
get_software_used_by_group returns all tools for groups with no actual tools/ software #27

Closed
osV22 opened this issue Jun 7, 2021 · 7 comments
Labels
bug Something isn't working

Comments

@osV22

osV22 commented Jun 7, 2021

Hello Roberto,

When getting all the software/tools used by a group, there is an issue with groups that have no software listed.
The result is that all 605 tools are returned for those groups that have no actual software listed on the site.

Example:

```python
from attackcti import attack_client

lift = attack_client()  # client object for the ATT&CK TAXII server
groups = lift.get_groups()
one_group = groups[40]  # FIN4 / G0085
group_software = lift.get_software_used_by_group(one_group)  # returns all 605 tools
```

MITRE's site does not list any software for the group.
This is also the case with groups such as "APT34" (67), which is just an alias of "OilRig" (73/G0049), which has the actual tools listed. Groups with the same issue include [2, 8, 20, 40, 41, 61, 67].

Possible reference: all_software_list

Apologies in advance if this was done by design, which I know can be omitted if we choose to. I tried MITRE's live CTI server to confirm this, and indeed it did not list the tools or the group either if they had no software/tools.

@osV22 osV22 changed the title get_software_used_by_group all tools for groups with no actual tools get_software_used_by_group returns all tools for groups with no actual tools/ software Jun 7, 2021
@beerMT

beerMT commented Jul 2, 2021

+1 I am getting the same behavior

@Cyb3rWard0g
Collaborator

Hello @osV22 !

I think I know what is going on 😱 ! When the FILTER method from stix2 is part of a multiple-filter query and one of the filters returns zero results, it treats the filters as OR statements and not AND statements.

This is the filter in this function:

```python
relationships = self.get_relationships_by_object(stix_object)
software_relationships = list()
# keep only relationships whose target is a malware or tool object
for relation in relationships:
    if get_type_from_id(relation.target_ref) in ['malware', 'tool']:
        software_relationships.append(relation)
# if software_relationships is empty, the second Filter gets an empty id list
filter_objects = [
    Filter('type', 'in', ['malware', 'tool']),
    Filter('id', '=', [r.target_ref for r in software_relationships])
]
```

As you can see in the filters above, I look for ALL malware or tools that have the RELATIONSHIP id as a target reference equal to RELATIONSHIPS that belong to the GROUP object.

However, while looking at all the relationships of the GROUP FIN4, I only see objects of type ATTACK PATTERN -> TECHNIQUE:

```python
>>> for relation in relationships:
...     get_type_from_id(relation.target_ref)
... 
'attack-pattern'
'attack-pattern'
'attack-pattern'
'attack-pattern'
'attack-pattern'
'attack-pattern'
'attack-pattern'
'attack-pattern'
'attack-pattern'
'attack-pattern'
'attack-pattern'
'attack-pattern'
```

Therefore, it seems that when the FILTER returns a null expression or it is empty, it is not used at all. Since we have two filters (MALWARE/TOOLS + RELATIONSHIPS IDs) but the relationships one is empty, then it returns all MALWARE and TOOLS.
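As an added illustration of the failure mode described above (this is not attackcti's or stix2's code), the following self-contained model shows why a two-filter query with an empty id list widens to every malware and tool object, and the kind of guard that prevents it. It assumes a simplified server in which id/type filters are sent as comma-joined `match[...]` parameters and an empty parameter imposes no constraint; the catalogue, relationship objects and ids are constructed placeholders, and the guard in `software_used_by_group_guarded` is my assumption of a fix, not the hotfix the maintainer shipped.

```python
"""Added example (not attackcti's or stix2's code): models why an empty
id list in a type+id query widens the result, and a guard against it."""
from dataclasses import dataclass


@dataclass
class Relationship:
    """Minimal stand-in for a STIX relationship object (constructed)."""
    source_ref: str
    target_ref: str
    relationship_type: str = "uses"


def get_type_from_id(stix_id: str) -> str:
    """STIX ids look like '<type>--<uuid>'; return the type part."""
    return stix_id.split("--", 1)[0]


# Constructed catalogue and relationships; ids are placeholders, not real ATT&CK ids.
CATALOGUE = [
    {"type": "tool", "id": "tool--0001", "name": "Tool A"},
    {"type": "tool", "id": "tool--0002", "name": "Tool B"},
    {"type": "malware", "id": "malware--0003", "name": "Malware C"},
    {"type": "attack-pattern", "id": "attack-pattern--0004", "name": "Technique D"},
]
RELATIONSHIPS = {
    "intrusion-set--with-software": [
        Relationship("intrusion-set--with-software", "tool--0001"),
        Relationship("intrusion-set--with-software", "attack-pattern--0004"),
    ],
    # Mirrors the FIN4 case in the thread: only technique relationships, no software.
    "intrusion-set--no-software": [
        Relationship("intrusion-set--no-software", "attack-pattern--0004"),
    ],
}


def to_match_params(filters):
    """Turn (property, values) filters into TAXII-style 'match[prop]' params.
    List values are comma-joined, so an empty list becomes an empty string.
    Simplified model (assumption), not the stix2 implementation."""
    return {f"match[{prop}]": ",".join(values) for prop, values in filters}


def server_query(params):
    """Simplified server: a match parameter with no values imposes no
    constraint (the 'empty filter is not used at all' behaviour described
    in the thread); all remaining parameters are ANDed."""
    results = CATALOGUE
    for key, raw in params.items():
        prop = key[len("match["):-1]
        wanted = {v for v in raw.split(",") if v}
        if not wanted:
            continue  # the empty id filter silently drops out here
        results = [obj for obj in results if obj[prop] in wanted]
    return results


def software_relationships(group_id):
    """Relationships of the group whose target is a malware or tool object."""
    return [r for r in RELATIONSHIPS.get(group_id, [])
            if get_type_from_id(r.target_ref) in ("malware", "tool")]


def software_used_by_group_buggy(group_id):
    """Same filter shape as the snippet in the thread: type AND id."""
    rels = software_relationships(group_id)
    filters = [("type", ["malware", "tool"]),
               ("id", [r.target_ref for r in rels])]
    return server_query(to_match_params(filters))


def software_used_by_group_guarded(group_id):
    """Hypothetical guard (assumption, not attackcti's hotfix): never issue
    the query when there are no software ids to match."""
    rels = software_relationships(group_id)
    if not rels:
        return []
    filters = [("type", ["malware", "tool"]),
               ("id", [r.target_ref for r in rels])]
    return server_query(to_match_params(filters))


if __name__ == "__main__":
    for group in RELATIONSHIPS:
        print(group,
              "buggy:", [o["name"] for o in software_used_by_group_buggy(group)],
              "guarded:", [o["name"] for o in software_used_by_group_guarded(group)])
```

Running it shows the group with no software returning every malware and tool from the buggy path (the type filter still applies, the id filter does not) and an empty list from the guarded path, while the group with software returns the same single tool either way. The general lesson for anyone composing filters from data-derived lists is to check for the empty case before the query is built, since a silently dropped filter turns a conjunction into a far broader match.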

@Cyb3rWard0g
Collaborator

Fixing it now and pushing a hotfix soon.

@Cyb3rWard0g
Collaborator

Added a quick fix in my lab and it seems to work now.

[screenshot]

I tried it with a different group and it seems to be working fine. There were similar loops in other functions, so I fixed those too.

Group: https://attack.mitre.org/groups/G0120

[screenshots]

@Cyb3rWard0g
Collaborator

I tested it with groups 2, 8, 20, 40, 41, 61, 67.

[screenshot]

However, group 61 (https://attack.mitre.org/groups/G0066/) does have SOFTWARE:

9 SOFTWARE

[screenshots]

@Cyb3rWard0g
Collaborator

I updated the library to version 0.3.4.4:

https://pypi.org/project/attackcti/

[screenshot]

It seems to be working fine now :) Thank you very much @osV22 and @beerMT ! Enjoy your weekend!

@beerMT

beerMT commented Jul 6, 2021

Nicely done, thanks for jumping on that. Cheers!


3 participants