From 58f3cc2e11f57a92dbc4ea283a792117e88cc596 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:55 -0800 Subject: [PATCH 01/99] [threat-actors] Add Gamaredon Group aliases --- clusters/threat-actor.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index e58977d..927b991 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -4561,7 +4561,9 @@ "Shuckworm", "Trident Ursa", "UAC-0010", - "Winterflounder" + "Winterflounder", + "Aqua Blizzard", + "Actinium" ] }, "related": [ From 732d00998bac604807369d3fd51e519a165c6f0b Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:55 -0800 Subject: [PATCH 02/99] [threat-actors] Add Denim Tsunami --- clusters/threat-actor.json | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 927b991..fa460f7 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
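Review bot: The two synonyms appended after `"Winterflounder",` arrive with no supporting entry in `refs`, so a reader cannot tell which report ties Aqua Blizzard and Actinium to the Gamaredon cluster; the alias hunks for DEV-0586, GALLIUM, BRONZE STARLIGHT, Kimsuky, OilRig, WIZARD SPIDER and APT33 later in the series do add a source, and the same gap applies to the other alias-only hunks (APT40, Turla, HAFNIUM, TiltedTemple, APT32, APT28, LAPSUS, FIN6, Earth Lusca, ENERGETIC BEAR, APT31, Fox Kitten, MosesStaff, PARINACOTA). Adding the vendor post the alias was taken from to `refs` would make the attribution auditable. Casing is also out of step with the rest of the series: the other legacy Microsoft element names are added in upper case (`"THALLIUM"`, `"EUROPIUM"`, `"RUBIDIUM"`, `"BOHRIUM"`, `"CERIUM"`), so this one should probably read `"ACTINIUM"`.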
@@ -14137,6 +14137,23 @@ }, "uuid": "46e26e5c-ad74-45aa-a654-1afef67f4566", "value": "Blackwood" + }, + { + "description": "Denim Tsunami is a threat actor group that has been involved in targeted attacks against European and Central American customers. They have been observed using multiple Windows and Adobe 0-day exploits, including one for CVE-2022-22047, which is a privilege escalation vulnerability. Denim Tsunami developed a custom malware called Subzero, which has capabilities such as keylogging, capturing screenshots, data exfiltration, and running remote shells. They have also been associated with the Austrian spyware distributor DSIRF.", + "meta": { + "country": "AT", + "refs": [ + "https://www.thezdi.com/blog/2023/1/23/activation-context-cache-poisoning-exploiting-csrss-for-privilege-escalation", + "https://socradar.io/threats-of-commercialized-malware-knotweed/", + "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/" + ], + "synonyms": [ + "KNOTWEED", + "DSIRF" + ] + }, + "uuid": "79a347d9-1938-4550-8836-98e4ed95f77c", + "value": "Denim Tsunami" } ], "version": 298 From 3ed1619c89731427c69609d997e6d6fde69c474b Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:55 -0800 Subject: [PATCH 03/99] [threat-actors] Add APT40 aliases --- clusters/threat-actor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index fa460f7..7ceed02 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -6386,7 +6386,8 @@ "Red Ladon", "ITG09", "MUDCARP", - "ISLANDDREAMS" + "ISLANDDREAMS", + "Gingham Typhoon" ] }, "related": [ From 550d062c77a37cdb4b582a2fcde594508aea203c Mon Sep 17 00:00:00 2001 
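Review bot: The galaxy's `"version": 298` is left as unchanged context at the end of this hunk even though the cluster list gains a new entry, and the same untouched `"version": 298` is visible in every other append-at-end hunk in the series (Blue Tsunami, Cuboid Sandstorm, Pearl Sleet, Carmine Tsunami, Mustard Tempest, UNC4990, Caramel Tsunami, Storm-0867, Velvet Tempest, Sunglow Blizzard, Vanilla Tempest, Lilac Typhoon, Ruby Sleet). Consumers that sync galaxies typically decide whether to re-import from that number, so unless a later patch in the series bumps it, none of these additions will propagate; a single bump at the end of the series, e.g. `"version": 299`, is enough.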
From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:55 -0800 Subject: [PATCH 04/99] [threat-actors] Add Blue Tsunami --- clusters/threat-actor.json | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 7ceed02..4f5d076 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -14155,6 +14155,21 @@ }, "uuid": "79a347d9-1938-4550-8836-98e4ed95f77c", "value": "Denim Tsunami" + }, + { + "description": "Blue Tsunami, also known as Black Cube, is a cyber mercenary group associated with the private intelligence firm Black Cube. They target individuals in various industries, including human rights, finance, and consulting. Blue Tsunami engages in social engineering and uses techniques such as honeypot profiles, fake jobs, and fake companies to gather human intelligence for their clients. LinkedIn and Microsoft recently took down numerous fake accounts and company pages linked to Blue Tsunami.", + "meta": { + "country": "IL", + "refs": [ + "https://precisionpconline.com/a-unified-front-against-cyber-mercenaries/", + "https://www.microsoft.com/en-us/security/blog/2023/11/09/microsoft-shares-threat-intelligence-at-cyberwarcon-2023/" + ], + "synonyms": [ + "Black Cube" + ] + }, + "uuid": "46104ded-49f5-4440-bd25-e05c1126f0ba", + "value": "Blue Tsunami" } ], "version": 298 From 38fea405f5e70c3a1fa773e746e772abf3c5f931 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:56 -0800 Subject: [PATCH 05/99] [threat-actors] Add DEV-0586 aliases --- clusters/threat-actor.json | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 4f5d076..b75494f 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
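Review bot: The description's last sentence, `LinkedIn and Microsoft recently took down numerous fake accounts and company pages linked to Blue Tsunami.`, anchors an event to "recently", which stops being meaningful once the cluster is read months or years later; the Caramel Tsunami entry later in the series (`They have recently resurfaced with an updated toolset and zero-day exploits`) has the same problem. Replacing the relative wording with the period the cited report covers, e.g. `In 2023, LinkedIn and Microsoft took down ...` if that is what the CyberwarCon post states, keeps the description accurate without needing a new source.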
@@ -10464,13 +10464,16 @@ "Ukraine" ], "cfr-type-of-incident": "Sabotage", + "country": "RU", "refs": [ "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/", - "https://unit42.paloaltonetworks.com/atoms/ruinousursa/" + "https://unit42.paloaltonetworks.com/atoms/ruinousursa/", + "https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" ], "synonyms": [ - "Ruinous Ursa" + "Ruinous Ursa", + "Cadet Blizzard" ] }, "related": [ From f1d514afc41a6f75b519fdc85de0945a0034fe06 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:56 -0800 Subject: [PATCH 06/99] [threat-actors] Add Cuboid Sandstorm --- clusters/threat-actor.json | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index b75494f..36f2768 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -14173,6 +14173,20 @@ }, "uuid": "46104ded-49f5-4440-bd25-e05c1126f0ba", "value": "Blue Tsunami" + }, + { + "description": "Cuboid Sandstorm is an Iranian threat actor that targeted an Israel-based IT company in July 2021. They gained access to the company's network and used it to compromise downstream customers in the defense, energy, and legal sectors in Israel. The group also utilized custom implants, including a remote access Trojan disguised as RuntimeBroker.exe or svchost.exe, to establish persistence on victim hosts.", + "meta": { + "country": "IR", + "refs": [ + "https://www.microsoft.com/security/blog/2021/11/18/iranian-targeting-of-it-sector-on-the-rise/" + ], + "synonyms": [ + "DEV-0228" + ] + }, + "uuid": "a4004712-f74b-4c8c-b1fb-bb7229bc2da1", + "value": "Cuboid Sandstorm" } ], "version": 298 From 4cec7a7322486481134078979f3ea5ec14a26720 Mon Sep 17 00:00:00 2001 
From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:56 -0800 Subject: [PATCH 07/99] [threat-actors] Add Pearl Sleet --- clusters/threat-actor.json | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 36f2768..ff7bfb8 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -14187,6 +14187,21 @@ }, "uuid": "a4004712-f74b-4c8c-b1fb-bb7229bc2da1", "value": "Cuboid Sandstorm" + }, + { + "description": "Pearl Sleet is a nation state activity group based in North Korea that has been active since at least 2012. They primarily target defectors from North Korea, media organizations in carrying out their cyber espionage activities.", + "meta": { + "country": "KP", + "refs": [ + "https://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/monthly-news-december-2023/ba-p/3998431" + ], + "synonyms": [ + "DEV-0215", + "LAWRENCIUM" + ] + }, + "uuid": "ef0d776a-51de-4965-ba1c-69ed256e0e5d", + "value": "Pearl Sleet" } ], "version": 298 From d491ae01bff6dda0fa758336e9aa90439ebf507d Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:56 -0800 Subject: [PATCH 08/99] [threat-actors] Add Turla aliases --- clusters/threat-actor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index ff7bfb8..c73619f 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -2636,7 +2636,8 @@ "ITG12", "Blue Python", "SUMMIT", - "UNC4210" + "UNC4210", + "Secret Blizzard" ], "targeted-sector": [ "Government, Administration", From 54a2b4766d73366aff0c45c5aecf83e1cb2853d6 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:56 -0800 Subject: [PATCH 09/99] [threat-actors] Add HAFNIUM aliases --- clusters/threat-actor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index c73619f..75e7a0b 100644 
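Review bot: The second sentence of the new Pearl Sleet description is ungrammatical — `They primarily target defectors from North Korea, media organizations in carrying out their cyber espionage activities.` drops the conjunction between the two target groups. Something like `They primarily target North Korean defectors and media organizations in carrying out their cyber espionage activities.` reads cleanly and keeps the same claim. The only reference is a monthly news roundup; if a dedicated write-up on DEV-0215/LAWRENCIUM exists it would be a stronger citation.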
--- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -9367,7 +9367,8 @@ "ATK233", "G0125", "Operation Exchange Marauder", - "Red Dev 13" + "Red Dev 13", + "Silk Typhoon" ] }, "related": [ From 0ffadd08ecd76d85f8bedfc6a184d426f33fbd6d Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:56 -0800 Subject: [PATCH 10/99] [threat-actors] Add TiltedTemple aliases --- clusters/threat-actor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 75e7a0b..5531d00 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -13498,7 +13498,8 @@ "https://www.microsoft.com/en-us/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/" ], "synonyms": [ - "DEV-0322" + "DEV-0322", + "Circle Typhoon" ] }, "uuid": "aca6b3d2-1c3b-4674-9de8-975e35723bcf", From 1b6a5e8b1762a5626ac5dd15fc411232e40a6e8e Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:56 -0800 Subject: [PATCH 11/99] [threat-actors] Add APT32 aliases --- clusters/threat-actor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 5531d00..6f0baff 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -4834,7 +4834,8 @@ "TIN WOODLAWN", "BISMUTH", "ATK17", - "G0050" + "G0050", + "Canvas Cyclone" ], "targeted-sector": [ "Dissidents", From 0e47e278795e51451c6fd2d4c4ef58b83d578a72 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:57 -0800 Subject: [PATCH 12/99] [threat-actors] Add Carmine Tsunami --- clusters/threat-actor.json | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 6f0baff..7750c86 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -14206,6 +14206,22 @@ }, "uuid": "ef0d776a-51de-4965-ba1c-69ed256e0e5d", "value": "Pearl Sleet" + }, + { + "description": "Carmine Tsunami is a threat actor linked to an Israel-based private sector offensive actor called QuaDream. QuaDream sells a platform called REIGN to governments for law enforcement purposes, which includes exploits, malware, and infrastructure for data exfiltration from mobile devices. Carmine Tsunami is associated with the iOS malware called KingsPawn and has targeted civil society victims, including journalists, political opposition figures, and NGO workers, in various regions. They utilize domain registrars and inexpensive cloud hosting providers, often using single domains per IP address and deploying free Let's Encrypt SSL certificates.", + "meta": { + "country": "IL", + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2023/04/11/dev-0196-quadreams-kingspawn-malware-used-to-target-civil-society-in-europe-north-america-the-middle-east-and-southeast-asia/", + "https://citizenlab.ca/2023/04/spyware-vendor-quadream-exploits-victims-customers/" + ], + "synonyms": [ + "DEV-0196", + "QuaDream" + ] + }, + "uuid": "fa76ce6a-f434-4d4a-817f-c4bd0a3f803c", + "value": "Carmine Tsunami" } ], "version": 298 From 8c5dd8672f8ccf28eff736892b038f8edf1cebfe Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:57 -0800 Subject: [PATCH 13/99] [threat-actors] Add APT28 aliases --- clusters/threat-actor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 7750c86..28557c6 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -2407,7 +2407,8 @@ "APT-C-20", "UAC-0028", "FROZENLAKE", - "Sofacy" + "Sofacy", + "Forest Blizzard" ], "targeted-sector": [ "Military", From c81b10b3f58b6944fb493dfda6a2c1444bf8b37d Mon Sep 17 00:00:00 2001 
From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:57 -0800 Subject: [PATCH 14/99] [threat-actors] Add LAPSUS aliases --- clusters/threat-actor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 28557c6..50be072 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -10110,7 +10110,8 @@ "synonyms": [ "LAPSUS$", "DEV-0537", - "SLIPPY SPIDER" + "SLIPPY SPIDER", + "Strawberry Tempest" ] }, "related": [ From 05cf259436032bbfa4745b06b2d1db52a6f77e45 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:57 -0800 Subject: [PATCH 15/99] [threat-actors] Add GALLIUM aliases --- clusters/threat-actor.json | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 50be072..6120a0f 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -9061,15 +9061,18 @@ { "description": "GALLIUM, is a threat actor believed to be targeting telecommunication providers over the world, mostly South-East Asia, Europe and Africa. To compromise targeted networks, GALLIUM target unpatched internet-facing services using publicly available exploits and have been known to target vulnerabilities in WildFly/JBoss.", "meta": { + "country": "CN", "refs": [ "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", "https://www.youtube.com/watch?v=fBFm2fiEPTg", "https://troopers.de/troopers22/talks/7cv8pz/", - "https://unit42.paloaltonetworks.com/atoms/alloytaurus/" + "https://unit42.paloaltonetworks.com/atoms/alloytaurus/", + "https://unit42.paloaltonetworks.com/alloy-taurus-targets-se-asian-government/" ], "synonyms": [ "Red Dev 4", - "Alloy Taurus" + "Alloy Taurus", + "Granite Typhoon" ] }, "related": [ From 4388309aa06024efd674db5c792aa6ba9b78b5ce Mon Sep 17 00:00:00 2001 
From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:57 -0800 Subject: [PATCH 16/99] [threat-actors] Add Mustard Tempest --- clusters/threat-actor.json | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 6120a0f..67981ac 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -14227,6 +14227,21 @@ }, "uuid": "fa76ce6a-f434-4d4a-817f-c4bd0a3f803c", "value": "Carmine Tsunami" + }, + { + "description": "Mustard Tempest is a threat actor that primarily uses malvertising as their main technique to gain access to and profile networks. They deploy FakeUpdates, disguised as browser updates or software packages, to lure targets into downloading a ZIP file containing a JavaScript file. Once executed, the JavaScript framework acts as a loader for other malware campaigns, often Cobalt Strike payloads. Mustard Tempest has been associated with the cybercrime syndicate Mustard Tempest, also known as EvilCorp, and has been involved in ransomware attacks using payloads such as WastedLocker, PhoenixLocker, and Macaw.", + "meta": { + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", + "http://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/" + ], + "synonyms": [ + "DEV-0206", + "Purple Vallhund" + ] + }, + "uuid": "3ce9610b-2435-4c41-80d1-3f95a5ff2984", + "value": "Mustard Tempest" } ], "version": 298 From 9756306d987f6d3793171350b54598d638b224a4 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:57 -0800 Subject: [PATCH 17/99] [threat-actors] Add UNC4990 --- clusters/threat-actor.json | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 67981ac..370cd32 100644 --- a/clusters/threat-actor.json 
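Review bot: The fourth sentence of the new description is circular: `Mustard Tempest has been associated with the cybercrime syndicate Mustard Tempest, also known as EvilCorp` names the entry itself as the syndicate it is associated with, whereas the cited Microsoft RaaS post appears to treat the EvilCorp operators as a separate group from this access broker. The sentence should name that other group (or simply say `has been associated with the cybercrime syndicate EvilCorp`), and if the galaxy already has an EvilCorp entry, a `related` link is the right place for the association rather than the prose. Separately, the second `refs` URL uses `http://`; the Microsoft blog is served over TLS and the Velvet Tempest entry later in the series has the same `http://www.microsoft.com/...` scheme, so both should be `https://`.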
+++ b/clusters/threat-actor.json @@ -14242,6 +14242,17 @@ }, "uuid": "3ce9610b-2435-4c41-80d1-3f95a5ff2984", "value": "Mustard Tempest" + }, + { + "description": "UNC4990 is a financially motivated threat actor that has been active since at least 2020. They primarily target users in Italy and rely on USB devices for initial infection. The group has evolved their tactics over time, using encoded text files on popular websites like GitHub and Vimeo to host payloads. They have been observed using sophisticated backdoors like QUIETBOARD and EMPTYSPACE, and have targeted organizations in various industries, particularly in Italy.", + "meta": { + "country": "IT", + "refs": [ + "https://www.mandiant.com/resources/blog/unc4990-evolution-usb-malware" + ] + }, + "uuid": "7db46444-2d27-4922-8a21-98f8509476dc", + "value": "UNC4990" } ], "version": 298 From ac0fdd61ea86a9f3e259c7ecb5cce96ea490392c Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:57 -0800 Subject: [PATCH 18/99] [threat-actors] Add FIN6 aliases --- clusters/threat-actor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 370cd32..b4edca6 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -3874,7 +3874,8 @@ "White Giant", "GOLD FRANKLIN", "ATK88", - "G0037" + "G0037", + "Camouflage Tempest" ] }, "related": [ From d1dae2085bd104d69a6eb5b85c8e379617c39148 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:58 -0800 Subject: [PATCH 19/99] [threat-actors] Add Caramel Tsunami --- clusters/threat-actor.json | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index b4edca6..da980d7 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
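Review bot: `"country": "IT"` in the new UNC4990 entry looks like it was derived from the description's statement that the group targets users in Italy, but in this galaxy `country` is normally read as the actor's country of origin, not its victims' location, and the single Mandiant reference is only used here to support targeting. If the report attributes the operators to Italy the field is fine; otherwise it should be dropped and the victim geography left to the description, since a wrong origin tag propagates into every correlation built on the galaxy.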
@@ -14254,6 +14254,25 @@ }, "uuid": "7db46444-2d27-4922-8a21-98f8509476dc", "value": "UNC4990" + }, + { + "description": "Caramel Tsunami is a threat actor that specializes in spyware attacks. They have recently resurfaced with an updated toolset and zero-day exploits, targeting specific victims through watering hole attacks. Candiru has been observed exploiting vulnerabilities in popular browsers like Google Chrome and using third-party signed drivers to gain access to the Windows kernel. They have also been linked to other spyware vendors and have been associated with extensive abuses of their surveillance tools.", + "meta": { + "refs": [ + "https://decoded.avast.io/threatresearch/avast-q2-2022-threat-report/", + "https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/", + "https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/", + "https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/", + "https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/", + "https://www.microsoft.com/en-us/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/" + ], + "synonyms": [ + "SOURGUM", + "Candiru" + ] + }, + "uuid": "062938a2-6fa1-4217-ad73-f5e0b5186966", + "value": "Caramel Tsunami" } ], "version": 298 From 3d51ce84fb062d4c137e75240088aa5c31f17409 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:58 -0800 Subject: [PATCH 20/99] [threat-actors] Add Earth Lusca aliases --- clusters/threat-actor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index da980d7..583bb37 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
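Review bot: The new Caramel Tsunami entry has no `"country"` field while the sibling private-sector-offensive-actor entries added in this series (Denim Tsunami `AT`, Blue Tsunami `IL`, Carmine Tsunami `IL`) carry one; the Citizen Lab and ESET references already in `refs` appear to describe Candiru as an Israel-based vendor, so `"country": "IL",` before `"refs"` would make the entries consistent. The description also switches from the entry's own name to a synonym mid-paragraph (`Candiru has been observed exploiting ...`) and uses the relative `recently resurfaced`; using one name throughout and dating the resurfacing to the period the Avast report covers would avoid both.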
@@ -10598,7 +10598,8 @@ "BRONZE UNIVERSITY", "AQUATIC PANDA", "Red Dev 10", - "RedHotel" + "RedHotel", + "Charcoal Typhoon" ] }, "related": [ From 8d024a52b1b08bffdfb840c90b33847bfcf28666 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:58 -0800 Subject: [PATCH 21/99] [threat-actors] Add BRONZE STARLIGHT aliases --- clusters/threat-actor.json | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 583bb37..59565d4 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -10735,11 +10735,17 @@ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation", "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility", - "https://twitter.com/cglyer/status/1480734487000453121" + "https://twitter.com/cglyer/status/1480734487000453121", + "https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group", + "https://www.sentinelone.com/labs/chinese-entanglement-dll-hijacking-in-the-asian-gambling-sector/", + "https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", + "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader" ], "synonyms": [ "SLIME34", - "DEV-0401" + "DEV-0401", + "Cinnamon Tempest", + "Emperor Dragonfly" ] }, "related": [ From 4cbf4353b033f38b121e06eb678407094f24b0a3 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:58 -0800 Subject: [PATCH 22/99] [threat-actors] Add Storm-0867 --- clusters/threat-actor.json | 14 ++++++++++++++ 1 file changed, 14 insertions(+) 
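Review bot: The third added reference, `https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/`, is the same post as the `https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-...` line already present as context at the top of this hunk, differing only in the `/en-us` locale segment and the trailing slash. Drop the new line so the list does not carry one source twice; a normalised-URL comparison before appending refs would catch the same pattern in the remaining hunks.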
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 59565d4..1cabb7a 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -14280,6 +14280,20 @@ }, "uuid": "062938a2-6fa1-4217-ad73-f5e0b5186966", "value": "Caramel Tsunami" + }, + { + "description": "Storm-0867 is a threat actor that has been active since 2012 and has targeted various industries and regions. They employ sophisticated phishing campaigns, utilizing social engineering techniques and a phishing as a service platform called Caffeine. Their attacks involve intercepting and manipulating communication between users and legitimate services, allowing them to steal passwords, hijack sign-in sessions, bypass multifactor authentication, and modify authentication methods.", + "meta": { + "country": "EG", + "refs": [ + "https://techcommunity.microsoft.com/t5/microsoft-security-experts-blog/defender-experts-chronicles-a-deep-dive-into-storm-0867/ba-p/3911769" + ], + "synonyms": [ + "DEV-0867" + ] + }, + "uuid": "dc1d0202-8976-4d15-810d-4af0feff6af9", + "value": "Storm-0867" } ], "version": 298 From 8ebdd40e4261787004bc23351f95e2404493101e Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:58 -0800 Subject: [PATCH 23/99] [threat-actors] Add Velvet Tempest --- clusters/threat-actor.json | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 1cabb7a..20ac754 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -14294,6 +14294,20 @@ }, "uuid": "dc1d0202-8976-4d15-810d-4af0feff6af9", "value": "Storm-0867" + }, + { + "description": "Velvet Tempest is a threat actor associated with the BlackCat ransomware group. They have been observed deploying multiple ransomware payloads, including BlackCat, and have targeted various industries such as energy, fashion, tobacco, IT, and manufacturing. Velvet Tempest relies on access brokers to gain network access and utilizes tools like Cobalt Strike Beacons and PsExec for lateral movement and payload staging. They exfiltrate stolen data using a tool called StealBit and frequently disable unprotected antivirus products.", + "meta": { + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", + "http://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/" + ], + "synonyms": [ + "DEV-0504" + ] + }, + "uuid": "209b1452-7062-46f8-9037-3be5f7eda54f", + "value": "Velvet Tempest" } ], "version": 298 From f35df2c9feece209f17eed34fb20b2af8d465c6d Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:58 -0800 Subject: [PATCH 24/99] [threat-actors] Add Sunglow Blizzard --- clusters/threat-actor.json | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 20ac754..5b9fdcd 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -14308,6 +14308,21 @@ }, "uuid": "209b1452-7062-46f8-9037-3be5f7eda54f", "value": "Velvet Tempest" + }, + { + "description": "DEV-0665 is a threat actor associated with the HermeticWiper attacks. Their objective is to disrupt, degrade, and destroy specific resources within a targeted country.", + "meta": { + "country": "RU", + "refs": [ + "https://twitter.com/ESETresearch/status/1503436420886712321", + "https://thehackernews.com/2022/03/second-new-isaacwiper-data-wiper.html" + ], + "synonyms": [ + "DEV-0665" + ] + }, + "uuid": "9c0f0db1-b773-42ff-a6f7-d4b6c1d28ca4", + "value": "Sunglow Blizzard" } ], "version": 298 From 9645731e765e3796e9cff65a36ffda4184b24be2 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:58 -0800 Subject: [PATCH 25/99] [threat-actors] Add Kimsuky aliases --- clusters/threat-actor.json | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 5b9fdcd..bfa7a2d 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -5565,7 +5565,10 @@ "https://us-cert.cisa.gov/ncas/alerts/aa20-301a", "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite", "https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report", - "https://asec.ahnlab.com/en/57873/" + "https://asec.ahnlab.com/en/57873/", + "https://asec.ahnlab.com/en/61082/", + "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-north-korean-apt-kimsuky-aka-black-banshee-active-iocs-29/", + "https://www.sentinelone.com/labs/a-glimpse-into-future-scarcruft-campaigns-attackers-gather-strategic-intelligence-and-target-cybersecurity-professionals/" ], "synonyms": [ "Velvet Chollima", @@ -5573,7 +5576,9 @@ "Thallium", "Operation Stolen Pencil", "G0086", - "APT43" + "APT43", + "Emerald Sleet", + "THALLIUM" ], "targeted-sector": [ "Research - Innovation", From 0668ed368d23d5c4f3c70056f31632814d908d66 Mon Sep 17 00:00:00 2001 
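Review bot: The new description opens with `DEV-0665 is a threat actor ...` while the entry's `value` is `Sunglow Blizzard`, so the prose never uses the name the cluster is filed under; the Vanilla Tempest (`Vice Society is a ransomware group ...`) and Ruby Sleet (`Cerium has been involved ...`) entries later in the series do the same. Leading with the `value` and mentioning the former designation once, e.g. `Sunglow Blizzard (formerly DEV-0665) is a threat actor associated with the HermeticWiper attacks.`, keeps name lookups and prose in step.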
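Review bot: In the second Kimsuky hunk `"THALLIUM"` is appended to a synonym list that already contains `"Thallium"` (visible as context a few lines above), so the entry now carries the same Microsoft name twice differing only in case; drop the new line or normalise the existing one rather than keeping both. In the first hunk the SentinelOne reference is titled around ScarCruft, which is usually tracked as a separate North Korean cluster from Kimsuky — worth confirming the article actually discusses Kimsuky before it is cited here.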
From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:59 -0800 Subject: [PATCH 26/99] [threat-actors] Add ENERGETIC BEAR aliases --- clusters/threat-actor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index bfa7a2d..7751f86 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -2733,7 +2733,8 @@ "ATK6", "ITG15", "BROMINE", - "Blue Kraken" + "Blue Kraken", + "Ghost Blizzard" ], "targeted-sector": [ "Energy" From 42bad34d9183ebcffd05136eab8d5c8c283bbe3b Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:59 -0800 Subject: [PATCH 27/99] [threat-actors] Add Vanilla Tempest --- clusters/threat-actor.json | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 7751f86..6c8f96e 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -14329,6 +14329,23 @@ }, "uuid": "9c0f0db1-b773-42ff-a6f7-d4b6c1d28ca4", "value": "Sunglow Blizzard" + }, + { + "description": "Vice Society is a ransomware group that has been active since at least June 2021. They primarily target the education and healthcare sectors, but have also been observed targeting the manufacturing industry. The group has used multiple ransomware families and has been known to utilize PowerShell scripts for their attacks. There are similarities between Vice Society and the Rhysida ransomware group, suggesting a potential connection or rebranding.", + "meta": { + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/", + "https://fourcore.io/blogs/rhysida-ransomware-history-ttp-adversary-emulation", + "https://detect.fyi/rhysida-ransomware-and-the-detection-opportunities-3599e9a02bb2", + "https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/" + ], + "synonyms": [ + "DEV-0832", + "Vice Society" + ] + }, + "uuid": "c4132d43-2405-43ca-9940-a6f78e007861", + "value": "Vanilla Tempest" } ], "version": 298 From de63377c999e77c577fcb2be615602c3266d6412 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:59 -0800 Subject: [PATCH 28/99] [threat-actors] Add APT31 aliases --- clusters/threat-actor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 6c8f96e..8a21c31 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -7939,7 +7939,8 @@ "ZIRCONIUM", "JUDGMENT PANDA", "BRONZE VINEWOOD", - "Red keres" + "Red keres", + "Violet Typhoon" ] }, "related": [ From 9e940af919a4aa3591e177f2e8b0997de2a453b0 Mon Sep 17 00:00:00 2001 
From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:59 -0800 Subject: [PATCH 29/99] [threat-actors] Add OilRig aliases --- clusters/threat-actor.json | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 8a21c31..1e0e361 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -3985,7 +3985,8 @@ "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy", "https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf", "https://www.wired.com/story/apt-34-iranian-hackers-critical-infrastructure-companies/", - "https://unit42.paloaltonetworks.com/atoms/evasive-serpens/" + "https://unit42.paloaltonetworks.com/atoms/evasive-serpens/", + "https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/" ], "synonyms": [ "Twisted Kitten", @@ -3997,7 +3998,9 @@ "IRN2", "ATK40", "G0049", - "Evasive Serpens" + "Evasive Serpens", + "Hazel Sandstorm", + "EUROPIUM" ], "targeted-sector": [ "Chemical", From 646206e70a070dc5d70162a350354aeaa295a4cd Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:59 -0800 Subject: [PATCH 30/99] [threat-actors] Add Fox Kitten aliases --- clusters/threat-actor.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 1e0e361..0e423a7 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -9145,7 +9145,9 @@ "synonyms": [ "PIONEER KITTEN", "PARISITE", - "UNC757" + "UNC757", + "Lemon Sandstorm", + "RUBIDIUM" ] }, "related": [ From 837ce843448989439f6e97282a2984a7462790ef Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:59 -0800 Subject: [PATCH 31/99] [threat-actors] Add Lilac Typhoon --- clusters/threat-actor.json | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) 
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 0e423a7..f451f33 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -14352,6 +14352,22 @@ }, "uuid": "c4132d43-2405-43ca-9940-a6f78e007861", "value": "Vanilla Tempest" + }, + { + "description": "Lilac Typhoon is a threat actor attributed to China. They have been identified as exploiting the Atlassian Confluence RCE vulnerability CVE-2022-26134, which allows for remote code execution. This vulnerability has been used in cryptojacking campaigns and is included in commercial exploit frameworks. Lilac Typhoon has also been involved in deploying various payloads such as Cobalt Strike, web shells, botnets, coin miners, and ransomware.", + "meta": { + "country": "CN", + "refs": [ + "https://securityboulevard.com/2022/10/analysis-of-cisa-releases-advisory-on-top-cves-exploited-chinese-state-sponsored-groups/", + "https://riskybiznews.substack.com/p/risky-biz-news-google-shuts-down", + "https://twitter.com/MsftSecIntel/status/1535417776290111489" + ], + "synonyms": [ + "DEV-0234" + ] + }, + "uuid": "b80be7a7-6d06-4da7-8ae0-302a198e7c73", + "value": "Lilac Typhoon" } ], "version": 298 From 5afd6822155f13096a19cb68e5f1f300a8be12d3 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:00 -0800 Subject: [PATCH 32/99] [threat-actors] Add MosesStaff aliases --- clusters/threat-actor.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index f451f33..3be5954 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -10068,7 +10068,9 @@ "https://www.fortinet.com/blog/threat-research/guard-your-drive-from-driveguard" ], "synonyms": [ - "Moses Staff" + "Moses Staff", + "Marigold Sandstorm", + "DEV-0500" ] }, "related": [ From 2dc29dc6c704a93a32e1535830c69158dc809554 Mon Sep 17 00:00:00 2001 
From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:00 -0800 Subject: [PATCH 33/99] [threat-actors] Add WIZARD SPIDER aliases --- clusters/threat-actor.json | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 3be5954..034e3dc 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -7469,12 +7469,21 @@ "https://www.secureworks.com/blog/trickbot-modifications-target-us-mobile-users", "http://www.secureworks.com/research/threat-profiles/gold-blackburn", "https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf", - "https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf" + "https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf", + "https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/", + "https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/" ], "synonyms": [ "TEMP.MixMaster", "GOLD BLACKBURN", - "FIN12" + "FIN12", + "Periwinkle Tempest", + "DEV-0193", + "Storm-0193", + "Trickbot LLC", + "UNC2053", + "Pistachio Tempest", + "DEV-0237" ] }, "related": [ From 6fdd037988c5f20c654b2671f1374057907aa532 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:00 -0800 Subject: [PATCH 34/99] [threat-actors] Add Ruby Sleet --- clusters/threat-actor.json | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 034e3dc..9382856 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
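Review bot: The synonym list now folds two Microsoft designations into one cluster, `"Periwinkle Tempest"`/`"DEV-0193"`/`"Storm-0193"`/`"Trickbot LLC"` and `"Pistachio Tempest"`/`"DEV-0237"`, although the cited Microsoft RaaS post appears to describe DEV-0237 as a distinct group affiliated with DEV-0193 rather than the same one. The list already contains `"FIN12"`, so the merge may be deliberate, but if so the description should state that the galaxy treats the affiliate as part of this cluster; otherwise Pistachio Tempest/DEV-0237 belongs in a `related` link or its own entry so that correlations do not conflate the two.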
@@ -14379,6 +14379,20 @@ }, "uuid": "b80be7a7-6d06-4da7-8ae0-302a198e7c73", "value": "Lilac Typhoon" + }, + { + "description": "Ruby Sleet is a threat actor linked to North Korea's Ministry of State Security. Cerium has been involved in spear-phishing campaigns, compromising devices, and conducting cyberattacks alongside other North Korean threat actors. They have also targeted companies involved in COVID-19 research and vaccine development.", + "meta": { + "country": "KP", + "refs": [ + "https://blogs.microsoft.com/on-the-issues/2020/11/13/health-care-cyberattacks-covid-19-paris-peace-forum/" + ], + "synonyms": [ + "CERIUM" + ] + }, + "uuid": "03ff54cf-f7d4-4606-a531-2ca6d4fa6a54", + "value": "Ruby Sleet" } ], "version": 298 From da57d8c5fdd3de624163be72a9df2120c5191326 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:00 -0800 Subject: [PATCH 35/99] [threat-actors] Add Bohrium aliases --- clusters/threat-actor.json | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 9382856..19b83e6 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -13219,6 +13219,10 @@ "country": "IR", "refs": [ "https://twitter.com/CyberAmyHB/status/1532398956918890500" + ], + "synonyms": [ + "Smoke Sandstorm", + "BOHRIUM" ] }, "uuid": "111efc97-6a93-487b-8cb3-1e890ac51066", From a1ea480023c5978fc44e1568d5c6591a25ffca46 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:00 -0800 Subject: [PATCH 36/99] [threat-actors] Add PARINACOTA aliases --- clusters/threat-actor.json | 3 +++ 1 file changed, 3 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 19b83e6..b788c2c 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -11027,6 +11027,9 @@ "meta": { "refs": [ "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/" + ], + "synonyms": [ + "Wine Tempest" ] }, "related": [ From 5ffdc0f868897a4bb0db59e581395de0078e8bcd Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:00 -0800 Subject: [PATCH 37/99] [threat-actors] Add APT33 aliases --- clusters/threat-actor.json | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index b788c2c..4280c88 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -1931,7 +1931,8 @@ "https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/", "https://www.cfr.org/interactive/cyber-operations/apt-33", "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf", - "https://dragos.com/adversaries.html" + "https://dragos.com/adversaries.html", + "https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/" ], "synonyms": [ "APT 33", @@ -1941,7 +1942,8 @@ "HOLMIUM", "COBALT TRINITY", "G0064", - "ATK35" + "ATK35", + "Peach Sandstorm" ], "victimology": "Petrochemical, Aerospace, Saudi Arabia" }, From 7a2cfa4f42a2cb175e78a663f7f4179a0122536d Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:00 -0800 Subject: [PATCH 38/99] [threat-actors] Add Silent Chollima aliases --- clusters/threat-actor.json | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 4280c88..088da3b 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -3087,11 +3087,13 @@ "value": "UNION SPIDER" }, { + "description": "Andariel is a threat actor that primarily targets South Korean corporations and institutions. They are believed to collaborate with or operate as a subsidiary organization of the Lazarus threat group. WHOIS utilizes spear phishing attacks, watering hole attacks, and supply chain attacks for initial access. They have been known to exploit vulnerabilities and use malware such as Infostealer and TigerRAT.", "meta": { "attribution-confidence": "50", "country": "KP", "refs": [ - "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf" + "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf", + "https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/" ], "synonyms": [ "OperationTroy", @@ -3099,7 +3101,9 @@ "GOP", "WHOis Team", "Andariel", - "Subgroup: Andariel" + "Subgroup: Andariel", + "Onyx Sleet", + "PLUTONIUM" ] }, "uuid": "245c8dde-ed42-4c49-b48b-634e3e21bdd7", From a1dfeca461195951de91050d41184972a9aef953 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:01 -0800 Subject: [PATCH 39/99] [threat-actors] Add Raspberry Typhoon --- clusters/threat-actor.json | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 088da3b..8be7577 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
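Review bot: The added description names the group `Andariel` in its first sentence and `WHOIS` in its third, while the synonyms list spells the alias `"WHOis Team"` and the cluster value is presumably Silent Chollima (per the patch subject); a reader cannot tell from the text alone that these refer to one actor. Opening with the cluster value and introducing the aliases once, e.g. `Silent Chollima (also tracked as Andariel and WHOis Team) primarily targets ...`, would remove the ambiguity. The new TeamCity reference does back the added `"Onyx Sleet"`/`"PLUTONIUM"` aliases, which is the right pattern for alias additions.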
@@ -14406,6 +14406,20 @@ }, "uuid": "03ff54cf-f7d4-4606-a531-2ca6d4fa6a54", "value": "Ruby Sleet" + }, + { + "description": "Microsoft has tracked Raspberry Typhoon (RADIUM) as the primary threat group targeting nations that ring the South China Sea. Raspberry Typhoon consistently targets government ministries, military entities, and corporate entities connected to critical infrastructure, particularly telecoms. Since January 2023, Raspberry Typhoon has been particularly persistent. When targeting government ministries or infrastructure, Raspberry Typhoon typically conducts intelligence collection and malware execution. In many countries, targets vary from defense and intelligence-related ministries to economic and trade-related ministries", + "meta": { + "country": "CN", + "refs": [ + "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW1aFyW" + ], + "synonyms": [ + "RADIUM" + ] + }, + "uuid": "37f012df-54d8-4b3d-a288-af47240430ea", + "value": "Raspberry Typhoon" } ], "version": 298 From 447c06447769e684515216852479fa164c4367a5 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:01 -0800 Subject: [PATCH 40/99] [threat-actors] Add Phlox Tempest --- clusters/threat-actor.json | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 8be7577..94640f8 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -14420,6 +14420,19 @@ }, "uuid": "37f012df-54d8-4b3d-a288-af47240430ea", "value": "Raspberry Typhoon" + }, + { + "description": "Phlox Tempest is a threat actor responsible for a large-scale click fraud campaign targeting users through YouTube comments and malicious ads. They use ChromeLoader to infect victims' computers with malware, often delivered as ISO image files that victims are tricked into downloading. The attackers aim to profit from clicks generated by malicious browser extensions or node-WebKit installed on the victim's device. Microsoft and other cybersecurity organizations have issued warnings about this ongoing and prevalent campaign.", + "meta": { + "refs": [ + "https://twitter.com/MsftSecIntel/status/1570911625841983489" + ], + "synonyms": [ + "DEV-0796" + ] + }, + "uuid": "dd012c50-4f4f-4485-ac52-294a341f03e5", + "value": "Phlox Tempest" } ], "version": 298 From ba525e4c54af67ca934fa4eb889925db68eb2158 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:01 -0800 Subject: [PATCH 41/99] [threat-actors] Add TA505 aliases --- clusters/threat-actor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 94640f8..7377d57 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -7393,7 +7393,8 @@ "G0092", "ATK103", "Hive0065", - "CHIMBORAZO" + "CHIMBORAZO", + "Spandex Tempest" ] }, "related": [ From ce3a5dd1825fe1e106c83d7646dc1b52bef9435f Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:01 -0800 Subject: [PATCH 42/99] [threat-actors] Add MuddyWater aliases --- clusters/threat-actor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 7377d57..5aff159 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -6192,7 +6192,8 @@ "COBALT ULSTER", "G0069", "ATK51", - "Boggy Serpens" + "Boggy Serpens", + "Mango Sandstorm" ] }, "related": [ From 76430b605e19b7b6e9f34f00886fd9567e02ba11 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:01 -0800 Subject: [PATCH 43/99] [threat-actors] Add Scattered Spider aliases --- clusters/threat-actor.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 5aff159..0c3e757 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -12229,7 +12229,9 @@ "Scattered Swine", "Scatter Swine", "Octo Tempest", - "0ktapus" + "0ktapus", + "Storm-0971", + "DEV-0971" ] }, "uuid": "3b238f3a-c67a-4a9e-b474-dc3897e00129", From 475dc882964838e1b9172abd5a0441db5c3a3756 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:01 -0800 Subject: [PATCH 44/99] [threat-actors] Add Storm-1295 --- clusters/threat-actor.json | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 0c3e757..5b20d5a 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -14437,6 +14437,20 @@ }, "uuid": "dd012c50-4f4f-4485-ac52-294a341f03e5", "value": "Phlox Tempest" + }, + { + "description": "Storm-1295 is a threat actor group that operates the Greatness phishing-as-a-service platform. They utilize synchronous relay servers to present targets with a replica of a sign-in page, resembling traditional phishing attacks. Their adversary-in-the-middle capability allows Storm-1295 to offer their services to other attackers. Active since mid-2022, Storm-1295 is tracked by Microsoft and is known for their involvement in the Greatness PhaaS platform.", + "meta": { + "refs": [ + "https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/monthly-news-july-2023/ba-p/3860740", + "https://twitter.com/MsftSecIntel/status/1696273952870367320" + ], + "synonyms": [ + "DEV-1295" + ] + }, + "uuid": "5f485e47-18ad-4302-85a1-0a390fe90dc1", + "value": "Storm-1295" } ], "version": 298 From 681784a3ec22c4bddc9b09bf1ee4c55f1a764e6c Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:01 -0800 Subject: [PATCH 45/99] [threat-actors] Add Storm-1167 --- clusters/threat-actor.json | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 5b20d5a..ada0724 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -14451,6 +14451,20 @@ }, "uuid": "5f485e47-18ad-4302-85a1-0a390fe90dc1", "value": "Storm-1295" + }, + { + "description": "Storm-1167 is a threat actor tracked by Microsoft, known for their use of an AiTM phishing kit. They were responsible for launching an attack that led to Business Email Compromise activity.", + "meta": { + "country": "ID", + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/" + ], + "synonyms": [ + "DEV-1167" + ] + }, + "uuid": "17fb8267-44a3-405b-b6b9-ba7fdeb56693", + "value": "Storm-1167" } ], "version": 298 
From 72073b2384997c6002992f8e0ca154bd784d08bc Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:01 -0800 Subject: [PATCH 46/99] [threat-actors] Add APT5 aliases --- clusters/threat-actor.json | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index ada0724..9c62dc1 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -5194,13 +5194,15 @@ "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-fleetwood", "https://www.mandiant.com/resources/insights/apt-groups", - "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi" + "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi", + "http://internal-www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html" ], "synonyms": [ "KEYHOLE PANDA", "MANGANESE", "BRONZE FLEETWOOD", - "TEMP.Bottle" + "TEMP.Bottle", + "Mulberry Typhoon" ], "targeted-sector": [ "Electronic", From 44a446c63f42fe4d6af3cc6775c8ad321f9b6582 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:02 -0800 Subject: [PATCH 47/99] [threat-actors] Add APT15 aliases --- clusters/threat-actor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 9c62dc1..6373f82 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -1160,7 +1160,8 @@ "BRONZE IDLEWOOD", "NICKEL", "G0004", - "Red Vulture" + "Red Vulture", + "Nylon Typhoon" ], "targeted-sector": [ "Government, Administration" From 0dcbc136a7eff45b3cc89c18e7371d81b8ff1e79 Mon Sep 17 00:00:00 2001 
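Review bot: The reference appended to APT5's `refs`, `http://internal-www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html`, uses what looks like an internal or staging hostname (`internal-www`) over plain HTTP; it is unlikely to resolve for readers of the galaxy and is not a canonical citation even if it does. It should be replaced with the public URL of the same Pulse Secure zero-day post before merging. The Storm-1101 entry later in the series likewise cites microsoft.com over `http://` while every other microsoft.com reference on this page uses `https://`; both should be normalized.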
From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:02 -0800 Subject: [PATCH 48/99] [threat-actors] Add Opal Sleet --- clusters/threat-actor.json | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 6373f82..d709522 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -14468,6 +14468,24 @@ }, "uuid": "17fb8267-44a3-405b-b6b9-ba7fdeb56693", "value": "Storm-1167" + }, + { + "description": "Konni is a threat actor associated with APT37, a North Korean cyber crime group. They have been active since 2012 and are known for their cyber-espionage activities. Konni has targeted various sectors, including education, government, business organizations, and the cryptocurrency industry. They have exploited vulnerabilities such as CVE-2023-38831 and have used malware like KonniRAT to gain control of victim hosts and steal important information.", + "meta": { + "country": "KP", + "refs": [ + "https://nsfocusglobal.com/the-new-apt-group-darkcasino-and-the-global-surge-in-winrar-0-day-exploits/", + "https://paper.seebug.org/3031/", + "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-konni-apt-group-active-iocs-11", + "https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/" + ], + "synonyms": [ + "OSMIUM", + "Konni" + ] + }, + "uuid": "5f71a9ea-511d-4fdd-9807-271ef613f488", + "value": "Opal Sleet" } ], "version": 298 From 22d3ea5ebfa3394785cf5bcd9de6cba8581d01dc Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:02 -0800 Subject: [PATCH 49/99] [threat-actors] Add Storm-1044 --- clusters/threat-actor.json | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index d709522..85fe4e9 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
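Review bot: Opal Sleet is created under a new uuid for an actor whose description and synonyms (`"Konni"`, `"OSMIUM"`) may already be covered by an existing cluster in this file; MISP galaxies merge and tag on uuid, not on synonym, so a second Konni cluster would give analysts two non-overlapping tags for one actor. The file should be searched for an existing Konni/KONNI cluster before merging and, if one exists, the new names and refs folded into its synonyms instead. The Pink Sandstorm (Agrius/BlackShadow) and Storm-0530 (H0lyGh0st) entries later in the series need the same check.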
@@ -14486,6 +14486,19 @@ }, "uuid": "5f71a9ea-511d-4fdd-9807-271ef613f488", "value": "Opal Sleet" + }, + { + "description": "Storm-1044 has been identified as part of a cyber campaign in collaboration with Twisted Spider. They employ a strategic approach, targeting specific endpoints using an initial access trojan called DanaBot. Once they gain access, Storm-1044 initiates lateral movement through Remote Desktop Protocol sign-in attempts, passing control to Twisted Spider. Twisted Spider then compromises the endpoints by introducing the CACTUS ransomware. Microsoft has detected ongoing malvertising attacks involving Storm-1044, leading to the deployment of CACTUS ransomware.", + "meta": { + "refs": [ + "https://twitter.com/MsftSecIntel/status/1730383711437283757" + ], + "synonyms": [ + "DEV-1044" + ] + }, + "uuid": "5ec7a98e-9725-4f87-8a6e-91e2b4ba04ac", + "value": "Storm-1044" } ], "version": 298 From ae82f07fd8456ceaaccf0baf63de88a124e8a342 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:02 -0800 Subject: [PATCH 50/99] [threat-actors] Add Pink Sandstorm --- clusters/threat-actor.json | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 85fe4e9..c51341d 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
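Review bot: The Storm-1044 description states that the actor hands control to Twisted Spider, but the relationship exists only in prose; this file models inter-cluster links with a `related` array, and the Twisted Spider cluster's uuid, `39925aa0-c7bf-4b9b-97d6-7d600329453d`, is visible in the TA2101 hunk of this series. Adding `"related": [{"dest-uuid": "39925aa0-c7bf-4b9b-97d6-7d600329453d", "type": "similar"}]` next to `"meta"` makes the link pivotable rather than discoverable only by text search. Storm-1084's stated MuddyWater collaboration and Storm-0530's stated PLUTONIUM connection (the Silent Chollima cluster, uuid `245c8dde-ed42-4c49-b48b-634e3e21bdd7`) would benefit from the same treatment.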
@@ -14499,6 +14499,29 @@ }, "uuid": "5ec7a98e-9725-4f87-8a6e-91e2b4ba04ac", "value": "Storm-1044" + }, + { + "description": "Agonizing Serpens is an Iranian-linked APT group that has been active since 2020. They are known for their destructive wiper and fake-ransomware attacks, primarily targeting Israeli organizations in the education and technology sectors. The group has strong connections to Iran's Ministry of Intelligence and Security and has been observed using various tools and techniques to bypass security measures. They aim to steal sensitive information, including PII and intellectual property, and inflict damage by wiping endpoints.", + "meta": { + "country": "IR", + "refs": [ + "https://www.oodaloop.com/archive/2024/01/02/critical-infrastructure-remains-the-brass-ring-for-cyber-attackers-in-2024/", + "https://unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/", + "https://socprime.com/blog/agonizing-serpens-attack-detection-iran-backed-hackers-target-israeli-tech-firms-and-educational-institutions/", + "https://therecord.media/iran-linked-hackers-target-israel-education-tech-sectors", + "https://www.enigmasoftware.com/moneybirdransomware-removal/", + "https://research.checkpoint.com/2023/agrius-deploys-moneybird-in-targeted-attacks-against-israeli-organizations/" + ], + "synonyms": [ + "AMERICIUM", + "BlackShadow", + "DEV-0022", + "Agrius", + "Agonizing Serpens" + ] + }, + "uuid": "0876c327-c82a-45f7-82fa-267c312ceb05", + "value": "Pink Sandstorm" } ], "version": 298 From 43f95874692812035790d97922214ebf42915221 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:02 -0800 Subject: [PATCH 51/99] [threat-actors] Add POLONIUM aliases --- clusters/threat-actor.json | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index c51341d..ab881e1 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -10461,7 +10461,11 @@ "cfr-type-of-incident": "Espionage", "country": "LB", "refs": [ - "https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/" + "https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/", + "https://www.deepinstinct.com/blog/polonium-apt-group-uncovering-new-elements" + ], + "synonyms": [ + "Plaid Rain" ] }, "related": [ From 49c3e06605dd3ebc27c5bd8f8c5f9304ddfaa55f Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:02 -0800 Subject: [PATCH 52/99] [threat-actors] Add FIN7 aliases --- clusters/threat-actor.json | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index ab881e1..9900145 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -2916,7 +2916,8 @@ "https://threatintel.blog/OPBlueRaven-Part2/", "https://www.secureworks.com/research/threat-profiles/gold-niagara", "https://www.computerweekly.com/news/252525240/ALPHV-BlackCat-ransomware-family-becoming-more-dangerous", - "https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape" + "https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape", + "https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/" ], "synonyms": [ "CARBON SPIDER", @@ -2926,7 +2927,10 @@ "G0046", "G0008", "Coreid", - "Carbanak" + "Carbanak", + "Sangria Tempest", + "ELBRUS", + "Carbon Spider" ] }, "related": [ From ba7137c5a3258e6da14382557f09a75a52f18fe6 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:03 -0800 Subject: [PATCH 53/99] [threat-actors] Add Lazarus Group aliases --- clusters/threat-actor.json | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) 
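Review bot: `"Carbon Spider"` is added to FIN7's synonyms although the same list already contains `"CARBON SPIDER"` (visible at the top of the synonyms context in this hunk), so the cluster now carries one alias twice differing only in case. Unless consumers are known to match synonyms case-sensitively, the new line should be dropped; if mixed-case variants are wanted they belong to a deliberate file-wide policy, not a one-off. The TA2101 hunk later in the series repeats this with `"Twisted Spider"` beside the existing `"TWISTED SPIDER"`.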
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 9900145..ceb3fc8 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -3210,7 +3210,9 @@ "https://blogs.jpcert.or.jp/en/2021/01/Lazarus_tools.html", "https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html", "https://attack.mitre.org/groups/G0082", - "https://attack.mitre.org/groups/G0032" + "https://attack.mitre.org/groups/G0032", + "https://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry/", + "https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds" ], "synonyms": [ "Operation DarkSeoul", @@ -3241,7 +3243,14 @@ "ATK3", "G0032", "ATK117", - "G0082" + "G0082", + "Citrine Sleet", + "DEV-0139", + "DEV-1222", + "Diamond Sleet", + "ZINC", + "Sapphire Sleet", + "COPERNICIUM" ] }, "related": [ From 73d23f62116498fa64b2f1b5eda442c620112d52 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:03 -0800 Subject: [PATCH 54/99] [threat-actors] Add Sandworm aliases --- clusters/threat-actor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index ceb3fc8..fbb23b7 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -2819,7 +2819,8 @@ "IRIDIUM", "Blue Echidna", "FROZENBARENTS", - "UAC-0113" + "UAC-0113", + "Seashell Blizzard" ], "targeted-sector": [ "Electric", From 6f61a3fc3e2dbe9d74b20ba644fad7e0d94396b1 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:03 -0800 Subject: [PATCH 55/99] [threat-actors] Add Storm-1084 --- clusters/threat-actor.json | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index fbb23b7..2b4b2c8 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -14540,6 +14540,21 @@ }, "uuid": "0876c327-c82a-45f7-82fa-267c312ceb05", "value": "Pink Sandstorm" + }, + { + "description": "Storm-1084 is a threat actor that has been observed collaborating with the MuddyWater group. They have used the DarkBit persona to mask their involvement in targeted attacks. Storm-1084 has been linked to destructive actions, including the encryption of on-premise devices and deletion of cloud resources. They have been observed using tools such as Rport, Ligolo, and a customized PowerShell backdoor. The extent of their autonomy or collaboration with other Iranian threat actors is currently unclear.", + "meta": { + "country": "IR", + "refs": [ + "https://circleid.com/posts/20230824-signs-of-muddywater-developments-found-in-the-dns", + "https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/" + ], + "synonyms": [ + "DEV-1084" + ] + }, + "uuid": "2cc32087-f242-4091-8634-4554635b7a58", + "value": "Storm-1084" } ], "version": 298 From 83f874da2c7e94d86c13e3e4c575388634e7a8e5 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:03 -0800 Subject: [PATCH 56/99] [threat-actors] Add LYCEUM aliases --- clusters/threat-actor.json | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 2b4b2c8..80fda84 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -8426,7 +8426,9 @@ "value": "TA428" }, { + "description": "Lyceum is an Iranian APT group that has been active since at least 2014. They primarily target Middle Eastern governments and organizations in the energy and telecommunications sectors. Lyceum is known for using cyber espionage techniques and has been linked to other Iranian threat groups such as APT34. They have developed and deployed malware families like Shark and Milan, and have been observed using DNS tunneling and HTTPfor command and control communication.", "meta": { + "country": "IR", "refs": [ "https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign", "https://www.secureworks.com/research/threat-profiles/cobalt-lyceum", @@ -8438,7 +8440,8 @@ "COBALT LYCEUM", "HEXANE", "Spirlin", - "siamesekitten" + "siamesekitten", + "Storm-0133" ] }, "uuid": "e1b95185-8db6-4f3c-9ffd-1749087d934a", From 972ed33536db63a4a8ac8ba4550aa6bf72e1553c Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:03 -0800 Subject: [PATCH 57/99] [threat-actors] Add TA2101 aliases --- clusters/threat-actor.json | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 80fda84..7576af3 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
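Review bot: The new Lyceum description contains `DNS tunneling and HTTPfor command and control communication`, where the space between `HTTP` and `for` is missing; this string is rendered as-is by the galaxy, so it should read `DNS tunneling and HTTP for command and control communication`. The same sentence links Lyceum to APT34, a claim that none of the reference titles visible in this hunk obviously covers; it should either be cited in `refs` or softened.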
@@ -8700,18 +8700,23 @@ { "description": "Proofpoint researchers detected campaigns from a relatively new actor, tracked internally as TA2101, targeting German companies and organizations to deliver and install backdoor malware. The actor initiated their campaigns impersonating the Bundeszentralamt fur Steuern, the German Federal Ministry of Finance, with lookalike domains, verbiage, and stolen branding in the emails. For their campaigns in Germany, the actor chose Cobalt Strike, a commercially licensed software tool that is generally used for penetration testing and emulates the type of backdoor framework used by Metasploit, a similar penetration testing tool. Proofpoint researchers have also observed this actor distributing Maze ransomware, employing similar social engineering techniques to those it uses for Cobalt Strike, while also targeting organizations in Italy and impersonating the Agenzia Delle Entrate, the Italian Revenue Agency. We have also recently observed the actor targeting organizations in the United States using the IcedID banking Trojan while impersonating the United States Postal Service (USPS).", "meta": { + "country": "RU", "refs": [ "https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", "https://adversary.crowdstrike.com/adversary/twisted-spider/", "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf", "https://www.secureworks.com/blog/how-cyber-adversaries-are-adapting-to-exploit-the-global-pandemic", - "http://www.secureworks.com/research/threat-profiles/gold-village" + "http://www.secureworks.com/research/threat-profiles/gold-village", + "https://www.cysecurity.news/2023/12/twisted-spiders-dangerous-cactus.html" ], "synonyms": [ "Maze Team", "TWISTED SPIDER", - "GOLD VILLAGE" + "GOLD VILLAGE", + "Storm-0216", + "DEV-0216", + 
"Twisted Spider" ] }, "uuid": "39925aa0-c7bf-4b9b-97d6-7d600329453d", From 68e0ffb0066d82ffc53a28041f99ae72a79502d8 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:04 -0800 Subject: [PATCH 58/99] [threat-actors] Add Storm-1099 --- clusters/threat-actor.json | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 7576af3..5224629 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -14563,6 +14563,17 @@ }, "uuid": "2cc32087-f242-4091-8634-4554635b7a58", "value": "Storm-1084" + }, + { + "description": "Storm-1099 is a sophisticated Russia-affiliated influence actor that has been conducting pro-Russia influence operations targeting international supporters of Ukraine since Spring 2022. They are known for their website forgery operation called \"Doppelganger\" and have been actively spreading false information. They have been involved in pushing the claim that Hamas acquired Ukrainian weapons for an attack on Israel. Storm-1099 has also been implicated in amplifying images of graffiti in Paris, suggesting possible Russian involvement and aligning with Russia's Active Measures playbook.", + "meta": { + "country": "RU", + "refs": [ + "https://blogs.microsoft.com/on-the-issues/2023/12/07/russia-ukraine-digital-threat-celebrity-cameo-mtac/" + ] + }, + "uuid": "b05a2a56-08dc-4827-9aef-aaade91016a4", + "value": "Storm-1099" } ], "version": 298 From de04fe33e16673b5520b697baec0b3ba30993482 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:04 -0800 Subject: [PATCH 59/99] [threat-actors] Add Storm-1286 --- clusters/threat-actor.json | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 5224629..4980aed 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -14574,6 +14574,16 @@ }, "uuid": "b05a2a56-08dc-4827-9aef-aaade91016a4", "value": "Storm-1099" + }, + { + "description": "Storm-1286 is a threat actor that engages in large-scale spamming activities, primarily targeting user accounts without multifactor authentication enabled. They employ password spraying attacks to compromise these accounts and utilize legacy authentication protocols like IMAP and SMTP. In the past, they have attempted to compromise admin accounts and create new LOB applications with high administrative permissions to spread spam. Despite previous actions taken by Microsoft Threat Intelligence, Storm-1286 continues to explore new methods to establish a high-scale spamming platform within victim organizations using non-privileged users.", + "meta": { + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2023/12/12/threat-actors-misuse-oauth-applications-to-automate-financially-driven-attacks/" + ] + }, + "uuid": "375988ab-91b9-419e-8646-a4783b931288", + "value": "Storm-1286" } ], "version": 298 From 3fda32a0d6946e52c36449292a1462fe1b7ebdcd Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:04 -0800 Subject: [PATCH 60/99] [threat-actors] Add Ghostwriter aliases --- clusters/threat-actor.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 4980aed..6dfbcc5 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -9488,7 +9488,9 @@ "synonyms": [ "UNC1151", "TA445", - "PUSHCHA" + "PUSHCHA", + "Storm-0257", + "DEV-0257" ] }, "related": [ From 3a193291b9e03c359f96811f77883aa0cdf85d3d Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:04 -0800 Subject: [PATCH 61/99] [threat-actors] Add Storm-1101 --- clusters/threat-actor.json | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 6dfbcc5..578df6a 100644 
--- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -14586,6 +14586,19 @@ }, "uuid": "375988ab-91b9-419e-8646-a4783b931288", "value": "Storm-1286" + }, + { + "description": "DEV-1101 is a threat actor tracked by Microsoft who is responsible for developing and advertising phishing kits, specifically AiTM phishing kits. These kits are capable of bypassing multifactor authentication and are available for purchase or rent by other cybercriminals. DEV-1101 offers an open-source kit with various enhancements, such as mobile device management and CAPTCHA evasion. Their tool has been used in high-volume phishing campaigns by multiple actors, including DEV-0928, and is sold for $300 with VIP licenses available for $1,000.", + "meta": { + "refs": [ + "http://www.microsoft.com/en-us/security/blog/2023/03/13/dev-1101-enables-high-volume-aitm-campaigns-with-open-source-phishing-kit/" + ], + "synonyms": [ + "DEV-1101" + ] + }, + "uuid": "8081af2c-442f-4487-9cf7-022cbe010b8f", + "value": "Storm-1101" } ], "version": 298 From a6c451be2dc590174baac07456bfb6a2efc82496 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:04 -0800 Subject: [PATCH 62/99] [threat-actors] Add Storm-0381 --- clusters/threat-actor.json | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 578df6a..7776a1b 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -14599,6 +14599,20 @@ }, "uuid": "8081af2c-442f-4487-9cf7-022cbe010b8f", "value": "Storm-1101" + }, + { + "description": "Storm-0381 is a threat actor identified by Microsoft as a Russian cybercrime group. They are known for their use of malvertising to deploy Magniber, a type of ransomware.", + "meta": { + "country": "RU", + "refs": [ + "https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2023" + ], + "synonyms": [ + "DEV-0381" + ] + }, + "uuid": "874860fe-5aee-4c94-aee1-2166c225c41e", + "value": "Storm-0381" } ], "version": 298 From fa7709e63c4731f96432b0845a67cf1f368765c5 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:04 -0800 Subject: [PATCH 63/99] [threat-actors] Add Storm-0530 --- clusters/threat-actor.json | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 7776a1b..a99b741 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -14613,6 +14613,25 @@ }, "uuid": "874860fe-5aee-4c94-aee1-2166c225c41e", "value": "Storm-0381" + }, + { + "description": "H0lyGh0st is a North Korean threat actor that has been active since June 2021. They are responsible for developing and deploying the H0lyGh0st ransomware, which targets small-to-medium businesses in various sectors. The group employs \"double extortion\" tactics, encrypting data and threatening to publish it if the ransom is not paid. There are connections between H0lyGh0st and the PLUTONIUM APT group, indicating a possible affiliation.", + "meta": { + "country": "KP", + "refs": [ + "https://ics-cert.kaspersky.com/publications/reports/2023/03/24/apt-attacks-on-industrial-organizations-in-h2-2022/", + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-040a", + "https://blogs.blackberry.com/en/2022/08/h0lygh0st-ransomware", + "https://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/", + "https://www.picussecurity.com/resource/h0lygh0st-north-korean-threat-group-strikes-back-with-new-ransomware" + ], + "synonyms": [ + "DEV-0530", + "H0lyGh0st" + ] + }, + "uuid": "47945864-c233-46e7-8b96-b427b97b0ebf", + "value": "Storm-0530" } ], "version": 298 From b645975616b8e6ce3a80ad6845d6bf57698469ca Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:04 -0800 Subject: [PATCH 64/99] [threat-actors] Add DarkHotel aliases --- clusters/threat-actor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index a99b741..517daf9 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -372,7 +372,8 @@ "TUNGSTEN BRIDGE", "T-APT-02", "G0012", - "ATK52" + "ATK52", + "Zigzag Hail" ] }, "related": [ From b3f440203aac719bb21f812a9d66a995ce71123a Mon Sep 17 00:00:00 2001 
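Review bot: The Storm-0530 description asserts a connection to the PLUTONIUM group only in prose, although this cluster has a structured way to say it — the `related` arrays visible on neighbouring entries — and the new entry carries none. If the galaxy has an entry for PLUTONIUM (Andariel), add `{"dest-uuid": "<its uuid>", "type": "similar"}` under `related` so the link survives tooling that only reads relationships. Also confirm that `H0lyGh0st` is intended as an actor alias rather than the ransomware family name, since the description uses the same name for both; the family itself belongs in the ransomware cluster.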
From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:05 -0800 Subject: [PATCH 65/99] [threat-actors] Add Storm-0539 --- clusters/threat-actor.json | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 517daf9..4e618c4 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -14633,6 +14633,17 @@ }, "uuid": "47945864-c233-46e7-8b96-b427b97b0ebf", "value": "Storm-0530" + }, + { + "description": "Storm-0539 is a financially motivated threat actor that has been active since at least 2021. They primarily target retail organizations for gift card fraud and theft. Their tactics include phishing via emails or SMS to distribute malicious links that redirect users to phishing pages designed to steal credentials and session tokens. Once access is gained, Storm-0539 registers a device for secondary authentication prompts, bypassing multi-factor authentication and gaining persistence in the environment. They also collect emails, contact lists, and network configurations for further attacks against the same organizations.", + "meta": { + "refs": [ + "https://www.rewterz.com/rewterz-news/rewterz-threat-update-microsoft-warns-of-emerging-threat-by-storm-0539-behind-gift-card-frauds/", + "https://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/monthly-news-november-2023/ba-p/3970796" + ] + }, + "uuid": "760b350c-522e-432d-80c5-7aab0eaf8873", + "value": "Storm-0539" } ], "version": 298 From 991765a1c749d2149bfeddf04a12d387816fc7c6 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:05 -0800 Subject: [PATCH 66/99] [threat-actors] Add SaintBear aliases --- clusters/threat-actor.json | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 4e618c4..d95aae4 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -10269,6 +10269,7 @@ { "description": "A group targeting UA state organizations using the GraphSteel and GrimPlant malware.", "meta": { + "country": "RU", "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphsteel", "https://cert.gov.ua/article/38374", @@ -10277,7 +10278,8 @@ "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/", "https://unit42.paloaltonetworks.com/atoms/nascentursa/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nodaria-ukraine-infostealer", - "https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/" + "https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/", + "https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" ], "synonyms": [ "UNC2589", @@ -10285,7 +10287,10 @@ "UAC-0056", "Nascent Ursa", "Nodaria", - "FROZENVISTA" + "FROZENVISTA", + "Storm-0587", + "DEV-0587", + "Saint Bear" ] }, "uuid": "c67d3dfb-ab39-46e1-a971-5efdfe6a5b9f", From eb8db810c0c7d0d58370a043e039b12f380b2411 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:05 -0800 Subject: [PATCH 67/99] [threat-actors] Add Storm-1152 --- clusters/threat-actor.json | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index d95aae4..674a47e 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
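Review bot: The hunk adds Microsoft's Cadet Blizzard article as a ref and `Storm-0587`/`DEV-0587` as synonyms, but not the name Microsoft now uses for that activity, which the ref's own URL gives as Cadet Blizzard. If the DEV-0587 mapping is taken from that article, `"Cadet Blizzard"` should be listed next to it — or, if the microsoft-activity-group cluster already carries that name, a `related` link to that entry. The new `"country": "RU"` is an attribution claim the earlier refs did not make; it appears to rest on the added Microsoft ref, so say so in the commit message.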
@@ -14649,6 +14649,19 @@ }, "uuid": "760b350c-522e-432d-80c5-7aab0eaf8873", "value": "Storm-0539" + }, + { + "description": "Storm-1152, a cybercriminal group, was recently taken down by Microsoft for illegally reselling Outlook accounts. They operated by creating approximately 750 million fraudulent Microsoft accounts and earned millions of dollars in illicit revenue. Storm-1152 also offered CAPTCHA-solving services and was connected to ransomware and extortion groups. Microsoft obtained a court order to seize their infrastructure and domains, disrupting their operations.", + "meta": { + "country": "VN", + "refs": [ + "https://securityboulevard.com/2023/12/microsoft-storm-1152-crackdown-stopping-threat-actors/", + "https://blogs.microsoft.com/on-the-issues/2023/12/13/cybercrime-cybersecurity-storm-1152-fraudulent-accounts/", + "https://www.rewterz.com/rewterz-news/rewterz-threat-update-microsoft-warns-of-emerging-threat-by-storm-0539-behind-gift-card-frauds/" + ] + }, + "uuid": "e18dca82-0524-4338-9a66-e13e67c81ac4", + "value": "Storm-1152" } ], "version": 298 From 7607dc70cfe4e25285280072d90a23bc81f43022 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:05 -0800 Subject: [PATCH 68/99] [threat-actors] Add Storm-1567 --- clusters/threat-actor.json | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 674a47e..0a22070 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
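Review bot: The third ref in the new Storm-1152 entry (`rewterz-threat-update-microsoft-warns-of-emerging-threat-by-storm-0539-behind-gift-card-frauds`) is the same URL used for the Storm-0539 entry earlier in this series and, by its title, is about Storm-0539; it looks copied across by mistake. Drop it unless it actually discusses Storm-1152. The '750 million fraudulent Microsoft accounts' figure and `"country": "VN"` both come from the Microsoft DCU post already listed, so that primary source is the one worth keeping.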
@@ -14662,6 +14662,23 @@ }, "uuid": "e18dca82-0524-4338-9a66-e13e67c81ac4", "value": "Storm-1152" + }, + { + "description": "Storm-1567 is the threat actor behind the Ransomware-as-a-Service Akira. They attacked Swedish organizations in March 2023. This ransomware utilizes the ChaCha encryption algorithm, PowerShell, and Windows Management Instrumentation (WMI). Microsoft's Defender for Endpoint successfully blocked a large-scale hacking campaign carried out by Storm-1567, highlighting the effectiveness of their security solution.", + "meta": { + "refs": [ + "https://news.sophos.com/en-us/2023/12/20/cryptoguard-an-asymmetric-approach-to-the-ransomware-battle/", + "https://securelist.com/crimeware-report-fakesg-akira-amos/111483/", + "https://www.trellix.com/en-us/about/newsroom/stories/research/akira-ransomware.html", + "https://blog.sekoia.io/sekoia-io-mid-2023-ransomware-threat-landscape", + "https://decoded.avast.io/threatresearch/avast-q2-2023-threat-report/" + ], + "synonyms": [ + "Akira" + ] + }, + "uuid": "3a912680-6f38-4fe7-9941-744f0e2280b3", + "value": "Storm-1567" } ], "version": 298 From 0b571d7e76de1e4f94bf6b2cb6d10d5c126fb058 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:05 -0800 Subject: [PATCH 69/99] [threat-actors] Add Storm-0829 --- clusters/threat-actor.json | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 0a22070..95b69bf 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
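Review bot: The last sentence of the Storm-1567 description ('Microsoft's Defender for Endpoint successfully blocked ... highlighting the effectiveness of their security solution') is vendor marketing, not threat intelligence, and should not go into a shared CTI cluster. The synonym `Akira` also conflates the RaaS brand/ransomware family with the Storm-1567 operator that Microsoft tracks; the family belongs in the ransomware cluster with a `related` link from here, unless the intent is that actor name and brand are interchangeable. Suggested ending: `... This ransomware utilizes the ChaCha encryption algorithm, PowerShell, and Windows Management Instrumentation (WMI).`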
@@ -14679,6 +14679,23 @@ }, "uuid": "3a912680-6f38-4fe7-9941-744f0e2280b3", "value": "Storm-1567" + }, + { + "description": "Nwgen is a group that focuses on data exfiltration and ransomware activities. They have been found to share techniques with other threat groups such as Karakurt, Lapsus$, and Yanluowang. Nwgen has been observed carrying out attacks and deploying ransomware, encrypting files and demanding a ransom of $150,000 in Monero cryptocurrency for the decryption software.", + "meta": { + "refs": [ + "https://www.enigmasoftware.com/nwgenransomware-removal/", + "https://www.databreaches.net/east-tennessee-childrens-hospital-updates-information-on-ransomware-incident/", + "https://readme.security/cybercrime-is-more-of-a-threat-than-nation-state-hackers-6f6cccf47721", + "https://twitter.com/cglyer/status/1546297609215696897" + ], + "synonyms": [ + "DEV-0829", + "Nwgen Team" + ] + }, + "uuid": "3e595289-05b8-43fc-bd88-f8650436447f", + "value": "Storm-0829" } ], "version": 298 From 1589a943a9e596bb2e466d3c89d7e843b1ac7b2b Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:05 -0800 Subject: [PATCH 70/99] [threat-actors] Add Storm-1674 --- clusters/threat-actor.json | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 95b69bf..b8eae0d 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -14696,6 +14696,17 @@
 },
 "uuid": "3e595289-05b8-43fc-bd88-f8650436447f",
 "value": "Storm-0829"
+ },
+ {
+ "description": "Storm-1674 is an access broker known for using tools based on the publicly available TeamsPhisher tool to distribute DarkGate malware. Storm-1674 campaigns have typically relied on phishing lures sent over Teams with malicious attachments, such as ZIP files containing a LNK file that ultimately drops DarkGate and Pikabot. In September 2023, Microsoft observed handoffs from Storm-1674 to ransomware operators that have led to Black Basta ransomware deployment.",
+ "meta": {
+ "refs": [
+ "https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/",
+ "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-widely-abused-msix-app-installer-disabled-by-microsoft-active-iocs/"
+ ]
+ },
+ "uuid": "eb7b5ed7-cf9d-4c72-8f89-a2ee070b89b6",
+ "value": "Storm-1674"
 }
 ],
 "version": 298
From a42dc67fb6edc237fe925bab71525ae3d50e717e Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Thu, 1 Feb 2024 11:02:05 -0800
Subject: [PATCH 71/99] [threat-actors] Add Storm-0835
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index b8eae0d..26012d3 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14707,6 +14707,16 @@
 },
 "uuid": "eb7b5ed7-cf9d-4c72-8f89-a2ee070b89b6",
 "value": "Storm-1674"
+ },
+ {
+ "description": "Cybercriminals have launched a phishing campaign targeting senior executives in U.S. firms, using the EvilProxy phishing toolkit for credential harvesting and account takeover attacks. This campaign, initiated in July 2023, primarily targets sectors such as banking, financial services, insurance, property management, real estate, and manufacturing. The attackers exploit an open redirection vulnerability on the job search platform \"indeed.com,\" redirecting victims to malicious phishing pages impersonating Microsoft. EvilProxy functions as a reverse proxy, intercepting credentials, two-factor authentication codes, and session cookies to hijack accounts. The threat actors, known as Storm-0835 by Microsoft, have hundreds of customers who pay monthly fees for their services, making attribution difficult. The attacks involve sending phishing emails with deceptive links to Indeed, redirecting victims to EvilProxy pages for credential harvesting.",
+ "meta": {
+ "refs": [
+ "https://www.linkedin.com/pulse/cyber-criminals-using-evilproxy-phishing-kit-target-senior-soral/"
+ ]
+ },
+ "uuid": "2da09284-be56-49cd-ad18-993a6eb17af2",
+ "value": "Storm-0835"
 }
 ],
 "version": 298
From e497ec2b381ac764c3209972a4c6bed05392ead0 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Thu, 1 Feb 2024 11:02:05 -0800
Subject: [PATCH 72/99] [threat-actors] Add Storm-1575
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 26012d3..a8893d0 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
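Review bot: The Storm-0835 entry rests on a single LinkedIn post, a secondary source; the description's concrete claims (Indeed open redirect, July 2023 start, the sector list) should be backed by the originating vendor research, and the Storm-0835 name by the Microsoft publication that assigns it. The text also reads as a write-up of one campaign rather than an actor profile: it says Storm-0835 has 'hundreds of customers', i.e. it is the EvilProxy phishing-as-a-service operator, while the Indeed campaign was run by one of those customers, and the description should separate the two. If Microsoft's mapping is EvilProxy = Storm-0835, add `"synonyms": ["EvilProxy"]` so searches for the kit name resolve here.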
@@ -14717,6 +14717,17 @@
 },
 "uuid": "2da09284-be56-49cd-ad18-993a6eb17af2",
 "value": "Storm-0835"
+ },
+ {
+ "description": "Storm-1575 is a threat actor identified by Microsoft as being involved in phishing campaigns using the Dadsec platform. They utilize hundreds of Domain Generated Algorithm domains to host credential harvesting pages and target global organizations to steal Microsoft 365 credentials.",
+ "meta": {
+ "refs": [
+ "https://www.bridewell.com/insights/blogs/detail/analysing-widespread-microsoft365-credential-harvesting-campaign",
+ "https://twitter.com/MsftSecIntel/status/1712936244987019704?lang=en"
+ ]
+ },
+ "uuid": "2485a9cb-b41c-43bd-8b1c-c64e919c0a4e",
+ "value": "Storm-1575"
 }
 ],
 "version": 298
From effee963cc216bf469f76d5c07fcc43299199cdf Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 2 Feb 2024 15:32:02 +0100
Subject: [PATCH 73/99] chg: [microsoft] updated version
---
 clusters/microsoft-activity-group.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/microsoft-activity-group.json b/clusters/microsoft-activity-group.json
index 8dcd644..4e0ede8 100644
--- a/clusters/microsoft-activity-group.json
+++ b/clusters/microsoft-activity-group.json
@@ -1840,5 +1840,5 @@
 "value": "Zigzag Hail"
 }
 ],
- "version": 20
+ "version": 21
 }
From ca366fc16a8755fa593578e908d403b5f6b52642 Mon Sep 17 00:00:00 2001
From: Christophe Vandeplas
Date: Mon, 5 Feb 2024 07:34:58 +0100
Subject: [PATCH 74/99] chg: [ATRM] bump to latest ATRM version
---
 clusters/atrm.json | 58 ++++++++++++++++++++++++++++------------------
 galaxies/atrm.json | 4 ++--
 2 files changed, 38 insertions(+), 24 deletions(-)
diff --git a/clusters/atrm.json b/clusters/atrm.json
index f6c4224..09218e4 100644
--- a/clusters/atrm.json
+++ b/clusters/atrm.json
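Review bot: 'Domain Generated Algorithm domains' in the Storm-1575 description is the wrong term; it should read `hundreds of Domain Generation Algorithm (DGA) domains`. Since the description itself names Dadsec as the platform, and that is the name analysts will search for, consider adding `"synonyms": ["Dadsec"]` if Microsoft's mapping supports it (the MsftSecIntel post in refs is the place to confirm). The twitter.com ref should also be paired with an archived or durable copy, as those links have a poor survival record.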
@@ -11,7 +11,8 @@ "Ram Pliskin", "Nikhil Mittal", "MITRE ATT&CK", - "AlertIQ" + "AlertIQ", + "Craig Fretwell" ], "category": "atrm", "description": "The purpose of the Azure Threat Research Matrix (ATRM) is to educate readers on the potential of Azure-based tactics, techniques, and procedures (TTPs). It is not to teach how to weaponize or specifically abuse them. For this reason, some specific commands will be obfuscated or parts will be omitted to prevent abuse.", @@ -491,7 +492,7 @@ "value": "AZT404.2 - Logic Application" }, { - "description": "By utilizing a Automation Account configured with a managed identity or RunAs account, an attacker can execute Azure operations on a given resource.", + "description": "By utilizing a Function Application, an attacker can execute Azure operations on a given resource.", "meta": { "kill_chain": [ "ATRM-tactics:Privilege Escalation" @@ -1066,10 +1067,10 @@ "description": "By generating an SAS URI for a resource, an adversary may extract the contents of that resource without authentication at any time.", "meta": { "kill_chain": [ - "ATRM-tactics:Exfiltration" + "ATRM-tactics:Impact" ], "refs": [ - "https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT701/AZT701" + "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT701/AZT701" ] }, "uuid": "9ca7b25c-643a-5e55-a210-684f49fe82d8", @@ -1079,10 +1080,10 @@ "description": "An adversary may create an SAS URI to download the disk attached to a virtual machine.", "meta": { "kill_chain": [ - "ATRM-tactics:Exfiltration" + "ATRM-tactics:Impact" ], "refs": [ - "https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT701/AZT701-1" + "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT701/AZT701-1" ] }, "uuid": "8805d880-8887-52b6-a113-8c0f4fec4230", 
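Review bot: The `@@ -491` hunk rewrites the description of an existing AZT404 sub-technique from 'Automation Account configured with a managed identity or RunAs account' to 'Function Application' while the entry keeps its uuid (outside the hunk, hence unchanged). If upstream merely fixed a copy-paste error that is fine, but if the sub-technique was renumbered, every event already tagged with this uuid silently changes meaning. Confirm against the upstream AZT404 page and state which case it is in the commit message.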
@@ -1092,10 +1093,10 @@ "description": "By generating a Shared Access Signature (SAS) URI, an adversary can access a container in a Storage Account at any time.", "meta": { "kill_chain": [ - "ATRM-tactics:Exfiltration" + "ATRM-tactics:Impact" ], "refs": [ - "https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT701/AZT701-2" + "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT701/AZT701-2" ] }, "uuid": "aae55a3a-8e32-5a62-8d41-837b2ebb1e69", @@ -1105,23 +1106,23 @@ "description": "An adversary can generate a connection string to mount an Azure Storage Account File Share as an NFS or SMB share to their local machine.", "meta": { "kill_chain": [ - "ATRM-tactics:Exfiltration" + "ATRM-tactics:Impact" ], "refs": [ - "https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT702/AZT702-1" + "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT702/AZT702-1" ] }, "uuid": "dc6f9ee0-55b2-5197-87a5-7474cfc04d72", "value": "AZT702 - File Share Mounting" }, { - "description": "By setting up cross-tenant replication, an adversary may set up replication from one tenant's storage account to an external tenant's storage account.", + "description": "", "meta": { "kill_chain": [ - "ATRM-tactics:Exfiltration" + "ATRM-tactics:Impact" ], "refs": [ - "https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT703/AZT703-1" + "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT703/AZT703-1" ] }, "uuid": "ff4276bf-ab9e-5157-a171-5cdd4a3e6002", 
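Review bot: The AZT703 entry's description is replaced with an empty string (`"description": "",`), dropping the only text explaining cross-tenant storage replication; an empty description is a regression regardless of what the upstream generator emitted. Either keep the previous sentence (`By setting up cross-tenant replication, an adversary may set up replication from one tenant's storage account to an external tenant's storage account.`) or pull the current wording from the AZT703-1 page in `refs`. The import script should probably refuse to overwrite a non-empty description with an empty one.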
@@ -1131,10 +1132,10 @@ "description": "An adversary may leverage resources found at a 'soft deletion' state, restore them and advance their attack by retrieving contents meant to be deleted", "meta": { "kill_chain": [ - "ATRM-tactics:Exfiltration" + "ATRM-tactics:Impact" ], "refs": [ - "https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT704/AZT704" + "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704" ] }, "uuid": "47ded49d-ef4c-57d4-8050-f66f884c4388", @@ -1144,10 +1145,10 @@ "description": "An adversary may recover a key vault object found in a 'soft deletion' state.", "meta": { "kill_chain": [ - "ATRM-tactics:Exfiltration" + "ATRM-tactics:Impact" ], "refs": [ - "https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT704/AZT704-1" + "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704-1" ] }, "uuid": "d8fc76f2-6776-5a09-bfb3-57852ae1d786", @@ -1157,10 +1158,10 @@ "description": "An adversary may recover a storage account object found in a 'soft deletion' state.", "meta": { "kill_chain": [ - "ATRM-tactics:Exfiltration" + "ATRM-tactics:Impact" ], "refs": [ - "https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT704/AZT704-2" + "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704-2" ] }, "uuid": "cd9f0082-b2c7-53f8-95a6-a4fe746f973e", 
@@ -1170,15 +1171,28 @@ "description": "An adversary may recover a virtual machine object found in a 'soft deletion' state.", "meta": { "kill_chain": [ - "ATRM-tactics:Exfiltration" + "ATRM-tactics:Impact" ], "refs": [ - "https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT704/AZT704-3" + "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704-3" ] }, "uuid": "d333405e-af82-555c-a68f-e723878b5f55", "value": "AZT704.3 - Recovery Services Vault" + }, + { + "description": "An adversary may recover a virtual machine object found in a 'soft deletion' state.", + "meta": { + "kill_chain": [ + "ATRM-tactics:Impact" + ], + "refs": [ + "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704-3" + ] + }, + "uuid": "9d181c95-ccf7-5c94-8f4a-f6a2df62d760", + "value": "AZT705 - Azure Backup Delete" } ], - "version": 1 + "version": 2 } diff --git a/galaxies/atrm.json b/galaxies/atrm.json index 6731d04..d56184e 100644 --- a/galaxies/atrm.json +++ b/galaxies/atrm.json @@ -9,12 +9,12 @@ "Privilege Escalation", "Persistence", "Credential Access", - "Exfiltration" + "Impact" ] }, "name": "Azure Threat Research Matrix", "namespace": "atrm", "type": "atrm", "uuid": "b541a056-154c-41e7-8a56-41db3f871c00", - "version": 1 + "version": 2 } From a456e419d839b43edfbf9555f43937f6c64cff84 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Mon, 5 Feb 2024 03:39:16 -0800 Subject: [PATCH 75/99] [threat-actors] Add APT31 aliases --- clusters/threat-actor.json | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index a8893d0..ce5cdfe 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
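Review bot: The new AZT705 entry's description and ref are copied from AZT704.3 — 'An adversary may recover a virtual machine object found in a 'soft deletion' state.' and `.../Impact/AZT704/AZT704-3` — which contradicts its value 'Azure Backup Delete'. The ref should point at the AZT705 page (presumably `https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT705/AZT705`, following the pattern of the other entries) and the description should describe deletion of Azure Backup data, taken from that page. As written, a consumer tagging backup deletion gets a recovery technique's text.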
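Review bot: The galaxy's kill chain replaces `Exfiltration` with `Impact` outright, so any MISP instance that already tagged events with `ATRM-tactics:Exfiltration` will hold tags that no longer resolve to a tactic after this update. Keep `Exfiltration` in the list for at least one version, or document the migration in the commit message. Note also that several re-tagged techniques (the AZT701 SAS-URI entries) still describe extracting resource contents without authentication, which analysts mapping to ATT&CK will read as exfiltration rather than impact — worth a line in the changelog.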
@@ -7971,14 +7971,17 @@ "https://www.mandiant.com/resources/insights/apt-groups", "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf", "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi", - "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf" + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists" ], "synonyms": [ "ZIRCONIUM", "JUDGMENT PANDA", "BRONZE VINEWOOD", "Red keres", - "Violet Typhoon" + "Violet Typhoon", + "TA412", + "Zirconium" ] }, "related": [ From 3690ab0e24061c8bdf5d7e5dc7e3474cc3b20cd9 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Mon, 5 Feb 2024 03:39:16 -0800 Subject: [PATCH 76/99] [threat-actors] Add TA2552 --- clusters/threat-actor.json | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index ce5cdfe..5624bdc 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
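Review bot: The added synonym `Zirconium` duplicates the existing `ZIRCONIUM` a few lines above, differing only in case; synonyms in this cluster are matched as strings, so this adds noise without a new name. Drop `Zirconium` and keep `TA412`, which is the genuinely new alias supported by the added Proofpoint ref.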
@@ -14731,6 +14731,16 @@ }, "uuid": "2485a9cb-b41c-43bd-8b1c-c64e919c0a4e", "value": "Storm-1575" + }, + { + "description": "Since January 2020, Proofpoint researchers have tracked an actor abusing Microsoft Office 365 (O365) third-party application (3PA) access, with suspected activity dating back to August 2019. The actor, known as TA2552, uses well-crafted Spanish language lures that leverage a narrow range of themes and brands. The lures entice users to click a link in the message, taking them to the legitimate Microsoft third-party apps consent page. There they are prompted to grant a third-party application read-only user permissions to their O365 account via OAuth2 or other token-based authorization methods. TA2552 seeks access to specific account resources like the user’s contacts and mail. Requesting read-only permissions for such account resources could be used to conduct account reconnaissance, silently steal data, or to intercept password reset messages from other accounts such as those at financial institutions. While organizations with global presence have received messages from this group, they appear to choose recipients who are likely Spanish speakers. \n\n", + "meta": { + "refs": [ + "https://www.proofpoint.com/us/blog/threat-insight/ta2552-uses-oauth-access-token-phishing-exploit-read-only-risks" + ] + }, + "uuid": "e9de47f0-3e68-465c-b91e-7a2b7371955c", + "value": "TA2552" } ], "version": 298 From 72504d286a1e06b014297184b4d27f8f0629a0bb Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Mon, 5 Feb 2024 03:39:16 -0800 Subject: [PATCH 77/99] [threat-actors] Add MUSTANG PANDA aliases --- clusters/threat-actor.json | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 5624bdc..d8ad39e 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
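Review bot: The TA2552 description ends with a literal `\n\n`, trailing newlines pasted in from the source article that will render as blank lines in every consumer; strip them so the string ends at `...likely Spanish speakers.`. The description also reproduces Proofpoint's paragraph at length; a shorter paraphrase that leads with the read-only OAuth consent abuse would serve analysts better.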
@@ -6957,7 +6957,10 @@ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf", - "https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html" + "https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html", + "https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader", + "https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european", + "https://unit42.paloaltonetworks.com/stately-taurus-targets-philippines-government-cyberespionage/" ], "synonyms": [ "BRONZE PRESIDENT", @@ -6965,7 +6968,10 @@ "Red Lich", "TEMP.HEX", "BASIN", - "Earth Preta" + "Earth Preta", + "TA416", + "Stately Taurus", + "LuminousMoth" ] }, "uuid": "78bf726c-a9e6-11e8-9e43-77249a2f7339", From 3f6ff94c89960c1d170163686ca3b3595e720ab6 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Mon, 5 Feb 2024 03:39:16 -0800 Subject: [PATCH 78/99] [threat-actors] Add APT33 aliases --- clusters/threat-actor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index d8ad39e..0273fee 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -1945,7 +1945,8 @@ "COBALT TRINITY", "G0064", "ATK35", - "Peach Sandstorm" + "Peach Sandstorm", + "TA451" ], "victimology": "Petrochemical, Aerospace, Saudi Arabia" }, From 40f65a9d91a723b17c91ec15ecc1fd38e8219734 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Mon, 5 Feb 2024 03:39:16 -0800 Subject: [PATCH 79/99] [threat-actors] Add Evilnum aliases --- clusters/threat-actor.json | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) 
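Review bot: `LuminousMoth` is added as a synonym of MUSTANG PANDA with no supporting ref — the three refs added in the same hunk cover TA416 and Stately Taurus only. LuminousMoth is a vendor name for activity that was, as far as I recall, reported as overlapping with Mustang Panda rather than identical to it, so folding it in as an alias is an attribution decision; add the ref that establishes the equivalence or express it as a `related` link with `"type": "similar"` instead.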
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 0273fee..92e56fb 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -9171,10 +9171,16 @@ "refs": [ "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/", "https://securelist.com/deathstalker-mercenary-triumvirate/98177/", - "https://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/" + "https://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/", + "https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities", + "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-evilnum-apt-group-active-iocs-7", + "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-evilnum-apt-group-targeting-financial-sector" ], "synonyms": [ - "DeathStalker" + "DeathStalker", + "TA4563", + "EvilNum", + "Jointworm" ] }, "uuid": "b6f3150f-2240-4c57-9dda-5144c5077058", From be8e127590e28e538fb40c6efd46b47e3e1a313f Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Mon, 5 Feb 2024 03:39:16 -0800 Subject: [PATCH 80/99] [threat-actors] Add APT39 aliases --- clusters/threat-actor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 92e56fb..8e45759 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -7620,7 +7620,8 @@ "REMIX KITTEN", "COBALT HICKMAN", "G0087", - "Radio Serpens" + "Radio Serpens", + "TA454" ] }, "uuid": "c2c64bd3-a325-446f-91a8-b4c0f173a30b", From 57016ac3ae39b7462707f9652c77d600055d22d9 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Mon, 5 Feb 2024 03:39:16 -0800 Subject: [PATCH 81/99] [threat-actors] Add TA2722 --- clusters/threat-actor.json | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 8e45759..0053c0f 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
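Review bot: `EvilNum` in the added synonyms differs only in case from the cluster's own value (Evilnum, per the patch subject), so it is a duplicate rather than an alias; drop it and keep `TA4563` and `Jointworm`. If case-insensitive matching is the goal, that belongs in the consumer, not in the data.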
@@ -14755,6 +14755,19 @@ }, "uuid": "e9de47f0-3e68-465c-b91e-7a2b7371955c", "value": "TA2552" + }, + { + "description": "TA2722 is a highly active threat actor that targets various industries including Shipping/Logistics, Manufacturing, Business Services, Pharmaceutical, and Energy. They primarily focus on organizations in North America, Europe, and Southeast Asia. This threat actor impersonates Philippine government entities and uses themes related to the government to gain remote access to target computers. Their objectives include information gathering, installing follow-on malware, and engaging in business email compromise activities.", + "meta": { + "refs": [ + "https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-spoofs-philippine-government-covid-19-health-data-widespread" + ], + "synonyms": [ + "Balikbayan Foxes" + ] + }, + "uuid": "625c3fb4-16fc-4992-9ff2-4fad869750ac", + "value": "TA2722" } ], "version": 298 From 9cb1fd6aa86d77a1649ffeacf96e96d6e143a3bf Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Mon, 5 Feb 2024 03:39:16 -0800 Subject: [PATCH 82/99] [threat-actors] Add Lazarus Group aliases --- clusters/threat-actor.json | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 0053c0f..8d58210 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -3215,7 +3215,8 @@ "https://attack.mitre.org/groups/G0082", "https://attack.mitre.org/groups/G0032", "https://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry/", - "https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds" + "https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds", + "https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists" ], "synonyms": [ "Operation DarkSeoul", 
@@ -3253,7 +3254,9 @@
 "Diamond Sleet",
 "ZINC",
 "Sapphire Sleet",
- "COPERNICIUM"
+ "COPERNICIUM",
+ "TA404",
+ "Lazarus group"
 ]
 },
 "related": [
From bd0d541a7a7ee83e56d68cbbf0d66854c698f3d5 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 5 Feb 2024 03:39:16 -0800
Subject: [PATCH 83/99] [threat-actors] Add OilRig aliases
---
 clusters/threat-actor.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 8d58210..06bc957 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -4026,7 +4026,8 @@
 "G0049",
 "Evasive Serpens",
 "Hazel Sandstorm",
- "EUROPIUM"
+ "EUROPIUM",
+ "TA452"
 ],
 "targeted-sector": [
 "Chemical",
From fc173c1a78cfe78105c902b564173ba93d6901b6 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 5 Feb 2024 03:39:17 -0800
Subject: [PATCH 84/99] [threat-actors] Add APT10 aliases
---
 clusters/threat-actor.json | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 06bc957..1d2bc72 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -1035,7 +1035,8 @@
 "https://unit42.paloaltonetworks.com/atoms/granite-taurus",
 "https://www.mandiant.com/resources/insights/apt-groups",
 "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf"
+ "https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
+ "https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new"
 ],
 "synonyms": [
 "STONE PANDAD",
@@ -1049,7 +1050,8 @@
 "BRONZE RIVERSIDE",
 "ATK41",
 "G0045",
- "Granite Taurus"
+ "Granite Taurus",
+ "TA429"
 ]
 },
 "related": [
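Review bot: `"Lazarus group"` in the Lazarus synonyms hunk differs from the cluster's name only in case (the patch subject names it Lazarus Group), so it is a duplicate of the entry's own value rather than a new alias and only adds noise to name matching. Keep `"TA404"` and drop the case variant, or, if a consumer genuinely needs case-insensitive matching, fix that in the consumer rather than in the data. The enclosing entry starts outside this hunk.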
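Review bot: In the two APT10 hunks the reference added is Proofpoint's TA410 write-up while the alias added is `"TA429"`; from the URL alone it is not evident that the post establishes TA429 as an APT10 name, and Proofpoint tracks TA410 as its own activity set, so confirm the mapping before the alias lands, otherwise a consumer may read the pair as TA410 = APT10. The context line `"STONE PANDAD"` looks like a pre-existing typo for STONE PANDA and could be corrected in a follow-up. The enclosing entry starts and ends outside these hunks.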
From 4699f65425d3fcbe32a4729f41a5e76a565272a0 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 5 Feb 2024 03:39:17 -0800
Subject: [PATCH 85/99] [threat-actors] Add TA2719
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 1d2bc72..2492f2e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14774,6 +14774,16 @@
 },
 "uuid": "625c3fb4-16fc-4992-9ff2-4fad869750ac",
 "value": "TA2722"
+ },
+ {
+ "description": "In late March 2020, Proofpoint researchers began tracking a new actor with a penchant for using NanoCore and later AsyncRAT, popular commodity remote access trojans (RATs). Dubbed TA2719 by Proofpoint, the actor uses localized lures with colorful images that impersonate local banks, law enforcement, and shipping services. Proofpoint has observed this actor send low volume campaigns to recipients in Austria, Chile, Greece, Hungary, Italy, North Macedonia, Netherlands, Spain, Sweden, Taiwan, United States, and Uruguay. ",
+ "meta": {
+ "refs": [
+ "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages"
+ ]
+ },
+ "uuid": "33bfb09d-c6f4-4403-b434-1d4d4733ec52",
+ "value": "TA2719"
 }
 ],
 "version": 298
From 9c5bc36ab449300e42c631c5152a95f90eb53183 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 5 Feb 2024 03:39:17 -0800
Subject: [PATCH 86/99] [threat-actors] Add MuddyWater aliases
---
 clusters/threat-actor.json | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2492f2e..557732d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
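Review bot: The TA2719 `description` string ends with a trailing space after `Uruguay.`; the galaxy JSON is consumed by tooling and that whitespace survives into exports and tag names, so trim it to `...United States, and Uruguay."`. The text is also a verbatim paragraph in the vendor's first-person voice ("Proofpoint researchers began tracking", "Proofpoint has observed"), which reads oddly in a third-party catalogue; a short paraphrase that names the source would be clearer and easier to maintain.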
@@ -6207,7 +6207,8 @@
 "https://www.zdnet.com/article/new-leaks-of-iranian-cyber-espionage-operations-hit-telegram-and-the-dark-web/",
 "https://attack.mitre.org/groups/G0069/",
 "http://www.secureworks.com/research/threat-profiles/cobalt-ulster",
- "https://unit42.paloaltonetworks.com/atoms/boggyserpens/"
+ "https://unit42.paloaltonetworks.com/atoms/boggyserpens/",
+ "https://www.sentinelone.com/blog/the-new-frontline-of-geopolitics-understanding-the-rise-of-state-sponsored-cyber-attacks/"
 ],
 "synonyms": [
 "TEMP.Zagros",
@@ -6218,7 +6219,8 @@
 "G0069",
 "ATK51",
 "Boggy Serpens",
- "Mango Sandstorm"
+ "Mango Sandstorm",
+ "TA450"
 ]
 },
 "related": [
From ffeed3447f5769c584c845e633be83436f0753bb Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 5 Feb 2024 03:39:17 -0800
Subject: [PATCH 87/99] [threat-actors] Add Silent Librarian aliases
---
 clusters/threat-actor.json | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 557732d..27417a2 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7947,12 +7947,15 @@
 "https://www.proofpoint.com/us/threat-insight/post/seems-phishy-back-school-lures-target-university-students-and-staff",
 "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian",
 "https://www.secureworks.com/research/threat-profiles/cobalt-dickens",
- "https://community.riskiq.com/article/44eb0802"
+ "https://community.riskiq.com/article/44eb0802",
+ "https://www.proofpoint.com/us/corporate-blog/post/iranian-state-sponsored-and-aligned-attacks-what-you-need-know-and-steps-protect"
 ],
 "synonyms": [
 "COBALT DICKENS",
 "Mabna Institute",
- "TA407"
+ "TA407",
+ "TA4900",
+ "Yellow Nabu"
 ]
 },
 "uuid": "5059b44d-2753-4977-b987-4922f09afe6b",
From b35d4bd07ac71bff9f04a8f38ba0180723dc5096 Mon Sep 17 00:00:00 2001
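Review bot: The SentinelOne link added to MuddyWater's `refs` is, judging by its URL, a general overview of state-sponsored attacks rather than a MuddyWater report, so it is a weak citation for the new `"TA450"` alias; if the alias originates from Proofpoint, cite the Proofpoint source that maps TA450 to MuddyWater so the attribution can be checked. The Proofpoint corporate-blog link in the Silent Librarian hunk has the same problem, its title suggesting a general Iran-themed piece; confirm it actually introduces `"TA4900"` and `"Yellow Nabu"` before they land as aliases. Both enclosing entries start outside their hunks.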
From: Alexandre Dulaunoy
Date: Mon, 5 Feb 2024 15:21:25 +0100
Subject: [PATCH 88/99] chg: [threat-actor] version updated
---
 clusters/threat-actor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 27417a2..2501bef 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14791,5 +14791,5 @@
 "value": "TA2719"
 }
 ],
- "version": 298
+ "version": 299
 }
From 3379a0777b8f00494bcc4d4edaa6483e1ce5c9e3 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 5 Feb 2024 09:20:10 -0800
Subject: [PATCH 89/99] [threat-actors] Add Karkadann
---
 clusters/threat-actor.json | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2501bef..16d729c 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14789,6 +14789,20 @@
 },
 "uuid": "33bfb09d-c6f4-4403-b434-1d4d4733ec52",
 "value": "TA2719"
+ },
+ {
+ "description": "Karkadann is a threat actor that has been active since at least October 2020, targeting government bodies and news outlets in the Middle East. They have been involved in watering hole attacks, compromising high-profile websites to inject malicious JavaScript code. The group has been linked to another commercial spyware company called Candiru, suggesting they may utilize multiple spyware technologies. There are similarities in the infrastructure and tactics used by Karkadann in their campaigns.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/apt-trends-report-q2-2022/106995/",
+ "https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/"
+ ],
+ "synonyms": [
+ "Piwiks"
+ ]
+ },
+ "uuid": "8146ba06-cef2-4a94-b26e-1a4041e04c7d",
+ "value": "Karkadann"
 }
 ],
 "version": 299
From bffb0ef644880a4c8e687a576c32aa78c8231474 Mon Sep 17 00:00:00 2001
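Review bot: The Karkadann description says the group "has been linked to another commercial spyware company called Candiru", but no first company is named anywhere in the entry, so the sentence dangles and can be read as asserting that Karkadann is itself a spyware vendor. Rephrase to `The group has been linked to the commercial spyware vendor Candiru`, and if this galaxy already carries a Candiru cluster, express the link as `"related": [{"dest-uuid": "<CANDIRU-CLUSTER-UUID>", "type": "similar"}]` so tooling can follow it. The closing sentence ("There are similarities in the infrastructure and tactics used by Karkadann in their campaigns") states no comparison target and adds nothing; either name what the similarities are with or drop it. It would also help to say in the description which vendor uses the `"Piwiks"` name.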
From: Mathieu4141
Date: Mon, 5 Feb 2024 09:20:10 -0800
Subject: [PATCH 90/99] [threat-actors] Add Tomiris
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 16d729c..503f328 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14803,6 +14803,16 @@
 },
 "uuid": "8146ba06-cef2-4a94-b26e-1a4041e04c7d",
 "value": "Karkadann"
+ },
+ {
+ "description": "Tomiris is a threat actor that has been active since at least 2019. They primarily target government and diplomatic entities in the Commonwealth of Independent States region, with occasional victims in other regions being foreign representations of CIS countries. Tomiris uses a wide variety of malware implants, including downloaders, backdoors, and file stealers, developed in different programming languages. They employ various attack vectors such as spear-phishing, DNS hijacking, and exploitation of vulnerabilities. There are potential ties between Tomiris and Turla, but they are considered separate threat actors with distinct targeting and tradecraft by Kaspersky.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/"
+ ]
+ },
+ "uuid": "2f854548-1af0-4f55-acab-4f85ce9f162c",
+ "value": "Tomiris"
 }
 ],
 "version": 299
From dd01813e51b0b9b45b3d085939dcc1733eb7c745 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 5 Feb 2024 09:20:10 -0800
Subject: [PATCH 91/99] [threat-actors] Add ShaggyPanther
---
 clusters/threat-actor.json | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 503f328..63b2352 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
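Review bot: The Tomiris description records potential ties to Turla, but the entry carries no `related` link, so the relationship is prose-only and not machine-readable, whereas other entries on this page carry a `related` array for exactly this. Add `"related": [{"dest-uuid": "<TURLA-CLUSTER-UUID>", "type": "similar"}]` before `uuid`, using the existing Turla cluster's UUID, and keep the description's caveat that Kaspersky treats the two as separate actors so the link is not read as attribution.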
@@ -14813,6 +14813,19 @@
 },
 "uuid": "2f854548-1af0-4f55-acab-4f85ce9f162c",
 "value": "Tomiris"
+ },
+ {
+ "description": "ShaggyPanther is a threat actor that primarily targets government entities in Taiwan and Malaysia. They have been active since 2008 and utilize hidden encrypted payloads in registry keys. Their activities have been detected in various locations, including Indonesia and Syria.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://securelist.com/ksb-2019-review-of-the-year/95394/",
+ "https://securelist.com/apt-trends-report-q3-2019/94530/",
+ "https://securelist.com/apt-review-of-the-year/89117/"
+ ]
+ },
+ "uuid": "07791d89-64b6-46df-9f67-ccde8c2cbb20",
+ "value": "ShaggyPanther"
 }
 ],
 "version": 299
From 40becc0ee992b47a593dcb9aef993502ff507b85 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 5 Feb 2024 09:20:10 -0800
Subject: [PATCH 92/99] [threat-actors] Add Fishing Elephant
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 63b2352..1f93174 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
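Review bot: The ShaggyPanther entry sets `"country": "CN"` while its description never states any attribution, so the structured field asserts more than the text supports and a reader cannot tell which of the three securelist references backs it. Either add the sourcing sentence to the description (for example `Kaspersky assesses the group to be Chinese-speaking`, if one of the cited posts says so) or drop the field until a source is cited. The same care applies to "active since 2008", which should come from the cited posts rather than be inferred from their titles.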
@@ -14826,6 +14826,17 @@
 },
 "uuid": "07791d89-64b6-46df-9f67-ccde8c2cbb20",
 "value": "ShaggyPanther"
+ },
+ {
+ "description": "Fishing Elephant is a threat actor that primarily targets victims in Bangladesh and Pakistan. They rely on consistent TTPs, including payload and communication patterns, while occasionally incorporating new techniques such as geo-fencing and hiding executables within certificate files. Their tool of choice is AresRAT, which they deliver through platforms like Heroku and Dropbox. Recently, they have shifted their focus to government and diplomatic entities in Turkey, Pakistan, Bangladesh, Ukraine, and China.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/apt-trends-report-q1-2020/96826/",
+ "https://securelist.com/apt-trends-report-q1-2022/106351/"
+ ]
+ },
+ "uuid": "0df34184-4ccf-4357-8e8e-e990058d2992",
+ "value": "Fishing Elephant"
 }
 ],
 "version": 299
From cff0da0b3a287389e47b4cda14cf8429ffb94d64 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 5 Feb 2024 09:20:10 -0800
Subject: [PATCH 93/99] [threat-actors] Add RevengeHotels
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 1f93174..862d9b2 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14837,6 +14837,16 @@
 },
 "uuid": "0df34184-4ccf-4357-8e8e-e990058d2992",
 "value": "Fishing Elephant"
+ },
+ {
+ "description": "RevengeHotels is a targeted cybercrime campaign that has been active since 2015, primarily targeting hotels, hostels, and tourism companies. The threat actor uses remote access Trojan malware to infiltrate hotel front desks and steal credit card data from guests and travelers. The campaign has impacted hotels in multiple countries, including Brazil, Argentina, Chile, and Mexico. The threat actor employs social engineering techniques and sells credentials from infected systems to other cybercriminals for remote access.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/revengehotels/95229/"
+ ]
+ },
+ "uuid": "083acee6-6969-4c74-80c2-5d442936aa97",
+ "value": "RevengeHotels"
 }
 ],
 "version": 299
From c97fc15d59a9b13f43445810b4693dc03f15d3ff Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 5 Feb 2024 09:20:11 -0800
Subject: [PATCH 94/99] [threat-actors] Add GhostEmperor
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 862d9b2..e3ec656 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14847,6 +14847,18 @@
 },
 "uuid": "083acee6-6969-4c74-80c2-5d442936aa97",
 "value": "RevengeHotels"
+ },
+ {
+ "description": "GhostEmperor is a Chinese-speaking threat actor that targets government entities and telecom companies in Southeast Asia. They employ a Windows kernel-mode rootkit called Demodex to gain remote control over their targeted servers. The actor demonstrates a high level of sophistication and uses various anti-forensic and anti-analysis techniques to evade detection. They have been active for a significant period of time and continue to pose a threat to their targets.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.mandiant.com/resources/blog/unc4841-post-barracuda-zero-day-remediation",
+ "https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/"
+ ]
+ },
+ "uuid": "3c3ca8f3-c6ab-4c5d-9bd0-be6677d6cdeb",
+ "value": "GhostEmperor"
 }
 ],
 "version": 299
From 3a15a275849dd1a8faa93a90090aff00ea5a312c Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 5 Feb 2024 09:20:11 -0800
Subject: [PATCH 95/99] [threat-actors] Add Operation Triangulation
---
 clusters/threat-actor.json | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index e3ec656..ae7b07b 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
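Review bot: The first GhostEmperor reference is Mandiant's UNC4841 Barracuda post-remediation post, which by its URL concerns a differently tracked group and does not obviously document GhostEmperor or Demodex; confirm the post actually mentions this actor and, if not, drop it so the entry does not imply an UNC4841 overlap that nothing in the description asserts. The securelist ProxyLogon-to-kernel-mode post appears to be the primary source for the description and can stand alone. If an overlap is in fact claimed by Mandiant, say so in the description and consider a `related` entry rather than leaving the reader to infer it from the link list.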
@@ -14859,6 +14859,19 @@
 },
 "uuid": "3c3ca8f3-c6ab-4c5d-9bd0-be6677d6cdeb",
 "value": "GhostEmperor"
+ },
+ {
+ "description": "Operation Triangulation is an ongoing APT campaign targeting iOS devices with zero-click iMessage exploits. The threat actor behind the campaign has been active since at least 2019 and continues to operate. The attack chain involves the delivery of a malicious iMessage attachment that launches a series of exploits, ultimately leading to the deployment of the TriangleDB implant. Kaspersky researchers have discovered and reported multiple vulnerabilities used in the campaign, with patches released by Apple.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/",
+ "https://securelist.com/operation-triangulation-catching-wild-triangle/110916/",
+ "https://securelist.com/triangulation-validators-modules/110847/",
+ "https://securelist.com/operation-triangulation/109842/"
+ ]
+ },
+ "uuid": "220001c6-c976-4cad-a356-4d8c2dd2b1c1",
+ "value": "Operation Triangulation"
 }
 ],
 "version": 299
From 045ec7071fd567d5c2e4dfc606679c79549c8423 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 5 Feb 2024 09:20:11 -0800
Subject: [PATCH 96/99] [threat-actors] Add Operation Ghoul
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index ae7b07b..371eb47 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14872,6 +14872,17 @@
 },
 "uuid": "220001c6-c976-4cad-a356-4d8c2dd2b1c1",
 "value": "Operation Triangulation"
+ },
+ {
+ "description": "Operation Ghoul is a profit-driven threat actor that targeted over 130 organizations in 30 countries, primarily in the industrial and engineering sectors. They employed high-quality social engineering techniques, such as spear-phishing emails disguised as payment advice from a UAE bank, to distribute malware. The group's main motivation is financial gain through the sale of stolen intellectual property and business intelligence, as well as attacks on banking accounts. Their attacks were effective, particularly against companies that were unprepared to detect them.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/kaspersky-security-bulletin-2016-executive-summary/76858/",
+ "https://securelist.com/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/75718/"
+ ]
+ },
+ "uuid": "624cc006-1131-4e53-a53c-3958cfbe233f",
+ "value": "Operation Ghoul"
 }
 ],
 "version": 299
From d2586524e397f0991517095188584ce638ac75ca Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 5 Feb 2024 09:20:11 -0800
Subject: [PATCH 97/99] [threat-actors] Add CardinalLizard
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 371eb47..c1b0261 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14883,6 +14883,17 @@
 },
 "uuid": "624cc006-1131-4e53-a53c-3958cfbe233f",
 "value": "Operation Ghoul"
+ },
+ {
+ "description": "CardinalLizard, a cyber threat actor linked to China, has targeted entities in Asia since 2018. Their methods include spear-phishing, custom malware with anti-detection features, and potentially shared infrastructure with other actors.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://securelist.com/apt-review-of-the-year/89117/"
+ ]
+ },
+ "uuid": "97f40858-1582-4a59-a990-866813982830",
+ "value": "CardinalLizard"
 }
 ],
 "version": 299
From 3a44200a0c8343442626463c39be5cf7f6da2bc1 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 5 Feb 2024 09:20:11 -0800
Subject: [PATCH 98/99] [threat-actors] Add APT5 aliases
---
 clusters/threat-actor.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c1b0261..885f83e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -5225,7 +5225,8 @@
 "MANGANESE",
 "BRONZE FLEETWOOD",
 "TEMP.Bottle",
- "Mulberry Typhoon"
+ "Mulberry Typhoon",
+ "Poisoned Flight"
 ],
 "targeted-sector": [
 "Electronic",
From 957e848a6f8b8e5332f7ad0cc1d2a38740489e69 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 5 Feb 2024 09:20:11 -0800
Subject: [PATCH 99/99] [threat-actors] Add Ferocious Kitten
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 885f83e..ebe47ef 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14895,6 +14895,17 @@
 },
 "uuid": "97f40858-1582-4a59-a990-866813982830",
 "value": "CardinalLizard"
+ },
+ {
+ "description": "Ferocious Kitten is an APT group that has been active against Persian-speaking individuals since 2015 and appears to be based in Iran. Although it has been active over a large timespan, the group has mostly operated under the radar until a lure document was uploaded to VirusTotal and was brought to public knowledge by researchers on Twitter. Subsequently, one of its implants was analyzed by a Chinese intelligence firm. Kaspersky then expanded some of the findings on the group and provided insights on additional variants. The malware dropped from the aforementioned document is dubbed MarkiRAT and is used to record keystrokes and clipboard content, provide file download and upload capabilities as well as the ability to execute arbitrary commands on the victims machine. Kaspersky were able to trace the implant back to at least 2015, along with variants intended to hijack the execution of the Telegram and Chrome applications as a persistence method. Interestingly, some of the TTPs used by this threat actor are reminiscent of other groups operating in the domain of dissident surveillance. For example, it used the same C2 domains across its implants for years, which was witnessed in the activity of Domestic Kitten. In the same vein, the Telegram execution hijacking technique observed in this campaign by Ferocious Kitten was also observed being used by Rampant Kitten, as covered by Check Point.",
+ "meta": {
+ "country": "IR",
+ "refs": [
+ "https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/"
+ ]
+ },
+ "uuid": "f34962a4-a792-4f23-af23-a8bf0f053fcf",
+ "value": "Ferocious Kitten"
 }
 ],
 "version": 299
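Review bot: The Ferocious Kitten description is a long verbatim paragraph in the vendor's own voice ("Kaspersky were able to trace the implant back") and carries a typo, `victims machine` for `victim's machine`; a three- or four-sentence summary that names Kaspersky as the source would fit the rest of the catalogue better and be easier to keep current. The text also names Domestic Kitten and Rampant Kitten as actors with overlapping tradecraft, which is more useful as machine-readable links than as prose, so if those clusters exist in this galaxy add `"related": [{"dest-uuid": "<DOMESTIC-KITTEN-UUID>", "type": "similar"}, {"dest-uuid": "<RAMPANT-KITTEN-UUID>", "type": "similar"}]` before `uuid`. Note the description hedges the attribution ("appears to be based in Iran") while `"country": "IR"` states it flatly; keeping both is fine only if the description's hedge is understood to govern.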