From f5687c0162758811d39104a246f7b68be8298308 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 31 Jul 2024 02:14:11 -0700
Subject: [PATCH 1/8] [threat-actors] Add TA4903
---
clusters/threat-actor.json | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index cc9fc27..0602533 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16455,6 +16455,16 @@
 },
 "uuid": "02768be6-853c-4239-8fb1-823427489a86",
 "value": "APT45"
+ },
+ {
+ "description": "TA4903 is a financially motivated threat actor known for conducting credential phishing and business email compromise campaigns. They target organizations in the U.S. across various sectors, spoofing government entities and private businesses. The actor has been observed using techniques such as QR codes in phishing campaigns and spoofing supplier domains to prompt victims to provide banking information. TA4903's activities typically involve stealing corporate credentials to facilitate follow-on BEC activities.",
+ "meta": {
+ "refs": [
+ "https://www.proofpoint.com/us/blog/threat-insight/ta4903-actor-spoofs-us-government-small-businesses-phishing-bec-bids"
+ ]
+ },
+ "uuid": "1725e1c3-9870-4f66-8962-753c4ed3e086",
+ "value": "TA4903"
 }
 ],
 "version": 312
From cd621af35c3da510c8458495fb5c7bb9e4f13196 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 31 Jul 2024 02:14:11 -0700
Subject: [PATCH 2/8] [threat-actors] Add Storm-0506
---
clusters/threat-actor.json | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0602533..dc9b91e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
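Review bot: The new TA4903 entry states the actor's financial motivation only inside the prose `description`, so the structured `meta` block offers nothing beyond `refs` that a consumer can filter on; the UNC4393 entry added in PATCH 5/8 has the same gap. If this galaxy's `motive` meta key is in use for other clusters in the file, consider adding it here, e.g. `"motive": "Cybercrime"` (value to be confirmed against the vocabulary already present in the file), next to the existing `refs`. The description text itself is fine as written.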
@@ -16465,6 +16465,17 @@
 },
 "uuid": "1725e1c3-9870-4f66-8962-753c4ed3e086",
 "value": "TA4903"
+ },
+ {
+ "description": "Storm-0569 is an initial access broker that distributes BATLOADER using search engine optimization (SEO) poisoning with websites that spoof Zoom, TeamViewer, Tableau, and AnyDesk. It uses the loader malware to inject the Cobalt Strike payload and transfers access to Storm-0506 for the deployment of the Black Basta ransomware.",
+ "meta": {
+ "refs": [
+ "https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/",
+ "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-widely-abused-msix-app-installer-disabled-by-microsoft-active-iocs"
+ ]
+ },
+ "uuid": "d1ad4392-c85a-4f07-9818-a86f805a49f6",
+ "value": "Storm-0506"
 }
 ],
 "version": 312
From ac6c63ba8a46932a2711375c994363d53936a05e Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 31 Jul 2024 02:14:11 -0700
Subject: [PATCH 3/8] [threat-actors] Add Ghostwriter aliases
---
clusters/threat-actor.json | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index dc9b91e..0af0755 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
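Review bot: The `description` of the new Storm-0506 entry describes a different actor: it opens with `Storm-0569 is an initial access broker ...` and mentions Storm-0506 only in the final clause as the party that receives the access to deploy Black Basta, while `value` is `Storm-0506`. Either the text was lifted from the wrong cluster or the entry is misnamed; since the patch subject says Storm-0506, the description should be rewritten around that actor, e.g. `"description": "Storm-0506 is a threat actor that deploys Black Basta ransomware after obtaining access from the initial access broker Storm-0569, which distributes BATLOADER through SEO-poisoned sites spoofing Zoom, TeamViewer, Tableau, and AnyDesk."`. The second ref (the Rewterz MSIX App Installer alert) should also be checked for whether it concerns Storm-0506 at all rather than Storm-0569's loader distribution, since nothing in the hunk ties it to the named actor.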
@@ -9728,14 +9728,18 @@
 "https://www.bleepingcomputer.com/news/security/meta-ukrainian-officials-military-targeted-by-ghostwriter-hackers",
 "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag",
 "https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/",
- "https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html"
+ "https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html",
+ "https://socprime.com/blog/uac-0057-attack-detection-a-surge-in-adversary-activity-distributing-picassoloader-and-cobalt-strike-beacon/",
+ "https://socprime.com/blog/picassoloader-and-cobalt-strike-beacon-detection-uac-0057-aka-ghostwriter-hacking-group-attacks-the-ukrainian-leading-military-educational-institution/",
+ "https://cert.gov.ua/article/5098518"
 ],
 "synonyms": [
 "UNC1151",
 "TA445",
 "PUSHCHA",
 "Storm-0257",
- "DEV-0257"
+ "DEV-0257",
+ "UAC-0057"
 ]
 },
 "related": [
From a3e9e8c9445ef95e1faa762d27d1673ca9a977f7 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 31 Jul 2024 02:14:11 -0700
Subject: [PATCH 4/8] [threat-actors] Add SAMBASPIDER
---
clusters/threat-actor.json | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0af0755..a2e493d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16480,6 +16480,17 @@
 },
 "uuid": "d1ad4392-c85a-4f07-9818-a86f805a49f6",
 "value": "Storm-0506"
+ },
+ {
+ "description": "SAMBASPIDER is a threat actor associated to the Mispadu malware. On July 24, USDoD allegedly scraped and leaked a 100,000-line Indicator of Compromise list from CrowdStrike, revealing detailed threat intelligence data. The leak, posted on Breach Forums, includes critical insights into the Mispadu malware and SAMBASPIDER threat actor.",
+ "meta": {
+ "refs": [
+ "https://hackread.com/hacker-scrapes-publishes-crowdstrike-ioc-list/",
+ "https://www.crowdstrike.com/blog/hacktivist-usdod-claims-to-have-leaked-threat-actor-list/"
+ ]
+ },
+ "uuid": "0b71d2db-93fe-49b5-a9fd-7f8c94b86637",
+ "value": "SAMBASPIDER"
 }
 ],
 "version": 312
From 7289782aae93f14cb5f9ddc62616b7f294aa8bc6 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 31 Jul 2024 02:14:11 -0700
Subject: [PATCH 5/8] [threat-actors] Add UNC4393
---
clusters/threat-actor.json | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index a2e493d..79ba1d4 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
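Review bot: Only the first sentence of the new SAMBASPIDER `description` is about the actor; the other two narrate the alleged scraping and leak of a CrowdStrike IoC list by USDoD, which is an event about the provenance of the information rather than a property of SAMBASPIDER, and `On July 24` carries no year. Keep the description to what is actually known about the actor, e.g. `"description": "SAMBASPIDER is a threat actor associated with the Mispadu malware."`, let the two `refs` carry the leak story, and note the grammar fix from `associated to` to `associated with`. If the galaxy already has a Mispadu malware cluster, a `related` link (the key visible on the Ghostwriter entry in PATCH 3/8) would express the association in structured form instead of prose.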
@@ -16491,6 +16491,16 @@
 },
 "uuid": "0b71d2db-93fe-49b5-a9fd-7f8c94b86637",
 "value": "SAMBASPIDER"
+ },
+ {
+ "description": "UNC4393 is a financially motivated threat actor primarily using BASTA ransomware. They have been active since early 2022 and have targeted over 40 organizations across various industries. UNC4393 has shown a willingness to cooperate with other threat clusters for initial access and has evolved from using existing tools to developing custom malware. They focus on efficient data exfiltration and multi-faceted extortion, often utilizing tools like COGSCAN and RCLONE for reconnaissance and data theft.",
+ "meta": {
+ "refs": [
+ "https://cloud.google.com/blog/topics/threat-intelligence/unc4393-goes-gently-into-silentnight"
+ ]
+ },
+ "uuid": "8191e28a-fb2d-4d50-b992-b877807a2f37",
+ "value": "UNC4393"
 }
 ],
 "version": 312
From 1ebe75d3fefb9a4620cf474e30fe13ce3f53aa03 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 31 Jul 2024 02:14:11 -0700
Subject: [PATCH 6/8] [threat-actors] Add Hive0137
---
clusters/threat-actor.json | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 79ba1d4..805ed89 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
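Review bot: The new UNC4393 entry and the Storm-0506 entry added in PATCH 2/8 both describe an operator deploying Black Basta/BASTA ransomware, yet neither mentions the other, so a consumer of this file cannot tell whether these are two vendor names for one cluster or two distinct groups. If the maintainers treat them as the same activity, a `synonyms` or `related` entry (both keys are visible on the Ghostwriter entry in PATCH 3/8) would avoid a duplicate cluster; if they are considered distinct, a clause in the `description` saying so would help. If `BASTA` here is the family the Storm-0506 entry calls Black Basta, writing it once as `Black Basta (BASTA)` would make the two entries findable together by search.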
@@ -16501,6 +16501,16 @@
 },
 "uuid": "8191e28a-fb2d-4d50-b992-b877807a2f37",
 "value": "UNC4393"
+ },
+ {
+ "description": "Being one of the most active malware distributors, Hive0137 demonstrates a willingness to explore new payloads and technologies such as GenAI. They have quickly moved onto the same level as other high-profile distributors such as TA577, and will likely be responsible for future phishing campaigns, facilitating initial access for ransomware affiliates. Hive0137’s combination of intent, capabilities and relationships with other groups presents a direct threat to organizations all over the world. As threat actors pick up the pace and increasingly adopt AI technologies for malicious purposes, it is important that organizations are aware of the most recent threats and their capabilities to maintain a strong security posture.",
+ "meta": {
+ "refs": [
+ "https://securityintelligence.com/x-force/hive0137-on-ai-journey/"
+ ]
+ },
+ "uuid": "34f2d3ad-e367-4058-a10b-1f7a4274c418",
+ "value": "Hive0137"
 }
 ],
 "version": 312
From cd18bf3645fe8eaa00245fcbe1b0af67d4d4af45 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 31 Jul 2024 02:14:12 -0700
Subject: [PATCH 7/8] [threat actors] Update README
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index b2295eb..06742fb 100644
--- a/README.md
+++ b/README.md
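Review bot: The last sentence of the new Hive0137 `description` (`As threat actors pick up the pace ... maintain a strong security posture.`) is general advice to readers, not a statement about the actor, and the preceding `presents a direct threat to organizations all over the world` is likewise editorial; both read as the cited blog post's closing paragraph rather than text written for a cluster entry. Trim the description to its factual claims, e.g. `"description": "Hive0137 is one of the most active malware distributors and has shown a willingness to explore new payloads and technologies such as GenAI. It has reached the level of other high-profile distributors such as TA577 and is likely to run phishing campaigns that provide initial access for ransomware affiliates."`. The apostrophe in `Hive0137’s` is the typographic U+2019 character while the other entries in this series use ASCII `'` (see `TA4903's` in PATCH 1/8); normalizing it keeps search and diffs consistent.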
@@ -591,7 +591,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements
 [Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
-Category: *actor* - source: *MISP Project* - total: *716* elements
+Category: *actor* - source: *MISP Project* - total: *721* elements
 [[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]
From cfe181450944e5983081053e694e3a9af0c0f273 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 19 Aug 2024 18:07:20 +0200
Subject: [PATCH 8/8] chg: [threat-actor] updated
---
clusters/threat-actor.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 805ed89..5db66b1 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16513,5 +16513,5 @@
 "value": "Hive0137"
 }
 ],
- "version": 312
+ "version": 313
 }