Merge remote-tracking branch 'MISP/main'

This commit is contained in:
Christophe Vandeplas 2024-06-11 15:23:06 +02:00
commit 50d42dc598
No known key found for this signature in database
GPG key ID: BDC48619FFDC5A5B
6 changed files with 4914 additions and 1513 deletions


@ -461,7 +461,18 @@
},
"uuid": "0adf6f0f-3795-4de1-9763-1bdd1c31a5d7",
"value": "Cisco Talos Intelligence Group"
},
{
"description": "Headquartered in The Hague, the Netherlands, Europols mission is to support its Member States in preventing and combating all forms of serious international and organised crime, cybercrime and terrorism. Europol also works with many non-EU partner states and international organisations.",
"meta": {
"country": "NL",
"official-refs": [
"https://www.europol.europa.eu/"
]
},
"uuid": "f6eae887-7ee4-4999-a909-5eef291c40cc",
"value": "Europol"
}
],
"version": 6
"version": 7
}
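Review bot: The new Europol description on line 18 reads `Europols mission`, which should be `Europol's mission`; the rest of the entry (country, official-refs, uuid, value) is consistent with the Cisco Talos entry above it. The `official-refs` list only carries the organisation's home page, so if the description text was taken from a specific page it would be worth adding that URL so the wording can be checked later.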



@ -1044,5 +1044,5 @@
"value": "Non-profit organisation"
}
],
"version": 5
"version": 6
}



@ -2397,7 +2397,8 @@
"https://unit42.paloaltonetworks.com/atoms/fighting-ursa/",
"https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag",
"https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/",
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html"
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html",
"https://bluepurple.binaryfirefly.com/p/bluepurple-pulse-week-ending-june-64e"
],
"synonyms": [
"Pawn Storm",
@ -2423,7 +2424,9 @@
"UAC-0028",
"FROZENLAKE",
"Sofacy",
"Forest Blizzard"
"Forest Blizzard",
"BlueDelta",
"Fancy Bear"
],
"targeted-sector": [
"Military",
@ -8967,6 +8970,19 @@
{
"description": "An actor mainly targeting Pakistan military targets, active since at least 2012. We have low confidence that this malware might be authored by an Indian company. To spread the malware, they use unique implementations to leverage the exploits of known vulnerabilities (such as CVE-2017-11882) and later deploy a Powershell payload in the final stages.",
"meta": {
"cfr-suspected-state-sponsor": "India",
"cfr-suspected-victims": [
"China",
"Pakistan",
"Nepal",
"Afghanistan"
],
"cfr-target-category": [
"Government",
"Military",
"Private Sector"
],
"country": "IN",
"refs": [
"https://securelist.com/apt-trends-report-q1-2018/85280/",
"https://blog.trendmicro.com/trendlabs-security-intelligence/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group/",
@ -15981,7 +15997,99 @@
},
"uuid": "53ac2695-35ba-4ab2-a5cd-48ca533f1b72",
"value": "Void Manticore"
},
{
"description": "ALPHA SPIDER is a threat actor known for developing and operating the Alphv ransomware as a service. They have been observed using novel offensive techniques, such as exploiting software vulnerabilities and leveraging legitimate administration tools for malicious activities. ALPHA SPIDER affiliates have demonstrated persistence in exfiltrating data and have shown the ability to bypass security measures like DNS-based filtering and multifactor authentication. Despite lacking specific operational security measures, defenders have opportunities to detect and respond to ALPHA SPIDER's operations effectively.",
"meta": {
"refs": [
"https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/"
],
"synonyms": [
"ALPHV Ransomware Group"
]
},
"uuid": "6149f3b6-510d-4e45-bf88-cd25c7193702",
"value": "Alpha Spider"
},
{
"description": "RansomHub is a rapidly growing ransomware group believed to be an updated version of the older Knight ransomware. They have been linked to attacks exploiting the Zerologon vulnerability to gain initial access. RansomHub has attracted former affiliates of the ALPHV ransomware group and operates as a Ransomware-as-a-Service with a unique affiliate prepayment model. The group has been active in extorting victims and leaking sensitive data to pressure for ransom payments.",
"meta": {
"refs": [
"https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomhub-knight-ransomware",
"https://forescoutstage.wpengine.com/blog/analysis-a-new-ransomware-group-emerges-from-the-change-healthcare-cyber-attack/",
"https://www.sentinelone.com/blog/ransomware-evolution-how-cheated-affiliates-are-recycling-victim-data-for-profit/"
]
},
"uuid": "9d218bb3-fc59-43e0-a273-a0a0fb5c463e",
"value": "RansomHub"
},
{
"description": "Unfading Sea Haze is a threat actor focused on espionage, targeting government and military organizations in the South China Sea region since 2018. They employ spear-phishing emails with malicious attachments to gain initial access, followed by the deployment of custom malware such as Gh0st RAT variants and SharpJSHandler. The group utilizes scheduled tasks and manipulates local administrator accounts for persistence, while also incorporating Remote Monitoring and Management tools into their attacks. Unfading Sea Haze demonstrates a sophisticated and patient approach, remaining undetected for years and showing adaptability through evolving exfiltration tactics and malware arsenal.",
"meta": {
"country": "CN",
"refs": [
"https://www.securityweek.com/newly-detected-chinese-group-targeting-military-government-entities/",
"https://www.bleepingcomputer.com/news/security/unfading-sea-haze-hackers-hide-on-military-and-govt-networks-for-6-years/"
]
},
"uuid": "58e75098-8edc-48ce-b1de-c1a8647e33d3",
"value": "Unfading Sea Haze"
},
{
"description": "Stucx is a threat actor known for targeting Israeli systems, including SCADA systems and the Red Alert missile protection system. Stucx Team has also developed a mobile application called MyOPECS for coordinating attacks, which includes features like DDoS attacks and is expected to add more capabilities in the future. Additionally, they have been observed using VPNs and proxy software to conceal their activities and have a history of making threats against those who cooperate with Israel.",
"meta": {
"refs": [
"https://socradar.io/reflections-of-the-israel-palestine-conflict-on-the-cyber-world/",
"https://www.darkowl.com/blog-content/2-month-review-of-cyber-activities-in-the-israel-hamas-conflict/"
]
},
"uuid": "ee13ddb3-e8c0-4568-b56c-82d82c30f48b",
"value": "StucxTeam"
},
{
"description": "FlyingYeti is a Russia-aligned threat actor targeting Ukrainian military entities. They conduct reconnaissance activities and launch phishing campaigns using malware like COOKBOX. FlyingYeti exploits the WinRAR vulnerability CVE-2023-38831 to infect targets with malicious payloads. Cloudforce One has successfully disrupted their operations and provided recommendations for defense against their phishing campaigns.",
"meta": {
"country": "RU",
"refs": [
"https://blog.cloudflare.com/disrupting-flyingyeti-campaign-targeting-ukraine"
]
},
"uuid": "1dcbad05-c5b7-4ec3-8920-45f396554f7a",
"value": "FlyingYeti"
},
{
"description": "SEXi is a ransomware group that targets VMware ESXi servers, encrypting data and demanding ransom payments. They have been observed encrypting virtual machines and backups, causing significant disruptions to services. The group's name is a play on the word \"ESXi,\" indicating a deliberate focus on these systems. SEXi has been linked to other ransomware variants based on the Babuk source code.",
"meta": {
"refs": [
"https://www.cybersecurity-insiders.com/proven-data-restores-powerhosts-vmware-backups-after-sexi-ransomware-attack/",
"https://heimdalsecurity.com/blog/powerhosts-esxi-servers-encrypted-with-new-sexi-ransomware/",
"https://www.darkreading.com/threat-intelligence/sexi-ransomware-desires-vmware-hypervisors"
]
},
"uuid": "1bd2034f-a135-4c71-b08f-867b7f9e7998",
"value": "SEXi"
},
{
"description": "LilacSquid is an APT actor targeting a variety of industries worldwide since at least 2021. They use tactics such as exploiting vulnerabilities and compromised RDP credentials to gain access to victim organizations. Their post-compromise activities involve deploying MeshAgent and a customized version of QuasarRAT known as PurpleInk to maintain control over infected systems. LilacSquid has been observed using tools like Secure Socket Funneling for data exfiltration.",
"meta": {
"refs": [
"https://blog.talosintelligence.com/lilacsquid/"
]
},
"uuid": "efacc258-fa0e-4686-99d2-03bab14a640e",
"value": "LilacSquid"
},
{
"description": "Hunt3r Kill3rs is a newly emerged threat group claiming expertise in cyber operations, including ICS breaches and web application vulnerabilities exploitation. They have discussed using Java fuzzing in their exploits and have made unverified claims of joint attacks with other threat actors.",
"meta": {
"country": "RU",
"refs": [
"https://socradar.io/dark-web-profile-hunt3r-kill3rs/"
]
},
"uuid": "4b32ad58-972e-4aa2-be3d-ff875ed06eba",
"value": "Hunt3r Kill3rs"
}
],
"version": 309
"version": 310
}
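Review bot: The RansomHub reference on line 113 points at `https://forescoutstage.wpengine.com/...`, a staging host rather than the publisher's production site, so the link is likely to vanish or be access-restricted; it should be replaced with the published forescout.com URL of the same post before this is merged. The `country` values added for Unfading Sea Haze (line 123) and Hunt3r Kill3rs (line 179) are firmer than their own descriptions support — the latter explicitly says the group's claims are unverified — so either drop `country` for those two entries or state in the description which reference supports the attribution. In the APT28 synonyms hunk ending at line 67, `Fancy Bear` is a long-standing alias that may already appear earlier in the same list outside the hunk; check for a duplicate before merging.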


@ -0,0 +1,152 @@
import requests
import json
import time
import uuid
import re
from pathlib import Path
# open clusters/ransomware
ransompath = Path(__file__).parent.parent.parent / 'clusters' / 'ransomware.json'
ransomware_galaxy = ransompath.open("r")
ransom_galaxy = json.load(ransomware_galaxy)
ransomware_galaxy.close()
# get groups names from ransomlook
ransomlook_groups = requests.get("https://www.ransomlook.io/api/groups")
ransomlook_groups = ransomlook_groups.json()
# tracking updated and created clusters
updated = []
created = []
# preparing name groups exception management
# For now, only seen exceptions are groups with a known synonym in parentheses
# ex: "Eraleign (Apt73)"
exceptions = []
pattern = re.compile(r'^(.*)\((.*)\)$')
for rlookgroup in ransomlook_groups:
match = pattern.match(rlookgroup)
if match:
# Name as registred in ransomlook, first known name, synonym
exceptions.append((rlookgroup, match.group(1).strip(), match.group(2).strip()))
for rlookgroup in ransomlook_groups:
# check if it is an exception
true_rlookgroup = rlookgroup
synonym = ""
if exceptions:
for exception in exceptions:
if rlookgroup.lower() == exception[0].lower():
rlookgroup = exception[1]
synonym = exception[2]
break
# get data from ransomlook
ransom_data = requests.get(
"https://www.ransomlook.io/api/group/" + str(true_rlookgroup)
).json()
# checking if the cluster exists
cluster_exist = False
for cluster in ransom_galaxy['values']:
if cluster['value'].lower() == rlookgroup.lower():
cluster_exist = True
elif 'meta' in cluster:
if 'synonyms' in cluster['meta']:
for syn in cluster['meta']['synonyms']:
if syn.lower() == rlookgroup.lower():
cluster_exist = True
# Updating the cluster if existing
if cluster_exist == True:
if 'description' not in cluster:
if ransom_data[0]['meta'] is not None:
cluster['description'] = ransom_data[0]['meta']
if 'meta' not in cluster:
cluster['meta'] = {}
if 'links' not in cluster['meta']:
cluster['meta']['links'] = []
if 'locations' in ransom_data[0]:
for location in ransom_data[0]['locations']:
if location['slug'] not in cluster['meta']['links']:
cluster['meta']['links'].append(location['slug'])
if synonym:
if 'synonyms' not in cluster['meta']:
cluster['meta']['synonyms'] = []
cluster['meta']['synonyms'].append(synonym)
if 'refs' not in cluster['meta']:
cluster['meta']['refs'] = []
if 'profile' in ransom_data[0]:
for url in ransom_data[0]['profile']:
if url not in cluster['meta']['refs']:
cluster['meta']['refs'].append(url)
url = "https://www.ransomlook.io/group/" + true_rlookgroup
if url not in cluster['meta']['refs']:
cluster['meta']['refs'].append(url)
if 'uuid' not in cluster:
cluster['uuid'] = str(
uuid.uuid5(
uuid.UUID('10cf658b-5d32-4c4b-bb32-61760a640372'), rlookgroup
)
)
break
if cluster_exist == True:
updated.append(str(rlookgroup))
else:
# creating a new cluster
created.append(str(rlookgroup))
new_cluster = {}
new_cluster['value'] = rlookgroup
if ransom_data[0]['meta'] is not None:
new_cluster['description'] = ransom_data[0]['meta']
new_cluster['meta'] = {}
new_cluster['meta']["links"] = []
if 'locations' in ransom_data[0]:
for location in ransom_data[0]['locations']:
if location['slug'] not in new_cluster['meta']['links']:
new_cluster['meta']["links"].append(location['slug'])
if synonym:
new_cluster['meta']['synonyms'] = []
new_cluster['meta']['synonyms'].append(synonym)
new_cluster['meta']["refs"] = []
url = "https://www.ransomlook.io/group/" + true_rlookgroup
if url not in new_cluster['meta']['refs']:
new_cluster['meta']['refs'].append(url)
if 'profile' in ransom_data[0]:
for url in ransom_data[0]['profile']:
if url not in new_cluster['meta']['refs']:
new_cluster['meta']["refs"].append(url)
new_cluster['uuid'] = str(
uuid.uuid5(uuid.UUID('10cf658b-5d32-4c4b-bb32-61760a640372'), rlookgroup)
)
ransom_galaxy['values'].append(new_cluster)
print("\n" + str(len(updated)) + " clusters updated:")
print(updated)
print("\n" + str(len(created)) + " clusters created:")
print(created)
print("\nTotal modified :" + str(len(updated) + len(created)))
ransom_galaxy['version'] = ransom_galaxy['version'] + 1
tojson = json.dumps(ransom_galaxy, indent=2, ensure_ascii=False)
ransomware_galaxy = ransompath.open("w+")
ransomware_galaxy.write(tojson)
ransomware_galaxy.close()
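Review bot: Both `requests.get` calls (lines 207 and 233) run with no `timeout` and no status check, so a stalled or erroring ransomlook.io endpoint either hangs the script or hands a non-list body to `ransom_data[0]` at line 249, which then raises part-way through the loop; the group name is also concatenated unquoted into the request path at line 234, so a name containing `/`, `?` or `#` changes which path is fetched. Add a timeout, call `raise_for_status()`, percent-encode the path segment (`from urllib.parse import quote` next to the other imports) and skip groups whose response is empty, as sketched below — if ransomlook group names legitimately contain `/`, the `safe` argument needs adjusting. The synonym appends at lines 262 and 296 do not check for an existing entry, so re-running the script duplicates synonyms; `if synonym not in cluster['meta']['synonyms']:` in front of line 262 keeps the update idempotent. Everything taken from the API (`meta`, `locations[].slug`, `profile[]`) is written into the repository file verbatim, so a shape check (string, list of strings) and a look at the generated diff before committing are worthwhile, since the galaxy is consumed downstream as trusted data.
```python
# … unchanged: imports (add `from urllib.parse import quote`), galaxy load …
resp = requests.get("https://www.ransomlook.io/api/groups", timeout=30)
resp.raise_for_status()
ransomlook_groups = resp.json()
# … unchanged: exception-name preparation …
for rlookgroup in ransomlook_groups:
    # … unchanged: exception lookup, true_rlookgroup / synonym …
    resp = requests.get(
        "https://www.ransomlook.io/api/group/" + quote(true_rlookgroup, safe=""),
        timeout=30,
    )
    resp.raise_for_status()
    ransom_data = resp.json()
    if not isinstance(ransom_data, list) or not ransom_data:
        continue
    # … unchanged: cluster lookup, update / create …
```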