From a456e419d839b43edfbf9555f43937f6c64cff84 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 5 Feb 2024 03:39:16 -0800
Subject: [PATCH 01/13] [threat-actors] Add APT31 aliases
---
 clusters/threat-actor.json | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index a8893d0..ce5cdfe 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7971,14 +7971,17 @@
 "https://www.mandiant.com/resources/insights/apt-groups",
 "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf",
 "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf"
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists"
 ],
 "synonyms": [
 "ZIRCONIUM",
 "JUDGMENT PANDA",
 "BRONZE VINEWOOD",
 "Red keres",
- "Violet Typhoon"
+ "Violet Typhoon",
+ "TA412",
+ "Zirconium"
 ]
 },
 "related": [
From 3690ab0e24061c8bdf5d7e5dc7e3474cc3b20cd9 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 5 Feb 2024 03:39:16 -0800
Subject: [PATCH 02/13] [threat-actors] Add TA2552
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index ce5cdfe..5624bdc 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
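Review bot: `"Zirconium"` is added to a synonyms list that already holds `"ZIRCONIUM"`; unless synonym matching in this galaxy is case-sensitive and the mixed-case spelling is wanted on purpose, it is a duplicate that only adds noise to correlation. The same pattern appears in patch 05 (`"EvilNum"` in a cluster the subject line calls Evilnum) and patch 08 (`"Lazarus group"` in the cluster the subject line calls Lazarus Group). If case variants are intended, a short sentence in the commit message saying why would help the next maintainer; otherwise drop those three added lines. The `"TA412"` alias and the journalist-targeting reference look fine as added.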
@@ -14731,6 +14731,16 @@
 },
 "uuid": "2485a9cb-b41c-43bd-8b1c-c64e919c0a4e",
 "value": "Storm-1575"
+ },
+ {
+ "description": "Since January 2020, Proofpoint researchers have tracked an actor abusing Microsoft Office 365 (O365) third-party application (3PA) access, with suspected activity dating back to August 2019. The actor, known as TA2552, uses well-crafted Spanish language lures that leverage a narrow range of themes and brands. The lures entice users to click a link in the message, taking them to the legitimate Microsoft third-party apps consent page. There they are prompted to grant a third-party application read-only user permissions to their O365 account via OAuth2 or other token-based authorization methods. TA2552 seeks access to specific account resources like the user’s contacts and mail. Requesting read-only permissions for such account resources could be used to conduct account reconnaissance, silently steal data, or to intercept password reset messages from other accounts such as those at financial institutions. While organizations with global presence have received messages from this group, they appear to choose recipients who are likely Spanish speakers. \n\n",
+ "meta": {
+ "refs": [
+ "https://www.proofpoint.com/us/blog/threat-insight/ta2552-uses-oauth-access-token-phishing-exploit-read-only-risks"
+ ]
+ },
+ "uuid": "e9de47f0-3e68-465c-b91e-7a2b7371955c",
+ "value": "TA2552"
 }
 ],
 "version": 298
From 72504d286a1e06b014297184b4d27f8f0629a0bb Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 5 Feb 2024 03:39:16 -0800
Subject: [PATCH 03/13] [threat-actors] Add MUSTANG PANDA aliases
---
 clusters/threat-actor.json | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 5624bdc..d8ad39e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
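Review bot: The new `"description"` string ends with ` \n\n` — a trailing space and two escaped newlines that were presumably carried over from the copied blog text; trim it so the value ends at `speakers.` like the neighbouring entries. Patch 11's TA2719 description has the same trailing space after `Uruguay.`. The `"version": 298` context line in this hunk, and in patches 07 and 11, is left unchanged; if this galaxy bumps the version whenever clusters are added, one bump at the end of the series is still needed (it may be done by the maintainers in a separate commit).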
@@ -6957,7 +6957,10 @@
 "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
 "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
 "https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf",
- "https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html"
+ "https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html",
+ "https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader",
+ "https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european",
+ "https://unit42.paloaltonetworks.com/stately-taurus-targets-philippines-government-cyberespionage/"
 ],
 "synonyms": [
 "BRONZE PRESIDENT",
@@ -6965,7 +6968,10 @@
 "Red Lich",
 "TEMP.HEX",
 "BASIN",
- "Earth Preta"
+ "Earth Preta",
+ "TA416",
+ "Stately Taurus",
+ "LuminousMoth"
 ]
 },
 "uuid": "78bf726c-a9e6-11e8-9e43-77249a2f7339",
From 3f6ff94c89960c1d170163686ca3b3595e720ab6 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 5 Feb 2024 03:39:16 -0800
Subject: [PATCH 04/13] [threat-actors] Add APT33 aliases
---
 clusters/threat-actor.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index d8ad39e..0273fee 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -1945,7 +1945,8 @@
 "COBALT TRINITY",
 "G0064",
 "ATK35",
- "Peach Sandstorm"
+ "Peach Sandstorm",
+ "TA451"
 ],
 "victimology": "Petrochemical, Aerospace, Saudi Arabia"
 },
From 40f65a9d91a723b17c91ec15ecc1fd38e8219734 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 5 Feb 2024 03:39:16 -0800
Subject: [PATCH 05/13] [threat-actors] Add Evilnum aliases
---
 clusters/threat-actor.json | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
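Review bot: `"LuminousMoth"` is added as a synonym of MUSTANG PANDA in the second hunk, but none of the three references added in the first hunk names it — judging by their URLs they cover TA416 and Stately Taurus — so the alias carries no citation in the cluster. Synonyms drive correlation in MISP, so an alias that denotes an activity cluster only assessed as linked to this actor will make downstream matches read as confirmed attribution; either add a reference that states the equivalence or record the link as a relation instead of a synonym. The same "alias with no reference naming it" pattern applies to `"TA451"` (patch 04), `"TA454"` (patch 06) and `"TA452"` (patch 09), which add no refs at all, and to `"TA450"` (patch 12), whose added SentinelOne reference looks from its URL like a general overview rather than a TA450 profile. The `"synonyms"` array of the second hunk begins outside the hunk.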
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0273fee..92e56fb 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -9171,10 +9171,16 @@
 "refs": [
 "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/",
 "https://securelist.com/deathstalker-mercenary-triumvirate/98177/",
- "https://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/"
+ "https://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/",
+ "https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities",
+ "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-evilnum-apt-group-active-iocs-7",
+ "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-evilnum-apt-group-targeting-financial-sector"
 ],
 "synonyms": [
- "DeathStalker"
+ "DeathStalker",
+ "TA4563",
+ "EvilNum",
+ "Jointworm"
 ]
 },
 "uuid": "b6f3150f-2240-4c57-9dda-5144c5077058",
From be8e127590e28e538fb40c6efd46b47e3e1a313f Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 5 Feb 2024 03:39:16 -0800
Subject: [PATCH 06/13] [threat-actors] Add APT39 aliases
---
 clusters/threat-actor.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 92e56fb..8e45759 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7620,7 +7620,8 @@
 "REMIX KITTEN",
 "COBALT HICKMAN",
 "G0087",
- "Radio Serpens"
+ "Radio Serpens",
+ "TA454"
 ]
 },
 "uuid": "c2c64bd3-a325-446f-91a8-b4c0f173a30b",
From 57016ac3ae39b7462707f9652c77d600055d22d9 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 5 Feb 2024 03:39:16 -0800
Subject: [PATCH 07/13] [threat-actors] Add TA2722
---
 clusters/threat-actor.json | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 8e45759..0053c0f 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14755,6 +14755,19 @@
 },
 "uuid": "e9de47f0-3e68-465c-b91e-7a2b7371955c",
 "value": "TA2552"
+ },
+ {
+ "description": "TA2722 is a highly active threat actor that targets various industries including Shipping/Logistics, Manufacturing, Business Services, Pharmaceutical, and Energy. They primarily focus on organizations in North America, Europe, and Southeast Asia. This threat actor impersonates Philippine government entities and uses themes related to the government to gain remote access to target computers. Their objectives include information gathering, installing follow-on malware, and engaging in business email compromise activities.",
+ "meta": {
+ "refs": [
+ "https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-spoofs-philippine-government-covid-19-health-data-widespread"
+ ],
+ "synonyms": [
+ "Balikbayan Foxes"
+ ]
+ },
+ "uuid": "625c3fb4-16fc-4992-9ff2-4fad869750ac",
+ "value": "TA2722"
 }
 ],
 "version": 298
From 9cb1fd6aa86d77a1649ffeacf96e96d6e143a3bf Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 5 Feb 2024 03:39:16 -0800
Subject: [PATCH 08/13] [threat-actors] Add Lazarus Group aliases
---
 clusters/threat-actor.json | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0053c0f..8d58210 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -3215,7 +3215,8 @@
 "https://attack.mitre.org/groups/G0082",
 "https://attack.mitre.org/groups/G0032",
 "https://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry/",
- "https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds"
+ "https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds",
+ "https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists"
 ],
 "synonyms": [
 "Operation DarkSeoul",
@@ -3253,7 +3254,9 @@
 "Diamond Sleet",
 "ZINC",
 "Sapphire Sleet",
- "COPERNICIUM"
+ "COPERNICIUM",
+ "TA404",
+ "Lazarus group"
 ]
 },
 "related": [
From bd0d541a7a7ee83e56d68cbbf0d66854c698f3d5 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 5 Feb 2024 03:39:16 -0800
Subject: [PATCH 09/13] [threat-actors] Add OilRig aliases
---
 clusters/threat-actor.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 8d58210..06bc957 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -4026,7 +4026,8 @@
 "G0049",
 "Evasive Serpens",
 "Hazel Sandstorm",
- "EUROPIUM"
+ "EUROPIUM",
+ "TA452"
 ],
 "targeted-sector": [
 "Chemical",
From fc173c1a78cfe78105c902b564173ba93d6901b6 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 5 Feb 2024 03:39:17 -0800
Subject: [PATCH 10/13] [threat-actors] Add APT10 aliases
---
 clusters/threat-actor.json | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 06bc957..1d2bc72 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -1035,7 +1035,8 @@
 "https://unit42.paloaltonetworks.com/atoms/granite-taurus",
 "https://www.mandiant.com/resources/insights/apt-groups",
 "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf"
+ "https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
+ "https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new"
 ],
 "synonyms": [
 "STONE PANDAD",
@@ -1049,7 +1050,8 @@
 "BRONZE RIVERSIDE",
 "ATK41",
 "G0045",
- "Granite Taurus"
+ "Granite Taurus",
+ "TA429"
 ]
 },
 "related": [
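Review bot: In patch 10 the reference added to the APT10 cluster names TA410 in its URL, while the alias added in the second hunk is `"TA429"`, so a reader of the cluster cannot tell which actor the reference is meant to support. As far as I recall, Proofpoint tracks TA410 as a separate actor with infrastructure overlap to TA429/APT10 rather than as the same group, so the pairing is probably deliberate, but it deserves a sentence in the commit message or a reference that names TA429 directly; if TA410 itself was meant, it belongs in a relation rather than in `"synonyms"`. The `"synonyms"` array of the second hunk begins outside the hunk.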
From 4699f65425d3fcbe32a4729f41a5e76a565272a0 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 5 Feb 2024 03:39:17 -0800
Subject: [PATCH 11/13] [threat-actors] Add TA2719
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 1d2bc72..2492f2e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14774,6 +14774,16 @@
 },
 "uuid": "625c3fb4-16fc-4992-9ff2-4fad869750ac",
 "value": "TA2722"
+ },
+ {
+ "description": "In late March 2020, Proofpoint researchers began tracking a new actor with a penchant for using NanoCore and later AsyncRAT, popular commodity remote access trojans (RATs). Dubbed TA2719 by Proofpoint, the actor uses localized lures with colorful images that impersonate local banks, law enforcement, and shipping services. Proofpoint has observed this actor send low volume campaigns to recipients in Austria, Chile, Greece, Hungary, Italy, North Macedonia, Netherlands, Spain, Sweden, Taiwan, United States, and Uruguay. ",
+ "meta": {
+ "refs": [
+ "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages"
+ ]
+ },
+ "uuid": "33bfb09d-c6f4-4403-b434-1d4d4733ec52",
+ "value": "TA2719"
 }
 ],
 "version": 298
From 9c5bc36ab449300e42c631c5152a95f90eb53183 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 5 Feb 2024 03:39:17 -0800
Subject: [PATCH 12/13] [threat-actors] Add MuddyWater aliases
---
 clusters/threat-actor.json | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2492f2e..557732d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6207,7 +6207,8 @@
 "https://www.zdnet.com/article/new-leaks-of-iranian-cyber-espionage-operations-hit-telegram-and-the-dark-web/",
 "https://attack.mitre.org/groups/G0069/",
 "http://www.secureworks.com/research/threat-profiles/cobalt-ulster",
- "https://unit42.paloaltonetworks.com/atoms/boggyserpens/"
+ "https://unit42.paloaltonetworks.com/atoms/boggyserpens/",
+ "https://www.sentinelone.com/blog/the-new-frontline-of-geopolitics-understanding-the-rise-of-state-sponsored-cyber-attacks/"
 ],
 "synonyms": [
 "TEMP.Zagros",
@@ -6218,7 +6219,8 @@
 "G0069",
 "ATK51",
 "Boggy Serpens",
- "Mango Sandstorm"
+ "Mango Sandstorm",
+ "TA450"
 ]
 },
 "related": [
From ffeed3447f5769c584c845e633be83436f0753bb Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 5 Feb 2024 03:39:17 -0800
Subject: [PATCH 13/13] [threat-actors] Add Silent Librarian aliases
---
 clusters/threat-actor.json | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 557732d..27417a2 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7947,12 +7947,15 @@
 "https://www.proofpoint.com/us/threat-insight/post/seems-phishy-back-school-lures-target-university-students-and-staff",
 "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian",
 "https://www.secureworks.com/research/threat-profiles/cobalt-dickens",
- "https://community.riskiq.com/article/44eb0802"
+ "https://community.riskiq.com/article/44eb0802",
+ "https://www.proofpoint.com/us/corporate-blog/post/iranian-state-sponsored-and-aligned-attacks-what-you-need-know-and-steps-protect"
 ],
 "synonyms": [
 "COBALT DICKENS",
 "Mabna Institute",
- "TA407"
+ "TA407",
+ "TA4900",
+ "Yellow Nabu"
 ]
 },
 "uuid": "5059b44d-2753-4977-b987-4922f09afe6b",