From 19491649f215fe5b79d9b5b314168517f3ae297d Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Tue, 19 Nov 2024 07:56:46 -0800 Subject: [PATCH 1/3] [threat-actors] Add BrazenBamboo --- clusters/threat-actor.json | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 6d423b6..23b98e7 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -17443,6 +17443,17 @@ }, "uuid": "4d3c9666-6e08-4186-854c-cc0f8c28f5b6", "value": "Kairos" + }, + { + "description": "BrazenBamboo is a Chinese state-affiliated threat actor known for developing the LIGHTSPY, DEEPDATA, and DEEPPOST malware families. Their infrastructure includes capabilities for zero-day exploitation, specifically targeting vulnerabilities like FortiClient, and employs a command-and-control architecture that supports multi-platform operations. Volexity's analysis indicates that BrazenBamboo is a well-resourced entity with a focus on domestic targets, utilizing custom analyst software to manage data collected from their malware. The ongoing development of their malware families is evidenced by the timestamps associated with their latest payloads.", + "meta": { + "country": "CN", + "refs": [ + "https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata/" + ] + }, + "uuid": "305fbff0-d3ff-43e3-8741-63bad68e47ee", + "value": "BrazenBamboo" } ], "version": 320 From 511fbae2df8621a1c9c06a738a90b37e6bb132f2 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Tue, 19 Nov 2024 07:56:47 -0800 Subject: [PATCH 2/3] [threat-actors] Add Water Barghest --- clusters/threat-actor.json | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 23b98e7..e8039bd 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -17454,6 +17454,16 @@ }, "uuid": "305fbff0-d3ff-43e3-8741-63bad68e47ee", "value": "BrazenBamboo" + }, + { + "description": "Water Barghest is a cybercriminal group that has compromised over 20,000 IoT devices by October 2024, monetizing them through a residential proxy marketplace. They automate the entire process from identifying vulnerable devices using n-day and zero-day exploits to deploying Ngioweb malware and selling the compromised assets. Their operations include leveraging Ubiquiti EdgeRouter devices for espionage and utilizing automated scripts to exploit vulnerabilities within minutes of discovery. Water Barghest has maintained a low profile for years, but their activities gained attention due to the deployment of a zero-day vulnerability against Cisco IOS XE devices in October 2023.", + "meta": { + "refs": [ + "https://www.trendmicro.com/en_us/research/24/k/water-barghest.html" + ] + }, + "uuid": "314325cd-5972-46a9-af1e-4b1e5585619d", + "value": "Water Barghest" } ], "version": 320 From d7169d4cc42cfeca25af409557da5fbd010ec21b Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Tue, 19 Nov 2024 07:56:48 -0800 Subject: [PATCH 3/3] [threat actors] Update README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 5c2bd9f..75aaa72 100644 --- a/README.md +++ b/README.md @@ -599,7 +599,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements [Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group. -Category: *actor* - source: *MISP Project* - total: *779* elements +Category: *actor* - source: *MISP Project* - total: *781* elements [[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]