From 03c54a3e05b40afb6fbf14fa0ec24351d4e16ca2 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 13 Dec 2019 11:47:31 +0100 Subject: [PATCH] add GALLIUM as microsoft activities group and similar to Operation Soft Cell --- clusters/microsoft-activity-group.json | 24 +++++++++++++++++++++++- clusters/threat-actor.json | 7 +++++++ 2 files changed, 30 insertions(+), 1 deletion(-) diff --git a/clusters/microsoft-activity-group.json b/clusters/microsoft-activity-group.json index 8538392..25b4a46 100644 --- a/clusters/microsoft-activity-group.json +++ b/clusters/microsoft-activity-group.json @@ -236,7 +236,29 @@ ], "uuid": "2a410eea-a9da-11e8-b404-37b7060746c8", "value": "https://www.cfr.org/interactive/cyber-operations/mythic-leopard" + }, + { + "description": "Microsoft Threat Intelligence Center (MSTIC) is raising awareness of the ongoing activity by a group we call GALLIUM, targeting telecommunication providers. When Microsoft customers have been targeted by this activity, we notified them directly with the relevant information they need to protect themselves. By sharing the detailed methodology and indicators related to GALLIUM activity, we’re encouraging the security community to implement active defenses to secure the broader ecosystem from these attacks.\nTo compromise targeted networks, GALLIUM target unpatched internet-facing services using publicly available exploits and have been known to target vulnerabilities in WildFly/JBoss. Once persistence is established in a network, GALLIUM uses common techniques and tools like Mimikatz to obtain credentials that allows for lateral movement across the target network. Within compromised networks, GALLIUM makes no attempt to obfuscate their intent and are known to use common versions of malware and publicly available toolkits with small modifications. The operators rely on low cost and easy to replace infrastructure that consists of dynamic-DNS domains and regularly reused hop points.\nThis activity from GALLIUM has been identified predominantly through 2018 to mid-2019. GALLIUM is still active; however, activity levels have dropped when compared to what was previously observed.", + "meta": { + "refs": [ + "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/" + ], + "synonyms": [ + "Operation Soft Cell" + ] + }, + "related": [ + { + "dest-uuid": "8dda51ef-9a30-48f7-b0fd-5b6f0a62262d", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + } + ], + "uuid": "6085aad0-1d95-11ea-a140-078d42aced40", + "value": "GALLIUM" } ], - "version": 6 + "version": 7 } diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index bd212f7..5686de6 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -7787,6 +7787,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "suspected-link" + }, + { + "dest-uuid": "6085aad0-1d95-11ea-a140-078d42aced40", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" } ], "uuid": "8dda51ef-9a30-48f7-b0fd-5b6f0a62262d",