mirror of https://github.com/MISP/misp-galaxy.git, synced 2024-11-29 18:27:19 +00:00
Merge branch 'MISP:main' into main
commit 1c549bc6f1
13 changed files with 12734 additions and 3481 deletions
26
README.md
@ -211,6 +211,14 @@ Category: *firearm* - source: *https://www.impactguns.com* - total: *5953* eleme

[[HTML](https://www.misp-galaxy.org/firearms)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/firearms.json)]

## FIRST CSIRT Services Framework

[FIRST CSIRT Services Framework](https://www.misp-galaxy.org/first-csirt-services-framework) - The Computer Security Incident Response Team (CSIRT) Services Framework is a high-level document describing in a structured way a collection of cyber security services and associated functions that Computer Security Incident Response Teams and other teams providing incident management related services may provide

Category: *csirt* - source: *https://www.first.org/standards/frameworks/csirts/csirt_services_framework_v2.1* - total: *97* elements

[[HTML](https://www.misp-galaxy.org/first-csirt-services-framework)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/first-csirt-services-framework.json)]

## FIRST DNS Abuse Techniques Matrix

[FIRST DNS Abuse Techniques Matrix](https://www.misp-galaxy.org/first-dns) - The Domain Name System (DNS) is a critical part of the Internet, including mapping domain names to IP addresses. Malicious threat actors use domain names, their corresponding technical resources, and other parts of the DNS infrastructure, including its protocols, for their malicious cyber operations. CERTs are confronted with reported DNS abuse on a continuous basis, and rely heavily on DNS analysis and infrastructure to protect their constituencies. Understanding the international customary norms applicable for detecting and mitigating DNS abuse from the perspective of the global incident response community is critical for the open Internet’s stability, security and resiliency. See also https://www.first.org/global/sigs/dns/ for more information.
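Review bot: the new FIRST CSIRT Services Framework description ends without a full stop ("... incident management related services may provide"), while the neighbouring FIRST DNS Abuse Techniques Matrix entry closes with one; if this README is generated from the cluster JSON, fix the `description` in clusters/first-csirt-services-framework.json rather than the README so the two stay in sync.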
@ -487,15 +495,15 @@ Category: *measure* - source: *MISP Project* - total: *20* elements

[Producer](https://www.misp-galaxy.org/producer) - List of threat intelligence producer from security vendors to CERTs including any producer of intelligence at large.

Category: *actor* - source: *MISP Project* - total: *33* elements
Category: *actor* - source: *MISP Project* - total: *37* elements

[[HTML](https://www.misp-galaxy.org/producer)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/producer.json)]

## Ransomware

[Ransomware](https://www.misp-galaxy.org/ransomware) - Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar
[Ransomware](https://www.misp-galaxy.org/ransomware) - Ransomware galaxy based on different sources and maintained by the MISP Project.

Category: *tool* - source: *Various* - total: *1799* elements
Category: *tool* - source: *Various* - total: *1804* elements

[[HTML](https://www.misp-galaxy.org/ransomware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ransomware.json)]

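Review bot: the rewritten Ransomware line replaces two concrete source URLs with "based on different sources", so the README no longer tells a reader where the data comes from; the `authors` array in clusters/ransomware.json (changed in this same commit) still enumerates the spreadsheet, the pastebin, the id-ransomware list and ransomlook.io, so consider naming those sources in the description or pointing at the HTML page that lists them. The Producer count (33 to 37) matches the four entries added to producer.json below.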
@ -535,7 +543,7 @@ Category: *sector* - source: *CERT-EU* - total: *118* elements

[Sigma-Rules](https://www.misp-galaxy.org/sigma-rules) - MISP galaxy cluster based on Sigma Rules.

Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2932* elements
Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2964* elements

[[HTML](https://www.misp-galaxy.org/sigma-rules)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sigma-rules.json)]

@ -599,7 +607,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements

[Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.

Category: *actor* - source: *MISP Project* - total: *721* elements
Category: *actor* - source: *MISP Project* - total: *736* elements

[[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]

@ -607,7 +615,7 @@ Category: *actor* - source: *MISP Project* - total: *721* elements

[Tidal Campaigns](https://www.misp-galaxy.org/tidal-campaigns) - Tidal Campaigns Cluster

Category: *Campaigns* - source: *https://app-api.tidalcyber.com/api/v1/campaigns/* - total: *48* elements
Category: *Campaigns* - source: *https://app-api.tidalcyber.com/api/v1/campaigns/* - total: *78* elements

[[HTML](https://www.misp-galaxy.org/tidal-campaigns)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-campaigns.json)]

@ -615,7 +623,7 @@ Category: *Campaigns* - source: *https://app-api.tidalcyber.com/api/v1/campaigns

[Tidal Groups](https://www.misp-galaxy.org/tidal-groups) - Tidal Groups Galaxy

Category: *Threat Groups* - source: *https://app-api.tidalcyber.com/api/v1/groups/* - total: *172* elements
Category: *Threat Groups* - source: *https://app-api.tidalcyber.com/api/v1/groups/* - total: *200* elements

[[HTML](https://www.misp-galaxy.org/tidal-groups)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-groups.json)]

@ -623,7 +631,7 @@ Category: *Threat Groups* - source: *https://app-api.tidalcyber.com/api/v1/group

[Tidal References](https://www.misp-galaxy.org/tidal-references) - Tidal References Cluster

Category: *References* - source: *https://app-api.tidalcyber.com/api/v1/references/* - total: *4261* elements
Category: *References* - source: *https://app-api.tidalcyber.com/api/v1/references/* - total: *4309* elements

[[HTML](https://www.misp-galaxy.org/tidal-references)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-references.json)]

@ -631,7 +639,7 @@ Category: *References* - source: *https://app-api.tidalcyber.com/api/v1/referenc

[Tidal Software](https://www.misp-galaxy.org/tidal-software) - Tidal Software Cluster

Category: *Software* - source: *https://app-api.tidalcyber.com/api/v1/software/* - total: *1003* elements
Category: *Software* - source: *https://app-api.tidalcyber.com/api/v1/software/* - total: *1014* elements

[[HTML](https://www.misp-galaxy.org/tidal-software)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-software.json)]

1366
clusters/first-csirt-services-framework.json
Normal file
File diff suppressed because it is too large
@ -619,7 +619,51 @@
},
"uuid": "3caca164-4600-42a2-b2f0-7a552a66e7b6",
"value": "JPCERT"
},
{
"description": "Proofpoint, Inc. is an American enterprise cybersecurity company based in Sunnyvale, California that provides software as a service and products for email security, identity threat defense, data loss prevention, electronic discovery, and email archiving.",
"meta": {
"country": "US",
"official-refs": [
"https://www.proofpoint.com/"
]
},
"uuid": "cae79680-67a6-4411-903c-f824dbcc813f",
"value": "Proofpoint"
},
{
"description": "Qihoo 360 (Chinese: 奇虎 360; pinyin: Qíhǔ Sānliùlíng; approximate pronunciation CHEE-hoo), full name 360 Security Technology Inc., is a Chinese internet security company that has developed the antivirus software programs 360 Safeguard and 360 Mobile Safe, the Web browser 360 Secure Browser, and the mobile application store 360 Mobile Assistant.",
"meta": {
"country": "CN",
"official-refs": [
"https://www.360.cn/"
]
},
"uuid": "28bceaef-f6ab-418b-ac5b-7e4089a808b5",
"value": "Qihoo 360"
},
{
"description": "Bitdefender provides cybersecurity solutions with leading security efficacy, performance and ease of use to small and medium businesses, mid-market enterprises and consumers.",
"meta": {
"country": "RO",
"official-refs": [
"https://www.bitdefender.com/"
]
},
"uuid": "1c141c9b-ec78-4f86-a8ea-b02944fa5492",
"value": "Bitdefender"
},
{
"description": "Avira Operations GmbH & Co. KG is a German multinational computer security software company mainly known for its Avira Free Security antivirus software. Since 2021, Avira has been owned by American software company NortonLifeLock (now Gen Digital), which also operates Norton, Avast and AVG. It was previously owned by investment firm Investcorp.",
"meta": {
"country": "DE",
"official-refs": [
"https://www.avira.com"
]
},
"uuid": "e5964f36-7644-4f73-bdfd-f24d9e006656",
"value": "Avira"
}
],
"version": 10
"version": 11
}
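Review bot: the Bitdefender `description` is vendor marketing copy ("leading security efficacy, performance and ease of use") rather than the neutral, factual wording used for Proofpoint, Qihoo 360 and Avira in the same hunk; replace it with a descriptive sentence (what the company is, where it is based, what it produces) so the producer galaxy stays informational. Minor: the Avira `official-refs` entry lacks the trailing slash the other three use, harmless but worth normalising. The version bump 10 to 11 is correct for this change.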
@ -3,10 +3,11 @@
"https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml",
"http://pastebin.com/raw/GHgpWjar",
"MISP Project",
"https://id-ransomware.blogspot.com/2016/07/ransomware-list.html"
"https://id-ransomware.blogspot.com/2016/07/ransomware-list.html",
"ransomlook.io"
],
"category": "tool",
"description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar",
"description": "Ransomware galaxy based on different sources and maintained by the MISP Project.",
"name": "Ransomware",
"source": "Various",
"type": "ransomware",
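Review bot: `ransomlook.io` is added to `authors` as a bare hostname while the neighbouring entries are either full URLs or a project name; use the same form as the per-group refs in this file (`https://www.ransomlook.io/`) or the project's name, so tooling that treats the list as links does not get a non-URL value. The description rewrite matches the README change in this commit.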
@ -28151,7 +28152,8 @@
"http://3slz4povugieoi3tw7sblxoowxhbzxeju427cffsst5fo2tizepwatid.onion",
"http://h3reihqb2y7woqdary2g3bmk3apgtxuyhx4j2ftovbhe3l5svev7bdyd.onion",
"http://h3reihqb2y7woqdary2g3bmk3apgtxuyhx4j2ftovbhe3l5svev7bdyd.onion/stm.html",
"http://pdcizqzjitsgfcgqeyhuee5u6uki6zy5slzioinlhx6xjnsw25irdgqd.onion"
"http://pdcizqzjitsgfcgqeyhuee5u6uki6zy5slzioinlhx6xjnsw25irdgqd.onion",
"http://6sf5xa7eso3e3vk46i5tpcqhnlayczztj7zjktzaztlotyy75zs6j7qd.onion"
],
"refs": [
"https://www.ransomlook.io/group/stormous"
@ -28414,7 +28416,8 @@
"meta": {
"links": [
"https://hunters55rdxciehoqzwv7vgyv6nt37tbwax2reroyzxhou7my5ejyid.onion",
"https://hunters33mmcwww7ek7q5ndahul6nmzmrsumfs6aenicbqon6mxfiqyd.onion/login"
"https://hunters33mmcwww7ek7q5ndahul6nmzmrsumfs6aenicbqon6mxfiqyd.onion/login",
"https://huntersinternational.net"
],
"refs": [
"https://www.ransomlook.io/group/hunters"
@ -29288,7 +29291,9 @@
{
"meta": {
"links": [
"http://dataleakypypu7uwblm5kttv726l3iripago6p336xjnbstkjwrlnlid.onion/"
"http://dataleakypypu7uwblm5kttv726l3iripago6p336xjnbstkjwrlnlid.onion/",
"http://panelqbinglxczi2gqkwderfvgq6bcv5cbjwxrksjtvr5xv7ozh5wqad.onion",
"http://panelqbinglxczi2gqkwderfvgq6bcv5cbjwxrksjtvr5xv7ozh5wqad.onion/Url=4094dd92-0f91-4699-8328-fdb7070a8230"
],
"refs": [
"https://www.ransomlook.io/group/el dorado"
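Review bot: the third link added here carries a token in its path (`/Url=4094dd92-0f91-4699-8328-fdb7070a8230`) that looks like a per-session or per-victim identifier rather than a stable address; keep only the panel's base onion address (already present as the second link) so the galaxy does not preserve a one-off value. Also visible in the context line: the ref `https://www.ransomlook.io/group/el dorado` contains an unencoded space and should be `https://www.ransomlook.io/group/el%20dorado`.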
@ -29444,7 +29449,9 @@
"meta": {
"links": [
"http://c2mdhim6btaiyae3xqthnxsz64brvdxsnbty4tvos65zb565y4v55iid.onion",
"http://c2mdhim6btaiyae3xqthnxsz64brvdxsnbty4tvos65zb565y4v55iid.onion/b/"
"http://c2mdhim6btaiyae3xqthnxsz64brvdxsnbty4tvos65zb565y4v55iid.onion/b/",
"http://c2mdhim6btaiyae3xqthnxsz64brvdxsnbty4tvos65zb565y4v55iid.onion/blogs.html",
"http://pyrx.cc"
],
"refs": [
"https://www.ransomlook.io/group/pyrx"
@ -29472,7 +29479,11 @@
"links": [
"http://e27z5kd2rjsern2gpgukhcioysqlfquxgf7rxpvcwepxl4lfc736piyd.onion",
"http://cybertube.video/web/index.html#!/details?id=0c3b52f6e73709725dc6e12b30b139d9&serverId=2be5e68176ff4f8fbb930fe66321ab72",
"http://e27z5kd2rjsern2gpgukhcioysqlfquxgf7rxpvcwepxl4lfc736piyd.onion/back/getallblogs"
"http://e27z5kd2rjsern2gpgukhcioysqlfquxgf7rxpvcwepxl4lfc736piyd.onion/back/getallblogs",
"http://dispossessor.com",
"http://dispossessor-cloud.com",
"http://cybernewsint.com",
"http://redhotcypher.com"
],
"refs": [
"https://www.ransomlook.io/group/dispossessor"
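Review bot: four clearnet domains are added with only the ransomlook group page as supporting `refs`; `cybernewsint.com` and `redhotcypher.com` do not carry the group's name, so a reader of the entry cannot tell why they are attributed to dispossessor. Add a reference that documents the attribution for those two, or leave them out until one exists.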
@ -29488,7 +29499,8 @@
"http://nullbulge.co/blog.html",
"http://nullbulge.se",
"http://nullbulge.com",
"http://goocasino.org"
"http://goocasino.org",
"http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion"
],
"refs": [
"https://www.ransomlook.io/group/nullbulge"
@ -29570,12 +29582,26 @@
"value": "ransomcortex"
},
{
"description": "",
"meta": {
"links": [
"http://lynxblog.net/",
"http://lynxbllrfr5262yvbgtqoyq76s7mpztcqkv6tjjxgpilpma7nyoeohyd.onion/leaks",
"http://lynxch2k5xi35j7hlbmwl7d6u2oz4vp2wqp6qkwol624cod3d6iqiyqd.onion/login",
"http://lynxblog.net/leaks"
"http://lynxblog.net/leaks",
"http://lynxchatly4zludmhmi75jrwhycnoqvkxb4prohxmyzf4euf5gjxroad.onion/login",
"http://lynxchatohmppv6au67lloc2vs6chy7nya7dsu2hhs55mcjxp2joglad.onion/login",
"http://lynxchatbykq2vycvyrtjqb3yuj4ze2wvdubzr2u6b632trwvdbsgmyd.onion/login",
"http://lynxchatde4spv5x6xlwxf47jdo7wtwwgikdoeroxamphu3e7xx5doqd.onion/login",
"http://lynxchatdy3tgcuijsqofhssopcepirjfq2f4pvb5qd4un4dhqyxswqd.onion/login",
"http://lynxchatdykpoelffqlvcbtry6o7gxk3rs2aiagh7ddz5yfttd6quxqd.onion/login",
"http://lynxblogxstgzsarfyk2pvhdv45igghb4zmthnzmsipzeoduruz3xwqd.onion",
"http://lynxblogco7r37jt7p5wrmfxzqze7ghxw6rihzkqc455qluacwotciyd.onion",
"http://lynxblogijy4jfoblgix2klxmkbgee4leoeuge7qt4fpfkj4zbi2sjyd.onion",
"http://lynxblogmx3rbiwg3rpj4nds25hjsnrwkpxt5gaznetfikz4gz2csyad.onion",
"http://lynxblogoxllth4b46cfwlop5pfj4s7dyv37yuy7qn2ftan6gd72hsad.onion",
"http://lynxblogtwatfsrwj3oatpejwxk5bngqcd5f7s26iskagfu7ouaomjad.onion",
"http://lynxblogxutufossaeawlij3j3uikaloll5ko6grzhkwdclrjngrfoid.onion"
],
"refs": [
"https://www.ransomlook.io/group/lynx"
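Review bot: the entry still carries `"description": ""` (visible as context at the top of the hunk); an empty string is not a description, and the other entries in this file omit the key when there is nothing to say, so drop it while touching this entry. Listing both the `/login` mirrors and the blog addresses under `links` is consistent with the rest of the file.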
@ -29595,7 +29621,68 @@
},
"uuid": "5cc68850-aeb0-507f-a981-9457bcf37c0c",
"value": "rtm locker"
},
{
"meta": {
"links": [
"http://radar.ltd"
],
"refs": [
"https://www.ransomlook.io/group/radar"
]
},
"uuid": "0b0e39f8-1a22-58da-98ea-96f4819a68fa",
"value": "radar"
},
{
"meta": {
"links": [
"http://onyxcgfg4pjevvp5h34zvhaj45kbft3dg5r33j5vu3nyp7xic3vrzvad.onion/"
],
"refs": [
"https://www.ransomlook.io/group/helldown"
]
},
"uuid": "1fe17577-91bb-581b-8189-c61f05cf35aa",
"value": "helldown"
},
{
"description": "Official twitter account: https://x.com/ValenciaLeaks72",
"meta": {
"links": [
"http://6doyqxqqj36vnedtt2zwxmngx52mgyp7brbrtwkyd75jgiolocoybgid.onion/"
],
"refs": [
"https://www.ransomlook.io/group/valencia leaks"
]
},
"uuid": "af5911d6-37d6-513c-a90e-1b373378f55f",
"value": "valencia leaks"
},
{
"meta": {
"links": [
"http://xzbltrroh4ocknyi7kj2ucjuw63fhyy23dh6lplydl545d33kbygw2id.onion/home"
],
"refs": [
"https://www.ransomlook.io/group/soleenya"
]
},
"uuid": "c6c0200a-9c77-5285-ad47-74c7a3d53bdb",
"value": "soleenya"
},
{
"meta": {
"links": [
"http://orca66hwnpciepupe5626k2ib6dds6zizjwuuashz67usjps2wehz4id.onion"
],
"refs": [
"https://www.ransomlook.io/group/orca"
]
},
"uuid": "2a1e103b-da5f-56d6-a0c8-5daff4c4fd87",
"value": "orca"
}
],
"version": 130
"version": 133
}
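Review bot: the `valencia leaks` entry puts a social-media URL into `description` ("Official twitter account: https://x.com/ValenciaLeaks72"); a URL belongs in `meta.links` so consumers can match on it, and `description` should describe the group or be omitted. Its ref `https://www.ransomlook.io/group/valencia leaks` also contains an unencoded space and should be percent-encoded (`valencia%20leaks`). The version bump 130 to 133 is plausible for a merge of several upstream commits.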
File diff suppressed because it is too large
@ -13773,7 +13773,11 @@
"meta": {
"refs": [
"https://www.securonix.com/blog/securonix-threat-labs-monthly-intelligence-insights-june-2023/",
"https://www.paloaltonetworks.com/blog/security-operations/through-the-cortex-xdr-lens-uncovering-a-new-activity-group-targeting-governments-in-the-middle-east-and-africa/"
"https://www.paloaltonetworks.com/blog/security-operations/through-the-cortex-xdr-lens-uncovering-a-new-activity-group-targeting-governments-in-the-middle-east-and-africa/",
"https://unit42.paloaltonetworks.com/operation-diplomatic-specter/"
],
"synonyms": [
"TGR-STA-0043"
]
},
"uuid": "5d0aee14-f18a-44da-a44d-28d950f06b9c",
@ -16511,6 +16515,179 @@
|
|||
},
|
||||
"uuid": "34f2d3ad-e367-4058-a10b-1f7a4274c418",
|
||||
"value": "Hive0137"
|
||||
},
|
||||
{
|
||||
"description": "UNC4540 is a suspected Chinese threat actor targeting unpatched SonicWall Secure Mobile Access appliances to deploy custom malware that establishes long-term persistence for cyber espionage. The malware is designed to steal hashed credentials, provide shell access, and persist through firmware upgrades, utilizing a variant of the TinyShell backdoor. Mandiant has tracked UNC4540's activities back to 2021, noting their focus on maintaining access to compromised devices. The group's tactics are consistent with patterns observed in other Chinese threat actor campaigns targeting network devices for zero-day exploits.",
|
||||
"meta": {
|
||||
"country": "CN",
|
||||
"refs": [
|
||||
"https://www.mandiant.com/resources/blog/suspected-chinese-persist-sonicwall"
|
||||
]
|
||||
},
|
||||
"uuid": "e6b27374-5055-4c2c-950b-06b4fc75a210",
|
||||
"value": "UNC4540"
|
||||
},
|
||||
{
|
||||
"description": "TIDRONE is an unidentified threat actor linked to Chinese-speaking groups, with a focus on military-related industry chains, particularly drone manufacturers in Taiwan. The actor employs advanced malware variants such as CXCLNT and CLNTEND, which are distributed through ERP software or remote desktops. The consistency in file compilation times and operational patterns aligns with other Chinese espionage activities, indicating a likely espionage motive.",
|
||||
"meta": {
|
||||
"country": "CN",
|
||||
"refs": [
|
||||
"https://www.trendmicro.com/en_us/research/24/i/tidrone-targets-military-and-satellite-industries-in-taiwan.html"
|
||||
]
|
||||
},
|
||||
"uuid": "020d512f-0636-482b-8033-2bd404e0321f",
|
||||
"value": "TIDRONE"
|
||||
},
|
||||
{
|
||||
"description": "Actor240524 is a newly identified APT group that targeted Azerbaijani and Israeli diplomats through spear-phishing emails to steal sensitive data. The group employs a Trojan program known as ABCloader and ABCsync, demonstrating capabilities to steal secrets and modify file data. Their operations appear to focus on undermining the cooperative relationship between Azerbaijan and Israel. Actor240524 utilizes various countermeasures to obscure their attack tactics and techniques.",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://nsfocusglobal.com/new-apt-group-actor240524-a-closer-look-at-its-cyber-tactics-against-azerbaijan-and-israel/"
|
||||
]
|
||||
},
|
||||
"uuid": "6f394add-1703-41e7-be27-d79613f9929c",
|
||||
"value": "Actor240524"
|
||||
},
|
||||
{
|
||||
"description": "ZeroSevenGroup is a threat actor that claims to have breached a U.S. branch of Toyota, stealing 240GB of sensitive data, including employee and customer information, contracts, and financial details. They have also allegedly gained full network access to critical Israeli infrastructure, with access to 80TB of sensitive data across various sectors. The group has threatened to use the stolen data for malicious activities, including ransomware attacks. Their operations involve exploiting vulnerabilities, as indicated by their reference to manipulating memory through buffer overflow techniques.",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://siliconangle.com/2024/08/20/toyota-alleges-stolen-customer-data-published-hacking-site-came-outside-supplier/",
|
||||
"https://www.oodaloop.com/briefs/2024/08/21/toyota-customer-employee-data-leaked-in-confirmed-data-breach/"
|
||||
]
|
||||
},
|
||||
"uuid": "c54b9a98-1436-4e29-b194-e5bde003dd4d",
|
||||
"value": "ZeroSevenGroup"
|
||||
},
|
||||
{
|
||||
"description": "UNC2970 is a North Korean threat actor that primarily targets organizations through spear-phishing emails with job recruitment themes, often utilizing fake LinkedIn accounts to engage victims. The group employs the PLANKWALK backdoor and other malware families, leveraging compromised WordPress sites for command and control. They have been observed using BYOVD techniques to exploit vulnerable drivers for evading detection. Mandiant has noted a shift in UNC2970's targeting strategy, including a focus on security researchers and advancements in their operational capabilities against EDR tools.",
|
||||
"meta": {
|
||||
"country": "KP",
|
||||
"refs": [
|
||||
"https://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970"
|
||||
]
|
||||
},
|
||||
"uuid": "e40cf515-f155-46d4-b174-88b38383f9bb",
|
||||
"value": "UNC2970"
|
||||
},
|
||||
{
|
||||
"description": "SILKFIN AGENCY has claimed responsibility for multiple significant data breaches, including the compromise of DimeCuba.com, which exposed over 1 million SMS records and more than 100,000 email records. They also targeted the Sri Lankan Department of Agrarian Development, allegedly compromising the personal and agricultural data of over 1.45 million farmers. Additionally, they claimed a breach of the Siam Cement Group's database. The breaches involved sensitive data such as NIC numbers and transaction details.",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://dailydarkweb.net/threat-actor-claims-breach-of-siam-cement-group-database/",
|
||||
"https://dailydarkweb.net/threat-actor-claimed-to-breach-database-of-dimecuba/",
|
||||
"https://dailydarkweb.net/a-threat-actor-alleged-breach-of-sri-lankan-farmers-community-database/"
|
||||
]
|
||||
},
|
||||
"uuid": "b1fd5c1a-f0e9-42b1-b386-9925c02ba508",
|
||||
"value": "SILKFIN AGENCY"
|
||||
},
|
||||
{
|
||||
"description": "UNC4536 is a threat actor that distributes malware, including ICEDID, REDLINESTEALER, and CARBANAK, primarily through malvertising and trojanized MSIX installers masquerading as popular software. They utilize SEO poisoning tactics to direct victims to malicious sites that mimic legitimate software hosting platforms, facilitating the download of compromised installers. The actor employs a PowerShell script known as NUMOZYLOD to deliver tailored payloads, such as the CARBANAK backdoor, to their partners. Additionally, UNC4536 has been linked to campaigns that distribute NetSupport RAT, targeting IT administrators through fake sites promoted via Google Ads.",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Unveiling-NUMOZYLOD-with-Google-Security/ba-p/789551"
|
||||
]
|
||||
},
|
||||
"uuid": "5a00ccdb-7987-4563-af4f-e368af8406df",
|
||||
"value": "UNC4536"
|
||||
},
|
||||
{
|
||||
"description": "UAC-0154 is a threat actor orchestrating the STARK#VORTEX phishing campaign, specifically targeting Ukraine’s military. They employ a Microsoft Help file containing obfuscated JavaScript as a lure, disguised as a manual for Pilot-in-Command Drones, to deliver the MerlinAgent malware. This PowerShell-based RAT is heavily obfuscated and downloads a payload from a remote server, enabling full control over compromised systems. The group initially targeted Ukrainian entities using military-themed documents sent via email to @ukr.net addresses.",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://www.securonix.com/blog/securonix-threat-labs-monthly-intelligence-insights-september-2023/"
|
||||
]
|
||||
},
|
||||
"uuid": "8356805a-5612-449c-9fdc-cbe536c1f392",
|
||||
"value": "UAC-0154"
|
||||
},
|
||||
{
|
||||
"description": "IRLeaks is a threat actor known for significant cyberattacks targeting Iranian organizations, including a major breach of SnappFood, where they exfiltrated 3TB of sensitive data from 20 million user profiles. They have also compromised data from 23 leading Iranian insurance companies, offering over 160 million records for sale. Their operations involve extortion tactics, as seen in the ransom negotiations with Tosan, and they utilize malware such as StealC for data extraction. IRLeaks communicates primarily in Persian and has been active in selling stolen data on cybercriminal marketplaces.",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://www.hackread.com/iranian-food-delivery-snappfood-cyber-attack/",
|
||||
"https://cisoseries.com/cyber-security-headlines-google-5b-suit-settled-orbit-chain-loses-80m-fda-cyber-agreement/",
|
||||
"https://www.oodaloop.com/briefs/2024/01/04/pilfered-data-from-iranian-insurance-and-food-delivery-firms-leaked-online/",
|
||||
"https://cybershafarat.com/2024/09/04/major-ir-leaks/",
|
||||
"https://www.scmagazine.com/brief/significant-ransom-payment-by-major-iranian-it-firm-underway"
|
||||
]
|
||||
},
|
||||
"uuid": "f0a50fa0-25ca-4346-a666-390923f2c5a1",
|
||||
"value": "IRLeaks"
|
||||
},
|
||||
{
|
||||
"description": "RaHDit is a pro-Kremlin hacktivist group known for orchestrating hack-and-leak operations, including the publication of personal information about Ukrainian military intelligence personnel and their associates. The group has been linked to Russian intelligence and has claimed to provide actionable intelligence to the Russian army. RaHDit operates a website called NemeZida, where they disclose sensitive data, and has been involved in disinformation campaigns supporting Russian narratives. Their activities include collaboration with other hacktivist groups and targeting Ukrainian cyberdefense efforts.",
|
||||
"meta": {
|
||||
"country": "RU",
|
||||
"refs": [
|
||||
"https://flashpoint.io/blog/pro-kremlin-hacktivist-groups/",
|
||||
"https://news.risky.biz/risky-biz-news-doppelganger-gets-a-kick-in-the-butt-from-uncle-sam/"
|
||||
],
|
||||
"synonyms": [
|
||||
"Russian Angry Hackers Did It"
|
||||
]
|
||||
},
|
||||
"uuid": "1e3efe43-9006-4ac8-b9ee-f1fbb9794cd9",
|
||||
"value": "RaHDit"
|
||||
},
|
||||
{
|
||||
"description": "UAT-5394 is a state-sponsored North Korean threat actor known for developing the MoonPeak RAT, which is based on XenoRAT. They have transitioned from using QuasarRAT to MoonPeak and have established command and control infrastructure. UAT-5394 employs tactics such as using RDP for remote access and has implemented State Machines in their malware to complicate analysis. Their activity indicates a focus on rapidly evolving their malware and infrastructure to enhance operational capabilities.",
|
||||
"meta": {
|
||||
"country": "KP",
|
||||
"refs": [
|
||||
"https://blog.talosintelligence.com/moonpeak-malware-infrastructure-north-korea/"
|
||||
]
|
||||
},
|
||||
"uuid": "6038ceaf-4c1b-470d-af36-c62948488786",
|
||||
"value": "UAT-5394"
|
||||
},
|
||||
{
|
||||
"description": "Storm-1679 is a Russian disinformation group believed to be a spinoff of the Internet Research Agency, actively engaged in influence operations targeting the International Olympic Committee and the 2024 Olympic Games. The group has employed AI-generated content, including deepfake videos and fabricated narratives about violence, to discredit the IOC and instill fear among potential attendees. Their campaigns have been identified across multiple languages and platforms, utilizing techniques such as impersonation of media outlets and the creation of disinformation websites. Microsoft attributes significant disinformation activities related to the Olympics to Storm-1679, highlighting their focus on spreading falsehoods and promoting anti-Olympics messaging.",
|
||||
"meta": {
|
||||
"country": "RU",
|
||||
"refs": [
|
||||
"https://blogs.microsoft.com/on-the-issues/2024/06/02/russia-cyber-bots-disinformation-2024-paris-olympics/"
|
||||
]
|
||||
},
|
||||
"uuid": "10582c97-90de-4f2b-8e4d-21513c3971fc",
|
||||
"value": "Storm-1679"
|
||||
},
|
||||
{
|
||||
"description": "Fail0verflow is a hacking group known for exploiting vulnerabilities in gaming consoles, notably the Nintendo Wii and PlayStation 3. They utilized techniques such as RAM shorting, buffer overflow, and a signing bug to achieve code execution and develop the Homebrew Channel for the Wii. In 2010, they compromised an ECDSA key for the PS3, and later announced the retrieval of PS5 symmetric root keys, enabling the potential for custom firmware and homebrew software. Their exploits often involve kernel access and have raised concerns about the implications for piracy and litigation in the gaming community.",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://blog.0x7d0.dev/history/how-the-nintendo-wii-security-was-defeated/",
|
||||
"https://arstechnica.com/gaming/2021/11/uncovered-ps5-encryption-keys-are-the-first-step-to-unlocking-the-console/",
|
||||
"https://malware.news/t/playstation-5-hacked-twice/54441/1"
|
||||
],
|
||||
"synonyms": [
|
||||
"Team Twiizer"
|
||||
]
|
||||
},
|
||||
"uuid": "096c57c1-263f-463e-8089-e553872db149",
|
||||
"value": "Fail0verflow"
|
||||
},
|
||||
{
|
||||
"description": "UTG-Q-010 is a financially motivated APT group from East Asia that has been active since late 2022, primarily targeting the pharmaceutical industry and cryptocurrency enthusiasts. They exploit legitimate Windows processes, such as \"WerFault.exe,\" to sideload malicious DLLs like \"faultrep.dll\" and employ sophisticated phishing campaigns to deliver malware disguised as enticing content. Their recent campaigns have involved the use of the Pupy RAT and advanced defense evasion techniques, including in-memory execution and reflective DLL loading. UTG-Q-010's strategic focus on HR departments and the cryptocurrency sector highlights their understanding of target vulnerabilities and their ability to evade detection.",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://cyble.com/blog/analysing-the-utg-q-010-campaign/"
|
||||
]
|
||||
},
|
||||
"uuid": "279ca8a7-1d04-4d95-aa8c-32c758c2de2b",
|
||||
"value": "UTG-Q-010"
|
||||
},
|
||||
{
|
||||
"description": "Hikki-Chan has claimed responsibility for multiple significant data breaches, including the theft of data from 390.4 million users of VKontakte, which included sensitive personal information. The actor has also targeted Strong Current Enterprises and disclosed a breach involving the Israeli Ministry of Welfare and Social Affairs, leaking over 457,000 records. Additionally, Hikki-Chan is attributed with a breach of the Florida Office of Financial Regulation, exposing tens of thousands of records across various industries.",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://hackread.com/hacker-leaks-data-of-vk-users-russian-social-network/",
|
||||
"https://dailydarkweb.net/sensitive-israeli-ministry-data-allegedly-leaked-on-dark-web/"
|
||||
]
|
||||
},
|
||||
"uuid": "071d271a-313f-442d-9bf0-10e6eeba0a8e",
|
||||
"value": "HikkI-Chan"
|
||||
}
|
||||
],
|
||||
"version": 313
|
||||
|
|
|
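Review bot: the new value "HikkI-Chan" (capital I) does not match the spelling "Hikki-Chan" used throughout its own description; pick one form, since the value is the string MISP galaxy tags and searches key on. The two refs also only support the VKontakte and Israeli ministry claims, while the Strong Current Enterprises and Florida Office of Financial Regulation breaches in the same description have no supporting reference, so either add sources for them or drop those sentences.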
@ -15,7 +15,10 @@
|
|||
"campaign_attack_id": "C0028",
|
||||
"first_seen": "2015-12-01T05:00:00Z",
|
||||
"last_seen": "2016-01-01T05:00:00Z",
|
||||
"source": "MITRE"
|
||||
"source": "MITRE",
|
||||
"tags": [
|
||||
"3ed3f7a6-b446-4fbc-a433-ff1d63c0e647"
|
||||
]
|
||||
},
|
||||
"related": [],
|
||||
"uuid": "96e367d0-a744-5b63-85ec-595f505248a3",
|
||||
|
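Review bot: the same tag UUID 3ed3f7a6-b446-4fbc-a433-ff1d63c0e647 is appended to three MITRE-sourced campaigns (C0028 here, C0025 and C0034 in the next two hunks), but nothing in the diff shows what that tag resolves to. Please confirm the tag object exists in the galaxy and state in the commit message why these three campaigns receive it, so the change can be reviewed without opening the Tidal tag list.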
@ -27,7 +30,10 @@
|
|||
"campaign_attack_id": "C0025",
|
||||
"first_seen": "2016-12-01T05:00:00Z",
|
||||
"last_seen": "2016-12-01T05:00:00Z",
|
||||
"source": "MITRE"
|
||||
"source": "MITRE",
|
||||
"tags": [
|
||||
"3ed3f7a6-b446-4fbc-a433-ff1d63c0e647"
|
||||
]
|
||||
},
|
||||
"related": [],
|
||||
"uuid": "06197e03-e1c1-56af-ba98-5071f98f91f1",
|
||||
|
@ -39,7 +45,10 @@
|
|||
"campaign_attack_id": "C0034",
|
||||
"first_seen": "2022-06-01T04:00:00Z",
|
||||
"last_seen": "2022-10-01T04:00:00Z",
|
||||
"source": "MITRE"
|
||||
"source": "MITRE",
|
||||
"tags": [
|
||||
"3ed3f7a6-b446-4fbc-a433-ff1d63c0e647"
|
||||
]
|
||||
},
|
||||
"related": [],
|
||||
"uuid": "a79e06d1-df08-5c72-9180-2c373274f889",
|
||||
|
@ -103,6 +112,110 @@
|
|||
"uuid": "d25f0485-fdf3-4b85-b2ec-53e98e215d0b",
|
||||
"value": "2023 Zoho ManageEngine APT Exploits"
|
||||
},
|
||||
{
|
||||
"description": "AMBERSQUID is a \"cloud-native\" financially motivated threat operation that specifically leverages AWS services. Researchers estimated that AMBERSQUID cryptojacking activity could cost its victims more than $10,000 per day.<sup>[[Sysdig AMBERSQUID September 18 2023](/references/7ffa880f-5854-4b8a-83f5-da42c1c39345)]</sup>",
|
||||
"meta": {
|
||||
"campaign_attack_id": "C5031",
|
||||
"first_seen": "2022-05-01T00:00:00Z",
|
||||
"last_seen": "2023-03-31T00:00:00Z",
|
||||
"owner": "TidalCyberIan",
|
||||
"source": "Tidal Cyber",
|
||||
"tags": [
|
||||
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
|
||||
"2e5f6e4a-4579-46f7-9997-6923180815dd",
|
||||
"8d95e4d6-9a1e-4920-9f5c-83d9fe07a66e",
|
||||
"2feda37d-5579-4102-a073-aa02e82cb49f"
|
||||
]
|
||||
},
|
||||
"related": [],
|
||||
"uuid": "cf42d51a-8002-4f04-a930-21c15115769f",
|
||||
"value": "AMBERSQUID"
|
||||
},
|
||||
{
|
||||
"description": "In July 2024, U.S. cybersecurity authorities and international partners published Cybersecurity Advisory AA24-207A, which detailed North Korean state-sponsored cyber espionage activity likely intended to support the regime's military and nuclear development programs. The advisory focused on an actor group tracked as Andariel, Onyx Sleet, and APT45 and highlighted how this group has shifted from conducting destructive attacks to carrying out espionage operations that have been funded through ransomware. Where past destructive operations mainly targeted U.S. and South Korean entities, recent espionage attacks targeted various defense, aerospace, nuclear, and engineering organizations, while ransomware attacks targeted U.S. healthcare entities.\n\nAndariel actors gain initial access especially by exploiting software vulnerabilities, use widely available tools for discovery and privilege escalation, and leverage a wide range of custom as well as commodity malware. The advisory does not clearly identify the timeframe in which malicious activities were observed, although it discusses actors' exploits of vulnerabilities disclosed in 2017, 2019, and especially 2021, 2022, and 2023 and referenced public threat reporting published from March 2021 through May 2024.<sup>[[U.S. CISA Andariel July 25 2024](/references/b615953e-3c6c-4201-914c-4b75e45bb9ed)]</sup>",
|
||||
"meta": {
|
||||
"campaign_attack_id": "C5048",
|
||||
"first_seen": "2021-03-01T00:00:00Z",
|
||||
"last_seen": "2024-05-30T00:00:00Z",
|
||||
"owner": "TidalCyberIan",
|
||||
"source": "Tidal Cyber",
|
||||
"tags": [
|
||||
"af5e9be5-b86e-47af-91dd-966a5e34a186",
|
||||
"27a117ce-bb19-4f79-9bc2-a851b69c5c50",
|
||||
"6070668f-1cbd-4878-8066-c636d1d8659c",
|
||||
"61cdbb28-cbfd-498b-9ab1-1f14337f9524",
|
||||
"e551ae97-d1b4-484e-9267-89f33829ec2c",
|
||||
"15787198-6c8b-4f79-bf50-258d55072fee",
|
||||
"4f4744b0-8401-423c-9ed0-3cb2985d9fd3",
|
||||
"ddfaecd0-bd3e-41ac-85c7-ca2156684343",
|
||||
"0dbed83d-af67-4ce0-a1ee-16f1165fdc0f",
|
||||
"6422a882-7606-4aa3-b994-f917f53c2ada",
|
||||
"c1b123d2-ce58-4345-8482-d1da27b3c053",
|
||||
"f166e59e-9877-4102-a39b-fae38df4b790",
|
||||
"6a82d685-3f77-498d-91c3-a759292ec2da",
|
||||
"a32a757a-9d6b-43ca-ac4b-5f695dd0f110",
|
||||
"ac70560d-c3e7-4b40-a4d6-a3287e3d952b",
|
||||
"75f62312-a7ee-4534-8c8a-e3b7366a3a4b",
|
||||
"887d1cfe-d0c5-431c-8dce-0e1b9a2505aa",
|
||||
"96eec53f-355c-406c-87ba-18c3be4c69a1",
|
||||
"54fafdbe-1ea0-4f48-99ad-757c8fe50df2",
|
||||
"35b334ec-4169-4898-ab90-487eea7feb69",
|
||||
"4ac4e1b9-2192-47ac-a4d1-3a31aa0f2140",
|
||||
"936a56f5-a4f1-42d8-83b7-c44399ead661",
|
||||
"0d19ceed-28f6-4258-b365-f6e6f296121d",
|
||||
"037cc75c-9683-49db-aaa8-c8142763bb87",
|
||||
"ff71ed89-8355-4abc-9da4-eb4768a38c9c",
|
||||
"6fade0a3-0c26-4a11-b81e-25d20e38bdd3",
|
||||
"3b54d8a5-580f-43bf-a12d-8e011f953bad",
|
||||
"0f6e72e1-ba8f-4d1d-920d-d8945a4fee59",
|
||||
"7bbc5366-897a-4505-bc68-3a18e3d4cf44",
|
||||
"4cd85398-c33a-4374-9a76-2bbf297cca63",
|
||||
"5ec8231e-70e9-4675-b922-368bcb9e914a",
|
||||
"21c64d34-e52a-42ba-a8c7-85aa82dc0b3f",
|
||||
"cd9ab9e7-248f-4097-b120-a42834ce0f89",
|
||||
"91ddbeac-b587-4978-a80d-543a5d96cb77",
|
||||
"b8448700-7ed0-48b8-85f5-ed23e0d9ab97",
|
||||
"12b074b9-6748-4ad7-880f-836cb80587e1",
|
||||
"45f92502-0775-4fc6-8fcd-97b325ea49a9",
|
||||
"cddb4563-fe90-4c72-be81-6256d175a698",
|
||||
"69f278d7-194f-42d0-8f83-11de9f861264",
|
||||
"f0c58aa3-5d21-4ade-95a0-b775dde7e8a3",
|
||||
"5f9b1c23-81f8-4aa3-8d97-235302e77eec",
|
||||
"d842c7ff-e3d3-4534-9ed7-283752f4bbe2",
|
||||
"ecd84106-2a5b-4d25-854e-b8d1f57f6b75",
|
||||
"7e6ef160-8e4f-4132-bdc4-9991f01c472e",
|
||||
"532b7819-d407-41e9-9733-0d716b69eb17",
|
||||
"e401022a-36ac-486d-8503-dd531410a927",
|
||||
"173e1480-8d9b-49c5-854d-594dde9740d6",
|
||||
"7551097a-dfdd-426f-aaa2-a2916dd9b873",
|
||||
"c475ad68-3fdc-4725-8abc-784c56125e96",
|
||||
"08809fa0-61b6-4394-b103-1c4d19a5be16",
|
||||
"4ac8dcde-2665-4066-9ad9-b5572d5f0d28",
|
||||
"5e7433ad-a894-4489-93bc-41e90da90019",
|
||||
"7e7b0c67-bb85-4996-a289-da0e792d7172"
|
||||
]
|
||||
},
|
||||
"related": [],
|
||||
"uuid": "458dc371-5dc2-4e6c-8157-3a872dd29726",
|
||||
"value": "Andariel Espionage Activity"
|
||||
},
|
||||
{
|
||||
"description": "Threat actors, believed to be associated with the FIN7 financially motivated adversary group, stood up malicious hosting websites impersonating prominent brands in the financial services, technology/SaaS, and media sectors, then used paid web search advertisements to direct victims to these sites. Victims were then tricked into downloading malicious binaries, which ultimately led to the ingress of the NetSupport RAT and/or DiceLoader (aka Lizar) malware (these latter tools are known to be used for a range of persistent access and malware ingress purposes).<sup>[[Esentire 5 8 2024](/references/67c3a7ed-e2e2-4566-aca7-61e766f177bf)]</sup>",
|
||||
"meta": {
|
||||
"campaign_attack_id": "C5038",
|
||||
"first_seen": "2024-04-01T00:00:00Z",
|
||||
"last_seen": "2024-04-30T00:00:00Z",
|
||||
"owner": "TidalCyberIan",
|
||||
"source": "Tidal Cyber",
|
||||
"tags": [
|
||||
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
|
||||
"2feda37d-5579-4102-a073-aa02e82cb49f"
|
||||
]
|
||||
},
|
||||
"related": [],
|
||||
"uuid": "2b869157-0b66-42fc-8ead-171160412660",
|
||||
"value": "April 2024 FIN7 Malvertising Campaign"
|
||||
},
|
||||
{
|
||||
"description": "In April 2023, U.S. and UK cybersecurity authorities released joint Cybersecurity Advisory AA23-108, which detailed a campaign by Russia-backed APT28 to compromise vulnerable routers running Cisco Internetworking Operating System (IOS). Actors collected device information and conducted further network reconnaissance on victims “worldwide”, including U.S. government institutions, 250 Ukrainian entities, and “a small number” of victims elsewhere in Europe. Adversary activity occurred over an unspecified timeframe in 2021.\n\nActors exploited CVE-2017-6742, a Simple Network Management Protocol (SNMP) vulnerability for which Cisco released a patch in 2017, and used default authentication strings to gain initial access to devices and subsequently gather router information, such as router interface details. In some cases, authorities observed actors deploying Jaguar Tooth, a malicious software bundle consisting of a series of payloads and patches. Jaguar Tooth deployments allowed actors to collect further device information via execution of Cisco IOS Command Line Interface commands, discover other network devices, and achieve unauthenticated, backdoor access to victim systems.<sup>[[U.S. CISA APT28 Cisco Routers April 18 2023](/references/c532a6fc-b27f-4240-a071-3eaa866bce89)]</sup>\n\nIn addition to behavioral observations, the Advisory also provided mitigation recommendations and indicators of compromise, which can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-108).\n\n**Related Vulnerabilities**: CVE-2017-6742<sup>[[U.S. CISA APT28 Cisco Routers April 18 2023](/references/c532a6fc-b27f-4240-a071-3eaa866bce89)]</sup>",
|
||||
"meta": {
|
||||
|
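Review bot: in the Andariel Espionage Activity entry, first_seen 2021-03-01 and last_seen 2024-05-30 line up with the span of public reporting the description says the advisory cited (March 2021 through May 2024), while the same description states the advisory does not clearly identify when the activity occurred. Say explicitly in the description that first_seen/last_seen reflect the reporting window rather than observed activity, otherwise consumers will read them as activity dates.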
@ -178,6 +291,54 @@
|
|||
"uuid": "80ae546a-70e5-4427-be1d-e74efc428ffd",
|
||||
"value": "APT29 TeamCity Exploits"
|
||||
},
|
||||
{
|
||||
"description": "On July 8, 2024, international authorities published an advisory (CISA Alert AA24-190A) that detailed recent activity associated with APT40, a Chinese state-sponsored cyber espionage group. The advisory covers observed attacks on Australian organizations, but the group has been recently active elsewhere (Tidal metadata shows observed activity historically across East/Southeast Asia, the Middle East, Europe, and North America). The advisory emphasized that the recently published TTPs are relevant for defenders at organizations “globally”.\n\nThe advisory spotlighted the group's efforts to compromise outdated small-office/home-office (SOHO) routers via vulnerability exploits, using the routers as infrastructure to carry out further attacks. However, the advisory also summarized a range of other Techniques not previously associated with APT40, which were used at phases across the attack chain, including for persistence, credential access, lateral movement, collection, and exfiltration.<sup>[[U.S. CISA APT40 July 8 2024](/references/3bf90a48-caf6-4b9d-adc2-3d1176f49ffc)]</sup>",
|
||||
"meta": {
|
||||
"campaign_attack_id": "C5047",
|
||||
"first_seen": "2022-04-01T00:00:00Z",
|
||||
"last_seen": "2022-09-30T00:00:00Z",
|
||||
"owner": "TidalCyberIan",
|
||||
"source": "Tidal Cyber",
|
||||
"tags": [
|
||||
"96d58ca1-ab18-4e53-8891-d8ba62a47e5d",
|
||||
"6070668f-1cbd-4878-8066-c636d1d8659c",
|
||||
"d8f7e071-fbfd-46f8-b431-e241bb1513ac",
|
||||
"758c3085-2f79-40a8-ab95-f8a684737927",
|
||||
"1dc8fd1e-0737-405a-98a1-111dd557f1b5",
|
||||
"61cdbb28-cbfd-498b-9ab1-1f14337f9524",
|
||||
"e551ae97-d1b4-484e-9267-89f33829ec2c",
|
||||
"15787198-6c8b-4f79-bf50-258d55072fee",
|
||||
"35e694ec-5133-46e3-b7e1-5831867c3b55",
|
||||
"375983b3-6e87-4281-99e2-1561519dd17b",
|
||||
"3ed2343c-a29c-42e2-8259-410381164c6a",
|
||||
"a46c422c-5dad-49fc-a4ac-169a075a4d9a",
|
||||
"2eeef0b4-08b5-4d25-84f7-25d41fe6305b",
|
||||
"64d3f7d8-30b7-4b03-bee2-a6029672216c",
|
||||
"7e6ef160-8e4f-4132-bdc4-9991f01c472e",
|
||||
"b20e7912-6a8d-46e3-8e13-9a3fc4813852"
|
||||
]
|
||||
},
|
||||
"related": [],
|
||||
"uuid": "3db5682a-0b99-4653-b487-bd0d30292a19",
|
||||
"value": "APT40 Recent Tradecraft"
|
||||
},
|
||||
{
|
||||
"description": "In July 2024, security researchers publicized a campaign attributed to Chinese state-sponsored espionage group APT41, where actors gained and maintained long-term access to various organizations' networks in multiple sectors around the world. Victims belonged to the shipping/logistics, media, entertainment, technology, and automotive industries and were located in western Europe, the Middle East, and East and Southeast Asia. Actors used a combination of red teaming tools, publicly available software, and custom malware for persistence, command and control, data collection, and exfiltration to Microsoft OneDrive accounts. The intrusions were notable for featuring the reemergence of DUSTPAN, a dropper not observed since a series of older APT41 compromises in 2021 & 2022.<sup>[[Mandiant APT41 July 18 2024](/references/34ee3a7c-27c0-492f-a3c6-a5a3e86915f0)]</sup>",
|
||||
"meta": {
|
||||
"campaign_attack_id": "C5049",
|
||||
"first_seen": "2023-03-21T00:00:00Z",
|
||||
"last_seen": "2024-07-16T00:00:00Z",
|
||||
"owner": "TidalCyberIan",
|
||||
"source": "Tidal Cyber",
|
||||
"tags": [
|
||||
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
|
||||
"2feda37d-5579-4102-a073-aa02e82cb49f"
|
||||
]
|
||||
},
|
||||
"related": [],
|
||||
"uuid": "ea6266fd-50a7-4223-ade3-e60c3467f540",
|
||||
"value": "APT41 2023-2024 Persistence & Exfiltration Activity"
|
||||
},
|
||||
{
|
||||
"description": "ArcaneDoor was a campaign, which likely ran from November 2023 until around February 2024, that targeted Cisco Adaptive Security Appliances (ASAs). ASAs are network devices that combine firewall, VPN, and other functionality. The campaign targeted unspecified government institutions around the world and was believed to have been conducted for espionage purposes.<sup>[[Cisco Talos ArcaneDoor April 24 2024](/references/531c3f6f-2d2b-4774-b069-e2b7a13602c1)]</sup>\n\nResearchers attributed the campaign to UAT4356 (aka Storm-1849), a possible China-linked adversary.<sup>[[Wired ArcaneDoor April 24 2024](/references/05a8afd3-0173-41ca-b23b-196ea0f3b1c1)]</sup> The initial access vector for the ArcaneDoor attacks remains unclear. After gaining a foothold, actors used the Line Dancer tool to upload Line Runner, a persistence and arbitrary code execution capability, to compromised ASAs (Cisco assigned two vulnerabilities, CVE-2024-20359 and CVE-2024-20353, to these activities). Responders observed various actions on objectives during the attacks, including device configuration modification, network traffic capture, and possible lateral movement.<sup>[[Cisco Talos ArcaneDoor April 24 2024](/references/531c3f6f-2d2b-4774-b069-e2b7a13602c1)]</sup>",
|
||||
"meta": {
|
||||
|
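Review bot: the APT40 Recent Tradecraft entry sets first_seen 2022-04-01 and last_seen 2022-09-30, but its description only dates the advisory (July 8, 2024) and calls the activity "recent"; state where the 2022 window comes from, otherwise the metadata and the narrative contradict each other. Minor: the APT41 entry mentions older compromises in "2021 & 2022" while first_seen is 2023-03-21, which is fine if the dropper history is intentionally excluded, but a short clause saying so would avoid the same question.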
@ -201,6 +362,102 @@
|
|||
"uuid": "ccc6401a-b79f-424b-8617-3c2d55475584",
|
||||
"value": "ArcaneDoor"
|
||||
},
|
||||
{
|
||||
"description": "This object represents a collection of MITRE ATT&CK® Techniques related to an incident response where an attacker used exposed cloud credentials to gain access to an AWS environment and ultimately collect and exfiltrate data before deleting files and leaving a ransom note extorting the victim to recover the stolen data.<sup>[[Www.invictus-ir.com 1 11 2024](/references/5e2a0756-d8f6-4359-9ca3-1e96fb8b5ac9)]</sup>",
|
||||
"meta": {
|
||||
"campaign_attack_id": "C5035",
|
||||
"first_seen": "2024-01-01T00:00:00Z",
|
||||
"last_seen": "2024-01-01T00:00:00Z",
|
||||
"owner": "TidalCyberIan",
|
||||
"source": "Tidal Cyber",
|
||||
"tags": [
|
||||
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
|
||||
"2e5f6e4a-4579-46f7-9997-6923180815dd",
|
||||
"5e7433ad-a894-4489-93bc-41e90da90019",
|
||||
"7e7b0c67-bb85-4996-a289-da0e792d7172",
|
||||
"2feda37d-5579-4102-a073-aa02e82cb49f"
|
||||
]
|
||||
},
|
||||
"related": [],
|
||||
"uuid": "9779935d-e316-4482-bec8-3d0704a26dc0",
|
||||
"value": "AWS Data Theft & Ransom Attack"
|
||||
},
|
||||
{
|
||||
"description": "Security researchers observed adversary activity that involved deployment of hundreds of AWS ECS Fargate clusters used to run XMRig cryptomining software. Researchers assessed that the activity was likely part of a wider campaign involving potentially hundreds of thousands of environments.<sup>[[Datadog ECS January 19 2024](/references/7e4e44a7-b079-41af-b41d-176ba7e99563)]</sup>",
|
||||
"meta": {
|
||||
"campaign_attack_id": "C5032",
|
||||
"first_seen": "2023-12-01T00:00:00Z",
|
||||
"last_seen": "2024-01-19T00:00:00Z",
|
||||
"owner": "TidalCyberIan",
|
||||
"source": "Tidal Cyber",
|
||||
"tags": [
|
||||
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
|
||||
"2e5f6e4a-4579-46f7-9997-6923180815dd",
|
||||
"8d95e4d6-9a1e-4920-9f5c-83d9fe07a66e",
|
||||
"2feda37d-5579-4102-a073-aa02e82cb49f"
|
||||
]
|
||||
},
|
||||
"related": [],
|
||||
"uuid": "a94a5919-953e-4607-aaa4-dfccf6d938b5",
|
||||
"value": "AWS Fargate Cryptojacking Activity"
|
||||
},
|
||||
{
|
||||
"description": "This object represents a collection of MITRE ATT&CK® Techniques related to an incident response where an attacker was able to steal AWS Lambda credentials, use them to execute various API calls and enumerate various cloud services, and ultimately perform a cloud-based phishing attack, which reportedly cost the target organization considerable financial damage.<sup>[[Unit 42 12 8 2022](/references/e7a4a0cf-ffa2-48cc-9b21-a2333592c773)]</sup>",
|
||||
"meta": {
|
||||
"campaign_attack_id": "C5033",
|
||||
"first_seen": "2022-05-20T00:00:00Z",
|
||||
"last_seen": "2022-05-20T00:00:00Z",
|
||||
"owner": "TidalCyberIan",
|
||||
"source": "Tidal Cyber",
|
||||
"tags": [
|
||||
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
|
||||
"2e5f6e4a-4579-46f7-9997-6923180815dd",
|
||||
"2feda37d-5579-4102-a073-aa02e82cb49f"
|
||||
]
|
||||
},
|
||||
"related": [],
|
||||
"uuid": "64bddb9e-8bb4-481e-851a-0ddd7ba34615",
|
||||
"value": "AWS Lambda Credential Theft & Phishing Attack"
|
||||
},
|
||||
{
|
||||
"description": "Adversaries used email bombing and subsequent voice phishing to convince target users into granting the actors remote access to victim systems via legitimate tools including AnyDesk and the built-in Windows Quick Assist utility. The actors then used malicious remote access tools to access other assets within compromised environments, in some cases followed by deployment of Black Basta ransomware.<sup>[[Rapid7 Blog 5 10 2024](/references/ba749fe0-1ac7-4767-85df-97e6351c37f9)]</sup><sup>[[Microsoft Security Blog 5 15 2024](/references/0876de6e-ea0c-4717-89a4-9c7baed53b6f)]</sup>",
|
||||
"meta": {
|
||||
"campaign_attack_id": "C5037",
|
||||
"first_seen": "2024-04-15T00:00:00Z",
|
||||
"last_seen": "2024-05-15T00:00:00Z",
|
||||
"owner": "TidalCyberIan",
|
||||
"source": "Tidal Cyber",
|
||||
"tags": [
|
||||
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
|
||||
"562e535e-19f5-4d6c-81ed-ce2aec544f09",
|
||||
"5e7433ad-a894-4489-93bc-41e90da90019",
|
||||
"7e7b0c67-bb85-4996-a289-da0e792d7172",
|
||||
"2feda37d-5579-4102-a073-aa02e82cb49f"
|
||||
]
|
||||
},
|
||||
"related": [],
|
||||
"uuid": "b6ce227e-7240-4591-a8b9-641822c1f9f4",
|
||||
"value": "Black Basta Operator Social Engineering Campaign"
|
||||
},
|
||||
{
|
||||
"description": "This object represents observed pre-attack, initial access, execution, and other techniques used to distribute Bumblebee malware in 2023 and early 2024. Further background & contextual details can be found in the References tab below, and additional techniques associated with the technical mechanics of Bumblebee binaries can be found in the relevant Software object.",
|
||||
"meta": {
|
||||
"campaign_attack_id": "C5029",
|
||||
"first_seen": "2023-03-01T00:00:00Z",
|
||||
"last_seen": "2024-02-01T00:00:00Z",
|
||||
"owner": "TidalCyberIan",
|
||||
"source": "Tidal Cyber",
|
||||
"tags": [
|
||||
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
|
||||
"f8669b82-2194-49a9-8e20-92e7f9ab0a6f",
|
||||
"84615fe0-c2a5-4e07-8957-78ebc29b4635",
|
||||
"2feda37d-5579-4102-a073-aa02e82cb49f"
|
||||
]
|
||||
},
|
||||
"related": [],
|
||||
"uuid": "0e3a0fa7-78eb-4820-9881-d62b04fe6f92",
|
||||
"value": "Bumblebee Distribution Campaigns 2023-24"
|
||||
},
|
||||
{
|
||||
"description": "[C0010](https://app.tidalcyber.com/campaigns/a1e33caf-6eb0-442f-b97a-f6042f21df48) was a cyber espionage campaign conducted by UNC3890 that targeted Israeli shipping, government, aviation, energy, and healthcare organizations. Security researcher assess UNC3890 conducts operations in support of Iranian interests, and noted several limited technical connections to Iran, including PDB strings and Farsi language artifacts. [C0010](https://app.tidalcyber.com/campaigns/a1e33caf-6eb0-442f-b97a-f6042f21df48) began by at least late 2020, and was still ongoing as of mid-2022.<sup>[[Mandiant UNC3890 Aug 2022](https://app.tidalcyber.com/references/7b3fda0b-d327-4f02-bebe-2b8974f9959d)]</sup>",
|
||||
"meta": {
|
||||
|
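Review bot: none of the five new Tidal campaign entries in this hunk (C5035, C5032, C5033, C5037, C5029) carries a meta.refs array; their sources exist only as relative /references/<uuid> links inside <sup> markup in the description, which do not resolve outside the Tidal app, and the Bumblebee entry points readers to "the References tab below" and a "Software object" that do not exist in this galaxy. Add the public source URLs to meta.refs, as the threat-actor entries in this same commit already do. Also note the context entry C0010 at the end of the hunk uses the absolute https://app.tidalcyber.com/references/... form, so the link style is mixed within one file.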
@ -350,6 +607,24 @@
|
|||
"uuid": "f20c935b-e0c5-4941-b710-73cf06dd2b4a",
|
||||
"value": "Clop MOVEit Transfer Vulnerability Exploitation"
|
||||
},
|
||||
{
|
||||
"description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. Further background & contextual details can be found in the References tab below.",
|
||||
"meta": {
|
||||
"campaign_attack_id": "C5026",
|
||||
"first_seen": "2023-11-14T00:00:00Z",
|
||||
"last_seen": "2023-11-24T00:00:00Z",
|
||||
"owner": "TidalCyberIan",
|
||||
"source": "Tidal Cyber",
|
||||
"tags": [
|
||||
"fe28cf32-a15c-44cf-892c-faa0360d6109",
|
||||
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
|
||||
"2feda37d-5579-4102-a073-aa02e82cb49f"
|
||||
]
|
||||
},
|
||||
"related": [],
|
||||
"uuid": "bbbdc2a2-bd7e-4251-a064-b7f4997ac2a4",
|
||||
"value": "Cloudflare Thanksgiving 2023 security incident"
|
||||
},
|
||||
{
|
||||
"description": "[CostaRicto](https://app.tidalcyber.com/campaigns/fb011ed2-bfb9-4f0f-bd88-8b3fa0cf9b48) was a suspected hacker-for-hire cyber espionage campaign that targeted multiple industries worldwide, with a large number being financial institutions. [CostaRicto](https://app.tidalcyber.com/campaigns/fb011ed2-bfb9-4f0f-bd88-8b3fa0cf9b48) actors targeted organizations in Europe, the Americas, Asia, Australia, and Africa, with a large concentration in South Asia (especially India, Bangladesh, and Singapore), using custom malware, open source tools, and a complex network of proxies and SSH tunnels.<sup>[[BlackBerry CostaRicto November 2020](https://app.tidalcyber.com/references/93a23447-641c-4ee2-9fbd-64b2adea8a5f)]</sup>",
|
||||
"meta": {
|
||||
|
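Review bot: the "Cloudflare Thanksgiving 2023 security incident" entry has a boilerplate description that says nothing about the incident and points to a "References tab below" that MISP has no equivalent of; the same boilerplate reappears for C5025 and C5027 later in this diff. Give each at least one sentence on what happened and a meta.refs entry with the public source, otherwise the only information the cluster conveys is its value and date range.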
@ -370,6 +645,7 @@
|
|||
"last_seen": "2024-02-01T05:00:00Z",
|
||||
"source": "MITRE",
|
||||
"tags": [
|
||||
"fe984a01-910d-4e39-9c49-179aa03f75ab",
|
||||
"9768aada-9d63-4d46-ab9f-d41b8c8e4010",
|
||||
"758c3085-2f79-40a8-ab95-f8a684737927",
|
||||
"af5e9be5-b86e-47af-91dd-966a5e34a186",
|
||||
|
@ -385,6 +661,24 @@
|
|||
"uuid": "4e605e33-57fe-5bb2-b0ad-ec146aac041b",
|
||||
"value": "Cutting Edge"
|
||||
},
|
||||
{
|
||||
"description": "This object represents a collection of MITRE ATT&CK® Techniques related to an incident response where an attacker gained initial access to an AWS environment using an \"accidentally exposed long term access key belonging to an IAM user\". The actor persisted for approximately a month and ultimately used their access to carry out limited cryptomining acitivty, conduct phishing and spam email attacks via AWS SES, and establish domains for further phishing/spam campaigns.<sup>[[Www.invictus-ir.com 1 31 2024](/references/803a084a-0468-4c43-9843-a0b5652acdba)]</sup>",
|
||||
"meta": {
|
||||
"campaign_attack_id": "C5034",
|
||||
"first_seen": "2024-01-01T00:00:00Z",
|
||||
"last_seen": "2024-01-31T00:00:00Z",
|
||||
"owner": "TidalCyberIan",
|
||||
"source": "Tidal Cyber",
|
||||
"tags": [
|
||||
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
|
||||
"2e5f6e4a-4579-46f7-9997-6923180815dd",
|
||||
"2feda37d-5579-4102-a073-aa02e82cb49f"
|
||||
]
|
||||
},
|
||||
"related": [],
|
||||
"uuid": "8ee9d9f1-9906-4f0d-a4a7-0e6ed1aa4069",
|
||||
"value": "DangerDev AWS Attack"
|
||||
},
|
||||
{
|
||||
"description": "German and South Korean cybersecurity authorities published an advisory highlighting recent attempts by North Korea-linked cyber actors to target enterprises and research centers in the defense sector. The advisory detailed a supply chain attack, attributed to an unnamed threat group, in which actors compromised a company that maintained a defense sector research center's web servers, then used stolen SSH credentials to remotely access the research center's network. The actors then used various methods to evade defenses, including impersonating security staff, deployed malware via a patch management system, and stole account information and email contents before being evicted from the network.<sup>[[BfV North Korea February 17 2024](/references/cc76be15-6d9d-40b2-b7f3-196bb0a7106a)]</sup>",
|
||||
"meta": {
|
||||
|
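Review bot: typo in the DangerDev AWS Attack description, "acitivty" should be "activity". Since the description quotes its source ("accidentally exposed long term access key belonging to an IAM user"), a meta.refs entry with the public URL would let readers verify the quote instead of relying on the relative /references/ link, which only works inside the Tidal app.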
@ -412,6 +706,7 @@
|
|||
"owner": "TidalCyberIan",
|
||||
"source": "Tidal Cyber",
|
||||
"tags": [
|
||||
"89c5b94b-ecf4-4d53-9b74-3465086d4565",
|
||||
"2743d495-7728-4a75-9e5f-b64854039792",
|
||||
"ecd84106-2a5b-4d25-854e-b8d1f57f6b75",
|
||||
"a6ba64e1-4b4a-4bbd-a26d-ce35c22b2530",
|
||||
|
@ -447,6 +742,41 @@
|
|||
"uuid": "94587edf-0292-445b-8c66-b16629597f1e",
|
||||
"value": "FunnyDream"
|
||||
},
|
||||
{
|
||||
"description": "U.S. cybersecurity authorities released an advisory that warned of recent attacks targeting healthcare entities and providers, which leveraged social engineering techniques for initial access and ultimately led to financial theft. The attacks used voice phishing and phishing domains, and sometimes bypassed multi-factor authentication measures, to gain footholds. Actors often used information gathered through extensive reconnaissance to facilitate these efforts.\n\nActors then used \"living off the land\" (LOTL) techniques to persist stealthily in compromised environments. Ultimately, actors sought to modify patient automated clearinghouse (ACH) account information to divert payments to actor-controlled bank accounts. The advisory did not attribute the recent campaign to a named adversary group.<sup>[[FBI Social Engineering Attacks June 24 2024](/references/527ac41a-a65e-4cf9-a9c9-194443b37c5b)]</sup>",
|
||||
"meta": {
|
||||
"campaign_attack_id": "C5042",
|
||||
"first_seen": "2023-08-01T00:00:00Z",
|
||||
"last_seen": "2024-06-24T00:00:00Z",
|
||||
"owner": "TidalCyberIan",
|
||||
"source": "Tidal Cyber",
|
||||
"tags": [
|
||||
"d903e38b-600d-4736-9e3b-cf1a6e436481",
|
||||
"e551ae97-d1b4-484e-9267-89f33829ec2c"
|
||||
]
|
||||
},
|
||||
"related": [],
|
||||
"uuid": "1610257c-e2fc-4b05-bd63-5c2cbfb2342e",
|
||||
"value": "Healthcare Social Engineering & Payment Diversion Activity"
|
||||
},
|
||||
{
|
||||
"description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. Further background & contextual details can be found in the References tab below.",
|
||||
"meta": {
|
||||
"campaign_attack_id": "C5025",
|
||||
"first_seen": "2023-05-01T00:00:00Z",
|
||||
"last_seen": "2023-12-12T00:00:00Z",
|
||||
"owner": "TidalCyberIan",
|
||||
"source": "Tidal Cyber",
|
||||
"tags": [
|
||||
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
|
||||
"15f2277a-a17e-4d85-8acd-480bf84f16b4",
|
||||
"2feda37d-5579-4102-a073-aa02e82cb49f"
|
||||
]
|
||||
},
|
||||
"related": [],
|
||||
"uuid": "d1244338-85dd-4650-989a-9df8020860b9",
|
||||
"value": "HPE Midnight Blizzard Office 365 Email Exfiltration"
|
||||
},
|
||||
{
|
||||
"description": "In November 2022, U.S. cybersecurity authorities released Cybersecurity Advisory AA22-320A, which detailed an incident response engagement at an unspecified U.S. Federal Civilian Executive Branch organization. Authorities assessed that the network compromise was carried out by unspecified Iranian government-sponsored advanced persistent threat (APT) actors. The actors achieved initial network access by exploiting the Log4Shell vulnerability in an unpatched VMware Horizon server. Post-exploit activities included installing XMRig crypto mining software and executing Mimikatz to harvest credentials, as well as moving laterally to the domain controller and implanting Ngrok reverse proxies on multiple hosts to maintain persistence.\n\nAdditional details, including incident response guidance and relevant mitigations, can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-320a).<sup>[[U.S. CISA Advisory November 25 2022](/references/daae1f54-8471-4620-82d5-023d04144acd)]</sup>\n\n**Related Vulnerabilities**: CVE-2021-44228<sup>[[U.S. CISA Advisory November 25 2022](/references/daae1f54-8471-4620-82d5-023d04144acd)]</sup>",
|
||||
"meta": {
|
||||
|
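Review bot: in the Healthcare Social Engineering & Payment Diversion Activity entry, last_seen 2024-06-24 is the advisory's publication date (the citation reads "FBI Social Engineering Attacks June 24 2024") rather than the last observed activity. If the advisory gives no end date, say so in the description or set the field to the last date the source actually reports, so the value is not mistaken for an activity date.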
@ -486,6 +816,9 @@
|
|||
"owner": "TidalCyberIan",
|
||||
"source": "Tidal Cyber",
|
||||
"tags": [
|
||||
"3ed2343c-a29c-42e2-8259-410381164c6a",
|
||||
"375983b3-6e87-4281-99e2-1561519dd17b",
|
||||
"64d3f7d8-30b7-4b03-bee2-a6029672216c",
|
||||
"5e7433ad-a894-4489-93bc-41e90da90019",
|
||||
"7e7b0c67-bb85-4996-a289-da0e792d7172",
|
||||
"15787198-6c8b-4f79-bf50-258d55072fee",
|
||||
|
@ -505,7 +838,7 @@
|
|||
"value": "Iranian IRGC Data Extortion Operations"
|
||||
},
|
||||
{
|
||||
"description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to joint Cybersecurity Advisory AA24-060B, which detailed recent exploits of vulnerabilities (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893) affecting Ivanti Connect Secure and Policy Secure VPN and gateway appliances by unspecified threat actors. Further background & contextual details can be found in the References tab below.",
|
||||
"description": "*We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: \"Cutting Edge\" (Campaign). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.*\n\n\nThis object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to joint Cybersecurity Advisory AA24-060B, which detailed recent exploits of vulnerabilities (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893) affecting Ivanti Connect Secure and Policy Secure VPN and gateway appliances by unspecified threat actors. Further background & contextual details can be found in the References tab below.",
|
||||
"meta": {
|
||||
"campaign_attack_id": "C5017",
|
||||
"first_seen": "2023-12-01T00:00:00Z",
|
||||
|
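Review bot: the deprecation notice exists only as free text inside description (followed by a triple "\n\n\n" before the original paragraph), so consumers cannot detect the deprecation programmatically. Consider adding a related entry pointing at the MITRE "Cutting Edge" object (uuid 4e605e33-57fe-5bb2-b0ad-ec146aac041b, visible earlier in this diff) so the replacement is machine-readable, and collapse the triple newline to a double one like the other descriptions use.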
@ -527,7 +860,24 @@
|
|||
},
|
||||
"related": [],
|
||||
"uuid": "c2544d1d-3c99-4601-86fe-8b62020aaffc",
|
||||
"value": "Ivanti Gateway Vulnerability Exploits"
|
||||
"value": "Ivanti Gateway Vulnerability Exploits (Deprecated)"
|
||||
},
|
||||
{
|
||||
"description": "JOKERSPY (aka REF9134) was an intrusion involving a Python-based backdoor, which was used to deploy a malicious macOS-based enumeration tool called Swiftbelt and other open-source tools.<sup>[[elastic.co 6 21 2023](/references/42c40ec8-f46a-48fa-bd97-818e3d3d320e)]</sup>",
|
||||
"meta": {
|
||||
"campaign_attack_id": "C5036",
|
||||
"first_seen": "2023-05-31T00:00:00Z",
|
||||
"last_seen": "2023-06-01T00:00:00Z",
|
||||
"owner": "TidalCyberIan",
|
||||
"source": "Tidal Cyber",
|
||||
"tags": [
|
||||
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
|
||||
"2feda37d-5579-4102-a073-aa02e82cb49f"
|
||||
]
|
||||
},
|
||||
"related": [],
|
||||
"uuid": "c44d9a29-3025-40b3-8c12-45390597cc0f",
|
||||
"value": "JOKERSPY Intrusion"
|
||||
},
|
||||
{
|
||||
"description": "In July 2023, U.S. Cybersecurity & Infrastructure Security Agency authorities released Cybersecurity Advisory AA23-201A, which detailed an observed exploit of a zero-day vulnerability (CVE-2023-3519) affecting NetScaler (formerly Citrix) Application Delivery Controller (\"ADC\") and NetScaler Gateway appliances. According to the Advisory, the exploitation activity occurred in June 2023, and the victim (an undisclosed entity in the critical infrastructure sector) reported it in July 2023.<sup>[[U.S. CISA CVE-2023-3519 Exploits](/references/021c4caa-7a7a-4e49-9c5c-6eec176bf923)]</sup> Citrix acknowledged the reported exploit of the vulnerability, which enables unauthenticated remote code execution, and released a patch on July 18, 2023.<sup>[[Citrix Bulletin CVE-2023-3519](/references/245ef1b7-778d-4df2-99a9-b51c95c57580)]</sup>\n\nAfter achieving initial access via exploit of CVE-2023-3519, threat actors dropped a web shell on the vulnerable ADC appliance, which was present on a non-production environment. The web shell enabled subsequent information discovery on the victim's Active Directory (\"AD\"), followed by collection and exfiltration of AD-related data. The actors also attempted lateral movement to a domain controller, but the Advisory indicated that network segementation controls for the ADC appliance blocked this attempted activity.<sup>[[U.S. CISA CVE-2023-3519 Exploits](/references/021c4caa-7a7a-4e49-9c5c-6eec176bf923)]</sup> Separately, in a blog on CVE-2023-3519 exploit investigations released the day after the CISA Advisory, Mandiant indicated that the type of activity observed is \"consistent with previous operations by China-nexus actors\".<sup>[[Mandiant CVE-2023-3519 Exploitation](/references/4404ed65-3020-453d-8c51-2885018ba03b)]</sup>\n\n**Related Vulnerabilities**: CVE-2023-3519<sup>[[U.S. CISA CVE-2023-3519 Exploits](/references/021c4caa-7a7a-4e49-9c5c-6eec176bf923)]</sup>",
@ -567,6 +917,75 @@
"uuid": "f4225d6a-8734-401f-aa2a-1a73c23b16e6",
"value": "LockBit Affiliate Citrix Bleed Exploits"
},
{
"description": "The DFIR Report researchers reported about activity taking place in May 2023, which saw an adversary, attributed to FIN11 and Lace Tempest, achieve initial access into a victim environment via a spearphishing email, leading to the download of Truebot malware. Several other tools and malware were then subsequently used to move laterally, discover and collect victim information, exfiltrate it, and ultimately deploy a wiper. These included: FlawedGrace, Cobalt Strike, Impacket, various native utilities, and MBR Killer. In total, the activity lasted for 29 hours.<sup>[[The DFIR Report Truebot June 12 2023](/references/a6311a66-bb36-4cad-a98f-2b0b89aafa3d)]</sup>",
"meta": {
"campaign_attack_id": "C5021",
"first_seen": "2023-05-01T00:00:00Z",
"last_seen": "2023-05-31T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "f74885c3-c39b-4db4-ab4f-2990929450a2",
"value": "May 2023 Exfiltration & Wiper Activity (Truebot + FlawedGrace + MBR Killer)"
},
{
"description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. Further background & contextual details can be found in the References tab below.",
"meta": {
"campaign_attack_id": "C5027",
"first_seen": "2023-11-30T00:00:00Z",
"last_seen": "2024-01-12T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"15f2277a-a17e-4d85-8acd-480bf84f16b4",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "4c01ad48-6a09-462a-abf4-24ba0a4cea56",
"value": "Microsoft Midnight Blizzard Breach"
},
{
"description": "Researchers observed a campaign that took place in the latter half of 2021, apparently directed at individuals representing financial and political figures in Palestine and Tukery, that used malicious, macro-based Microsoft Office files to compromise victim systems with the aim of installing a .NET-based backdoor tool. Researchers attributed the activity to the Molerats APT group.<sup>[[Zscaler Molerats Campaign](/references/3b39e73e-229f-4ff4-bec3-d83e6364a66e)]</sup>",
"meta": {
"campaign_attack_id": "C5022",
"first_seen": "2021-07-01T00:00:00Z",
"last_seen": "2021-12-01T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "f1922702-2c16-496e-9d21-f32fc9c6daee",
"value": "Molerats 2021 Backdoor Delivery Campaign"
},
{
"description": "This object represents a collection of MITRE ATT&CK® Techniques related to multiple incidents attributed to the North Korean actor group Moonstone Sleet that took place from August 2023 through May 2024. Attacks targeted individuals and organizations related to the software, information technology, education, and defense industrial base sectors, and are believed to have been carried out for both financial gain and espionage purposes.<sup>[[Microsoft Security Blog 5 28 2024](/references/faf315ed-71f7-4e29-8334-701da35a69ad)]</sup>",
"meta": {
"campaign_attack_id": "C5039",
"first_seen": "2023-08-01T00:00:00Z",
"last_seen": "2024-05-28T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "6e63729b-6483-4a87-923c-2de179a32f17",
"value": "Moonstone Sleet Operations"
},
{
"description": "[Night Dragon](https://app.tidalcyber.com/campaigns/85f136b3-d5a3-4c4c-a37c-40e4418dc989) was a cyber espionage campaign that targeted oil, energy, and petrochemical companies, along with individuals and executives in Kazakhstan, Taiwan, Greece, and the United States. The unidentified threat actors searched for information related to oil and gas field production systems, financials, and collected data from SCADA systems. Based on the observed techniques, tools, and network activities, security researchers assessed the campaign involved a threat group based in China.<sup>[[McAfee Night Dragon](https://app.tidalcyber.com/references/242d2933-ca2b-4511-803a-454727a3acc5)]</sup>",
"meta": {
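Review bot: typo in the Molerats description, "Palestine and Tukery" should read "Palestine and Turkey". Also, the Microsoft Midnight Blizzard Breach entry carries only the generic placeholder text ("This object represents a collection of MITRE ATT&CK® Techniques ... References tab below"); there is no References tab in a MISP galaxy cluster, so a one-sentence summary of the incident and its dates would make the entry usable on its own.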
@ -579,6 +998,24 @@
"uuid": "85f136b3-d5a3-4c4c-a37c-40e4418dc989",
"value": "Night Dragon"
},
{
"description": "According to details published by Okta Security, threat actors gained unauthorized access to Okta’s customer support management system from September 28 to October 17, 2023. Initial access to the system was believed to have been achieved after an employee signed into a personal cloud account on their Okta-managed laptop and saved the legitimate credentials for an Okta service account into that cloud profile. Okta Security believes the personal cloud account was most likely compromised (through unspecified means), exposing the Okta service account credentials.\n\nAfter gaining access to the Okta customer support management system using the valid service account credentials, the threat actor accessed HTTP Archive (HAR) files provided by Okta customers, which can contain cookies and session tokens. Okta indicated that the threat actor used session tokens compromised during the incident to hijack the legitimate Okta sessions of at least five customers. The threat actor is also believed to have run and downloaded a report that contained the names and email addresses of all Okta customer support system users. Considering that customers’ names and email addresses were downloaded, Okta Security indicated that they assessed there is an increased risk of phishing and social engineering attacks directed at those users following the incident.<sup>[[Okta HAR Files Incident Notice](/references/14855034-494e-477d-8c91-fc534fd7790d)]</sup><sup>[[Okta HAR Files RCA](/references/742d095c-9bd1-4f4a-8bc6-16db6d15a9f4)]</sup><sup>[[Okta HAR Files Incident Update](/references/5e09ab9c-8cb2-49f5-b65f-fd5447e71ef4)]</sup>",
"meta": {
"campaign_attack_id": "C5023",
"first_seen": "2023-09-28T00:00:00Z",
"last_seen": "2023-10-17T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"fe28cf32-a15c-44cf-892c-faa0360d6109",
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "a11d1575-5487-41cd-83b5-1601aa9d5487",
"value": "Okta Customer Support Security Incident"
},
{
"description": "\"Operation Bearded Barbie\" was a suspected AridViper (aka APT-C-23/Desert Falcon) campaign that appeared to target Israeli individuals, especially \"high-profile\" defense, law enforcement, and other government service personnel. The campaign heavily relied upon social engineering techniques, including the use of well-developed social media personas, aimed at tricking targets into installing backdoors for Windows and Android devices. The campaign appeared to be motivated by information collection for espionage purposes.<sup>[[Cybereason Operation Bearded Barbie April 5 2022](/references/7d71b7c9-531e-4e4f-ab85-df2380555b7a)]</sup>",
"meta": {
@ -586,7 +1023,11 @@
"first_seen": "2022-03-01T00:00:00Z",
"last_seen": "2022-04-01T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber"
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "0496e076-1813-4f51-86e6-8f551983e8f8",
@ -652,6 +1093,23 @@
"uuid": "f741ed36-2d52-40ae-bbdc-70722f4071c7",
"value": "Operation Honeybee"
},
{
"description": "Operation In(ter)ception refers to a series of threat activities attributed to Lazarus Group dating back to at least late 2019. Operation In(ter)ception campaigns are considered a sub-component of broader Lazarus Group espionage activities known as Operation Dream Job. Operation In(ter)ception attacks typically feature social engineering lures containing fake job vacany announcements for cryptocurrency companies. They are designed to ultimately infect targets with macOS malware.<sup>[[SentinelOne 9 26 2022](/references/973a110c-f1cd-46cd-b92b-5c7d8e7492b1)]</sup>",
"meta": {
"campaign_attack_id": "C5040",
"first_seen": "2019-12-01T00:00:00Z",
"last_seen": "2022-09-26T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "9637ff1e-803e-47f7-b808-f4d1ef6fd500",
"value": "Operation In(ter)ception"
},
{
"description": "[Operation Sharpshooter](https://app.tidalcyber.com/campaigns/57e858c8-fd0b-4382-a178-0165d03aa8a9) was a global cyber espionage campaign that targeted nuclear, defense, government, energy, and financial companies, with many located in Germany, Turkey, the United Kingdom, and the United States. Security researchers noted the campaign shared many similarities with previous [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) operations, including fake job recruitment lures and shared malware code.<sup>[[McAfee Sharpshooter December 2018](https://app.tidalcyber.com/references/96b6d012-8620-4ef5-bf9a-5f88e465a495)]</sup><sup>[[Bleeping Computer Op Sharpshooter March 2019](https://app.tidalcyber.com/references/84430646-6568-4288-8710-2827692a8862)]</sup><sup>[[Threatpost New Op Sharpshooter Data March 2019](https://app.tidalcyber.com/references/2361b5b1-3a01-4d77-99c6-261f444a498e)]</sup> ",
"meta": {
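Review bot: typo in the Operation In(ter)ception description, "fake job vacany announcements" should read "fake job vacancy announcements".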
@ -725,6 +1183,100 @@
"uuid": "71f6d3b1-c45e-421c-99cb-3b695647cf0b",
"value": "Pikabot Distribution Campaigns 2023"
},
{
"description": "Researchers observed a campaign, with activity occurring between March and at least June 2024, where multiple discrete threat actor clusters used similar social engineering techniques to trick users into copying and executing PowerShell scripts, which ultimately led to malware deployment on the victim's system. Payloads included droppers, RATs, and information stealer malware.\n\nInitial contact with the victim occurred through both malspam email campaigns and web browser injects, which would trigger a popup claiming an error occurred when trying to open a document or webpage. The popup would prompt the user to run a script in the PowerShell terminal or Windows Run dialog box. Researchers attributed these campaigns to TA571, an initial access broker, a known intrusion set (ClearFake), and a newer group dubbed ClickFix.<sup>[[Proofpoint June 17 2024](/references/a65d7492-04a4-46d4-85ed-134786c6828b)]</sup><sup>[[BleepingComputer Fake Chrome Errors June 17 2024](/references/6efa70e3-d8eb-4260-b0ab-62335681e6fd)]</sup>",
"meta": {
"campaign_attack_id": "C5045",
"first_seen": "2024-03-01T00:00:00Z",
"last_seen": "2024-06-07T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "9864ed5a-0633-4c04-85f1-728d3ff37e82",
"value": "PowerShell User Execution Social Engineering Campaign (TA571, ClearFake, ClickFix)"
},
{
"description": "A collections of TTPs associated with a phishing-based campaign that resulted in QakBot deployments. The campaign comes about four months after the reported disruption of QakBot distribution networks in an international law enforcement operation.<sup>[[K7 QakBot Returns January 4 2024](/references/5cb5e645-b77b-4bd1-a742-c8f53f234713)]</sup>",
"meta": {
"campaign_attack_id": "C5024",
"first_seen": "2023-12-11T00:00:00Z",
"last_seen": "2024-01-04T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"e809d252-12cc-494d-94f5-954c49eb87ce",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "6292123a-3d7e-4e8e-8ff0-daa7868433b7",
"value": "QakBot January 2024 Campaign"
},
{
"description": "Independent investigators reported details about a response to a compromise involving Quantum ransomware. The date of the attack was not disclosed, but the incident was reported in April 2022. IcedID was used to gain an initial foothold, Cobalt Strike and RDP were leveraged for lateral movement, and WMI and PsExec were used to deploy the ransomware payload. The incident was described as \"one of the fastest ransomware cases\" the investigators had handled, with domain-wide encryption occurring within four hours of initial access.<sup>[[The DFIR Report April 25 2022](/references/2e28c754-911a-4f08-a7bd-4580f5283571)]</sup>",
"meta": {
"campaign_attack_id": "C5043",
"first_seen": "2022-04-01T00:00:00Z",
"last_seen": "2022-04-25T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"5e7433ad-a894-4489-93bc-41e90da90019",
"7e7b0c67-bb85-4996-a289-da0e792d7172",
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "a9bef150-04e6-41f2-9f94-069f9912f5e3",
"value": "Quantum Ransomware Compromise"
},
{
"description": "Researchers have observed an evolution in Scattered Spider's/UNC3944's TTPs since the second half of 2023, with actors especially focusing on gaining wide access to victim SaaS environments for reconnaissance, data theft, and subsequent extortion purposes. This object reflects the MITRE ATT&CK® Techniques associated with this activity.<sup>[[Google Cloud June 13 2024](/references/161423a2-165d-448f-90e9-0c53e319a125)]</sup>\n\nNotable Techniques newly associated with Scattered Spider via this Campaign object include Forge Web Credentials: SAML Tokens (T1606.002), Impair Defenses: Disable or Modify Tools (T1562.001), Indicator Removal: Clear Windows Event Logs (T1070.001), Software Discovery: Security Software Discovery (T1518.001), and Pre-OS Boot: System Firmware (T1542.001).",
"meta": {
"campaign_attack_id": "C5041",
"first_seen": "2023-08-13T00:00:00Z",
"last_seen": "2024-06-13T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"fe28cf32-a15c-44cf-892c-faa0360d6109",
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "43f29c00-437f-43f3-8d69-052a06f1a2eb",
"value": "Scattered Spider TTP Evolution - SaaS Targeting"
},
{
"description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to recently reported attacks that featured exploits of recently disclosed vulnerabilities in the ConnectWise ScreenConnect utility (CVE-2024-1709 and CVE-2024-1708, aka \"SlashAndGrab\"). Several of the observed attacks saw the ingress of various malicious tools, including suspected ransomware.\n\nFurther background & contextual details can be found in the References tab below.",
"meta": {
"campaign_attack_id": "C5028",
"first_seen": "2024-02-19T00:00:00Z",
"last_seen": "2024-02-23T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"fdd53e62-5bf1-41f1-8bd6-b970a866c39d",
"d431939f-2dc0-410b-83f7-86c458125444",
"7e7b0c67-bb85-4996-a289-da0e792d7172",
"e727eaa6-ef41-4965-b93a-8ad0c51d0236",
"509a90c7-9ca9-4b23-bca2-cd38ef6a6207",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "365150b8-94ed-4d43-895e-fb07d0a8a7cd",
"value": "ScreenConnect Vulnerability Exploit Attacks"
},
{
"description": "The [SolarWinds Compromise](https://app.tidalcyber.com/campaigns/8bde8146-0656-5800-82e6-e24e008e4f4a) was a sophisticated supply chain cyber operation conducted by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) that was discovered in mid-December 2020. [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) used customized malware to inject malicious code into the SolarWinds Orion software build process that was later distributed through a normal software update; they also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. Industry reporting initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.<sup>[[SolarWinds Advisory Dec 2020](https://app.tidalcyber.com/references/4e8b908a-bdc5-441b-bc51-98dfa87f6b7a)]</sup><sup>[[SolarWinds Sunburst Sunspot Update January 2021](https://app.tidalcyber.com/references/1be1b6e0-1b42-4d07-856b-b6321c17bb88)]</sup><sup>[[FireEye SUNBURST Backdoor December 2020](https://app.tidalcyber.com/references/d006ed03-a8af-4887-9356-3481d81d43e4)]</sup><sup>[[Volexity SolarWinds](https://app.tidalcyber.com/references/355cecf8-ef3e-4a6e-a652-3bf26fe46d88)]</sup><sup>[[CrowdStrike StellarParticle January 2022](https://app.tidalcyber.com/references/149c1446-d6a1-4a63-9420-def9272d6cb9)]</sup><sup>[[Unit 42 SolarStorm December 2020](https://app.tidalcyber.com/references/ecbb602a-2427-5eba-8c2b-25d90c95f166)]</sup><sup>[[Microsoft Analyzing Solorigate Dec 2020](https://app.tidalcyber.com/references/8ad72d46-ba2c-426f-bb0d-eb47723c8e11)]</sup><sup>[[Microsoft Internal Solorigate Investigation 
Blog](https://app.tidalcyber.com/references/66cade99-0040-464c-98a6-bba57719f0a4)]</sup> \n\nIn April 2021, the US and UK governments attributed the [SolarWinds Compromise](https://app.tidalcyber.com/campaigns/8bde8146-0656-5800-82e6-e24e008e4f4a) to Russia's Foreign Intelligence Service (SVR); public statements included citations to [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447), Cozy Bear, and The Dukes.<sup>[[NSA Joint Advisory SVR SolarWinds April 2021](https://app.tidalcyber.com/references/43d9c469-1d54-454b-ba67-74e7f1de9c10)]</sup><sup>[[UK NSCS Russia SolarWinds April 2021](https://app.tidalcyber.com/references/f49e6780-8caa-4c3c-8d68-47a2cc4319a1)]</sup><sup>[[Mandiant UNC2452 APT29 April 2022](https://app.tidalcyber.com/references/5276508c-6792-56be-b757-e4b495ef6c37)]</sup> The US government assessed that of the approximately 18,000 affected public and private sector customers of Solar Winds’ Orion product, a much smaller number were compromised by follow-on [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) activity on their systems.<sup>[[USG Joint Statement SolarWinds January 2021](https://app.tidalcyber.com/references/336a6549-a95d-5763-bbaf-5ef0d3141800)]</sup> ",
"meta": {
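Review bot: grammar in the QakBot January 2024 Campaign description, "A collections of TTPs" should read "A collection of TTPs". The ScreenConnect Vulnerability Exploit Attacks entry again points readers to a "References tab below" that does not exist in this cluster format; consider dropping that sentence, since the `<sup>` reference links already carry the sources.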
@ -733,6 +1285,7 @@
"last_seen": "2021-01-01T06:00:00Z",
"source": "MITRE",
"tags": [
"fe28cf32-a15c-44cf-892c-faa0360d6109",
"f2ae2283-f94d-4f8f-bbde-43f2bed66c55"
]
},
@ -740,17 +1293,95 @@
"uuid": "8bde8146-0656-5800-82e6-e24e008e4f4a",
"value": "SolarWinds Compromise"
},
{
"description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. Further background & contextual details can be found in the References tab below.",
"meta": {
"campaign_attack_id": "C5030",
"first_seen": "2024-02-26T00:00:00Z",
"last_seen": "2024-02-27T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "55fe6e08-96df-41a0-bfa9-555c6b4ce623",
"value": "TA577 NTLM Credential Theft Attacks"
},
{
"description": "[Triton Safety Instrumented System Attack](https://app.tidalcyber.com/campaigns/6c7185e1-bd46-5a80-9a76-a376b16fbc7b) was a campaign employed by [TEMP.Veles](https://app.tidalcyber.com/groups/3a54b8dc-a231-4db8-96da-1c0c1aa396f6) which leveraged the [Triton](https://app.tidalcyber.com/software/) malware framework against a petrochemical organization.<sup>[[Triton-EENews-2017](https://app.tidalcyber.com/references/5cc54d85-ee53-579d-a8fb-9b54b3540dc0)]</sup> The malware and techniques used within this campaign targeted specific Triconex [Safety Controller](https://attack.mitre.org/assets/A0010)s within the environment.<sup>[[FireEye TRITON 2018](https://app.tidalcyber.com/references/bfa5886a-a7f4-40d1-98d0-c3358abcf265)]</sup> The incident was eventually discovered due to a safety trip that occurred as a result of an issue in the malware.<sup>[[FireEye TRITON 2017](https://app.tidalcyber.com/references/597a4d8b-ffb2-4551-86db-b319f5a5b707)]</sup>\n",
"meta": {
"campaign_attack_id": "C0030",
"first_seen": "2017-06-01T04:00:00Z",
"last_seen": "2017-08-01T04:00:00Z",
"source": "MITRE"
"source": "MITRE",
"tags": [
"3ed3f7a6-b446-4fbc-a433-ff1d63c0e647"
]
},
"related": [],
"uuid": "6c7185e1-bd46-5a80-9a76-a376b16fbc7b",
"value": "Triton Safety Instrumented System Attack"
},
{
"description": "Researchers observed suspected \"China-nexus\" actor Velvet Ant exploiting CVE-2024-20399 in Cisco Nexus network switch devices in order to upload and execute \"previously unknown custom malware\" on the devices' operating systems. Researchers first observed \"zero-day\" exploit activity in the wild at an undisclosed point \"during the past year\", and after they shared the findings, Cisco acknowledged the vulnerability in an advisory published on July 1, 2024.\n\nThe vulnerability's overall risk is mitigated by the fact that it requires valid administrator-level credentials and network access to the target switch for successful exploitation. However, researchers highlighted how sophisticated threat groups are increasingly targeting network appliances as means of network access and persistence, since those appliances \"are often not sufficiently protected and monitored\". This exploit campaign was discovered as part of a larger investigation into Velvet Ant, which was previously observed targeting F5 load balancer devices for persistence.<sup>[[The Hacker News Velvet Ant Cisco July 2 2024](/references/e3949201-c949-4126-9e02-34bfad4713c0)]</sup><sup>[[Sygnia Velvet Ant July 1 2024](/references/a0cfeeb6-4617-4dea-80d2-290eaf2bcf5b)]</sup>",
"meta": {
"campaign_attack_id": "C5046",
"first_seen": "2023-07-01T00:00:00Z",
"last_seen": "2024-07-01T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"72bc70fa-3979-4d3b-a0e9-b9ebebcf2a38",
"a98d7a43-f227-478e-81de-e7299639a355",
"a159c91c-5258-49ea-af7d-e803008d97d3",
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "bcf6bb5b-443f-4adb-ab6b-f864ea27614d",
"value": "Velvet Ant Cisco Network Switches Exploit Activity (CVE-2024-20399)"
},
{
"description": "This object reflects the tools & TTPs associated with a campaign attributed to Velvet Ant, a suspected \"China-nexus\" state-sponsored threat group. Researchers believe the actor managed to maintain extremely prolonged access to a victim network – residing and remaining active there for around three years – notably by abusing a legacy, internet-exposed F5 BIG-IP load balancer appliance as an internal command and control mechanism. Researchers assess the intrusion was carried out for espionage purposes.<sup>[[Sygnia Velvet Ant June 17 2024](/references/5c313af4-61a8-449d-a6c7-f7ead6c72e19)]</sup><sup>[[BleepingComputer Velvet Ant June 17 2024](/references/70235e47-f8bb-4d16-9933-9f4923f08f5d)]</sup>",
"meta": {
"campaign_attack_id": "C5044",
"first_seen": "2020-12-01T00:00:00Z",
"last_seen": "2023-12-01T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"a159c91c-5258-49ea-af7d-e803008d97d3",
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "b78565ce-8eec-49ad-b762-8d2107fa9ce7",
"value": "Velvet Ant F5 BIG-IP Espionage Activity"
},
{
"description": "A suspected affiliate of the Zloader operation carried out attacks mainly affecting financial institutions. Intrusions typically came via drive-by compromise and initiallly saw the installation of the Atera software, which was then used to load Zloader, and in some cases, Ursnif.<sup>[[WeLiveSecurity April 19 2022](/references/f86845b9-03c4-446b-845f-b31b79b247ee)]</sup>",
"meta": {
"campaign_attack_id": "C5020",
"first_seen": "2020-10-01T00:00:00Z",
"last_seen": "2022-04-13T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"ebec1bf0-e06c-48b2-adeb-fc0669306bc8",
"39357cc1-dbb1-49e4-9fe0-ff24032b94d5",
"e7681e16-9106-4d0a-a915-9958989161a3",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "396e073e-76d7-4fcf-97b4-9343d0a0b819",
"value": "Zloader & Ursnif Affiliate Campaign 2020-22"
}
],
"version": 1
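Review bot: typo in the Zloader & Ursnif Affiliate Campaign description, "initiallly saw the installation" should read "initially saw the installation". Two further points in this hunk: the TA577 NTLM Credential Theft Attacks entry is placeholder-only text ("Further background & contextual details can be found in the References tab below") with no summary of the activity itself, and the Triton entry's `[Triton](https://app.tidalcyber.com/software/)` link carries no software id, so it points at the software index rather than the Triton entry; please fill in the id or drop the link.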
File diff suppressed because it is too large
9
galaxies/first-csirt-services-framework.json
Normal file
@ -0,0 +1,9 @@
{
"description": "The Computer Security Incident Response Team (CSIRT) Services Framework is a high-level document describing in a structured way a collection of cyber security services and associated functions that Computer Security Incident Response Teams and other teams providing incident management related services may provide",
"icon": "user",
"name": "FIRST CSIRT Services Framework",
"namespace": "first",
"type": "first-csirt-services-framework",
"uuid": "4a72488f-ef5b-4895-a5d9-c625dee663cb",
"version": 1
}
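Review bot: the galaxy description ends without a terminating period ("...may provide"). Since this file is emitted by tools/gen_csf.py, which carries the same string in its `galaxy` and `cluster` dicts, fix the wording there and regenerate rather than hand-editing the JSON.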
229
tools/gen_csf.py
Normal file
@ -0,0 +1,229 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
# A simple convertor script to generate galaxies from the MITRE NICE framework
# https://niccs.cisa.gov/workforce-development/nice-framework
# Copyright (C) 2024 Jean-Louis Huynen
# Copyright (C) 2024 Déborah Servili
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import pdb
import requests
import json
import os
import uuid
import re
from bs4 import BeautifulSoup
# uuidv4 generated to be concatenated in v5: 43803a9f-9ea6-4ebc-9cb5-68ccdc2c23e0
galaxy = {
"namespace": "first",
"type": "first-csirt-services-framework",
"name": "FIRST CSIRT Services Framework",
"description": "The Computer Security Incident Response Team (CSIRT) Services Framework is a high-level document describing in a structured way a collection of cyber security services and associated functions that Computer Security Incident Response Teams and other teams providing incident management related services may provide",
"uuid": "4a72488f-ef5b-4895-a5d9-c625dee663cb",
"version": 1,
"icon": 'user',
}
cluster = {
'authors': ["FIRST", "CIRCL", "Jean-Louis Huynen"],
'category': 'csirt',
"type": "first-csirt-services-framework",
"name": "FIRST CSIRT Services Framework",
"description": "The Computer Security Incident Response Team (CSIRT) Services Framework is a high-level document describing in a structured way a collection of cyber security services and associated functions that Computer Security Incident Response Teams and other teams providing incident management related services may provide",
"uuid": "4a72488f-ef5b-4895-a5d9-c625dee663cb",
'source': 'https://www.first.org/standards/frameworks/csirts/csirt_services_framework_v2.1',
'values': [],
'version': 1,
}
# URL to download
url = "https://www.first.org/standards/frameworks/csirts/csirt_services_framework_v2.1#5-Service-Area-Information-Security-Event-Management"
# Send a GET request to the webpage
response = requests.get(url)
def extract_nostrong_content(element):
content = element.find_next_siblings('p', limit=3)
extracted = {}
extracted["purpose"] = content[0].text.strip()[8:]
for sibling in content[0].find_next_siblings():
if "Description:" in sibling.text:
break
extracted["purpose"] += f" {sibling.text.strip()}"
extracted["description"] = content[1].text.strip()[12:]
for sibling in content[1].find_next_siblings():
if "Outcome:" in sibling.text:
break
extracted["description"] += f" {sibling.text.strip()}"
extracted["outcome"] = content[2].text.strip()[8:]
for sibling in content[2].find_next_siblings():
if sibling.name in ["h2", "h3", "h4"] or any(substring in sibling.text for substring in ["The following functions", "List of functions"]):
break
extracted["outcome"] += f" {sibling.text.strip()}"
return extracted
def extract_content(element):
content = {}
|
||||
description_title = element.find_next(
|
||||
"em", string=lambda text: "Description:" in text
|
||||
)
|
||||
purpose_title = element.find_next("em", string=lambda text: "Purpose:" in text)
|
||||
outcome_title = element.find_next("em", string=lambda text: "Outcome:" in text)
|
||||
|
||||
content["purpose"] = (
|
||||
purpose_title.parent.parent.get_text(strip=True).replace("Purpose:", "").strip()
|
||||
)
|
||||
for sibling in purpose_title.parent.parent.find_next_siblings():
|
||||
if "Description:" in sibling.text:
|
||||
break
|
||||
content["purpose"] += f" {sibling.text.strip()}"
|
||||
|
||||
content["description"] = (
|
||||
description_title.parent.parent.get_text(strip=True)
|
||||
.replace("Description:", "")
|
||||
.strip()
|
||||
)
|
||||
|
||||
for sibling in description_title.parent.parent.find_next_siblings():
|
||||
if "Outcome:" in sibling.text:
|
||||
break
|
||||
content["description"] += f" {sibling.text.strip()}"
|
||||
|
||||
content["outcome"] = (
|
||||
outcome_title.parent.parent.get_text(strip=True).replace("Outcome:", "").strip()
|
||||
)
|
||||
for sibling in outcome_title.parent.parent.find_next_siblings():
|
||||
if sibling.name in ["h2", "h3", "h4"] or any(substring in sibling.text for substring in ["The following functions", "List of functions"]):
|
||||
break
|
||||
content["outcome"] += f" {sibling.text.strip()}"
|
||||
content["outcome"] = content["outcome"].split("The following functions")[0].strip()
|
||||
return content
|
||||
|
||||
|
||||
def remove_heading(input_string):
|
||||
return re.sub(r'^\d+(\.\d+)*\s+', '', input_string)
|
||||
|
||||
# Check if the request was successful
|
||||
if response.status_code == 200:
|
||||
# Parse the page content with BeautifulSoup
|
||||
soup = BeautifulSoup(response.content, 'html.parser')
|
||||
|
||||
# Removing all links <a>
|
||||
for a in soup.find_all('a', href=True):
|
||||
if a['href'].startswith('#'):
|
||||
a.decompose()
|
||||
|
||||
# Extract the section titled "4 CSIRT Services Framework Structure"
|
||||
section_header = soup.find(
|
||||
'h2', id="5-Service-Area-Information-Security-Event-Management"
|
||||
)
|
||||
if section_header:
|
||||
|
||||
services = section_header.find_next_siblings('h3')
|
||||
functions = section_header.find_next_siblings('h4')
|
||||
|
||||
for service in services:
|
||||
if "Monitoring and detection" in service.text:
|
||||
content = extract_nostrong_content(service)
|
||||
else:
|
||||
content = extract_content(service)
|
||||
name = remove_heading(service.text.strip())
|
||||
suuid = str(
|
||||
uuid.uuid5(uuid.UUID("43803a9f-9ea6-4ebc-9cb5-68ccdc2c23e0"), name)
|
||||
)
|
||||
cluster["values"].append(
|
||||
{
|
||||
"description": content["description"],
|
||||
"meta": {
|
||||
"purpose": content["purpose"],
|
||||
"outcome": content["outcome"],
|
||||
},
|
||||
"uuid": suuid,
|
||||
"value": name,
|
||||
"related": [],
|
||||
}
|
||||
)
|
||||
|
||||
for function in functions:
|
||||
content = extract_content(function)
|
||||
# get the parent service
|
||||
parent_service = function.find_previous('h3')
|
||||
relationship = {
|
||||
"dest-uuid": str(
|
||||
uuid.uuid5(
|
||||
uuid.UUID("43803a9f-9ea6-4ebc-9cb5-68ccdc2c23e0"),
|
||||
remove_heading(parent_service.text.strip()),
|
||||
)
|
||||
),
|
||||
"type": "part-of",
|
||||
}
|
||||
|
||||
name = remove_heading(function.text.strip())
|
||||
|
||||
cluster["values"].append(
|
||||
{
|
||||
"description": content["description"],
|
||||
"meta": {
|
||||
"purpose": content["purpose"],
|
||||
"outcome": content["outcome"],
|
||||
},
|
||||
"uuid": str(
|
||||
uuid.uuid5(
|
||||
uuid.UUID("43803a9f-9ea6-4ebc-9cb5-68ccdc2c23e0"), name
|
||||
)
|
||||
),
|
||||
"value": name,
|
||||
"related": [relationship],
|
||||
}
|
||||
)
|
||||
|
||||
with open(
|
||||
os.path.join(
|
||||
os.path.dirname(__file__),
|
||||
'..',
|
||||
'galaxies',
|
||||
f'first-csirt-services-framework.json',
|
||||
),
|
||||
'w',
|
||||
) as f:
|
||||
json.dump(galaxy, f, indent=2, sort_keys=True, ensure_ascii=False)
|
||||
f.write(
|
||||
'\n'
|
||||
) # only needed for the beauty and to be compliant with jq_all_the_things
|
||||
|
||||
with open(
|
||||
os.path.join(
|
||||
os.path.dirname(__file__),
|
||||
'..',
|
||||
'clusters',
|
||||
f'first-csirt-services-framework.json',
|
||||
),
|
||||
'w',
|
||||
) as f:
|
||||
json.dump(cluster, f, indent=2, sort_keys=True, ensure_ascii=False)
|
||||
f.write(
|
||||
'\n'
|
||||
) # only needed for the beauty and to be compliant with jq_all_the_things
|
||||
|
||||
else:
|
||||
print("Couldn't find the section header.")
|
||||
else:
|
||||
print(f"Failed to download the webpage. Status code: {response.status_code}")
|
|
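Review bot: `extract_nostrong_content` strips the "Purpose:", "Description:" and "Outcome:" labels by fixed character offsets (`content[0].text.strip()[8:]`, `content[1].text.strip()[12:]`, `content[2].text.strip()[8:]`), so if the source page ever reorders those three paragraphs or rewords a label, the wrong characters are cut silently and the generated cluster carries truncated text; use the same `.replace("Purpose:", "").strip()` pattern that `extract_content` already uses, and check that the expected label is actually present before slicing. In `extract_content`, `get_text(strip=True)` joins adjacent text nodes with no separator, so words on either side of an inline element get glued together; `get_text(" ", strip=True)` avoids that. `requests.get(url)` has no `timeout=`, so the generator can hang indefinitely on an unresponsive server, and the `#5-Service-Area-...` fragment in `url` is never sent to the server, so it only documents intent. The comment above `section_header = soup.find(` still says "4 CSIRT Services Framework Structure" while the lookup uses `id="5-Service-Area-Information-Security-Event-Management"`; update it. The namespace UUID `43803a9f-9ea6-4ebc-9cb5-68ccdc2c23e0` is spelled out three times; hoisting it into one module constant keeps the `part-of` `dest-uuid` derivation from drifting away from the service `uuid` derivation it must match. Finally, `f'first-csirt-services-framework.json'` has no placeholders, so the `f` prefix can go.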
@ -5,7 +5,7 @@ cffi==1.16.0
charset-normalizer==3.3.2
click==8.1.7
colorama==0.4.6
cryptography==42.0.4
cryptography==43.0.1
Deprecated==1.2.14
ghp-import==2.1.0
gitdb==4.0.11
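Review bot: the only change in this hunk is the pin bump from `cryptography==42.0.4` to `cryptography==43.0.1`, which crosses a major version; the commit message should state whether this is a security update so that consumers of the pinned requirements know to prioritise it, and the bump should be verified against the interpreter versions the tooling runs on, since cryptography major releases drop support for older Python and OpenSSL builds. The surrounding pins (`cffi==1.16.0` in the hunk header, `charset-normalizer`, `click`, `colorama`) are untouched, so also confirm nothing else in the file constrains `cryptography` below 43.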