This commit is contained in:
Delta-Sierra 2024-01-31 15:51:14 +01:00
commit 3e5bf4b373
2 changed files with 2254 additions and 1689 deletions

File diff suppressed because it is too large Load diff

View file

@ -9253,13 +9253,16 @@
"https://github.com/fireeye/sunburst_countermeasures", "https://github.com/fireeye/sunburst_countermeasures",
"https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware", "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware",
"https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html", "https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html",
"https://unit42.paloaltonetworks.com/atoms/solarphoenix/" "https://unit42.paloaltonetworks.com/atoms/solarphoenix/",
"https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/",
"https://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/"
], ],
"synonyms": [ "synonyms": [
"DarkHalo", "DarkHalo",
"StellarParticle", "StellarParticle",
"NOBELIUM", "NOBELIUM",
"Solar Phoenix" "Solar Phoenix",
"Midnight Blizzard"
] ]
}, },
"related": [ "related": [
@ -14035,7 +14038,14 @@
"meta": { "meta": {
"country": "CN", "country": "CN",
"refs": [ "refs": [
"https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/" "https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/",
"https://www.rewterz.com/rewterz-news/rewterz-threat-advisory-ivanti-vpn-zero-days-weaponized-by-unc5221-threat-actors-to-deploy-multiple-malware-families-active-iocs/",
"https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day",
"https://quointelligence.eu/2024/01/unc5221-unreported-and-undetected-wirefire-web-shell-variant/",
"https://www.volexity.com/blog/2024/01/18/ivanti-connect-secure-vpn-exploitation-new-observations/"
],
"synonyms": [
"UNC5221"
] ]
}, },
"uuid": "f288f686-b5b3-4c86-9960-5f8fb18709a3", "uuid": "f288f686-b5b3-4c86-9960-5f8fb18709a3",
@ -14113,7 +14123,19 @@
}, },
"uuid": "bbb389f2-344f-4ca8-a9c9-902061f88deb", "uuid": "bbb389f2-344f-4ca8-a9c9-902061f88deb",
"value": "Cotton Sandstorm" "value": "Cotton Sandstorm"
},
{
"description": "Blackwood is a China-aligned APT group that has been active since at least 2018. They primarily engage in cyberespionage operations targeting individuals and companies in China, Japan, and the United Kingdom. Blackwood utilizes sophisticated techniques such as adversary-in-the-middle attacks to deliver their custom implant, NSPX30, through updates of legitimate software. They also have the capability to hide the location of their command and control servers by intercepting traffic generated by the implant.",
"meta": {
"country": "CN",
"refs": [
"https://www.welivesecurity.com/en/eset-research/nspx30-sophisticated-aitm-enabled-implant-evolving-since-2005/",
"https://blog.sonicwall.com/en-us/2024/01/blackwood-apt-group-has-a-new-dll-loader/"
]
},
"uuid": "46e26e5c-ad74-45aa-a654-1afef67f4566",
"value": "Blackwood"
} }
], ],
"version": 297 "version": 298
} }