adding new Unit 42 names
First PR: these are the directly mappable names. I will follow up after deconfliction and then with a few new entries.
This commit is contained in:
parent
0dcb41ba57
commit
082d506b64
1 changed files with 105 additions and 47 deletions
|
@ -1042,7 +1042,8 @@
|
||||||
"https://arstechnica.com/information-technology/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/",
|
"https://arstechnica.com/information-technology/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/",
|
||||||
"https://securelist.com/luckymouse-hits-national-data-center/86083/",
|
"https://securelist.com/luckymouse-hits-national-data-center/86083/",
|
||||||
"https://attack.mitre.org/groups/G0027/",
|
"https://attack.mitre.org/groups/G0027/",
|
||||||
"https://www.secureworks.com/research/threat-profiles/bronze-union"
|
"https://www.secureworks.com/research/threat-profiles/bronze-union",
|
||||||
|
"https://unit42.paloaltonetworks.com/atoms/iron-taurus/"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"TG-3390",
|
"TG-3390",
|
||||||
|
@ -1056,7 +1057,8 @@
|
||||||
"Iron Tiger",
|
"Iron Tiger",
|
||||||
"BRONZE UNION",
|
"BRONZE UNION",
|
||||||
"Lucky Mouse",
|
"Lucky Mouse",
|
||||||
"G0027"
|
"G0027",
|
||||||
|
"Iron Taurus"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -1111,7 +1113,8 @@
|
||||||
"https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html",
|
"https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html",
|
||||||
"https://www.fbi.gov/news/stories/chinese-hackers-indicted-122018",
|
"https://www.fbi.gov/news/stories/chinese-hackers-indicted-122018",
|
||||||
"https://attack.mitre.org/groups/G0045/",
|
"https://attack.mitre.org/groups/G0045/",
|
||||||
"https://www.secureworks.com/research/threat-profiles/bronze-riverside"
|
"https://www.secureworks.com/research/threat-profiles/bronze-riverside",
|
||||||
|
"https://unit42.paloaltonetworks.com/atoms/granite-taurus/"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"APT10",
|
"APT10",
|
||||||
|
@ -1129,7 +1132,8 @@
|
||||||
"Cloud Hopper",
|
"Cloud Hopper",
|
||||||
"BRONZE RIVERSIDE",
|
"BRONZE RIVERSIDE",
|
||||||
"ATK41",
|
"ATK41",
|
||||||
"G0045"
|
"G0045",
|
||||||
|
"Granite Taurus"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -1584,13 +1588,15 @@
|
||||||
"refs": [
|
"refs": [
|
||||||
"http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/",
|
"http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/",
|
||||||
"https://www.fox-it.com/nl/actueel/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
|
"https://www.fox-it.com/nl/actueel/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
|
||||||
"https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Aug.10.The_Italian_Connection_An_analysis_of_exploit_supply_chains_and_digital_quartermasters/HTExploitTelemetry.pdf"
|
"https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Aug.10.The_Italian_Connection_An_analysis_of_exploit_supply_chains_and_digital_quartermasters/HTExploitTelemetry.pdf",
|
||||||
|
"https://unit42.paloaltonetworks.com/atoms/crawling-taurus/"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"APT20",
|
"APT20",
|
||||||
"APT 20",
|
"APT 20",
|
||||||
"TH3Bug",
|
"TH3Bug",
|
||||||
"Twivy"
|
"Twivy",
|
||||||
|
"Crawling Taurus"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "8bcd855f-a4c1-453a-bede-ff36582f4f40",
|
"uuid": "8bcd855f-a4c1-453a-bede-ff36582f4f40",
|
||||||
|
@ -2413,7 +2419,8 @@
|
||||||
"https://marcoramilli.com/2019/12/05/apt28-attacks-evolution/",
|
"https://marcoramilli.com/2019/12/05/apt28-attacks-evolution/",
|
||||||
"https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/",
|
"https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/",
|
||||||
"https://www.bleepingcomputer.com/news/security/russian-hackers-use-fake-nato-training-docs-to-breach-govt-networks/",
|
"https://www.bleepingcomputer.com/news/security/russian-hackers-use-fake-nato-training-docs-to-breach-govt-networks/",
|
||||||
"https://quointelligence.eu/2020/09/apt28-zebrocy-malware-campaign-nato-theme/"
|
"https://quointelligence.eu/2020/09/apt28-zebrocy-malware-campaign-nato-theme/",
|
||||||
|
"https://unit42.paloaltonetworks.com/atoms/fighting-ursa/"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"APT 28",
|
"APT 28",
|
||||||
|
@ -2436,7 +2443,8 @@
|
||||||
"Grizzly Steppe",
|
"Grizzly Steppe",
|
||||||
"apt_sofacy",
|
"apt_sofacy",
|
||||||
"G0007",
|
"G0007",
|
||||||
"ATK5"
|
"ATK5",
|
||||||
|
"Fighting Ursa"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -2495,7 +2503,8 @@
|
||||||
"https://pylos.co/2018/11/18/cozybear-in-from-the-cold/",
|
"https://pylos.co/2018/11/18/cozybear-in-from-the-cold/",
|
||||||
"https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/",
|
"https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/",
|
||||||
"https://www.secureworks.com/research/threat-profiles/iron-hemlock",
|
"https://www.secureworks.com/research/threat-profiles/iron-hemlock",
|
||||||
"https://attack.mitre.org/groups/G0016"
|
"https://attack.mitre.org/groups/G0016",
|
||||||
|
"https://unit42.paloaltonetworks.com/atoms/cloaked-ursa/"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Dukes",
|
"Dukes",
|
||||||
|
@ -2518,7 +2527,8 @@
|
||||||
"Iron Hemlock",
|
"Iron Hemlock",
|
||||||
"Grizzly Steppe",
|
"Grizzly Steppe",
|
||||||
"G0016",
|
"G0016",
|
||||||
"ATK7"
|
"ATK7",
|
||||||
|
"Cloaked Ursa"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -3437,7 +3447,8 @@
|
||||||
"https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf",
|
"https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf",
|
||||||
"https://www.secureworks.com/research/threat-profiles/zinc-emerson",
|
"https://www.secureworks.com/research/threat-profiles/zinc-emerson",
|
||||||
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf",
|
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf",
|
||||||
"https://ti.qianxin.com/blog/articles/analysis-of-the-attack-activities-of-patchwork-using-the-documents-of-relevant-government-agencies-in-pakistan-as-bait"
|
"https://ti.qianxin.com/blog/articles/analysis-of-the-attack-activities-of-patchwork-using-the-documents-of-relevant-government-agencies-in-pakistan-as-bait",
|
||||||
|
"https://unit42.paloaltonetworks.com/atoms/thirstygemini/"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Chinastrats",
|
"Chinastrats",
|
||||||
|
@ -3449,7 +3460,8 @@
|
||||||
"ZINC EMERSON",
|
"ZINC EMERSON",
|
||||||
"ATK11",
|
"ATK11",
|
||||||
"G0040",
|
"G0040",
|
||||||
"Orannge Athos"
|
"Orange Athos",
|
||||||
|
"Thirsty Gemini"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -3479,10 +3491,12 @@
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://attack.mitre.org/wiki/Groups",
|
"https://attack.mitre.org/wiki/Groups",
|
||||||
"https://unit42.paloaltonetworks.com/scarlet-mimic-years-long-espionage-targets-minority-activists/",
|
"https://unit42.paloaltonetworks.com/scarlet-mimic-years-long-espionage-targets-minority-activists/",
|
||||||
"https://attack.mitre.org/groups/G0029/"
|
"https://attack.mitre.org/groups/G0029/",
|
||||||
|
"https://unit42.paloaltonetworks.com/atoms/golfing-taurus/"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"G0029"
|
"G0029",
|
||||||
|
"Golfing Taurus"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -3862,7 +3876,8 @@
|
||||||
"https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/",
|
"https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/",
|
||||||
"https://www.secureworks.com/research/threat-profiles/cobalt-gypsy",
|
"https://www.secureworks.com/research/threat-profiles/cobalt-gypsy",
|
||||||
"https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf",
|
"https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf",
|
||||||
"https://www.wired.com/story/apt-34-iranian-hackers-critical-infrastructure-companies/"
|
"https://www.wired.com/story/apt-34-iranian-hackers-critical-infrastructure-companies/",
|
||||||
|
"https://unit42.paloaltonetworks.com/atoms/evasive-serpens/"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Twisted Kitten",
|
"Twisted Kitten",
|
||||||
|
@ -3873,7 +3888,8 @@
|
||||||
"APT34",
|
"APT34",
|
||||||
"IRN2",
|
"IRN2",
|
||||||
"ATK40",
|
"ATK40",
|
||||||
"G0049"
|
"G0049",
|
||||||
|
"Evasive Serpens"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -4312,13 +4328,15 @@
|
||||||
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine",
|
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine",
|
||||||
"https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/",
|
"https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/",
|
||||||
"https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/",
|
"https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/",
|
||||||
"https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/"
|
"https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/",
|
||||||
|
"https://unit42.paloaltonetworks.com/atoms/tridentursa/"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Primitive Bear",
|
"Primitive Bear",
|
||||||
"Shuckworm",
|
"Shuckworm",
|
||||||
"ACTINIUM",
|
"ACTINIUM",
|
||||||
"G0047"
|
"G0047",
|
||||||
|
"Trident Ursa"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -4788,14 +4806,16 @@
|
||||||
"https://www.computerweekly.com/news/252446153/Three-Carbanak-cyber-heist-gang-members-arrested",
|
"https://www.computerweekly.com/news/252446153/Three-Carbanak-cyber-heist-gang-members-arrested",
|
||||||
"https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-2017-eng.pdf",
|
"https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-2017-eng.pdf",
|
||||||
"https://attack.mitre.org/groups/G0080/",
|
"https://attack.mitre.org/groups/G0080/",
|
||||||
"http://www.secureworks.com/research/threat-profiles/gold-kingswood"
|
"http://www.secureworks.com/research/threat-profiles/gold-kingswood",
|
||||||
|
"https://unit42.paloaltonetworks.com/atoms/mulelibra/"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Cobalt Group",
|
"Cobalt Group",
|
||||||
"Cobalt Gang",
|
"Cobalt Gang",
|
||||||
"GOLD KINGSWOOD",
|
"GOLD KINGSWOOD",
|
||||||
"COBALT SPIDER",
|
"COBALT SPIDER",
|
||||||
"G0080"
|
"G0080",
|
||||||
|
"Mule Libra"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "01967480-c49b-4d4a-a7fa-aef0eaf535fe",
|
"uuid": "01967480-c49b-4d4a-a7fa-aef0eaf535fe",
|
||||||
|
@ -4935,14 +4955,16 @@
|
||||||
"https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
|
"https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
|
||||||
"https://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/",
|
"https://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/",
|
||||||
"https://attack.mitre.org/groups/G0060/",
|
"https://attack.mitre.org/groups/G0060/",
|
||||||
"https://www.secureworks.com/research/threat-profiles/bronze-butler"
|
"https://www.secureworks.com/research/threat-profiles/bronze-butler",
|
||||||
|
"https://unit42.paloaltonetworks.com/atoms/stalkertaurus/"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Nian",
|
"Nian",
|
||||||
"BRONZE BUTLER",
|
"BRONZE BUTLER",
|
||||||
"REDBALDKNIGHT",
|
"REDBALDKNIGHT",
|
||||||
"STALKER PANDA",
|
"STALKER PANDA",
|
||||||
"G0060"
|
"G0060",
|
||||||
|
"Stalker Taurus"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -5710,7 +5732,8 @@
|
||||||
"https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html",
|
"https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html",
|
||||||
"https://www.zdnet.com/article/new-leaks-of-iranian-cyber-espionage-operations-hit-telegram-and-the-dark-web/",
|
"https://www.zdnet.com/article/new-leaks-of-iranian-cyber-espionage-operations-hit-telegram-and-the-dark-web/",
|
||||||
"https://attack.mitre.org/groups/G0069/",
|
"https://attack.mitre.org/groups/G0069/",
|
||||||
"http://www.secureworks.com/research/threat-profiles/cobalt-ulster"
|
"http://www.secureworks.com/research/threat-profiles/cobalt-ulster",
|
||||||
|
"https://unit42.paloaltonetworks.com/atoms/boggyserpens/"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"TEMP.Zagros",
|
"TEMP.Zagros",
|
||||||
|
@ -5719,7 +5742,8 @@
|
||||||
"MERCURY",
|
"MERCURY",
|
||||||
"COBALT ULSTER",
|
"COBALT ULSTER",
|
||||||
"G0069",
|
"G0069",
|
||||||
"ATK51"
|
"ATK51",
|
||||||
|
"Boggy Serpens"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -6222,13 +6246,15 @@
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://unit42.paloaltonetworks.com/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/",
|
"https://unit42.paloaltonetworks.com/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/",
|
||||||
"https://www.cfr.org/interactive/cyber-operations/rancor",
|
"https://www.cfr.org/interactive/cyber-operations/rancor",
|
||||||
"https://attack.mitre.org/groups/G0075/"
|
"https://attack.mitre.org/groups/G0075/",
|
||||||
|
"https://unit42.paloaltonetworks.com/atoms/rancortaurus/"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Rancor group",
|
"Rancor group",
|
||||||
"Rancor",
|
"Rancor",
|
||||||
"Rancor Group",
|
"Rancor Group",
|
||||||
"G0075"
|
"G0075",
|
||||||
|
"Rancor Taurus"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "79c7c7e0-79d5-11e8-9b9c-1ff96be20c0b",
|
"uuid": "79c7c7e0-79d5-11e8-9b9c-1ff96be20c0b",
|
||||||
|
@ -6262,13 +6288,15 @@
|
||||||
"https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
|
"https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
|
||||||
"https://unit42.paloaltonetworks.com/unit42-tracking-subaat-targeted-phishing-attacks-point-leader-threat-actors-repository/",
|
"https://unit42.paloaltonetworks.com/unit42-tracking-subaat-targeted-phishing-attacks-point-leader-threat-actors-repository/",
|
||||||
"https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/",
|
"https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/",
|
||||||
"https://attack.mitre.org/groups/G0078/"
|
"https://attack.mitre.org/groups/G0078/",
|
||||||
|
"https://unit42.paloaltonetworks.com/atoms/pastygemini/"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Gorgon Group",
|
"Gorgon Group",
|
||||||
"Subaat",
|
"Subaat",
|
||||||
"ATK92",
|
"ATK92",
|
||||||
"G0078"
|
"G0078",
|
||||||
|
"Pasty Gemini"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "e47c2c4d-706b-4098-92a2-b93e7103e131",
|
"uuid": "e47c2c4d-706b-4098-92a2-b93e7103e131",
|
||||||
|
@ -6283,11 +6311,13 @@
|
||||||
"https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/",
|
"https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/",
|
||||||
"https://unit42.paloaltonetworks.com/unit42-darkhydrus-uses-phishery-harvest-credentials-middle-east/",
|
"https://unit42.paloaltonetworks.com/unit42-darkhydrus-uses-phishery-harvest-credentials-middle-east/",
|
||||||
"https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/",
|
"https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/",
|
||||||
"https://attack.mitre.org/groups/G0079/"
|
"https://attack.mitre.org/groups/G0079/",
|
||||||
|
"https://unit42.paloaltonetworks.com/atoms/obscureserpens/"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"LazyMeerkat",
|
"LazyMeerkat",
|
||||||
"G0079"
|
"G0079",
|
||||||
|
"Obscure Serpens"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "ce2c2dfd-2445-4fbc-a747-9e7092e383f9",
|
"uuid": "ce2c2dfd-2445-4fbc-a747-9e7092e383f9",
|
||||||
|
@ -6399,7 +6429,11 @@
|
||||||
"https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/",
|
"https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/",
|
||||||
"https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies",
|
"https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies",
|
||||||
"https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/",
|
"https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/",
|
||||||
"https://www.akamai.com/uk/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf"
|
"https://www.akamai.com/uk/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf",
|
||||||
|
"https://unit42.paloaltonetworks.com/atoms/clean-ursa/"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"Clean Ursa"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "71ef51ca-a791-11e8-a026-07980ca910ca",
|
"uuid": "71ef51ca-a791-11e8-a026-07980ca910ca",
|
||||||
|
@ -7084,13 +7118,15 @@
|
||||||
"https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets",
|
"https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets",
|
||||||
"https://attack.mitre.org/groups/G0087/",
|
"https://attack.mitre.org/groups/G0087/",
|
||||||
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
|
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
|
||||||
"https://www.secureworks.com/research/threat-profiles/cobalt-hickman"
|
"https://www.secureworks.com/research/threat-profiles/cobalt-hickman",
|
||||||
|
"https://unit42.paloaltonetworks.com/atoms/radioserpens/"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Chafer",
|
"Chafer",
|
||||||
"REMIX KITTEN",
|
"REMIX KITTEN",
|
||||||
"COBALT HICKMAN",
|
"COBALT HICKMAN",
|
||||||
"G0087"
|
"G0087",
|
||||||
|
"Radio Serpens"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "c2c64bd3-a325-446f-91a8-b4c0f173a30b",
|
"uuid": "c2c64bd3-a325-446f-91a8-b4c0f173a30b",
|
||||||
|
@ -7437,7 +7473,8 @@
|
||||||
"https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/",
|
"https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/",
|
||||||
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
|
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
|
||||||
"https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
|
"https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
|
||||||
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt"
|
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt",
|
||||||
|
"https://unit42.paloaltonetworks.com/atoms/mangataurus/"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"CIRCUIT PANDA",
|
"CIRCUIT PANDA",
|
||||||
|
@ -7445,7 +7482,8 @@
|
||||||
"HUAPI",
|
"HUAPI",
|
||||||
"Palmerworm",
|
"Palmerworm",
|
||||||
"G0098",
|
"G0098",
|
||||||
"T-APT-03"
|
"T-APT-03",
|
||||||
|
"Manga Taurus"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "320c42f7-eab7-4ef9-b09a-74396caa6c3e",
|
"uuid": "320c42f7-eab7-4ef9-b09a-74396caa6c3e",
|
||||||
|
@ -7627,7 +7665,11 @@
|
||||||
"meta": {
|
"meta": {
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://unit42.paloaltonetworks.com/shifting-in-the-wind-windshift-attacks-target-middle-eastern-governments/",
|
"https://unit42.paloaltonetworks.com/shifting-in-the-wind-windshift-attacks-target-middle-eastern-governments/",
|
||||||
"https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf"
|
"https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf",
|
||||||
|
"https://unit42.paloaltonetworks.com/atoms/windyphoenix/"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"Windy Phoenix"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "cbbbfc82-9294-11e9-8e19-2bc14137b25b",
|
"uuid": "cbbbfc82-9294-11e9-8e19-2bc14137b25b",
|
||||||
|
@ -7719,7 +7761,11 @@
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html",
|
"https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html",
|
||||||
"https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/",
|
"https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/",
|
||||||
"https://www.intezer.com/blog-technical-analysis-cryptocurrency-mining-war-on-the-cloud/"
|
"https://www.intezer.com/blog-technical-analysis-cryptocurrency-mining-war-on-the-cloud/",
|
||||||
|
"https://unit42.paloaltonetworks.com/atoms/agedlibra/"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"Aged Libra"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "53583c40-935e-11e9-b4fc-d7e217a306d2",
|
"uuid": "53583c40-935e-11e9-b4fc-d7e217a306d2",
|
||||||
|
@ -8346,12 +8392,14 @@
|
||||||
"description": "COBALT KATANA has been active since at least March 2018, and it focuses many of its operations on organizations based in or associated with Kuwait. The group has targeted government, logistics, and shipping organizations. The threat actors gain initial access to targets using DNS hijacking, strategic web compromise with SMB forced authentication, and password brute force attacks. COBALT KATANA operates a custom platform referred to as the Sakabota Framework, also referred to as Sakabota Core, with a complimentary set of modular backdoors and accessory tools including Gon, Hisoka, Hisoka Netero, Killua, Diezen, and Eye. The group has implemented DNS tunnelling in its malware and malicious scripts and also operates the HyphenShell web shell to strengthen post-intrusion access. CTU researchers assess with moderate confidence that COBALT KATANA operates on behalf of Iran, and elements of its operations such as overlapping infrastructure, use of DNS hijacking, implementation of DNS-based C2 channels in malware and web shell security mechanisms suggest connections to COBALT GYPSY and COBALT EDGEWATER.",
|
"description": "COBALT KATANA has been active since at least March 2018, and it focuses many of its operations on organizations based in or associated with Kuwait. The group has targeted government, logistics, and shipping organizations. The threat actors gain initial access to targets using DNS hijacking, strategic web compromise with SMB forced authentication, and password brute force attacks. COBALT KATANA operates a custom platform referred to as the Sakabota Framework, also referred to as Sakabota Core, with a complimentary set of modular backdoors and accessory tools including Gon, Hisoka, Hisoka Netero, Killua, Diezen, and Eye. The group has implemented DNS tunnelling in its malware and malicious scripts and also operates the HyphenShell web shell to strengthen post-intrusion access. CTU researchers assess with moderate confidence that COBALT KATANA operates on behalf of Iran, and elements of its operations such as overlapping infrastructure, use of DNS hijacking, implementation of DNS-based C2 channels in malware and web shell security mechanisms suggest connections to COBALT GYPSY and COBALT EDGEWATER.",
|
||||||
"meta": {
|
"meta": {
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://www.secureworks.com/research/threat-profiles/cobalt-katana"
|
"https://www.secureworks.com/research/threat-profiles/cobalt-katana",
|
||||||
|
"https://unit42.paloaltonetworks.com/atoms/hunter-serpens/"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Hive0081 (IBM)",
|
"Hive0081 (IBM)",
|
||||||
"SectorD01 (NHSC)",
|
"SectorD01 (NHSC)",
|
||||||
"xHunt campaign (Palo Alto)"
|
"xHunt campaign (Palo Alto)",
|
||||||
|
"Hunter Serpens"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "d1c25b0e-e4c5-4b7c-b790-2e185cb2f07e",
|
"uuid": "d1c25b0e-e4c5-4b7c-b790-2e185cb2f07e",
|
||||||
|
@ -8374,10 +8422,12 @@
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
|
"https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
|
||||||
"https://www.youtube.com/watch?v=fBFm2fiEPTg",
|
"https://www.youtube.com/watch?v=fBFm2fiEPTg",
|
||||||
"https://troopers.de/troopers22/talks/7cv8pz/"
|
"https://troopers.de/troopers22/talks/7cv8pz/",
|
||||||
|
"https://unit42.paloaltonetworks.com/atoms/alloytaurus/"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Red Dev 4"
|
"Red Dev 4",
|
||||||
|
"Alloy Taurus"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -8574,7 +8624,11 @@
|
||||||
"https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
|
"https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
|
||||||
"https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html",
|
"https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html",
|
||||||
"https://cyware.com/news/hildegard-teamtnts-new-feature-rich-malware-targeting-kubernetes-6587eb45",
|
"https://cyware.com/news/hildegard-teamtnts-new-feature-rich-malware-targeting-kubernetes-6587eb45",
|
||||||
"https://www.lacework.com/teamtnt-builds-botnet-from-chinese-cloud-servers/"
|
"https://www.lacework.com/teamtnt-builds-botnet-from-chinese-cloud-servers/",
|
||||||
|
"https://unit42.paloaltonetworks.com/atoms/adept-libra/"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"Adept Libra"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "27de6a09-844b-4dcb-9ff9-7292aad826ba",
|
"uuid": "27de6a09-844b-4dcb-9ff9-7292aad826ba",
|
||||||
|
@ -8868,13 +8922,15 @@
|
||||||
"meta": {
|
"meta": {
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://www.secureworks.com/research/threat-profiles/gold-cabin",
|
"https://www.secureworks.com/research/threat-profiles/gold-cabin",
|
||||||
"https://attack.mitre.org/groups/G0127/"
|
"https://attack.mitre.org/groups/G0127/",
|
||||||
|
"https://unit42.paloaltonetworks.com/atoms/monsterlibra/"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Shakthak",
|
"Shakthak",
|
||||||
"TA551",
|
"TA551",
|
||||||
"ATK236",
|
"ATK236",
|
||||||
"G0127"
|
"G0127",
|
||||||
|
"Monster Libra"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "36e8c848-4d20-47ea-9fc2-31aa17bf82d1",
|
"uuid": "36e8c848-4d20-47ea-9fc2-31aa17bf82d1",
|
||||||
|
@ -9352,12 +9408,14 @@
|
||||||
"https://cert.gov.ua/article/38374",
|
"https://cert.gov.ua/article/38374",
|
||||||
"https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/",
|
"https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/",
|
||||||
"https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/",
|
"https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/",
|
||||||
"https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/"
|
"https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/",
|
||||||
|
"https://unit42.paloaltonetworks.com/atoms/nascentursa/"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"UNC2589",
|
"UNC2589",
|
||||||
"TA471",
|
"TA471",
|
||||||
"UAC-0056"
|
"UAC-0056",
|
||||||
|
"Nascent Ursa"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "c67d3dfb-ab39-46e1-a971-5efdfe6a5b9f",
|
"uuid": "c67d3dfb-ab39-46e1-a971-5efdfe6a5b9f",
|
||||||
|
@ -9595,5 +9653,5 @@
|
||||||
"value": "Predatory Sparrow"
|
"value": "Predatory Sparrow"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"version": 231
|
"version": 232
|
||||||
}
|
}
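Review bot: The new Unit 42 reference URLs use two slug styles, hyphenated (`atoms/iron-taurus/`, `atoms/granite-taurus/`, `atoms/hunter-serpens/`) and concatenated (`atoms/tridentursa/`, `atoms/thirstygemini/`, `atoms/mulelibra/`), and since each atom link is the sole citation for the synonym added beside it, it would be worth confirming every URL resolves before merge rather than trusting the pattern. In the COBALT KATANA cluster the existing synonyms carry a source suffix (`"xHunt campaign (Palo Alto)"`) while the new `"Hunter Serpens"` does not; both styles appear in other clusters of this file, but within one cluster a single convention reads better. The `Orannge Athos` → `Orange Athos` spelling fix in the Patchwork cluster is bundled with the Unit 42 additions and is not mentioned in the commit message; a line like `also fixes the "Orange Athos" synonym spelling` in the description would help anyone tracing that synonym later.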