From f042f98247f00afadffc5f1b2fd0fc250b9ddd45 Mon Sep 17 00:00:00 2001
From: StefanKelm
Date: Mon, 8 Jun 2020 14:09:39 +0200
Subject: [PATCH 01/10] Update threat-actor.json Higaisa
---
 clusters/threat-actor.json | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 572c9cf..a42411e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -8304,7 +8304,8 @@
 ],
 "country": "KR",
 "refs": [
- "https://s.tencent.com/research/report/836.html"
+ "https://s.tencent.com/research/report/836.html",
+ "https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/"
 ]
 },
 "uuid": "a9df6cb7-74ff-482f-b23b-ac40e975a31a",
@@ -8341,5 +8342,5 @@
 "value": "COBALT KATANA"
 }
 ],
- "version": 162
+ "version": 163
 }
From 9365bfb7cdad11638deeb52dafa84b3e1793fada Mon Sep 17 00:00:00 2001
From: Rony
Date: Thu, 11 Jun 2020 23:42:35 +0530
Subject: [PATCH 02/10] Adding GALLIUM Threat Actor
---
 clusters/threat-actor.json | 40 ++++++++++++++++++++++----------------
 1 file changed, 23 insertions(+), 17 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index a42411e..1c873d3 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -1158,13 +1158,6 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
- },
- {
- "dest-uuid": "8dda51ef-9a30-48f7-b0fd-5b6f0a62262d",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "suspected-link"
 }
 ],
 "uuid": "56b37b05-72e7-4a89-ba8a-61ce45269a8c",
@@ -7916,16 +7909,9 @@
 },
 "related": [
 {
- "dest-uuid": "56b37b05-72e7-4a89-ba8a-61ce45269a8c",
+ "dest-uuid": "e400b6c5-77cf-453d-ba0f-44575583ac6c",
 "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "suspected-link"
- },
- {
- "dest-uuid": "6085aad0-1d95-11ea-a140-078d42aced40",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
+ "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "similar"
 }
@@ -8340,7 +8326,27 @@
 },
 "uuid": "d1c25b0e-e4c5-4b7c-b790-2e185cb2f07e",
 "value": "COBALT KATANA"
+ },
+ {
+ "description": "GALLIUM, is a threat actor believed to be targeting telecommunication providers over the world, mostly South-East Asia, Europe and Africa. To compromise targeted networks, GALLIUM target unpatched internet-facing services using publicly available exploits and have been known to target vulnerabilities in WildFly/JBoss.",
+ "meta": {
+ "refs": [
+ "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
+ "https://www.youtube.com/watch?v=fBFm2fiEPTg"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "8dda51ef-9a30-48f7-b0fd-5b6f0a62262d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type":"similar"
+ }
+ ],
+ "uuid": "e400b6c5-77cf-453d-ba0f-44575583ac6c",
+ "value": "GALLIUM"
 }
 ],
- "version": 163
+ "version": 164
 }
From 29be5ac7e1d1b6d174a86c370f63198512c61339 Mon Sep 17 00:00:00 2001
From: Rony
Date: Fri, 12 Jun 2020 00:09:59 +0530
Subject: [PATCH 03/10] fixed typo!
---
 clusters/threat-actor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 1c873d3..eb9c0ec 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
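Review bot: The rewritten `related` list drops the existing `similar` relation to `6085aad0-1d95-11ea-a140-078d42aced40` and the `suspected-link` to `56b37b05-…` without the commit message ("Adding GALLIUM") saying why; the new GALLIUM entry only points at `8dda51ef-…`, so whatever this cluster shared with `6085aad0` is no longer recorded anywhere in this patch. If the reverse relation on the `6085aad0` cluster still exists (it is not touched here), the relation graph is now asymmetric. Keep the `6085aad0` entry, or if it was wrong, remove it in a separate commit with a one-line justification. The enclosing cluster's `uuid` is outside the hunk; from the symmetric removal in the `-1158` hunk it appears to be the `8dda51ef` (Soft Cell) entry, but that is inferred.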
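Review bot: The new GALLIUM cluster asserts `almost-certain` similarity to `8dda51ef-…` on the strength of a vendor blog and a conference video, while the relation it replaces was tagged `likely`; raising the confidence should be backed by a ref that states the overlap explicitly, otherwise keep `estimative-language:likelihood-probability="likely"`. The entry also has no `synonyms` or `country` meta, unlike neighbouring clusters (the Higaisa hunk above carries `"country": "KR"`), so add `synonyms` if the Microsoft post names the same activity under another label — verify before adding rather than guessing. Minor wording in the new description: `GALLIUM, is a threat actor` should lose the comma and `GALLIUM target … and have been known` should read `GALLIUM targets … and has been known`. `"type":"similar"` lacks the space the rest of the file uses; the later jq pass fixes it, but running `jq` before committing keeps the history clean.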
@@ -7420,7 +7420,7 @@
 "https://www.microsoft.com/security/blog/2017/03/27/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005/",
 "https://duo.com/decipher/apt-groups-moving-down-the-supply-chain",
 "https://redalert.nshc.net/2019/12/03/threat-actor-targeting-hong-kong-activists",
- "https:/twitter.com/bkMSFT/status/1201876664667582466",
+ "https://twitter.com/bkMSFT/status/1201876664667582466",
 "https://www.secureworks.com/research/threat-profiles/bronze-vinewood"
 ],
 "synonyms": [
From 0cb36249a4c6b6556dac8fddb795134c09038e52 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 12 Jun 2020 09:26:30 +0200
Subject: [PATCH 04/10] chg: [jq] all the things
---
 clusters/threat-actor.json | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index eb9c0ec..e841a8f 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -8341,11 +8341,11 @@
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
- "type":"similar"
+ "type": "similar"
 }
- ],
- "uuid": "e400b6c5-77cf-453d-ba0f-44575583ac6c",
- "value": "GALLIUM"
+ ],
+ "uuid": "e400b6c5-77cf-453d-ba0f-44575583ac6c",
+ "value": "GALLIUM"
 }
 ],
 "version": 164
From 583f1d2fc20d9caad03ca045b912840fba1e5f31 Mon Sep 17 00:00:00 2001
From: StefanKelm
Date: Wed, 17 Jun 2020 11:56:29 +0200
Subject: [PATCH 05/10] Update threat-actor.json TA505
---
 clusters/threat-actor.json | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index e841a8f..4b1c439 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7012,6 +7012,10 @@
 "https://threatpost.com/ta505-servhelper-malware/140792/",
 "https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/",
 "https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/",
+ "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
+ "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/servhelper-evolution-and-new-ta505-campaigns/",
+ "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672",
+ "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104",
 "https://www.secureworks.com/research/threat-profiles/gold-tahoe"
 ],
 "synonyms": [
@@ -8348,5 +8352,5 @@
 "value": "GALLIUM"
 }
 ],
- "version": 164
+ "version": 165
 }
From bc97b0708901d89336fe55d45fb251f704a1dbd1 Mon Sep 17 00:00:00 2001
From: Rony
Date: Sun, 21 Jun 2020 19:19:17 +0530
Subject: [PATCH 06/10] Update threat-actor.json
---
 clusters/threat-actor.json | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index e841a8f..1067ab0 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7891,11 +7891,12 @@
 "meta": {
 "refs": [
 "https://www.proofpoint.com/us/threat-insight/post/lookback-forges-ahead-continued-targeting-united-states-utilities-sector-reveals",
- "https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks"
+ "https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks",
+ "https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new"
 ]
 },
 "uuid": "5cd95926-0098-435e-892d-9c9f61763ad7",
- "value": "LookBack"
+ "value": "TA410"
 },
 {
 "description": "In 2018, the Cybereason Nocturnus team identified an advanced, persistent attack targeting global telecommunications providers carried out by a threat actor using tools and techniques commonly associated with Chinese-affiliated threat actors, such as APT10. This multi-wave attacks focused on obtaining data of specific, high-value targets and resulted in a complete takeover of the network.",
From 92bc206879a65f89b6aba34501af323841053bf1 Mon Sep 17 00:00:00 2001
From: StefanKelm
Date: Tue, 23 Jun 2020 14:54:09 +0200
Subject: [PATCH 07/10] Update threat-actor.json APT30
---
 clusters/threat-actor.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 4b1c439..42d990c 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -3681,6 +3681,7 @@
 "cfr-type-of-incident": "Espionage",
 "country": "CN",
 "refs": [
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/",
 "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
 "https://attack.mitre.org/wiki/Group/G0013",
 "https://www.cfr.org/interactive/cyber-operations/apt-30"
@@ -8352,5 +8353,5 @@
 "value": "GALLIUM"
 }
 ],
- "version": 165
+ "version": 166
 }
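Review bot: Renaming `"value": "LookBack"` to `"value": "TA410"` silently breaks every MISP tag of the form `misp-galaxy:threat-actor="LookBack"` already attached to events, because the galaxy value is the tag text while the `uuid` stays the same. The file already handles this with `synonyms` (see the `"synonyms": [` arrays in the other hunks), so keep the old name reachable: add `"synonyms": [ "LookBack" ]` under `meta` of this cluster. It would also help to say in the description that LookBack is the malware and TA410 the group behind it, which is what the slug of the new Proofpoint ref suggests but the cluster does not state. Note this patch is based on `e841a8f` rather than the preceding one and does not bump `version`, unlike every sibling patch, so the merge will need its own bump.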
From 14665429d745c9414073d870ad28f58fbc7cfa41 Mon Sep 17 00:00:00 2001
From: StefanKelm
Date: Thu, 25 Jun 2020 16:23:00 +0200
Subject: [PATCH 08/10] Update threat-actor.json APT31
---
 clusters/threat-actor.json | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 42d990c..b486d1a 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7426,6 +7426,8 @@
 "https://duo.com/decipher/apt-groups-moving-down-the-supply-chain",
 "https://redalert.nshc.net/2019/12/03/threat-actor-targeting-hong-kong-activists",
 "https://twitter.com/bkMSFT/status/1201876664667582466",
+ "https://www.secureworks.com/research/bronz-vinewood-uses-hanaloader-to-target-government-supply-chain",
+ "https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains",
 "https://www.secureworks.com/research/threat-profiles/bronze-vinewood"
 ],
 "synonyms": [
@@ -8353,5 +8355,5 @@
 "value": "GALLIUM"
 }
 ],
- "version": 166
+ "version": 167
 }
From 86a8f04be3d7122a049bb66062409e5cf9308a72 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Thu, 2 Jul 2020 11:27:08 +0200
Subject: [PATCH 09/10] chg: Bump travis
---
 .travis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.travis.yml b/.travis.yml
index 3cd29fc..013d41b 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -18,7 +18,7 @@ install:
 - git clone https://github.com/MISP/PyMISPGalaxies.git
 - pushd PyMISPGalaxies
 - git submodule update --init
- - git submodule foreach git pull origin master
+ - git submodule foreach git pull origin main
 - pipenv install -d
 - popd
 - popd
From ba46bb6a0bffb515c9d76f7f95650c5ab6f3d8f4 Mon Sep 17 00:00:00 2001
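Review bot: The first added reference, `https://www.secureworks.com/research/bronz-vinewood-uses-hanaloader-to-target-government-supply-chain`, spells the group `bronz-vinewood` whereas the next line and the existing threat-profile URL both use `bronze-vinewood`, which looks like a dropped letter in the slug. Please confirm the link resolves and, if it does not, change it to `https://www.secureworks.com/research/bronze-vinewood-uses-hanaloader-to-target-government-supply-chain`. This is the same `refs` array whose `https:/` typo was fixed in patch 03, so fetching each new URL once before committing would catch both kinds of mistake.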
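Review bot: `git submodule foreach git pull origin main` still pulls a moving branch head on top of the revision that `git submodule update --init` just checked out, so CI tests against whatever is on each submodule's `main` at that moment rather than the pinned commit — non-reproducible, and it means unreviewed upstream content is fetched and executed by the build. Changing `master` to `main` keeps that behaviour and additionally assumes every submodule has renamed its default branch; `foreach` aborts on the first one that has not. Prefer deleting the `pull` line and relying on the pinned submodule commits, or if the intent is to test PyMISPGalaxies against this checkout, replace only that submodule with the repository under test. The same unpinned-fetch concern applies to `git clone https://github.com/MISP/PyMISPGalaxies.git` above it; the `install:` stanza continues beyond the hunk.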
From: Alexandre Dulaunoy
Date: Tue, 7 Jul 2020 09:13:21 +0200
Subject: [PATCH 10/10] chg: [threat-actor] fix #561 by using new meta to classify as a campaign only. Based on https://github.com/MISP/misp-galaxy/issues/469 There is an old and persistent issue in the attribution world, and basically no-one really agrees on this. So we decided to start a specific metadata `threat-actor-classification` on the threat-actor to define the various types per cluster entry: - _operation_: - _A military operation is the coordinated military actions of a state, or a non-state actor, in response to a developing situation. These actions are designed as a military plan to resolve the situation in the state or actor's favor. Operations may be of a combat or non-combat nature and may be referred to by a code name for the purpose of national security. Military operations are often known for their more generally accepted common usage names than their actual operational objectives._ from Wikipedia - **In the context of MISP threat-actor name, it's a single specific operation.** - _campaign_: - _The term military campaign applies to large scale, long duration, significant military strategy plans incorporating a series of inter-related military operations or battles forming a distinct part of a larger conflict often called a war.
The term derives from the plain of Campania, a place of annual wartime operations by the armies of the Roman Republic._ from Wikipedia - **In the context of MISP threat-actor-name, it's long-term activity which might be composed of one or more operations.** - threat-actor - **In the context of MISP threat-actor-name, it's an agreed name by a set of organisations.** - activity group - **In the context of MISP threat-actor-name, it's a group defined by its set of common techniques or activities.** - unknown - **In the context of MISP threat-actor-name, it's still not clear if it's an operation, campaign, threat-actor or activity group** The meta field is an array to allow specific cluster of threat-actor to show the current disagreement between different organisations about the type (threat actor, activity group, campaign and operation).
---
 clusters/threat-actor.json | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 6b5c86b..df7cb52 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6810,6 +6810,9 @@
 ],
 "synonyms": [
 "Roaming Mantis Group"
+ ],
+ "threat-actor-classification": [
+ "campaign"
 ]
 },
 "uuid": "b27beb94-ce25-11e8-8e11-2f1a59bd0e91",
@@ -8356,5 +8359,5 @@
 "value": "GALLIUM"
 }
 ],
- "version": 167
+ "version": 168
 }
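Review bot: `threat-actor-classification` is introduced as an open array of free-form strings, while the commit message defines a closed vocabulary (operation, campaign, threat-actor, activity group, unknown); nothing in this patch enforces it, so a typo such as `"campain"` or a stray duplicate will pass unnoticed. If the repository validates cluster `meta` against a JSON schema (not shown here), add the key there as `"type": "array", "uniqueItems": true` with `"items": {"enum": [...]}` listing the five values. The vocabulary also mixes `activity group` (space) with `threat-actor` (hyphen); pick `activity-group` so values can be used verbatim as tag components. Only Roaming Mantis receives the key in this commit, so a line in the message or README stating that absence means "not yet classified" rather than `unknown` would stop readers conflating the two.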