This commit is contained in:
Delta-Sierra 2021-03-11 10:35:05 +01:00
commit c37befc8a9
6 changed files with 152 additions and 48 deletions

View file

@ -287,7 +287,17 @@
}, },
"uuid": "99e708f7-1c01-467d-b0da-f6cebd434abc", "uuid": "99e708f7-1c01-467d-b0da-f6cebd434abc",
"value": "GADOLINIUM" "value": "GADOLINIUM"
},
{
"description": "HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once theyve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA. In campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets environments. HAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.",
"meta": {
"refs": [
"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/"
]
},
"uuid": "fbb66d6c-0faa-49cc-8aa3-2f9bd4e9c298",
"value": "HAFNIUM"
} }
], ],
"version": 9 "version": 10
} }

View file

@ -271,7 +271,7 @@
] ]
}, },
"uuid": "2366ffb0-91ba-4b8e-bfad-d460c98d43a8", "uuid": "2366ffb0-91ba-4b8e-bfad-d460c98d43a8",
"value": "Innitial Access" "value": "Initial Access"
} }
], ],
"version": 1 "version": 1

View file

@ -13420,7 +13420,7 @@
"https://www.fortinet.com/blog/threat-research/analysis-of-new-globeimposter-ransomware-variant.html" "https://www.fortinet.com/blog/threat-research/analysis-of-new-globeimposter-ransomware-variant.html"
] ]
}, },
"uuid": "8cfa694c-2e6b-310a-728f-027d981870b2", "uuid": "a4631cef-dc51-4bee-a51f-3f1ea75ff201",
"value": "GlobeImposter" "value": "GlobeImposter"
}, },
{ {
@ -13432,7 +13432,7 @@
"https://spyware-techie.com/blackworm-ransomware-removal-guide" "https://spyware-techie.com/blackworm-ransomware-removal-guide"
] ]
}, },
"uuid": "8cfa694a-2e5b-300a-727f-027d881870b2", "uuid": "457e9a45-607e-41ef-8ad1-bf8684722445",
"value": "BlackWorm" "value": "BlackWorm"
}, },
{ {
@ -13444,7 +13444,7 @@
"https://malware.wikia.org/wiki/Tellyouthepass" "https://malware.wikia.org/wiki/Tellyouthepass"
] ]
}, },
"uuid": "7cfa694a-1e5b-300a-627f-027d881870b1", "uuid": "c6ca9b44-d0cd-40c9-9d00-39e0f7bcae79",
"value": "Tellyouthepass" "value": "Tellyouthepass"
}, },
{ {
@ -13455,7 +13455,7 @@
"https://www.2-spyware.com/remove-bigbobross-ransomware.html" "https://www.2-spyware.com/remove-bigbobross-ransomware.html"
] ]
}, },
"uuid": "8cfa684a-1e4b-309a-617f-026d881870b1", "uuid": "5d3fc33b-8e90-4d9d-8f45-f047264ce8cb",
"value": "BigBobRoss" "value": "BigBobRoss"
}, },
{ {
@ -13466,7 +13466,7 @@
"https://www.pcrisk.com/removal-guides/12121-planetary-ransomware" "https://www.pcrisk.com/removal-guides/12121-planetary-ransomware"
] ]
}, },
"uuid": "6cfa664a-1e2b-329a-607f-026d781870b1", "uuid": "7c742031-6b3d-4c3a-8b36-9154a6dc7b30",
"value": "Planetary" "value": "Planetary"
}, },
{ {
@ -13483,7 +13483,7 @@
"Cripttor" "Cripttor"
] ]
}, },
"uuid": "8cfa554a-1e1b-328a-606f-026d771870b1", "uuid": "e19d92d7-cf17-4b2b-8ec2-1efc6df2fa1e",
"value": "Cr1ptT0r" "value": "Cr1ptT0r"
}, },
{ {
@ -13508,7 +13508,7 @@
"https://www.zdnet.com/article/new-phobos-ransomware-exploits-weak-security-to-hit-targets-around-the-world/" "https://www.zdnet.com/article/new-phobos-ransomware-exploits-weak-security-to-hit-targets-around-the-world/"
] ]
}, },
"uuid": "6cfa554a-1e1b-327a-605f-025d761570b1", "uuid": "d2c7fb08-293e-453b-a213-adeb79505767",
"value": "Phobos" "value": "Phobos"
}, },
{ {
@ -13520,7 +13520,7 @@
"https://www.ehackingnews.com/2019/05/getcrypt-ransomware-modus-operandi-and.html" "https://www.ehackingnews.com/2019/05/getcrypt-ransomware-modus-operandi-and.html"
] ]
}, },
"uuid": "6cfa553a-1e1b-115a-401f-015d681470b1", "uuid": "7c9df1bd-9212-4ce3-b407-636e41bc4eea",
"value": "GetCrypt" "value": "GetCrypt"
}, },
{ {
@ -13532,7 +13532,7 @@
"https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/nemty-ransomware-possibly-spreads-through-exposed-remote-desktop-connections" "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/nemty-ransomware-possibly-spreads-through-exposed-remote-desktop-connections"
] ]
}, },
"uuid": "6cfa554a-1e2b-115a-400f-014d671470b1", "uuid": "5fb75933-1ed5-4512-a062-d39865eedab0",
"value": "Nemty" "value": "Nemty"
}, },
{ {
@ -13542,7 +13542,7 @@
"https://www.acronis.com/en-us/blog/posts/meet-buran-new-delphi-ransomware-delivered-rig-exploit-kit" "https://www.acronis.com/en-us/blog/posts/meet-buran-new-delphi-ransomware-delivered-rig-exploit-kit"
] ]
}, },
"uuid": "6cfa554a-1e1b-114a-300f-013d671370b0", "uuid": "a92b2165-29e7-463a-b3d5-c8b7d8a25f65",
"value": "Buran" "value": "Buran"
}, },
{ {
@ -13552,7 +13552,7 @@
"https://securitynews.sonicwall.com/xmlpost/hildacrypt-ransomware-actively-spreading-in-the-wild/" "https://securitynews.sonicwall.com/xmlpost/hildacrypt-ransomware-actively-spreading-in-the-wild/"
] ]
}, },
"uuid": "6cea5549-1d1b-111a-309f-012d671360b1", "uuid": "25fcb177-7219-4414-b5de-8aeb2e6d146f",
"value": "Hildacrypt" "value": "Hildacrypt"
}, },
{ {
@ -13568,7 +13568,7 @@
"Sherminator" "Sherminator"
] ]
}, },
"uuid": "7cea4438-1d1c-121a-30af-011d661260b2", "uuid": "2e8aa6da-00b1-4222-b212-c48a7348893c",
"value": "Mr.Dec" "value": "Mr.Dec"
}, },
{ {
@ -13582,7 +13582,7 @@
"Freezing" "Freezing"
] ]
}, },
"uuid": "4cea4448-1d3c-111a-40af-011d461260b4", "uuid": "9b074569-b90c-44e6-b9b2-e6e19a48118d",
"value": "Freeme" "value": "Freeme"
}, },
{ {
@ -13594,7 +13594,7 @@
"https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer" "https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer"
] ]
}, },
"uuid": "5cea5548-1e3c-222a-3faf-022d461260b5", "uuid": "3d8989dc-9a10-4cae-ab24-ff0abed487f4",
"value": "DoppelPaymer" "value": "DoppelPaymer"
}, },
{ {
@ -13605,7 +13605,7 @@
"https://id-ransomware.blogspot.com/2019/01/unnamed-desync-ransomware.html" "https://id-ransomware.blogspot.com/2019/01/unnamed-desync-ransomware.html"
] ]
}, },
"uuid": "6cea5546-1e2c-333a-4faf-033d461360b5", "uuid": "e5288fc1-ff2a-4992-a1fb-6a8ef612de51",
"value": "Desync" "value": "Desync"
}, },
{ {
@ -13627,7 +13627,6 @@
"type": "related-to" "type": "related-to"
} }
], ],
"uuid": "7cea8846-1f3d-331a-3ebf-055d452351b6",
"value": "Maze" "value": "Maze"
}, },
{ {
@ -13660,7 +13659,7 @@
"https://malpedia.caad.fkie.fraunhofer.de/details/ps1.ftcode" "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.ftcode"
] ]
}, },
"uuid": "7cea9946-1f4d-441a-4ebf-044d442454b6", "uuid": "6f9b7c54-45fa-422c-97f0-0f0c015e3c4e",
"value": "FTCode" "value": "FTCode"
}, },
{ {
@ -13937,7 +13936,7 @@
"type": "variant-of" "type": "variant-of"
}, },
{ {
"dest-uuid": "7cea8846-1f3d-331a-3ebf-055d452351b6", "dest-uuid": "5d999c23-11cf-4dee-84bb-f447a4f70dc8",
"tags": [ "tags": [
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
@ -14106,7 +14105,7 @@
"type": "similar" "type": "similar"
}, },
{ {
"dest-uuid": "7cea8846-1f3d-331a-3ebf-055d452351b6", "dest-uuid": "5d999c23-11cf-4dee-84bb-f447a4f70dc8",
"tags": [ "tags": [
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
@ -14141,7 +14140,7 @@
"type": "similar" "type": "similar"
}, },
{ {
"dest-uuid": "7cea8846-1f3d-331a-3ebf-055d452351b6", "dest-uuid": "5d999c23-11cf-4dee-84bb-f447a4f70dc8",
"tags": [ "tags": [
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
@ -14152,5 +14151,5 @@
"value": "Sekhmet" "value": "Sekhmet"
} }
], ],
"version": 93 "version": 94
} }

View file

@ -63,7 +63,7 @@
"https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar" "https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar"
] ]
}, },
"uuid": "a646edaa-4c6f-3a79-7a6c-143535259e15", "uuid": "045ab0d5-2f08-4fcd-af47-81c1143fa5fb",
"value": "Vidar" "value": "Vidar"
}, },
{ {
@ -74,9 +74,9 @@
"https://blog.yoroi.company/research/the-ave_maria-malware/" "https://blog.yoroi.company/research/the-ave_maria-malware/"
] ]
}, },
"uuid": "a546edaa-4c6f-2a79-7a6c-133535249e14", "uuid": "f3413f6c-5c3a-4df0-bbb5-2dbdf4d68c4c",
"value": "Ave Maria" "value": "Ave Maria"
} }
], ],
"version": 6 "version": 7
} }

View file

@ -4308,9 +4308,12 @@
"cfr-type-of-incident": "Espionage", "cfr-type-of-incident": "Espionage",
"country": "IR", "country": "IR",
"refs": [ "refs": [
"https://www.intezer.com/prince-of-persia-the-sands-of-foudre/",
"https://www.freebuf.com/articles/network/105726.html",
"https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf", "https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf",
"https://iranthreats.github.io/", "https://iranthreats.github.io/",
"http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/", "http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/",
"http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/",
"https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/", "https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/",
"https://www.cfr.org/interactive/cyber-operations/prince-persia", "https://www.cfr.org/interactive/cyber-operations/prince-persia",
"https://unit42.paloaltonetworks.com/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/", "https://unit42.paloaltonetworks.com/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/",
@ -4318,7 +4321,8 @@
], ],
"synonyms": [ "synonyms": [
"Operation Mermaid", "Operation Mermaid",
"Prince of Persia" "Prince of Persia",
"Foudre"
] ]
}, },
"uuid": "1671be1b-c844-48f5-84c8-54ac4fe4d71e", "uuid": "1671be1b-c844-48f5-84c8-54ac4fe4d71e",
@ -4774,7 +4778,8 @@
], ],
"synonyms": [ "synonyms": [
"CactusPete", "CactusPete",
"Karma Panda" "Karma Panda",
"BRONZE HUNTLEY"
] ]
}, },
"uuid": "0ab7c8de-fc23-4793-99aa-7ee336199e26", "uuid": "0ab7c8de-fc23-4793-99aa-7ee336199e26",
@ -7951,7 +7956,10 @@
" https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html" " https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html"
], ],
"synonyms": [ "synonyms": [
"RAZOR TIGER" "RAZOR TIGER",
"Rattlesnake",
"APT-C-17",
"T-APT-04"
] ]
}, },
"related": [ "related": [
@ -8008,21 +8016,6 @@
"uuid": "947a450a-df6c-4c2e-807b-0da8ecea1d26", "uuid": "947a450a-df6c-4c2e-807b-0da8ecea1d26",
"value": "Attor" "value": "Attor"
}, },
{
"description": "DePriMon is an unusually advanced downloader whose developers have put extra effort into setting up the architecture and crafting the critical components.",
"meta": {
"cfr-target-category": [
"Private sector",
"Finance"
],
"cfr-type-of-incident": "Espionage",
"refs": [
"https://www.welivesecurity.com/2019/11/21/deprimon-default-print-monitor-malicious-downloader"
]
},
"uuid": "443faf38-ad93-4421-8a53-47ad84b195fa",
"value": "DePriMon"
},
{ {
"description": "According to 360 TIC the actor has carried out continuous cyber espionage activities since 2011 on key units and departments of the Chinese government, military industry, scientific research, and finance. The organization focuses on information related to the nuclear industry and scientific research. The targets were mainly concentrated in mainland China...[M]ore than 670 malware samples have been collected from the group, including more than 60 malicious plugins specifically for lateral movement; more than 40 C2 domain names and IPs related to the organization have also been discovered.", "description": "According to 360 TIC the actor has carried out continuous cyber espionage activities since 2011 on key units and departments of the Chinese government, military industry, scientific research, and finance. The organization focuses on information related to the nuclear industry and scientific research. The targets were mainly concentrated in mainland China...[M]ore than 670 malware samples have been collected from the group, including more than 60 malicious plugins specifically for lateral movement; more than 40 C2 domain names and IPs related to the organization have also been discovered.",
"meta": { "meta": {
@ -8447,10 +8440,14 @@
"https://news.sophos.com/en-us/2020/12/21/how-sunburst-malware-does-defense-evasion/", "https://news.sophos.com/en-us/2020/12/21/how-sunburst-malware-does-defense-evasion/",
"https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/", "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/",
"https://pastebin.com/6EDgCKxd", "https://pastebin.com/6EDgCKxd",
"https://github.com/fireeye/sunburst_countermeasures" "https://github.com/fireeye/sunburst_countermeasures",
"https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware",
"https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html"
], ],
"synonyms": [ "synonyms": [
"DarkHalo" "DarkHalo",
"StellarParticle",
"NOBELIUM"
] ]
}, },
"uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b", "uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b",
@ -8473,7 +8470,34 @@
}, },
"uuid": "27de6a09-844b-4dcb-9ff9-7292aad826ba", "uuid": "27de6a09-844b-4dcb-9ff9-7292aad826ba",
"value": "TeamTNT" "value": "TeamTNT"
},
{
"description": "HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures. HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once theyve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.In campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets environments. HAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.",
"meta": {
"refs": [
"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers",
"https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
"https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html",
"https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers",
"https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day",
"https://twitter.com/ESETresearch/status/1366862946488451088",
"https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html",
"https://us-cert.cisa.gov/ncas/alerts/aa21-062a",
"https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289",
"https://github.com/microsoft/CSS-Exchange/tree/main/Security",
"https://github.com/cert-lv/exchange_webshell_detection",
"https://www.crowdstrike.com/blog/falcon-complete-stops-microsoft-exchange-server-zero-day-exploits",
"https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021",
"https://pastebin.com/J4L3r2RS",
"https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers",
"https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Execution/exchange-iis-worker-dropping-webshell.md",
"https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server",
"https://www.nextron-systems.com/2021/03/06/scan-for-hafnium-exploitation-evidence-with-thor-lite"
]
},
"uuid": "4f05d6c1-3fc1-4567-91cd-dd4637cc38b5",
"value": "HAFNIUM"
} }
], ],
"version": 198 "version": 199
} }

View file

@ -8221,7 +8221,78 @@
"related": [], "related": [],
"uuid": "e1bfe1d9-190c-4cf4-aec8-a8f2c41c7d8b", "uuid": "e1bfe1d9-190c-4cf4-aec8-a8f2c41c7d8b",
"value": "HyperBro" "value": "HyperBro"
},
{
"description": "SUNSPOT is StellarParticles malware used to insert the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product.",
"meta": {
"refs": [
"https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/"
]
},
"uuid": "d9b2305e-9802-483c-a95d-2ae8525c7704",
"value": "SUNSPOT"
},
{
"description": "",
"meta": {
"refs": [
"https://www.clearskysec.com/cedar/"
],
"type": [
"webshell"
]
},
"related": [],
"uuid": "1974ea65-7312-4d91-a592-649983b46554",
"value": "Caterpillar WebShell"
},
{
"description": "The P.A.S. webshell was developed by an ukrainian student, Jaroslav Volodimirovich Panchenko, who used the nick-name Profexer. It was developed in PHP and features a characteristic password-based encryption. This tool was available through a form on his website, where a user had to provide a password to receive a custom webshell. The form suggested a donation to the developer. It was commonly used, including during a WORDPRESS website attack.",
"meta": {
"refs": [
"https://us-cert.cisa.gov/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity",
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf"
],
"synonyms": [
"Fobushell"
],
"type": [
"webshell"
]
},
"related": [],
"uuid": "6baa1f46-daa9-4f40-952b-ec613c835abb",
"value": "P.A.S. webshell"
},
{
"description": "Exaramel is a backdoor first publicly reported by ESET in 2018. Two samples were identified, one targeting the WINDOWS operating system and the other targeting LINUX operating systems.",
"meta": {
"refs": [
"https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/",
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf"
],
"type": [
"backdoor"
]
},
"related": [],
"uuid": "95174297-6dff-47d9-bcb9-263f9b2efcfb",
"value": "Exaramel"
},
{
"description": "RDAT is a backdoor used by the suspected Iranian threat group OilRig. RDAT was originally identified in 2017 and targeted companies in the telecommunications sector.",
"meta": {
"refs": [
"https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/"
],
"type": [
"backdoor"
]
},
"related": [],
"uuid": "d357a6ff-00e5-4fcc-8b9e-4a9d98a736e7",
"value": "RDAT"
} }
], ],
"version": 140 "version": 144
} }