From 8ed437784407c6f89569313181f47abeff6e61ad Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 20 Dec 2023 03:40:24 -0800
Subject: [PATCH 1/7] [threat-actors] Add BiBiGun

---
 clusters/threat-actor.json | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index e9b6cc9..99b8e7d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13825,6 +13825,20 @@
 },
 "uuid": "00b84012-fa25-4942-ad64-c76be24828a8",
 "value": "Sandman APT"
+ },
+ {
+ "description": "A pro-Hamas hacktivist group developed a wiper called BiBi-Linux to target and destroy data on Israeli systems. The malware impersonates ransomware but operates solely to corrupt and delete files, indicating no data theft. A Windows variant, BiBi-Windows, was also discovered, sharing similarities with BiBi-Linux but targeting all files except executables. ESET researchers have named the group behind the wipers BiBiGun. The group's TTPs have shown overlaps with Moses Staff, which is believed to have an Iran nexus.",
+ "meta": {
+ "country": "PS",
+ "refs": [
+ "https://twitter.com/ESETresearch/status/1719437301900595444",
+ "https://github.com/knight0x07/BiBi-Windows-Wiper-Analysis?tab=readme-ov-file",
+ "https://thehackernews.com/2023/11/new-bibi-windows-wiper-targets-windows.html",
+ "https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group"
+ ]
+ },
+ "uuid": "f8054f5b-45e5-4624-b8d0-1b9c30aa084e",
+ "value": "BiBiGun"
 }
 ],
 "version": 296
From a4c56efca87901cdaab85189b77c52b174b7ddf0 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 20 Dec 2023 03:40:25 -0800
Subject: [PATCH 2/7] [threat-actors] Add Storm-1283

---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 99b8e7d..97cc4f2 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
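Review bot: The added `"country": "PS"` encodes a firmer attribution than the entry's own description supports, which in the same hunk records TTP overlap with Moses Staff "believed to have an Iran nexus"; anyone pivoting on the `country` field gets a hard answer to a question the cited reporting leaves open (the Security Joes post describes a pro-Hamas persona, not a confirmed origin). I would either drop `country` or keep it alongside the confidence field this cluster file uses elsewhere, e.g. `"attribution-confidence": "50",`, and state in the description that the Hamas alignment is self-claimed by the persona. The second ref carries a GitHub UI query string that adds nothing to the citation; `"https://github.com/knight0x07/BiBi-Windows-Wiper-Analysis"` is the stable form.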
@@ -13839,6 +13839,16 @@
 },
 "uuid": "f8054f5b-45e5-4624-b8d0-1b9c30aa084e",
 "value": "BiBiGun"
+ },
+ {
+ "description": "Storm-1283 is a threat actor that targeted Microsoft Azure cloud platform. They gained access to user accounts and created OAuth applications using stolen credentials, allowing them to control resources and deploy virtual machines for cryptomining. The targeted organizations incurred significant financial losses ranging from $10,000 to $1.5 million. Storm-1283 utilized compromised accounts and subscriptions to carry out their illicit activities.",
+ "meta": {
+ "refs": [
+ "https://www.microsoft.com/en-us/security/blog/2023/12/12/threat-actors-misuse-oauth-applications-to-automate-financially-driven-attacks/"
+ ]
+ },
+ "uuid": "c9ffcc82-f7ac-46ce-9ea2-91e51d14e11b",
+ "value": "Storm-1283"
 }
 ],
 "version": 296
From 365bbbe24a910246ffd956f05a845a4fedce3115 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 20 Dec 2023 03:40:25 -0800
Subject: [PATCH 3/7] [threat-actors] Add Solntsepek

---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 97cc4f2..b021aa5 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
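Review bot: The first sentence of the description, "targeted Microsoft Azure cloud platform", misstates the victim: per the cited Microsoft post the targets were customer tenants and subscriptions, reached through compromised user accounts and then persisted via attacker-created OAuth applications. I would open with `"Storm-1283 compromised user accounts in victim Azure tenants, created OAuth applications with the stolen credentials, and used the resulting permissions to deploy virtual machines for cryptomining."` so the entry names the actual technique consumers will want to detect (OAuth app creation and consent by a compromised identity). The omission of `country` is correct here; Microsoft's Storm-#### prefix marks an actor still under development, and the description should say so in one clause, because the designation may be merged or renamed later.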
@@ -13849,6 +13849,18 @@
 },
 "uuid": "c9ffcc82-f7ac-46ce-9ea2-91e51d14e11b",
 "value": "Storm-1283"
+ },
+ {
+ "description": "Solntsepek is a threat actor group with ties to the Russian military unit GRU. They have claimed responsibility for a cyberattack on Kyivstar, a Ukrainian mobile operator, and have been linked to previous attacks on Ukrainian infrastructure. Solntsepek has been associated with the Sandworm hacking group, known for their destructive cyberattacks, including the NotPetya worm. They have also engaged in hostile activities, such as revealing personal details of Ukrainian soldiers.",
+ "meta": {
+ "country": "RU",
+ "refs": [
+ "https://kyivindependent.com/sbu-russian-hacker-group-reponsible-for-kyiv-star-cyberattack/",
+ "https://dev.ua/ru/news/atakovali-suspilne-provaiderov-i-minrazvitiya-obschin-kto-stoit-za-rossiiskoi-gruppirovkoi-solntsepek-kotoraya-aktivizirovala-napadeniya-na-ukrainskie-struktury"
+ ]
+ },
+ "uuid": "0b792fbe-87c2-42c5-8d0d-97c7d47078b5",
+ "value": "Solntsepek"
 }
 ],
 "version": 296
From 8e53536147b287a7131099b7406bd5381a02d474 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 20 Dec 2023 03:40:25 -0800
Subject: [PATCH 4/7] [threat-actors] Add UNC4736

---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index b021aa5..68e33ad 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
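Review bot: "ties to the Russian military unit GRU" in the description is wrong on its face: the GRU is Russia's military intelligence service, not a unit, and the Sandworm link the cited SBU statement draws is to a GRU unit rather than to "the GRU" as a unit. I would rewrite the opening as `"Solntsepek is a hacktivist persona that Ukraine's SBU has publicly linked to Russia's military intelligence service (GRU) and to the Sandworm group."`, which also makes clear that the attribution originates from the SBU rather than from independent analysis. Since both refs present Solntsepek as a front for Sandworm rather than a distinct actor, the entry should cross-reference the existing Sandworm cluster via a `related` entry (I have not verified that cluster's uuid, so it needs to be looked up rather than guessed) so that consumers do not count the two as separate actors. The misspelling "reponsible" in the first ref is part of the published URL and must stay as is.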
@@ -13861,6 +13861,17 @@
 },
 "uuid": "0b792fbe-87c2-42c5-8d0d-97c7d47078b5",
 "value": "Solntsepek"
+ },
+ {
+ "description": "UNC4736 is a North Korean threat actor that has been involved in supply chain attacks targeting software chains of 3CX and X_TRADER. They have used malware strains such as TAXHAUL, Coldcat, and VEILEDSIGNAL to compromise Windows and macOS systems. UNC4736 has been linked to financially motivated cybercrime operations, particularly focused on cryptocurrency and fintech-related services. They have also demonstrated infrastructure overlap with other North Korean and APT43 activity.",
+ "meta": {
+ "country": "KP",
+ "refs": [
+ "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
+ ]
+ },
+ "uuid": "afe5526e-e5e4-4b05-bc69-2bfb6785fc7e",
+ "value": "UNC4736"
 }
 ],
 "version": 296
From 38b67da12ffe87104575012f6d07dd2fd61725e3 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 20 Dec 2023 03:40:25 -0800
Subject: [PATCH 5/7] [threat-actors] Add Taidoor aliases

---
 clusters/threat-actor.json | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 68e33ad..456867f 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -8160,10 +8160,13 @@
 "meta": {
 "refs": [
 "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf",
- "https://attack.mitre.org/groups/G0015/"
+ "https://attack.mitre.org/groups/G0015/",
+ "https://www.trendmicro.com/en_us/research/22/j/tracking-earth-aughiskys-malware-and-changes.html",
+ "https://blog.reversinglabs.com/blog/taidoor-a-truly-persistent-threat"
 ],
 "synonyms": [
- "G0015"
+ "G0015",
+ "Earth Aughisky"
 ]
 },
 "uuid": "e6669606-91ad-11e9-b6f5-374843911989",
From b6ea7157b4e835f26b6bb6300bf57d60eff8b9a0 Mon Sep 17 00:00:00 2001
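Review bot: The malware names in the description are inconsistently cased: Mandiant writes its family names in upper case (TAXHAUL, VEILEDSIGNAL), so `Coldcat` should be `COLDCAT` for the entry to match the vendor's identifiers and the rest of the sentence. The phrase "supply chain attacks targeting software chains of 3CX and X_TRADER" also hides the point that makes this actor notable, a cascaded supply-chain compromise; I would write `"UNC4736 trojanized the X_TRADER installer from Trading Technologies, used that foothold on a 3CX employee's system to compromise 3CX's build environment, and shipped backdoored 3CX desktop clients for Windows and macOS."` The only ref is Mandiant's initial 3CX post; if the X_TRADER cascade stays in the description, Mandiant's later follow-up on that cascade should be cited as well, since the first post predates that finding.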
From: Mathieu4141
Date: Wed, 20 Dec 2023 03:40:25 -0800
Subject: [PATCH 6/7] [threat-actors] Add Tortoiseshell aliases

---
 clusters/threat-actor.json | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 456867f..cc51ce7 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -8536,12 +8536,20 @@
 {
 "description": "A previously undocumented attack group is using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appear to be supply chain attacks with the end goal of compromising the IT providers’ customers.\nThe group, which we are calling Tortoiseshell, has been active since at least July 2018. Symantec has identified a total of 11 organizations hit by the group, the majority of which are based in Saudi Arabia. In at least two organizations, evidence suggests that the attackers gained domain admin-level access.",
 "meta": {
+ "country": "IR",
 "refs": [
 "https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain",
- "https://www.darkreading.com/threat-intelligence/iranian-government-hackers-target-us-veterans/d/d-id/1335897"
+ "https://www.darkreading.com/threat-intelligence/iranian-government-hackers-target-us-veterans/d/d-id/1335897",
+ "https://ctoatncsc.substack.com/p/cto-at-ncsc-summary-week-ending-october",
+ "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html",
+ "https://ics-cert.kaspersky.com/publications/reports/2023/09/25/apt-and-financial-attacks-on-industrial-organizations-in-h1-2023/"
 ],
 "synonyms": [
- "IMPERIAL KITTEN"
+ "IMPERIAL KITTEN",
+ "Yellow Liderc",
+ "Imperial Kitten",
+ "TA456",
+ "Crimson Sandstorm"
 ]
 },
 "uuid": "5f108484-db7f-11e9-aaa4-fb0176425734",
From 2cd9cf28a25091d24724315b9d1ec9308873a5a0 Mon Sep 17 00:00:00 2001
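Review bot: The new `"Imperial Kitten",` line duplicates the existing `"IMPERIAL KITTEN"` synonym differing only in case; galaxy consumers that match aliases case-insensitively will treat it as a duplicate, and the repository's uniqueness checks may reject it, so drop the added line and keep the one already there. Adding `"country": "IR"` is consistent with the existing Dark Reading ref ("Iranian government hackers") and needs no further support. `Crimson Sandstorm` is Microsoft's current name; Microsoft's naming taxonomy lists a legacy name for the same actor, and if that mapping is confirmed against Microsoft's published table the old name belongs in `synonyms` too, since older reporting uses it.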
From: Mathieu4141
Date: Wed, 20 Dec 2023 03:40:25 -0800
Subject: [PATCH 7/7] [threat-actors] Add GambleForce

---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index cc51ce7..c5acd1c 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13883,6 +13883,16 @@
 },
 "uuid": "afe5526e-e5e4-4b05-bc69-2bfb6785fc7e",
 "value": "UNC4736"
+ },
+ {
+ "description": "GambleForce is a threat actor specializing in SQL injection attacks. They have targeted over 20 websites in various sectors across multiple countries, compromising six companies. GambleForce utilizes publicly available pentesting tools and has been active since mid-September 2023.",
+ "meta": {
+ "refs": [
+ "https://www.group-ib.com/blog/gambleforce-gang/"
+ ]
+ },
+ "uuid": "94ce7925-1a37-4b02-a25b-b87a389c92b3",
+ "value": "GambleForce"
 }
 ],
 "version": 296
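Review bot: "various sectors across multiple countries" and "publicly available pentesting tools" in the description discard the two things the cited Group-IB post is specific about, the targeted sectors and regions (the gambling focus is where the name comes from, alongside government, retail and travel victims, largely in Asia-Pacific) and the tool set, so the entry gives analysts nothing to pivot on. I would replace the second and third sentences with `"Group-IB observed it targeting gambling, government, retail and travel sites, mainly in the Asia-Pacific region, using open-source tooling (SQL injection and directory brute-forcing utilities, an open-source proxy, and a Cobalt Strike build) rather than custom malware."`, checked against the post before merging. Across all seven patches the `"version": 296` context line is left untouched; galaxy cluster files are expected to bump `version` when entries or aliases change, so the series should end with that bump.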