From d6ade514bc86e4dca450e936b766a8402ae2f564 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 7 Oct 2024 03:58:02 -0700
Subject: [PATCH 1/8] [threat-actors] Add SkidSec
---
 clusters/threat-actor.json | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 34844ed..dab0b0e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16918,6 +16918,20 @@
 },
 "uuid": "80a874d5-0645-4245-aeb6-9b33a8689928",
 "value": "UNC1860"
+ },
+ {
+ "description": "SkidSec is a threat group that has engaged in operations targeting exposed printers in South Korea to disseminate North Korean propaganda, utilizing techniques such as printer exploitation and social engineering for evidence collection. The group has also experienced a leadership change following the loss of their leader, Govadmin, while continuing to mobilize their followers for various missions. They have humorously solicited financial support for their activities, framing it as a means to support their cause. Additionally, they have been noted for their potential to leak sensitive information from compromised devices.",
+ "meta": {
+ "refs": [
+ "https://socradar.io/dark-peep-7-shadows-of-betrayal-and-leadership-in-flux/",
+ "https://medium.com/@criminalip/skidsec-hacker-group-announces-plans-to-spread-north-korean-propaganda-through-hacked-printers-in-fdd314178dc4"
+ ],
+ "synonyms": [
+ "SkidSec Leaks"
+ ]
+ },
+ "uuid": "afca4b9c-2bdb-47ef-becc-1d5683d3d2fb",
+ "value": "SkidSec"
 }
 ],
 "version": 316
From dfe6e6dfabc46068929494c23c02105ace990cdc Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 7 Oct 2024 03:58:02 -0700
Subject: [PATCH 2/8] [threat-actors] Add Awaken Likho
---
 clusters/threat-actor.json | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index dab0b0e..78ed7f8 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
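Review bot: The SkidSec description spends two of its four sentences on a leadership change and a fundraising appeal, which do not help an analyst matching activity to this cluster, while the operationally useful part (exposed printers in South Korea used to push North Korean propaganda) is left undated and phrased as "printer exploitation", which overstates things if, as the Medium title's "hacked printers" and the description's own "exposed printers" suggest, the devices were simply reachable from the internet; verify against the refs before merging. I would trim the description to targeting, technique and period, e.g. `SkidSec is a hacktivist-style group that announced plans to use internet-exposed printers in South Korea to print North Korean propaganda.`, keep the `SkidSec Leaks` alias in `synonyms`, and leave the leadership and funding details out. The second ref appears to be Criminal IP's Medium account; if the original vendor post is available, cite it directly, and note that the first ref is a weekly round-up rather than primary reporting. No motive or classification meta is set; if the galaxy's `motive` or `threat-actor-classification` fields apply to this entry, populate them so the DPRK-propaganda angle is not mistaken for state attribution.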
@@ -16932,6 +16932,20 @@
 },
 "uuid": "afca4b9c-2bdb-47ef-becc-1d5683d3d2fb",
 "value": "SkidSec"
+ },
+ {
+ "description": "Awaken Likho is an APT group that has targeted Russian government agencies and industrial enterprises, employing techniques such as information gathering via search engines and using MeshCentral for remote access. The group has been active since at least December 2021 and has ramped up its activities following the Russo-Ukrainian conflict. Recent reports indicate that they are focusing on espionage against critical infrastructure in the defense and energy sectors. Analysis of their malware reveals a new version that is still in development, suggesting ongoing operational capabilities.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/awaken-likho-apt-new-implant-campaign/114101/",
+ "https://bi.zone/eng/expertise/blog/core-werewolf-protiv-opk-i-kriticheskoy-infrastruktury/"
+ ],
+ "synonyms": [
+ "Core Werewolf"
+ ]
+ },
+ "uuid": "b3a4c34f-0ad6-4083-938a-958deb34b6c7",
+ "value": "Awaken Likho"
 }
 ],
 "version": 316
From 182102f73899b7345d623d8d50359c282ffc5e67 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 7 Oct 2024 03:58:02 -0700
Subject: [PATCH 3/8] [threat-actors] Add CeranaKeeper
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 78ed7f8..4e3e522 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
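Review bot: The Awaken Likho entry mints a new UUID while adding `Core Werewolf` as a synonym, and since that BI.ZONE name predates Kaspersky's, the galaxy may already have a cluster under it; check for an existing `Core Werewolf` entry before merging, because a duplicate splits attribution across two UUIDs (the rest of the file is outside this hunk, so I cannot confirm either way). The description's "ramped up its activities following the Russo-Ukrainian conflict" and "a new version that is still in development" are undated, relative phrasings that will age badly; anchor them to the reporting, e.g. `Kaspersky's Securelist analysis (first ref) reported a new implant variant still under development`, or drop the last sentence. No `country` or attribution-confidence meta is set, which is consistent with the description not naming an origin; keep it that way rather than implying one from the victimology.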
@@ -16946,6 +16946,17 @@
 },
 "uuid": "b3a4c34f-0ad6-4083-938a-958deb34b6c7",
 "value": "Awaken Likho"
+ },
+ {
+ "description": "CeranaKeeper is a China-aligned APT that has been active since at least early 2022, primarily targeting governmental institutions in Asian countries. The group employs custom backdoors like TONESHELL and OneDoor, leveraging cloud services such as Dropbox and OneDrive for data exfiltration. CeranaKeeper utilizes techniques like side-loading, brute-force attacks, and the deployment of BAT scripts to extend its reach within compromised networks. Their operations are characterized by a relentless pursuit of sensitive data, adapting their toolset and methods to evade detection.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.welivesecurity.com/en/eset-research/separating-bee-panda-ceranakeeper-making-beeline-thailand/"
+ ]
+ },
+ "uuid": "a798eb63-b0b2-4da5-8a9e-d6e821f775eb",
+ "value": "CeranaKeeper"
 }
 ],
 "version": 316
From 2137a86586816edac3a9362b749f63276553231b Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 7 Oct 2024 03:58:02 -0700
Subject: [PATCH 4/8] [threat-actors] Add SongXY
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 4e3e522..db5c3d8 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
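Review bot: The CeranaKeeper description lists `TONESHELL` as one of the group's custom backdoors, but the cited ESET post is, per its URL, about separating the "bee" (CeranaKeeper) from the "panda" (Mustang Panda), and TONESHELL is generally reported as Mustang Panda tooling; confirm in the ref whether ESET attributes TONESHELL to CeranaKeeper or merely observed it alongside CeranaKeeper's own tools, and if the latter, remove it from the description so this cluster does not absorb another actor's indicators. The same URL names Thailand ("beeline-thailand"), so "governmental institutions in Asian countries" can be made precise, e.g. `primarily targeting governmental institutions in Thailand and other Asian countries`, and the galaxy's victim/target-category meta could be filled in accordingly. "Characterized by a relentless pursuit of sensitive data" is editorial; a neutral statement of observed targets, tooling and exfiltration channels (Dropbox and OneDrive, as already stated) is what analysts need.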
@@ -16957,6 +16957,17 @@
 },
 "uuid": "a798eb63-b0b2-4da5-8a9e-d6e821f775eb",
 "value": "CeranaKeeper"
+ },
+ {
+ "description": "SongXY is a Chinese APT group that employs phishing tactics to initiate cyberespionage campaigns. They utilize the Royal Road RTF builder, exploiting the CVE-2018-0798 vulnerability in Microsoft Equation Editor. In one instance, they sent a document containing a link to an attacker-controlled server, which automatically triggered upon opening, allowing them to gather information about the target's system configuration.",
+ "meta": {
+ "refs": [
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/",
+ "http://www.ptsecurity.com/upload/corporate/ww-en/analytics/APT-Attacks-eng.pdf"
+ ]
+ },
+ "uuid": "439a65b0-c4b4-4a09-a9c9-2c70476574ab",
+ "value": "SongXY"
 }
 ],
 "version": 316
From 8c9ee3b293adafa1b0ed45afeba5ebc36bd17523 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 7 Oct 2024 03:58:02 -0700
Subject: [PATCH 5/8] [threat-actors] Add TaskMasters
---
 clusters/threat-actor.json | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index db5c3d8..40c3e41 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
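Review bot: The SongXY description calls the group "a Chinese APT group" but the entry sets no `country`, whereas the CeranaKeeper and TaskMasters entries in this same series carry `"country": "CN"`; either add `"country": "CN"` to `meta` here or soften the text to "suspected Chinese" so prose and meta agree. The second ref is a plain `http://` link to a ptsecurity.com PDF while its sibling ref on the same host uses https; change it to `https://www.ptsecurity.com/upload/corporate/ww-en/analytics/APT-Attacks-eng.pdf` so the galaxy does not send analysts to a cleartext download. The first ref is titled as a Higaisa write-up; if it only mentions SongXY in passing or as a comparison, say so in the description so the reader knows what the citation supports.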
@@ -16968,6 +16968,21 @@
 },
 "uuid": "439a65b0-c4b4-4a09-a9c9-2c70476574ab",
 "value": "SongXY"
+ },
+ {
+ "description": "TaskMasters is a state-sponsored Chinese APT that has been active since at least 2010, primarily targeting industrial, energy, and government sectors in Russia and the CIS. The group has been linked to the Webdav-O Trojan, which employs techniques to bypass network defenses by connecting to legitimate services. Investigations suggest that TaskMasters may have been involved in attacks against Russian federal executive authorities in 2020, potentially alongside another Chinese group, TA428. Additionally, the group has been associated with the BackDoor.RemShell.24 malware, indicating a diverse toolkit in their operations.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.group-ib.com/blog/task/",
+ "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/?utm_source=rss&utm_medium=rss&utm_campaign=apt-group-targeting-governmental-agencies-in-east-asia"
+ ],
+ "synonyms": [
+ "BlueTraveller"
+ ]
+ },
+ "uuid": "f6134b6c-56f1-4eda-be0f-79411d627f19",
+ "value": "TaskMasters"
 }
 ],
 "version": 316
From 3ac6bb3080c3ca42f23ea32ead3a262d01738ca4 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 7 Oct 2024 03:58:03 -0700
Subject: [PATCH 6/8] [threat actors] Update README
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index bea1cde..1e1075d 100644
--- a/README.md
+++ b/README.md
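Review bot: The second TaskMasters ref carries RSS tracking parameters (`?utm_source=rss&utm_medium=rss&utm_campaign=...`) that serve no purpose in a reference list; trim it to `https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/`. The description ties the group to `TA428` in prose; if the galaxy already has a TA428 cluster, that overlap is better expressed through the galaxy's `related` field than as a sentence, and `BlueTraveller` should be checked against existing clusters before a new UUID is minted (the rest of the file is outside this hunk, so I cannot confirm either). "Investigations suggest" and "may have been involved" are appropriately hedged, but naming whose investigation (Group-IB, the first ref) inline would let readers judge the confidence.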
@@ -599,7 +599,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements
 [Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
-Category: *actor* - source: *MISP Project* - total: *746* elements
+Category: *actor* - source: *MISP Project* - total: *751* elements
 [[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]
From e7ac294850a16f024c7dca9b2c8edda0e7a39c8a Mon Sep 17 00:00:00 2001
From: rectifyq <170057705+rectifyq@users.noreply.github.com>
Date: Wed, 9 Oct 2024 12:57:36 +0000
Subject: [PATCH 7/8] chg: [producer] added Recorded Future, Cyble, Cyfirma, SentinelOne, Fortinet, Zscaler, Splunk and Huntress.
---
 clusters/producer.json | 252 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 251 insertions(+), 1 deletion(-)
diff --git a/clusters/producer.json b/clusters/producer.json
index 72fa059..6e61eb2 100644
--- a/clusters/producer.json
+++ b/clusters/producer.json
@@ -668,7 +668,257 @@
 "description": "Cloudflare, Inc. is an American company that provides content delivery network services, cloud cybersecurity, DDoS mitigation, wide area network services, reverse proxies, Domain Name Service, and ICANN-accredited domain registration services. Cloudflare's headquarters are in San Francisco, California.",
 "uuid": "a0a87034-b8ff-4991-9ae1-e650a43292ef",
 "value": "Cloudflare"
+ },
+ {
+ "description": "Recorded Future, Inc. is an American privately held cybersecurity company founded in 2009, with headquarters in Somerville, Massachusetts.",
+ "meta": {
+ "company-type": "Cyber Security Vendor",
+ "country": "US",
+ "official-refs": [
+ "https://www.recordedfuture.com/"
+ ],
+ "product-type": [
+ "Digital Risk Protection",
+ "Threat Intelligence",
+ "Exposure Management",
+ "Threat Intelligence Feeds"
+ ],
+ "products": [
+ "Threat Intelligence",
+ "Brand Intelligence",
+ "SecOps Intelligence",
+ "Vulnerability Intelligence",
+ "Third-Party Intelligence",
+ "Geopolitical Intelligence",
+ "Attack Surface Intelligence",
+ "Identity Intelligence",
+ "Payment Fraud Intelligence",
+ "Analyst On Demand"
+ ],
+ "refs": [
+ "https://en.wikipedia.org/wiki/Recorded_Future",
+ "https://www.recordedfuture.com/resources"
+ ],
+ "synonyms": [
+ "Recorded Future, Inc",
+ "Insikt Group"
+ ]
+ },
+ "uuid": "ad7032df-0e9a-4ea9-b35c-c68ff854be80",
+ "value": "Recorded Future"
+ },
+ {
+ "description": "Cyble empowers organizations to take control of their cyber risks with AI-driven, cybersecurity platforms.",
+ "meta": {
+ "company-type": "Cyber Security Vendor",
+ "country": "US",
+ "official-refs": [
+ "https://cyble.com/"
+ ],
+ "product-type": [
+ "Digital Risk Protection",
+ "Threat Intelligence",
+ "Exposure Management"
+ ],
+ "products": [
+ "Cyble Vision",
+ "Cyble Hawk",
+ "AmIBreached",
+ "Odin",
+ "The Cyber Express"
+ ],
+ "refs": [
+ "https://cyble.com/resources/",
+ "https://thecyberexpress.com/"
+ ],
+ "synonyms": "The Cyber Express"
+ },
+ "uuid": "43e3e0a8-a12d-450a-8f2d-94915123549c",
+ "value": "Cyble"
+ },
+ {
+ "description": "CYFIRMA is a threat discovery and cyber-intelligence company with the world’s first platform that can deliver predictive cyber-intelligence",
+ "meta": {
+ "company-type": "Cyber Intelligence Provider",
+ "country": "SG",
+ "official-refs": [
+ "https://www.cyfirma.com/"
+ ],
+ "product-type": [
+ "Threat Intelligence",
+ "Digital Risk Protection",
+ "Mobile App"
+ ],
+ "products": [
+ "DeCYFIR",
+ "DeTCT",
+ "DeFNCE"
+ ],
+ "refs": [
+ "https://www.cyfirma.com/research/",
+ "https://golden.com/wiki/CYFIRMA-K46ZYP8"
+ ]
+ },
+ "uuid": "9d804c53-f307-421c-9f4d-41061c7eee62",
+ "value": "Cyfirma"
+ },
+ {
+ "description": "SentinelOne, Inc. is an American cybersecurity company listed on NYSE based in Mountain View, California.",
+ "meta": {
+ "company-type": "Cyber Security Vendor",
+ "country": "US",
+ "official-refs": [
+ "https://www.sentinelone.com/"
+ ],
+ "product-type": [
+ "Endpoint Protection",
+ "Endpoint Detection Response",
+ "Deception Technology"
+ ],
+ "products": [
+ "Singularity Platform",
+ "Singularity Identity",
+ "Singularity Hologram"
+ ],
+ "refs": "https://www.sentinelone.com/labs/",
+ "synonyms": "Sentinel One"
+ },
+ "uuid": "996c48de-7bb8-414d-b6fe-ec94abb5f461",
+ "value": "SentinelOne"
+ },
+ {
+ "description": "Fortinet, Inc. is a cybersecurity company with headquarters in Sunnyvale, California. The company develops and sells security solutions like firewalls, endpoint security and intrusion detection systems.",
+ "meta": {
+ "company-type": "Cyber Security Vendor",
+ "country": "US",
+ "official-refs": [
+ "https://www.fortinet.com/"
+ ],
+ "product-type": [
+ "Firewall",
+ "Application delivery controller",
+ "SOAR",
+ "Web application firewall / API security",
+ "Network security platform"
+ ],
+ "products": [
+ "FortiADC",
+ "FortiAnalyzer",
+ "FortiAuthenticator",
+ "FortiCASB",
+ "FortiClient",
+ "FortiEDR",
+ "FortiCNP",
+ "FortiDDos",
+ "FortiDeceptor",
+ "FortiExtender",
+ "FortiGate",
+ "FortiIsolator",
+ "FortiMail",
+ "FortiManager",
+ "FortiNAC",
+ "FortiPAM",
+ "FortiSandbox",
+ "FortiSIEM",
+ "FortiSASE",
+ "FortiSOAR",
+ "FortiSwitch",
+ "FortiTester",
+ "FortiToken",
+ "FortiVoice",
+ "FortiWeb"
+ ],
+ "refs": [
+ "https://en.wikipedia.org/wiki/Fortinet",
+ "https://www.fortinet.com/blog/threat-research"
+ ]
+ },
+ "uuid": "bfafdca5-3171-4953-86ab-c74f44822fd3",
+ "value": "Fortinet"
+ },
+ {
+ "description": "Zscaler, Inc. (/ˈziːˌskeɪlər/) is an American cloud security company based in San Jose, California. The company offers cloud-based services to protect enterprise networks and data.",
+ "meta": {
+ "company-type": "Cyber Security Vendor",
+ "country": "US",
+ "official-refs": [
+ "https://www.zscaler.com/"
+ ],
+ "product-type": [
+ "Secure Web Gateway",
+ "SASE",
+ "VPN",
+ "CASB",
+ "DLP"
+ ],
+ "products": [
+ "Zscaler Internet Access",
+ "Zscaler Private Access",
+ "Zscaler Digital Experience",
+ "Zscaler Zero Trust Exchange"
+ ],
+ "refs": [
+ "https://www.zscaler.com/blogs?type=security-research",
+ "https://en.wikipedia.org/wiki/Zscaler"
+ ]
+ },
+ "uuid": "1427d7df-a9b8-4809-afe0-1180cfdd930d",
+ "value": "Zscaler"
+ },
+ {
+ "description": "Splunk Inc. is an American software company based in San Francisco, California, that produces software for searching, monitoring, and analyzing machine-generated data via a web-style interface.",
+ "meta": {
+ "company-type": "Cyber Security Vendor",
+ "country": "US",
+ "product-type": [
+ "SIEM",
+ "Observability",
+ "SOAR",
+ "UEBA"
+ ],
+ "products": [
+ "Splunk Enterprise Security",
+ "Splunk ITSI",
+ "Splunk SOAR",
+ "Splunk Observability Cloud",
+ "Splunk UEBA"
+ ],
+ "refs": [
+ "https://www.splunk.com/",
+ "https://www.splunk.com/en_us/blog/security.html",
+ "https://en.wikipedia.org/wiki/Splunk"
+ ]
+ },
+ "uuid": "7acb73f9-83c8-4a1d-88e5-873bad8659fa",
+ "value": "Splunk"
+ },
+ {
+ "description": "Huntress Labs Incorporated operates as a security software solution provider. The Company provides managed threat detection and response services to uncover, address persistent footholds that prevent defenses. Huntress Labs serves customers in the United States.",
+ "meta": {
+ "company-type": "Cyber Security Vendor",
+ "country": "US",
+ "official-refs": [
+ "https://www.huntress.com/"
+ ],
+ "product-type": [
+ "Managed Security",
+ "Endpoint Detection Response",
+ "Security Awareness Training"
+ ],
+ "products": [
+ "Managed EDR",
+ "MDR for Microsoft 365",
+ "Security Awareness Training",
+ "Managed SIEM"
+ ],
+ "refs": [
+ "https://www.huntress.com/",
+ "https://www.huntress.com/blog"
+ ]
+ },
+ "uuid": "9bfc59a7-ab20-4ef0-8034-871956d4a9cc",
+ "value": "Huntress"
 }
 ],
- "version": 12
+ "version": 13
 }
From 4c58ed03b09ed3bcdbc240183e861146e74184c3 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 10 Oct 2024 06:37:03 +0200
Subject: [PATCH 8/8] fix: [producer] refs are arrays
---
 clusters/producer.json | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/clusters/producer.json b/clusters/producer.json
index 6e61eb2..c26e25a 100644
--- a/clusters/producer.json
+++ b/clusters/producer.json
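Review bot: Splunk is the only one of the eight entries in this hunk with no `official-refs` array; its vendor site `https://www.splunk.com/` is placed under `refs` next to Wikipedia and a blog, so add `"official-refs": [ "https://www.splunk.com/" ]` and leave `refs` for third-party and research links as the other seven entries do. Cyble's `"synonyms": "The Cyber Express"` is a bare string where every other entry and the threat-actor clusters use an array, and The Cyber Express is also listed under `products`, which suggests it is a publication rather than an alternate name for the company; make the field an array or drop it. The Cyble, Cyfirma and Huntress descriptions read as marketing or company-profile copy ("empowers organizations", "world's first platform", "uncover, address persistent footholds that prevent defenses"), and the Cyfirma one lacks a terminating period; the Recorded Future, Fortinet and Zscaler entries show the neutral encyclopedic style the file should use throughout.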
@@ -780,7 +780,9 @@
 "Singularity Identity",
 "Singularity Hologram"
 ],
- "refs": "https://www.sentinelone.com/labs/",
+ "refs": [
+ "https://www.sentinelone.com/labs/"
+ ],
 "synonyms": "Sentinel One"
 },
 "uuid": "996c48de-7bb8-414d-b6fe-ec94abb5f461",
@@ -920,5 +922,5 @@
 "value": "Huntress"
 }
 ],
- "version": 13
+ "version": 14
 }
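Review bot: The fix turns SentinelOne's `refs` into an array but leaves `"synonyms": "Sentinel One"` on the very next line as a bare string, so the entry still carries a field of the wrong type, and Cyble's `"synonyms": "The Cyber Express"` earlier in the file has the same problem; every other entry visible in this series uses `"synonyms": [ ... ]`. Change it to `"synonyms": [ "Sentinel One" ]` (and fix Cyble likewise) in the same commit, since a consumer expecting a list will either iterate the string character by character or reject the cluster, depending on how strict it is. A quick guard before release would be `jq '.values[] | select((.meta.synonyms | type) == "string" or (.meta.refs | type) == "string") | .value' clusters/producer.json`, which should print nothing.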