{
  "type": "bundle",
  "id": "bundle--edd34e37-65d1-4577-a88e-1a5c0da614f4",
  "spec_version": "2.1",
  "created": "2026-06-11T23:57:51.469Z",
  "modified": "2026-06-11T23:57:51.469Z",
  "objects": [
    {
      "type": "extension-definition",
      "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4",
      "spec_version": "2.1",
      "created": "2022-08-02T19:34:35.143Z",
      "modified": "2022-08-02T19:34:35.143Z",
      "name": "Attack Flow",
      "description": "Extends STIX 2.1 with features to create Attack Flows.",
      "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4",
      "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json",
      "version": "2.0.0",
      "extension_types": [
        "new-sdo"
      ],
      "external_references": [
        {
          "source_name": "Documentation",
          "description": "Documentation for Attack Flow",
          "url": "https://center-for-threat-informed-defense.github.io/attack-flow"
        },
        {
          "source_name": "GitHub",
          "description": "Source code repository for Attack Flow",
          "url": "https://github.com/center-for-threat-informed-defense/attack-flow"
        }
      ]
    },
    {
      "type": "identity",
      "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4",
      "spec_version": "2.1",
      "created": "2022-08-02T19:34:35.143Z",
      "modified": "2022-08-02T19:34:35.143Z",
      "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4",
      "name": "MITRE Center for Threat-Informed Defense",
      "identity_class": "organization"
    },
    {
      "type": "attack-flow",
      "id": "attack-flow--70b69944-7d6d-47da-a768-d0b8717a3433",
      "spec_version": "2.1",
      "created": "2022-10-27T02:44:54.520Z",
      "modified": "2026-06-11T23:57:51.469Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "created_by_ref": "identity--aeaadcbb-ca18-47af-bc10-9e9f31655f90",
      "start_refs": [
        "attack-action--c4b5213a-588e-4f70-bb81-731b875ae7d8"
      ],
      "name": "JP Morgan Breach",
      "description": "Attack flow on the 2014 JP Morgan breach.",
      "scope": "incident",
      "external_references": [
        {
          "source_name": "The Security Ledger",
          "description": "Article",
          "url": "https://securityledger.com/2014/10/hacked_password_behind_compromise_of_75m_jpmorgan_accounts/"
        },
        {
          "source_name": "SANS",
          "description": "Whitepaper",
          "url": "https://www.sans.org/white-papers/35822/"
        },
        {
          "source_name": "Computer World",
          "description": "Article",
          "url": "https://www.computerworld.com/article/2862675/twofactor-authentication-oversight-led-to-jpmorgan-breach-investigators-reportedly-found.html"
        },
        {
          "source_name": "Bloomberg",
          "description": "Article",
          "url": "https://www.bloomberg.com/news/articles/2014-08-29/jpmorgan-hack-said-to-span-months-via-multiple-flaws#xj4y7vzkg"
        },
        {
          "source_name": "Trend Micro",
          "description": "Article",
          "url": "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/jp-morgan-breach-affects-millions-shows-need-for-secure-web-apps"
        },
        {
          "source_name": "SANS",
          "description": "GIAC Paper",
          "url": "https://www.giac.org/paper/gsec/36190/minimizing-damage-jp-morgans-data-breach/143120"
        }
      ]
    },
    {
      "type": "identity",
      "id": "identity--aeaadcbb-ca18-47af-bc10-9e9f31655f90",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.469Z",
      "modified": "2026-06-11T23:57:51.469Z",
      "name": "Lauren Parker",
      "contact_information": "lparker@mitre.org"
    },
    {
      "type": "attack-action",
      "id": "attack-action--c4b5213a-588e-4f70-bb81-731b875ae7d8",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.469Z",
      "modified": "2026-06-11T23:57:51.469Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Phishing",
      "tactic_id": "TA0001",
      "tactic_ref": "x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca",
      "technique_id": "T1566",
      "technique_ref": "attack-pattern--a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
      "description": "An employee interacted with a phishing email on their personal computer",
      "effect_refs": [
        "attack-condition--05935c6a-636d-4ede-8575-15612d5585e5"
      ]
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--05935c6a-636d-4ede-8575-15612d5585e5",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.469Z",
      "modified": "2026-06-11T23:57:51.469Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Malware placed on an employee's personal computer"
    },
    {
      "type": "attack-action",
      "id": "attack-action--b47629f7-445c-4605-a0a3-126bfad7d133",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.469Z",
      "modified": "2026-06-11T23:57:51.469Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Input Capture",
      "tactic_id": "TA0009",
      "tactic_ref": "x-mitre-tactic--d108ce10-2419-4cf9-a774-46161d6c6cfe",
      "technique_id": "T1056",
      "technique_ref": "attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2",
      "description": "An employee used the infected personal computer to connect to the victim system through a VPN, allowing attackers to steal the employee's login credentials",
      "asset_refs": [
        "attack-asset--0ffc28be-8471-456b-ab02-bc4238777456"
      ],
      "effect_refs": [
        "attack-condition--3328fd28-4441-4a1e-8e90-bf18c634f229"
      ]
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--0ffc28be-8471-456b-ab02-bc4238777456",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.469Z",
      "modified": "2026-06-11T23:57:51.469Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "VPN"
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--3328fd28-4441-4a1e-8e90-bf18c634f229",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.470Z",
      "modified": "2026-06-11T23:57:51.470Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Attackers collect user credentials to access the bank's network"
    },
    {
      "type": "attack-action",
      "id": "attack-action--f6428576-e9f7-4702-9914-a4fa4c9793d7",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.470Z",
      "modified": "2026-06-11T23:57:51.470Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Exploit Public-Facing Application",
      "tactic_id": "TA0001",
      "tactic_ref": "x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca",
      "technique_id": "T1190",
      "technique_ref": "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c",
      "description": "Attackers used valid credentials to gain access to a web-development server, exploiting its lack of 2-factor authentication",
      "asset_refs": [
        "attack-asset--9b9f5d4d-7df2-454e-ba2e-c8a821417470"
      ],
      "effect_refs": [
        "attack-action--5a3c9bd6-8fa0-4184-9fb6-bdff06057a1b"
      ]
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--9b9f5d4d-7df2-454e-ba2e-c8a821417470",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.470Z",
      "modified": "2026-06-11T23:57:51.470Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Web-development server"
    },
    {
      "type": "attack-action",
      "id": "attack-action--5a3c9bd6-8fa0-4184-9fb6-bdff06057a1b",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.470Z",
      "modified": "2026-06-11T23:57:51.470Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Lateral Movement",
      "tactic_id": "TA0008",
      "tactic_ref": "x-mitre-tactic--7141578b-e50b-4dcc-bfa4-08a8dd689e9e",
      "description": "Attackers moved from the web-development server to more than 100 other servers within the network",
      "asset_refs": [
        "attack-asset--b270e0f4-b644-410d-870e-bc3d3cf28d24",
        "attack-asset--c7704977-2bdf-4486-92b4-7d82d4b43f54",
        "attack-asset--9610b6bc-f13a-479a-92a0-5d804d8a2df3"
      ],
      "effect_refs": [
        "attack-action--ec2cc0ea-2b44-40ef-bc5a-53ccc45ec8b1",
        "attack-action--436b5d27-34fc-45af-a0c4-6c5ac071dbf4"
      ]
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--b270e0f4-b644-410d-870e-bc3d3cf28d24",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.470Z",
      "modified": "2026-06-11T23:57:51.470Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Banking data center",
      "description": "compromised"
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--9610b6bc-f13a-479a-92a0-5d804d8a2df3",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.470Z",
      "modified": "2026-06-11T23:57:51.470Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Additional lines of business",
      "description": "compromised, including investment banking, credit cards, and commercial and residential banking systems"
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--c7704977-2bdf-4486-92b4-7d82d4b43f54",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.470Z",
      "modified": "2026-06-11T23:57:51.470Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Additional servers",
      "description": "compromised"
    },
    {
      "type": "vulnerability",
      "id": "vulnerability--67b20076-2a37-4be8-bc74-4b125a0013e6",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.470Z",
      "modified": "2026-06-11T23:57:51.470Z",
      "name": "CWE-308: Use of Single-factor Authentication"
    },
    {
      "type": "attack-action",
      "id": "attack-action--ec2cc0ea-2b44-40ef-bc5a-53ccc45ec8b1",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.470Z",
      "modified": "2026-06-11T23:57:51.470Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Exploitation for Privilege Escalation",
      "tactic_id": "TA0004",
      "tactic_ref": "x-mitre-tactic--5e29b093-294e-49e9-a803-dab3d73b77dd",
      "technique_id": "T1068",
      "technique_ref": "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839",
      "description": "attackers used multiple zero-day attacks to gain access to various systems and move throughout the network",
      "effect_refs": [
        "attack-operator--b2ddb779-301e-4f7e-abbd-c6715afe8a15"
      ]
    },
    {
      "type": "vulnerability",
      "id": "vulnerability--1fa0ee57-0549-4652-932b-2dd7a262c174",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.470Z",
      "modified": "2026-06-11T23:57:51.470Z",
      "name": "Zero-day vulnerabilities"
    },
    {
      "type": "attack-action",
      "id": "attack-action--436b5d27-34fc-45af-a0c4-6c5ac071dbf4",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.470Z",
      "modified": "2026-06-11T23:57:51.470Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Malware",
      "description": "attackers used custom malware targeting various systems/vulnerabilities to move throughout the network",
      "effect_refs": [
        "attack-operator--b2ddb779-301e-4f7e-abbd-c6715afe8a15"
      ]
    },
    {
      "type": "tool",
      "id": "tool--031e3858-57b3-490c-adcd-79174b065d72",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.470Z",
      "modified": "2026-06-11T23:57:51.470Z",
      "name": "Custom Malware",
      "tool_types": [
        "unknown"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--22366a07-5595-46c6-a246-8713fca3724e",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.470Z",
      "modified": "2026-06-11T23:57:51.470Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Input Capture",
      "tactic_id": "TA0009",
      "tactic_ref": "x-mitre-tactic--d108ce10-2419-4cf9-a774-46161d6c6cfe",
      "technique_id": "T1056",
      "technique_ref": "attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2",
      "description": "Attackers collected credentials and other information that customers gave to the bank and vice versa",
      "effect_refs": [
        "attack-action--72910b74-d081-4b61-a66b-b0affd2d783d"
      ],
      "asset_refs": [
        "attack-asset--bc3b2ea4-5b4b-4b82-8319-c8b1d8a80c1d"
      ]
    },
    {
      "type": "attack-operator",
      "id": "attack-operator--b2ddb779-301e-4f7e-abbd-c6715afe8a15",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.470Z",
      "modified": "2026-06-11T23:57:51.470Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "operator": "AND",
      "effect_refs": [
        "attack-condition--6c3867f3-fbbf-4828-af64-18971421a044"
      ]
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--bc3b2ea4-5b4b-4b82-8319-c8b1d8a80c1d",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.470Z",
      "modified": "2026-06-11T23:57:51.470Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Customer Data",
      "description": "compromised, including credentials and sensitive information"
    },
    {
      "type": "attack-action",
      "id": "attack-action--72910b74-d081-4b61-a66b-b0affd2d783d",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.470Z",
      "modified": "2026-06-11T23:57:51.470Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Data Transfer Size Limits",
      "tactic_id": "TA0010",
      "tactic_ref": "x-mitre-tactic--9a4e74ab-5008-408c-84bf-a10dfbc53462",
      "technique_id": "T1030",
      "technique_ref": "attack-pattern--c3888c54-775d-4b2f-b759-75a2ececcbfd",
      "description": "attackers slowly extracted gigabytes of data over the course of several months",
      "effect_refs": [
        "attack-action--15f080d7-77c0-4583-ba2c-a866de1f2d9a"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--15f080d7-77c0-4583-ba2c-a866de1f2d9a",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.470Z",
      "modified": "2026-06-11T23:57:51.470Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Multi-hop Proxy",
      "description": "attackers routed attacks/exfiltration through computers in several countries, including Brazil",
      "effect_refs": [
        "attack-action--4219a30c-6b2c-48a0-98f6-d864448210b9"
      ]
    },
    {
      "type": "infrastructure",
      "id": "infrastructure--ac66307f-2077-4dc1-ba05-43baac9c6a93",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.470Z",
      "modified": "2026-06-11T23:57:51.470Z",
      "name": "Multiple Proxies",
      "infrastructure_types": [
        "anonymization"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--4219a30c-6b2c-48a0-98f6-d864448210b9",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.470Z",
      "modified": "2026-06-11T23:57:51.470Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "External Proxy",
      "description": "Attackers redirected traffic to a large city in Russia",
      "effect_refs": [
        "attack-action--7a4cae41-8364-43cf-adb1-5a8f2376c833"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--7a4cae41-8364-43cf-adb1-5a8f2376c833",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.470Z",
      "modified": "2026-06-11T23:57:51.470Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Indicator Removal",
      "tactic_id": "TA0005",
      "tactic_ref": "x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a",
      "technique_id": "T1070",
      "technique_ref": "attack-pattern--799ace7f-e227-4411-baa0-8868704f2a69",
      "description": "Attackers used defense evasion techniques and deleted multiple log files",
      "asset_refs": [
        "attack-asset--c1ce4235-1c78-431d-a20e-3b12aa4acfcc"
      ],
      "effect_refs": [
        "attack-action--7d4a94af-cd71-42fd-8aa1-c27322d79997"
      ]
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--c1ce4235-1c78-431d-a20e-3b12aa4acfcc",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.470Z",
      "modified": "2026-06-11T23:57:51.470Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Log files"
    },
    {
      "type": "attack-action",
      "id": "attack-action--7d4a94af-cd71-42fd-8aa1-c27322d79997",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.470Z",
      "modified": "2026-06-11T23:57:51.470Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Exploit Public-Facing Application",
      "tactic_id": "TA0001",
      "tactic_ref": "x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca",
      "technique_id": "T1190",
      "technique_ref": "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c",
      "description": "Security personnel discovered the breach when a routine scan triggered an alarm for a flaw in one of their websites for a charitable race sponsored by the bank"
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--6c3867f3-fbbf-4828-af64-18971421a044",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.470Z",
      "modified": "2026-06-11T23:57:51.470Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Successfully compromised various servers throughout the bank's network"
    },
    {
      "type": "location",
      "id": "location--3515815d-70d7-4269-8c8f-50ee5da8cdde",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.470Z",
      "modified": "2026-06-11T23:57:51.470Z",
      "name": "Brazil",
      "description": "location of one of the proxies",
      "country": "Brazil"
    },
    {
      "type": "location",
      "id": "location--66e98888-de6a-4a76-b18e-a17ddbd9c060",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.470Z",
      "modified": "2026-06-11T23:57:51.470Z",
      "name": "Russia",
      "country": "Russia"
    },
    {
      "type": "relationship",
      "id": "relationship--434d3049-8a93-4ec2-9ab5-7ac39375f6bc",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.470Z",
      "modified": "2026-06-11T23:57:51.470Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--05935c6a-636d-4ede-8575-15612d5585e5",
      "target_ref": "attack-action--b47629f7-445c-4605-a0a3-126bfad7d133"
    },
    {
      "type": "relationship",
      "id": "relationship--318fff79-704a-4950-aca3-45a952efe8d9",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.470Z",
      "modified": "2026-06-11T23:57:51.470Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--3328fd28-4441-4a1e-8e90-bf18c634f229",
      "target_ref": "attack-action--f6428576-e9f7-4702-9914-a4fa4c9793d7"
    },
    {
      "type": "relationship",
      "id": "relationship--32cd5689-1e35-4cc3-82ce-b7c8fd604314",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.470Z",
      "modified": "2026-06-11T23:57:51.470Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--f6428576-e9f7-4702-9914-a4fa4c9793d7",
      "target_ref": "vulnerability--67b20076-2a37-4be8-bc74-4b125a0013e6"
    },
    {
      "type": "relationship",
      "id": "relationship--ad496962-0262-4733-abab-8ad8648de156",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.470Z",
      "modified": "2026-06-11T23:57:51.470Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--ec2cc0ea-2b44-40ef-bc5a-53ccc45ec8b1",
      "target_ref": "vulnerability--1fa0ee57-0549-4652-932b-2dd7a262c174"
    },
    {
      "type": "relationship",
      "id": "relationship--5ce6e3a4-340c-46eb-a938-3a71ed403c23",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.470Z",
      "modified": "2026-06-11T23:57:51.470Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--436b5d27-34fc-45af-a0c4-6c5ac071dbf4",
      "target_ref": "tool--031e3858-57b3-490c-adcd-79174b065d72"
    },
    {
      "type": "relationship",
      "id": "relationship--3c891f17-ddce-420e-bf69-6e330e61518f",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.470Z",
      "modified": "2026-06-11T23:57:51.470Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--15f080d7-77c0-4583-ba2c-a866de1f2d9a",
      "target_ref": "infrastructure--ac66307f-2077-4dc1-ba05-43baac9c6a93"
    },
    {
      "type": "relationship",
      "id": "relationship--fb55fa39-955d-4c42-98b1-98b65f9539d7",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.470Z",
      "modified": "2026-06-11T23:57:51.470Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--15f080d7-77c0-4583-ba2c-a866de1f2d9a",
      "target_ref": "location--3515815d-70d7-4269-8c8f-50ee5da8cdde"
    },
    {
      "type": "relationship",
      "id": "relationship--cbf8d0d6-38ba-45fe-a2f4-0239361102c6",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.470Z",
      "modified": "2026-06-11T23:57:51.470Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--4219a30c-6b2c-48a0-98f6-d864448210b9",
      "target_ref": "location--66e98888-de6a-4a76-b18e-a17ddbd9c060"
    },
    {
      "type": "relationship",
      "id": "relationship--f21f5dc4-a37e-4584-803e-e4ab34363399",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.470Z",
      "modified": "2026-06-11T23:57:51.470Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--6c3867f3-fbbf-4828-af64-18971421a044",
      "target_ref": "attack-action--22366a07-5595-46c6-a246-8713fca3724e"
    }
  ]
}