diff --git a/clusters/microsoft-activity-group.json b/clusters/microsoft-activity-group.json
index 3d97ff3..1927f89 100644
--- a/clusters/microsoft-activity-group.json
+++ b/clusters/microsoft-activity-group.json
@@ -287,7 +287,17 @@
 },
 "uuid": "99e708f7-1c01-467d-b0da-f6cebd434abc",
 "value": "GADOLINIUM"
+ },
+ {
+ "description": "HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA. In campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets’ environments. HAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.",
+ "meta": {
+ "refs": [
+ "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/"
+ ]
+ },
+ "uuid": "fbb66d6c-0faa-49cc-8aa3-2f9bd4e9c298",
+ "value": "HAFNIUM"
 }
 ],
- "version": 9
+ "version": 10
 }
diff --git a/clusters/mitre-ics-tactics.json b/clusters/mitre-ics-tactics.json
index 8cb8cae..56102ce 100644
--- a/clusters/mitre-ics-tactics.json
+++ b/clusters/mitre-ics-tactics.json
@@ -271,7 +271,7 @@
 ]
 },
 "uuid": "2366ffb0-91ba-4b8e-bfad-d460c98d43a8",
- "value": "Innitial Access"
+ "value": "Initial Access"
 }
 ],
 "version": 1
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index f881244..a137f2d 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
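Review bot: The HAFNIUM entry added at -287 (uuid fbb66d6c-0faa-49cc-8aa3-2f9bd4e9c298) duplicates the HAFNIUM entry this same commit adds to clusters/threat-actor.json under uuid 4f05d6c1-3fc1-4567-91cd-dd4637cc38b5, with a different description and ref list and no `related` link on either side, so the two will drift apart. If both are intended, connect them, e.g. `"related": [{"dest-uuid": "4f05d6c1-3fc1-4567-91cd-dd4637cc38b5", "type": "similar"}]` on this entry, and keep the ref URL form consistent (here it ends with a slash, in threat-actor.json it does not). The clause "In campaigns unrelated to these vulnerabilities" has no referent inside this entry — it points at the Exchange Server vulnerabilities the cited March 2021 post is about — so either name them in the description or drop the clause.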
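Review bot: The `"value"` correction at -271 in clusters/mitre-ics-tactics.json renames an entry but leaves `"version": 1` untouched, while every other cluster file in this commit bumps its version; a consumer that only refreshes a cluster when its version rises will keep "Innitial Access". Bump it to `"version": 2`. If tags are derived from `value`, anything already tagged with the misspelt name will stop matching — I cannot see that from here, but it deserves a line in the commit message.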
@@ -13420,7 +13420,7 @@
 "https://www.fortinet.com/blog/threat-research/analysis-of-new-globeimposter-ransomware-variant.html"
 ]
 },
- "uuid": "8cfa694c-2e6b-310a-728f-027d981870b2",
+ "uuid": "a4631cef-dc51-4bee-a51f-3f1ea75ff201",
 "value": "GlobeImposter"
 },
 {
@@ -13432,7 +13432,7 @@
 "https://spyware-techie.com/blackworm-ransomware-removal-guide"
 ]
 },
- "uuid": "8cfa694a-2e5b-300a-727f-027d881870b2",
+ "uuid": "457e9a45-607e-41ef-8ad1-bf8684722445",
 "value": "BlackWorm"
 },
 {
@@ -13444,7 +13444,7 @@
 "https://malware.wikia.org/wiki/Tellyouthepass"
 ]
 },
- "uuid": "7cfa694a-1e5b-300a-627f-027d881870b1",
+ "uuid": "c6ca9b44-d0cd-40c9-9d00-39e0f7bcae79",
 "value": "Tellyouthepass"
 },
 {
@@ -13455,7 +13455,7 @@
 "https://www.2-spyware.com/remove-bigbobross-ransomware.html"
 ]
 },
- "uuid": "8cfa684a-1e4b-309a-617f-026d881870b1",
+ "uuid": "5d3fc33b-8e90-4d9d-8f45-f047264ce8cb",
 "value": "BigBobRoss"
 },
 {
@@ -13466,7 +13466,7 @@
 "https://www.pcrisk.com/removal-guides/12121-planetary-ransomware"
 ]
 },
- "uuid": "6cfa664a-1e2b-329a-607f-026d781870b1",
+ "uuid": "7c742031-6b3d-4c3a-8b36-9154a6dc7b30",
 "value": "Planetary"
 },
 {
@@ -13483,7 +13483,7 @@
 "Cripttor"
 ]
 },
- "uuid": "8cfa554a-1e1b-328a-606f-026d771870b1",
+ "uuid": "e19d92d7-cf17-4b2b-8ec2-1efc6df2fa1e",
 "value": "Cr1ptT0r"
 },
 {
@@ -13508,7 +13508,7 @@
 "https://www.zdnet.com/article/new-phobos-ransomware-exploits-weak-security-to-hit-targets-around-the-world/"
 ]
 },
- "uuid": "6cfa554a-1e1b-327a-605f-025d761570b1",
+ "uuid": "d2c7fb08-293e-453b-a213-adeb79505767",
 "value": "Phobos"
 },
 {
@@ -13520,7 +13520,7 @@
 "https://www.ehackingnews.com/2019/05/getcrypt-ransomware-modus-operandi-and.html"
 ]
 },
- "uuid": "6cfa553a-1e1b-115a-401f-015d681470b1",
+ "uuid": "7c9df1bd-9212-4ce3-b407-636e41bc4eea",
 "value": "GetCrypt"
 },
 {
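Review bot: Every hunk here swaps the uuid of an existing entry (GlobeImposter, BlackWorm, Tellyouthepass, BigBobRoss, Planetary, Cr1ptT0r, Phobos, GetCrypt), as do the Nemty–FTCode hunks that follow and the Vidar and Ave Maria hunks in clusters/stealer.json, and nothing in the commit says why or records an old→new mapping. The old values are not RFC 4122 identifiers — the fourth group begins with `7` (e.g. `728f`) where the variant nibble must be 8, 9, a or b — so regenerating them is presumably the intent, but any downstream instance or tag that stored an old value loses the link, so the commit message should state the reason and list the mapping. Only the Maze references are rewired in this diff (the three `dest-uuid` hunks at -13937, -14106 and -14141); whether any of the other old uuids is referenced elsewhere in the cluster files is not visible here and should be checked before merging.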
@@ -13532,7 +13532,7 @@
 "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/nemty-ransomware-possibly-spreads-through-exposed-remote-desktop-connections"
 ]
 },
- "uuid": "6cfa554a-1e2b-115a-400f-014d671470b1",
+ "uuid": "5fb75933-1ed5-4512-a062-d39865eedab0",
 "value": "Nemty"
 },
 {
@@ -13542,7 +13542,7 @@
 "https://www.acronis.com/en-us/blog/posts/meet-buran-new-delphi-ransomware-delivered-rig-exploit-kit"
 ]
 },
- "uuid": "6cfa554a-1e1b-114a-300f-013d671370b0",
+ "uuid": "a92b2165-29e7-463a-b3d5-c8b7d8a25f65",
 "value": "Buran"
 },
 {
@@ -13552,7 +13552,7 @@
 "https://securitynews.sonicwall.com/xmlpost/hildacrypt-ransomware-actively-spreading-in-the-wild/"
 ]
 },
- "uuid": "6cea5549-1d1b-111a-309f-012d671360b1",
+ "uuid": "25fcb177-7219-4414-b5de-8aeb2e6d146f",
 "value": "Hildacrypt"
 },
 {
@@ -13568,7 +13568,7 @@
 "Sherminator"
 ]
 },
- "uuid": "7cea4438-1d1c-121a-30af-011d661260b2",
+ "uuid": "2e8aa6da-00b1-4222-b212-c48a7348893c",
 "value": "Mr.Dec"
 },
 {
@@ -13582,7 +13582,7 @@
 "Freezing"
 ]
 },
- "uuid": "4cea4448-1d3c-111a-40af-011d461260b4",
+ "uuid": "9b074569-b90c-44e6-b9b2-e6e19a48118d",
 "value": "Freeme"
 },
 {
@@ -13594,7 +13594,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer"
 ]
 },
- "uuid": "5cea5548-1e3c-222a-3faf-022d461260b5",
+ "uuid": "3d8989dc-9a10-4cae-ab24-ff0abed487f4",
 "value": "DoppelPaymer"
 },
 {
@@ -13605,7 +13605,7 @@
 "https://id-ransomware.blogspot.com/2019/01/unnamed-desync-ransomware.html"
 ]
 },
- "uuid": "6cea5546-1e2c-333a-4faf-033d461360b5",
+ "uuid": "e5288fc1-ff2a-4992-a1fb-6a8ef612de51",
 "value": "Desync"
 },
 {
@@ -13627,7 +13627,6 @@
 "type": "related-to"
 }
 ],
- "uuid": "7cea8846-1f3d-331a-3ebf-055d452351b6",
 "value": "Maze"
 },
 {
@@ -13660,7 +13659,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.ftcode"
 ]
 },
- "uuid": "7cea9946-1f4d-441a-4ebf-044d442454b6",
+ "uuid": "6f9b7c54-45fa-422c-97f0-0f0c015e3c4e",
 "value": "FTCode"
 },
 {
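Review bot: The hunk at -13627 removes Maze's `"uuid"` line without adding a replacement, yet the three `dest-uuid` hunks later in this file now point at `5d999c23-11cf-4dee-84bb-f447a4f70dc8`, a value that appears nowhere else in the diff. If the Maze object carries another `"uuid"` key above this hunk — i.e. the removed line was a duplicate key, which strict JSON forbids and parsers resolve unpredictably — the removal is correct and the commit message should say so; if not, Maze ends up with no uuid at all and the three references dangle. The enclosing object starts outside the hunk, so I cannot tell which case applies from here.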
@@ -13937,7 +13936,7 @@
 "type": "variant-of"
 },
 {
- "dest-uuid": "7cea8846-1f3d-331a-3ebf-055d452351b6",
+ "dest-uuid": "5d999c23-11cf-4dee-84bb-f447a4f70dc8",
 "tags": [
 "estimative-language:likelihood-probability=\"likely\""
 ],
@@ -14106,7 +14105,7 @@
 "type": "similar"
 },
 {
- "dest-uuid": "7cea8846-1f3d-331a-3ebf-055d452351b6",
+ "dest-uuid": "5d999c23-11cf-4dee-84bb-f447a4f70dc8",
 "tags": [
 "estimative-language:likelihood-probability=\"likely\""
 ],
@@ -14141,7 +14140,7 @@
 "type": "similar"
 },
 {
- "dest-uuid": "7cea8846-1f3d-331a-3ebf-055d452351b6",
+ "dest-uuid": "5d999c23-11cf-4dee-84bb-f447a4f70dc8",
 "tags": [
 "estimative-language:likelihood-probability=\"likely\""
 ],
@@ -14152,5 +14151,5 @@
 "value": "Sekhmet"
 }
 ],
- "version": 93
+ "version": 94
 }
diff --git a/clusters/stealer.json b/clusters/stealer.json
index 105639f..117d4f8 100644
--- a/clusters/stealer.json
+++ b/clusters/stealer.json
@@ -63,7 +63,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar"
 ]
 },
- "uuid": "a646edaa-4c6f-3a79-7a6c-143535259e15",
+ "uuid": "045ab0d5-2f08-4fcd-af47-81c1143fa5fb",
 "value": "Vidar"
 },
 {
@@ -74,9 +74,9 @@
 "https://blog.yoroi.company/research/the-ave_maria-malware/"
 ]
 },
- "uuid": "a546edaa-4c6f-2a79-7a6c-133535249e14",
+ "uuid": "f3413f6c-5c3a-4df0-bbb5-2dbdf4d68c4c",
 "value": "Ave Maria"
 }
 ],
- "version": 6
+ "version": 7
 }
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index f4b605e..857c60f 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -4308,9 +4308,12 @@
 "cfr-type-of-incident": "Espionage",
 "country": "IR",
 "refs": [
+ "https://www.intezer.com/prince-of-persia-the-sands-of-foudre/",
+ "https://www.freebuf.com/articles/network/105726.html",
 "https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf",
 "https://iranthreats.github.io/",
 "http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/",
+ "http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/",
 "https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/",
 "https://www.cfr.org/interactive/cyber-operations/prince-persia",
 "https://unit42.paloaltonetworks.com/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/",
@@ -4318,7 +4321,8 @@
 ],
 "synonyms": [
 "Operation Mermaid",
- "Prince of Persia"
+ "Prince of Persia",
+ "Foudre"
 ]
 },
 "uuid": "1671be1b-c844-48f5-84c8-54ac4fe4d71e",
@@ -4774,7 +4778,8 @@
 ],
 "synonyms": [
 "CactusPete",
- "Karma Panda"
+ "Karma Panda",
+ "BRONZE HUNTLEY"
 ]
 },
 "uuid": "0ab7c8de-fc23-4793-99aa-7ee336199e26",
@@ -7951,7 +7956,10 @@
 " https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html"
 ],
 "synonyms": [
- "RAZOR TIGER"
+ "RAZOR TIGER",
+ "Rattlesnake",
+ "APT-C-17",
+ "T-APT-04"
 ]
 },
 "related": [
@@ -8008,21 +8016,6 @@
 "uuid": "947a450a-df6c-4c2e-807b-0da8ecea1d26",
 "value": "Attor"
 },
- {
- "description": "DePriMon is an unusually advanced downloader whose developers have put extra effort into setting up the architecture and crafting the critical components.",
- "meta": {
- "cfr-target-category": [
- "Private sector",
- "Finance"
- ],
- "cfr-type-of-incident": "Espionage",
- "refs": [
- "https://www.welivesecurity.com/2019/11/21/deprimon-default-print-monitor-malicious-downloader"
- ]
- },
- "uuid": "443faf38-ad93-4421-8a53-47ad84b195fa",
- "value": "DePriMon"
- },
 {
 "description": "According to 360 TIC the actor has carried out continuous cyber espionage activities since 2011 on key units and departments of the Chinese government, military industry, scientific research, and finance. The organization focuses on information related to the nuclear industry and scientific research. The targets were mainly concentrated in mainland China...[M]ore than 670 malware samples have been collected from the group, including more than 60 malicious plugins specifically for lateral movement; more than 40 C2 domain names and IPs related to the organization have also been discovered.",
 "meta": {
@@ -8447,10 +8440,14 @@
 "https://news.sophos.com/en-us/2020/12/21/how-sunburst-malware-does-defense-evasion/",
 "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/",
 "https://pastebin.com/6EDgCKxd",
- "https://github.com/fireeye/sunburst_countermeasures"
+ "https://github.com/fireeye/sunburst_countermeasures",
+ "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware",
+ "https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html"
 ],
 "synonyms": [
- "DarkHalo"
+ "DarkHalo",
+ "StellarParticle",
+ "NOBELIUM"
 ]
 },
 "uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b",
@@ -8473,7 +8470,34 @@
 },
 "uuid": "27de6a09-844b-4dcb-9ff9-7292aad826ba",
 "value": "TeamTNT"
+ },
+ {
+ "description": "HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures. HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.In campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets’ environments. 
HAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.",
+ "meta": {
+ "refs": [
+ "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers",
+ "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
+ "https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html",
+ "https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers",
+ "https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day",
+ "https://twitter.com/ESETresearch/status/1366862946488451088",
+ "https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-062a",
+ "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289",
+ "https://github.com/microsoft/CSS-Exchange/tree/main/Security",
+ "https://github.com/cert-lv/exchange_webshell_detection",
+ "https://www.crowdstrike.com/blog/falcon-complete-stops-microsoft-exchange-server-zero-day-exploits",
+ "https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021",
+ "https://pastebin.com/J4L3r2RS",
+ "https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers",
+ "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Execution/exchange-iis-worker-dropping-webshell.md",
+ "https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server",
+ "https://www.nextron-systems.com/2021/03/06/scan-for-hafnium-exploitation-evidence-with-thor-lite"
+ ]
+ },
+ "uuid": "4f05d6c1-3fc1-4567-91cd-dd4637cc38b5",
+ "value": "HAFNIUM"
 }
 ],
- "version": 198
+ "version": 199
 }
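Review bot: In the HAFNIUM description added at -8473, `MEGA.In campaigns` is missing a space after the full stop, and the break shown before `HAFNIUM operates` needs confirming: the header's +34 count only adds up if the description is a single line, so this is presumably an escaped or rendered newline, but a raw newline inside a string would make the file invalid JSON. The refs mix primary sources with a reddit thread, a tweet and a pastebin paste; the paste in particular is unlikely to stay reachable, so consider keeping only the durable references. Separately, the hunk at -8008 deletes the DePriMon entry (uuid 443faf38-ad93-4421-8a53-47ad84b195fa) and nothing else in this diff re-homes it, so any reference to that uuid now dangles unless the entry lives in a cluster file not shown here — the commit message should say where it went.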
diff --git a/clusters/tool.json b/clusters/tool.json
index 4bab6de..eaf3961 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -8221,7 +8221,78 @@
 "related": [],
 "uuid": "e1bfe1d9-190c-4cf4-aec8-a8f2c41c7d8b",
 "value": "HyperBro"
+ },
+ {
+ "description": "SUNSPOT is StellarParticle’s malware used to insert the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product.",
+ "meta": {
+ "refs": [
+ "https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/"
+ ]
+ },
+ "uuid": "d9b2305e-9802-483c-a95d-2ae8525c7704",
+ "value": "SUNSPOT"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://www.clearskysec.com/cedar/"
+ ],
+ "type": [
+ "webshell"
+ ]
+ },
+ "related": [],
+ "uuid": "1974ea65-7312-4d91-a592-649983b46554",
+ "value": "Caterpillar WebShell"
+ },
+ {
+ "description": "The P.A.S. webshell was developed by an ukrainian student, Jaroslav Volodimirovich Panchenko, who used the nick-name Profexer. It was developed in PHP and features a characteristic password-based encryption. This tool was available through a form on his website, where a user had to provide a password to receive a custom webshell. The form suggested a donation to the developer. It was commonly used, including during a WORDPRESS website attack.",
+ "meta": {
+ "refs": [
+ "https://us-cert.cisa.gov/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf"
+ ],
+ "synonyms": [
+ "Fobushell"
+ ],
+ "type": [
+ "webshell"
+ ]
+ },
+ "related": [],
+ "uuid": "6baa1f46-daa9-4f40-952b-ec613c835abb",
+ "value": "P.A.S. webshell"
+ },
+ {
+ "description": "Exaramel is a backdoor first publicly reported by ESET in 2018. 
Two samples were identified, one targeting the WINDOWS operating system and the other targeting LINUX operating systems.",
+ "meta": {
+ "refs": [
+ "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf"
+ ],
+ "type": [
+ "backdoor"
+ ]
+ },
+ "related": [],
+ "uuid": "95174297-6dff-47d9-bcb9-263f9b2efcfb",
+ "value": "Exaramel"
+ },
+ {
+ "description": "RDAT is a backdoor used by the suspected Iranian threat group OilRig. RDAT was originally identified in 2017 and targeted companies in the telecommunications sector.",
+ "meta": {
+ "refs": [
+ "https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/"
+ ],
+ "type": [
+ "backdoor"
+ ]
+ },
+ "related": [],
+ "uuid": "d357a6ff-00e5-4fcc-8b9e-4a9d98a736e7",
+ "value": "RDAT"
 }
 ],
- "version": 140
+ "version": 144
 }
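Review bot: `Caterpillar WebShell` is added with `"description": ""`; an empty string is neither a description nor an omitted field, and the other four entries in this hunk fill it, so either write a one-line summary from the cited ClearSky report or drop the key. `SUNSPOT` is described as StellarParticle's malware, and this same commit adds StellarParticle as a synonym of actor entry 2ee5ed7a-c4d0-40be-a837-20817474a15b in clusters/threat-actor.json, yet SUNSPOT is the only new entry without a `related` array (it also lacks the `type` list in `meta` the other four carry); `"related": [{"dest-uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b", "type": "related-to"}]` would record that link. The break shown inside the Exaramel description is presumably an escaped or rendered newline — the header's +78 count only adds up if that description is one line — but confirm it is not a raw newline, which strict JSON rejects. `"version"` jumps from 140 to 144 in a single commit while every other file here bumps by one; fine if deliberate, but worth checking it is not a merge artefact.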