commit
0fe525a9db
9 changed files with 8814 additions and 101 deletions
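--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1157,7 +1157,19 @@
 },
 "uuid": "809d100b-d46d-40f4-b498-5371f46bb9d6",
 "value": "AESDDoS"
+},
+{
+"description": "A set of DDoS botnet.",
+"meta": {
+"synonyms": [
+"Katura",
+"MyraV",
+"myra"
+]
+},
+"uuid": "e23d0f90-6dc5-46a5-b38d-06f176b7c601",
+"value": "Arceus"
 }
 ],
-"version": 20
+"version": 21
 }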
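Review bot: The new Arceus entry has no `refs` under `meta`, so the three synonyms (Katura, MyraV, myra) cannot be traced to any source by a reader of the galaxy; a report or sample analysis URL in a `"refs": [...]` array next to `synonyms` would make the attribution verifiable. The description also reads awkwardly, `"description": "A set of DDoS botnet.",` should be `"description": "A set of DDoS botnets.",`. The file header for this section is not shown on the page, and the hunk opens on the `},` closing the previous entry's `meta`, so the enclosing object starts outside the hunk.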
5510
clusters/china-defence-universities.json
Normal file
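--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -6,7 +6,8 @@
 "Andrea Garavaglia",
 "Andras Iklody",
 "Daniel Plohmann",
-"Christophe Vandeplas"
+"Christophe Vandeplas",
+"Rmkml"
 ],
 "category": "tool",
 "description": "Malware galaxy cluster based on Malpedia.",
@@ -18826,7 +18827,34 @@
 },
 "uuid": "10c03b2e-5e53-11ea-ac08-00163cdbc7b4",
 "value": "Raccoon"
+},
+{
+"description": "According to Bleeping Computer, the ransomware is used in targeted attacks against unpatched Citrix servers. It excludes Russian and Chinese targets using the system's Language ID for filtering. It also tries to disable Windows Defender and has a number of UNIX filepath references in its strings. Encryption method is AES using a dynamically generated key, then bundling this key up via RSA.",
+"meta": {
+"refs": [
+"https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-targets-citrix-adc-disables-windows-defender/",
+"https://news.sophos.com/en-us/2020/05/21/asnarok2/",
+"https://github.com/k-vitali/Malware-Misc-RE/blob/master/2020-01-26-ragnarok-cfg-vk.notes.raw"
+],
+"synonyms": [],
+"type": []
+},
+"uuid": "10c03b2f-5e52-01ea-bc08-00153cdbc7b3",
+"value": "Ragnarok"
+},
+{
+"description": "Conti is a new family of ransomware observed in the wild by the Carbon Black Threat Analysis Unit (TAU). Unlike most ransomware, Conti contains unique features that separate it in terms of performance and focus on network-based targets.",
+"meta": {
+"refs": [
+"https://malpedia.caad.fkie.fraunhofer.de/details/win.conti",
+"https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/"
+],
+"synonyms": [],
+"type": []
+},
+"uuid": "10c03b2e-5f52-01fa-ac08-00253cdbc6b3",
+"value": "Conti"
 }
 ],
-"version": 2562
+"version": 2564
 }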
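Review bot: The two new cluster UUIDs, `"uuid": "10c03b2f-5e52-01ea-bc08-00153cdbc7b3"` for Ragnarok and `"uuid": "10c03b2e-5f52-01fa-ac08-00253cdbc6b3"` for Conti, appear to be hand-edited from the Raccoon UUID `10c03b2e-5e53-11ea-ac08-00163cdbc7b4` just above them: they differ from it by a handful of nibbles and both carry a `0` in the version position of the third group (`01ea`, `01fa`), which no RFC 4122 UUID version uses. Galaxy cluster UUIDs are the identifiers MISP tags and `related` entries point at, so they should be freshly generated (for example `python3 -c 'import uuid; print(uuid.uuid4())'`) before they are published, since changing them afterwards breaks every tag that references them and a near-copy of a neighbour's value invites a collision. Any format validation the galaxy tooling performs would presumably reject the `0` version nibble as well; confirm against the repository's checks. The empty `"synonyms": []` and `"type": []` arrays in both entries carry no information and could be dropped if the other entries in this file omit empty meta fields, which the page does not show.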
2774
clusters/sod-matrix.json
Normal file
@ -175,18 +175,6 @@
|
||||||
"uuid": "9e71024e-817f-45b0-92a0-d886c30bc929",
|
"uuid": "9e71024e-817f-45b0-92a0-d886c30bc929",
|
||||||
"value": "Dust Storm"
|
"value": "Dust Storm"
|
||||||
},
|
},
|
||||||
{
|
|
||||||
"description": "Adversary targeting dissident groups in China and its surroundings.",
|
|
||||||
"meta": {
|
|
||||||
"attribution-confidence": "50",
|
|
||||||
"country": "CN",
|
|
||||||
"refs": [
|
|
||||||
"https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf"
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"uuid": "06e659ff-ece8-4e6c-a110-d9692ac6d8ee",
|
|
||||||
"value": "Karma Panda"
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
"attribution-confidence": "50",
|
"attribution-confidence": "50",
|
||||||
|
@ -606,13 +594,6 @@
|
||||||
"estimative-language:likelihood-probability=\"likely\""
|
"estimative-language:likelihood-probability=\"likely\""
|
||||||
],
|
],
|
||||||
"type": "similar"
|
"type": "similar"
|
||||||
},
|
|
||||||
{
|
|
||||||
"dest-uuid": "8e28dbee-4e9e-4491-9a6c-ee9c9ec4b28b",
|
|
||||||
"tags": [
|
|
||||||
"estimative-language:likelihood-probability=\"likely\""
|
|
||||||
],
|
|
||||||
"type": "similar"
|
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"uuid": "9a683d9c-8f7d-43df-bba2-ad0ca71e277c",
|
"uuid": "9a683d9c-8f7d-43df-bba2-ad0ca71e277c",
|
||||||
|
@ -982,15 +963,11 @@
|
||||||
"http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/",
|
"http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/",
|
||||||
"https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/",
|
"https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/",
|
||||||
"https://www.crowdstrike.com/blog/storm-chasing/",
|
"https://www.crowdstrike.com/blog/storm-chasing/",
|
||||||
"https://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/",
|
"https://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/"
|
||||||
"https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf"
|
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Black Vine",
|
"Black Vine",
|
||||||
"TEMP.Avengers",
|
"TEMP.Avengers"
|
||||||
"Zirconium",
|
|
||||||
"APT 31",
|
|
||||||
"APT31"
|
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -1555,16 +1532,11 @@
|
||||||
"cfr-type-of-incident": "Espionage",
|
"cfr-type-of-incident": "Espionage",
|
||||||
"country": "CN",
|
"country": "CN",
|
||||||
"refs": [
|
"refs": [
|
||||||
"http://www.crowdstrike.com/blog/whois-samurai-panda/",
|
"http://www.crowdstrike.com/blog/whois-samurai-panda/"
|
||||||
"https://www.cfr.org/interactive/cyber-operations/sykipot",
|
|
||||||
"https://www.secureworks.com/research/threat-profiles/bronze-edison"
|
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"PLA Navy",
|
"PLA Navy",
|
||||||
"APT4",
|
"Wisp Team"
|
||||||
"APT 4",
|
|
||||||
"Wisp Team",
|
|
||||||
"BRONZE EDISON"
|
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -1581,13 +1553,6 @@
|
||||||
"estimative-language:likelihood-probability=\"likely\""
|
"estimative-language:likelihood-probability=\"likely\""
|
||||||
],
|
],
|
||||||
"type": "similar"
|
"type": "similar"
|
||||||
},
|
|
||||||
{
|
|
||||||
"dest-uuid": "8e28dbee-4e9e-4491-9a6c-ee9c9ec4b28b",
|
|
||||||
"tags": [
|
|
||||||
"estimative-language:likelihood-probability=\"likely\""
|
|
||||||
],
|
|
||||||
"type": "similar"
|
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"uuid": "2fb07fa4-0d7f-43c7-8ff4-b28404313fe7",
|
"uuid": "2fb07fa4-0d7f-43c7-8ff4-b28404313fe7",
|
||||||
|
@ -2013,7 +1978,8 @@
|
||||||
"https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/",
|
"https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/",
|
||||||
"https://www.brighttalk.com/webcast/10703/275683",
|
"https://www.brighttalk.com/webcast/10703/275683",
|
||||||
"https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
|
"https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
|
||||||
"https://www.secureworks.com/research/threat-profiles/cobalt-trinity"
|
"https://www.secureworks.com/research/threat-profiles/cobalt-trinity",
|
||||||
|
"https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"APT 33",
|
"APT 33",
|
||||||
|
@ -2323,7 +2289,7 @@
|
||||||
"meta": {
|
"meta": {
|
||||||
"attribution-confidence": "50",
|
"attribution-confidence": "50",
|
||||||
"country": "TN",
|
"country": "TN",
|
||||||
"motive": "Hacktivism-Nationalist",
|
"motive": "Hacktivists-Nationalists",
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"FallagaTeam"
|
"FallagaTeam"
|
||||||
]
|
]
|
||||||
|
@ -2390,7 +2356,7 @@
|
||||||
"https://www.apnews.com/4d174e45ef5843a0ba82e804f080988f",
|
"https://www.apnews.com/4d174e45ef5843a0ba82e804f080988f",
|
||||||
"https://www.voanews.com/a/iaaf-hack-fancy-bears/3793874.html",
|
"https://www.voanews.com/a/iaaf-hack-fancy-bears/3793874.html",
|
||||||
"https://securelist.com/a-slice-of-2017-sofacy-activity/83930/",
|
"https://securelist.com/a-slice-of-2017-sofacy-activity/83930/",
|
||||||
"http://www.dw.com/en/hackers-lurking-parliamentarians-told/a-19564630",
|
"https://www.dw.com/en/hackers-lurking-parliamentarians-told/a-19564630",
|
||||||
"https://unit42.paloaltonetworks.com/unit42-sofacys-komplex-os-x-trojan/",
|
"https://unit42.paloaltonetworks.com/unit42-sofacys-komplex-os-x-trojan/",
|
||||||
"https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/",
|
"https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/",
|
||||||
"https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html",
|
"https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html",
|
||||||
|
@ -2410,13 +2376,13 @@
|
||||||
"https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/",
|
"https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/",
|
||||||
"https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/",
|
"https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/",
|
||||||
"https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-targets-mh17-investigation-team/",
|
"https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-targets-mh17-investigation-team/",
|
||||||
"http://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/",
|
"https://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/",
|
||||||
"http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf",
|
"https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf",
|
||||||
"https://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/",
|
"https://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/",
|
||||||
"https://blogs.microsoft.com/on-the-issues/2018/08/20/we-are-taking-new-steps-against-broadening-threats-to-democracy/",
|
"https://blogs.microsoft.com/on-the-issues/2018/08/20/we-are-taking-new-steps-against-broadening-threats-to-democracy/",
|
||||||
"http://www.lse.co.uk/AllNews.asp?code=kwdwehme&headline=Russian_Hackers_Suspected_In_Cyberattack_On_German_Parliament",
|
"https://www.lse.co.uk/AllNews.asp?code=kwdwehme&headline=Russian_Hackers_Suspected_In_Cyberattack_On_German_Parliament",
|
||||||
"https://www.volkskrant.nl/cultuur-media/russen-faalden-bij-hackpogingen-ambtenaren-op-nederlandse-ministeries~b77ff391/",
|
"https://www.volkskrant.nl/cultuur-media/russen-faalden-bij-hackpogingen-ambtenaren-op-nederlandse-ministeries~b77ff391/",
|
||||||
"http://www.ibtimes.co.uk/russian-hackers-fancy-bear-likely-breached-olympic-drug-testing-agency-dnc-experts-say-1577508",
|
"https://www.ibtimes.co.uk/russian-hackers-fancy-bear-likely-breached-olympic-drug-testing-agency-dnc-experts-say-1577508",
|
||||||
"https://www.bleepingcomputer.com/news/security/microsoft-disrupts-apt28-hacking-campaign-aimed-at-us-midterm-elections/",
|
"https://www.bleepingcomputer.com/news/security/microsoft-disrupts-apt28-hacking-campaign-aimed-at-us-midterm-elections/",
|
||||||
"https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected",
|
"https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected",
|
||||||
"https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf",
|
"https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf",
|
||||||
|
@ -2426,7 +2392,8 @@
|
||||||
"https://www.washingtonpost.com/technology/2019/02/20/microsoft-says-it-has-found-another-russian-operation-targeting-prominent-think-tanks/?utm_term=.870ff11468ae",
|
"https://www.washingtonpost.com/technology/2019/02/20/microsoft-says-it-has-found-another-russian-operation-targeting-prominent-think-tanks/?utm_term=.870ff11468ae",
|
||||||
"https://www.handelsblatt.com/today/politics/election-risks-russia-linked-hackers-target-german-political-foundations/23569188.html?ticket=ST-2696734-GRHgtQukDIEXeSOwksXO-ap1",
|
"https://www.handelsblatt.com/today/politics/election-risks-russia-linked-hackers-target-german-political-foundations/23569188.html?ticket=ST-2696734-GRHgtQukDIEXeSOwksXO-ap1",
|
||||||
"https://www.accenture.com/t20190213T141124Z__w__/us-en/_acnmedia/PDF-94/Accenture-SNAKEMACKEREL-Threat-Campaign-Likely-Targeting-NATO-Members-Defense-and-Military-Outlets.pdf",
|
"https://www.accenture.com/t20190213T141124Z__w__/us-en/_acnmedia/PDF-94/Accenture-SNAKEMACKEREL-Threat-Campaign-Likely-Targeting-NATO-Members-Defense-and-Military-Outlets.pdf",
|
||||||
"https://marcoramilli.com/2019/12/05/apt28-attacks-evolution/"
|
"https://marcoramilli.com/2019/12/05/apt28-attacks-evolution/",
|
||||||
|
"https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"APT 28",
|
"APT 28",
|
||||||
|
@ -2590,7 +2557,7 @@
|
||||||
"https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf",
|
"https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf",
|
||||||
"https://www.theguardian.com/technology/2014/aug/07/turla-hackers-spying-governments-researcher-kaspersky-symantec",
|
"https://www.theguardian.com/technology/2014/aug/07/turla-hackers-spying-governments-researcher-kaspersky-symantec",
|
||||||
"https://www.bleepingcomputer.com/news/security/turla-outlook-backdoor-uses-clever-tactics-for-stealth-and-persistence/",
|
"https://www.bleepingcomputer.com/news/security/turla-outlook-backdoor-uses-clever-tactics-for-stealth-and-persistence/",
|
||||||
"http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
|
"https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
|
||||||
"https://www.melani.admin.ch/melani/en/home/dokumentation/reports/technical-reports/technical-report_apt_case_ruag.html",
|
"https://www.melani.admin.ch/melani/en/home/dokumentation/reports/technical-reports/technical-report_apt_case_ruag.html",
|
||||||
"https://unit42.paloaltonetworks.com/unit42-kazuar-multiplatform-espionage-backdoor-api-access/",
|
"https://unit42.paloaltonetworks.com/unit42-kazuar-multiplatform-espionage-backdoor-api-access/",
|
||||||
"https://www.engadget.com/2017/06/07/russian-malware-hidden-britney-spears-instagram/",
|
"https://www.engadget.com/2017/06/07/russian-malware-hidden-britney-spears-instagram/",
|
||||||
|
@ -2598,6 +2565,7 @@
|
||||||
"https://www.trendmicro.com/vinfo/vn/security/news/cyber-attacks/cyberespionage-group-turla-deploys-backdoor-ahead-of-g20-summit",
|
"https://www.trendmicro.com/vinfo/vn/security/news/cyber-attacks/cyberespionage-group-turla-deploys-backdoor-ahead-of-g20-summit",
|
||||||
"https://www.zdnet.com/article/this-hacking-gang-just-updated-the-malware-it-uses-against-uk-targets/",
|
"https://www.zdnet.com/article/this-hacking-gang-just-updated-the-malware-it-uses-against-uk-targets/",
|
||||||
"https://attack.mitre.org/groups/G0010/",
|
"https://attack.mitre.org/groups/G0010/",
|
||||||
|
"https://www.telsy.com/turla-venomous-bear-updates-its-arsenal-newpass-appears-on-the-apt-threat-scene/",
|
||||||
"https://www.secureworks.com/research/threat-profiles/iron-hunter"
|
"https://www.secureworks.com/research/threat-profiles/iron-hunter"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
|
@ -2845,14 +2813,16 @@
|
||||||
"https://threatpost.com/fileless-malware-campaigns-tied-to-same-attacker/124369/",
|
"https://threatpost.com/fileless-malware-campaigns-tied-to-same-attacker/124369/",
|
||||||
"https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
|
"https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
|
||||||
"https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
|
"https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
|
||||||
"http://blog.morphisec.com/fin7-attacks-restaurant-industry",
|
"https://blog.morphisec.com/fin7-attacks-restaurant-industry",
|
||||||
"https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/",
|
"https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/",
|
||||||
"http://blog.morphisec.com/fin7-attack-modifications-revealed",
|
"https://blog.morphisec.com/fin7-attack-modifications-revealed",
|
||||||
"http://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign",
|
"https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign",
|
||||||
"https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/",
|
"https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/",
|
||||||
"https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
|
"https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
|
||||||
"https://attack.mitre.org/groups/G0046/",
|
"https://attack.mitre.org/groups/G0046/",
|
||||||
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
|
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
|
||||||
|
"https://threatintel.blog/OPBlueRaven-Part1/",
|
||||||
|
"https://threatintel.blog/OPBlueRaven-Part2/",
|
||||||
"https://www.secureworks.com/research/threat-profiles/gold-niagara"
|
"https://www.secureworks.com/research/threat-profiles/gold-niagara"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
|
@ -3111,6 +3081,7 @@
|
||||||
"https://threatpost.com/banco-de-chile-wiper-attack-just-a-cover-for-10m-swift-heist/132796/",
|
"https://threatpost.com/banco-de-chile-wiper-attack-just-a-cover-for-10m-swift-heist/132796/",
|
||||||
"https://www.darkreading.com/attacks-breaches/north-korean-hacking-group-steals-$135-million-from-indian-bank-/d/d-id/1332678",
|
"https://www.darkreading.com/attacks-breaches/north-korean-hacking-group-steals-$135-million-from-indian-bank-/d/d-id/1332678",
|
||||||
"https://www.zdnet.com/article/north-korean-hackers-infiltrate-chiles-atm-network-after-skype-job-interview/",
|
"https://www.zdnet.com/article/north-korean-hackers-infiltrate-chiles-atm-network-after-skype-job-interview/",
|
||||||
|
"https://blogs.jpcert.or.jp/en/2020/08/Lazarus-malware.html",
|
||||||
"https://www.secureworks.com/research/threat-profiles/nickel-gladstone"
|
"https://www.secureworks.com/research/threat-profiles/nickel-gladstone"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
|
@ -3850,8 +3821,7 @@
|
||||||
"cfr-type-of-incident": "Espionage",
|
"cfr-type-of-incident": "Espionage",
|
||||||
"country": "IR",
|
"country": "IR",
|
||||||
"refs": [
|
"refs": [
|
||||||
"http://www.clearskysec.com/oilrig/",
|
"https://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability",
|
||||||
"http://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability",
|
|
||||||
"https://unit42.paloaltonetworks.com/unit42-striking-oil-closer-look-adversary-infrastructure/",
|
"https://unit42.paloaltonetworks.com/unit42-striking-oil-closer-look-adversary-infrastructure/",
|
||||||
"https://unit42.paloaltonetworks.com/unit42-introducing-the-adversary-playbook-first-up-oilrig/",
|
"https://unit42.paloaltonetworks.com/unit42-introducing-the-adversary-playbook-first-up-oilrig/",
|
||||||
"https://unit42.paloaltonetworks.com/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/",
|
"https://unit42.paloaltonetworks.com/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/",
|
||||||
|
@ -3878,6 +3848,7 @@
|
||||||
"https://www.clearskysec.com/oilrig/",
|
"https://www.clearskysec.com/oilrig/",
|
||||||
"https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/",
|
"https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/",
|
||||||
"https://attack.mitre.org/groups/G0049/",
|
"https://attack.mitre.org/groups/G0049/",
|
||||||
|
"https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/",
|
||||||
"https://www.secureworks.com/research/threat-profiles/cobalt-gypsy"
|
"https://www.secureworks.com/research/threat-profiles/cobalt-gypsy"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
|
@ -4803,10 +4774,29 @@
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
"attribution-confidence": "50",
|
"attribution-confidence": "50",
|
||||||
|
"cfr-suspected-state-sponsor": "China",
|
||||||
|
"cfr-suspected-victims": [
|
||||||
|
"Eastern Europe",
|
||||||
|
"Japan",
|
||||||
|
"South Korea",
|
||||||
|
"Taiwan",
|
||||||
|
"US"
|
||||||
|
],
|
||||||
|
"cfr-target-category": [
|
||||||
|
"Military",
|
||||||
|
"Government",
|
||||||
|
"Private sector"
|
||||||
|
],
|
||||||
"country": "CN",
|
"country": "CN",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403?emailToken=JRrydPtyYnqTg9EyZsw31FwuZ7JNEOKCXF7LaW/HM1DLsjnUp6e6wLgph560pnmiTAN/5ssf7moyADPQj2p2Gc+YkL1yi0zhIiUM9M6aj1HTYQ==",
|
"https://arstechnica.com/information-technology/2017/04/researchers-claim-china-trying-to-hack-south-korea-missile-defense-efforts/",
|
||||||
"https://arstechnica.com/information-technology/2017/04/researchers-claim-china-trying-to-hack-south-korea-missile-defense-efforts/"
|
"https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf",
|
||||||
|
"https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/",
|
||||||
|
"https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"CactusPete",
|
||||||
|
"Karma Panda"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "0ab7c8de-fc23-4793-99aa-7ee336199e26",
|
"uuid": "0ab7c8de-fc23-4793-99aa-7ee336199e26",
|
||||||
|
@ -5151,36 +5141,17 @@
|
||||||
"https://www.alienvault.com/open-threat-exchange/blog/new-sykipot-developments",
|
"https://www.alienvault.com/open-threat-exchange/blog/new-sykipot-developments",
|
||||||
"http://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/",
|
"http://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/",
|
||||||
"https://www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-sykipot-smartcard-proxy-variant-33919",
|
"https://www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-sykipot-smartcard-proxy-variant-33919",
|
||||||
"https://www.cfr.org/interactive/cyber-operations/sykipot"
|
"https://www.cfr.org/interactive/cyber-operations/sykipot",
|
||||||
|
"https://www.secureworks.com/research/threat-profiles/bronze-edison"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"PLA Navy",
|
"PLA Navy",
|
||||||
|
"APT4",
|
||||||
|
"APT 4",
|
||||||
|
"BRONZE EDISON",
|
||||||
"Sykipot"
|
"Sykipot"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
|
||||||
{
|
|
||||||
"dest-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648",
|
|
||||||
"tags": [
|
|
||||||
"estimative-language:likelihood-probability=\"likely\""
|
|
||||||
],
|
|
||||||
"type": "similar"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"dest-uuid": "9a683d9c-8f7d-43df-bba2-ad0ca71e277c",
|
|
||||||
"tags": [
|
|
||||||
"estimative-language:likelihood-probability=\"likely\""
|
|
||||||
],
|
|
||||||
"type": "similar"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"dest-uuid": "2fb07fa4-0d7f-43c7-8ff4-b28404313fe7",
|
|
||||||
"tags": [
|
|
||||||
"estimative-language:likelihood-probability=\"likely\""
|
|
||||||
],
|
|
||||||
"type": "similar"
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"uuid": "8e28dbee-4e9e-4491-9a6c-ee9c9ec4b28b",
|
"uuid": "8e28dbee-4e9e-4491-9a6c-ee9c9ec4b28b",
|
||||||
"value": "Maverick Panda"
|
"value": "Maverick Panda"
|
||||||
},
|
},
|
||||||
|
@ -5700,7 +5671,13 @@
|
||||||
"meta": {
|
"meta": {
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/",
|
"https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/",
|
||||||
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf"
|
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf",
|
||||||
|
"https://securelist.com/apt-trends-report-q2-2019/91897/",
|
||||||
|
"https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/",
|
||||||
|
"https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"SixLittleMonkeys"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "0a6b31cd-54cd-4f82-9b87-aab780604632",
|
"uuid": "0a6b31cd-54cd-4f82-9b87-aab780604632",
|
||||||
|
@ -5805,7 +5782,16 @@
|
||||||
"United States",
|
"United States",
|
||||||
"Hong Kong",
|
"Hong Kong",
|
||||||
"The Philippines",
|
"The Philippines",
|
||||||
"Asia Pacific Economic Cooperation"
|
"Asia Pacific Economic Cooperation",
|
||||||
|
"Cambodia",
|
||||||
|
"Belgium",
|
||||||
|
"Germany",
|
||||||
|
"Philippines",
|
||||||
|
"Malaysia",
|
||||||
|
"Norway",
|
||||||
|
"Saudi Arabia",
|
||||||
|
"Switzerland",
|
||||||
|
"United Kingdom"
|
||||||
],
|
],
|
||||||
"cfr-target-category": [
|
"cfr-target-category": [
|
||||||
"Government",
|
"Government",
|
||||||
|
@ -5828,7 +5814,9 @@
|
||||||
"https://intrusiontruth.wordpress.com/2020/01/13/who-else-works-for-this-cover-company-network",
|
"https://intrusiontruth.wordpress.com/2020/01/13/who-else-works-for-this-cover-company-network",
|
||||||
"https://intrusiontruth.wordpress.com/2020/01/14/who-is-mr-ding",
|
"https://intrusiontruth.wordpress.com/2020/01/14/who-is-mr-ding",
|
||||||
"https://intrusiontruth.wordpress.com/2020/01/15/hainan-xiandun-technology-company-is-apt40",
|
"https://intrusiontruth.wordpress.com/2020/01/15/hainan-xiandun-technology-company-is-apt40",
|
||||||
"https://www.secureworks.com/research/threat-profiles/bronze-mohawk"
|
"https://www.secureworks.com/research/threat-profiles/bronze-mohawk",
|
||||||
|
"https://www.mycert.org.my/portal/advisory?id=MA-774.022020",
|
||||||
|
"https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"TEMP.Periscope",
|
"TEMP.Periscope",
|
||||||
|
@ -7073,6 +7061,7 @@
|
||||||
"https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
|
"https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
|
||||||
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/",
|
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/",
|
||||||
"https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service",
|
"https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service",
|
||||||
|
"https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-summer-2020-return",
|
||||||
"https://www.secureworks.com/research/threat-profiles/gold-crestwood"
|
"https://www.secureworks.com/research/threat-profiles/gold-crestwood"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
|
@ -7220,17 +7209,6 @@
|
||||||
"uuid": "7e37be6b-5a94-45f3-bdeb-f494c520eee3",
|
"uuid": "7e37be6b-5a94-45f3-bdeb-f494c520eee3",
|
||||||
"value": "Salty Spider"
|
"value": "Salty Spider"
|
||||||
},
|
},
|
||||||
{
|
|
||||||
"description": "This adversary is suspected of continuing to target upstream providers (e.g., law firms and managed service providers) to support additional intrusions against high-profile assets. In 2018, CrowdStrike observed this adversary using spear-phishing, URL 'web bugs' and scheduled tasks to automate credential harvesting.",
|
|
||||||
"meta": {
|
|
||||||
"refs": [
|
|
||||||
"https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
|
|
||||||
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"uuid": "d7a41ada-6687-4a6b-8b5c-396808cdd758",
|
|
||||||
"value": "Judgment Panda"
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
"description": "In the first quarter of 2018, CrowdStrike Intelligence identified NOMAD PANDA activity targeting Central Asian nations with exploit documents built with the 8.t tool.",
|
"description": "In the first quarter of 2018, CrowdStrike Intelligence identified NOMAD PANDA activity targeting Central Asian nations with exploit documents built with the 8.t tool.",
|
||||||
"meta": {
|
"meta": {
|
||||||
|
@ -7422,21 +7400,25 @@
|
||||||
"value": "Silent Librarian"
|
"value": "Silent Librarian"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "FireEye characterizes APT31 as an actor specialized on intellectual property theft, focusing on data and projects that make a particular organization competetive in its field. Based on available data (April 2016), FireEye assesses that APT31 conducts network operations at the behest of the Chinese Government.",
|
"description": "FireEye characterizes APT31 as an actor specialized on intellectual property theft, focusing on data and projects that make a particular organization competetive in its field. Based on available data (April 2016), FireEye assesses that APT31 conducts network operations at the behest of the Chinese Government. Also according to Crowdstrike, this adversary is suspected of continuing to target upstream providers (e.g., law firms and managed service providers) to support additional intrusions against high-profile assets. In 2018, CrowdStrike observed this adversary using spear-phishing, URL “web bugs” and scheduled tasks to automate credential harvesting.",
|
||||||
"meta": {
|
"meta": {
|
||||||
"country": "CN",
|
"country": "CN",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://www.microsoft.com/security/blog/2017/03/27/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005/",
|
"https://www.microsoft.com/security/blog/2017/03/27/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005/",
|
||||||
"https://duo.com/decipher/apt-groups-moving-down-the-supply-chain",
|
"https://duo.com/decipher/apt-groups-moving-down-the-supply-chain",
|
||||||
|
"https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf",
|
||||||
"https://redalert.nshc.net/2019/12/03/threat-actor-targeting-hong-kong-activists",
|
"https://redalert.nshc.net/2019/12/03/threat-actor-targeting-hong-kong-activists",
|
||||||
"https://twitter.com/bkMSFT/status/1201876664667582466",
|
"https://twitter.com/bkMSFT/status/1201876664667582466",
|
||||||
"https://www.secureworks.com/research/bronz-vinewood-uses-hanaloader-to-target-government-supply-chain",
|
"https://www.secureworks.com/research/bronz-vinewood-uses-hanaloader-to-target-government-supply-chain",
|
||||||
"https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains",
|
"https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains",
|
||||||
"https://www.secureworks.com/research/threat-profiles/bronze-vinewood"
|
"https://www.secureworks.com/research/threat-profiles/bronze-vinewood",
|
||||||
|
"https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report",
|
||||||
|
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"APT 31",
|
"APT 31",
|
||||||
"ZIRCONIUM",
|
"ZIRCONIUM",
|
||||||
|
"JUDGMENT PANDA",
|
||||||
"BRONZE VINEWOOD"
|
"BRONZE VINEWOOD"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
|
@ -8030,7 +8012,7 @@
|
||||||
"value": "SideWinder"
|
"value": "SideWinder"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "Operation Wocao (我操, “Wǒ cāo”, used as “shit” or “damn”) is the name that Fox-IT uses to describe the hacking activities of a Chinese based hacking group.\nThis report details the profile of a publicly underreported threat actor that Fox-IT has dealt with over the past two years. Fox-IT assesses with high confidence that the actor is a Chinese group and that they are likely working to support the interests of the Chinese government and are tasked with obtaining information for espionage purposes. With medium confidence, Fox-IT assesses that the tools, techniques and procedures are those of the actor referred to as APT20 by industry partners. We have identified victims of this actor in more than 10 countries, in government entities, managed service providers and across a wide variety of industries, including Energy, Health Care and High-Tech.",
|
"description": "Operation Wocao (我操, “Wǒ cāo”, used as “shit” or “damn”) is the name that Fox-IT uses to describe the hacking activities of a Chinese based hacking group.\nThis report details the profile of a publicly underreported threat actor that Fox-IT has dealt with over the past two years. Fox-IT assesses with high confidence that the actor is a Chinese group and that they are likely working to support the interests of the Chinese government and are tasked with obtaining information for espionage purposes. With medium confidence, Fox-IT assesses that the tools, techniques and procedures are those of the actor referred to as APT20 by industry partners. We have identified victims of this actor in more than 10 countries, in government entities, managed service providers and across a wide variety of industries, including Energy, Health Care and High-Tech.",
|
||||||
"meta": {
|
"meta": {
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://www.fox-it.com/nl/actueel/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/"
|
"https://www.fox-it.com/nl/actueel/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/"
|
||||||
|
@ -8370,7 +8352,32 @@
|
||||||
],
|
],
|
||||||
"uuid": "e400b6c5-77cf-453d-ba0f-44575583ac6c",
|
"uuid": "e400b6c5-77cf-453d-ba0f-44575583ac6c",
|
||||||
"value": "GALLIUM"
|
"value": "GALLIUM"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "Proofpoint researchers observed a phishing campaign impersonating the World Health Organization’s (WHO) guidance on COVID-19 critical preparedness to deliver a new malware family that researchers have dubbed Sepulcher. This campaign targeted European diplomatic and legislative bodies, non-profit policy research organizations, and global organizations dealing with economic affairs. Additionally, a sender email identified in this campaign has been linked to historic Chinese APT targeting of the international Tibetan community using payloads linked to LuckyCat malware. Subsequently, a phishing campaign from July 2020 targeting Tibetan dissidents was identified delivering the same strain of Sepulcher malware. Operator email accounts identified in this campaign have been publicly linked to historic Chinese APT campaigns targeting the Tibetan community delivering ExileRAT malware. Based on the use of publicly known sender addresses associated with Tibetan dissident targeting and the delivery of Sepulcher malware payloads, Proofpoint researchers have attributed both campaigns to the APT actor TA413, which has previously been documented in association with ExileRAT. The usage of publicly known Tibetan-themed sender accounts to deliver Sepulcher malware demonstrates a short-term realignment of TA413’s targets of interest. While best known for their campaigns against the Tibetan diaspora, this APT group associated with the Chinese state interest prioritized intelligence collection around Western economies reeling from COVID-19 in March 2020 before resuming more conventional targeting later this year.",
|
||||||
|
"meta": {
|
||||||
|
"country": "CN",
|
||||||
|
"refs": [
|
||||||
|
"https://www.proofpoint.com/us/blog/threat-insight/chinese-apt-ta413-resumes-targeting-tibet-following-covid-19-themed-economic"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "cbf94f8d-20f2-45a0-b78b-54715b6b4e18",
|
||||||
|
"value": "TA413"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "ESET has analyzed the operations of Evilnum, the APT group behind the Evilnum malware previously seen in attacks against financial technology companies. While said malware has been seen in the wild since at least 2018 and documented previously, little has been published about the group behind it and how it operates. The group’s targets remain fintech companies, but its toolset and infrastructure have evolved and now consist of a mix of custom, homemade malware combined with tools purchased from Golden Chickens, a Malware-as-a-Service (MaaS) provider whose infamous customers include FIN6 and Cobalt Group.",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/",
|
||||||
|
"https://securelist.com/deathstalker-mercenary-triumvirate/98177/"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"DeathStalker"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "b6f3150f-2240-4c57-9dda-5144c5077058",
|
||||||
|
"value": "Evilnum"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"version": 168
|
"version": 178
|
||||||
}
|
}
|
||||||
|
|
|
@ -8093,7 +8093,56 @@
|
||||||
"related": [],
|
"related": [],
|
||||||
"uuid": "e83d1296-027a-4f30-98e0-19622967d5c4",
|
"uuid": "e83d1296-027a-4f30-98e0-19622967d5c4",
|
||||||
"value": "CrackMapExec"
|
"value": "CrackMapExec"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "Wellmess is a Remote Access Trojan written in Golang and also have a .NET version",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.lac.co.jp/lacwatch/pdf/20180614_cecreport_vol3.pdf",
|
||||||
|
"https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html",
|
||||||
|
"https://www.botconf.eu/wp-content/uploads/2018/12/2018-Y-Ishikawa-S-Nagano-Lets-go-with-a-Go-RAT-_final.pdf",
|
||||||
|
"https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf"
|
||||||
|
],
|
||||||
|
"synonyms": [],
|
||||||
|
"type": [
|
||||||
|
"RAT"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"related": [],
|
||||||
|
"uuid": "4fe80228-1142-4e70-9df8-c8f1f3356cfb",
|
||||||
|
"value": "WellMess"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "WellMail is a lightweight tool designed to run commands or scripts with the results being sent to a hardcoded Command and Control (C2) server.",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf"
|
||||||
|
],
|
||||||
|
"synonyms": [],
|
||||||
|
"type": [
|
||||||
|
"RAT"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"related": [],
|
||||||
|
"uuid": "59266c02-e3c8-47a6-b00c-bbb50c8975e9",
|
||||||
|
"value": "WellMail"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "Drovorub is a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server.",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF"
|
||||||
|
],
|
||||||
|
"synonyms": [],
|
||||||
|
"type": [
|
||||||
|
"Backdoor",
|
||||||
|
"Rootkit"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"related": [],
|
||||||
|
"uuid": "a0a46c1b-e774-410e-a84b-020b2558d851",
|
||||||
|
"value": "Drovorub"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"version": 136
|
"version": 138
|
||||||
}
|
}
|
||||||
|
|
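--- a/galaxies/china-defence-universities.json
+++ b/galaxies/china-defence-universities.json
@@ -0,0 +1,9 @@
+{
+"description": "China Defence Universities",
+"icon": "globe",
+"name": "China Defence Universities Tracker",
+"namespace": "misp",
+"type": "china-defence-universities",
+"uuid": "c51c59e9-f213-4ad4-9913-09a43d78dff5",
+"version": 1
+}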
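--- a/galaxies/sod-matrix.json
+++ b/galaxies/sod-matrix.json
@@ -0,0 +1,29 @@
+{
+"description": "SoD Matrix",
+"icon": "map",
+"kill_chain_order": {
+"during-incident-crime": [
+"CSIRT",
+"LEA",
+"Judiciary",
+"Prosecutors"
+],
+"post-incident-crime": [
+"CSIRT",
+"LEA",
+"Judiciary",
+"Prosecutors"
+],
+"prior-to-incident-crime": [
+"CSIRT",
+"LEA",
+"Judiciary",
+"Prosecutors"
+]
+},
+"name": "SoD Matrix",
+"namespace": "sod-matrix",
+"type": "sod-matrix",
+"uuid": "50104ead-7315-457c-b596-b4471cabf28b",
+"version": 1
+}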
295
tools/gen_defence_university.py
Normal file
295
tools/gen_defence_university.py
Normal file
|
@ -0,0 +1,295 @@
|
||||||
|
#!/usr/bin/python3
|
||||||
|
import requests
|
||||||
|
import json
|
||||||
|
from bs4 import BeautifulSoup
|
||||||
|
import bs4
|
||||||
|
import uuid
|
||||||
|
|
||||||
|
# This tool is part of the MISP core project and released under the GNU Affero
|
||||||
|
# General Public License v3.0
|
||||||
|
#
|
||||||
|
# Copyright (C) 2020 Cormac Doherty
|
||||||
|
# Copyright (C) 2020 Roger Johnston
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# version 0.1 - initial
|
||||||
|
# version 0.2 - fixed typo ( _curRef NOT curRef)
|
||||||
|
|
||||||
|
def _buildArticleSection(nxtSibling):
|
||||||
|
_sectionParagraphs = []
|
||||||
|
_nxtsib = nxtSibling
|
||||||
|
|
||||||
|
# Headings and their content are at the same hierarchical
|
||||||
|
# level in the html - just a sequence. This loop is bounded on
|
||||||
|
# the next element being a <p>
|
||||||
|
while ((_nxtsib is not None) and (_nxtsib.name == 'p')):
|
||||||
|
# Almost every sentence, if not clause, in parapgraph
|
||||||
|
# text is referenced/cited/footnoted.
|
||||||
|
#
|
||||||
|
# The following iterates through the sequence of 'tokens'
|
||||||
|
# in the current <p>, building 'statements' composed of a
|
||||||
|
# statement and a reference.
|
||||||
|
#
|
||||||
|
# so-called "clauses" and "references" are accumulated over
|
||||||
|
# loop iterations i.e. a clause is appended to previous clauses
|
||||||
|
# if a reference has yet to be accumulated. (implicitly -
|
||||||
|
# references come after statements.)
|
||||||
|
#
|
||||||
|
# Once a 'clause' AND a 'statement' are accumulated, an encapsulating
|
||||||
|
# 'statement' is appended to the section's list of paragraphs and
|
||||||
|
# are reset.
|
||||||
|
#
|
||||||
|
_curClause = None
|
||||||
|
_curRef = None
|
||||||
|
|
||||||
|
for token in _nxtsib.contents:
|
||||||
|
# References (links) are interleved within text blocks as <spans>.
|
||||||
|
# The following control structure parses 'the next token' as
|
||||||
|
# - <spans> containing a link
|
||||||
|
# - disposable 'junk' if its <em>phasised and contains "Last update"
|
||||||
|
# - as relevant paragraph text to be accumulated.
|
||||||
|
if (token.name == 'span'):
|
||||||
|
_anchors = token.find_all('a', recursive=True)
|
||||||
|
_anch = None
|
||||||
|
if (len(_anchors) != 0):
|
||||||
|
_anch = _anchors[0]
|
||||||
|
|
||||||
|
if (_anch is not None):
|
||||||
|
_curRef = _anch['href']
|
||||||
|
else:
|
||||||
|
_curRef = None
|
||||||
|
elif ((token.name != 'em') or (not ("Last updated" in token.text))): # ignore the "last updated footer
|
||||||
|
if (_curClause is not None):
|
||||||
|
if (isinstance(token, bs4.element.NavigableString)):
|
||||||
|
_curClause = _curClause + token
|
||||||
|
else:
|
||||||
|
_curClause = _curClause + token.text
|
||||||
|
else:
|
||||||
|
# anomalous html handling
|
||||||
|
# - <strong> and
|
||||||
|
# - (useless) <a> tags
|
||||||
|
# appear in a few places
|
||||||
|
if ((token.name != 'strong') and
|
||||||
|
(token.name != 'em') and
|
||||||
|
(token.name != 'br') and
|
||||||
|
(token.name != 'sup') and
|
||||||
|
(token.name != 'a')):
|
||||||
|
_curClause = token # this quashes them
|
||||||
|
|
||||||
|
# Once a 'clause' AND a 'statement' are accumulated, an encapsulating
|
||||||
|
# 'statement' is appended to the section's list of paragraphs and
|
||||||
|
# are reset.
|
||||||
|
if ((_curRef is not None) and (_curClause is not None)):
|
||||||
|
statement = {}
|
||||||
|
statement["clause"] = _curClause
|
||||||
|
statement["ref"] = _curRef
|
||||||
|
_sectionParagraphs.append(statement)
|
||||||
|
_curClause = None
|
||||||
|
_curRef = None
|
||||||
|
|
||||||
|
# If a sequence of 'clauses' have been accumulated without finding a reference
|
||||||
|
# create a reference-LESS statement.
|
||||||
|
if ((_curClause is not None) and (not "Last updated" in _curClause)):
|
||||||
|
statement = {}
|
||||||
|
statement["clause"] = _curClause
|
||||||
|
_sectionParagraphs.append(statement)
|
||||||
|
|
||||||
|
_nxtsib = _nxtsib.find_next_sibling()
|
||||||
|
|
||||||
|
return _sectionParagraphs
|
||||||
|
|
||||||
|
|
||||||
|
def _buildListSection(listContent):
|
||||||
|
laboratories = []
|
||||||
|
for lab in listContent.find_all('li', recursive="False"):
|
||||||
|
_lab = {}
|
||||||
|
_lab['name'] = lab.contents[0].replace(u'\xa0', '')
|
||||||
|
|
||||||
|
ref = lab.find('a')
|
||||||
|
if (ref is not None):
|
||||||
|
_lab['ref'] = ref['href']
|
||||||
|
else:
|
||||||
|
_lab['ref'] = None
|
||||||
|
|
||||||
|
laboratories.append(_lab)
|
||||||
|
|
||||||
|
return laboratories
|
||||||
|
|
||||||
|
|
||||||
|
def _fetchArticle(url):
|
||||||
|
response = requests.get(url)
|
||||||
|
soup = BeautifulSoup(response.content, 'html5lib')
|
||||||
|
_article = soup.body.find_all('article')[0]
|
||||||
|
|
||||||
|
article = {}
|
||||||
|
article['url'] = url
|
||||||
|
article['name'] = _article.h1.text.replace('\n', '').strip()
|
||||||
|
article['_name'] = _article.h2.contents[0]
|
||||||
|
|
||||||
|
_artbody = _article.find('div', {"class": "article__copy"})
|
||||||
|
|
||||||
|
# Risk Statement
|
||||||
|
article['risk statement'] = _artbody.find('p').text
|
||||||
|
|
||||||
|
article['intro'] = _buildArticleSection(_artbody.find('p').find_next_sibling())
|
||||||
|
|
||||||
|
# Article body
|
||||||
|
sections = []
|
||||||
|
|
||||||
|
for _heading in _artbody.findChildren('h2'):
|
||||||
|
_nxtSibling = _heading.find_next_sibling()
|
||||||
|
|
||||||
|
section = {}
|
||||||
|
section['title'] = _heading.text
|
||||||
|
if (_nxtSibling.name == 'ul'):
|
||||||
|
section['body'] = _buildListSection(_nxtSibling)
|
||||||
|
else:
|
||||||
|
section['body'] = _buildArticleSection(_nxtSibling)
|
||||||
|
sections.append(section)
|
||||||
|
|
||||||
|
article['sections'] = sections
|
||||||
|
|
||||||
|
# # Logo
|
||||||
|
# logo = _article.div[0].aside[0].find("div", {"class": "aside__logo"})
|
||||||
|
|
||||||
|
_panel = _article.find("div", {"class": "aside__groups cf"})
|
||||||
|
_paneldivs = _panel.find_all('div')
|
||||||
|
|
||||||
|
for _paneldiv in _panel.find_all('div'):
|
||||||
|
_title = _paneldiv.find('h3').text
|
||||||
|
_items = []
|
||||||
|
for _item in _paneldiv.find_all('li'):
|
||||||
|
_anch = _item.find('a')
|
||||||
|
if (_anch is not None):
|
||||||
|
if ("Location" in _title): # locations
|
||||||
|
_loc = {}
|
||||||
|
_loc['name'] = _anch.contents[0].replace('\n', '').strip()
|
||||||
|
_loc['ref'] = _anch['href']
|
||||||
|
_latlong = _anch['href'].split("=")[1]
|
||||||
|
_loc['lat'] = _latlong.split(",")[0]
|
||||||
|
_loc['long'] = _latlong.split(",")[1]
|
||||||
|
_items.append(_loc)
|
||||||
|
else:
|
||||||
|
_items.append(_anch.text)
|
||||||
|
else:
|
||||||
|
_items.append(_item.text.replace('\n', '').strip())
|
||||||
|
article[_title.lower()] = _items
|
||||||
|
|
||||||
|
return article
|
||||||
|
|
||||||
|
|
||||||
|
def _gen_galaxy(scrape):
|
||||||
|
base = {
|
||||||
|
"authors": [
|
||||||
|
"Australian Strategic Policy Institute"
|
||||||
|
],
|
||||||
|
"category": "academic-institution",
|
||||||
|
"description": "The China Defence Universities Tracker is a database of Chinese institutions engaged in military or security-related science and technology research. It was created by ASPI’s International Cyber Policy Centre.",
|
||||||
|
"name": "China Defence Universities Tracker",
|
||||||
|
"source": "ASPI International Cyber Policy Centre",
|
||||||
|
"type": "china-defence-universities",
|
||||||
|
"uuid": "d985d2eb-d6ad-4b44-9c69-44eb90095e23",
|
||||||
|
"values": [
|
||||||
|
],
|
||||||
|
"version": 1
|
||||||
|
}
|
||||||
|
|
||||||
|
for uni in scrape:
|
||||||
|
new_template = template = {
|
||||||
|
"description": "",
|
||||||
|
"meta": {
|
||||||
|
"refs": []
|
||||||
|
},
|
||||||
|
"uuid": "",
|
||||||
|
"value": ""
|
||||||
|
}
|
||||||
|
|
||||||
|
new_template["uuid"] = str(uuid.uuid4())
|
||||||
|
|
||||||
|
new_template["meta"]["refs"].append(uni["url"])
|
||||||
|
|
||||||
|
new_template["value"] = uni["name"] + f" ({uni['_name']})"
|
||||||
|
|
||||||
|
def _append_meta(key, meta):
|
||||||
|
if uni.get(meta):
|
||||||
|
values = []
|
||||||
|
for value in uni[meta]:
|
||||||
|
if value != "":
|
||||||
|
values.append(value)
|
||||||
|
if values:
|
||||||
|
new_template["meta"][key] = values
|
||||||
|
|
||||||
|
if uni.get("intro"):
|
||||||
|
for intro in uni["intro"]:
|
||||||
|
new_template["description"] += intro["clause"]
|
||||||
|
if new_template["description"] == "":
|
||||||
|
new_template["description"] += uni["name"] + f" ({uni['_name']})"
|
||||||
|
else:
|
||||||
|
new_template["description"] += uni["name"] + f" ({uni['_name']})"
|
||||||
|
|
||||||
|
if uni.get("risk"):
|
||||||
|
if uni.get("risk") != "":
|
||||||
|
new_template["meta"]["risk"] = uni["risk statement"]
|
||||||
|
|
||||||
|
_append_meta("aliases", "aliases")
|
||||||
|
|
||||||
|
_append_meta("supervising agencies", "supervising agencies")
|
||||||
|
|
||||||
|
_append_meta("subsidiaries", "subsidiaries")
|
||||||
|
|
||||||
|
_append_meta("topics", "topics")
|
||||||
|
|
||||||
|
_append_meta("categories", "categories")
|
||||||
|
|
||||||
|
if uni.get("sections"):
|
||||||
|
labs = []
|
||||||
|
for section in uni["sections"]:
|
||||||
|
if section["title"] == "Major defence laboratories":
|
||||||
|
for lab in section["body"]:
|
||||||
|
if lab.get("name"):
|
||||||
|
if lab["name"] != "":
|
||||||
|
labs.append(lab["name"])
|
||||||
|
if labs:
|
||||||
|
new_template["meta"]["major defence laboratories"] = labs
|
||||||
|
|
||||||
|
if uni.get("location"):
|
||||||
|
if uni.get(uni["location"][0]["name"]) != "":
|
||||||
|
new_template["meta"]["address"] = uni["location"][0]["name"]
|
||||||
|
if uni.get(uni["location"][0]["lat"]) != "":
|
||||||
|
new_template["meta"]["lat"] = uni["location"][0]["lat"]
|
||||||
|
if uni.get(uni["location"][0]["long"]) != "":
|
||||||
|
new_template["meta"]["long"] = uni["location"][0]["long"]
|
||||||
|
|
||||||
|
base["values"].append(new_template)
|
||||||
|
|
||||||
|
return base
|
||||||
|
|
||||||
|
|
||||||
|
def main():
|
||||||
|
url = "https://unitracker.aspi.org.au"
|
||||||
|
response = requests.get(url)
|
||||||
|
|
||||||
|
soup = BeautifulSoup(response.content, 'html5lib')
|
||||||
|
|
||||||
|
table = soup.find_all('table')[0] # Grab the first table
|
||||||
|
head = None
|
||||||
|
articles = []
|
||||||
|
for row in table.find_all('tr'):
|
||||||
|
if head is not None:
|
||||||
|
colOne = row.find_all('td')[0].find_all('a')[0]['href']
|
||||||
|
article = _fetchArticle(url + colOne)
|
||||||
|
print("Processing: {}".format(url + colOne))
|
||||||
|
articles.append(article)
|
||||||
|
else:
|
||||||
|
head = "bloop"
|
||||||
|
|
||||||
|
galaxy = _gen_galaxy(articles)
|
||||||
|
|
||||||
|
print(galaxy)
|
||||||
|
|
||||||
|
with open("china-defence-universities.json", "w") as g:
|
||||||
|
g.write(json.dumps(galaxy, indent=4, sort_keys=True))
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
main()
|
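Review bot: `_gen_galaxy` never emits the risk statement, because it tests `uni.get("risk")` while `_fetchArticle` stores the text under the key `'risk statement'`, and the three location checks of the form `uni.get(uni["location"][0]["name"]) != ""` look the scraped value up as a key of `uni` (always `None`, never `""`), so they pass unconditionally; both should read the field directly, as in the fence below. In `_buildListSection`, `recursive="False"` is a non-empty string and therefore truthy, so `find_all` still recurses; it should be `recursive=False`. Both `requests.get(url)` calls have no timeout and never check the status, so a stalled upstream hangs the run and an error page is fed straight into the parser; `requests.get(url, timeout=30)` followed by `response.raise_for_status()` would make that explicit. In `main`, `url + colOne` only works for root-relative hrefs; `urllib.parse.urljoin(url, colOne)` handles absolute and relative links alike.
```python
# … unchanged: _append_meta calls …
if uni.get("risk statement"):
    new_template["meta"]["risk"] = uni["risk statement"]
# … unchanged: major defence laboratories …
if uni.get("location"):
    _loc = uni["location"][0]
    if _loc["name"] != "":
        new_template["meta"]["address"] = _loc["name"]
    if _loc["lat"] != "":
        new_template["meta"]["lat"] = _loc["lat"]
    if _loc["long"] != "":
        new_template["meta"]["long"] = _loc["long"]
# … unchanged: base["values"].append(new_template) …
```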