MISP/misp-galaxy
6
0
Fork 0
mirror of https://github.com/MISP/misp-galaxy.git synced 2024-11-22 14:57:18 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge branch 'rectifyq-main'

Browse source
This commit is contained in:
Alexandre Dulaunoy 2024-10-10 06:37:21 +02:00
commit 29517e06dc
Signed by: adulau
GPG key ID: 09E2CD4944E6CBCD
3 changed files with 319 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
README.md
View file

@ -599,7 +599,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements
[Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
Category: *actor* - source: *MISP Project* - total: *746* elements
Category: *actor* - source: *MISP Project* - total: *751* elements
[[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]

254
clusters/producer.json
View file

@ -668,7 +668,259 @@
"description": "Cloudflare, Inc. is an American company that provides content delivery network services, cloud cybersecurity, DDoS mitigation, wide area network services, reverse proxies, Domain Name Service, and ICANN-accredited domain registration services. Cloudflare's headquarters are in San Francisco, California.",
"uuid": "a0a87034-b8ff-4991-9ae1-e650a43292ef",
"value": "Cloudflare"
},
{
"description": "Recorded Future, Inc. is an American privately held cybersecurity company founded in 2009, with headquarters in Somerville, Massachusetts.",
"meta": {
"company-type": "Cyber Security Vendor",
"country": "US",
"official-refs": [
"https://www.recordedfuture.com/"
],
"product-type": [
"Digital Risk Protection",
"Threat Intelligence",
"Exposure Management",
"Threat Intelligence Feeds"
],
"products": [
"Threat Intelligence",
"Brand Intelligence",
"SecOps Intelligence",
"Vulnerability Intelligence",
"Third-Party Intelligence",
"Geopolitical Intelligence",
"Attack Surface Intelligence",
"Identity Intelligence",
"Payment Fraud Intelligence",
"Analyst On Demand"
],
"refs": [
"https://en.wikipedia.org/wiki/Recorded_Future",
"https://www.recordedfuture.com/resources"
],
"synonyms": [
"Recorded Future, Inc",
"Insikt Group"
]
},
"uuid": "ad7032df-0e9a-4ea9-b35c-c68ff854be80",
"value": "Recorded Future"
},
{
"description": "Cyble empowers organizations to take control of their cyber risks with AI-driven, cybersecurity platforms.",
"meta": {
"company-type": "Cyber Security Vendor",
"country": "US",
"official-refs": [
"https://cyble.com/"
],
"product-type": [
"Digital Risk Protection",
"Threat Intelligence",
"Exposure Management"
],
"products": [
"Cyble Vision",
"Cyble Hawk",
"AmIBreached",
"Odin",
"The Cyber Express"
],
"refs": [
"https://cyble.com/resources/",
"https://thecyberexpress.com/"
],
"synonyms": "The Cyber Express"
},
"uuid": "43e3e0a8-a12d-450a-8f2d-94915123549c",
"value": "Cyble"
},
{
"description": "CYFIRMA is a threat discovery and cyber-intelligence company with the worlds first platform that can deliver predictive cyber-intelligence",
"meta": {
"company-type": "Cyber Intelligence Provider",
"country": "SG",
"official-refs": [
"https://www.cyfirma.com/"
],
"product-type": [
"Threat Intelligence",
"Digital Risk Protection",
"Mobile App"
],
"products": [
"DeCYFIR",
"DeTCT",
"DeFNCE"
],
"refs": [
"https://www.cyfirma.com/research/",
"https://golden.com/wiki/CYFIRMA-K46ZYP8"
]
},
"uuid": "9d804c53-f307-421c-9f4d-41061c7eee62",
"value": "Cyfirma"
},
{
"description": "SentinelOne, Inc. is an American cybersecurity company listed on NYSE based in Mountain View, California.",
"meta": {
"company-type": "Cyber Security Vendor",
"country": "US",
"official-refs": [
"https://www.sentinelone.com/"
],
"product-type": [
"Endpoint Protection",
"Endpoint Detection Response",
"Deception Technology"
],
"products": [
"Singularity Platform",
"Singularity Identity",
"Singularity Hologram"
],
"refs": [
"https://www.sentinelone.com/labs/"
],
"synonyms": "Sentinel One"
},
"uuid": "996c48de-7bb8-414d-b6fe-ec94abb5f461",
"value": "SentinelOne"
},
{
"description": "Fortinet, Inc. is a cybersecurity company with headquarters in Sunnyvale, California. The company develops and sells security solutions like firewalls, endpoint security and intrusion detection systems.",
"meta": {
"company-type": "Cyber Security Vendor",
"country": "US",
"official-refs": [
"https://www.fortinet.com/"
],
"product-type": [
"Firewall",
"Application delivery controller",
"SOAR",
"Web application firewall / API security",
"Network security platform"
],
"products": [
"FortiADC",
"FortiAnalyzer",
"FortiAuthenticator",
"FortiCASB",
"FortiClient",
"FortiEDR",
"FortiCNP",
"FortiDDos",
"FortiDeceptor",
"FortiExtender",
"FortiGate",
"FortiIsolator",
"FortiMail",
"FortiManager",
"FortiNAC",
"FortiPAM",
"FortiSandbox",
"FortiSIEM",
"FortiSASE",
"FortiSOAR",
"FortiSwitch",
"FortiTester",
"FortiToken",
"FortiVoice",
"FortiWeb"
],
"refs": [
"https://en.wikipedia.org/wiki/Fortinet",
"https://www.fortinet.com/blog/threat-research"
]
},
"uuid": "bfafdca5-3171-4953-86ab-c74f44822fd3",
"value": "Fortinet"
},
{
"description": "Zscaler, Inc. (/ˈziːˌskeɪlər/) is an American cloud security company based in San Jose, California. The company offers cloud-based services to protect enterprise networks and data.",
"meta": {
"company-type": "Cyber Security Vendor",
"country": "US",
"official-refs": [
"https://www.zscaler.com/"
],
"product-type": [
"Secure Web Gateway",
"SASE",
"VPN",
"CASB",
"DLP"
],
"products": [
"Zscaler Internet Access",
"Zscaler Private Access",
"Zscaler Digital Experience",
"Zscaler Zero Trust Exchange"
],
"refs": [
"https://www.zscaler.com/blogs?type=security-research",
"https://en.wikipedia.org/wiki/Zscaler"
]
},
"uuid": "1427d7df-a9b8-4809-afe0-1180cfdd930d",
"value": "Zscaler"
},
{
"description": "Splunk Inc. is an American software company based in San Francisco, California, that produces software for searching, monitoring, and analyzing machine-generated data via a web-style interface.",
"meta": {
"company-type": "Cyber Security Vendor",
"country": "US",
"product-type": [
"SIEM",
"Observability",
"SOAR",
"UEBA"
],
"products": [
"Splunk Enterprise Security",
"Splunk ITSI",
"Splunk SOAR",
"Splunk Observability Cloud",
"Splunk UEBA"
],
"refs": [
"https://www.splunk.com/",
"https://www.splunk.com/en_us/blog/security.html",
"https://en.wikipedia.org/wiki/Splunk"
]
},
"uuid": "7acb73f9-83c8-4a1d-88e5-873bad8659fa",
"value": "Splunk"
},
{
"description": "Huntress Labs Incorporated operates as a security software solution provider. The Company provides managed threat detection and response services to uncover, address persistent footholds that prevent defenses. Huntress Labs serves customers in the United States.",
"meta": {
"company-type": "Cyber Security Vendor",
"country": "US",
"official-refs": [
"https://www.huntress.com/"
],
"product-type": [
"Managed Security",
"Endpoint Detection Response",
"Security Awareness Training"
],
"products": [
"Managed EDR",
"MDR for Microsoft 365",
"Security Awareness Training",
"Managed SIEM"
],
"refs": [
"https://www.huntress.com/",
"https://www.huntress.com/blog"
]
},
"uuid": "9bfc59a7-ab20-4ef0-8034-871956d4a9cc",
"value": "Huntress"
}
],
"version": 12
"version": 14
}

65
clusters/threat-actor.json
View file

@ -16918,6 +16918,71 @@
},
"uuid": "80a874d5-0645-4245-aeb6-9b33a8689928",
"value": "UNC1860"
},
{
"description": "SkidSec is a threat group that has engaged in operations targeting exposed printers in South Korea to disseminate North Korean propaganda, utilizing techniques such as printer exploitation and social engineering for evidence collection. The group has also experienced a leadership change following the loss of their leader, Govadmin, while continuing to mobilize their followers for various missions. They have humorously solicited financial support for their activities, framing it as a means to support their cause. Additionally, they have been noted for their potential to leak sensitive information from compromised devices.",
"meta": {
"refs": [
"https://socradar.io/dark-peep-7-shadows-of-betrayal-and-leadership-in-flux/",
"https://medium.com/@criminalip/skidsec-hacker-group-announces-plans-to-spread-north-korean-propaganda-through-hacked-printers-in-fdd314178dc4"
],
"synonyms": [
"SkidSec Leaks"
]
},
"uuid": "afca4b9c-2bdb-47ef-becc-1d5683d3d2fb",
"value": "SkidSec"
},
{
"description": "Awaken Likho is an APT group that has targeted Russian government agencies and industrial enterprises, employing techniques such as information gathering via search engines and using MeshCentral for remote access. The group has been active since at least December 2021 and has ramped up its activities following the Russo-Ukrainian conflict. Recent reports indicate that they are focusing on espionage against critical infrastructure in the defense and energy sectors. Analysis of their malware reveals a new version that is still in development, suggesting ongoing operational capabilities.",
"meta": {
"refs": [
"https://securelist.com/awaken-likho-apt-new-implant-campaign/114101/",
"https://bi.zone/eng/expertise/blog/core-werewolf-protiv-opk-i-kriticheskoy-infrastruktury/"
],
"synonyms": [
"Core Werewolf"
]
},
"uuid": "b3a4c34f-0ad6-4083-938a-958deb34b6c7",
"value": "Awaken Likho"
},
{
"description": "CeranaKeeper is a China-aligned APT that has been active since at least early 2022, primarily targeting governmental institutions in Asian countries. The group employs custom backdoors like TONESHELL and OneDoor, leveraging cloud services such as Dropbox and OneDrive for data exfiltration. CeranaKeeper utilizes techniques like side-loading, brute-force attacks, and the deployment of BAT scripts to extend its reach within compromised networks. Their operations are characterized by a relentless pursuit of sensitive data, adapting their toolset and methods to evade detection.",
"meta": {
"country": "CN",
"refs": [
"https://www.welivesecurity.com/en/eset-research/separating-bee-panda-ceranakeeper-making-beeline-thailand/"
]
},
"uuid": "a798eb63-b0b2-4da5-8a9e-d6e821f775eb",
"value": "CeranaKeeper"
},
{
"description": "SongXY is a Chinese APT group that employs phishing tactics to initiate cyberespionage campaigns. They utilize the Royal Road RTF builder, exploiting the CVE-2018-0798 vulnerability in Microsoft Equation Editor. In one instance, they sent a document containing a link to an attacker-controlled server, which automatically triggered upon opening, allowing them to gather information about the target's system configuration.",
"meta": {
"refs": [
"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/",
"http://www.ptsecurity.com/upload/corporate/ww-en/analytics/APT-Attacks-eng.pdf"
]
},
"uuid": "439a65b0-c4b4-4a09-a9c9-2c70476574ab",
"value": "SongXY"
},
{
"description": "TaskMasters is a state-sponsored Chinese APT that has been active since at least 2010, primarily targeting industrial, energy, and government sectors in Russia and the CIS. The group has been linked to the Webdav-O Trojan, which employs techniques to bypass network defenses by connecting to legitimate services. Investigations suggest that TaskMasters may have been involved in attacks against Russian federal executive authorities in 2020, potentially alongside another Chinese group, TA428. Additionally, the group has been associated with the BackDoor.RemShell.24 malware, indicating a diverse toolkit in their operations.",
"meta": {
"country": "CN",
"refs": [
"https://www.group-ib.com/blog/task/",
"https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/?utm_source=rss&utm_medium=rss&utm_campaign=apt-group-targeting-governmental-agencies-in-east-asia"
],
"synonyms": [
"BlueTraveller"
]
},
"uuid": "f6134b6c-56f1-4eda-be0f-79411d627f19",
"value": "TaskMasters"
}
],
"version": 316