mirror of
https://github.com/MISP/misp-galaxy.git
synced 2024-11-26 16:57:18 +00:00
commit
01b03ca5b0
3 changed files with 140 additions and 71 deletions
|
@ -297,7 +297,20 @@
|
|||
},
|
||||
"uuid": "3e7a7fb5-8db2-4033-8f4f-d76721819765",
|
||||
"value": "ACL"
|
||||
},
|
||||
{
|
||||
"description": "Limit access to a service by network/packet filtering the access to",
|
||||
"meta": {
|
||||
"complexity": "Low",
|
||||
"effectiveness": "Medium",
|
||||
"impact": "Low",
|
||||
"refs": [
|
||||
"https://en.wikipedia.org/wiki/Firewall_(computing)"
|
||||
]
|
||||
},
|
||||
"uuid": "19c98fa6-45f7-47cc-830d-2d4f39301b06",
|
||||
"value": "Packet filtering"
|
||||
}
|
||||
],
|
||||
"version": 3
|
||||
"version": 4
|
||||
}
|
||||
|
|
|
@ -181,7 +181,7 @@
|
|||
"attribution-confidence": "50",
|
||||
"country": "CN",
|
||||
"refs": [
|
||||
"http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
|
||||
"https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf"
|
||||
]
|
||||
},
|
||||
"uuid": "06e659ff-ece8-4e6c-a110-d9692ac6d8ee",
|
||||
|
@ -386,12 +386,13 @@
|
|||
"https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2",
|
||||
"https://securelist.com/blog/research/66779/the-darkhotel-apt/",
|
||||
"https://securelist.com/the-darkhotel-apt/66779/",
|
||||
"http://drops.wooyun.org/tips/11726",
|
||||
"https://web.archive.org/web/20160104165148/http://drops.wooyun.org/tips/11726",
|
||||
"https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/",
|
||||
"https://www.cfr.org/interactive/cyber-operations/darkhotel",
|
||||
"https://www.securityweek.com/darkhotel-apt-uses-new-methods-target-politicians",
|
||||
"https://attack.mitre.org/groups/G0012/",
|
||||
"http://www.secureworks.com/research/threat-profiles/tungsten-bridge"
|
||||
"https://www.secureworks.com/research/threat-profiles/tungsten-bridge",
|
||||
"https://www.antiy.cn/research/notice&report/research_report/20200522.html"
|
||||
],
|
||||
"synonyms": [
|
||||
"DUBNIUM",
|
||||
|
@ -405,7 +406,8 @@
|
|||
"Shadow Crane",
|
||||
"APT-C-06",
|
||||
"SIG25",
|
||||
"TUNGSTEN BRIDGE"
|
||||
"TUNGSTEN BRIDGE",
|
||||
"T-APT-02"
|
||||
]
|
||||
},
|
||||
"related": [
|
||||
|
@ -509,7 +511,7 @@
|
|||
"cfr-type-of-incident": "Espionage",
|
||||
"country": "CN",
|
||||
"refs": [
|
||||
"http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html",
|
||||
"https://web.archive.org/web/20130924130243/https://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html",
|
||||
"https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf",
|
||||
"https://www.cfr.org/interactive/cyber-operations/apt-17",
|
||||
"https://www.carbonblack.com/2013/02/08/bit9-and-our-customers-security/",
|
||||
|
@ -647,7 +649,6 @@
|
|||
"https://www.microsoft.com/security/blog/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/",
|
||||
"https://www.cfr.org/interactive/cyber-operations/axiom",
|
||||
"https://securelist.com/games-are-over/70991/",
|
||||
"https://vsec.com.vn/en/blogen/initial-winnti-analysis-against-vietnam-game-company.html",
|
||||
"https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a",
|
||||
"https://www.dw.com/en/thyssenkrupp-victim-of-cyber-attack/a-36695341",
|
||||
"https://www.bleepingcomputer.com/news/security/teamviewer-confirms-undisclosed-breach-from-2016/",
|
||||
|
@ -734,7 +735,7 @@
|
|||
"country": "CN",
|
||||
"refs": [
|
||||
"http://cybercampaigns.net/wp-content/uploads/2013/06/Deep-Panda.pdf",
|
||||
"http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf",
|
||||
"https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf",
|
||||
"https://www.cfr.org/interactive/cyber-operations/deep-panda",
|
||||
"https://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/",
|
||||
"https://eromang.zataz.com/2013/01/02/capstone-turbine-corporation-also-targeted-in-the-cfr-watering-hole-attack-and-more/",
|
||||
|
@ -979,8 +980,10 @@
|
|||
"country": "CN",
|
||||
"refs": [
|
||||
"http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/",
|
||||
"https://blog.confiant.com/uncovering-2017s-largest-malvertising-operation-b84cd38d6b85",
|
||||
"https://blog.confiant.com/zirconium-was-one-step-ahead-of-chromes-redirect-blocker-with-0-day-2d61802efd0d"
|
||||
"https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/",
|
||||
"https://www.crowdstrike.com/blog/storm-chasing/",
|
||||
"https://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/",
|
||||
"https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf"
|
||||
],
|
||||
"synonyms": [
|
||||
"Black Vine",
|
||||
|
@ -1043,7 +1046,7 @@
|
|||
"country": "CN",
|
||||
"refs": [
|
||||
"http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/",
|
||||
"http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/",
|
||||
"https://web.archive.org/web/20140129192702/https://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/",
|
||||
"https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/",
|
||||
"https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/",
|
||||
"https://www.cfr.org/interactive/cyber-operations/iron-tiger"
|
||||
|
@ -1124,13 +1127,12 @@
|
|||
"https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html",
|
||||
"https://www.eweek.com/security/chinese-nation-state-hackers-target-u.s-in-operation-tradesecret",
|
||||
"https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/",
|
||||
"https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf",
|
||||
"https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf",
|
||||
"https://www.us-cert.gov/sites/default/files/publications/IR-ALERT-MED-17-093-01C-Intrusions_Affecting_Multiple_Victims_Across_Multiple_Sectors.pdf",
|
||||
"https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html",
|
||||
"https://www.fbi.gov/news/stories/chinese-hackers-indicted-122018",
|
||||
"https://attack.mitre.org/groups/G0045/",
|
||||
"http://www.secureworks.com/research/threat-profiles/bronze-riverside"
|
||||
"https://www.secureworks.com/research/threat-profiles/bronze-riverside"
|
||||
],
|
||||
"synonyms": [
|
||||
"APT10",
|
||||
|
@ -1206,10 +1208,12 @@
|
|||
"https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/",
|
||||
"https://www.cfr.org/interactive/cyber-operations/hellsing",
|
||||
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-august-goblin-panda/",
|
||||
"https://securelist.com/cycldek-bridging-the-air-gap/97157/",
|
||||
"https://www.fortinet.com/blog/threat-research/cta-security-playbook--goblin-panda.html"
|
||||
],
|
||||
"synonyms": [
|
||||
"Goblin Panda",
|
||||
"Conimes",
|
||||
"Cycldek"
|
||||
]
|
||||
},
|
||||
|
@ -1263,7 +1267,7 @@
|
|||
"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/",
|
||||
"https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/",
|
||||
"https://attack.mitre.org/groups/G0004/",
|
||||
"http://www.secureworks.com/research/threat-profiles/bronze-palace"
|
||||
"https://www.secureworks.com/research/threat-profiles/bronze-palace"
|
||||
],
|
||||
"synonyms": [
|
||||
"Vixen Panda",
|
||||
|
@ -1464,7 +1468,7 @@
|
|||
"refs": [
|
||||
"https://unit42.paloaltonetworks.com/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/",
|
||||
"http://2014.zeronights.org/assets/files/slides/roaming_tiger_zeronights_2014.pdf",
|
||||
"http://www.secureworks.com/research/threat-profiles/bronze-woodland"
|
||||
"https://www.secureworks.com/research/threat-profiles/bronze-woodland"
|
||||
],
|
||||
"synonyms": [
|
||||
"BRONZE WOODLAND",
|
||||
|
@ -1630,7 +1634,7 @@
|
|||
"attribution-confidence": "50",
|
||||
"country": "CN",
|
||||
"refs": [
|
||||
"http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
|
||||
"https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf"
|
||||
]
|
||||
},
|
||||
"uuid": "1514546d-f6ea-4af3-bbea-24d6fd9e6761",
|
||||
|
@ -2016,7 +2020,7 @@
|
|||
"https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/",
|
||||
"https://www.brighttalk.com/webcast/10703/275683",
|
||||
"https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
|
||||
"http://www.secureworks.com/research/threat-profiles/cobalt-trinity"
|
||||
"https://www.secureworks.com/research/threat-profiles/cobalt-trinity"
|
||||
],
|
||||
"synonyms": [
|
||||
"APT 33",
|
||||
|
@ -2508,7 +2512,7 @@
|
|||
"https://www.cfr.org/interactive/cyber-operations/dukes",
|
||||
"https://pylos.co/2018/11/18/cozybear-in-from-the-cold/",
|
||||
"https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/",
|
||||
"http://www.secureworks.com/research/threat-profiles/iron-hemlock"
|
||||
"https://www.secureworks.com/research/threat-profiles/iron-hemlock"
|
||||
],
|
||||
"synonyms": [
|
||||
"Dukes",
|
||||
|
@ -2601,7 +2605,7 @@
|
|||
"https://www.trendmicro.com/vinfo/vn/security/news/cyber-attacks/cyberespionage-group-turla-deploys-backdoor-ahead-of-g20-summit",
|
||||
"https://www.zdnet.com/article/this-hacking-gang-just-updated-the-malware-it-uses-against-uk-targets/",
|
||||
"https://attack.mitre.org/groups/G0010/",
|
||||
"http://www.secureworks.com/research/threat-profiles/iron-hunter"
|
||||
"https://www.secureworks.com/research/threat-profiles/iron-hunter"
|
||||
],
|
||||
"synonyms": [
|
||||
"Turla",
|
||||
|
@ -2856,7 +2860,7 @@
|
|||
"https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
|
||||
"https://attack.mitre.org/groups/G0046/",
|
||||
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
|
||||
"http://www.secureworks.com/research/threat-profiles/gold-niagara"
|
||||
"https://www.secureworks.com/research/threat-profiles/gold-niagara"
|
||||
],
|
||||
"synonyms": [
|
||||
"Carbanak",
|
||||
|
@ -3005,7 +3009,7 @@
|
|||
"attribution-confidence": "50",
|
||||
"country": "RU",
|
||||
"refs": [
|
||||
"http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
|
||||
"https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf"
|
||||
]
|
||||
},
|
||||
"uuid": "db774b7d-a0ee-4375-b24e-fd278f5ab2fd",
|
||||
|
@ -3016,7 +3020,7 @@
|
|||
"attribution-confidence": "50",
|
||||
"country": "KP",
|
||||
"refs": [
|
||||
"http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
|
||||
"https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf"
|
||||
],
|
||||
"synonyms": [
|
||||
"OperationTroy",
|
||||
|
@ -3114,7 +3118,7 @@
|
|||
"https://threatpost.com/banco-de-chile-wiper-attack-just-a-cover-for-10m-swift-heist/132796/",
|
||||
"https://www.darkreading.com/attacks-breaches/north-korean-hacking-group-steals-$135-million-from-indian-bank-/d/d-id/1332678",
|
||||
"https://www.zdnet.com/article/north-korean-hackers-infiltrate-chiles-atm-network-after-skype-job-interview/",
|
||||
"http://www.secureworks.com/research/threat-profiles/nickel-gladstone"
|
||||
"https://www.secureworks.com/research/threat-profiles/nickel-gladstone"
|
||||
],
|
||||
"synonyms": [
|
||||
"Operation DarkSeoul",
|
||||
|
@ -3181,7 +3185,7 @@
|
|||
"attribution-confidence": "50",
|
||||
"country": "IN",
|
||||
"refs": [
|
||||
"http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf"
|
||||
"https://kung_foo.keybase.pub/papers_and_presentations/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf"
|
||||
],
|
||||
"synonyms": [
|
||||
"Appin",
|
||||
|
@ -3248,8 +3252,8 @@
|
|||
"refs": [
|
||||
"https://securelist.com/blog/research/69114/animals-in-the-apt-farm/",
|
||||
"https://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france",
|
||||
"http://www.cyphort.com/evilbunny-malware-instrumented-lua/",
|
||||
"http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/",
|
||||
"https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/",
|
||||
"https://web.archive.org/web/20150218192803/http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/",
|
||||
"https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope",
|
||||
"https://www.cfr.org/interactive/cyber-operations/snowglobe",
|
||||
"https://resources.infosecinstitute.com/animal-farm-apt-and-the-shadow-of-france-intelligence/"
|
||||
|
@ -3300,7 +3304,7 @@
|
|||
"https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-officials",
|
||||
"https://s.tencent.com/research/report/669.html",
|
||||
"https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html",
|
||||
"http://www.secureworks.com/research/threat-profiles/copper-fieldstone"
|
||||
"https://www.secureworks.com/research/threat-profiles/copper-fieldstone"
|
||||
],
|
||||
"synonyms": [
|
||||
"C-Major",
|
||||
|
@ -3433,7 +3437,7 @@
|
|||
"https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf",
|
||||
"https://securelist.com/the-dropping-elephant-actor/75328/",
|
||||
"https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf",
|
||||
"http://www.secureworks.com/research/threat-profiles/zinc-emerson"
|
||||
"https://www.secureworks.com/research/threat-profiles/zinc-emerson"
|
||||
],
|
||||
"synonyms": [
|
||||
"Chinastrats",
|
||||
|
@ -3534,7 +3538,7 @@
|
|||
"https://www.phnompenhpost.com/national/kingdom-targeted-new-malware",
|
||||
"https://attack.mitre.org/groups/G0017/",
|
||||
"https://attack.mitre.org/groups/G0002/",
|
||||
"http://www.secureworks.com/research/threat-profiles/bronze-overbrook"
|
||||
"https://www.secureworks.com/research/threat-profiles/bronze-overbrook"
|
||||
],
|
||||
"synonyms": [
|
||||
"Moafee",
|
||||
|
@ -3880,7 +3884,7 @@
|
|||
"https://www.clearskysec.com/oilrig/",
|
||||
"https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/",
|
||||
"https://attack.mitre.org/groups/G0049/",
|
||||
"http://www.secureworks.com/research/threat-profiles/cobalt-gypsy"
|
||||
"https://www.secureworks.com/research/threat-profiles/cobalt-gypsy"
|
||||
],
|
||||
"synonyms": [
|
||||
"Twisted Kitten",
|
||||
|
@ -4026,7 +4030,6 @@
|
|||
"meta": {
|
||||
"refs": [
|
||||
"https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html",
|
||||
"http://blog.vectranetworks.com/blog/moonlight-middle-east-targeted-attacks",
|
||||
"https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east/",
|
||||
"https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east-en/",
|
||||
"https://middle-east-online.com/en/cyber-war-gaza-hackers-deface-israel-fire-service-website",
|
||||
|
@ -4139,24 +4142,12 @@
|
|||
"attribution-confidence": "50",
|
||||
"country": "IR",
|
||||
"refs": [
|
||||
"https://web.archive.org/web/20191221064439/https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets"
|
||||
"https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets"
|
||||
]
|
||||
},
|
||||
"uuid": "03f13462-003c-4296-8784-bccea16710a9",
|
||||
"value": "Cadelle"
|
||||
},
|
||||
{
|
||||
"description": "Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014, however, it’s likely that activity began well before this date. Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. Their attacks continue to the present day. Symantec estimates that each team is made up of between 5 and 10 people.",
|
||||
"meta": {
|
||||
"attribution-confidence": "50",
|
||||
"country": "IR",
|
||||
"refs": [
|
||||
"https://symantec-blogs.broadcom.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions"
|
||||
]
|
||||
},
|
||||
"uuid": "ddd95696-3d9a-4d0c-beec-a34d396182f3",
|
||||
"value": "Chafer"
|
||||
},
|
||||
{
|
||||
"description": "The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates. Snorre Fagerland of Blue Coat Systems first coined the term PassCV in a blog post. His post provides a good introduction to the group and covers some of the older infrastructure, stolen code-signing certificate reuse, and other connections associated with the PassCV malware. There are several clues alluding to the possibility that multiple groups may be utilizing the same stolen signing certificates, but at this time SPEAR believes the current attacks are more likely being perpetrated by a single group employing multiple publicly available Remote Administration Tools (RATs). The PassCV group has been operating with continued success and has already started to expand their malware repertoire into different off-the-shelf RATs and custom code. SPEAR identified eighteen previously undisclosed stolen Authenticode certificates. These certificates were originally issued to companies and individuals scattered across China, Taiwan, Korea, Europe, the United States and Russia. In this post we expand the usage of the term ‘PassCV’ to encompass the malware mentioned in the Blue Coat Systems report, as well as the APT group behind the larger C2 infrastructure and stolen Authenticode certificates. We’d like to share some of our findings as they pertain to the stolen certificates, command and control infrastructure, and some of the newer custom RATs they’ve begun development on.",
|
||||
"meta": {
|
||||
|
@ -4255,7 +4246,7 @@
|
|||
"https://en.wikipedia.org/wiki/Stuxnet",
|
||||
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf",
|
||||
"https://attack.mitre.org/groups/G0020/",
|
||||
"http://www.secureworks.com/research/threat-profiles/platinum-terminal"
|
||||
"https://www.secureworks.com/research/threat-profiles/platinum-terminal"
|
||||
],
|
||||
"synonyms": [
|
||||
"Tilded Team",
|
||||
|
@ -4523,7 +4514,7 @@
|
|||
"https://github.com/eset/malware-research/tree/master/oceanlotus",
|
||||
"https://www.cfr.org/interactive/cyber-operations/ocean-lotus",
|
||||
"https://www.accenture.com/us-en/blogs/blogs-pond-loach-delivers-badcake-malware",
|
||||
"http://www.secureworks.com/research/threat-profiles/tin-woodlawn"
|
||||
"https://www.secureworks.com/research/threat-profiles/tin-woodlawn"
|
||||
],
|
||||
"synonyms": [
|
||||
"OceanLotus Group",
|
||||
|
@ -4691,7 +4682,7 @@
|
|||
"https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html",
|
||||
"https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html",
|
||||
"https://www.root9b.com/sites/default/files/whitepapers/PoS%20Malware%20ShellTea%20PoSlurp.pdf",
|
||||
"http://files.shareholder.com/downloads/AMDA-254Q5F/0x0x938351/665BA6A3-9573-486C-B96F-80FA35759E8C/FEYE_rpt-mtrends-2017_FINAL2.pdf",
|
||||
"https://afyonluoglu.org/PublicWebFiles/Reports-TR/2017%20FireEye%20M-Trends%20Report.pdf",
|
||||
"https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html",
|
||||
"https://attack.mitre.org/groups/G0061"
|
||||
]
|
||||
|
@ -4972,7 +4963,7 @@
|
|||
"attribution-confidence": "50",
|
||||
"country": "CN",
|
||||
"refs": [
|
||||
"http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf"
|
||||
"https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492182276.pdf"
|
||||
]
|
||||
},
|
||||
"uuid": "5bc7382d-ddc6-46d3-96f5-1dbdadbd601c",
|
||||
|
@ -5021,7 +5012,7 @@
|
|||
"https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/",
|
||||
"https://www.cfr.org/interactive/cyber-operations/mofang",
|
||||
"https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
|
||||
"http://www.secureworks.com/research/threat-profiles/bronze-walker"
|
||||
"https://www.secureworks.com/research/threat-profiles/bronze-walker"
|
||||
],
|
||||
"synonyms": [
|
||||
"Superman",
|
||||
|
@ -5460,7 +5451,7 @@
|
|||
{
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
|
||||
"https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf"
|
||||
]
|
||||
},
|
||||
"uuid": "769bf551-ff39-4f84-b7f2-654a28df1e50",
|
||||
|
@ -5523,7 +5514,7 @@
|
|||
{
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
|
||||
"https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf"
|
||||
]
|
||||
},
|
||||
"uuid": "445c7b62-028b-455e-9d65-74899b7006a4",
|
||||
|
@ -5601,7 +5592,7 @@
|
|||
"attribution-confidence": "50",
|
||||
"country": "CN",
|
||||
"refs": [
|
||||
"http://en.hackdig.com/02/39538.htm"
|
||||
"http://webcache.googleusercontent.com/search?q=cache:TWoHHzH9gU0J:en.hackdig.com/02/39538.htm"
|
||||
]
|
||||
},
|
||||
"uuid": "110792e8-38d2-4df2-9ea3-08b60321e994",
|
||||
|
@ -6251,7 +6242,7 @@
|
|||
"https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/",
|
||||
"https://securelist.com/luckymouse-hits-national-data-center/86083/",
|
||||
"https://attack.mitre.org/groups/G0027/",
|
||||
"http://www.secureworks.com/research/threat-profiles/bronze-union"
|
||||
"https://www.secureworks.com/research/threat-profiles/bronze-union"
|
||||
],
|
||||
"synonyms": [
|
||||
"Emissary Panda",
|
||||
|
@ -6567,7 +6558,7 @@
|
|||
"https://www.cfr.org/interactive/cyber-operations/mustang-panda",
|
||||
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
|
||||
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
|
||||
"http://www.secureworks.com/research/threat-profiles/bronze-president"
|
||||
"https://www.secureworks.com/research/threat-profiles/bronze-president"
|
||||
],
|
||||
"synonyms": [
|
||||
"BRONZE PRESIDENT",
|
||||
|
@ -6919,7 +6910,7 @@
|
|||
"https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html",
|
||||
"https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors/",
|
||||
"https://krebsonsecurity.com/tag/dnspionage/",
|
||||
"http://www.secureworks.com/research/threat-profiles/cobalt-edgewater"
|
||||
"https://www.secureworks.com/research/threat-profiles/cobalt-edgewater"
|
||||
],
|
||||
"synonyms": [
|
||||
"COBALT EDGEWATER"
|
||||
|
@ -7028,7 +7019,7 @@
|
|||
"https://threatpost.com/ta505-servhelper-malware/140792/",
|
||||
"https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/",
|
||||
"https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/",
|
||||
"http://www.secureworks.com/research/threat-profiles/gold-tahoe"
|
||||
"https://www.secureworks.com/research/threat-profiles/gold-tahoe"
|
||||
],
|
||||
"synonyms": [
|
||||
"SectorJ04 Group",
|
||||
|
@ -7064,7 +7055,7 @@
|
|||
"https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/",
|
||||
"https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware",
|
||||
"https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html",
|
||||
"http://www.secureworks.com/research/threat-profiles/gold-ulrick"
|
||||
"https://www.secureworks.com/research/threat-profiles/gold-ulrick"
|
||||
],
|
||||
"synonyms": [
|
||||
"TEMP.MixMaster"
|
||||
|
@ -7080,7 +7071,7 @@
|
|||
"https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
|
||||
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/",
|
||||
"https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service",
|
||||
"http://www.secureworks.com/research/threat-profiles/gold-crestwood"
|
||||
"https://www.secureworks.com/research/threat-profiles/gold-crestwood"
|
||||
],
|
||||
"synonyms": [
|
||||
"TA542",
|
||||
|
@ -7138,6 +7129,8 @@
|
|||
{
|
||||
"description": "APT39 was created to bring together previous activities and methods used by this actor, and its activities largely align with a group publicly referred to as \"Chafer.\" However, there are differences in what has been publicly reported due to the variances in how organizations track activity. APT39 primarily leverages the SEAWEED and CACHEMONEY backdoors along with a specific variant of the POWBAT backdoor. While APT39's targeting scope is global, its activities are concentrated in the Middle East. APT39 has prioritized the telecommunications sector, with additional targeting of the travel industry and IT firms that support it and the high-tech industry.",
|
||||
"meta": {
|
||||
"attribution-confidence": "50",
|
||||
"country": "IR",
|
||||
"refs": [
|
||||
"https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html",
|
||||
"https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions",
|
||||
|
@ -7146,7 +7139,7 @@
|
|||
"https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets",
|
||||
"https://attack.mitre.org/groups/G0087/",
|
||||
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
|
||||
"http://www.secureworks.com/research/threat-profiles/cobalt-hickman"
|
||||
"https://www.secureworks.com/research/threat-profiles/cobalt-hickman"
|
||||
],
|
||||
"synonyms": [
|
||||
"APT 39",
|
||||
|
@ -7183,7 +7176,7 @@
|
|||
"meta": {
|
||||
"refs": [
|
||||
"https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
|
||||
"http://www.secureworks.com/research/threat-profiles/gold-lowell"
|
||||
"https://www.secureworks.com/research/threat-profiles/gold-lowell"
|
||||
],
|
||||
"synonyms": [
|
||||
"GOLD LOWELL"
|
||||
|
@ -7283,7 +7276,7 @@
|
|||
"https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
|
||||
"https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/",
|
||||
"https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/",
|
||||
"http://www.secureworks.com/research/threat-profiles/gold-swathmore"
|
||||
"https://www.secureworks.com/research/threat-profiles/gold-swathmore"
|
||||
],
|
||||
"synonyms": [
|
||||
"GOLD SWATHMORE"
|
||||
|
@ -7415,7 +7408,7 @@
|
|||
"https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities",
|
||||
"https://www.proofpoint.com/us/threat-insight/post/seems-phishy-back-school-lures-target-university-students-and-staff",
|
||||
"https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian",
|
||||
"http://www.secureworks.com/research/threat-profiles/cobalt-dickens"
|
||||
"https://www.secureworks.com/research/threat-profiles/cobalt-dickens"
|
||||
],
|
||||
"synonyms": [
|
||||
"COBALT DICKENS",
|
||||
|
@ -7433,8 +7426,9 @@
|
|||
"refs": [
|
||||
"https://www.microsoft.com/security/blog/2017/03/27/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005/",
|
||||
"https://duo.com/decipher/apt-groups-moving-down-the-supply-chain",
|
||||
"https://github.com/GuardaCyber/APT-Groups-and-Operations/blob/master/Reports/FireEye%20Intel%20-%20APT31%20Threat%20Group%20Profile.pdf",
|
||||
"http://www.secureworks.com/research/threat-profiles/bronze-vinewood"
|
||||
"https://redalert.nshc.net/2019/12/03/threat-actor-targeting-hong-kong-activists",
|
||||
"https:/twitter.com/bkMSFT/status/1201876664667582466",
|
||||
"https://www.secureworks.com/research/threat-profiles/bronze-vinewood"
|
||||
],
|
||||
"synonyms": [
|
||||
"APT 31",
|
||||
|
@ -7802,7 +7796,7 @@
|
|||
"meta": {
|
||||
"refs": [
|
||||
"https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign",
|
||||
"http://www.secureworks.com/research/threat-profiles/cobalt-lyceum"
|
||||
"https://www.secureworks.com/research/threat-profiles/cobalt-lyceum"
|
||||
],
|
||||
"synonyms": [
|
||||
"COBALT LYCEUM"
|
||||
|
@ -7995,7 +7989,7 @@
|
|||
"meta": {
|
||||
"refs": [
|
||||
"https://ti.360.net/blog/articles/analysis-of-apt-c-27/",
|
||||
"http://csecybsec.com/download/zlab/20180723_CSE_APT27_Syria_v1.pdf"
|
||||
"https://www.pbwcz.cz/Reporty/20180723_CSE_APT27_Syria_v1.pdf"
|
||||
],
|
||||
"since": "2014",
|
||||
"synonyms": [
|
||||
|
@ -8310,7 +8304,8 @@
|
|||
],
|
||||
"country": "KR",
|
||||
"refs": [
|
||||
"https://s.tencent.com/research/report/836.html"
|
||||
"https://s.tencent.com/research/report/836.html",
|
||||
"https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/"
|
||||
]
|
||||
},
|
||||
"uuid": "a9df6cb7-74ff-482f-b23b-ac40e975a31a",
|
||||
|
@ -8320,7 +8315,7 @@
|
|||
"description": "COBALT JUNO has operated since at least 2013 and focused on targets located in the Middle East including Iran, Jordan, Egypt & Lebanon. COBALT JUNO custom spyware families SABER1 and SABER2, include surveillance functionality and masquerade as legitimate software utilities such as Adobe Updater, StickyNote and ASKDownloader. CTU researchers assess with moderate confidence that COBALT JUNO operated the ZooPark Android spyware since at least mid-2015. ZooPark was publicly exposed in 2018 in both vendor reporting and a high profile leak of C2 server data. COBALT JUNO is linked to a private security company in Iran and outsources aspects of tool development work to commercial software developers. CTU researchers have observed the group using strategic web compromises to deliver malware. CTU researchers’ discovery of new C2 domains in 2019 suggest the group is still actively performing operations.",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"http://www.secureworks.com/research/threat-profiles/cobalt-juno"
|
||||
"https://www.secureworks.com/research/threat-profiles/cobalt-juno"
|
||||
],
|
||||
"synonyms": [
|
||||
"APT-C-38 (QiAnXin)",
|
||||
|
@ -8335,7 +8330,7 @@
|
|||
"description": "COBALT KATANA has been active since at least March 2018, and it focuses many of its operations on organizations based in or associated with Kuwait. The group has targeted government, logistics, and shipping organizations. The threat actors gain initial access to targets using DNS hijacking, strategic web compromise with SMB forced authentication, and password brute force attacks. COBALT KATANA operates a custom platform referred to as the Sakabota Framework, also referred to as Sakabota Core, with a complimentary set of modular backdoors and accessory tools including Gon, Hisoka, Hisoka Netero, Killua, Diezen, and Eye. The group has implemented DNS tunnelling in its malware and malicious scripts and also operates the HyphenShell web shell to strengthen post-intrusion access. CTU researchers assess with moderate confidence that COBALT KATANA operates on behalf of Iran, and elements of its operations such as overlapping infrastructure, use of DNS hijacking, implementation of DNS-based C2 channels in malware and web shell security mechanisms suggest connections to COBALT GYPSY and COBALT EDGEWATER.",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"http://www.secureworks.com/research/threat-profiles/cobalt-katana"
|
||||
"https://www.secureworks.com/research/threat-profiles/cobalt-katana"
|
||||
],
|
||||
"synonyms": [
|
||||
"Hive0081 (IBM)",
|
||||
|
@ -8347,5 +8342,5 @@
|
|||
"value": "COBALT KATANA"
|
||||
}
|
||||
],
|
||||
"version": 159
|
||||
"version": 163
|
||||
}
|
||||
|
|
|
@ -8032,7 +8032,68 @@
|
|||
"related": [],
|
||||
"uuid": "a2d1cdd6-1c3d-47b3-803b-9a3fffe2f051",
|
||||
"value": "Sedkit"
|
||||
},
|
||||
{
|
||||
"description": "Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers.",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://github.com/cobbr/Covenant/"
|
||||
],
|
||||
"synonyms": [],
|
||||
"type": [
|
||||
"post-exploitation framework"
|
||||
]
|
||||
},
|
||||
"related": [],
|
||||
"uuid": "01a4f3c4-a578-49bd-b6ab-eb3b7d27d8c1",
|
||||
"value": "Covenant"
|
||||
},
|
||||
{
|
||||
"description": "Cobalt Strike is a post-exploitation framework.",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://www.cobaltstrike.com"
|
||||
],
|
||||
"synonyms": [],
|
||||
"type": [
|
||||
"post-exploitation framework"
|
||||
]
|
||||
},
|
||||
"related": [],
|
||||
"uuid": "97f26fab-af0e-4da9-b4c1-aec70cace22d",
|
||||
"value": "Cobalt Strike"
|
||||
},
|
||||
{
|
||||
"description": "Penetration testing framework.",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://www.metasploit.com"
|
||||
],
|
||||
"synonyms": [],
|
||||
"type": [
|
||||
"exploitation framework"
|
||||
]
|
||||
},
|
||||
"related": [],
|
||||
"uuid": "be419332-61ab-45f0-979e-56f78a223c8e",
|
||||
"value": "metasploit"
|
||||
},
|
||||
{
|
||||
"description": "A swiss army knife for pentesting networks.",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://github.com/byt3bl33d3r/CrackMapExec",
|
||||
"https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf"
|
||||
],
|
||||
"synonyms": [],
|
||||
"type": [
|
||||
"exploitation framework"
|
||||
]
|
||||
},
|
||||
"related": [],
|
||||
"uuid": "e83d1296-027a-4f30-98e0-19622967d5c4",
|
||||
"value": "CrackMapExec"
|
||||
}
|
||||
],
|
||||
"version": 135
|
||||
"version": 136
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue