added CN actors from secureworks threat profile

https://www.secureworks.com/research/threat-profiles?filter=item-china and fixed some AKAs
This commit is contained in:
Rony 2022-07-20 14:52:58 +05:30
parent 000bfe92d9
commit 082039b3b0

View file

@ -956,7 +956,7 @@
"value": "Lotus Panda" "value": "Lotus Panda"
}, },
{ {
"description": "We have investigated their intrusions since 2013 and have been battling them nonstop over the last year at several large telecommunications and technology companies. The determination of this China-based adversary is truly impressive: they are like a dog with a bone.\nHURRICANE PANDAs preferred initial vector of compromise and persistence is a China Chopper webshell a tiny and easily obfuscated 70 byte text file that consists of an eval() command, which is then used to provide full command execution and file upload/download capabilities to the attackers. This script is typically uploaded to a web server via a SQL injection or WebDAV vulnerability, which is often trivial to uncover in a company with a large external web presence.\nOnce inside, the adversary immediately moves on to execution of a credential theft tool such as Mimikatz (repacked to avoid AV detection). If they are lucky to have caught an administrator who might be logged into that web server at the time, they will have gained domain administrator credentials and can now roam your network at will via net use and wmic commands executed through the webshell terminal.", "description": "We have investigated their intrusions since 2013 and have been battling them nonstop over the last year at several large telecommunications and technology companies. The determination of this China-based adversary is truly impressive: they are like a dog with a bone.\nHURRICANE PANDA's preferred initial vector of compromise and persistence is a China Chopper webshell a tiny and easily obfuscated 70 byte text file that consists of an eval() command, which is then used to provide full command execution and file upload/download capabilities to the attackers. This script is typically uploaded to a web server via a SQL injection or WebDAV vulnerability, which is often trivial to uncover in a company with a large external web presence.\nOnce inside, the adversary immediately moves on to execution of a credential theft tool such as Mimikatz (repacked to avoid AV detection). If they are lucky to have caught an administrator who might be logged into that web server at the time, they will have gained domain administrator credentials and can now roam your network at will via net use and wmic commands executed through the webshell terminal.",
"meta": { "meta": {
"attribution-confidence": "50", "attribution-confidence": "50",
"country": "CN", "country": "CN",
@ -1676,9 +1676,7 @@
], ],
"synonyms": [ "synonyms": [
"APT23", "APT23",
"APT 23",
"KeyBoy", "KeyBoy",
"TropicTrooper",
"Tropic Trooper", "Tropic Trooper",
"BRONZE HOBART", "BRONZE HOBART",
"G0081" "G0081"
@ -2421,14 +2419,15 @@
"https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/", "https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/",
"https://www.bleepingcomputer.com/news/security/russian-hackers-use-fake-nato-training-docs-to-breach-govt-networks/", "https://www.bleepingcomputer.com/news/security/russian-hackers-use-fake-nato-training-docs-to-breach-govt-networks/",
"https://quointelligence.eu/2020/09/apt28-zebrocy-malware-campaign-nato-theme/", "https://quointelligence.eu/2020/09/apt28-zebrocy-malware-campaign-nato-theme/",
"https://unit42.paloaltonetworks.com/atoms/fighting-ursa/" "https://unit42.paloaltonetworks.com/atoms/fighting-ursa/",
"https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag"
], ],
"synonyms": [ "synonyms": [
"APT 28", "APT 28",
"APT28", "APT28",
"Pawn Storm", "Pawn Storm",
"PawnStorm", "PawnStorm",
"Fancy Bear", "FANCY BEAR",
"Sednit", "Sednit",
"SNAKEMACKEREL", "SNAKEMACKEREL",
"TsarTeam", "TsarTeam",
@ -2603,7 +2602,8 @@
"https://attack.mitre.org/groups/G0010/", "https://attack.mitre.org/groups/G0010/",
"https://www.telsy.com/turla-venomous-bear-updates-its-arsenal-newpass-appears-on-the-apt-threat-scene/", "https://www.telsy.com/turla-venomous-bear-updates-its-arsenal-newpass-appears-on-the-apt-threat-scene/",
"https://www.secureworks.com/research/threat-profiles/iron-hunter", "https://www.secureworks.com/research/threat-profiles/iron-hunter",
"https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/" "https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/",
"https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag"
], ],
"synonyms": [ "synonyms": [
"Turla", "Turla",
@ -2747,14 +2747,15 @@
"https://web.archive.org/web/20141016132823/https://www.symantec.com/connect/blogs/sandworm-windows-zero-day-vulnerability-being-actively-exploited-targeted-attacks", "https://web.archive.org/web/20141016132823/https://www.symantec.com/connect/blogs/sandworm-windows-zero-day-vulnerability-being-actively-exploited-targeted-attacks",
"https://ics.sans.org/blog/2015/12/30/current-reporting-on-the-cyber-attack-in-ukraine-resulting-in-power-outage", "https://ics.sans.org/blog/2015/12/30/current-reporting-on-the-cyber-attack-in-ukraine-resulting-in-power-outage",
"https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks/", "https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks/",
"https://attack.mitre.org/groups/G0034/" "https://attack.mitre.org/groups/G0034/",
"https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag"
], ],
"synonyms": [ "synonyms": [
"Sandworm Team", "Sandworm Team",
"Black Energy", "Black Energy",
"BlackEnergy", "BlackEnergy",
"Quedagh", "Quedagh",
"Voodoo Bear", "VOODOO BEAR",
"TEMP.Noble", "TEMP.Noble",
"Iron Viking", "Iron Viking",
"G0034" "G0034"
@ -4510,7 +4511,11 @@
"description": "The Callisto Group is an advanced threat actor whose known targets include military personnel, government officials, think tanks, and journalists in Europe and the South Caucasus. Their primary interest appears to be gathering intelligence related to foreign and security policy in the Eastern Europe and South Caucasus regions.", "description": "The Callisto Group is an advanced threat actor whose known targets include military personnel, government officials, think tanks, and journalists in Europe and the South Caucasus. Their primary interest appears to be gathering intelligence related to foreign and security policy in the Eastern Europe and South Caucasus regions.",
"meta": { "meta": {
"refs": [ "refs": [
"https://www.f-secure.com/documents/996508/1030745/callisto-group" "https://www.f-secure.com/documents/996508/1030745/callisto-group",
"https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag"
],
"synonyms": [
"COLDRIVER"
] ]
}, },
"uuid": "fbd279ab-c095-48dc-ba48-4bece3dd5b0f", "uuid": "fbd279ab-c095-48dc-ba48-4bece3dd5b0f",
@ -4882,7 +4887,7 @@
], ],
"synonyms": [ "synonyms": [
"CactusPete", "CactusPete",
"Karma Panda", "KARMA PANDA",
"BRONZE HUNTLEY" "BRONZE HUNTLEY"
] ]
}, },
@ -6510,11 +6515,12 @@
"synonyms": [ "synonyms": [
"BRONZE PRESIDENT", "BRONZE PRESIDENT",
"HoneyMyte", "HoneyMyte",
"Red Lich" "Red Lich",
"TEMP.HEX"
] ]
}, },
"uuid": "78bf726c-a9e6-11e8-9e43-77249a2f7339", "uuid": "78bf726c-a9e6-11e8-9e43-77249a2f7339",
"value": "Mustang Panda" "value": "MUSTANG PANDA"
}, },
{ {
"description": "This threat actor targets organizations in the satellite communications, telecommunications, geospatial-imaging, and defense sectors in the United States and Southeast Asia for espionage purposes.", "description": "This threat actor targets organizations in the satellite communications, telecommunications, geospatial-imaging, and defense sectors in the United States and Southeast Asia for espionage purposes.",
@ -7827,7 +7833,20 @@
"meta": { "meta": {
"country": "CN", "country": "CN",
"refs": [ "refs": [
"https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology" "https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology",
"https://www.recordedfuture.com/china-linked-ta428-threat-group",
"https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia",
"https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop",
"https://blog.group-ib.com/task",
"https://www.sentinelone.com/labs/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op",
"https://www.youtube.com/watch?v=1WfPlgtfWnQ",
"https://vb2020.vblocalhost.com/uploads/VB2020-20.pdf",
"https://vb2020.vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf",
"https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf"
],
"synonyms": [
"Colourful Panda",
"BRONZE DUDLEY"
] ]
}, },
"uuid": "5533d062-18ab-4c70-9472-0eac03f95a1d", "uuid": "5533d062-18ab-4c70-9472-0eac03f95a1d",
@ -7992,10 +8011,13 @@
"meta": { "meta": {
"refs": [ "refs": [
"https://www.ptsecurity.com/upload/corporate/ru-ru/analytics/calypso-apt-2019-rus.pdf" "https://www.ptsecurity.com/upload/corporate/ru-ru/analytics/calypso-apt-2019-rus.pdf"
],
"synonyms": [
"BRONZE MEDLEY"
] ]
}, },
"uuid": "200d04c8-a11f-45c4-86fd-35bb5de3f7a3", "uuid": "200d04c8-a11f-45c4-86fd-35bb5de3f7a3",
"value": "Calypso group" "value": "Calypso"
}, },
{ {
"description": "Proofpoint researchers detected campaigns from a relatively new actor, tracked internally as TA2101, targeting German companies and organizations to deliver and install backdoor malware. The actor initiated their campaigns impersonating the Bundeszentralamt fur Steuern, the German Federal Ministry of Finance, with lookalike domains, verbiage, and stolen branding in the emails. For their campaigns in Germany, the actor chose Cobalt Strike, a commercially licensed software tool that is generally used for penetration testing and emulates the type of backdoor framework used by Metasploit, a similar penetration testing tool. Proofpoint researchers have also observed this actor distributing Maze ransomware, employing similar social engineering techniques to those it uses for Cobalt Strike, while also targeting organizations in Italy and impersonating the Agenzia Delle Entrate, the Italian Revenue Agency. We have also recently observed the actor targeting organizations in the United States using the IcedID banking Trojan while impersonating the United States Postal Service (USPS).", "description": "Proofpoint researchers detected campaigns from a relatively new actor, tracked internally as TA2101, targeting German companies and organizations to deliver and install backdoor malware. The actor initiated their campaigns impersonating the Bundeszentralamt fur Steuern, the German Federal Ministry of Finance, with lookalike domains, verbiage, and stolen branding in the emails. For their campaigns in Germany, the actor chose Cobalt Strike, a commercially licensed software tool that is generally used for penetration testing and emulates the type of backdoor framework used by Metasploit, a similar penetration testing tool. Proofpoint researchers have also observed this actor distributing Maze ransomware, employing similar social engineering techniques to those it uses for Cobalt Strike, while also targeting organizations in Italy and impersonating the Agenzia Delle Entrate, the Italian Revenue Agency. We have also recently observed the actor targeting organizations in the United States using the IcedID banking Trojan while impersonating the United States Postal Service (USPS).",
@ -8708,7 +8730,8 @@
"https://www.fireeye.com/blog/threat-research/2020/07/ghostwriter-influence-campaign.html", "https://www.fireeye.com/blog/threat-research/2020/07/ghostwriter-influence-campaign.html",
"https://twitter.com/hatr/status/1377220336597483520", "https://twitter.com/hatr/status/1377220336597483520",
"https://www.mandiant.com/resources/unc1151-linked-to-belarus-government", "https://www.mandiant.com/resources/unc1151-linked-to-belarus-government",
"https://www.bleepingcomputer.com/news/security/meta-ukrainian-officials-military-targeted-by-ghostwriter-hackers/" "https://www.bleepingcomputer.com/news/security/meta-ukrainian-officials-military-targeted-by-ghostwriter-hackers",
"https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag"
], ],
"synonyms": [ "synonyms": [
"UNC1151", "UNC1151",
@ -9734,6 +9757,7 @@
"ControlX", "ControlX",
"TAG-22", "TAG-22",
"FISHMONGER", "FISHMONGER",
"BRONZE UNIVERSITY",
"Red Dev 10" "Red Dev 10"
] ]
}, },
@ -9803,6 +9827,142 @@
}, },
"uuid": "7e6d82a4-3b7d-4c24-a2c5-e211ce6eafc5", "uuid": "7e6d82a4-3b7d-4c24-a2c5-e211ce6eafc5",
"value": "APT9" "value": "APT9"
},
{
"description": "BRONZE SPRING is a threat group that CTU researchers assess with high confidence operates on behalf of China in the theft of intellectual property from defense, engineering, pharmaceutical and technology companies. The threat group typically uses scan-and-exploit for initial access, deploys the China Chopper webshell for remote execution and persistence, and creates RAR archives with a '.jpg' file extension for data exfiltration. \nIn July 2020 the U.S. Department of Justice indicted two Chinese hackers CTU researchers assess are members of the BRONZE SPRING threat group. The Department of Justice allege these hackers were responsible for compromising networks of hundreds of organisations and individuals in the U.S. and abroad since 2009, and that exfiltrated data would be passed to the Chinese Ministry of State Security or sold for financial gain.",
"meta": {
"cfr-suspected-victims": [
"United States",
"Australia",
"Belgium",
"Germany",
"Japan",
"Lithuania",
"Netherlands",
"Spain",
"South Korea",
"Sweden",
"United Kingdom"
],
"cfr-target-category": [
"Information technology",
"Medical",
"Civil engineering",
"Business",
"Education",
"Gaming",
"Energy",
"Pharmaceuticals",
"Defense industrial base"
],
"country": "CN",
"refs": [
"https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion",
"https://www.justice.gov/opa/press-release/file/1295981/download",
"https://www.justice.gov/opa/press-release/file/1295986/download",
"https://intrusiontruth.wordpress.com/2021/05/06/an-apt-with-no-name",
"https://twitter.com/MrDanPerez/status/1390285821786394624"
],
"synonyms": [
"UNC302"
]
},
"uuid": "8b77424e-18bc-4ea7-baa4-d87441978e20",
"value": "BRONZE SPRING"
},
{
"description": "BRONZE STARLIGHT has been active since mid 2021 and targets organizations globally across a range of industry verticals. The group leverages HUI Loader to load Cobalt Strike and PlugX payloads for command and control. CTU researchers have observed BRONZE STARLIGHT deploying ransomware to compromised networks as part of name-and-shame ransomware schemes, and posted victim names to leak sites. \nCTU researchers assess with moderate confidence that BRONZE STARLIGHT is located in China based on observed tradecraft, including the use of HUI Loader and PlugX which are associated with China-based threat group activity. It is plausible that BRONZE STARLIGHT deploys ransomware as a smokescreen rather than for financial gain, with the underlying motivation of stealing intellectual property theft or conducting espionage.",
"meta": {
"country": "CN",
"refs": [
"https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
"https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation",
"https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility",
"https://twitter.com/cglyer/status/1480734487000453121"
],
"synonyms": [
"DEV-0401"
]
},
"uuid": "737c0207-1a1a-4480-86e7-b6a5066e1ee5",
"value": "BRONZE STARLIGHT"
},
{
"description": "BRONZE HIGHLAND has been observed using spearphishing as an initial infection vector to deploy the MgBot remote access trojan against targets in Hong Kong. Third party reporting suggests the threat group also targets India, Malaysia and Taiwan and leverages Cobalt Strike and KsRemote Android Rat. CTU researchers assess with moderate confidence that BRONZE HIGHLAND operates on behalf of China and has a remit covering espionage against domestic human rights and pro-democracy advocates and nations neighbouring China",
"meta": {
"cfr-suspected-victims": [
"Hong Kong",
"Malaysia",
"India",
"Taiwan"
],
"country": "CN",
"refs": [
"https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware",
"https://vb2020.vblocalhost.com/uploads/VB2020-43.pdf",
"https://www.youtube.com/watch?v=LeKi0KfzOow&list=PLffioUnqXWkdzWcZXH-bzPVgcs2R4r7iS&index=1&t=2154s"
],
"synonyms": [
"Evasive Panda"
]
},
"uuid": "62710572-e416-419d-bb1f-81ffc1ddc976",
"value": "BRONZE HIGHLAND"
},
{
"description": "In December 2020, the IT management software provider SolarWinds announced that an unidentified threat actor had exploited a vulnerability in their Orion Platform software to deploy a web shell dubbed SUPERNOVA. CTU researchers track the operators of the SUPERNOVA web shell as BRONZE SPIRAL and assess with low confidence that the group is of Chinese origin. SUPERNOVA was likely deployed through exploitation of CVE-2020-10148, and CTU researchers observed post-exploitation reconnaissance commands roughly 30 minutes before the web shell was deployed. This may have been indicative of the threat actor conducting scan-and-exploit activity and then triaging for victims of particular interest, before deploying SUPERNOVA and attempting to dump credentials and move laterally.\n\nBRONZE SPIRAL has been associated with previous intrusions involving the targeting of ManageEngine servers, maintenance of long-term access to periodically harvest credentials and exfiltrate data, and espionage or theft of intellectual property. The threat group makes extensive use of native system tools and 'living off the land' techniques.",
"meta": {
"country": "CN",
"refs": [
"https://unit42.paloaltonetworks.com/solarstorm-supernova",
"https://www.guidepointsecurity.com/blog/supernova-solarwinds-net-webshell-analysis",
"https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group",
"https://www.sentinelone.com/labs/solarwinds-understanding-detecting-the-supernova-webshell-trojan",
"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a",
"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112"
]
},
"uuid": "3f04dbbc-69bc-409b-82a1-6135f0b6a41c",
"value": "BRONZE SPIRAL"
},
{
"description": "BRONZE VAPOR is a targeted threat group assessed with moderate confidence to be of Chinese origin. Artefacts from tools associated with this group and open source reporting on related incidents indicate that BRONZE VAPOR have operated since at least 2017. The group conducts espionage against multiple industries including semiconductors, aviation and telecommunications. CTU researchers assess BRONZE VAPOR's intent to be information theft, with operations focused on intellectual property (semiconductors) and personally identifiable information such as traveller records (aviation). Compromise of telecommunications companies can yield personally identifiable information and meta data on client communications such as Call Data Records (CDR).\n\nPrior to 2019 their operational focus, with some exceptions, revolved around targets in East Asia particularity Taiwan with it's thriving semiconductor industry. In 2021 details emerged in open source of attacks on at least one European semiconductor company believed to date back to 2017. In 2019 BRONZE VAPOR attacked one of more entities in the European airlines sector. The group gains initial access via VPN services, may use spearphishing with 'Letter of Appointment' themed lures, and deploys Cobalt Strike along with custom data exfiltration tools to target organizations. Post-intrusion activity involves living-of-the-land using legitimate tools and commands available within victim environment as well as using AceHash for credential harvesting, WATERCYCLE for data exfiltration and STOCKPIPE for proxying information through Microsoft Exchange servers over email.\n\nBRONZE VAPOR uses a set of tactics that, although not individually unique, when viewed in aggregate create a relatively distinct playbook. Intrusions begin with credential based attacks against an existing remote access solution (Citrix, VPN etc.) or B2B network access. Cobalt Strike is deployed into the environment and further access is then conducted via Cobalt Strike Beacon and other features of the platform. Sharphound is deployed to map out the victim's Active Directory infrastructure and and collect critical information about the domain including important account names. Command and control infrastructure is hosted on subdomains of Azure and Appspot services to blend in with legitimate traffic. The threat actor also registers their own domains for command and control, often with a \"sync\" or \"update\" related theme. WinRAR is commonly used for compressing data prior to exfiltration. Filenames for these archives often involve a string of numbers and variations of the word \"update\". Data is exfiltrated using WATERCYCLE to cloud based platforms such as OneDrive and GoogleDrive.",
"meta": {
"cfr-suspected-victims": [
"Taiwan"
],
"cfr-target-category": [
"Semiconductor Industry"
],
"country": "CN",
"refs": [
"https://www.secureworks.com/research/threat-profiles/bronze-vapor"
]
},
"uuid": "af12a336-bb68-41ff-866a-834cedc0b5fc",
"value": "BRONZE VAPOR"
},
{
"description": "Check Point Research discovered a new campaign against the Mongolian public sector, which takes advantage of the current Coronavirus scare, in order to deliver a previously unknown malware implant to the target. \nA closer look at this campaign allowed us to tie it to other operations which were carried out by the same anonymous group, dating back to at least 2016. Over the years, these operations targeted different sectors in multiple countries, such as Ukraine, Russia, and Belarus.",
"meta": {
"cfr-suspected-victims": [
"Belarus",
"Russia",
"Mongolia",
"Ukraine"
],
"country": "CN",
"refs": [
"https://securelist.com/microcin-is-here/97353",
"https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia",
"https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia",
"https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign",
"https://unit42.paloaltonetworks.com/unit42-threat-actors-target-government-belarus-using-cmstar-trojan",
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf"
]
},
"uuid": "68d8c25b-8595-4c20-a5c7-a11a2a34b717",
"value": "Vicious Panda"
} }
], ],
"version": 233 "version": 233