From dff2a827d6e977ec5da598a92340cdb36a7c6750 Mon Sep 17 00:00:00 2001
From: Bart
Date: Sun, 17 Mar 2019 21:47:54 +0000
Subject: [PATCH 01/20] Update preventive-measure.json

Add ACL
---
 clusters/preventive-measure.json | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/clusters/preventive-measure.json b/clusters/preventive-measure.json
index 4e6592b..f8fb4d9 100644
--- a/clusters/preventive-measure.json
+++ b/clusters/preventive-measure.json
@@ -284,6 +284,19 @@
 },
 "uuid": "123e20c5-8f44-4de5-a183-6890788e5a81",
 "value": "Blacklist-phone-numbers"
+ },
+ {
+ "description": "Restrict access to shares users should not be allowed to write to",
+ "meta": {
+ "complexity": "Medium",
+ "effectiveness": "Medium",
+ "impact": "Medium",
+ "refs": [
+ "https://docs.microsoft.com/en-us/windows/desktop/secauthz/access-control-lists"
+ ]
+ },
+ "uuid": "3e7a7fb5-8db2-4033-8f4f-d76721819765",
+ "value": "ACL"
 }
 ],
 "version": 3

From 824465d8799edeccaba0ff55a3323b51d80fbe90 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 19 Mar 2019 08:09:23 +0100
Subject: [PATCH 02/20] add: [attck4fraud] initial attck-like matrix for fraud from https://github.com/burritoblue/attck4fraud (WiP)

---
 clusters/attck4fraud.json | 89 +++++++++++++++++++++++++++++++++++++++
 galaxies/attck4fraud.json | 19 +++++++++
 2 files changed, 108 insertions(+)
 create mode 100644 clusters/attck4fraud.json
 create mode 100644 galaxies/attck4fraud.json

diff --git a/clusters/attck4fraud.json b/clusters/attck4fraud.json
new file mode 100644
index 0000000..55e0a96
--- /dev/null
+++ b/clusters/attck4fraud.json
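Review bot: The cluster gains a new value but `"version": 3` is left untouched as a context line at the end of the hunk, so consumers that sync galaxies by version number will not see the new "ACL" entry. Later patches in this same series (PATCH 07/20 for sector.json, PATCH 08/20 and 09/20 for threat-actor.json) bump the version together with the content change, and this one should do the same: `-  "version": 3` / `+  "version": 4`. The value name "ACL" is also much less descriptive than its neighbour "Blacklist-phone-numbers"; a name that states the measure, such as the description's own wording about restricting write access to shares, would read better in the galaxy picker.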
@@ -0,0 +1,89 @@ +{ + "authors": [ + "Francesco Bigarella" + ], + "category": "guidelines", + "description": "attck4fraud - Principles of MITRE ATT&CK in the fraud domain", + "name": "attck4fraud", + "source": "Open Sources", + "type": "guidelines", + "uuid": "4ae4ceec-2fe5-423e-99a5-44a7cf30c999", + "values": [ + { + "description": "In the context of ATT&CK for Fraud, phishing is described as the sending of fraudulent emails to a large audience in order to obtain sensitive information (PII, credentials, payment information). Phishing is never targeted to a specific individual or organisation. Phishing tries to create a sense of urgency or curiosity in order to capture the victim.", + "meta": { + "detection": "Email sender is spoofed; Email sender belongs to a domain recently created; Presence of typos or poor grammar in the email text; The request in the mail is unsolicited and creates urgency; No recollection of the subject or the sender of the phishing email; Request for credentials; Presence of a suspicious URL or attachment.", + "examples": [ + "Phishing messages were sent to Amazon users posing as the Amazon customer support", + "Fake Apple invoices were sent to Apple App Store customers in order to obtain their Apple ID credentials" + ], + "external_id": "FT1001", + "kill_chain": [ + "fraud-tactics:Initiation" + ], + "mitigation": "Implementation of DKIM and SPF authentication to detected spoofed email senders; anti-phishing solutions.", + "refs": [ + "https://blog.malwarebytes.com/cybercrime/2015/02/amazon-notice-ticket-number-phish-seeks-card-details/", + "https://www.bleepingcomputer.com/news/security/widespread-apple-id-phishing-attack-pretends-to-be-app-store-receipts/" + ], + "victim": "end customer, enterprise" + }, + "uuid": "65d9dc34-d0eb-4b12-ab96-2e382845ab75", + "value": "Phishing" + }, + { + "description": "Spear phishing is the use of targeted emails to gain the trust of the target with the goal of committing fraud. 
Spear phishing messages are generally specific to the target and show an understanding of the target’s organisation structure, supply chain or business.", + "meta": { + "detection": "Email sender is spoofed; Email sender belongs to a domain recently created; The request in the mail is unsolicited and creates urgency; No recollection of the subject or the sender of the phishing email; Request for credentials; Presence of a suspicious URL or attachment.", + "examples": [ + "In 2013 a Lithuanian man was able to obtain the trust of Facebook and Google and gain a sum of over USD 100 million in fraudulent payments.", + "World Anti-Doping Agency was targeted by spear phishing emails trying to obtain valid credentials" + ], + "external_id": "FT1002", + "kill_chain": [ + "fraud-tactics:Initiation" + ], + "mitigation": "Implementation of DKIM and SPF authentication to detected spoofed email senders; flagging email coming from outside the enterprise (enterprise); anti-phishing solutions; awareness training (enterprise).", + "refs": [ + "http://fortune.com/2017/04/27/facebook-google-rimasauskas/", + "https://www.ibtimes.co.uk/russian-hackers-fancy-bear-likely-breached-olympic-drug-testing-agency-dnc-experts-say-1577508" + ], + "victim": "end customer, enterprise" + }, + "uuid": "41f7cfc1-51ed-4a8d-aba9-34f9c6b8388b", + "value": "Spear phishing" + }, + { + "description": "Spear phishing is the use of targeted emails to gain the trust of the target with the goal of committing fraud. Spear phishing messages are generally specific to the target and show an understanding of the target’s organisation structure, supply chain or business.", + "meta": { + "detection": "Anti-skimming technology: metal detection for card readers, card jitter motion. 
Visual evidence of tampering with the ATM; comparison to nearby ATMs of the same manufacturer and model; Presence of hidden cameras in the ATM fascia or near the PIN pad.", + "examples": [ + "Insert skimmer", + "Deep-insert skimmer", + "overlay pad skimmer", + "Green skimmer", + "wiretapping" + ], + "external_id": "FT1003", + "kill_chain": [ + "fraud-tactics:Initiation" + ], + "mitigation": "Anti-skimming technology: metal detection for card readers, card jitter motion (enterprise). Cover the numerical input pad while entering the PIN (customer); Avoid self-standing ATMs in isolated areas (customer); Chip installed on bank cards (enterprise).", + "refs": [ + "https://krebsonsecurity.com/2015/07/spike-in-atm-skimming-in-mexico/", + "https://krebsonsecurity.com/2011/12/pro-grade-3d-printer-made-atm-skimmer/", + "https://krebsonsecurity.com/2017/08/dumping-data-from-deep-insert-skimmers/", + "https://krebsonsecurity.com/2016/06/atm-insert-skimmers-in-action/", + "https://krebsonsecurity.com/2014/11/skimmer-innovation-wiretapping-atms/", + "https://krebsonsecurity.com/2016/09/secret-service-warns-of-periscope-skimmers/", + "https://krebsonsecurity.com/2011/03/green-skimmers-skimming-green", + "https://blog.dieboldnixdorf.com/have-you-asked-yourself-this-question-about-skimming/" + ], + "victim": "end customer, enterprise" + }, + "uuid": "0e45e11c-9c24-49a2-b1fe-5d78a235844b", + "value": "ATM skimming" + } + ], + "version": 1 +} diff --git a/galaxies/attck4fraud.json b/galaxies/attck4fraud.json new file mode 100644 index 0000000..6f5052b --- /dev/null +++ b/galaxies/attck4fraud.json 
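Review bot: The `mitigation` strings of FT1001 and FT1002 both read "Implementation of DKIM and SPF authentication to detected spoofed email senders", which should be "to detect spoofed email senders"; since every later entry copies the FT1001 wording, fixing it here avoids propagating the typo. Separately, `"victim": "end customer, enterprise"` packs two values into one comma-separated string while the sibling `examples`, `kill_chain` and `refs` fields are arrays; unless the MISP galaxy schema constrains `victim` to a string (I cannot tell from this page), an array such as `"victim": ["end customer", "enterprise"]` would be consistent with the rest of `meta` and easier to filter on. The copied FT1003 description and the cluster uuid/type are corrected by PATCH 03/20, 05/20 and 06/20, so they are not raised here.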
@@ -0,0 +1,19 @@ +{ + "description": "attck4fraud - Principles of MITRE ATT&CK in the fraud domain", + "icon": "map", + "kill_chain_order": { + "fraud-tactics": [ + "Initiation", + "Target Compromise", + "Perform Fraud", + "Obtain Fraudulent Assets", + "Assets Transfer", + "Monetisation" + ] + }, + "name": "attck4fraud", + "namespace": "misp", + "type": "guidelines", + "uuid": "cc0c8ae9-aec2-42c6-9939-f4f82b051836", + "version": 1 +} From 779bc4a6a01df0dac7de87de6b52c27f4f861b3c Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 19 Mar 2019 08:11:33 +0100 Subject: [PATCH 03/20] chg: [attck4fraud] description fixed for FT1003 --- clusters/attck4fraud.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/clusters/attck4fraud.json b/clusters/attck4fraud.json index 55e0a96..b075bca 100644 --- a/clusters/attck4fraud.json +++ b/clusters/attck4fraud.json @@ -54,7 +54,7 @@ "value": "Spear phishing" }, { - "description": "Spear phishing is the use of targeted emails to gain the trust of the target with the goal of committing fraud. Spear phishing messages are generally specific to the target and show an understanding of the target’s organisation structure, supply chain or business.", + "description": "ATM Skimming refers to the act of capturing the data stored on a bank cards (tracks) and the Personal Identification Number (PIN) associated to that card. Upon obtaining the data, the criminal proceeds to encode the same information into a new card and use it in combination with the PIN to perform illicit cash withdrawals. ATM Skimming is often achieved with a combination of a skimmer device for the card and a camera to capture the PIN.", "meta": { "detection": "Anti-skimming technology: metal detection for card readers, card jitter motion. Visual evidence of tampering with the ATM; comparison to nearby ATMs of the same manufacturer and model; Presence of hidden cameras in the ATM fascia or near the PIN pad.", "examples": [ 
From 2419a3380733dc7e2094f9b94558e3a4aac01725 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 19 Mar 2019 08:33:08 +0100 Subject: [PATCH 04/20] chg: [attck4fraud] ATM Shimming added --- clusters/attck4fraud.json | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/clusters/attck4fraud.json b/clusters/attck4fraud.json index b075bca..5339145 100644 --- a/clusters/attck4fraud.json +++ b/clusters/attck4fraud.json 
@@ -83,6 +83,30 @@
 },
 "uuid": "0e45e11c-9c24-49a2-b1fe-5d78a235844b",
 "value": "ATM skimming"
+ },
+ {
+ "description": "ATM Shimming refers to the act of capturing a bank card data accessing the EMV chip installed on the card while presenting the card to a ATM. Due to their low profile, shimmers can be fit inside ATM card readers and are therefore more difficult to detect.",
+ "meta": {
+ "detection": "Inspection of motorised card slot for the presence of unrecognised devices; Visual evidence of tampering with the ATM.",
+ "examples": [
+ "Shimmer device found inside a Diebold Opteva 520",
+ "Shimmer installed inside point-of-sale terminals at Coquitlam"
+ ],
+ "external_id": "FT1004",
+ "kill_chain": [
+ "fraud-tactics:Initiation"
+ ],
+ "mitigation": "Cover the numerical input pad while entering the PIN (customer); Avoid self-standing ATMs in isolated areas (customer); Anti-skimming technology: metal detection for card readers, card jitter motion (enterprise); verification of transaction using the codes generated by the EMV chip (enterprise).",
+ "refs": [
+ "https://krebsonsecurity.com/2015/08/chip-card-atm-shimmer-found-in-mexico/",
+ "https://www.cbc.ca/news/canada/british-columbia/shimmers-criminal-chip-card-reader-fraud-1.3953438",
+ "https://krebsonsecurity.com/2017/01/atm-shimmers-target-chip-based-cards/",
+ "https://blog.dieboldnixdorf.com/atm-security-skimming-vs-shimming/"
+ ],
+ "victim": "end customer, enterprise"
+ },
+ "uuid": "469d22c1-7a73-4034-a449-74db7f021255",
+ "value": "ATM Shimming"
 }
 ],
 "version": 1

From a80283672cd94418f3ad6a82fb07f00356fb17c6 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 19 Mar 2019 08:39:08 +0100
Subject: [PATCH 05/20] chg: [attck4fraud] uuid fixed

---
 clusters/attck4fraud.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/clusters/attck4fraud.json b/clusters/attck4fraud.json
index 5339145..2c1ddf1 100644
--- a/clusters/attck4fraud.json
+++ b/clusters/attck4fraud.json
@@ -7,7 +7,7 @@ "name": "attck4fraud", "source": "Open Sources", "type": "guidelines", - "uuid": "4ae4ceec-2fe5-423e-99a5-44a7cf30c999", + "uuid": "cc0c8ae9-aec2-42c6-9939-f4f82b051836", "values": [ { "description": "In the context of ATT&CK for Fraud, phishing is described as the sending of fraudulent emails to a large audience in order to obtain sensitive information (PII, credentials, payment information). Phishing is never targeted to a specific individual or organisation. Phishing tries to create a sense of urgency or curiosity in order to capture the victim.", From e56cb330976d86dcd94e97082bbc761f5b9074b3 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 19 Mar 2019 10:03:33 +0100 Subject: [PATCH 06/20] chg: [attck4fraud] fix the type issue --- clusters/attck4fraud.json | 2 +- galaxies/attck4fraud.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/clusters/attck4fraud.json b/clusters/attck4fraud.json index 2c1ddf1..572f31f 100644 --- a/clusters/attck4fraud.json +++ b/clusters/attck4fraud.json @@ -6,7 +6,7 @@ "description": "attck4fraud - Principles of MITRE ATT&CK in the fraud domain", "name": "attck4fraud", "source": "Open Sources", - "type": "guidelines", + "type": "financial-fraud", "uuid": "cc0c8ae9-aec2-42c6-9939-f4f82b051836", "values": [ { diff --git a/galaxies/attck4fraud.json b/galaxies/attck4fraud.json index 6f5052b..a4aad0f 100644 --- a/galaxies/attck4fraud.json +++ b/galaxies/attck4fraud.json @@ -13,7 +13,7 @@ }, "name": "attck4fraud", "namespace": "misp", - "type": "guidelines", + "type": "financial-fraud", "uuid": "cc0c8ae9-aec2-42c6-9939-f4f82b051836", "version": 1 } From c2f10410f51e4ef4331d2f5d654b64b549659ceb Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 19 Mar 2019 12:36:19 +0100 Subject: [PATCH 07/20] chg: [sector] typo fixed - reported in #364 --- clusters/sector.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/clusters/sector.json b/clusters/sector.json index 89c2927..97ffeba 100644 --- a/clusters/sector.json +++ b/clusters/sector.json @@ -303,7 +303,7 @@ }, { "uuid": "a26ae91b-df10-4c6f-b7bc-14c7ba13f21d", - "value": "Retai" + "value": "Retail" }, { "uuid": "6ce2374c-2c81-4298-a941-666bf4258c00", @@ -482,5 +482,5 @@ "value": "Immigration" } ], - "version": 2 + "version": 3 } From 9a6b5973874f69fa056c6359779c9e4b3950a1b6 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 19 Mar 2019 14:44:49 +0100 Subject: [PATCH 08/20] chg: [threat-actor] updated the version to avoid the past issue with 0 value for integer values --- clusters/threat-actor.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 70f379b..8eeda82 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -5240,7 +5240,8 @@ "TEMP.Periscope", "TEMP.Jumper", "APT 40", - "APT40" + "APT40", + "BRONZE MOHAWK" ] }, "related": [ @@ -6632,5 +6633,5 @@ "value": "Operation Comando" } ], - "version": 100 + "version": 101 } From 4f454493b70169fda2368080ee2b53efa1f42cbd Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 19 Mar 2019 14:47:03 +0100 Subject: [PATCH 09/20] chg: [threat-actor] BRONZE UNION is also uppercase --- clusters/threat-actor.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 8eeda82..42e22cc 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -971,7 +971,8 @@ "HIPPOTeam", "APT27", "Operation Iron Tiger", - "Iron Tiger APT" + "Iron Tiger APT", + "BRONZE UNION" ] }, "related": [ @@ -6633,5 +6634,5 @@ "value": "Operation Comando" } ], - "version": 101 + "version": 102 } From e26918d7492c4881a4a187fd7c594f11f113a8a7 Mon Sep 17 00:00:00 2001 
From: Alexandre Dulaunoy Date: Tue, 19 Mar 2019 15:08:44 +0100 Subject: [PATCH 10/20] chg: [attck4fraud] more techniques --- clusters/attck4fraud.json | 40 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/clusters/attck4fraud.json b/clusters/attck4fraud.json index 572f31f..2904f02 100644 --- a/clusters/attck4fraud.json +++ b/clusters/attck4fraud.json @@ -107,6 +107,46 @@ }, "uuid": "469d22c1-7a73-4034-a449-74db7f021255", "value": "ATM Shimming" + }, + { + "uuid": "308fb88c-412a-4468-91ed-468d07fe4170", + "value": "Vishing", + "description": "Vishing", + "meta": { + "kill_chain": [ + "fraud-tactics:Initiation" + ] + } + }, + { + "uuid": "c33778e5-b5cc-4d12-8e4e-a329156d988c", + "value": "POS Skimming", + "description": "POS Skimming", + "meta": { + "kill_chain": [ + "fraud-tactics:Initiation" + ] + } + }, + { + "uuid": "8702106a-2ceb-4cf2-8d93-c569224f0eee", + "value": "Social Media Scams", + "description": "Social Media Scams", + "meta": { + "kill_chain": [ + "fraud-tactics:Initiation" + ] + } + }, + { + "uuid": "6ee0f7cd-a0ef-46c5-9d80-f0fbac2a9140", + "value": "Malware", + "description": "Malware", + "meta": { + "kill_chain": [ + "fraud-tactics:Target Compromise" + ] + } } ], "version": 1 From e398cc3ef2fda7ee8563505763d884f4c69f1516 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 19 Mar 2019 15:17:25 +0100 Subject: [PATCH 11/20] chg: [attck4fraud] Target compromise updated --- clusters/attck4fraud.json | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/clusters/attck4fraud.json b/clusters/attck4fraud.json index 2904f02..96ec474 100644 --- a/clusters/attck4fraud.json +++ b/clusters/attck4fraud.json 
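Review bot: Every entry added here has a `description` that merely repeats its `value` (`"value": "Vishing", "description": "Vishing"`) and carries none of the `external_id`, `detection`, `mitigation`, `refs` or `victim` fields that FT1001–FT1004 earlier in the same file provide, so downstream users get a label with no content. The same placeholder shape is repeated in PATCH 11/20 through 15/20. If the text is not available yet, the entries would be better served by at least an `external_id` continuing the FT10xx sequence and a one-sentence description, so that the numbering stays stable once the detail is filled in. As in PATCH 01/20, `"version": 1` is left as context although the value set changes in each of these commits; bumping it once at the end of the series would let clients notice the new techniques.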
@@ -147,6 +147,36 @@ "fraud-tactics:Target Compromise" ] } + }, + { + "uuid": "1ca518cb-77e0-4261-8fb1-a16a877bce0d", + "value": "Account-Checking Services", + "description": "Account-Checking Services", + "meta": { + "kill_chain": [ + "fraud-tactics:Target Compromise" + ] + } + }, + { + "uuid": "6bec22cb-9aed-426a-bffc-b0a78db6527a", + "value": "ATM Black Box Attack", + "description": "ATM Black Box Attack", + "meta": { + "kill_chain": [ + "fraud-tactics:Target Compromise" + ] + } + }, + { + "uuid": "824bccd3-9dea-4579-8642-8dd15afcfacc", + "value": "Account-Checking Services", + "description": "Account-Checking Services", + "meta": { + "kill_chain": [ + "fraud-tactics:Target Compromise" + ] + } } ], "version": 1 From bf6a605f6d9004c6c873bd98fa13de8f058e2a5f Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 19 Mar 2019 15:33:46 +0100 Subject: [PATCH 12/20] chg: [attck4fraud] Perform fraud added --- clusters/attck4fraud.json | 40 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/clusters/attck4fraud.json b/clusters/attck4fraud.json index 96ec474..9f76802 100644 --- a/clusters/attck4fraud.json +++ b/clusters/attck4fraud.json 
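Review bot: "Account-Checking Services" is added twice in this hunk under the same tactic with two different uuids (1ca518cb-77e0-4261-8fb1-a16a877bce0d and 824bccd3-9dea-4579-8642-8dd15afcfacc), which looks like a copy-paste slip rather than two techniques; galaxy values are usually expected to be unique within a cluster, and the duplicate survives the key reordering in PATCH 16/20. One of the two entries should be removed, or given its intended value if a different technique was meant. PATCH 14/20 and 15/20 likewise add "Fund Transfer" under two tactics with separate uuids (72ffa97e-d128-4c41-b323-0297b43d8a1b and a8913af2-8f22-44b2-b6bc-32b7489d8f96); if that is one technique that belongs to both tactics, a single entry whose `kill_chain` lists both, `"kill_chain": ["fraud-tactics:Assets Transfer", "fraud-tactics:Monetisation"]`, avoids two ids for the same thing.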
@@ -177,6 +177,46 @@ "fraud-tactics:Target Compromise" ] } + }, + { + "uuid": "102e0d9e-8807-4c52-8a79-455d5e688081", + "value": "Insider Trading", + "description": "Insider Trading", + "meta": { + "kill_chain": [ + "fraud-tactics:Perform Fraud" + ] + } + }, + { + "uuid": "d09cd56c-d817-4c9f-bba7-1f26b788238f", + "value": "Business Email Compromise", + "description": "Business Email Compromise", + "meta": { + "kill_chain": [ + "fraud-tactics:Perform Fraud" + ] + } + }, + { + "uuid": "0c8b8a09-9caa-49f6-8f96-9302e516373e", + "value": "Scam", + "description": "Scam", + "meta": { + "kill_chain": [ + "fraud-tactics:Perform Fraud" + ] + } + }, + { + "uuid": "76bd07d8-67f4-4af6-9730-723aa2a5b90d", + "value": "CxO Fraud", + "description": "CxO Fraud", + "meta": { + "kill_chain": [ + "fraud-tactics:Perform Fraud" + ] + } } ], "version": 1 From 75b4a3a951609be4cf3058afa272e2519bf5a913 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 19 Mar 2019 15:44:16 +0100 Subject: [PATCH 13/20] chg: [attck4fraud] Obtain Fraudulent Assets added --- clusters/attck4fraud.json | 40 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/clusters/attck4fraud.json b/clusters/attck4fraud.json index 9f76802..59c53db 100644 --- a/clusters/attck4fraud.json +++ b/clusters/attck4fraud.json 
@@ -217,6 +217,46 @@ "fraud-tactics:Perform Fraud" ] } + }, + { + "uuid": "d46e397f-8957-41f1-8736-13400b9e82fc", + "value": "Compromised Payment Cards", + "description": "Compromised Payment Cards", + "meta": { + "kill_chain": [ + "fraud-tactics:Obtain Fraudulent Assets" + ] + } + }, + { + "uuid": "7d71e71c-502f-412a-8fc7-584de8a9d203", + "value": "Compromised Account Credentials", + "description": "Compromised Account Credentials", + "meta": { + "kill_chain": [ + "fraud-tactics:Obtain Fraudulent Assets" + ] + } + }, + { + "uuid": "5537becf-4397-4b9f-916b-d6b776e30c2f", + "value": "Compromised Personally Identifiable Information (PII)", + "description": "Compromised Personally Identifiable Information (PII)", + "meta": { + "kill_chain": [ + "fraud-tactics:Obtain Fraudulent Assets" + ] + } + }, + { + "uuid": "699e86ad-1188-4189-a7c6-2e2a77422af0", + "value": "Compromised Intellectual Property (IP)", + "description": "Compromised Intellectual Property (IP)", + "meta": { + "kill_chain": [ + "fraud-tactics:Obtain Fraudulent Assets" + ] + } } ], "version": 1 From 2b619dd9b716ff4eb3655d6984cea58a0ee589a9 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 19 Mar 2019 15:52:33 +0100 Subject: [PATCH 14/20] chg: [attck4fraud] Assets Transfer added --- clusters/attck4fraud.json | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/clusters/attck4fraud.json b/clusters/attck4fraud.json index 59c53db..7e61b24 100644 --- a/clusters/attck4fraud.json +++ b/clusters/attck4fraud.json 
@@ -257,6 +257,36 @@ "fraud-tactics:Obtain Fraudulent Assets" ] } + }, + { + "uuid": "7ea5b06e-ba99-4115-b1b6-6fc4eef7bd3b", + "value": "SWIFT Transaction", + "description": "SWIFT Transaction", + "meta": { + "kill_chain": [ + "fraud-tactics:Assets Transfer" + ] + } + }, + { + "uuid": "72ffa97e-d128-4c41-b323-0297b43d8a1b", + "value": "Fund Transfer", + "description": "Fund Transfer", + "meta": { + "kill_chain": [ + "fraud-tactics:Assets Transfer" + ] + } + }, + { + "uuid": "c76a990c-c7ac-4c96-984f-a03fc8676394", + "value": "Cryptocurrency Exchange", + "description": "Cryptocurrency Exchange", + "meta": { + "kill_chain": [ + "fraud-tactics:Assets Transfer" + ] + } } ], "version": 1 From 3cf53b670eb14a7eba81aad29b498e4ff2c81119 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 19 Mar 2019 16:02:08 +0100 Subject: [PATCH 15/20] chg: [attck4fraud] completed --- clusters/attck4fraud.json | 60 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) diff --git a/clusters/attck4fraud.json b/clusters/attck4fraud.json index 7e61b24..5682ce2 100644 --- a/clusters/attck4fraud.json +++ b/clusters/attck4fraud.json 
@@ -287,6 +287,66 @@ "fraud-tactics:Assets Transfer" ] } + }, + { + "uuid": "08a6e487-6987-4764-a6ad-a1d1f3a4d172", + "value": "ATM Jackpotting", + "description": "ATM Jackpotting", + "meta": { + "kill_chain": [ + "fraud-tactics:Monetisation" + ] + } + }, + { + "uuid": "f1243265-d50a-42fb-a83c-4696f95636e9", + "value": "Money Mules", + "description": "Money Mules", + "meta": { + "kill_chain": [ + "fraud-tactics:Monetisation" + ] + } + }, + { + "uuid": "a8913af2-8f22-44b2-b6bc-32b7489d8f96", + "value": "Fund Transfer", + "description": "Fund Transfer", + "meta": { + "kill_chain": [ + "fraud-tactics:Monetisation" + ] + } + }, + { + "uuid": "372dfb2e-5df6-4f76-8fc2-9437377ff812", + "value": "Prepaid Cards", + "description": "Prepaid Cards", + "meta": { + "kill_chain": [ + "fraud-tactics:Monetisation" + ] + } + }, + { + "uuid": "e5a3297e-dd0d-4c2a-8133-d07ad6aadfd8", + "value": "Resell Stolen Data", + "description": "Resell Stolen Data", + "meta": { + "kill_chain": [ + "fraud-tactics:Monetisation" + ] + } + }, + { + "uuid": "9bfd2f4f-39a7-43fe-b5cd-a345a065276d", + "value": "ATM Explosive Attack", + "description": "ATM Explosive Attack", + "meta": { + "kill_chain": [ + "fraud-tactics:Monetisation" + ] + } } ], "version": 1 From 095b0a4d81bf2195e8eb70826abe599f92bc28d3 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 19 Mar 2019 16:33:27 +0100 Subject: [PATCH 16/20] chg: [attck4fraud] updated --- clusters/attck4fraud.json | 144 +++++++++++++++++++------------------- 1 file changed, 72 insertions(+), 72 deletions(-) diff --git a/clusters/attck4fraud.json b/clusters/attck4fraud.json index 5682ce2..1b9a4b0 100644 --- a/clusters/attck4fraud.json +++ b/clusters/attck4fraud.json 
@@ -109,244 +109,244 @@ "value": "ATM Shimming" }, { - "uuid": "308fb88c-412a-4468-91ed-468d07fe4170", - "value": "Vishing", "description": "Vishing", "meta": { "kill_chain": [ "fraud-tactics:Initiation" ] - } + }, + "uuid": "308fb88c-412a-4468-91ed-468d07fe4170", + "value": "Vishing" }, { - "uuid": "c33778e5-b5cc-4d12-8e4e-a329156d988c", - "value": "POS Skimming", "description": "POS Skimming", "meta": { "kill_chain": [ "fraud-tactics:Initiation" ] - } + }, + "uuid": "c33778e5-b5cc-4d12-8e4e-a329156d988c", + "value": "POS Skimming" }, { - "uuid": "8702106a-2ceb-4cf2-8d93-c569224f0eee", - "value": "Social Media Scams", "description": "Social Media Scams", "meta": { "kill_chain": [ "fraud-tactics:Initiation" ] - } + }, + "uuid": "8702106a-2ceb-4cf2-8d93-c569224f0eee", + "value": "Social Media Scams" }, { - "uuid": "6ee0f7cd-a0ef-46c5-9d80-f0fbac2a9140", - "value": "Malware", "description": "Malware", "meta": { "kill_chain": [ "fraud-tactics:Target Compromise" ] - } + }, + "uuid": "6ee0f7cd-a0ef-46c5-9d80-f0fbac2a9140", + "value": "Malware" }, { - "uuid": "1ca518cb-77e0-4261-8fb1-a16a877bce0d", - "value": "Account-Checking Services", "description": "Account-Checking Services", "meta": { "kill_chain": [ "fraud-tactics:Target Compromise" ] - } + }, + "uuid": "1ca518cb-77e0-4261-8fb1-a16a877bce0d", + "value": "Account-Checking Services" }, { - "uuid": "6bec22cb-9aed-426a-bffc-b0a78db6527a", - "value": "ATM Black Box Attack", "description": "ATM Black Box Attack", "meta": { "kill_chain": [ "fraud-tactics:Target Compromise" ] - } + }, + "uuid": "6bec22cb-9aed-426a-bffc-b0a78db6527a", + "value": "ATM Black Box Attack" }, { - "uuid": "824bccd3-9dea-4579-8642-8dd15afcfacc", - "value": "Account-Checking Services", "description": "Account-Checking Services", "meta": { "kill_chain": [ "fraud-tactics:Target Compromise" ] - } + }, + "uuid": "824bccd3-9dea-4579-8642-8dd15afcfacc", + "value": "Account-Checking Services" }, { - "uuid": "102e0d9e-8807-4c52-8a79-455d5e688081", - 
"value": "Insider Trading", "description": "Insider Trading", "meta": { "kill_chain": [ "fraud-tactics:Perform Fraud" ] - } + }, + "uuid": "102e0d9e-8807-4c52-8a79-455d5e688081", + "value": "Insider Trading" }, { - "uuid": "d09cd56c-d817-4c9f-bba7-1f26b788238f", - "value": "Business Email Compromise", "description": "Business Email Compromise", "meta": { "kill_chain": [ "fraud-tactics:Perform Fraud" ] - } + }, + "uuid": "d09cd56c-d817-4c9f-bba7-1f26b788238f", + "value": "Business Email Compromise" }, { - "uuid": "0c8b8a09-9caa-49f6-8f96-9302e516373e", - "value": "Scam", "description": "Scam", "meta": { "kill_chain": [ "fraud-tactics:Perform Fraud" ] - } + }, + "uuid": "0c8b8a09-9caa-49f6-8f96-9302e516373e", + "value": "Scam" }, { - "uuid": "76bd07d8-67f4-4af6-9730-723aa2a5b90d", - "value": "CxO Fraud", "description": "CxO Fraud", "meta": { "kill_chain": [ "fraud-tactics:Perform Fraud" ] - } + }, + "uuid": "76bd07d8-67f4-4af6-9730-723aa2a5b90d", + "value": "CxO Fraud" }, { - "uuid": "d46e397f-8957-41f1-8736-13400b9e82fc", - "value": "Compromised Payment Cards", "description": "Compromised Payment Cards", "meta": { "kill_chain": [ "fraud-tactics:Obtain Fraudulent Assets" ] - } + }, + "uuid": "d46e397f-8957-41f1-8736-13400b9e82fc", + "value": "Compromised Payment Cards" }, { - "uuid": "7d71e71c-502f-412a-8fc7-584de8a9d203", - "value": "Compromised Account Credentials", "description": "Compromised Account Credentials", "meta": { "kill_chain": [ "fraud-tactics:Obtain Fraudulent Assets" ] - } + }, + "uuid": "7d71e71c-502f-412a-8fc7-584de8a9d203", + "value": "Compromised Account Credentials" }, { - "uuid": "5537becf-4397-4b9f-916b-d6b776e30c2f", - "value": "Compromised Personally Identifiable Information (PII)", "description": "Compromised Personally Identifiable Information (PII)", "meta": { "kill_chain": [ "fraud-tactics:Obtain Fraudulent Assets" ] - } + }, + "uuid": "5537becf-4397-4b9f-916b-d6b776e30c2f", + "value": "Compromised Personally Identifiable Information 
(PII)" }, { - "uuid": "699e86ad-1188-4189-a7c6-2e2a77422af0", - "value": "Compromised Intellectual Property (IP)", "description": "Compromised Intellectual Property (IP)", "meta": { "kill_chain": [ "fraud-tactics:Obtain Fraudulent Assets" ] - } + }, + "uuid": "699e86ad-1188-4189-a7c6-2e2a77422af0", + "value": "Compromised Intellectual Property (IP)" }, { - "uuid": "7ea5b06e-ba99-4115-b1b6-6fc4eef7bd3b", - "value": "SWIFT Transaction", "description": "SWIFT Transaction", "meta": { "kill_chain": [ "fraud-tactics:Assets Transfer" ] - } + }, + "uuid": "7ea5b06e-ba99-4115-b1b6-6fc4eef7bd3b", + "value": "SWIFT Transaction" }, { - "uuid": "72ffa97e-d128-4c41-b323-0297b43d8a1b", - "value": "Fund Transfer", "description": "Fund Transfer", "meta": { "kill_chain": [ "fraud-tactics:Assets Transfer" ] - } + }, + "uuid": "72ffa97e-d128-4c41-b323-0297b43d8a1b", + "value": "Fund Transfer" }, { - "uuid": "c76a990c-c7ac-4c96-984f-a03fc8676394", - "value": "Cryptocurrency Exchange", "description": "Cryptocurrency Exchange", "meta": { "kill_chain": [ "fraud-tactics:Assets Transfer" ] - } + }, + "uuid": "c76a990c-c7ac-4c96-984f-a03fc8676394", + "value": "Cryptocurrency Exchange" }, { - "uuid": "08a6e487-6987-4764-a6ad-a1d1f3a4d172", - "value": "ATM Jackpotting", "description": "ATM Jackpotting", "meta": { "kill_chain": [ "fraud-tactics:Monetisation" ] - } + }, + "uuid": "08a6e487-6987-4764-a6ad-a1d1f3a4d172", + "value": "ATM Jackpotting" }, { - "uuid": "f1243265-d50a-42fb-a83c-4696f95636e9", - "value": "Money Mules", "description": "Money Mules", "meta": { "kill_chain": [ "fraud-tactics:Monetisation" ] - } + }, + "uuid": "f1243265-d50a-42fb-a83c-4696f95636e9", + "value": "Money Mules" }, { - "uuid": "a8913af2-8f22-44b2-b6bc-32b7489d8f96", - "value": "Fund Transfer", "description": "Fund Transfer", "meta": { "kill_chain": [ "fraud-tactics:Monetisation" ] - } + }, + "uuid": "a8913af2-8f22-44b2-b6bc-32b7489d8f96", + "value": "Fund Transfer" }, { - "uuid": 
"372dfb2e-5df6-4f76-8fc2-9437377ff812", - "value": "Prepaid Cards", "description": "Prepaid Cards", "meta": { "kill_chain": [ "fraud-tactics:Monetisation" ] - } + }, + "uuid": "372dfb2e-5df6-4f76-8fc2-9437377ff812", + "value": "Prepaid Cards" }, { - "uuid": "e5a3297e-dd0d-4c2a-8133-d07ad6aadfd8", - "value": "Resell Stolen Data", "description": "Resell Stolen Data", "meta": { "kill_chain": [ "fraud-tactics:Monetisation" ] - } + }, + "uuid": "e5a3297e-dd0d-4c2a-8133-d07ad6aadfd8", + "value": "Resell Stolen Data" }, { - "uuid": "9bfd2f4f-39a7-43fe-b5cd-a345a065276d", - "value": "ATM Explosive Attack", "description": "ATM Explosive Attack", "meta": { "kill_chain": [ "fraud-tactics:Monetisation" ] - } + }, + "uuid": "9bfd2f4f-39a7-43fe-b5cd-a345a065276d", + "value": "ATM Explosive Attack" } ], "version": 1 From 6e19d21d3aec4bdedcfc9b3a042bb302f340c1ee Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 19 Mar 2019 16:49:19 +0100 Subject: [PATCH 17/20] chg: [tools] fix the attribution confidence level --- tools/add_missing_attribution-confidence.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/tools/add_missing_attribution-confidence.py b/tools/add_missing_attribution-confidence.py index e80a3e8..fab5247 100755 --- a/tools/add_missing_attribution-confidence.py +++ b/tools/add_missing_attribution-confidence.py 
@@ -16,7 +16,11 @@ with open(args.filename) as json_file: for value in data['values']: if value.get('meta'): if not value.get('meta').get('attribution-confidence') and (value.get('meta').get('cfr-suspected-state-sponsor') or value.get('meta').get('country')): - value.get('meta')['attribution-confidence'] = 50 + value.set('meta')['attribution-confidence'] = "50" + elif value.get('meta').get('attribution-confidence') and (value.get('meta').get('cfr-suspected-state-sponsor') or value.get('meta').get('country')): + value.get('meta')['attribution-confidence'] = str(value.get('meta').get('attribution-confidence')) + + with open(args.filename, 'w') as json_file: json.dump(data, json_file, indent=2, sort_keys=True, ensure_ascii=False) From b2538a1f8ac16e377df8d94bc87f5d089e418690 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 19 Mar 2019 16:51:41 +0100 Subject: [PATCH 18/20] chg: [threat-actor] change attribution confidence to be a string by default --- clusters/threat-actor.json | 332 ++++++++++++++++++------------------- 1 file changed, 166 insertions(+), 166 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 42e22cc..b3bcf16 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -16,7 +16,7 @@ { "description": "PLA Unit 61398 (Chinese: 61398部队, Pinyin: 61398 bùduì) is the Military Unit Cover Designator (MUCD)[1] of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks", "meta": { - "attribution-confidence": 50, + "attribution-confidence": "50", "cfr-suspected-state-sponsor": "China", "cfr-suspected-victims": [ "United States", 
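Review bot: The new line `value.set('meta')['attribution-confidence'] = "50"` will raise AttributeError, because `dict` has no `set` method; the line it replaces used `.get`, and the new `elif` branch still does. Any cluster entry that has `meta` plus `country` or `cfr-suspected-state-sponsor` but no `attribution-confidence` will abort the script before the `json.dump` at the bottom of the hunk runs; the assignment should read `value['meta']['attribution-confidence'] = "50"`. The repeated `value.get('meta').get(...)` chains in both conditions would also be clearer bound once, e.g. `meta = value['meta']` right after the `if value.get('meta'):` guard. The enclosing `with open(args.filename) as json_file:` block starts outside the hunk.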
@@ -76,7 +76,7 @@
 {
 "description": "The group appears to have close ties to the Chinese National University of Defense and Technology, which is possibly linked to the PLA. Stalker Panda has been observed conducting targeted attacks against Japan, Taiwan, Hong Kong, and the United States. The attacks appear to be centered on political, media, and engineering sectors. The group appears to have been active since around 2010 and they maintain and upgrade their tools regularly.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "refs": [
 "https://wikileaks.org/vault7/document/2015-08-20150814-256-CSIR-15005-Stalker-Panda/2015-08-20150814-256-CSIR-15005-Stalker-Panda.pdf"
@@ -88,7 +88,7 @@
 {
 "description": "These attackers were the subject of an extensive report by Symantec in 2011, which termed the attackers Nitro and stated: 'The goal of the attackers appears to be to collect intellectual property such as design documents, formulas, and manufacturing processes. In addition, the same attackers appear to have a lengthy operation history including attacks on other industries and organizations. Attacks on the chemical industry are merely their latest attack wave. As part of our investigations, we were also able to identify and contact one of the attackers to try and gain insights into the motivations behind these attacks.' Palo Alto Networks reported on continued activity by the attackers in 2014. ",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "refs": [
 "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf"
@@ -103,7 +103,7 @@
 {
 "description": "The New York Times described Codoso as: 'A collection of hackers for hire that the security industry has been tracking for years. Over the years, the group has breached banks, law firms and tech companies, and once hijacked the Forbes website to try to infect visitors’ computers with malware.'",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "refs": [
 "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks",
@@ -166,7 +166,7 @@
 {
 "description": "Adversary targeting dissident groups in China and its surroundings.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "refs": [
 "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
@@ -177,7 +177,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "synonyms": [
 "temp.bottle"
@@ -188,7 +188,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "refs": [
 "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf"
@@ -200,7 +200,7 @@
 {
 "description": "Adversary group targeting telecommunication and technology organizations.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "refs": [
 "https://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf"
@@ -211,7 +211,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "refs": [
 "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf"
@@ -222,7 +222,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "refs": [
 "http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf"
@@ -233,7 +233,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "refs": [
 "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf"
@@ -244,7 +244,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "refs": [
 "http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf"
@@ -265,7 +265,7 @@
 {
 "description": "Putter Panda were the subject of an extensive report by CrowdStrike, which stated: 'The CrowdStrike Intelligence team has been tracking this particular unit since2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486.'",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "China",
 "cfr-suspected-victims": [
 "U.S. satellite and aerospace sector"
@@ -306,7 +306,7 @@
 {
 "description": "Symantec described UPS in 2016 report as: 'Buckeye (also known as APT3, Gothic Panda, UPS Team, and TG-0110) is a cyberespionage group that is believed to have been operating for well over half a decade. Traditionally, the group attacked organizations in the US as well as other targets. However, Buckeyes focus appears to have changed as of June 2015, when the group began compromising political entities in Hong Kong.'",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "China",
 "cfr-suspected-victims": [
 "United States",
@@ -349,7 +349,7 @@
 {
 "description": "Kaspersky described DarkHotel in a 2014 report as: '... DarkHotel drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and yet they also imprecisely spread among large numbers of vague targets with peer-to-peer spreading tactics. Moreover, this crews most unusual characteristic is that for several years the Darkhotel APT has maintained a capability to use hotel networks to follow and hit selected targets as they travel around the world.'",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Korea (Republic of)",
 "cfr-suspected-victims": [
 "Japan",
@@ -397,7 +397,7 @@
 {
 "description": "A group of China-based attackers, who conducted a number of spear phishing attacks in 2013.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "China",
 "cfr-suspected-victims": [
 "Taiwan",
@@ -440,7 +440,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "China",
 "cfr-suspected-victims": [
 "Japan",
@@ -462,7 +462,7 @@
 {
 "description": "FireEye described APT17 in a 2015 report as: 'APT17, also known as DeputyDog, is a China based threat group that FireEye Intelligence has observed conducting network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations.'",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "China",
 "cfr-suspected-victims": [
 "United States"
@@ -524,7 +524,7 @@
 {
 "description": "Wekby was described by Palo Alto Networks in a 2015 report as: 'Wekby is a group that has been active for a number of years, targeting various industries such as healthcare, telecommunications, aerospace, defense, and high tech. The group is known to leverage recently released exploits very shortly after those exploits are available, such as in the case of HackingTeams Flash zero - day exploit.'",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "China",
 "cfr-suspected-victims": [
 "United States"
@@ -594,7 +594,7 @@
 {
 "description": "The Winnti grouping of activity is large and may actually be a number of linked groups rather than a single discrete entity. Kaspersky describe Winnti as: 'The Winnti group has been attacking companies in the online video game industry since 2009 and is currently still active. The groups objectives are stealing digital certificates signed by legitimate software vendors in addition to intellectual property theft, including the source code of online game projects. The majority of the victims are from South East Asia.'",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "China",
 "cfr-suspected-victims": [
 "United States",
@@ -675,7 +675,7 @@
 {
 "description": "Adversary group targeting financial, technology, non-profit organisations.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "China",
 "cfr-suspected-victims": [
 "United States"
@@ -731,7 +731,7 @@
 {
 "description": "Kaspersky described Naikon in a 2015 report as: 'The Naikon group is mostly active in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, and Nepal, hitting a variety of targets in a very opportunistic way.'",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "China",
 "cfr-suspected-victims": [
 "India",
@@ -805,7 +805,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "China",
 "cfr-suspected-victims": [
 "Japan",
@@ -849,7 +849,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "refs": [
 "http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/"
@@ -893,7 +893,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "refs": [
 "http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/"
@@ -932,7 +932,7 @@
 {
 "description": "A China-based actor that targets foreign embassies to collect data on government, defence, and technology sectors.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Unknown",
 "cfr-suspected-victims": [
 "United States",
@@ -1003,7 +1003,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "China",
 "cfr-suspected-victims": [
 "Japan",
@@ -1063,7 +1063,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "refs": [
 "https://otx.alienvault.com/pulse/55bbc68e67db8c2d547ae393/"
@@ -1081,7 +1081,7 @@
 {
 "description": "This threat actor uses spear-phishing techniques to compromise diplomatic targets in Southeast Asia, India, and the United States. It also seems to have targeted the APT 30. Possibly uses the same infrastructure as Mirage",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "China",
 "cfr-suspected-victims": [
 "Malaysia",
@@ -1109,7 +1109,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "refs": [
 "https://kc.mcafee.com/corporate/index?page=content&id=KB71150"
@@ -1130,7 +1130,7 @@
 {
 "description": "This threat actor uses phishing techniques to compromise the networks of foreign ministries of European countries for espionage purposes.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "China",
 "cfr-suspected-victims": [
 "European Union",
@@ -1167,7 +1167,7 @@
 {
 "description": "PLA Navy",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "China",
 "cfr-suspected-victims": [
 "United States",
@@ -1199,7 +1199,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "China",
 "cfr-suspected-victims": [
 "Mongolia",
@@ -1238,7 +1238,7 @@
 {
 "description": "Operate since at least 2011, from several locations in China, with members in Korea and Japan as well. Possibly linked to Onion Dog. This threat actor targets government institutions, military contractors, maritime and shipbuilding groups, telecommunications operators, and others, primarily in Japan and South Korea.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "China",
 "cfr-suspected-victims": [
 "South Korea",
@@ -1269,7 +1269,7 @@
 {
 "description": "The Pitty Tiger group has been active since at least 2011. They have been seen using HeartBleed vulnerability in order to directly get valid credentials",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "refs": [
 "http://blog.airbuscybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2"
@@ -1302,7 +1302,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "China",
 "cfr-suspected-victims": [
 "United States",
@@ -1343,7 +1343,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "synonyms": [
 "Shrouded Crossbow"
@@ -1354,7 +1354,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "refs": [
 "http://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/"
@@ -1365,7 +1365,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "China",
 "cfr-suspected-victims": [
 "United States",
@@ -1420,7 +1420,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN"
 },
 "uuid": "b56ecbda-6b2a-4aa9-b592-d9a0bc810ec1",
@@ -1428,7 +1428,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "refs": [
 "http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/"
@@ -1447,7 +1447,7 @@
 {
 "description": "A group targeting dissident groups in China and at the boundaries.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "refs": [
 "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
@@ -1459,7 +1459,7 @@
 {
 "description": "China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors. This threat actor targets prodemocratic activists and organizations in Hong Kong, European and international financial institutions, and a U.S.-based think tank.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "China",
 "cfr-suspected-victims": [
 "Hong Kong",
@@ -1498,7 +1498,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "refs": [
 "https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india",
@@ -1515,7 +1515,7 @@
 {
 "description": "Activity: defense and aerospace sectors, also interested in targeting entities in the oil/gas industry.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
 "cfr-suspected-victims": [
 "United States",
@@ -1612,7 +1612,7 @@
 {
 "description": "While tracking a suspected Iran-based threat group known as Threat Group-2889[1] (TG-2889), Dell SecureWorks Counter Threat Unit™ (CTU) researchers uncovered a network of fake LinkedIn profiles. These convincing profiles form a self-referenced network of seemingly established LinkedIn users. CTU researchers assess with high confidence the purpose of this network is to target potential victims through social engineering. Most of the legitimate LinkedIn accounts associated with the fake accounts belong to individuals in the Middle East, and CTU researchers assess with medium confidence that these individuals are likely targets of TG-2889. One of the threat actors responsible for the denial of service attacks against U.S in 2012–2013. Three individuals associated with the group—believed to be have been working on behalf of Iran’s Islamic Revolutionary Guard Corps—were indicted by the Justice Department in 2016. ",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
 "cfr-suspected-victims": [
 "Bank of America",
@@ -1691,7 +1691,7 @@
 {
 "description": "Charming Kitten (aka Parastoo, aka Newscaster) is an group with a suspected nexus to Iran that targets organizations involved in government, defense technology, military, and diplomacy sectors.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
 "cfr-suspected-victims": [
 "U.S. government/defense sector websites",
@@ -1804,7 +1804,7 @@
 {
 "description": "Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013. We assess APT33 works at the behest of the Iranian government.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "IR",
 "refs": [
 "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html"
@@ -1833,7 +1833,7 @@
 {
 "description": "Earliest activity back to November 2008. An established group of cyber attackers based in Iran, who carried on several campaigns in 2013, including a series of attacks targeting political dissidents and those supporting Iranian political opposition.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "IR",
 "refs": [
 "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/"
@@ -1848,7 +1848,7 @@
 {
 "description": "Targets Saudi Arabia, Israel, US, Iran, high ranking defense officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and various scholars, including scientists in the fields of physics and nuclear sciences.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
 "cfr-suspected-victims": [
 "Saudi Arabia",
@@ -1963,7 +1963,7 @@
 {
 "description": "A group of cyber actors utilizing infrastructure located in Iran have been conducting computer network exploitation activity against public and private U.S. organizations, including Cleared Defense Contractors (CDCs), academic institutions, and energy sector companies. This threat actor targets entities in the government, energy, and technology sectors that are located in or do business with Saudi Arabia.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
 "cfr-suspected-victims": [
 "Canada",
@@ -2085,7 +2085,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "IR"
 },
 "uuid": "1de1a64e-ea14-4e79-9e41-6958bdb6c0ff",
@@ -2094,7 +2094,7 @@
 {
 "description": "This is a pro-Islamist organization that generally conducts attacks motivated by real world events in which its members believe that members of the Muslim faith were wronged. Its attacks generally involve website defacements; however, the group did develop a RAT that it refers to as Fallaga RAT, but which appears to simply be a fork of the njRAT malware popular amongst hackers in the Middle East/North Africa region.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "TN",
 "motive": "Hacktivism-Nationalist",
 "synonyms": [
@@ -2106,7 +2106,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "AE",
 "synonyms": [
 "Vikingdom"
@@ -2118,7 +2118,7 @@
 {
 "description": "The Sofacy Group (also known as APT28, Pawn Storm, Fancy Bear and Sednit) is a cyber espionage group believed to have ties to the Russian government. Likely operating since 2007, the group is known to target government, military, and security organizations. It has been characterized as an advanced persistent threat.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Russian Federation",
 "cfr-suspected-victims": [
 "Georgia",
@@ -2207,7 +2207,7 @@
 {
 "description": "A 2015 report by F-Secure describe APT29 as: 'The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The Dukes show unusual confidence in their ability to continue successfully compromising their targets, as well as in their ability to operate with impunity. The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States;Asian, African, and Middle Eastern governments;organizations associated with Chechen extremism;and Russian speakers engaged in the illicit trade of controlled substances and drugs. The Dukes are known to employ a vast arsenal of malware toolsets, which we identify as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke. In recent years, the Dukes have engaged in apparently biannual large - scale spear - phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations. These campaigns utilize a smash - and - grab approach involving a fast but noisy breakin followed by the rapid collection and exfiltration of as much data as possible.If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long - term intelligence gathering. This threat actor targets government ministries and agencies in the West, Central Asia, East Africa, and the Middle East; Chechen extremist groups; Russian organized crime; and think tanks. 
It is suspected to be behind the 2015 compromise of unclassified networks at the White House, Department of State, Pentagon, and the Joint Chiefs of Staff. The threat actor includes all of the Dukes tool sets, including MiniDuke, CosmicDuke, OnionDuke, CozyDuke, SeaDuke, CloudDuke (aka MiniDionis), and HammerDuke (aka Hammertoss). '",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Russian Federation",
 "cfr-suspected-victims": [
 "United States",
@@ -2276,7 +2276,7 @@
 {
 "description": "A 2014 Guardian article described Turla as: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more interest. Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all attacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true targets. In one case from May 2012, the office of the prime minister of a former Soviet Union member country was infected, leading to 60 further computers being affected, Symantec researchers said. There were some other victims, including the ministry for health of a Western European country, the ministry for education of a Central American country, a state electricity provider in the Middle East and a medical organisation in the US, according to Symantec. It is believed the group was also responsible for a much - documented 2008 attack on the US Central Command. The attackers - who continue to operate - have ostensibly sought to carry out surveillance on targets and pilfer data, though their use of encryption across their networks has made it difficult to ascertain exactly what the hackers took.Kaspersky Lab, however, picked up a number of the attackers searches through their victims emails, which included terms such as Nato and EU energy dialogue Though attribution is difficult to substantiate, Russia has previously been suspected of carrying out the attacks and Symantecs Gavin O’ Gorman told the Guardian a number of the hackers appeared to be using Russian names and language in their notes for their malicious code. Cyrillic was also seen in use.'",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Russian Federation",
 "cfr-suspected-victims": [
 "France",
@@ -2352,7 +2352,7 @@
 {
 "description": "A Russian group that collects intelligence on the energy industry.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Russian Federation",
 "cfr-suspected-victims": [
 "United States",
@@ -2403,7 +2403,7 @@
 {
 "description": "This threat actor targets industrial control systems, using a tool called Black Energy, associated with electricity and power generation for espionage, denial of service, and data destruction purposes. Some believe that the threat actor is linked to the 2015 compromise of the Ukrainian electrical grid and a distributed denial of service prior to the Russian invasion of Georgia. Believed to be responsible for the 2008 DDoS attacks in Georgia and the 2015 Ukraine power grid outage",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Russian Federation",
 "cfr-suspected-victims": [
 "Russia",
@@ -2477,7 +2477,7 @@
 {
 "description": "We will refer to the gang behind the malware as TeleBots. However it’s important to say that these attackers, and the toolset used, share a number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December 2015 and January 2016. In fact, we think that the BlackEnergy group has evolved into the TeleBots group.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "RU",
 "refs": [
 "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/"
@@ -2515,7 +2515,7 @@
 {
 "description": "Groups targeting financial organizations or people with significant financial assets.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "RU",
 "motive": "Cybercrime",
 "refs": [
@@ -2555,7 +2555,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Russian Federation",
 "cfr-suspected-victims": [
 "Hungary",
@@ -2592,7 +2592,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "RU",
 "refs": [
 "https://www.welivesecurity.com/2015/11/11/operation-buhtrap-malware-distributed-via-ammyy-com/"
@@ -2603,7 +2603,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "RU"
 },
 "related": [
@@ -2620,7 +2620,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "RO",
 "synonyms": [
 "FIN4"
@@ -2632,7 +2632,7 @@
 {
 "description": "First observed activity in December 2013.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "RU"
 },
 "uuid": "85b40169-3d1c-491b-9fbf-877ed57f32e0",
@@ -2641,7 +2641,7 @@
 {
 "description": "This group's activity was first observed in November 2013. It leverages a banking Trojan more commonly known as Shylock which aims to compromise online banking credentials and credentials related to Bitcoin wallets.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "RU"
 },
 "uuid": "7dd7a8df-9012-4d14-977f-b3f9f71266b4",
@@ -2650,7 +2650,7 @@
 {
 "description": "Adversary targeting manufacturing and industrial organizations.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "RU",
 "refs": [
 "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
@@ -2661,7 +2661,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "KP",
 "refs": [
 "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
@@ -2679,7 +2679,7 @@
 {
 "description": "Since 2009, HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group and Guardians of Peace. Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover, Duuzer, and Hangman.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Korea (Democratic People's Republic of)",
 "cfr-suspected-victims": [
 "South Korea",
@@ -2774,7 +2774,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "IN",
 "refs": [
 "http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf"
@@ -2789,7 +2789,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "US",
 "synonyms": [
 "DD4BC",
@@ -2801,7 +2801,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "TN",
 "refs": [
 "https://www.crowdstrike.com/blog/regional-conflict-and-cyber-blowback/"
@@ -2816,7 +2816,7 @@
 {
 "description": "In 2014, researchers at Kaspersky Lab discovered and reported on three zero-days that were being used in cyberattacks in the wild. Two of these zero-day vulnerabilities are associated with an advanced threat actor we call Animal Farm. Over the past few years, Animal Farm has targeted a wide range of global organizations. The group has been active since at least 2009 and there are signs that earlier malware versions were developed as far back as 2007.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "France",
 "cfr-suspected-victims": [
 "Syria",
@@ -2859,7 +2859,7 @@
 {
 "description": "The Syrian Electronic Army (SEA) is a group of computer hackers which first surfaced online in 2011 to support the government of Syrian President Bashar al-Assad. Using spamming, website defacement, malware, phishing, and denial of service attacks, it has targeted political opposition groups, western news organizations, human rights groups and websites that are seemingly neutral to the Syrian conflict. It has also hacked government websites in the Middle East and Europe, as well as US defense contractors. As of 2011 the SEA has been *the first Arab country to have a public Internet Army hosted on its national networks to openly launch cyber attacks on its enemies*. The precise nature of SEA's relationship with the Syrian government has changed over time and is unclear",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "SY",
 "refs": [
 "https://en.wikipedia.org/wiki/Syrian_Electronic_Army"
@@ -2875,7 +2875,7 @@
 {
 "description": "Group targeting Indian Army or related assets in India, as well as activists and civil society in Pakistan. Attribution to a Pakistani connection has been made by TrendMicro and others.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Pakistan",
 "cfr-target-category": [
 "Civil society",
@@ -2910,7 +2910,7 @@
 {
 "description": "This threat actor targets civil society groups and Emirati journalists, activists, and dissidents. ",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "United Arab Emirates",
 "cfr-suspected-victims": [
 "United Arab Emirates",
@@ -2975,7 +2975,7 @@
 {
 "description": "Bitdefender detected and blocked an ongoing cyber-espionage campaign against Romanian institutions and other foreign targets. The attacks started in 2014, with the latest reported occurrences in May of 2016. The APT, dubbed Pacifier by Bitdefender researchers, makes use of malicious .doc documents and .zip files distributed via spear phishing e-mail.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "RU",
 "refs": [
 "http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf"
@@ -2991,7 +2991,7 @@
 {
 "description": "This group created a malware that takes over Android devices and generates $300,000 per month in fraudulent ad revenue. The group effectively controls an arsenal of over 85 million mobile devices around the world. With the potential to sell access to these devices to the highest bidder",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "refs": [
 "http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf"
@@ -3003,7 +3003,7 @@
 {
 "description": "Dropping Elephant (also known as “Chinastrats” and “Patchwork“) is a relatively new threat actor that is targeting a variety of high profile diplomatic and economic targets using a custom set of attack tools. Its victims are all involved with China’s foreign relations in some way, and are generally caught through spear-phishing or watering hole attacks.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "India",
 "cfr-suspected-victims": [
 "Bangladesh",
@@ -3052,7 +3052,7 @@
 {
 "description": "Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "refs": [
 "https://attack.mitre.org/wiki/Groups",
@@ -3074,7 +3074,7 @@
 {
 "description": "Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "BR",
 "refs": [
 "https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/",
@@ -3096,7 +3096,7 @@
 {
 "description": "Threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. 2223 It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "China",
 "cfr-suspected-victims": [
 "United States"
@@ -3141,7 +3141,7 @@
 {
 "description": "Chinese threat group that has extensively used strategic Web compromises to target victims.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": " China",
 "cfr-suspected-victims": [
 "United States",
@@ -3193,7 +3193,7 @@
 {
 "description": "ProjectSauron is the name for a top level modular cyber-espionage platform, designed to enable and manage long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods. Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes. As such, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim. Usually APT campaigns have a geographical nexus, aimed at extracting information within a specific region or from a given industry. That usually results in several infections in countries within that region, or in the targeted industry around the world. Interestingly, ProjectSauron seems to be dedicated to just a couple of countries, focused on collecting high value intelligence by compromising almost all key entities it could possibly reach within the target area. The name, ProjectSauron reflects the fact that the code authors refer to ‘Sauron’ in the Lua scripts.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "United States",
 "cfr-suspected-victims": [
 "Russia",
@@ -3234,7 +3234,7 @@
 {
 "description": "APT 30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "China",
 "cfr-suspected-victims": [
 "India",
@@ -3303,7 +3303,7 @@
 {
 "description": "TA530, who we previously examined in relation to large-scale personalized phishing campaigns",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "refs": [
 "https://www.proofpoint.com/uk/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene"
@@ -3315,7 +3315,7 @@
 {
 "description": "GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "RU",
 "refs": [
 "https://securelist.com/blog/research/73638/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/"
@@ -3336,7 +3336,7 @@
 {
 "description": "Suckfly is a China-based threat group that has been active since at least 2014",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "refs": [
 "http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates",
@@ -3377,7 +3377,7 @@
 {
 "description": "Libyan Scorpions is a malware operation in use since September 2015 and operated by a politically motivated group whose main objective is intelligence gathering, spying on influentials and political figures and operate an espionage campaign within Libya.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "LY"
 },
 "uuid": "815cbe98-e157-4078-9caa-c5a25dd64731",
@@ -3399,7 +3399,7 @@
 {
 "description": "OilRig is an Iranian threat group operating primarily in the Middle East by targeting organizations in this region that are in a variety of different industries; however, this group has occasionally targeted organizations outside of the Middle East as well. It also appears OilRig carries out supply chain attacks, where the threat group leverages the trust relationship between organizations to attack their primary targets. \r\n\r\nOilRig is an active and organized threat group, which is evident based on their systematic targeting of specific organizations that appear to be carefully chosen for strategic purposes. Attacks attributed to this group primarily rely on social engineering to exploit the human rather than software vulnerabilities; however, on occasion this group has used recently patched vulnerabilities in the delivery phase of their attacks. The lack of software vulnerability exploitation does not necessarily suggest a lack of sophistication, as OilRig has shown maturity in other aspects of their operations. Such maturities involve:\r\n\r\n-Organized evasion testing used the during development of their tools.\r\n-Use of custom DNS Tunneling protocols for command and control (C2) and data exfiltration.\r\n-Custom web-shells and backdoors used to persistently access servers.\r\n\r\nOilRig relies on stolen account credentials for lateral movement. After OilRig gains access to a system, they use credential dumping tools, such as Mimikatz, to steal credentials to accounts logged into the compromised system. The group uses these credentials to access and to move laterally to other systems on the network. After obtaining credentials from a system, operators in this group prefer to use tools other than their backdoors to access the compromised systems, such as remote desktop and putty. 
OilRig also uses phishing sites to harvest credentials to individuals at targeted organizations to gain access to internet accessible resources, such as Outlook Web Access.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
 "cfr-suspected-victims": [
 "Israel",
@@ -3595,7 +3595,7 @@
 {
 "description": "PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "TR",
 "refs": [
 "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/",
@@ -3663,7 +3663,7 @@
 {
 "description": "Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014, however, it’s likely that activity began well before this date. Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. Their attacks continue to the present day. Symantec estimates that each team is made up of between 5 and 10 people.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "IR",
 "refs": [
 "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets"
@@ -3675,7 +3675,7 @@
 {
 "description": "Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014, however, it’s likely that activity began well before this date. Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. Their attacks continue to the present day. Symantec estimates that each team is made up of between 5 and 10 people.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "IR",
 "refs": [
 "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets",
@@ -3688,7 +3688,7 @@
 {
 "description": "The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates. Snorre Fagerland of Blue Coat Systems first coined the term PassCV in a blog post. His post provides a good introduction to the group and covers some of the older infrastructure, stolen code-signing certificate reuse, and other connections associated with the PassCV malware. There are several clues alluding to the possibility that multiple groups may be utilizing the same stolen signing certificates, but at this time SPEAR believes the current attacks are more likely being perpetrated by a single group employing multiple publicly available Remote Administration Tools (RATs). The PassCV group has been operating with continued success and has already started to expand their malware repertoire into different off-the-shelf RATs and custom code. SPEAR identified eighteen previously undisclosed stolen Authenticode certificates. These certificates were originally issued to companies and individuals scattered across China, Taiwan, Korea, Europe, the United States and Russia. In this post we expand the usage of the term ‘PassCV’ to encompass the malware mentioned in the Blue Coat Systems report, as well as the APT group behind the larger C2 infrastructure and stolen Authenticode certificates. We’d like to share some of our findings as they pertain to the stolen certificates, command and control infrastructure, and some of the newer custom RATs they’ve begun development on. ",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "refs": [
 "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
@@ -3700,7 +3700,7 @@
 {
 "description": "A Turkish hacking group, Sath-ı Müdafaa, is encouraging individuals to join its DDoS-for-Points platform that features points and prizes for carrying out distributed denial-of-service (DDoS) attacks against a list of predetermined targets. Their DDoS tool also contains a backdoor to hack the hackers. So the overarching motivation and allegiance of the group is not entirely clear.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "TR",
 "motive": "Hacktivists-Nationalists"
 },
@@ -3710,7 +3710,7 @@
 {
 "description": "Turkish nationalist hacktivist group that has been active for roughly one year. According to Domaintools, the group’s site has been registered since December 2015, with an active Twitter account since January 2016. The group carries out distributed denial-of-service (DDoS) attacks and defacements against the sites of news organizations and governments perceived to be critical of Turkey’s policies or leadership, and purports to act in defense of Islam",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "TR",
 "motive": "Hacktivists-Nationalists",
 "synonyms": [
@@ -3724,7 +3724,7 @@
 {
 "description": "Ayyıldız (Crescent and Star) Tim is a nationalist hacking group founded in 2002. It performs defacements and DDoS attacks against the websites of governments that it considers to be repressing Muslim minorities or engaged in Islamophobic policies.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "TR",
 "motive": "Hacktivists-Nationalists",
 "synonyms": [
@@ -3737,7 +3737,7 @@
 {
 "description": "Founded in 2004, Turkhackteam is one of Turkey’s oldest and most high-profile hacking collectives. According to a list compiled on Turkhackteam’s forum, the group has carried out almost 30 highly publicized hacking campaigns targeting foreign government and commercial websites, including websites of international corporations. ",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "TR",
 "motive": "Hacktivists-Nationalists",
 "synonyms": [
@@ -3750,7 +3750,7 @@
 {
 "description": "The Equation Group is a highly sophisticated threat actor described by its discoverers at Kaspersky Labs as one of the most sophisticated cyber attack groups in the world, operating alongside but always from a position of superiority with the creators of Stuxnet and Flame",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "United States",
 "cfr-suspected-victims": [
 "Iran",
@@ -3800,7 +3800,7 @@
 {
 "description": "Greenbug was discovered targeting a range of organizations in the Middle East including companies in the aviation, energy, government, investment, and education sectors.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "IR",
 "refs": [
 "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon",
@@ -3848,7 +3848,7 @@
 {
 "description": "Hammer Panda is a group of suspected Chinese origin targeting organisations in Russia.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "refs": [
 "http://www.darkreading.com/endpoint/chinese-cyberspies-pivot-to-russia-in-wake-of-obama-xi-pact/d/d-id/1324242"
@@ -3864,7 +3864,7 @@
 {
 "description": "Infy is a group of suspected Iranian origin.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
 "cfr-suspected-victims": [
 "Israel",
@@ -3907,7 +3907,7 @@
 {
 "description": "Sima is a group of suspected Iranian origin targeting Iranians in diaspora.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "IR",
 "refs": [
 "https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf",
@@ -3920,7 +3920,7 @@
 {
 "description": "Blue Termite is a group of suspected Chinese origin active in Japan.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Unknown",
 "cfr-suspected-victims": [
 "Japan"
@@ -3947,7 +3947,7 @@
 {
 "description": "Groundbait is a group targeting anti-government separatists in the self-declared Donetsk and Luhansk People’s Republics.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "UA",
 "refs": [
 "http://www.welivesecurity.com/2016/05/18/groundbait"
@@ -3959,7 +3959,7 @@
 {
 "description": "Longhorn has been active since at least 2011. It has used a range of back door Trojans in addition to zero-day vulnerabilities to compromise its targets. Longhorn has infiltrated governments and internationally operating organizations, in addition to targets in the financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors. All of the organizations targeted would be of interest to a nation-state attacker. Longhorn has infected 40 targets in at least 16 countries across the Middle East, Europe, Asia, and Africa. On one occasion a computer in the United States was compromised but, following infection, an uninstaller was launched within hours, which may indicate this victim was infected unintentionally. According to cfr, this threat actor compromises governments, international organizations, academic institutions, and financial, telecommunications, energy, aerospace, information technology, and natural resource industries for espionage purposes. Some of the tools used by this threat actor were released by Wikileaks under the name \"Vault 7.\"",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "United States",
 "cfr-suspected-victims": [
 "Global"
@@ -4005,7 +4005,7 @@
 {
 "description": "Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Vietnam",
 "cfr-suspected-victims": [
 "China",
@@ -4063,7 +4063,7 @@
 {
 "description": "As these tools rise and fall in popularity (and more importantly, as detection rates by antivirus vendors improve), SilverTerrier actors have consistently adopted new malware families and shifted to the latest packing tools available. ",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "NG",
 "refs": [
 "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/silverterrier-next-evolution-in-nigerian-cybercrime.pdf"
@@ -4203,7 +4203,7 @@
 {
 "description": "El Machete is one of these threats that was first publicly disclosed and named by Kaspersky here. We’ve found that this group has continued to operate successfully, predominantly in Latin America, since 2014. All attackers simply moved to new C2 infrastructure, based largely around dynamic DNS domains, in addition to making minimal changes to the malware in order to evade signature-based detection.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Unknown",
 "cfr-suspected-victims": [
 "Venezuela",
@@ -4260,7 +4260,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "refs": [
 "https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts#.WS3IBVFV4no.twitter"
@@ -4280,7 +4280,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "RU",
 "refs": [
 "https://www.threatconnect.com/blog/russia-hacks-bellingcat-mh17-investigation/#.V-wnrubaeEU.twitter"
@@ -4291,7 +4291,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "refs": [
 "https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403?emailToken=JRrydPtyYnqTg9EyZsw31FwuZ7JNEOKCXF7LaW/HM1DLsjnUp6e6wLgph560pnmiTAN/5ssf7moyADPQj2p2Gc+YkL1yi0zhIiUM9M6aj1HTYQ==",
@@ -4321,7 +4321,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "refs": [
 "http://www.slideshare.net/CTruncer/ever-present-persistence-established-footholds-seen-in-the-wild"
@@ -4336,7 +4336,7 @@
 {
 "description": "This threat actor targets organizations in the critical infrastructure, heavy industry, manufacturing, and international relations sectors for espionage purposes.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "China",
 "cfr-suspected-victims": [
 "Japan",
@@ -4375,7 +4375,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "synonyms": [
 "APT26",
@@ -4405,7 +4405,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "refs": [
 "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf"
@@ -4416,7 +4416,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "refs": [
 "http://www.darkreading.com/attacks-and-breaches/crowdstrike-falcon-traces-attacks-back-to-hackers/d/d-id/1110402?"
@@ -4427,7 +4427,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "refs": [
 "http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf"
@@ -4447,7 +4447,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "KP",
 "refs": [
 "https://www.isightpartners.com/2016/02/threatscape-media-highlights-update-week-of-february-17th/"
@@ -4458,7 +4458,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "China",
 "cfr-suspected-victims": [
 "Myanmar",
@@ -4489,7 +4489,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
 "cfr-suspected-victims": [
 "Israel",
@@ -4540,7 +4540,7 @@
 {
 "description": "The referenced link links this group to Temper Panda",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "refs": [
 "https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/"
@@ -4551,7 +4551,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "refs": [
 "http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem"
@@ -4562,7 +4562,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
 "cfr-suspected-victims": [
 "Iran",
@@ -4587,7 +4587,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "refs": [
 "http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem"
@@ -4598,7 +4598,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "China",
 "cfr-suspected-victims": [
 "United States",
@@ -4651,7 +4651,7 @@
 {
 "description": "This threat actor targets South Korean think tanks, industry, nuclear power operators, and the Ministry of Unification for espionage purposes.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Korea (Democratic People's Republic of)",
 "cfr-suspected-victims": [
 "Ministry of Unification",
@@ -4688,7 +4688,7 @@
 {
 "description": "This threat actor targets governments, diplomatic missions, private companies in the energy sector, and academics for espionage purposes.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Spain",
 "cfr-suspected-victims": [
 "Morocco",
@@ -4727,7 +4727,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "refs": [
 "http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem"
@@ -4739,7 +4739,7 @@
 {
 "description": "This threat actor targets the South Korean government, transportation, and energy sectors.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Unknown",
 "cfr-suspected-victims": [
 "South Korea"
@@ -4760,7 +4760,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "IR",
 "refs": [
 "http://www.crowdstrike.com/blog/whois-clever-kitten/"
@@ -4872,7 +4872,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "RU",
 "refs": [
 "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf"
@@ -4883,7 +4883,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "refs": [
 "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Pointed-Dagger.pdf"
@@ -4903,7 +4903,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "IR",
 "refs": [
 "http://pastebin.com/u/QassamCyberFighters",
@@ -4918,7 +4918,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "synonyms": [
 "1.php Group",
@@ -4962,7 +4962,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Israel",
 "cfr-suspected-victims": [
 "Iran",
@@ -4990,7 +4990,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Russian Federation",
 "cfr-suspected-victims": [
 "United States",
@@ -5017,7 +5017,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "refs": [
 "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf"
@@ -5028,7 +5028,7 @@
 },
 {
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "CN",
 "refs": [
 "https://www.isightpartners.com/2016/02/threatscape-media-highlights-update-week-of-february-17th/"
@@ -5040,7 +5040,7 @@
 {
 "description": "Sowbug has been conducting highly targeted cyber attacks against organizations in South America and Southeast Asia and appears to be heavily focused on foreign policy institutions and diplomatic targets. Sowbug has been seen mounting classic espionage attacks by stealing documents from the organizations it infiltrates. ",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Unknown",
 "cfr-suspected-victims": [
 "Argentina",
@@ -5074,7 +5074,7 @@
 {
 "description": "The MuddyWater attacks are primarily against Middle Eastern nations. However, we have also observed attacks against surrounding nations and beyond, including targets in India and the USA. MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call “POWERSTATS”. Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
 "cfr-suspected-victims": [
 "Saudi Arabia",
@@ -5139,7 +5139,7 @@
 {
 "description": "Lookout and Electronic Frontier Foundation (EFF) have discovered Dark Caracal, a persistent and prolific actor, who at the time of writing is believed to be administered out of a building belonging to the Lebanese General Security Directorate in Beirut. At present, we have knowledge of hundreds of gigabytes of exfiltrated data, in 21+ countries, across thousands of victims. Stolen data includes enterprise intellectual property and personally identifiable information.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "LB",
 "refs": [
 "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"
@@ -5161,7 +5161,7 @@
 {
 "description": "APT37 has likely been active since at least 2012 and focuses on targeting the public and private sectors primarily in South Korea. In 2017, APT37 expanded its targeting beyond the Korean peninsula to include Japan, Vietnam and the Middle East, and to a wider range of industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare entities",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Korea (Democratic People's Republic of)",
 "cfr-suspected-victims": [
 "Republic of Korea",
@@ -5217,7 +5217,7 @@
 {
 "description": "Leviathan is an espionage actor targeting organizations and high-value targets in defense and government. Active since at least 2014, this actor has long-standing interest in maritime industries, naval defense contractors, and associated research institutions in the United States and Western Europe.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "China",
 "cfr-suspected-victims": [
 "United States",
@@ -5260,7 +5260,7 @@
 {
 "description": "Since at least 2014, an Iranian threat group tracked by FireEye as APT34 has conducted reconnaissance aligned with the strategic interests of Iran. The group conducts operations primarily in the Middle East, targeting financial, government, energy, chemical, telecommunications and other industries. Repeated targeting of Middle Eastern financial, energy and government organizations leads FireEye to assess that those sectors are a primary concern of APT34. The use of infrastructure tied to Iranian operations, timing and alignment with the national interests of Iran also lead FireEye to assess that APT34 acts on behalf of the Iranian government.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
 "cfr-suspected-victims": [
 "Middle East"
@@ -5296,7 +5296,7 @@
 {
 "description": "FireEye has identified APT35 operations dating back to 2014. APT35, also known as the Newscaster Team, is a threat group sponsored by the Iranian government that conducts long term, resource-intensive operations to collect strategic intelligence. APT35 typically targets U.S. and the Middle Eastern military, diplomatic and government personnel, organizations in the media, energy and defense industrial base (DIB), and engineering, business services and telecommunications sectors.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "country": "IR",
 "refs": [
 "https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf"
@@ -5340,7 +5340,7 @@
 {
 "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).\nThis threat actor targets organizations involved in oil, gas, and electricity production, primarily in the Gulf region, for espionage purposes. According to one cybersecurity company, the threat actor “compromises a target machine and passes it off to another threat actor for further exploitation.”",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "capabilities": "Watering holes, 64-bit malware, covert C2 via IPv6 DNS, ISMDOOR",
 "cfr-suspected-state-sponsor": "Unknown",
 "cfr-suspected-victims": [
@@ -5458,7 +5458,7 @@
 {
 "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).\nThis threat actor compromises the networks of companies involved in electric power, specifically looking for intellectual property and information about the companies’ operations.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "capabilities": "Encoded binaries in documents, evasion techniques",
 "cfr-suspected-state-sponsor": "Unknown",
 "cfr-suspected-victims": [
@@ -5503,7 +5503,7 @@
 {
 "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).\nThis threat actor targets industrial control systems in Turkey, Europe, and North America.\n Believed to be linked to Crouching Yeti",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "capabilities": "GOODOR, DORSHEL, KARAGANY, Mimikatz",
 "cfr-suspected-state-sponsor": "Unknown",
 "cfr-suspected-victims": [
@@ -5532,7 +5532,7 @@
 {
 "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "capabilities": "STONEDRILL wiper, variants of TURNEDUP malware",
 "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
 "cfr-suspected-victims": [
@@ -5604,7 +5604,7 @@
 {
 "description": "Experts assigned the codename of LuckyMouse to the group behind this hack, but they later realized the attackers were an older Chinese threat actor known under various names in the reports of other cyber-security firms, such as Emissary Panda, APT27, Threat Group 3390, Bronze Union, ZipToken, and Iron Tiger",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Unknown",
 "cfr-suspected-victims": [
 "United States",
@@ -5672,7 +5672,7 @@
 {
 "description": "The Rancor group’s attacks use two primary malware families which are naming DDKONG and PLAINTEE. DDKONG is used throughout the campaign and PLAINTEE appears to be new addition to these attackers’ toolkit. Countries Unit 42 has identified as targeted by Rancor with these malware families include, but are not limited to Singapore and Cambodia.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "China",
 "cfr-suspected-victims": [
 "Singapore",
@@ -5768,7 +5768,7 @@
 {
 "description": "This threat actor targets organizations in the finance, defense, aerospace, technology, health-care, and automotive sectors and media organizations in East Asia for the purpose of espionage. Believed to be responsible for the targeting of South Korean actors prior to the meeting of Donald J. Trump and Kim Jong-un",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "China",
 "cfr-suspected-victims": [
 "South Korea",
@@ -5789,7 +5789,7 @@
 {
 "description": "This threat actor uses spear-phishing techniques to target parliaments, government ministries, academics, and media organizations, primarily in the Middle East, for the purpose of espionage.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Unknown",
 "cfr-suspected-victims": [
 "Palestine",
@@ -5836,7 +5836,7 @@
 {
 "description": "This threat actor uses spear-phishing techniques to target private-sector energy, defense, aerospace, research, and media organizations and embassies in Africa, Europe, and the Middle East, for the purpose of espionage.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Unknown",
 "cfr-suspected-victims": [
 "South Africa",
@@ -5860,7 +5860,7 @@
 {
 "description": "This threat actor targets software companies and political organizations in the United States, China, Japan, and South Korea. It primarily acts to support cyber operations conducted by other threat actors affiliated with Chinese intelligence services.\nBelieved to be associated with the Axiom, APT 17, and Mirage threat actors. Believed to share the same tools and infrastructure as the threat actors that carried out Operation Aurora, the 2015 targeting of video game companies, the 2015 targeting of the Thai government, and the 2017 targeting of Chinese-language news websites",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "China",
 "cfr-suspected-victims": [
 "United States",
@@ -5884,7 +5884,7 @@
 {
 "description": "This threat actor targets Uighurs—a minority ethnic group located primarily in northwestern China—and devices from Chinese mobile phone manufacturer Xiaomi, for espionage purposes.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "China",
 "cfr-suspected-victims": [
 "Uighurs"
@@ -5904,7 +5904,7 @@
 {
 "description": "This threat actor targets nongovernmental organizations using Mongolian-themed lures for espionage purposes.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "China",
 "cfr-suspected-victims": [
 "United States"
@@ -5924,7 +5924,7 @@
 {
 "description": "This threat actor targets organizations in the satellite communications, telecommunications, geospatial-imaging, and defense sectors in the United States and Southeast Asia for espionage purposes.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Unknown",
 "cfr-suspected-victims": [
 "United States"
@@ -5944,7 +5944,7 @@
 {
 "description": "This threat actor targets organizations in the satellite communications, telecommunications, geospatial-imaging, and defense sectors in the United States and Southeast Asia for espionage purposes.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Pakistan",
 "cfr-suspected-victims": [
 "Pakistan",
@@ -6006,7 +6006,7 @@
 {
 "description": "This threat actor targets critical infrastructure entities in the oil and gas sector, primarily in Ukraine. The threat actors deploy the BugDrop malware to remotely access the microphones in their targets' computers to eavesdrop on conversations.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Russian Federation",
 "cfr-suspected-victims": [
 "Ukraine",
@@ -6029,7 +6029,7 @@
 {
 "description": "This threat actor targets governments, diplomatic missions, academics, and energy and aerospace organizations for the purpose of espionage. Also known as the Rocra and believed to be the same threat actor as Cloud Atlas",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Russian Federation",
 "cfr-suspected-victims": [
 "Russia",
@@ -6067,7 +6067,7 @@
 {
 "description": "This threat actor targets governments and diplomatic organizations for espionage purposes.",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Russian Federation",
 "cfr-suspected-victims": [
 "Russia",
@@ -6091,7 +6091,7 @@
 {
 "description": "This threat actor compromises civil society groups the Chinese Communist Party views as hostile to its interests, such as Tibetan, Uyghur, Hong Kong, and Taiwanese activist. The threat actor also targeted the Myanmar electoral commission. ",
 "meta": {
- "attribution-confidence": 50,
+ "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "China",
 "cfr-suspected-victims": [
 "China",
@@ -6634,5 +6634,5 @@
 "value": "Operation Comando"
 }
 ],
- "version": 102
+ "version": 103
 }
From 04accabaabea7b7307e1f687d6c0a39e6d136a80 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 20 Mar 2019 12:37:38 +0100 Subject: [PATCH 19/20] chg: [mitre att&ck] updated with new version
---
 clusters/mitre-course-of-action.json | 4 +- ...re-enterprise-attack-course-of-action.json | 4 +- clusters/mitre-intrusion-set.json | 4 +- clusters/mitre-malware.json | 4 +- .../mitre-mobile-attack-attack-pattern.json | 139 ++++++++++++++++- .../mitre-mobile-attack-course-of-action.json | 60 +++++++- clusters/mitre-mobile-attack-malware.json | 144 +++++++++++++++++- clusters/mitre-pre-attack-attack-pattern.json | 46 +++++- clusters/mitre-pre-attack-intrusion-set.json | 25 ++- clusters/mitre-tool.json | 4 +- 10 files changed, 414 insertions(+), 20 deletions(-)
diff --git a/clusters/mitre-course-of-action.json b/clusters/mitre-course-of-action.json
index a625231..70db0ec 100644
--- a/clusters/mitre-course-of-action.json
+++ b/clusters/mitre-course-of-action.json
@@ -5951,5 +5951,5 @@
 "value": "Attestation - M1002"
 }
 ],
- "version": 9
-}
+ "version": 10
+}
\ No newline at end of file
diff --git a/clusters/mitre-enterprise-attack-course-of-action.json b/clusters/mitre-enterprise-attack-course-of-action.json
index 1057876..7c14e0b 100644
--- a/clusters/mitre-enterprise-attack-course-of-action.json
+++ b/clusters/mitre-enterprise-attack-course-of-action.json
@@ -3665,5 +3665,5 @@ "value": "Security Software Discovery Mitigation - T1063" } ], - "version": 5 -} + "version": 6 +} \ No newline at end of file diff --git a/clusters/mitre-intrusion-set.json b/clusters/mitre-intrusion-set.json index 6453d0d..6eca44e 100644 --- a/clusters/mitre-intrusion-set.json +++ b/clusters/mitre-intrusion-set.json @@ -11171,5 +11171,5 @@ "value": "DarkHydrus - G0079" } ], - "version": 12 -} + "version": 13 +} \ No newline at end of file diff --git a/clusters/mitre-malware.json b/clusters/mitre-malware.json index 9ab327a..5667496 100644 --- a/clusters/mitre-malware.json +++ b/clusters/mitre-malware.json @@ -22878,5 +22878,5 @@ "value": "NotCompatible - S0299" } ], - "version": 11 -} + "version": 12 +} \ No newline at end of file diff --git a/clusters/mitre-mobile-attack-attack-pattern.json b/clusters/mitre-mobile-attack-attack-pattern.json index a7fbc97..75a7aba 100644 --- a/clusters/mitre-mobile-attack-attack-pattern.json +++ b/clusters/mitre-mobile-attack-attack-pattern.json @@ -26,6 +26,15 @@ "https://srlabs.de/bites/rooting-sim-cards/" ] }, + "related": [ + { + "dest-uuid": "2d646840-f6f5-4619-a5a8-29c8316bbac5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" + } + ], "uuid": "0bcc4ec1-a897-49a9-a9ff-c00df1d1209d", "value": "Malicious SMS Message - MOB-T1057" }, @@ -330,6 +339,15 @@ "https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/wang%20tielei" ] }, + "related": [ + { + "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" + } + ], "uuid": "b765efd1-02e6-4e67-aebf-0fef5c37e54b", "value": "Detect App Analysis Environment - MOB-T1043" }, 
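Review bot: The `revoked-by` relation added to `Malicious SMS Message - MOB-T1057` in the `@@ -26` hunk records that the technique is superseded only inside its `related` list, while the entry itself stays in `values` unchanged, so any consumer that iterates the cluster's values without following relations still presents MOB-T1057 as a current technique. If the cluster schema offers a per-entry deprecation marker, setting it next to the relation would make the state visible without resolving the link; if it does not, a sentence in the entry's description saying it has been revoked in favour of the linked technique would do. The `dest-uuid` targets are not defined anywhere in this diff — `2d646840-f6f5-4619-a5a8-29c8316bbac5`, for instance, is used both here and for `Exploit Baseband Vulnerability - MOB-T1058` in the `@@ -568` hunk — so a validation step confirming that every target resolves to an existing entry would catch dangling references before they are published. The same pattern applies to all `revoked-by` additions from `@@ -330` through `@@ -1531` in this file.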
@@ -368,6 +386,15 @@ "https://jon.oberheide.org/files/summercon12-bouncer.pdf" ] }, + "related": [ + { + "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" + } + ], "uuid": "e30cc912-7ea1-4683-9219-543b86cbdec9", "value": "Fake Developer Accounts - MOB-T1045" }, @@ -388,6 +415,15 @@ "https://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/" ] }, + "related": [ + { + "dest-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" + } + ], "uuid": "a9cab8f6-4c94-4c9b-9e7d-9d863ff53431", "value": "Malicious Media Content - MOB-T1060" }, @@ -408,6 +444,15 @@ "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-13.html" ] }, + "related": [ + { + "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" + } + ], "uuid": "1f96d624-8409-4472-ad8a-30618ee6b2e2", "value": "App Delivered via Email Attachment - MOB-T1037" }, @@ -500,6 +545,15 @@ "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1076" ] }, + "related": [ + { + "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" + } + ], "uuid": "f9e4f526-ac9d-4df5-8949-833a82a1d2df", "value": "Malicious or Vulnerable Built-in Device Functionality - MOB-T1076" }, @@ -568,6 +622,15 @@ "https://www.usenix.org/system/files/conference/woot12/woot12-final24.pdf" ] }, + "related": [ + { + "dest-uuid": "2d646840-f6f5-4619-a5a8-29c8316bbac5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" + } + ], "uuid": "c91c304a-975d-4501-9789-0db1c57afd3f", "value": "Exploit Baseband Vulnerability - MOB-T1058" }, 
@@ -624,6 +687,15 @@ "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-21.html" ] }, + "related": [ + { + "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" + } + ], "uuid": "6b846ad0-cc20-4db6-aa34-91561397c5e2", "value": "App Delivered via Web Download - MOB-T1034" }, @@ -680,6 +752,15 @@ "http://www.slideshare.net/Shakacon/fruit-vs-zombies-defeat-nonjailbroken-ios-malware-by-claud-xiao" ] }, + "related": [ + { + "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" + } + ], "uuid": "51aedbd6-2837-4d15-aeb0-cb09f2bf22ac", "value": "Abuse of iOS Enterprise App Signing Key - MOB-T1048" }, @@ -756,6 +837,15 @@ "http://www.popsci.com/box-can-figure-out-your-4-digit-iphone-passcode" ] }, + "related": [ + { + "dest-uuid": "dfe29258-ce59-421c-9dee-e85cb9fa90cd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" + } + ], "uuid": "f296fc9c-2ff5-43ee-941e-6b49c438270a", "value": "Device Unlock Code Guessing or Brute Force - MOB-T1062" }, @@ -840,6 +930,15 @@ "https://support.apple.com/en-us/HT204587" ] }, + "related": [ + { + "dest-uuid": "dfe29258-ce59-421c-9dee-e85cb9fa90cd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" + } + ], "uuid": "45dcbc83-4abc-4de1-b643-e528d1e9df09", "value": "Biometric Spoofing - MOB-T1063" }, 
@@ -924,6 +1023,15 @@ "http://www.infoworld.com/article/2854963/mobile-development/how-to-keep-your-app-store-dev-account-from-being-hijacked.html" ] }, + "related": [ + { + "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" + } + ], "uuid": "a21a6a79-f9a1-4c87-aed9-ba2d79536881", "value": "Stolen Developer Credentials or Signing Keys - MOB-T1044" }, @@ -1204,6 +1312,15 @@ "https://www.nowsecure.com/blog/2015/06/15/a-pattern-for-remote-code-execution-using-arbitrary-file-writes-and-multidex-applications/" ] }, + "related": [ + { + "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" + } + ], "uuid": "11bd699b-f2c2-4e48-bf46-fb3f8acd9799", "value": "Insecure Third-Party Libraries - MOB-T1028" }, @@ -1309,6 +1426,15 @@ "http://www.vvdveen.com/publications/BAndroid.pdf" ] }, + "related": [ + { + "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" + } + ], "uuid": "831e3269-da49-48ac-94dc-948008e8fd16", "value": "Remotely Install Application - MOB-T1046" }, @@ -1531,9 +1657,18 @@ "http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/" ] }, + "related": [ + { + "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" + } + ], "uuid": "b928b94a-4966-4e2a-9e61-36505b896ebc", "value": "Malicious Software Development Tools - MOB-T1065" } ], - "version": 3 -} + "version": 4 +} \ No newline at end of file diff --git a/clusters/mitre-mobile-attack-course-of-action.json b/clusters/mitre-mobile-attack-course-of-action.json index acccfb5..3613623 100644 
--- a/clusters/mitre-mobile-attack-course-of-action.json +++ b/clusters/mitre-mobile-attack-course-of-action.json @@ -38,6 +38,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" + }, + { + "dest-uuid": "52651225-0b3a-482d-aa7e-10618fd063b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" } ], "uuid": "e829ee51-1caf-4665-ba15-7f8979634124", @@ -72,6 +79,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" + }, + { + "dest-uuid": "2204c371-6100-4ae0-82f3-25c07c29772a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" } ], "uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", @@ -89,6 +103,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" + }, + { + "dest-uuid": "3b0b604f-10db-41a0-b54c-493124d455b9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" } ], "uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", @@ -106,6 +127,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" + }, + { + "dest-uuid": "667e5707-3843-4da8-bd34-88b922526f0d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" } ], "uuid": "8ccd428d-39da-4e8f-a55b-d48ea1d56e58", @@ -191,6 +219,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" + }, + { + "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" } ], "uuid": "1553b156-6767-47f7-9eb4-2a692505666d", 
@@ -208,6 +243,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" + }, + { + "dest-uuid": "6f86d346-f092-4abc-80df-8558a90c426a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" } ], "uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1", @@ -225,6 +267,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" + }, + { + "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" } ], "uuid": "649f7268-4c12-483b-ac84-4b7bca9fe2ee", @@ -242,11 +291,18 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" + }, + { + "dest-uuid": "a5de0540-73e7-4c67-96da-4143afedc7ed", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" } ], "uuid": "8220b57e-c400-4525-bf69-f8edc6b389a8", "value": "Encrypt Network Traffic - MOB-M1009" } ], - "version": 4 -} + "version": 5 +} \ No newline at end of file diff --git a/clusters/mitre-mobile-attack-malware.json b/clusters/mitre-mobile-attack-malware.json index d78f394..49d5c8f 100644 --- a/clusters/mitre-mobile-attack-malware.json +++ b/clusters/mitre-mobile-attack-malware.json @@ -35,6 +35,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "a3dad2be-ce62-4440-953b-00fbce7aba93", @@ -113,6 +120,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50", 
@@ -138,6 +152,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "e13d084c-382f-40fd-aa9a-98d69e20301e", @@ -172,6 +193,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "c80a6bef-b3ce-44d0-b113-946e93124898", @@ -221,6 +249,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "f6ac21b6-2592-400c-8472-10d0e2f1bfaf", @@ -260,6 +295,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "33d9d91d-aad9-49d5-a516-220ce101ac8a", @@ -315,6 +357,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "76c12fc8-a4eb-45d6-a3b7-e371a7248f69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "c8770c81-c29f-40d2-a140-38544206b2b4", @@ -394,6 +443,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "5ddf81ea-2c06-497b-8c30-5f1ab89a40f9", 
@@ -498,6 +554,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", @@ -646,6 +709,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "56660521-6db4-4e5a-a927-464f22954b7c", @@ -718,6 +788,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "d05f7357-4cbe-47ea-bf83-b8604226d533", @@ -742,6 +819,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "c709da93-20c3-4d17-ab68-48cba76b2137", @@ -766,6 +850,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "b6d3657a-2d6a-400f-8b7e-4d60391aa1f7", @@ -790,6 +881,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "3c3b55a6-c3e9-4043-8aae-283fe96220c0", 
@@ -814,6 +912,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "20dbaf05-59b8-4dc6-8777-0b17f4553a23", @@ -838,6 +943,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", @@ -869,6 +981,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "d1c600f8-0fb6-4367-921b-85b71947d950", @@ -892,6 +1011,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "a15c9357-2be0-4836-beec-594f28b9b4a9", @@ -932,6 +1058,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "93799a9d-3537-43d8-b6f4-17215de1657c", 
@@ -957,11 +1090,18 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "d9e07aea-baad-4b68-bdca-90c77647d7f9", "value": "XcodeGhost - MOB-S0013" } ], - "version": 6 -} + "version": 7 +} \ No newline at end of file diff --git a/clusters/mitre-pre-attack-attack-pattern.json b/clusters/mitre-pre-attack-attack-pattern.json index f293b24..b17de7d 100644 --- a/clusters/mitre-pre-attack-attack-pattern.json +++ b/clusters/mitre-pre-attack-attack-pattern.json @@ -534,6 +534,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "7baccb84-356c-4e89-8c5d-58e701f033fc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41", @@ -664,6 +671,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "59369f72-3005-4e54-9095-3d00efcece73", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "78e41091-d10d-4001-b202-89612892b6ff", @@ -1422,6 +1436,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "74a3288e-eee9-4f8e-973a-fbc128e033f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "a757670d-d600-48d9-8ae9-601d42c184a5", @@ -2290,6 +2311,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "2b9a666e-bd59-4f67-9031-ed41b428e04a", 
@@ -2355,6 +2383,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "7baccb84-356c-4e89-8c5d-58e701f033fc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc", @@ -2653,6 +2688,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "a757670d-d600-48d9-8ae9-601d42c184a5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "af358cad-eb71-4e91-a752-236edc237dae", @@ -2743,5 +2785,5 @@ "value": "Data Hiding - PRE-T1097" } ], - "version": 4 -} + "version": 5 +} \ No newline at end of file diff --git a/clusters/mitre-pre-attack-intrusion-set.json b/clusters/mitre-pre-attack-intrusion-set.json index 94ed408..175019f 100644 --- a/clusters/mitre-pre-attack-intrusion-set.json +++ b/clusters/mitre-pre-attack-intrusion-set.json @@ -76,6 +76,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", @@ -208,6 +215,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "ad4f146f-e3ec-444a-ba71-24bffd7f0f8e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb", @@ -242,6 +256,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", 
@@ -334,5 +355,5 @@ "value": "APT17 - G0025" } ], - "version": 6 -} + "version": 7 +} \ No newline at end of file diff --git a/clusters/mitre-tool.json b/clusters/mitre-tool.json index 544d558..45b2f23 100644 --- a/clusters/mitre-tool.json +++ b/clusters/mitre-tool.json @@ -2608,5 +2608,5 @@ "value": "Xbot - S0298" } ], - "version": 10 -} + "version": 11 +} \ No newline at end of file From 6be42e6a1a2a8b917597c24b8c385911aa161f69 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Wed, 20 Mar 2019 12:58:18 +0100 Subject: [PATCH 20/20] fix: Make validate all happy --- clusters/mitre-course-of-action.json | 2 +- clusters/mitre-enterprise-attack-course-of-action.json | 2 +- clusters/mitre-intrusion-set.json | 2 +- clusters/mitre-malware.json | 2 +- clusters/mitre-mobile-attack-attack-pattern.json | 2 +- clusters/mitre-mobile-attack-course-of-action.json | 2 +- clusters/mitre-mobile-attack-malware.json | 2 +- clusters/mitre-pre-attack-attack-pattern.json | 2 +- clusters/mitre-pre-attack-intrusion-set.json | 2 +- clusters/mitre-tool.json | 2 +- 10 files changed, 10 insertions(+), 10 deletions(-) diff --git a/clusters/mitre-course-of-action.json b/clusters/mitre-course-of-action.json index 70db0ec..23efe07 100644 --- a/clusters/mitre-course-of-action.json +++ b/clusters/mitre-course-of-action.json @@ -5952,4 +5952,4 @@ } ], "version": 10 -} \ No newline at end of file +} diff --git a/clusters/mitre-enterprise-attack-course-of-action.json b/clusters/mitre-enterprise-attack-course-of-action.json index 7c14e0b..69a4f2f 100644 --- a/clusters/mitre-enterprise-attack-course-of-action.json +++ b/clusters/mitre-enterprise-attack-course-of-action.json @@ -3666,4 +3666,4 @@ } ], "version": 6 -} \ No newline at end of file +} diff --git a/clusters/mitre-intrusion-set.json b/clusters/mitre-intrusion-set.json index 6eca44e..db80e2e 100644 --- a/clusters/mitre-intrusion-set.json +++ b/clusters/mitre-intrusion-set.json 
@@ -11172,4 +11172,4 @@
 }
 ],
 "version": 13
-}
\ No newline at end of file
+}
diff --git a/clusters/mitre-malware.json b/clusters/mitre-malware.json
index 5667496..9bbca20 100644
--- a/clusters/mitre-malware.json
+++ b/clusters/mitre-malware.json
@@ -22879,4 +22879,4 @@
 }
 ],
 "version": 12
-}
\ No newline at end of file
+}
diff --git a/clusters/mitre-mobile-attack-attack-pattern.json b/clusters/mitre-mobile-attack-attack-pattern.json
index 75a7aba..f634fb8 100644
--- a/clusters/mitre-mobile-attack-attack-pattern.json
+++ b/clusters/mitre-mobile-attack-attack-pattern.json
@@ -1671,4 +1671,4 @@
 }
 ],
 "version": 4
-}
\ No newline at end of file
+}
diff --git a/clusters/mitre-mobile-attack-course-of-action.json b/clusters/mitre-mobile-attack-course-of-action.json
index 3613623..32e4b1d 100644
--- a/clusters/mitre-mobile-attack-course-of-action.json
+++ b/clusters/mitre-mobile-attack-course-of-action.json
@@ -305,4 +305,4 @@
 }
 ],
 "version": 5
-}
\ No newline at end of file
+}
diff --git a/clusters/mitre-mobile-attack-malware.json b/clusters/mitre-mobile-attack-malware.json
index 49d5c8f..1c59431 100644
--- a/clusters/mitre-mobile-attack-malware.json
+++ b/clusters/mitre-mobile-attack-malware.json
@@ -1104,4 +1104,4 @@
 }
 ],
 "version": 7
-}
\ No newline at end of file
+}
diff --git a/clusters/mitre-pre-attack-attack-pattern.json b/clusters/mitre-pre-attack-attack-pattern.json
index b17de7d..ac865ae 100644
--- a/clusters/mitre-pre-attack-attack-pattern.json
+++ b/clusters/mitre-pre-attack-attack-pattern.json
@@ -2786,4 +2786,4 @@
 }
 ],
 "version": 5
-}
\ No newline at end of file
+}
diff --git a/clusters/mitre-pre-attack-intrusion-set.json b/clusters/mitre-pre-attack-intrusion-set.json
index 175019f..ca083fe 100644
--- a/clusters/mitre-pre-attack-intrusion-set.json
+++ b/clusters/mitre-pre-attack-intrusion-set.json
@@ -356,4 +356,4 @@
 }
 ],
 "version": 7
-}
\ No newline at end of file
+}
diff --git a/clusters/mitre-tool.json b/clusters/mitre-tool.json
index 45b2f23..988757b 100644
--- a/clusters/mitre-tool.json
+++ b/clusters/mitre-tool.json
@@ -2609,4 +2609,4 @@
 }
 ],
 "version": 11
-}
\ No newline at end of file
+}
