MISP
/
misp-training
mirror of https://github.com/MISP/misp-training
2
0
Fork 0
Code Issues Releases Wiki Activity
misp-training/training-support/sample-events/atm-vulnerabilities-allow-d...

2 lines
65 KiB
JSON
Raw Blame History

This file contains invisible Unicode characters!

This file contains invisible Unicode characters that may be processed differently from what appears below. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to reveal hidden characters.

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

{"response": [{"Event":{"id":"2368","orgc_id":"2","org_id":"1","date":"2021-02-16","threat_level_id":"2","info":"ATM Vulnerabilities Allow Deposit Forgery Attacks","published":true,"uuid":"848a3172-1301-4cbd-8398-435b00904c20","attribute_count":"64","analysis":"1","timestamp":"1645618764","distribution":"1","proposal_email_lock":false,"locked":true,"publish_timestamp":"1645619938","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","protected":null,"Org":{"id":"1","name":"Training","uuid":"5d6d3b30-9db0-44b9-8869-7f56a5e38e14","local":true},"Orgc":{"id":"2","name":"CIRCL","uuid":"55f6ea5e-2c60-40e5-964f-47a8950d210f","local":true},"Attribute":[{"id":"426202","type":"vulnerability","category":"Payload delivery","to_ids":false,"uuid":"5cfca8e3-183e-4e79-b4a2-3202075867be","event_id":"2368","distribution":"5","timestamp":"1614252023","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":"2020-08-28T00:00:00.000000+00:00","last_seen":null,"value":"CVE-2020-9062","Galaxy":[],"ShadowAttribute":[]},{"id":"426203","type":"vulnerability","category":"Payload delivery","to_ids":false,"uuid":"8bed0620-5cd8-4269-a1b8-b2abce9e40c4","event_id":"2368","distribution":"5","timestamp":"1613486380","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"CVE-2020-10124","Galaxy":[],"ShadowAttribute":[]}],"ShadowAttribute":[],"RelatedEvent":[{"Event":{"id":"1753","date":"2020-02-19","threat_level_id":"4","info":"OSINT - SonicWall SRA and SMA vulnerabilties","published":true,"uuid":"5e4d19a6-7b24-45dd-bb63-6fdba5e38e14","analysis":"0","timestamp":"1582117512","distribution":"1","org_id":"1","orgc_id":"1","Org":{"id":"1","name":"Training","uuid":"5d6d3b30-9db0-44b9-8869-7f56a5e38e14"},"Orgc":{"id":"1","name":"Training","uuid":"5d6d3b30-9db0-44b9-8869-7f56a5e38e14"}}}],"Galaxy":[{"id":"10","uuid":"cc0c8ae9-aec2-42c6-9939-f4f82b051836","name":"attck4fraud","type":"financial-fraud","description":"attck4fraud - Principles of MITRE ATT&CK in the fraud domain","version":"1","icon":"map","namespace":"misp","enabled":true,"local_only":false,"kill_chain_order":{"fraud-tactics":["Initiation","Target Compromise","Perform Fraud","Obtain Fraudulent Assets","Assets Transfer","Monetisation"]},"GalaxyCluster":[{"id":"1627","collection_uuid":"cc0c8ae9-aec2-42c6-9939-f4f82b051836","type":"financial-fraud","value":"ATM Black Box Attack","tag_name":"misp-galaxy:financial-fraud=\"ATM Black Box Attack\"","description":"ATM Black Box Attack","galaxy_id":"10","source":"Open Sources","authors":["Francesco Bigarella"],"version":"3","uuid":"6bec22cb-9aed-426a-bffc-b0a78db6527a","distribution":"3","sharing_group_id":null,"org_id":"0","orgc_id":"0","default":true,"locked":false,"extends_uuid":"","extends_version":"0","published":false,"deleted":false,"GalaxyClusterRelation":[],"Org":{"id":"0","name":"MISP","date_created":"","date_modified":"","description":"Automatically generated MISP organisation","type":"","nationality":"Not specified","sector":"","created_by":"0","uuid":"0","contacts":"","local":true,"restricted_to_domain":[],"landingpage":null},"Orgc":{"id":"0","name":"MISP","date_created":"","date_modified":"","description":"Automatically generated MISP organisation","type":"","nationality":"Not specified","sector":"","created_by":"0","uuid":"0","contacts":"","local":true,"restricted_to_domain":[],"landingpage":null},"meta":{"kill_chain":["fraud-tactics:Target Compromise"]},"tag_id":"1074","local":false}]},{"id":"1","uuid":"3f44af2e-1480-4b6b-9aa8-f9bb21341078","name":"Ransomware","type":"ransomware","description":"Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml","version":"4","icon":"btc","namespace":"misp","enabled":true,"local_only":false,"GalaxyCluster":[{"id":"19924","collection_uuid":"10cf658b-5d32-4c4b-bb32-61760a640372","type":"ransomware","value":"Korean","tag_name":"misp-galaxy:ransomware=\"Korean\"","description":"Ransomware Based on HiddenTear","galaxy_id":"1","source":"Various","authors":["https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml","http://pastebin.com/raw/GHgpWjar","MISP Project","https://id-ransomware.blogspot.com/2016/07/ransomware-list.html"],"version":"100","uuid":"4febffe0-3837-41d7-b95f-e26d126275e4","distribution":"3","sharing_group_id":null,"org_id":"0","orgc_id":"0","default":true,"locked":false,"extends_uuid":"","extends_version":"0","published":false,"deleted":false,"GalaxyClusterRelation":[],"Org":{"id":"0","name":"MISP","date_created":"","date_modified":"","description":"Automatically generated MISP organisation","type":"","nationality":"Not specified","sector":"","created_by":"0","uuid":"0","contacts":"","local":true,"restricted_to_domain":[],"landingpage":null},"Orgc":{"id":"0","name":"MISP","date_created":"","date_modified":"","description":"Automatically generated MISP organisation","type":"","nationality":"Not specified","sector":"","created_by":"0","uuid":"0","contacts":"","local":true,"restricted_to_domain":[],"landingpage":null},"meta":{"encryption":["AES-256"],"extensions":[".암호화됨"],"payment-method":["Bitcoin"],"price":["0.5"],"ransomnotes-filenames":["ReadMe.txt"],"refs":["http://www.nyxbone.com/malware/koreanRansom.html","http://id-ransomware.blogspot.com/2016/08/korean-ransomware.html"]},"tag_id":"1893","local":false}]},{"id":"25","uuid":"c4e851fa-775f-11e7-8163-b774922098cd","name":"Attack Pattern","type":"mitre-attack-pattern","description":"ATT&CK Tactic","version":"8","icon":"map","namespace":"mitre-attack","enabled":true,"local_only":false,"kill_chain_order":{"mitre-attack":["initial-access","execution","persistence","privilege-escalation","defense-evasion","credential-access","discovery","lateral-movement","collection","command-and-control","exfiltration","impact"],"mitre-mobile-attack":["initial-access","persistence","privilege-escalation","defense-evasion","credential-access","discovery","lateral-movement","effects","collection","exfiltration","command-and-control","network-effects","remote-service-effects"],"mitre-pre-attack":["priority-definition-planning","priority-definition-direction","target-selection","technical-information-gathering","people-information-gathering","organizational-information-gathering","technical-weakness-identification","people-weakness-identification","organizational-weakness-identification","adversary-opsec","establish-&-maintain-infrastructure","persona-development","build-capabilities","test-capabilities","stage-capabilities"]},"GalaxyCluster":[{"id":"18488","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Vulnerabilities - T1588.006","tag_name":"misp-galaxy:mitre-attack-pattern=\"Vulnerabilities - T1588.006\"","description":"Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases.(Citation: National Vulnerability Database)\n\nAn adversary may monitor vulnerability disclosures/databases to understand the state of existing, as well as newly discovered, vulnerabilities. There is usually a delay between when a vulnerability is discovered and when it is made public. An adversary may target the systems of those known to conduct vulnerability research (including commercial vendors). Knowledge of a vulnerability may cause an adversary to search for an existing exploit (i.e. [Exploits](https://attack.mitre.org/techniques/T1588/005)) or to attempt to develop one themselves (i.e. [Exploits](https://attack.mitre.org/techniques/T1587/004)).","galaxy_id":"25","source":"https://github.com/mitre/cti","authors":["MITRE"],"version":"17","uuid":"2b5aa86b-a0df-4382-848d-30abea443327","distribution":"3","sharing_group_id":null,"org_id":"0","orgc_id":"0","default":true,"locked":false,"extends_uuid":"","extends_version":"0","published":false,"deleted":false,"GalaxyClusterRelation":[{"id":"26668","galaxy_cluster_id":"18488","referenced_galaxy_cluster_id":"18434","referenced_galaxy_cluster_uuid":"ce0687a0-e692-4b77-964a-0784a8e54ff1","referenced_galaxy_cluster_type":"subtechnique-of","galaxy_cluster_uuid":"2b5aa86b-a0df-4382-848d-30abea443327","distribution":"3","sharing_group_id":null,"default":true}],"Org":{"id":"0","name":"MISP","date_created":"","date_modified":"","description":"Automatically generated MISP organisation","type":"","nationality":"Not specified","sector":"","created_by":"0","uuid":"0","contacts":"","local":true,"restricted_to_domain":[],"landingpage":null},"Orgc":{"id":"0","name":"MISP","date_created":"","date_modified":"","description":"Automatically generated MISP organisation","type":"","nationality":"Not specified","sector":"","created_by":"0","uuid":"0","contacts":"","local":true,"restricted_to_domain":[],"landingpage":null},"TargetingClusterRelation":[{"id":"15031","galaxy_cluster_id":"14224","referenced_galaxy_cluster_id":"18488","referenced_galaxy_cluster_uuid":"2b5aa86b-a0df-4382-848d-30abea443327","referenced_galaxy_cluster_type":"uses","galaxy_cluster_uuid":"381fcf73-60f6-4ab2-9991-6af3cbc35192","distribution":"3","sharing_group_id":null,"default":true},{"id":"28328","galaxy_cluster_id":"18802","referenced_galaxy_cluster_id":"18488","referenced_galaxy_cluster_uuid":"2b5aa86b-a0df-4382-848d-30abea443327","referenced_galaxy_cluster_type":"mitigates","galaxy_cluster_uuid":"78bb71be-92b4-46de-acd6-5f998fedf1cc","distribution":"3","sharing_group_id":null,"default":true}],"meta":{"external_id":["T1588.006"],"kill_chain":["mitre-attack:resource-development"],"mitre_platforms":["PRE"],"refs":["https://attack.mitre.org/techniques/T1588/006","https://nvd.nist.gov/"]},"tag_id":"1894","local":false}]}],"Object":[{"id":"30556","name":"report","meta-category":"misc","description":"Metadata used to generate an executive level report","template_uuid":"70a68471-df22-4e3f-aa1a-5a3be19f82df","template_version":"2","event_id":"2368","uuid":"723a9690-facd-419f-af10-d8b7bab01c36","timestamp":"1613486516","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"first_seen":null,"last_seen":null,"ObjectReference":[{"id":"10884","uuid":"6d8288f6-4223-44b0-b9c7-421ea98e6cc0","timestamp":"0","object_id":"30556","referenced_uuid":"56312967-1c4f-4f62-a740-e103d6b0e673","referenced_id":"30557","referenced_type":"1","relationship_type":"mentions","comment":"","deleted":false,"event_id":"2368","source_uuid":"723a9690-facd-419f-af10-d8b7bab01c36","Object":{"distribution":"5","sharing_group_id":"0","uuid":"56312967-1c4f-4f62-a740-e103d6b0e673","name":"vulnerability","meta-category":"vulnerability"}}],"Attribute":[{"id":"426204","type":"link","category":"External analysis","to_ids":false,"uuid":"a78e8137-7d8a-4ba5-8b8b-716c8d759320","event_id":"2368","distribution":"5","timestamp":"1613486110","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30556","object_relation":"link","first_seen":null,"last_seen":null,"value":"https://www.cyber.nj.gov/alerts-advisories/atm-vulnerabilities-allow-deposit-forgery-attacks","Galaxy":[],"ShadowAttribute":[]},{"id":"426205","type":"text","category":"Other","to_ids":false,"uuid":"5aed9524-5181-4862-995b-35596a66f4e6","event_id":"2368","distribution":"5","timestamp":"1613486110","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30556","object_relation":"summary","first_seen":null,"last_seen":null,"value":"Automated teller machine (ATM) companies Diebold and NCR released updates to fix a number of vulnerabilities discovered last year that may have permitted deposit forgery attacks. Deposit forgery flaws, which are considered rare, may be exploited by an attacker who has physical access to an affected ATM by intercepting and modifying messages while depositing funds, artificially increasing the deposited amount, and then withdrawing the excess funds. CVE-2020-9062 affects Diebold ProCash 2100xe USB ATMs running Wincore Probase software, and CVE-2020-10124 affects NCR SelfServ ATMs running APTRA XFS software. Additional flaws considered less severe were also identified and patched. This past weekend, the FBI and local police arrested dozens of suspects across NJ for exploiting vulnerabilities within Santander ATMs. The suspects purportedly withdrew funds from preloaded or fake debit cards during the incidents. Though the exploited vulnerabilities have not been correlated to those listed above, these similar incidents highlight the ease with which the ATM flaws may be exploited, as well as the importance of patching these systems. Additionally, CISA released a joint alert (AA20-239A) identifying malware and indicators of compromise (IOCs) used by the North Korean government in ATM cash-out schemes referred to by the US government as “FASTCash 2.0: North Koreas BeagleBoyz Robbing Banks.” The US does not appear to be targeted in these schemes at the time of this writing; however, organizations are urged to apply recommendations and report any suspicious activity related to the identified IOCs to local law enforcement.","Galaxy":[],"ShadowAttribute":[]}]},{"id":"30557","name":"vulnerability","meta-category":"vulnerability","description":"Vulnerability object describing a common vulnerability enumeration which can describe published, unpublished, under review or embargo vulnerability for software, equipments or hardware.","template_uuid":"81650945-f186-437b-8945-9f31715d32da","template_version":"8","event_id":"2368","uuid":"56312967-1c4f-4f62-a740-e103d6b0e673","timestamp":"1614249234","distribution":"5","sharing_group_id":"0","comment":"CVE-2020-9062: Enriched via the cve_advanced module","deleted":false,"first_seen":null,"last_seen":null,"ObjectReference":[{"id":"10885","uuid":"2b9de2ee-dc45-414b-84cb-e813ddd4ce92","timestamp":"0","object_id":"30557","referenced_uuid":"5cfca8e3-183e-4e79-b4a2-3202075867be","referenced_id":"426202","referenced_type":"0","relationship_type":"related-to ","comment":"","deleted":false,"event_id":"2368","source_uuid":"56312967-1c4f-4f62-a740-e103d6b0e673","Attribute":{"distribution":"5","sharing_group_id":"0","uuid":"5cfca8e3-183e-4e79-b4a2-3202075867be","value":"CVE-2020-9062","type":"vulnerability","category":"Payload delivery","to_ids":false}},{"id":"10886","uuid":"f162d761-b9f8-49b2-afe7-a7ac3224ab30","timestamp":"0","object_id":"30557","referenced_uuid":"225bcda5-6aa9-4ce1-bd0f-fed7a4fb5340","referenced_id":"30558","referenced_type":"1","relationship_type":"weakened-by ","comment":"","deleted":false,"event_id":"2368","source_uuid":"56312967-1c4f-4f62-a740-e103d6b0e673","Object":{"distribution":"5","sharing_group_id":"0","uuid":"225bcda5-6aa9-4ce1-bd0f-fed7a4fb5340","name":"weakness","meta-category":"vulnerability"}},{"id":"10887","uuid":"c861d708-895f-454a-82f7-ace80f5a7a83","timestamp":"0","object_id":"30557","referenced_uuid":"e735fda4-3164-4259-a5d6-dba72dfbc353","referenced_id":"30559","referenced_type":"1","relationship_type":"targeted-by ","comment":"","deleted":false,"event_id":"2368","source_uuid":"56312967-1c4f-4f62-a740-e103d6b0e673","Object":{"distribution":"5","sharing_group_id":"0","uuid":"e735fda4-3164-4259-a5d6-dba72dfbc353","name":"attack-pattern","meta-category":"vulnerability"}},{"id":"10888","uuid":"4a8425cd-0eda-47e7-8150-bfce7913b0ed","timestamp":"0","object_id":"30557","referenced_uuid":"7f358cbe-fc3c-4a64-8314-a850001c786d","referenced_id":"30560","referenced_type":"1","relationship_type":"targeted-by ","comment":"","deleted":false,"event_id":"2368","source_uuid":"56312967-1c4f-4f62-a740-e103d6b0e673","Object":{"distribution":"5","sharing_group_id":"0","uuid":"7f358cbe-fc3c-4a64-8314-a850001c786d","name":"attack-pattern","meta-category":"vulnerability"}},{"id":"10889","uuid":"7f62286e-e572-457c-bdde-5effc78a585e","timestamp":"0","object_id":"30557","referenced_uuid":"be14bf98-bac3-414d-8145-6e13783e7afa","referenced_id":"30561","referenced_type":"1","relationship_type":"targeted-by ","comment":"","deleted":false,"event_id":"2368","source_uuid":"56312967-1c4f-4f62-a740-e103d6b0e673","Object":{"distribution":"5","sharing_group_id":"0","uuid":"be14bf98-bac3-414d-8145-6e13783e7afa","name":"attack-pattern","meta-category":"vulnerability"}},{"id":"10890","uuid":"4652fcef-f118-48be-abde-25886a9ce578","timestamp":"0","object_id":"30557","referenced_uuid":"4c2354b6-4285-46fd-89fa-bb0dd36f63c6","referenced_id":"30562","referenced_type":"1","relationship_type":"targeted-by ","comment":"","deleted":false,"event_id":"2368","source_uuid":"56312967-1c4f-4f62-a740-e103d6b0e673","Object":{"distribution":"5","sharing_group_id":"0","uuid":"4c2354b6-4285-46fd-89fa-bb0dd36f63c6","name":"attack-pattern","meta-category":"vulnerability"}},{"id":"10891","uuid":"80387e86-b6c0-44cc-b4e9-1c4382aad56a","timestamp":"0","object_id":"30557","referenced_uuid":"5cfca8e3-183e-4e79-b4a2-3202075867be","referenced_id":"426202","referenced_type":"0","relationship_type":"annotates","comment":"","deleted":false,"event_id":"2368","source_uuid":"56312967-1c4f-4f62-a740-e103d6b0e673","Attribute":{"distribution":"5","sharing_group_id":"0","uuid":"5cfca8e3-183e-4e79-b4a2-3202075867be","value":"CVE-2020-9062","type":"vulnerability","category":"Payload delivery","to_ids":false}},{"id":"10908","uuid":"f2f0cb65-b424-44c8-a852-2e0dde82e873","timestamp":"1614249234","object_id":"30557","referenced_uuid":"cc5b158c-a45d-4f08-aa32-8a5124da4506","referenced_id":"30577","referenced_type":"1","relationship_type":"vulnerability-of","comment":"","deleted":false,"event_id":"2368","source_uuid":"56312967-1c4f-4f62-a740-e103d6b0e673","Object":{"distribution":"5","sharing_group_id":"0","uuid":"cc5b158c-a45d-4f08-aa32-8a5124da4506","name":"device","meta-category":"misc"}}],"Attribute":[{"id":"426206","type":"vulnerability","category":"External analysis","to_ids":false,"uuid":"6c8219de-999f-47b9-be88-841c3dc5fe18","event_id":"2368","distribution":"5","timestamp":"1613486277","comment":"CVE-2020-9062: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30557","object_relation":"id","first_seen":null,"last_seen":null,"value":"CVE-2020-9062","Galaxy":[],"ShadowAttribute":[]},{"id":"426207","type":"text","category":"Other","to_ids":false,"uuid":"59339f4e-800e-41eb-9de2-c98066e1825f","event_id":"2368","distribution":"5","timestamp":"1613486277","comment":"CVE-2020-9062: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30557","object_relation":"summary","first_seen":null,"last_seen":null,"value":"Diebold Nixdorf ProCash 2100xe USB ATMs running Wincor Probase version 1.1.30 do not encrypt, authenticate, or verify the integrity of messages between the CCDM and the host computer, allowing an attacker with physical access to internal ATM components to commit deposit forgery by intercepting and modifying messages to the host computer, such as the amount and value of currency being deposited.","Galaxy":[],"ShadowAttribute":[]},{"id":"426208","type":"datetime","category":"Other","to_ids":false,"uuid":"b8abfa57-91ee-4058-a0bc-9eeed344cf0f","event_id":"2368","distribution":"5","timestamp":"1613486277","comment":"CVE-2020-9062: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":true,"object_id":"30557","object_relation":"modified","first_seen":null,"last_seen":null,"value":"2020-08-27T19:36:00.000000+0000","Galaxy":[],"ShadowAttribute":[]},{"id":"426209","type":"float","category":"Other","to_ids":false,"uuid":"08cbbc7d-b007-427c-979e-8fff7890d68e","event_id":"2368","distribution":"5","timestamp":"1613486277","comment":"CVE-2020-9062: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":true,"object_id":"30557","object_relation":"cvss-score","first_seen":null,"last_seen":null,"value":"2.1","Galaxy":[],"ShadowAttribute":[]},{"id":"426210","type":"datetime","category":"Other","to_ids":false,"uuid":"2f36acdc-c6b1-487b-8aa3-85b5560c58f4","event_id":"2368","distribution":"5","timestamp":"1613486277","comment":"CVE-2020-9062: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":true,"object_id":"30557","object_relation":"published","first_seen":null,"last_seen":null,"value":"2020-08-21T21:15:00.000000+0000","Galaxy":[],"ShadowAttribute":[]},{"id":"426211","type":"text","category":"Other","to_ids":false,"uuid":"6b8ce58f-6c31-4e9a-ac9e-f725db787472","event_id":"2368","distribution":"5","timestamp":"1613486277","comment":"CVE-2020-9062: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":true,"object_id":"30557","object_relation":"state","first_seen":null,"last_seen":null,"value":"Published","Galaxy":[],"ShadowAttribute":[],"Sighting":[{"id":"81782","attribute_id":"426211","event_id":"2368","org_id":"2","date_sighting":"1613488638","uuid":"a0150000-d793-42fb-b4c4-3c0c6e8e565b","source":"","type":"0","attribute_uuid":"6b8ce58f-6c31-4e9a-ac9e-f725db787472","Organisation":{"id":"2","uuid":"55f6ea5e-2c60-40e5-964f-47a8950d210f","name":"CIRCL"}}]},{"id":"426212","type":"link","category":"External analysis","to_ids":false,"uuid":"5926846c-6170-475e-a8c1-934d33e6924c","event_id":"2368","distribution":"5","timestamp":"1613486277","comment":"CVE-2020-9062: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30557","object_relation":"references","first_seen":null,"last_seen":null,"value":"https://kb.cert.org/vuls/id/221785","Galaxy":[],"ShadowAttribute":[]},{"id":"426213","type":"cpe","category":"External analysis","to_ids":false,"uuid":"c878c539-a791-434d-81a0-d21784a915fc","event_id":"2368","distribution":"5","timestamp":"1613486277","comment":"CVE-2020-9062: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30557","object_relation":"vulnerable_configuration","first_seen":null,"last_seen":null,"value":"cpe:2.3:a:dieboldnixdorf:probase:1.1.30:*:*:*:*:*:*:*","Galaxy":[],"ShadowAttribute":[]},{"id":"426214","type":"cpe","category":"External analysis","to_ids":false,"uuid":"24f24cdb-a5d3-40ba-9ead-c1e174a95401","event_id":"2368","distribution":"5","timestamp":"1613486277","comment":"CVE-2020-9062: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30557","object_relation":"vulnerable_configuration","first_seen":null,"last_seen":null,"value":"cpe:2.3:h:dieboldnixdorf:procash_2100xe:-:*:*:*:*:*:*:*","Galaxy":[],"ShadowAttribute":[]}]},{"id":"30558","name":"weakness","meta-category":"vulnerability","description":"Weakness object describing a common weakness enumeration which can describe usable, incomplete, draft or deprecated weakness for software, equipment of hardware.","template_uuid":"b8713fc0-d7a2-4b27-a182-38ed47966802","template_version":"1","event_id":"2368","uuid":"225bcda5-6aa9-4ce1-bd0f-fed7a4fb5340","timestamp":"1613486277","distribution":"5","sharing_group_id":"0","comment":"CVE-2020-9062: Enriched via the cve_advanced module","deleted":false,"first_seen":null,"last_seen":null,"ObjectReference":[],"Attribute":[{"id":"426215","type":"text","category":"Other","to_ids":false,"uuid":"99ab4b11-8eed-4d11-88fe-5a184d25e9bd","event_id":"2368","distribution":"5","timestamp":"1613486277","comment":"CVE-2020-9062: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30558","object_relation":"name","first_seen":null,"last_seen":null,"value":"Missing Authentication for Critical Function","Galaxy":[],"ShadowAttribute":[]},{"id":"426216","type":"text","category":"Other","to_ids":false,"uuid":"6ebc5bae-b0d2-4cc7-baf4-38543ba9f733","event_id":"2368","distribution":"5","timestamp":"1613486277","comment":"CVE-2020-9062: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":true,"object_id":"30558","object_relation":"status","first_seen":null,"last_seen":null,"value":"Draft","Galaxy":[],"ShadowAttribute":[]},{"id":"426217","type":"text","category":"Other","to_ids":false,"uuid":"0dc06a91-702b-4dac-bdde-9b689a240548","event_id":"2368","distribution":"5","timestamp":"1613486277","comment":"CVE-2020-9062: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":true,"object_id":"30558","object_relation":"weakness-abs","first_seen":null,"last_seen":null,"value":"Base","Galaxy":[],"ShadowAttribute":[]}]},{"id":"30559","name":"attack-pattern","meta-category":"vulnerability","description":"Attack pattern describing a common attack pattern enumeration and classification.","template_uuid":"35928348-56be-4d7f-9752-a80927936351","template_version":"1","event_id":"2368","uuid":"e735fda4-3164-4259-a5d6-dba72dfbc353","timestamp":"1613486277","distribution":"5","sharing_group_id":"0","comment":"CVE-2020-9062: Enriched via the cve_advanced module","deleted":false,"first_seen":null,"last_seen":null,"ObjectReference":[],"Attribute":[{"id":"426218","type":"text","category":"Other","to_ids":false,"uuid":"3d8f94c0-3ad2-4163-b8a9-e6d1ce74fe03","event_id":"2368","distribution":"5","timestamp":"1613486277","comment":"CVE-2020-9062: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":true,"object_id":"30559","object_relation":"id","first_seen":null,"last_seen":null,"value":"62","Galaxy":[],"ShadowAttribute":[]},{"id":"426219","type":"text","category":"Other","to_ids":false,"uuid":"8c5553ce-fe90-42f4-bad8-cc36d158dee1","event_id":"2368","distribution":"5","timestamp":"1613486277","comment":"CVE-2020-9062: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30559","object_relation":"name","first_seen":null,"last_seen":null,"value":"Cross Site Request Forgery","Galaxy":[],"ShadowAttribute":[]},{"id":"426220","type":"text","category":"Other","to_ids":false,"uuid":"dd4cade4-344d-4116-b657-b13ae3368d15","event_id":"2368","distribution":"5","timestamp":"1613486277","comment":"CVE-2020-9062: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30559","object_relation":"summary","first_seen":null,"last_seen":null,"value":"An attacker crafts malicious web links and distributes them (via web pages, email, etc.), typically in a targeted manner, hoping to induce users to click on the link and execute the malicious action against some third-party application. If successful, the action embedded in the malicious link will be processed and accepted by the targeted application with the users' privilege level. This type of attack leverages the persistence and implicit trust placed in user session cookies by many web applications today. In such an architecture, once the user authenticates to an application and a session cookie is created on the user's system, all following transactions for that session are authenticated using that cookie including potential actions initiated by an attacker and simply \"riding\" the existing session cookie.","Galaxy":[],"ShadowAttribute":[]},{"id":"426221","type":"text","category":"Other","to_ids":false,"uuid":"8eaf7fc3-702a-46a2-9ca4-1484faa76b75","event_id":"2368","distribution":"5","timestamp":"1613486277","comment":"CVE-2020-9062: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30559","object_relation":"solutions","first_seen":null,"last_seen":null,"value":"Use cryptographic tokens to associate a request with a specific action. The token can be regenerated at every request so that if a request with an invalid token is encountered, it can be reliably discarded. The token is considered invalid if it arrived with a request other than the action it was supposed to be associated with. Although less reliable, the use of the optional HTTP Referrer header can also be used to determine whether an incoming request was actually one that the user is authorized for, in the current context. Additionally, the user can also be prompted to confirm an action every time an action concerning potentially sensitive data is invoked. This way, even if the attacker manages to get the user to click on a malicious link and request the desired action, the user has a chance to recover by denying confirmation. This solution is also implicitly tied to using a second factor of authentication before performing such actions. In general, every request must be checked for the appropriate authentication token as well as authorization in the current session context.","Galaxy":[],"ShadowAttribute":[]},{"id":"426222","type":"weakness","category":"External analysis","to_ids":false,"uuid":"7dd14898-d537-435f-bd45-27f9604d7b30","event_id":"2368","distribution":"5","timestamp":"1613486277","comment":"CVE-2020-9062: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30559","object_relation":"related-weakness","first_seen":null,"last_seen":null,"value":"CWE-306","Galaxy":[],"ShadowAttribute":[]},{"id":"426223","type":"weakness","category":"External analysis","to_ids":false,"uuid":"2f9ddc62-092d-45b7-892a-faa57e06f17b","event_id":"2368","distribution":"5","timestamp":"1613486277","comment":"CVE-2020-9062: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30559","object_relation":"related-weakness","first_seen":null,"last_seen":null,"value":"CWE-352","Galaxy":[],"ShadowAttribute":[]},{"id":"426224","type":"weakness","category":"External analysis","to_ids":false,"uuid":"76802a77-d0e8-458f-96d9-b4b92267b343","event_id":"2368","distribution":"5","timestamp":"1613486277","comment":"CVE-2020-9062: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30559","object_relation":"related-weakness","first_seen":null,"last_seen":null,"value":"CWE-664","Galaxy":[],"ShadowAttribute":[]},{"id":"426225","type":"weakness","category":"External analysis","to_ids":false,"uuid":"976029b4-fd37-4e87-bd79-ce44a656ec3b","event_id":"2368","distribution":"5","timestamp":"1613486277","comment":"CVE-2020-9062: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30559","object_relation":"related-weakness","first_seen":null,"last_seen":null,"value":"CWE-716","Galaxy":[],"ShadowAttribute":[]},{"id":"426226","type":"weakness","category":"External analysis","to_ids":false,"uuid":"5e1117b8-d4e0-4dfb-930c-4711f69b22a2","event_id":"2368","distribution":"5","timestamp":"1613486277","comment":"CVE-2020-9062: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30559","object_relation":"related-weakness","first_seen":null,"last_seen":null,"value":"CWE-732","Galaxy":[],"ShadowAttribute":[]}]},{"id":"30560","name":"attack-pattern","meta-category":"vulnerability","description":"Attack pattern describing a common attack pattern enumeration and classification.","template_uuid":"35928348-56be-4d7f-9752-a80927936351","template_version":"1","event_id":"2368","uuid":"7f358cbe-fc3c-4a64-8314-a850001c786d","timestamp":"1613486277","distribution":"5","sharing_group_id":"0","comment":"CVE-2020-9062: Enriched via the cve_advanced module","deleted":false,"first_seen":null,"last_seen":null,"ObjectReference":[],"Attribute":[{"id":"426227","type":"text","category":"Other","to_ids":false,"uuid":"4d5d37d2-780f-48ce-bfc2-5149113b83e8","event_id":"2368","distribution":"5","timestamp":"1613486277","comment":"CVE-2020-9062: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":true,"object_id":"30560","object_relation":"id","first_seen":null,"last_seen":null,"value":"12","Galaxy":[],"ShadowAttribute":[]},{"id":"426228","type":"text","category":"Other","to_ids":false,"uuid":"108fb58c-2ffd-4c46-834c-7e91b99eff0f","event_id":"2368","distribution":"5","timestamp":"1613486277","comment":"CVE-2020-9062: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30560","object_relation":"name","first_seen":null,"last_seen":null,"value":"Choosing Message Identifier","Galaxy":[],"ShadowAttribute":[]},{"id":"426229","type":"text","category":"Other","to_ids":false,"uuid":"9c93343a-c7e6-4a8e-ad62-90c3451ee9e4","event_id":"2368","distribution":"5","timestamp":"1613486277","comment":"CVE-2020-9062: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30560","object_relation":"summary","first_seen":null,"last_seen":null,"value":"This pattern of attack is defined by the selection of messages distributed over via multicast or public information channels that are intended for another client by determining the parameter value assigned to that client. This attack allows the adversary to gain access to potentially privileged information, and to possibly perpetrate other attacks through the distribution means by impersonation. If the channel/message being manipulated is an input rather than output mechanism for the system, (such as a command bus), this style of attack could be used to change the adversary's identifier to more a privileged one.","Galaxy":[],"ShadowAttribute":[]},{"id":"426230","type":"text","category":"Other","to_ids":false,"uuid":"e1fe9b89-1239-48e5-be18-39a3488932f9","event_id":"2368","distribution":"5","timestamp":"1613486277","comment":"CVE-2020-9062: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30560","object_relation":"prerequisites","first_seen":null,"last_seen":null,"value":"Information and client-sensitive (and client-specific) data must be present through a distribution channel available to all users. Distribution means must code (through channel, message identifiers, or convention) message destination in a manner visible within the distribution means itself (such as a control channel) or in the messages themselves.","Galaxy":[],"ShadowAttribute":[]},{"id":"426231","type":"text","category":"Other","to_ids":false,"uuid":"013bc85a-ede7-44da-a756-26aa355809fe","event_id":"2368","distribution":"5","timestamp":"1613486277","comment":"CVE-2020-9062: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30560","object_relation":"solutions","first_seen":null,"last_seen":null,"value":"The purpose is to architect the system in a way that associates proper authentication/authorization with each channel/message. Re-architect system input/output channels as appropriate to distribute self-protecting data. That is, encrypt (or otherwise protect) channels/messages so that only authorized readers can see them.","Galaxy":[],"ShadowAttribute":[]},{"id":"426232","type":"weakness","category":"External analysis","to_ids":false,"uuid":"b0e8719d-7963-4b7c-9321-1fb48a760f9c","event_id":"2368","distribution":"5","timestamp":"1613486277","comment":"CVE-2020-9062: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30560","object_relation":"related-weakness","first_seen":null,"last_seen":null,"value":"CWE-201","Galaxy":[],"ShadowAttribute":[]},{"id":"426233","type":"weakness","category":"External analysis","to_ids":false,"uuid":"b42d2521-a72a-43ab-8431-24240d0943b1","event_id":"2368","distribution":"5","timestamp":"1613486277","comment":"CVE-2020-9062: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30560","object_relation":"related-weakness","first_seen":null,"last_seen":null,"value":"CWE-306","Galaxy":[],"ShadowAttribute":[]}]},{"id":"30561","name":"attack-pattern","meta-category":"vulnerability","description":"Attack pattern describing a common attack pattern enumeration and classification.","template_uuid":"35928348-56be-4d7f-9752-a80927936351","template_version":"1","event_id":"2368","uuid":"be14bf98-bac3-414d-8145-6e13783e7afa","timestamp":"1613486277","distribution":"5","sharing_group_id":"0","comment":"CVE-2020-9062: Enriched via the cve_advanced module","deleted":false,"first_seen":null,"last_seen":null,"ObjectReference":[],"Attribute":[{"id":"426234","type":"text","category":"Other","to_ids":false,"uuid":"6f1f5131-0919-48e0-b092-4bd582e59072","event_id":"2368","distribution":"5","timestamp":"1613486277","comment":"CVE-2020-9062: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":true,"object_id":"30561","object_relation":"id","first_seen":null,"last_seen":null,"value":"36","Galaxy":[],"ShadowAttribute":[]},{"id":"426235","type":"text","category":"Other","to_ids":false,"uuid":"c4bc620a-7ca5-411b-a506-3a20e0fa0e97","event_id":"2368","distribution":"5","timestamp":"1613486277","comment":"CVE-2020-9062: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30561","object_relation":"name","first_seen":null,"last_seen":null,"value":"Using Unpublished APIs","Galaxy":[],"ShadowAttribute":[]},{"id":"426236","type":"text","category":"Other","to_ids":false,"uuid":"318d3e55-0bfa-45ac-87b3-7e192972aa25","event_id":"2368","distribution":"5","timestamp":"1613486277","comment":"CVE-2020-9062: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30561","object_relation":"summary","first_seen":null,"last_seen":null,"value":"An adversary searches for and invokes APIs that the target system designers did not intend to be publicly available. If these APIs fail to authenticate requests the attacker may be able to invoke functionality they are not authorized for.","Galaxy":[],"ShadowAttribute":[]},{"id":"426237","type":"text","category":"Other","to_ids":false,"uuid":"87fd9e29-4e76-4365-9c11-f6f91e75dd3d","event_id":"2368","distribution":"5","timestamp":"1613486277","comment":"CVE-2020-9062: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30561","object_relation":"prerequisites","first_seen":null,"last_seen":null,"value":"The architecture under attack must publish or otherwise make available services that clients can attach to, either in an unauthenticated fashion, or having obtained an authentication token elsewhere. The service need not be 'discoverable', but in the event it isn't it must have some way of being discovered by an attacker. This might include listening on a well-known port. Ultimately, the likelihood of exploit depends on discoverability of the vulnerable service.","Galaxy":[],"ShadowAttribute":[]},{"id":"426238","type":"text","category":"Other","to_ids":false,"uuid":"b857f3ad-b1b1-46a1-abb3-6ee42cdaf06d","event_id":"2368","distribution":"5","timestamp":"1613486277","comment":"CVE-2020-9062: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30561","object_relation":"solutions","first_seen":null,"last_seen":null,"value":"Authenticating both services and their discovery, and protecting that authentication mechanism simply fixes the bulk of this problem. Protecting the authentication involves the standard means, including: 1) protecting the channel over which authentication occurs, 2) preventing the theft, forgery, or prediction of authentication credentials or the resultant tokens, or 3) subversion of password reset and the like.","Galaxy":[],"ShadowAttribute":[]},{"id":"426239","type":"weakness","category":"External analysis","to_ids":false,"uuid":"29ccf3ee-c27e-4135-a757-7536186073bb","event_id":"2368","distribution":"5","timestamp":"1613486277","comment":"CVE-2020-9062: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30561","object_relation":"related-weakness","first_seen":null,"last_seen":null,"value":"CWE-306","Galaxy":[],"ShadowAttribute":[]},{"id":"426240","type":"weakness","category":"External analysis","to_ids":false,"uuid":"dd78eb22-33e2-4e3d-9c54-299e964b7d3e","event_id":"2368","distribution":"5","timestamp":"1613486277","comment":"CVE-2020-9062: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30561","object_relation":"related-weakness","first_seen":null,"last_seen":null,"value":"CWE-693","Galaxy":[],"ShadowAttribute":[]},{"id":"426241","type":"weakness","category":"External analysis","to_ids":false,"uuid":"220c2389-ec0f-45e4-996b-2e46d5bfc058","event_id":"2368","distribution":"5","timestamp":"1613486277","comment":"CVE-2020-9062: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30561","object_relation":"related-weakness","first_seen":null,"last_seen":null,"value":"CWE-695","Galaxy":[],"ShadowAttribute":[]}]},{"id":"30562","name":"attack-pattern","meta-category":"vulnerability","description":"Attack pattern describing a common attack pattern enumeration and classification.","template_uuid":"35928348-56be-4d7f-9752-a80927936351","template_version":"1","event_id":"2368","uuid":"4c2354b6-4285-46fd-89fa-bb0dd36f63c6","timestamp":"1613486277","distribution":"5","sharing_group_id":"0","comment":"CVE-2020-9062: Enriched via the cve_advanced module","deleted":false,"first_seen":null,"last_seen":null,"ObjectReference":[],"Attribute":[{"id":"426242","type":"text","category":"Other","to_ids":false,"uuid":"a040753d-7436-4ea6-a49f-0fa0246c7edb","event_id":"2368","distribution":"5","timestamp":"1613486277","comment":"CVE-2020-9062: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":true,"object_id":"30562","object_relation":"id","first_seen":null,"last_seen":null,"value":"166","Galaxy":[],"ShadowAttribute":[]},{"id":"426243","type":"text","category":"Other","to_ids":false,"uuid":"1b5859d4-917b-4ebc-b720-695cdcad753a","event_id":"2368","distribution":"5","timestamp":"1613486277","comment":"CVE-2020-9062: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30562","object_relation":"name","first_seen":null,"last_seen":null,"value":"Force the System to Reset Values","Galaxy":[],"ShadowAttribute":[]},{"id":"426244","type":"text","category":"Other","to_ids":false,"uuid":"68ce37e8-4973-48bb-a4df-7bdd9c40990d","event_id":"2368","distribution":"5","timestamp":"1613486277","comment":"CVE-2020-9062: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30562","object_relation":"summary","first_seen":null,"last_seen":null,"value":"An attacker forces the target into a previous state in order to leverage potential weaknesses in the target dependent upon a prior configuration or state-dependent factors. Even in cases where an attacker may not be able to directly control the configuration of the targeted application, they may be able to reset the configuration to a prior state since many applications implement reset functions. Since these functions are usually intended as emergency features to return an application to a stable configuration if the current configuration degrades functionality, they may not be as strongly secured as other configuration options. The resetting of values is dangerous as it may enable undesired functionality, disable services, or modify access controls. At the very least this is a nuisance attack since the administrator will need to re-apply their configuration. At worst, this attack can open avenues for powerful attacks against the application, and, if it isn't obvious that the configuration has been reset, these vulnerabilities may be present a long time before they are notices.","Galaxy":[],"ShadowAttribute":[]},{"id":"426245","type":"text","category":"Other","to_ids":false,"uuid":"1de287fa-27c8-433a-a542-7dfbe6b94e5b","event_id":"2368","distribution":"5","timestamp":"1613486277","comment":"CVE-2020-9062: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30562","object_relation":"prerequisites","first_seen":null,"last_seen":null,"value":"The targeted application must have a reset function that returns the configuration of the application to an earlier state. The reset functionality must be inadequately protected against use.","Galaxy":[],"ShadowAttribute":[]},{"id":"426246","type":"weakness","category":"External analysis","to_ids":false,"uuid":"45e7f833-3f61-4f14-b086-285b647a4070","event_id":"2368","distribution":"5","timestamp":"1613486277","comment":"CVE-2020-9062: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30562","object_relation":"related-weakness","first_seen":null,"last_seen":null,"value":"CWE-306","Galaxy":[],"ShadowAttribute":[]}]},{"id":"30563","name":"vulnerability","meta-category":"vulnerability","description":"Vulnerability object describing a common vulnerability enumeration which can describe published, unpublished, under review or embargo vulnerability for software, equipments or hardware.","template_uuid":"81650945-f186-437b-8945-9f31715d32da","template_version":"8","event_id":"2368","uuid":"22693d50-e1b2-4f79-a9e5-2ad407b91217","timestamp":"1614249253","distribution":"5","sharing_group_id":"0","comment":"CVE-2020-10124: Enriched via the cve_advanced module","deleted":false,"first_seen":null,"last_seen":null,"ObjectReference":[{"id":"10892","uuid":"3b3ec2d9-8b14-4fae-88aa-04bd3ed6571a","timestamp":"0","object_id":"30563","referenced_uuid":"8bed0620-5cd8-4269-a1b8-b2abce9e40c4","referenced_id":"426203","referenced_type":"0","relationship_type":"related-to ","comment":"","deleted":false,"event_id":"2368","source_uuid":"22693d50-e1b2-4f79-a9e5-2ad407b91217","Attribute":{"distribution":"5","sharing_group_id":"0","uuid":"8bed0620-5cd8-4269-a1b8-b2abce9e40c4","value":"CVE-2020-10124","type":"vulnerability","category":"Payload delivery","to_ids":false}},{"id":"10893","uuid":"6c61f552-0fa9-4ed0-b37b-cfdb2da4ed37","timestamp":"0","object_id":"30563","referenced_uuid":"9b22af62-6b9d-4ab4-adbc-3098b56e7dc8","referenced_id":"30564","referenced_type":"1","relationship_type":"weakened-by ","comment":"","deleted":false,"event_id":"2368","source_uuid":"22693d50-e1b2-4f79-a9e5-2ad407b91217","Object":{"distribution":"5","sharing_group_id":"0","uuid":"9b22af62-6b9d-4ab4-adbc-3098b56e7dc8","name":"weakness","meta-category":"vulnerability"}},{"id":"10894","uuid":"a9f1d78c-1d6b-45f8-b176-d783a244c55d","timestamp":"0","object_id":"30563","referenced_uuid":"e735fda4-3164-4259-a5d6-dba72dfbc353","referenced_id":"30559","referenced_type":"1","relationship_type":"targeted-by ","comment":"","deleted":false,"event_id":"2368","source_uuid":"22693d50-e1b2-4f79-a9e5-2ad407b91217","Object":{"distribution":"5","sharing_group_id":"0","uuid":"e735fda4-3164-4259-a5d6-dba72dfbc353","name":"attack-pattern","meta-category":"vulnerability"}},{"id":"10895","uuid":"9512e916-c84d-46be-9a12-4349558a5ac8","timestamp":"0","object_id":"30563","referenced_uuid":"7f358cbe-fc3c-4a64-8314-a850001c786d","referenced_id":"30560","referenced_type":"1","relationship_type":"targeted-by ","comment":"","deleted":false,"event_id":"2368","source_uuid":"22693d50-e1b2-4f79-a9e5-2ad407b91217","Object":{"distribution":"5","sharing_group_id":"0","uuid":"7f358cbe-fc3c-4a64-8314-a850001c786d","name":"attack-pattern","meta-category":"vulnerability"}},{"id":"10896","uuid":"1ec6dada-5181-45b5-842f-a310e9a9312d","timestamp":"0","object_id":"30563","referenced_uuid":"be14bf98-bac3-414d-8145-6e13783e7afa","referenced_id":"30561","referenced_type":"1","relationship_type":"targeted-by ","comment":"","deleted":false,"event_id":"2368","source_uuid":"22693d50-e1b2-4f79-a9e5-2ad407b91217","Object":{"distribution":"5","sharing_group_id":"0","uuid":"be14bf98-bac3-414d-8145-6e13783e7afa","name":"attack-pattern","meta-category":"vulnerability"}},{"id":"10897","uuid":"a34aaabf-800e-40be-9938-02990ab96ca1","timestamp":"0","object_id":"30563","referenced_uuid":"4c2354b6-4285-46fd-89fa-bb0dd36f63c6","referenced_id":"30562","referenced_type":"1","relationship_type":"targeted-by ","comment":"","deleted":false,"event_id":"2368","source_uuid":"22693d50-e1b2-4f79-a9e5-2ad407b91217","Object":{"distribution":"5","sharing_group_id":"0","uuid":"4c2354b6-4285-46fd-89fa-bb0dd36f63c6","name":"attack-pattern","meta-category":"vulnerability"}},{"id":"10909","uuid":"aa1cbb2d-7c30-4d54-82e9-44a72525ce98","timestamp":"1614249253","object_id":"30563","referenced_uuid":"f308a898-eaaa-4144-802a-d99b61aecfa2","referenced_id":"30578","referenced_type":"1","relationship_type":"vulnerability-of","comment":"","deleted":false,"event_id":"2368","source_uuid":"22693d50-e1b2-4f79-a9e5-2ad407b91217","Object":{"distribution":"5","sharing_group_id":"0","uuid":"f308a898-eaaa-4144-802a-d99b61aecfa2","name":"device","meta-category":"misc"}}],"Attribute":[{"id":"426247","type":"vulnerability","category":"External analysis","to_ids":false,"uuid":"9561ac0b-993f-43a2-a938-cf80289e97b6","event_id":"2368","distribution":"5","timestamp":"1613486427","comment":"CVE-2020-10124: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30563","object_relation":"id","first_seen":null,"last_seen":null,"value":"CVE-2020-10124","Galaxy":[],"ShadowAttribute":[]},{"id":"426248","type":"text","category":"Other","to_ids":false,"uuid":"40409e49-aac5-4b1f-9d76-4e2838da7f8a","event_id":"2368","distribution":"5","timestamp":"1613486427","comment":"CVE-2020-10124: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30563","object_relation":"summary","first_seen":null,"last_seen":null,"value":"NCR SelfServ ATMs running APTRA XFS 05.01.00 do not encrypt, authenticate, or verify the integrity of messages between the BNA and the host computer, which could allow an attacker with physical access to the internal components of the ATM to execute arbitrary code, including code that enables the attacker to commit deposit forgery.","Galaxy":[],"ShadowAttribute":[]},{"id":"426249","type":"datetime","category":"Other","to_ids":false,"uuid":"32d583f7-d37f-4683-aa8b-5aa35e0831bf","event_id":"2368","distribution":"5","timestamp":"1613486427","comment":"CVE-2020-10124: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":true,"object_id":"30563","object_relation":"modified","first_seen":null,"last_seen":null,"value":"2020-08-27T18:06:00.000000+0000","Galaxy":[],"ShadowAttribute":[]},{"id":"426250","type":"float","category":"Other","to_ids":false,"uuid":"b86c9f72-4b46-4fc9-930a-85eb7dac45a8","event_id":"2368","distribution":"5","timestamp":"1613486427","comment":"CVE-2020-10124: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":true,"object_id":"30563","object_relation":"cvss-score","first_seen":null,"last_seen":null,"value":"4.4","Galaxy":[],"ShadowAttribute":[]},{"id":"426251","type":"datetime","category":"Other","to_ids":false,"uuid":"53c2ba3b-0bd3-4693-afe4-d463b03c6be4","event_id":"2368","distribution":"5","timestamp":"1613486427","comment":"CVE-2020-10124: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":true,"object_id":"30563","object_relation":"published","first_seen":null,"last_seen":null,"value":"2020-08-21T21:15:00.000000+0000","Galaxy":[],"ShadowAttribute":[]},{"id":"426252","type":"text","category":"Other","to_ids":false,"uuid":"68ee4415-44ac-4234-b393-23008813fb7e","event_id":"2368","distribution":"5","timestamp":"1613486427","comment":"CVE-2020-10124: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":true,"object_id":"30563","object_relation":"state","first_seen":null,"last_seen":null,"value":"Published","Galaxy":[],"ShadowAttribute":[]},{"id":"426253","type":"link","category":"External analysis","to_ids":false,"uuid":"5274d962-25bd-4a5d-b4e7-b60d2a8ef5f2","event_id":"2368","distribution":"5","timestamp":"1613486427","comment":"CVE-2020-10124: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30563","object_relation":"references","first_seen":null,"last_seen":null,"value":"https://kb.cert.org/vuls/id/815655","Galaxy":[],"ShadowAttribute":[]},{"id":"426254","type":"link","category":"External analysis","to_ids":false,"uuid":"5e40957b-75fd-423d-ba45-23b06db551c1","event_id":"2368","distribution":"5","timestamp":"1613486427","comment":"CVE-2020-10124: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30563","object_relation":"references","first_seen":null,"last_seen":null,"value":"https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Security_Alert-2018-13_APTRA_XFS_","Galaxy":[],"ShadowAttribute":[]},{"id":"426255","type":"cpe","category":"External analysis","to_ids":false,"uuid":"2667f761-6882-4ada-bf0b-fb032fc68141","event_id":"2368","distribution":"5","timestamp":"1613486427","comment":"CVE-2020-10124: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30563","object_relation":"vulnerable_configuration","first_seen":null,"last_seen":null,"value":"cpe:2.3:o:ncr:aptra_xfs:05.01.00:*:*:*:*:*:*:*","Galaxy":[],"ShadowAttribute":[]},{"id":"426256","type":"cpe","category":"External analysis","to_ids":false,"uuid":"7f3f96ed-bc43-4b55-ae20-5398d91f1326","event_id":"2368","distribution":"5","timestamp":"1613486427","comment":"CVE-2020-10124: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30563","object_relation":"vulnerable_configuration","first_seen":null,"last_seen":null,"value":"cpe:2.3:h:ncr:selfserv_atm:-:*:*:*:*:*:*:*","Galaxy":[],"ShadowAttribute":[]}]},{"id":"30564","name":"weakness","meta-category":"vulnerability","description":"Weakness object describing a common weakness enumeration which can describe usable, incomplete, draft or deprecated weakness for software, equipment of hardware.","template_uuid":"b8713fc0-d7a2-4b27-a182-38ed47966802","template_version":"1","event_id":"2368","uuid":"9b22af62-6b9d-4ab4-adbc-3098b56e7dc8","timestamp":"1613486427","distribution":"5","sharing_group_id":"0","comment":"CVE-2020-10124: Enriched via the cve_advanced module","deleted":false,"first_seen":null,"last_seen":null,"ObjectReference":[],"Attribute":[{"id":"426257","type":"text","category":"Other","to_ids":false,"uuid":"00f8d408-18a5-48e5-9ae3-803899551b59","event_id":"2368","distribution":"5","timestamp":"1613486427","comment":"CVE-2020-10124: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30564","object_relation":"name","first_seen":null,"last_seen":null,"value":"Missing Authentication for Critical Function","Galaxy":[],"ShadowAttribute":[]},{"id":"426258","type":"text","category":"Other","to_ids":false,"uuid":"51008ec9-ea43-4b5e-8c7e-7ddfd0661ae4","event_id":"2368","distribution":"5","timestamp":"1613486427","comment":"CVE-2020-10124: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":true,"object_id":"30564","object_relation":"status","first_seen":null,"last_seen":null,"value":"Draft","Galaxy":[],"ShadowAttribute":[]},{"id":"426259","type":"text","category":"Other","to_ids":false,"uuid":"a04a03d9-7eba-44f2-8252-5c63f045596b","event_id":"2368","distribution":"5","timestamp":"1613486427","comment":"CVE-2020-10124: Enriched via the cve_advanced module","sharing_group_id":"0","deleted":false,"disable_correlation":true,"object_id":"30564","object_relation":"weakness-abs","first_seen":null,"last_seen":null,"value":"Base","Galaxy":[],"ShadowAttribute":[]}]},{"id":"30577","name":"device","meta-category":"misc","description":"An object to define a device","template_uuid":"0c64b41a-e583-4f4d-ac92-d484163b9e52","template_version":"7","event_id":"2368","uuid":"cc5b158c-a45d-4f08-aa32-8a5124da4506","timestamp":"1614248753","distribution":"5","sharing_group_id":"0","comment":"Manufacturer: Diebold","deleted":false,"first_seen":null,"last_seen":null,"ObjectReference":[],"Attribute":[{"id":"426334","type":"text","category":"Other","to_ids":false,"uuid":"e1a04607-8d41-4068-852f-0c82761be5e1","event_id":"2368","distribution":"5","timestamp":"1614248600","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30577","object_relation":"name","first_seen":null,"last_seen":null,"value":"ProCash 2100xe USB","Galaxy":[],"ShadowAttribute":[]},{"id":"426335","type":"text","category":"Other","to_ids":false,"uuid":"53c8f09e-21ed-45cb-911e-b41afea3066c","event_id":"2368","distribution":"5","timestamp":"1614248600","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":true,"object_id":"30577","object_relation":"device-type","first_seen":null,"last_seen":null,"value":"ATM","Galaxy":[],"ShadowAttribute":[]},{"id":"426336","type":"text","category":"Other","to_ids":false,"uuid":"ea9251a4-2fa6-40ad-be50-897b40e1a2ee","event_id":"2368","distribution":"5","timestamp":"1614248600","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":true,"object_id":"30577","object_relation":"OS","first_seen":null,"last_seen":null,"value":"Wincore Probase","Galaxy":[],"ShadowAttribute":[]}]},{"id":"30578","name":"device","meta-category":"misc","description":"An object to define a device","template_uuid":"0c64b41a-e583-4f4d-ac92-d484163b9e52","template_version":"7","event_id":"2368","uuid":"f308a898-eaaa-4144-802a-d99b61aecfa2","timestamp":"1614248760","distribution":"5","sharing_group_id":"0","comment":"Manufacturer: NCR","deleted":false,"first_seen":null,"last_seen":null,"ObjectReference":[],"Attribute":[{"id":"426337","type":"text","category":"Other","to_ids":false,"uuid":"29df8adb-4625-4db9-a829-272084074eea","event_id":"2368","distribution":"5","timestamp":"1614248639","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"30578","object_relation":"name","first_seen":null,"last_seen":null,"value":"SelfServ","Galaxy":[],"ShadowAttribute":[]},{"id":"426338","type":"text","category":"Other","to_ids":false,"uuid":"ea27fc8c-3aea-42f8-853a-c9d19cd22cdf","event_id":"2368","distribution":"5","timestamp":"1614248639","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":true,"object_id":"30578","object_relation":"device-type","first_seen":null,"last_seen":null,"value":"ATM","Galaxy":[],"ShadowAttribute":[]},{"id":"426339","type":"text","category":"Other","to_ids":false,"uuid":"5133cc3d-ba86-48b4-acd4-409bb02fb179","event_id":"2368","distribution":"5","timestamp":"1614248640","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":true,"object_id":"30578","object_relation":"OS","first_seen":null,"last_seen":null,"value":"APTRA XFS","Galaxy":[],"ShadowAttribute":[]}]}],"EventReport":[{"id":"9","uuid":"bb0eab48-b0db-4a4a-b62f-478d3faecc11","event_id":"2368","name":"Report from - https://www.cyber.nj.gov/alerts-advisories/atm-vulnerabilities-allow-deposit-forgery-attacks (1613488208)","content":"# ATM Vulnerabilities Allow Deposit Forgery Attacks\r\n\r\n## Summary\r\n\r\nAutomated teller machine (ATM) companies Diebold and NCR released updates to fix a number of vulnerabilities @[tag](misp-galaxy:mitre-attack-pattern=\"Vulnerabilities - T1588.006\") last year that may have permitted deposit forgery attacks. Deposit forgery flaws, which are considered rare, may be exploited by an attacker who has physical access to an affected ATM by intercepting and modifying messages while depositing funds, artificially increasing the deposited amount, and then withdrawing the excess funds. @[attribute](5cfca8e3-183e-4e79-b4a2-3202075867be) affects Diebold @[object](cc5b158c-a45d-4f08-aa32-8a5124da4506) and @[attribute](8bed0620-5cd8-4269-a1b8-b2abce9e40c4) affects NCR @[attribute](29df8adb-4625-4db9-a829-272084074eea) ATMs running @[attribute](5133cc3d-ba86-48b4-acd4-409bb02fb179) software. Additional flaws considered less severe were also identified and patched. This past weekend, the FBI and local police arrested dozens of suspects across NJ for exploiting vulnerabilities within Santander ATMs. The suspects purportedly withdrew funds from preloaded or fake debit cards during the incidents. Though the exploited vulnerabilities have not been correlated to those listed above, these similar incidents highlight the ease with which the ATM flaws may be exploited, as well as the importance of patching these systems. Additionally, CISA released a joint alert (AA20-239A) identifying malware and indicators of compromise (IOCs) used by the North @[tag](misp-galaxy:ransomware=\"Korean\") government in ATM cash-out schemes referred to by the US government as “FASTCash 2.0: North Koreas BeagleBoyz Robbing Banks.” The US does not appear to be targeted in these schemes at the time of this writing; however, organizations are urged to apply recommendations and report any suspicious activity related to the identified IOCs to local law enforcement.\r\n\r\n## Recommendations\r\n\r\nThe NJCCIC urges organizations using affected ATMs to apply software updates immediately after appropriate testing and advise all organizations to review any security advisories provided by vendors for additional implementations. Furthermore, we recommend limiting physical access to ATMs, adjusting deposit transaction business logic, and implementing fraud monitoring. Additional information can be found in the HelpNet Security article.","distribution":"5","sharing_group_id":"0","timestamp":"1614249051","deleted":false},{"id":"11","uuid":"e9657766-02d7-4f11-9e2a-93e4a3a7fc01","event_id":"2368","name":"Test report","content":"# ATM Vulnerabilities Allow Deposit Forgery Attacks\n\n## Summary\n\n@[attribute](79125542-da98-4d32-857f-1ac52c2125b7)\n\n\nAutomated teller machine (ATM) companies Diebold and NCR released updates to fix a number of vulnerabilities discovered last year that may have permitted deposit forgery attacks. Deposit forgery flaws, which are considered rare, may be exploited by an attacker who has physical access to an affected ATM by intercepting and modifying messages while depositing funds, artificially increasing the deposited amount, and then withdrawing the excess funds. @[attribute](5cfca8e3-183e-4e79-b4a2-3202075867be) affects Diebold ProCash 2100xe USB ATMs running Wincore Probase software, and CVE-2020-10124 affects NCR SelfServ ATMs running APTRA XFS software. Additional flaws considered less severe were also identified and patched. This past weekend, the FBI and local police arrested dozens of suspects across NJ for exploiting vulnerabilities within Santander ATMs. The suspects purportedly withdrew funds from preloaded or fake debit cards during the incidents. Though the exploited vulnerabilities have not been correlated to those listed above, these similar incidents highlight the ease with which the ATM flaws may be exploited, as well as the importance of patching these systems. Additionally, CISA released a joint alert (AA20-239A) identifying malware and indicators of compromise (IOCs) used by the North Korean government in ATM cash-out schemes referred to by the US government as “FASTCash 2.0: North Koreas BeagleBoyz Robbing Banks.” The US does not appear to be targeted in these schemes at the time of this writing; however, organizations are urged to apply recommendations and report any suspicious activity related to the identified IOCs to local law enforcement.\n\n## Recommendations\n\nThe NJCCIC urges organizations using affected ATMs to apply software updates immediately after appropriate testing and advise all organizations to review any security advisories provided by vendors for additional implementations. Furthermore, we recommend limiting physical access to ATMs, adjusting deposit transaction business logic, and implementing fraud monitoring. Additional information can be found in the HelpNet Security article.","distribution":"5","sharing_group_id":"0","timestamp":"1614264746","deleted":true}],"CryptographicKey":[],"Tag":[{"id":"21","name":"type:OSINT","colour":"#004646","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local_only":false,"local":0},{"id":"2","name":"tlp:white","colour":"#ffffff","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local_only":false,"local":0},{"id":"259","name":"workflow:state=\"incomplete\"","colour":"#e10079","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local_only":false,"local":0},{"id":"1074","name":"misp-galaxy:financial-fraud=\"ATM Black Box Attack\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":true,"is_custom_galaxy":false,"local_only":false,"local":0},{"id":"1893","name":"misp-galaxy:ransomware=\"Korean\"","colour":"#ca957b","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":true,"is_custom_galaxy":false,"local_only":false,"local":0},{"id":"1894","name":"misp-galaxy:mitre-attack-pattern=\"Vulnerabilities - T1588.006\"","colour":"#5dc0e0","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":true,"is_custom_galaxy":false,"local_only":false,"local":0}]}}]}
Reference in New Issue View Git Blame Copy Permalink