial role in setting policies and regulations to protect the nation's communication infrastructure from cyber threats.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-22T14:22:49.829Z",
"modified": "2025-11-22T14:22:49.829Z",
"confidence": 95,
"type": "identity",
"id": "identity--73e2fb2e-2ffc-4fce-b6d6-3ef14b49533b",
"name": "The 2024 State of AI",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "The 2024 State of AI is a report or publication that provides insights and trends on the current state of artificial intelligence.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-22T14:22:49.829Z",
"modified": "2025-11-22T14:22:49.829Z",
"confidence": 90,
"type": "threat-actor",
"id": "threat-actor--e5680db4-88e5-427d-a873-6cf55a8a316d",
"name": "China",
"threat_actor_types": [
"hacker"
],
"labels": [
"threat-actor"
],
"description": "China is a suspected state-sponsored threat actor group believed to be responsible for a mass compromise of thousands of Asus routers. The group's intentions for the hacking spree are currently unknown, but their actions suggest a focus on exploiting vulnerabilities in network infrastructure.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-22T14:22:49.829Z",
"modified": "2025-11-22T14:22:49.829Z",
"confidence": 95,
"type": "identity",
"id": "identity--3b436e3d-8e0a-4189-bae9-6127822147b2",
"name": "Managed Security Service Providers",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Managed Security Service Providers is a company that offers outsourced cybersecurity services, monitoring, and management to help organizations protect themselves from cyber threats and vulnerabilities.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-22T14:22:49.829Z",
"modified": "2025-11-22T14:22:49.829Z",
"confidence": 95,
"type": "identity",
"id": "identity--016ba4c3-2cb5-4b03-8192-5694e6eecac1",
"name": "Protiviti",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Protiviti is a global consulting firm specializing in risk, internal audit, and compliance services, helping organizations navigate complex regulatory environments and improve their overall resilience and performance.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-22T14:22:49.829Z",
"modified": "2025-11-22T14:22:49.829Z",
"confidence": 95,
"type": "identity",
"id": "identity--8b8d7be6-0a30-4c25-a8b2-dc917a230b06",
"name": "Antonio Maio",
"identity_class": "individual",
"labels": [
"identity"
],
"description": "Antonio Maio is a managing director at global consulting firm Protiviti, known for his expertise in data security. He spoke about the challenges faced by organizations in implementing data security measures.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-22T14:22:49.829Z",
"modified": "2025-11-22T14:22:49.829Z",
"confidence": 95,
"type": "identity",
"id": "identity--d2dc1825-0d8c-4107-80c9-cc4a66070a6c",
"name": "VirtualBox",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "VirtualBox is a free and open-source virtualization platform that allows users to create and run virtual machines on a host operating system, enabling sandboxed environments for testing, development, and security research.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-22T14:22:49.829Z",
"modified": "2025-11-22T14:22:49.829Z",
"confidence": 30,
"type": "identity",
"id": "identity--237bded2-e2c0-4816-8f67-6ea0427df08e",
"name": "Nvidia",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Nvidia is a multinational technology company specializing in designing and manufacturing graphics processing units (GPUs) and high-performance computing hardware.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-22T14:22:49.829Z",
"modified": "2025-11-22T14:22:49.829Z",
"confidence": 95,
"type": "identity",
"id": "identity--07a59964-2f3f-460e-ba0c-6df55abb9118",
"name": "tryhackme.com",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "tryhackme.com is a cybersecurity training platform that offers interactive hacking labs and challenges for users to learn and practice various security skills.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-22T14:22:49.829Z",
"modified": "2025-11-22T14:22:49.829Z",
"confidence": 95,
"type": "identity",
"id": "identity--a7024a48-6cf8-4e04-a74a-a8cbded294e4",
"name": "www.axios.com",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "www.axios.com is a news website providing in-depth coverage of politics, business, and global news.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-22T14:22:49.829Z",
"modified": "2025-11-22T14:22:49.829Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc",
"name": "Exploit Public-Facing Application",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1190",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1190/",
"external_id": "T1190"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-22T14:22:49.829Z",
"modified": "2025-11-22T14:22:49.829Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678",
"name": "Exploitation for Client Execution",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"x_mitre_id": "T1203",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1203/",
"external_id": "T1203"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-22T14:22:49.829Z",
"modified": "2025-11-22T14:22:49.829Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--f33f5834-6a9a-4727-88a5-9d35eeba1cff",
"name": "Abuse Elevation Control Mechanism",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"x_mitre_id": "T1548",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1548/",
"external_id": "T1548"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-22T14:22:49.829Z",
"modified": "2025-11-22T14:22:49.829Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--2d26e3d0-4bbf-44c3-aa9e-5aeab4937638",
"name": "Access Token Manipulation",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"x_mitre_id": "T1134",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1134/",
"external_id": "T1134"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-22T14:22:49.829Z",
"modified": "2025-11-22T14:22:49.829Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--c3286059-b33e-4b64-9fda-22075baf9afa",
"name": "Ingress Tool Transfer",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"x_mitre_id": "T1105",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1105/",
"external_id": "T1105"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-22T14:22:49.830Z",
"modified": "2025-11-22T14:22:49.830Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
"name": "Command and Scripting Interpreter",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"x_mitre_id": "T1059",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1059/",
"external_id": "T1059"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-22T14:22:49.830Z",
"modified": "2025-11-22T14:22:49.830Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7",
"name": "Supply Chain Compromise",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1195",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1195/",
"external_id": "T1195"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-22T14:22:49.830Z",
"modified": "2025-11-22T14:22:49.830Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--9df8a3ab-356d-40ee-a3ef-bad3413bd273",
"name": "Obfuscated Files or Information",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"x_mitre_id": "T1027",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1027/",
"external_id": "T1027"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-22T14:22:49.830Z",
"modified": "2025-11-22T14:22:49.830Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--4a2578d4-fdf6-48d3-b66a-93c681e1e21e",
"name": "Application Layer Protocol",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"x_mitre_id": "T1071",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1071/",
"external_id": "T1071"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-22T14:22:49.830Z",
"modified": "2025-11-22T14:22:49.830Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--68a5c7b8-09b4-49b1-8149-bc23ed0260c9",
"name": "Non-Application Layer Protocol",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"x_mitre_id": "T1095",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1095/",
"external_id": "T1095"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-22T14:22:49.830Z",
"modified": "2025-11-22T14:22:49.830Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"name": "Spearphishing Attachment",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/001/",
"external_id": "T1566.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-22T14:22:49.830Z",
"modified": "2025-11-22T14:22:49.830Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65",
"name": "Spearphishing Link",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.002",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/002/",
"external_id": "T1566.002"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-22T14:22:49.830Z",
"modified": "2025-11-22T14:22:49.830Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11",
"name": "Spearphishing via Service",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.003",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/003/",
"external_id": "T1566.003"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-22T14:22:49.830Z",
"modified": "2025-11-22T14:22:49.830Z",
"confidence": 85,
"type": "attack-pattern",
"id": "attack-pattern--9f64016e-c8af-4b0a-a70c-58ee69745d18",
"name": "SEO Poisoning",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_id": "T1608.006",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1608/006/",
"external_id": "T1608.006"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-22T14:22:49.830Z",
"modified": "2025-11-22T14:22:49.830Z",
"confidence": 85,
"type": "attack-pattern",
"id": "attack-pattern--b6ffdce7-d75a-4165-9bfc-c8adc6c9b5ea",
"name": "Drive-by Compromise",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1189",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1189/",
"external_id": "T1189"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-22T14:22:49.830Z",
"modified": "2025-11-22T14:22:49.830Z",
"confidence": 72,
"type": "attack-pattern",
"id": "attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719",
"name": "Vulnerabilities",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_id": "T1588.006",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1588/006/",
"external_id": "T1588.006"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-22T14:22:49.830Z",
"modified": "2025-11-22T14:22:49.830Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3",
"name": "Archive via Utility",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1560.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1560/001/",
"external_id": "T1560.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-22T14:22:49.830Z",
"modified": "2025-11-22T14:22:49.830Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2",
"name": "Screen Capture",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1113",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1113/",
"external_id": "T1113"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-22T14:22:49.830Z",
"modified": "2025-11-22T14:22:49.830Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18",
"name": "Adversary-in-the-Middle",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1557",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1557/",
"external_id": "T1557"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-22T14:22:49.830Z",
"modified": "2025-11-22T14:22:49.830Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea",
"name": "Scheduled Task",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"x_mitre_id": "T1053.005",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1053/005/",
"external_id": "T1053.005"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-22T14:22:49.830Z",
"modified": "2025-11-22T14:22:49.830Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--ed3369e1-8515-458a-99e3-cb9283fb73d1",
"name": "Socket Filters",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"x_mitre_id": "T1205.002",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1205/002/",
"external_id": "T1205.002"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-22T14:22:49.830Z",
"modified": "2025-11-22T14:22:49.830Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--e03eb8e0-183c-4351-82cb-2d9c193d1530",
"name": "Malicious Shell Modification",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"x_mitre_id": "T1156",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1156/",
"external_id": "T1156"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-22T14:22:49.830Z",
"modified": "2025-11-22T14:22:49.830Z",
"confidence": 68,
"type": "attack-pattern",
"id": "attack-pattern--775a5581-fd79-4cfc-a505-6d409b3bbfba",
"name": "Browser Session Hijacking",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1185",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1185/",
"external_id": "T1185"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-22T14:22:49.830Z",
"modified": "2025-11-22T14:22:49.830Z",
"confidence": 68,
"type": "attack-pattern",
"id": "attack-pattern--172f3845-7870-4c1c-80bd-251e10ce9f1e",
"name": "Browser Extensions",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"x_mitre_id": "T1176.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1176/001/",
"external_id": "T1176.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-22T14:22:49.830Z",
"modified": "2025-11-22T14:22:49.830Z",
"confidence": 67,
"type": "attack-pattern",
"id": "attack-pattern--648fba01-e867-4fc6-96df-cc8f6217bee6",
"name": "Artificial Intelligence",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_id": "T1588.007",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1588/007/",
"external_id": "T1588.007"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--46b3a464-c76a-4814-9b09-956f8306638d",
"created": "2025-11-22T14:22:49.830Z",
"modified": "2025-11-22T14:22:49.830Z",
"relationship_type": "uses",
"source_ref": "threat-actor--86e4d679-b5fa-4512-9470-4602474f160f",
"target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
"confidence": 75,
"description": "MITRE ATT&CK mapping: owasp uses command and scripting interpreter (T1059)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--2ec233ed-2720-481f-b5a2-442cc58da468",
"created": "2025-11-22T14:22:49.830Z",
"modified": "2025-11-22T14:22:49.830Z",
"relationship_type": "uses",
"source_ref": "threat-actor--86e4d679-b5fa-4512-9470-4602474f160f",
"target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"confidence": 75,
"description": "MITRE ATT&CK mapping: owasp uses spearphishing attachment (T1566.001)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--1db455d1-ea73-4a89-9638-e61f7986a5f3",
"created": "2025-11-22T14:22:49.830Z",
"modified": "2025-11-22T14:22:49.830Z",
"relationship_type": "uses",
"source_ref": "threat-actor--11b59dfe-0df2-47ce-9305-82c2821d5449",
"target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
"confidence": 75,
"description": "MITRE ATT&CK mapping: cylab-africa uses command and scripting interpreter (T1059)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--360817b5-9bae-46aa-b037-ac3f158d7cbf",
"created": "2025-11-22T14:22:49.830Z",
"modified": "2025-11-22T14:22:49.830Z",
"relationship_type": "uses",
"source_ref": "threat-actor--11b59dfe-0df2-47ce-9305-82c2821d5449",
"target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"confidence": 75,
"description": "MITRE ATT&CK mapping: cylab-africa uses spearphishing attachment (T1566.001)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--f1c940b3-f86b-42c0-a10e-de130a859f93",
"created": "2025-11-22T14:22:49.830Z",
"modified": "2025-11-22T14:22:49.830Z",
"relationship_type": "uses",
"source_ref": "threat-actor--e5680db4-88e5-427d-a873-6cf55a8a316d",
"target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
"confidence": 75,
"description": "MITRE ATT&CK mapping: china uses command and scripting interpreter (T1059)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--8ea5c023-c47b-4019-87a0-dadb10c8089a",
"created": "2025-11-22T14:22:49.830Z",
"modified": "2025-11-22T14:22:49.830Z",
"relationship_type": "uses",
"source_ref": "threat-actor--e5680db4-88e5-427d-a873-6cf55a8a316d",
"target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"confidence": 75,
"description": "MITRE ATT&CK mapping: china uses spearphishing attachment (T1566.001)",
"x_validation_method": "mitre-mapper"
}
]
}