From 193b474ad2881aac96ef67c6a84f6a3afc4d4732 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 25 Jan 2018 15:41:47 +0100
Subject: [PATCH] add: Nexus Zeta is no stranger when it comes to implementing SOAP relatedrelated exploit ;-)
---
 clusters/threat-actor.json | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 123bc15..dab86b1 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2264,6 +2264,10 @@
 },
 "value": "Dark Caracal",
 "description": "Lookout and Electronic Frontier Foundation (EFF) have discovered Dark Caracal, a persistent and prolific actor, who at the time of writing is believed to be administered out of a building belonging to the Lebanese General Security Directorate in Beirut. At present, we have knowledge of hundreds of gigabytes of exfiltrated data, in 21+ countries, across thousands of victims. Stolen data includes enterprise intellectual property and personally identifiable information."
+ },
+ {
+ "value": "Nexus Zeta",
+ "description": "Nexus Zeta is no stranger when it comes to implementing SOAP related exploits. The threat actor has already been observed in implementing two other known SOAP related exploits, CVE-2014–8361 and CVE-2017–17215 in his Satori botnet project. A third SOAP exploit, TR-069 bug has also been observed previously in IoT botnets. This makes EDB 38722 the fourth SOAP related exploit which is discovered in the wild by IoT botnets."
 }
 ],
 "name": "Threat actor",
@@ -2278,5 +2282,5 @@
 ],
 "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
 "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
- "version": 31
+ "version": 33
 }
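Review bot: The two CVE identifiers in the new `description` are written with an en dash (`CVE-2014–8361`, `CVE-2017–17215`) rather than an ASCII hyphen, so a text search or automated correlation on the canonical IDs will not match this cluster entry; the string should read `CVE-2014-8361 and CVE-2017-17215`. The new entry also carries only `value` and `description`, while the preceding Dark Caracal entry appears to close a `meta` object just above its `value` (its start is outside the hunk). Adding a `meta` object with a `refs` link to the report this text is taken from would let analysts verify the attribution and see what `EDB 38722` refers to, which the description mentions without introducing it.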