This commit is contained in:
Delta-Sierra 2024-11-05 15:39:01 +01:00
commit a3faa78a99
10 changed files with 11795 additions and 4419 deletions

@ -535,7 +535,7 @@ Category: *sector* - source: *CERT-EU* - total: *118* elements
[Sigma-Rules](https://www.misp-galaxy.org/sigma-rules) - MISP galaxy cluster based on Sigma Rules.
Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2970* elements
Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2971* elements
[[HTML](https://www.misp-galaxy.org/sigma-rules)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sigma-rules.json)]
@ -599,7 +599,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements
[Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
Category: *actor* - source: *MISP Project* - total: *751* elements
Category: *actor* - source: *MISP Project* - total: *763* elements
[[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]
@ -607,7 +607,7 @@ Category: *actor* - source: *MISP Project* - total: *751* elements
[Tidal Campaigns](https://www.misp-galaxy.org/tidal-campaigns) - Tidal Campaigns Cluster
Category: *Campaigns* - source: *https://app-api.tidalcyber.com/api/v1/campaigns/* - total: *83* elements
Category: *Campaigns* - source: *https://app-api.tidalcyber.com/api/v1/campaigns/* - total: *102* elements
[[HTML](https://www.misp-galaxy.org/tidal-campaigns)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-campaigns.json)]
@ -615,7 +615,7 @@ Category: *Campaigns* - source: *https://app-api.tidalcyber.com/api/v1/campaigns
[Tidal Groups](https://www.misp-galaxy.org/tidal-groups) - Tidal Groups Galaxy
Category: *Threat Groups* - source: *https://app-api.tidalcyber.com/api/v1/groups/* - total: *206* elements
Category: *Threat Groups* - source: *https://app-api.tidalcyber.com/api/v1/groups/* - total: *224* elements
[[HTML](https://www.misp-galaxy.org/tidal-groups)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-groups.json)]
@ -623,7 +623,7 @@ Category: *Threat Groups* - source: *https://app-api.tidalcyber.com/api/v1/group
[Tidal References](https://www.misp-galaxy.org/tidal-references) - Tidal References Cluster
Category: *References* - source: *https://app-api.tidalcyber.com/api/v1/references/* - total: *4349* elements
Category: *References* - source: *https://app-api.tidalcyber.com/api/v1/references/* - total: *4627* elements
[[HTML](https://www.misp-galaxy.org/tidal-references)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-references.json)]
@ -631,7 +631,7 @@ Category: *References* - source: *https://app-api.tidalcyber.com/api/v1/referenc
[Tidal Software](https://www.misp-galaxy.org/tidal-software) - Tidal Software Cluster
Category: *Software* - source: *https://app-api.tidalcyber.com/api/v1/software/* - total: *1053* elements
Category: *Software* - source: *https://app-api.tidalcyber.com/api/v1/software/* - total: *1106* elements
[[HTML](https://www.misp-galaxy.org/tidal-software)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-software.json)]
@ -647,7 +647,7 @@ Category: *Tactic* - source: *https://app-api.tidalcyber.com/api/v1/tactic/* - t
[Tidal Technique](https://www.misp-galaxy.org/tidal-technique) - Tidal Technique Cluster
Category: *Technique* - source: *https://app-api.tidalcyber.com/api/v1/technique/* - total: *202* elements
Category: *Technique* - source: *https://app-api.tidalcyber.com/api/v1/technique/* - total: *203* elements
[[HTML](https://www.misp-galaxy.org/tidal-technique)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-technique.json)]

@ -27672,7 +27672,8 @@
"http://lbbpoq6d2jglpw7dxarr6oaakgnlxt5nmrza5ojlufsuffuzexajsuyd.onion/",
"http://lbbp2rsfcmg5durpwgs22wxrdngsa4wiwmc4xk6hgmuluy6bvbvvtlid.onion/",
"http://lbbov7weoojwnqytnjqygmglkwtim5dvyw3xvoluk5ostz75ofd6enqd.onion/",
"http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion/ec_page3.php"
"http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion/ec_page3.php",
"http://lockbitfnszjao7hayqsd424m74k5jxc52hozvabjrut7pjfsfaaaoad.onion"
],
"refs": [
"https://threatpost.com/lockbit-ransomware-proliferates-globally/168746",
@ -28355,7 +28356,14 @@
"meta": {
"links": [
"http://eraleignews.com/",
"http://wn6vonooq6fggjdgyocp7bioykmfjket7sbp47cwhgubvowwd7ws5pyd.onion/"
"http://wn6vonooq6fggjdgyocp7bioykmfjket7sbp47cwhgubvowwd7ws5pyd.onion/",
"http://basheqtvzqwz4vp6ks5lm2ocq7i6tozqgf6vjcasj4ezmsy4bkpshhyd.onion/",
"http://bashe4aec32kr6zbifwd5x6xgjsmhg4tbowrbx4pneqhc5mqooyifpid.onion/",
"http://basheqtvzqwz4vp6ks5lm2ocq7i6tozqgf6vjcasj4ezmsy4bkpshhyd.onion",
"http://basherq53eniermxovo3bkduw5qqq5bkqcml3qictfmamgvmzovykyqd.onion",
"http://basherykagbxoaiaxkgqhmhd5gbmedwb3di4ig3ouovziagosv4n77qd.onion",
"http://bashete63b3gcijfofpw6fmn3rwnmyi5aclp55n6awcfbexivexbhyad.onion",
"http://bashex7mokreyoxl6wlswxl4foi7okgs7or7aergnuiockuoq35yt3ad.onion"
],
"refs": [
"https://www.ransomlook.io/group/eraleign (apt73)"
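Review bot: the eraleign links array now lists the same basheqtvzqwz4vp6ks5lm2ocq7i6tozqgf6vjcasj4ezmsy4bkpshhyd.onion address twice, once with a trailing slash and once without, so anyone matching indicators on this array gets a duplicate; keep one form. The other bash* entries are added without a trailing slash while the existing entries in this list carry one, so pick a single convention for the whole array.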
@ -29374,7 +29382,8 @@
"http://66ohzao6afsv2opk22r2kv6fbnf2fthe7v4ykzzc5vjezvvyf3gocwyd.onion/",
"https://2nn4b6gihz5bttzabjegune3blwktad2zmy77fwutvvrxxodbufo6qid.onion/",
"http://y6kyfs2unbfcyodzjrxadn4w5vyulhyotdi5dtiqulxbduujehupunqd.onion/",
"http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/api/blog/get"
"http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/api/blog/get",
"http://3o5ewrzhqoyodfs5kll4cjxagdfrpuu474panwobm4im7ejfpaux5jyd.onion/"
],
"refs": [
"https://www.ransomlook.io/group/embargo"
@ -29904,7 +29913,44 @@
},
"uuid": "6a20c736-d83c-502f-8a9f-379a556fb4ac",
"value": "interlock"
},
{
"meta": {
"links": [
"http://vlofmq2u3f5amxmnblvxaghy73aedwta74fyceywr6eeguw3cn6h6uad.onion/"
],
"refs": [
"https://www.ransomlook.io/group/playboy"
]
},
"uuid": "4e672e18-c9e3-5b29-a500-8615a1b9c1a8",
"value": "playboy"
},
{
"meta": {
"links": [
"http://hellcakbszllztlyqbjzwcbdhfrodx55wq77kmftp4bhnhsnn5r3odad.onion"
],
"refs": [
"https://www.ransomlook.io/group/hellcat"
]
},
"uuid": "f5ffee22-b5d1-5d55-8dd2-5db26d184cde",
"value": "hellcat"
},
{
"meta": {
"links": [
"http://ks5424y3wpr5zlug5c7i6svvxweinhbdcqcfnptkfcutrncfazzgz5id.onion/posts.php",
"http://ks5424y3wpr5zlug5c7i6svvxweinhbdcqcfnptkfcutrncfazzgz5id.onion"
],
"refs": [
"https://www.ransomlook.io/group/killsec3"
]
},
"uuid": "455c76ae-4abe-5237-90eb-87e9530e240c",
"value": "killsec3"
}
],
"version": 137
"version": 138
}

@ -1037,7 +1037,8 @@
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
"https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
"https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new",
"https://www.crowdstrike.com/blog/two-birds-one-stone-panda/"
"https://www.crowdstrike.com/blog/two-birds-one-stone-panda/",
"http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks"
],
"synonyms": [
"STONE PANDA",
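Review bot: the new Symantec reference is added with an http:// scheme while every neighbouring ref in this block is https://; check that the Symantec enterprise blog URL resolves over HTTPS and use that form so the galaxy does not ship a plaintext link.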
@ -1052,7 +1053,8 @@
"ATK41",
"G0045",
"Granite Taurus",
"TA429"
"TA429",
"Cicada"
]
},
"related": [
@ -4052,7 +4054,8 @@
"https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf",
"https://www.wired.com/story/apt-34-iranian-hackers-critical-infrastructure-companies/",
"https://unit42.paloaltonetworks.com/atoms/evasive-serpens/",
"https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/"
"https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/",
"https://www.trendmicro.com/en_us/research/24/j/earth-simnavaz-cyberattacks.html"
],
"synonyms": [
"Twisted Kitten",
@ -4067,7 +4070,8 @@
"Evasive Serpens",
"Hazel Sandstorm",
"EUROPIUM",
"TA452"
"TA452",
"Earth Simnavaz"
],
"targeted-sector": [
"Chemical",
@ -6106,6 +6110,7 @@
"value": "APT6"
},
{
"description": "AridViper is a state-sponsored APT primarily targeting military personnel, journalists, and dissidents in the Middle East, with a focus on Israel and Palestine. The group employs custom-developed mobile malware, including variants like AridSpy, GnatSpy, and Micropsia, often delivered through spear-phishing emails and deceptive applications. Their operations involve sophisticated social engineering tactics, including the use of fake social media profiles and weaponized apps masquerading as legitimate services. AridViper's activities are characterized by a blend of technical sophistication and psychological manipulation, aiming to exfiltrate sensitive data from compromised systems.",
"meta": {
"cfr-suspected-state-sponsor": "Palestine",
"cfr-suspected-victims": [
@ -6143,15 +6148,13 @@
"https://www.threatconnect.com/blog/kasperagent-malware-campaign/",
"https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/sexually-explicit-material-used-as-lures-in-cyber-attacks?linkId=12425812",
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064309/The-Desert-Falcons-targeted-attacks.pdf",
"https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf"
"https://www.sentinelone.com/labs/gaza-cybergang-unified-front-targeting-hamas-opposition/"
],
"synonyms": [
"Desert Falcon",
"Renegade Jackal",
"DESERTVARNISH",
"UNC718",
"Arid Viper",
"APT-C-23"
"APT-C-23",
"Bearded Barbie"
]
},
"uuid": "0cfff0f4-868c-40a1-b9b4-0d153c0b33b6",
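Review bot: the Google "tool-of-first-resort-israel-hamas-war-cyber.pdf" reference is swapped for the SentinelOne Gaza Cybergang link instead of the new link being added alongside it; refs in this galaxy are accumulated, so unless the Google report is considered wrong about AridViper keep both. The hunk header also reports 15 lines shrinking to 13, which is more than the visible one-for-one swap accounts for, so confirm that nothing else (for example a synonym) was dropped from this object by accident.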
@ -11583,10 +11586,12 @@
"https://labs.k7computing.com/index.php/romcom-rat-not-your-typical-love-story/",
"https://blogs.blackberry.com/en/2023/07/decoding-romcom-behaviors-and-opportunities-for-detection",
"https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html",
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html"
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html",
"https://blog.talosintelligence.com/uat-5647-romcom/"
],
"synonyms": [
"Storm-0978"
"Storm-0978",
"UAT-5647"
]
},
"uuid": "ba9e1ed2-e142-48d0-a593-f73ac6d59ccd",
@ -16989,127 +16994,149 @@
"value": "TaskMasters"
},
{
"description": "Anonymous 64 is a group accused by China's national security ministry of attempting to gain control of web portals, outdoor electronic screens, and network television. The Ministry of State Security claims that Anonymous 64 is linked to a cyber unit within Taiwan's defense ministry and identifies three active-duty military personnel as its members. The MSS alleges that the group is involved in an influence operation within China, using hacktivism as a cover. The accusations suggest that Anonymous 64 engages in sabotage activities, prompting authorities to call for public reporting of such actions.",
"meta": {
"country": "TW",
"refs": [
"https://www.seqrite.com/blog/operation-cobalt-whisper-targets-industries-hong-kong-pakistan/"
"https://www.theregister.com/2024/09/25/china_anonymous_64_taiwan_accusations/"
],
"synonyms": [
"Anonymous 64"
]
},
"related": [
{
"dest-uuid": "51c8ffc5-5453-4bf8-b100-74186d9a0de0",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "targets"
"uuid": "94f0fd5e-68a7-458a-bb5f-f2f4e5230fcc",
"value": "Anonymous64"
},
{
"dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b2484b47",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
"description": "Asnarök is a threat actor that exploited CVE-2020-12271 and utilized command injection privilege escalation to gain root access to devices and install the Asnarök Trojan and demonstrated significant changes in TTPs, including the deployment of a web shell that did not reach out to external C2 for commands. X-Ops identified a patient-zero device linked to the attack and observed the use of an IC.sh script that stole local user account data. The actor's activities were linked to a broader pattern of malicious exploit research and targeted vulnerabilities disclosed by bug bounty researchers.",
"meta": {
"refs": [
"https://news.sophos.com/en-us/2024/10/31/pacific-rim-neutralizing-china-based-threat/",
"https://news.sophos.com/en-us/2024/10/31/pacific-rim-timeline/"
],
"type": "targets"
"synonyms": [
"Personal Panda"
]
},
"uuid": "4e26b4ac-5530-428b-8694-3dd6d24ee286",
"value": "Asnarök"
},
{
"dest-uuid": "9df5fb28-2298-4030-9db3-8cdef35bee14",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "targets"
"description": "Shahid Hemmat is an IRGC-CEC affiliated hacking group linked to cyberattacks targeting U.S. critical infrastructure, including the defense industry and international transportation sectors. The group has been implicated in the hack of a booster station at the Municipal Water Authority in Aliquippa, Pennsylvania, which disrupted drinking water supply. Key figures within Shahid Hemmat include Manouchehr Akbari, Amir Hossein Hoseini, Mohammad Hossein Moradi, and Mohammad Reza Rafatnejad. The U.S. government is offering a $10 million reward for information on these individuals.",
"meta": {
"country": "IR",
"refs": [
"https://securityonline.info/shahid-hemmat-hackers-10m-reward-offered-by-us/",
"https://www.bitdefender.com/en-us/blog/hotforsecurity/us-offers-10-million-bounty-for-members-of-iranian-hacking-gang/"
]
},
"uuid": "ae17fcf4-1335-4dec-9976-e26d2e5f7290",
"value": "Shahid Hemmat"
},
{
"dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b250414b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "targets"
"description": "RipperSec is a pro-Palestinian, likely Malaysian hacktivist group created in June 2023, known for conducting DDoS attacks, data breaches, and defacements primarily targeting government and educational websites, as well as organizations perceived to support Israel. The group has claimed 196 DDoS attacks, with a significant portion directed at Israel, and utilizes a tool called MegaMedusa for their operations. RipperSec operates on Telegram, where it has amassed over 2,000 members, and collaborates with various like-minded hacktivist groups. Their attack strategy relies heavily on community involvement rather than sophisticated infrastructure.",
"meta": {
"country": "MY",
"refs": [
"https://blog.checkpoint.com/security/hacktivists-call-for-release-of-telegram-founder-with-freedurov-ddos-campaign/",
"https://www.radware.com/blog/security/2024/08/megamedusa-rippersec-public-web-ddos-attack-tool/",
"https://www.cyjax.com/the-hacktivist-response-to-uk-foreign-policy/"
]
},
"uuid": "70d09d1f-15fb-4003-bd9a-b52250d9d57e",
"value": "RipperSec"
},
{
"dest-uuid": "3a94474b-7e23-4e06-9129-faea7ef55af8",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "targets"
"description": "LulzSec Black is a hacktivist group that has claimed responsibility for coordinated DDoS attacks against Cyprus' government and critical infrastructure in response to the country's support for Israel. They have also announced cyberattacks targeting the UAE, including breaches of a government website and Alfa Electronics, asserting these actions are in support of Palestine. The group has indicated intentions for further attacks and has not provided independently verifiable evidence of their claims. Their operations reflect a focus on disrupting services and compromising data as part of their political agenda.",
"meta": {
"refs": [
"https://dailydarkweb.net/lulzsec-black-claims-cyberattacks-on-emirati-government-and-other-sector-targets/"
]
},
"uuid": "a86b67d2-fc94-4c1b-91e1-949c969176ed",
"value": "LulzSec Black"
},
{
"dest-uuid": "ed13b6c9-c32c-4a58-82a7-ce64dc7fa086",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "targets"
"description": "OverFlame is a hacktivist group known for executing DDoS attacks and website defacements, primarily targeting government institutions and corporations in Europe and North America. The group has been involved in coordinated attacks alongside other pro-Russian threat actors, such as NoName057and the Peoples Cyber Army, often motivated by anti-government and anti-corporate sentiments. OverFlame operates through underground forums and encrypted messaging platforms to coordinate attacks and recruit members. Their activities have included targeting financial services, political parties, and educational institutions, demonstrating a focus on disrupting critical infrastructure.",
"meta": {
"refs": [
"https://socradar.io/biggest-education-industry-attacks-in-2024/",
"https://www.scworld.com/brief/austria-subjected-to-pro-russian-ddos-intrusions"
]
},
"uuid": "8bd29f1a-ea33-49c2-a783-42cd2a193f83",
"value": "OverFlame"
},
{
"dest-uuid": "ac2dad84-5194-41bb-9edd-aad8d42f828f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "targets"
"description": "UNC5820 is a threat actor exploiting the CVE-2024-47575 vulnerability in Fortinet's FortiManager, allowing them to bypass authentication and execute arbitrary commands. They have been observed exfiltrating configuration data, user information, and FortiOS256-hashed passwords from managed FortiGate devices. While the actor has staged and exfiltrated sensitive data, there is currently no evidence of lateral movement or further compromise of additional environments. Mandiant has not determined whether UNC5820 is state-sponsored or identified its geographic location.",
"meta": {
"refs": [
"https://cloud.google.com/blog/topics/threat-intelligence/fortimanager-zero-day-exploitation-cve-2024-47575/"
]
},
"uuid": "e13e36e7-a75b-42fa-8d51-35f9eeafebfc",
"value": "UNC5820"
},
{
"dest-uuid": "04e0eef9-d7e8-4280-86bb-cc9897be8e08",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "targets"
"description": "Water Makara employs the Astaroth banking malware, which features a new defense evasion technique. Their spear phishing campaigns exploit human error by targeting users to click on malicious files. To mitigate these threats, organizations should implement regular security training, enforce strong password policies, utilize multifactor authentication (MFA), keep security solutions updated, and apply the principle of least privilege.",
"meta": {
"refs": [
"https://www.trendmicro.com/en_us/research/24/j/water-makara-uses-obfuscated-javascript-in-spear-phishing-campai.html"
]
},
"uuid": "54bc063d-fc4e-4076-a282-cdb98480da2a",
"value": "Water Makara"
},
{
"dest-uuid": "6d6c87fd-8da6-465c-a381-b47f3810a6ea",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "targets"
"description": "UAC-0215 is an APT group that has orchestrated a phishing campaign targeting public institutions, major industries, and military units in Ukraine, utilizing rogue RDP files to gain unauthorized access. The malicious emails are designed to appear legitimate, enticing recipients to open attachments that connect their systems to the attacker's server, allowing extensive access to local resources. CERT-UA has identified this activity as high-risk and has advised organizations to block RDP files at mail gateways and restrict RDP connection capabilities. The campaign's geographical footprint suggests a potential for broader cyberattacks beyond Ukraine.",
"meta": {
"refs": [
"https://cyble.com/blog/phishing-campaign-targeting-ukraine-uac-0215/",
"https://cert.gov.ua/article/6281076"
]
},
"uuid": "0debc8ab-1449-4915-aa33-f6a54df2b2d7",
"value": "UAC-0215"
},
{
"dest-uuid": "8291a998-e888-4351-87ec-c6da6b06bff6",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "targets"
"description": "IcePeony is a China-nexus APT group that has been active since at least 2023, targeting government agencies, academic institutions, and political organizations in countries such as India, Mauritius, and Vietnam. They primarily employ SQL injection techniques to exploit vulnerabilities in publicly accessible web servers, subsequently installing web shells or executing malware like IceCache to facilitate credential theft. IcePeony operates under harsh work conditions, potentially adhering to the 996 working hour system, and shows a particular interest in the governments of Indian Ocean countries. Their activities suggest alignment with China's national interests, possibly related to maritime strategy.",
"meta": {
"country": "CN",
"refs": [
"https://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html"
]
},
"uuid": "793280d5-d28c-4d4a-87b6-487ba9d9fbd1",
"value": "IcePeony"
},
{
"dest-uuid": "98821a86-3c11-474b-afab-3c84af061407",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "targets"
"description": "DarkRaaS is a threat actor specializing in selling unauthorized access to various organizations' systems and networks across multiple countries, with a recent focus on targets in Israel, UAE, Turkey, and South America 4 9 20. The group has been operating for at least six years and typically offers access to sensitive data, internal systems, and infrastructure, with prices ranging up to $25,000 for VPN access 4 9. Their targets span various sectors including government institutions, educational facilities, oil and gas companies, and IT organizations, often claiming to have access to multiple terabytes of sensitive data 7 19.",
"meta": {
"refs": [
"https://cyberpress.org/darkraas-ransomware-oil-gas-company/",
"https://cyberpress.org/darkraas-ransomware-intelligence-data/",
"https://dailydarkweb.net/darkraas-allegedly-breached-a-major-oil-and-gas-company/"
]
},
"uuid": "0c18304e-e65f-4881-94e1-cc2d621ec563",
"value": "DarkRaaS"
},
{
"dest-uuid": "8d7aa230-d07f-46e8-a099-6f1753793b84",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
"description": "BLACKMETA is a pro-Palestinian hacktivist group that has claimed responsibility for a series of DDoS attacks and data breaches targeting organizations perceived as supportive of Israel, including the Internet Archive and various entities in the UAE and Saudi Arabia. The group employs DDoS attacks, website defacement, and data exfiltration, with motivations rooted in political ideology and retribution for perceived injustices against Palestinians. Their operations have been linked to a Telegram channel, where they publicize their activities and collaborate with other hacktivist groups. Additionally, they have been attributed to significant cyber disruptions, including a 100-hour DDoS campaign against a UAE bank, showcasing their operational capabilities.",
"meta": {
"country": "PS",
"refs": [
"https://thecyberexpress.com/sn-blackmeta-claim-snapchat-cyberattack/",
"https://www.radware.com/security/threat-advisories-and-attack-reports/six-day-web-ddos-attack-campaign/",
"https://securityboulevard.com/?p=2033037",
"https://socradar.io/internet-archive-data-breach-and-ddos-attacks/"
],
"type": "targets"
"synonyms": [
"SN Blackmeta"
]
},
{
"dest-uuid": "6d9dbde3-25de-48b9-ab98-361c4211e6be",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "targets"
},
{
"dest-uuid": "e10093ef-ccbf-4c24-9093-61e856c05ccd",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "targets"
},
{
"dest-uuid": "e07cd84c-1d66-4de3-8b93-15fa93f119cc",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "targets"
},
{
"dest-uuid": "0904672b-c18a-450e-88d6-6a94dd0eb25a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "targets"
}
],
"uuid": "75d2d875-6e49-4152-b055-62337b0a22df",
"value": "Operation Cobalt Whisper"
"uuid": "969753d8-3cc9-43a2-9b8d-753d2bb385b4",
"value": "Blackmeta"
}
],
"version": 319
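Review bot: this hunk removes the "Operation Cobalt Whisper" object (uuid 75d2d875-6e49-4152-b055-62337b0a22df) together with its `related` target relationships and the Seqrite reference while inserting the new actor objects; deleting a cluster uuid breaks any event or galaxy relationship that points at it, so if the object was moved to another galaxy say so in the commit message, otherwise keep it. Two text issues in the added descriptions: the DarkRaaS description carries citation residue from its source ("South America 4 9 20", "VPN access 4 9", "sensitive data 7 19") that should be stripped, and the OverFlame description is missing a space in "NoName057and the Peoples Cyber Army". The Water Makara description also ends with generic mitigation advice ("organizations should implement regular security training...") that describes nothing about the actor and belongs in the cited report rather than the cluster.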

@ -323,7 +323,7 @@
"value": "APT40 Recent Tradecraft"
},
{
"description": "In July 2024, security researchers publicized a campaign attributed to Chinese state-sponsored espionage group APT41, where actors gained and maintained long-term access to various organizations' networks in multiple sectors around the world. Victims belonged to the shipping/logistics, media, entertainment, technology, and automotive industries and were located in western Europe, the Middle East, and East and Southeast Asia. Actors used a combination of red teaming tools, publicly available software, and custom malware for persistence, command and control, data collection, and exfiltration to Microsoft OneDrive accounts. The intrusions were notable for featuring the reemergence of DUSTPAN, a dropper not observed since a series of older APT41 compromises in 2021 & 2022.<sup>[[Mandiant APT41 July 18 2024](/references/34ee3a7c-27c0-492f-a3c6-a5a3e86915f0)]</sup>",
"description": "*We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: \"APT41 DUST\" (Campaign). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.*\n\nIn July 2024, security researchers publicized a campaign attributed to Chinese state-sponsored espionage group APT41, where actors gained and maintained long-term access to various organizations' networks in multiple sectors around the world. Victims belonged to the shipping/logistics, media, entertainment, technology, and automotive industries and were located in western Europe, the Middle East, and East and Southeast Asia. Actors used a combination of red teaming tools, publicly available software, and custom malware for persistence, command and control, data collection, and exfiltration to Microsoft OneDrive accounts. The intrusions were notable for featuring the reemergence of DUSTPAN, a dropper not observed since a series of older APT41 compromises in 2021 & 2022.<sup>[[Mandiant APT41 July 18 2024](/references/34ee3a7c-27c0-492f-a3c6-a5a3e86915f0)]</sup>",
"meta": {
"campaign_attack_id": "C3049",
"first_seen": "2023-03-21T00:00:00Z",
@ -337,7 +337,19 @@
},
"related": [],
"uuid": "ea6266fd-50a7-4223-ade3-e60c3467f540",
"value": "APT41 2023-2024 Persistence & Exfiltration Activity"
"value": "APT41 2023-2024 Persistence & Exfiltration Activity (Deprecated)"
},
{
"description": "[APT41 DUST](https://app.tidalcyber.com/campaigns/b90adbbd-0fe3-5c5f-9433-543a5f01b0ae) was conducted by [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) from 2023 to July 2024 against entities in Europe, Asia, and the Middle East. [APT41 DUST](https://app.tidalcyber.com/campaigns/b90adbbd-0fe3-5c5f-9433-543a5f01b0ae) targeted sectors such as shipping, logistics, and media for information gathering purposes. [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) used previously-observed malware such as [DUSTPAN](https://app.tidalcyber.com/software/78454d3f-fa12-5b6f-9390-6412064d7c8d) as well as newly observed tools such as [DUSTTRAP](https://app.tidalcyber.com/software/ed72d5bb-2cf7-51a4-9d76-97fbd11c54d0) in [APT41 DUST](https://app.tidalcyber.com/campaigns/b90adbbd-0fe3-5c5f-9433-543a5f01b0ae).<sup>[[Google Cloud APT41 2024](https://app.tidalcyber.com/references/33bb9f8a-db9d-5dda-b4ae-2ba7fee0a0ae)]</sup>",
"meta": {
"campaign_attack_id": "C0040",
"first_seen": "2023-01-31T23:00:00Z",
"last_seen": "2024-06-30T22:00:00Z",
"source": "MITRE"
},
"related": [],
"uuid": "b90adbbd-0fe3-5c5f-9433-543a5f01b0ae",
"value": "APT41 DUST"
},
{
"description": "ArcaneDoor was a campaign, which likely ran from November 2023 until around February 2024, that targeted Cisco Adaptive Security Appliances (ASAs). ASAs are network devices that combine firewall, VPN, and other functionality. The campaign targeted unspecified government institutions around the world and was believed to have been conducted for espionage purposes.<sup>[[Cisco Talos ArcaneDoor April 24 2024](/references/531c3f6f-2d2b-4774-b069-e2b7a13602c1)]</sup>\n\nResearchers attributed the campaign to UAT4356 (aka Storm-1849), a possible China-linked adversary.<sup>[[Wired ArcaneDoor April 24 2024](/references/05a8afd3-0173-41ca-b23b-196ea0f3b1c1)]</sup> The initial access vector for the ArcaneDoor attacks remains unclear. After gaining a foothold, actors used the Line Dancer tool to upload Line Runner, a persistence and arbitrary code execution capability, to compromised ASAs (Cisco assigned two vulnerabilities, CVE-2024-20359 and CVE-2024-20353, to these activities). Responders observed various actions on objectives during the attacks, including device configuration modification, network traffic capture, and possible lateral movement.<sup>[[Cisco Talos ArcaneDoor April 24 2024](/references/531c3f6f-2d2b-4774-b069-e2b7a13602c1)]</sup>",
@ -589,6 +601,43 @@
"uuid": "c5d35d8d-fe96-5210-bb57-4692081a25a9",
"value": "C0033"
},
{
"description": "Actors associated with the North Korean threat group Citrine Sleet were observed exploiting a zero-day vulnerability (CVE-2024-7971) in Chromium web browser software to achieve remote code execution in target environments. Actors were observed delivering FudModule, an advanced rootkit tool, during the attacks.<sup>[[Microsoft Security Blog August 30 2024](/references/d7ef2e80-30c0-47ce-91d4-db1690c6c689)]</sup>",
"meta": {
"campaign_attack_id": "C3055",
"first_seen": "2024-08-19T00:00:00Z",
"last_seen": "2024-08-30T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"a38ef717-4427-4aa0-9666-bb97c6ff45f3",
"b9c973c9-062d-4cbd-8bfe-98d0b4e547eb",
"a98d7a43-f227-478e-81de-e7299639a355",
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "3ecdd876-7e93-4877-9032-49170c65a864",
"value": "Citrine Sleet Chromium Zero-Day Exploit Activity (CVE-2024-7971)"
},
{
"description": "Microsoft researchers observed threat actors, believed to be members of the Citrine Sleet aka DEV-0139 group, launch an apparently targeted attack against an organization in the cryptocurrency industry.<sup>[[Microsoft DEV-0139 December 6 2022](/references/f9c070f1-aa83-45a3-bffb-c90f4caf5926)]</sup>",
"meta": {
"campaign_attack_id": "C3056",
"first_seen": "2024-06-18T00:00:00Z",
"last_seen": "2022-10-19T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "dd4f230d-198b-45d5-b0f9-55ee725cd836",
"value": "Citrine Sleet Cryptocurrency Industry Attack"
},
{
"description": "In June 2023, U.S. authorities released Cybersecurity Advisory AA23-158A, which detailed observed exploits of a zero-day SQL injection vulnerability (CVE-2023-34362) affecting Progress Software's managed file transfer (MFT) solution, MOVEit Transfer. According to the Advisory, exploit activity began on May 27, 2023, as threat actors, which the Advisory attributed to \"CL0P Ransomware Gang, also known as TA505\", began compromising internet-facing MOVEit Transfer web applications. Actors deployed web shells, dubbed LEMURLOOT, on compromised MOVEit applications, which enabled persistence, discovery of files and folders stored on MOVEit servers, and staging and exfiltration of compressed victim data. Authorities indicated they expected to see \"widespread exploitation of unpatched software services in both private and public networks\".<sup>[[U.S. CISA CL0P CVE-2023-34362 Exploitation](/references/07e48ca8-b965-4234-b04a-dfad45d58b22)]</sup> Progress Software acknowledged the vulnerability and issued guidance on known affected versions, software upgrades, and patching.<sup>[[Progress Software MOVEit Transfer Critical Vulnerability](/references/9f364e22-b73c-4f3a-902c-a3f0eb01a2b9)]</sup>\n\n**Related Vulnerabilities**: CVE-2023-34362<sup>[[U.S. CISA CL0P CVE-2023-34362 Exploitation](/references/07e48ca8-b965-4234-b04a-dfad45d58b22)]</sup>",
"meta": {
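Review bot: the Citrine Sleet object's date range is inverted: `"first_seen": "2024-06-18T00:00:00Z"` is later than `"last_seen": "2022-10-19T00:00:00Z"`, and the only cited source is the Microsoft DEV-0139 report from December 2022. One of the two values is wrong; `first_seen` must be at or before `last_seen`, so please check both against the source before merging.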
@ -692,9 +741,7 @@
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2e5f6e4a-4579-46f7-9997-6923180815dd",
"2feda37d-5579-4102-a073-aa02e82cb49f"
"2e5f6e4a-4579-46f7-9997-6923180815dd"
]
},
"related": [],
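Review bot: the MOVEit object loses two tags in this hunk (`c6e1f516-1a18-4ff9-b563-e6ac8103b104` and `2feda37d-5579-4102-a073-aa02e82cb49f`), keeping only `2e5f6e4a-4579-46f7-9997-6923180815dd`. Those two UUIDs are present on every other `"owner": "TidalCyberIan"` object in this diff, so the removal looks accidental; if it is deliberate, a line in the commit message saying why this object is untagged would help the next reviewer.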
@ -719,6 +766,46 @@
"uuid": "1a2caf4c-658d-4117-a912-55f4d6bca899",
"value": "Defense Sector Supply Chain Compromise by North Korea-Linked Actors"
},
{
"description": "Security researchers observed consistent adversary use of Web Distributed Authoring and Versioning (WebDAV) technology to host malicious files related to Emmenhtal (aka PeakLight), a stealthy loader malware that was then used to ingress various final malicious payloads, including DarkGate, Amadey, and SelfAU3.<sup>[[Sekoia.io Blog September 19 2024](/references/df9ff358-4d1e-4094-92cd-4703c53a384c)]</sup>",
"meta": {
"campaign_attack_id": "C3060",
"first_seen": "2023-12-01T00:00:00Z",
"last_seen": "2024-09-19T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"61085b71-eb19-46d8-a9e6-1ab9d2f3c08d",
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "0ca317da-c8d6-4bd5-8c1e-5d581c9095ce",
"value": "Emmenhtal Loader Distribution Activity"
},
{
"description": "ESET researchers observed cyberespionage activity that they linked to the FamousSparrow group, where actors used ProxyLogon and other vulnerability exploits to compromise hotel, legal, and other organizations worldwide and install a backdoor dubbed SparrowDoor, among other post-exploit tools.<sup>[[ESET FamousSparrow September 23 2021](/references/f91d6d8e-22a4-4851-9444-7a066e6b7aa5)]</sup>\n\nAt a similar time, Kaspersky researchers reported activity they linked to the GhostEmperor group, where ProxyLogon was also exploited and similar post-exploit tools were deployed, as well as a rootkit dubbed Demodex. The researchers further indicated that one of the command and control servers identified during their investigation correlated to the FamousSparrow activity that ESET had reported.<sup>[[Kaspersky September 30 2021](/references/8851f554-05c6-4fb0-807e-2ef0bc28e131)]</sup>",
"meta": {
"campaign_attack_id": "C3064",
"first_seen": "2021-03-03T00:00:00Z",
"last_seen": "2021-03-31T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"915e7ac2-b266-45d7-945c-cb04327d6246",
"e499005b-adba-45bb-85e3-07043fd9edf9",
"8b1cb0dc-dd3e-44ba-828c-55c040e93b93",
"5f5e40cd-0732-4eb4-a083-06940623c3f9",
"15f2277a-a17e-4d85-8acd-480bf84f16b4",
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "7fa02214-cd06-480d-af2d-5943be14c6bd",
"value": "FamousSparrow/GhostEmperor Vulnerability Exploit and Post-Compromise Activity"
},
{
"description": "In September 2023, French cybersecurity authorities released advisory CERTFR-2023-CTI-007, which detailed a network intrusion of the Regional and University Hospital Center of Brest, in northwestern France. Actors used valid credentials belonging to a healthcare professional to connect to a remote desktop service exposed to the Internet, then installed Cobalt Strike and SystemBC to provide backdoor network access. Authorities indicated that the credentials were likely compromised via unspecified infostealer malware.\n\nThe actors used multiple third-party tools for credential access and discovery, and they attempted to exploit at least five vulnerabilities for privilege escalation and lateral movement. Authorities worked with hospital personnel to isolate affected systems and disrupt the intrusion before suspected data exfiltration and encryption could take place. Based on infrastructural and behavioral overlaps with other incidents, officials attributed the intrusion to the FIN12 financially motivated actor group and indicated the same actors are responsible for dozens of attacks on French victims in recent years.\n\nAdditional details, indicators of compromise, and the observed Cobalt Strike configuration can be found in the [source report](https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf).<sup>[[CERTFR-2023-CTI-007](/references/0f4a03c5-79b3-418e-a77d-305d5a32caca)]</sup>\n\n**Related Vulnerabilities**: CVE-2023-21746, CVE-2022-24521, CVE-2021-34527, CVE-2019-0708, CVE-2020-1472<sup>[[CERTFR-2023-CTI-007](/references/0f4a03c5-79b3-418e-a77d-305d5a32caca)]</sup>",
"meta": {
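Review bot: the citation links in the new Emmenhtal and FamousSparrow/GhostEmperor descriptions are site-relative (`/references/df9ff358-...`, `/references/f91d6d8e-...`), while the MITRE-sourced objects in this file use absolute `https://app.tidalcyber.com/references/...` URLs. Relative paths resolve to nothing when the cluster is rendered anywhere other than app.tidalcyber.com (for example on misp-galaxy.org), so consider normalizing them to absolute URLs in the generator.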
@ -740,6 +827,25 @@
"uuid": "129ffe04-ea90-45d1-a2fd-7ff0bffa0433",
"value": "FIN12 March 2023 Hospital Center Intrusion"
},
{
"description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects related to the subject threat. Further contextual details are provided via the sources in the References tab below and any associated Tags.",
"meta": {
"campaign_attack_id": "C3066",
"first_seen": "2024-06-27T00:00:00Z",
"last_seen": "2024-10-23T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"ef7715f8-526a-4df5-bad3-74b66170a52b",
"a98d7a43-f227-478e-81de-e7299639a355",
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "50a2fbb8-e92e-4033-9dfc-d6b47aaab22d",
"value": "FortiManager Zero-Day Exploit Activity (CVE-2024-47575)"
},
{
"description": "[Frankenstein](https://app.tidalcyber.com/campaigns/2fab9878-8aae-445a-86db-6b47b473f56b) was described by security researchers as a highly-targeted campaign conducted by moderately sophisticated and highly resourceful threat actors in early 2019. The unidentified actors primarily relied on open source tools, including [Empire](https://app.tidalcyber.com/software/fea655ac-558f-4dd0-867f-9a5553626207). The campaign name refers to the actors' ability to piece together several unrelated open-source tool components.<sup>[[Talos Frankenstein June 2019](https://app.tidalcyber.com/references/a6faa495-db01-43e8-9db3-d446570802bc)]</sup>",
"meta": {
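Review bot: the new FortiManager object (C3066) ships with the generic placeholder description ("This object represents a collection of MITRE ATT&CK® Techniques...") and, unlike the other objects added in this commit, carries no `<sup>[[...]]</sup>` citation, so nothing in the object points to a source for CVE-2024-47575 or for the June 27 to October 23, 2024 window given in `first_seen`/`last_seen`. Please add a one- or two-sentence summary and the reference, as was done for the Emmenhtal and Storm-0501 objects.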
@ -764,6 +870,23 @@
"uuid": "94587edf-0292-445b-8c66-b16629597f1e",
"value": "FunnyDream"
},
{
"description": "In July 2024, Sygnia researchers reported about what they described as an \"updated infection chain\" used to deploy a variant of the Demodex rootkit, associated with the GhostEmperor (AKA FamousSparrow and Salt Typhoon) China-backed cyberespionage group. The attacks, which were discovered at an unspecified time in \"late 2023\", featured malware loading and obfuscation methods distinct from those observed during previous GhostEmperor activity in 2021.<sup>[[Sygnia July 17 2024](/references/7d30acb4-9600-46bd-a800-1c7e1149e9b4)]</sup>",
"meta": {
"campaign_attack_id": "C3065",
"first_seen": "2023-12-01T00:00:00Z",
"last_seen": "2023-12-31T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "c1447188-c034-408e-a827-55314c698827",
"value": "GhostEmperor/Demodex 2023 Compromise"
},
{
"description": "U.S. cybersecurity authorities released an advisory that warned of recent attacks targeting healthcare entities and providers, which leveraged social engineering techniques for initial access and ultimately led to financial theft. The attacks used voice phishing and phishing domains, and sometimes bypassed multi-factor authentication measures, to gain footholds. Actors often used information gathered through extensive reconnaissance to facilitate these efforts.\n\nActors then used \"living off the land\" (LOTL) techniques to persist stealthily in compromised environments. Ultimately, actors sought to modify patient automated clearinghouse (ACH) account information to divert payments to actor-controlled bank accounts. The advisory did not attribute the recent campaign to a named adversary group.<sup>[[FBI Social Engineering Attacks June 24 2024](/references/527ac41a-a65e-4cf9-a9c9-194443b37c5b)]</sup>",
"meta": {
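Review bot: the GhostEmperor/Demodex 2023 description treats FamousSparrow and GhostEmperor as aliases ("GhostEmperor (AKA FamousSparrow and Salt Typhoon)"), whereas the FamousSparrow/GhostEmperor object added earlier in this commit (C3064) describes them as two separately tracked groups whose activity overlapped on one command and control server. The two objects should state the same relationship, or the alias wording should be marked as Sygnia's assessment. Separately, `first_seen`/`last_seen` pin the activity to 1-31 December 2023 while the description only says "late 2023"; if December is an estimate, say so in the description.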
@ -781,6 +904,22 @@
"uuid": "1610257c-e2fc-4b05-bd63-5c2cbfb2342e",
"value": "Healthcare Social Engineering & Payment Diversion Activity"
},
{
"description": "[HomeLand Justice](https://app.tidalcyber.com/campaigns/04329c95-d792-5333-b5bc-13ef2c545d7b) was a disruptive campaign involving the use of ransomware, wiper malware, and sensitive information leaks conducted by Iranian state cyber actors against Albanian government networks in July and September 2022. Initial access for [HomeLand Justice](https://app.tidalcyber.com/campaigns/04329c95-d792-5333-b5bc-13ef2c545d7b) was established in May 2021 as threat actors subsequently moved laterally, exfiltrated sensitive information, and maintained persistence for approximately 14 months prior to the attacks. Responsibility was claimed by the \"HomeLand Justice\" front whose messaging indicated targeting of the Mujahedeen-e Khalq (MEK), an Iranian opposition group who maintain a refugee camp in Albania, and were formerly designated a terrorist organization by the US State Department.<sup>[[Mandiant ROADSWEEP August 2022](https://app.tidalcyber.com/references/0d81ec58-2e12-5824-aa53-feb0d2260f30)]</sup><sup>[[Microsoft Albanian Government Attacks September 2022](https://app.tidalcyber.com/references/d00399e9-a6c6-5691-92cd-0185b03b689e)]</sup><sup>[[CISA Iran Albanian Attacks September 2022](https://app.tidalcyber.com/references/c5d37bde-52bc-525a-b25a-e097f77a924a)]</sup> A second wave of attacks was launched in September 2022 using similar tactics after public attribution of the previous activity to Iran and the severing of diplomatic ties between Iran and Albania.<sup>[[CISA Iran Albanian Attacks September 2022](https://app.tidalcyber.com/references/c5d37bde-52bc-525a-b25a-e097f77a924a)]</sup>\n\n",
"meta": {
"campaign_attack_id": "C0038",
"first_seen": "2021-05-01T04:00:00Z",
"last_seen": "2022-09-01T04:00:00Z",
"source": "MITRE",
"tags": [
"e551ae97-d1b4-484e-9267-89f33829ec2c",
"15787198-6c8b-4f79-bf50-258d55072fee"
]
},
"related": [],
"uuid": "04329c95-d792-5333-b5bc-13ef2c545d7b",
"value": "HomeLand Justice"
},
{
"description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. Further background & contextual details can be found in the References tab below.",
"meta": {
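Review bot: the HomeLand Justice description string ends with a trailing `\n\n` after the final citation, while every other description in this file ends at its last citation. Minor, but worth trimming so renderers do not emit an empty paragraph after the object text.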
@ -829,6 +968,29 @@
"uuid": "18cf25b5-ed3a-40f6-bf0a-a3938a4f8da2",
"value": "Iranian APT Targeting U.S. Voter Data"
},
{
"description": "On October 16, 2024, U.S., Canadian, and Australian cybersecurity authorities released joint Cybersecurity Advisory AA24-290A, which detailed attacks by unspecified \"Iranian cyber actors\", who used brute forcing and other credential access techniques to compromise various critical infrastructure entities, including organizations in the healthcare and public health (HPH), government, information technology, engineering, and energy sectors. The advisory indicated that the actors likely carried out the attacks in order to ultimately sell harvested credentials and victim network information \"to enable access to cybercriminals\".<sup>[[U.S. CISA Iranian Actors Critical Infrastructure October 16 2024](/references/a70a4487-eaae-43b3-bfe0-0677fd911959)]</sup>",
"meta": {
"campaign_attack_id": "C3063",
"first_seen": "2023-10-01T00:00:00Z",
"last_seen": "2024-02-07T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"51006447-540b-4b9d-bdba-1cbff8038ae9",
"35e694ec-5133-46e3-b7e1-5831867c3b55",
"61cdbb28-cbfd-498b-9ab1-1f14337f9524",
"15787198-6c8b-4f79-bf50-258d55072fee",
"89c5b94b-ecf4-4d53-9b74-3465086d4565",
"291c006e-f77a-4c9c-ae7e-084974c0e1eb",
"15f2277a-a17e-4d85-8acd-480bf84f16b4",
"c9c73000-30a5-4a16-8c8b-79169f9c24aa"
]
},
"related": [],
"uuid": "3b15979c-eabf-41d1-8930-f480106f8430",
"value": "Iranian Cyber Actors Compromise Critical Infrastructure Organizations"
},
{
"description": "In September 2022, U.S., Canadian, United Kingdom, and Australian cybersecurity authorities released joint Cybersecurity Advisory AA22-257A, which detailed malicious cyber activity attributed to advanced persistent threat (APT) actors affiliated with the Iranian governments Islamic Revolutionary Guard Corps (IRGC). The advisory updated a previous alert (AA21-321A), published in November 2021, and summarized recent activities linked to the actors. Since at least March 2021, the actors were observed targeting victims in a wide range of U.S. critical infrastructure sectors, including transportation and healthcare, and victims in unspecified sectors in Australia, Canada, and the United Kingdom.\n\nThe actors typically exploited vulnerabilities to gain initial network access. They were observed exploiting vulnerabilities in Microsoft Exchange servers (ProxyShell) and Fortinet devices in 2021, and VMware Horizon (Log4j) in 2022. After gaining access, the actors typically evaluated the perceived value of data held within a victim network and either encrypted it for ransom and/or exfiltrated it. The actors are believed to have sold some exfiltrated data or used it as leverage to further pressure victims into paying a ransom.\n\nIn addition to behavioral observations and indicators of compromise, the advisories provided detection and mitigation guidance, which can be found in the source reports [here](https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-257a) and [here](https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a).\n\n**Related Vulnerabilities**: CVE-2021-34523, CVE-2021-31207, CVE-2021-44228, CVE-2021-45046, CVE-2021-45105<sup>[[U.S. CISA IRGC Actors September 14 2022](/references/728b20b0-f702-4dbe-afea-50270648a3a2)]</sup>, CVE-2021-34473, CVE-2018-13379, CVE-2020-12812, CVE-2019-5591<sup>[[U.S. CISA Iranian Government Actors November 19 2021](/references/d7014279-bc6a-43d4-953a-a6bc1d97a13b)]</sup>",
"meta": {
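Review bot: the Iranian critical-infrastructure object (C3063) is the only `"owner": "TidalCyberIan"` object in this commit without the `c6e1f516-1a18-4ff9-b563-e6ac8103b104` and `2feda37d-5579-4102-a073-aa02e82cb49f` tags that all the other Tidal-owned objects carry in their `tags` array. Confirm whether they were dropped by mistake in the export.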
@ -919,6 +1081,21 @@
"uuid": "86e3565d-93dc-40e5-8f84-20d1c15b8e9d",
"value": "June 2023 Citrix Vulnerability Exploitation"
},
{
"description": "[KV Botnet Activity](https://app.tidalcyber.com/campaigns/c0c1054c-46f0-5221-9e7c-9907fe224947) consisted of exploitation of primarily “end-of-life” small office-home office (SOHO) equipment from manufacturers such as Cisco, NETGEAR, and DrayTek. [KV Botnet Activity](https://app.tidalcyber.com/campaigns/c0c1054c-46f0-5221-9e7c-9907fe224947) was used by [Volt Typhoon](https://app.tidalcyber.com/groups/4ea1245f-3f35-5168-bd10-1fc49142fd4e) to obfuscate connectivity to victims in multiple critical infrastructure segments, including energy and telecommunication companies and entities based on the US territory of Guam. While the KV Botnet is the most prominent element of this campaign, it overlaps with another botnet cluster referred to as the JDY cluster.<sup>[[Lumen KVBotnet 2023](https://app.tidalcyber.com/references/81bbc4e1-e1e6-5c93-bf65-ffdc9c7ff71d)]</sup> This botnet was disrupted by US law enforcement entities in early 2024 after periods of activity from October 2022 through January 2024.<sup>[[DOJ KVBotnet 2024](https://app.tidalcyber.com/references/55cf0ced-0de3-5af8-b3e6-3c33bb445593)]</sup>",
"meta": {
"campaign_attack_id": "C0035",
"first_seen": "2022-10-01T04:00:00Z",
"last_seen": "2024-01-01T05:00:00Z",
"source": "MITRE",
"tags": [
"b20e7912-6a8d-46e3-8e13-9a3fc4813852"
]
},
"related": [],
"uuid": "c0c1054c-46f0-5221-9e7c-9907fe224947",
"value": "KV Botnet Activity"
},
{
"description": "In November 2023, U.S. cybersecurity authorities and international partners released Cybersecurity Advisory AA23-325A, which detailed observed exploitation of CVE-2023-4966 (known colloquially as the “Citrix Bleed” vulnerability) by threat actors believed to be affiliated with the LockBit ransomware operation.\n\nCitrix Bleed is a vulnerability in Citrix NetScaler web application delivery control (“ADC”) and NetScaler Gateway appliances, which allows adversaries to bypass password requirements and multifactor authentication, enabling hijacking of legitimate user sessions and subsequent credential harvesting, lateral movement, and data or resource access. Authorities indicated that they expected “widespread” Citrix Bleed exploitation on unpatched services due to the ease of carrying out the exploit.\n\nAfter successful Citrix Bleed exploitation, LockBit affiliates were observed using a variety of follow-on TTPs and using a range of software, including abuse of native utilities and popular legitimate remote management and monitoring (“RMM”) tools. Indicators of compromise associated with recent intrusions and further incident response and mitigation guidance can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a).<sup>[[U.S. CISA LockBit Citrix Bleed November 21 2023](/references/21f56e0c-9605-4fbb-9cb1-f868ba6eb053)]</sup> Public reporting suggested that actors associated with the Medusa and Qilin ransomware operations, plus other unknown ransomware and uncategorized actors, had also exploited Citrix Bleed as part of their operations.<sup>[[Malwarebytes Citrix Bleed November 24 2023](/references/fdc86cea-0015-48d1-934f-b22244de6306)]</sup><sup>[[Cybernews Yanfeng Qilin November 2023](/references/93c89ca5-1863-4ee2-9fff-258f94f655c4)]</sup>",
"meta": {
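Review bot: the KV Botnet description attributes the activity to Volt Typhoon via a markdown link to a Tidal group URL, but `related` is left as `[]`, as it is for every object in this file. If relationships are meant to be expressed in this cluster, MISP galaxy's `related` entries (a `dest-uuid` plus a `type` such as attributed-to) are the place for it; if the Tidal group UUIDs do not map onto the threat-actor galaxy, a short note to that effect in the generator's documentation would stop reviewers asking on every import.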
@ -1009,7 +1186,7 @@
"value": "Molerats 2021 Backdoor Delivery Campaign"
},
{
"description": "This object represents a collection of MITRE ATT&CK® Techniques related to multiple incidents attributed to the North Korean actor group Moonstone Sleet that took place from August 2023 through May 2024. Attacks targeted individuals and organizations related to the software, information technology, education, and defense industrial base sectors, and are believed to have been carried out for both financial gain and espionage purposes.<sup>[[Microsoft Security Blog 5 28 2024](/references/faf315ed-71f7-4e29-8334-701da35a69ad)]</sup>",
"description": "*We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: \"Moonstone Sleet\" (Group). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.*\n\nThis object represents a collection of MITRE ATT&CK® Techniques related to multiple incidents attributed to the North Korean actor group Moonstone Sleet that took place from August 2023 through May 2024. Attacks targeted individuals and organizations related to the software, information technology, education, and defense industrial base sectors, and are believed to have been carried out for both financial gain and espionage purposes.<sup>[[Microsoft Security Blog 5 28 2024](/references/faf315ed-71f7-4e29-8334-701da35a69ad)]</sup>",
"meta": {
"campaign_attack_id": "C3039",
"first_seen": "2023-08-01T00:00:00Z",
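Review bot: the deprecation notice prepended to the Moonstone Sleet description names the replacement object ("Moonstone Sleet" (Group), MITRE-authored) but gives neither a link nor a UUID, unlike the other cross-references in this file, which are markdown links to app.tidalcyber.com objects. Add the link so consumers of the deprecated object can follow it to the replacement.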
@ -1023,7 +1200,7 @@
},
"related": [],
"uuid": "6e63729b-6483-4a87-923c-2de179a32f17",
"value": "Moonstone Sleet Operations"
"value": "Moonstone Sleet Operations (Deprecated)"
},
{
"description": "[Night Dragon](https://app.tidalcyber.com/campaigns/85f136b3-d5a3-4c4c-a37c-40e4418dc989) was a cyber espionage campaign that targeted oil, energy, and petrochemical companies, along with individuals and executives in Kazakhstan, Taiwan, Greece, and the United States. The unidentified threat actors searched for information related to oil and gas field production systems, financials, and collected data from SCADA systems. Based on the observed techniques, tools, and network activities, security researchers assessed the campaign involved a threat group based in China.<sup>[[McAfee Night Dragon](https://app.tidalcyber.com/references/242d2933-ca2b-4511-803a-454727a3acc5)]</sup>",
@ -1222,6 +1399,18 @@
"uuid": "71f6d3b1-c45e-421c-99cb-3b695647cf0b",
"value": "Pikabot Distribution Campaigns 2023"
},
{
"description": "[Pikabot](https://app.tidalcyber.com/software/fb1b0624-3290-5977-abbc-bc9609b51f8d) was distributed in [Pikabot Distribution February 2024](https://app.tidalcyber.com/campaigns/6e6fa0e4-18b3-5700-803d-b821dcdcd787) using malicious emails with embedded links leading to malicious ZIP archives requiring user interaction for follow-on infection. The version of [Pikabot](https://app.tidalcyber.com/software/fb1b0624-3290-5977-abbc-bc9609b51f8d) distributed featured significant changes over the 2023 variant, including reduced code complexity and simplified obfuscation mechanisms.<sup>[[Elastic Pikabot 2024](https://app.tidalcyber.com/references/6c222f33-f588-513c-9149-4c2308e05319)]</sup><sup>[[Zscaler Pikabot 2024](https://app.tidalcyber.com/references/9c1edd25-0fd0-5b5d-8091-68074da52593)]</sup>",
"meta": {
"campaign_attack_id": "C0036",
"first_seen": "2024-02-01T05:00:00Z",
"last_seen": "2024-02-01T05:00:00Z",
"source": "MITRE"
},
"related": [],
"uuid": "6e6fa0e4-18b3-5700-803d-b821dcdcd787",
"value": "Pikabot Distribution February 2024"
},
{
"description": "Researchers observed a campaign, with activity occurring between March and at least June 2024, where multiple discrete threat actor clusters used similar social engineering techniques to trick users into copying and executing PowerShell scripts, which ultimately led to malware deployment on the victim's system. Payloads included droppers, RATs, and information stealer malware.\n\nInitial contact with the victim occurred through both malspam email campaigns and web browser injects, which would trigger a popup claiming an error occurred when trying to open a document or webpage. The popup would prompt the user to run a script in the PowerShell terminal or Windows Run dialog box. Researchers attributed these campaigns to TA571, an initial access broker, a known intrusion set (ClearFake), and a newer group dubbed ClickFix.<sup>[[Proofpoint June 17 2024](/references/a65d7492-04a4-46d4-85ed-134786c6828b)]</sup><sup>[[BleepingComputer Fake Chrome Errors June 17 2024](/references/6efa70e3-d8eb-4260-b0ab-62335681e6fd)]</sup>",
"meta": {
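Review bot: the new Pikabot Distribution February 2024 object (C0036) has `first_seen` and `last_seen` both set to `2024-02-01T05:00:00Z`, a zero-length window, and has no `tags` key at all, whereas the other MITRE-sourced objects in this diff (C0035, C0038) carry both a real date range and tags. Check whether the export dropped fields for this object.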
@ -1276,6 +1465,49 @@
"uuid": "a9bef150-04e6-41f2-9f94-069f9912f5e3",
"value": "Quantum Ransomware Compromise"
},
{
"description": "On October 10, 2024, U.S. cybersecurity authorities and international patners released a joint Cybersecurity Advisory (JCSA-20241010-001), which detailed TTPs used by Russian Foreign Intelligence Service (SVR) actors (aka APT29, Midnight Blizzard, et al) during \"recent\" cyber operations. The advisory highlighted the variety of initial access and post-exploitation TTPs leveraged by SVR actors in both targeted and broad-based campaigns, and it also spotlighted that these actors have the \"capability and interest\" to exploit a relatively long list of publicly disclosed vulnerabilities, which are tagged to this object.<sup>[[FBI SVR Update October 10 2024](/references/63a76e88-2cd1-4cfa-bd96-4c1c3eebb39b)]</sup>",
"meta": {
"campaign_attack_id": "C3062",
"first_seen": "2021-01-01T00:00:00Z",
"last_seen": "2024-10-10T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"af5e9be5-b86e-47af-91dd-966a5e34a186",
"61cdbb28-cbfd-498b-9ab1-1f14337f9524",
"e551ae97-d1b4-484e-9267-89f33829ec2c",
"154bd6f0-9276-4ea5-946c-d35769d3ae4b",
"1ee3e55f-8f28-43c4-9f01-8a1bad68bd56",
"082b6886-9f4a-4237-82e4-827f6bab704e",
"7d158419-2d50-4688-aa4f-3b68a4d30870",
"5c7a911d-9f28-4f13-a6aa-c7a2e2b3ca55",
"46404b24-e38a-4fea-981b-cac3d3020c8b",
"9a0df3c4-2bbf-4192-a08a-ec27d9a4c5f1",
"e676e31d-d1d4-4a83-afa9-acf58be4f92a",
"49478e42-38e9-417c-9cf9-7f2c5d41bfa8",
"b7ad8591-fbff-46ec-8f4a-33f569cce2f9",
"5ef89937-dd06-4407-91d2-61db30c75934",
"72d3fa15-265b-4f4c-ba77-635d8531fe69",
"5bd6e9f7-78e3-4a8b-8734-c8c45b61a76d",
"b3665c87-5cb3-414e-8910-d4ffe53371c2",
"d1596bb2-b947-419a-b1f0-8f38e28eae09",
"49a674f7-c117-422e-8057-67bdfab2de9c",
"a4240ea5-b7d4-40a0-afbd-76fcf2e4ebbc",
"f97e406e-0d4b-4927-af03-8113a720417f",
"1b0321d7-4d9a-4977-bd2a-092c2693b328",
"cccb02c5-9791-4cb4-8fe8-0c5a6aea7dcf",
"15b77e5c-2285-434d-9719-73c14beba8bd",
"08809fa0-61b6-4394-b103-1c4d19a5be16",
"7551097a-dfdd-426f-aaa2-a2916dd9b873",
"a32a757a-9d6b-43ca-ac4b-5f695dd0f110",
"1b98f09a-7d93-4abb-8f3e-1eacdb9f9871"
]
},
"related": [],
"uuid": "246d56a6-141c-4d60-a346-538e44fac1c9",
"value": "Russian SVR Cyber Operations and Vulnerability Exploitation Activity"
},
{
"description": "Researchers have observed an evolution in Scattered Spider's/UNC3944's TTPs since the second half of 2023, with actors especially focusing on gaining wide access to victim SaaS environments for reconnaissance, data theft, and subsequent extortion purposes. This object reflects the MITRE ATT&CK® Techniques associated with this activity.<sup>[[Google Cloud June 13 2024](/references/161423a2-165d-448f-90e9-0c53e319a125)]</sup>\n\nNotable Techniques newly associated with Scattered Spider via this Campaign object include Forge Web Credentials: SAML Tokens (T1606.002), Impair Defenses: Disable or Modify Tools (T1562.001), Indicator Removal: Clear Windows Event Logs (T1070.001), Software Discovery: Security Software Discovery (T1518.001), and Pre-OS Boot: System Firmware (T1542.001).",
"meta": {
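Review bot: typo in the Russian SVR description (C3062): "international patners" should read "international partners". Also, `first_seen` is set to `2021-01-01T00:00:00Z` while the description only speaks of "recent" operations; if January 2021 is a lower bound chosen by the author rather than a date stated in the advisory, the description should say so.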
@ -1317,7 +1549,7 @@
"value": "ScreenConnect Vulnerability Exploit Attacks"
},
{
"description": "The [SolarWinds Compromise](https://app.tidalcyber.com/campaigns/8bde8146-0656-5800-82e6-e24e008e4f4a) was a sophisticated supply chain cyber operation conducted by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) that was discovered in mid-December 2020. [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) used customized malware to inject malicious code into the SolarWinds Orion software build process that was later distributed through a normal software update; they also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. Industry reporting initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.<sup>[[SolarWinds Advisory Dec 2020](https://app.tidalcyber.com/references/4e8b908a-bdc5-441b-bc51-98dfa87f6b7a)]</sup><sup>[[SolarWinds Sunburst Sunspot Update January 2021](https://app.tidalcyber.com/references/1be1b6e0-1b42-4d07-856b-b6321c17bb88)]</sup><sup>[[FireEye SUNBURST Backdoor December 2020](https://app.tidalcyber.com/references/d006ed03-a8af-4887-9356-3481d81d43e4)]</sup><sup>[[Volexity SolarWinds](https://app.tidalcyber.com/references/355cecf8-ef3e-4a6e-a652-3bf26fe46d88)]</sup><sup>[[CrowdStrike StellarParticle January 2022](https://app.tidalcyber.com/references/149c1446-d6a1-4a63-9420-def9272d6cb9)]</sup><sup>[[Unit 42 SolarStorm December 2020](https://app.tidalcyber.com/references/ecbb602a-2427-5eba-8c2b-25d90c95f166)]</sup><sup>[[Microsoft Analyzing Solorigate Dec 2020](https://app.tidalcyber.com/references/8ad72d46-ba2c-426f-bb0d-eb47723c8e11)]</sup><sup>[[Microsoft Internal Solorigate Investigation 
Blog](https://app.tidalcyber.com/references/66cade99-0040-464c-98a6-bba57719f0a4)]</sup> \n\nIn April 2021, the US and UK governments attributed the [SolarWinds Compromise](https://app.tidalcyber.com/campaigns/8bde8146-0656-5800-82e6-e24e008e4f4a) to Russia's Foreign Intelligence Service (SVR); public statements included citations to [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447), Cozy Bear, and The Dukes.<sup>[[NSA Joint Advisory SVR SolarWinds April 2021](https://app.tidalcyber.com/references/43d9c469-1d54-454b-ba67-74e7f1de9c10)]</sup><sup>[[UK NSCS Russia SolarWinds April 2021](https://app.tidalcyber.com/references/f49e6780-8caa-4c3c-8d68-47a2cc4319a1)]</sup><sup>[[Mandiant UNC2452 APT29 April 2022](https://app.tidalcyber.com/references/5276508c-6792-56be-b757-e4b495ef6c37)]</sup> The US government assessed that of the approximately 18,000 affected public and private sector customers of Solar Winds Orion product, a much smaller number were compromised by follow-on [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) activity on their systems.<sup>[[USG Joint Statement SolarWinds January 2021](https://app.tidalcyber.com/references/336a6549-a95d-5763-bbaf-5ef0d3141800)]</sup> ",
"description": "The [SolarWinds Compromise](https://app.tidalcyber.com/campaigns/8bde8146-0656-5800-82e6-e24e008e4f4a) was a sophisticated supply chain cyber operation conducted by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) that was discovered in mid-December 2020. [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) used customized malware to inject malicious code into the SolarWinds Orion software build process that was later distributed through a normal software update; they also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. This activity has been labled the StellarParticle campaign in industry reporting.<sup>[[CrowdStrike StellarParticle January 2022](https://app.tidalcyber.com/references/149c1446-d6a1-4a63-9420-def9272d6cb9)]</sup> Industry reporting also initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, Dark Halo, and SolarStorm.<sup>[[SolarWinds Advisory Dec 2020](https://app.tidalcyber.com/references/4e8b908a-bdc5-441b-bc51-98dfa87f6b7a)]</sup><sup>[[SolarWinds Sunburst Sunspot Update January 2021](https://app.tidalcyber.com/references/1be1b6e0-1b42-4d07-856b-b6321c17bb88)]</sup><sup>[[FireEye SUNBURST Backdoor December 2020](https://app.tidalcyber.com/references/d006ed03-a8af-4887-9356-3481d81d43e4)]</sup><sup>[[Volexity SolarWinds](https://app.tidalcyber.com/references/355cecf8-ef3e-4a6e-a652-3bf26fe46d88)]</sup><sup>[[CrowdStrike StellarParticle January 2022](https://app.tidalcyber.com/references/149c1446-d6a1-4a63-9420-def9272d6cb9)]</sup><sup>[[Unit 42 SolarStorm December 2020](https://app.tidalcyber.com/references/ecbb602a-2427-5eba-8c2b-25d90c95f166)]</sup><sup>[[Microsoft Analyzing 
Solorigate Dec 2020](https://app.tidalcyber.com/references/8ad72d46-ba2c-426f-bb0d-eb47723c8e11)]</sup><sup>[[Microsoft Internal Solorigate Investigation Blog](https://app.tidalcyber.com/references/66cade99-0040-464c-98a6-bba57719f0a4)]</sup> \n\nIn April 2021, the US and UK governments attributed the [SolarWinds Compromise](https://app.tidalcyber.com/campaigns/8bde8146-0656-5800-82e6-e24e008e4f4a) to Russia's Foreign Intelligence Service (SVR); public statements included citations to [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447), Cozy Bear, and The Dukes.<sup>[[NSA Joint Advisory SVR SolarWinds April 2021](https://app.tidalcyber.com/references/43d9c469-1d54-454b-ba67-74e7f1de9c10)]</sup><sup>[[UK NSCS Russia SolarWinds April 2021](https://app.tidalcyber.com/references/f49e6780-8caa-4c3c-8d68-47a2cc4319a1)]</sup><sup>[[Mandiant UNC2452 APT29 April 2022](https://app.tidalcyber.com/references/5276508c-6792-56be-b757-e4b495ef6c37)]</sup> The US government assessed that of the approximately 18,000 affected public and private sector customers of Solar Winds Orion product, a much smaller number were compromised by follow-on [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) activity on their systems.<sup>[[USG Joint Statement SolarWinds January 2021](https://app.tidalcyber.com/references/336a6549-a95d-5763-bbaf-5ef0d3141800)]</sup> ",
"meta": {
"campaign_attack_id": "C0024",
"first_seen": "2019-08-01T05:00:00Z",
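Review bot: the sentence added to the SolarWinds description has a typo ("labled" should read "labelled"), and the paragraph now cites CrowdStrike StellarParticle January 2022 twice: once directly after the new sentence and again inside the citation list that follows. Drop the duplicate from the list.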
@ -1332,6 +1564,30 @@
"uuid": "8bde8146-0656-5800-82e6-e24e008e4f4a",
"value": "SolarWinds Compromise"
},
{
"description": "Microsoft researchers observed Storm-0501 actors abusing hybrid user identities and their associated privileges in order to pivot from on-premises to cloud environments in Q3 2024. Storm-0501 is a financially motivated actor that has been known to deploy multiple distinct ransomware families and exfiltrate data for extortion purposes, leveraging the relatively new, Rust-based Embargo ransomware (along with a number of supporting commodity and open-source tools) during the hybrid compromise attack.<sup>[[Microsoft Security Blog September 26 2024](/references/bf05138b-f690-4b0f-ba10-9af71f7d9bfc)]</sup> Mandiant reserachers linked Storm-0501 with an actor group they track as UNC2190, which was observed carrying out ransomware attacks while branded as \"54BB47h\" (Sabbath) in 2021.<sup>[[Mandiant Sabbath Ransomware November 29 2021](/references/ab3a20a5-2df1-4f8e-989d-baa96ffaca74)]</sup><sup>[[Tyler McLellan UNC2190 September 26 2024](/references/32298444-284a-4991-ba3b-a80bd62be903)]</sup>",
"meta": {
"campaign_attack_id": "C3057",
"first_seen": "2024-07-17T00:00:00Z",
"last_seen": "2024-09-17T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"ecfc9a06-e970-4310-ac3f-0af98163563b",
"1c1a335a-dc30-470d-9539-b09aa87e2f8c",
"15b77e5c-2285-434d-9719-73c14beba8bd",
"532b7819-d407-41e9-9733-0d716b69eb17",
"c9c73000-30a5-4a16-8c8b-79169f9c24aa",
"5e7433ad-a894-4489-93bc-41e90da90019",
"7e7b0c67-bb85-4996-a289-da0e792d7172",
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "96a04dd1-c6e6-4edd-ada4-03171fd15b2d",
"value": "Storm-0501 Hybrid Cloud Compromise"
},
{
"description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. Further background & contextual details can be found in the References tab below.",
"meta": {
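Review bot: the Storm-0501 description in this hunk carries a typo, "Mandiant reserachers", which should read "Mandiant researchers" before it is published on misp-galaxy.org. The same description also cites references through site-relative paths such as `/references/bf05138b-f690-4b0f-ba10-9af71f7d9bfc`, whereas the MITRE-sourced objects in this file (the SolarWinds and Versa Director entries) use absolute `https://app.tidalcyber.com/references/...` URLs; the relative form will not resolve when the cluster is rendered outside the Tidal site, so normalising to the absolute form in the import script would be worth considering.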
@ -1364,6 +1620,25 @@
"uuid": "6c7185e1-bd46-5a80-9a76-a376b16fbc7b",
"value": "Triton Safety Instrumented System Attack"
},
{
"description": "Mandiant researchers observed UNC2190, an actor group now linked to Storm-0501, deploying evasive, in-memory-only ransomware in 2021 while branded as the \"54BB47h\" (Sabbath) ransomware gang. The group had previously branded its operations as Eruption and Arcane. UNC2190 was seen targeting organizations in the education, health, and natural resources sectors in the United States and Canada from June through at least October 2021.<sup>[[Mandiant Sabbath Ransomware November 29 2021](/references/ab3a20a5-2df1-4f8e-989d-baa96ffaca74)]</sup>",
"meta": {
"campaign_attack_id": "C3058",
"first_seen": "2021-06-01T00:00:00Z",
"last_seen": "2021-10-26T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"5e7433ad-a894-4489-93bc-41e90da90019",
"7e7b0c67-bb85-4996-a289-da0e792d7172",
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "1a9e2500-a1aa-4001-8bb4-9d7ebca60d47",
"value": "UNC2190 2021 Ransomware Activity"
},
{
"description": "On September 5, 2024, international authorities published joint Cybersecurity Advisory AA24-249A, which detailed recent activity linked to cyber actors affiliated with the 161st Specialist Training Center (aka Unit 29155) of the Russian General Staff Main Intelligence Directorate (GRU), the foreign military intelligence agency of Russia's armed forces. The advisory highlighted Unit 29155 espionage, sabotage, and reputational cyber attacks carried out against targets around the world since 2020.\n\nWhile Unit 29155 had been previously linked to influence, interference, and physical sabotage operations, the advisory noted how the group has expanded its tradecraft to now include offensive cyber operations. The advisory indicated that several groups tracked by the cybersecurity community relate to Unit 29155 cyber actors but may not be directly synonyms with all parts of the Unit (or each other), including: Cadet Blizzard, DEV-0586, Ember Bear, Bleeding Bear, Frozenvista, UNC2589, and UAC-0056.<sup>[[U.S. CISA Unit 29155 September 5 2024](/references/9631a46d-3e0a-4f25-962b-0b2501c47926)]</sup>",
"meta": {
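Review bot: the UNC2190 description states that the group is "now linked to Storm-0501", and the Storm-0501 object added above (uuid `96a04dd1-c6e6-4edd-ada4-03171fd15b2d`) says the same in the other direction, yet both objects ship with `"related": []`. Consider emitting a `related` entry between the two clusters (for example a `"type": "similar"` relation in each direction) so the link is machine-readable rather than only stated in free text.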
@ -1430,6 +1705,22 @@
"uuid": "b78565ce-8eec-49ad-b762-8d2107fa9ce7",
"value": "Velvet Ant F5 BIG-IP Espionage Activity"
},
{
"description": "[Versa Director Zero Day Exploitation](https://app.tidalcyber.com/campaigns/e28a09b7-885f-5556-b56e-7ad3e0581ac0) was conducted by [Volt Typhoon](https://app.tidalcyber.com/groups/4ea1245f-3f35-5168-bd10-1fc49142fd4e) from early June through August 2024 as zero-day exploitation of Versa Director servers controlling software-defined wide area network (SD-WAN) applications. Since tracked as CVE-2024-39717, exploitation focused on credential capture from compromised Versa Director servers at managed service providers (MSPs) and internet service providers (ISPs) to enable follow-on access to service provider clients. [Versa Director Zero Day Exploitation](https://app.tidalcyber.com/campaigns/e28a09b7-885f-5556-b56e-7ad3e0581ac0) was followed by the delivery of the [VersaMem](https://app.tidalcyber.com/software/ea857bb3-408e-566f-a693-96d9dc4f3c90) web shell for both credential theft and follow-on code execution.<sup>[[Lumen Versa 2024](https://app.tidalcyber.com/references/1d7f40f7-76e6-5ba2-8561-17f3646cf407)]</sup>",
"meta": {
"campaign_attack_id": "C0039",
"first_seen": "2024-06-01T06:00:00Z",
"last_seen": "2024-08-01T06:00:00Z",
"source": "MITRE",
"tags": [
"a98d7a43-f227-478e-81de-e7299639a355",
"712d4124-8860-488a-a780-2938f9df6313"
]
},
"related": [],
"uuid": "e28a09b7-885f-5556-b56e-7ad3e0581ac0",
"value": "Versa Director Zero Day Exploitation"
},
{
"description": "Void Banshee is an advanced persistent threat (APT) group identified by Trend Micro researchers, which is known to target victims in North America, Europe, and Southeast Asia for information theft and financial gain. In May 2024, researchers observed Void Banshee actors exploiting CVE-2024-38112, a remote code execution vulnerability in the \"MSHTML\" web browser software component. The vulnerability had not been previously disclosed, so the campaign was characterized as \"zero-day\" exploit activity. Actors delivered the Atlantida infostealer malware during the observed attacks.<sup>[[Trend Micro Void Banshee July 15 2024](/references/02c4dda2-3aae-43ec-9b14-df282b200def)]</sup>\n\nLater, researchers noted that Void Banshee also exploited a separate MSHTML-related vulnerability, CVE-2024-43461, as a zero-day during attacks culminating in Atlantida infostealer deployments.<sup>[[BleepingComputer Void Banshee September 16 2024](/references/2c9a2355-02c5-4718-ad6e-b2fac9ad4096)]</sup>",
"meta": {
@ -1469,6 +1760,75 @@
"uuid": "e740e392-98cb-428a-ab92-b0a4d1d546b7",
"value": "Voldemort Malware Delivery Campaign"
},
{
"description": "*We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: \"Versa Director Zero Day Exploitation\" (Campaign). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.*\n\nThis object represents a collection of MITRE ATT&CK® Techniques and other objects related to the subject threat. Further contextual details are provided via the sources in the References tab below and any associated Tags.",
"meta": {
"campaign_attack_id": "C3067",
"first_seen": "2024-06-12T00:00:00Z",
"last_seen": "2024-07-15T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"a98d7a43-f227-478e-81de-e7299639a355",
"712d4124-8860-488a-a780-2938f9df6313",
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "553feab0-28a8-4a0f-a4a9-2aac6aa11c56",
"value": "Volt Typhoon Versa Director Zero-Day Exploitation (CVE-2024-39717) (Deprecated)"
},
{
"description": "[Pikabot](https://app.tidalcyber.com/software/fb1b0624-3290-5977-abbc-bc9609b51f8d) was distributed in [Water Curupira Pikabot Distribution](https://app.tidalcyber.com/campaigns/5b6d5717-676d-5e8b-a2a3-2717c62f6450) throughout 2023 by an entity linked to BlackBasta ransomware deployment via email attachments. This activity followed the take-down of [QakBot](https://app.tidalcyber.com/software/9050b418-5ffd-481a-a30d-f9059b0871ea), with several technical overlaps and similarities with [QakBot](https://app.tidalcyber.com/software/9050b418-5ffd-481a-a30d-f9059b0871ea), indicating a possible connection. The identified activity led to the deployment of tools such as [Cobalt Strike](https://app.tidalcyber.com/software/9b6bcbba-3ab4-4a4c-a233-cd12254823f6), while coinciding with campaigns delivering [DarkGate](https://app.tidalcyber.com/software/39d81c48-8f7c-54cb-8fac-485598e31a55) and [IcedID](https://app.tidalcyber.com/software/7f59bb7c-5fa9-497d-9d8e-ba9349fd9433) en route to ransomware deployment.<sup>[[TrendMicro Pikabot 2024](https://app.tidalcyber.com/references/a2a22246-d49e-5847-9d20-dac64f1df3ea)]</sup>",
"meta": {
"campaign_attack_id": "C0037",
"first_seen": "2023-01-01T05:00:00Z",
"last_seen": "2023-12-01T05:00:00Z",
"source": "MITRE"
},
"related": [],
"uuid": "5b6d5717-676d-5e8b-a2a3-2717c62f6450",
"value": "Water Curupira Pikabot Distribution"
},
{
"description": "Security researchers observed adversaries using Web Distributed Authoring and Versioning (WebDAV) remote file management technology - hosted via free, development/testing-focused Cloudflare servers - to deliver various malware payloads, including AsyncRAT, XWorm, VenomRAT, and the PureLogs infostealer. One infection involved an unspecified organization in the government sector.<sup>[[Esentire July 31 2024](/references/18185ffd-8a66-4531-86de-4ba4dd9f675b)]</sup>",
"meta": {
"campaign_attack_id": "C3059",
"first_seen": "2024-07-01T00:00:00Z",
"last_seen": "2024-07-31T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"61085b71-eb19-46d8-a9e6-1ab9d2f3c08d",
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "635edcc0-f8af-4b61-85ba-2589df9f3c58",
"value": "WebDAV Malware Delivery Activity"
},
{
"description": "Researchers observed a campaign that used phishing communications to trick victims into clicking links that would redirect them to compromised websites hosting a zero-day vulnerability exploit to bypass Microsoft Windows SmartScreen security technology (CVE-2024-21412). The exploit activity involved additional redirect activity, including via internet shortcut files hosted on an adversary WebDAV server. The attacks culminated in delivery of the DarkGate loader/remote access trojan.<sup>[[Trend Micro March 13 2024](/references/0574a0a7-694b-4858-b053-8f7911c8ce54)]</sup>",
"meta": {
"campaign_attack_id": "C3061",
"first_seen": "2024-01-15T00:00:00Z",
"last_seen": "2024-02-13T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"5187cea7-601f-4829-8b41-306044200b64",
"a98d7a43-f227-478e-81de-e7299639a355",
"61085b71-eb19-46d8-a9e6-1ab9d2f3c08d",
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2feda37d-5579-4102-a073-aa02e82cb49f"
]
},
"related": [],
"uuid": "22265193-4c7d-4edb-8e4e-727dcefd0a09",
"value": "Windows SmartScreen Bypass (CVE-2024-21412) DarkGate Campaign"
},
{
"description": "A suspected affiliate of the Zloader operation carried out attacks mainly affecting financial institutions. Intrusions typically came via drive-by compromise and initiallly saw the installation of the Atera software, which was then used to load Zloader, and in some cases, Ursnif.<sup>[[WeLiveSecurity April 19 2022](/references/f86845b9-03c4-446b-845f-b31b79b247ee)]</sup>",
"meta": {
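Review bot: the deprecated Tidal object `553feab0-28a8-4a0f-a4a9-2aac6aa11c56` says it has been superseded by the MITRE-authored "Versa Director Zero Day Exploitation" object (`e28a09b7-885f-5556-b56e-7ad3e0581ac0`, added earlier in this file), but the deprecation is recorded only in the description text: neither object references the other in `related`, and the deprecated entry carries no revoked flag, so consumers will keep seeing two campaigns for the same activity with differing date ranges (2024-06-12 to 2024-07-15 here versus 2024-06-01 to 2024-08-01 on the MITRE object). Adding a `related` entry pointing at the MITRE uuid, and marking the old object as revoked if the galaxy schema supports it, would make the hand-off explicit. Separately, the Zloader description at the end of the hunk has a typo, "initiallly", for "initially".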

File diff suppressed because it is too large

File diff suppressed because it is too large

File diff suppressed because it is too large

@ -137,10 +137,6 @@
"dest-uuid": "f2d216e3-43d6-4a2e-aa5b-d6be78d018b6",
"type": "uses"
},
{
"dest-uuid": "40e4133b-28c2-4da7-9a6a-7392ae87f1da",
"type": "uses"
},
{
"dest-uuid": "8af6a9ee-c323-44fa-85d3-29366fd1bb4f",
"type": "uses"
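Review bot: this hunk and most of the following hunks in this file move existing `dest-uuid` entries rather than add or remove them (for example `40e4133b-28c2-4da7-9a6a-7392ae87f1da` is dropped here and re-inserted a few lines later in the next hunk), which makes the genuine additions, such as the new entries under TA0006 and TA0011 further down, hard to pick out in review. If the generator sorted each `related` list deterministically (by `dest-uuid`, say) before writing the cluster, re-runs against updated upstream data would no longer churn the file this way.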
@ -189,6 +185,10 @@
"dest-uuid": "7f953df5-c91f-4975-a579-2be3c89bca7e",
"type": "uses"
},
{
"dest-uuid": "40e4133b-28c2-4da7-9a6a-7392ae87f1da",
"type": "uses"
},
{
"dest-uuid": "113b8750-d166-5cac-bd26-2c82c90b9d88",
"type": "uses"
@ -205,42 +205,6 @@
"tactic_attack_id": "TA0042"
},
"related": [
{
"dest-uuid": "66ce76fb-5e1b-4462-9b46-d59bdfc6d3f3",
"type": "uses"
},
{
"dest-uuid": "c30faf84-496b-4f27-a4bc-aa36d583c69f",
"type": "uses"
},
{
"dest-uuid": "4c0db4e5-14e0-4fb7-88b0-bb391ce5ad58",
"type": "uses"
},
{
"dest-uuid": "bae33d7b-c835-4eda-b310-bf426270c0b1",
"type": "uses"
},
{
"dest-uuid": "5bcbb0c5-7061-481f-a677-09028a6c59f7",
"type": "uses"
},
{
"dest-uuid": "0f77a14a-d450-4885-b81f-23eeffa53a7e",
"type": "uses"
},
{
"dest-uuid": "3426077d-3b9c-4f77-a1c6-d68f0dea670e",
"type": "uses"
},
{
"dest-uuid": "fe96475a-3090-449d-91fd-ae73cb4d9c7c",
"type": "uses"
},
{
"dest-uuid": "be637d66-5110-4872-bc15-63b062c3f290",
"type": "uses"
},
{
"dest-uuid": "f2661f07-9027-4d19-9028-d07b7511f3d5",
"type": "uses"
@ -378,11 +342,39 @@
"type": "uses"
},
{
"dest-uuid": "60ac24aa-ce63-5c1d-8126-db20a27d85be",
"dest-uuid": "66ce76fb-5e1b-4462-9b46-d59bdfc6d3f3",
"type": "uses"
},
{
"dest-uuid": "478da817-1914-50f6-b1fd-434081a34354",
"dest-uuid": "c30faf84-496b-4f27-a4bc-aa36d583c69f",
"type": "uses"
},
{
"dest-uuid": "4c0db4e5-14e0-4fb7-88b0-bb391ce5ad58",
"type": "uses"
},
{
"dest-uuid": "bae33d7b-c835-4eda-b310-bf426270c0b1",
"type": "uses"
},
{
"dest-uuid": "5bcbb0c5-7061-481f-a677-09028a6c59f7",
"type": "uses"
},
{
"dest-uuid": "0f77a14a-d450-4885-b81f-23eeffa53a7e",
"type": "uses"
},
{
"dest-uuid": "3426077d-3b9c-4f77-a1c6-d68f0dea670e",
"type": "uses"
},
{
"dest-uuid": "fe96475a-3090-449d-91fd-ae73cb4d9c7c",
"type": "uses"
},
{
"dest-uuid": "be637d66-5110-4872-bc15-63b062c3f290",
"type": "uses"
},
{
@ -392,6 +384,14 @@
{
"dest-uuid": "f57c8d43-ca88-5351-9828-36b1937daf0e",
"type": "uses"
},
{
"dest-uuid": "60ac24aa-ce63-5c1d-8126-db20a27d85be",
"type": "uses"
},
{
"dest-uuid": "478da817-1914-50f6-b1fd-434081a34354",
"type": "uses"
}
],
"uuid": "989d09c2-12b8-4419-9b34-a328cf295fff",
@ -457,10 +457,6 @@
"dest-uuid": "9953faea-d25d-4e6e-a132-8993535c5c14",
"type": "uses"
},
{
"dest-uuid": "74b99029-3f0a-4cc8-90d6-5a6b177c06eb",
"type": "uses"
},
{
"dest-uuid": "4557bfb9-b940-49b6-b8be-571979134419",
"type": "uses"
@ -481,6 +477,10 @@
"dest-uuid": "d2a19fd8-ff9c-4f9e-9e84-ed3ea12c4b7c",
"type": "uses"
},
{
"dest-uuid": "74b99029-3f0a-4cc8-90d6-5a6b177c06eb",
"type": "uses"
},
{
"dest-uuid": "3f95e4f2-cd4a-502c-a12a-becb8d28440c",
"type": "uses"
@ -629,12 +629,16 @@
"dest-uuid": "46f60fff-71a1-4cfd-b639-71a0ac903bbb",
"type": "uses"
},
{
"dest-uuid": "6051e618-c476-41db-8b0b-0aef9d2bbbf7",
"type": "uses"
},
{
"dest-uuid": "68427c7d-f65a-4545-abfd-13d69e5e50cf",
"type": "uses"
},
{
"dest-uuid": "6051e618-c476-41db-8b0b-0aef9d2bbbf7",
"dest-uuid": "88358f1a-07b2-5d95-8ee5-4b22b7cebe5b",
"type": "uses"
},
{
@ -809,10 +813,6 @@
"dest-uuid": "b0a1ef13-0c54-47e8-a220-7543ba41a327",
"type": "uses"
},
{
"dest-uuid": "eff618a9-6498-4b01-bca1-cd5f3784fc27",
"type": "uses"
},
{
"dest-uuid": "0df21d65-c885-415a-8f91-477ae1b37839",
"type": "uses"
@ -917,6 +917,10 @@
"dest-uuid": "bd569ff9-c038-48c0-83d0-f5c784b439bc",
"type": "uses"
},
{
"dest-uuid": "eff618a9-6498-4b01-bca1-cd5f3784fc27",
"type": "uses"
},
{
"dest-uuid": "0ca28cc0-89d0-4680-baef-94d7202c6a9b",
"type": "uses"
@ -1069,10 +1073,6 @@
"dest-uuid": "62c22cc4-5643-4679-a6ae-9f6a3147d2fe",
"type": "uses"
},
{
"dest-uuid": "bce86020-2851-4b01-97a9-e51a6b23ea68",
"type": "uses"
},
{
"dest-uuid": "3c4a2f3a-5877-4a27-a417-76318523657e",
"type": "uses"
@ -1109,18 +1109,22 @@
"dest-uuid": "110c385f-9f27-4fd6-837c-6261294073ab",
"type": "uses"
},
{
"dest-uuid": "bce86020-2851-4b01-97a9-e51a6b23ea68",
"type": "uses"
},
{
"dest-uuid": "25a957d5-0c89-52a1-b446-bf993e17631c",
"type": "uses"
},
{
"dest-uuid": "6823f994-6b4e-5170-ba2b-bd4bc6f0c452",
"type": "uses"
},
{
"dest-uuid": "f1329084-6e9c-5933-83cd-56c1bf8439e3",
"type": "uses"
},
{
"dest-uuid": "1169afd3-d80d-5942-b16f-8dc1812ef6bb",
"type": "uses"
},
{
"dest-uuid": "0719ea2b-d630-5ada-9b04-c3136ff530ae",
"type": "uses"
},
{
"dest-uuid": "3d6727cd-d297-51e9-a6a2-8718284bf8e5",
"type": "uses"
@ -1132,6 +1136,14 @@
{
"dest-uuid": "2fa370dd-42be-5c10-85e8-294624c8a778",
"type": "uses"
},
{
"dest-uuid": "1169afd3-d80d-5942-b16f-8dc1812ef6bb",
"type": "uses"
},
{
"dest-uuid": "0719ea2b-d630-5ada-9b04-c3136ff530ae",
"type": "uses"
}
],
"uuid": "ec4f9786-c00c-430a-bc6d-0d0d22fdd393",
@ -1365,10 +1377,6 @@
"dest-uuid": "0ca28cc0-89d0-4680-baef-94d7202c6a9b",
"type": "uses"
},
{
"dest-uuid": "74e2b24b-3bf7-4361-bc07-983bffe674f7",
"type": "uses"
},
{
"dest-uuid": "68ffdbed-08d8-46a2-a833-984bbf0d9b4a",
"type": "uses"
@ -1465,6 +1473,10 @@
"dest-uuid": "7aae1ad0-fb1f-484a-a176-c94e4c7ada77",
"type": "uses"
},
{
"dest-uuid": "74e2b24b-3bf7-4361-bc07-983bffe674f7",
"type": "uses"
},
{
"dest-uuid": "45f107b6-ae8e-49d7-a3fc-ea6437fbac76",
"type": "uses"
@ -1529,6 +1541,22 @@
"dest-uuid": "110c385f-9f27-4fd6-837c-6261294073ab",
"type": "uses"
},
{
"dest-uuid": "25a957d5-0c89-52a1-b446-bf993e17631c",
"type": "uses"
},
{
"dest-uuid": "3d6727cd-d297-51e9-a6a2-8718284bf8e5",
"type": "uses"
},
{
"dest-uuid": "b9490b5f-645c-54a6-bf50-ad63540e6a07",
"type": "uses"
},
{
"dest-uuid": "769d2e67-5430-5fdd-9a07-d1b227110ec0",
"type": "uses"
},
{
"dest-uuid": "71867386-ddc2-4cdb-a0c9-7c27172c23c1",
"type": "uses"
@ -1560,18 +1588,6 @@
{
"dest-uuid": "15660958-1f4f-4136-8cda-82123fd38232",
"type": "uses"
},
{
"dest-uuid": "3d6727cd-d297-51e9-a6a2-8718284bf8e5",
"type": "uses"
},
{
"dest-uuid": "b9490b5f-645c-54a6-bf50-ad63540e6a07",
"type": "uses"
},
{
"dest-uuid": "769d2e67-5430-5fdd-9a07-d1b227110ec0",
"type": "uses"
}
],
"uuid": "b17dde68-dbcf-4cfd-9bb8-be014ec65c37",
@ -1597,10 +1613,6 @@
"dest-uuid": "5652575d-cdb9-44ef-9c32-fff038f15444",
"type": "uses"
},
{
"dest-uuid": "81564f1d-9c72-4d03-8561-b0d255f76c5f",
"type": "uses"
},
{
"dest-uuid": "852748c2-280b-41e8-ba87-d97ec9fade70",
"type": "uses"
@ -1693,6 +1705,10 @@
"dest-uuid": "026c9281-07f1-4358-96d3-151fed76b1fe",
"type": "uses"
},
{
"dest-uuid": "81564f1d-9c72-4d03-8561-b0d255f76c5f",
"type": "uses"
},
{
"dest-uuid": "2f32c30e-b79a-497a-b05f-ab8bd93aa689",
"type": "uses"
@ -1857,10 +1873,6 @@
"dest-uuid": "6c55cf9c-0259-4ba0-9574-e90f6c88e6fd",
"type": "uses"
},
{
"dest-uuid": "b0d884c3-cf87-4610-992d-4ec54c667759",
"type": "uses"
},
{
"dest-uuid": "fc34e661-55c3-47be-a368-c2f5776cdd17",
"type": "uses"
@ -1949,6 +1961,14 @@
"dest-uuid": "49749e13-48ed-49fc-82d1-13ae13b457c1",
"type": "uses"
},
{
"dest-uuid": "fbc49122-feae-52bf-9b96-93594cb5a01d",
"type": "uses"
},
{
"dest-uuid": "b0d884c3-cf87-4610-992d-4ec54c667759",
"type": "uses"
},
{
"dest-uuid": "2afcdcd1-ce55-4837-a84d-8279bc10f948",
"type": "uses"
@ -2117,10 +2137,6 @@
"dest-uuid": "3a956db0-a3f0-442a-a981-db2ee20d60b2",
"type": "uses"
},
{
"dest-uuid": "bd52a415-2b7a-4048-84bf-b20f385b357e",
"type": "uses"
},
{
"dest-uuid": "1e3d9e0a-6744-44e4-836d-1db38a4cc99c",
"type": "uses"
@ -2205,6 +2221,18 @@
"dest-uuid": "33486e3e-1104-42d0-8053-34c8c9c4d10f",
"type": "uses"
},
{
"dest-uuid": "81070f84-0835-5fdf-bcbb-4e16252dc2f0",
"type": "uses"
},
{
"dest-uuid": "67a83337-b17a-5413-a506-d84306cc0dfb",
"type": "uses"
},
{
"dest-uuid": "bd52a415-2b7a-4048-84bf-b20f385b357e",
"type": "uses"
},
{
"dest-uuid": "7851bfe7-f149-47f5-9970-66d7cc4fdbe6",
"type": "uses"
@ -2301,6 +2329,18 @@
"dest-uuid": "110c385f-9f27-4fd6-837c-6261294073ab",
"type": "uses"
},
{
"dest-uuid": "967b85c4-cfa7-520c-819b-4f7e36562589",
"type": "uses"
},
{
"dest-uuid": "d9ee3cf6-5852-5896-851d-28f751f5bf3c",
"type": "uses"
},
{
"dest-uuid": "3fee577e-dad0-53a5-9d58-6049cb5a70e5",
"type": "uses"
},
{
"dest-uuid": "c41cb2d3-ff4c-5ee7-99b9-8a3d7987c9bf",
"type": "uses"
@ -2321,30 +2361,6 @@
"dest-uuid": "d8406198-626c-5659-945e-2b5105fcd0c9",
"type": "uses"
},
{
"dest-uuid": "ed511983-98ef-572f-b5fc-0687f48467e0",
"type": "uses"
},
{
"dest-uuid": "9e55bc80-a187-58f7-a687-d37bbd618db7",
"type": "uses"
},
{
"dest-uuid": "d9eb2887-840e-5ed7-bb4b-3b210f4147f9",
"type": "uses"
},
{
"dest-uuid": "448dc009-2d3f-5480-aba3-0d80dc4336cd",
"type": "uses"
},
{
"dest-uuid": "e2911337-76ed-5834-b621-bb2b9a4205ee",
"type": "uses"
},
{
"dest-uuid": "20417e43-6ffa-5d36-a2ef-e27cd5a4b8f1",
"type": "uses"
},
{
"dest-uuid": "04e8e75c-434e-51e0-9780-580a3823a8cb",
"type": "uses"
@ -2376,6 +2392,30 @@
{
"dest-uuid": "769d2e67-5430-5fdd-9a07-d1b227110ec0",
"type": "uses"
},
{
"dest-uuid": "ed511983-98ef-572f-b5fc-0687f48467e0",
"type": "uses"
},
{
"dest-uuid": "9e55bc80-a187-58f7-a687-d37bbd618db7",
"type": "uses"
},
{
"dest-uuid": "d9eb2887-840e-5ed7-bb4b-3b210f4147f9",
"type": "uses"
},
{
"dest-uuid": "448dc009-2d3f-5480-aba3-0d80dc4336cd",
"type": "uses"
},
{
"dest-uuid": "e2911337-76ed-5834-b621-bb2b9a4205ee",
"type": "uses"
},
{
"dest-uuid": "20417e43-6ffa-5d36-a2ef-e27cd5a4b8f1",
"type": "uses"
}
],
"uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
@ -2389,6 +2429,34 @@
"tactic_attack_id": "TA0006"
},
"related": [
{
"dest-uuid": "e63414a7-c6f7-4bcf-a6eb-25b0c4ddbb2a",
"type": "uses"
},
{
"dest-uuid": "f516ecd7-a6a6-4018-8e58-c007be05bdce",
"type": "uses"
},
{
"dest-uuid": "28fd13d1-b555-47fa-9d47-caf6b1367ace",
"type": "uses"
},
{
"dest-uuid": "6f6b88df-039c-4b69-87e0-97dfabbb49d8",
"type": "uses"
},
{
"dest-uuid": "195aa08b-15fd-4019-b905-8f31bc5e2094",
"type": "uses"
},
{
"dest-uuid": "d049bae1-29f3-5f7d-ba6a-08b1227d5b72",
"type": "uses"
},
{
"dest-uuid": "ca544853-bda2-554a-b7c4-c239760e56a2",
"type": "uses"
},
{
"dest-uuid": "d98dbf30-c454-42ff-a9f3-2cd3319cc0d9",
"type": "uses"
@ -2465,46 +2533,6 @@
"dest-uuid": "888e603b-ca97-4671-aa43-a25248fc9fc8",
"type": "uses"
},
{
"dest-uuid": "0fef0394-7cf6-4797-8a5e-1cbfd31ee501",
"type": "uses"
},
{
"dest-uuid": "a0bb264e-8617-4ae6-bafd-f52b36c63d12",
"type": "uses"
},
{
"dest-uuid": "02ed857b-ba39-4fab-b1d9-3ed2aa689dfd",
"type": "uses"
},
{
"dest-uuid": "b0a1ef13-0c54-47e8-a220-7543ba41a327",
"type": "uses"
},
{
"dest-uuid": "b4a1cbaa-85d1-4a65-977f-494f66a141e3",
"type": "uses"
},
{
"dest-uuid": "52dabfcc-b7a4-4334-9014-ab9d82f5527b",
"type": "uses"
},
{
"dest-uuid": "e493bf4a-0eba-4e60-a7a6-c699084dc98a",
"type": "uses"
},
{
"dest-uuid": "b44a263f-76b2-4a1f-baeb-dd285974eca6",
"type": "uses"
},
{
"dest-uuid": "ab0da102-5a14-42b1-969e-5d3daefdf0c5",
"type": "uses"
},
{
"dest-uuid": "e63414a7-c6f7-4bcf-a6eb-25b0c4ddbb2a",
"type": "uses"
},
{
"dest-uuid": "34674b83-86a7-4ad9-8b05-49b505aa5ef0",
"type": "uses"
@ -2618,19 +2646,39 @@
"type": "uses"
},
{
"dest-uuid": "f516ecd7-a6a6-4018-8e58-c007be05bdce",
"dest-uuid": "0fef0394-7cf6-4797-8a5e-1cbfd31ee501",
"type": "uses"
},
{
"dest-uuid": "28fd13d1-b555-47fa-9d47-caf6b1367ace",
"dest-uuid": "a0bb264e-8617-4ae6-bafd-f52b36c63d12",
"type": "uses"
},
{
"dest-uuid": "6f6b88df-039c-4b69-87e0-97dfabbb49d8",
"dest-uuid": "02ed857b-ba39-4fab-b1d9-3ed2aa689dfd",
"type": "uses"
},
{
"dest-uuid": "195aa08b-15fd-4019-b905-8f31bc5e2094",
"dest-uuid": "b0a1ef13-0c54-47e8-a220-7543ba41a327",
"type": "uses"
},
{
"dest-uuid": "b4a1cbaa-85d1-4a65-977f-494f66a141e3",
"type": "uses"
},
{
"dest-uuid": "52dabfcc-b7a4-4334-9014-ab9d82f5527b",
"type": "uses"
},
{
"dest-uuid": "e493bf4a-0eba-4e60-a7a6-c699084dc98a",
"type": "uses"
},
{
"dest-uuid": "b44a263f-76b2-4a1f-baeb-dd285974eca6",
"type": "uses"
},
{
"dest-uuid": "ab0da102-5a14-42b1-969e-5d3daefdf0c5",
"type": "uses"
},
{
@ -2642,11 +2690,11 @@
"type": "uses"
},
{
"dest-uuid": "260571a6-3c08-5419-98c5-3fa1aa8e675d",
"dest-uuid": "2fa370dd-42be-5c10-85e8-294624c8a778",
"type": "uses"
},
{
"dest-uuid": "2fa370dd-42be-5c10-85e8-294624c8a778",
"dest-uuid": "260571a6-3c08-5419-98c5-3fa1aa8e675d",
"type": "uses"
}
],
@ -2669,10 +2717,6 @@
"dest-uuid": "41c4b4cc-99da-4323-b0f4-229906578501",
"type": "uses"
},
{
"dest-uuid": "3f926f8f-7b47-4a7d-976a-269704a6bc5c",
"type": "uses"
},
{
"dest-uuid": "f9d61206-3063-4d04-b06f-225f4766bff1",
"type": "uses"
@ -2753,6 +2797,10 @@
"dest-uuid": "93bd112e-9494-4b60-bdc5-8b610c7ebe21",
"type": "uses"
},
{
"dest-uuid": "3f926f8f-7b47-4a7d-976a-269704a6bc5c",
"type": "uses"
},
{
"dest-uuid": "1492c4ba-c933-47b8-953d-6de3db8cfce8",
"type": "uses"
@ -2833,10 +2881,6 @@
"dest-uuid": "2e634ff1-a4ea-41b4-8ee9-23db4627a986",
"type": "uses"
},
{
"dest-uuid": "70ffc700-eb9b-54d7-8fd4-564bd71a6434",
"type": "uses"
},
{
"dest-uuid": "4c7c0caa-b9bc-5d63-b5c3-812fdf3bba8a",
"type": "uses"
@ -2844,6 +2888,10 @@
{
"dest-uuid": "309c7c8b-c366-5762-8611-136971ac4eb4",
"type": "uses"
},
{
"dest-uuid": "70ffc700-eb9b-54d7-8fd4-564bd71a6434",
"type": "uses"
}
],
"uuid": "ee7e5a85-a940-46e4-b408-12956f3baafa",
@ -2954,7 +3002,7 @@
"value": "Lateral Movement"
},
{
"description": "The adversary is trying to gather data of interest to their goal.\n\nCollection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary's objectives. Frequently, the next goal after collecting data is to steal (exfiltrate) the data. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input.",
"description": "The adversary is trying to gather data of interest to their goal.\n\nCollection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary's objectives. Frequently, the next goal after collecting data is to either steal (exfiltrate) the data or to use the data to gain more information about the target environment. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input.",
"meta": {
"ordinal_position": "11",
"source": "MITRE",
@ -3057,6 +3105,18 @@
"dest-uuid": "34674b83-86a7-4ad9-8b05-49b505aa5ef0",
"type": "uses"
},
{
"dest-uuid": "ca544853-bda2-554a-b7c4-c239760e56a2",
"type": "uses"
},
{
"dest-uuid": "4562d25c-b3a8-582a-9a04-ff5f510ded7f",
"type": "uses"
},
{
"dest-uuid": "4d893ef6-a30e-5283-b47b-31d17ac427be",
"type": "uses"
},
{
"dest-uuid": "0c81e13a-3608-4171-8075-9f70b2934028",
"type": "uses"
@ -3121,6 +3181,10 @@
"tactic_attack_id": "TA0011"
},
"related": [
{
"dest-uuid": "1637efc5-85cc-515c-8244-fa973b0d69a6",
"type": "uses"
},
{
"dest-uuid": "f0dd515b-51cf-4853-a20c-02226d099ee0",
"type": "uses"
@ -3366,11 +3430,11 @@
"type": "uses"
},
{
"dest-uuid": "8b6743e7-e856-5772-8b38-2c002602b365",
"dest-uuid": "4c34fe8b-ea13-55f9-9a2f-5948e2a2ecca",
"type": "uses"
},
{
"dest-uuid": "4c34fe8b-ea13-55f9-9a2f-5948e2a2ecca",
"dest-uuid": "8b6743e7-e856-5772-8b38-2c002602b365",
"type": "uses"
}
],
@ -3489,6 +3553,26 @@
"dest-uuid": "24787dca-6afd-4ab3-ab6c-32e9486ec418",
"type": "uses"
},
{
"dest-uuid": "4a4a4fc9-88bc-500e-ae0e-db0d5f1f5503",
"type": "uses"
},
{
"dest-uuid": "7683b3ab-64c0-539a-8c37-d5fa4cb6b2a8",
"type": "uses"
},
{
"dest-uuid": "99360c91-8f86-544f-8689-494ad62c1890",
"type": "uses"
},
{
"dest-uuid": "1471c62a-d480-5234-801d-ac228fd7a31c",
"type": "uses"
},
{
"dest-uuid": "c7e3f0b5-f25e-5a99-9831-f8fd21ee3d22",
"type": "uses"
},
{
"dest-uuid": "b9c9fd13-c10c-5e78-aeeb-ac18dc0605f9",
"type": "uses"

File diff suppressed because it is too large