Merge pull request #519 from danielplohmann/crowdstrike2020report

adding new/updated threat actor names from CrowdStrike 2020 report
Alexandre Dulaunoy 2020-03-05 09:07:16 +01:00 committed by GitHub
commit 4a64d0a4ad
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -1673,7 +1673,8 @@
"country": "CN",
"refs": [
"https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/",
"http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/"
"http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
],
"synonyms": [
"APT23",
@ -1897,7 +1898,8 @@
"https://www.justice.gov/opa/pr/former-us-counterintelligence-agent-charged-espionage-behalf-iran-four-iranians-charged-cyber",
"https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/",
"https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf",
"https://attack.mitre.org/groups/G0058/"
"https://attack.mitre.org/groups/G0058/",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
],
"synonyms": [
"Newscaster",
@ -2827,7 +2829,8 @@
"http://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign",
"https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/",
"https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
"https://attack.mitre.org/groups/G0046/"
"https://attack.mitre.org/groups/G0046/",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
],
"synonyms": [
"Carbanak",
@ -2908,7 +2911,8 @@
"https://www.symantec.com/connect/blogs/russian-bank-employees-received-fake-job-offers-targeted-email-attack",
"https://www.forcepoint.com/blog/security-labs/highly-evasive-code-injection-awaits-user-interaction-delivering-malware",
"https://www.kaspersky.com/blog/financial-trojans-2019/25690/",
"https://www.welivesecurity.com/2015/04/09/operation-buhtrap/"
"https://www.welivesecurity.com/2015/04/09/operation-buhtrap/",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
]
},
"uuid": "b737c51f-b579-49d5-a907-743b2e6d03cb",
@ -4272,7 +4276,11 @@
"https://www.lookingglasscyber.com/wp-content/uploads/2015/08/Operation_Armageddon_Final.pdf",
"https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution/",
"https://attack.mitre.org/groups/G0047/",
"https://github.com/StrangerealIntel/CyberThreatIntel/tree/master/Russia/APT/Gamaredon"
"https://github.com/StrangerealIntel/CyberThreatIntel/tree/master/Russia/APT/Gamaredon",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
],
"synonyms": [
"Primitive Bear"
]
},
"related": [
@ -4417,11 +4425,13 @@
"refs": [
"https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7",
"https://www.bleepingcomputer.com/news/security/longhorn-cyber-espionage-group-is-actually-the-cia/",
"https://www.cfr.org/interactive/cyber-operations/longhorn"
"https://www.cfr.org/interactive/cyber-operations/longhorn",
"http://blogs.360.cn/post/APT-C-39_CIA_EN.html"
],
"synonyms": [
"Lamberts",
"the Lamberts"
"the Lamberts",
"APT-C-39"
]
},
"related": [
@ -6478,7 +6488,8 @@
"country": "CN",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/mustang-panda",
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/"
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
]
},
"uuid": "78bf726c-a9e6-11e8-9e43-77249a2f7339",
@ -6499,7 +6510,11 @@
"refs": [
"https://www.cfr.org/interactive/cyber-operations/thrip",
"https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets",
"https://attack.mitre.org/groups/G0076/"
"https://attack.mitre.org/groups/G0076/",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
],
"synonyms": [
"LOTUS PANDA"
]
},
"uuid": "98be4300-a9ef-11e8-9a95-bb9221083cfc",
@ -6928,7 +6943,8 @@
"https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/"
],
"synonyms": [
"SectorJ04 Group"
"SectorJ04 Group",
"GRACEFUL SPIDER"
]
},
"uuid": "03c80674-35f8-4fe0-be2b-226ed0fcd69f",
@ -7017,7 +7033,8 @@
],
"synonyms": [
"Silence",
"Silence APT group"
"Silence APT group",
"WHISPER SPIDER"
]
},
"uuid": "0d5e17fd-7a71-47fd-b4bc-867cdb833726",
@ -7032,11 +7049,13 @@
"https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/",
"https://securelist.com/chafer-used-remexi-malware/89538/",
"https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets",
"https://attack.mitre.org/groups/G0087/"
"https://attack.mitre.org/groups/G0087/",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
],
"synonyms": [
"APT 39",
"Chafer"
"Chafer",
"REMIX KITTEN"
]
},
"uuid": "c2c64bd3-a325-446f-91a8-b4c0f173a30b",
@ -7077,7 +7096,8 @@
"meta": {
"refs": [
"https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
"https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/"
"https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
]
},
"uuid": "80f07c15-cad3-44a2-a8a4-dd14490b5117",
@ -7097,7 +7117,8 @@
"description": "Beginning in January 2018 and persisting through the first half of the year, CrowdStrike Intelligence observed SALTY SPIDER, developer and operator of the long-running Sality botnet, distribute malware designed to target cryptocurrency users.",
"meta": {
"refs": [
"https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/"
"https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
]
},
"uuid": "7e37be6b-5a94-45f3-bdeb-f494c520eee3",
@ -7107,7 +7128,8 @@
"description": "This adversary is suspected of continuing to target upstream providers (e.g., law firms and managed service providers) to support additional intrusions against high-profile assets. In 2018, CrowdStrike observed this adversary using spear-phishing, URL 'web bugs' and scheduled tasks to automate credential harvesting.",
"meta": {
"refs": [
"https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/"
"https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
]
},
"uuid": "d7a41ada-6687-4a6b-8b5c-396808cdd758",
@ -7117,7 +7139,8 @@
"description": "One of the first observed adopters of the 8.t exploit document builder in late 2017, further KRYPTONITE PANDA activity was limited in 2018. Last known activity for this adversary occurred in June 2018 and involved suspected targeting of Cambodia.",
"meta": {
"refs": [
"https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/"
"https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
]
},
"uuid": "393ebaad-4f05-4b35-bd31-45ac4ae7472d",
@ -7372,7 +7395,11 @@
"refs": [
"https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/",
"https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/",
"https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/"
"https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
],
"synonyms": [
"CIRCUIT PANDA"
]
},
"uuid": "320c42f7-eab7-4ef9-b09a-74396caa6c3e",
@ -7737,7 +7764,11 @@
"description": "A previously undocumented attack group is using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appear to be supply chain attacks with the end goal of compromising the IT providers customers.\nThe group, which we are calling Tortoiseshell, has been active since at least July 2018. Symantec has identified a total of 11 organizations hit by the group, the majority of which are based in Saudi Arabia. In at least two organizations, evidence suggests that the attackers gained domain admin-level access.",
"meta": {
"refs": [
"https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain"
"https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain",
"https://www.darkreading.com/threat-intelligence/iranian-government-hackers-target-us-veterans/d/d-id/1335897"
],
"synonyms": [
"IMPERIAL KITTEN"
]
},
"uuid": "5f108484-db7f-11e9-aaa4-fb0176425734",
@ -7967,6 +7998,106 @@
},
"uuid": "87af83a4-ced4-4e7c-96a6-86612dc095b1",
"value": "InvisiMole"
},
{
"description": "Publicly known as 'EmpireMonkey', ANTHROPOID SPIDER conducted phishing campaigns in February and March 2019, spoofing French, Norwegian and Belizean financial regulators and institutions. These campaigns used macro-enabled Microsoft documents to deliver the PowerShell Empire post-exploitation framework. ANTHROPOID SPIDER likely enabled a breach that allegedly involved fraudulent transfers over the SWIFT network.",
"meta": {
"refs": [
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
"https://www.kaspersky.com/about/press-releases/2019_fin7-hacking-group-targets-more-than-130-companies-after-leaders-arrest",
"https://fortiguard.com/encyclopedia/botnet/7630456"
],
"synonyms": [
"Empire Monkey",
"CobaltGoblin"
]
},
"uuid": "559a64d8-8657-4a93-9208-060d52efdec4",
"value": "ANTHROPOID SPIDER"
},
{
"description": "Opportunistic actor that installs custom root certificate on victim to support man-in-the-middle network monitoring.",
"meta": {
"refs": [
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
"https://na.eventscloud.com/file_uploads/6568237bca6dc156e5c5557c5989e97c_CrowdStrikeFal.Con2019_ThroughEyesOfAdversary_J.Ayers.pdf"
]
},
"uuid": "2d2f3b53-c544-4823-a65f-da53ff8f594e",
"value": "CLOCKWORD SPIDER"
},
{
"description": "In June 2019, CrowdStrike Intelligence observed a source code fork of BitPaymer and began tracking the new ransomware strain as DoppelPaymer. Further technical analysis revealed an increasing divergence between two versions of Dridex, with the new version dubbed DoppelDridex. Based on this evidence, CrowdStrike Intelligence assessed with high confidence that a new group split off from INDRIK SPIDER to form the adversary DOPPEL SPIDER. Following DOPPEL SPIDERs inception, CrowdStrike Intelligence observed multiple BGH incidents attributed to the group, with the largest known ransomware demand being 250 BTC. Other demands were not nearly as high, suggesting that the group conducts network reconnaissance to determine the value of the victim organization.",
"meta": {
"refs": [
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
]
},
"uuid": "2154b183-c5c5-418f-8e47-f6e999b64e30",
"value": "DOPPEL SPIDER"
},
{
"description": "Spambots continued to decline in 2019, with MONTY SPIDERs CraP2P spambot falling silent in April.",
"meta": {
"refs": [
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
]
},
"uuid": "168a9e38-70e3-4542-b78f-afa2414436bb",
"value": "MONTY SPIDER"
},
{
"description": "NARWHAL SPIDERs operation of Cutwail v2 was limited to country-specific spam campaigns, although late in 2019 there appeared to be an effort to expand by bringing in INDRIK SPIDER as a customer.",
"meta": {
"refs": [
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
]
},
"uuid": "fda9cdea-0017-495e-879d-0f348db2aa07",
"value": "NARWHAL SPIDER"
},
{
"description": "Mentioned as MaaS operator in CrowdStrike's 2020 Report.",
"meta": {
"refs": [
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
]
},
"uuid": "c042c592-25f6-4887-8a1b-6b8e3bfdcf0c",
"value": "NOCTURNAL SPIDER"
},
{
"description": "Mentioned as operator of DanaBot in CrowdStrike's 2020 Report.",
"meta": {
"refs": [
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
]
},
"uuid": "7fb1662e-0257-4606-b3a2-bf294c64c098",
"value": "SCULLY SPIDER"
},
{
"description": "Mentioned as operator of SmokeLoader in CrowdStrike's 2020 Report.",
"meta": {
"refs": [
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
]
},
"uuid": "e27796eb-624a-4e41-aa40-52d47c764b07",
"value": "SMOKY SPIDER"
},
{
"description": "VENOM SPIDER is the developer of a large toolset that includes SKID, VenomKit and Taurus Loader. Under the moniker 'badbullzvenom', the adversary has been an active member of Russian underground forums since at least 2012, specializing in the identification of vulnerabilities and the subsequent development of tools for exploitation, as well as for gaining and maintaining access to victim machines and carding services. Recent advertisements for the malware indicate that VENOM SPIDER limits the sale and use of its tools, selling modules only to trusted affiliates. This preference can be seen in the fact that adversaries observed using the tools include the targeted criminal adversary COBALT SPIDER and BGH adversaries WIZARD SPIDER and PINCHY SPIDER.",
"meta": {
"refs": [
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
],
"synonyms": [
"badbullzvenom"
]
},
"uuid": "86b4e2f3-8bbf-48fd-9d27-034d3ac3b187",
"value": "VENOM SPIDER"
}
],
"version": 156
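Review bot: The new cluster with uuid `2d2f3b53-c544-4823-a65f-da53ff8f594e` is named `"value": "CLOCKWORD SPIDER"`, which looks like a typo for CrowdStrike's CLOCKWORK SPIDER; because `value` is the name MISP matches on and the uuid is now fixed, a misspelling silently breaks correlation with the name used in the cited report, so please check the referenced PDF and, if confirmed, change it to `"value": "CLOCKWORK SPIDER"` before this ships. In the same hunk the ANTHROPOID SPIDER entry lists the synonym `"Empire Monkey"` while its own description says the group is publicly known as `'EmpireMonkey'`; carrying the spelling the sources actually use (or both) avoids the same lookup miss. Several added descriptions also drop the possessive apostrophe (`DOPPEL SPIDERs`, `MONTY SPIDERs`, `NARWHAL SPIDERs`), which is worth fixing while the text is still fresh.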